ZOS integrated spyware RedShell by mistake, deleted from live, still in PTS folder

idrankyourbeer

my reasons to renew my ESO+ subscription are getting smaller by the day.

Cpt_Teemo

Kuwhar wrote: »

karthrag_inak wrote: »

ADarklore wrote: »

Wow... I swear, all the paranoid people out there... now I know why so many people actually believe conspiracy theories.

I'm sure ZOS' TOS that we agree to, and they recently updated, includes a provision for them to utilize this. If you accepted the TOS, then you agreed to it, if you block it, then by all means they have the right to block access to THEIR game. If you wish to quit because of it, SEE YA!

I've been a data scientist for >4 years and this is nothing "paranoid". You can prove via information theory beyond a certain level of doubt the required info to uniquely identify a user just by their browser configuration (i.e. fonts installed, browser type, etc.) and, using this information, any surfing behavior can be attributed by multiple sources to a single individual. This is some of the information redshell is collecting.

There are minimal laws restricting the sharing of this "innocuous" information so it can be shared with multiple interested parties with impunity, who can aggregate this data and build profiles of hundreds of millions of people with surprising accuracy. I've done this before.

People are surprisingly "linear" in their behavior, and very simple models can be used to not only connect seemingly diverse behaviors with high accuracy, but also to predict future behaviors. Using a single hidden layer NN I was able to predict future purchases for a large commercial website (sundance) with around 95% accuracy, among their hundreds of thousands of customers.

I was also able, with minimal effort, to link their desktop and mobile devices, which always broadcast timestamped geo location information, illustrating locations and timing patterns.

The stories I could tell. This is uncool.

The paranoia comes from the fact that this isnt the only company or service doing this. Microsoft does it on their OS, ZOS has access to everyone of our IP addresses, even if you run a VPN its still possible to track you down.

The overarching point is what could or would someone do with this data?

Im not particularly happy about it but i also dont understand the outrage, cookies on browsers, OS telemetry, bank loans, car loans, insurance, credit cards, HOSPITALS etc etc etc all have insanely more damaging info but nobody blinks an eye.

I'm surprised they even need to stoop so low to install spyware without letting anyone know about it no matter how low key it is

LumbermillOverlord

karthrag_inak wrote: »

In the process of decompiling redshell.dll using MS reflection. Will update with results.

thanks

Zinaroth

ADarklore wrote: »

Zinaroth wrote: »

Yeah well if this is true then according to the GDPR demands ZOS will have to give us EU players full transparency on what data they are collecting and what they are using it for - which we will need to accept before they are allowed to collect this data. They will also have to give us a way to 100 % guaranteed delete any information they gathered from us without prior notice at any point we want - as many times as we want.

If it is indeed true that they did this without telling us they are already breaking the GDPR demands - which is in violation with European law and punishable by huge fines leading up to a ban of their services in the entire region if they do not adhere.

Yes I know, because ZOS, or rather, ZENIMAX, doesn't have enough money to have expensive lawyers who comb through all the laws before implementing anything.

Not officially informing us about collecting this data and their intent of usage along with instructions on how to delete said data is already a violation of these laws. It doesn't matter how many lawyers they have or the fact that they are based in the US - there are no loop holes for these laws; they are specifically made with the intent of not allowing big corporations to be able to weasel their way around it.

karthrag_inak

Kuwhar wrote: »

The paranoia comes from the fact that this isnt the only company or service doing this. Microsoft does it on their OS, ZOS has access to everyone of our IP addresses, even if you run a VPN its still possible to track you down.

The overarching point is what could or would someone do with this data?

Im not particularly happy about it but i also dont understand the outrage, cookies on browsers, OS telemetry, bank loans, car loans, insurance, credit cards, HOSPITALS etc etc etc all have insanely more damaging info but nobody blinks an eye.

I do more than blink an eye, and am quite aware of the disposition of my personal information. I also expect that a service that I pay for will not attempt to double dip, selling my information, without informing me. This is the beginning of a dangerous trend, I think - there's an information barrier in browsers that does not exist with a library running on a machine. Literally everything on a host machine is open to perusal to a dll executing on the host with, presumably, administrator privs.

Also, the institutions you mentioned have tight legal restrictions and oversight as to how they can dispose of that information. What ZOS has done here, with this 3rd party dll...not so much. I have expressly disabled all 3rd party connections that I have been allowed to disable in my account configuration, and yet here we are, with a 3rd party program running on my machine. This smells like class action to me, frankly.

Caran

It might or might not be a serious thing. It might or might not "spy" on me - but it has nothing to do with the game itself and I'd like to be informed before somebody installs such things on my computer.

