SimCity Always-Online DRM Lets Hackers Play Godzilla With Anyone's Cities
from the go-go-godzilla dept
It seems that everyone is giving EA and Maxis quite a bit of grief over the SimCity debacle. The game's launch was, um, not great. The backlash against the game's producers was worse, all the more so once the lying began. But late last week, new evidence was uncovered that suggests perhaps we've all been a little bit unfair to EA and Maxis. What if I told you that the always-online game architecture enabled you to be what all of us have secretly wanted to be since we were very, very little children?
Well, hello, childhood fantasy o' mine. I didn't see you standing there.
Image source: CC BY 2.0
Yes, as Kionae alerts us, one (unplanned?) consequence of requiring online saves for your SimCity games is that anyone with a bit of hacking skill can visit your city, put some Blue Oyster Cult on in the background, and wreak the kind of havoc normally reserved for Japanese nuclear monsters. See, you can, were you so inclined, enter the save game city of another person, and then completely edit or destroy their loving creation like some kind of digital psuedo-god.
Pictured: Omnipotence
Just so we're clear, this is only possible because of the EA always-online requirement.
It's still awesome because this hack is only as destructive as it is because of EA's decision to make the game always-on. If the game hadn't had always-on DRM then this hack wouldn't be half as devastating as it is. Having EA delete these kind of topics from their forums is great damage control but don't be surprised if there's another furor when people start raging on the forums when some hacker decides to go through and Godzilla everyone's town. Enjoy.Enjoy indeed, as long as that enjoyment happens outside of EA's forums. As noted above, the company is enforcing their TOS rules on their forums and deleting all topics relating to these kinds of hacks. Why? Well, because when a dingo is chewing on your arm, the best defense is to place your noggin lovingly into some sand to make it all just disappear. Or, if that doesn't work, you could always just apologize for what is becoming the greatest video game debacle this side of a Duke Nukem game, but I'm not holding my breath.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: broken, destroy cities, godzilla, hacking, simcity
Companies: ea, maxis
Reader Comments
Subscribe: RSS
View by: Time | Thread
figures
[ link to this | view in chronology ]
Interviewer: Question #1, have you at any time in your life, played a video game?
Exec: Well no, i can't say that i have.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re: Re:
The rate this is going i would not be surprised to hear that hackers have managed to setup a full server to service simcity and are making money from all the lovely loot they are selling to people that don't realise , or even do realize, that they are not logged onto official EA servers.
[ link to this | view in chronology ]
Re: Re: Re:
In case of the latter : Destroying other people’s cities on the servers for them to log back into and try to fix the mess, would be the first non-trivial feature of the new SimCity that would make use of on-line play. Yes this is a hypothetical thing right now, downloading other people’s cities as described in the article is an unintended consequence of how EA set up the game (ie bad security design) and does not actually affect other players right now, but that mistake inspires people to imagine the greatest possible feature they could have included in the SimCity reboot.
[ link to this | view in chronology ]
Re: Re: Re:
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re: Re:
Spoken like a true Eve Online player...
If you ever need to find someone truly afraid of shadows, all you need to do is find someone who's played the game within a player corporation (not run by themselves.) I played for a year and a half within an NPC/PC owned by myself, and 1 year in a player run corporation, and during that time in the player run corporation, I had the most fun and yet the least fun playing the game. Spies are everywhere! Even my best friends in the game were kept at an arms distance. I can't believe how paranoid I got in that game...gave it up because the drama was getting to me.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re:
[ link to this | view in chronology ]
Re: Re:
Figure that out and you can solve all kinds of problems, from vandalism to Minecraft raids.
I don't get it either.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re: Re: Re:
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
Here's quotes from the linked article:
and
And more. The linked articles, anyway, back up what this posting says.
[ link to this | view in chronology ]
Re: Re:
The first quote you cite appears to be the simply be the author's analysis (which appears to be incorrect).
