El - Tim Howgego

Frostmourne Cavern

This movie records one of the many lore-related events in World of Warcraft’s upcoming expansion, Wrath of the Lich King. It’s a vision of Arthas and Muradin Bronzebeard discovering the sword, and in doing so, changing the “world” forever. The event is part of a single-player quest in Northrend, the expansion’s new continent. Previously events like this were found at the end of dungeons so hard that most players never saw them.

The aim of the game is changing. Previously the aim for a lot of players was to get to “the end”: To obtain the highest possible level, at which point they could embark on challenging group dungeons or player-vs-player battles. But Northrend is full of reasons to play the game in the middle. Not just this. There is a lot of high quality, fun, even inventive content coming with the new expansion. From aircraft combat and mass-slaughter shoot-em ups, to peace, love and harmony: Saving baby murlocs is enough to bring a tear to the eye, which is quite an achievement for any game.

Tim Howgego, 31st July 2008. Related topics: El, Game Design, Machinima, Video Games, WoW. Comment »

Infecting the Ad Pool

Malicious Advertising (Malvertising) is becoming a problem. This is the practice of purchasing advertising space on unsuspecting websites, then using that space to run adverts which automatically redirect the user’s browser to a malware site – a site that distributes viruses, spyware, and other computer nasties.

The practice first emerged in 2006. Already 2008 has seen may large publishers (website operators) attacked, including Classmates, USA Today, Photobucket, and MySpace.

Late last night I visited one of my own websites and got immediately redirected off to a domain already blacklisted by Google, which in turn redirected to another site that was intent on installing a scareware “virus checker”. ZAM (a gaming network), already plagued by “XP Online Scanner” adverts earlier this year, had again been hit by malicious adverts. The timing, just after midnight UTC Saturday, was impeccable: Advertising networks tend to work sensible business hours, ensuring 48 hours of infestation before anyone starts to investigate it. [Although I should add that in this case I did get a positive resolution within 24 hours.]

My response was to temporarily abandon the advertising network that had delivered the “malvert”, and switch to affiliate advertising I control.

This article explains why publishers have a very low tolerance of malverts, and consequently why it is in the best interests of advertising networks to deal with malvertising before it becomes widespread.

Valuing Users

The cost to a malware writer of placing a single malvert is in the order of $0.001, with the publisher receiving somewhat less than that. The pricing model assumes a high volume of advertising is ignored by users: An advertiser might need to screen thousands of adverts to get any referrals (click-throughs). It does not assume that the adverts will immediately refer every user to the advertiser’s site, without user interaction.

For malware writers this is both cheap and highly effective: Quantcast and Compete suggest xponlinescanner.com (a recent case of malicious advertising) attracted 1-2% of all US internet users in May: A dominance achieved by less than 500 other sites worldwide. Something advertising agencies can only dream about. Quantcast’s demographic analysis also indicates that the old, poor or poorly educated are more likely than other internet users to be caught by malware.

The publisher got a fraction of a cent, and may have lost 1 or more customers forever:

New visitors essentially bounce straight into “virus hell”. They are never coming back; not after “what you did to their computers”. Regular visitors assume your site was “hacked” (a security breach on your servers), and loose confidence. Even if they stay, they’ll think twice about typing their credit card number in again. If the site relies on viral traffic, they will be sure to tell their friends not to visit as well.

So Block the Advert!

Unless the publisher has a very strong community, they might never realise why their users are leaving: Malverts may be targeted by location or time of day, such that the publisher never sees them.

Assuming the publisher knows about the malvertising, finding the source transpires to be exceptionally hard. Malicious adverts may be embedded in an advert that looks perfectly normal, but only triggers an automatic redirect under certain circumstances. So even in simple cases, where the publisher has a direct relationship to advertisers, finding malware requires the advert to be tested.

But adverts are increasingly run via networks, who increasingly rely on advertising exchanges. So a large publisher could be running practically any advertising campaign in existence. I was running over 2,000 different campaigns (many of which have multiple adverts), and my site is small fry.

So once a malicious advert enters the system, it can spread like a virus throughout online advertising networks, almost unchecked.

Reactions

Publishers who care about their customers (and consequently also tend to have the most valuable advertising inventory) are likely to avoid any advertising network that delivers malvertising:

They might establish direct relationships with reputable advertisers, which cuts the networks out of the loop completely. Only viable for large publishers or those in specific niches.
Or perhaps they will change to text or non-interactive adverts? Advertisers that rely on being able to communicate using imagary will have problems: The only publishers to remain with malware-infested networks will be those that do not care about their users. Precisely the sites that were probably not good places to advertise anyway.

