More Awesome Than You!
Welcome, Guest. Please login or register.
2024 March 29, 12:44:16

Login with username, password and session length
Search:     Advanced search
540270 Posts in 18066 Topics by 6511 Members
Latest Member: zheng
* Home Help Search Login Register
+  More Awesome Than You!
|-+  Serious Business
| |-+  Secret Desert Headquarters
| | |-+  Spore Discussions
| | | |-+  MASSIVE SECURITY HAZARD in Spore!
0 Members and 1 Chinese Bot are viewing this topic. « previous next »
Pages: 1 [2] 3 4 ... 6 THANKS THIS IS GREAT Print
Author Topic: MASSIVE SECURITY HAZARD in Spore!  (Read 95662 times)
BastDawn
Retarded Reprobate
****
Posts: 1355


I'll stop by to read Awesomeland once in a while.


View Profile WWW
Re: MASSIVE SECURITY HAZARD in Spore!
« Reply #25 on: 2008 June 20, 03:59:52 »
THANKS THIS IS GREAT

True.  I can't imagine anyone other than a troll bothering.
« Last Edit: 2008 June 20, 04:15:10 by BastDawn » Logged

wes_h
Knuckleheaded Knob
**
Posts: 530


Lady on Rancho Como


View Profile
Re: MASSIVE SECURITY HAZARD in Spore!
« Reply #26 on: 2008 June 20, 04:17:10 »
THANKS THIS IS GREAT

I have been looking deeply into the very soul of these files. Smiley

I do not doubt that the program "phones home" when installed, that was foretold. I will trust others efforts to prove it was SecuRom that did it, that was foretold.

The creature data itself is inserted into .package files, in the new DBPF V2. The decompression code Dizzy wrote for the extract program (in the bowels), with minor modifications to the source, works on the compressed parts, although I have an all new parser for the V2 files. My thanks to Dizzy for the posting the source.

The main part of the creature data itself is an xml 1.0 file, uncompressed about 30K (my example critter). In the packages is/are sections(s) with the username and creature name, in unicode. While one user is hardly proof, the user name in there is the user name part of the account (sans the email domain) I made at the Spore site.

So I believe that when creatures are "published" the data uploaded includes the user name from the account, and the creature name, and that when the small PNG file is dropped onto the application by a different user, the data for the creature is downloaded and inserted into a package file, together with other creatures. That downloaded data includes the user name, compressed with the same 'QFS' method used on The Sims 2.

So I disagree with the "massive security leak" part. The rest of the issues about working with the program online and unblocked by a firewall are certainly valid points for people to watch, especially with installations that were not done with "gen-u-wine EA advantage" materials.
Logged
J. M. Pescado
Fat Obstreperous Jerk
El Presidente
*****
Posts: 26281



View Profile
Re: MASSIVE SECURITY HAZARD in Spore!
« Reply #27 on: 2008 June 20, 04:46:00 »
THANKS THIS IS GREAT

The creature data itself is inserted into .package files, in the new DBPF V2.
It looks to me that the creature data is encoded into the PNG, and no .package files are involved. Are you looking at the right thing?

The main part of the creature data itself is an xml 1.0 file, uncompressed about 30K (my example critter). In the packages is/are sections(s) with the username and creature name, in unicode. While one user is hardly proof, the user name in there is the user name part of the account (sans the email domain) I made at the Spore site.
Where's this information? I scanned the PNG file and it appears to not be there, meaning it has been encrypted to be unrecognizeable.

So I disagree with the "massive security leak" part. The rest of the issues about working with the program online and unblocked by a firewall are certainly valid points for people to watch, especially with installations that were not done with "gen-u-wine EA advantage" materials.
There's one fundamental flaw with your belief: It is not negative. Because it is not negative, it must be incorrect.
Logged

Grant me the serenity to accept the things I cannot change, the courage to change the things I cannot accept, and the wisdom to hide the bodies of those I had to kill because they pissed me off.
Zazazu
Fuzzy Pumpkin
Whiny Wussy
*****
Posts: 8583


Potiron flou


View Profile
Re: MASSIVE SECURITY HAZARD in Spore!
« Reply #28 on: 2008 June 20, 04:54:24 »
THANKS THIS IS GREAT

True.  I can't imagine anyone other than a troll bothering.
Bastdawn, is your account named "Ibis"?

