
I wouldn't be surprised if this is the work of a DDOS. I mean Ubisoft probably worked hard to make sure this wouldn't happen so they wouldn't get even more negative publicity. The only reasonable explanation I can think of for such a terrible failure is that anti-DRM people are DDOSing the servers.


Honestly, that is no excuse. Even if every black-hat hacker in the world had it out for a certain game, people who buy physical copies of the game should still be able to play it that day.


I'm not sure Nathan's theory is correct but...

Botnets aren't particularly expensive to rent any more; you'd have to be pretty committed to taking Ubisoft down but I reckon it's doable.


The point is, to prove a point a DDoS attack can be initiated against Ubi's authentication servers thus making the game unplayable for extended periods of time for legitimate customers only.

Even if Ubi takes DDoS into account, the DDoS might slow the servers down just enough to keep kicking people out of their games.


Agreed, on initial release the DRM server would be getting hit major amounts due to the massive amounts of pre-orders. You don't pre-order unless you're planning to play it in that first week it's on sale.


And we all knew that with the publicity surrounding the new DRM, something like a DDoS at release shouldn't have been a surprise. Ubisoft really should be prepared for these attacks.


If something you built into your software can get you negative publicity, maybe you shouldn't build it into your software?


From an article on Tom's Hardware:

>It seems that the game may be making repeated requests for authentication between levels before allowing the player to continue.

>An early crack was also released for Assassin's Creed II (which hits Australia and Europe before North America's March 9 release), but those who have tried it say that they are unable to advance very far into the game without being sent back to the menu screen.

Maybe they are the victim of an accidental DDOS created by their own DRM security strategy. Maybe the consequences of the "repeated requests for authentication between levels" for hacked versions is what is causing the DDOS. Then hilariously, people who legitimately bought the game but can't connect try to download the hacked version and it only causes more authentication requests and makes things worse.


Even if it is a DDOS, the hackers are doing us a favor by reminding us how much DRM harms us as consumers.

Let's hope Ubisoft does the right thing, owns up to their epic failure, and patches all DRM out of their games.


Unfortunately, they're likely to simply deploy an even bigger cluster of authentication servers and add the cost to the next game. Then it will fall down again. Lather, rinse, repeat.


Yeah, think of all the meetings they had to design this feature. They can't let those go to waste; better to have another meeting to decide how to beef up the network.

I love all the blog posts that say "don't hire good programmers because they will waste time programming something fun instead of doing work," but of course, in the real world, "doing work" is the much bigger productivity sink. Imagine how much better the game would be if all the resources on the anti-piracy team were programming the actual game instead. Maybe more people would be willing to pony up $60 for the game if it was better.


I don't think you'd feel that way if you were one of the people unable to play your fancy new game.


Maybe, but it's hard to feel sorry for anyone who knowingly bought into the deal. I will, on very rare occasions, purchase DRM'd products, but when I do I know full well it's my own darn fault if I end up losing access to them.


Not everyone researches the DRM in their games before purchasing. Some people just buy the box at Best Buy. Seems unfair to expect everyone to know these things ahead of time... shouldn't you be able to just buy a box at Best Buy, and rightly expect to play what you paid for?


Hence the "knowingly bought" qualifier. I sure agree that you ought to be able to expect your fair use when you drop your cash, but unfortunately the days are long since past when that's been the case for anything content related.


Ya that is true, if they know what they're getting themselves into, I don't feel bad for them. If I had to guess, though, I'd say that the majority probably don't.


Ok, I'm against DRM too, but no, if this is a DDoS, the hackers are not doing anyone favours, because what's harming the consumers in this case isn't the DRM, it's the DDoS.


That's some twisted logic. The DRM is indeed what's harming the consumers. It doesn't matter who or what took down the servers: what matters is that Ubisoft's DRM won't let users play the game. If that DRM didn't exist, all the anti-Ubisoft hate in the world couldn't stop consumers from playing the game!

Ubisoft's DRM is what's hurting the customers. The DDoS (if that is actually what's happening) is just a side-effect, and probably an inevitable side-effect of DRM.


> It doesn't matter who or what took down the servers

Sure it does. Just like it matters and should affect our responses whether a building was destroyed by earthquake or some dude who sets off a bomb under the building to prove that it couldn't survive an earthquake. Intention, while not everything, matters a hell of a lot. Illegal and malicious actions like these don't serve to punish the companies who use DRM, they just give them a scapegoat to blame. If, like me, you're against DRM, vote with your dollars and stay the hell away from companies who use DRM in their products.


