Hacker News new | past | comments | ask | show | jobs | submit login
[dupe] Hackers breach Electronic Arts, stealing game source code and tools (cnn.com)
140 points by svenfaw 48 days ago | hide | past | favorite | 114 comments

It reminds me of when unsuspecting thieves accidentally stole a container of Iridium-192 used for industrial radiography from a lab in Mexico, and were eventually arrested and taken to the hospital to be treated for radiation burns.


The FBI should keep an eye on hospitals for anyone showing up with burning bleeding eyes and a swelling itching brains and melting faces, from looking at EA's source code! ;)


The FBI should keep an eye on hospitals for anyone showing up with burning bleeding eyes and a swelling itching brain, from looking at EA's source code! ;)

Other symptoms include a tendency to participate in death marches, work from 9am to 10pm, abandon spouses and consider every day a crunch.


Archive of the covenant?

How is this connected to stealing source code of a computer game?

I'm under NDA so I can't tell you. ;) Just be thankful that The Sims doesn't have a "View Source" menu.

Here's an example of some highly toxic code they wasn't intended to escape the lab:


It’s a joke. EA = bad. Reminds me on the kind of comments that are ubiquitous on reddit, which is one of the main reasons I left there.

It’s witty and not dull, but does it bring any value to the discussion? I’d say not really

Hey at least I linked to some actual EA source code that will burn your eyes out. ;)

During that demo around 10:00, I accidentally fat-fingered the mouse and introduced a bug into the outdoor simulation. I couldn't figure out what I'd done or how to fix it, and we hadn't implemented "undo" in the code editor yet, so I just left it in. "There's all sorts of code like this in there. And it's kind of dangerous."


Google the commenter's user name.

Because EA makes bad games.

Is their plan to they sell it back to them in micro transactions?

The Stolen Bits DLC, available soon.

You will get the database table definition with the first release, and the actual records in a later DLC

Their plan is probably to sell better cheating software for online games.

Using loot boxes, of course.

One loot box per otherwise expected built-in feature, of course.

And next year they sell it again with the code indented with spaces instead of tabs.

Maybe sell as an NFT? /s

I don't think stealing is OK but I hope they managed to liberate C&C Generals 2 while they were in there

You've just inadvertently reminded me of that and now I'm probably going to be grumpy for the rest of my day.

Find the long lost Red Alert 2 source code!

There have been multiple attacks like this and it seems the stolen code is usually made public in the end. I presume people will look at it and reuse some concepts and I wonder if this could lead to the technical state of the industry becoming better as a whole.

In general the problem in the game industry isn't that people don't know better ways to structure their code, but that they are under extreme pressure to ship and get absolutely no time to refactor.

Between GDC presentations and published computer graphics papers, the game industry is actually quite open about sharing its best ideas.

Or SIGGRAPH for that matter.

I don't think EA has any tech that's sufficiently advanced over something like Unreal Engine, which is already source available. It's at least not perceptible in the games they publish.

Maybe I’m being naïve, but that seems naïve. EA is a very well-funded and complex company with a lot of fingers in a lot of gaming pies. To assume that none of their code is cutting edge or advanced seems unlikely

I could be entirely wrong though

When you consider how prone to patents the gaming industry can be, (and the fact that this is EA), I would be very careful before reusing concepts from here.

I am an adept of the free code as we should own the source code of the products we buy. It might be too early for society to adopt something this radical but I believe Stallman was right. Mainly that's why I stick to open source technology only.

And extend it to Hardware, Cars and so on.

So they basically stole a bunch of technical debt? Does EA owe capital gains tax now?

Hey, it's only debt if there's someone around that needs to pay it down. Once the skeleton crew that was left to crank out DLC's moves on to pastures greener after half a year, nobody's ever touching that shit again.

Not really sure what this changes for the games released.

I would say very little, in a way bad advertising is advertising which is good advertising.

It might reveal some part of the scenario or features, and put pressure on the teams, but other than that, who really cares? Fans will talk about it, and that's only what this is.

Maybe competitors might get an insight on what games are planning to be, but I doubt that there is much innovation, so meh?

And it's not like those engines have tremendous engineering secrets either ways. I mean GPU are documented, and special shader effects are not that so hard to come by, what is difficult is getting developers who are able to understand how GPU work and to take advantage of those ever changing GPUs and APIs.

I really don't think the game is going to be available in a pirated copy, seen that building such AAA games is pretty difficult for developers who are not part of their teams, not to mention all the copy protection mechanisms.

