MASSIVE SECURITY HAZARD in Spore!
Menaceman:
When I use the SCC the lower left of the screen shows my full name until it "phones home" when it changes to display my Spore account name. I never got to name my user account as the laptop was delivered to me with it already named after me and I never saw the need to change it. I've asked a friend what my creations show up as on his machine as he has downloaded some of them and he says they are listed with my Spore account name, not my laptop user account name.
Should I still be worried or not? I hate finding threads like this as they make me so paranoid.
witch:
Question for JM.
If I'm running the game on a hardware profile that doesn't allow for networking and internet, will the EAxis phone home info be held after the machine has been rebooted?
BastDawn:
I was checking out the forums at Penny Arcade for more creatures to download, and found this:
Quote
jonxp wrote:
The creature data is encoded in the actual PNG images not as metadata, but through stenographically altering the image. Each pixel is made of four bytes of data (Red, Green, Blue, and Alpha) to extract the data from the image, one needs to take each byte of the image, divide it by two, and use the remainder as a single bit (this is known as a modulus operation). So for each byte in the decoded image you get a bit of information, each pixel is a nibble, and every two pixels is a full byte. Since the thumbs are 128x128, you can store 8KB of information in this manner.
I have written a program to extract the creature data, unfortunately it seems to be signed and/or encoded in some fashion, so I can't actually manipulate it (as far as I can tell).
I will put up some proof-of-concept "spore rolled" creatures soon that appear to be one creature, but are in fact a different one when loaded.
Interesting, but not very useful until it's decoded.
J. M. Pescado:
Quote from: Menaceman on 2008 June 21, 16:52:09
When I use the SCC the lower left of the screen shows my full name until it "phones home" when it changes to display my Spore account name. I never got to name my user account as the laptop was delivered to me with it already named after me and I never saw the need to change it. I've asked a friend what my creations show up as on his machine as he has downloaded some of them and he says they are listed with my Spore account name, not my laptop user account name.
Should I still be worried or not? I hate finding threads like this as they make me so paranoid.
You should panic now, yes. In the event that the Splorch server cannot be logged in, anything you make will contain your name in it. You can freak out now.
wes_h:
I saw a post elsewhere claiming that the data is in the color channels at all the locations that are transparent (where teh alpha is zero). It seems like a reasonable conjecture and also a very clever method.
If it bears out to be true I will eat my words here publicly (and this may very well be necessary), although I am correct that there are only standard PNG chunk types in any of the files I examined (no private or metadata chunks). Since I do not have any significant tools here or previous experience to aid me in decompressing and checking these files, I will leave that research to the ongoing efforts of others.
I will say that I know the username is saved in .package files, along with the creature name and other data (likely ID values similar to the TS2 group and instance) after the file is downloaded, and that at least a significant amount of the creature data is an XML file. Unlike TS2, it appears when the file is donwloaded that the package file containing your creature data (created by you and that downloaded) is updated, rather than separate files existing for each creature.
Navigation
[0] Message Index
[#] Next page
[*] Previous page