Cpt_Teemo

Zinaroth wrote: »

ADarklore wrote: »

Zinaroth wrote: »

Yeah well if this is true then according to the GDPR demands ZOS will have to give us EU players full transparency on what data they are collecting and what they are using it for - which we will need to accept before they are allowed to collect this data. They will also have to give us a way to 100 % guaranteed delete any information they gathered from us without prior notice at any point we want - as many times as we want.

If it is indeed true that they did this without telling us they are already breaking the GDPR demands - which is in violation with European law and punishable by huge fines leading up to a ban of their services in the entire region if they do not adhere.

Yes I know, because ZOS, or rather, ZENIMAX, doesn't have enough money to have expensive lawyers who comb through all the laws before implementing anything.

Not officially informing us about collecting this data and their intent of usage along with instructions on how to delete said data is already a violation of these laws. It doesn't matter how many lawyers they have or the fact that they are based in the US - there are no loop holes for these laws; they are specifically made with the intent of not allowing big corporations to be able to weasel their way around it.

I consider this an act of someone literally bugging your home with cameras and such, its an invasion of privacy no matter how little or large it is.

xRIVALENx

karthrag_inak wrote: »

In the process of decompiling redshell.dll using MS reflection. Will update with results.

x64dbg works quite well for this if you run into problems with MS Reflection.

Merlin13KAGL

RinaldoGandolphi wrote: »

This is a big deal, far more then people realize.

I am not going to get into technical details, simply because most won't understand. What I will say is they are using a .DLL file to harvest hardware identifying information from your computer so they can track said information regardless if you delete cookies, browser cache, etc. You can get away from Facebook, Google, etc tracking...there is no getting away from this.

I have been here since the beginning, but this is the end of the road for me. This is simply unacceptable, and I really don't care what their EULA says. I consented to their Eula change under the impression they were going to use monitoring for Anti-cheat purposes(Steam VAC, Punkbuster, etc)....I didn't sign up to be tracked and followed for marketing purposes so they can sell more crown store content. This is akin to installing Spyware on my machine, and its a huge betrayal. I'll never buy another game again that Zenimax Online Studios has any part in publishing or selling.

this right here, is the beginning of the end...many of you just don't know it yet...things like this have a colorful history of killing games off, give it time. You won;t believe me now, but you will later down the road.

Sad too, I enjoyed my time here, I still enjoy the game even today, but there is no way I will continue to play under these pretenses.

So I guess this is the end of the road for me, maybe i'll come back if they remove this nonsense, if not, then its been fun. Say what you want about Google but they at least give you the ability to opt-out of this nonsense. You can only push things so far, and they have pushed me to the point I won't be pushed any further. Everyone has their own breaking points, and each persons point isn't always the same.

Take it easy folks, its been a fun ride.

Probably for the best, since you don't understand yourself.

It's a hardware ID. Windows does the same thing when you activate. It's nothing new, and it's not going away anytime soon, because it's an effective way to have pretty good odds of identifying a unique system without having to otherwise have the details about that system.

If you don't think Google analyzes your data anonymously, you're seriously deluded.

Chicharron

They have my credit card number, whatever else they spy from my computer, I do not care.

karthrag_inak

this is not just for spying by a single individual/corporation. This information is regularly shared/sold among 3rd parties who then use it to build comprehensive online behavior profiles, which are then shared/sold. On top of this, having a 3rd party dll executing on the host machine enables them to potentially access -everything- you have and do on your computer.

Cpt_Teemo

karthrag_inak wrote: »

If you remove the dll, the game won't launch.

^

RinaldoGandolphi

Merlin13KAGL wrote: »

Take it easy folks, its been a fun ride.

Probably for the best, since you don't understand yourself.

It's a hardware ID. Windows does the same thing when you activate. It's nothing new, and it's not going away anytime soon, because it's an effective way to have pretty good odds of identifying a unique system without having to otherwise have the details about that system.

If you don't think Google analyzes your data anonymously, you're seriously deluded.

[/quote]

I completely understand myself

I know exactly how Windows Activation works. They take hashes of your CPU, Motherboard, Hard Drive and other parts and use those parts to create a secret key that is used to activate Windows on that set of hardware. Most times you can change almost any part but the motherboard before it requires you to call MS or re-activate Windows as there is "leeway" in the hardware id algorithm they use so you don't have to re-activate for swapping a hard drive for example.

Your comparing Apple's to Oranges here...Activating a Copy of Windows has nothing in common in with playing an online game or data mining the way this Redshell dll is.