Was thinking the same - companies are extremely protective of their source code. How many games out there truly have unique/interesting/hard tech in them? I can think of Spore; I can think of a handful of rendering engines, maybe Stalker, Wow of course but not many more than that

In tech, only ideas gets stolen. There are very few things that are really worth of being secret in software.

For games, hard work is just this: content (which has IP on it), debugging (which is specific to a certain game), handling GPUs (requires engineers, work is obsolete in 3 or 5 years), a few gameplay mechanics (cannot be patented).

Patents only matter when data is about some expensive, long term research that requires physical testing and labs, like a new molecule for a medicine, or some method or building a material.

Even when HL2 source code was stolen, it did not really matter.

Battlefield's multiplayer code should qualify.

Netcode technology is not a big subject worthy of secret.

Sure it's complex, but it's very use-case specific. Developers will often talk and share how they solve problems, so...

Perhaps they can now fix EA's broken games and give the players bang for their bucks.

They're claiming no 'user' data was breached. Is this just PR for "we have no clue if all your info (name, bank info, SSN, date of birth, etc) was stolen" or is it "We confidently know because we audited that data access and verified the audit logs were not breached so we know your data is safe."

My son interviewed at a gaming company that put two machines on everybody's desk. One connected to the internet for web/email and the other on a separate air-gaped network for development.

I wonder if this will become the norm.

Thats how it was in the defense business. Our radar software was not on the internet.

It makes things a little harder because reference aren’t available easily, and people didn’t read they’re email as frequently, but it was ok.

"Good artists copy, great artists steal."


Picasso never said that, even if it the quality of the quote is debatable.

> "Anytime source code gets leaked it's not good," said Ekram Ahmed, a spokesperson for the cybersecurity firm Check Point. "Hackers can comb through the code, identify deeper flaws for exploit, and sell that previous code on the dark web to malicious threat actors."

This seems like a strong argument against using open source codes. Should I take this argument seriously and avoid them?

No, he's being a bit stupid, security through obscurity is arguably no security at all however it makes identifying vulnerabilities _easier_.

The main issue for leaking source code of _games_, especially _multiplayer games_, is that people learn how to bypass the anti-cheat mechanisms which leads to a degraded online experience for everybody.

I worked on Tom Clancy's The Division and the mantra was always "write code like it will be public one day".

(in their case it meant don't get to persnickety about a library not working how you wanted or swearing about how Windows was batshit insane at times -- but it also applied to making sure you did't just assume the code wouldn't be read by malicious people)

There is much simpler solution about cheaters. Local servers to play on lan. Many games came with them.

That completely disregards the fact that local multiplayer requires you to have players who are geographically close, willing and able to gather at the same time in the same place. Also, some recent world events you might have heard about somewhat made these kinds of gatherings quite difficult or illegal.

hosting your own lan on openvpn is not trivial, but doable. Or, if you trust the provider, there are a few solutions such as Hamachi.

I don't think EA Sports would want to base their online strategy and business on the ideas being put forth here.

neither do I, but that doesn't invalidate the lan/self-hosted server idea.

Not everyone lives close enough to the people they are friends with to make this a feasible response, and there's still an active pandemic going on.

And other alternative is allow non official servers, then you can rent a server for yourself and invite your friends or make it public but you have the admin rights and options to configure it (like reducing the grind).

The multiplayer part of some games made the single player section worse, because of the drastic anti-cheating measures.

It's a question of information asymmetry.

It's always easier to be on the attacking side of cyber security. If the attackers have good intel, and the defense isn't organized, their work is much easier.

With (popular) open source projects, there are hundreds of eyeballs looking at the source and trying to fix security issues before they can be exploited.

The closed source project is typically less secure, but attackers also have less information to work with. Open source is typically more secure, but attackers have more information. Leaked closed source is the worst of both worlds.

The logical conclusion of your statement is that the strongest software would be projects that are collaboratively maintained by a large number of people, similar to an open source project, except behind the veil of confidentiality at a big company.

It has potential. But it is better than open source only if you trust all the maintainers in the organization. And previous maintainers who have now left the org.

And only if the codebase is routinely looked over and tested, no part of the codebase gets forgotten and becomes unmaintainable because somebody left the company.

Open source has the added benefit that maintainers typically don't disappear complete from the project overnight because they got a new job/were fired.

I wish I could find the tweets, but I've heard multiple times already from people reverse engineering software - it doesn't matter that much. With enough experience some actually prefer the disassembled / processed graph view of the real executed code rather than potentially more complex multiple levels of abstraction in the source. I'm sure it will be contentious and not everyone will agree, but at least it shows that the barrier really isn't that large.

