Yesterday, noted security researcher (and Google employee) Tavis Ormandy published his discovery that Ubisoft's UPlay DRM installs a browser plugin that leaves your computer terribly vulnerable to drive-by attacks over the Internet. The plugin is meant to allow Ubisoft to start games on your computer over the Internet, but it lacks an effective authentication mechanism. This means that an attacker could check your browser to see if you have Ubisoft's DRM installed, and if it finds it, cause the plugin to run malicious software that hijacks your computer.
An early report on Hacker News characterized this as a "rootkit," which triggered a long (and tedious) debate about the formal definition of rootkits and whether Ubisoft's system qualified. To me, this seems rather beside the point, which is that Ubisoft's overall installation process involves a high degree of secrecy and obfuscation, because none of Ubisoft's users want DRM (some may not mind it, but it's a rare gamer who says, "Please install software on my computer that watches what I do and orders my computer to prevent me from doing things that displease a distant corporation"). As a result, security vulnerabilities that arise from sloppiness (or malice) are more difficult to discover and to put right.
PC Gamer got a rare and terse quote from Ubisoft on the issue, in which the company says it is "looking into" the issue, later updated with the statement that a "forced patch" has been issued to fix the issue (though this claim hasn't been independently verified by any source I can find).
There's more commentary on TorrentFreak, which places the DRM in context -- "seen as an essential part of life for many games developers." The Slashdot thread on the issue is lively, but also full of deeply misinformed legal speculation about which laws Ubisoft may or may not have broken in the process.
Medical devices have long been the locus of information security’s scariest failures: from the testing and life-support equipment in hospitals to the implants that go in your body: these systems are often designed to harvest titanic amounts of data about you, data you’re not allowed to see that’s processed by code you’re not allowed to […]
Timothy writes, “Diego Gómez is a Colombian conservation biologist. When he was a college student, he shared a single research paper online so that others could read and learn from it, just as he did. Diego was criminally prosecuted for copyright infringement, and faced up to 8 years in prison.”
The good people at Fight for the Future established OPERATION COMCASTROTURF to help you figure out if your stolen identity was used to file fake anti-net-neutrality comments with the FCC, but Comcast wants them shut down, and it’s prepared to commit barratry to get its way.
If you don’t want to get stuck footing the bill for a hit and run, this dashboard-mounted camera offers up to 2K resolution to make sure you always have a reliable witness, and it’s available in the Boing Boing Store for 30% off it’s usual price.The PapaGo mounts unobtrusively to your windshield to see everything […]
While some people still maintain that everything in Apple’s walled garden “just works” and is immune to the rampant malware of the Windows world, the reality is different. The Mac’s growing market share has made it a much more viable target for malicious actors, and its built-in tools aren’t always enough to fix things. Drive […]
Boasting an IPX6 waterproof rating, the Trakk Bullet Ultra Compact Waterproof Bluetooth Speaker resists dust and heavy rainfall. It’s currently available in the Boing Boing Store.The Trakk Bullet offers the same wireless convenience as other portable speakers, but few are built as tough as this one. Its utilitarian construction is designed to be a totally low-maintenance […]