The entitlement of application authors to do whatever the fuck they want on your machine is astounding to me.
Root CAs, background processes 24/7, uploading of the full process list, clipboard spying, local network scanning, surveillance (aka telemetry) - when did developers decide that our machines aren’t ours anymore?
Bluecobra · 7h ago
This appears to be a server emulator for the defunct MMO Need for Speed World. My guess is that need they need to spoof the TLS certs and install local host entries to get the original game client to work.
vandalism · 7h ago
The certificate is used for nothing more other than checking whether the launcher is "signed". The whole scheme is full of security holes, the certificate check mostly seems like it was a programming exercise for the author.
There is no need for the certificate installation with regards to any emulation functioning. Also, worth noting that this is an ongoing issue: this reboot of the game still has a decent daily player count and the CA installation concern has not been addressed, the launcher still does this.
(It's also not a server emulator, it's just a launcher for the game client, used by players of the game.)
reactordev · 6h ago
Codesigning is expensive. You have to purchase a $500 cert and renew it every year. Or, you can issue your own CA capable of code signing and sign your own stuff. But the OS won't think it's really signed unless the OS also has the CA in it's trust store.
This is just a case of them wanting to save money on code-signing certificate renewal fees.
hamandcheese · 4h ago
Regardless of the intention, it most certainly is not just a case of saving a little money. At best it should be considered criminal negligence.
calcifer · 2h ago
> criminal negligence
Can we stop with this kind of hyperbole, please? It's an open-source project for a dead game. It does not come pre-installed with any hardware, nor is it required by any employer or government to be installed on your device. It's something you actively have to seek and install, and not even the person reporting the bug saw anything malicious happening.
Criminal negligence is a legal term with a specific meaning, and it is far removed from... whatever you think is happening here.
guessmyname · 7h ago
Add to the list exfiltration of $ENV (environment variables), which often include secret keys and app tokens. I have seen many young developers expose their $ENV on GitHub when other developers asks them to share their “go env”, or similar commands, while debugging a problem.
diath · 6h ago
It would be nice if desktop software had to explicitly request access to different APIs on the system (network, filesystem, etc) as well as only request access to specific filesystem paths, then give us prompts that list the permissions that the app wants. Something like pledge (https://man.openbsd.org/pledge.2) from OpenBSD/Serenity but integrated into the desktop systems GUI.
to11mtm · 6h ago
That would indeed be very nice, compared to the current standards out there for desktops...
Ironically, I -think- UWP tried to 'solve' this in some ways but OTOH adds new problems instead...
I also know Microsoft had a different idea when it came to .NET before core, where libraries could be run in 'Partial trust' but with 'Link Demands'... And I've never seen a shop actually do that right vs just YOLOing with 'full trust' and/or abuse of AllowPartiallyTrustedCallersAttribute...
Which I guess is a roundabout way of saying I feel like Microsoft has tried twice but completely lost the plot early on and failed to deliver a usable product (What even is the state of UWP questionmark, and .NET Code Access Security was given up in Core....)
drodgers · 6h ago
MacOS has been moving more and more in this direction, and it’s good.
askvictor · 7h ago
The alternative being a walled garden like Apple or (increasingly) Android, where they don't have access to anything (at least without a prompt asking if you grant said permission). If you run a system that lets you do what you want to it, you need to accept that others might try to do what they want to it, too.
01HNNWZ0MV43FF · 6h ago
Prompts are completely fine. I am happy with the prompts GrapheneOS offers me
chmod775 · 7h ago
This is software provided to you free of charge out of the goodness of their hearts. They don't owe YOU anything beyond not being intentionally malicious.
VoidWhisperer · 6h ago
The work being OSS and done free of charge doesn't excuse them from putting their users at unnecessary risk, especially when it is done so with only a one line mention in their github README and no mention on their website, which doesn't point towards the README at all
chmod775 · 6h ago
It should not, but they still don't owe it to you or anyone to change anything.
You're not paying them. There's no transaction. They're not even giving the software specifically to you, rather they're saying "this is free for anyone to pick up" - with no warranty of any kind.
When you pick up some free furniture from the roadside, it's on you to determine whether it meets your safety standards. If the free table you picked up has some defect, you most certainly don't ring someone's doorbell and demand rectification.
benreesman · 5h ago
Nah, distributing rootkits under false pretenses is a dick move.
That's not even a little controversaial. You put a thing on the web that says "Just a harmless XYZ" and it roots TLS forever?