But even then you have the whole area of protocol reverse engineering and data fuzzing which doesn't require the source at all.

while i think this statement is flawed anyways, there is a difference in being the only one who can find these flaws easily or being part of a community were everybody could do this if qualified.

Open source projects that have a high usage and high visibility have their flaws quickly fixed _because_ the code is open and for everyone to see. It's an iterative process that grows with the popularity of the project. Popular open source projects have been open for years and/or have lots of people that participate, review, report bugs, and fix them.

A closed source projects can have thousand of security bugs no-one will never know about. Since it's closed, it's hidden so no problem... until it's leaked.

The real win here would be access to server side code - account management, loot box rates, plus garden variety buffer overflows and hacks. Open or closed doesn't matter as much if it runs on a device you can control, you can always reverse engineer it. But for code you'd never get to run on your own device, you have more limited tools at your disposal. Even if they only got binaries of the server side code it'd still open up a lot of avenues.

There's a presumption that open source code has been looked at by independent researchers. "Many eyes".

In contrast, source code of games is a trade secret. It is being worked at by famously overworked developers. And companies in the industry are known to sit on vulnerability reports for months or years.

Don't ever install games on a machine you use for work or identity.

It’s very hard to believe that games are unique here.

Could you clarify what you mean by identity please?

I think they mean a machine you use to identify to do something official, like banking or interacting with government.

I never put on my gaming computer things that I use to identify myself with important entities:

- Banking.

- Insurance.

- Main Google account.

- SSH keys.

- GPG keys.

- Pictures of any important documents.

- Digital copies of any important documents.

Basically: the moment you start installing games on a computer, assume it makes its contents world read/writeable.

Can you link to any examples of this happening in the past? Like oops I installed The Sims and Starcraft and now my C:\ drive is on Shodan. With mobile games that sort of thing probably happens all the time since mobile apis are designed to let apps do it. But I'd be surprised if something like an EA game was responsible. The worst I've heard so far is a bug where Steam will `rm -rf` your home directory because Valve doesn't understand UNIX.

Yes and no. I would say it's less likely there's exploitable code in open source because it's so open.

This is a typical free BBC advertisement for a cyber security firm to use this data breach and source code leak as an example to lure the fearful and confused to pay for their consultation fees.

His argument is also complete horsesh_t to prop up the firm and to also spread FUD. Just look at this sentence: 'identify deeper flaws for exploit', tells you they don't even understand that you find the vulnerabilities first and THEN you develop an exploit for it.

Another "death sentence" of journalistic quality at the BBC whilst also advertising for firms that have clueless spokespeople.

As a survivor of the worst of The EA Spouse Era's abuse, karma's a bitch.

Reminds me of the time when Valve source code was exfiltrated.

Maybe a community-made Titanfall 3 will finally happen!

So part of their code is now kinda open source /s


Not sure what the benefit is of turning this into semantics. "Get a hold of" is what is implied here, everyone should understand that. As such, getting hung up on "stealing" is rather pointless.

it is likely that way because it is an argument that often comes up when discussing losses accumulated through piracy. were the argument typically is that not every copy should be accounted for a loss of sale. it does not really apply here because this game will probably sell the same amount as before someone got a hold of the code. And if it does not its likely because of some second order issue arising like not being able to fight cheaters...

I suppose. But, this has very little to do with piracy. The source code wasn't acquired in order to compile bootleg versions of the game, and thus leading to loss of sales.

This is the illegal gain of someone else's intellectual property. "Stealing" is a reasonable word to use in this context.

But the wider point is that "intellectual property" cannot effectively be "stolen", only "unlawfully obtained or reproduced". Nobody is ever deprived of IP or even its legally-created exploitation rights; it's only the market value of such IP that is allegedly affected.

I reckon we need a new word. "Pirating" has sort-of taken that space but it's not really good and it only covers distribution. It should be something that carries a meaning of "swindled", "wiped away", "theoretic-market-value-corrupted".

Freebooting. https://www.urbandictionary.com/define.php?term=Freebooting As coined in hello internet. (If the intent is indeed to re-package and profit)

If value is transferred by force, this is theft.

But there is no way to ascertain if value has actually been transferred. It's just fingers in the wind. EA could sell their games tomorrow and make exactly the same money they would have made before the hack.

Thise entire line of reasoning is reaching, it is rationalization for unethical behavior.

Stop justifying poor behavior. Just stop. Trust me, your cognitive dissonance will reduce, and life will overall get easier.

I doubt life will get easier when I don't question any established power-structure and just do (or pay) what I'm told.

