Monday Night Combat; Team-Based Multiplayers.

Is anyone else as in love with Monday Night Combat as I am? It’s odd; I sheepishly admit that not only did I avoid playing DoTA at all back in the day (nothing personal against it, I just never got into it; I dunno), but I also have never been very good at FPSs, and as such, never really got into Team Fortress 2. I have many friends who swear by it, and I’ve always wanted to sit down and learn it, but I admit that I hate the multiplayer learning curve of “get facerolled and teabagged for days of playtime until you learn the maps and figure out how to play” that is, in essence, the basis of all FPSs on the market. It’s just not how I roll.

On top of that, we’ve seen an increase in games that are primarily multiplayer-based, ranging anywhere from the solo-hero-centric Halo to the group-focused Modern Warfare and Team Fortress 2, which on the one hand will increase the “team factor” and make every player relevant in their own right (at least in theory), but on the other hand only increases the distress afflicted on new players to perform well not only generally but specifically, to master their roles immediately and fully understand all maps, all game and class mechanics, all aspects of wall hacking and the avoidance thereof, to make themselves impenetrable to the veritable slings and arrows of outrageous fortune, or at least in this case, the trials and tribulations of the onslaught of the sharp learning curve that is the multiplayer FPS industry.

With all of that going on, it’s hard for me to muster up the energy and effort required to learn a new game, let alone a new style of play. I enjoy playing team games with my friends, but the task of finding a frequent and mutually agreeable timeframe in which to play team games with my friends is something that I often find nearly impossible. I think this is the primary reason that I never really got into Left4Dead; I had a lot of friends who played it, but when combining my schedule with theirs, I found it shockingly difficult to find a time in which we would all be around and able to play, which kills the “playing with friends makes the learning curve easier to handle” angle right off the bat. As a result, it never really took to me.

I’m currently fortunate in regards to Monday Night Combat in that I have a crew of friends who play it on a fairly regular basis (read: 3-4 nights a week), and what with Wrath of the Lich King truly winding down as everyone prepares for the 4.0 patch and begins serious prep for Cataclysm, I’ve found that my normal Monday+Wednesday raiding schedule is a lot more open (ok, there’s actually a lot more than the end of WotLK keeping me from raiding, but I’ll post about that next – hint: it involves awesome things happening because of that whole RealID thing – it’s so awesome, just you wait). This has allowed me to actually get some good xbox live time in with my friends, which has done wonders for my entry into this crazy-awesome team-based 3rd person shooter/escort game.

Is anyone else playing this game? Drop me a line!

RealID pt.3; Penny Arcade Chimes In; Internet Dragons.

Just so you all know, I don’t work from home, nor do I have a cushy office job where I pretend to work while instead scanning forums and e-stalking hapless WoW players. This week just so happens to be my vacation (or stay-cation, to be more accurate), and while I fully intended on getting some serious gaming in all week (I have a giant backlog of xbox 360 games, not to mention some great new games from Steam’s crazy summer sale), ActiBlizzard’s release of the RealID plans kind of, well, threw that for a loop. On the upside, I got a cool flash in the pan out of it; let’s see how many of you stick around next week (SPOILER ALERT: I’ll still post, but probably not every day). Don’t worry, I won’t take it personally if you don’t – it’s the internet!

So first and foremost, a list of a few RealID-related updates:

I’m sure you’re all familiar with John Gabriel’s Greater Internet Fuckwad Theory. If not, it is as follows:

Now I’m sure a lot of you have noticed that many of the supporters of the RealID system (so far every one that I’ve found is white and male, but that could just be coincidence) have been referencing the above Greater Internet Fuckwad Theory as proof/reason for their support. “Remove the anonymity, and the troll will go away!” they say. Now, Tim Buckley over at Ctrl+Alt+Del is of the mind that if you take away the anonymity, not a goddamned thing changes, and I agree. People who are gonna troll are gonna troll no matter what.

More to my amusement, however, Tycho posts his take on the RealID/Real Names issue:

Blizzard’s RealID thing didn’t make any sense to me, but that’s because I was relying on the official message to get a sense of it’s purpose. It’s a much more straightforward when you read the article at USAToday’s Game Hunters entitled “Blizzard and Facebook’s friendly social networking deal launches with ‘StarCraft II’.”

