Security breach!

You’ve probably heard about the peeps suing Blizzard over the authenticator thing. If not, WoW Insider has a pretty good summary.

At first I was amused. Well, of course Blizz claims the case has no merit! The suing law firm could have pictures of Metzen on the Grassy Knoll with a rifle in his hand, and they’d say that. So, SHOCK, right?

Then you look at the suit itself and things start to pop out.

After reviewing it, I have come to the careful conclusion that Carney Williams Bates Pulliam & Bowman are, collectively and individually, full of shit.

Now, this is notwithstanding Blizz’s own response, which pretty much sums up a fair answer on the topic of how they responded to the data breach earlier this year. I also love this bit:

"…and we will vigorously defend ourselves through the appropriate legal channels."

Heh. In other words, CWBBPB are a bunch of grandstanding losers that are trying to run this case through the press in the hopes of getting some sort of useful publicity.

But in case anyone out there feels like a "victim" and thinks that CWBBPB make a good point about "forcing" you to use an authenticator, let’s set the record straight.

Blizzard’s login security does not require an authenticator.

It requires two things – an email address, and a password. This is the same thing you get from Twitter, Facebook, Google (who also recommend two-part security, FWIW), MSN, and so forth. 

Maintenance of that password is your responsibility.

The same as it is with Twitter, Facebook, Google, MSN, and so forth.

Maintenance of your own security is your responsibility.

The same as it is with Twitter, Facebook, Google, MSN, and so forth.

The need for an authenticator is dependent on your own security, not Blizzard’s.

As far as I can tell, we’ve had exactly one breach of the account servers since WoW’s inception, and that was in August of this year. (Searching Google for this sort of thing generally fills your page with PSN server breach info, unless you restrict the search to this year, because Blizzard generally hasn’t had problems in that realm and seems to take it pretty seriously.)

No, authenticators are designed to mitigate (not solve) problems with users not following proper security protocols.

  • Using the same password for all your accounts everywhere. All it takes is some bozo to hack Twitter – and Twitter to not inform you – for that bozo to get your WoW password as well.
  • Not using antivirus software. Come on. If you’re on Windows, it’s free, even for XP. Microsoft’s "Defender" software is highly recommended, it’s lightweight and fairly unobtrusive, and it’s completely free of charge. There is no excuse. And don’t tell me you have nothing to fear from viruses. Just don’t.
  • Visiting websites of questionable reputation. I’m not talking about porn here, or torrent sites, or zero-days, or anything like that. Well, okay, I am, but only inasmuch as purveyors of Trojan viruses will use the porn, torrents, and warez to get you to click something and then hit YES when the dialog comes up. This is probably the greatest threat out there, and anti-virus software can only warn you. If you don’t listen, and grant some crusty software from a porn site full access to your system, you’re getting pwned, and now. Say hello to my little friend "keylogger".
  • Not using multi-user security on a multi-user system. Sure, it’s a family computer. But Microsoft provides many tools for keeping YOUR stuff out of Junior’s hands. Oh, sure, he’s an angel. And he’s not downloading "free" software, surely. (insert sarcasm emotes here)

I’m just scratching the surface here.

Point is, the vast, vast, vast majority of account breaches are because you, the user, did not follow protocol, or got some bug somewhere, without knowing it.  The authenticator is as much protection against YOU as it is the bad guys.

All this is to say

If this lawsuit has given rise to a nice, warm sense of entitlement, I want you to reach out, put your hands around its neck, and choke it in its sleep. It’s not for real. It’s like one of those pod people in that movie. It will consume you and return nothing back.

Nobody is forcing you to use an authenticator. Nobody. Well, maybe your GM wisely requires an authenticator for access to the guild bank. But that’s the GM being properly cautious since she can’t control where everyone sticks their noses, as it were.

But the authenticator is not intended as a replacement for Blizzard’s security or your own. It’s a safeguard against YOU at your worst. If you have impeccable security practices online, never have virus issues, use strong security all the time, you could probably get away with not having one. I, however, am not that good, and am glad for the extra bit of protection.

Posted on November 13, 2012, in Blizzard, Hackity Hackity Hack, Meta, Nobody likes a smartass.