Hacker?
Changing the clock is hacking now? Really?
A 10-year-old hacker has won the admiration of her adult peers for finding a previously unknown vulnerability in games on iOS and Android devices. The young girl, who has adopted the hacker handle CyFi, discovered the timing related bug after she got bored with the slow progress of a FarmVille-style games. For example, crops …
Yes, setting the clock forward to gain an advantage in online gaming is a (simple) hack. If you can make the program behave in an unintended way, you are hacking it. It is hacking as is setting the clock backward to fool "trial" software into a "forever trial" status, for example. Easy, stupid, but still a hack.
"Yes, setting the clock forward to gain an advantage in online gaming is a (simple) hack. If you can make the program behave in an unintended way, you are hacking it. It is hacking as is setting the clock backward to fool "trial" software into a "forever trial" status, for example. Easy, stupid, but still a hack."
No, it is a "bug exploit". Alternatively it is a "clever yet unintended use of game mechanics".
Hacking involves gaining unauthorized access and/or inserting your own code.
Repeatedly changing the clock in small increments so as to circumvent a programmatic method implemented to stop the abuse, yes. Just because it is simple doesn't mean it isn't a hack. In fact, if you go all the way back to the earliest definition as in "an elegant hack" the simpler and more obvious but not thought of, the better.
Taking advantage of any implementation glitch in a game would be a hack. Changing the system clock to gain advantage in Farmville is not all that different from skipping most of Ravenholm in HL2 with physics tricks or taking advantage of disappearing sprites in Duke Nukem 3D -- something around when I was ten -- to beat the Cycloid Emperor with very little effort. It shows that you've spend plenty of time playing the things, are reasonably intelligent or at least observant and inquisitive, and have some vague idea of how they work. It is a hack in the sense that you are playing the game in a way unintended by its creators, but it hardly makes you a hacker or your "hack" news. Nonetheless, good going for the ten-year-old and good going for DefCon. Maybe their outreach will interest at least a few more kids in considering careers which are vaguely useful.
Previously unpublished perhaps, along with a lot of other trivial things. It's a bad programmer who trusts the user's system to tell the truth about such things as the system time.
Having said that, I have a number of instant messages sat on Skype which appear to be from the future because I reset my PC's BIOS and failed to notice that the clock setting was in 'merkin format (mmddyyyy) until I'd been using it for a few hours. I mean seriously, who came up with that? It's like telling the time with the seconds between the hours and minutes. And honestly, why does Skype not timestamp messages with a server time?
It's because Merkins say a date as "January first" while we Limeys says "The first of January".
The irony of course is that Independence Day is "The Fourth of July".
El Reg readers know that the Americans are right to put month before day, it's just that they have the year position wrong.
"Us 'ere Limeys also say "ten past five" for a time, but we don't write it as "10:17""
<sarcasm> I would hope that we don't write "ten past five" as "10:17". I'm kind of hoping that we write "ten past five" as "5:10". </sarcasm>
Of course, I might have just been doing it wrong all these years.
This is not a new discovery. The wife and her family have been doing this for yonks to cheat this kind of game. Saying a 10 year old discovered it seems a bit late.
Also, this isn't a "vulnerablility". It is a flaw in the game to prevent cheating, but i can't see it as an attack vector.
On the BBC it was implied that this would let arbitrary code be run on the system...
http://www.bbc.co.uk/news/technology-14443001
(As for the comment above that it indeed is "hacking" in an online game -- note that its obviously NOT an online game here, as that kind of trickery is checked against... it only worked "if shutting down wifi" etc.)
don't bitch at me for your own idiocy.
Whether this means just blocking the postings like a geek, or unfriending the people who send you the messages is entirely up to you. Or perhaps you should go in and remove yourself from the game settings. Because the last time I checked, I'm limited to 50 messages to people for a given session, and I sure as hell try to make sure I'm getting something back for the messages I'm sending. Which means they only go out to people who are listed in the game as playing the game.
