An interesting read came across my Twitter feed this morning, called “Looking Inside Your Screenshots.” The theory is simple: Blizzard is applying watermarks to your screenshots storing “personal” information. In this case, the author states that your account ID, a timestamp, and your server IP are captured.
Part of me was intrigued, and I did some reading on the discussion (get your tinfoil hats ready), and part of me shook my head. This blog post is about the thoughts that sprang to mind as I watched the commentary fly by about the whole topic, and my thoughts as I read the post.
Who Are You Really?
One of the fascinating things about the internet is that you can be anyone you want to be. I say that with a casual attitude, and only some succeed at it, but let’s walk through this.
Most people, WoW players, guild mates, even Twitter pals, exist as you know them. They are male, they are female, they are tall, they are short. You may know this because you’ve heard their voices in chat, you may know what they look like because of a picture thread on your guild forums, or maybe you’ve even met them in person! You may know if they are married, or if they have kids. What their pets look like, what their favorite pair of shoes is. You can learn a lot about a person, or even people, if you just step back and listen.
But there are other people; individuals who go to great lengths to hide their identities. They may only provide their voice in chat, but you know nothing about them. Some people choose to not even speak. They could be a stranger you see at the bus stop each morning on your way to work. They could be the classmate sitting beside you in lecture.
But you really don’t know, because they don’t want you to know.
I’ve been told I share a lot with the world. In the grand scheme, I probably do. That said, there is much that I don’t share. I shape a personality, an image, that I want you to perceive when you think about me. But who I really am, most people will never know. I can smoke screen through a lot of things–the only people who can truly see through it are the people who play the same mental games I do.
Social Engineering 101
Social Engineering, as defined by Wikipedia:
Social Engineering, in the context of security, is understood to mean the art of manipulating people into performing actions or divulging confidential information.
And it’s so easy to do.
Wiki’s definition is a bit too tight for me. I’d paint it a touch broader: social engineering is the art of manipulating people to gain information or perform actions which they might not be inclined to do otherwise.
I was going to use Twitter as a prime example, but I think that it would hit too close to home for many, so I’m choosing to shy away from it. It’s a rabbit hole that if I went down would probably make people a touch uncomfortable around me, but it’s how my mind works…
The long and short of it is that I don’t need much information to build a picture about my Twitter followers. You’ve given me a lot of information, and with just a few nuggets, I can do some digging and build a complete picture that you probably don’t even realize.
Social engineering is, to put it bluntly, “creative use of real life mechanics.” It’s taking bits of information and seeding the rest to gather what you need. It’s asking very basic questions about a topic of interest, about your personal life, and then taking that information back into (in some cases) readily accessible tools to learn about someone.
Let’s take a step back in time in Miri’s life. I shared this in a very early blog post, but I’m going to flesh it out to give perspective on how easy it is to manipulate people. In this case, I manipulated my peers for my own success…
Social Engineering in Action
One of the courses I was required to take for my degree was in Information Warfare (my degree is in NetSec). The course description:
This course will examine and assess the role of information technology as a tool of warfare. Topics will be discussed from both a defensive and offensive perspective and will include: physical attacks, cyber-terrorism, espionage, psyops, biometrics, Network Centric Warfare, and applications of encryption technology.
Our final project was an information war, where we picked sides and were told about our alignments with other groups (enemies and allies).
My team took the challenge a touch further. We were, after all, the hackers. Loyal to no one, but hell bent on our own desire to win. But how were we going to defeat the other 10-11 teams? We sat together one day in the atrium at school, our laptops balanced in our laps, our cans of soda on the tables beside us, as we argued and debated our points to win. And then one of our teammates spoke. “What if we turned each team against each other? What if we played the ultimate war game?” Intrigued, we all leaned in. At that moment, we had decided to take one hell of a giant step, sidestepping the line of ethics, a scheme beginning to flesh itself out.
My teammate proposed an idea, and we began to weave the fabric that would completely change the game. We would pretend to be our professor, the current Assistant Dean of our school. We would communicate with our fellow classmates, planting seeds of misinformation to spin the game in our favor.
We had months of email communication from our professor. We knew her writing style, her greeting and her closing methods, her sentence structure. So we began drafting our communications, our misinformation. We knew who was on each team–their email addresses were published in a course tool that everyone had access to. We sat on the school network, and spoofed our professor’s email address. We sent out email after email, each a touch different than the first, updating other players in the “war.”
