Ubisoft Uplay DRM Found To Include a Rootkit 473
An anonymous reader writes "It has been discovered that the Uplay system Ubisoft uses to both check a game is legal and offer up gaming achievements, multiplayer, and additional content, actually contains a rootkit. The discovery was made by Tavis Ormandy, an information security engineer at Google, when he installed Assassin's Creed: Revelations on his laptop. He noticed that during the installation Uplay installed a browser plug-in that allows any website to gain access to your machine through a backdoor and take control of it.The plug-in can be classed as a rootkit because it is thought to allow continued privileged access to a machine without a user's consent."
Update: Ubisoft has released a statement saying it has issued a forced patch to correct the flaw in the browser plug-in for the Uplay PC application.
Update: Ubisoft has released a statement saying it has issued a forced patch to correct the flaw in the browser plug-in for the Uplay PC application.
under the DMCA any antivirus software can get sued (Score:5, Interesting)
under the DMCA any antivirus software companies can get sued for remove or even marking this.
Re:under the DMCA any antivirus software can get s (Score:5, Insightful)
under the DMCA any antivirus software companies can get sued for remove or even marking this.
On the other hand, Ubisoft is probably guilty of violating Federal wiretap laws.
Re: (Score:2)
In what way?
You really think they did not include some fine print in the EULA about how the user was consenting to this?
Re:under the DMCA any antivirus software can get s (Score:5, Insightful)
You can't always waive your rights, even if you agree to it.
Re:under the DMCA any antivirus software can get s (Score:4, Informative)
As we have seen, US isn't the world and it's EU that's currently championing consumer rights in the Western world. And in here, you can't waive rights through a simple click-through quite as easily. In many cases, you cannot waive them at all.
The fact that Ubi rushed to fix the problem so fast tells you just how risky someone high up thought this is.
Re:under the DMCA any antivirus software can get s (Score:5, Interesting)
You have to be careful about what you consider to be waiving your rights ie. I wave my rights, sorry changed my mind, waived them again, changed my mind again, waived, not waived, waived, mine again.
Waiving your rights means pretty much nothing because the very second you claim them back, they return with full force of the law, constitutional and criminal law both of which out weigh contract law. There is no legal condition of contract that can prevent you from reclaiming your rights, at any time you choose.
Re:under the DMCA any antivirus software can get s (Score:5, Informative)
In what way?
You really think they did not include some fine print in the EULA about how the user was consenting to this?
An illegal action (not sure if this is or not) remains illegal, even if both parties agree to it.
Re:under the DMCA any antivirus software can get s (Score:5, Informative)
Re:under the DMCA any antivirus software can get s (Score:5, Insightful)
In most if not all jurisdictions in this world, the law is always above any contract or agreement. And rightfully so, just think of the mess we would have if that is not the case. It's also why in all proper contracts you will find a "survivability clause", stating that if anything in the contract is overruled by another law, that the rest of the contract remains in force.
Re: (Score:3, Insightful)
But sometimes actions are illegal only if they are non-consensual. Agreeing to a EULA might be considered consent.
Re:under the DMCA any antivirus software can get s (Score:4, Funny)
I hope you don't have any Apple products or software on your system...
Re:under the DMCA any antivirus software can get s (Score:4, Insightful)
Of course, where I live "EULA's" are invalid and can not be enforced under California law. Sorry UbiSoft, you've just made a tactical error that will get your asses sued in California and no, since an EULA is not recognized by California and Symantec has? their HQ in Silicon Valley - Don't know about McAffee, they're protected from DMCA issues.
Re:under the DMCA any antivirus software can get s (Score:4, Funny)
1) give me all your money, assets and all future earnings and assets.
2) whenever there is a full moon, stand in a public area on one foot and howl at the moon.
3) Say "boop" every 87.24 minutes.
Re: (Score:3)
The court stated that Zeidenberg could have rejected the terms of the contract and returned the software.