There's a big difference between the earthquake case, where it's really unlikely that there's a dude who will actually set off a bomb, and here, where it's guaranteed that over the whole internet, there's at least one dude who is going to DDoS you. The fact that someone in particular actually sets it off and is therefore morally responsible for disconnecting all those users doesn't remove any blame from Ubisoft, who was releasing into the real world where the DDoS was guaranteed.


It actually doesn't matter how the building was brought down for the people who are in it -- what matters is that the building is down and they can't get to work/get out of the rubble.

We have this benchmark of "reasonable expectations" for designers of things. Sure, you could whittle endless years away contemplating and preparing for every conceivable eventuality, but we don't expect that of people because that's crazy.

However, we do install security in buildings because we know from experience that every once in a while you'll get a loon trying to blow the building up with a truckbomb or trying to shoot up the lobby. Security isn't perfect, but they perform reasonably in most situations.

We ask our architects to consider disaster resistance in building design because we know that it's plausible that the area may one day be affected by earthquake or some other calamity.

If either security or architects and engineers are found to be negligent of their duties to provide reasonable protections against violent crazy people and/or natural disaster, they are ostracized as seen fit by society. While they didn't cause the earthquake or the explosion, they knew, or should have known, that an earthquake or a violent assault might occur in the building they had designed and/or were assigned to protect.

If they were found to have prepared adequately and still failed, they are generally "let off the hook".

Now, in the case of a highly unpopular, highly publicized DRM scheme, do you think it's reasonable to assume that some out there might be interested in negatively affecting its operation such that people don't buy your game? A lot of people want to gob up the debut. I would say that it is reasonable, and that Ubisoft doesn't get any kind of pass for inability to ward off a DDoS in such a case.

Ubisoft is a big multinational company, publicly traded, with a lot of money. There's no good excuse to let their servers die from either DDoS, non-malicious overload (effectual DDoS), or other standard calamity.


> While they didn't cause the earthquake or the explosion, they knew, or should have known, that an earthquake or a violent assault might occur in the building they had designed and/or were assigned to protect.

That is irrelevant to the fact that the idiot with the bomb wasn't doing anyone any favors, which was the point I was trying to make in my original comment. I guess I should have omitted the part about "what's harming the consumers" or changed it to "what's directly harming the consumers" to avoid all these knee-jerk responses from the anti-DRM brigade, which incidentally I consider myself to be a part of.


What if the online part of AC2 was not to do with DRM but, say, an online MMORPG portion.

And what if that was DDOS.

Who would you moan about?

Yes, the online DRM is sucky and a stupid idea. But if anybody is DDOS'ing the servers they are sucky and stupid too :)

There are right ways and wrong ways to protest about this.


AC2 is not an MMORPG. It's a single player game. If this was an MMORPG, then yes, there would be more understanding about the MMORPG side of things, but it's not. More to the point: Paying customers cannot play the game while non-paying customers can play the game.

Let's make this clear: Ubisoft went out of their way to build a system that prevents their customers from playing their game while non-paying customers can play the game.


> AC2 is not an MMORPG. It's a single player game

Yes, I know - MMORPG was simply an example. The main point is that if the content had been worth actual value to the consumer/player then those doing any DDOS would be getting equal flak for their actions.

I'm sorry but it seems illogical to condone the idea that DDOS'ing the servers to prove a point as a good one :)

> Let's make this clear: Ubisoft went out of their way to build a system that prevents their customers from playing their game while non-paying customers can play the game.

I think that's a bit mis-representative.

Firstly non-paying customers can't play the game: so far I have not been able to find a crack that works fully. We've done some reverse engineering here at work (and we employ some smart bods who do this stuff to enterprise software) and the summation is "parts might be cracked, but definitely not all yet... ooh look at this bit...". The skid-row crack doesn't work for the whole game just part of it (independently verified). So far as I've read all those yelling "Told ya! It's cracked" haven't actually bothered to try it themselves!

Secondly they went out of their way to build a system that might prevent some customers playing the game. It's a silly, idiotic system they've invented but it should only affect those with dodgy or no internet connection... instead because of DDOS (unproven, and I'm not sure this is the case) all customers are affected.

They're all idiotic in my book :)



Ubisoft's DRM == malice.


Servers and networks go down. It happens, and sometimes, no matter how much local testing you do, they only fail when you are at a huge number of users at a peak time (Sunday game playing). They should have expected it to happen and programmed accordingly.


That's what I meant, though. They would have expected large numbers of users. They knew how many copies of the game they sold, and should have planned their servers accordingly. Time will tell, though, whether it was a failure on their part or foul play.