Time passed, and we continued to develop our battle plan. We composed the final documents to present to our classmates, and showed up to class, completely calm, and more than a little curious to see if we actually succeeded in our game.
We chose to be the last team to present, and we watched as each team went to the front of the room, and pulled up their PowerPoint decks. We listened as they presented their list of allies, and their list of enemies. And we watched as they wove in our “information”–stating how they changed their allies and enemies list based on additional information that was provided to them during the course of the battle.
We watched our professor’s face contort into a frown, but she never spoke. The presentations continued, each one building on the last.
And then it was our turn.
I took center stage in the front of the room, and displayed the following image on the screen:
I watched the class’s facial expressions change. First they were confused, and I’ll admit, I smirked. My team’s ultimate goal had succeeded.
And then I spoke. I stated that we had no allies, and that everyone was an enemy. And I thanked them for their participation in our little scheme.
And the looks of confusion turned to anger.
I took a casual posture, leaning up against a table at the front of the room, my arms crossed in front of my chest, my face only illuminated by the projector showing the image behind me.
I asked my classmates who sent them the emails with the “additional information.” I asked that they point to the sender.
And I waited.
My classmates shifted in their seats and pointed to our professor, who looked even more confused. My fellow students studied our instructor as their looks turned to horror as they faced me once again.
I changed slides and sat back on the table, my legs crossed at the ankle, my hands casually resting on the table as I leaned forward to impart my final words of wisdom.
“You just spent a semester learning how wars can be fought online. You learned the ways that social engineering can be used to manipulate outcomes. And yet, you fell for everything you were taught to watch out for. Let this be a lesson–that things aren’t always what they seem.”
And with those final words, I blanked the screen and walked back to my seat.
Once my professor was able to get over her shock–her realization that we had completely manipulated a project she had assigned us–she polled the class on who won the war.
What You’ve Given Blizzard…
I got to watch people go “OMG my privacies!” about this whole watermarking scenario. I’ve watched people wave the BS flag, and I’ve watched people step back and wait for more findings.
My stance on the whole thing was “I don’t really care.”
If you are so worried about what’s in your screenshot, then take the time to step back and think about what you’ve given Blizzard.
Here’s a quickly compiled list:
- Name (Real or not, hope you never have to recover your account)
- Email Address
- Mailing Address
- Credit Card w/ expiration and secure code
- Buying history
- IP Address
- Computer specifications
When you’re logged into Blizzard’s servers, they have records of everything. A quick list, once again:
- Your IP
- Your character’s location in their world
- What’s in your bags/bank/mail
- Your addons
- Your conversations
If Blizzard wants information, they don’t need to store it in a screenshot; you’ve already given it to them when you sign on to their realms.
They didn’t need to socially engineer you for that information–you gave it readily.
So how do you protect yourself in light of this “finding”?
According to the author of the screenshots post, they think that “someone could use this to identify which account holds which characters and perhaps stalk and annoy its user, or help perpetrators choose their phishing victims with a more targeted approach.”
Some things I’d like to note:
- The account ID that is shown is not your Battle.net account ID, nor is it your BattleTag. It’s apparently the name that your account started with (think before we merged into Battle.net). The only person who knows that is the person who signs into the account (if you have multiple accounts and have to select which account to sign in).
- A time stamp. Well, in my screenshots, my clock is showing. You can see the HH:MM in my lower right hand corner if you care. And if you want to look at a screenshot where I hid my UI? Please let me know what time I took it in case I can’t find it again.
- My realm IP. As was noted to me earlier, it could be a dozen different IPs on any given night. Your realm IP, your dungeon server IP (remember, dungeons are on a different server), your raid server IP. And let’s not even open the can of worms that is CRZ–you’re bouncing to (or from) various realms all night now if you’re in low level zones. Have at it Blizzard. If anything, it would be intriguing for me to learn what the dungeon/raid server IPs are.
If you can go to the Armory, you can figure out what realm I’m on. Hell, it’s in my blog header. It’s on my Twitter account. I publish that information so people can find me.
If someone wants to exert the effort to extract that information from a picture, have at it.
There’s a lot of information already available thanks to search engines, standard “friendly” commentary, and ourselves.
Protect yourself by limiting what you say and share. You can help control the amount of information that the world can use against you.
But you have to make intelligent decisions to protect yourself. Don’t expect anyone else to do it for you.
Your safety and security starts with you.
