The Gaming Police

Howard County Sheriff’s Department have been on the hunt for a drug dealer for a while, but lost track. The dealer skipped the country to hide in Canada. He made a mistake though — he chose to play World of Warcraft. Someone told the police about his online gaming habit, and they sent a Subpoena to Blizzard, requesting any information they had about the dealer in question.

Something interesting happens here. Maryland police has no legal juridistiction to subpoena things from Blizzard (situated elsewhere). The subpoena is more to be seen as a kind request for information. Months passed, and eventually Blizzard provides a chunk of information. Among others, the police gets an IP address that can be located and used to coordinate an apprehension together with Canadian police.

There have been plenty of reactions to the story, with comments like “if you don’t fancy prison life, you shouldn’t be selling drugs”. This is some form of the “if you’ve got nothing to hide” argument and thus misses the central problem of it all. You get caught on a quite common, but still quite false, line of reasoning that equates the possibility with the action. The problem here isn’t the action itself, it’s the possibility; not the result in itself, but the span of potential results that are made possible by the action as it is.

Let me explain that further. When the police nicely asks for information this way, Blizzard ends up in a problematic position of power. The company now has to take a moral position and in principle act as an authority of law. Maybe this had been a clear-cut case if we had been dealing with something that was illegal everywhere, and which everyone agreed constitutes an illegal and immoral action, like violent crimes.

Now it’s about the war on drugs. Regardless of how you feel about narcotics, you have to realize that laws about them are different in different parts of the world. So, now it’s suddenly up to Blizzard to decide if these sorts of laws also apply in the virtual Azeroth, regardless of where the people playing are in the world, or relative to where the police who’s asking the question is. Has Azeroth signed an extradition treaty with the United States of America?

In and of itself, it’s not a major problem, but the fact that Blizzard doesn’t answer “no” to any such requests as a policy is somewhat dubious. It opens the door for enforcement of any law in any country around the world — in the online world.

This is what I mean with that the possibility is the problem, not the specific action in the case at hand — what happens when Chinese authorities want some information? There are a whole lot of Chinese World of Warcraft players out there. Is that request equally much ok? The matter could concern different crimes there, and most of us agree that it would be less than pleasant if all the laws from all countries could potentially be applicable online, internationally. Is the next person who hides in Canada a Chinese dissident? What will Blizzard’s decision be in that case?

Of course I realize that Canadian police may not be very helpful when it comes to the Chinese government wanting to hunt dissidents, and that it’s very likely that Blizzard would take a different decision in that case, but there are issues in the decision to hand out information that are decidedly unpleasant, regardless of if you find the effect in this specific case upsetting. It’s a path that doesn’t look brushy, but leads deep into the djungle undergrowth.

Image credits: jluster.

Beta Comics

I want to share Azarimy’s Battlefield: Bad Company 2 beta comics with you. They’ve been posted on the EA UK beta forums, but not really had the recognition or attention they deserve. It’s an amazing feeling that we’re not just making a game, but also inspiring other creative art like this.

My respect to Azarimy for some awesome comics, and my gratitude for his permission to share them with you here.

Awesome stuff. Azarimy’s got more coming, so if you like them, head on over to his thread on the forums. And on that note, I wish you all a happy new year.

(I’m a ninja, I’m a ninja, I’m a ninja, I’m a ninja!)

Wordpress image upload bug fixed

When upgrading my blogs to wordpress 2.9, I found that the image upload broke. After some fiddling around I managed to get a proper error message out of it, I managed to track down the error to the file wp-admin/includes/file.php, which used a ctype_ function that, for some reason, was disabled on my php version.

Funnily, the exact same bug has apparently been a problem on wordpress before, on version 2.5, in a different file.

Anyway, I fixed the problem. If anyone wants the fixed file, here it is:

Download file.zip

Download the archive, unzip the file.php inside and replace the one in your wp-admin/includes folder with it.

Building an Awesome Sound System

One of the reasons I’ve not been writing here much lately has been us buying and moving to a new house (that and the crunch time to get BFBC2 shipped, in which I’ve ended up in a crucial role).

As we are finally getting a bit settled in (at least the living room is free of boxes now), I’ve started thinking about a new audio and video setup for the entire house.

One thing I’m missing about the apartment we moved out of is my sound system that covered the entire place — living room, bed room, kitchen, even bathroom. The whole thing was a DIY thing involving two amps, a partially broken speaker selector, lots of wiring and speakers everywhere. I could select what rooms I wanted music in, which was awesome, but it had its issues. One thing was that there was only one input, so if one of us watched a movie there was no way to listen to music in another room, another that… well, there was lots of wiring.

