next »

[StealthAngel667]

I'm glad he at least gave a response to all this. Ignoring it would've been wrong, I think. I hope people will leave this game's programming alone now, and just enjoy it for what it is.

[frymaster]

I'm sorry, this is revisionism of the worst kind.  I actually signed up just to express my disappointment with the devs.

it sucks when people attempt to destroy the awesome creative things people make

actually, the original communication was an attempt to solve the problem with the hilariously badly-designed code, and the response was that not only was it supposed to be like that, but that they didn't care about people messing with the database, and in fact encouraged it:

http://i.imgur.com/eCYSF.png

I also note that despite the inference that this has all been sorted out, I can still, at time of writing, access this database.  Sure, someone may have restored from backups, but what's to stop people trashing the DB again?

Fuckups happen.  Hell, valve got sensitive steam details leaked after a forum hack (also a security no-no; the forum server shouldn't have had access to the steam servers), and I got an email from trion worlds the other day about them being hacked.  But the difference? They didn't try to pretend that is was supposed to be that way, or that it wasn't their fault.

[Jintek]

This whole thing blew, glad Tommy got a handle on it.  But this type of security hole should have never happened!

[Two Hacks]

Moral of this story: Make sure there are no glitches in your game, otherwise people will use them to fuck around with the game to prove a point.

[Jookia]

While I respect Edmund's alleged (there's no source that I can find) response, it doesn't actually tell us anything about Team Meat's position on this event. He goes on to say that it ruined the game's experience for the players and that he wants to make friends, none of those things are relevant. IMHO it seems to play the sympathy card and people's sympathetic emotions.

I'd like to stress that a few hours before the public knowledge of the hole was revealed, the guy who found it tried to inform Team Meat of the problem so it could get fixed, but Team Meat acted as if it was a feature, leaving a few options for the 'hackers':

• Don't do anything, and hope that nobody else finds the hole and exploits it for evil purposes.
• Harass Team Meat until they agree to fix the hole, or get ignored.
• Do something that will force them to fix it.

I bolded the option that the 'hackers' took. I personally can't think of any way to do this in this case without hurting the user, which justifies it in my mind. The important thing is that now the developers have to fix the problem.

As for the exploit, it's not like the hackers found some bizarre route or bug like with firmware hacking on consoles, the login details were in the executable. Team Meat trusted the user not to go poking around in it, and that only the game itself would use the details. There was no security at all. As another user in the Facepunch thread, the way they designed the system is one of the most insecure ways to do this that it wouldn't of even popped in to his head as an idea. I don't think it would even pop in to my head, let alone have myself consider it.

Another small thing that wasn't really revealed was that setting the name of a level to an empty string (I think that's what it was), would cause the game to crash, suggesting an actual security exploit. If that's the case, then sophisticated attacks could make their own level, quietly experiment for a few days and possibly find a way to inject malware or viruses in to the computer through a level name.

[Two Hacks]

This is what actually happened:

Q: "How do you reconcile laughing off the database issue as "fine" and refusing offers of help on twitter with being butthurt that there really was an issue on formspring?
"

Ed: "im not sure what youre talking about, i have no idea what the database stuff really is, i dont program, and when i woke up i only heard about what happened through random tweets.

from what i saw though tommy never refused offers because this was something he was going to fix, he just told people it was fine and to leave it alone so he didnt have to worry about fixing it while he was away for xmas. but instead of leaving it alone people somehow took it as a refusal and decided to try to break things.

either way everything is always backed up and tommy rolled everything back to a previous state before i even woke up that day... i honestly dont understand what the big deal is. seems like jerks just wanted to be jerks, but in the end all that happened was both of us lost faith in people."



you should all feel pretty assholish for what you guys did. >_>

[Jookia]

The 'hackers' were under the impression that Team Meat were simply ignoring the bug. At no point did Team Meat say that the bug was on the radar, going to be fixed, or tell people to leave it alone, or that the developer was away for holidays. Maybe this was a communication fault?

However, I do doubt this story. Super Meat Boy has had the feature since May 2011 (according to Wikipedia), the developers have had plenty of time to fix the gaping security hole, if it was on their radar.

