157 comments

[ 2.0 ms ] story [ 222 ms ] thread
Should I shed tears for them for getting hacked, or laugh to them because they are not taking security seriously?
I'm inclined to laugh at them but honestly what does it even mean at this point to take security seriously?

It appears that the only companies capable of being secure are Google and Apple. Aside them everyone is getting hacked every other day.

Imagine a world where there is no, say, AWS. So many basic security things that we take for granted are automatically set up for you in the cloud, as most shops out there could not care for it to save their own lives.

Companies that torch through millions of dollars of VC money need a nice ransomeware kick in the ass to set up a MongoDB password, and will proactively ignore S3 warnings to not make something public, so what do you expect?

I can imagine it, I see many independent security consultants and companies making money instead of Amazon.
I think this my first time I see a leaked source code for a closed source product before its lunch. Viva battlefield 2042. Cheats will be available in a time record.
The Half-Life 2 leak happened way before launch (13 months) and there were a lot of changes when it actually released. 2042 is much closer (4 months) if the release date keeps.
The HL2 leak was super cool and practically a behind the scenes copy. Untextured walls, unfinished levels, all sorts of fascinating test areas. Great reference.
Shed tears because they're not taking security seriously.
No, laugh to them for getting hacked. It's EA afterall.
In the old days, EA used to mean genuinely good games with great level design. It’s not even close to the same company now, but I understand some people being sad because they still think about EA as old EA.
I feel neither sorrow nor laugh. Just joy about the fact the source code is going to be available.
Maybe it is not going to be available publicly after all.
Not sure if it is a good thing, besides plain studying, though. Imagine some developer in perfect good faith who finds some interesting graphics code online with no references to EA and a fake Open Source license attached to it, and that code happens to be part of EA's code, then imagine this developer incorporating them into an Open Source game, maybe just 150 lines of code out of several tens of thousands. EA's lawyers would hardly ignore him, and the poor guy would see his own career and possibly his entire life ruined. Not to mention the possibility of becoming a case against Open Source.
> because they are not taking security seriously?

I don't think is necessarily the case. You can take security seriously, but there are limits, and you have to balance the effort with the willingness of someone breaching your safeguards.

I would use a bicycle as an example. You can buy whatever lock you want, it can be broken by someone. The better the lock, the less people can get through it or are less inclined to do so anyway. You can pay a security guard to look after your bike, but at some point, if your bicycle is really valuable, one guard can be bribed (or killed), and so on, and so on.

In summary, just because they were "hacked" does not mean they are not taking security seriously.

> In summary, just because they were "hacked" does not mean they are not taking security seriously.

To some extent though it does mean they were not taking security seriously _enough_. In your example, they misjudged whether they needed a guard or not.

[EDIT] Actually, I realized it's not about taking it seriously, but executing it efficiently.

Even so, they could have defended perfectly against a threat model, which might have been completely reasonable. But it might have been pure bad luck. Although I don't know any of the details.
> I don't think is necessarily the case

Back then, when they enforced a maximum 16 character password, I saw enough security. Are they storing them in plaintext or what? Btw, I think they increased the limit to 32 now

some hashing algorithm don't allow longer passwords. https://cheatsheetseries.owasp.org/cheatsheets/Password_Stor....
Well, 72 bytes is still far away from 16 characters. Also, nearly every website is able to allow passwords longer than 16 chars, so it is definitely possible somehow!? This limit is ridiculous
also in unicode? (4 byte * 19 chars)
No, but they don't support it anyways
1. Unicode has no idea of "bytes" at all.

2. Only in the UTF-32 encoding, which no one uses, are all characters represented by 4 bytes.

Most sites today use UTF-8 where most characters on a standard keyboard are 1 byte, and almost all characters from any language take 3 bytes.

3. Even 19 characters is a lot better than 12.

(comment deleted)
Is this is a good reason to reject long passwords?

If that kind of hashing algorithm is a must, why not use first X bytes of the password input?

