Slashdot: News for Nerds


Critical Vulnerabilities In Call of Duty: Modern Warfare 3, CryEngine 3

Soulskill posted about a year and a half ago | from the can't-even-trust-games-anymore dept.

Security 77

hypnosec writes with news that two security consultants have found vulnerabilities in Call of Duty: Modern Warfare 3 and the CryEngine 3 graphics engine that could harm game makers and players alike. Presenting at the Power of Community (POC2012) security conference, the researchers demonstrated how a denial-of-service attack could affect Modern Warfare 3, and how a server-level attack on CryEngine 3 allowed them to "create a remote shell on a game-player's computer." "'Once you get access to the server, which is basically the interface with the company, you can get access to all of the information on the players through the server,' Ferrante said. In general, game companies don't seem to be very focused on security but rather on performance of the game itself, Ferrante said. Adding security checks can slow down games, and if the companies don't deem the problem a very critical issue, it will usually be ignored. 'These are games that have a very large market,' Auriemma said."


77 comments

Well duh (3, Insightful)

neo8750 (566137) | about a year and a half ago | (#41946365)

Ferrante said. In general, game companies don't seem to be very focused on security but rather on performance of the game itself, Ferrante said. Adding security checks can slow down games, and if the companies don't deem the problem a very critical issue, it will usually be ignored.

Well of course they care only about performance. It's all their user base really cares about.

Blame the users/consumers/people (3, Insightful)

tuppe666 (904118) | about a year and a half ago | (#41946491)

Well of course they care only about performance. It's all their user base really cares about.

To be fair...nobody is interested in security until things go wrong, they will and they do. Then it's look for a scapegoat, and the solution is to remove rights and privacy of the individual for the illusion of protection, throw in a few laws, that only affect the law abiding and decent. Then we live in fear.

...If it looks like I could be talking about anything...I am; The strategies are the same for everything.

Re:Well duh (0)

Anonymous Coward | about a year and a half ago | (#41946947)

Because by default we already assume it's secure.

Re:Well duh (4, Insightful)

Opportunist (166417) | about a year and a half ago | (#41948797)

Because by default we don't expect a game to compromise the security of our machine.

And, bluntly, I cannot fault the player, while at the same time knowing that games ARE a ticking time bomb. What really ticks me off about it is that there is usually no reason that it has to.

First of all, a lot of games require admin privileges on Windows, which always keeps me wondering why. What the FUCK is a game supposedly doing in areas where it touches anything that should remotely require admin rights? DRM, anyone? That's actually what really pisses me off, the game doesn't really need the privileges, but the useless crap that serves the player no purpose not only slows the whole crap down but also opens him up for an attack if the game has a security hole.

Now add that A-titles have a large player base and more and more of them require a network connection (DRM raises its ugly head again there) and see why they are a really interesting target for malware authors. First, unlike OSs and business software, security updates for games are not really a prime concern since there is with some certainty no business involved that could have a legal department which makes your life really unpleasant if your crappy software causes security concerns. The user doesn't worry if the software starts an online connection even if he doesn't intend to have one, since DRM is known to phone home, so firewall rules don't hit and the game has the rights to initiate contact to the outside world. Depending on the game, it might even be necessary to allow incoming connections. And to make matters worse, the game has admin privileges.

What more could a malware author ask for?

Re:Well duh (0)

Anonymous Coward | about a year and a half ago | (#41950749)

We must follow the proven model for defeating botnets: "Pirated" copies released by consumer-advocacy groups such as RELOADED or SKiDROW defeat or bypass the DRM, keeping the player disconnected from the Origin or Steam C&C servers, disallowing the distribution of this malware.

Cut off the head and the body will die.

Re:Well duh (1)

Opportunist (166417) | about a year and a half ago | (#41952337)

Two wrongs don't make a right, though. Doing this only convinces the studios that their DRM was not badass enough and needs more tightening to work.

Abstaining is the solution, and buying if, and only if, they do remove the DRM lockdown somewhere in the future. I really wanted to play R.U.S.E. I was really looking forward to it, but once I read what shape its DRM would take, I didn't get it. I still don't have it. The same is true for Diablo 3 and Mass Effect 3. Both titles that I really wanted, still want but I do not accept the DRM used to protect them from me. Heaven forbid I could actually play games that I buy!

I will not buy them, and I certainly will not copy them. Yes, I could buy them, strip away the crap and play as I please, but why? That doesn't teach the maker anything. Copying it will only show them that people want their games but are only going to buy if they can force them even harder than they already try to. Abstaining shows them that people do not buy their wares and don't even copy their wares, and then they will start to dig for the reason. They will ask why. They will want to know why the heck only one in thousands of people who expressed interest, played the demo and gave it stellar feedback bought it.

And if "because they copied it" isn't a possible answer anymore, maybe, just maybe, they will get smart.

Re:Well duh (0)

Anonymous Coward | about a year and a half ago | (#41951665)

It's been a while since I played a game that required admin privileges. Usually it was because they wrote their save games and/or settings files to c:\program files\gamename or did something similar to that because Windows 98 basically had no concept of security design, and then suddenly when Windows XP came along they were too lazy to change their code to reflect the new security reality and just told people to run as admin.

Call of Duty is basically still Quake 3. It probably still requires admin because in the past 12 years they haven't bothered to update it to reflect the modern security reality.

Re:Well duh (1)

Opportunist (166417) | about a year and a half ago | (#41952315)

There is exactly NO excuse for games that require at least Windows Vista to run to NOT be aware of the security model of Vista, because obviously it was developed for it. Ancient games developed for Win95 and its immediate successors may be excused, but there is really no sensible excuse for games past WinXP.

A (new) game may even be excused to require elevated privileges to install, despite me even questioning this (unless I insist to install it in a non-public place, or the game needing updated runtime libraries), but so far no game studio was able to offer a sensible explanation for needing administrator privileges aside of the DRM requirements. And I can tell you for a fact that it ain't the Q3 engine, I had to work with it (yes, had to, it was definitely NOT my decision).

I could even to some degree accept the need to run anti-cheat tools with elevated privileges, since they have to scan the other processes for attempts to hook into parts of the game memory. But the game itself? Not to mention, why does it need it if I only play single player?

Look around the game market. It is almost only A-titles and big studio titles that demand admin privs to run, and most that I had been subjected to lately did, while nearly all indie games I know run quite fine on standard user privileges, even if they install into "locked" areas (as I said, sometimes elevated privs may be necessary during install, but not for actual playing).

Now let's all take a wild guess what the reason might be.

Re:Well duh (0)

Anonymous Coward | about a year and a half ago | (#41956223)

Which games have you played that required admin privileges to run? Pretty much every installer (and patcher, if updates need to be installed) in existence requires them, but I can't think of any games that require admin purely to run (well, maybe some GoG ones, but I'm not going to count those since most of it's for compatibility).

Re:Well duh (2)

PhrostyMcByte (589271) | about a year and a half ago | (#41947015)

This is pretty common. Source engine can also be DoSed very easily with corrupt packets. It's one of the reasons I stopped playing Left 4 Dead --- some people can't just lose, they need to be losers.

Re:Well duh (1)

theArtificial (613980) | about a year and a half ago | (#41948159)

How'd they get your IP? Or was this aimed specifically at the server?

Re:Well duh (0)

Anonymous Coward | about a year and a half ago | (#41949559)

It happens in counterstrike too. They make the server shit itself and everyone times out.

Re:Well duh (1)

theArtificial (613980) | about a year and a half ago | (#41951477)

I see, thanks for the clarification.

first? (0)

Anonymous Coward | about a year and a half ago | (#41946369)

Imagine a beowolf.... where am I?

Oh no! (1, Funny)

partyguerrilla (1597357) | about a year and a half ago | (#41946381)

If there only was a way to remedy this problem, a "patch" if you will.

Re:Oh no! (0, Troll)

Anonymous Coward | about a year and a half ago | (#41946433)

After you pay $30 for the DLC patch update.

Re:Oh no! (4, Insightful)

PlusFiveTroll (754249) | about a year and a half ago | (#41946437)

Yep, and that patch will clean up your computer after hackers take over the server and run a remote shell on your computer and pilfer any information their botnet can find. Thank god we don't have to write secure software any more since we can patch it any time we need to before the hackers actually run exploits.

Re:Oh no! (0)

Anonymous Coward | about a year and a half ago | (#41955417)

"Thank god we don't have to write secure software any more since we can patch it any time we need to before the hackers actually run exploits."

The problem is that even when people find out about this stuff, nobody cares anymore. Sony has had a game-installed rootkit out for awhile now ( http://thepiratebay.se/torrent/7522392/NEW_2012_Sony_Rootkit_Exploit ), one that hackers appear to have already used code from--it isn't really a stretch to see them actually use the servers themselves. They are, after all, using the exact same backdoor that the game developers are putting in games in the name of product support.

Nobody is going to patch anything as that would be acknowledging an issue that they don't wish being addressed, let alone discussed...at least until people actually start doing something.

Re:Oh no! (5, Funny)

sjwt (161428) | about a year and a half ago | (#41947425)

Are you kidding? Why patch it.. is a feature, after all the future of modern warfare is cyber warfare! Users are now getting extra content for free, they should be thankful they aren't charged for a DLC pack that they are already using!

post (0)

Anonymous Coward | about a year and a half ago | (#41946393)

post the video or it didn't happen

The remote shell is NOT a surprise (0)

gweihir (88907) | about a year and a half ago | (#41946417)

The game makers can install arbitrary code on the user's computer anyways by way of updates. (Anybody remember Sony's root-kit?). A remote shell is therefore trivial to implement.

Re:The remote shell is NOT a surprise (4, Insightful)

cbhacking (979169) | about a year and a half ago | (#41946709)

The importance of the remote shell is not that "if you can get arbitrary code execution, you can get a remote shell" (this is pretty much a tautology). The importance is that it demonstrates the possibility of arbitrary code execution at all. A lot of security vulnerabilities are difficult to actually exploit. In most cases, the best that an attacker will ever achieve is denial of service (a crash, or forced disconnect, or using up all the RAM so the game runs too slowly, or something like that).

Contrary to what the movies would have you believe, actual exploits are (especially in a modern environment full of vulnerability mitigations) very difficult to produce in most cases. Many security researchers don't even bother with that step; it's enough to find the vulnerability and flag it "probably exploitable".

Re:The remote shell is NOT a surprise (2)

AchilleTalon (540925) | about a year and a half ago | (#41948125)

Contrary to what the movies would have you believe, actual exploits are (especially in a modern environment full of vulnerability mitigations) very difficult to produce in most cases. Many security researchers don't even bother with that step; it's enough to find the vulnerability and flag it "probably exploitable".

On the other hand, unpatched, unresolved, unfixed security issues will attract hackers until they find a way to exploit them. So, no need to find an easy exploitable scenario to flag them as probably exploitable. Why should someone sit and wait until it becomes exploitable to fix it? It's a kind of security through obscurity you are talking about. I'm sorry, but this must be secure by design.

Re:The remote shell is NOT a surprise (1)

cbhacking (979169) | about a year and a half ago | (#41954533)

What do you mean, I'm talking about security through obscurity? That makes nothing resembling sense. I certainly didn't suggest that the vuln shouldn't be reported if the researcher doesn't develop an exploit, nor that the developer shouldn't fix it. Some devs won't take a vuln seriously without a PoC, it's true, but that's a failure on their part, not on the researcher's. Some developers don't take security seriously regardless.

I also don't understand why you seem to think that flagging a vuln as probably exploitable is something that requires it be easily exploitable, or where you think I even implied as such. Are you familiar with security testing? You can tell the probable exploitability of a vulnerability by reading a few lines of disassembly, in most cases. Attempt to read a NULL pointer that the attacker cannot control and there's no way for the attacker to have mapped page 0 in this process' memory space? Not exploitable (except for DoS). NX (Data Execute Prevention) violation? Exploitable. Read fail on the instruction pointer at or near 0? Probably exploitable (and can most likely be refined with a bit more research).

My claim was, quite simply, that most people would merely have done the work needed to say "yep, looks exploitable, probably arbitrary code execution", flagged the vuln as such, and moved on. The time and effort to develop working exploits, while fun, is rarely cost-effective to a white-hat.
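The three rules of thumb in the comment above, written out as a small crash-triage script. This is an added example, not part of the thread or code anyone posted; the record format, the crash names and the 64 KiB reading of "at or near 0" are assumptions, and the sample records are constructed.

```python
from dataclasses import dataclass

# Windows reports one of these in EXCEPTION_RECORD.ExceptionInformation[0]
# for an access violation (exception code 0xC0000005).
AV_READ, AV_WRITE, AV_DEP = 0, 1, 8

# Assumption: "at or near 0" is read here as the first 64 KiB.
NEAR_NULL = 0x10000

EXPLOITABLE = "exploitable"
PROBABLY = "probably exploitable"
REVIEW = "needs manual review"
DOS_ONLY = "not exploitable (DoS only)"
ORDER = [EXPLOITABLE, PROBABLY, REVIEW, DOS_ONLY]  # fix-first order


@dataclass
class Crash:
    name: str
    av_type: int            # AV_READ, AV_WRITE or AV_DEP
    fault_addr: int         # address that could not be accessed
    ip: int                 # instruction pointer when the fault was raised
    controlled: bool = False   # analyst: attacker influences the pointer
    page0: bool = False        # analyst: attacker can map page 0 here


def parse(line):
    """Parse 'name type=0 addr=0x0 ip=0x401a2c [controlled] [page0]'."""
    name, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields if "=" in f)
    flags = {f for f in fields if "=" not in f}
    return Crash(name, int(kv["type"]), int(kv["addr"], 16),
                 int(kv["ip"], 16), "controlled" in flags, "page0" in flags)


def triage(c):
    """Apply only the rules stated in the comment; anything else is REVIEW."""
    # Rule: NX (Data Execution Prevention) violation -> exploitable.
    if c.av_type == AV_DEP:
        return EXPLOITABLE
    # Rule: read fail on the instruction pointer at or near 0
    # (the fetch itself faulted, so control flow already went astray).
    if c.av_type == AV_READ and c.fault_addr == c.ip and c.ip < NEAR_NULL:
        return PROBABLY
    # Rule: NULL read the attacker cannot steer, and page 0 cannot be
    # mapped in this process -> crash only.
    if (c.av_type == AV_READ and c.fault_addr < NEAR_NULL
            and not c.controlled and not c.page0):
        return DOS_ONLY
    return REVIEW


def queue(report):
    """Return (name, verdict) pairs, most urgent first."""
    crashes = [parse(l) for l in report.splitlines() if l.strip()]
    verdicts = [(c.name, triage(c)) for c in crashes]
    return sorted(verdicts, key=lambda v: ORDER.index(v[1]))


# Constructed sample records (not from any real game or crash dump).
SAMPLE = """
join_null    type=0 addr=0x00000000 ip=0x00401a2c
chat_dep     type=8 addr=0x0012f9c0 ip=0x0012f9c0
map_ipnull   type=0 addr=0x00000004 ip=0x00000004
skin_write   type=1 addr=0x0a3f0010 ip=0x0040b310
null_ctrl    type=0 addr=0x00000010 ip=0x00402200 controlled
"""

if __name__ == "__main__":
    for name, verdict in queue(SAMPLE):
        print(f"{name:12} {verdict}")
```

Crashes that match none of the three rules, such as the write fault and the attacker-influenced NULL read in the sample, are deliberately left as "needs manual review" rather than guessed at.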

Re:The remote shell is NOT a surprise (1)

gweihir (88907) | about a year and a half ago | (#41953441)

The attack stipulates the server-side is compromised. Updates come from the server-side. This is not a remote code execution, this is a compromised update server scenario, no need for any exploit at all. There is not much that can be done on client side to defend.

Re:The remote shell is NOT a surprise (1)

cbhacking (979169) | about a year and a half ago | (#41954551)

Good point on the distinction between server and client side, and the fact that a meaningful claim is actually being made here (two, really: first that it's possible to get arbitrary code execution on the server, second that it's possible to leverage that into arbitrary code execution on the client).

However, I don't quite buy your argument about updates. The update server is not usually the game server. Compromising a game server doesn't (in theory) let you send an update to the client, much less force them to install it. In practice, it sounds like the game servers have way more control over the connected clients than they should. Especially in the case of games where anybody who wants to can host a game (act as server), connecting to that server absolutely should not expose the client to arbitrary code execution. That's a huge security flaw.

Re:The remote shell is NOT a surprise (1)

icebraining (1313345) | about a year and a half ago | (#41946849)

That's an oversimplification. If the patches are signed and the update system verifies the signatures using well tested libraries, it's probably much harder to attack it that way instead of using any of the other "data entry points", even if that data isn't supposed to contain code.

Re:The remote shell is NOT a surprise (1)

gweihir (88907) | about a year and a half ago | (#41953445)

I agree, but only if the signature keys are off-line and well protected. This rarely seems to be the case though.

They focus on client level security to some extent (2)

sandytaru (1158959) | about a year and a half ago | (#41946557)

I have to do triple double or level security passes, including a one time security token, to get into quite a few MMOs. They had to; many RMT organizations made a profit hacking and looting accounts by using keyloggers to obtain passwords.

Re:They focus on client level security to some ext (0)

Anonymous Coward | about a year and a half ago | (#41947113)

This isn't about getting access to information through logging into an account, but abusing a wide back door that many people have to gather more personal information than even a MMO may have.

Since MW3 is on the same engine as the others... (1)

Hsien-Ko (1090623) | about a year and a half ago | (#41946599)

Wouldn't the rest of the series down to the original COD also be affected?

Re:Since MW3 is on the same engine as the others.. (0)

Anonymous Coward | about a year and a half ago | (#41946633)

Isn't there an exploit in the CoD4 dedicated server that allowed easy DDoS'ing? The last patch for CoD4 (on PC anyway) was back in June of 2008. I doubt they'll patch any exploit, unless it's the current game. Hell, I even doubt that.

Re:Since MW3 is on the same engine as the others.. (4, Informative)

Black LED (1957016) | about a year and a half ago | (#41946825)

They pretty much are. Some of these exploits have existed since the original id Tech 3 engine, from which Modern Warfare 3's engine is originally based. I've been using Luigi's proof of concept tools to do testing on old id Tech 3 engine games that I used to host servers on for years. With his advice I was able to work around certain problems, but not all of them.

I am not sure how bad the vulnerabilities have become, but back then it was generally buffer overflow exploits that allowed player clients to be crashed, servers to be crashed or even the master server to be crashed. There weren't any exploits that I would consider critical, but they were highly annoying.

They could stop these things... (1, Insightful)

blahplusplus (757119) | about a year and a half ago | (#41946615)

... by you know having LAN and private servers again so hacks don't take down the community. Security wouldn't be an issue for Diablo 3 if you could play the fucking game offline. But corporate greed and the dumb masses that feed the move to "online only" games this will become more frequent.

Re:They could stop these things... (0, Troll)

KingMotley (944240) | about a year and a half ago | (#41946645)

If the masses want something that YOU don't, it doesn't make them dumb; It just makes you the odd man out. Guess you are used to being there. I can see how that could make you bitter.

I like diablo 3 being online, sucks to be you.

Re:They could stop these things... (1, Insightful)

blahplusplus (757119) | about a year and a half ago | (#41946673)

"If the masses want something that YOU don't, it doesn't make them dumb"

Single player lag is such an awesome feature, that didn't exist in Diablo 1 + 2 because of morons like you who don't understand technology. Only a tech illiterate would say something like what you said.

Re:They could stop these things... (-1, Troll)

KingMotley (944240) | about a year and a half ago | (#41946737)

Hacks, cheats, and massive dups are such an awesome feature, that doesn't exist in Diablo 3 because they don't allow antisocial rejects to play offline by themselves.

Considering that a vast number of your previous posts degrade into nothing more than you trying to prove your awesomeness by insulting others, I'll just let the rest of your post slide and speak for itself. I'd wager that I am vastly more technical than you, and I understand sometimes people have opinions or desires that aren't an exact match of my own.

Re:They could stop these things... (5, Insightful)

blahplusplus (757119) | about a year and a half ago | (#41946821)

You believe all the propaganda they pushed to get you to accept DRM. Cheats have always been a natural part of playing games provided the player can control who you can play with. Cheaters could cheat to their hearts' content in private games and not affect anyone else. Private servers/LAN allow people to choose who they play with, when and where. These centralized servers create huge security and points of failure.

Not only that but cheating in a single player game you paid for - there's nothing wrong with it because it hurts no one. You are victim of gaming PR and propaganda. You accept broken and inferior products that's not a sign of a healthy mind.

Re:They could stop these things... (0)

KingMotley (944240) | about a year and a half ago | (#41947001)

I currently have no problems choosing who I play with, when, or where. As for centralized servers creating huge security and points of failure... LOL! Keep reaching.

As for the product being broken and inferior... Seems to work better than diablo 2 ever did. I don't see people running around online with hacked gear in 24 out of 25 games like I did in diablo 2. Seems diablo 1 & 2 were broken and inferior to me. I don't have to install hamachi or another type of VPN software and wonder if the game is going to work on a multi-homed network like so many LAN-only games. Or if it was going to throw up and lag when response times if they got over 10ms. Or if the game will belly up because the one guy running the server had his machine overclocked and it locked up. Or he had to go. Or after 2 hours getting somewhere everyone drops with a "sync error". Remember those? Yeah, me too. Haven't seen that happen once in diablo 3.

Seems you just value being able to cheat and hack more than just playing the game and having it work. I'll put up with a few instances of lag rather than hours of troubleshooting network issues with my not so technical friends, exposing my entire network or shares to random people on the internet through VPNs, and wasted hours of gaming because the game was designed for LAN play instead of internet play. Feel free to play diablo 2, I'm still enjoying diablo 3.

Re:They could stop these things... (1)

Anonymous Coward | about a year and a half ago | (#41947137)

I hardly had any of the problems you've had in past older games. There are tons of mods for Counter-strike, Team Fortress, etc with people running their own servers and quite successful. Hell, I was playing Tribes with 100+ players on private servers that hardly ever had any issues and were quite fast. Now they won't even let us play with more than 32 players if we're lucky, they're all focusing on 16 players max, and the lag right now is unbearable with these company DRM'd servers.

Re:They could stop these things... (1)

Anonymous Coward | about a year and a half ago | (#41947825)

Man, you're really some special kind of idiot. They don't NEED to make the game exclusively online for you to have your "non-antisocial reject" features (man, you're really worried about your own image to be typing like this. Projection much?)

They can just have a toggle "offline" / "online" and if they're worried about cheating, make it so offline characters can't go online. Don't fucking kid yourself, the only reason they require an internet connection is because it's a form of DRM.

Re:They could stop these things... (1)

Baloroth (2370816) | about a year and a half ago | (#41947917)

As for centralized servers creating huge security and points of failure... LOL! Keep reaching.

Ahem, you heard of Sony Playstation Network? If you haven't, you are grossly uninformed. If you have, you are an idiot for thinking as you do, and more of one for advertising your idiocy online.

Re:They could stop these things... (1)

KingMotley (944240) | about a year and a half ago | (#41953747)

Haven't you heard about the 0-day hacks infesting COD (Which are non-centralized servers)? Or the people who got hacked by using hamachi or other VPNs to set up LAN based games over the internet? Oh, how about Company of Heroes and their hacks since the servers aren't centralized, or their massive issues that STILL haven't been solved with people behind NATs. Guess you are grossly uninformed.

Re:They could stop these things... (1)

hairyfeet (841228) | about a year and a half ago | (#41947025)

I don't know if it's right to blame the people though, because when you are just pounded by propaganda day after day AFTER DAY it can be hard to separate the truth from the bullshit, especially about high tech where many might have trouble understanding enough of the fundamentals to really see where the truth and the bullshit meet. It's like that old saying "tell a truth, a half truth, and a lie together and people will believe it all" and with tech frankly they know so little about how it REALLY works that by just mixing a kernel of truth into their bullshit they can get people to go along.

That is why it's important that we geeks warn those that don't know better when they are being had. We have to be vigilant and point out the horseshit as often as we can because not everybody can know everything and tech is one of those subjects if you aren't REALLY interested enough to actually study it frankly many of the concepts will just woosh over your head.

Re:They could stop these things... (1)

blahplusplus (757119) | about a year and a half ago | (#41947651)

We were pounded by the same propaganda and didn't succumb. I agree with some of what you are saying as problems become more detailed and technical it's hard to figure out the truth.

But when it comes to games that have parts of their code taken hostage on the other side of the net for their SINGLE PLAYER component like diablo 3, most people (gamers) simply want to play and don't want to learn anything about how the tech works or how bad they are being ripped off. Those of us who grew up on PC games through the early PC and console era have seen the horrors, newer generations just accept the status quo by default because they never grew up playing 'those ugly old games'. They don't know/care about dedicated servers/LAN.

What's even worse most gamers in the know whine and buy the game anyway because they are addicted and most people are emotionally immature when they are emotionally attached to something like games, they find themselves defending insane points of view just because they have invested so much of themselves in terms of time inside a game or its characters. Now there's nothing wrong with this level of passion if you keep a level head, but modern gamers get robbed then turn around and defend the robber... that's a sign of stupidity.

The real problem is just people confuse how they are made to feel by propaganda with knowledge.

Re:They could stop these things... (1)

Anonymous Coward | about a year and a half ago | (#41947117)

The upside of cheating and hacking is that it allows modding in game features. These game companies don't care about the cheaters that cheat their system, they don't want YOU to modify the game to make it better that everyone starts playing your mod instead of their crappy game modes. They made you accept DRM with the excuse of cheaters and hackers ruining your public game like they made you accept TSA at airports because of terrorism. And let me add on that there are people that are cheating and hacking in Diablo 3 regardless of the DRM.

There are better ways to deal with actual public cheaters that ruin games, and DRM is not the answer.

Re:They could stop these things... (0)

Anonymous Coward | about a year and a half ago | (#41947969)

Not to mention the people getting online on Diablo 3 without ever having a battle.net account. That's some awesome DRM right there.

Re:They could stop these things... (1)

Opportunist (166417) | about a year and a half ago | (#41948819)

If someone plays only by himself, why should I care if he cheats?

I played D2 offline, as well as online, with online being only with friends or on the "official" closed Battle.net servers. One might see why I never had a problem with cheaters, either I was by myself or with friends that I knew and trusted, or if I had to play with strangers I went for the venue that is now the only one.

What's wrong with offering me this option?

Re:They could stop these things... (1)

KingMotley (944240) | about a year and a half ago | (#41953717)

Because the hacks, cheats, and dups were on the official battle.net servers. Then you'd have the griefers that would only come online to try and kill off hardcore characters until they got banned and they wouldn't care because they'd just go play offline or on non-battle.net servers. All that went away, and good riddance.

Re:They could stop these things... (2)

drinkypoo (153816) | about a year and a half ago | (#41946689)

No actually, the masses are dumb. They don't want their single player games to actually be multiplayer games. However, many of them have been led to believe it is a good thing via techniques of propaganda, which have time and again been proven to be effective at making people make poor decisions. The masses want someone else to make decisions for them. That's why we can't have libertarianism. It only works if people can make their own decisions responsibly, and most people don't even want to make their own decisions.

Re:They could stop these things... (3, Interesting)

hairyfeet (841228) | about a year and a half ago | (#41946991)

Because the people came to Blizzard with pitchforks and said "We want single player to be online only, with lots of lag and a real money market so you can assrape us on loot!"...ohhh wait, nobody wanted that but Blizzard, which is why I bought Torchlight II instead where I can host my own games and play SP without the net.

Re:They could stop these things... (1)

KingMotley (944240) | about a year and a half ago | (#41953785)

No, they said they were sick and tired of running into griefers, cheaters, and people who ruin the game for others.

Re:They could stop these things... (1)

hairyfeet (841228) | about a year and a half ago | (#41955105)

Funny, Torchlight 2 doesn't seem to have that problem, everything plays just fine. Hell, they even allow mods, which means the game will still be fresh and have new content years after they have moved onto TL3.

Don't fall for the bullshit friend, they've had anti-cheating tech like Punkbuster for years, the ONLY reason Diablo 3 was made online only was so they could rape your wallet with a real money market, that's all. Hell, look up any of Blizzard's talks before the release, they hardly talked about the game at all, it was ALL about their real money market, aka "Buy your progress instead of earn it"

Re:They could stop these things... (1)

cbhacking (979169) | about a year and a half ago | (#41946777)

Security would absolutely still be an issue. The scope of an attack might be lower, but the actual threat of compromise would still exist unless they removed the multiplayer functionality (clients and servers) entirely.

Re:They could stop these things... (5, Insightful)

blahplusplus (757119) | about a year and a half ago | (#41946899)

Well yes but THINK about having millions of people playing a SINGLE PLAYER GAME ONLINE, that means huge swaths of computers wouldn't have open ports/be communicating with servers at all if not for 'online drm'. Diablo 3 being a case in point, all these security issues are caused by gaming corporations wanting absolute control over everyone and everything in gaming.

The point is the whole centralization and DRM make security issues much bigger since companies tend to want control and as much information as possible about users and are careless with data. All that could be avoided if the multiplayer aspects of videogames didn't require being chained to online and all sorts of needing accounts, user info and other nonsense.

In Quake 3 you didn't need to sign up anywhere to play the damn game and you never had to give out emails or information to anybody. Not only that, requiring users to be online when they play single player just creates a huge attack surface.

Re:They could stop these things... (1)

ildon (413912) | about a year and a half ago | (#41951693)

Security wouldn't be an issue for Diablo 3 if you could play the fucking game offline.

False. If you could play Diablo 3 offline and on LAN, there would still be a significant portion of the population that would want to play it on the battle.net servers. Just like Diablo 2. And those people would still need to have these security concerns addressed.

Patch will soon be here (4, Funny)

Tr3vin (1220548) | about a year and a half ago | (#41946617)

On Tuesday the patch for MW3 will be released. Some know it as Black Ops II but it will practically ensure that nobody is left playing MW3.

Re:Patch will soon be here (4, Insightful)

Anonymous Coward | about a year and a half ago | (#41946783)

MW3. My mind will always translate it as Mech Warrior.

Re:Patch will soon be here (0)

Anonymous Coward | about a year and a half ago | (#41947145)

That reminds me.. When will the next Mech Warrior come out? I'm not talking about the online one either. A year ago there was a trailer for the restarted Mech Warrior franchise, going back in time before the Clan Wars I believe. The Atlas pilot in the trailer sucked though.

Re:Patch will soon be here (1)

Anonymous Coward | about a year and a half ago | (#41947273)

Cancelled. They didn't have the funding to make it, and apparently hadn't even started on it judging by how the MWO guys had to start with zero assets after the sublicensing deal.

Re:Patch will soon be here (1)

xhrit (915936) | about a year and a half ago | (#41954019)

The Mechwarrior 5 reboot became Mechwarrior online... and most Atlas pilots in Mechwarrior Online suck. MWO in general however is pure epic win. I personally have not had this much fun since Netmech replaced my nightly visits to Virtual World to play in the Tesla II pods.

In any case, it is the same as it always has been. Noobs will grab the biggest slowest mech they can, group all their weapons and try to alpha people, thinking they have an autowin button. They don't. It's not. I can run circles around an assault in my 35 ton light RVN-X2. And once I am behind an assault, it is very easy to stay behind it, and strip off layers of rear torso armor with lasers and streaks. And once the armor is gone, my twin machine guns will crit internals and it's all over. OMG so much fun.

http://mwomercs.com/media/video/3CWr3ZUQJeo [mwomercs.com]

Re:Patch will soon be here (0)

Anonymous Coward | about a year and a half ago | (#41954993)

Check out Hawken (http://www.playhawken.com), it's not exactly the same, but it's pretty cool.

Re:Patch will soon be here (1)

Anonymous Coward | about a year and a half ago | (#41947431)

Funny, my mind will always translate it as Moraff's World.

Re:Patch will soon be here (1)

gl4ss (559668) | about a year and a half ago | (#41948399)

Funny, my mind will always translate it as Moraff's World.

Damn man.. I had forgotten about Moraff's games totally. Was Moraff's World any good?

Re:Patch will soon be here (1)

jones_supa (887896) | about a year and a half ago | (#41948783)

MW3. My mind will always translate it as Mech Warrior.

Same here!

Re:Patch will soon be here (1)

ildon (413912) | about a year and a half ago | (#41951715)

Every time I see someone refer to Assassin's Creed 3 as "AC3" I read "Asheron's Call 3" in my head.

Cry me a river. (-1)

Anonymous Coward | about a year and a half ago | (#41946811)

It's a computer game we're talking about here. It's not like it's a banking or voting site. Not news worthy, and who cares if a few gamers in their mom's basements get some compromised accounts?

Re:Cry me a river. (0)

Anonymous Coward | about a year and a half ago | (#41947983)

Either way, it's client-server model hacking practice.
Most malicious hackers start out by breaking online games because it's easy to make a name for yourself in a game community when you're feeding everyone free hacks. Also, games can have the best of security for you to practice breaking. I've seen games that are not only protected by an anti-hack/debugger program, but also encrypted and run totally in a Themida VM. Have fun breaking that shit. If you do, you could probably get a job in security fairly easily.

captcha was "shelled" thought that was funny.

Hoi polloi (1)

tpotus (1856224) | about a year and a half ago | (#41946941)

The common will always serve the main. Please continue to serve up your shiny hardware for use, as if you even had a clue to what it means to open up ports to arbitrary root level apps. Bitches.

Dunia? (1)

fragMasterFlash (989911) | about a year and a half ago | (#41947213)

Anyone know if the Dunia [wikipedia.org] codebase forked from CryEngine before or after this vulnerability was introduced? I'd really like to enjoy some FarCry 3 during my year end holiday but I'd prefer not to get hacked.

Re:Dunia? (0)

Anonymous Coward | about a year and a half ago | (#41947905)

Yes, I can answer that q. That fork occurred many years ago, and there is almost no code in common now. You are safe to play FarCry 3!

There are two Dunia codebases (FarCry 3 and Watch Dogs) and they both contain almost entirely code written by Ubisoft Montreal, or other Ubisoft studios from around the world. There's virtually no code from the old CryEngine 1 left in Dunia. Even when we were making FarCry 2 there was very little of that code left; that's why we gave the engine the new name "Dunia" during FarCry 2, because so much of it had been rewritten that it was basically an all-new engine. Since then, Ubisoft has continued to change and improve Dunia even more (for Far Cry 3 and Watch Dogs) and Crytek has also been changing and improving their tech, producing CryEngine 2 for Crysis and CryEngine 3. After so many years of independent development, these two engines have almost zero percent of their code in common.

40 Comments and no console joke? (1)

JohnnyComeLately (725958) | about a year and a half ago | (#41947833)

HA! This is yet another piece of proof that consoles are better! NAH NAH :-)~ :) Go ahead, hack my console. Whatyagonnado? Jack up my Skyrim campaign. *Feigned Horror Scary Face* :O

Hahahahahah! (0)

WillyWanker (1502057) | about a year and a half ago | (#41948023)

It's so quaint they think anyone cares.

Luigi Auriemma is a security ass (0)

Anonymous Coward | about a year and a half ago | (#41948221)

Luigi Auriemma doesn't play the security researcher game properly, doesn't notify the software vendors about security issues, he just releases them. Often he releases them right after a patch has been released, and then claims that the vendor still hasn't fixed the issues.

I told you little pirates (1)

stormhalplus (2772115) | about a year and a half ago | (#41948647)

You will have to pay our software or you will get all of your computers cracked to the bones. We made sure that a hole was there for that matters. After all if a customer's computer gets penetrated, that's ... collateral damage. Besides you all accepted no guarantees when you purchased and you are the only ones who are going to suffer the consequences of our actions. So who cares :). The MW3 Staff

Well I'll Be... Do We Do Wop (1)

TheRealHocusLocus (2319802) | about a year and a half ago | (#41949107)

Vulnerable to hacks indeed. WELL... if these Call of Duty Black Ops server thingies have become a problem, a way to hurt people I say maybe we should call it a day and just shut them down.

'Cause we don't want to hurt people now do we.

Do we??