The 'hacking' had no overall negative effect, and I see no reason for the 'hackers' to feel bad if it means that Super Meat Boy will end up as a better and more secure product.

[Baldr]

The password and the username where in the executable. This is no where near a bug but a design choice, a very poor one. Any one with some knowledge could have simply found it.

To add insult to injury that account had all right so they could do whatever they wanted to.

Yes the bug thing is a lie, its like blaming the door when there is broken into your home when you gave the entire village a key an directions to where you live.

[Sr. Domi]

Agree with the new users. They werent trying to fuck everything, they discover and exploit and later contact Team Meat to help them. Team Meat didnt give a fuck, so the hackers has to start making some shit as a way to show what could happen.

Imagine than some hacker really tried to fuck everything and he acted even worse.

What really this make me worry is about the next Team Meat games. A lot of you know all the bad things that SMB has: 1 year old Mac port, 6 months for SMW, glitches and bugs, this last hack...

My point is: This happened, it could happen again. I guess that I wont preorder their next game. I want to be sure about what Im buying. (Of course, if the game looks interesting for me, but that's normal)

[SpikedRocker]

My view on this is that the devs put their lives into games, for people to "go out of their way" to point out a flaw/hole in their programing, probably opened the end result to occur.  It seemed to me the people who are "trying to help" really in the end caused this to happen.  I believe there are more secure ways of communicating this problem than twitter.  But this probably was discussed at length on Facepunch as well (I can only assume), which lead to a person who had no inkling of care, to try to destroy all he could.

Should this have happen no.  I'm not defending the dev's here, but I do not condone your actions.  Just because you can do these things doesn't mean you should.  It just deflates a persons passion and drive for what they are doing.  It does no one any good.  I almost can't wait for the day when there are actually consequences for people who do these types of things, instead of having people waste time/money/effort into changing/fixing code.

[NMe]

It's funny how I had to enter 5 (FIVE!) different CAPTCHA's in order to register here, yet the developers act so casual about something as serious as a publicly available database that has been proven to be accessible by people that had no business in this database. Yes, it's annoying that someone wiped the data but no, it's not their fault. Team Meat made a horrible mistake in their design by:

• using a model that pivots around database that is accessible through the internet
• putting the login data inside the executable for the world to see
• giving full access to the database user when read access should be more than enough
• ignoring multiple messages from concerned players

This is not just leaving the door open, this is posting inventory lists containing every valuable thing in your house on every street post with a skeleton key for every door taped to it. And then, when you get a call from concerned neighbours, saying: "I don't care if people look at my stuff."

The dev team made some horrible mistakes and every decent programmer should know better than this. Data should be made available through some sort of API (be it SOAP, REST or whatever else) and not under any circumstances by providing direct database access.

[azaz]

It's funny how I had to enter 5 (FIVE!) different CAPTCHA's in order to register here

And then they send your username and password in plaintext to your mail account. That's great.

I came here to express my deep disappointment in how this all have been handled by Team Meat. The condescending attitude is just awful; if anything, a developer that's been made aware of a security flaw (any, but *especially* one of this size) should be grateful, not casually dismiss it. That behaviour is not acceptable.

Thing is, I'm a customer. I've bought Super Meat Boy twice on PC, and I would probably have picked it up on XBLA because I don't have a controller for the PC. I will not, however, give Team Meat any cash -- ever again -- until they fix their shitty attitude.

[Polari]

Just posting to say I 100% agree with what all these 1-post users are saying.

[Two Hacks]

I hate to be bumping this old thread, but I just wanted to add this: http://www.formspring.me/Tommunism/q/291081586479215147


This is Tommy's answer as to what happened. I honestly would think this would change anyone's opinion who thought hacking into the server was "helping" team meat. Think about it logically; It was unnecessary and destructive. I think for the most part, this was just done for the entertainment for the people at facepunch who can't find better ways to have fun other than ruining great things at every chance they have.

I'm not demanding that anyone changes what they think, just giving a final input on this.

[Vex69]

What kind of idiot goes out and does this?