Unity is merging with ironSource a know malware provider

[Winterfire]

Even bigger reason to jump ship from it faster rather than later.
Especially for the devs i'm guessing.

What he really meant is that any game/software could be a potential malware. It is the reason why you should never blindly trust and execute anything.
Even a System.IO can be somewhat harmful.

Unity ain't getting it's reputation back after this one, and that reputation will only serve to drag down developers who chose Unity.

Reputation? What reputation? Before this dumb decision, they had done the exact opposite of good marketing by giving everyone the idea that Unity Games are bad because they sponsorize their logo on stuff that everyone can make on day 1 (and therefore run badly) while they give the option to take off their logo on games using the pro version (so pretty much any AAA company).

Their reputation has been in shatters for many years.

 

[gingisep]

I am fairly sure that is impossible, hence why I am also fairly sure that it is safe.

"Fairly sure" but you have no evidence of impossibility.

Shall we check on one random game using that version of unity?
Name one: I might want to try digging into it.

Also, dumb decisions aside, what would they gain from killing their own Game Engine?

That company culture made shift toward bad practices, means everything in that company will go in that direction:
Could take time to affect real games, but you know, you've seen it in Facebook and other big ones.

Management can take 'damaging actions' if they see a reachable economic goal, it happens everywhere.

I am just considering all those facts and being realistic about it, but you think I am a White Knight when I just do not follow the whole fear thingie.

In security there is quite a big difference between being aware of a potential issue, and claiming that its already happening.
The potential threat is there, just do your own evalutation.

 

[Winterfire]

Well, at any rate, Unity is done i think.

They have sped up the process, but Unity has been falling because of countless bad decisions made for years while new and better alternatives slowly replace it.

 

[Winterfire]

"Fairly sure" but you have no evidence of impossibility.

Shall we check on one random game using that version of unity?
Name one: I might want to try digging into it.

I have proven what I believe to be evidence in the piece of message you did not quote.
You can dig into my game (Legacy of Hestia) since it uses Unity.

That company culture made shift toward bad practices

There is a huge difference between bad practices and purposely taking a decision that will surely kill their Game Engine and therefore their pockets.

In security there is quite a big difference between being aware of a potential issue, and claiming that its already happening.
The potential threat is there, just do your own evalutation.

That means nothing though.
You can only claim that it is not currently happening in the small space you know, because it is the only thing you can prove.
Anything else is always a potential threat in future, because the future is unknown.

 

[OsamiWorks]

In security there is quite a big difference between being aware of a potential issue, and claiming that its already happening.
The potential threat is there, just do your own evalutation.

lol, are you really qualified to do a security evaluation? Is the average user qualified to reverse engineer the entire unity engine? How much do you really understand when you launch dnspy or ida?

 

[gingisep]

And to jump on what other ship ? Every RPG Maker game is a potential malware. Every Unreal game is a potential malware. Every Ren'Py Game is a potential malware. Every Game Maker game is a potential malware... Every fucking piece of software that is proceeded on your computer is a potential malware. Even this forum is a potential malware, through it's javascript applets and its ads.

You know the software security has its own literature: we just have a degree of trust we give into tools.

Nobody is perfectly sure about its own software anymore, ever heard of

You must be registered to see the links

?
That's why a big provider into gaming industry merging with a known maleware company is basically a drop of trust in the tools, and that's all that matters.

I don't have big experience with engines, but alternatives do exists:
from the 'raw' libgdx (Java),
to pygame itself (if you into python),
Godot (multiple languages and bindings),
there are a lot of things moving in Rust Languages,
frameworks for JavaScript/TypeScript,
and somebody even made games with PHP!

I have proven what I believe to be evidence in the piece of message you did not quote.
You can dig into my game (Legacy of Hestia) since it uses Unity.

I'll probably won't find anything, but will let you know if something catches my eye,
thanks for your permission.

There is a huge difference between bad practices and purposely taking a decision that will surely kill their Game Engine and therefore their pockets.

Of course, I do agree.
I'm just choosing a safe spot where I can receive the least possible damage.