Good luck finding any software retailer that will allow you to return opened software, of course. Is the manufacturer even legally required to compensate the purchaser in a case such as that? Seems like the consumer is screwed either way...
Re:under the DMCA any antivirus software can get s (Score:4, Insightful)
EULAs are not tested very well in court, and that's a 7th circuit decision. California is in the 9th circuit. 7th circuit might be REFERENCED but in the 9th circuit EULAs have been found null and void (try my legal battle with EA over the Spore DRM, which is why EA settled and FAST.)
Re: (Score:3)
I've seen you cite that three times in the comments so far, and I'm not even very far down the page. I'm pretty sure it's been tested more recently than 1996. In fact, here you go [wikipedia.org]. I imagine you got your link from the wikipedia page on shrink-wrap contracts, as did I.
It varies by court and by license - there's no precedent that's used in all cases.
And regardless, what they're doing is illegal so it doesn't matter if it was in the EULA. Knowledge != consent
Re:under the DMCA any antivirus software can get s (Score:5, Informative)
What, have you never heard of the sony rootkit? they were pretty damn close to getting sued for similar issues.
Fine print won't do anything to get around this. Just like every fine print says you indemnify the company - if there's a real issue, the judges will ignore the EULAs which have been deemed legally unenforceable anyway.
Maybe they'll actually get sued this time... (Score:5, Interesting)
Maybe they'll actually get sued this time...
I play Everquest 2 on this machine, and look what I just found (installed yesterday). Firefox never informed me that it was being installed.
FF - HKLM\Software\MozillaPlugins\@soe.sony.com/installer,version=1.0.3: C:\Documents and Settings\owner\Application Data\Mozilla\Firefox\Profiles\5kpvldeq.default\extensions\{000F1EA4-5E08-4564-A29B-29076F63A37A}\plugins\npsoe.dll ()
In the Firefox browser Add-on pane it is listed as SOE Web Installer 1.0.3.171. It can be disabled, but I have not attempted to remove it yet. I want to keep it around while I figure out what it is doing. A web-search is inconclusive as it appears to have just been released, although I did find several links to a "test page" that belongs to Sony that instantly tries to install said plug-in. No-script blocked these attempts, so I have to assume it was served to me via the EQ2 GAME updating system. If so, complete bullshit.
Again, I never got any sort of plug-in install warning when running Firefox, and I have my browser warning settings at maximum verbosity. This plug-in was just "there".
Re:Maybe they'll actually get sued this time... (Score:4, Interesting)
Update, if anyone cares.
You can uninstall the plug-in, SOE Web Installer, by using the provided "Uninstaller" you get at the same webpage that installs it.
Or, you can do what I did. Manually uninstall the game then spend 2 hours scouring out the 67 registry entries the "uninstaller" left behind. (The game uninstaller didn't actually remove a single file...not a single one. The plug-in uninstaller simply appeared to remove the plug-in from the control panel--all of the registry entries remained. CCleaner only found four of the 67 I removed.)
That shit is pure rootkit. Considering you can't even firewall out the outbound data without also firewalling your browser, this one is worse then the Sony/BMG rootkit. I've had to remove both and this one was spread all over the damn place, with redundant registry entries everywhere.
Never again, Sony, will any of your products enter this household.
Re:Maybe they'll actually get sued this time... (Score:4, Informative)
Verified that the SOE Web Installer plug-in for Firefox is installed by the Everquest 2 Updater (I'm guessing their other games will install it as well).
Verified by updating the game (my wife hadn't updater her machine yet) with Firefox open-- Game Updater hung until I closed down Firefox--Plug-in is installed once Game updater was finished. I made sure it was NOT installed before updating the game.
Much like the music CDs, I guess Sony cannot be trusted even after a class-action for doing the same sort of shit.
Re:under the DMCA any antivirus software can get s (Score:5, Informative)
Which is incorrect. There was a class action suit, which Sony in the end settled [zdnet.com].
