Imagine a world where there is no, say, AWS. So many basic security things that we take for granted are automatically set up for you in the cloud, as most shops out there could not care for it to save their own lives.
Companies that torch through millions of dollars of VC money need a nice ransomeware kick in the ass to set up a MongoDB password, and will proactively ignore S3 warnings to not make something public, so what do you expect?
I think this my first time I see a leaked source code for a closed source product before its lunch. Viva battlefield 2042. Cheats will be available in a time record.
The Half-Life 2 leak happened way before launch (13 months) and there were a lot of changes when it actually released. 2042 is much closer (4 months) if the release date keeps.
The HL2 leak was super cool and practically a behind the scenes copy. Untextured walls, unfinished levels, all sorts of fascinating test areas. Great reference.
In the old days, EA used to mean genuinely good games with great level design. It’s not even close to the same company now, but I understand some people being sad because they still think about EA as old EA.
Not sure if it is a good thing, besides plain studying, though.
Imagine some developer in perfect good faith who finds some interesting graphics code online with no references to EA and a fake Open Source license attached to it, and that code happens to be part of EA's code, then imagine this developer incorporating them into an Open Source game, maybe just 150 lines of code out of several tens of thousands. EA's lawyers would hardly ignore him, and the poor guy would see his own career and possibly his entire life ruined.
Not to mention the possibility of becoming a case against Open Source.
I don't think is necessarily the case. You can take security seriously, but there are limits, and you have to balance the effort with the willingness of someone breaching your safeguards.
I would use a bicycle as an example. You can buy whatever lock you want, it can be broken by someone. The better the lock, the less people can get through it or are less inclined to do so anyway. You can pay a security guard to look after your bike, but at some point, if your bicycle is really valuable, one guard can be bribed (or killed), and so on, and so on.
In summary, just because they were "hacked" does not mean they are not taking security seriously.
> In summary, just because they were "hacked" does not mean they are not taking security seriously.
To some extent though it does mean they were not taking security seriously _enough_. In your example, they misjudged whether they needed a guard or not.
[EDIT] Actually, I realized it's not about taking it seriously, but executing it efficiently.
Even so, they could have defended perfectly against a threat model, which might have been completely reasonable. But it might have been pure bad luck. Although I don't know any of the details.
Back then, when they enforced a maximum 16 character password, I saw enough security. Are they storing them in plaintext or what? Btw, I think they increased the limit to 32 now
Well, 72 bytes is still far away from 16 characters. Also, nearly every website is able to allow passwords longer than 16 chars, so it is definitely possible somehow!? This limit is ridiculous
Because then people find out that it ignores a bunch of your password and people's "password12DHpS*yoCTV44cAmg$gJj" is matched by "password123". Or "correct horse battery staple i have the most brilliant password ever" is matched by "correct horse battery staple".
Good point, that was too simplistic. Then again, I guess longer passwords could be preprocessed with another hashing function, one that returns a string of X bytes?
My point is that throwing a "password too long" error, especially for 32 characters or less, feels like a wrong approach to me; no matter the circumstances or the amount of backward compatibility that has to be kept.
What do you mean by problematic? The source links to YT and I can’t view a YT link.
I assume “problematic” here means “difficult but possible”. If problems arise then I guess it’s a matter of priorities; but I think that not inconveniencing the user with password length limits should be high priority.
Realistically, what are you going to do to protect against this case? Your developers/artists are going to use Windows machines, they're going to need access to the source code and access to the internet. Add in a 0-day and that's all the the ingredients to allow for exfiltration of data. Ultimately, there is no protection against this.
Of course you can make your employees' lives worse by siloing them off, enforcing all sorts of security policies and so on. It's just not worth it in this case. So the source code of some video games got leaked... big deal. What are hackers going to do with it, make their own version of Battlefield and FIFA? Write snarky comments on how crappy the code is? Maybe they'll develop cheats, but that can also be done without the source code.
Application whitelisting can prevent the execution of unapproved executables, that's about it. Oh, you need to run Python scripts? You're using npm? There go your whitelisting efforts...