That means nothing though.
You can only claim that it is not currently happening in the small space you know, because it is the only thing you can prove.
Anything else is always a potential threat in future, because the future is unknown.

I believe I gave you a better reply upper in this post: I just share my concern between other gamers.
I could just do my own and stay put as everybody else just lurking the topic.

 

[Winterfire]

lol, are you really qualified to do a security evaluation? Is the average user qualified to reverse engineer the entire unity engine? How much do you really understand when you launch dnspy or ida?

One does not need to be qualified to put a healthy dose of doubt before running or installing any software, as long as one does not fear monger or spreads misinformation without proof.

 

[OsamiWorks]

One does not need to be qualified to put a healthy dose of doubt before running or installing any software, as long as one does not fear monger or spreads misinformation without proof.

Im making a point and not arguing with you, he isnt qualified to tell people to do their own security evaluation

 

[gingisep]

Im making a point and not arguing with you, he isnt qualified to tell people to do their own security evaluation

are you?

 

[OsamiWorks]

are you?

lol Im not, but I at least know enough to play. There is a reason good security teams do evaluations for eachother, and its unrealistic to tell a user to do their own security evaluation. If you have ever worked in IT above L2, you would know that and not be telling users that bs advice

 

[LS47]

Guys, you do realize gingisep and VoidTraveller are trollling at this point? They probably have never even touched Unity or any game engine, and they're just spreading fear and replying with emojis. Don't waste your time with them.

 

[OsamiWorks]

Guys, you do realize gingisep and VoidTraveller are trollling at this point? They probably have never even touched Unity or any game engine, and they're just spreading fear and replying with emojis. Don't waste your time with them.

lol I imagine gingi is in inspect element, angrily googling things, finding out how to craft the perfect payload and once done, he'll maybe dm me his work in 20 minutes. Once he steals my session he can terminate my account forever and my life on the sex game forum will be over

 

[anne O'nymous]

You know the software security has its own literature: we just have a degree of trust we give into tools.

I know, I contributed at some of it, as well as the writing of some tools still used ; probably without much of my code nowadays. And reading you, I agree with LS47 , at must your knowledge is purely theoretical.

 

[gingisep]

,

And reading you, I agree with LS47 , at must your knowledge is purely theoretical.

90% of my work is server side, and last time I did work with decompilers was 20 years ago, so I'm pretty rusty and probably won't find anything in there

Its fun anyway to compare tools and techniques, so I can unfold my plan while the game finishes downloading.

My tools here are strace, grep, apparmor and ufw.
I plan to limit the program access to a narrow part of the disk, as well as firewall its network, log every syscall the exec is making, then dig into grep/bash and get suspicious sockets opening/dns calls.

Only after the 'external perimeter analisys' maybe move to a hex editor and try an actual dissection of the main binary file.

Pretty vanilla and available to any geek out there, but if you have any suggestions I'm listening

 

[Trickstar]

So all the unity games i downloaded already are fine or has this already happened?

 

[OsamiWorks]

Pretty vanilla and available to any geek out there, but if you have any suggestions I'm listening

I'm not going to roast the rest of this because people who say stuff like this are also the people who actually end up interested in cyber sec. Dont start with malware analysis, that stuff needs to be done in a lab because it will get into everything.

The basic tools you'll want to start with are wireshark, burpsuite, nmap, and

You must be registered to see the links

. If you want to transition into reverse engineering software then I don't know an easy way to start, I think dnspy for me was the best option because it was immediately practical. I started with Ida pro, and kind of want to learn ghidra, but my head ass is really stupid everything is difficult for me.

Even tho I failed this years ago and never retested, the

You must be registered to see the links

is what really what guided me into understanding. Its really basic but its an industry standard cert, all the information is free if you just google topics in the curriculum, you legitimately dont need to pay for it because the course straight up links out to free resources. The structure of it is what helped me to understand, think, and learn, even if I wasted mine.

 

[Winterfire]

So all the unity games i downloaded already are fine or has this already happened?

They are the same as before, nothing has truly changed.