The reason I ask is because I downloaded your .png you shared in the RL thread. That's what comes up in the creator name for me. Now, if that's not your account's name, that's very interesting, and suggests that it's something to do with EA pulling information when you transmit the files to them that's adding your name.
Logged

Capitalism, Ho!
"Continue to beat it in masturbatory ecstasy if you like, but only Pescado can make it go away." - Lemmiwinks
My Urinal
wes_h
Knuckleheaded Knob
**
Posts: 530


Lady on Rancho Como


View Profile
Re: MASSIVE SECURITY HAZARD in Spore!
« Reply #29 on: 2008 June 20, 05:07:14 »
THANKS THIS IS GREAT

I have seen and accessed creatures from other users, so I know the process and have some of the files. I am of the belief the creature is downloaded separately after the picture is dropped on the application, but the data does compress well, WinRar got it down to 3K from 30K, so it could be incorporated in the PNG file. I don't have anything to parse a PNG file with here to separate the pixel data from any other.

Regardless of what is in the PNG file, after whatever download process the data is placed in .package files in your user directory. This is where I am viewing the data, and where the program accesses it from, after decompressing it.

Anyway, enjoy your morning, old grouchy-grouch.
Logged
J. M. Pescado
Fat Obstreperous Jerk
El Presidente
*****
Posts: 26281



View Profile
Re: MASSIVE SECURITY HAZARD in Spore!
« Reply #30 on: 2008 June 20, 06:03:26 »
THANKS THIS IS GREAT

I have seen and accessed creatures from other users, so I know the process and have some of the files. I am of the belief the creature is downloaded separately after the picture is dropped on the application, but the data does compress well, WinRar got it down to 3K from 30K, so it could be incorporated in the PNG file.
This does not match empirical evidence, that it was possible to get BastDawn's stuff simply by rightclicking and save-as'ing her PNG.

Regardless of what is in the PNG file, after whatever download process the data is placed in .package files in your user directory. This is where I am viewing the data, and where the program accesses it from, after decompressing it.
There are no .package files in my user directory. The only .packages are the CSA packages in the data directory of the main install.
Logged

Grant me the serenity to accept the things I cannot change, the courage to change the things I cannot accept, and the wisdom to hide the bodies of those I had to kill because they pissed me off.
BastDawn
Retarded Reprobate
****
Posts: 1355


I'll stop by to read Awesomeland once in a while.


View Profile WWW
Re: MASSIVE SECURITY HAZARD in Spore!
« Reply #31 on: 2008 June 20, 07:50:02 »
THANKS THIS IS GREAT

Yes, my computer is named Ibis.  And I do not allow any programs access to the internet without permission from my firewall, including Spore Creature Creator, so the data in the critters I posted did not go to the Spore site at all.  I have also successfully downloaded critters from non-Spore sites (like MATY) and placed them in the game, again without allowing SCC to connect.  Last night I picked up a few using my other computer, which is a crappy ME box that can't even run SCC, and transfered them over my network.

My computer is set up on a home network, where the administrator name is not identical to the nickname the computer is given to identify it to other computers on the network.  This means that I can change my computer's name at will, so I'm not as worried about the security breach.  That doesn't mean I'm not irritated, of course.   Angry
Logged

Emma
Goopy Lover
Dead Member
*
Posts: 6109


All Pescados Suck.


View Profile WWW
Re: MASSIVE SECURITY HAZARD in Spore!
« Reply #32 on: 2008 June 20, 08:00:30 »
THANKS THIS IS GREAT

Yeah. Do not want Spore. Not sharing creatures either Cheesy I'm having great fun making them (and my kids are) but we are just making snapshots and printscreens of our stuff.
Logged

J. M. Pescado
Fat Obstreperous Jerk
El Presidente
*****
Posts: 26281



View Profile
Re: MASSIVE SECURITY HAZARD in Spore!
« Reply #33 on: 2008 June 20, 08:13:59 »
THANKS THIS IS GREAT

Death to EMMA.
Logged

Grant me the serenity to accept the things I cannot change, the courage to change the things I cannot accept, and the wisdom to hide the bodies of those I had to kill because they pissed me off.
Emma
Goopy Lover
Dead Member
*
Posts: 6109


All Pescados Suck.