If I thought I could top this comment over at MetaFilter, I would do so. I can’t. The RealID thing is a bad idea that won’t work. If it were merely a bad idea, or merely wouldn’t work, maybe there’d be something in it. Accountability is crucial – you might recall our theory on the subject – and a fixed persona makes the laws of a microculture enforceable. But the idea that this persona must bear your actual name to lend it value (for you, or for others) is ludicrous.

The worst part about the official messaging is how it conflates expanded Battle.Net functionality with RealID, so that it seems as though these things are inseparable, as though your mystically-infused “truename” is a bundle of syllables congealed with a cosmic power. They chose to commingle these things in order to realize Battle.Net as a Social Network, and to develop true cultural currency (also: regular currency) thereby.

What do you get out of it? Well, that depends.

So please – stop posting the Fuckwad Theory as your basis. Accountability is important, yes, but a single username for a RealID would accomplish the same thing.

SpiderFarmer makes one of many fantastic posts from a female gamer’s standpoint, and I commend her for her post. Also deserving of praise for the same topic are all the folks over in the WoW Ladies community who decided to step up and speak their minds – not to mention this incredible master list of information and links. Well done!

A great many popular gaming bloggers continue to leave the game in protest (or at least cancel their subscriptions for the time being), while many helpful forum posters state they will cease to post altogether outside of their blogs. Keeva at Tree Bark Jacket suggests allowing a wow.com-esque self-regulation downranking system, and I gotta say that’d be pretty awesome. The sad thing is, the more and more I read about this, the more I’m convinced that it has nothing at all to do with forum behavior or trolls, as the initial post said, but instead has to do with the aforementioned facebook integration, a desire to secure ActiBlizzard’s Asian market by complying with Korean and Chinese laws, and/or the eventual implementation of targeted advertising in game. That is not a road upon which I’d like to travel, sad to say.

Anyone have any suggestions of upcoming MMOs that look promising? Champions? Warhammer? FFXIV? That Torchlight MMO? Ascended is open to suggestions, should this change go live. I know many will still play (and I support their decision to do so – I just want them to be happy), but a large amount of my guild has already canceled their subscriptions, and one of the most important things for us all, in the end, is that we play together. We still have members on our forums that quit playing years ago, and I have no intention nor desire to see the community of my guild collapse because of RealID. Any and all suggestions, however, are most appreciated. We just want to kill internet dragons.

Finally, I’d also like to add that I am extremely excited about this possibly becoming the new Hitler Downfall meme:

Video editors – FALL IN AND ROLL OUT!

RealID (pt2); Ethics; Voting With Your Dollar.

First and foremost, it appears that my readership has jumped, so to speak – hello everyone! Turns out when you stalk someone in a non-creepy way to prove a point, people listen. Who knew?

So the real question now is, of course – how the hell do I follow that up? I’m not going to lie – I definitely wanted some publicity for what I did (who wouldn’t?), but I didn’t expect anything like this. A few hundred readers made me happy. Now that you guys are in the tens of thousands (and still climbing!), I feel like I better have a good follow-up trick, eh? Well, let’s see what I have up my sleeve.

Let me preface this by saying that I love this game. In fact, I loved every Blizzard game I ever played. Before WoW, I played Diablo II for four years, and loved every second of it. Some of my favorite people that I know today I met on the diabloii forums, debating the most efficient leveling/gearing path for hammerdins (gogo Enigma runeword!). Several of them are actually the people who convinced me to pick up WoW.

At the time, I was opposed to pay-to-play games. “I already bought the game once,” I’d argue, “why would I keep paying for it?” Obviously, at that time I had no real understanding of the cost nor scope involved in the running or maintenance of an MMO. A few of those friends offered to give me prepaid WoW cards, just to see if I’d like it. Their reasoning was that I had just purchased Half-Life 2, beaten it in a week, and felt entirely justified in my $60 purchase. With the same cost to me, I could have several months of play time and see how I like it. I agreed and bought the game the day it came out. I was hooked immediately.

Over the years, I’ve been in a few guilds, led two of them, and have been fortunate enough to have spent the last four years or so with the same amazing group of people. I’ve gone from a member, to a class leader, to the guild leader, and I consider them an extension of my family. Some members I’ve never met in real life, but would be at my wedding were I to get married. Some members are now some of my best friends irl, and I met them because they applied to my guild and happened to live in the next town over. Over the years I’ve met a large amount of them in real life and regularly talk with most of them on the phone (even the ones who don’t play anymore). There have been times when I’ve pushed through brutal burnout just for them; times when I was so tired of the game, but I logged in to continue making the game fun, safe and enjoyable for them.

Our charter is simple, yet powerful. Our goal is to have fun in a safe, comfortable environment. We raid casually, but not poorly. We raid twice a week, which means that when we have a bad night, it’s not a night – it’s a week. We have to push that much harder. Still, at the end, we’re friends playing a game together, and as such we strongly enforce a simple rule – respect each other, always. There is no excessive cursing, harassing, or griefing; we’re all in this together. Sure, it’s a game, but I take my role in it seriously, and the GM’s job is to make sure the game is fun, enjoyable, and safe for everyone else.

Now back to RealID.

I’ve always been a strong proponent of voting with your dollar. Financially supporting a company is not only a means of acquiring goods and services, but also of showing support for the products and behaviors of said company. I believe in the market, and just as firmly believe that consumers should use their money to demonstrate what companies and products they support (when possible).

I’ve spent the last two days glued to my computer, reading post after post, pingback after pingback. I’ve read the first several hundred pages of the initial forum thread, I’ve read fantastic posts (some good ones here, here, and a great list here) and some good debates, but in the end, it comes down to one thing – complacency and support.

If this change goes live and I am a paying customer when it does, I am implicitly supporting the entire system. That means I am implicitly supporting a system that I 100% believe will (not could, we know that already – will) cause harm to someone. My post yesterday proved the ease of it. Yes, if you want to find someone, you probably can and will, but having a company decide to be the ones to display names in a competitive environment crosses the line. This change is ill-conceived, poorly thought out, and as far as I’m concerned, unethical and immoral. This change will push the moderation responsibility outside of the game world/forums and into the real world. I cannot think of a more irresponsible course of action for a company to take with the safety and privacy of their client base.

Some have said I’m all talk (a funny statement from people who’ve only known of my existence for less than 24 hours, but ok), so here’s some action.

It is with heavy heart that I have canceled my World of Warcraft subscriptions. They will run their course into the end of the month, at which point one of two things will happen.

• 1.) Blizzard will have by then changed their planned implementation of real names on the forums due to overwhelmingly negative response. As a result, I will reactivate my subscription and all will be well in the world.
• 2.) Blizzard will not have changed their planned implementation of real names on the forums, and my subscription, as well as my continued support of any Activision Blizzard product, will remain absent.

Why am I doing this now, instead of later? Why so early on, some ask? I’ll tell you. Sure, I could wait a month and if it’s still planned on going live, unsub then. My account is still paid up until the end of the month anyway, so there’s no real difference there. But the timing is the key. By canceling now, I’ve sent a message that I am unhappy with what they are doing now. If I wait a couple weeks until they issue an official response to the backlash, I’ve already lost my chance at being a voice that helped influence their decision; I’d be quietly and passively reacting to their decision. I don’t want to leave this game, I just feel like I have to do so. I have no intention of walking away without first doing what I can to try to change the reason that I feel I must go.

This is not an easy decision, nor does it feel good. I sincerely hope that Blizzard changes their policy/implementation on this. I’ve been a fan of everything they’ve done since I was a kid. I’ve not only been looking forward to Cataclysm, but also Diablo III. My guild has been my extended family for years, and I cherish their presence in my life. I cannot, however, idly support what will be a decision that ends up assisting (if not directly causing) the assault, rape, or stalking of someone, and I cannot and will not support it with my dollar.

To my guild – I’m so, so sorry. You are family to me, and if this is permanent, I will do all I can to smoothly transition leadership to a new leader as well as finish our preparations for Cataclysm. I cannot, however, financially support a company that so blatantly disregards the safety and security of their client base. To do so would be in violation of everything good you love about me. I’m sorry, I’m sorry, I’m sorry.

Please, Activision Blizzard – rethink your plans for RealID. I want to give you money; I want to play your games. Please make me feel comfortable doing so.

EDIT: I just wanted to add – the fix here isn’t hard. I’m not against RealID; I’m against forcing the outing and display of real names. The fix is a simple one – instead of it showing real names, show a single username per RealID. That gives the accountability you say you want without violating the privacy of your clients, not to mention it avoids putting them into unnecessary danger. Do that, and I’ll gladly renew my accounts. Keep real names in, and I will never be buying another Activision product again.