The house is a much larger space, and with it far longer wires to put up all over the place. I’m going to install a wired network that covers the place, but I’d rather not install any more wiring. Still, I’m going to want to send video signals from the digital TV box to the new TV in the bed room, which I might solve with a Slingbox PRO-HD and SlingCatcher, which seems like a cool combo with a bonus of access to my TV anywhere — if I can only figure out if it’ll work to remote control my box or not (my cable TV provider is probably Sweden’s most hated company not involved in public transport – com hem).

The audio setup is a different problem — I want a system which can play music from my media server in any room I’m in, can sync music in several rooms at once and which can also play audio from a separate input (like have the audio from a live music DVD on the PS3 on in several rooms at once). That last one seems to be tricky to pull off…

I’ve looked at several network media players, but most seem content at simply streaming media from a computer to a home entertainment system. Sonos S5 ZonePlayer seems like a popular geek choice, but sadly doesn’t do an external input (like my PS3).

The Logitech Squeezebox series seems to do (almost) what I want, but the component I’d need for the living room, a Squeezebox Transporter has some drawbacks. First of all, I can’t seem to figure out if it can stream its digital input out to other squeezeboxes — a make or break feature for me, but hardly mentioned out there on the ‘net. Second, the price tag! Holy crap, $1999? I’ll be upgrading my audio equipment, but I’m not really an audiophile of a class that needs that kind of equipment. It’d easily be the most expensive piece of equipment in the set.

I could even consider building my own system from scratch. It’d be kind of cool with a compact computer hidden away in each room, and a touch screen display system to interface with the thing. It’d probably end up cheaper than the Squeezebox option, but with a lot more work involved. Fun work, but frustrating at the moment as I don’t really have the time needed. If there’s a cheaper product out there which satisfies my three demands above, I’m a sale waiting to happen.

Do you know of any good network media player systems that fit the bill? Or do you have any experience with systems like that, good or bad? Please share any knowledge you have in the comments. I would also be happy to hear from anyone with experience of the Slingbox products.

Web Form Verification for Dummies

The standard method for interaction with computer applications has gone from being the command line to being the native GUI, to being the web form. We were awesome at verifying input when it came from the command line — that was simple. Then we were kind of ok verifying input in the native GUI, although quality varied a lot more.

Now we suck at verifying user input from web forms. The current state of code that verifies user input has both managed to take us back to the kindness of the command line when it comes to freedom of input and manages to check all the wrong kinds of things. Why is it so hard to write these checks? I suspect because people don’t really think much about them, and I bet there are more interesting things out there than to write user input verification.

These problems aren’t some beginner coder errors either — they’re rampant on even the biggest sites out there like paypal.

The most common field to get me snared is the phone number field. In 99% of all cases, the site assumes that all phone numbers in the entire world are formatted like US phone numbers. Not, as one could imagine, because I’m claiming to live in America — I clearly just told the site that I live in a European country. So anyway, inputting my actual phone number causes an “invalid phone number” error. Not that there is any mention whatsoever on the site about what the correct format of a phone number is (there are, in fact, even several ways of writing a US phone number).

This sets off a wildly unamusing guessing game of how to “convert” my phone number into a format the site will accept. This practice often costs the sites money as I end up giving up and going somewhere else, frustrated and unable to make a simple online purchase that didn’t really require that phone number anyway, did it?

Passwords

Another highly amusing game is the one where web sites try to force users to choose “secure” passwords by enforcing the formats of passwords. “You must have at least 6 characters, with at least one letter and one number”. Sounds good, except in general these passwords are restricted to only contain letters and numbers. Hold on, isn’t it common wisdom to include at least one non-alphanumeric character in a secure password?

As such, out of my set of passwords, the only password which tends to pass most password verifications is my least secure one. The idea that you could fix a social problem through technology is somewhat funny anyway — “password1″ is not more secure than “password” in any way that really matters.

The same thing applies to the old trick of forcing your users to change passwords every month. This can have two potential outcomes — users append a counter to the end of their password, and increment it every time they are forced to switch, or they keep a post-it note taped to their monitor with their current password. Neither outcome is a net gain in terms of security.

Some sites even let the user set a password which is then considered invalid when the user tries to log in (ebay, for instance,  has done this) — causing a prompt for a new password and much annoyance.

Format wars

Parsing stuff is what computers are good at. So forcing me to input something in a strict format is always a loss. Either separate the fields and force me to select the individual parts of a date separately or actually use all that computing power at your disposal to do your user a favor. Telling me you have no idea what I mean by “2009-12-21″ because you expected “20091221″ is annoying the user for no good reason, even if you told me to not include dashes.

If you find yourself in a situation where you need to verify input  from the web, take an extra minute to consider how you could make things as convenient as possible for the user, which ones of your assumptions only hold true for the region you live in… and when you’re done, whatever you do make sure you tell the user exactly what the expected format is.