View Profile WWW
Re: MASSIVE SECURITY HAZARD in Spore!
« Reply #34 on: 2008 June 20, 08:15:54 »
THANKS THIS IS GREAT

*Emma moons Pescado
Logged

Mirelly
Pinheaded Pissant
***
Posts: 1037


Pompous Twitter


View Profile WWW
Re: MASSIVE SECURITY HAZARD in Spore!
« Reply #35 on: 2008 June 20, 08:35:58 »
THANKS THIS IS GREAT

Meh. Not sure how anyone knowing that I am known as Mirelly is dangerous to me, but lacking total awesomeness I bow to those more paranoid that me.

I have tried out the critter maker -- the free one -- and I have to say that it is rather disappointing. It is extremely limited and, a lot like TS2, there is no real scope for making creatures which are genuinely different from each other. The differences (component parts like insectile mandibles versus crocodilian jaws) are insufficiently numerous and versatile to make a toolbox with which one craft one's imagination. A Pierson's Puppeteer has proved to be impossible; I had to put the mouth on the body ... I put it at the back so it could blow raspberries at its enemies as it kicks out their hearts with its hefty hind leg.

I was never sold on the idea of a PacmanPopulousCivilizationMaster_of_Orion chimera, so the critter builder was always going to be the USP for me. It has phail.

Logged

me shit
Wayward Ink now with SMF shiny and no ads
I see the Dome is filled with Lamb Chop conspiracy theories. The only authentic Mirelly sock is "readordead", who will not be posting, for obvious reasons.
BastDawn
Retarded Reprobate
****
Posts: 1355


I'll stop by to read Awesomeland once in a while.


View Profile WWW
Re: MASSIVE SECURITY HAZARD in Spore!
« Reply #36 on: 2008 June 20, 08:36:45 »
THANKS THIS IS GREAT

Well, here's some good news.  Once you change your computer name, Spore Creature Creator continues to use the old name.  I just changed my computer name to something else, reset, confirmed my old shortcuts to this computer no longer work, and then ran SCC and made a new thing from scratch.  The new thing is still using "Ibis".

Here's how to rename your XP computer:

1. Right-click on the My Computer desktop icon, then left-click on Properties.
* If you do not have that icon on the desktop:
  a. Left-click on Start > Control Panel
  b. Double left-click on the System icon (if you don't see it, select "Switch to Classic View" on the left-hand side of the window first).

2. Select the "Computer name" tab, then type a new name

3. Select the Change button, type the new name again in the "Computer name" field, and select OK.  Windows will prompt: "You must restart this computer before these changes will take effect."

4. Shut down and restart your PC normally.


EDIT: 
Damn.  Pescado's right: changing the computer's name on the network doesn't change the login name; it's merely cosmetic.  That means sharing creatures is generally a bad idea.   Sad 

I like sharing.  Tell me, Pescado, just how serious a threat is it, if the name is something like "Ibis" that has nothing to do with my real identity or interests?
« Last Edit: 2008 June 20, 10:43:15 by BastDawn » Logged

J. M. Pescado
Fat Obstreperous Jerk
El Presidente
*****
Posts: 26281



View Profile
Re: MASSIVE SECURITY HAZARD in Spore!
« Reply #37 on: 2008 June 20, 10:31:31 »
THANKS THIS IS GREAT

That is because it is not using your Computer Name, it is using your computer USERNAME. Do you login as "Ibis"? If so, that's what it's using. Changing your computer name won't fix this.
Logged

Grant me the serenity to accept the things I cannot change, the courage to change the things I cannot accept, and the wisdom to hide the bodies of those I had to kill because they pissed me off.
Emma
Goopy Lover
Dead Member
*
Posts: 6109


All Pescados Suck.


