More Awesome Than You!

Serious Business => Spore Discussions => Topic started by: J. M. Pescado on 2008 June 19, 11:29:26



Title: MASSIVE SECURITY HAZARD in Spore!
Post by: J. M. Pescado on 2008 June 19, 11:29:26
ACHTUNG!

As if SecuROM wasn't bad enough, there is also a MASSIVE SECURITY LEAK in Spore: If you EVER share ANY content with ANYONE, be warned that YOUR COMPUTER USERNAME is ENCRYPTED INTO THE CREATURE "IMAGE" FILE. YOU WILL NOT BE ABLE TO REMOVE THIS INFORMATION BY HEXING! This means that ANYONE who downloads it will know what your username is on your computer.

This represents a MASSIVE security breach because many people (foolishly) encode their real names into their Windoze username. Even if you don't, revealing this username to the world presents a point of vulnerability for attack by hackers. By sharing any Spore content ANYWHERE, you are leaving your computer open to attack and leaving yourself open to stalking and identity theft.

BEWARE!


Title: Re: MASSIVE SECURITY HAZARD in Spore!
Post by: nekonoai on 2008 June 19, 15:08:15
If this isn't a good enough reason to boycott Spore, I don't know what is. Granted, I don't use any semblance of my real name or any identity attached as such. I don't even use nekonoai for my computer names. They have interesting names based on their personalities.

What was wrong with using random numbers to identify who is uploading what? Or even a login name for the Spore sharing site? Wouldn't that have made more sense?

Oh, wait, this is EAxis. Sense goes out the window.  ::)


Title: Re: MASSIVE SECURITY HAZARD in Spore!
Post by: Simsbaby on 2008 June 19, 15:12:19
Well, this is just stupid. Would it be safe if I made a new account on my computer and named it after my user name here?


Title: Re: MASSIVE SECURITY HAZARD in Spore!
Post by: Zazazu on 2008 June 19, 15:56:29
If this isn't a good enough reason to boycott Spore, I don't know what is. Granted, I don't use any semblance of my real name or any identity attached as such. I don't even use nekonoai for my computer names. They have interesting names based on their personalities.
What about your account? I believe what Pes is saying is that it's the account name that shows, not the PC's name. I know all mine say "Kari" despite the fact that I never told Spore my name. The PC is named Addison.

A login name would have made infinite sense. Obviously, it could not be the correct solution.


Title: Re: MASSIVE SECURITY HAZARD in Spore!
Post by: jolrei on 2008 June 19, 16:06:52
A login name would have made infinite sense. Obviously, it could not be the correct solution.

I am not even slightly surprised by this.  A corporation as terminally obsessed with copy-protection, fighting teh pierassy, and being suspicious of their customers will naturally choose any procedure that allows them to gather as much personal information as possible from the users of their products.  This is a natural extension of normal EAxis paranoia.


Title: Re: MASSIVE SECURITY HAZARD in Spore!
Post by: BastDawn on 2008 June 19, 16:16:55
Man, that's really stupid.  But honestly, EA didn't prevent this because they don't care.  Why should they?  Proving liability would be very difficult, so they don't have to worry about the repercussions.   >:(


Title: Re: MASSIVE SECURITY HAZARD in Spore!
Post by: nekonoai on 2008 June 19, 16:24:59
If this isn't a good enough reason to boycott Spore, I don't know what is. Granted, I don't use any semblance of my real name or any identity attached as such. I don't even use nekonoai for my computer names. They have interesting names based on their personalities.
What about your account? I believe what Pes is saying is that it's the account name that shows, not the PC's name.
My accounts are also having nothing to do with my name or any online handles. Generally, since I'm the only one who ever uses my computers (UNDER PAIN OF DEATH!), the account has the same name as the computer.


Title: Re: MASSIVE SECURITY HAZARD in Spore!
Post by: Kraken on 2008 June 19, 16:45:42
First secuROM and now this!  Thanks to the most awesome for finding this out and giving the alert.

Has anyone informed the sheep on the Sims/Spore website yet?



Title: Re: MASSIVE SECURITY HAZARD in Spore!
Post by: Lord Vader on 2008 June 19, 18:06:35
Hmm good thing I'm not buying the game. Looks like a stupid concept to me anyway. I don't know why there's so much hype for it.


Title: Re: MASSIVE SECURITY HAZARD in Spore!
Post by: jolrei on 2008 June 19, 18:22:25
Hmm good thing I'm not buying the game. Looks like a stupid concept to me anyway. I don't know why there's so much hype for it.

/me gets popcorn and settles in to watch the fur fly.

You know that quite a number of MATY folks appear to be interested in this game, do you?  And you've just called their new interest stupid.  I think you may become quite "popular", in a manner of speaking.


Title: Re: MASSIVE SECURITY HAZARD in Spore!
Post by: Lorelei on 2008 June 19, 21:12:53
Hmm good thing I'm not buying the game. Looks like a stupid concept to me anyway. I don't know why there's so much hype for it.

/me gets popcorn and settles in to watch the fur fly.

You know that quite a number of MATY folks appear to be interested in this game, do you?  And you've just called their new interest stupid.  I think you may become quite "popular", in a manner of speaking.

Only with butthurt F-types who think someone expressing disagreement about a subject is equivalent to them saying "I hate you and you are stupid."

Ts could not care less about some random forumdweller's negative opinion if they have decided that they are interested in something.

Also? I DO NOT WANT Spore, either.


Title: Re: MASSIVE SECURITY HAZARD in Spore!
Post by: lordrichter on 2008 June 19, 21:19:52
This does not make sense.  Why store the user name? What good does that do?  It is hardly unique across all installations, even if someone is silly enough to use a real name.  So, it can't be for tracking outside of the PC... at least, not by itself.  The only purpose would be to establish ownership of creatures built by different players on the same PC, each with a different ID.  Is there something about Spore where anyone would care?

I worry that time will tell us that they store more than the user name... either something obvious like the IP address or something less obvious like a system identifying fingerprint.



Title: Re: MASSIVE SECURITY HAZARD in Spore!
Post by: Tchan on 2008 June 19, 21:22:50
Mine's called "Administrator". I don't think you can tell anything about me from it. :) Though I'm quite grateful that it wouldn't let me rename it now. Very grateful.


Title: Re: MASSIVE SECURITY HAZARD in Spore!
Post by: MaryH on 2008 June 19, 22:20:42
First secuROM and now this!  Thanks to the most awesome for finding this out and giving the alert.

Has anyone informed the sheep on the Sims/Spore website yet?



Nobody on the Sims site will believe this, because it comes from the blazing hell that is "pirate city". They will believe exactly what EA wants them to believe, and will buy the demo, the game and anything else that EA puts out with SecuRom on it because EA says it's all good.
You don't want to open the can of worms - because you'll get banned or banished to the tech area of the BBS. EA has been doing that for a while now - if they see any truth, they will hide it, or delete it.


Title: Re: MASSIVE SECURITY HAZARD in Spore!
Post by: Faizah on 2008 June 19, 22:26:21
As I am getting a new PC, what is my safest option here? Fake name, second non-admin account for Spore (with fake name), just not share, or what? I'm afraid simply not installing it isn't an option. I want to make creatures! I'll be honest, that's what got me into the Geneforge (http://www.spiderwebsoftware.com/geneforge/index.html) series of games, which are awesome, but Spore is probably closer to what I was looking for. Though I am quite fond of the RPG nature and storylines of the Geneforge games as well, which I highly doubt Spore can match. (Even the third game, with all that stupid annoying island hopping. If I never see another dock again, it'll be too soon!)

...

I think I have to make a Fyora (http://www.spiderwebsoftware.com/geneforge/creatures.html) now, once I've got my new PC set up. (They said 2-3 days, and it's day 3...)


Title: Re: MASSIVE SECURITY HAZARD in Spore!
Post by: wes_h on 2008 June 19, 23:13:46
As if SecuROM wasn't bad enough, there is also a MASSIVE SECURITY LEAK in Spore: If you EVER share ANY content with ANYONE, be warned that YOUR COMPUTER USERNAME is ENCRYPTED INTO THE CREATURE "IMAGE" FILE.

Are you lobbing dud grenades again?
I see the username that was used on the spore site registration, which is about as secret and useful as "J. M. Pescado" is.
And encrypted is more correctly labelled compressed, with the same 0x10FB compression as used in The Sims 2 and the compressorizer.

Paranoia is a useful survival trait, but if you don't want to get bombarded with gamma rays, you can't lay out at the beach.


Title: Re: MASSIVE SECURITY HAZARD in Spore!
Post by: J. M. Pescado on 2008 June 19, 23:44:54
I see the username that was used on the spore site registration, which is about as secret and useful as "J. M. Pescado" is.
That is not what others are reporting. Also, the username is displayed before there even IS a registration. Given that not all users are registered and no input is solicited, this means your username is still being displayed to the world.


Title: Re: MASSIVE SECURITY HAZARD in Spore!
Post by: morriganrant on 2008 June 19, 23:59:06
Trial says admin as my user title on my creatures. Never bothered to change it. I suppose if I got an account, then it would say the username I would register with.


Title: Re: MASSIVE SECURITY HAZARD in Spore!
Post by: lordrichter on 2008 June 20, 00:11:45
What is the preferred method of extracting the creature data from the PNG file so that it can be examined?


Title: Re: MASSIVE SECURITY HAZARD in Spore!
Post by: jfade on 2008 June 20, 00:50:02
What is the preferred method of extracting the creature data from the PNG file so that it can be examined?
There is none, yet.

And there probably won't be any, if EA has their say. EA doesn't seem too keen on modders touching this game:

Quote from: EULA
You may not further modify Spore Creatures with any other materials, tools, or software programs. All rights not expressly granted herein, are reserved by EA.


Title: Re: MASSIVE SECURITY HAZARD in Spore!
Post by: wes_h on 2008 June 20, 01:02:14
What is the preferred method of extracting the creature data from the PNG file so that it can be examined?

The PNG file is just a picture, so the CC has to be using the filename to trigger a download.

As for extracting things, I have enough information gathered to split the DBPF V2 package files into component parts with a commandline tool. Ugly but effective. I am trying to leverage the dead Dizzy's decompression code in the dead "simpemustbedestroyed" tools to complete my file splitter.

Then I can try to determine what these part pieces are used for (except the PNG parts, I already know what they are). My findings are posted at my place.

And no Spore Creature Creator programs have been, or need be, reverse engineered to determine the .package file layout.


Title: Re: MASSIVE SECURITY HAZARD in Spore!
Post by: lordrichter on 2008 June 20, 02:17:51
Got it.  The only reason that we know that the user account name is being stored in the creature data inside the PNG file is that CC displays this information when showing the saved creatures.  However, we don't know what other data may be tucked away in the PNG file that might identify the system that it came from because we really don't have a good way to extract and decode the data... yet.  Although, it looks like people are working on the extraction tools already.

Edit: I can see why EA would not want the creatures edited.  Already, I am seeing people talking about crafting creature files that have a picture that is entirely different from the creature contained in it.  Looking at what they likely store in these creature files, I am not certain that editing them would be useful anyway.  There is not enough room in the creature PNG file to do more than store building block reference and connection information.  The creatures have to be built from a known library of parts.  That, in itself, sounds like something that could well be unfriendly to third party creations.


Title: Re: MASSIVE SECURITY HAZARD in Spore!
Post by: J. M. Pescado on 2008 June 20, 03:41:45
It looks like the creature data is stored inside custom blocks accepted as part of the PNG spec, thus allowing foreign data to be bundled inside a PNG which will be ignored (and possibly shredded) by other graphics-editor tools. However, the data appears to be unreadable as a cursory glance in a hex editor reveals nothing, not even the strings, so it looks like it's encrypted in some way to prevent modification.


Title: Re: MASSIVE SECURITY HAZARD in Spore!
Post by: BastDawn on 2008 June 20, 03:51:07
The file name of the png is meaningless.  I've changed the name of every creature png file I've downloaded to a "creator name-creature name" format, and they still work.  I've heard the information is stored in the alpha channel, and if you look at a spore creature on a colored background, you can see how pixelated it is.  Presumably you could "hack" a png file to have the data for one creature while showing the picture of a completely different creature, just by replacing the right part of the image.  I could probably do it in less than two minutes in Paintshop Pro.


Title: Re: MASSIVE SECURITY HAZARD in Spore!
Post by: J. M. Pescado on 2008 June 20, 03:58:09
Presumably you could "hack" a png file to have the data for one creature while showing the picture of a completely different creature, just by replacing the right part of the image.  I could probably do it in less than two minutes in Paintshop Pro.
The utility of such an act seems somewhat limited, though.


Title: Re: MASSIVE SECURITY HAZARD in Spore!
Post by: BastDawn on 2008 June 20, 03:59:52
True.  I can't imagine anyone other than a troll bothering.


Title: Re: MASSIVE SECURITY HAZARD in Spore!
Post by: wes_h on 2008 June 20, 04:17:10
I have been looking deeply into the very soul of these files. :)

I do not doubt that the program "phones home" when installed, that was foretold. I will trust others' efforts to prove it was SecuRom that did it, that was foretold.

The creature data itself is inserted into .package files, in the new DBPF V2. The decompression code Dizzy wrote for the extract program (in the bowels), with minor modifications to the source, works on the compressed parts, although I have an all new parser for the V2 files. My thanks to Dizzy for posting the source.

The main part of the creature data itself is an xml 1.0 file, uncompressed about 30K (my example critter). In the packages is/are section(s) with the username and creature name, in unicode. While one user is hardly proof, the user name in there is the user name part of the account (sans the email domain) I made at the Spore site.

So I believe that when creatures are "published" the data uploaded includes the user name from the account, and the creature name, and that when the small PNG file is dropped onto the application by a different user, the data for the creature is downloaded and inserted into a package file, together with other creatures. That downloaded data includes the user name, compressed with the same 'QFS' method used on The Sims 2.

So I disagree with the "massive security leak" part. The rest of the issues about working with the program online and unblocked by a firewall are certainly valid points for people to watch, especially with installations that were not done with "gen-u-wine EA advantage" materials.


Title: Re: MASSIVE SECURITY HAZARD in Spore!
Post by: J. M. Pescado on 2008 June 20, 04:46:00
The creature data itself is inserted into .package files, in the new DBPF V2.
It looks to me that the creature data is encoded into the PNG, and no .package files are involved. Are you looking at the right thing?

The main part of the creature data itself is an xml 1.0 file, uncompressed about 30K (my example critter). In the packages is/are section(s) with the username and creature name, in unicode. While one user is hardly proof, the user name in there is the user name part of the account (sans the email domain) I made at the Spore site.
Where's this information? I scanned the PNG file and it appears to not be there, meaning it has been encrypted to be unrecognizable.

So I disagree with the "massive security leak" part. The rest of the issues about working with the program online and unblocked by a firewall are certainly valid points for people to watch, especially with installations that were not done with "gen-u-wine EA advantage" materials.
There's one fundamental flaw with your belief: It is not negative. Because it is not negative, it must be incorrect.


Title: Re: MASSIVE SECURITY HAZARD in Spore!
Post by: Zazazu on 2008 June 20, 04:54:24
True.  I can't imagine anyone other than a troll bothering.
Bastdawn, is your account named "Ibis"?

The reason I ask is because I downloaded your .png you shared in the RL thread. That's what comes up in the creator name for me. Now, if that's not your account's name, that's very interesting, and suggests that it's something to do with EA pulling information when you transmit the files to them that's adding your name.


Title: Re: MASSIVE SECURITY HAZARD in Spore!
Post by: wes_h on 2008 June 20, 05:07:14
I have seen and accessed creatures from other users, so I know the process and have some of the files. I am of the belief the creature is downloaded separately after the picture is dropped on the application, but the data does compress well, WinRar got it down to 3K from 30K, so it could be incorporated in the PNG file. I don't have anything to parse a PNG file with here to separate the pixel data from any other.

Regardless of what is in the PNG file, after whatever download process the data is placed in .package files in your user directory. This is where I am viewing the data, and where the program accesses it from, after decompressing it.

Anyway, enjoy your morning, old grouchy-grouch.


Title: Re: MASSIVE SECURITY HAZARD in Spore!
Post by: J. M. Pescado on 2008 June 20, 06:03:26
I have seen and accessed creatures from other users, so I know the process and have some of the files. I am of the belief the creature is downloaded separately after the picture is dropped on the application, but the data does compress well, WinRar got it down to 3K from 30K, so it could be incorporated in the PNG file.
This does not match empirical evidence, that it was possible to get BastDawn's stuff simply by rightclicking and save-as'ing her PNG.

Regardless of what is in the PNG file, after whatever download process the data is placed in .package files in your user directory. This is where I am viewing the data, and where the program accesses it from, after decompressing it.
There are no .package files in my user directory. The only .packages are the CSA packages in the data directory of the main install.


Title: Re: MASSIVE SECURITY HAZARD in Spore!
Post by: BastDawn on 2008 June 20, 07:50:02
Yes, my computer is named Ibis.  And I do not allow any programs access to the internet without permission from my firewall, including Spore Creature Creator, so the data in the critters I posted did not go to the Spore site at all.  I have also successfully downloaded critters from non-Spore sites (like MATY) and placed them in the game, again without allowing SCC to connect.  Last night I picked up a few using my other computer, which is a crappy ME box that can't even run SCC, and transferred them over my network.

My computer is set up on a home network, where the administrator name is not identical to the nickname the computer is given to identify it to other computers on the network.  This means that I can change my computer's name at will, so I'm not as worried about the security breach.  That doesn't mean I'm not irritated, of course.   >:(


Title: Re: MASSIVE SECURITY HAZARD in Spore!
Post by: Emma on 2008 June 20, 08:00:30
Yeah. Do not want Spore. Not sharing creatures either :D I'm having great fun making them (and my kids are) but we are just making snapshots and printscreens of our stuff.


Title: Re: MASSIVE SECURITY HAZARD in Spore!
Post by: J. M. Pescado on 2008 June 20, 08:13:59
Death to EMMA.


Title: Re: MASSIVE SECURITY HAZARD in Spore!
Post by: Emma on 2008 June 20, 08:15:54
*Emma moons Pescado


Title: Re: MASSIVE SECURITY HAZARD in Spore!
Post by: Mirelly on 2008 June 20, 08:35:58
Meh. Not sure how anyone knowing that I am known as Mirelly is dangerous to me, but lacking total awesomeness I bow to those more paranoid than me.

I have tried out the critter maker -- the free one -- and I have to say that it is rather disappointing. It is extremely limited and, a lot like TS2, there is no real scope for making creatures which are genuinely different from each other. The differences (component parts like insectile mandibles versus crocodilian jaws) are insufficiently numerous and versatile to make a toolbox with which one can craft one's imagination. A Pierson's Puppeteer has proved to be impossible; I had to put the mouth on the body ... I put it at the back so it could blow raspberries at its enemies as it kicks out their hearts with its hefty hind leg.

I was never sold on the idea of a PacmanPopulousCivilizationMaster_of_Orion chimera, so the critter builder was always going to be the USP for me. It has phail.



Title: Re: MASSIVE SECURITY HAZARD in Spore!
Post by: BastDawn on 2008 June 20, 08:36:45
Well, here's some good news.  Once you change your computer name, Spore Creature Creator continues to use the old name.  I just changed my computer name to something else, reset, confirmed my old shortcuts to this computer no longer work, and then ran SCC and made a new thing from scratch.  The new thing is still using "Ibis".

Here's how to rename your XP computer:

1. Right-click on the My Computer desktop icon, then left-click on Properties.
* If you do not have that icon on the desktop:
  a. Left-click on Start > Control Panel
  b. Double left-click on the System icon (if you don't see it, select "Switch to Classic View" on the left-hand side of the window first).

2. Select the "Computer name" tab, then type a new name

3. Select the Change button, type the new name again in the "Computer name" field, and select OK.  Windows will prompt: "You must restart this computer before these changes will take effect."

4. Shut down and restart your PC normally.


EDIT: 
Damn.  Pescado's right: changing the computer's name on the network doesn't change the login name; it's merely cosmetic.  That means sharing creatures is generally a bad idea.   :( 

I like sharing.  Tell me, Pescado, just how serious a threat is it, if the name is something like "Ibis" that has nothing to do with my real identity or interests?


Title: Re: MASSIVE SECURITY HAZARD in Spore!
Post by: J. M. Pescado on 2008 June 20, 10:31:31
That is because it is not using your Computer Name, it is using your computer USERNAME. Do you login as "Ibis"? If so, that's what it's using. Changing your computer name won't fix this.


Title: Re: MASSIVE SECURITY HAZARD in Spore!
Post by: Emma on 2008 June 20, 11:36:48
I just created 2 creatures, one offline and one online. The offline one shows my pc username (surprisingly, Emma) and the online one shows my Spore login name. So which one is the dangerous one? Both?


Title: Re: MASSIVE SECURITY HAZARD in Spore!
Post by: J. M. Pescado on 2008 June 20, 12:14:28
In your case? Probably none of them, since we already know you are EMMA. Death to EMMA!


Title: Re: MASSIVE SECURITY HAZARD in Spore!
Post by: Emma on 2008 June 20, 12:32:53
Oh, so it is only ninjas who should be worried then :D


Title: Re: MASSIVE SECURITY HAZARD in Spore!
Post by: wes_h on 2008 June 20, 14:07:01
There are no .package files in my user directory. The only .packages are the CSA packages in the data directory of the main install.
Try looking in C:{username}\AppData\Roaming\Spore Creature Creator\ (that's for Vista). In XP it should be something like Application Data, but I have no install here on XP at this time. By default, the app data folder is hidden in both XP and Vista (Microsoft calls it a system folder, and says you could damage your system).

The other directory in User Data, in Documents\My Spore Creations, just contains pictures and videos you make.


Title: Re: MASSIVE SECURITY HAZARD in Spore!
Post by: Obsidian on 2008 June 20, 17:29:14
After the whole SecuROM fiasco, I expected something like this would happen. That's the reason I've not uploaded any creature I've created onto the internet, and also set my firewall to block the Spore Creature Creator from communicating with the internet at all.

Stupid EAxis.


Title: Re: MASSIVE SECURITY HAZARD in Spore!
Post by: wes_h on 2008 June 20, 18:52:35
I have examined the PNG image files that appear publicly on Sporepedia.

The PNG format allows non-standard chunks to be inserted in a file, but I find only image data in them. Interestingly enough, when you load one into Paint Shop Pro and save it under a different name, the resulting file is actually larger than the one downloaded from Sporepedia. Clearly, there is no room for 3K of creature data in there, unless they have much better compression than WinRar.

I still think a download of creature data happens after the image is dropped on the CC.
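
Added example, not part of the original thread and not any poster's tool: a small PNG chunk auditor for the check discussed above, listing everything a PNG carries besides standard image chunks (text metadata, non-standard chunks, bytes after IEND) and verifying each chunk's CRC. The `prVt` chunk type, the `Author` value and both sample images are constructed for illustration and are not Spore's format; a clean result here says nothing about data encoded in the pixel values themselves.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Chunk types defined by the PNG specification itself.
STANDARD_CHUNKS = {
    b"IHDR", b"PLTE", b"IDAT", b"IEND",
    b"tRNS", b"cHRM", b"gAMA", b"iCCP", b"sBIT", b"sRGB",
    b"tEXt", b"zTXt", b"iTXt", b"bKGD", b"hIST", b"pHYs", b"sPLT", b"tIME",
}
TEXT_CHUNKS = {b"tEXt", b"zTXt", b"iTXt"}
IMAGE_CHUNKS = {b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS"}


def make_chunk(ctype, data):
    """Serialise one chunk: length, type, data, CRC-32 over type + data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def audit_png(blob):
    """Walk every chunk and report what the file carries besides pixels."""
    if not blob.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    report = {"nonstandard": [], "text": [], "bad_crc": [],
              "image_bytes": 0, "other_bytes": 0,
              "has_iend": False, "trailing_bytes": 0}
    pos = len(PNG_SIGNATURE)
    while pos < len(blob):
        if pos + 12 > len(blob):
            raise ValueError("truncated chunk at offset %d" % pos)
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        end = pos + 12 + length
        if end > len(blob):
            raise ValueError("chunk at offset %d runs past end of file" % pos)
        data = blob[pos + 8:pos + 8 + length]
        (stored_crc,) = struct.unpack(">I", blob[end - 4:end])
        name = ctype.decode("latin-1")
        if zlib.crc32(ctype + data) & 0xFFFFFFFF != stored_crc:
            report["bad_crc"].append(name)
        if ctype in IMAGE_CHUNKS:
            report["image_bytes"] += length
        else:
            report["other_bytes"] += length
        if ctype in TEXT_CHUNKS:
            # Text chunks are "keyword NUL value"; only tEXt is plain Latin-1.
            keyword, _, rest = data.partition(b"\x00")
            if ctype == b"tEXt":
                value = rest.decode("latin-1")
            else:
                value = "<%d bytes>" % len(rest)
            report["text"].append((keyword.decode("latin-1"), value))
        elif ctype not in STANDARD_CHUNKS:
            # Bit 5 of the 1st name byte marks an ancillary chunk (decoders
            # may skip it); bit 5 of the 2nd marks a private, unregistered one.
            report["nonstandard"].append({
                "type": name, "length": length,
                "ancillary": bool(ctype[0] & 0x20),
                "private": bool(ctype[1] & 0x20)})
        pos = end
        if ctype == b"IEND":
            report["has_iend"] = True
            break
    # Anything after IEND is ignored by image viewers but still travels
    # with the file.
    report["trailing_bytes"] = len(blob) - pos
    return report


def build_samples():
    """Constructed 1x1 RGBA test images: one clean, one with extra payloads."""
    ihdr = make_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 6, 0, 0, 0))
    idat = make_chunk(b"IDAT", zlib.compress(b"\x00\xff\xff\xff\xff"))
    iend = make_chunk(b"IEND", b"")
    clean = PNG_SIGNATURE + ihdr + idat + iend
    tagged = (PNG_SIGNATURE + ihdr
              + make_chunk(b"tEXt", b"Author\x00constructed-user")
              + make_chunk(b"prVt", b"\x01\x02\x03\x04\x05")  # hypothetical
              + idat + iend + b"EXTRA")
    return clean, tagged


if __name__ == "__main__":
    for label, blob in zip(("clean", "tagged"), build_samples()):
        print(label, audit_png(blob))
```

To audit a real file, pass its bytes to `audit_png` (for example `audit_png(open(path, "rb").read())`) before sharing it.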


Title: Re: MASSIVE SECURITY HAZARD in Spore!
Post by: Insanity Prelude on 2008 June 20, 18:54:32
I'd been so looking forward to this game... but if this is true, I don't dare.  :'( Bugger EA.


Title: Re: MASSIVE SECURITY HAZARD in Spore!
Post by: BastDawn on 2008 June 20, 22:19:44
Wes_h, procedural generation doesn't work that way.  The code to generate the creature is tiny, small enough to be held in a little 25kb png.  When put into the game, the data then creates the polygons and textures from a formula.  Check out this article:

http://www.joystiq.com/2006/07/12/procedural-synthesis-gamings-fountain-of-youth/


Title: Re: MASSIVE SECURITY HAZARD in Spore!
Post by: J. M. Pescado on 2008 June 21, 03:57:11
Wes_h, procedural generation doesn't work that way.  The code to generate the creature is tiny, small enough to be held in a little 25kb png.
That's not what Wes_h is saying. Wes_h is saying that he cannot find any nonstandard data chunks which would represent the tiny creature data.

The PNG format allows non-standard chunks to be inserted in a file, but I find only image data in them. Interestingly enough, when you load one into Paint Shop Pro and save it under a different name, the resulting file is actually larger than the one downloaded from Sporepedia. Clearly, there is no room for 3K of creature data in there, unless they have much better compression than WinRar.
There are no data chunks which are not image data? Does a re-saved image function as a critter anymore, or is the critter data destroyed by this process? If you cannot find any custom data chunks inside the file, then it is likely that the creature data is steganographically encoded into the image data rather than using nonstandard PNG chunks.

I still think a download of creature data happens after the image is dropped on the CC.
Impossible, because otherwise I would not have been able to get BastDawn's flower-creatures by downloading the image from a Botophucket. Downloading could not happen because the Creator is not permitted access to the Internets.


Title: Re: MASSIVE SECURITY HAZARD in Spore!
Post by: BastDawn on 2008 June 21, 05:12:27
Wes_h, procedural generation doesn't work that way.  The code to generate the creature is tiny, small enough to be held in a little 25kb png.
That's not what Wes_h is saying. Wes_h is saying that he cannot find any nonstandard data chunks which would represent the tiny creature data.

I acknowledge my misunderstanding.  But still: here's what a spore creature png looks like after all the layers are merged and everything pure white (#FFFFFF) is colored hot pink.  I enlarged the image by 300% for clarity, using "pixel resize" to prevent blurring the edges.

(http://img75.imageshack.us/img75/3641/sporeciritterdataym7.png)

You can clearly see that the background is not solid white.  The merged image is pixelated with the color #FEFEFE.  It's binary.

Interestingly enough, when you load one into Paint Shop Pro and save it under a different name, the resulting file is actually larger than the one downloaded from Sporepedia. Clearly, there is no room for 3K of creature data in there, unless they have much better compression than WinRar.

You're doing it wrong.  What settings are you using?  I just tried it and saving the same file under a different name made the image 1kb smaller, not bigger.  Then I did it again with a different creature, only I removed all the pixelation in the alpha channel and then saved it without changing the file name.  It went from 26kb to 15kb, suggesting that it takes 11kb of data to generate my creature.  However, doing that did NOT remove the creature from my game, so the change in the package file you're seeing must be the game storing the data generated from the png.  I'm unpleasantly reminded of the errors with the first FreeTime patch -- if it's ever necessary to patch Spore, we'd better have kept all of our png files.


Title: Re: MASSIVE SECURITY HAZARD in Spore!
Post by: BastDawn on 2008 June 21, 07:01:58
Okay, now I've managed to change my computer's login name.  It's easy, too.  Just go to Start --> Settings --> Control Panel and open up User Accounts.  From there I clicked on the profile name and followed the prompts.  I log on and off using the new name, and the old name only exists as a file folder in C:\Documents and Settings, which did not create a new folder for the changed name.  Then I made a new creature, and it still uses the Ibis name.  Pescado, am I doing it right now?


Title: Re: MASSIVE SECURITY HAZARD in Spore!
Post by: J. M. Pescado on 2008 June 21, 07:07:42
Then I made a new creature, and it still uses the Ibis name.  Pescado, am I doing it right now?
Well, the username change procedure was performed correctly, but evidently Splotch does not recognize it. Did you try rebooting?


Title: Re: MASSIVE SECURITY HAZARD in Spore!
Post by: BastDawn on 2008 June 21, 07:17:45
Yes.  (I had to log out as Ibis to complete the change, and I figured I might as well reboot completely.)  So Spore keeps the name it knew at installation.  But I'm happy with it that way, because "Ibis" is not the name the computer is registered under.


Title: Re: MASSIVE SECURITY HAZARD in Spore!
Post by: J. M. Pescado on 2008 June 21, 08:11:51
I have a few hunches on where it is stored at the moment, and have also made some progress in understanding the spyware components. Research is ongoing.


Title: Re: MASSIVE SECURITY HAZARD in Spore!
Post by: Mirelly on 2008 June 21, 08:51:43
Can someone explain to me why someone knowing my account's log-in name on my PC is dangerous to me?

I submit that 90% of Windoze users operate with a single account using the generic MS account name and with no password set. I was one of those until a few ago when I migrated from dial-up to DSL. At that point I realised that I needed additional levels of security and installed a firewall and began operating password protected user accounts.


Title: Re: MASSIVE SECURITY HAZARD in Spore!
Post by: J. M. Pescado on 2008 June 21, 09:51:35
Can someone explain to me why someone knowing my account's log-in name on my PC is dangerous to me?
If your login name is not sensitive information, then you are relatively safe. However, a disturbing number of computers I have encountered actually contain the user's real name, which is highly sensitive information that should not be shared with the world, especially given that other information tends to be incidentally attached to it by IP. All in all, the fact that it transmits potentially sensitive information to the entire world is cause for concern.


Title: Re: MASSIVE SECURITY HAZARD in Spore!
Post by: Mirelly on 2008 June 21, 12:02:51
Ah, my computer's log-in name is my real name that my friends use to address me, but that name has no direct correlation with my "real" real name as found in government records and which I use only to notarise documents for the purposes of accepting liabilities and responsibilities.

I also have two signatures. One for official purposes and one for sundry purposes, for example signing for a delivery; I believe in plausible deniability ....


Title: Re: MASSIVE SECURITY HAZARD in Spore!
Post by: Menaceman on 2008 June 21, 16:52:09
When I use the SCC the lower left of the screen shows my full name until it "phones home" when it changes to display my Spore account name. I never got to name my user account as the laptop was delivered to me with it already named after me and I never saw the need to change it. I've asked a friend what my creations show up as on his machine as he has downloaded some of them and he says they are listed with my Spore account name, not my laptop user account name.
Should I still be worried or not? I hate finding threads like this as they make me so paranoid.


Title: Re: MASSIVE SECURITY HAZARD in Spore!
Post by: witch on 2008 June 21, 22:53:40
Question for JM.

If I'm running the game on a hardware profile that doesn't allow for networking and internet, will the EAxis phone home info be held after the machine has been rebooted?


Title: Re: MASSIVE SECURITY HAZARD in Spore!
Post by: BastDawn on 2008 June 22, 00:17:22
I was checking out the forums at Penny Arcade for more creatures to download, and found this:

Quote
jonxp wrote:

The creature data is encoded in the actual PNG images not as metadata, but through steganographically altering the image. Each pixel is made of four bytes of data (Red, Green, Blue, and Alpha). To extract the data from the image, one needs to take each byte of the image, divide it by two, and use the remainder as a single bit (this is known as a modulus operation). So for each byte in the decoded image you get a bit of information, each pixel is a nibble, and every two pixels is a full byte. Since the thumbs are 128x128, you can store 8KB of information in this manner.

I have written a program to extract the creature data, unfortunately it seems to be signed and/or encoded in some fashion, so I can't actually manipulate it (as far as I can tell).

I will put up some proof-of-concept "spore rolled" creatures soon that appear to be one creature, but are in fact a different one when loaded.

Interesting, but not very useful until it's decoded.
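
The extraction jonxp describes in the quote above, as an added Python example that is not part of the thread and not jonxp's program: it reads the low bit of every channel byte of an 8-bit RGBA PNG and packs eight of them into each payload byte, so anyone can see what an image carries before sharing it. The MSB-first bit order, the helper names and the sample payload are assumptions; the thread does not give Spore's actual layout.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def png_chunk(ctype, data):
    """Serialize one PNG chunk: length, type, data, CRC32."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

def write_rgba_png(width, height, rgba):
    """Encode raw RGBA bytes as an 8-bit non-interlaced PNG (filter 0 on every row)."""
    stride = width * 4
    rows = b"".join(b"\x00" + rgba[y * stride:(y + 1) * stride] for y in range(height))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 6, 0, 0, 0)
    return (PNG_SIG + png_chunk(b"IHDR", ihdr)
            + png_chunk(b"IDAT", zlib.compress(rows)) + png_chunk(b"IEND", b""))

def unfilter_rows(raw, width, height):
    """Undo PNG row filters 0-4 for 4 bytes per pixel."""
    bpp, stride = 4, width * 4
    out, prev = bytearray(), bytearray(stride)
    for y in range(height):
        start = y * (stride + 1)
        ftype = raw[start]
        line = bytearray(raw[start + 1:start + 1 + stride])
        for i in range(stride):
            a = line[i - bpp] if i >= bpp else 0      # left (already reconstructed)
            b = prev[i]                               # above
            c = prev[i - bpp] if i >= bpp else 0      # upper left
            if ftype == 0:
                pred = 0
            elif ftype == 1:
                pred = a
            elif ftype == 2:
                pred = b
            elif ftype == 3:
                pred = (a + b) // 2
            elif ftype == 4:                          # Paeth predictor
                p = a + b - c
                pa, pb, pc = abs(p - a), abs(p - b), abs(p - c)
                pred = a if pa <= pb and pa <= pc else (b if pb <= pc else c)
            else:
                raise ValueError("unknown PNG filter type %d" % ftype)
            line[i] = (line[i] + pred) & 0xFF
        out += line
        prev = line
    return bytes(out)

def read_rgba_png(png):
    """Decode an 8-bit RGBA non-interlaced PNG into (width, height, raw RGBA bytes)."""
    if png[:8] != PNG_SIG:
        raise ValueError("not a PNG file")
    pos, idat, width, height = 8, bytearray(), None, None
    while pos + 8 <= len(png):
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        data = png[pos + 8:pos + 8 + length]
        pos += 12 + length                            # header + data + CRC
        if ctype == b"IHDR":
            width, height, depth, colour, _, _, interlace = struct.unpack(">IIBBBBB", data)
            if (depth, colour, interlace) != (8, 6, 0):
                raise ValueError("only 8-bit non-interlaced RGBA is handled")
        elif ctype == b"IDAT":
            idat += data
        elif ctype == b"IEND":
            break
    if width is None:
        raise ValueError("missing IHDR")
    return width, height, unfilter_rows(zlib.decompress(bytes(idat)), width, height)

def capacity_bytes(width, height):
    """One bit per channel byte: 4 bits per pixel, 8 channel bytes per payload byte."""
    return width * height * 4 // 8

def extract_lsb(rgba):
    """Take value % 2 of each channel byte; MSB-first packing is an assumption."""
    out = bytearray()
    for i in range(0, len(rgba) - 7, 8):
        byte = 0
        for value in rgba[i:i + 8]:
            byte = (byte << 1) | (value % 2)
        out.append(byte)
    return bytes(out)

def embed_lsb(rgba, payload):
    """Write payload bits into the low bits; used here only to build the sample."""
    if len(payload) * 8 > len(rgba):
        raise ValueError("payload exceeds image capacity")
    buf = bytearray(rgba)
    for n, byte in enumerate(payload):
        for k in range(8):
            buf[n * 8 + k] = (buf[n * 8 + k] & 0xFE) | ((byte >> (7 - k)) & 1)
    return bytes(buf)

def scrub_lsb(rgba):
    """Clear every low bit, which removes anything carried this way."""
    return bytes(value & 0xFE for value in rgba)

def demo():
    cover = bytes([200, 180, 160, 255]) * (128 * 128)   # constructed flat thumbnail
    secret = b"CONSTRUCTED-SAMPLE owner=alice"          # constructed, not Spore's format
    png = write_rgba_png(128, 128, embed_lsb(cover, secret))
    width, height, pixels = read_rgba_png(png)
    found = extract_lsb(pixels)[:len(secret)]
    cleaned = extract_lsb(scrub_lsb(pixels))[:len(secret)]
    return capacity_bytes(width, height), found, cleaned

if __name__ == "__main__":
    print(demo())
```

Clearing the low bits removes the whole hidden payload, so by the quoted description the image would then carry no creature data at all, not just no name.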


Title: Re: MASSIVE SECURITY HAZARD in Spore!
Post by: J. M. Pescado on 2008 June 22, 00:19:50
When I use the SCC the lower left of the screen shows my full name until it "phones home" when it changes to display my Spore account name. I never got to name my user account as the laptop was delivered to me with it already named after me and I never saw the need to change it. I've asked a friend what my creations show up as on his machine as he has downloaded some of them and he says they are listed with my Spore account name, not my laptop user account name.
Should I still be worried or not? I hate finding threads like this as they make me so paranoid.
You should panic now, yes. In the event that the Splorch server cannot be logged in, anything you make will contain your name in it. You can freak out now.


Title: Re: MASSIVE SECURITY HAZARD in Spore!
Post by: wes_h on 2008 June 22, 05:11:06
I saw a post elsewhere claiming that the data is in the color channels at all the locations that are transparent (where the alpha is zero). It seems like a reasonable conjecture and also a very clever method.

If it bears out to be true I will eat my words here publicly (and this may very well be necessary), although I am correct that there are only standard PNG chunk types in any of the files I examined (no private or metadata chunks). Since I do not have any significant tools here or previous experience to aid me in decompressing and checking these files, I will leave that research to the ongoing efforts of others.

I will say that I know the username is saved in .package files, along with the creature name and other data (likely ID values similar to the TS2 group and instance) after the file is downloaded, and that at least a significant amount of the creature data is an XML file. Unlike TS2, it appears when the file is downloaded that the package file containing your creature data (created by you and that downloaded) is updated, rather than separate files existing for each creature.


Title: Re: MASSIVE SECURITY HAZARD in Spore!
Post by: J. M. Pescado on 2008 June 22, 05:25:30
Where are these package files HIDING, anyway? I can't seem to locate them inside the directories.

I saw a post elsewhere claiming that the data is in the color channels at all the locations that are transparent (where the alpha is zero). It seems like a reasonable conjecture and also a very clever method.
I wouldn't worry about that. An experiment is meaningful even when the hypothesis is proven to be false.


Title: Re: MASSIVE SECURITY HAZARD in Spore!
Post by: Lorelei on 2008 June 22, 20:01:58
Photoshop has a "feature" where you can add data info (name of artist, source of image(s), address, copyright, contact data, whatever) to images. I haven't used it in ages, so I can't recall if this data is only for Photoshop-format files or if jpgs, pngs and gifs can also be data-enhanced. At any rate, there are ways to embed data that don't require a lot of nerdery or specialized knowledge. Said data can be very complex.

As far as reading info off a standard compy, also easy. Simplistic Javascripted code embedded in HTML has been used since practically the first days of the graphical (rather than text-based) WWW, and before.

Not a great stretch of the imagination that an unethical data-mining company like EA might seek to tweak existing old tech to steal your personal info. Fuckers.


Title: Re: MASSIVE SECURITY HAZARD in Spore!
Post by: Mirelly on 2008 June 22, 20:48:42
In the event that the Splorch server cannot be logged in, anything you make will contain your name in it. You can freak out now.

Muahaha. I visited the Sporepedia today and broke it.

proof (http://www.hotlinkfiles.com/files/1486001_lwogc/broke.jpg) ... it's a screencap.

ETA Cold Fusion ... yeesh.


Title: Re: MASSIVE SECURITY HAZARD in Spore!
Post by: wes_h on 2008 June 23, 02:03:40
Where are these package files HIDING, anyway? I can't seem to locate them inside the directories.

I am running the program here on a Vista machine. On Vista the packages are in C:\Users\myusername\AppData\Roaming\SPORE Creature Creator\

I would believe on XP there will be a SPORE Creature Creator in your user area in a folder called "Application Data". This folder or its analog is, under both Vista and XP, a locked system folder, and to see the files in Windows Explorer you have to uncheck the option "Hide Protected Operating System Files", ignoring the dire warnings that messing with these files could ruin your system, and may perhaps be the source of all strife in the world.

SimPE Phails at opening them, because the format has been updated to version major 2. This has become the latest time sink for me.



Title: Re: MASSIVE SECURITY HAZARD in Spore!
Post by: Menaceman on 2008 June 23, 21:14:10
In the event that the Splorch server cannot be logged in, anything you make will contain your name in it. You can freak out now.

Muahaha. I visited the Sporepedia today and broke it.

proof (http://www.hotlinkfiles.com/files/1486001_lwogc/broke.jpg) ... it's a screencap.

ETA Cold Fusion ... yeesh.

I get those error screens a lot when browsing the spore site.
As to my earlier post, I have since created creatures without being connected to the net and they have indeed been stored to my sporpedia with my real name attached. I figure I can just edit them and save as new creatures to get them to use my account name before uploading.


Title: Re: MASSIVE SECURITY HAZARD in Spore!
Post by: CM on 2008 June 25, 03:04:28
Thank you for telling us this!  This only shows that EA is in it for the bucks and nothing else.  If they actually listened to the customers, this would have stopped awhile ago.  If this is any indication of what is to come for The Sims 3, count me out.  >:(


Title: Re: MASSIVE SECURITY HAZARD in Spore!
Post by: Zilla on 2008 June 25, 16:10:07
ACHTUNG!

As if SecuROM wasn't bad enough, there is also a MASSIVE SECURITY LEAK in Spore: If you EVER share ANY content with ANYONE, be warned that YOUR COMPUTER USERNAME is ENCRYPTED INTO THE CREATURE "IMAGE" FILE. YOU WILL NOT BE ABLE TO REMOVE THIS INFORMATION BY HEXING! This means that ANYONE who downloads it will know what your username is on your computer.

This represents a MASSIVE security breach because many people (foolishly) encode their real names into their Windoze username. Even if you don't, revealing this username to the world presents a point of vulnerability for attack by hackers. By sharing any Spore content ANYWHERE, you are leaving your computer open to attack and leaving yourself open to stalking and identity theft.

BEWARE!

All ass kissing aside Pes, but after not being here for awhile I was rather disappointed to read this. Certainly you must have a trick or two up your sleeve to bypass this problem?  Not that I was going to buy it, but still.

Silly people still feeding the cash cow. All one is ask is, why?


Title: Re: MASSIVE SECURITY HAZARD in Spore!
Post by: J. M. Pescado on 2008 June 25, 23:41:33
All ass kissing aside Pes, but after not being here for awhile I was rather disappointed to read this. Certainly you must have a trick or two up your sleeve to bypass this problem?  Not that I was going to buy it, but still.
Yeah, don't put your name on your computer and/or don't share your files. It's really a problem that afflicts Sheeples, but there's an awful lot of them.


Title: Re: MASSIVE SECURITY HAZARD in Spore!
Post by: zolabee on 2008 June 28, 12:49:30
You know, I don't post often - usually when I need help (stupid non tech here), but I just have to say EA stinks! *read sucks*  What chance does someone like me who is miles below you guys, but miles above even more people? 

Thanks for sharing this info.  I hadn't intended to get spore, but will pass this on to student's parents when school starts back.


Title: Re: MASSIVE SECURITY HAZARD in Spore!
Post by: SilentDream on 2008 July 01, 00:01:32
spore will use the name of the account it was installed under so even though you changed your login name it will still use the name it was installed with. (if you uninstall,reinstall it will use your new one :)).

I don't think so. When I got my computer, the account was named something other than it is now. In documents and settings, the account folder still has the previous name and I have had games pull from that name before. So I wouldn't doubt that spore, though installed after I changed the account name, would pick up the previous name.


Title: Re: MASSIVE SECURITY HAZARD in Spore!
Post by: kuronue on 2008 July 08, 02:29:50
Out of curiosity, JM, how dangerous are slightly-unusual firstnames? I've heard varying opinions from varying people, most of which can't tell their heads from their asses...


ETA: And are we sure the computer name isn't stored anywhere? I got this lappy from my school, so if there's both that gives a first name and a school. . .


Title: Re: MASSIVE SECURITY HAZARD in Spore!
Post by: J. M. Pescado on 2008 July 08, 02:35:23
Out of curiosity, JM, how dangerous are slightly-unusual firstnames? I've heard varying opinions from varying people, most of which can't tell their heads from their asses...
Extremely. I mean, if your name is something like "John" or "Emma", you probably have little to worry about...

ETA: And are we sure the computer name isn't stored anywhere? I got this lappy from my school, so if there's both that gives a first name and a school. . .
DEAD MEAT. Reformat that sucker NOW. Tell them it got hacked by mudkipz. A name alone may not be enough, but three points of data in the form of a name, an organization, and an IP is enough to definitely peg you to within 50 meters. With that much information, someone with the resources of EAxis can take you out with an artillery strike right there.


Title: Re: MASSIVE SECURITY HAZARD in Spore!
Post by: kuronue on 2008 July 08, 23:54:01
Out of curiosity, JM, how dangerous are slightly-unusual firstnames? I've heard varying opinions from varying people, most of which can't tell their heads from their asses...
Extremely. I mean, if your name is something like "John" or "Emma", you probably have little to worry about...
It's not, it's one of those last names that is sometimes used as a first name, for a boy, when spelled differently. Googling it shows no relevant results in the first five pages (after that I lost count)
Quote
ETA: And are we sure the computer name isn't stored anywhere? I got this lappy from my school, so if there's both that gives a first name and a school. . .
DEAD MEAT. Reformat that sucker NOW. Tell them it got hacked by mudkipz. A name alone may not be enough, but three points of data in the form of a name, an organization, and an IP is enough to definitely peg you to within 50 meters. With that much information, someone with the resources of EAxis can take you out with an artillery strike right there.

Glad I haven't installed the Creature Creator yet then. I'll put it on the more anonymous computer after checking to ensure there's nothing on it.


Title: Re: MASSIVE SECURITY HAZARD in Spore!
Post by: edalbformat on 2008 July 15, 11:14:46
According to last thing I read, EA/Maxis accuse to have more than 100 million copies of their games sold. Everyday you read users saying "I'm totally excited waiting for the new Ep, or whatever".
You are BUYING boy, no matter what kind of rape is done to you. I don't have Spore, or any other product from EA and I decided that no one in my circle will ever buy anything else with EA logo in it. We avoid even the shops that place the logo on the window.
No one has to care about what you have to say, because you say it and run to buy the next crap released.
Game players are developing the same relation as the whore to the pimp. You destroy me but what am I without you?

-x-x-x-x-x-
90% of the people in this planet, should use the brain outside the cranium.  It is only decorative anyway!


Title: Re: MASSIVE SECURITY HAZARD in Spore!
Post by: Zazazu on 2008 July 15, 15:15:37
Game players are developing the same relation as the whore to the pimp. You destroy me but what am I without you?

-x-x-x-x-x-
90% of the people in this planet, should use the brain outside the cranium.  It is only decorative anyway!

Who needs Gali?


Title: Re: MASSIVE SECURITY HAZARD in Spore!
Post by: nil on 2008 July 16, 07:15:23
that sounds there's been a lot of funs as EAxis turned into manipulating every aspect of sharing... cool... I'm waiting to see people start to share funwares through their secure system... :D

Anyway, the addiction of the customers by means of their imaginations and/or the success or charisma of the product VS the complaints and disappointment and frustration of the customers.
If the latter becomes strong enough statistically, most people quit and the sale line will be enervated.  Penalty back on the company administration.
If the former remains stronger, the company administration can get around it with ease for sale boom remains regardless of further poor quality and unpleasing acts.

This trading rule is pretty obvious and simple. Can the crowd just learn to control themselves instead of getting hooked up to be a slave? Let's see. :D


Title: Re: MASSIVE SECURITY HAZARD in Spore!
Post by: J. M. Pescado on 2008 July 17, 10:49:38
There is another way.
(http://www.moreawesomethanyou.com/cats/piratecat.jpg)
Viva Los Gatos!


Title: Re: MASSIVE SECURITY HAZARD in Spore!
Post by: Drakron on 2008 July 21, 18:00:20
.... And some may argue that the Sony BMG DRM and Sony DADC SecuROM are not the same, but the similarities are striking and frightening.
...

That is because THEY ARE NOT THE SAME DUMBASS.

Sony BMG used Extended Copy Protection, that is from First 4 Internet/Fortium Technologies Ltd and MediaMax CD-3 that is from SunnComm International Inc as SecuROM is a Sony product.

And I am not even going to the FUNCTIONS of each..


Title: Re: MASSIVE SECURITY HAZARD in Spore!
Post by: Drakron on 2008 July 22, 03:20:51
Sony BMG is a major record label, one of the "Big Four" ... in the DRM case they are as guilty as EA since they used 3rd party software.

Of course we are talking about music CDs in that case, as someone said in Wikipedia talk page about that case

"The underlying problem is that CD standards were created before people had computers or the internet and do not cater for copy protection, and existing stand-alone players are not capable of being modified to facilitate changed CD standards. Consequently, all attempts to prevent copying CD's on pc's have to involve either (a) contriving a CD which will play on a standalone player, but is malformed in such a way as a pc cannot play it, or (b) making a CD with software on it as well as the music content, where the software interferes with the use of the computer.

The problem with (a) is that increasingly, computer type cd drives are being used in stand-alone players and you end up with CD's that won't play in some players (eg some car CD players), and with (b) is that interfering with how the user has proper access to their computer also interferes with computer security."

SecuROM is a different matter ...

First it's not a Rootkit, it gives a false positive because it adds null byte registry entry that raises the suspicious flag but it's not one (at least nobody is saying that it is (besides idiots)).

But that is not real issue with SecuROM, the issue is how EA decided to use some optional checks ... like the every 10 day online validation and the only 3 activations that were in Mass Effect (Bioshock also had the 3 activations but it seems Take2 at least knows what the hell they are doing).

The only similarity is they run as a program but SecuROM runs as ring 3 (least privileged) as XCP runs as ring 0 (Kernel, meaning the most privileged).

Look I am FINE with roasting their asses but at least I am to be sure of why I am roasting their asses ... I know some people reported awful things with SecuROM as destroying their computers and all that but I am by nature suspicious, especially when there is a convenient target and that is what SecuROM became with BioShock.

I am not part of Sony fanclub, I am PAL and so I have been screwed over by Sony too many times to have any love for them but in this case, I am assured the blame lies with EA (after all, they were the ones that created the stupidity that Pescado found).



Title: Re: MASSIVE SECURITY HAZARD in Spore!
Post by: edalbformat on 2008 July 28, 12:03:35
"Better Locks make Better Burglars"

It is really ridiculous when companies lose most of their time inventing better ways to protect their products. In games case, they are becoming everytime cheaper, for no other reason than that Data products (the whole Electronics business in general) are branches where things develop faster than one can register in the account books and normally become obsolete before reaching the market. The companies that are more worried about losing income are exactly the ones that are alone in market and have power to threaten the concurrence with psycho terror. In the case of TS for example, when I first bought TS1 I had to pay about 100 USdollars per unit (and I have 23 legal copies of the crap). TS2 is being sold for the half of the price (at present exchange that is much lower). Stuff packs are very low priced (though they are not worth more than this too). I would not dirty my name for so low amount and have never used piracy. The case is that the situation makes the criminal and I would probably also look for piracy if too many hamperances are made for my access.
I hate to be dealt as a criminal in spite of all my concious and wish to be "on the right side of the road". The practical result is that "if I'm judged as a criminal before I really become one, then we are on the same holed boat and we can join the devil if we cannot fight him. 
The consumer is the most important part of deal, but most of the time it is classified just as the useful "idiot". No wonder. Most of the consumers don't care to be more than the useful idiot.
And I do not believe that so big weapons are necessary against the normal user. Just as test, I've been teasing most of the active users that are involved in modding and none of them seems to be capable to take actions against the power. To say the truth, the majority of the users don't know how to make more than some recolors or some very simple modifications.
Who are really the big dangerous ones? To spread something you need, first MONEY, second ACCESS to sophisticated equipment and programs.
None of us have none of both.


Title: Re: MASSIVE SECURITY HAZARD in Spore!
Post by: Liz on 2008 July 29, 02:33:47
Game players are developing the same relation as the whore to the pimp. You destroy me but what am I without you?
-x-x-x-x-x-
90% of the people in this planet, should use the brain outside the cranium.  It is only decorative anyway!
Who needs Gali?
The companies that are more worried about losing income are exactly the ones that are alone in market and have power to threaten the concurrence with psycho terror... The practical result is that "if I'm judged as a criminal before I really become one, then we are on the same holed boat and we can join the devil if we cannot fight him.

Gali Jr. is full of truth and win.

.... And some may argue that the Sony BMG DRM and Sony DADC SecuROM are not the same...
That is because THEY ARE NOT THE SAME DUMBASS.

They are SEPARATE DUMBASSES! So sayeth the Drakron.


Title: Re: MASSIVE SECURITY HAZARD in Spore!
Post by: IAmTheRad on 2008 August 22, 22:56:11
Oh, I never use my real name for anything besides only 2 email accounts. That's it. My computer name is completely different than my real name, and I doubt that anybody will even try to use my fake computer name for any malicious purposes.

I'm smarter than most of the sheeple who actually use their names for their logins. Usually I'm the only person who uses my computer, and if anyone else does, they use my username. So I'm in no threat of being attacked by a malicious person finding out my Spore login name then managing to get my ip address to hack my computer. I know it's possible, but I don't keep anything important of value on my computer anyways.

It's the stupid people that will be affected by this. These stupid people are also the ones who have 'default' as their wireless network SSID and also have no password or MAC address filtering.

Not to mention that I actually got into someone's wireless who did this and also could have made his network my own if I wanted.


Title: Re: MASSIVE SECURITY HAZARD in Spore!
Post by: J. M. Pescado on 2008 August 23, 03:49:16
Some people deliberately maintain unsecured wireless either because they want to provide public Internets, or because they want the plausible deniability of being able to blame some random person for anything they get accused of.


Title: Re: MASSIVE SECURITY HAZARD in Spore!
Post by: Hegelian on 2008 August 25, 18:31:17
FWIW, I have no intention of installing Spore on my computer. Nonetheless, I am curious about exactly which user name is being used, and possibly exposed to unauthorized viewers, in this instance (it is not entirely clear from this discussion).

Basically, my question is, if my user name is 'Hegelian' and I use the User Account function to change it to 'Justinian', the associated folder in the "Documents and Settings" directory is still 'Hegelian'. Is the Spore software using the user name I can change, or the name of the user folder, which is a system folder that cannot be changed by any normal means?

It is possible to move all the data (http://support.microsoft.com/?kbid=811151) for an existing administrator-level account to a new one and then delete the original account, but it's a bit of a PITA.


Title: Re: MASSIVE SECURITY HAZARD in Spore!
Post by: Milhouse Trixibelle Saltfucker III on 2008 September 04, 21:37:44
So, now that the splotchen are overtaking torrent sites and the world at large, did anyone ever figure out how to excise the data from Splotchcritter image files?
(For the record, my computer username is not my own name or even something remotely dangerous in the hands of others, but I like mah privacy.)


Title: Re: MASSIVE SECURITY HAZARD in Spore!
Post by: antechinus on 2008 September 05, 04:54:18
Is that all correct so far?  Anything I missed?

I think you missed the fact that EA sucks.

Hypothetical question: if person1 borrowed person2's game and wanted to load it onto another computer, but without loading SECUROM, or using one of the 3 activations, or allowing it to phone home- how would they go about doing this? Is there an equivalent of a no CD exe?
Assume person1 is ignorant, but can follow simple instructions.


Title: Re: MASSIVE SECURITY HAZARD in Spore!
Post by: Zazazu on 2008 September 05, 05:00:50
There is a crack, yes. It's in the torrent, and it's also linked at GameCopyWorld. It's not hosted on GameCopyWorld though.


Title: Re: MASSIVE SECURITY HAZARD in Spore!
Post by: antechinus on 2008 September 05, 07:31:33
Does the crack require arring the whole game, or is it some kind of replacement .exe?


Title: Re: MASSIVE SECURITY HAZARD in Spore!
Post by: jsalemi on 2008 September 05, 15:10:56
Does the crack require arring the whole game, or is it some kind of replacement .exe?

If it's like pretty much every other crack, it just replaces the .exe, regardless of how you got the game.


Title: Re: MASSIVE SECURITY HAZARD in Spore!
Post by: MaximilianPS on 2008 September 05, 15:48:27
but my username on vista is "max"... did you think i'm in danger ?  ::)
it's a really common name  ???


Title: Re: MASSIVE SECURITY HAZARD in Spore!
Post by: Zazazu on 2008 September 05, 18:18:01
Yes! They are out to get you!


Shouldn't be an issue. The problem arises with people who use their whole name as their computer account name. Mine is only my first name, which isn't too uncommon. I am, as far as I can tell, the only person with my first and last name combination in the world.


Title: Re: MASSIVE SECURITY HAZARD in Spore!
Post by: Ryslin on 2008 September 05, 20:16:12
My habit of various nicknames started at a young age pays off once again!
Oh Mea Someoneelse, I hardly knew ye.


Title: Re: MASSIVE SECURITY HAZARD in Spore!
Post by: jsalemi on 2008 September 05, 21:46:22
If I'm reading the info correctly, the arrgh version doesn't support connecting online anyway, right?  You pretty much just play as a stand-alone game.

Is the same also true for the no-cd.exe?  Or can you get online with that one while avoiding suckrot?



Title: Re: MASSIVE SECURITY HAZARD in Spore!
Post by: Jess Maree on 2008 September 06, 05:03:17
I used to have Jess as my account name, but now I have Jess Maree. It sounds a whole lot nicer than plain ol' Jess.


Title: Re: MASSIVE SECURITY HAZARD in Spore!
Post by: MaximilianPS on 2008 September 06, 07:27:10
If I'm reading the info correctly, the arrgh version doesn't support connecting online anyway, right?  You pretty much just play as a stand-alone game.

Is the same also true for the no-cd.exe?  Or can you get online with that one while avoiding suckrot?



actually i'm playing with arrrgh version of the exe 'cause i hate to play with cd, but i haven't tried to register/download anything, to be honest i didn't feel the need  ::)


Title: Re: MASSIVE SECURITY HAZARD in Spore!
Post by: sirnh on 2008 September 06, 14:27:01
Does anyone have any idea, when game tries to do an 'online activation'? I mean does it 'activate' when the game is installing or does it 'activate' the first time you play the game? (I want to prevent it from activating, since the computer I use for gaming is not connected to the internet...at all. The internet is on another computer).

So if it activates when you first start the game, I have no problem (see gamecopyworld  ;) ), otherwise...
(Yes, I want a copy I can legally hold in my hand)


Title: Re: MASSIVE SECURITY HAZARD in Spore!
Post by: Drakron on 2008 September 06, 14:34:49
3 activations ... I guess even after the Mass FAILure they still have not learned.

I cannot wait for Sims 3 where an EA representative goes to your house in order to install the game.



Title: Re: MASSIVE SECURITY HAZARD in Spore!
Post by: J. M. Pescado on 2008 September 06, 14:53:43
I used to have Jess as my account name, but now I have Jess Maree. It sounds a whole lot nicer than plain ol' Jess.
I suggest going with "Pedobait", so that it isn't identifying at all.

Does anyone have any idea, when game tries to do an 'online activation'? I mean does it 'activate' when the game is installing or does it 'activate' the first time you play the game? (I want to prevent it from activating, since the computer I use for gaming is not connected to the internet...at all. The internet is on another computer).
It activates every time it goes on the Internet, which is, normally, every time you play the game.

(Yes, I want a copy I can legally hold in my hand)
Get off my site!


Title: Re: MASSIVE SECURITY HAZARD in Spore!
Post by: Liz on 2008 September 06, 19:49:52
What news, exactly, do you want him/us to spread? The security hazard? The torrent-ability? Neither is really new news.


Title: Re: MASSIVE SECURITY HAZARD in Spore!
Post by: EntropyGuardian on 2008 September 08, 13:01:37
I haven't even played Apartment Life. Spore just owns too much. My actual copy arrives today and it will be grand.


Title: Re: MASSIVE SECURITY HAZARD in Spore!
Post by: Theo on 2008 September 08, 13:19:02
I haven't even played Apartment Life. Spore just owns too much. My actual copy arrives today and it will be grand.

Bundled with SecuROM and activation schemes, what more could you ask for?

And if you're willing, you may add your review of the product: http://www.amazon.com/review/product/B000FKBCX4/ref=cm_cr_pr_helpful

;D


Title: Re: MASSIVE SECURITY HAZARD in Spore!
Post by: Trubble on 2008 September 08, 14:07:04
Does anyone have any idea, when game tries to do an 'online activation'? I mean does it 'activate' when the game is installing or does it 'activate' the first time you play the game? (I want to prevent it from activating, since the computer I use for gaming is not connected to the internet...at all. The internet is on another computer).

So if it activates when you first start the game, I have no problem (see gamecopyworld  ;) ), otherwise...
(Yes, I want a copy I can legally hold in my hand)

I only had to activate it the once online, it's when you first load the game. You can play sans internets otherwise. I do have the EA downloader copy though. Not a real one or an arr'd one, though I still got it for free.


Title: Re: MASSIVE SECURITY HAZARD in Spore!
Post by: Quill on 2008 September 08, 15:47:25
I'd like to report that despite changing my computer username prior to installing, it's still using my original username for the creator name on my items.  I'm not surprised, but it's a completely stupid thing to do.  I'm not connecting to the internet in Spore, so this hasn't been a problem, but it's going to keep me from sharing my content and probably keep me from ever letting the game connect. 

Does anyone have a suggestion on how to change the username Spore uses without having to copy all my files over to a new account?  My computer has been getting a blue screen of death when copying files, so that puts a bit of a wrench in the works.   :-[

I wouldn't be worried but I have a very unusual first name, and I don't really want to be sending it out to the world if I can avoid it.  It's too easy to connect it to me.  If I had a name like Mike or Katie I'd be ok with it. 


Title: Re: MASSIVE SECURITY HAZARD in Spore!
Post by: sirnh on 2008 September 09, 09:06:22
I only had to activate it the once online, it's when you first load the game. You can play sans internets otherwise. I do have the EA downloader copy though. Not a real one or an arr'd one, though I still got it for free.
Thanks... I finally got my copy yesterday... And it indeed looks like it only activates when you run it for the first time (or at least if you use the original exe-file, and I don't....).

I noticed it also checks your drivers, since it came complaining with a message similar to "your drivers are out of date. Please update them." I could still play the game though...


Title: Re: MASSIVE SECURITY HAZARD in Spore!
Post by: Trubble on 2008 September 09, 12:37:48
Yeah mine said about drivers, but I figured it was just because I just formatted and haven't connected the laptop to the internet since to update vista and drivers and such. But it runs fine.


Title: Re: MASSIVE SECURITY HAZARD in Spore!
Post by: EntropyGuardian on 2008 September 10, 04:39:55
I haven't even played Apartment Life. Spore just owns too much. My actual copy arrives today and it will be grand.

Bundled with SecuROM and activation schemes, what more could you ask for?

And if you're willing, you may add your review of the product: http://www.amazon.com/review/product/B000FKBCX4/ref=cm_cr_pr_helpful

;D

Yeah it still works fine, I haven't been backdoored through the SUPER SECURITY HAZARD THE EVIL SECUROM OPENED WITHOUT MY PERMISSION IT'S NOT EVEN IN THE EULA!!!!!!! It's installed on one of my desktops and my laptop and they both work a charm w/o the disc natively. No slow down in computer processes. Not a degree increase in CPU idle temps. My keyboard still works fine.

Seriously, it isn't a big deal. If Spore's copy protection fucked up your computer it was a shitty computer to start with.

Actually, I don't even get it. Why even worry about copy protection when most of you pirate your games anyway?




Title: Re: MASSIVE SECURITY HAZARD in Spore!
Post by: BastDawn on 2008 September 10, 05:44:13
Actually, I don't even get it. Why even worry about copy protection when most of you pirate your games anyway?

SecuROM is why most of us pirate our games.


Title: Re: MASSIVE SECURITY HAZARD in Spore!
Post by: Diala on 2008 September 10, 07:10:12
Seriously, it isn't a big deal. If Spore's copy protection fucked up your computer it was a shitty computer to start with.

Man, there sure are a ton of shitty computers out there, then... especially odd since most of them gave no indication of being shitty before SecuROM. Could it be SecuROM's fault? ...Naaah, it's all your stoopid pirutez fault.

Quote
Actually, I don't even get it. Why even worry about copy protection when most of you pirate your games anyway?

I feel rather strongly about buying current gen games. I bought every expansion pack up to Seasons. Once I heard the troubles SecuROM was giving others, however, I decided I'd rather not support a company that treats its customers like criminals. I have yet to have SecuROM on my computer, but I am not going to risk it, lest my computer is too "shitty" to withstand a rootkit fucking around with it.


Title: Re: MASSIVE SECURITY HAZARD in Spore!
Post by: sirnh on 2008 September 10, 07:34:22
Seriously, it isn't a big deal.
You do know about the 3 install limits in spore and the activation procedure in spore, do you?  EA made certain that after 3 installs the game will not work any longer. So if you buy a new computer, or format your current computer, you lose an install. If EA takes the activation servers offline (knowing EA they will do that the moment spore2 comes out) you can no longer activate (and play) spore, since spore wants to 'activate', on install and every time you go online.

No big deal? Are you certain about that?

If Spore's copy protection fucked up your computer it was a shitty computer to start with.
I tried the first ep of the sims that had securom (without a no-cd), Nero didn't work as it should and my dvd-burner (that I use for BACK-UPS) didn't work as it should either. And although all problems are solved now (and I'm using a no-cd), it shouldn't have happened with a 1-year old computer in the first place. MY computer to be exact. I never gave permission to install securom and there wasn't a single notice about securom, so that makes it basically spyware. And no-one wants spyware on his/her system, so most people go for the free 'spyware'-free version of the game that doesn't break their system.

Edit to fix spelling mistakes...


Title: Re: MASSIVE SECURITY HAZARD in Spore!
Post by: FourCats on 2008 September 10, 10:53:44
Actually, I don't even get it. Why even worry about copy protection when most of you pirate your games anyway?

SecuROM is why most of us pirate our games.

This is true for me.  I used to be very anti-piracy.   I would pay for everything.  Then I met securom, and found how easy piracy is.  I will not pay for a securom infested game. 


Title: Re: MASSIVE SECURITY HAZARD in Spore!
Post by: EntropyGuardian on 2008 September 10, 11:52:43
I can still burn CD/r and DVD/r's. I'll keep you updated as to when the evil ROOTKIT COMPUTER VIRUS doesn't allow me to anymore. I'm going to install Mass Effect right now then uninstall it and continue to do so until it doesn't let me anymore. I'll let you know when that happens as well. I'll also let you know when the evil BACKDOOR TROJAN doesn't allow me to back up my harddrive onto my backup HDDs.

Don't hold your breath.


Title: Re: MASSIVE SECURITY HAZARD in Spore!
Post by: witch on 2008 September 10, 12:24:08
I can still burn CD/r and DVD/r's. I'll keep you updated as to when the evil ROOTKIT COMPUTER VIRUS doesn't allow me to anymore. I'm going to install Mass Effect right now then uninstall it and continue to do so until it doesn't let me anymore. I'll let you know when that happens as well. I'll also let you know when the evil BACKDOOR TROJAN doesn't allow me to back up my harddrive onto my backup HDDs.

Don't hold your breath.

Hur. One born every minute.


Title: Re: MASSIVE SECURITY HAZARD in Spore!
Post by: Kyna on 2008 September 10, 13:04:50
I can still burn CD/r and DVD/r's.

Lucky you.  I've heard too many stories, including in real life, of people who had drives stop working completely after installing something that came with SecuROM (including people with non-shitty computers purchased fairly recently).  They can't all be coincidence or a faulty drive or be the case that the drive's time was somehow up.

My son is sometimes called upon by various family members and his friends to fix their computer issues, and the first thing he looks for when he's fixing a computer with a bad CD/DVD drive is SecuROM - and he always finds it.

My daughter installed BV from the disc she purchased legally.  The game refused to run while the disc was in her drive, it kept telling her she needed to insert the disc.  Up until that point we'd always bought two copies of every EP in the Sims line - going back to TS1 base game - one for her and one for me.  We never got around to purchasing a copy of BV for me, and we chose to pirate FT & AL.  She's also pirated Spore due to SecuROM.  Why would we pay for a product that doesn't work and that has killed the drives of people we know, when the pirated version works and doesn't kill drives?


Title: Re: MASSIVE SECURITY HAZARD in Spore!
Post by: jsalemi on 2008 September 10, 16:15:17
My daughter installed BV from the disc she purchased legally.  The game refused to run while the disc was in her drive, it kept telling her she needed to insert the disc. 

That's exactly what happened to me, and why I first got a no-cd.exe. Took a bit to get SecuROM off my system, but I learned my lesson. In my case, it was a 2-year old mid-line Dell machine.


Title: Re: MASSIVE SECURITY HAZARD in Spore!
Post by: Zazazu on 2008 September 10, 17:25:35
Seriously, it isn't a big deal. If Spore's copy protection fucked up your computer it was a shitty computer to start with.
Fucking trolls.

Many here would probably get wet thinking about my Addison. I love him, yes I do. He is far from shitty. Yet SecuROM deemed my antivirus and firewall OMG EVIL and disabled them, plus disabled my ability to get updates. You, sir, are part of the problem. Did you even pay for your rig, or did Mommy and Daddy buy it for you? I've put over $2k in mine, and no one is going to kill it just because they want to bundle a DRM program that is ineffective at doing what it was meant for and only too effective at screwing with things it has no business bothering with.


Title: Re: MASSIVE SECURITY HAZARD in Spore!
Post by: Diala on 2008 September 10, 22:14:55
Fucking trolls.

This chum seems to have been around since 2006. Either it decided to turn troll for the lulz, or it is one of those dense sheep who think that EAxis can do no wrong, and everyone else's complaints about SecuROM are part of one vast pirating conspiracy.

ETA:

Quote
I'm going to install Mass Effect right now then uninstall it and continue to do so until it doesn't let me anymore. I'll let you know when that happens as well.

Mass Effect only allows three installs. Good luck wasting them, you dit.


Title: Re: MASSIVE SECURITY HAZARD in Spore!
Post by: J. M. Pescado on 2008 September 11, 00:40:24
Ass Defect has no online component of any worth, however, so even if he gets it locked out just to see how easy it is to do, he can just crack it.


Title: Re: MASSIVE SECURITY HAZARD in Spore!
Post by: Zazazu on 2008 September 11, 03:11:51
Same thing with Spore. There's really no reason to let Spore connect to the Internet. What, so you can get other people's stuff in your game? You can already do that by browsing the Sporepedia at the main site and saving the .pngs. And guess what? No penis creatures, unless you were specifically searching for that sort of thing.


Title: Re: MASSIVE SECURITY HAZARD in Spore!
Post by: Theo on 2008 September 12, 09:31:18
I'll keep you updated as to when the evil ROOTKIT COMPUTER VIRUS doesn't allow me to anymore.
[...] I'll also let you know when the evil BACKDOOR TROJAN doesn't allow me to back up my harddrive onto my backup HDDs.

* Hanlon's razor shreds hyperbole to bits.

Now, it appears that a serial key will only give you one Spore account, as stated in this article (http://consumerist.com/5048556/want-more-than-one-account-on-your-spore-game-buy-another-copy-sucker). And that instead of correcting it in a patch, EAxis intends to correct the manual that says otherwise (http://forum.spore.com/jforum/posts/list/103.page)! ::)

PS: Link craftily chosen for creature pic. ;)



Title: Re: MASSIVE SECURITY HAZARD in Spore!
Post by: Trubble on 2008 September 12, 11:48:48
I discovered that yesterday and was pretty annoyed. But I can always download content directly from the site I guess. Was it not the case with TS2 anyway, one account per serial? TS1 let you have more than one account. Those were the days...


Title: Re: MASSIVE SECURITY HAZARD in Spore!
Post by: Zazazu on 2008 September 12, 17:14:04
I'll keep you updated as to when the evil ROOTKIT COMPUTER VIRUS doesn't allow me to anymore.
[...] I'll also let you know when the evil BACKDOOR TROJAN doesn't allow me to back up my harddrive onto my backup HDDs.

* Hanlon's razor shreds hyperbole to bits.

Now, it appears that a serial key will only give you one Spore account, as stated in this article (http://consumerist.com/5048556/want-more-than-one-account-on-your-spore-game-buy-another-copy-sucker). And that instead of correcting it in a patch, EAxis intends to correct the manual that says otherwise (http://forum.spore.com/jforum/posts/list/103.page)! ::)

PS: Link craftily chosen for creature pic. ;)


Well, they are claiming the manual is a misprint and that the back of the game's box states there's only one account per copy. Which, if it was a mistake...fine. But this is not how you handle mistakes. You apologize, then you make it so that people can have multiple accounts with one copy of the software. I'd even say it was a fine solution if they wanted to charge a minimal fee ($5-$10) for an additional account. But no. They want you to pay another $50 and install the software twice. Nevermind that you can't really do that unless you have a second harddrive/computer, so what they are really saying is to pay them $50 and then pay $1,000 for a new computer.


Title: Re: MASSIVE SECURITY HAZARD in Spore!
Post by: Faizah on 2008 September 12, 22:23:38
What I don't get is, if it's $50 US ($60 Aus) for the game, why does it cost $99.95 Aus ($83 US) for the exact same thing over here? (The 'galactic edition' crap is even more expensive, $139 Aus/$116 US)


Title: Re: MASSIVE SECURITY HAZARD in Spore!
Post by: Alex on 2008 September 14, 12:53:28
Yes, I too long for the days where they con every country out of their money.


Title: Re: MASSIVE SECURITY HAZARD in Spore!
Post by: Zazazu on 2008 September 15, 16:00:04
Get "fixed" .exe through Gamecopyworld's link. Screw activating online content, you can download that directly from www.spore.com with 100% less chance of penis creatures.


Title: Re: MASSIVE SECURITY HAZARD in Spore!
Post by: EsotericPolarBear on 2008 September 15, 16:12:58
Not really spore related, but further evidence of EA's draconian control-freak behavior.  As you know (or may not), for Xbox live games, EA demands that they maintain their own servers that are not part of XBL.  As a result, the EA servers are periodically down...thanks to EA's stellar QA department. 

The real kicker:  When my brother and I got Mercenaries 2 to play on XBL, he couldn't connect to the EA servers.  XBL worked fine, but EA rejected his connection.  Why?


His Xbox system clock was off by three minutes.  Now, there was no indication that this was the problem, as the error message simply said "cannot connect"...and it took an hour on the phone with EA tech support (not counting hold time) to determine that the system clock being off was causing his xbox to be labelled as modded or cheating and therefore connection to the EA servers was rejected.


Title: Re: MASSIVE SECURITY HAZARD in Spore!
Post by: J. M. Pescado on 2008 September 17, 10:47:59
That is ridiculous. Why the fuck would they even *CARE* what time it is? Clearly this is some sort of weird nosy behavior practice, although why they would want to spy on your CLOCK is beyond me.


Title: Re: MASSIVE SECURITY HAZARD in Spore!
Post by: nekonoai on 2008 September 17, 12:32:07
Penis creatures?


Title: Re: MASSIVE SECURITY HAZARD in Spore!
Post by: jsalemi on 2008 September 17, 14:04:35
Yea, the 12's think it's funny to make Spore creatures that look like walking penises.


Title: Re: MASSIVE SECURITY HAZARD in Spore!
Post by: Zazazu on 2008 September 17, 15:23:29
Seriously, the day of creature creator release (http://www.xspore.com/news/488_spore-pp-creature.html). Check YouTube for "Spore penis".


Title: Re: MASSIVE SECURITY HAZARD in Spore!
Post by: EsotericPolarBear on 2008 October 07, 13:53:26
That is ridiculous. Why the fuck would they even *CARE* what time it is? Clearly this is some sort of weird nosy behavior practice, although why they would want to spy on your CLOCK is beyond me.

I'm assuming the thought process goes something like this:

XBL autoupdates time.
all Xboxes should share the same time.
any Xbox with a different time is modded, thus evil, thus a dirty dirty cheater, kill it! kill it with fire!

But that's just me guessing.


Title: Re: MASSIVE SECURITY HAZARD in Spore!
Post by: karthikthepro on 2008 October 07, 15:21:50
I've a question about this particular behavior of sporeapp.exe. When I used the SysInternals Process monitor, I can clearly see SporeApp.exe for some reason opening, reading, closing Norton Antivirus 2008's VIRSCAN7.DAT file. Attached is a log file of all accesses. I would need some clarification.

Is this some sort of unwanted security hazard of running Spore?

Regards,
Karthik
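
One way to triage a Process Monitor capture like the one described in the post above, as an added example that is not part of the original thread. It assumes the log was saved in Process Monitor's default CSV layout; the function names are hypothetical, and the install directory, antivirus path, PIDs and timestamps in the sample are constructed.

```python
import csv
import io
import re
from collections import Counter, defaultdict
from pathlib import PureWindowsPath

# Constructed sample in Process Monitor's default CSV export layout. Only the
# process name and VIRSCAN7.DAT come from the post; paths, PIDs, times are invented.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"3:21:50.1000000 PM","SporeApp.exe","4120","CreateFile","C:\Games\Spore\Data\example.package","SUCCESS","Desired Access: Generic Read, Disposition: Open"
"3:21:50.1000100 PM","SporeApp.exe","4120","RegOpenKey","HKLM\Software\Example","SUCCESS","Desired Access: Read"
"3:21:50.2000000 PM","SporeApp.exe","4120","CreateFile","C:\ExampleAV\VIRSCAN7.DAT","SUCCESS","Desired Access: Generic Read, Disposition: Open"
"3:21:50.2000100 PM","SporeApp.exe","4120","ReadFile","C:\ExampleAV\VIRSCAN7.DAT","SUCCESS","Offset: 0, Length: 4,096"
"3:21:50.2000200 PM","SporeApp.exe","4120","ReadFile","C:\ExampleAV\VIRSCAN7.DAT","SUCCESS","Offset: 4,096, Length: 4,096"
"3:21:50.2000300 PM","SporeApp.exe","4120","CloseFile","C:\ExampleAV\VIRSCAN7.DAT","SUCCESS",""
"3:21:50.3000000 PM","explorer.exe","1800","ReadFile","C:\ExampleAV\VIRSCAN7.DAT","SUCCESS","Offset: 0, Length: 512"
'''
FILE_OPS = {"CreateFile", "ReadFile", "WriteFile", "CloseFile"}

def is_under(path, root):
    """True if path is root or lies below it (Windows paths compare case-insensitively)."""
    p, r = PureWindowsPath(path), PureWindowsPath(root)
    return p == r or r in p.parents

def wants_write(row):
    """True for a WriteFile event or a CreateFile whose desired access includes write."""
    if row["Operation"] == "WriteFile":
        return True
    m = re.search(r"Desired Access: (.*?)(?:, Disposition:|$)", row["Detail"])
    return row["Operation"] == "CreateFile" and bool(m) and "write" in m.group(1).lower()

def foreign_accesses(csv_text, process, expected_roots):
    """Map each path outside expected_roots that `process` touched to its
    per-operation counts and whether write access was ever requested."""
    hits = defaultdict(lambda: {"ops": Counter(), "write": False})
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Process Name"].lower() != process.lower():
            continue
        if row["Operation"] not in FILE_OPS:
            continue  # registry, network and thread events are out of scope here
        if any(is_under(row["Path"], root) for root in expected_roots):
            continue
        entry = hits[row["Path"]]
        entry["ops"][row["Operation"]] += 1
        entry["write"] = entry["write"] or wants_write(row)
    return dict(hits)

if __name__ == "__main__":
    # For a real export, read it with open(path, encoding="utf-8-sig").read()
    for path, info in foreign_accesses(SAMPLE_CSV, "SporeApp.exe", [r"C:\Games\Spore"]).items():
        print(path, dict(info["ops"]), "write requested" if info["write"] else "read-only")
```

The read-only versus write-requested split is the first thing to check in a capture like this: a process that only opens, reads and closes another product's data file is a different finding from one that asks for write access to it.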


Title: Re: MASSIVE SECURITY HAZARD in Spore!
Post by: Milhouse Trixibelle Saltfucker III on 2008 October 10, 13:00:13
I don't have an answer, but I have a suggestion: Don't use Norton. It's terrible.