Lich King Down!

You know, it’s been a long, long time coming, but I knew a change was ‘goin come. Yes it did.

And that, my friends, is how we do it. We opted to keep at it sans buff, not for bragging rights or anything (it certainly wasn’t a server first, by a long shot), but just because hey – this is endgame end-of-expansion-pack content. We wanted to do it for ourselves, to know that we could, in fact, overcome the obstacles as the were initially tuned. As it turns out, we can. ^.^

PAX East Decom.

This weekend, expect –

• PAX East decom post (wih pictures!)
• RB2 DLC update (Hendrix!)
• Ascended Meetup! (tons of fun, and even more beer!)
• D&D Discussion (yes, I’m starting again)
• FFXIII talk (not much, as I’m not far in)
• ROFLcon Anticipation (less than a month!)
• Lich King 10m update (hint: still trying)

and MORE! You’ll see; it’ll be rad.

PAX East Updates; Shadowmourne Quest Progression; 3.3.3 Patch Notes (or, why I still won’t run Occulus).

This just in! According to neowin.net, Nvidia will be unveiling it’s fastest gaming technology yet at PAX East 2010. This event just gets cooler and cooler. Who’s going? I know Averna and I are going, as are about a dozen of our guildies. Straight-up Ascended meetup! Woot! Also, given that I will be hosting a ton of guildies, I will not be registering for the BYOC option, but if you’re interested, I recommend registering ASAP – spots are very limited.

I will be updating more on this as the event gets closer, and of course, I’ll be doing what I can to update what I can about the event itself (though since we’ll be hosting a slew of guildmates, don’t expect minute-by-minute updates).

In other news, I’ve almost completed A Feast of Souls, my current quest in my Shadowmourne questline. After that, next up – a hard-ass kill of Putricide! Seeing as we’ll be banging our heads against Putricide again tonight hoping for our first kill of him on 25-man, I’d say it’s a bit away before we can do it so well we can have me in there messing around with being the Abom to get the debuff for the quest, but I’ll update as we get closer. Wish us luck!

So as I mentioned the other day, Blizzard has released the patch notes for 3.3.3 (though GhostCrawler has stated that they are not 100% complete) and there’s some big changes coming. I’m not even going to touch the massive pvp/battleground changes, ’cause hey, pvp is fun, but it’s not my big thing. I’m on a PvP server because I like the violent nature of it; I like the unsuspecting attacks, I like the “look over your shoulder” feel it gives, but at the end of the day, PvE is where my heart is; I live for the raid, for the group kill, for the exultation of a hard fight well executed. Leave the PvP change reviews to someone who lives and breathes for the PK.

First – some random stuff.

Dungeons & Raids

• Culling of Stratholme
  • Players may now skip the initial introduction dialog to this dungeon once they have completed it at least once.

Classes: General

• Several raid buffs have had their ranges increased to 100 yards, up from 45 yards, to prevent select buffs from repeatedly getting applied and removed during highly mobile encounters. Some buffs, such as paladin auras, totems, shouts and Blood Pact are intentionally meant to have shorter ranges and remain unchanged.

Ok, so we’ve got some simple fixes here that make life a little easier. I’m all for ’em. Bring ’em on. Insert more times that I say “’em”. Onward. As I’m sure you’ve noticed, I care a lot about my Unholy DK (and am at this point just amused by the fact that it’s impossible for a patch to come without a serious change to the spec), so I’ll hit on those changes.

Death Knights

• Talents
  • Unholy
    • Scourge Strike: Now deals 70% weapon damage, plus 12% of physical damage done as shadow damage for each of the death knight’s diseases on the target. The net result should be larger strikes with no diseases present, while maximum damage with all diseases applied to the target should stay the same.