So today the changes to the Scroll of Resurrection were announced. If you didn’t know what the SoR was, basically it was a way to lure your friends back into WoW after they had quit for a period of time. You could issue them a scroll and they’d get some free play time. I’ll be honest, I’ve never used a SoR to bring a friend back to WoW. They’ve come back of their own volition, usually to see new content or try out the changes to their class. Maybe they like what they see and they choose to stay, maybe they don’t, or another game catches their eye, and they wander away from WoW again.
Friends who have quit did so because they were hardcore raiders and burned out, some needed to get finances in line. Some of them came back, some didn’t.
The New Scroll of Resurrection
Let’s take a look at what the new Scroll of Resurrection gives you:
Not bad huh? A free upgrade to Cata, a boost of your character to level 80, a free realm transfer or faction swap to play with your friend who brought you back.
Not gonna lie, it’s tempting as heck! But tossing all these freebies at players who quit the game? Free Faction changes? That’s a $30 savings right there. A free server transfer? That’s another $25.
Not a bad deal in the least.
Miri’s “Get off my Lawn” Rant…
So here’s why this rubs me the wrong way. Every time we turn around, there’s a “bonus” associated with bringing someone to WoW. Whether it be a player who quit the game eons ago or a new player who wanted to experience the game.
Now players can play WoW free to lvl 20, the $20 purchase of Vanilla WoW nets you the Burning Crusade, and now you can come back and get boosted to lvl 80.
Not gonna lie, it’s better to be a new player (or a returning player) to WoW than it is to be a long-time subscriber.
And this bugs me!
The account that I play on each and every night hit its 7th anniversary last month. Over 7 years this game has been paid for. That’s Vanilla. That’s BC. That’s Wrath. That’s Cata. Every single expansion picked up. Let’s not mention that the account has every CE ever produced for those expansions tied to it as well.
I’d screenshot all the Feats of Strength I have on a character I no longer play, but it would take too long to piece together my WoW history in Photoshop. But if you want to take a gander, Mirina, my hunter, was the character I focused on in BC. My original Vanilla hunter and rogue were deleted eons ago, and only my baby druid still remains.
Admittedly, I play WoW because I enjoy it. I’ve RaF’d myself twice simply to speed level alts and get the Zhevra mount (on characters, once again, that I don’t play anymore). I play because I like to raid, because I like to do things with friends, because I like to explore, work on achievements, and in general, immerse myself in the World of Warcraft.
And many will say “well, then you should be content with what you have. You have raids, and heroics, and all the content that’s designed for players at max level.” And that’s great. I, as a player, have that. But so does every other max level player who plays WoW.
You know what else I had? I had a time where I had to buy ammo before raids, and your rep and the raids you were working on determined if you had the best ammo in game. I had to carry my mounts around in my bags, and pets too! I had to do my dailies so I could afford to raid, because guilds didn’t have the ability to skim money off of my kills and deposit it, regifting it back to me as payment for repairs while we were learning fights. I had to pay each time I wanted to change my spec because we could have only one. I had to go tame pets for my higher level pet skills. I had to attune myself to the raids I was preparing to progress in. I could go on and on.
Yes, things have gotten better. Yes, the game is much more friendly and open to new and returning players.
But what do I have to show for 7 years in the World of Warcraft? I have Feats of Strength that no one looks at. I have moments like I did in the previous paragraph, where I extol how WoW has changed. But within WoW, what do I have to show for it? Well, I have a couple pets that were there for years 4 and 5. And those are cool. But they don’t go with my character for various reasons. Maybe it clashes with my Transmog, maybe it’s just not something I want to pair with Raz because of his personality in game.
The Missing Link
Blizzard rewards players for coming back to WoW via the Scroll of Resurrection. Blizzard entices you with two-seater mounts to bring a friend to the game via Recruit a Friend. But there is nothing for the WoW Veterans.
This is a topic that has been batted around for years, with people coming up with various ideas. In fact, just last month a discussion was started by Mathew McCurley on WoW Insider asking what a WoW Veteran program would look like.
My favorite option is a token awarded for each year you’ve been an active subscriber. Everyone can earn tokens to spend on a pool of items–it will just take more time for the person who’s been subscribed for a year to achieve all the items that a 7 year subscriber gets. It’s an equal opportunity for all to walk away with something highlighting their time spent in Azeroth.
Or, you know, I would love a backpack upgrade.