Re:under the DMCA any antivirus software can get s (Score:5, Informative)
Which is a perfect example of how the rich and powerful live by a different set of laws. If I put a root kit on Sony's computer, you'd better believe I'd have felony charges filed against me. If Sony puts a root kit on my computer, all they have to do is pay off some state AGs.
Re:under the DMCA any antivirus software can get s (Score:5, Interesting)
Actually they were sued by several state's attorneys, and settled. Personally, as a victim of XCP (I didn't agree to their god damned eula, my daughter installed it, never imagining that a big respected company would deliberately install MALWARE) I'd like to meet Sony's President in Felbers' beer garden and beat him to death with a two by four. I'm still pissed, and it's almost been ten years. I will never EVER be stupid enough to buy another Sony product. I want the company broken up and its board of directors impoverished. Nothing's too bad for those evil sociopaths. Cancer and AIDS are too good for 'em.
A rootkit is MALWARE. The president of Sony should have gone to prison, and the President of Ubisoft should, too. If I did to Sony what Sony did to me, you can bet your ass I'd go to prison. But it's OK for the 1% to fuck over the 99% any way they want, but if you mess with them, well, you're screwed.
And you stupid people should quit buying their damned games! Jesus, stop letting these assholes take advantage of you! You would buy from a company that deliberately installs malware on their customers' computers??? How goddamned stupid can you get????
Comment removed (Score:4, Interesting)
Re: (Score:3)
Re:under the DMCA any antivirus software can get s (Score:5, Informative)
Re: (Score:3)
Re: (Score:3)
but you keep claiming your citation as if it were applicable to the entire country. All over the thread. It doesn't. Period.
I know way more than you'd suspect. I've done it from criminal and civil sides, from unlawful detainers to suing the shit out of EA.
Re: (Score:3)
Re:under the DMCA any antivirus software can get s (Score:5, Insightful)
Re:under the DMCA any antivirus software can get s (Score:5, Insightful)
Re:under the DMCA any antivirus software can get s (Score:5, Insightful)
Re: (Score:3)
It does? Always?
Re: (Score:3)
So? Ubisoft is a corporation, its not like anything bad is actually going to happen to them.
There are lines that even major corporations cannot cross. Putting rootkits on US Federal computing equipment is one such line. Sony's fine for their rootkit fiasco was certainly enough to get Sony's stockholders' attention, but that wasn't the worst of it.
The Department of Justice basically said: it would be within the law to sieze all Sony assets in America and ban all future imports of all Sony products, but we're not going to ask for that becuase we don't think it was deliberate .... this time.
Deliber
Not really surprising. (Score:5, Insightful)
Re:Not really surprising. (Score:5, Insightful)
Re:Not really surprising. (Score:4, Informative)
I finally got HoMM VI despite DRM reservations on extreme sale and I have to say it wasn't worth it even for 90% off. They stripped all the strategy from the game and left it an empty advertising husk. Don't bother.
Re: (Score:3)
Re:Not really surprising. (Score:4, Insightful)
+1 to that. A global flag in steam to hide them. With 30%+ using this flag devs would wise up.
Unlikely, would probably just cause another outbreak of "Our sales are dropping from piracy again!"
I really would like that toggle, if Steam could manage to make it accurate anyway.
Re:Not really surprising. (Score:4, Insightful)
Re:Not really surprising. (Score:5, Insightful)
I've said this before: DRM, in and of itself, is not evil.
If all the DRM does is check whether I have or have not purchased the [whatever], and reliably detects paying users as such (low false-positive rate; the false-negative rate is meaningless to me), and the only thing it does is conditionally run (or not run) the [whatever], and it requires minimal work on my own part, I'm fine with it. And, it seems, many others are fine with it as well.
Now, many, even most, DRM implementations fail at least one of those evilness checks. This Ubisoft one violates the "don't do anything on the system not related to your product" clause. Many others fail the "reliably detect paying users as such" clause - always-online systems detect offline-but-paying users as nonpaying, for instance.
