Symantec notes a new Trojan horse, "PWSteal.Wowcraft", that steals World of Warcraft passwords and emails them to the author. Security guru Bruce Schneier notes how this business of stealing imaginary things seems to be part of a growing trend. Thanks to TN friend and virtual worlds scholar James Grimmelmann for the tip.
In related news, David Long of Gamer Dad has some thoughts on the recent EQ II Dog Dupe story that, if credited, apparently netted the wily Methical somewhere upward of $70K. This was reportedly well spent on a trip to Paris. Note that Methical, like Julian, does have some pangs of conscience:
"P.S. Sorry for ruining the economy and all that."
Robert Morris, on the other hand, didn't really understand what he was doing. How long until we see decisions applying the CFAA to virtual worlds?
I’m not up on hacking laws but I thought that, under UK law, this might not just be illegal but potentially terrorism.
From The Register (http://www.theregister.co.uk/2001/02/20/hackers_are_terrorists_says_uk/)
“…under the banner of cybercrime, hackers have also been written into the definition of a terrorist. Anyone who tries to "seriously disrupt an electronic system"”
Stealing and changing passwords is disruptive of the system – tick.
“with the intention of threatening or influencing the government or the public”
MMO players, that’s the public – tick.
"a political, religious or ideological cause"
Hating fricking elves is an ideology in my book – tick.
So, it can be terrorism then.
Posted by: ren reynolds | Aug 10, 2005 at 10:36
I'm increasingly convinced "stealing imaginary things" is really just an old phenomenon with a new face. In a sense, most exploits and scams look a lot like garden-variety financial-instrument fraud. Thus, if I steal your WoW password and loot your account, it's not all that different from stealing your checkbook or ATM card and looting your account. If I find a dupe bug and start minting money, it's not all that different from presenting forged checks.
Both of these are, in a sense, the theft of something "imaginary" -- all you're doing is acquiring something that will convince someone else to do something for you. But when you negotiate that check or sell that Bone Crusher, you've then equally converted the imaginary/virtual item into "real" money.
Posted by: James Grimmelmann | Aug 10, 2005 at 10:53
>I'm increasingly convinced "stealing imaginary things"
A password is only imaginary until it’s recorded somewhere; if this virus is taking passwords from a hard drive, then they are recorded, so they are not imaginary. Or am I imagining this?
Posted by: ren reynolds | Aug 10, 2005 at 11:16
...if I steal your WoW password and loot your account, it's not all that different from stealing your checkbook...
From Symantec's description, the mechanism seems applicable to other frauds, just so happens to be customized to the WoW one in this case:
5. Attempts to initiate a keylogging process upon finding windows associated with "wow.exe", "Launcher.exe", "www.wowchina.com" or "signup.worldofwarcraft.com".
Posted by: Nate Combs | Aug 10, 2005 at 13:39
JG> I'm increasingly convinced "stealing imaginary things" is really just an old phenomenon...
Quite right -- it is very much not new in form or substance. Automated password theft always reminds me of the Chaos Computer Club. And stealing game play time is not exactly a new concept either -- kind of like sneaking into a movie theater.
The thing that is kind of novel is the damage question. Steal 70K from a bank, and someone has 70K less. Sell 70K in duped loot to players and get banned -- have you really caused 70K in damages? How would you best calculate the damages? I think that's what the "imaginary" is pointing to...
Posted by: greglas | Aug 10, 2005 at 21:19
The whole "virtual" thing is what gets people interested.
Qiu Chengwei, that guy in China who killed his friend over a virtual sword got life imprisonment for the fairly ancient crime of murder, but it's reported in the West only because China has no law that covers the ownership of virtual weapons. I'm sure there are some people out there who are going to think the murder was committed with a Dragon Sabre...
Richard
PS: Technically, the guy wasn't given life imprisonment, but a "suspended death sentence". Sounds like a polite way of saying they're going to hang him.
Posted by: Richard Bartle | Aug 11, 2005 at 02:49
I'm waiting for the first, true, MMO Ponzi scheme.
SW
Posted by: Steve Williams | Aug 11, 2005 at 09:31
Yep -- this was close, but the "author" apparently didn't cash out on it. :-) This seems close too, but it wasn't virtual worldy enough...
Posted by: greglas | Aug 11, 2005 at 10:21
Steve Williams wrote:
I'm waiting for the first, true, MMO Ponzi scheme.
Not sure if this qualifies, but what about the player hierarchies from Asheron's Call? Money wasn't involved there, but my understanding was that it was essentially a Ponzi scheme in the same way Amway essentially is (please don't sue me for saying that, Amway. I was only joking! Sort of.)
--matt
Posted by: Matt Mihaly | Aug 11, 2005 at 15:53
As I understand it, AC's allegiance structure was designed directly from the influence of the structure of Amway and other MLMs. It's not a Ponzi scheme as such though, in that it doesn't depend on the "greater fool" theory for continued operation. Now if you created a scheme whereby everyone gave 100K gold to the person on the top of a list and added their name to the bottom, you might have something. ;)
Posted by: Mike Sellers | Aug 11, 2005 at 17:13
James Grimmelmann> I'm increasingly convinced "stealing imaginary things" is really just an old phenomenon with a new face.
Sounds pretty much like the Supreme Court of the U.S. agreed with you. Their opinions in the Grokster case (as noted here on TN) focused on the action and intent. The mechanism (P2P technology) and the fact that the property in question was just ones and zeroes were basically dismissed as irrelevant; the ones and zeroes were treated as a copyrightable expression of art -- in effect, ones and zeroes are real property.
Next question: Would the Court have held otherwise if those ones and zeroes weren't stored in a file, but were dynamically held in a database?
Is that still real property, and are actions touching that property therefore subject to all the case law and statute law regarding real property? ("It's in our database, so it's ours and you're a thief or worse if you do anything with it other than what we say is OK.")
--Bart
Posted by: Bart Stewart | Aug 11, 2005 at 20:16
If you dupe $70k in loot, you almost certainly have actually caused $70k in damages because the developers will react like EQ and cause the duped loot to vanish. Then your customers end up holding the bag, out their very real money without any ingame item of value to compensate them for it.
Posted by: Patrick McKenzie | Aug 15, 2005 at 11:40
Patrick McKenzie> If you dupe $70k in loot, you almost certainly have actually caused $70k in damages because the developers will react like EQ and cause the duped loot to vanish. Then your customers end up holding the bag, out their very real money without any ingame item of value to compensate them for it.
Okay, let's assume that's true -- if the devs decide not to delete the stuff (for whatever reason), is there any damage in that case?
Posted by: greglas | Aug 18, 2005 at 15:06