Ah yes... At the same age I was rewiring the joystick port of my TI-99/4A to connect it to under carpet pressure pads I had made from tin foil, bubble wrap and bin liners, so that my intruder detection program could sound the alarm and log entry and exit from my bedroom for when my horrible little brother came to nick stuff off me. lol.
I also "invented" a new limitless power supply for street lights for my toy cars, using bell wire, 1.5v torch bulbs and a mains power cassette recorder lead... this was slightly less successful, as shoving the bare ends of bell wire into 240v mains had the effect of vaporising said torch bulbs instantaneously. You live and learn. Kids eh!? :-D
...but a few years later on an amiga. changed all the planet names etc on frontier:elite2 to humorous words. also the intro credits. that was pretty cool
deksid got me into "hacking" (worked fine as long as the CRC was unchanged), which i very rarely see anymore in my professional life as a contractor. hit the hex dude!!!!! :)
i 'hacked' a football manager game on the spectrum 128 so I had a limitless cash to build my team.
More recently (10 years ago) i created a champions league patch for the PSone emulator on PC playing one of the first versions of PES, using hexedit, I altered all the players, and built new 3d stadia by directly editing the hex to move the 3d polygons around, remember doing a new Villa Park.
I can't have been much older than 10 when I was messing with the clock to speed up the gestation period of virtual cats in the "Catz" PC game.
I also took a hex editor to some of the virtual creatures, but never managed to create anything more interesting than garden variety deformaties.
At least the Petz games had some rudimentary genetics built in. As such they were more stimulating than watching corn grow.... and always ending up with the exact same type of corn.
Corn is a simple thing really, if you're that interested in it, surely you would set asside the space and time to grow some REAL corn? And I did that too when I was 10. Well not corn exactly, but potatoes.
How many of these kids would still be interested in farming if you handed them a shovel?
The hack isn't the story here, the impressive thing is that she notified the developers before posting... at aged 10 I probably wouldn't have given a crap about the software authors and wouldn't have any real idea of how it would affect them had I posted the hack.
"The 10-year-old presented her findings last weekend in Las Vegas at the very first DefCon Kids, the new pint-sized campaign conference to DefCon. "
Methinks some adult/s may have been involved, as not many 10 year olds would be able to get themselves to a conference like this...
As mentioned, it's not a hack. It's also not something that can ever be defended against really, unless you have a network time server for the game to check against (which this apparently doesn't). The host device's time settings are gospel.
Unfortunately, I can't say I'd have done this when I was 10. But only because my C64 didn't have a real time clock that I could manipulate like this. Do creating my own Action Replay codes to search for the "number of lives" register count??
I have several programs running on my server that crash if the clock changes by more than a small amount when it checks. That even means that I can't just synchronize the clock with a time server suddenly. Unfortunately, it does require the ability to approximately track the passing of time instead of absolute time. Which would mean that the game would either need to have a timer running in the background or make the user actually play for that time instead of just walking away. Alternatively, the system could provide a function that only counted clock tics and didn't care about the absolute time.
Though, really, I find it odd that the phone lets you change your system time willy nilly like that in the first place. The clock is just too important to a number of standard functions for that to be sensible.
Zynga games could be hacked to allow you to do stuff without having hundreds of "friends" actively playing the games, or requiring you to part with vast amounts of real money to do anything useful.
Those limitations quickly turned me off the "freemium" "social games", as to make significant progress requires you to have oodles of "friends", all of which are (a) online 24/7, and (b) are willing to throw real money at the games in order to buy stuff with "cash". Oh, and (c) trying to direct the output to Friend Lists is annoying - click the padlock, select customise, select Specific friend, type in the name of the friend list, click OK, click Post. G+ is soooo much easier to send stuff to specific groups of people - and if (when) they develop an apps platform, they can ensure only people who already play that specific game get spammed, that could encourage Zynga addicts away from FB. Although it would be much nicer if Zynga and any games company that either spams contacts mercilessly or runs a "freemium" service are barred from G+ :)
Meanwhile, installing Skype on mum's Windoze box tries to persuade you to install a games platform - anything to do with their Facebook tie-up?