The second quote you cite is referring to a different situation where client-side files can affect server-side changes. However, these were players affecting things within their own city (such as city-size limits, etc). I imagine these things were always client enforced, and changing the client's rules had no effect on the server.
The linked article also notes:
"...however the modder notes that he turned off synching". This implies to me that an attack that caused the local-changes to be synched has not yet been performed. The quote from the modder further supports this:
"I am worried about people that go deeper into the code and start spoofing the owner ID’s of cities and start doing this maliciously though. Hopefully there are server side safeties on this…"
(from http://www.kotaku.com.au/2013/03/hacker-finds-a-way-to-destroy-other-simcities-hasnt-used-his-power- for-evil/)
It sounds like there has not yet been an attack where someone changes another person's city and successfully syncs it. The modder has noted that more work would remain before such an attack would be successful (spoofing the owner's ID). I'm not arguing that such an attack is impossible, but until it occurs this is a total non-event.
[ link to this | view in chronology ]
Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re: Re:
I will note that I haven't disputed their word or their video evidence, though. In fact, I quoted the modder himself to note that server-syncing of these toys hasn't been performed.
The video evidence (which I don't dispute) clearly shows the modder destroy a local copy of his friends' cities. What I dispute is the notion that this permanently destroys the friends' cities. In fact, the youtube video that this sources from says quite clearly:
"IMPORTANT NOTE: I have NOT enabled syncing of data for this. All cities you see in this video remain UNHARMED - nothing got synced to server."
http://www.youtube.com/watch?feature=player_embedded&v=ROy6VE5ZsZw
[ link to this | view in chronology ]
Re: Re: Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re: Re: Re:
Do you seriously think EA and Maxis, after all this, has done the necessary server-side legwork to prevent players from uploading malicious save files to their server?
The exploit that caused this, if you read into it, was just accepting that the client was exactly who it claimed to be. That is kindergarten level programming that shouldn't have left QA, much less be shipped in an actual game.
I somehow doubt your supposition that just because the modder CHOSE to not ruin other people's cities because he values the hard work and fun of other players somehow means that he couldn't. Especially when we have three-stooges levels of coding practices at work inside Maxis and EA.
[ link to this | view in chronology ]
Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re: Re:
I consider the source to be the modder. His words, in comments on the youtube video:
"IMPORTANT NOTE: I have NOT enabled syncing of data for this. All cities you see in this video remain UNHARMED - nothing got synced to server."
and
"There is still no city syncing at this most basic level, so you can wreak havoc on a friend's city, quit out, log back in, and it's back the way it was - great fun! I am worried about people that go deeper into the code and start spoofing the owner ID's of cities and start doing this maliciously though."
http://www.youtube.com/watch?feature=player_embedded&v=ROy6VE5ZsZw
I do agree that the linked article makes the claim that this means you can destroy the cities permanently. I disagree with that claim, I've provided my evidence to back this up.
[ link to this | view in chronology ]
Re: Re:
/rolls eyes/
[ link to this | view in chronology ]
Re:
This is my understanding also. Many of the articles I've seen reporting this event suggest the person simply didn't sync his changes to the server; from my reading it is that the person can't sync his changes to the server.
The fact that someone is able to do this locally is a non-event. If someone is able to do this in a way that persists to the servers, well, that's more interesting.
As much as I hate EA, and as much as the SimCity launch was a failure, I don't understand why this particular story is getting widespread attention.
[ link to this | view in chronology ]
Re: Re:
It's unclear which is the case. However, which it is can be thought of as a security competence question - wether or not EA can design and build a robust server infrastructure to prevent PersonA making changes to PersonB's stuff. Let's take a quick look at EA's past competence level in regards to SimCity.
1) Competence in allocating enough server resources to handle load?
Fail.
2) Competence in adjusting to unforseen load?
Fail.
3) Competence in designing software to meet their own goals?
Fail (fudging population/simulation of individual agents).
Fail (dumb as a box of dull rocks pathing AI).
