More Awesome Than You!
Author Topic: MASSIVE SECURITY HAZARD in Spore!  (Read 95649 times)
J. M. Pescado
Fat Obstreperous Jerk
El Presidente
*****
Posts: 26281



MASSIVE SECURITY HAZARD in Spore!
« on: 2008 June 19, 11:29:26 »

ACHTUNG!

As if SecuROM wasn't bad enough, there is also a MASSIVE SECURITY LEAK in Spore: If you EVER share ANY content with ANYONE, be warned that YOUR COMPUTER USERNAME is ENCRYPTED INTO THE CREATURE "IMAGE" FILE. YOU WILL NOT BE ABLE TO REMOVE THIS INFORMATION BY HEXING! This means that ANYONE who downloads it will know what your username is on your computer.

This represents a MASSIVE security breach because many people (foolishly) encode their real names into their Windoze username. Even if you don't, revealing this username to the world presents a point of vulnerability for attack by hackers. By sharing any Spore content ANYWHERE, you are leaving your computer open to attack and leaving yourself open to stalking and identity theft.

BEWARE!
Logged

Grant me the serenity to accept the things I cannot change, the courage to change the things I cannot accept, and the wisdom to hide the bodies of those I had to kill because they pissed me off.
nekonoai
Weeaboo
Retarded Reprobate
****
Posts: 1448


Hell yeah.


Re: MASSIVE SECURITY HAZARD in Spore!
« Reply #1 on: 2008 June 19, 15:08:15 »

If this isn't a good enough reason to boycott Spore, I don't know what is. Granted, I don't use any semblance of my real name or any identity attached as such. I don't even use nekonoai for my computer names. They have interesting names based on their personalities.

What was wrong with using random numbers to identify who is uploading what? Or even a login name for the Spore sharing site? Wouldn't that have made more sense?

Oh, wait, this is EAxis. Sense goes out the window.  Roll Eyes
Logged
Simsbaby
Pinheaded Pissant
***
Posts: 1062


INTP - I didn't do it.


Re: MASSIVE SECURITY HAZARD in Spore!
« Reply #2 on: 2008 June 19, 15:12:19 »

Well, this is just stupid. Would it be safe if I made a new account on my computer and named it after my user name here?
Logged

Remember - a bimbo is for life and not just for christmas!
Zazazu
Fuzzy Pumpkin
Whiny Wussy
*****
Posts: 8583


Potiron flou


Re: MASSIVE SECURITY HAZARD in Spore!
« Reply #3 on: 2008 June 19, 15:56:29 »

Quote from: nekonoai
If this isn't a good enough reason to boycott Spore, I don't know what is. Granted, I don't use any semblance of my real name or any identity attached as such. I don't even use nekonoai for my computer names. They have interesting names based on their personalities.

What about your account? I believe what Pes is saying is that it's the account name that shows, not the PC's name. I know all mine say "Kari" despite the fact that I never told Spore my name. The PC is named Addison.

A login name would have made infinite sense. Obviously, it could not be the correct solution.
Logged

Capitalism, Ho!
"Continue to beat it in masturbatory ecstasy if you like, but only Pescado can make it go away." - Lemmiwinks
My Urinal
Count
jolrei
Senator
*
Posts: 6420


Son of Perdition


Re: MASSIVE SECURITY HAZARD in Spore!
« Reply #4 on: 2008 June 19, 16:06:52 »

Quote from: Zazazu
A login name would have made infinite sense. Obviously, it could not be the correct solution.

I am not even slightly surprised by this.  A corporation as terminally obsessed with copy-protection, fighting teh pierassy, and being suspicious of their customers will naturally choose any procedure that allows them to gather as much personal information as possible from the users of their products.  This is a natural extension of normal EAxis paranoia.
Logged


Tribulatio proxima est
BastDawn
Retarded Reprobate
****
Posts: 1355


I'll stop by to read Awesomeland once in a while.


Re: MASSIVE SECURITY HAZARD in Spore!
« Reply #5 on: 2008 June 19, 16:16:55 »

Man, that's really stupid.  But honestly, EA didn't prevent this because they don't care.  Why should they?  Proving liability would be very difficult, so they don't have to worry about the repercussions.   Angry
Logged

nekonoai
Weeaboo
Retarded Reprobate
****
Posts: 1448


Hell yeah.


Re: MASSIVE SECURITY HAZARD in Spore!
« Reply #6 on: 2008 June 19, 16:24:59 »

Quote from: Zazazu
Quote from: nekonoai
If this isn't a good enough reason to boycott Spore, I don't know what is. Granted, I don't use any semblance of my real name or any identity attached as such. I don't even use nekonoai for my computer names. They have interesting names based on their personalities.
What about your account? I believe what Pes is saying is that it's the account name that shows, not the PC's name.

My accounts are also having nothing to do with my name or any online handles. Generally, since I'm the only one who ever uses my computers (UNDER PAIN OF DEATH!), the account has the same name as the computer.
Logged
Kraken
Asinine Airhead

Posts: 23



Re: MASSIVE SECURITY HAZARD in Spore!
« Reply #7 on: 2008 June 19, 16:45:42 »

First secuROM and now this!  Thanks to the most awesome for finding this out and giving the alert.

Has anyone informed the sheep on the Sims/Spore website yet?

Logged
Lord Vader
Asinine Airhead

Posts: 6


Re: MASSIVE SECURITY HAZARD in Spore!
« Reply #8 on: 2008 June 19, 18:06:35 »

Hmm good thing I'm not buying the game. Looks like a stupid concept to me anyway. I don't know why there's so much hype for it.
Logged
Count
jolrei
Senator
*
Posts: 6420


Son of Perdition


Re: MASSIVE SECURITY HAZARD in Spore!
« Reply #9 on: 2008 June 19, 18:22:25 »

Quote from: Lord Vader
Hmm good thing I'm not buying the game. Looks like a stupid concept to me anyway. I don't know why there's so much hype for it.

* jolrei gets popcorn and settles in to watch the fur fly.

You know that quite a number of MATY folks appear to be interested in this game, do you?  And you've just called their new interest stupid.  I think you may become quite "popular", in a manner of speaking.
Logged


Tribulatio proxima est
Baronetess
Lorelei
Grammar Police
*
Posts: 6512


I like pie. A cake is fine, too.


Re: MASSIVE SECURITY HAZARD in Spore!
« Reply #10 on: 2008 June 19, 21:12:53 »

Quote from: jolrei
Quote from: Lord Vader
Hmm good thing I'm not buying the game. Looks like a stupid concept to me anyway. I don't know why there's so much hype for it.

* jolrei gets popcorn and settles in to watch the fur fly.

You know that quite a number of MATY folks appear to be interested in this game, do you?  And you've just called their new interest stupid.  I think you may become quite "popular", in a manner of speaking.

Only with butthurt F-types who think someone expressing disagreement about a subject is equivalent to them saying "I hate you and you are stupid."

Ts could not care less about some random forumdweller's negative opinion if they have decided that they are interested in something.

Also? I DO NOT WANT Spore, either.
Logged


Super INTJ.    MATY's Big Cat.    LOLcult.   Pescado: Like the ancient Egyptians, the Internet worships cats.
lordrichter
Dimwitted Dunce
*
Posts: 190



Re: MASSIVE SECURITY HAZARD in Spore!
« Reply #11 on: 2008 June 19, 21:19:52 »

This does not make sense.  Why store the user name? What good does that do?  It is hardly unique across all installations, even if someone is silly enough to use a real name.  So, it can't be for tracking outside of the PC... at least, not by itself.  The only purpose would be to establish ownership of creatures built by different players on the same PC, each with a different ID.  Is there something about Spore where anyone would care?

I worry that time will tell us that they store more than the user name... either something obvious like the IP address or something less obvious like a system identifying fingerprint.

Logged

Danger: Chaotic Neutral Human Wizard, 4th Level
Tchan
Little Bitch
Feckless Fool
*
Posts: 251


Re: MASSIVE SECURITY HAZARD in Spore!
« Reply #12 on: 2008 June 19, 21:22:50 »

Mine's called "Administrator". I don't think you can tell anything about me from it. Smiley Though I'm quite grateful that it wouldn't let me rename it now. Very grateful.
Logged
MaryH
Garrulous Gimp
**
Posts: 309


I can haz Polar Bearz


Re: MASSIVE SECURITY HAZARD in Spore!
« Reply #13 on: 2008 June 19, 22:20:42 »

Quote from: Kraken
First secuROM and now this!  Thanks to the most awesome for finding this out and giving the alert.

Has anyone informed the sheep on the Sims/Spore website yet?



Nobody on the Sims site will believe this, because it comes from the blazing hell that is "pirate city". They will believe exactly what EA wants them to believe, and will buy the demo, the game and anything else that EA puts out with SecuRom on it because EA says it's all good.
You don't want to open the can of worms - because you'll get banned or banished to the tech area of the BBS. EA has been doing that for a while now - if they see any truth, they will hide it, or delete it.
Logged

Of all the things I've lost, I miss my mind the most.
Faizah
Lipless Loser
***
Posts: 692


INFP/INTJ


Re: MASSIVE SECURITY HAZARD in Spore!
« Reply #14 on: 2008 June 19, 22:26:21 »

As I am getting a new PC, what is my safest option here? Fake name, second non-admin account for Spore (with fake name), just not share, or what? I'm afraid simply not installing it isn't an option. I want to make creatures! I'll be honest, that's what got me into the Geneforge series of games, which are awesome, but Spore is probably closer to what I was looking for. Though I am quite fond of the RPG nature and storylines of the Geneforge games as well, which I highly doubt Spore can match. (Even the third game, with all that stupid annoying island hopping. If I never see another dock again, it'll be too soon!)

...

I think I have to make a Fyora now, once I've got my new PC set up. (They said 2-3 days, and it's day 3...)
Logged

wes_h
Knuckleheaded Knob
**
Posts: 530


Lady on Rancho Como


Re: MASSIVE SECURITY HAZARD in Spore!
« Reply #15 on: 2008 June 19, 23:13:46 »

Quote from: J. M. Pescado
As if SecuROM wasn't bad enough, there is also a MASSIVE SECURITY LEAK in Spore: If you EVER share ANY content with ANYONE, be warned that YOUR COMPUTER USERNAME is ENCRYPTED INTO THE CREATURE "IMAGE" FILE.

Are you lobbing dud grenades again?
I see the username that was used on the spore site registration, which is about as secret and useful as "J. M. Pescado" is.
And encrypted is more correctly labelled compressed, with the same 0x10FB compression as used in The Sims 2 and the compressorizer.

Paranoia is a useful survival trait, but if you don't want to get bombarded with gamma rays, you can't lay out at the beach.
Logged
J. M. Pescado
Fat Obstreperous Jerk
El Presidente
*****
Posts: 26281



Re: MASSIVE SECURITY HAZARD in Spore!
« Reply #16 on: 2008 June 19, 23:44:54 »

Quote from: wes_h
I see the username that was used on the spore site registration, which is about as secret and useful as "J. M. Pescado" is.

That is not what others are reporting. Also, the username is displayed before there even IS a registration. Given that not all users are registered and no input is solicited, this means your username is still being displayed to the world.
Logged

Grant me the serenity to accept the things I cannot change, the courage to change the things I cannot accept, and the wisdom to hide the bodies of those I had to kill because they pissed me off.
morriganrant
Terrible Twerp
****
Posts: 2382



Re: MASSIVE SECURITY HAZARD in Spore!
« Reply #17 on: 2008 June 19, 23:59:06 »

Trial says admin as my user title on my creatures. Never bothered to change it. I suppose if I got an account, then it would say the username I would register with.
Logged

One day in college I was feeling very stupid. So I drove with Ben down to Maitland and toured EA Tiburon for an hour as an 'honorary intern'. I left feeling MUCH smarter. I recommend the experience to everyone.  -this is a quote from an Ex-boyfriend of mine..
http://www.mediafire.com/?ng20de0zmly
lordrichter
Dimwitted Dunce
*
Posts: 190



Re: MASSIVE SECURITY HAZARD in Spore!
« Reply #18 on: 2008 June 20, 00:11:45 »

What is the preferred method of extracting the creature data from the PNG file so that it can be examined?
Logged

Danger: Chaotic Neutral Human Wizard, 4th Level
jfade
Obtuse Oaf
***
Posts: 904


Esteemed Senator Emeritus


Re: MASSIVE SECURITY HAZARD in Spore!
« Reply #19 on: 2008 June 20, 00:50:02 »

Quote from: lordrichter
What is the preferred method of extracting the creature data from the PNG file so that it can be examined?

There is none, yet.

And there probably won't be any, if EA has their say. EA doesn't seem too keen on modders touching this game:

Quote from: EULA
You may not further modify Spore Creatures with any other materials, tools, or software programs. All rights not expressly granted herein, are reserved by EA.
Logged


Nifty Sims hacks and programs at: DJS Sims
wes_h
Knuckleheaded Knob
**
Posts: 530


Lady on Rancho Como


Re: MASSIVE SECURITY HAZARD in Spore!
« Reply #20 on: 2008 June 20, 01:02:14 »

Quote from: lordrichter
What is the preferred method of extracting the creature data from the PNG file so that it can be examined?

The PNG file is just a picture, so the CC has to be using the filename to trigger a download.

As for extracting things, I have enough information gathered to split the DBPF V2 package files into component parts with a commandline tool. Ugly but effective. I am trying to leverage the dead Dizzy's decompression code in the dead "simpemustbedestroyed" tools to complete my file splitter.

Then I can try to determine what these part pieces are used for (except the PNG parts, I already know what they are). My findings are posted at my place.

And no Spore Creature Creator programs have been, or need be, reverse engineered to determine the .package file layout.
Logged
lordrichter
Dimwitted Dunce
*
Posts: 190



Re: MASSIVE SECURITY HAZARD in Spore!
« Reply #21 on: 2008 June 20, 02:17:51 »

Got it.  The only reason that we know that the user account name is being stored in the creature data inside the PNG file is that CC displays this information when showing the saved creatures.  However, we don't know what other data may be tucked away in the PNG file that might identify the system that it came from because we really don't have a good way to extract and decode the data... yet.  Although, it looks like people are working on the extraction tools already.

Edit: I can see why EA would not want the creatures edited.  Already, I am seeing people talking about crafting creature files that have a picture that is entirely different from the creature contained in it.  Looking at what they likely store in these creature files, I am not certain that editing them would be useful anyway.  There is not enough room in the creature PNG file to do more than store building block reference and connection information.  The creatures have to be built from a known library of parts.  That, in itself, sounds like something that could well be unfriendly to third party creations.
Logged

Danger: Chaotic Neutral Human Wizard, 4th Level
J. M. Pescado
Fat Obstreperous Jerk
El Presidente
*****
Posts: 26281



Re: MASSIVE SECURITY HAZARD in Spore!
« Reply #22 on: 2008 June 20, 03:41:45 »

It looks like the creature data is stored inside custom blocks accepted as part of the PNG spec, thus allowing foreign data to be bundled inside a PNG which will be ignored (and possibly shredded) by other graphics-editor tools. However, the data appears to be unreadable as a cursory glance in a hex editor reveals nothing, not even the strings, so it looks like it's encrypted in some way to prevent modification.
Logged

Grant me the serenity to accept the things I cannot change, the courage to change the things I cannot accept, and the wisdom to hide the bodies of those I had to kill because they pissed me off.
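
One way to test the "custom blocks" claim in the post above against a file before sharing it, as an added example that is not part of the original thread: it walks a PNG's chunks, reports every chunk type the PNG specification does not define, and looks for readable strings inside each. The sample file and its chunk names `crTr` and `crTz` are constructed and hypothetical; nothing here assumes Spore's actual layout.

```python
import re
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Chunk types defined by the PNG specification; anything else is application data.
STANDARD = {b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"gAMA", b"cHRM",
            b"sRGB", b"iCCP", b"tEXt", b"zTXt", b"iTXt", b"bKGD", b"pHYs",
            b"sBIT", b"hIST", b"tIME", b"sPLT"}

def walk_chunks(png):
    """Yield (type, data, crc_ok, end_offset) for each chunk of a PNG byte string."""
    if png[:8] != PNG_SIG:
        raise ValueError("not a PNG file")
    pos = 8
    while pos + 12 <= len(png):
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        end = pos + 12 + length
        if end > len(png):
            raise ValueError("truncated chunk")
        data = png[pos + 8:end - 4]
        (crc,) = struct.unpack(">I", png[end - 4:end])
        yield ctype, data, crc == zlib.crc32(ctype + data), end
        pos = end
        if ctype == b"IEND":
            return

def audit(png):
    """Return (reports on non-standard chunks, number of bytes after the last chunk)."""
    reports, end = [], 8
    for ctype, data, crc_ok, end in walk_chunks(png):
        if ctype not in STANDARD:
            reports.append({
                "type": ctype.decode("latin-1"),
                "private": bool(ctype[1] & 0x20),  # lowercase 2nd letter = private
                "size": len(data),
                "crc_ok": crc_ok,
                "strings": re.findall(rb"[ -~]{4,}", data),  # printable ASCII runs
            })
    return reports, len(png) - end

def chunk(ctype, data):
    """Serialise one chunk: length, type, data, CRC-32 over type + data."""
    body = ctype + data
    return struct.pack(">I", len(data)) + body + struct.pack(">I", zlib.crc32(body))

def sample_png():
    """Constructed 1x1 PNG with two hypothetical private chunks, crTr and crTz."""
    meta = b"author=ExampleUser;" + b"part=limb;" * 6
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 6, 0, 0, 0)  # 1x1, 8-bit RGBA
    idat = zlib.compress(b"\x00" + b"\x00\x00\x00\xff")  # filter byte + one pixel
    return (PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"crTr", meta)
            + chunk(b"crTz", zlib.compress(meta)) + chunk(b"IDAT", idat)
            + chunk(b"IEND", b""))
```

In the sample, `crTr` exposes the account name as a plain string while `crTz` shows no such string even though it is only zlib-compressed, so an unreadable hex dump does not by itself distinguish compression from encryption.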
BastDawn
Retarded Reprobate
****
Posts: 1355


I'll stop by to read Awesomeland once in a while.


Re: MASSIVE SECURITY HAZARD in Spore!
« Reply #23 on: 2008 June 20, 03:51:07 »

The file name of the png is meaningless.  I've changed the name of every creature png file I've downloaded to a "creator name-creature name" format, and they still work.  I've heard the information is stored in the alpha channel, and if you look at a spore creature on a colored background, you can see how pixelated it is.  Presumably you could "hack" a png file to have the data for one creature while showing the picture of a completely different creature, just by replacing the right part of the image.  I could probably do it in less than two minutes in Paintshop Pro.
Logged

J. M. Pescado
Fat Obstreperous Jerk
El Presidente
*****
Posts: 26281



Re: MASSIVE SECURITY HAZARD in Spore!
« Reply #24 on: 2008 June 20, 03:58:09 »

Quote from: BastDawn
Presumably you could "hack" a png file to have the data for one creature while showing the picture of a completely different creature, just by replacing the right part of the image.  I could probably do it in less than two minutes in Paintshop Pro.

The utility of such an act seems somewhat limited, though.
Logged

Grant me the serenity to accept the things I cannot change, the courage to change the things I cannot accept, and the wisdom to hide the bodies of those I had to kill because they pissed me off.