 

[gingisep]

The basic tools you'll want to start with are wireshark, burpsuite, nmap, and

You must be registered to see the links

.

We are not on the same page:
I'm on the defending side, protecting my system from a potentially malicious software (the game).

The tools I listed are a bit raw but coveres the same surface, at least system-wise, and have a more generic scope.

If you want to transition into reverse engineering software then I don't know an easy way to start, I think dnspy for me was the best option because it was immediately practical.

I just know the old way: gdb, memory dumps, hex editor.
I do this out of fun and nostalgy, let me dig into the raw indexes even if I'd just probably get lost in them. ;-D

Even tho I failed this years ago and never retested, the

You must be registered to see the links

is what really what guided me into understanding. Its really basic but its an industry standard cert.

I periodically did prepare a summary of the OWASP reports and detailed into the most relevant one, for my employer.
Its something I always keep an eye on, but lately I need to cover other stuff.

thanks for answering, though, at least I know it wan't just a regular strawman attack

 

[jkj54]

a lot game on here will vanish from because of unity decision to use ironSource
and unity and rpg maker just made deal with next version of rpg and unity called RPG Maker Unite
I wonder if RPG Maker will walk away from unity and cancel RPG Maker Unite if unity going to use ironSource

Yeah sadly this will happen this site might do that to protect the end user and or devs switch engines to avoid the loack of downloads do too engine choice.

Thanks for the heads up btw.

Your welcome

So all the unity games i downloaded already are fine or has this already happened?

This only affects the next unity engone update and future titles if there using a fully updated engine development kit.




To the whole what about AAA situation we already have AAA games with malware/spyware I posted the old days with securrom then you got lost planet 1 or the old ea games launched with virus earlier 2000's today its denovu with its foreced online monitoring program.

Those always online games some have pc kernel access with nsa approval to spy on you when those server go offline the game will no longer work it has already happened.

I personally use console/cheap old pc if i want to play a risky game console cheap to replace pc quick drive wipe compared to my main pc rig and if im AAA playing on main pc i have a list to watch-out for/avoid.


Oh lets not forget rockstar pc launcher and there games 0 security on everything just recently they lost control over Gta V were you can be playing single player but a hacker/modder can kill you do to that games online 24/7 requirment on pc this happpend to popular streamers including that one that likes to do speedruns.


In the end its up to the end user to assess the risk and see if its worh playing the game and or supporting the developers the whole point i made this thread to educate this community on this deal so going forward you can judge yourself if that unity game is worth it.


The gta 5 speedrun that was destroyed by modders can be seen here @

You must be registered to see the links

Every company on every front is trying to screw the customer make every extra penny but there are some that are still good out there so watchout everyone.

 

[anne O'nymous]

My tools here are strace, grep, apparmor and ufw.

You expect to test potentially malicious code, and at no time you chroot before starting it ?
Hmmm, not really interested by Linux, did they finally have jails, or is chroot still their best solution ? Not that it's a bad one.

[...] get suspicious sockets opening/dns calls.

Without at least tcpdump it will be totally useless. You'll never know if the game is checking if an update is available, or if it's doing something malicious. And also, do not expect DNS queries from malicious code. A connection that wasn't preceeded by one is the first thing you should looks for.

Only after the 'external perimeter analisys' maybe move to a hex editor and try an actual dissection of the main binary file.

Dissection that would lead nowhere. There's a reason why security labs analyze live code and not raw binary, or even raw disassembled code. XORing malicious code, hidden in the executable data segments or not, is just the oldest, and most basic, way to prevent obvious detection. In the 80's, when I was on the demo scene, some had the habit to use part of their data as XOR value to obfuscate a part of their innovative code. Expecting that, in 40 years, authors of malicious code haven't found better ways to mutate their code is naivety.

If you want to dissect the game, use the tool adapted to it, dnSpy. What you'll get wouldn't necessarily be more trustworthy. But at least it would be readable enough to see if something is odd and surely not the code that will be effectively proceeded. And, of course, if the code is not mutated, you'll find it relatively easily if you're familiar with C# and dotNet.