Whoa whoa wait a second there – is that a buff, a nerf, or somewhere in the middle? Well, it sorta depends on what you do. With the physical damage increase, you’re looking at a buff on non-diseased targets. That is to say, if you use Scourge Strike against something right off the bat, it’s going to do more damage post-patch than it does now. This change should not, however, affect much for PvEers, as even though it looks like a nerf at first glance on the shadow damage, don’t forget the shadow damage is directly proportional to the physical damage, so it’s relatively the same thing (an ever-so-slight buff, actually). Both still double dip in the same ratios, and in the end, if there’s a change, you’re probably not going to notice it. If anything, you’ll notice that ArmPen is worth a tiny bit more. Don’t worry about it. In the end, this will most likely be about a 50 dps buff for you. From this post:

Scourge Strike was:

(0.65*D + 676)(1 + 0.75 * 1.43)

where 1.43 is as far as I know the double-dip multiplier for the shadow portion

New Scourge Strike:

(0.91*D + 946) * (1 + 0.36 * 1.43)

Then

1.347*D + 1401 < 1.378*D + 1433

So with these data it’s a clear PVE buff of about 2.3% Scourge Strike damage. However, this doesn’t take partial resists into account. If we do that with the average partial at 4.5% as mentioned earlier we get

Scourge Strike was:

(0.65*D + 676)(1 + 0.75 * 1.43 * 0.955)

New Scourge Strike:

(0.91*D + 946) * (1 + 0.36 * 1.43 * 0.955)

Then

1.316 * D + 1368 < 1.357 * D + 1411

So taking partial resists into account PVE SS damage increases by around 3.1%. If we take SS to be about 23% of our single target damage, it’s a slight boost of a about 0.7%. Rejoice!

There are a ton of Auction House changes, which I’ll go over (read: look at) at some point in the future, but for now let’s just skip ahead to what made me omg wtf nerdrage pissed:

User Interface

• Dungeon Finder
  • The Deserter debuff given to players who leave a dungeon prematurely when queuing via the Random Dungeon option has been increased to 30 minutes, up from 15 minutes. The cooldown for using the Random Dungeon option remains 15 minutes.

Yup, totally wtf pissed.

Here’s the thing – I’m in the camp of people that hates Occulus. Now, before you get all hatin’, raging at me for not knowing how to play, saying it’s easy, saying I can get all those extra badges and the mount, hear me out. I like vehicles. Which is to say, I like 2d vehicles, land vehicles. I think that the Flame Leviathan fight is super cool and fun, I think that while Wintergrasp is poorly implemented and the server architecture can’t handle it, it’s fun in concept and I like the style. 3D drake vehicle combat, however, is another thing entirely. I hated Malygos Phase 3 with a seething passion, and would have opted out of running it at all if I weren’t, y’know, the guild leader (it would have set a bad precedent, not to mention the hit on morale). The display engine just doesn’t cope well with 3-dimensional space, figuring placement not just 360º around you, but also above and below. It’s poorly designed and plays in a way that I do not find enjoyable in any way, shape, or form.

Is it easy? Totally. Can I do it? Of course. Should I have to? NO. I play this game to have fun, and Occulus is not fun, at all. I’d rather not play WoW than run Occulus. I don’t care about Triumph badges, I don’t care about mounts. I have no reason to run it, at all, and it saddens me that because Blizzard decided to make the random daily include Emblems of Frost, I’m basically forced to run one random a day in order to be a dedicated raider.

Currently, this isn’t much of an issue: if it pops, I leave, wait 15 minutes, and try again. But the above change tells me the following. First, Blizzard recognized that they had an epidemic of people leaving Occulus when it popped, so they added some extra rewards for completing it – a few extra Triumph badges and the chance at a mount. Apparently, that didn’t do enough, so now they’re taking the other route – punishment. Blizz is acting like a bad parent, first offering sweets as a reward for finishing a dry meatloaf dinner, and when that doesn’t work, threaten punishment. If you don’t run Occulus when it pops, you don’t get to run anything for half an hour. Ok, I’ll log out and go play Rock Band for half an hour. No skin off my back. At least that’s FUN.

Could I suck it up and run it? Sure, I could. I mean, it’s quick and easy, right? As I told a guildie last night, so’s your mom, but that doesn’t mean I should jump her bones. Not. The. Point. I play this game to have fun. I play this game because it IS fun. I like the grind, I like the options, I like the playstyle; hell, I’m working on Loremaster for my freakin’ Death Knight, and even though it’s tedious as all hell, I’m enjoying it a lot. Occulus does nothing for me, and I resent being extorted into running that 15-minute facepalm just because Blizzard can’t admit/accept that it’s terrible. They did as much already when they added the extra rewards for it; I’m sorry that wasn’t enough. You know what would be enough? Give us a one-minute pre-combat “grace period” upon entering an instance to leave it. Yes, you’d see people leaving groups because their teammates aren’t in T10 – I consider that an acceptable rarity, or at least an acceptable option vs punishing people who refuse to waste their time because Blizzard can’t accept that they made something that sucks.

