
July 9, 2010


Some things about RealID

I will not explain the recent deal with RealID itself, as there’s probably about a hundred or so posts on this topic, and if you’re reading this, I’m pretty sure you already have an opinion on it. I’ll talk a bit about all the side issues that popped out with it.

Evil addons are stealing my name and Battle.net account ID!

It started on forums, was reported by wow.com, and by the time you blink it’s all over the bloody place. I’ve even seen this one in one place I would never expect it – on Tobold’s blog. I know he’s not a bad guy (and neither are the rest), and I was really surprised to see him release such crap on the net. I have no idea why. However, he did, and as in every FUD, there is some truth in it – let’s take it apart then.

There is no magical way for any addon to show you real names of other characters on mouseover. This can happen only in two instances:

  1. The character is already on your RealID friends list (in which case you know that name anyway, duh). Note that this is only your own friends list, not the one you could get from the “friends of friends” feature – that one doesn’t have character names included at all, even if the person in question is online and right beside you on your screen.
  2. The player behind the character somehow transmitted his real name to you, so your addon knows his name.

So, let’s talk about the second instance, since the first one is obvious. There is indeed a vulnerability in which you can let some addon get your real name. If an addon gets your name, it can transmit it to someone, and you won’t even know that it happened. I won’t go into details of how it works – if you know about how addons work, you can figure it out by yourself, and this itself is not very important here.[1]

What is important are these things:

  1. To learn my real name this way, I have to have a suspicious addon in my own addon folder. Now, the question is, why would I have something like that? I download addons only from respectable sources like WoWInterface or Curse, and I’m pretty sure that the authors of Grid or Auctioneer won’t risk putting malicious code in their work. So as long as you’re downloading well-known addons from well-known sites, you can be pretty sure that you’re safe.
  2. It is also technically possible – I guess – that someone will hack into my laptop (or that I get some trojan from a website, or something like that) and alter some addon to include malicious code in it. Again, why? Just put a bloody keylogger there and get my account ID, password and authenticator code all at the same time, it’s easier. And you can defend against this in exactly the same way as you’re now defending yourself against keyloggers.
  3. As for my Battle.net account ID, this is simply impossible. Yes, I used my friend’s email to add them to my friends list, but this email is not stored or displayed anywhere, and there’s no way at all for an addon to get hold of it.

To be exactly sure that you’re safe, I suggest you download one of these addons – BlizzBugsSuck or BNIsNotSelf. Both of them will block any attempts of addons trying to use this exploit and will tell you which addon tried to do nasty things, so you can delete it right away.

You could also use the solution that Tobold is suggesting in his post, namely enabling parental controls on your Battle.net account and disabling RealID altogether. However, because this will remove all your friends from the ingame list, I’ve opted not to do so, as I like the ingame thing a lot. You can safely enable both the parental controls and keep RealID enabled, which is what I did.

The last words on this are – watch what addons you’re downloading and where from, or at the very least use the fix. Not sure if an addon is okay? Don’t download it. Not sure if this “new and improved Grid666, a replacement for Grid/Healbot/Decursive” is okay? Don’t download it. Curse/WoWI are laggy, and you just happened to find a mirror of AtlasLoot on some site you’ve never heard of before? It’s a trap. In the end, it’s your PC and your hard drive, you’re going to be the one responsible if you happen to download something bad onto it.

The responses.

Rather than talking about the changes themselves, I’d like to take a look at the responses it provoked on the blogs and forums. From the mild ones (“I’m not posting on forums now, so I won’t post on them anyway”), through conspiracy theories, to extreme cases like some Gnome cancelling his account. Gnomes, I tell you, they’re crazy and dangerous creatures. One of them, that small one with pink pigtails, even said she can delete me! Anyway, where was I…

I kind of admire Gnomeageddon for making a stand in this way – even though I realize that he loses absolutely nothing by doing it. Blizzard won’t delete his stuff anyway, so he can resubscribe later if he wants to. Some reactions however are just over the edge – like a blogger deleting all of her WoW related posts on her blog in protest. Now, I’ve never read her blog, so I can’t say what was there, but it seems like a bit of an overreaction. I wouldn’t delete stuff that could be possibly helpful to someone. So, it’s a strange way to protest, and given that Blizzard doesn’t really seem to care about blogs, it mostly hurts the blog readers that have done nothing wrong.

Some apparently don’t mind it too much – this being mostly the people that have their names known anyway, like Turpster or Big Bear Butt – so they don’t care much for this change at all, even if they’re not really agreeing with it.

There’re also responses that you could expect from 4chan and other crappy sites like that. Browsing through blogs, I’ve found one that openly lists personal information of Blizzard employees – information some moron with a keyboard, Google and too much free time found by looking up their names. Protesting is one thing – and completely okay, but shit like that? No way, that’s why I won’t link to it. I did report it to their hosting service, and I had to lie in the support form that it’s my name and personal details that are there, even though I’m in no way a Blizzard employee. Hopefully they’ll check it anyway.

My own response.

I don’t really like the forum change itself. It feels too much like an experiment, and I’m not really sure that I’d like to be paying to be a test subject. It’s a very interesting experiment, mind you, but an experiment nonetheless, and I don’t know if it will fail or be a success. I know that it could be done in a different way, like a permanent nickname that you set up for your Battle.net account and sign all posts with that – like they’re proposing with our names, but without all the privacy issues.

I don’t actually care that much about the change, though, as I very rarely post on official forums anyway – so don’t expect any big protests from me. I use the RealID ingame communication feature to talk with my friends cross-realm, and I still like the game and what they’re planning for Cataclysm.

Would I post on the official forums under my real name? Probably not. Unlike Gnomeageddon or Hatch, I don’t have a boss that would give me the bad eye if he knew that I play games after work, and my name is already connected to some anime stuff I’ve done in the past. Even so, I still post here and on the WoW blogs as Saithir – and I would prefer to do so on the official forums as well, because it would keep all my thoughts and opinions under one name. Using my real name for one of them is not helping with that, unless I use it everywhere, and that’s not going to happen.

For now, I’m going to sit tight and watch how the situation will evolve. I hope they won’t go through with the real names idea, and implement the new forums with permanent nicknames instead. We shall see.

FOOTNOTES
1.  It’s still a bug, though – something that Blizzard overlooked. I expect this will be fixed.

1 Comment
  1. Jul 9 2010

    Thanks for the pingback, I have now redacted the reference to addons being able to broadcast your information.