Whitelisting also won't protect you from exploits in the software itself. If some non-technical user gets compromised and starts sending out malicious PDFs, you better make sure every single installation of Acrobat is up-to-date. If you get hit by a 0-day in Outlook - good luck.
Now perhaps in this case people were just sloppy, but again, if you want to rule out exfiltration of data - as opposed to just making it less likely - you need a completely different approach and it'll cost you.
From what I remember a company that had a copy of Nintendo's source code for many N64/wii items got hacked and people took a copy of the code. That company was making some sort of portable hand held N64 thing. Apparently Nintendo had copied more into that copy of the repo than they intended and so a bunch of stuff leaked. It was mostly early 2000s stuff.
As far as I know, EA did not permit and then cover for a bunch of sex pests in upper management[1]. It's sad that the work of a bunch of talented people is tarnished by these kind of management misdeeds.
I worked for Ubi during that time and honestly, I think if Yves had known any of this Serge would have been let go long ago.
The head of global HR was covering for Serge. She was axed immediately (as was Serge).
It’s important to know though. Serge was _insanely_ core to the functionality of Ubisoft; he was the sole approver of every AAA game. Axing him was like removing the beating heart of the company to shareholders.
Obviously our morality says that this was the right thing to do, but I’ve seen other CEOs who would cover for such an “invaluable asset”.
And Serge was axed before this was public, so it’s not like the hand was forced- there was a “creative directors board of editoriale” which sprung up shortly before because of this.
I'm really interested to know more about the actual effect this will have on EA. Because other than the problems with potential cheats and bots, there are not much anyone can do. No one will use closed source engine for developing a game without permission. Maybe the only other problem for EA is if there are many exploits that can lead to a serious security implications.
I've heard Titanfall 1 and 2 multiplayer are basically unplayable for many people, as a hacker with knowledge about the game's internals managed to get such comprehensive access to the multiplayer servers that they can literally ban certain players (like streamers) independently of IP address or game account. And so far developers haven't been doing anything even though it's been going on for many months.
So the worst case scenario could be worse than just a few cheaters. Either way EA will endure it without problems because it's barely different than the average bad game launch.
I don't know about this game, but I wonder how this hacker can identify those certain players without targeting their IP or account. The only thing I can think of is if the game collects data about players statistics with Mac addresses included. This way he can ban them if he got internal control which is something developers should be able to handle and I wonder why they didn't quickly. They can rewrite the control module of the servers for example instead of just doing nothing and lose everything.
They aren't. No one can play TF1 because the hacker is applying a denial of service attack on the servers.
Worst part is that the denial doesn't appear to be bandwidth-intensive, just a persistent trickle of bad requests. The hacker may even have forgotten they left the script running, somewhere.
Respawn continues to have DDOS issues with Apex today. Where did you hear it’s a trickle of malformed requests? I don’t understand how DDOSing is still a problem in this day and age…
You start a game, 60 user accounts are in it. You inspect their IPs, give them a token, whatever. If they send too many requests you can drop some, and if it’s inhumanly possible given the games code, you ban them. That’s it?
I could see how a public-facing website could get DDOSed but not a game where people are registered. I must be missing something. Maybe input parsing has to happen faster than IP check?
It's not a standard DDOS relying on brute force. Titanfall is attacked by someone with in-depth knowledge of how the whole distributed backend is organised and they're abusing that to keep the infrastructure from working properly. In TF2 there seems to be a whole list of unofficially "banned" streamers, for example, and if one of them tries to play multiplayer some automated script will immediately disconnect all players in the match.
That causes a lot of speculation, including suspicions it's run by an ex-employee who worked on those systems internally.
Run arbitrary code as opposed to what code on clients machines? Wouldn’t running any code on a clients machine be a potential security risk? I’m just curious why people always refer to it as “arbitrary code”
As opposed to, say, running a code (already existing in client software) for rendering transparent surfaces (by sending client a level that features such surfaces)
Also I think sometimes there are vulnerabilities where you can technically run some tiny bit of your code on a vulnerable machine, but it would lead to a crash. Hence, people use "arbitrary code execution" to distinguish this particular threat from the less severe ones.
It could be running part of the game code. Deleting saved games, for instance.