I am not deluded in the slightest, of course Google analyzes data, but they also make it easy to opt out, and they also didn't bundle a new .DLL program in their latest version of Chrome to harvest all my hardware, harvest all my hardware serial numbers

Cadbury

All I want to know is, how does this connect back to the Illuminati?

karthrag_inak

karthrag_inak wrote: »

In the process of decompiling redshell.dll using MS reflection. Will update with results.

it's not a dot.net dll so c/c++. Much more difficult, but I'm still interested in seeing what I can find out.

Marginis

Cadbury wrote: »

All I want to know is, how does this connect back to the Illuminati?

Illuminati. Freemasons. Aliens. ALIENS. 9/11 was an inside job. Chemtrails. The Earth is flat! Lizard people.






Well, I guess we've confirmed Half Life 3 again.

Rawkan

The same people claiming tinfoil probably denied what Facebook was doing as well.

Bucky Balls

A cursory examination of ...game/client/debug/redshell.dll yields the following surmised from recognisable system calls:

Information gathered:

• desktop dimensions
• your locale information based on system language
• your operating system version information (eg. windows 7 and related data)
• your cpu capabilities in terms of supported instruction sets (eg virtualisation enabled)

In my view, this information is not sufficient to uniquely identify you nor even your machine - all it might say is 'machine using German language running windows 7 ultimate has various maths functionality enabled'.

capabilities implied:

• internet connectivity (which equally implies it can be firewall blocked if it bothers you)
• data encryption (fair enough, particularly if external internet connectivity exists)
• error capture/message formating
• precise timing

For those interested in winapi specifics(not comprehensive):

• IsProcessorFeaturePresent
• VerifyVersionInfo
• CryptProtectMemory (and other crypt32.dll function calls)
• various Winhttp.dll function calls

It does not launch if you run eso64.exe directly. I suspect - but do not know - that this library exists simply to generate machine specific debug data for game crashes and report it.

Incidentally, I bought my game via steam but never use either steam nor the eso launcher (except for patching) to launch the game.

karthrag_inak

if anyone is interested, the decompiled cpp file for redshell.dll (not the one in /debug/) is available here :

https://nofile.io/f/38euVu05rMw/redshell.cpp

it's not for the faint of heart, particularly since it has embedded library functionality and arcane structuring, but maybe some folks might enjoy attempting to rebuild/reinterpret it.

Bucky Balls

karthrag_inak wrote: »

if anyone is interested, the decompiled cpp file for redshell.dll (not the one in /debug/) is available here :

https://nofile.io/f/38euVu05rMw/redshell.cpp

it's not for the faint of heart, particularly since it has embedded library functionality and arcane structuring, but maybe some folks might enjoy attempting to rebuild/reinterpret it.

Thank you - might be worth a look when I can find some time.

Minno

Marginis wrote: »

Cadbury wrote: »

All I want to know is, how does this connect back to the Illuminati?

Illuminati. Freemasons. Aliens. ALIENS. 9/11 was an inside job. Chemtrails. The Earth is flat! Lizard people.






Well, I guess we've confirmed Half Life 3 again.

Game over mannnnnnnn.

PouletRico

karthrag_inak wrote: »

if anyone is interested, the decompiled cpp file for redshell.dll (not the one in /debug/) is available here :

https://nofile.io/f/38euVu05rMw/redshell.cpp

it's not for the faint of heart, particularly since it has embedded library functionality and arcane structuring, but maybe some folks might enjoy attempting to rebuild/reinterpret it.

I'm pretty sure decompiling and sharing code it's something illegal. Or, at least, would infringe any User Aggrements... Just telling tho.

Minno

Have we figured out how to block it?

Marginis

+1 to the tech guys coming into this thread and laying down some info. More information is never a bad thing.

karthrag_inak

Here's their agreement :

https://redshell.io/privacy-policy

since ZOS didn't link to it, this is what they are doing, or at least this is what they admit doing.

Minno

karthrag_inak wrote: »

Here's their agreement :

https://redshell.io/privacy-policy

since ZOS didn't link to it, this is what they are doing, or at least this is what they admit doing.

Thanks!

Here's the segment that applies to us:
"Players Information We Collect

Customers that use our Services to track the use of their game will provide us with information regarding the characteristics and activities of their Players, including information regarding game purchase activity and in-game events such as DLC purchases. Red Shell obtains this information as a result of data being sent to our servers from our SDK in a Player’s game. The data collected by the SDK includes information such as IP address, SDK version, anonymized User ID, timestamp, Developer API Key, OS version, screen resolution, timezone, system language, installed fonts, installed web browsers, and in-game events. Player’s data collected by the Red Shell platform is presented to our Customers to analyze the performance of their marketing and the performance of their game."

So we went from "reduce the code to make the game lag less" to "let's shadow install a data compiling service that takes alot of our consumers data streams to stream to another server so we can monitor what they like in order to make *** they will buy".