Steam passes the evilness checks with only a few caveats (it's not perfect, but it's one of the better ones, and probably the best with that level and quantity of games). You will have to go online at least once to authenticate, you need to prepare a bit ahead of time before going offline (random internet dropouts or the Steam servers themselves going down can stop you), and it does encrypt pre-loaded games. And then there's the whole "no reselling/used games" thing, but honestly, I'm fine with that. I've never found selling my old games to be financially worth it, and the very phrase "used digital games" is an absurdity.
Re: (Score:3)
I would buy that argument more if it weren't also true of physical retail. Read the EULA next time.
Re:Not really surprising. (Score:5, Informative)
I have had games limit me to 10 installs. Games with cruddy DRM that can't possibly function under wine. Others let me only download them once. I have fortunately never had to deal with the always online crap, unless by its very nature it was necessary for the game (MMORPG's, for example).
[1] Yes, I actually game using wine, so that is of value to me. I only run Linux at home. It's a pain in the butt for gaming, but it's how I do it.
Re:Not really surprising. (Score:5, Insightful)
You'd like Steam - a DRM system - to help you buy only DRMed games that don't use a competing DRM system?
People really have drunk the Steam kool-aid, haven't they?
Yes, because unlike every other DRM system I've ever seen, Steam actually helps to improve the experience, by making sure the game is up-to-date, storing saves and config files in the "cloud" (for developers who implement it), allowing me to re-download and re-install games on as many computers as I please, allowing me to easily play with friends (or not, as I see fit), and still allowing me to play games offline (unlike *ahem* Blizzard). And of course their famous sales. I know people who dislike Valve who still like Steam. Granted, the DRM isn't necessary for all that technically speaking, but it is to provide a decent selection (most developers wouldn't put their games on Steam if it didn't have copy-protection of some kind).
Honestly, Steam is almost always as easier, sometimes more, than pirating games.
Re: (Score:3)
Re:Not really surprising. (Score:5, Funny)
Re: (Score:3, Funny)
You use a closed source firewall and are worried about what games are doing?
That seems pretty odd.
Re: (Score:3)
Re:Not really surprising. (Score:5, Insightful)
happily playing Diablo 3 after I told them how much of a bitch the DRM is to the market place
That's the problem in a nutshell. If they're happy, either we aren't doing a good job making our point, or it really doesn't matter to them. Only one of two things will happen to make them change their minds. We have to make a case that they will be happier without DRM (in a way that is compelling enough that they will choose to be less happy in the short term to achieve it--By not playing Diablo, etc), or they have to get burned bad enough that the product itself makes them unhappy.
The problem, as I see it, is that most people just don't care, as long as it works. Most people aren't game historians, who worry about whether the authentication servers will still be there in 10 years. And for the small percentage of the people who actively fight against corporate interests, things like DRM take a backseat (and probably rightfully so) behind getting fucked by the banks, fucked by your health care provider, poisoned by local industries, etc.
If there is a technical issue that's on the public's front burner, it's Net Neutrality. And I'm ok with that. I can walk away from Ubisoft. But it's much harder to just say I'll do without the Internet.
Re: (Score:3)
"We have to make a case that they will be happier without DRM"
"In history it is not idealism, goodness or morality that reign -- their kingdom is not of this world -- but rather resolve, energy, presence of mind, and practical ability. One cannot erase this fact with laments and moral judgments. That is the way man is; that is the way life is; that is way history is."--Oswald spengler
What I'm saying is simply the vast majority of people don't know how computers work and new generations of gamers either don'
Re:Not really surprising. (Score:4, Funny)
"Will it find your porn?"
I dunno, a DRM scheme that found all my porn and automatically downloaded similar high def porn clips would be pretty useful. Would save me a lot of time on YouPorn.
Is anyone actually surprised? (Score:5, Insightful)
Who is actually surprised?
This is the one thing that has me worried about Steam on linux. Using it in wine I can be fairly sure I have it limited to one user account and no real ability to mess with the machine, but when it installs natively who knows.