Getting control of the client application is different from pushing arbitrary code (any code the attacker want) on the machine and executing it.
An in-between is return-oriented programming, where an attacker gains complete control over the execution flow of a given program. Even if they aren't able to push different code on the machine, they can chain parts of existing code to perform arbitrary computations on the machine: https://en.wikipedia.org/wiki/Return-oriented_programming
A server always runs some sort of code on a client's machine (such as sending it instructions about the game world for it to render into an image). This isn't a problem because it can only do this in an incredibly constrained way.
Thanks for your response. I’m confused how a server runs code on a client’s machine. It sends instructions over HTTP (presumably?), but then the client uses those instructions to decide what to do. I feel like sending the client some JSON is not the same as sending it some PHP code to execute. Maybe I’m misunderstanding something?
Phrased differently: Quake 3 servers could publish server mods that would be executed by the clients.
This is the same security risk that anything with plugin/extension/mod functionality experiences.
Generally, the best way to secure that vulnerability is to verify downloads from a moderated source, i.e. run a mod forum/plugin repository that disenfranchises bad actors and verify checksums at download.
Wow: "Source code is a version of computer software which is usually much easier to read and understand than the end version in a finished product, and could be used to reverse engineer parts of the product."
Codebases with high levels of abstraction and metaprogramming are often easier to understand in IDA/Ghidra, if your goal is to understand how a specific part of the program works.
Oh really? Didn't know that! Wish we had this source code thingy available for the critical programs that we use everyday, so I can look to them and understand how they work.
I'm sorry, what's the objection here? Source code is better for understanding how a program works in a big-picture sense, compared to the binary. This sentence conveys that in a way that a lay audience can understand. What's the problem?
It was just a light hearted take on the wording of the definition, combined with a slight irony that we indeed have some critical stuff open sourced with pretty neat (read xGPL) licenses, which was unimaginable ~20 years ago.
Maybe it's an outdated type of humor, but I didn't see a reason to stop myself. While this is HN, we can use some old Slashdot style now and then IMHO.
I don't think it's a bad definition but, it sounds a little bit inaccurate here and there.
Something in the lines of "Source code is the human readable version of the end product before it's packaged for computers, and it's much easier to read and understand. Also, the source code may allow reverse engineering of the product in question" would be more precise and similarly understandable IMHO.
I also thought that was funny wording, but I guess if you only have partial source code of a program, it can help to reverse engineer the full program (as you'll have some access to symbol names, structures, patterns etc)
I've always described source code to non-technical people as the recipe and ingredients, compiling as the baking, and the software as the bread loaf. Seems to land for most people
What do you achieve with this explanation? This metaphor literally has zero predictive value.
For example, it may be quite hard to reverse-engineer a loaf of bread, but reading assembly is actually quite easy to understand what the program actually does.
When you know the recipe for a bread you can make another one and maybe add or remove some ingredient. If you only have the loaf then indeed you can't reverse engineer the recipe unless you are a very experienced baker. Same with code.
Reading assembly is not really easy, especially in the context of video games using proprietary GPU I/O, it might as well be obfuscated because there is no way you're figuring out how Frostbite handles bullet drop from a page of x86 instructions. Maybe if you're willing to spend years reverse engineering game engines, you can start to form patterns in your head, but even then we're talking about niche specialties inside niche specialties. In no way is it accessible to an average software developer, unlike source code which most developers can read and understand after a few dozen hours.
Reading Assembly may not be difficult, but reverse engineering and figuring out what it is doing is. Same as with bread. Pulling a loaf of bread apart and seeing the individual grains and how the connect isn't difficult, figuring out the process for making it is.
If you're trying to explain to a non-technical person what source code is, the bread example from OP is actually a great analogy. It's simple, to the point, and almost everyone will know how bread is made. Is it oversimplified? Sure. But that's the entire point of trying to give a real brief overview to someone with no technical experience.
Which is true and fair. But as a method of describing a very technical thing to non-technical people, it seems like a useful tool. We're not trying to give them a CS degree here, just give them enough information to continue reading the article without being totally confused.
