Unreal Security Hole
Screaming Lunatic writes "There seems to be a big security hole in the Unreal engine that has been around for about 5 years. It affects servers for a number of games and operating systems, including Linux (which accounts for about 40% of UT2003 servers). Epic has been working on a patch for about 3 months. Imagine the bad publicity games would receive if a worm on the scale of Slammer had been created." A Bugtraq post from Thor Larholm of PivX says that Mark Rein of Epic threatened PivX with "getting our lawyers involved with this"; the TechTV article Larholm cites (the same one linked from this submission), however, contains no mention of legal action. Rein nonetheless apologized for "those completely unfortunate comments" in a followup message to Bugtraq.
My mother always told me never to disturb a hornet's nest. Those critters will come after you with all their fury. It seems that's what I did with my last column, "Free Software. Is it Worth the Cost?" (MIND, May 1999). I'm going to use this column to respond to the large amount of email received at the MIND offices in the last week.
First, I should say what these two columns are not. I'm not here to criticize Linux. I'm sure it's a fine operating system; its market share is substantial. Folks who use it seem satisfied. While I might have a few bones to pick with Linux as it stands today, I'm not interested in getting into a shouting match over Linux.
I'm also not interested in defending Microsoft. I don't wish to be drawn into an argument about the size, marketing practices, or quality of Microsoft code. That's not what this column is about. Frankly, a company as fast on its feet as Microsoft can change and thrive in almost any environment. I don't worry about its future.
This column is about the question: should intellectual property, more specifically software, be "free"?
Many respondents thought I was confused on the concept of free as it applied to software. They quoted the "think free speech, not free beer" statement from the Free Software Foundation Web site, http://www.fsf.org/philosophy/free-sw.html. I think I was on the money. For the definition of free, let's use the four freedoms listed on the FSF site, specifically on the URL listed above. The third of these freedoms is "The freedom to redistribute copies so you can help your neighbor." Well folks, if you can freely distribute copies of a program you didn't produce, it's pretty much free in the beer sense as well as the speech sense. It's the freedom to distribute that brings this back to a discussion about economics as well as freedom.
Reading the GNU manifesto (http://www.fsf.org/gnu/manifesto.html) is enlightening and I recommend anyone discussing this topic to do so. However, in its pure form, the GNU concept does envision a world where general-purpose software is freely available, a world where the programmers are hired for support of this public software. Boy, that's what I live for, maintaining someone else's code.
I like a world where a programmer can sit in a spare bedroom hacking away late at night. When the product is ready, the budding young entrepreneur can sell the product. All the toils of late-night development may then be rewarded with, among other things, a nice pile of cash. This flies in the face of the GNU concept where the product can be distributed by anyone to anyone. Per copy licenses allow a one-to-many multiplier when it comes to the value a programmer generates. Without it, a programmer is left selling his or her skills as a journeyman hacker to the large companies that use the freely distributed software.
If GNU software becomes the norm, of course programmers won't starve. To quote the manifesto, "The real reason programmers will not starve is that it will still be possible for them to get paid for programming; just not paid as much as now." That's a bright future for a high school counselor to put in front of a kid. Sure, some folks will program for the love of it, myself included. It's not a bad thing, though, to be paid and paid well for a program well written. A few companies are paying programmers to write either "free" software or open source software, but large companies like Apple and Netscape have license agreements that violate the spirit and even the word of the GNU General Public License.
This leads me to my last point. Many of the respondents jumped all over the fact that I stated "It's hard to compete if your competition is free" without mentioning Microsoft Internet Explorer. I have less than a thousand words to make a point in this column, so some things have to be understood, not stated explicitly. Of course Internet Explorer is free. However, the developers who wrote Internet Explorer were paid for their efforts.
Finally, last month's column has been used by many as an example of FUD by a Microsoft employee. I'm not, nor have I ever been, an employee of Microsoft. My column is written on my own, thousands of miles from the MIND offices. Now, clearly this column is published in a magazine produced by Microsoft employees, so I am not going to maintain that I am free to say just anything, but any censorship is self-imposed, not the result of pressure from Microsoft. The recently appended disclaimer at the foot of the column is the direct result of my editors wanting to disassociate themselves from my opinions while at the same time allowing me the space to state them.
These two columns have been about discussing the concept of intellectual property and whether it should be "free" or owned. Intelligent people can take either side of the argument. I'm not bashing the other side, I'm disagreeing with it. Folks on the "free" side ought to consider that there is another side to the issue and debate it intellectually, not emotionally. In any case, it's time to move on. I welcome opportunities to debate the topic in other arenas.
The opinions expressed herein are those of Douglas Boling and should not be construed as the opinions of Microsoft Corporation.
Troll 66 of 208 from the annals of the Troll Library.
So, how long until we see the "Monster Kill" virus begin to make the rounds?
WE ARE THE BORG
Lower your firewalls and surrender your computers. We will add your MP3s and bootleg movies to our own. Your lack of culture will adapt to service us.
Slashdot will be assimilated!
Resistance is futile!
Resistance is futile!
Resistance is futile!
Resistance is futil3!
Resistance is futil3!
Resistance is futil3!
R3sistance is futile!
R3sistance is futile!
R3sistance is futile!
RESISTANCE IS FUTILE.
RESISTANCE IS FUTILE.
RESISTANCE IS FUTILE.
Repeal the DMCA!
More at bluesnews.
There seems to be a big security hole in the Unreal engine that has been around for about 5 years
first off, that is damn lucky that this didn't get out till now. secondly, 5 years and they are finally working on a patch now sure sounds like another company we all know and love...*cough* M$ *cough*..
xao
xao
http://TheHillforum.hopto.org
and here i thought ut2k3 was just really good at killing time. does this mean we can all go up on terrorism charges now since we've used a device capable of bringing down network systems? =)
So, Microsoft makes Unreal? No way!!
-insert a witty something-
What If It Does Get Hit By A Worm Like Slammer? I'd have UT2003 withdrawals like a crackhead in rehab. Hurry up and patch it! But seriously, a hole that's been open for 5 years and just now been discovered and working on patching? C'mon Epic, you're not Microsoft.
I think that those responsible deserve at least a little credit for being so forward with not only the nature of the problem but their failure to attend to this earlier. It would be simple to take a MS-esque stance on this, but instead they're taking the bull by the horns.
Frankly, given the time that this exploit has been known amongst the internet community, I'm shocked UT servers haven't yet been utilized maliciously in this way.
"Stumble before you crawl"
The flaw in a netshell is that if you have autodownload turned on, you don't know what you might get.
Well no shit.
So, there may be code in a level you get from a server. Whoopde doo, Basil. Do you autodownload and install browser plugins?
It's just a flaw in the complete system of downloading maps from untrusted servers. Turn AD off, get your maps from an archive you trust.
Slammer_Worm is on a killing spree!
Slammer_Worm is on rampage!
Slammer_Worm is dominating!
Slammer_Worm is unstoppable!
Slammer_Worm is Godlike!!!
"I only speak the truth"
Karma: null(Mostly affected by an unassigned variable)
That bug is UNREALL!!!!! TOTALLY out of THIS WORLD!!!!
Am I the only one to see a whole generation being wasted by such games like CS? I know ppl who play it 12 hours a day, god damn it! If someone would compare the degeneration of health/brain etc from CS vs. Grass, I bet CS would win.
Sooo...what I wanted to say is that I hope that someone f**k the game-servers up so badly that these trapped gamerz can see what life has to offer!
I only want to hear about real security holes.
5... 4... 3... 2......
Lots of software has security holes. Games are no different... the difference with games is that they are not targets. It's interesting that this one was spotted, but it's no real surprise.
The poster mentions Slammer. The difference between Slammer and this is that Slammer affected "mission critical" systems, and there are pretty easily demonstrable monetary losses attributed to that worm.
In the case of Unreal, there are not many (if any) businesses (or lives) depending on this software. Hypothetically, someone who hosts games for a fee would get some complaints from customers. But really, a lot of the people affected would be "home users". And, let's face it, home users (including those running Linux) are really vulnerable to all kinds of attacks. This is just a drop in the bucket...
Of course, it'd still suck to get fucked over by this security flaw (just like all the others).
Down with Saudi Arabia!!!
A.C.K.W PoStErS
On February 5th, Luigi Auriemma of PivX Solutions released a tightly packed
advisory detailing multiple vulnerabilities in the Unreal network gaming
engine developed by Epic Games. These vulnerabilities affect both clients
and servers who are playing the plethora of games that are using the engine,
and have been readily exploitable for 5 years.
The press release:
http://www.pivx.com/press_releases/ueng-adv_pr.html
The advisory itself:
http://www.pivx.com/luigi/adv/ueng-adv.txt
Following both industry and personal standards, PivX gave Epic Games a
duration of 30 days to (at the very least) respond to our private
notification to them. After nothing had happened during that month we
prepared to release the advisory, yet once the press asked Epic Games for
comments they were suddenly very responsive. Promises to work closely with
us on the vulnerability and advisory were made and we managed to hold down
the press for several months after this. 60 days passed after this, without
any collaboration, honest effort or actual contact from Epic Games.
We released the advisory after 90 days had passed from the original vendor
notification. 90 days, in which we were played like fools, in which Epic
Games had ample time and sufficient opportunity to react and work with us on
a coordinated release. 90 days in which Epic Games, from the best of our
comprehension, had archived our communications in the trash, during which
we received no serious communication except for crisis handling at the
originally planned release time.
On February 6th, BluesNews (among many others) could cite a quote from Mark
Rein, Epic Games Vice President:
"I won't sugar coat this. We f***ed up on this. Yes this is real and yes
this was brought to our attention and yes we should have fixed it by now."
http://www.bluesnews.com/cgi-bin/board.pl?action=viewthread&threadid=39954
On February 11th the tides have changed, and TechTV are reporting public
legal threats from that same person:
"This is slanderous," he says. "They've taken this too far. We're getting
our lawyers involved with this."
http://www.techtv.com/news/security/story/0,24195,3417248,00.html
I fail to see how Mark Rein on one hand can publicly announce this to be a
real threat that they should have fixed earlier, and on the other hand can
announce the advisory to be false and malicious statements. There is no
slander or libel in any aspect of this, and the only imaginable outcome that
Mark Rein must have been aiming for by his declaration of lawyer involvement
is to silence future security research on Epic Games products through the
promise of unfounded barratry. As we know from precedents in the past, this
approach to security is counterproductive at best and encouraging for
underground security research at worst, and I can only hope for an official
retraction of this policy by Epic Games once other employees have had half a
minute to think about the implications and example that Mark Rein is setting
forth.
In the past, I have received better nonresponsive treatment by Microsoft
when their security handling was at its worst. Contrary to the vast
improvements that Microsoft has gone through over the last year and a half,
Epic Games did not even start to acknowledge the problem properly before a
full public disclosure had been made on February 5th.
I believe that Luigi, and all of PivX, has handled this issue in a
courteous, professional and ethical manner, and the uncoordinated release
that was its outcome stems from a direct result of a nonresponsive vendor
that at best is plainly ignorant and at worst acts directly against the best
interest and security of its own customers.
Regards
Thor Larholm
PivX Solutions, LLC - Senior Security Researcher
Latest PivX research: Multi-Vendor Unreal Engine Advisory
http://www.pivx.com/press_releases/ueng-adv_pr.html
I mean that. I simply can't believe it.
"threatened PivX with "getting our lawyers involved with this""
No, let's not let the lawyers get involved. They make enough per hour as it is - we don't need to pay anyone $250/hr to play Unreal Tournament for "case notes."
Wait.. then again, lawyers in Unreal Tournament games. Hrm. It could be an all-out fragfest on a level that nobody could have ever imagined before. I like that idea!
"I won't sugar coat this. We f***ed up on this. Yes this is real and yes this was brought to our attention and yes we should have fixed it by now."
:)
I get the feeling that I'll be in my cold, cold grave before Microsoft starts releasing statements like this
But seriously, it's nice to see a large company admitting it has "F***ed up".
Did PivX bother to notify any of the licensees that their games were exploitable?
--sex
Very popular slashdot journal for adul
Think about it. There are literally thousands of internet based applications in use every day, and they range from the obscure to the common on a wide variety of operating systems.
Just because your favorite (or even least favorite) app hasn't had a major hole found in it that doesn't mean it isn't there. You might be running a time-bomb on even the most secure of your systems and not even be aware.
Of course this is all obvious to anybody who has been online for a while.
It's been a question for years whether bug finders should go public with bug finds or contact the company directly as to the flaws and the extent of their risk. I think the Open Source community agrees that places like bugtraq and open forums are the best way to discuss holes and security risks. Although Mark Rein was a little over-reactive and zealous M$ and other companies should make more effort to help their users find bug reporting easy -- in an open environment. This would really speed up the patching process (the priority at least) as well as the overall quality of knowledge available to the users affected and the company whose product is at fault.
I think this adds some teeth to the popular notion that gamers, or at least the majority of them are, terrorists. Plain and simple. They are a threat to the security of the principles we hold dear in the United States of America, and the Right Honourable Prime Minister George Williamson Bush, Junior should consider binding legislation against anyone suspected of being in a gamer-terrorist cell.
A.C.K.W PoStErS
Thor,
I have sent your company an apology for those completely unfortunate
comments that I sincerely regret. We did provide an official statement
and I was not, at the time, aware that my verbal reaction, in a moment of
shock and surprise, was being captured for the article.
The comment was a complete over-reaction to seeing the list of games
including future games that have not yet been published. It had nothing
to do with the security issues themselves, the validity of the report, or
the way Pivx presented it to us. Pivx gave us more than fair enough
warning of the bugs and we simply failed to fix them in the allotted
time. We released a statement last week to the Unreal community
indicating that "we fucked up" in not addressing these concerns within
the given time and that we were already testing a patch with the security
issues corrected. In addition the official statement we gave pointed out
that we were fixing the holes and that the Pivx report was fair and
accurate. Licensees were already provided with the source code for the
security fixes.
Again this was a moment-of-stupidity reaction and I sincerely apologize
to Pivx and the entire security community. Epic has already stated that
we will take these matters far more seriously in the future.
Mark Rein,
Epic Games Inc.
Visit us at http://www.epicgames.com
Good. On. Mark. Rein.
He admitted that they screwed up. (or fucked up, as the case may be.) He lost it when pivx went public. Then he apologised for losing it, and admitted that pivx was entirely in the right.
This is about as much news as the bug itself. Not much.
"People who do stupid things with hazardous materials often die." -- Jim Davidson on alt.folklore.urban
that's why I've lost so many matches! Somebody is executing malicious code that screws up my aim and makes me play like crap.
Carmack? I hope you know about this .. please don't have security issues in Doom 3. That would really suck.
We're not talking GOATSE here, either folks!
I hate liberals. If you are a liberal, do not reply.
Servers out there. Simply create UDP packets and send them to 10000 servers and they will all respond to the place you want to DoS. Games are no safer than any other Internet-connected piece of software.
This should definitely get more attention now and in the future. The innocence of the internet is long dead (long live the king [of porn]).
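The reflection problem the comment above describes exists because a server answers a UDP query at whatever source address the packet claims. As an added example (not from this thread, and not Epic's actual patch), here is one common mitigation, a stateless challenge cookie bound to the claimed source address; the `\status\` / `\chal\` message layout, the `QueryGate` class and the addresses are constructed for illustration.

```python
import hashlib
import hmac
import os
import time

# Constructed wire format (an assumption, not the engine's real query protocol):
#   client -> server : \status\ + 16 hex chars (all "0" when no cookie is known yet)
#   server -> client : \chal\ + 16 hex chars   (never longer than the request)
QUERY = b"\\status\\"
CHALLENGE = b"\\chal\\"
COOKIE_HEX_LEN = 16
EMPTY_COOKIE = b"0" * COOKIE_HEX_LEN


class QueryGate:
    """Only sends the large status reply to addresses that echoed a cookie."""

    def __init__(self, status_provider, secret=None, window=30, clock=time.time):
        self._status = status_provider          # callable returning the status bytes
        self._secret = secret or os.urandom(32)
        self._window = window                   # cookie lifetime granularity, seconds
        self._clock = clock

    def _epoch(self):
        return int(self._clock() // self._window)

    def _cookie(self, addr, epoch):
        # The cookie is a keyed hash of the claimed source, so the server keeps
        # no per-client state and a cookie is useless from any other address.
        msg = f"{addr[0]}|{addr[1]}|{epoch}".encode()
        digest = hmac.new(self._secret, msg, hashlib.sha256).hexdigest()
        return digest[:COOKIE_HEX_LEN].encode()

    def _valid(self, addr, cookie):
        now = self._epoch()
        # Accept the current and previous epoch so a cookie survives a rollover.
        return any(hmac.compare_digest(cookie, self._cookie(addr, e))
                   for e in (now, now - 1))

    def handle(self, addr, payload):
        """Return the datagram to send back to addr, or None to stay silent."""
        if not payload.startswith(QUERY):
            return None
        cookie = payload[len(QUERY):]
        if len(cookie) != COOKIE_HEX_LEN:
            # Unpadded query: replying would send more bytes than we received.
            return None
        if self._valid(addr, cookie):
            return self._status()
        return CHALLENGE + self._cookie(addr, self._epoch())


def simulate():
    """Run a spoofed query and a genuine client through the gate (constructed data)."""
    now = [1000.0]
    status = b"\\hostname\\Constructed DM server" + b"\\player\\x" * 40
    gate = QueryGate(lambda: status, secret=b"k" * 32, window=30,
                     clock=lambda: now[0])
    victim = ("203.0.113.7", 7777)      # documentation-range address
    client = ("198.51.100.20", 40000)   # documentation-range address

    spoofed = QUERY + EMPTY_COOKIE      # packet claiming to come from the victim
    to_victim = gate.handle(victim, spoofed)

    challenge = gate.handle(client, QUERY + EMPTY_COOKIE)
    cookie = challenge[len(CHALLENGE):]
    to_client = gate.handle(client, QUERY + cookie)

    # A cookie issued to one address does not unlock replies toward another.
    replayed = gate.handle(victim, QUERY + cookie)

    now[0] += 60                        # two windows later the cookie has expired
    expired = gate.handle(client, QUERY + cookie)

    return {
        "spoofed_request_len": len(spoofed),
        "spoofed_reply_len": len(to_victim),
        "spoofed_got_status": to_victim == status,
        "client_got_status": to_client == status,
        "stolen_cookie_got_status": replayed == status,
        "expired_got_status": expired == status,
        "unpadded_reply": gate.handle(client, QUERY),
    }


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

A spoofed packet therefore costs the claimed source at most a reply no larger than the request, while a real client pays one extra round trip.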
Just like I've always said!! Windows is incredibly insecu.. ehh...
Um...oh. never mind.
teeker
Bill Gates called a news conference at Microsoft HQ in Redmond Washington.
Gates had slated a news conference regarding Microsoft's long-awaited "Return of Clippy" office suite. Gates was reportedly wearing sunglasses and a t-shirt that had printed, on the front, "fuck you, I have enough friends". He was holding what appeared to be a forty-ounce bottle of Miller Genuine Draft. Pouring a small amount of his beverage on the ground, Gates quipped "fuck this, nigga gotta get laid," before laying a patch in his plum-purple '69 Impala.
Showing robust shareholder interest, Microsoft's stock rose ten points.
~D:
Now they should make a movie, where some kid installs this on his dad's computer at work, and his dad just HAPPENS to be the scientist involved in working the computers that controls nuclear weapons, and they have to play unreal, and if they lose: the world will be destroyed, so they put the kid in some virtual reality suit so he can get inside the game and play for real and save the day. oh come on! it's as good a plot as any other videogame based movie, think of that and really tell me honestly that wouldn't be the plot of any unreal movie that came out....
-You're wasting your time. Alfador only likes me.
if he doesn't want to use the word 'fuck', why does he use it? oh, i guess it's for the children's sake, because they can't figure out what the missing word is.
Being a fairly regular UT2003 player I can honestly say there are not nearly as many servers out there as open MS SQL boxes. There are maybe a 1000 or so boxes at any one time running servers and the traffic is generally low.
I'd like the Moderators to experience a holocaust!
I think a worm targetting corporate computing environments that causes real economic damage is a LOT more important than a worm targetting "game servers". "Like Slammer". No, this is nothing like slammer.
That's quite a number of games that are affected. Epic probably can't issue patches for games that it doesn't own, so it's up to the engine licensees to do this.
I'm curious if PivX notified those developers before it issued its advisory. Some of the developers might have addressed this on their own if they were aware. Or is PivX trying to gain a bit of exposure by jumping the gun?
Switching to Quake III.
:-(
Just when me and my friends were putting the finishing touches of our college residence Unrealy Tourny level
Patch it! Patch it quick, I have to snipe! A day without "M-mmmonster KILL" ringing in my ears, is a day not worth waking up for.
Saskboy's blog is good. 9 out of 10 dentists agree.
... especially when the first demo gets put out. And then the first few point releases/patches/whatever. And let's not forget what that new 400mb mod can do to a poor ftp server when it suddenly becomes the Hot New Thing in gaming.
If that's not an invitation for the goatse.cx guy then I don't know what is...
GG
NEW MAP!!!!!!!!!!!!!!!!!!1111
GG EVARYBODY
ZEROSTUD IS A CHEATER
YEAH, I
OMFG UR TEH LAMER
SHUTUP, U CAMPING FAG
[FGP]-Killaz-X -0- LAG!
NO LAG U SUX
NO FUCK YOU
I GET 20 PING
U GUYS HERE ABOUT TEH SECURITY THING??!
GG
NEW MAP
LATZ, IM GONNA PLAY CS
FUCK YOU
KILLING SPREE
UR CHEATING
KICK HIM
STFU U LAMR, YUO SUK
VOTE ON NEW MAP
Interview - Bob Goatse - the passage of the century
Bob Goatse, semi-mythical figure and regular guest on the FC Forum, spoke to our special reporter in a telephone interview from his home on the Christmas Islands.
FC-uk: Hello? Hello? Mr Goatse?
Bob Goatse: (muffled) Where's the cellphone? I thought I heard it.
FC-uk: Hello?
Bob Goatse: (sounds of movement) Agh. Hello? Who's this?
FC-uk: Mr Goatse, I'm Huw Jaersal, calling from the UK. We were going to do an interview?
Bob Goatse: Sure. I remember. Sorry 'bout the mixup - I couldn't find the phone.
FC-uk: Couldn't remember where you'd put it?
Bob Goatse: Couldn't reach it when it rang, actually. Had to jump a bit to get to it.
FC-uk: Ah. On a high shelf?
Bob Goatse: Not really. Let's not talk about my phone, huh?
FC-uk: Sure. You've become quite a celebrity, Mr Goatse...
Bob Goatse: Bob
FC-uk: ...OK, Bob. Much like Mahir and the 'All Your Base' phenomenon, your fame is due to the internet. People think they know what you're like inside without getting to know the real you. Does that bother you?
Bob Goatse: It's a bit of a stretch, I'll admit. I feel I've put more work into my reputation than the others. Opened myself up more, you know.
FC-uk: The others?
Bob Goatse: Mahir - I mean, all he had to do was scan in a couple cheesy photos, put some silly greeting on his site, and he's doing ads for IBM. All your base - like, where did that come from?
FC-uk: So that bothers you?
Bob Goatse: Do you see me doing ads for IBM?
FC-uk: Well, no, but...
Bob Goatse: Or Microsoft? 'Suddenly everything fits'?
FC-uk: You've got to admit there's a certain niche appeal in what you do. Have you explored the idea of sponsorship or publicity?
Bob Goatse: The genie's out of the bottle now, son. You have a skill, and then before you can take a breath it's been circulated all the way across the world. Let me tell you - I go to talent scouts, theatrical agents, and I tell them my name. Know what they say?
FC-uk: Ah, no.
Bob Goatse: They laugh. They say 'we've seen that already, thanks'. Then they hang up.
FC-uk: So, what's next then?
Bob Goatse: I had a Vegas tour arranged before the pictures got out. Vegas, for Chrissake. 'The Amazing Goatse and his Magical Secret Pocket' - had the flyers and everything. That's gone.
FC-uk: I heard you worked as a drug mule for a while?
Bob Goatse: Who told you that? Why do you think I'm living on the frigging Christmas Islands now, huh? Two trips from Columbia and I've flooded the market. The price of cocaine in the entire state of Ohio dropped to half because they didn't realise how much I could carry. The drug barons want to put a cap in my ass now.
FC-uk: To limit it?
Bob Goatse: No, I mean they want to kill me. They weren't happy.
FC-uk: OK, moving on. Tell us some more about Bob Goatse. Is there a Mrs Goatse?
Bob Goatse: There is. We've been together ten years now.
FC-uk: And how does she feel about you?
Bob Goatse: Carefully, with a lot of lube.
FC-uk: No, I meant, uh,
Bob Goatse: Oh, I getcha! She loves the fame, but it's kinda 'through a glass darkly'. I mean, she says 'my husbands a star - he's Bob Goatse' and if people don't already know us, they say 'Yeah? Prove it', so I do. And they don't come round any more.
FC-uk: So tell us some more about those photographs. How did it happen?
Bob Goatse: Allergy
FC-uk: Sorry?
Bob Goatse: I've got an allergy to poppy seeds.
Fc-uk: Is it serious?
Bob Goatse: Not really. It only seriously affects a band of flesh about six inches long.
FC-uk: Where?
Bob Goatse: You've seen the photos. Where do you think? It began one night when we'd been out for a meal. I came home, and I itched. All over. So I got out of my clothes and started scratching. Gwen (that's Mrs Goatse) thought this was hilarious, and she began taking pictures of me in the lounge, scratching like an ape with fleas. We'd just bought a digital camera, see, and she figured this was a great joke.
FC-uk: And then what happened?
Bob Goatse: The itching got worse. Just in one place. Gwen's taking pictures, we've had a bit too much to drink, and it's driving me mad. I turn to her and I say - 'Look, hon, it's really stinging - can you see anything?'
FC-uk: What did she say?
Bob Goatse: She said it was echoing. So then she took a picture - that's the one everyone sees.
FC-uk: But there's a series, aren't there?
Bob Goatse: Kinda. Gwen's taking shots and laughing and I've had too much to drink and I'm trying anything I can get my hands on to stop the itching, and we end up taking forty or so pictures. By the time I'm done I've almost tried to get a back-scratcher there to stop the itching.
FC-uk: And then what?
Bob Goatse: See, there's the funny thing. It just went. Gone. No more itching. Sure, I'm RAW, I mean I've tried everything to stop the itching inside, but it's gone. So me and Gwen go to bed and sleep off too many bottles of red wine.
FC-uk: Why did you release the pictures?
Bob Goatse: We didn't release the pictures. We got burgled.
Fc-uk: And the camera?
Bob Goatse: Taken. We didn't tell the cops - how are we to say 'Well officer, you'll know it's ours because there's pictures of my ass in the card. Here's what it looks like so you'll know when you get it.' Gwen figured we should just write it off.
FC-uk: So when the pictures arrived?
Bob Goatse: That was the Stile Project. Made me into a star overnight. Gwen saw them first and thought it was funny. I realised pretty quick that someone in one of the major cartels was going to recognise my butt - it's not like we're all built for that kind of capacity. So it was time to move on.
FC-uk: You were trying to hide?
Bob Goatse: Something like that. You know how hard it is to hide when you're an icon? There's pictures of me all over the world, you know. Hell, there's even a 'net shrine to me hosted in Spain of all places. Home of the Inquisition becomes host to a church of butt-worshippers. Who makes this up?
FC-uk: But we don't see your face, do we?
Bob Goatse: Hell, no. But if you want to - where's the issue? I mean, you get a coupla Columbians in sharp suits waving 'that' picture around saying 'We want to see his face', people say 'You want help'. You get hundreds of geeks across the world saying 'What does Bob Goatse look like from the front', it's a joke. Sorta like 'Where's Waldo?' but for the very sick in the head.
FC-uk: But why's it an issue?
Bob Goatse: Hey, Sherlock - they might not all be geeks, might they? Christ, the chat rooms are fulla middle-aged Feds pretending to be 12-year-old girls, why can't you have a coupla pissed-off guys from a Columbian cartel pretending to be teenagers wanting to know what Bob Goatse looks like?
FC-uk: So you've tried to stay anonymous?
Bob Goatse: Yeah, right. Y'know, it's like God wants me in the spotlight. Put it this way - fall 2000 we go do a bit of sightseeing in NYC. Take in the tourist places, all of that. Gwen takes a shot of me on the observation deck - and when we get it back, it's like wow! There's me in the right of the picture, and there's New York behind me. Great shot. We bought a new camera, see?
Bastards.
FC-uk: What's the problem?
Bob Goatse: September 18th, I check out one of the bulletin boards and see the picture again. There's me - hat and glasses so my friends in Medellin won't recognise me - and someone's pasted a plane into the background. Next thing I know, I'm all over the friggin' 'net. Bob Goatse tries to hide and they latch on to me and make me into another freakin' joke, for Christ's sake. Don't get your pictures developed at Boots, that what I say.
FC-uk: You mean the 'Tourist of Death' pictures?
Bob Goatse: Oh, and thank you very much for making my day. You know how good it feels to be called that when you've got Escobar's little helpers looking for you day and night?
FC-uk: OK, the WTC guy.
Bob Goatse: That's better.
FC-uk: So what's next on the horizon for you, Bob?
Bob Goatse: I've finally found an agent, so we're going to go into merchandising. GoatseGoods.com - that's the plan.
FC-uk: What sort of merchandising?
Bob Goatse: Novelty items. Mousemats, t-shirts, that kind of thing. We're working on an icon set for windows at the moment - your trashcan becomes 'that' picture. Latest idea - an inflatable 'Bob Butt' to fit over your real wastebin in the office. Those basketball nets are an old idea - this'll give it a new bit of life. There's talk of a whole range of clothes - like if Heidi Fleiss can do it, then I can: 'red cavern outerwear - cover yourself!'.
FC-uk: Any other plans?
Bob Goatse: That's enough for now, don't you think?
FC-uk: There's been some talk of a career in adult films, for example?
Bob Goatse: You can stick that right up your.... Anyway, Gwen won't allow it. She doesn't want me going near another camera for a while. Same with the Jim Rose Circus. I'm just too distinctive now, that's the problem.
FC-uk: We understand. Thanks for your time, Mr Goatse.
Bob Goatse: Bob. It's been a pleasure.
Repeal the DMCA!
..when the only weapons you have are a pair of Enforcers.
Those damn guns are just too fantastic not to use. High rate of fire (when you have two), good accuracy, no splash damage to yourself in a fire fight, pretty dangerous if you can keep your cross hairs on your opponent's head.
Lobbing the Gravity Vortex or flying a Redeemer missile into a large bunch of players to get the M-Kill seems like cheating!
What's really amazing about this flaw is that GameSpy and its ilk unwittingly offer thousands of IP addresses from which possible DOS attacks may originate. Part of running an Unreal server involves sending "heartbeats" to the master servers of your choice advertising your IP so that other players may easily connect.
No port scanning any IP ranges to determine what services available is needed.
That's like Microsoft providing a web page showing which IIS servers are still affected by code red and showing their IP's.
Praying for the end of your wide-awake nightmare.
Guns, rocket launchers, women: good
Worms, security holes, f'ing smiley face proxy mines, Microsoft: bad
mmmkay?
What has happened to Epic? They have gone from being the creators of some of my favourite games, to releasing two disappointing games in six months, doctoring pre-release photos to make them look spiffy, not releasing demos, making slurs against female gamers (again with Mark Rein) taking playable female avatars out of their games and replacing them with BMX XXX style eye candy for the guys who think that kind of thing makes up for lame gameplay. No demo for Unreal 2, short, mediocre single player Unreal 2 and UT 2003, average maps, no online play for Unreal 2, buggy releases, taking all the stuff out of UT that made it fun, telling their fans who can't play UT 2003 because of their idiotic disc security to go find an "exe" replacement, and linking to a page from their forums that also has for download (ta da!) a key generator for UT 2003. ALSO - focusing on making console stuff and giving PC users second rate, dumbed down, and simplified ports of XBox games...
I hope they get their act together, because at their best, they are inspired with a lot of talented people on board. But what is going on?? Perhaps they need to reassess and re-build and somehow find that pure love of making a well crafted game instead of a graphics demo for their engine. I hope they succeed.
You are a shithead. Everything you stand for supports terrorism and as a result there are angry U.S. soldiers being air dropped over your house to stamp their jack boots down on your neck bitches.
With all these knuckleheads with too much time on their hands, trying to find as many holes, exploits and bugs in commercial and os software... It's about time they finally started popping up in games and entertainment as well. I find it rather funny that this hasn't happened more often, but I suppose that if you were to break it down, people who are hardcore gamers are probably a fair bit more knowledgeable about exploits and the like than your average sysadmin.
:)
(I'm serious! And you know it's true... even if you deny it!)
IT'S A TRAP!
[/Admiral Akbar]
It can't be real ;-)
that carmack left in there with an ip specified specifically from id software would allow complete control? Basically, the server watched for a packet from a specific server and would do anything it wanted.
Well after 2 years of unemployment, toqer is getting into the game house business. That's right, 40 computers T1, the works. I know that my users will be 10 times smarter than the average corporate user and 1/2 the age!
(dum bum bum)
Joking aside, from personal experience I say we're all doomed to open mouth insert foot once in a while, and Marc Rein is no exception. Before you disagree with me or mod me down, let me remind you all of what a *ASSET* epic has been to the gaming community.
Unreal is cross platform, no waiting, it was there pretty much day 1. You can play UT2003 on win or lin.
In regards to my future business, epic has THE BEST licensing compared to EA, Valve, Activision and blizzard, their license is basically "You buy it retail, go ahead and load it on your rental computer" The aforementioned companies want indefinite license fees and Epic doesn't.
Despite home PC gaming being the best, I know the gamehouse community will grow because not everyone can afford 50 P4 3ghz with hyperthreading. As long as the gamehouses keep their technology ahead of the "home curve" they will become a dominating force for showcasing games, a marketing tool if you will. Epic understands this and wants to see this happen.
Epic has been good to the gaming community, and since Marc was grown up enough to apologize, we should be grown up enough to forgive him.
Sorry I can't stop talking about the gamehouse thing....Since I know some devs (Even Carmack at ID) read slash, hopefully if I get modded up enough they'll read this.
To: EA, Valve, Activision and blizzard
Your indefinite contracts suck. Gamehouses are Synonymous with arcades with one vital difference... You do not provide the actual hardware. The owner of the facility provides hardware at a HUGE cost. Try pricing a gamehouse built on Dells sometime and see, the monthly cost of lease / and or buy is crazy. Don't be cheap about it either, price all top of the line and see what you come up with.
The thing you guys don't see is that gamehouse could be the new retail outlet for your games. Licensing shmicening, send me a box of your product to sell on consignment, and I GUARANTEE I would sell out those boxes faster than any single fry's or compusa store. Just find 1 gamehouse to TRY it with as an experiment, see if you sell more.
Kudos, however, to Epic for later retracting it.
Not so much a sig as a lack of one.
If there's as many Unreal Servers as MS SQL servers and as many firewalls forwarding the ports, then something's just not right with the internet world...
Then again, many things are not right with the internet world [shrugs]
The past 15 years of life all in one.
I like it better when you surpass "M-M-Monster Kill" and the announcer says , "Holy Shit!"
It's only a game so how long does it take to fix a bug like this, for a game? It shouldn't take that long, it's not an operating system. Well I guess we can say that Microsoft isn't the only company with bugs left unfixed.
Frankly, if you're someone who routinely writes "ppl" in place of "people" you're already demonstrating such severe degeneration of health/brain that you may already be a lost cause.
Sooo...what I wanted to say is that I hope that someone f**k the game-servers up so badly that these trapped gamerz can see what life has to offer!
Might I suggest you take some of the same advice you give to these "gamerz" and check out what life has to offer. It appears to be passing you by.
"They do not preach that their god will rouse them, a little before the Nuts work loose." Kipling, 'The Sons of Martha'
It is likely that this whole f#ck up was caused by clueless middle people at Epic. Those that have no frigging clue about what security people do in situations like this. I am pretty sure they also could not be bothered to research the consequences of their silence.
Hopefully this story gets more publicity so that even the least informed ones get a clue that ignoring vulnerabilities is a BAD thing to do!!!
Now I guess when someone says they '0wnz j00' they might really mean it. ;)
-- There was no way I was getting sniped in my fly hiding spot on the side of the Red Tower. I mean what Blue guy would even be looking there? Had to be a bug of some kind! --
This
Imagine the bad publicity games would receive if a worm on the scale of Slammer had been created.
I wouldn't mind seeing which bank used unreal servers in their ATMs :)
Report the REAL security holes, dagnabbitall!
"But the cars are all flashing me, bright lights are passing me, I feel life passing me by" - Stiff Little Fingers
Well, if the security hole is unreal, then why are we worrying about it? The definition of unreal is non-existent... Oh, wait, you're talking about the GAME unreal! My mistake :-)
now they're posting FAKE security holes... Unreal Security Hole
~Jon
This space for rent, inquire within.
This is not very different from the Gamespy vulnerability posted here about a month ago. This vulnerability also lets the attacker crash the server instead of just using it for a DDOS attack. What do you guys think is more likely, that a script kiddie will use a l337 h4ck to try to DDOS yahoo, or that he'll just try to take down every unreal server on the internet?
I just wonder if this was caused by a drunken programmer that decided that avoiding a handshake would optimize the network code, or by just a network programmer that didn't even know what a handshake is. If this happened in my company I'd wish it was the former, not the latter.
...how lazy game manufacturers are now a days and how little they care about game issues until something like this happens.
Dolemite
Save the World! Use a Quote!
Many moons ago I used to host a dedicated Unreal Tournament server named "Mr.Toad's Wild Ride". It was on a P3-550 running RedHat 6. The only Linux box in my cabinet, all the other servers were FreeBSD.
One day my network went to crap, and I found that the switch had been overloaded with bogus MAC addresses. Turns out someone had hacked the Unreal Tournament box and put a very nasty packet sniffer on it. (Thank the gods for ssh.)
I had always assumed it was just the default state of a RedHat 6 box that had been easily cracked.
-Chris
-- This sig is only a test. If this were a real sig it would say something witty. --
While I agree that MS may do some things to keep their market share up which could be considered monopolistic, they have MANY valid reasons to exclude Java from Windows. They shouldn't be forced to include ANY 3rd party app in Windows. They make it easy to install Sun's Java if a user wants. That's good enough. I personally hate Sun's Java. It's a hog of resources on your system and the applications written for it are slow too. Sun is more than welcome to include their "crap" in their Unix/Linux OSs. Do you think that if MS developed
By the way... I was a 5 year Java developer. I tried
So funny because it's true.
I guess most Unreal tournament players are sub-adults.
The man who trades freedom for security does not deserve nor will he ever receive either. - Benjamin Franklin
You know the figures, 7x faster than J2EE with 1/4th the code. It's true, I've developed in both and will attest to it.
Open source is great, I'll switch as soon as ASP.Net is ported to Linux. Till then, gimme my
Kazaa's next legal defense will be that their software is not a file-sharing service but really an instant messaging server with a security hole that can be exploited to give access to a user's hard drive.
Ergonomica Auctorita Illico!
Any company that chooses .net over other alternatives will get what they deserve. That will be a high cost in the future in the form of never ending payments to Microsoft.
.net without any knowledge of Microsoft's future pricing policies, commitment requirements and security policies.
Microsoft has demonstrated time and again that the customer comes second to Microsoft revenue.
A company IT manager should be fired for even recommending a committal to
These same companies will also be helping MS in their attempt to completely control internet standards. Control of standards by Microsoft will stifle competition and further ensure the company's future cost will be high.
http://saveie6.com/
what about the 'unlimited nukes' virus? Or the auto targeting lightning gun.
Do you need a website upgrade?
- Local and remote denial of service.
- Distributed denial of service (flooding remote computers with data packets to freeze it).
- Bounce attacks with spoofed UDP packets
This bit sounds an awful lot like the GameSpy reflection attack: you send them a forged UDP packet asking for some resource, they send out 400 times as much data to the poor bloke whose IP you put on it. Rinse, lather, repeat and you have yourself a pretty big DRDOS (not the guys MS killed, rather a Distributed Reflection Denial Of Service).
I hereby place the above post in the public domain.
Courtesy of Google Groups
Hey I'm a marketing number to be counted too.
... it's not connected to a network!" Smoe
-Joe "I Don't give a shite if my gamebox is hacked
(Also a 29 year old marketing d00d trying to figure out how many Unique Page Views per day slashdot gets to compare the vastness of the scheme of things;.)
If you really want to be paranoid, you can run a server inside a User Mode Linux VM which is only a little slower than a real box (only the system calls are emulated, not the instructions) and iptables on all IP connections into and out of the box.
It wouldn't solve every problem, but it would reduce the ill-effects of most worms.
Way back in the days of Quake 1, there was a problem with Quake 1 servers--if you sent a spoofed connect packet (20 bytes) to them, they would respond with like 5000 bytes to the source address.. this is a case where it magnifies amount of traffic from the original source. There was a program called quakewar that exploited this. They fixed this for QuakeWorld, Quake2, 3, and all games based off these (Half-Life is based off QuakeWorld and Quake).. basically instead of responding with all the information necessary for the client to get in sync with the server, they send back a random number (a string actually about 8 bytes) that the connecting client must in turn send back. If the server never receives this, it won't proceed to send lots of data to the source address. I did a bit of stuff with a simple quakeworld proxy before so I'm sure about how this handshaking happens for Quake protocol games. Sure you can get all 10000 Half-Life servers to respond to someone, but it won't be much more data than you could send out yourself. I assume the Unreal problem is that it doesn't do this little handshaking to make sure the source is real.
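The challenge handshake described in the comment above, sketched from the server side as an added example; it is not part of the original thread and is not id Software's or Epic's code. The message names `getchallenge` and `connect`, the 5000-byte payload, and the 10-second window are assumptions, and the 8-byte challenge is derived with an HMAC over the claimed source address instead of being a stored random string, so the server keeps no per-address state.

```python
import hashlib
import hmac
import os
import struct
import time

# Constructed sizes for illustration; real game protocols differ.
SERVER_INFO = b"x" * 5000      # stands in for the large connect reply
CHALLENGE_WINDOW = 10          # seconds a challenge stays valid


class ChallengeServer:
    """Hypothetical UDP connect handler: the large reply is only sent to an
    address that has echoed back a challenge the server issued to it."""

    def __init__(self, secret=None):
        self.secret = secret or os.urandom(32)

    def _token(self, addr, epoch):
        # Bind the token to the claimed source IP/port and a time window.
        msg = f"{addr[0]}:{addr[1]}".encode() + struct.pack("!Q", epoch)
        return hmac.new(self.secret, msg, hashlib.sha256).digest()[:8]

    def handle(self, packet, addr, now=None):
        """Return the bytes the server would send to addr (b"" means drop)."""
        now = time.time() if now is None else now
        epoch = int(now) // CHALLENGE_WINDOW
        if packet == b"getchallenge":
            # Small fixed-size reply, so there is little to amplify.
            return b"challenge " + self._token(addr, epoch).hex().encode()
        if packet.startswith(b"connect "):
            try:
                echoed = bytes.fromhex(packet[8:].decode("ascii"))
            except ValueError:      # also covers UnicodeDecodeError
                return b""
            # Accept the current and previous window to tolerate rollover.
            for e in (epoch, epoch - 1):
                if hmac.compare_digest(echoed, self._token(addr, e)):
                    return SERVER_INFO
        return b""


def amplification(request, reply):
    """Bytes sent to the claimed source per byte received."""
    return len(reply) / len(request)


def demo():
    srv = ChallengeServer(secret=b"k" * 32)
    forged = ("192.0.2.10", 27015)     # forged source (documentation range)
    client = ("198.51.100.7", 40000)   # genuine client
    t = 1_000_000
    # A sender forging the source never sees the challenge, so it can only guess.
    spoofed = srv.handle(b"connect " + b"00" * 8, forged, now=t)
    challenge = srv.handle(b"getchallenge", client, now=t)
    token = challenge.split(b" ")[1]
    genuine = srv.handle(b"connect " + token, client, now=t + 3)
    return spoofed, challenge, genuine
```

The only reply an unverified address can trigger is the 26-byte challenge, so the worst-case ratio of reply to request stays near 2 instead of the 20-to-5000 ratio the comment describes.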
I'm very disappointed that many ISVs only get serious about security when someone rats to the press. As a member of the press, I'm all for it :) but it's still disappointing.
Rather like those investigative shows on TV which examine cases of customers getting raw deals, often for years, from vendors/shops/etc. But when the journos arrive, they're all smiles and terribly-sorry-we'll-make-it-all-better, paying off that one customer and still ignoring the many who are still being screwed the same way.
Why does it have to get to the stage of negative publicity before firms get a clue about customer service? Commercial reasons, obviously - customer care is overhead - but it's still sad.
...HOLY SHIT!
Which I suppose is what people would have been saying if a major exploit was ever created/and spread to their machine.
Are you local? There's nothing for you here!
A first security patch solving the main issues has been released to the licensees about a week ago. The second one was released yesterday and solves most other issues.
It's been around for a long time but as far as I know this security issue hasn't been abused yet.
Of course the fact that Epic released patches doesn't mean that all the games using Unreal have been patched yet.
One of the exploits allows you to run your own code on the machine running an unreal engined game. It should be possible to exploit this bug on the xbox with Unreal Championship, too. That would be a way to run unsigned code on an unmodified xbox. Unreal Championship would be something like a boot cd for linux.
As far as I know Xbox games are running at Ring 0 for speed reasons, so it should be possible to get complete control over the xbox and run Linux or other code without a modchip. Other networked games could have similar problems, so that scheme could work with other networked games too.
Jan
And why are you saying I am in shitty company? I'm not a website administrator you fucking moron.
I hate liberals. If you are a liberal, do not reply.
Saying there isn't going to be a lawsuit
Figure I'd toss in my 1/50 of a Euro at current exchange rates.
"The Sage treasures Unity and measures all things by it" - Lao Tzu
The one reason I was hesitant to play Unreal Tournament on the web was because there seems to be no way to stop it from automatically downloading new maps.
I routinely scan all my downloads if I'm not familiar with the server.
A goal is a dream with a deadline
I'll know better next time.
Date: November 26, 2002
r ibes 2
Released: January 16, 2002
Version: All up to current.
Bug: Server status port replies to spoofed UDP packets
with large amount of data.
Affected Games:
Quake
Quake 2
Q3: Arena
Half-Life
Counter-Strike
Sin
Soldier of Fortune
Daikatana
Unreal Tourn.
Quakeworld
Unreal
Rune
Gore
Tribes
T
Serious Sam
Serious Sam 2
CC: Renegade
Global Operations
Jedi Knight 2
Battlefield 1942
America's Army
Unreal Tournament 2003
Return to Castle Wolfenstein
Medal of Honour Allied Assault
SoF2 Double Helix
SoF2 Double Helix Demo
Alien vs Predator 2
NeverWinter Nights
V8 Supercar Challenge
UDP is a connectionless protocol of which the source ip and port can easily be spoofed. If you've read the introduction, you can probably
see where I'm going with this.
The BF1942 status port will reply to an amazing amount of requests, and although I have only personally tested this to 50 kbytes/sec, I
don't see any reason why you couldn't go even higher.
When these requests are received, the reply is sent to the source host which, in this case, we have spoofed. This causes a huge packet flood
to your victim, therefore you now have your DoS.
When tested, a single upstream of 4 k/s to the BF1942 server yielded over 550 k/s being sent to the victim host. When the victim's host
receives these packets on a UDP port which is open (commonly found to be 135 (MS/DCE RPC), 53 (DNS), and so on), the downstream to that connection will be flooded. If you sent to an unreachable port on the victim's host, the victim's stack will respond with "Unreachable"
responses which will also flood their upstream.
A personal firewall such as ZoneAlarm will not prevent this DoS, as it is simply a flood of information being sent directly to the victim's computer. To stop this DoS from reaching the victim, the port you specify would have to be blocked before reaching their system. Ports you would find particularly useless would be ones that are commonly blocked by ISPs before reaching the customers: (139/NetBIOS, and so on). A firewall will only prevent the victim from responding with ICMP Unreachable packets.
* Packets can be sent steadily, no wait time needed for refresh.
This is an attack that can easily flood any system slower than the game server, and do it anonymously because the UDP packet source is spoofed to that of the victim. This is very similar to the "smurf" attack that was used in the late 20th century. =)
The attack does not only affect the bandwidth of the host and the victim, but it also tends to eat up a nice chunk of memory and CPU power on the server.
This low amount of required upstream would allow a simple modem user to send a hefty DoS to a T1 or higher.
Due to the fact that Battlefield 1942 servers tend to require a lot of bandwidth to operate, you are very likely to find that nearly any server will have more than enough bandwidth to handle the task. EA has many of their servers hosted on OC3 lines.
In many ways, this exceeds the severity of the smurf attack method.
Example theory of risk:
T1 (1.54 mbps) FULL DoS:
1 server needed @ ~220 k/s or more (a 20 player server will do).
1 - 2 k/s* upstream needed from attacker (~14.4 baud modem)
A single user dialed up at 14,400 bps can topple a T1.
A single dial-up at 56k (31.2kbit up) could DoS 2 T1s at a time.
Worst of all, proof-of-concept code is in the wild =/
More information at Securityfocus. This is the remote exploit which seems to be a UDP amplifier.
If all ISPs actively put in anti-spoofing filters on all their routers then this type of denial of service attack could be greatly reduced as blackhats would only be able to spoof IPs & UDP services to their own segments.
But no, most ISPs probably take a router out of the box, type a few commands and take it into production.
and mod me down to redundant if you like, as this has been said before in a hundred other threads
you admit you are just repeating what you read elsewhere?
-1 Blatant
Didn't you know that's what it meant when people said, "I OWNERZ JOO!!"?
You may not have gotten first post, but you got BEST POST.