Because then people find out that it ignores a bunch of your password and people's "password12DHpS*yoCTV44cAmg$gJj" is matched by "password123". Or "correct horse battery staple i have the most brilliant password ever" is matched by "correct horse battery staple".
In other words, a modern version of Microsoft LAN Manager:

https://en.wikipedia.org/wiki/LM_hash

Save-ya-a-click: basically what jfrunyon describes, along with a whole lot of other insecurity goodness (and to be fair, LANMan was a long time ago).

Good point, that was too simplistic. Then again, I guess longer passwords could be preprocessed with another hashing function, one that returns a string of X bytes?

My point is that throwing a "password too long" error, especially for 32 characters or less, feels like a wrong approach to me; no matter the circumstances or the amount of backward compatibility that has to be kept.

I understand your point but then password shucking can be problematic: https://cheatsheetseries.owasp.org/cheatsheets/Password_Stor...
What do you mean by problematic? The source links to YT and I can’t view a YT link.

I assume “problematic” here means “difficult but possible”. If problems arise then I guess it’s a matter of priorities; but I think that not inconveniencing the user with password length limits should be high priority.

Realistically, what are you going to do to protect against this case? Your developers/artists are going to use Windows machines, they're going to need access to the source code and access to the internet. Add in a 0-day and that's all the the ingredients to allow for exfiltration of data. Ultimately, there is no protection against this.

Of course you can make your employees' lives worse by siloing them off, enforcing all sorts of security policies and so on. It's just not worth it in this case. So the source code of some video games got leaked... big deal. What are hackers going to do with it, make their own version of Battlefield and FIFA? Write snarky comments on how crappy the code is? Maybe they'll develop cheats, but that can also be done without the source code.

Application whitelisting can prevent most vulnerabilities from being exploited.
Application whitelisting can prevent the execution of unapproved executables, that's about it. Oh, you need to run Python scripts? You're using npm? There go your whitelisting efforts...

Whitelisting also won't protect you from exploits in the software itself. If some non-technical user gets compromised and starts sending out malicious PDFs, you better make sure every single installation of Acrobat is up-to-date. If you get hit by a 0-day in Outlook - good luck.

Now perhaps in this case people were just sloppy, but again, if you want to rule out exfiltration of data - as opposed to just making it less likely - you need a completely different approach and it'll cost you.

(comment deleted)
Capcom, CD Projekt Red, and now EA?
Ubisoft and Crytek were also hacked last October
You forgot Nintendo.
This is news to me, what happened to Nintendo?
From what I remember a company that had a copy of Nintendo's source code for many N64/wii items got hacked and people took a copy of the code. That company was making some sort of portable hand held N64 thing. Apparently Nintendo had copied more into that copy of the repo than they intended and so a bunch of stuff leaked. It was mostly early 2000s stuff.
Is it possible that corporations generally are getting so large that comprehensively securing their entire network is more or less untenable?

Maybe instead, individual business units (or even smaller) should be independently responsible for security.

It couldn't happen to a more deserving company.. Well, maybe Ubisoft.
That actually happened in Watch Dogs 2. It was a funny tongue-in-cheek mission.
I worked for Ubisoft, curious why you think we’re worse than EA.
As far as I know, EA did not permit and then cover for a bunch of sex pests in upper management[1]. It's sad that the work of a bunch of talented people is tarnished by these kind of management misdeeds.

[1] https://www.bloomberg.com/news/articles/2020-07-21/ubisoft-s...

I worked for Ubi during that time and honestly, I think if Yves had known any of this Serge would have been let go long ago.

The head of global HR was covering for Serge. She was axed immediately (as was Serge).

It’s important to know though. Serge was _insanely_ core to the functionality of Ubisoft; he was the sole approver of every AAA game. Axing him was like removing the beating heart of the company to shareholders.

Obviously our morality says that this was the right thing to do, but I’ve seen other CEOs who would cover for such an “invaluable asset”.

And Serge was axed before this was public, so it’s not like the hand was forced- there was a “creative directors board of editoriale” which sprung up shortly before because of this.