View Profile WWW
Re: MASSIVE SECURITY HAZARD in Spore!
« Reply #38 on: 2008 June 20, 11:36:48 »
THANKS THIS IS GREAT

I just created 2 creatures, one offline and one online. The offline one shows my pc username (surprisingly, Emma) and the online one shows my Spore login name. So which one is the dangerous one? Both?
Logged

J. M. Pescado
Fat Obstreperous Jerk
El Presidente
*****
Posts: 26281



View Profile
Re: MASSIVE SECURITY HAZARD in Spore!
« Reply #39 on: 2008 June 20, 12:14:28 »
THANKS THIS IS GREAT

In your case? Probably none of them, since we already know you are EMMA. Death to EMMA!
Logged

Grant me the serenity to accept the things I cannot change, the courage to change the things I cannot accept, and the wisdom to hide the bodies of those I had to kill because they pissed me off.
Emma
Goopy Lover
Dead Member
*
Posts: 6109


All Pescados Suck.


View Profile WWW
Re: MASSIVE SECURITY HAZARD in Spore!
« Reply #40 on: 2008 June 20, 12:32:53 »
THANKS THIS IS GREAT

Oh, so it is only ninjas who should be worried then Cheesy
Logged

wes_h
Knuckleheaded Knob
**
Posts: 530


Lady on Rancho Como


View Profile
Re: MASSIVE SECURITY HAZARD in Spore!
« Reply #41 on: 2008 June 20, 14:07:01 »
THANKS THIS IS GREAT

There are no .package files in my user directory. The only .packages are the CSA packages in the data directory of the main install.
Try looking in C:{username}\AppData\Roaming\Spore Creature Creator\ (that's for Vista). In XP it should be something like Application Data, but I have no install here on XP at this time. By default, the app data folder is hidden in both XP and Vista (Microsoft calls it a system folder, and says you could damage your system).

The other directory in User Data, in Documents\My Spore Creations, just contains pictures and videos you make.
Logged
Obsidian
Asinine Airhead

Posts: 21


View Profile
Re: MASSIVE SECURITY HAZARD in Spore!
« Reply #42 on: 2008 June 20, 17:29:14 »
THANKS THIS IS GREAT

After the whole SecuROM fiasco, I expected something like this would happen. That's the reason I've not uploaded any creature I've created onto the internet, and also set my firewall to block the Spore Creature Creator from communicating with the internet at all.

Stupid EAxis.
Logged
wes_h
Knuckleheaded Knob
**
Posts: 530


Lady on Rancho Como


View Profile
Re: MASSIVE SECURITY HAZARD in Spore!
« Reply #43 on: 2008 June 20, 18:52:35 »
THANKS THIS IS GREAT

I have examined the PNG image files that appear publicly on Sporepedia.

The PNG format allows non-standard chunks to be inserted in a file, but I find only image data in them. Interestingly enough, when you load one into Paint Shop Pro and save it under a different name, the resulting file is actually larger than the one downloaded from Sporepedia. Clearly, there is no room for 3K of creature data in there, unless they have much beter compression than WinRar.

I still think a download of creature data happens after the image is dropped on the CC.
Logged
Insanity Prelude
Juvenile Jackass
**
Posts: 488


View Profile
Re: MASSIVE SECURITY HAZARD in Spore!
« Reply #44 on: 2008 June 20, 18:54:32 »
THANKS THIS IS GREAT

I'd been so looking forward to this game... but if this is true, I don't dare.  Cry Bugger EA.
Logged
BastDawn
Retarded Reprobate
****
Posts: 1355


I'll stop by to read Awesomeland once in a while.


View Profile WWW
Re: MASSIVE SECURITY HAZARD in Spore!
« Reply #45 on: 2008 June 20, 22:19:44 »
THANKS THIS IS GREAT

Wes_h, procedural generation doesn't work that way.  The code to generate the creature is tiny, small enough to be held in a little 25kb png.  When put into the game, the data then creates the polygons and textures from a formula.  Check out this article:

http://www.joystiq.com/2006/07/12/procedural-synthesis-gamings-fountain-of-youth/
Logged

J. M. Pescado
Fat Obstreperous Jerk
El Presidente
*****
Posts: 26281



View Profile
Re: MASSIVE SECURITY HAZARD in Spore!
« Reply #46 on: 2008 June 21, 03:57:11 »
THANKS THIS IS GREAT

Wes_h, procedural generation doesn't work that way.  The code to generate the creature is tiny, small enough to be held in a little 25kb png.
That's not what Wes_h is saying. Wes_h is saying that he cannot find any nonstandard data chunks which would represent the tiny creature data.