Users will gradually grow more paranoid. Pop-up advertising is a perfect example: Browsers gave too much control to scripts, and not enough control to the user. The result was that pop-up blocking features became commonplace, and pop-ups became a redundant technology.

What are users’ “solutions” to malvertising? Completely blocking all adverts and disabling all scripting. How does that help advertisers, networks or publishers? It doesn’t.

Sadly users’ solutions will not include disabling Flash, the poor design of which seems to be at the heart of the malicious advertising (something countered by Adobe). Flash is so critical for online video most users cannot browse the internet without it.

Solutions

There still seems to be a lack of appreciation of the damage potential of malicious advertising. But there are solutions available to the industry collectively, as many of the authors below demonstrate:

Spyware Sucks – Sandi Hardmeier’s ‘blog documents many malvertising events and methods. Summaries can also be found at TeMerc Internet Countermeasures.
Online advertising’s dirty secret: Malvertising – Introduction and possible solutions, from Ian Thomas.
Malicious Ads getting More Attention — People Still Clueless – Common misunderstandings.

Tim Howgego, 12th July 2008. Related topics: Advertising, El, Malvertising. Comment »

Map of World of Warcraft Online Communities

Michael Zenke’s MMO Blogipelago map [via Tobold], based on the famous xkcd map of online communities, inspired me to create a map for World of Warcraft (WoW) online communities. Click on the map for a larger image with links:

This article explains the logic behind the map. Read more of this article »

Tim Howgego, 25th June 2008. Related topics: Community, El, Identity, Learn2Play, Machinima, Social Networking, Video Games, WoW. 29 Comments »

Another BlizzCon Costume

Blizzard’s developers spontaneously created one of the most surreal moments I’ve ever experienced in World of Warcraft. Enough to warrant a short movie:

The footage comes from part of a stress test of World of Warcraft’s new tournament realms. The stress is technical – to see how many players the server can support. Events like this keep players entertained and online. On live game servers, the costumes are only available to those that attended one specific event (BlizzCon), so it would probably be impossible to find this many players with costumes on a single live server. The large costumed avatar is the Games Master (presumably a developer), who is being followed by her new found fans…

Tim Howgego, 23rd March 2008. Related topics: El, Machinima, WoW. Comment »

BarCamp: Living on Virtual Fish

For those that missed my BarCamp Scotland presentation, “Living on Virtual Fish”, you can view it on SlideShare:

| View | Upload your own

The following articles loosely correlate to each of the talk’s sections, and provide more depth and explanation:

Tim Howgego, 2nd February 2008. Related topics: Advertising, BarCamp, Edinburgh, El, Learn2Play, Video Games, Virtual Goods, WoW. Comment »

Adventures in Online Advertising

This article summarises what I have learnt from introduction of advertising onto El’s Extreme Anglin’, a guide to fishing in the World of Warcraft (WoW). It introduces internet advertising with discussion of the earning potential, cashflow and ethics. The article then provides a series of case studies on specific topics, such as iteratively improving revenue, altering placement, cloaking, use of text or image adverts, and seasonal variations over Christmas. It should offer a useful introduction for those attempting to monetarise medium-sized websites.

Gravatars and Identity

Gravatars are “globally recognised avatars”. Here, an avatar is a simple image representing the author of a ‘blog or forum comment. The name is derived from Hindu philosophy, although the blog/forum avatars are the direct descendants of the avatars found in video games, specifically role-play titles. This article discusses the limitations of Gravatars, and hints at a future based on game-like automated customisation for forum avatars.

Be warned that this is another inadequately researched “thoughts” article, that covers a lot of rather well-discussed territory superficially, and perhaps needs to be developed further.

Gravatars in Practice

The idea is simple: Instead of uploading your image to every website you interact with, upload it centrally, and allow each website you use to retrieve your avatar from the central source. Gravatars are linked to your email address, which already uniquely identifies you on the internet. Gravatars are currently still the preserve of hardcore bloggers. And no, they are not installed on this site yet either (comments are infrequent here). While implementing the code to support Gravatars is straightforward, it is still rarely done on ‘blogs, and almost never added to internet forums. Like OpenID, it is the sort of idea that needs to attain a critical mass of widespread use before it will become truly useful.

I opted to try using Gravatars at El’s Extreme Anglin’ forums. Partly because (by design) BBPress has no avatar features by default, yet users still expect to be able to personalise their posts by using avatars. Partly because not allowing image uploads or remote image hosting removes a potential avenue of attack by hackers. Partly because it seems logical.