Or rather, somebody's life will probably get easier - just not mine.

Taking advantage, in any way shape or form, of someone else's efforts, against their will, which efforts and work product were not in public but expressly in private, isn't sticking it to the man or fighting the power structure.

It is just taking advantage of someone without their permission. That's all it is. There's nothing revolutionary or awesome about it. It isn't novel. It isn't creative. It isn't rebellious.

It is simply an unethical use of force.

When that someone enjoys disproportionate advantages in so many different ways, typically accumulated unjustly, and forces the world to follow certain rules in order to entrench such advantages forever, there is an ethical perspective where defying such rules is an act of resistance.

You are right that there are situations where that is true.

For most activities in the United States, in 2021, this mode of analysis is flat out wrong.

Realizing this distinction is a path to liberation.

Your insistence in using words like "liberation" gives a sense of your ideological zealotry.

That’s projection.

If you mean that it annoys you that any kind of copyright/IP violation is described as ‘stealing’ then I share your sentiment. This is a real crime though, and most people call this stealing.

I take it you think pirating things is not stealing either?

"Stealing" a digital product implies that every stolen copy is a net loss for the distributor. It's definitely not.

Of course, it's not like if you clone a file on your hard drive 10 times, the manufacturer of what you're cloning loses tenfold. But every person who has used the product without paying for it is such a loss. I don't know what the "every stolen copy" argument has to do with anything. Not everyone who downloaded would have bought. But that can't simply be calculated with some neat "every stolen copy" slogan. It is an argument to justify the thieves.

> but every person who has used the product without paying for it is such a loss.

i bought lots of products only after pirating them. would i not have done that i would not have bought many things at all. I also fondly remember simply not having the funds to buy software and pirating them was the only way to move forward. in both cases my "stolen" copy should not account for a loss of sale and the former even supported making a sale at all....

Your post is a bit unclear to me, I'm not sure which side of the argument you're defending, but

> every person who has used the product without paying for it is such a loss.

No, because like you said, that implies that you'd have bought the product if pirating it wasn't possible. If I want to pirate a game but it's not available, I won't buy it either.

> It is an argument to justify the thieves.

I'm not justifying "theft" - or piracy in this case -, I'm just saying that you can't equate the two. Piracy and theft are two very different things, with different motives, and different consequences of the distributor.

Stealing implies someone being deprived of something. I don't condone pirating but the argument isn't invalidated merely because it 'justifies' the act itself.

So how would you call it?

The "piracy is theft" motto is just false, but you can keep both words in their own context you know. So, I call that "piracy".

unauthorized copying / distribution.

A copy of the source code has been stolen.

... or been acquired without permission?

for me stealing implies change of possession. this does not apply here. what might have been taken is the possibility to monetize it the way they imagined or that they had been hurt by the PR afterwards and similar things. but nothing has been stolen everything is still in place were it was before and nothing is missing except for some of the confidence in their infrastructure security.

"Hello, I'm calling to report that the 16-digit sequence, expiration date, and 3-digit security code of my credit card have been replicated and are now known to persons whom I did not give permission to utilize."

"Sir, are you calling because your credit card was stolen?"

"It was not stolen!! I still retain possession."

So I'm reasonably sure that if you dont cancel the card after losing possession, you can be held liable for transactions that occur with the card at that point. Especially if your PIN is also compromised.

You're not liable for transactions that occur fraudulently when you still retain possession of the card.

So yeah, it's an important distinction.

... "hello, my credit card data has been acquired and used without permission. I still possess the card but want you to freeze the account and a new card mailed to me afterwards."

do you see how this is just more accurate?

It's not. And with more and more drm nowadays piracy is actually something of a must if you are to enjoy the product you paid for.

It's you paid for it, it's not a piracy.

you wouldn't download a car, would you?

me? if I could...

in the same way that you can steal secrets

When I copy your secrets, you no longer have secrets - just information that someone else also has. When I copy your code, you still have the code.

before you copy my code I own [the only copy] after you steel/copy it I no longer own [the only copy]

If you steal my secret code, then I no longer have secret code.

The question is whether the secrecy itself has value. I may perceive that it does, and you may conveniently perceive that it doesn't.

It's a dubious mindset, to believe that it's your own call to decide whether something should be of value to someone else.

They are still secrets so long as you dont go punlish them but use them yourself

Code is worthless on it's own.

Intellectual property is not physical. Think about it.


You have not been shadowbanned, but based on the quality of your comment maybe you should be.

lol it was before. looks like that how you get their attention.

this is a dupe

Applications are open for YC Winter 2022

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact