f13.net

Original post: http://seclists.org/fulldisclosure/2012/Jul/375

Mass media articles are calling it a "rootkit" but it doesn't seem that that's really the case (i.e. it doesn't patch the OS at a low level). Forbes article: Hacker Claims Ubisoft "Uplay" DRM Is A Rootkit And Poses Security Risk (http://www.forbes.com/sites/adriankingsleyhughes/2012/07/30/hacker-claims-ubisoft-uplay-drm-is-a-rootkit-and-poses-security-risk/)

Supposedly Ubisoft has released a "forced patch" to "fix" this issue:

http://www.strategyinformer.com/news/19190/ubisoft-patches-uplay-rootkit-issue

The harder they try to squeeze, the more cash will slip through their fingers.

Yeah but you know, they lost Sinij's rubles at least.

Da svidaniya, comrade.

Those statistics are meaningless because the AC series (like 90% of mainstream games) really focuses on console releases, which are unaffected by Ubisoft's draconian DRM. At this point I really wonder why they bother releasing them on PC; they get such negative press every time they do shit like this that it risks damaging their brand of mostly solid console titles.

I suspect their PC sales figures are just fine.

Sales don't mean profits rk47.

Be very careful about Ubisoft's "sales" figures. A lot of that isn't actually real. Take a look at how they shuffle numbers from one subsidiary group to another. Better yet, take a look at the parent company and see what's going on. At the end of the day, they've been losing a lot of money, and it's pretty well buried in their financials.

Better yet, take a look at how they "sold" 9M copies of Assassin's Creed 2, yet lost $59M that same year. It doesn't add up, and the reason is they enjoy some very creative accounting.

Heh, Firefox just killed my UPlay plugin  :awesome_for_real:

Ubisoft's DRM could be considered draconian right up to the point that Diablo 3 launched.

Oh come on, I'm not a D3 fan but let's not be sandy vaginas about it. D3 is an online game, same as LoL or any mmo, it may be offensive to make D3 online but that's not the same as DRM.

Ubisoft's online-only DRM is pretty much exactly the same as D3's.

Except for the whole remote access thing?

You mean with the Uplay Passport that costs $9.99 just to access their DRM?

You mean the security flaw that they patched?

And Paelos, the Passport is the same online pass code that EA, THQ, and the rest have started doing. Shit, I'd pay Blizzard an extra $9.99 for an offline mode for D3.

Just for the record, I never bought any of the DRM-contaminated Assassins Creed sequels despite wanting to. So Sinji is not the only one. I just don't make a big deal out of whom I don't give money to, which isn't the same as condoning such practices.

D3 is an online game, you couldn't play it offline if you wanted to because many files(specifically loot) are kept server side.   You can still crack ubisoft games and play them fully offline, you can't really do that with D3 or other online games.  Yes they are similar and offensive in their own respect but it's really apples and oranges.

I'm another who avoids Ubisoft games because of their DRM and on-line requirement. Did the same for D3 (requiring me to be online while I play single player games [and that's what D3 is to me] just bugs the shit out of me).

They are different, but it had the same affect for me.

Exactly, and take a look at their stock holdings as of late. They blow. It's a terrible business idea and it's costing them money.

I will never pay Ubisoft for another game, no matter what it is while they continue this practice.

EDIT: I mean FFS, THQ just did a reverse split to keep it's stock from being DELISTED. The company is in terrible shape, and EA is at the lowest it's been in over 13 years.

Count me in on this as well. I bought the first AC on the 360 used because I didn't want to get these assholes any money, and I've avoided all of the AC games on PC because of the DRM, even ones that didn't have that DRM.

So reading a bit: Uplay isn't the DRM, or even part of the DRM.

The flaw was in their wonky "all our games" central launcher thing, which included a browser plugin to launch the games. The plugin accepted far too much about what to launch, which was the arbitrary code execution flaw.

While installed with the games, it's got shit to do with their DRM or always on anything: it's an attempt to make a browser launch page nobody gives a shit about that failed pretty hard.