Re: (Score:2)
OTOH, if it is not possible to install steam as a user, a good excuse will be necessary.
Re:Is anyone actually surprised? (Score:5, Insightful)
Re: (Score:3)
Cheating may be the terrorism of the online gaming world, it's the full-powers resolution of the offline single-player gaming world.
Re:Is anyone actually surprised? (Score:4, Interesting)
Re:Is anyone actually surprised? (Score:5, Interesting)
Re: (Score:3)
That's not enough by far. It's very easy for the program to contain a wine style fake dll, which can call any libc functions it wishes (e.g. system, posix_spawn, etc.). Wine does not try to protect the windows programs from accessing the system.
Re: (Score:3)
So do you actually install it as a different user, or do you just feel warm and fuzzy that they can't modify your system, even though most of what you probably care about exists within your user account?
Even if you install it as a different user, you would need to log out of your main account every time (or, I suppose, run a secondary X server) as the rights required to display to your X server pretty much give full access to your account.
Re:Is anyone actually surprised? (Score:5, Interesting)
So do you actually install it as a different user, or do you just feel warm and fuzzy that they can't modify your system, even though most of what you probably care about exists within your user account?
Even if you install it as a different user, you would need to log out of your main account every time (or, I suppose, run a secondary X server) as the rights required to display to your X server pretty much give full access to your account.
My own setup has a user account specifically dedicated to Wine. This user doesn't run anything else. That user has no network access at all because of iptables. There is a PAM module that gives this user access to draw on the X display when I switch to it (Gentoo does this by default; on most Debian-derived distros you have to configure PAM with a one-liner in /etc/pam.d/su -- add "session optional pam_xauth.so" to that text file).
I use a Gentoo Hardened system so I place extra restrictions on it. The Wine user cannot see processes of any other user and the permissions on anything outside of its home directory are quite restrictive. Back when I played WoW (and had to allow network access, but only just what it needed), it would scan the running processes as an anti-cheating measure; on this system it would see only itself and a couple of Wine processes. On a normal Linux system, any user can view every user's running processes. Also, Wine is compiled with SSP and has NX and other hardening features applied to it.
That's not an exhaustive list but it covers the main steps I took. You can probably gather that I don't trust binary Windows programs.
That's awesome (Score:5, Interesting)
I started boycotting several manufacturers over the games that required a constant online connection. I can't wait to tell my buddy that thinks that the boycott is stupid how his system is rooted (again)!
Re:That's awesome (Score:5, Interesting)
As somebody who hasn't bought (or pirated) any games in about a decade (other than a few of the Wii Lego series) I have to say that the only downside of boycotting all modern games is that you have to find something to do with all the extra free time and money.
Re: (Score:3)
Re:That's awesome (Score:4, Funny)
The problem is that if you try to boycott every game publisher or developer that does stupid things like this, you'll shortly end up boycotting almost every company.
Never mind, there's always Tux Racer.
All DRM is rootkit (Score:2)
While it may not fit the dictionary definition, IMHO ANY software that allows someone to delete/alter/lock up something on my machine without my permission is essentially a rootkit. DRM fits that definition, thus "All DRM is rootkit".
nevertheless, glad to see people calling out companies for particularly egregious behavior in the DRM realm.
Re:All DRM is rootkit (Score:5, Insightful)
IMHO ANY software that allows someone to delete/alter/lock up something on my machine without my permission is essentially a rootkit.
DRM does not allow someone to "delete/alter" anything. It only "locks up" in the crypto sense, as DRM is basically crypto code. I dislike DRM, but will defend a software company's right to encrypt their software, and even allow them to require an Internet connection to "unlock/decrypt" that software so that it can be used. This is their choice, and in that respect, "buyer beware". Vote with your cash.
OTOH, installing a rootkit which allows possible unauthorised access to my machine, by the company or any other 3rd party without specific permission for each and every access??? They deserve to be fined out of existence by every legal system on the planet.