The PNG format allows non-standard chunks to be inserted in a file, but I find only image data in them. Interestingly enough, when you load one into Paint Shop Pro and save it under a different name, the resulting file is actually larger than the one downloaded from Sporepedia. Clearly, there is no room for 3K of creature data in there, unless they have much beter compression than WinRar.
There are no data chunks which are not image data? Does a re-saved image function as a critter anymore, or is the critter data destroyed by this process? If you cannot find any custom data chunks inside the file, then it is likely that the creature data is steganographically encoded into the image data rather than using nonstandard PNG chunks.

I still think a download of creature data happens after the image is dropped on the CC.
Impossible, because otherwise I would not have been able to get BastDawn's flower-creatures by downloading the image from a Botophucket. Downloading could not happen because the Creator is not permitted access to the Internets.
Logged

Grant me the serenity to accept the things I cannot change, the courage to change the things I cannot accept, and the wisdom to hide the bodies of those I had to kill because they pissed me off.
BastDawn
Retarded Reprobate
****
Posts: 1355


I'll stop by to read Awesomeland once in a while.


View Profile WWW
Re: MASSIVE SECURITY HAZARD in Spore!
« Reply #47 on: 2008 June 21, 05:12:27 »
THANKS THIS IS GREAT

Wes_h, procedural generation doesn't work that way.  The code to generate the creature is tiny, small enough to be held in a little 25kb png.
That's not what Wes_h is saying. Wes_h is saying that he cannot find any nonstandard data chunks which would represent the tiny creature data.

I acknowledge my misunderstanding.  But still: here's what a spore creature png looks like after all the layers are merged and everything pure white (#FFFFFF) is colored hot pink.  I enlarged the image by 300% for clarity, using "pixel resize" to prevent blurring the edges.



You can clearly see that the background is not solid white.  The merged image is pixelated with the color #FEFEFE.  It's binary.

Interestingly enough, when you load one into Paint Shop Pro and save it under a different name, the resulting file is actually larger than the one downloaded from Sporepedia. Clearly, there is no room for 3K of creature data in there, unless they have much beter compression than WinRar.

You're doing it wrong.  What settings are you using?  I just tried it and saving the same file under a different name made the image 1kb smaller, not bigger.  Then I did it again with a different creature, only I removed all the pixelation in the alpha channel and then saved it without changing the file name.  It went from 26kb to 15kb, suggesting that it takes 11kb of data to generate my creature.  However, doing that did NOT remove the creature from my game, so the change in the package file you're seeing must be the game storing the data generated from the png.  I'm unpleasantly reminded of the errors with the first FreeTime patch -- if it's ever necessary to patch Spore, we'd better have kept all of our png files.
« Last Edit: 2008 June 21, 05:21:31 by BastDawn » Logged

BastDawn
Retarded Reprobate
****
Posts: 1355


I'll stop by to read Awesomeland once in a while.


View Profile WWW
Re: MASSIVE SECURITY HAZARD in Spore!
« Reply #48 on: 2008 June 21, 07:01:58 »
THANKS THIS IS GREAT

Okay, now I've managed to changed my computer's login name.  It's easy, too.  Just go to Start --> Settings --> Control Panel and open up User Accounts.  From there I clicked on the profile name and followed the prompts.  I log on and off using the new name, and the old name only exists as a file folder in C:\Documents and Settings, which did not create a new folder for the changed name.  Then I made a new creature, and it still uses the Ibis name.  Pescado, am I doing it right now?
Logged

J. M. Pescado
Fat Obstreperous Jerk
El Presidente
*****
Posts: 26281



View Profile
Re: MASSIVE SECURITY HAZARD in Spore!
« Reply #49 on: 2008 June 21, 07:07:42 »
THANKS THIS IS GREAT

Then I made a new creature, and it still uses the Ibis name.  Pescado, am I doing it right now?
Well, the username change procedure was performed correctly, but evidently Splotch does not recognize it. Did you try rebooting?
Logged

Grant me the serenity to accept the things I cannot change, the courage to change the things I cannot accept, and the wisdom to hide the bodies of those I had to kill because they pissed me off.
Pages: 1 [2] 3 4 ... 6 Print 
« previous next »
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.21 | SMF © 2015, Simple Machines Valid XHTML 1.0! Valid CSS!
Page created in 0.074 seconds with 20 queries.