I’m not saying it should be abolished; I’m not saying it should be removed. Shit, some people like it. You may enjoy it, and if so, kudos – I’m fine with that. Everyone is different (no two people are not on fire). But now Blizz wants to see if people will log out for half an hour when their RNG gives them that joke of a run?

You bet your ass I will. I’m just going to do so while being even more pissed that in order to be a progressive raider, I have to run content that I beat over a year ago *every day* and subject myself to the chance of that abortion of an instance or a half hour penalty? The damn things never should have given Emblems of Frost in the first place. I don’t see them changing that anytime soon, though, so I die the little death inside.

Now, again I recognize – some people really like it. I also know that a lot of devs put a lot of time and effort into it, and I respect that. The existence of the instance doesn’t bother me; the fact that I’m going to be penalized for half an hour for not wanting to run it does. I could just not do the daily random, but again – then I’m losing 14 Emblems of Frost a week, and for a serious raider (especially an Unholy DK, that needs all five pieces plus the cloak – 455 Emblems total, unless I get lucky in VoA), that’s a lot.

So that’s why I hate this change. Weak, Blizzard, really weak.

So what are your thoughts on the change? Like it? Hate it? If you’re civil, I’m down for a discussion. Whatcha got?

GameFly; Boss Kills; 10-man vs. 25-man.

Holy smokes, it finally shipped!

I love GameFly, I really do. I even had a clever plan with them – keep my queue insanely small, and they’ll be forced to send me the games I want. It worked up until now. This time, Bioshock 2 was the only game in my queue for two weeks. Looks like they will not, in fact, just buy another copy to fill the demand. All is good now, though, for they have finally shipped me a copy, and I should have it by Monday. I look forward to revisiting Rapture next week.

If you’re in Cambridge tonight, you have the chance to see me in rare form, which is to say out and about on the town instead of sequestered away in my office, working on Loremaster on my Death Knight. I will instead be at TT the Bear’s, greatly enjoying the music of The Luxury. Freakin’ awesome Brit-pop-rock band from Boston, winners of the 31st annual Rock and Roll Rumble, totally awesome ninja robots that breath lava while they play and more badass than Chuck Norris after he beheaded the Highlander. No, really. Check it out.

Some new Kill Shots/Achievements up – check em out.

Aeman (one of my guild‘s two raid leaders – trust me, they make it work well) has been working on an off-official-raidtimes 10-man Glory of the Icecrown Raider run for a few weeks now, and we’ve been making some steady progress. I’m quite excited about what’s to come. So far, the fights haven’t been too tricky; I’d say just enough for a 10-man run, enough to make you work for it. Averna and I were talking about the ease of 10m vs. 25m last night, and I’m of the mind that it’s not so much that the 10m runs are easier, per se, but rather that there’s less to carry, less confusion, and each and every member is important. On the one hand, that puts a lot more pressure on each raid member, but on the other, that’s a lot less chances to mess up; it narrows the margin of error by 15 players, and that’s a lot of confusion removed. Someone died? It’s pretty easy to notice, and probably pretty easy to get a battle rez up (it’s not like you have five druids in the raid – well, you probably don’t).

Thing is, with 25 people, someone’s more likely to mess up, someone’s more likely to need to be carried, and in some 25-man encounters, people can’t be carried. Everyone has a job, and they need to perform it flawlessly or everyone dies. That’s just how it goes sometimes, and I think that just becomes more apparent when there are more chances/people to mess up. 10 man runs aren’t inherently easier, they’re just easier to manage. I guess my point is, no hatin’ on those who push out 10-man runs/kills/achievements – they’re working just as hard as you are at them. They just might be working harder than the weakest link in your 25-man, and that can be the difference between a kill and a wipe.

This just in! Patch notes for 3.3.3 just hit, and boy am I pissed about some of it (just some, though – some is sweet!). Next post will cover what I think; stay tuned and see you soon!