They publish the same sandbox reskinned 3 times a year, i could effectively do your job with a find and replace tool coupled with Ctrl C + Ctrl V.
I'm really interested to know more about the actual effect this will have on EA. Because other than the problems with potential cheats and bots, there are not much anyone can do. No one will use closed source engine for developing a game without permission. Maybe the only other problem for EA is if there are many exploits that can lead to a serious security implications.
I've heard Titanfall 1 and 2 multiplayer are basically unplayable for many people, as a hacker with knowledge about the game's internals managed to get such comprehensive access to the multiplayer servers that they can literally ban certain players (like streamers) independently of IP address or game account. And so far developers haven't been doing anything even though it's been going on for many months.

So the worst case scenario could be worse than just a few cheaters. Either way EA will endure it without problems because it's barely different than the average bad game launch.

I don't know about this game, but I wonder how this hacker can identify those certain players without targeting their IP or account. The only thing I can think of is if the game collects data about players statistics with Mac addresses included. This way he can ban them if he got internal control which is something developers should be able to handle and I wonder why they didn't quickly. They can rewrite the control module of the servers for example instead of just doing nothing and lose everything.
They aren't. No one can play TF1 because the hacker is applying a denial of service attack on the servers.

Worst part is that the denial doesn't appear to be bandwidth-intensive, just a persistent trickle of bad requests. The hacker may even have forgotten they left the script running, somewhere.

Respawn continues to have DDOS issues with Apex today. Where did you hear it’s a trickle of malformed requests? I don’t understand how DDOSing is still a problem in this day and age…

You start a game, 60 user accounts are in it. You inspect their IPs, give them a token, whatever. If they send too many requests you can drop some, and if it’s inhumanly possible given the games code, you ban them. That’s it?

I could see how a public-facing website could get DDOSed but not a game where people are registered. I must be missing something. Maybe input parsing has to happen faster than IP check?

It's not a standard DDOS relying on brute force. Titanfall is attacked by someone with in-depth knowledge of how the whole distributed backend is organised and they're abusing that to keep the infrastructure from working properly. In TF2 there seems to be a whole list of unofficially "banned" streamers, for example, and if one of them tries to play multiplayer some automated script will immediately disconnect all players in the match.

That causes a lot of speculation, including suspicions it's run by an ex-employee who worked on those systems internally.

(comment deleted)
There probably shouldn't be such exploits, but there probably are.

I remember Quake 3 had a number of exploits that could allow a server owner to essentially run arbitrary code on clients machines.

As a newer game, probably Battlefield 2042 servers are entirely run by EA, so any exploitation will have to go through the server first.

Run arbitrary code as opposed to what code on clients machines? Wouldn’t running any code on a clients machine be a potential security risk? I’m just curious why people always refer to it as “arbitrary code”
As opposed to, say, running a code (already existing in client software) for rendering transparent surfaces (by sending client a level that features such surfaces)

Also I think sometimes there are vulnerabilities where you can technically run some tiny bit of your code on a vulnerable machine, but it would lead to a crash. Hence, people use "arbitrary code execution" to distinguish this particular threat from the less severe ones.

As opposed to code that's already there.

It could be running part of the game code. Deleting saved games, for instance.

Getting control of the client application is different from pushing arbitrary code (any code the attacker want) on the machine and executing it.

An in-between is return-oriented programming, where an attacker gains complete control over the execution flow of a given program. Even if they aren't able to push different code on the machine, they can chain parts of existing code to perform arbitrary computations on the machine: https://en.wikipedia.org/wiki/Return-oriented_programming

A server always runs some sort of code on a client's machine (such as sending it instructions about the game world for it to render into an image). This isn't a problem because it can only do this in an incredibly constrained way.
Thanks for your response. I’m confused how a server runs code on a client’s machine. It sends instructions over HTTP (presumably?), but then the client uses those instructions to decide what to do. I feel like sending the client some JSON is not the same as sending it some PHP code to execute. Maybe I’m misunderstanding something?
'Arbitrary' code in this case is your 'any code on a clients machine'.

A vulnerability that lets someone run arbitrary code means they can run whatever code they want; that's what makes it such a problem.

Phrased differently: Quake 3 servers could publish server mods that would be executed by the clients.

