Author Topic: MASSIVE SECURITY HAZARD in Spore!  (Read 102965 times)
BastDawn
Retarded Reprobate
****
Posts: 1355


I'll stop by to read Awesomeland once in a while.


Re: MASSIVE SECURITY HAZARD in Spore!
« Reply #50 on: 2008 June 21, 07:17:45 »

Yes.  (I had to log out as Ibis to complete the change, and I figured I might as well reboot completely.)  So Spore keeps the name it knew at installation.  But I'm happy with it that way, because "Ibis" is not the name the computer is registered under.
Logged

J. M. Pescado
Fat Obstreperous Jerk
El Presidente
*****
Posts: 26288



Re: MASSIVE SECURITY HAZARD in Spore!
« Reply #51 on: 2008 June 21, 08:11:51 »

I have a few hunches on where it is stored at the moment, and have also made some progress in understanding the spyware components. Research is ongoing.
Logged

Grant me the serenity to accept the things I cannot change, the courage to change the things I cannot accept, and the wisdom to hide the bodies of those I had to kill because they pissed me off.
Mirelly
Pinheaded Pissant
***
Posts: 1037


Pompous Twitter


Re: MASSIVE SECURITY HAZARD in Spore!
« Reply #52 on: 2008 June 21, 08:51:43 »

Can someone explain to me why someone knowing my account's log-in name on my PC is dangerous to me?

I submit that 90% of Windoze users operate with a single account using the generic MS account name and with no password set. I was one of those until a few ago when I migrated from dial-up to DSL. At that point I realised that I needed additional levels of security and installed a firewall and began operating password protected user accounts.
Logged

me shit
Wayward Ink now with SMF shiny and no ads
I see the Dome is filled with Lamb Chop conspiracy theories. The only authentic Mirelly sock is "readordead", who will not be posting, for obvious reasons.
J. M. Pescado
Fat Obstreperous Jerk
El Presidente
*****
Posts: 26288



Re: MASSIVE SECURITY HAZARD in Spore!
« Reply #53 on: 2008 June 21, 09:51:35 »

Quote
Can someone explain to me why someone knowing my account's log-in name on my PC is dangerous to me?

If your login name is not sensitive information, then you are relatively safe. However, a disturbing number of computers I have encountered actually contain the user's real name, which is highly sensitive information that should not be shared with the world, especially given that other information tends to be incidentally attached to it by IP. All in all, the fact that it transmits potentially sensitive information to the entire world is cause for concern.
Logged

Grant me the serenity to accept the things I cannot change, the courage to change the things I cannot accept, and the wisdom to hide the bodies of those I had to kill because they pissed me off.
Mirelly
Pinheaded Pissant
***
Posts: 1037


Pompous Twitter


Re: MASSIVE SECURITY HAZARD in Spore!
« Reply #54 on: 2008 June 21, 12:02:51 »

Ah, my computer's log-in name is my real name that my friends use to address me, but that name has no direct correlation with my "real" real name as found in government records and which I use only to notarise documents for the purposes of accepting liabilities and responsibilities.

I also have two signatures. One for official purposes and one for sundry purposes, for example signing for a delivery; I believe in plausible deniability ....
Logged

me shit
Wayward Ink now with SMF shiny and no ads
I see the Dome is filled with Lamb Chop conspiracy theories. The only authentic Mirelly sock is "readordead", who will not be posting, for obvious reasons.
Menaceman
Horrible Halfwit
**
Posts: 361



Re: MASSIVE SECURITY HAZARD in Spore!
« Reply #55 on: 2008 June 21, 16:52:09 »

When I use the SCC the lower left of the screen shows my full name until it "phones home" when it changes to display my Spore account name. I never got to name my user account as the laptop was delivered to me with it already named after me and I never saw the need to change it. I've asked a friend what my creations show up as on his machine as he has downloaded some of them and he says they are listed with my Spore account name, not my laptop user account name.
Should I still be worried or not? I hate finding threads like this as they make me so paranoid.
Logged
Baroness
witch
Breakfast of Champions!
Senator
*
Posts: 11636


Shunning the accursed daystar.


Re: MASSIVE SECURITY HAZARD in Spore!
« Reply #56 on: 2008 June 21, 22:53:40 »

Question for JM.

If I'm running the game on a hardware profile that doesn't allow for networking and internet, will the EAxis phone home info be held after the machine has been rebooted?
Logged

My fists are named Feminine and Wiles.
BastDawn
Retarded Reprobate
****
Posts: 1355


I'll stop by to read Awesomeland once in a while.


Re: MASSIVE SECURITY HAZARD in Spore!
« Reply #57 on: 2008 June 22, 00:17:22 »

I was checking out the forums at Penny Arcade for more creatures to download, and found this:

Quote
jonxp wrote:

The creature data is encoded in the actual PNG images not as metadata, but through steganographically altering the image. Each pixel is made of four bytes of data (Red, Green, Blue, and Alpha). To extract the data from the image, one needs to take each byte of the image, divide it by two, and use the remainder as a single bit (this is known as a modulus operation). So for each byte in the decoded image you get a bit of information, each pixel is a nibble, and every two pixels is a full byte. Since the thumbs are 128x128, you can store 8KB of information in this manner.

I have written a program to extract the creature data, unfortunately it seems to be signed and/or encoded in some fashion, so I can't actually manipulate it (as far as I can tell).

I will put up some proof-of-concept "spore rolled" creatures soon that appear to be one creature, but are in fact a different one when loaded.

Interesting, but not very useful until it's decoded.
Logged
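
The extraction jonxp describes in the quote above, as an added example that is not part of the original thread and is not jonxp's program. It works on an already-decoded RGBA byte buffer; the bit order (most significant bit first), the payload position, and the cover image and payload are assumptions constructed for illustration. It also shows that clearing the low bits removes the hidden data.

```python
# Added example (not from the thread): LSB steganography over raw RGBA bytes.
# Assumptions: MSB-first bit order, payload starting at the first channel
# byte, and a constructed cover image and payload.

WIDTH = HEIGHT = 128   # thumbnail size given in the quoted post
CHANNELS = 4           # R, G, B, A: one byte each


def capacity_bytes(width=WIDTH, height=HEIGHT, channels=CHANNELS):
    """One hidden bit per channel byte, eight hidden bits per payload byte."""
    return width * height * channels // 8


def embed_lsb(pixels, payload):
    """Return a copy of pixels with payload written into the low bits."""
    if len(payload) * 8 > len(pixels):
        raise ValueError("payload exceeds the LSB capacity of the image")
    out = bytearray(pixels)
    for i in range(len(payload) * 8):
        bit = (payload[i // 8] >> (7 - i % 8)) & 1
        out[i] = (out[i] & 0xFE) | bit
    return bytes(out)


def extract_lsb(pixels, nbytes):
    """Rebuild nbytes of payload: each channel byte modulo 2 is one bit."""
    if nbytes * 8 > len(pixels):
        raise ValueError("image too small for the requested length")
    out = bytearray()
    for i in range(nbytes):
        value = 0
        for channel in pixels[i * 8:(i + 1) * 8]:   # 8 channel bytes = 2 pixels
            value = (value << 1) | (channel % 2)
        out.append(value)
    return bytes(out)


def scrub_lsb(pixels):
    """Clear every low bit: hidden data is lost, each channel moves by at most 1."""
    return bytes(b & 0xFE for b in pixels)


def max_channel_delta(a, b):
    """Largest per-channel difference between two equally sized buffers."""
    return max(abs(x - y) for x, y in zip(a, b))


# Constructed cover image (a repeating gradient) and constructed payload.
COVER = bytes((i * 7 + 13) % 256 for i in range(WIDTH * HEIGHT * CHANNELS))
PAYLOAD = b"<creature author='constructed-placeholder'/>"
STEGO = embed_lsb(COVER, PAYLOAD)

if __name__ == "__main__":
    print("capacity:", capacity_bytes(), "bytes")
    print("recovered:", extract_lsb(STEGO, len(PAYLOAD)))
    print("largest channel change:", max_channel_delta(COVER, STEGO))
    print("after scrub:", extract_lsb(scrub_lsb(STEGO), len(PAYLOAD)))
```

A channel value never changes by more than 1, which is why the altered thumbnail looks identical to the eye while still carrying the payload.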

J. M. Pescado
Fat Obstreperous Jerk
El Presidente
*****
Posts: 26288



Re: MASSIVE SECURITY HAZARD in Spore!
« Reply #58 on: 2008 June 22, 00:19:50 »

Quote
When I use the SCC the lower left of the screen shows my full name until it "phones home" when it changes to display my Spore account name. I never got to name my user account as the laptop was delivered to me with it already named after me and I never saw the need to change it. I've asked a friend what my creations show up as on his machine as he has downloaded some of them and he says they are listed with my Spore account name, not my laptop user account name.
Should I still be worried or not? I hate finding threads like this as they make me so paranoid.

You should panic now, yes. In the event that the Splorch server cannot be logged in, anything you make will contain your name in it. You can freak out now.
Logged

Grant me the serenity to accept the things I cannot change, the courage to change the things I cannot accept, and the wisdom to hide the bodies of those I had to kill because they pissed me off.
wes_h
Knuckleheaded Knob
**
Posts: 530


Lady on Rancho Como


Re: MASSIVE SECURITY HAZARD in Spore!
« Reply #59 on: 2008 June 22, 05:11:06 »

I saw a post elsewhere claiming that the data is in the color channels at all the locations that are transparent (where the alpha is zero). It seems like a reasonable conjecture and also a very clever method.

If it bears out to be true I will eat my words here publicly (and this may very well be necessary), although I am correct that there are only standard PNG chunk types in any of the files I examined (no private or metadata chunks). Since I do not have any significant tools here or previous experience to aid me in decompressing and checking these files, I will leave that research to the ongoing efforts of others.

I will say that I know the username is saved in .package files, along with the creature name and other data (likely ID values similar to the TS2 group and instance) after the file is downloaded, and that at least a significant amount of the creature data is an XML file. Unlike TS2, it appears when the file is downloaded that the package file containing your creature data (created by you and that downloaded) is updated, rather than separate files existing for each creature.
Logged
J. M. Pescado
Fat Obstreperous Jerk
El Presidente
*****
Posts: 26288



Re: MASSIVE SECURITY HAZARD in Spore!
« Reply #60 on: 2008 June 22, 05:25:30 »

Where are these package files HIDING, anyway? I can't seem to locate them inside the directories.

Quote
I saw a post elsewhere claiming that the data is in the color channels at all the locations that are transparent (where the alpha is zero). It seems like a reasonable conjecture and also a very clever method.

I wouldn't worry about that. An experiment is meaningful even when the hypothesis is proven to be false.
Logged

Grant me the serenity to accept the things I cannot change, the courage to change the things I cannot accept, and the wisdom to hide the bodies of those I had to kill because they pissed me off.
Baronetess
Lorelei
Grammar Police
*
Posts: 6512


I like pie. A cake is fine, too.


Re: MASSIVE SECURITY HAZARD in Spore!
« Reply #61 on: 2008 June 22, 20:01:58 »

Photoshop has a "feature" where you can add data info (name of artist, source of image(s), address, copyright, contact data, whatever) to images. I haven't used it in ages, so I can't recall if this data is only for Photoshop-format files or if jpgs, pngs and gifs can also be data-enhanced. At any rate, there are ways to embed data that don't require a lot of nerdery or specialized knowledge. Said data can be very complex.

As far as reading info off a standard compy, also easy. Simplistic Javascripted code embedded in HTML has been used since practically the first days of the graphical (rather than text-based) WWW, and before.

Not a great stretch of the imagination that an unethical data-mining company like EA might seek to tweak existing old tech to steal your personal info. Fuckers.
Logged


Super INTJ.    MATY's Big Cat.    LOLcult.   Pescado: Like the ancient Egyptians, the Internet worships cats.
Mirelly
Pinheaded Pissant
***
Posts: 1037


Pompous Twitter


Re: MASSIVE SECURITY HAZARD in Spore!
« Reply #62 on: 2008 June 22, 20:48:42 »

Quote
In the event that the Splorch server cannot be logged in, anything you make will contain your name in it. You can freak out now.

Muahaha. I visited the Sporepedia today and broke it.

proof ... it's a screencap.

ETA Cold Fusion ... yeesh.
Logged

me shit
Wayward Ink now with SMF shiny and no ads
I see the Dome is filled with Lamb Chop conspiracy theories. The only authentic Mirelly sock is "readordead", who will not be posting, for obvious reasons.
wes_h
Knuckleheaded Knob
**
Posts: 530


Lady on Rancho Como


Re: MASSIVE SECURITY HAZARD in Spore!
« Reply #63 on: 2008 June 23, 02:03:40 »

Quote
Where are these package files HIDING, anyway? I can't seem to locate them inside the directories.

I am running the program here on a Vista machine. On Vista the packages are in C:\Users\myusername\AppData\Roaming\SPORE Creature Creator\

I would believe on XP there will be a SPORE Creature Creator in your user area in a folder called "Application Data". This folder or its analog is, under both Vista and XP, a locked system folder, and to see the files in Windows Explorer you have to uncheck the option "Hide Protected Operating System Files", ignoring the dire warnings that messing with these files could ruin your system, and may perhaps be the source of all strife in the world.

SimPE Phails at opening them, because the format has been updated to version major 2. This has become the latest time sink for me.

Logged
Menaceman
Horrible Halfwit
**
Posts: 361



Re: MASSIVE SECURITY HAZARD in Spore!
« Reply #64 on: 2008 June 23, 21:14:10 »

Quote
In the event that the Splorch server cannot be logged in, anything you make will contain your name in it. You can freak out now.

Muahaha. I visited the Sporepedia today and broke it.

proof ... it's a screencap.

ETA Cold Fusion ... yeesh.

I get those error screens a lot when browsing the spore site.
As to my earlier post, I have since created creatures without being connected to the net and they have indeed been stored to my Sporepedia with my real name attached. I figure I can just edit them and save as new creatures to get them to use my account name before uploading.
Logged
CM
Asinine Airhead

Posts: 11


Re: MASSIVE SECURITY HAZARD in Spore!
« Reply #65 on: 2008 June 25, 03:04:28 »

Thank you for telling us this!  This only shows that EA is in it for the bucks and nothing else.  If they actually listened to the customers, this would have stopped awhile ago.  If this is any indication of what is to come for The Sims 3, count me out.  Angry
Logged
Zilla
Blathering Buffoon
*
Posts: 59


Re: MASSIVE SECURITY HAZARD in Spore!
« Reply #66 on: 2008 June 25, 16:10:07 »

Quote
ACHTUNG!

As if SecuROM wasn't bad enough, there is also a MASSIVE SECURITY LEAK in Spore: If you EVER share ANY content with ANYONE, be warned that YOUR COMPUTER USERNAME is ENCRYPTED INTO THE CREATURE "IMAGE" FILE. YOU WILL NOT BE ABLE TO REMOVE THIS INFORMATION BY HEXING! This means that ANYONE who downloads it will know what your username is on your computer.

This represents a MASSIVE security breach because many people (foolishly) encode their real names into their Windoze username. Even if you don't, revealing this username to the world presents a point of vulnerability for attack by hackers. By sharing any Spore content ANYWHERE, you are leaving your computer open to attack and leaving yourself open to stalking and identity theft.

BEWARE!

All ass kissing aside Pes, but after not being here for a while I was rather disappointed to read this. Certainly you must have a trick or two up your sleeve to bypass this problem?  Not that I was going to buy it, but still.

Silly people still feeding the cash cow. All one is ask is, why?
Logged
J. M. Pescado
Fat Obstreperous Jerk
El Presidente
*****
Posts: 26288



Re: MASSIVE SECURITY HAZARD in Spore!
« Reply #67 on: 2008 June 25, 23:41:33 »

Quote
All ass kissing aside Pes, but after not being here for a while I was rather disappointed to read this. Certainly you must have a trick or two up your sleeve to bypass this problem?  Not that I was going to buy it, but still.

Yeah, don't put your name on your computer and/or don't share your files. It's really a problem that afflicts Sheeples, but there's an awful lot of them.
Logged

Grant me the serenity to accept the things I cannot change, the courage to change the things I cannot accept, and the wisdom to hide the bodies of those I had to kill because they pissed me off.
zolabee
Asinine Airhead

Posts: 30



Re: MASSIVE SECURITY HAZARD in Spore!
« Reply #68 on: 2008 June 28, 12:49:30 »

You know, I don't post often - usually when I need help (stupid non tech here), but I just have to say EA stinks! *read sucks*  What chance does someone like me who is miles below you guys, but miles above even more people? 

Thanks for sharing this info.  I hadn't intended to get spore, but will pass this on to student's parents when school starts back.
Logged

I admit I'm probably a retard - but I'm only retarded if I stay there - so laugh at me- but, watch your back, because I learn pretty da*n fast!
SilentDream
Asinine Airhead

Posts: 27


Diva


Re: MASSIVE SECURITY HAZARD in Spore!
« Reply #69 on: 2008 July 01, 00:01:32 »

Quote
spore will use the name of the account it was installed under so even though you changed your login name it will still use the name it was installed with. (if you uninstall, reinstall it will use your new one Smiley).

I don't think so. When I got my computer, the account was named something other than it is now. In documents and settings, the account folder still has the previous name and I have had games pull from that name before. So I wouldn't doubt that spore, though installed after I changed the account name, would pick up the previous name.
Logged

With broken wings, we'll fly away
kuronue
Querulous Quidnunc
****
Posts: 1154



Re: MASSIVE SECURITY HAZARD in Spore!
« Reply #70 on: 2008 July 08, 02:29:50 »

Out of curiosity, JM, how dangerous are slightly-unusual first names? I've heard varying opinions from varying people, most of which can't tell their heads from their asses...


ETA: And are we sure the computer name isn't stored anywhere? I got this lappy from my school, so if there's both that gives a first name and a school. . .
Logged

INFP or something
J. M. Pescado
Fat Obstreperous Jerk
El Presidente
*****
Posts: 26288



Re: MASSIVE SECURITY HAZARD in Spore!
« Reply #71 on: 2008 July 08, 02:35:23 »

Quote
Out of curiosity, JM, how dangerous are slightly-unusual first names? I've heard varying opinions from varying people, most of which can't tell their heads from their asses...

Extremely. I mean, if your name is something like "John" or "Emma", you probably have little to worry about...

Quote
ETA: And are we sure the computer name isn't stored anywhere? I got this lappy from my school, so if there's both that gives a first name and a school. . .

DEAD MEAT. Reformat that sucker NOW. Tell them it got hacked by mudkipz. A name alone may not be enough, but three points of data in the form of a name, an organization, and an IP is enough to definitely peg you to within 50 meters. With that much information, someone with the resources of EAxis can take you out with an artillery strike right there.
Logged

Grant me the serenity to accept the things I cannot change, the courage to change the things I cannot accept, and the wisdom to hide the bodies of those I had to kill because they pissed me off.
kuronue
Querulous Quidnunc
****
Posts: 1154



Re: MASSIVE SECURITY HAZARD in Spore!
« Reply #72 on: 2008 July 08, 23:54:01 »

Quote
Out of curiosity, JM, how dangerous are slightly-unusual first names? I've heard varying opinions from varying people, most of which can't tell their heads from their asses...
Extremely. I mean, if your name is something like "John" or "Emma", you probably have little to worry about...

It's not, it's one of those last names that is sometimes used as a first name, for a boy, when spelled differently. Googling it shows no relevant results in the first five pages (after that I lost count).

Quote
ETA: And are we sure the computer name isn't stored anywhere? I got this lappy from my school, so if there's both that gives a first name and a school. . .
DEAD MEAT. Reformat that sucker NOW. Tell them it got hacked by mudkipz. A name alone may not be enough, but three points of data in the form of a name, an organization, and an IP is enough to definitely peg you to within 50 meters. With that much information, someone with the resources of EAxis can take you out with an artillery strike right there.

Glad I haven't installed the Creature Creator yet then. I'll put it on the more anonymous computer after checking to ensure there's nothing on it.
Logged

INFP or something
edalbformat
Exasperating Eyesore
*
Posts: 208


Re: MASSIVE SECURITY HAZARD in Spore!
« Reply #73 on: 2008 July 15, 11:14:46 »

According to the last thing I read, EA/Maxis accuse to have more than 100 million copies of their games sold. Every day you read users saying "I'm totally excited waiting for the new Ep, or whatever".
You are BUYING boy, no matter what kind of rape is done to you. I don't have Spore, or any other product from EA and I decided that no one in my circle will ever buy anything else with EA logo in it. We avoid even the shops that place the logo on the window.
No one has to care about what you have to say, because you say it and run to buy the next crap released.
Game players are developing the same relation as the whore to the pimp. You destroy me but what am I without you?

-x-x-x-x-x-
90% of the people in this planet, should use the brain outside the cranium.  It is only decorative anyway!
Logged
Zazazu
Fuzzy Pumpkin
Whiny Wussy
*****
Posts: 8583


Potiron flou


Re: MASSIVE SECURITY HAZARD in Spore!
« Reply #74 on: 2008 July 15, 15:15:37 »

Quote
Game players are developing the same relation as the whore to the pimp. You destroy me but what am I without you?

-x-x-x-x-x-
90% of the people in this planet, should use the brain outside the cranium.  It is only decorative anyway!

Who needs Gali?
Logged

Capitalism, Ho!
"Continue to beat it in masturbatory ecstasy if you like, but only Pescado can make it go away." - Lemmiwinks
My Urinal