The mixing & prep already begin to change the substance of the ingredients, just like 'compiling' is in fact usually multiple steps which all change the substance (for example, preprocessor=cutting, compiler=mixing, assembler=baking, linker=cooling)
> I've always described source code to non-technical people as the recipe and ingredients
Not bad. What would you say about saying - " a source code is a set of instructions for a computer to execute". That way, we can still keep the conversation (some what) technical.
You can open the binary file in a text editor and it will be much harder to actually read it. Next best solution is to use a HEX editor but having the source code will make it much easier to understand.
I would say that "source code is the blueprint of a computer program". If you look at the wikipedia entry:
> A blueprint is a reproduction of a technical drawing or engineering drawing [...] allowed rapid and accurate production of an unlimited number of copies.
and even if no-one reads the definition, the term is in common use. Spies stealing blueprints of weapons in movies / real-life being an immediate example.
Yeah, I think that “blueprint” or “plans” works pretty well, especially if you think about it like the plans for a weapon (say, an advanced airplane) that one country wants to keep a secret so that other countries can’t figure out how to build the same weapon. The other countries will be able to see the airplane, they may even get their hands on one of them, but you definitely don’t want them to get their hands on the plans.
I've always described source code to non-technical people as the recipe and ingredients, compiling as the baking, and the software as the bread loaf. Seems to land for most people.
I downvote comments like this, not because I disagree with them, but because they digress the conversation from what I think is more important - the hack itself.
It's a cultural quirk of HN to go into linguistic hair-splitting mode when it comes cybersecurity incidents as described by a media outlet whose audience is the general public.
All I can say is thank you to danG for implementing expand/collapse on comment threads so you can quickly move on to comments discussing the topic itself.
All the BBC articles are meant for everyone to understand, they are not aimed at engineers, or CS grads (or even graduates of any kind, for that matter).
Did you really need to read what source code was again from the BBC? If you know already, great - but if you don't, why do you need to know what a compiler is?
It's similar to their general coverage of the covid vaccine - does everyone that reads an article about the vaccine really need to know the scientific debate, context, cohort data, vaccine action detail? Or just that the vaccine works & is safe?
I must be missing something but I don’t see any mention that the Battlefield 2042 source code got leaked, nor in this article nor from any other credible sources. There is a difference between the game engine and the game itself.
Would you expect those assets to be included in source code, though? Roosters are generally fully customizable and EA games vary little year to year, I wouldn't expect players to ever show up in source.
That depends on how data driven player appearance, animations and behaviors are. I would start with the AI code and see if there are any player specific exceptions (that is, hacks) in there to match a certain play style.
Unless... wouldn't it be funny if new FIFA releases were auto-generated from a config file? The developer would only need to update the roster and provide paths to new art assets. Boom, new retail game.
Maybe inject some buggy DLLs too. Make sure some characters have that bug where only their mouth and eyeballs are showing, not their whole head, and so on.
With the code it should be easier to fake a client, download and decode that configuration. Hopefully some further experiments can be done with access to the real source.
Or you could confirm that the published rates match what is in the source, assuming that it is not loaded in from the server at runtime. Loading them from the server, in my opinion, is very likely.
Personally, for me, because the decision makers around me are spending an inordinate amount of time worrying and talking about ransoms. It's the overworn topic-du-jour, and I'm happy for something else to shift the news cycle.
Although I don't condone hacks like this of course, I think it would be amazing for someone to interpret the engineering and mechanics behind a title like FIFA for the rest of us; I'd look through the code myself though I'd imagine it would take a long time to make sense of it.
Same for Frostbite.
I'm just curious about the tech behind AAA games and it would be fascinating to explore the innards.
157 comments
[ 2.0 ms ] story [ 222 ms ] threadIt appears that the only companies capable of being secure are Google and Apple. Aside them everyone is getting hacked every other day.
Companies that torch through millions of dollars of VC money need a nice ransomeware kick in the ass to set up a MongoDB password, and will proactively ignore S3 warnings to not make something public, so what do you expect?
I don't think is necessarily the case. You can take security seriously, but there are limits, and you have to balance the effort with the willingness of someone breaching your safeguards.