Fail (secure software, ie left developer mode in, leading to this possibility).
4) Overall competence in admitting when they were wrong so they could salvage the situation?
Fail.
Since they fail at so much, what makes you think their server design/infrastructure is competently designed to disallow Godzilla-ing someone else's city?
[ link to this | view in chronology ]
Re: Re: Re:
I agree that it's totally possible for someone to develop an attack that breaks EA's servers. I definitely don't think EA's servers are perfectly protected and it's very possible that someone will be able to break their protection.
As soon as someone does break their protection, I think it's a very news-worthy story. Until they do, I read this as an "here's something interesting you can do to your friends' cities if you're bored, and have the misfortune of having purchased SimCity".
[ link to this | view in chronology ]
Hollywood couldn’t sell us better stories if it tried (and judging from its output so far this year, it ain’t tryin’).
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
It's official
[ link to this | view in chronology ]
Re: It's official
[ link to this | view in chronology ]
*RAR!* *STOMP!* *RAR!* *STOMP!* *RAR!* *STOMP!* "Bring up the tanks! Call for support from another city!" *RAR!* *STOMP!* *RAR!* *STOMP!* *RAR!* *STOMP!*
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re: Re:
Just leave it to the Swat Kats!
[ link to this | view in chronology ]
Can't save it yet?
Though I fully expect that to be cracked soon. Maybe even by the time I finish writing this comment.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
We've already had three of those today. We get it: SimCity 5 is a bust.
Now, can we concentrate on real issues like Prenda Law? These popcorn won't eat themselves you know?
[ link to this | view in chronology ]
Re:
Personally, I never tire of the delicious egg on EA's face. I've had a bone to pick with them for about 13 years, ever since they turned the very-promising "Need for Speed: Motor City" into "Motor City Online" and made it online-only when a large percentage of internet users only had unreliable dial-up connections.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re:
No it's not enough. EA sells this shit and their stock goes up. Unreal.
This may not be precisely up TD's alley, but there's a real problem of customers not understanding that EA's business model of shit = profit is working wonderfully. Disposable consumers and, um, "liquidating" title loyalty.
[ link to this | view in chronology ]
Conspiracy
1. Make game terrible for everyone but pirates.
2. Piracy will be more rampant than ever
3. ???
4. Profit
[ link to this | view in chronology ]
Brilliant
[ link to this | view in chronology ]
Yet another EA always-on DRM catastrophe
[ link to this | view in chronology ]
"Hi - We don't have a hacker problem, we have very talented mod community who agree with you and disagree with our design choice"
https://twitter.com/buzzspinner/status/312343408754700288
[ link to this | view in chronology ]
Re:
sudo rm -rf /
[ link to this | view in chronology ]
Online Japanese Monster Simulator
*Sits down and starts coding*
[ link to this | view in chronology ]
[ link to this | view in chronology ]
I should have waited so I could play some Godzilla.
[ link to this | view in chronology ]
http://arstechnica.com/gaming/2013/03/electronic-arts-ceo-resigns-effective-on-march-3 0/
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re:
[url]http://www.ea.com/news/from-larry-probst-ea-leadership-transition[/url}
[ link to this | view in chronology ]
Please verify before posting inaccurate claims
[ link to this | view in chronology ]
Next EA Statement
[ link to this | view in chronology ]
EA's CEO just stepped down. LAWL.
Suck it EA.
[ link to this | view in chronology ]
Re: EA's CEO just stepped down. LAWL.
Sadly they're just going to find another Sock Puppet for their board, the Chairman standing in for CEO right now is Larry Probst(the CEO before Riccitiello). Although slightly entertaining to see the issue they downplayed is actually bigger than they would admit.