This is the same security risk that anything with plugin/extension/mod functionality experiences.

Generally, the best way to secure that vulnerability is to verify downloads from a moderated source, i.e. run a mod forum/plugin repository that disenfranchises bad actors and verify checksums at download.

A good example is Emacs and melpa.

Wow: "Source code is a version of computer software which is usually much easier to read and understand than the end version in a finished product, and could be used to reverse engineer parts of the product."
> usually much easier to read and understand

They would be doing something seriously wrong if that wasn't always the case haha

Maybe EA writes their games in brainfuck.
Remember the golden days of Perl?
I remember in ye-olde days going back to modify my perl code from 2 days ago and scratching my head...

So yes, never forget...!

This. And 2 days ago it seemed so obvious that there was no reason to leave any bread crumbs.
Codebases with high levels of abstraction and metaprogramming are often easier to understand in IDA/Ghidra, if your goal is to understand how a specific part of the program works.
If a (non-malware) application is easier to understand in IDA than from its source code, something has gone horribly wrong.
Game programming in particular is often full of interesting hacks and difficult to read code, because in game programming performance trumps all else.
Sure, I understand that. But I imagine the IDA views would still be even more difficult to read.
Going horribly wrong is somewhat typical for large software projects.
Oh really? Didn't know that! Wish we had this source code thingy available for the critical programs that we use everyday, so I can look to them and understand how they work.
One day, only the machines will understand.
I'm sorry, what's the objection here? Source code is better for understanding how a program works in a big-picture sense, compared to the binary. This sentence conveys that in a way that a lay audience can understand. What's the problem?
It was just a light hearted take on the wording of the definition, combined with a slight irony that we indeed have some critical stuff open sourced with pretty neat (read xGPL) licenses, which was unimaginable ~20 years ago.

Maybe it's an outdated type of humor, but I didn't see a reason to stop myself. While this is HN, we can use some old Slashdot style now and then IMHO.

isn't that what we call "well documented code following best coding practices" in our world ?
I felt that this was well written. Do you have a better definition of source code that is:

- Accessible to the general public (it's a BBC article)

- One sentence long (you will lose readers if this becomes a cs101 lecture)

- Articulates why a source code leak matters

I don't think it's a bad definition but, it sounds a little bit inaccurate here and there.

Something in the lines of "Source code is the human readable version of the end product before it's packaged for computers, and it's much easier to read and understand. Also, the source code may allow reverse engineering of the product in question" would be more precise and similarly understandable IMHO.

- packaged is a word that doesn't make sense unless you explain it. Do you mean putting the end product in a box?

- I would say even that reverse engineering, as mentioned, is not something the layman understands.

Yeah i also reacted to the reverse engineering part. But mostly that if you have the original source code, can you really call it reverse engineering?

Other than that the article was fine IMO

I also thought that was funny wording, but I guess if you only have partial source code of a program, it can help to reverse engineer the full program (as you'll have some access to symbol names, structures, patterns etc)
> packaged is a word that doesn't make sense unless you explain it. Do you mean putting the end product in a box?

I mean yes. It isn't that long ago that software was sold in boxes. So the packaging analogy is probably within reach of most people.

But maybe "released" or similar would be more widely understood.

I like the GPL definition.

> The “source code” for a work means the preferred form of the work for making modifications to it.

But the BBC article definition, while less precise, is more relevant to the subject.

I've always described source code to non-technical people as the recipe and ingredients, compiling as the baking, and the software as the bread loaf. Seems to land for most people
Ooh I like this one, thanks!
What do you achieve with this explanation? This metaphor literally has zero predictive value.

