Interface

Dear Editors,

The online article by Chet Ignatowski, “How World of Warcraft Almost Ruined My Credit Rating,” makes a statement in the title and the concluding paragraph makes assertions that aren’t true, based on the facts as presented in the article. The article also has several serious technical errors. These problems should be an embarrassment to IEEE and should have never made it past technical/editorial review before posting.

The author’s World of Warcraft (WoW) account was hacked due to use of insecure software (Microsoft Windows I.E. 6) combined with his use of a malware site, neither of which are connected to the game (WoW) or the game vendor/operator (Blizzard/Vivendi). Yet the title blames his woes on the game itself, which is completely incorrect.

The author uses a hypothetical assumption as the basis of his assertion that WoW almost ruined his credit (“I imagined what might have happened if WoW had stored my credit-card information in its entirety...”). Imagination of an untrue condition isn’t justification for a statement of fact such as appears in the article title and in several paragraphs throughout the article. The statement “a very serious real-life problem he experienced when playing World of Warcraft” is untrue, because the problem he experienced (installation of malware on his computer) happened completely outside the game, and the postulated result “almost ruined my credit rating” is based on an untrue assumption about storage of credit-card information which he acknowledges wasn’t done.

He also makes an amazing technically incorrect assertion about protection against malware (“the executable didn’t (and perhaps still doesn’t) protect users afflicted with a keystroke logger from having their account credentials logged.”). NO executable on his computer protects against having information logged by a keystroke logger, not even the antivirus (or security) software he used to discover the keystroke logger.
This statement should have never made it past even a moderately computer-knowledgeable editor, especially one associated with IEEE!

The author also makes another untrue assumption about the hackers’ profit (“The perpetrators in my case spent their own money to do this [$25 for a character transfer], so I guess my gold and items were worth far more than $25 to them.”) The hackers who are attacking WoW accounts are invariably using stolen credit cards for character transfer fees, and this fact is acknowledged by Blizzard.

I am extremely disappointed that this article appears in the otherwise outstanding set of articles on securing online games. I feel this article is way below the standards for accuracy and technical correctness I expect from a professional society such as IEEE. I believe this article should immediately be edited and corrected, or removed entirely.

David E. Price SRO, CHMM
Senior Consequence Analyst for Special Projects, CBRNE (Nuclear, Chemical, Biological, and Explosives Accident/Safety Analyses)
Counterproliferation & Operational Intelligence Support, Z Program
Global Security Directorate
Lawrence Livermore National Laboratory

Copublished by the IEEE Computer and Reliability Societies

Chet Ignatowski responds:

I encourage IEEE Security & Privacy to publish Mr. Price’s critique of my article, as he points out many good observations. I’m not a regular reader of this publication and I gather from the many gasps and groans that lighthearted fare, such as what I wrote, isn’t commonplace within the publication. The title might be misleading (I address this later), but the first paragraph (“This is a cautionary tale…”) sets the tone of what’s to come. I would have taken no umbrage had S&P decided not to run my article, as Mr. Price suggests, in order to protect the integrity of the publication. I enjoyed writing the article as it gave me great introspection into the event, and working through the editorial process was eye-opening as well.
I did not intend to blame any woes on the game, as Mr. Price suggests. The article’s title is meant to be colloquial. “How Playing World of Warcraft . . .” or “How Researching World of Warcraft Strategies in order to be a Better World of Warcraft Player Almost Ruined My Credit Rating” is surely more accurate, but lacks the attention-grabbing “zing” of my actual title. The article’s first paragraph states clearly the very true story I unfolded for the reader. If readers weren’t interested, they could choose to move on.

The article is an editorial. I feel completely justified writing about the assumptions of what might have happened had the transgressors been more aggressive in their pursuit of my virtual wealth. Those fearful thoughts are what drove me to relate this tale, as embarrassing as it is. Had I known immediately that the only real fallout from the event would have been the loss of my WoW gold, which Blizzard recovered, I wouldn’t have bothered responding to the article solicitation.

1540-7993/09/$26.00 © 2009 IEEE, July/August 2009

As for other technical and nontechnical inaccuracies, I fully admit that at the time of writing the article, I didn’t know the intricacies of keystroke loggers. Further, the fact that Blizzard acknowledges this is done with stolen credit cards didn’t come up in my research, and I should have worded the character transfer comment as “I did not spend $25 to transfer the character.” I thank Mr. Price for pointing out these flaws.

Upon reflection, I would expand the point I want the reader to conclude when finishing the article. Initially, the point was just that there should be no assumption of security, given that the major components that allow playing World of Warcraft come from large and “trusted” organizations. I did not take into account the ultimate component, the Internet itself; there’s no way of completely securing the Internet, besides perhaps never using it.
In retrospect, at the time of my security breach, I never realized that someone’s pursuit of my WoW riches would lead to identity theft. I was familiar with email-based security breaches—who in corporate America didn’t receive an email 12 years ago because some acquaintance clicking on the “AnnaKournikova.vbs” attachment to an email then flooded the poor sap’s address book? If I was researching Drupal administration best practices, as I am doing now, and I came across a sketchy URL, I would never think of clicking it. The fact that someone would want to access my personally identifiable information through a Web site link purporting a WoW-related subject never entered my mind. I place this blame solely on myself.