ZOS needs to tell Bethesda marketing to get less greasy lol.

karthrag_inak

PouletRico wrote: »

karthrag_inak wrote: »

if anyone is interested, the decompiled cpp file for redshell.dll (not the one in /debug/) is available here :

https://nofile.io/f/38euVu05rMw/redshell.cpp

it's not for the faint of heart, particularly since it has embedded library functionality and arcane structuring, but maybe some folks might enjoy attempting to rebuild/reinterpret it.

I'm pretty sure decompiling and sharing code it's something illegal. Or, at least, would infringe any User Aggrements... Just telling tho.

It's a 3rd party program that I did not expressly allow on my machine, and as such, until demonstrated otherwise, I consider it malware. As such, decompiling/analyzing it for its impact and purpose is, as per DCMA 1205(I), considered fair use.

More information can be found here :

http://scholarship.law.marquette.edu/cgi/viewcontent.cgi?article=1087&context=iplr/

billp_ESO

A couple of questions:

- Are they gathering machine information only? Like what CPU, how much mem, graphics, etc? That would help them figure out what their player base is. That seems totally fine.

- Or are they also gathering your browsing information that has nothing to do with the game? So if you looked up kitten mittens, ZoS would sell that information to marketers?

PouletRico

karthrag_inak wrote: »

PouletRico wrote: »

karthrag_inak wrote: »

if anyone is interested, the decompiled cpp file for redshell.dll (not the one in /debug/) is available here :

https://nofile.io/f/38euVu05rMw/redshell.cpp

it's not for the faint of heart, particularly since it has embedded library functionality and arcane structuring, but maybe some folks might enjoy attempting to rebuild/reinterpret it.

I'm pretty sure decompiling and sharing code it's something illegal. Or, at least, would infringe any User Aggrements... Just telling tho.

It's a 3rd party program that I did not expressly allow on my machine, and as such, until demonstrated otherwise, I consider it malware. As such, decompiling/analyzing it for its impact and purpose is, as per DCMA 1205(I), considered fair use.

More information can be found here :

http://scholarship.law.marquette.edu/cgi/viewcontent.cgi?article=1087&context=iplr/

I was more concerned about sharing it.

One solution, I think, would be to block the api.readshell.io DNS on outgoing requests (in the windows firewall or a other software). Not sure the game would launch, could give a try tonight.

billp_ESO wrote: »

A couple of questions:

- Are they gathering machine information only? Like what CPU, how much mem, graphics, etc? That would help them figure out what their player base is. That seems totally fine.

- Or are they also gathering your browsing information that has nothing to do with the game? So if you looked up kitten mittens, ZoS would sell that information to marketers?

I think that the purpose of RedShell is to match game user with internet user. Match a player profile with their Facebook profile (for example). So I think that the game is gathering data related to your PC/Game, and then, they use data from Facebook to enrich them and make a whole new profile, having data from your game + from your Facebook profile.

LumbermillOverlord

PouletRico wrote: »

karthrag_inak wrote: »

PouletRico wrote: »

karthrag_inak wrote: »

if anyone is interested, the decompiled cpp file for redshell.dll (not the one in /debug/) is available here :

https://nofile.io/f/38euVu05rMw/redshell.cpp

it's not for the faint of heart, particularly since it has embedded library functionality and arcane structuring, but maybe some folks might enjoy attempting to rebuild/reinterpret it.

I'm pretty sure decompiling and sharing code it's something illegal. Or, at least, would infringe any User Aggrements... Just telling tho.

It's a 3rd party program that I did not expressly allow on my machine, and as such, until demonstrated otherwise, I consider it malware. As such, decompiling/analyzing it for its impact and purpose is, as per DCMA 1205(I), considered fair use.

More information can be found here :

http://scholarship.law.marquette.edu/cgi/viewcontent.cgi?article=1087&context=iplr/

I was more concerned about sharing it.

One solution, I think, would be to block the api.readshell.io DNS on outgoing requests (in the windows firewall or a other software). Not sure the game would launch, could give a try tonight.

billp_ESO wrote: »

A couple of questions:

- Are they gathering machine information only? Like what CPU, how much mem, graphics, etc? That would help them figure out what their player base is. That seems totally fine.

- Or are they also gathering your browsing information that has nothing to do with the game? So if you looked up kitten mittens, ZoS would sell that information to marketers?

I think that the purpose of RedShell is to match game user with internet user. Match a player profile with their Facebook profile (for example). So I think that the game is gathering data related to your PC/Game, and then, they use data from Facebook to enrich them and make a whole new profile, having data from your game + from your Facebook profile.

ok pls post the results later