For example, it may be quite hard to reverse-engineer a loaf of bread, but reading assembly is actually quite easy to understand what the program actually does.

it's an analogy, you're not supposed to overthink it
When you know the recipe for a bread you can make another one and maybe add or remove some ingredient. If you only have the loaf then indeed you can't reverse engineer the recipe unless you are a very experienced baker. Same with code.
Reading assembly is not really easy, especially in the context of video games using proprietary GPU I/O, it might as well be obfuscated because there is no way you're figuring out how Frostbite handles bullet drop from a page of x86 instructions. Maybe if you're willing to spend years reverse engineering game engines, you can start to form patterns in your head, but even then we're talking about niche specialties inside niche specialties. In no way is it accessible to an average software developer, unlike source code which most developers can read and understand after a few dozen hours.
Reading Assembly may not be difficult, but reverse engineering and figuring out what it is doing is. Same as with bread. Pulling a loaf of bread apart and seeing the individual grains and how the connect isn't difficult, figuring out the process for making it is.

If you're trying to explain to a non-technical person what source code is, the bread example from OP is actually a great analogy. It's simple, to the point, and almost everyone will know how bread is made. Is it oversimplified? Sure. But that's the entire point of trying to give a real brief overview to someone with no technical experience.

The only difference is that we have the equivalent of molecular nanoassemblers for code, but not for bread.
Which is true and fair. But as a method of describing a very technical thing to non-technical people, it seems like a useful tool. We're not trying to give them a CS degree here, just give them enough information to continue reading the article without being totally confused.
Source code is also the mixing & prep. Compiling is just the heat of the oven in the metaphor.
The mixing & prep already begin to change the substance of the ingredients, just like 'compiling' is in fact usually multiple steps which all change the substance (for example, preprocessor=cutting, compiler=mixing, assembler=baking, linker=cooling)
That's a fine way to put it, but it's not as relevant in the context of the BBC article, particularly focusing on why the leak matters.
> I've always described source code to non-technical people as the recipe and ingredients

Not bad. What would you say about saying - " a source code is a set of instructions for a computer to execute". That way, we can still keep the conversation (some what) technical.

I agree that is well written.

You can open the binary file in a text editor and it will be much harder to actually read it. Next best solution is to use a HEX editor but having the source code will make it much easier to understand.

Now a days a lot of games you can’t even do that. They run the games in a vm so crackers and hackers can’t mod it.
I think the phrase "source code" is basically self- explanatory.
To this audience yes. My wife a 38 year old college grad in law school has no clue what source code is and she’s married to a computer programmer.
"Source code is like the Lego instruction booklet. If the computer follows the instructions, it gets a nice rocket ship to play with."

(This is what I used for my child.)

I would say that "source code is the blueprint of a computer program". If you look at the wikipedia entry:

> A blueprint is a reproduction of a technical drawing or engineering drawing [...] allowed rapid and accurate production of an unlimited number of copies.

and even if no-one reads the definition, the term is in common use. Spies stealing blueprints of weapons in movies / real-life being an immediate example.

Yeah, I think that “blueprint” or “plans” works pretty well, especially if you think about it like the plans for a weapon (say, an advanced airplane) that one country wants to keep a secret so that other countries can’t figure out how to build the same weapon. The other countries will be able to see the airplane, they may even get their hands on one of them, but you definitely don’t want them to get their hands on the plans.
(comment deleted)
I'm not sure I like the definition given. It makes it sound like it is an alternative version of the program that is often easier to read.

I think the key element of source code is that this is what is written and read by programmers -- it is akin to the secret recipe for Coke.

So where is the source code of this Perl script ?
Yeah, EA source code is probably much easier to understand than their end products.
I've always described source code to non-technical people as the recipe and ingredients, compiling as the baking, and the software as the bread loaf. Seems to land for most people.
I downvote comments like this, not because I disagree with them, but because they digress the conversation from what I think is more important - the hack itself.

Hope that's ok.

It's a cultural quirk of HN to go into linguistic hair-splitting mode when it comes cybersecurity incidents as described by a media outlet whose audience is the general public.

All I can say is thank you to danG for implementing expand/collapse on comment threads so you can quickly move on to comments discussing the topic itself.

I know, right. They tried their best.
All the BBC articles are meant for everyone to understand, they are not aimed at engineers, or CS grads (or even graduates of any kind, for that matter).

Did you really need to read what source code was again from the BBC? If you know already, great - but if you don't, why do you need to know what a compiler is?