I've done quite a few independent 3rd party tech reviews of a number of game hosting providers, and was (and am) quite shocked at the absolute crap that I saw. Sure, a few were well done and at a level of quality you would expect based on their popularity and sales numbers, but quite a few were shocking pieces of crap.

You're making the assumption that the hosting system they're using is the former, and not the latter.

While I don't know anything about their specific situation, I wouldn't just assume that they actually have their shit together.

It could very well be that they didn't design or implement a system good enough to handle the requirements of their DRM.


Oh, and I also have a possible theory as to why this is.

Game developers are, for the most part, quite smart.

When a game company, or any tech company, for that matter, runs into a problem that needs solving, they generally try and solve it in-house to start with. The normal traits that make a developer good at his job (problem solving skills, intelligence, confidence in his/her abilities, etc) sometimes are their own worst enemy, as they feel that they can solve that particular problem.

Very rarely have I found smart developers that understand and recognize their limits to the point that they suggest bringing in outside, professional help, rather than tackling the problem themselves. This makes them look bad to management and their peers, and can damage their ego. And it may seem like a fun challenge as well. They honestly think that they can figure out a solution to just about any problem, even if that problem is way outside of their skill set or experience.

Personally, my experience is in architecting large, scalable, fault tolerant systems, like online banking, offshore gambling, government stuff, and online global gaming systems.

I've been brought into more than a few situations where this has been exactly the case. Sure, the in-house devs have come up with a solution, and they're doing everything that a smart person would do for the first pass at a solution, but they don't have the experience to know what will or won't work down the road.

Their first iteration ran into the same problems that every other first iteration had, but their timeline, budgets, and marketing pressures don't afford them the luxury of improving it to where it should be.

I have the luxury of the experience to come in with knowledge of the 20th iteration of a solution, and can apply them early on in the process.

My current contract is just like that... I made design and implementation decisions early on that seemed to make no sense to the devs, even after I explained the reasoning, but now that we're 8 months down the road and they see those designs in action, they get it. And a lot of that also has to do with the devs' lack of experience and understanding of what an operations team needs to run the system.

Anyway, this has been some of my experience, and it wouldn't surprise me to find that it could quite possibly be the case here.


> I made design and implementation decisions early on that seemed to make no sense to the devs, even after I explained the reasoning, but now that we're 8 months down the road and they see those designs in action, they get it.

To what degree does this refute the YAGNI principle? If the initial phases of the project don't need those sophisticated aspects, why would you design them in at the beginning?

Don't interpret that as an attack. I'm really trying to resolve two principles that both seem obvious, but are in tension to some degree.


>> If the initial phases of the project don't need those sophisticated aspects, why would you design them in at the beginning?

Because history has taught me that it will be a definite requirement later on (as in when going live), and the amount of work involved with going back after the fact and incorporating it is insanely high versus designing it properly up front.

So that's not YAGNI, that's You Just Don't Know That You'll Need It.

That's where the experience comes in.

We're not talking about simple refactorings, etc., but major design decisions like technology stacks, architectures, etc.

For instance, the biggest issue I've run into is having a live MMO that had the "new" requirement to be able to troubleshoot and debug a single user among hundreds of thousands.

That is something best handled by a proper initial design, not a slight reworking later on in the process.

As far as I'm concerned, too many people take YAGNI too far. There's a compromise there, and that's where the experience comes into play.


> Very rarely have I found smart developers that understand and recognize their limits

This is the greatest problem in all areas of software development, not just games.


So they intentionally introduced a gaping DDoS vulnerability into their software? That doesn't exactly make me feel warm and fuzzy.

The buck stops with Ubisoft, regardless of whether it's a DDoS or not. There's no good software engineering reason for the failure of one of their servers -- or even all of their servers -- to imperil all of their users, yet they decided to design their product that way anyway. That means it's their fault when the inevitable occurs. (As it would have even without the DDoS, when they decide to shut the authentication servers down if not before.)

My grandmother could have seen this coming, and my grandmother has been dead for a long time.


Could happen to anybody, really. Who knows, next time I want to play Mafia some DDoS from some anti DRM nutcases will stop me. No, wait …


> The only reasonable explanation I can think of for such a terrible failure is that anti-DRM people are DDOSing the servers.

Don't forget Hanlon's razor.

It might be a DDoS, but given how stupid was the decision to implement such a DRM scheme in the first place, I would not be surprised if their incompetence also extended to a really lousy and unreliable implementation of the idea.


This. Any DRM scheme that tries to take away users' control over their own open hardware is both despicable and doomed. How smart can you be before you decide you'd rather not have that on your résumé?