Re:All DRM is rootkit (Score:5, Interesting)
I dislike DRM, but will defend a software company's right to encrypt their software, and even allow them to require an Internet connection to "unlock/decrypt" that software so that it can be used.
I would too. But I would also defend the right of people to modify their copy of the software to remove said DRM and even distribute cracks for it.
Re:All DRM is rootkit (Score:5, Insightful)
A rootkit is software that allows root access without (further) exploiting the OS/software on the machine. The software itself may do nothing at all beyond that, and it's still a rootkit.
Conversely, software which reformats your harddrive is not a rootkit if it doesn't grant root access. Even if it itself is running as root!
So, your definition is crap. You've basically made up your own just so you can hate on DRM. It's stupid because DRM is crap even without this misguided rationalization.
The post: (Score:5, Informative)
Because it's missing from the summary and also the linked article, here's the initial report: http://seclists.org/fulldisclosure/2012/Jul/375 [seclists.org]
Torchs and Pitchforks are authorized (Score:2, Insightful)
Any time a rootkit is found the perpetrators should be (metaphorically) strung up.
It's hard to find a car analogy for this, but I can try: it's like a car dealer keeping a copy of your key for personal use. It's just unacceptable and so far outside of proper ethics that even the corporate sycophants should find it troubling.
No wonder game sales are slumping... (Score:4, Insightful)
Re: (Score:3)
Game sales are seriously down in 2012 compared to previous years. I am willing to bet that at least partially, this is because of the Steam/Origin/UPlay DRM garbage game publishers force you to install.
I can't speak for everyone, but it has influenced by buying. The number of game publishers that I boycott keeps growing, and my game buying keeps decreasing. I used to buy 20 - 30 games a year. This past year, I might have bought 2. Though, to their credit, I pirate a lot less also! I haven't pirated a game in 3 years.
Now, I just find other ways to spend my time other than video games. The funny thing is, I've found new hobbies that are more social, more personally rewarding, and make me less intereste
Re:No wonder game sales are slumping... (Score:4, Interesting)
Based on what data? NPD says that game sales are slumping, but NPD's numbers are shit. They're based on retail sales at big stores. They're of little to no use when tracking the growth areas of the gaming market: anything digital. Game sales are likely not down at all, just people buying shiny disks at Walmart.
Besides that, 2012 has featured a lot of big name letdowns compared to 2011. The fall season will likely do better.
Re:No wonder game sales are slumping... (Score:5, Informative)
Game sales are down for consoles maybe. With a bit of googling, you might find silly things like NVidia's 23% revenue growth attributed to PC gaming [technologizer.com] alone. And of course that Steam has 100% sales growth [eurogamer.net] in 2012 over 2011. Oh and Diablo III selling like hotcakes. But hey, this profit growth is all because DRM is making people NOT buy games right?
Re: (Score:3)
Re:No wonder game sales are slumping... (Score:5, Insightful)
Because of Steam, I have actually bought MORE games than I ever had in my entire life up to that point. And that's, IMO, it actually gives me value:
a) amazing deals on games, allowing me to buy top titles for $15 as long as I'm patient enough to wait for the sale
b) saved games are backed up, so when I need to delete a game, I know that I can reinstall in the future and continue from where I left off
c) I can load the game onto an entirely *different* machine and continue from where I left off
d) My primary machine is a mac, but when I buy a game on steam I get the mac AND windows version. While I have not actually tried to yet, I *think* the save games are supposed to move between platforms as well. I could be wrong about that though.
e) Steam/Valve has done a LOT to improve the gaming scene on Mac, and now they are trying to do the same for Linux.
The only real downside is that I can't sell my games second-hand to someone else. But considering that I've never really done that anyway, it's a moot point.
So yeah, Steam may have the properties of a DRM system, but I am willing to live with it because I consider the benefits to dramatically outweigh the negatives.
Meanwhile Blizzard and Ubisoft provide nothing of the sort, and can go DIAF for all I care.