Uplay is part of the DRM. When Uplay is down, like it was at the start of the Steam Summer sale, you can't play those games.

Doesn't Ubi crank back the DRM to "check on start" instead of "always online" so long after release?

Pretty sure I remember that for AC2, as I held off buying it until I read that changed (and it got below $10, coincidentally).

They have the same back end servers (auth wise), but the browser plugin in question is not part of the DRM.

I host a dozen products out of my datacenter. If my DC goes dark, product A and product B do not work. This does not mean they're the same product.

This is me nit picking along the same lines as the "it's a root kit!" news bullshit. It's an arbitrary code execution exploit in a browser plugin for their game launcher page. The plugin is not required for the DRM to function, and it's only relation to the DRM is that it's installed by the game's installer. If you disable this plugin, your ubisoft games will still start with no hacked exerequired. Ergo, not part of the DRM.

I'm fine with bitching about Ubi's shit DRM, I just get annoyed by poor representations of exploit severity and impact. I'll also rant for an hour about how "local denial of service" is not a good way to describe "our code has a crash bug that would never have been called a denial of service exploit in the 90s"

It's not a rootkit. Then again, I don't think it really matters if it isn't.

The fact is that Ubisoft is becoming notorious for putting in DRM wrapped in the guise of a "service". If they can provide an actual service out of this Uplay thing (ie - gamer options, trading post, multiplayer matching, discounts, etc) then it makes more interesting and palatable. That's a give and take with the consumer I can at least understand and respect. In that regard, Ubisoft gets the understanding that the gamers are buying their product, and the gamers get some value for actually being online constantly. That service also has to work, remain stable, not give your computer AIDS, and actually do what it promises.

You said:
Uplay *is* part of the DRM.

Simple question: if you disable this plugin, can you start a DRM protected game?

The answer is yes, because the plugin is never used by the DRM. Uplay's auth servers may be part of the DRM, but the browser plugin has no functional relation to digital rights management in any way, shape or form. It is not used to authenticate or verify the ability to launch the application, it is not required to be on the system or enabled to run the application. It's a web launcher. A really really stupid one that never actually checks to see what it should be allowed to launch.

It's not a rootkit, and it's not DRM. It IS quietly installed when it has no functional reason to be which is troubling. It's a browser plugin for their idiotic web points/achievements thing much like rockstar's social network deal or BF3's website. It has an arbitrary code execution flaw. News outlets do not understand computer security, and are using the words they know: "rootkit" and "DRM". Because "this dumb shit browser plugin for their achievements website will run any code from any website because it's fucking stupid, and that would allow a malicious site to execute commands as the current user" is a harder story for people to immediately understand. But people have been trained to know "rootkits = bad" and gamers have been trained to read anything DRM fucking them over yet again.

Seriously, I really don't like Ubi's DRM or their desire for me to never play their games on PC again. But it's a very simple exploit in a browser plugin. Not a rootkit in their DRM.

Kild, you're being imprecise. The plugin is not "Uplay". It is one little tiny piece of Uplay. The entire Uplay package taken as a whole IS part of the DRM.

I decided I felt like playing a game of Anno 2070 last night. Game wouldn't run at all, but after about a minute of hanging Uplay started patching itself. OK, fine. Fix the scary shit the internet is yelling at you about. You really have no choice.

I start playing and about 5 minutes in I lose connection to UPlay, which is fine, I can keep playing. I run out of tools and my tool supply chain isn't up yet, but I need some to finish the supply chain buildings. That's cool, I can buy some (as is usual at game start) and have them delivered to my Ark- ffffffuuuuu, I then remember that the DRM requires a Uplay connection to have your ark inventory be accessible. I am left with no choice but to wait it out, restart, or begin googling for Molotov cocktail recipes.

Technically, we're talking about two different UPlay components. Pragmatically, I'd prefer most people consider UPlay as a single, terrible entity and use that misunderstanding to affect their purchasing decisions. Fear makes a fine motivator.