I would use a bicycle as an example. You can buy whatever lock you want, it can be broken by someone. The better the lock, the less people can get through it or are less inclined to do so anyway. You can pay a security guard to look after your bike, but at some point, if your bicycle is really valuable, one guard can be bribed (or killed), and so on, and so on.
In summary, just because they were "hacked" does not mean they are not taking security seriously.
To some extent though it does mean they were not taking security seriously _enough_. In your example, they misjudged whether they needed a guard or not.
[EDIT] Actually, I realized it's not about taking it seriously, but executing it efficiently.
Back then, when they enforced a maximum 16 character password, I saw enough security. Are they storing them in plaintext or what? Btw, I think they increased the limit to 32 now
2. Only in the UTF-32 encoding, which no one uses, are all characters represented by 4 bytes.
Most sites today use UTF-8 where most characters on a standard keyboard are 1 byte, and almost all characters from any language take 3 bytes.
3. Even 19 characters is a lot better than 12.
If that kind of hashing algorithm is a must, why not use first X bytes of the password input?
https://en.wikipedia.org/wiki/LM_hash
Save-ya-a-click: basically what jfrunyon describes, along with a whole lot of other insecurity goodness (and to be fair, LANMan was a long time ago).
My point is that throwing a "password too long" error, especially for 32 characters or less, feels like a wrong approach to me; no matter the circumstances or the amount of backward compatibility that has to be kept.
I assume “problematic” here means “difficult but possible”. If problems arise then I guess it’s a matter of priorities; but I think that not inconveniencing the user with password length limits should be high priority.
Of course you can make your employees' lives worse by siloing them off, enforcing all sorts of security policies and so on. It's just not worth it in this case. So the source code of some video games got leaked... big deal. What are hackers going to do with it, make their own version of Battlefield and FIFA? Write snarky comments on how crappy the code is? Maybe they'll develop cheats, but that can also be done without the source code.
Whitelisting also won't protect you from exploits in the software itself. If some non-technical user gets compromised and starts sending out malicious PDFs, you better make sure every single installation of Acrobat is up-to-date. If you get hit by a 0-day in Outlook - good luck.
Now perhaps in this case people were just sloppy, but again, if you want to rule out exfiltration of data - as opposed to just making it less likely - you need a completely different approach and it'll cost you.
https://en.wikipedia.org/wiki/2020_Nintendo_data_leak
Maybe instead, individual business units (or even smaller) should be independently responsible for security.
[1] https://www.bloomberg.com/news/articles/2020-07-21/ubisoft-s...
The head of global HR was covering for Serge. She was axed immediately (as was Serge).
It’s important to know though. Serge was _insanely_ core to the functionality of Ubisoft; he was the sole approver of every AAA game. Axing him was like removing the beating heart of the company to shareholders.
Obviously our morality says that this was the right thing to do, but I’ve seen other CEOs who would cover for such an “invaluable asset”.
And Serge was axed before this was public, so it’s not like the hand was forced- there was a “creative directors board of editoriale” which sprung up shortly before because of this.
So the worst case scenario could be worse than just a few cheaters. Either way EA will endure it without problems because it's barely different than the average bad game launch.
Worst part is that the denial doesn't appear to be bandwidth-intensive, just a persistent trickle of bad requests. The hacker may even have forgotten they left the script running, somewhere.
You start a game, 60 user accounts are in it. You inspect their IPs, give them a token, whatever. If they send too many requests you can drop some, and if it’s inhumanly possible given the games code, you ban them. That’s it?
I could see how a public-facing website could get DDOSed but not a game where people are registered. I must be missing something. Maybe input parsing has to happen faster than IP check?
That causes a lot of speculation, including suspicions it's run by an ex-employee who worked on those systems internally.
I remember Quake 3 had a number of exploits that could allow a server owner to essentially run arbitrary code on clients machines.
As a newer game, probably Battlefield 2042 servers are entirely run by EA, so any exploitation will have to go through the server first.
Also I think sometimes there are vulnerabilities where you can technically run some tiny bit of your code on a vulnerable machine, but it would lead to a crash. Hence, people use "arbitrary code execution" to distinguish this particular threat from the less severe ones.