It's similar to their general coverage of the covid vaccine - does everyone that reads an article about the vaccine really need to know the scientific debate, context, cohort data, vaccine action detail? Or just that the vaccine works & is safe?

I feel the "usually" might be ironic humor.
I must be missing something but I don’t see any mention that the Battlefield 2042 source code got leaked, nor in this article nor from any other credible sources. There is a difference between the game engine and the game itself.
The title is incorrect in many ways. The source code is stolen, not leaked. Source codes of Frostbite + FIFA were stoles, not other titles.
FIFA? That could be 10 year old source code, who can tell the difference?
You look for references to new players. Can't find any? It's an older FIFA then.
Would you expect those assets to be included in source code, though? Roosters are generally fully customizable and EA games vary little year to year, I wouldn't expect players to ever show up in source.
That depends on how data driven player appearance, animations and behaviors are. I would start with the AI code and see if there are any player specific exceptions (that is, hacks) in there to match a certain play style.
> Roosters

I know that joking is not appreciated on HN, but the mental image here is absolutely fantastic. I'm giving my rooster a gigantic beak and three legs.

Rooster Ultimate Team, or RUT.

An apt description of the franchise since FIFA 2013.

Unless... wouldn't it be funny if new FIFA releases were auto-generated from a config file? The developer would only need to update the roster and provide paths to new art assets. Boom, new retail game.

It almost seems possible...

At least now we can get Fifa 22-25 as soon as next month.
Easy. Just get a copy of Fifa 2021 and a sharpie.
eh, you need a few Sqlite scripts too.
Maybe inject some buggy DLLs too. Make sure some characters have that bug where only their mouth and eyeballs are showing, not their whole head, and so on.
A long time ago somewhere I read that the entire game's AI system ran through a function called kick_ball() or something like that
A really good time to get access to the loot box code and verify what exactly are the drop rates for items.
It probably comes from config/database, not hard-coded, so might not get it after all.
(comment deleted)
With the code it should be easier to fake a client, download and decode that configuration. Hopefully some further experiments can be done with access to the real source.
The configuration will be server-side only. It would be madness to generate the lootbox result client-side.
I think it's Korea or China that requires the rates to be published, so they might be available somewhere already.
I guess we can’t be sure whether the rates are the same across regions.
Or you could confirm that the published rates match what is in the source, assuming that it is not loaded in from the server at runtime. Loading them from the server, in my opinion, is very likely.
One imagines that the source code just makes those variables, and they're configured server side as required.
Thankfully, no ransom. That fire doesn't need more fuel.
How is stealing something better than stealing something + optionally offering to return it for money?
Because ransoms are more profitable and therefore more likely and therefore more profitable...
Personally, for me, because the decision makers around me are spending an inordinate amount of time worrying and talking about ransoms. It's the overworn topic-du-jour, and I'm happy for something else to shift the news cycle.
Because we are talking about copying, not stealing. Critically, the thing was not taken away, and the victim is still in possession of it.
Are these games any different than in name and textures?

Looks to me like it's all the same since Battlefield 3 and they only change the look.

But possibly I'm too ignorant and expect too much of major game releases.

Is it known what kind of source code hosting solution EA is using that got hacked, and how it got hacked?
Although I don't condone hacks like this of course, I think it would be amazing for someone to interpret the engineering and mechanics behind a title like FIFA for the rest of us; I'd look through the code myself though I'd imagine it would take a long time to make sense of it.

Same for Frostbite.

I'm just curious about the tech behind AAA games and it would be fascinating to explore the innards.

Plus, this would be a goldmine for finding game exploits, and creating PC mods for all the Frostbite-powered games.
You can pretty much do that with Unreal Engine which allows you access without relying on stolen goods...
Hopefully this means we'll finally get dedicated servers from the community for these games.

I'd love to contribute to something like this.

Moddable dedicated servers are the best. There's still active communities on e.g almost 20 years old CS:S and probably older games.

Of course not best for financials

There is literally no mention of 2042 in the article.

Where does it say battlefield 2042 was leaked?

All I see is Fifa and Frostbite (a game engine)