I'm sure that someone, somewhere will crack D3 so that people can play offline, if it hasn't happened already.

It seems to me that the difference is more marketing than substance and that Blizzard has more goodwill to fall back on than Ubisoft. If Ubisoft turned all of its titles to online multiplayer at any time, thus justifying its always online requirement, I don't think it would stop gamers screaming, "DRM!" at them.

I'd stop screaming "DRM!", but I'd just start screaming "fuck you and your required online bullshit in my singleplayer game!" like I do with D3.

I don't really see why that would be the case. UbiSoft has been producing good games for just as long as Blizzard, and selling them at a similar rate.

The difference isn't just marketing or goodwill even though that's part of it. Blizzard has offered actual services with their online requirements. SC2 offered their ladder system and matching with tournaments and whatnot. D3 offers the RMAH, upgraded friends matching, and hosting.

Nobody wants to be online all the time just to prove they aren't a fucking criminal.

That's pretty much my stance.  D3's multiplayer drop-in/drop-out system and RMAH make online-only a legitimate requirement, even if I don't particularly care for the features themselves.  I would love to mod D3 to hell and back and still have a multiplayer system that's 80% of what we got, but that's not the game Blizzard decided to make.  (And I stopped playing D3 before the RMAH even launched I think.)

"Cloud save backup" is something that many other services provide without a online-at-all-times requirement so that doesn't pass the bar.  And that's all that Uplay has to my understanding.

A RMAH is not an advantage for a single-player game, it just means you are getting screwed two ways.

Avoided ubisoft games just on principle, but always happy to see them look stupid in public.

D3 was never intended to be a single-player game through any part of its development process. That's where the expectations gap started. The RMAH makes total sense in the multiplayer game they designed. It was established for well over a year in advance exactly what the intent of the game was going to be. Whether or not that's what people wanted is debatable, but people need to stop saying Diablo 3 is a single player game. It's not.

I'm not sure why I'd care about that.  If Ubisoft intended all through their development process to force players to save games online, that's not going to change my opinion of their DRM. 

I don't see much difference between Blizzard artificially mandating that D3 be an "all online, all the time" game and Ubisoft mandating that their titles be all online all the time.  If you want to play either game multiplayer, you're going to be connected to the internet anyway, and if you wanted to play it single player, you're going to be equally inconvenienced by the online only requirement no matter which company you're going with. 

The idea that they couldn't do an offline Diablo game is just about as unlikely to me as the idea that they couldn't design Assassin's Creed in such a way that it could work without cloud saves.  Blizzard chose not to, obviously, but that doesn't mean their choice is any more valid than Ubisoft's, to me.

You should care because intent is a very huge part of the consumer-company relationship. I believe the difference between Blizzard's online only thing and Ubisoft's online only thing is intent. Not just the company's intent, but the perceived intent of their actions.

Which shit is less smellier of the two?

Brown shit or Yellow shit.

Hmm. They're both shit.

Oh yay.

C'mon guys. We're in this together.

Torrent that shit.

Fight da powah.

 :why_so_serious:

Too much effort. Thanks to steam I have enough games from developers not trying to screw me over I can just ignore the developers who do.

The only painful part is you know we'll see Ubisoft doing press releases saying the reason their sales are tanking is due to piracy  :uhrr:

The Always Online of Diablo 3 wasn't accepted because it was integral to the game, it was endured because people thought Diablo would be that good of a game.

No game Ubisoft has to offer has that "must play" quality.

Diablo's implementation is worse. At least the ubisoft version doesn't require a latency penalty when you want to play single-player or have to break its single-player loot model to convince you need a player driven auction house to enjoy the game.

... they're both retarded and reason enough not to buy the game though.

We didn't know that when Diablo 3 came out, though. And we still trusted Blizzard.

I actually like the AH idea, even though the implementation of it wasn't good enough due to the loot issues.

I still think the loot issues are a direct result of itemization with the AH in mind, but this is getting off-topic.

This.