How the Blizzard Authenticators Work (and why you want one)

We interrupt your regularly scheduled blog for a Public Service Announcement. This is a post I put up on my guild forums a while back, but with the recent report of a supposed account hack to an authenticator-enabled account, I figured I’d repost here for mass consumption. In regards to the above link, I’m calling BS until I see more about it, and this post should explain why I feel that way. I’m far more likely to believe that the account was compromised by some manner of social engineering (be it a Blizzard look-alike phishing site, an irl “friend” theft, a shared account, or some other manner – any and all of which involve user error) than I am to believe that one of the most widely-considered secure systems in the world, used by banks, casinos, credit bureaus, government agencies, and high-profile data security firms has been circumvented by Chinese wow hackers to be used for in-game gold theft rather than, say, nearly any other possible use of such technology/cracking ability. I just don’t buy it. Read on, and be informed.

——————–

How the Blizzard Authenticator works, and why it improves security.

=================NEWSFLASH==============
The Blizzard Authenticators are once again in stock!

Click here for orders in the United States
Click here for orders in Canada, New Zealand, and Latin America

==========================================

On 26/06/08, Blizzard announced the Blizzard Authenticator, a device that provides your WoW account with an extra layer of security. They sell this device in their Blizzard Store for $6.50. You may consider buying it, but is the extra security really worth the money? How much more secure does it make your account? This post will explain how this device works, and exactly why it makes your account more secure.

===How the authenticator works===

The Blizzard Authenticator is a token that you can put for example on your keychain. It has a little display that, once your press the button will generate a 6-digit number that changes every minute.

This number is used as a 1-time password. This means the password is only valid once. When you use it to log in, the code becomes invalid and any hacker trying to access your account later with the same number won’t be able to log in.

A hacker wanting to access your account will now, in addition to keylogging your username and password, have to physically break into your house and steal the authenticator to see what number it displays. But hackers are clever people. Isn’t there any way for them to know which number the authenticator is going to display? The answer is no, and here’s why.

Every authenticator has a little built-in clock. This clock keeps track of the number of seconds since, for example the WoW release date, Tigole’s birthday or whenever. Each authenticator also has a unique key, which it uses to encrypt this number of seconds into what looks like a completely random number. There is no way, without knowing the encryption key, to guess what number is going to be displayed at any point in time. Even if the hacker has all the numbers you entered before, he can’t extrapolate that into what number will be showing next.

The hacker also can’t hack into the device itself to find out it’s key, because it doesn’t connect to the computer in any way. Even if the hacker were the mailman who delivered the authenticator to your house, he would have to open it up and extract the hardware that contained the key. These devices are generally tamper-resistant and will purge themselves when opened.

So, if the hacker can’t know your 1-time password, how is Blizzard going to know? The difference is, Blizzard has the key for every authenticator they made. When you log in, blizzard looks up which authenticator is associated with your account, and finds the matching key. They then use this key to decrypt the number you entered into the number of seconds the authenticator has been counting. They then verify that this number matches the current time.

Even if the time on your authenticator doesn’t exactly match the time on blizzard’s server, they still allow you to log in within a minute or so of the defined time, just in case the clock in your authenticator is running a little slower or faster than normal. This still does not allow hackers to use the number from a minute ago, because when you log in successfully, that number is then disabled and prevented from being used again.

If you still think someone may eventually find a way around it, this security measure is used by businesses and government agencies around the world to provide security, and they have a lot more sensitive information to guard than the login information to a WoW account. One of my good friends, who is a VIP services lead at Mohegan Sun, saw me log in once and went “wow, *I* use one of those to get into secure areas at work.” This is a tested method that has proven itself to be secure.

===Is existing security not already enough?===

While the authenticator provides an extra security layer strong enough to make your account virtually unhacklable, you can already secure your computer a lot. Is the authenticator really needed?

If you’re running Firefox with Noscript, Flashblock, adblockers, 5 different virus and spyware scanners, a NAT router with it’s ports strictly regulated, using Linux/MacOS X or another operating system, and other security measures I can’t think of at the moment, you are probably really secure. The danger is hackers finding a new way to enter your system that isn’t being guarded yet. Until the vulnerability is patched, or instructions to disable the exploited software are issued, you could potentially get infected with a virus or other malicious software during that short time. The more security measures you take, the lower the chance you will be vulnerable. But security is an ever-changing thing. You have to keep things up-to-date constantly in order to stay secure.