Whew (Score:2)
Glad I stuck to my Ubisoft (and EA and Blizzard) boycott even in the face of the big Steam Summer Sale. Here's hoping more gamers will stick to their principles and force developers into customer-friendly behavior, though sadly it seems that most people prefer to boycott companies just until a new title is released...
Not a rootkit, but... (Score:5, Informative)
Re:Not a rootkit, but... (Score:5, Informative)
Re: (Score:3)
IMO rootkit needs to be able to hide itself, which is pretty much impossible without root access. Otherwise it's just a trojan with a backdoor.
this sounds familiar (Score:4, Interesting)
By the way, if you're thinking "hmmm, where have I heard Ubisoft news before?" they used a hacker team's no-CD crack, as-is, in one of their official updates to Rainbow 6 Vegas 2 to solve a problem with the game calling their own legit CD a fake CD.
And they wonder... (Score:5, Insightful)
The evil JS: (Score:5, Informative)
x.setAttribute("type", "application/x-uplaypc");
document.body.appendChild(x);
x.open("-orbit_product_id 1 -orbit_exe_path QzpcV0lORE9XU1xTWVNURU0zMlxDQUxDLkVYRQ== -uplay_steam_mode -uplay_dev_mode -uplay_dev_mode_auto_play")
Prosecute? (Score:4, Interesting)
I'm going to contact my Congresspeople, and ask them to ask the Department of Justice to investigate and prosecute any violation of wiretapping and/or computer crime laws which may have occurred.
Time to pirate (Score:3)
Guess we should all just use the pirated versions of Ubisoft games to get around this rootkit.
uPlay just updated (Score:5, Informative)
uPlay update 2.0.4: 'Fix addressing browser plugin. Plugin now only able to open uPlay application.'
Well, that was fast.
Re:uPlay just updated (Score:4, Insightful)
The problem is that people see things as fixed/not fixed.
Let's assume the problem is "fixed". What sort of development, security and testing regimes did their DRM go through to get to the point where any web page can open any application without any checks whatsoever previously? And how does that bode for anything that's not STUPIDLY TRIVIAL like finding this bug, e.g. buffer overflows, privilege escalations, etc.
Don't judge them on what they fixed. Judge them on just how terminally inept is was to allow that sort of thing to exist in the first place, let alone slip through into production code on a multi-million dollar game publisher. What else is there lurking in that plugin / app that *hasn't* been found and isn't so trivial to spot and fix?
Re: (Score:3)
Not to mention the fact that if this WAS a quick update, who knows what kind of QA process (guffaw) the fix went through.
Oh well (Score:3)
As someone who personally boycotted Ubisoft a long time ago because of their DRM shenanigans, the only thing I have to say is:
HA HA (in nelsons voice)
It's impossible to convince everyone to not buy a game because people just don't care. So I'll just sprinkle this nice big helping of schadenfreude onto my cereal this morning, instead.
Just say No? (Score:3)
Stop buying their games. The DRM will stop. Steam isn't much better as far as playing 'unplugged' but I guess I have more faith in Valve as a company.
Why Do They Keep Doing This? (Score:3)
One of the tags on this story is, "theyneverlearn".
On the contrary, "they" have learned exceptionally well! One could argue that "they" are A+ students with a 4.0 GPA across the board, having graduated Suma cum laude from the University of Violating People's Rights.
1. Any illegal action is legal until you get caught. (This is universal, and does not apply only to software.)
2. If you get caught, bluff. Claim that the plaintiff signed away their rights in the EULA.
3. If the bluff fails, obstruct. Claim that the EULA dictates the plaintiff must agree to arbitration in the Dominican Republic, where all parties may only meet on the 5th Wednesday of every month, between the hours of 8AM to 12PM.
4. If the obstruction has failed, then the client has identified themselves as a serious threat. Primarily because they have enough money to get this far in a court of law. Commence filing delaying actions. Request discovery on the plaintiff's machine. Engage private investigators, or even law enforcement by accusing the plaintiff of willfully violating the EULA. Plaintiff's property is then confiscated pending an investigation which can take up to a year. Continue until plaintiff runs out of money.