However, already some issues are emerging:

Where users attempt to create a Gravatar account, they invariably fail to get Gravatars working, with the result that the default image shows.
The majority of users don’t already have, or don’t wish to use Gravatars.

In my opinion, the first problem is a design failing of Gravatar’s website: After uploading an image, Gravatar needs to be told to use the image that has just been uploaded. This final step in the process is not sufficiently clear to most users because it should not be necessary – “I just gave you an image to use, why aren’t you using it?”

Multiple Identities and Avatars

The second problem in part reflects the tendency of ordinary internet users (that is, not the people that post a lot of blog comments) not to have Gravatars associated with their email addresses. That may change in time, particularly in tech-savvy areas such as gaming.

But one specific reason for not using Gravatars is the fact that a user may want to display a different image depending on the type of site they are posting on. Gravatar’s service allows multiple images to be uploaded, but only one image can be used at a time. The only way I know to attach different images to different websites is to use different email addresses. Sure, there is no shortage of free email services… but doesn’t that merely replace one administrative saving (an avatar that follows you) with another (a need to create and monitor a new email account)?

At the root of the problem is the premise that one person = one email = one identity = one avatar. In the sphere of online gaming, at least, that is a very contentious, and consequently dangerous, assumption to make.

It is worth analysing our perceptions on this.

Some people have a desire for separate visual identities, yet all managed from the same email address. Deep philosophical debate can ensue. Does that mean our emails are closer to us as physical entities than our avatars? Or is it just a purely pragmatic visual thing? A lolcat might look great on a casual discussion forum, but would be less convincing (or socially acceptable) against a formal piece of academic writing.

Sometimes it is very practical: On a service such as Facebook, I find it useful to see a picture of what a person physically looks like, because most of the people I have befriended there are people that I am likely to meet and talk to physically. (And I’m terrible at remembering names, so am frequently confused by friend requests from cute animals or blurry-looking groups of drunk people.) In contrast, on a gaming discussion forum, seeing an image of the actual person posting is not especially relevant, and can even be somewhat distracting.

Every online game that introduces something akin to Tabula Rasa’s surname (where the surname is linked to the player, and shows on all their alts), seems to upset people that want to separate out characters/avatars from any link to other characters/avatars. Yet in Live Action Role-Play (like a Massively Multiplayer Online Game RolePlay-Player-vs-Player server, but without the computers), it was often said that most players end up playing themselves: While you can attempt to change your visual identity, your behaviour ultimately reflects who you are. Clay Shirky draws an interesting conclusion from the case of Kaycee Nicole, a famous internet hoax involving false identity:

“When the community understands that you’ve been doing it and you’re faking, that is seen as a huge and violent transgression. And they will expend an astonishing amount of energy to find you and punish you. So identity is much less slippery than the early literature would lead us to believe.”

Avatars of the Future

Are these perceptions changing over time? Personally I’ve found that over the last ten years my real and virtual identities have merged: I no longer actively try and isolate one from another, and pretend that one is a different person from the other. But that may simply reflect my growing personal acceptance of who I am, and not be related to physical-vs-virtual identity. At the other end of the scale their are the social networking virgins: Young adults who continue to refuse to engage in any for of internet networking with their peers, because they fear that they will no longer be able to hide the truth about what they really do from polite society, potential employers, or anyone else that might “use the web against them”. Will they change with time?

The key question remains, will multiple avatars always be a requirement of an online presence, or is this merely a transitional phase while people experiment with the concept? It might be argued that in either case Gravatar is the wrong approach, since currently there is a need for multiple visual identities – a mainstream need, not the need of a quirky few – yet the system struggles to accommodate that need. It follows that linking a visual internet identity to an email address is flawed.

A solution would be to add a further sub-classification of avatar after the email address: me@example.com:work would somehow determine that the site displaying the avatar was a work-related one, and display a sensible work-related avatar.

But avatars are still incredibly basic. On some forums, you will now find a line below the avatar that says “I’m feel a tired”, yet the avatar still shows a happy smiling face. Or the poster is on holiday in Florida… yet there is still snow in the background of their picture. Better to alter the face in the image to reflect the mood or alter the background of the avatar to reflect the place. (With appropriate alt and title tags, of course!)

The historic link between forum and game avatars is already coming full circle, with avatar generators for “games” like World of Warcraft and Gaia Online that allow the creation of forum avatars based on virtual-world appearance. It isn’t a huge step forward to make avatars a lot more “realistic” than they traditionally have been.

With all those customisation options, perhaps the old method of site-specific avatars wasn’t so bad after all?

Tim Howgego, 29th January 2008. Related topics: El, Gravatar, Identity, Thoughts. Comment »

Tim Howgego // El