SimCity Always-Online DRM Lets Hackers Play Godzilla With Anyone's Cities
from the go-go-godzilla dept
It seems that everyone is giving EA and Maxis quite a bit of grief over the SimCity debacle. The game’s launch was, um, not great. The backlash against the game’s producers was worse, all the more so once the lying began. But late last week, new evidence was uncovered that suggests perhaps we’ve all been a little bit unfair to EA and Maxis. What if I told you that the always-online game architecture enabled you to be what all of us have secretly wanted to be since we were very, very little children?
Well, hello, childhood fantasy o’ mine. I didn’t see you standing there.
Yes, as Kionae alerts us, one (unplanned?) consequence of requiring online saves for your SimCity games is that anyone with a bit of hacking skill can visit your city, put some Blue Oyster Cult on in the background, and wreak the kind of havoc normally reserved for Japanese nuclear monsters. See, you can, were you so inclined, enter the save game city of another person, and then completely edit or destroy their loving creation like some kind of digital pseudo-god.
Pictured: Omnipotence
Just so we’re clear, this is only possible because of the EA always-online requirement.
It’s still awesome because this hack is only as destructive as it is because of EA’s decision to make the game always-on. If the game hadn’t had always-on DRM then this hack wouldn’t be half as devastating as it is. Having EA delete these kind of topics from their forums is great damage control but don’t be surprised if there’s another furor when people start raging on the forums when some hacker decides to go through and Godzilla everyone’s town. Enjoy.
Enjoy indeed, as long as that enjoyment happens outside of EA’s forums. As noted above, the company is enforcing their TOS rules on their forums and deleting all topics relating to these kinds of hacks. Why? Well, because when a dingo is chewing on your arm, the best defense is to place your noggin lovingly into some sand to make it all just disappear. Or, if that doesn’t work, you could always just apologize for what is becoming the greatest video game debacle this side of a Duke Nukem game, but I’m not holding my breath.
Comments on “SimCity Always-Online DRM Lets Hackers Play Godzilla With Anyone's Cities”
figures
ASSUMING DIRECT CONTROL.
Should try and get an interview with EA’s executives.
Interviewer: Question #1, have you at any time in your life, played a video game?
Exec: Well no, I can’t say that I have.
Re: Re:
You think you’re joking? It’s reality.
Uh oh, I suddenly find myself wanting very badly to purchase this game.
Re: Re:
I don’t know what it is about destroying other people’s work that sounds like so much FUN. If this destruction couldn’t be undone, it might actually be the first justification of always-online play and data storage that I would agree as being significant to everyone’s gameplay.
Re: Re: Re:
No it would point to people rather having offline games files that nobody can hack into or change in any way, have you ever played a game? Seriously either you have never ever played a game or you are an EA exec trying unsuccessfully to con people into thinking EA has better server side security than people have on their own computers, you do know what security is don’t you?
The rate this is going I would not be surprised to hear that hackers have managed to setup a full server to service simcity and are making money from all the lovely loot they are selling to people that don’t realise, or even do realize, that they are not logged onto official EA servers.
Re: Re: Re: Re:
I… really want to think this is not a reply that is correctly placed instead of a spectacular example of a failure in reading comprehension.
In case of the latter: Destroying other people’s cities on the servers for them to log back into and try to fix the mess, would be the first non-trivial feature of the new SimCity that would make use of on-line play. Yes this is a hypothetical thing right now, downloading other people’s cities as described in the article is an unintended consequence of how EA set up the game (ie bad security design) and does not actually affect other players right now, but that mistake inspires people to imagine the greatest possible feature they could have included in the SimCity reboot.
Re: Re: Re: Re:
And I don’t see how what I first said can be taken as approving of EA’s security practices, this whole thing being made possible by completely horrid security, but Origin apparently allows people to run malicious code on your computer by way of drumroll… unprotected link handler execution. Classics never die apparently.
Re: Re: Re:
You should fit right in to eve online.
Re: Re: Re: Re:
Although I do like a good spreadsheet, I admittedly can’t keep up with people that tap phone lines to win.
Re: Re: Re:2 Re:
Although I do like a good spreadsheet, I admittedly can’t keep up with people that tap phone lines to win.
Spoken like a true Eve Online player…
If you ever need to find someone truly afraid of shadows, all you need to do is find someone who’s played the game within a player corporation (not run by themselves.) I played for a year and a half within an NPC/PC owned by myself, and 1 year in a player run corporation, and during that time in the player run corporation, I had the most fun and yet the least fun playing the game. Spies are everywhere! Even my best friends in the game were kept at an arm’s distance. I can’t believe how paranoid I got in that game…gave it up because the drama was getting to me.
Re: Re: Re:3 Re:
As a roleplayer, that sort of intrigue sounds amazingly interesting, if routinely frustrating. A delicious combination. X3
Re: Re: Re:
“I don’t know what it is about destroying other people’s work that sounds like so much FUN.”
Figure that out and you can solve all kinds of problems, from vandalism to Minecraft raids.
I don’t get it either.
Re: Re:
SimCityPvP edition, now available from Origin!
Re: Re: Re:
they should make an official mod with one player getting points for disasters and the mayor getting points for avoiding them. Switch halfway through and you have got a game!
Re: Re: Re:
That’s taking a sim game to a whole new level! I wonder if we can produce and throw nuclear weapons at the enemy city?
Re: Re: Re: Re:
But then it would just be Civilization…
Well, you can damage a local copy of someone’s city that gets over-written when you connect back to the server… or at least that’s what I understand from the non-fud version of the article.
Re: Re:
What “non-fud” version are you talking about?
Here’s quotes from the linked article:
and
And more. The linked articles, anyway, back up what this posting says.
Re: Re: Re:
I disagree that the linked article actually provides support for the notion that these changes can affect the server.
The first quote you cite appears to simply be the author’s analysis (which appears to be incorrect).
The second quote you cite is referring to a different situation where client-side files can affect server-side changes. However, these were players affecting things within their own city (such as city-size limits, etc). I imagine these things were always client enforced, and changing the client’s rules had no effect on the server.
The linked article also notes:
“…however the modder notes that he turned off synching”. This implies to me that an attack that caused the local-changes to be synched has not yet been performed. The quote from the modder further supports this:
“I am worried about people that go deeper into the code and start spoofing the owner ID’s of cities and start doing this maliciously though. Hopefully there are server side safeties on this?”
(from http://www.kotaku.com.au/2013/03/hacker-finds-a-way-to-destroy-other-simcities-hasnt-used-his-power-for-evil/)
It sounds like there has not yet been an attack where someone changes another person’s city and successfully syncs it. The modder has noted that more work would remain before such an attack would be successful (spoofing the owner’s ID). I’m not arguing that such an attack is impossible, but until it occurs this is a total non-event.
Re: Re: Re: Re:
I think i would accept their word and video evidence above your comment, sorry.
Re: Re: Re:2 Re:
You have every right to do so.
I will note that I haven’t disputed their word or their video evidence, though. In fact, I quoted the modder himself to note that server-syncing of these toys hasn’t been performed.
The video evidence (which I don’t dispute) clearly shows the modder destroy a local copy of his friends’ cities. What I dispute is the notion that this permanently destroys the friends’ cities. In fact, the youtube video that this sources from says quite clearly:
“IMPORTANT NOTE: I have NOT enabled syncing of data for this. All cities you see in this video remain UNHARMED – nothing got synced to server.”
http://www.youtube.com/watch?feature=player_embedded&v=ROy6VE5ZsZw
Re: Re: Re:3 Re:
That only means he gained access and turned off syncing as a courtesy to those whose games he hacked. Imagine if you will, if syncing was turned on while he hacked an account….the video shows it is possible to access another person’s city.
Re: Re: Re:3 Re:
Now tell me,
Do you seriously think EA and Maxis, after all this, has done the necessary server-side legwork to prevent players from uploading malicious save files to their server?
The exploit that caused this, if you read into it, was just accepting that the client was exactly who it claimed to be. That is kindergarten level programming that shouldn’t have left QA, much less be shipped in an actual game.
I somehow doubt your supposition that just because the modder CHOSE to not ruin other people’s cities because he values the hard work and fun of other players somehow means that he couldn’t. Especially when we have three-stooges levels of coding practices at work inside Maxis and EA.
Re: Re: Re: Re:
Saying you don’t believe the source is different from saying the source doesn’t say that.
Re: Re: Re:2 Re:
I suppose this depends on who you consider the source to be.
I consider the source to be the modder. His words, in comments on the youtube video:
“IMPORTANT NOTE: I have NOT enabled syncing of data for this. All cities you see in this video remain UNHARMED – nothing got synced to server.”
and
“There is still no city syncing at this most basic level, so you can wreak havoc on a friend’s city, quit out, log back in, and it’s back the way it was – great fun! I am worried about people that go deeper into the code and start spoofing the owner ID’s of cities and start doing this maliciously though.”
http://www.youtube.com/watch?feature=player_embedded&v=ROy6VE5ZsZw
I do agree that the linked article makes the claim that this means you can destroy the cities permanently. I disagree with that claim, I’ve provided my evidence to back this up.
Re: Re: Re:
And n-o-b-o-d-y has ever written an article wrong to get more click views…
/rolls eyes/
Re: Re:
“Well, you can damage a local copy of someone’s city that gets over-written when you connect back to the server…”
This is my understanding also. Many of the articles I’ve seen reporting this event suggest the person simply didn’t sync his changes to the server; from my reading it is that the person can’t sync his changes to the server.
The fact that someone is able to do this locally is a non-event. If someone is able to do this in a way that persists to the servers, well, that’s more interesting.
As much as I hate EA, and as much as the SimCity launch was a failure, I don’t understand why this particular story is getting widespread attention.
Re: Re: Re:
suggest the person simply didn’t sync his changes to the server; from my reading it is that the person can’t sync his changes to the server.
It’s unclear which is the case. However, which it is can be thought of as a security competence question – whether or not EA can design and build a robust server infrastructure to prevent PersonA making changes to PersonB’s stuff. Let’s take a quick look at EA’s past competence level in regards to SimCity.
1) Competence in allocating enough server resources to handle load?
Fail.
2) Competence in adjusting to unforeseen load?
Fail.
3) Competence in designing software to meet their own goals?
Fail (fudging population/simulation of individual agents).
Fail (dumb as a box of dull rocks pathing AI).
Fail (secure software, ie left developer mode in, leading to this possibility).
4) Overall competence in admitting when they were wrong so they could salvage the situation?
Fail.
Since they fail at so much, what makes you think their server design/infrastructure is competently designed to disallow Godzilla-ing someone else’s city?
Re: Re: Re: Re:
So, my understanding from reading the sources is that what we’ve seen so far is a local change that hasn’t been sync’d to the server.
I agree that it’s totally possible for someone to develop an attack that breaks EA’s servers. I definitely don’t think EA’s servers are perfectly protected and it’s very possible that someone will be able to break their protection.
As soon as someone does break their protection, I think it’s a very news-worthy story. Until they do, I read this as an “here’s something interesting you can do to your friends’ cities if you’re bored, and have the misfortune of having purchased SimCity”.
Between this and Prenda Law’s situation, this past month has just had ALL the entertainment.
Hollywood couldn’t sell us better stories if it tried (and judging from its output so far this year, it ain’t tryin’).
Re: Re:
RIAA and MPAA has lost so much funding. They are barely able to deliver the money to politicians with the funding cuts they have received! No money, no laws. TAFTA is still far too far away in the distance to give any meaning lobbying for.
Re: Re:
Silly Rabbit. Hollywood isn’t about storytelling, it’s about demographics.
It's official
EA/Maxis has achieved maximum self-parody.
Re: It's official
and making mr crabs look like he gives a damn.
Damn! I was hoping for the ability to unleash an actual, controllable Godzilla! How awesome would that be?! Now mayors would have to balance running a city with Civil Defense!
*RAR!* *STOMP!* *RAR!* *STOMP!* *RAR!* *STOMP!* “Bring up the tanks! Call for support from another city!” *RAR!* *STOMP!* *RAR!* *STOMP!* *RAR!* *STOMP!*
Re: Re:
BRING ME CHOPPER BACKUP.
Re: Re: Re:
Commander Feral, is that you?
Just leave it to the Swat Kats!
Can't save it yet?
In the video description on YouTube, he says it’s not possible to actually sync your changes back to the server, so the “victim”’s city is unaffected.
Though I fully expect that to be cracked soon. Maybe even by the time I finish writing this comment.
The most basic level of security a multi-user environment must have is separation of privileges. This path has been beaten over, and over, and over…and over again. To fail at this shows complete lack of either knowledge or competence.
Also, can we please stop with the SimFail articles?
We’ve already had three of those today. We get it: SimCity 5 is a bust.
Now, can we concentrate on real issues like Prenda Law? These popcorn won’t eat themselves you know?
Re: Re:
I doubt you’ll see anymore Prenda articles until the 29th. That’s when the fireworks are scheduled, anyway.
Personally, I never tire of the delicious egg on EA’s face. I’ve had a bone to pick with them for about 13 years, ever since they turned the very-promising “Need for Speed: Motor City” into “Motor City Online” and made it online-only when a large percentage of internet users only had unreliable dial-up connections.
Re: Re:
Meh. This is a fun subject, too. Just skip the posts that don’t appeal to you. I do that all the time here (and everywhere else I read).
Re: Re:
Three! I only read 2, damn it.
No it’s not enough. EA sells this shit and their stock goes up. Unreal.
This may not be precisely up TD’s alley, but there’s a real problem of customers not understanding that EA’s business model of shit = profit is working wonderfully. Disposable consumers and, um, “liquidating” title loyalty.
Conspiracy
What’s that? Another problem pirates won’t have to deal with? It’s almost like EA is running some kind of conspiracy.
1. Make game terrible for everyone but pirates.
2. Piracy will be more rampant than ever
3. ???
4. Profit
Brilliant
This is brilliant on the part of EA. I too find myself wanting to play SimCity now. I normally don’t have time for games. I may just find time. I hope Godzilla is available as an avatar.
Yet another EA always-on DRM catastrophe
In other news, EA’s servers also facilitate the remote installation of malware on users’ computers: http://arstechnica.com/security/2013/03/bug-on-eas-origin-game-platform-allows-attackers-to-hijack-player-pcs/
I really like the quote from Erik Reynolds – Sr.Dir Worldwide Communications – EA Maxis on the hacking problem
“Hi – We don’t have a hacker problem, we have very talented mod community who agree with you and disagree with our design choice”
https://twitter.com/buzzspinner/status/312343408754700288
Re: Re:
Anyone in for a little:
sudo rm -rf /
Online Japanese Monster Simulator
A sim game which allows you to log on to someone else’s on purpose and imitate old Japanese monster films? I better get to work.
*Sits down and starts coding*
This whole debacle is hilarious and I’m laughing my ass off about how much EA’s screwed this up.
MOTHER FUCKER! Why did I have to go and refund to tell EA to fuck off. 🙁
I should have waited so I could play some Godzilla.
And in more news…EA’s CEO resigns…
http://arstechnica.com/gaming/2013/03/electronic-arts-ceo-resigns-effective-on-march-30/
Re: Re:
Was just coming here to post the same.
Re: Re:
Or officially:
http://www.ea.com/news/from-larry-probst-ea-leadership-transition
Please verify before posting inaccurate claims
It’s been confirmed that any edits done by someone else ARE NOT saved to the server. So this article is very misleading.
Next EA Statement
EA Executive: “At the flick of a switch EA could destroy your online creation…so why not let anybody do it?”
EA's CEO just stepped down. LAWL.
http://www.pcmag.com/article2/0,2817,2416756,00.asp
Suck it EA.
Re: EA's CEO just stepped down. LAWL.
Just read that on Engadget.
Sadly they’re just going to find another Sock Puppet for their board, the Chairman standing in for CEO right now is Larry Probst (the CEO before Riccitiello). Although slightly entertaining to see the issue they downplayed is actually bigger than they would admit.
Until the board is done bashing their collective face into their finely crafted meeting room table, don’t expect any changes. Boards select these CEOs then fight them to keep the board’s interests as the primary concern, which happens to be stocks and not the health of the company.
I don’t suppose there’s any chance of someone committing ‘Duke Nukem’ on EA, is there? Now that would ALMOST be worth all the grief, the lies and the bullshit that they have put out up till now (but I doubt have stopped putting out. There has to be more on the way. After all, once you start lying, they just get bigger, broader and downright worse as time goes on!)
Don’t forget that once you do get logged in the game doesn’t deliver as promised
http://kotaku.com/5991077/your-complete-guide-to-the-simcity-disaster?utm_source=gawker.com&utm_medium=recirculation&utm_campaign=recirculation
As one EA forum member points out, SimCity’s sim-people use the same sort of AI-handling “agent system” that traffic and sewage and power uses. The results are not pretty.
The problem is that, just as power can sometimes take a ridiculously long time to fill the entire map (because the “power agents” just randomly move about with no sense) traffic and workers can do the same thing. Workers leave their homes as “people agents.” These agents go to the nearest open job, not caring at all where they worked yesterday. They fill the job, and the next worker goes to the next building and fills that job, and so it goes until all the jobs are “filled.” So, when you have all your “worker” sims leaving their houses for work in the morning, they all cluster together like some kind of “tourist pack” until they have all been sucked into “jobs.” They don’t seem to care if the job is Commercial or Industrial, only that it’s a job.
“Scholars” are handled exactly the same way. As are school busses and mass-transit agents. This is why you see the “trains” of busses roaming through your city, and why entire sections of town may never see a school bus, despite having plenty of stops… Once all the busses are full, they return to school and stay there until school is done for the day.
Now, here is where it gets really good… In the evening, when work and school lets out, they all leave and proceed to the absolute closest “open” house. They don’t “own” their houses. The “people” you see are actually just mindless agents (much like the utilities agents, as I said earlier) making the whole idea of “being able to follow a ‘Sim’ through their entire day” utterly POINTLESS!!”
-Instead of returning to their own homes, individual Sims would drive into the nearest home available.
-Instead of driving on empty roads, Sims would take the shortest path available, even if that led straight into congestion.
Re: Re:
What I wonder is if the ‘sim’ is even designated as an adult or child. Is the sim a reproductive adult one day, and then a prepubescent elementary school child the next?
Re: Re:
“The problem is that, just as power can sometimes take a ridiculously long time to fill the entire map (because the “power agents” just randomly move about with no sense) traffic and workers can do the same thing. Workers leave their homes as “people agents.” These agents go to the nearest open job, not caring at all where they worked yesterday.”
Give me the days when all you had to worry about were budget, traffic problems, pollution, population, crime, and disasters. That is all I request..the simplicity of the original with the updated graphics of today.
Hitchhiker's guide
Why? Well, because when a dingo is chewing on your arm, the best defense is to place your noggin lovingly into some sand to make it all just disappear.
In other words – peril sensitive sunglasses
I wonder if EA used the Sony BMG Rootkit source code for the DRM contained in the game and in their servers….this sounds an awful lot like the Sony BMG Rootkit vulnerability.
Re: Re:
*Maybe EA borrowed some code from Fortium Technologies Ltd….
I didn't expect this from Techdirt
To use an analogy, what we have here is essentially someone downloading saves of other players and doing stuff to them locally. That’s absolutely it.
It might be that someone finds a way to get the server to accept the changed save by spoofing the ownerid but considering that the trick has been in the open for two or so days now and there is no news whatsoever of that happening, it will, at the very least be non trivial to do so.
Very sloppy article, highly disappointed.
This is about damaging local copies of cities
It’s like photoshopping a moustache on a photograph of someone, funny but not harmful in any way. Nobody has damaged data on a server and nobody has any evidence that it’s possible. Wish OP would fix the article.
I think they’ll have to give a few more “we-are-sorry” games now…
This hack is the perfect allegory to what DRM is doing to the game =D
I would personally suggest that if you fix the problem and delete the threads about said hack, it would probably blow over as well. (the important part being fixing the problem)
And I still won’t buy it.
This is somewhat misleading
This is taking place on a local version of the map, the one you load up when you view some one else’s city. A bug where you could place parks while viewing some one else’s city has been in since launch.
These changes are not and currently cannot be synced with the server, the modder was only talking about being worried that some one would be able to spoof other player ID’s down the road and cause trouble. We don’t know if that can be done and we don’t know if there are server side checks that would prevent it if you could.
In short I’m on the hate EA train as much as every one else but there is plenty of real issues that we don’t have to start making crap up.
What’s happened here is some messing with the debug mode has allowed some one to mess around with the local data uses to allow viewing of other peoples cities in a region. This has nothing to do with the DRM and currently, and is frankly unlikely to, lead to being able to damage other peoples saves.
I’d expect Tech Dirt to do better than this, even reading the youtube description rather than the sensationalist blog should make all the above perfectly clear.
IMPORTANT NOTE: I have NOT enabled syncing of data for this. All cities you see in this video remain UNHARMED – nothing got synced to server. I would not condone any action which could actually harm another player’s city without permission!
So, this was done by editing the SimCity packages, tweaking some code, and getting the game to think that, when I visited a random person’s city in a random region, I WASN’T in observer mode, and force enabling of edit mode so that I had full access to the city as if it was my own. There is still no city syncing at this most basic level, so you can wreak havoc on a friend’s city, quit out, log back in, and it’s back the way it was – great fun! I am worried about people that go deeper into the code and start spoofing the owner ID’s of cities and start doing this maliciously though. Hopefully there are server side safeties on this… hmmm.
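The "server side safeties" the quoted modder hopes for, and the flaw an earlier comment describes as "accepting that the client was exactly who it claimed to be", sketched as an added example (not EA's or Maxis's code, and not written by any commenter). Every name, the request fields and the token format are hypothetical and constructed for illustration; nothing here reflects SimCity's actual protocol.

```python
import hashlib
import hmac

# Constructed sample data: the server's own record of who owns which city.
CITY_OWNERS = {"city-100": "alice", "city-200": "bob"}
CITY_SAVES = {"city-100": b"alice-v1", "city-200": b"bob-v1"}
SERVER_KEY = b"example-only-key"  # hypothetical; a real key lives in a secret store


def _tag(account_id: str) -> str:
    return hmac.new(SERVER_KEY, account_id.encode(), hashlib.sha256).hexdigest()


def issue_token(account_id: str) -> str:
    """Issued at login: the account id plus an HMAC only the server can compute."""
    return f"{account_id}.{_tag(account_id)}"


def authenticate(token: str):
    """Return the account id bound to the token, or None if the tag is invalid."""
    account_id, _, tag = token.rpartition(".")
    if hmac.compare_digest(tag.encode(), _tag(account_id).encode()):
        return account_id
    return None


def sync_trusting_client(request: dict, saves: dict) -> bool:
    """Weak: authorizes on the owner_id field that the client filled in itself."""
    if request["owner_id"] == CITY_OWNERS.get(request["city_id"]):
        saves[request["city_id"]] = request["save"]
        return True
    return False


def sync_checked(request: dict, saves: dict) -> bool:
    """Hardened: identity comes from the verified session token and ownership
    from the server's record; the owner_id in the request body is ignored."""
    account = authenticate(request.get("token", ""))
    owner = CITY_OWNERS.get(request.get("city_id"))
    if account is None or owner is None or account != owner:
        return False
    saves[request["city_id"]] = request["save"]
    return True


def demo():
    """bob is logged in but submits a save for alice's city with owner_id 'alice'."""
    mismatched = {
        "token": issue_token("bob"),
        "city_id": "city-100",
        "owner_id": "alice",  # client-controlled claim
        "save": b"flattened",
    }
    weak, hard = dict(CITY_SAVES), dict(CITY_SAVES)
    return (
        sync_trusting_client(mismatched, weak), weak["city-100"],
        sync_checked(mismatched, hard), hard["city-100"],
    )


if __name__ == "__main__":
    print(demo())
```

The same request overwrites the stored city in the first handler and is rejected in the second, which is the difference between a local-only edit and one that persists.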
Doesn’t even matter, all of my games are PRIVATE
I didn’t buy Sim City and I have no intention of doing so, but holy hell has it given me hours of entertainment! Best game I never bought.