Until the board is done bashing their collective face into their finely crafted meeting room table, don't expect any changes. Boards select these CEOs then fight them to keep the board's interests as the primary concern, which happens to be stocks and not the health of the company.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
http://kotaku.com/5991077/your-complete-guide-to-the-simcity-disaster?utm_source=gawker. com&utm_medium=recirculation&utm_campaign=recirculation
As one EA forum member points out, SimCity's sim-people use the same sort of AI-handling "agent system" that traffic and sewage and power uses. The results are not pretty.
The problem is that, just as power can sometimes take a ridiculously long time to fill the entire map (because the "power agents" just randomly move about with no sense) traffic and workers can do the same thing. Workers leave their homes as "people agents." These agents go to the nearest open job, not caring at all where they worked yesterday. They fill the job, and the next worker goes to the next building and fills that job, and so it goes until all the jobs are "filled." So, when you have all your "worker" sims leaving their houses for work in the morning, they all cluster together like some kind of "tourist pack" until they have all been sucked into "jobs." They don't seem to care if the job is Commercial or Industrial, only that it's a job.
"Scholars" are handled exactly the same way. As are school busses and mass-transit agents. This is why you see the "trains" of busses roaming through your city, and why entire sections of town may never see a school bus, despite having plenty of stops... Once all the busses are full, they return to school and stay there until school is done for the day.
Now, here is where it gets really good... In the evening, when work and school lets out, they all leave and proceed to the absolute closest "open" house. They don't "own" their houses. The "people" you see are actually just mindless agents (much like the utilities agents, as I said earlier) making the whole idea of "being able to follow a 'Sim' through their entire day" utterly POINTLESS!!"
-Instead of returning to their own homes, individual Sims would drive into the nearest home available.
-Instead of driving on empty roads, Sims would take the shortest path available, even if that led straight into congestion.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re:
Give me the days when all you had to worry about were budget, traffic problems, pollution, population, crime, and disasters. That is all I request..the simplicity of the original with the updated graphics of today.
[ link to this | view in chronology ]
Hitchhiker's guide
In other words - peril sensistive sunglasses
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
I didn't expect this from Techdirt
It might be that someone finds a way to get the server to accept the changed save by spoofing the ownerid but considering that the trick has been in the open for two or so days now and there is no news whatsoever of that happening, it will, at the very least be non trivial to do so.
Very sloppy article, highly disappointed.
[ link to this | view in chronology ]
This is about damaging local copies of cities
[ link to this | view in chronology ]
This is about damaging local copies of cities
[ link to this | view in chronology ]
This hack is the perfect allegory to what DRM is doing to the game =D
[ link to this | view in chronology ]
[ link to this | view in chronology ]
[ link to this | view in chronology ]
This is somewhat misleading
This changes are not and currently cannot be synced with the server, the modder was only talking about being worried that some one would be able to spoof other player ID's down the road and cause trouble. We don't know if that can be done and we don't know if there are server side checks that would prevent it if you could.
In short I'm on the hate EA train as much as every one else but there is plenty of real issues that we don't have to start making crap up.
What's happened here is some messing with the debug mode has allowed some one to mess around with the local data uses to allow viewing of other peoples cities in a region. This has nothing to do with the DRM and currently, and is frankly unlikely too, lead to being able to damage other peoples saves.
I'd expect Tech Dirt to do better than this, even reading the youtube description rather than the sensationalist blog should make all the above perfectly clear.
IMPORTANT NOTE: I have NOT enabled syncing of data for this. All cities you see in this video remain UNHARMED - nothing got synced to server. I would not condone any action which could actually harm another player's city without permission!
So, this was done by editing the SimCity packages, tweaking some code, and getting the game to think that, when I visited a random person's city in a random region, I WASN'T in observer mode, and force enabling of edit mode so that I had full access to the city as if it was my own. There is still no city syncing at this most basic level, so you can wreak havoc on a friend's city, quit out, log back in, and it's back the way it was - great fun! I am worried about people that go deeper into the code and start spoofing the owner ID's of cities and start doing this maliciously though. Hopefully there are server side safeties on this... hmmm.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
[ link to this | view in chronology ]