Using an authenticator is completely optional, but it does solve the problem by taking another approach. Instead of preventing keyloggers from getting onto your system, it makes you virtually immune to them. They can try, but with a login code that is always changing logging your keystrokes won’t be any good.

If you wish to better secure your system without buying an authenticator, instructions are given in stickies on the WoW forums, links to which are provided at the end of this post.

Then there is the issue of cost. Blizzard is offering these for $6.50, but should they? It would be a lot better if they provided them for free right? Well, I doubt Blizzard is making money on these. The manufacturing and distribution of these tokens costs them money, and $6.50 is actually pretty cheap. Market prices for these devices can be around $50.

I myself have been playing for over five years, so that’s roughly $900 this game has cost me already, and I’m not even counting the money I payed for the original game and the expansions (or my second account, or name changes, or transfers). I’m not going to mind another $6.50, especially since it provides me the peace of mind of never risking account theft. I purchased one the day I took Guild Leader, because the security and safety of my guild is far, far more important to me than $6.50 or the three seconds extra it takes me to log in every day.

As an aside, there are to date no known account hacks¹ to an authenticator-enabled account. There’s really no reason not to have one.

===More Information===

If you wish to learn more about this authentication technology, most of the information for this post was obtained from the Security Now podcast. All episodes are freely available for download on http://www.grc.com/securitynow.htm. Transcripts are also available. The particular episode that deals with the authenticator technology is #90: Multifactor Authentication, the part which covers some of the information above starting 20 minutes into the episode.

===Useful Links===

Buy the Blizzard Authenticator:
Unites States
Canada, New Zealand, Latin America

More information about the Blizzard Authenticator:

Support page: http://us.blizzard.com/support/article.xml?locale=en_US&articleId=24986]http://us.blizzard.com/support/article.xml?locale=en_US&articleId=24986
FAQ page: http://us.blizzard.com/support/article.xml?locale=en_US&articleId=24660]http://us.blizzard.com/support/article.xml?locale=en_US&articleId=24660
Activating your authenticator: http://us.blizzard.com/support/article.xml?locale=en_US&articleId=24987]http://us.blizzard.com/support/article.xml?locale=en_US&articleId=24987

Links for securing your system against keyloggers (no authenticator required):

Protect your PC guide: http://forums.wow-europe.com/thread.html?topicId=273198555]http://forums.wow-europe.com/thread.html?topicId=273198555
Avoid getting hacked: http://forums.wow-europe.com/thread.html?topicId=102690401]http://forums.wow-europe.com/thread.html?topicId=102690401
Account security: http://forums.wow-europe.com/thread.html?topicId=35983697]http://forums.wow-europe.com/thread.html?topicId=35983697
How to recover a compromised account: http://forums.wow-europe.com/thread.html?topicId=17191745]http://forums.wow-europe.com/thread.html?topicId=17191745

*this post shamelessly stolen/paraphrased from Ysgarth. (I’d link directly, but I honestly lost the original)

Not only does having an authenticator save you trouble, it saves your guild leader trouble. You see, every time a member gets hacked, each of their toons steals items/money/whatever they can get from the gbank. When the hacked accountholder goes through their restoration process, GMs only help with THEIR account. The gbank is considered to be an extension of the Guild Leader’s account/responsibility, and as a result, *they* have to put in a ticket, too. This makes GLs like me die the little death every time.  Don’t make us pay for your negligence!

¹Again, a unsubstantiated report arises now and then, as I mention above. Until I see an official report from Blizzard or some tech industry standard saying keyfobs aren’t as secure as we thought, I don’t buy it – the science just isn’t there. Most importantly, though, it is still important to remember that although authenticators do, to the best of our knowledge, make your account hack-proof, they do not, in fact, make them doing dumb stuff-proof. In order to have your authenticated account compromised, you have to fall for a phishing/fake site; you have to give your account info/keyfob/unused current number out to someone; you have to be gullible enough to do exactly what Blizzard has said to never do – NEVER GIVE OUT YOUR INFO. Never! Don’t enter your account info into a linked site, ever. Go to what you know to be the real login site, always. Don’t tell anyone your account name, your password, your keyfob serial number, anything.

I’ll repeat – never trust another player, and never trust a link. Ever.

And get an authenticator.