MASSIVE SECURITY HAZARD in Spore!
BastDawn:
True. I can't imagine anyone other than a troll bothering.
wes_h:
I have been looking deeply into the very soul of these files. :)
I do not doubt that the program "phones home" when installed, that was foretold. I will trust others' efforts to prove it was SecuRom that did it, that was foretold.
The creature data itself is inserted into .package files, in the new DBPF V2. The decompression code Dizzy wrote for the extract program (in the bowels), with minor modifications to the source, works on the compressed parts, although I have an all new parser for the V2 files. My thanks to Dizzy for posting the source.
The main part of the creature data itself is an XML 1.0 file, uncompressed about 30K (my example critter). In the packages is/are section(s) with the username and creature name, in Unicode. While one user is hardly proof, the user name in there is the user name part of the account (sans the email domain) I made at the Spore site.
So I believe that when creatures are "published" the data uploaded includes the user name from the account, and the creature name, and that when the small PNG file is dropped onto the application by a different user, the data for the creature is downloaded and inserted into a package file, together with other creatures. That downloaded data includes the user name, compressed with the same 'QFS' method used on The Sims 2.
So I disagree with the "massive security leak" part. The rest of the issues about working with the program online and unblocked by a firewall are certainly valid points for people to watch, especially with installations that were not done with "gen-u-wine EA advantage" materials.
J. M. Pescado:
Quote from: wes_h on 2008 June 20, 04:17:10
The creature data itself is inserted into .package files, in the new DBPF V2.
It looks to me that the creature data is encoded into the PNG, and no .package files are involved. Are you looking at the right thing?
Quote from: wes_h on 2008 June 20, 04:17:10
The main part of the creature data itself is an XML 1.0 file, uncompressed about 30K (my example critter). In the packages is/are section(s) with the username and creature name, in Unicode. While one user is hardly proof, the user name in there is the user name part of the account (sans the email domain) I made at the Spore site.
Where's this information? I scanned the PNG file and it appears to not be there, meaning it has been encrypted to be unrecognizable.
Quote from: wes_h on 2008 June 20, 04:17:10
So I disagree with the "massive security leak" part. The rest of the issues about working with the program online and unblocked by a firewall are certainly valid points for people to watch, especially with installations that were not done with "gen-u-wine EA advantage" materials.
There's one fundamental flaw with your belief: It is not negative. Because it is not negative, it must be incorrect.
Zazazu:
Quote from: BastDawn on 2008 June 20, 03:59:52
True. I can't imagine anyone other than a troll bothering.
Bastdawn, is your account named "Ibis"?
The reason I ask is because I downloaded your .png you shared in the RL thread. That's what comes up in the creator name for me. Now, if that's not your account's name, that's very interesting, and suggests that it's something to do with EA pulling information when you transmit the files to them that's adding your name.
wes_h:
I have seen and accessed creatures from other users, so I know the process and have some of the files. I am of the belief the creature is downloaded separately after the picture is dropped on the application, but the data does compress well, WinRar got it down to 3K from 30K, so it could be incorporated in the PNG file. I don't have anything to parse a PNG file with here to separate the pixel data from any other.
Regardless of what is in the PNG file, after whatever download process the data is placed in .package files in your user directory. This is where I am viewing the data, and where the program accesses it from, after decompressing it.
Anyway, enjoy your morning, old grouchy-grouch.
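Added example, not part of any post in this thread: a Python sketch of how to separate a PNG's pixel data from everything else the file can carry, which is the check the posts above were missing a tool for. It assumes nothing about how Spore stores creature data; the sample file, the `inventory` helper and the report field names are constructed for illustration.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
CHANNELS = {0: 1, 2: 3, 3: 1, 4: 2, 6: 4}  # samples per pixel by PNG colour type

def chunk(ctype, data):
    """Build one PNG chunk: length, type, data, CRC-32 over type + data."""
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", zlib.crc32(ctype + data))

def inventory(png):
    """Separate pixel data (IDAT) from every other place a PNG can carry bytes."""
    if png[:8] != PNG_SIG:
        raise ValueError("not a PNG")
    pos, idat, other, bad_crc, ihdr = 8, b"", [], [], None
    while pos + 12 <= len(png):
        (length,) = struct.unpack(">I", png[pos:pos + 4])
        ctype, end = png[pos + 4:pos + 8], pos + 12 + length
        if end > len(png):
            raise ValueError("truncated chunk")
        data = png[pos + 8:end - 4]
        if struct.unpack(">I", png[end - 4:end])[0] != zlib.crc32(ctype + data):
            bad_crc.append(ctype.decode("latin-1"))
        pos = end
        if ctype == b"IHDR":
            ihdr = struct.unpack(">IIBBBBB", data)
        elif ctype == b"IDAT":
            idat += data
        elif ctype == b"IEND":
            break
        else:
            other.append((ctype.decode("latin-1"), length))
    if ihdr is None or ihdr[6] != 0:
        raise ValueError("missing IHDR or interlaced image (not handled here)")
    width, height, depth, colour = ihdr[:4]
    z = zlib.decompressobj()
    pixels = z.decompress(idat)
    return {
        "other_chunks": other,                      # tEXt, zTXt, iTXt, private chunks ...
        "bad_crc": bad_crc,
        "pixel_bytes": len(pixels),
        "expected_pixel_bytes": height * (1 + (width * CHANNELS[colour] * depth + 7) // 8),
        "idat_surplus": len(z.unused_data),         # bytes after the zlib stream ends
        "trailing_bytes": len(png) - pos,           # bytes after IEND
    }

# Constructed sample: 2x2 RGBA image, one tEXt chunk, five bytes appended after IEND.
raw = (b"\x00" + bytes(8)) * 2
SAMPLE = (PNG_SIG + chunk(b"IHDR", struct.pack(">IIBBBBB", 2, 2, 8, 6, 0, 0, 0))
          + chunk(b"tEXt", b"Author\x00constructed") + chunk(b"IDAT", zlib.compress(raw))
          + chunk(b"IEND", b"") + b"EXTRA")
REPORT = inventory(SAMPLE)
```

Data encoded in the pixel values themselves does not show up in any of these counts; finding it requires analysis of the decoded pixels.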