Malware. Black and white.
vandalism · 5h ago
This assumes that all users are informed enough to make such decisions.
You cannot expect the average player of an online game to have the technical knowledge necessary to discern whether a piece of software is safe to use or not. Even if you could, you'd also be expecting them to take the time to do a proper analysis of such software, which I do not think is a reasonable premise.
What's more, this is open-source software we're talking about and you can actually relatively easily perform meaningful security checks; imagine if this were not the case.
hamandcheese · 4h ago
If I gave away free brownies that happened to be poison, but I really didn't mean to, I still probably should be held liable in some way.
If I was giving away free brownies, and someone kindly informed me that they were poison, and I continued to give them away, I belong in prison.
Edit: it seems like there's been no activity in the repo since before the issue was filed, so it's hard to say if the author can be considered to have been informed.
vandalism · 4h ago
There has been a new GitHub release in April of this year, however, it seems to have been made by a member of the community along with the commit it includes, instead of the original creator.
Edit: There seems to be activity on the author's account which points to the conclusion that they are aware of the issue and are making (still at least somewhat questionable) changes for a new (unreleased?) version of the launcher to address the problem.
As far as I am aware the launcher repo I linked in the original post is still the main launcher players use for the game, meaning people are still getting the certificate permanently installed.
xvector · 5h ago
No. Ethics in engineering exists. They have a moral responsibility to not install a root cert on unsuspecting users' machines.
I can build a bridge free of charge, optional to use, that doesn't mean it's not my responsibility to ensure its safety.
Root CAs, background processes 24/7, uploading of the full process list, clipboard spying, local network scanning, surveillance (aka telemetry) - when did developers decide that our machines aren’t ours anymore?
There is no need for the certificate installation with regards to any emulation functioning. Also, worth noting that this is an ongoing issue: this reboot of the game still has a decent daily player count and the CA installation concern has not been addressed, the launcher still does this.
(It's also not a server emulator, it's just a launcher for the game client, used by players of the game.)
This is just a case of them wanting to save money on code-signing certificate renewal fees.
Can we stop with this kind of hyperbole, please? It's an open-source project for a dead game. It does not come pre-installed with any hardware, nor is it required by any employer or government to be installed on your device. It's something you actively have to seek and install, and not even the person reporting the bug saw anything malicious happening.
Criminal negligence is a legal term with a specific meaning, and it is far removed from... whatever you think is happening here.
Ironically, I -think- UWP tried to 'solve' this in some ways but OTOH adds new problems instead...
I also know Microsoft had a different idea when it came to .NET before core, where libraries could be run in 'Partial trust' but with 'Link Demands'... And I've never seen a shop actually do that right vs just YOLOing with 'full trust' and/or abuse of AllowPartiallyTrustedCallersAttribute...
Which I guess is a roundabout way of saying I feel like Microsoft has tried twice but completely lost the plot early on and failed to deliver a usable product (What even is the state of UWP questionmark, and .NET Code Access Security was given up in Core....)
You're not paying them. There's no transaction. They're not even giving the software specifically to you, rather they're saying "this is free for anyone to pick up" - with no warranty of any kind.
When you pick up some free furniture from the roadside, it's on you to determine whether it meets your safety standards. If the free table you picked up has some defect, you most certainly don't ring someone's doorbell and demand rectification.
That's not even a little controversaial. You put a thing on the web that says "Just a harmless XYZ" and it roots TLS forever?
Malware. Black and white.
You cannot expect the average player of an online game to have the technical knowledge necessary to discern whether a piece of software is safe to use or not. Even if you could, you'd also be expecting them to take the time to do a proper analysis of such software, which I do not think is a reasonable premise.
What's more, this is open-source software we're talking about and you can actually relatively easily perform meaningful security checks; imagine if this were not the case.
If I was giving away free brownies, and someone kindly informed me that they were poison, and I continued to give them away, I belong in prison.
Edit: it seems like there's been no activity in the repo since before the issue was filed, so it's hard to say if the author can be considered to have been informed.
Edit: There seems to be activity on the author's account which points to the conclusion that they are aware of the issue and are making (still at least somewhat questionable) changes for a new (unreleased?) version of the launcher to address the problem.
https://github.com/Zacam/SBRW.Launcher.Net/commit/f09d911fca...
As far as I am aware the launcher repo I linked in the original post is still the main launcher players use for the game, meaning people are still getting the certificate permanently installed.
I can build a bridge free of charge, optional to use, that doesn't mean it's not my responsibility to ensure its safety.