It could be running part of the game code. Deleting saved games, for instance.
Getting control of the client application is different from pushing arbitrary code (any code the attacker want) on the machine and executing it.
An in-between is return-oriented programming, where an attacker gains complete control over the execution flow of a given program. Even if they aren't able to push different code on the machine, they can chain parts of existing code to perform arbitrary computations on the machine: https://en.wikipedia.org/wiki/Return-oriented_programming
A vulnerability that lets someone run arbitrary code means they can run whatever code they want; that's what makes it such a problem.
This is the same security risk that anything with plugin/extension/mod functionality experiences.
Generally, the best way to secure that vulnerability is to verify downloads from a moderated source, i.e. run a mod forum/plugin repository that disenfranchises bad actors and verify checksums at download.
A good example is Emacs and melpa.
They would be doing something seriously wrong if that wasn't always the case haha
So yes, never forget...!
Maybe it's an outdated type of humor, but I didn't see a reason to stop myself. While this is HN, we can use some old Slashdot style now and then IMHO.
- Accessible to the general public (it's a BBC article)
- One sentence long (you will lose readers if this becomes a cs101 lecture)
- Articulates why a source code leak matters
Something in the lines of "Source code is the human readable version of the end product before it's packaged for computers, and it's much easier to read and understand. Also, the source code may allow reverse engineering of the product in question" would be more precise and similarly understandable IMHO.
- I would say even that reverse engineering, as mentioned, is not something the layman understands.
Other than that the article was fine IMO
I mean yes. It isn't that long ago that software was sold in boxes. So the packaging analogy is probably within reach of most people.
But maybe "released" or similar would be more widely understood.
https://news.ycombinator.com/item?id=27471488
> The “source code” for a work means the preferred form of the work for making modifications to it.
But the BBC article definition, while less precise, is more relevant to the subject.
For example, it may be quite hard to reverse-engineer a loaf of bread, but reading assembly is actually quite easy to understand what the program actually does.
If you're trying to explain to a non-technical person what source code is, the bread example from OP is actually a great analogy. It's simple, to the point, and almost everyone will know how bread is made. Is it oversimplified? Sure. But that's the entire point of trying to give a real brief overview to someone with no technical experience.
Not bad. What would you say about saying - " a source code is a set of instructions for a computer to execute". That way, we can still keep the conversation (some what) technical.
You can open the binary file in a text editor and it will be much harder to actually read it. Next best solution is to use a HEX editor but having the source code will make it much easier to understand.
(This is what I used for my child.)
> A blueprint is a reproduction of a technical drawing or engineering drawing [...] allowed rapid and accurate production of an unlimited number of copies.
and even if no-one reads the definition, the term is in common use. Spies stealing blueprints of weapons in movies / real-life being an immediate example.
I think the key element of source code is that this is what is written and read by programmers -- it is akin to the secret recipe for Coke.
Hope that's ok.
All I can say is thank you to danG for implementing expand/collapse on comment threads so you can quickly move on to comments discussing the topic itself.
Did you really need to read what source code was again from the BBC? If you know already, great - but if you don't, why do you need to know what a compiler is?
It's similar to their general coverage of the covid vaccine - does everyone that reads an article about the vaccine really need to know the scientific debate, context, cohort data, vaccine action detail? Or just that the vaccine works & is safe?
I know that joking is not appreciated on HN, but the mental image here is absolutely fantastic. I'm giving my rooster a gigantic beak and three legs.
An apt description of the franchise since FIFA 2013.
It almost seems possible...
Edit: [0] is also a much better source than BBC in this case.
[0] https://www.vice.com/en/article/wx5xpx/hackers-steal-data-el...
https://www.eurogamer.net/articles/2021-05-11-unbannable-ape...
Looks to me like it's all the same since Battlefield 3 and they only change the look.
But possibly I'm too ignorant and expect too much of major game releases.
Same for Frostbite.
I'm just curious about the tech behind AAA games and it would be fascinating to explore the innards.
I'd love to contribute to something like this.
Of course not best for financials
Where does it say battlefield 2042 was leaked?
All I see is Fifa and Frostbite (a game engine)