5. If things get this far, then plaintiff is extremely dangerous. Withdraw all claims against plaintiff. Immediately offer a deal to the plaintiff in return for a non-disclosure. Agree to any amount of money. Because it has not made it to court, you can promise umpteen squintillion bars of diamond-studded gold, and never have to pay one thin dime. What's the plaintiff going to do? Send the debt to a collection agency? (Use caution with this tactic! People are learning-albeit slowly-that you can send the sheriff to foreclose on a defaulting defendant's property.)
6. The plaintiff refuses any deal. Case actually makes it to court. Offer another deal for much less money. Court costs for the plaintiff will now most likely exceed damages, so make an appropriate offer. Use caution: a court-agreed settlement MUST be paid, but it will not dictate as to when it must be paid.
7. All attempts at a deal have failed. Plaintiff has bottomless pockets and blood in their eye, and is Hell-bent on taking you down. Begin repeat of Step 4.
8. Repeat of Step 4 has failed. The Lord God has taken a direct interest in this case, and has been witnessed pissing into your cornflakes. Change your plea to "no contest". The court is restricted to how much they can fine you, and the case comes to a halt.
9. Write off all losses by routing funds through the third set of books. Engage social media sock puppets to gin up your products. Sue anyone who bad-mouths you, even if they're pointing out the truth. Inform R&D that they are to conceal the program on the next release.
"Ubisoft has issed a patch to correct the flaw" (Score:3)
The flaw with the root kit of course being that someone detected it.
But don't worry, they're working hard to correct that problem.
Re:Enough with giving Windows a pass (Score:5, Insightful)
This is software installed by the user on purpose, it is no flaw in windows that allowed it in. You could write software to do the same thing on any number of OSes.
I am no windows fan, but you can't blame them for this.
Re: (Score:3)
Re:Enough with giving Windows a pass (Score:5, Insightful)
Wait, not really.
You install a computer game
The game claims to install counterfeiting and cheat protection
What you also get in the bundle without consenting is a backdoor/rootkit
This is the very definition of a trojan.
Re: (Score:3)
This is software installed by the user on purpose
True, it is a Troyan, software that disguise as something you want but do things or allow others to do things you don't granted permission
Re: (Score:3, Insightful)
You think a backdoor couldn't be installed on Linux? The person voluntarily ran an installer executable. The sky is the limit when you do that. Heck, it came from a big company as official product, giving the social engineering aspect a boost -- people just clicked approve approve approve on all Windows' carefully-engineered install blockers.
Which, IIRC, don't even exist on Linux. Or maybe you're a Mac fan. Guess what? See above re: running an executable from a trusted source.
Re:Enough with giving Windows a pass (Score:4, Funny)
Can we stop calling them "Computer" games when what we really mean is Windows game? Linux constantly gets a pass in the popular press using generic terms when the entertainment is very specific to the Windows platform. Yes, other OSs get games but it is a drop in the bucket to the ocean of what is seen on Windows and it is disingenuous to mislead laypeople otherwise.
And don't worry, if Ubisoft ever makes a game available on linux, this is what you'd see:
[sudo] password for AC:
Re: (Score:3)
RPM and DEB packages run arbitrary Bash scripts as pre-install/post-install during package installation, with full rights to alter the entire system. Gentoo ebuilds use a sandbox prelinked object that prevents writes into the system--it overlays the sandbox through libc function calls, writing new files to a separate directory tree and reading them from the real filesystem if they don't exist in that tree--but you can easily escape this by making direct syscalls.
Making a secure package manager is hard. W
Re:you know what... I blame myself... (Score:5, Informative)
And the price you pay for buying d3 is an endless pointless grind to gather loot, to sell to the vendor for a paltry few of the billion gold that you would need in order to have the gear strong enough to farm for actual items. Or you can go on the real money auction house and give blizzard an extra 15% of filthy lucre from the $500 to $2500 it will cost you to gear up for inferno act4.