23 votes

Nintendo pulls Switch game A Dark Room from eShop after dev reveals he sneaked in a basic code-editor as an "Easter egg"

12 comments

  1. [12]
    firstname

    I would be very interested to hear what the many programmers here on Tildes have to say about this, more specifically, is it a big security risk? And if it is, how would someone go about hacking the Switch through this interpreter?

    4 votes
    1. [2]
      natdempk

      A lot of this really comes down to how this is implemented in my opinion. If by "Ruby interpreter" we mean a hard-coded list of commands that this system translates to Ruby-like operations which don't expose any of the underlying Ruby language, then this is probably safe/useless for hacking the Switch. If all you can do is math and drawing lines on the screen, this is probably useless.

      If this accidentally exposes any of the meta-programming aspects of Ruby or even certain parts of the underlying language, then this is basically a way for people to hack into the switch readily. Even the limited subset of commands approach may fall down if the author has forgotten about certain aspects, or even accidentally exposed insecure functions. For example with a quick Google search I found this post which details a Ruby interpreter escape using essentially just printing a formatted String:
      https://eyalitkin.wordpress.com/2017/06/02/mruby-vm-escape-step-by-step/

      It isn't hard to imagine that many more things like this are lurking in anything that exposes Ruby directly. It's notoriously hard to get this right in dynamic languages, as they often offer tools for re-programming parts of the language itself, and Ruby is no exception here.

      Entirely speculating here, but it's highly unlikely the author has covered all their bases here unless they omitted all of Ruby, and just built a new independent thing safely from the ground up. If they haven't done that, then this basically guarantees that at some point in time this becomes an exploit vector for the Switch, but who knows what they actually did.

      12 votes
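
The difference natdempk's comment describes, between a hard-coded command list and a layer that exposes the underlying Ruby, shown as an added example that is not part of the original thread and is not A Dark Room's code. `Canvas`, `UnsafeConsole` and `SafeConsole` are hypothetical names, and the two commands (math and line drawing) are taken from the comment's own description.

```ruby
# Added example; Canvas, UnsafeConsole and SafeConsole are hypothetical.
class Canvas
  attr_reader :lines
  def initialize; @lines = []; end
  def line(x1, y1, x2, y2); @lines << [x1, y1, x2, y2]; :ok; end
  def add(a, b); a + b; end
end

# Risky design: the user's first word is used as a Ruby method name,
# so every method Canvas inherits from Object is reachable as well.
class UnsafeConsole
  def initialize(canvas); @canvas = canvas; end
  def run(input)
    name, *args = input.split
    @canvas.send(name, *args.map { |a| Integer(a) })
  end
end

# Allowlist design: input is parsed as data and looked up in a frozen
# table; no user string is ever used as a method name or evaluated.
class SafeConsole
  COMMANDS = {
    "line" => [4, ->(c, a) { c.line(*a) }],
    "add"  => [2, ->(c, a) { c.add(*a) }],
  }.freeze
  MAX_ARG = 10_000

  def initialize(canvas); @canvas = canvas; end
  def run(input)
    name, *raw = input.to_s.split
    arity, handler = COMMANDS.fetch(name) { raise ArgumentError, "unknown command" }
    raise ArgumentError, "wrong argument count" unless raw.size == arity
    args = raw.map do |tok|
      raise ArgumentError, "not an integer" unless tok.match?(/\A-?\d{1,5}\z/)
      n = tok.to_i
      raise ArgumentError, "out of range" if n.abs > MAX_ARG
      n
    end
    handler.call(@canvas, args)
  end
end

# Helper for checks: true when the console refuses the input.
def rejected?(console, input)
  console.run(input)
  false
rescue ArgumentError
  true
end
```
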
      1. unknown user

        As far as I know, it was a proper Ruby interpreter (apparently using a relatively old version of mruby).

        2 votes
    2. [5]
      Adys

      Urgh, fuck Nintendo is what I think about this. They're a backwards company regarding this sort of thing, hyperprotective of their hardware.

      They're the King of walled gardens. Apple is merely the gardener.

      8 votes
      1. [3]
        DanBC

        To be fair the ease of piracy on 3DS lost them a lot of money.

        2 votes
        1. balooga

          My guess is, like with other forms of piracy, the money "lost" in this case would not have actually translated to revenue for Nintendo anyway. Some of it would, maybe, but only a small fraction.

          2 votes
      2. firstname

        I do agree, it's all about money really. And I have never been able to support money first, everything else after up to this point, which all the large companies like Nintendo live by. It is simply how the world works in our current society. We don't build temples and churches anymore, we build world trade centers and the like. Money is our god in a way.

        I was more curious about the technicality of it, I'm no hacker. When my car breaks down I ask a mechanic, when the Switch gets hacked I ask a programmer.

    3. [3]
      TheJorro

      Nintendo systems have historically been hacked through code exploits in certain games, it's not really surprising that they'd quash any code interpreters snuck onto their store in a game. Even if the dev thinks it's too limited to be useful, that doesn't mean the hacking community can't find a way to exploit it—they've got a long and storied history of doing exactly that.

      Hopefully it's fixed soon, A Dark Room is an excellent game.

      8 votes
      1. [2]
        moocow1452

        Would Nintendo let them back on the console? They knowingly pushed a version of the game that allowed outside code to be run and broke their agreement.

        5 votes
        1. TheJorro

          I don't see why not but this may very well be the first issue of its kind for Nintendo, so it's hard to say.

          2 votes
    4. unknown user

      Sure, it's a security risk, although in the end not a huge one.

      On the whole, the Switch's security is pretty good; the most notable vulnerability, Fusée Gelée/ShofEL2/memecpy, was due to an Nvidia screwup, and was nothing to do with Nintendo. plutoo gave a talk at 34c3 about Switch hacking, and everything is pretty well-isolated from everything else – even a malicious game (or Ruby code running inside a game) wouldn't really be able to do much.

      4 votes