Season 3 Episode 6 Feb 18, 2021

CD Projekt Red Hack, a Florida Water Supply Hack, and a Major ‘Dependency Confusion’ Hack

Pitch

Hackers be hacking

Description

In this episode, we talk about engineers unionizing with other workers at Medium, Epic’s MetaHuman Creator, a hacker who broke into a water system in Florida, and a security researcher who breached over 35 big tech companies leveraging something called dependency confusion. Then we are joined by Pierre Leclerc, co-founder of 6 Eyes Studio, and game developer of the tactical RPG, Fell Seal, to chat about the recent hack of the game studio CD Projekt Red, and what one can realistically do with stolen video game source code.

Hosts

Saron Yitbarek

Disco - Founder

Saron Yitbarek is the founder of Disco, host of the CodeNewbie podcast, and co-host of the base.cs podcast.

Josh Puetz

Forem - Principal Engineer

Josh Puetz is Principal Software Engineer at Forem.

Guests

Pierre Leclerc

6 Eyes Studio - Co-founder

Pierre Leclerc is co-founder of 6 Eyes Studio, and game developer of the tactical RPG, Fell Seal.

Show Notes

Audio file size

52573486

Duration

00:36:31

Transcript

[00:00:10] SY: Welcome to DevNews, the news show for developers by developers, where we cover the latest in the world of tech. I’m Saron Yitbarek, Founder of Disco.

 

[00:00:19] JP: And I’m Josh Puetz, Principal Engineer at Forem.

 

[00:00:22] SY: This week, we’re talking about engineers unionizing with other workers at Medium, Epic’s MetaHuman Creator, a hacker who broke into a water system in Florida, and a security researcher who breached over 35 big tech companies leveraging something called “Dependency Confusion”.

 

[00:00:39] JP: Then we’re joined by Pierre Leclerc, Founder of 6 Eyes Studio and Game Developer of the Tactical RPG Game, Fell Seal, to chat about the recent hack of game studio CD Projekt Red, and what one could realistically do with stolen video game source code.

 

[00:00:52] PL: Like a business person might think it’s a great idea to start with this whole code there. But as a software engineer, my mind is like, “Well, how much time are we going to save really? How much ease will it be to work with these systems, et cetera, et cetera?”

 

[00:01:09] SY: So this episode is chock-full of a bunch of stories about hacking. I’m so excited. But before we get to all of those, there were a couple of news bits that we thought were neat and wanted to quickly go through. You might remember earlier this season how we talked about the Alphabet Workers Union with Alex Gorowara, Senior Software Engineer at Google and Spokesperson for the Union. Well, the blogging platform, Medium, has now unionized, partnering with the same media labor union as the Alphabet Workers Union, the Communications Workers of America. This union includes the company’s engineers, editors, reporters, data analysts, marketers, designers, curators, producers, partnership managers, and administrators. So basically everyone.

 

[00:01:52] JP: Everyone.

 

[00:01:52] SY: Yeah.

 

[00:01:52] JP: Everyone’s here.

 

[00:01:53] SY: Yeah. I wonder, was there anyone who wasn’t part of this union?

 

[00:01:57] JP: Oh, ouch.

 

[00:01:58] SY: Yeah. In an announcement put out by the Medium Workers Union, they state, “We are organizing because both tech and media are at a crossroads and it is more important than ever that companies in both industries are equitable and supportive of their employees. This is the age of newsroom buyouts, startups folding, tech companies shifting more jobs to contractors and the general implosion of independent media. Tech and media companies alike are constantly changing direction, dissolving and reforming, pivoting and refocusing. This often creates business advantages, but it also upends workers’ lives. To thrive as a creative sustainable platform, Medium must support and protect its workforce and create the best environment possible in these turbulent times.” That was a good quote. It was really hard to argue with that quote. I was like, “Dang! You’re kind of right.” Like startups and big companies in general are just chaotic, especially the earlier they are, the more venture-backed they are. There’s so much pressure and they can go in so many directions. And I feel them. I’m not mad at that.

 

[00:03:03] JP: This is really, really interesting. I’m also really fascinated by this because Medium is not anywhere on the scale of Alphabet and yet they’re going full force into this unionizing push. So I think this might be a cool model for other tech companies that are not the big Facebooks, Alphabets, and Apples. This could be an interesting blueprint for them to try to unionize as well.

 

[00:03:28] SY: Yeah. And I don’t know how you view the process of unionizing, but I’ve always seen it as the result of some type of problem. You know what I mean?

 

[00:03:40] JP: Yes.

 

[00:03:41] SY: Like there’s a problem internally, the workers were unhappy. They fought the management. They fought to be unionized. The management tried to squash it. I’ve always seen it as this kind of thing that spawned out of some type of huge problems, some type of internal mess that happened. But I don’t remember hearing anything about Medium. Right? Was there something that happened in Medium that caused this?

 

[00:04:03] JP: Not that I could see.

 

[00:04:05] SY: Yeah.

 

[00:04:06] JP: But I have also heard of an alternate origin story for unionizing, which is looking down the pike and it might not be an outward or a very public kind of conflict, but sometimes employees will notice, maybe change isn’t happening as fast as they want, or it’s not happening in the way they want, or they’re looking forward and they’re seeing potential problems down the road. And they’re kind of unionizing as a preemptive move.

 

[00:04:33] SY: Yeah. I do completely agree with the logic. I mean, I know, as someone who has worked at startups for many years, who has a startup, I mean, it is incredible that even sometimes the simplest decisions, the tough decisions can really change a worker’s life, at the very least a worker’s experience at the company, even if they keep their job, even if they keep their salary. Their day-to-day might change so significantly. I totally get the need to want to protect them as much as you’re protecting the business and the bottom line. So yeah, I totally get that. I also think it’s kind of interesting that they bring up media specifically, like media companies and independent media is imploding. I mean, even though we’re podcasting, I feel like I should think about the media industry more, but I haven’t. But it does kind of make me wonder, like, “What is the state of independent media? What does that actually look like? And is that an industry specifically that is more vulnerable to appending to chaos compared to other industries?”

 

[00:05:34] JP: I think we’ve definitely seen that happen in the last couple of years as print media has gone out of profitability. So many newspapers have closed. We’ve seen consolidation now among broadcast networks and television journalism and television mediums as well. I think we’re just seeing it accelerate in terms of what are the dominant forms of media, especially as things progress from a kind of push model where a studio pushes out a movie, a place pushes out a book, and it’s more of a pull model where consumers have so many more choices and so many more places to pull from. It’s obviously a very complicated subject, but that’s one of the things that I have noticed over the past couple of years is really happening in the media landscape.

 

[00:06:21] SY: And also, when I think about media, I can’t help but think about content creators, right? The individual artists who’s creating their own media, whether it’s a thriving blog, whether it’s writing their own personal, as like Substack, for example, has been really huge in helping to create some independent newsletter-based media. And so I’m kind of wondering, as independent media implodes, according to this quote, and as media companies consolidate and shut down and all that, I’m wondering where these creatives go and what type of structure, what’s the union equivalent for an independent content creator.

 

[00:07:01] JP: Yeah. I wonder if we’ll see something like the Actors Guild.

 

[00:07:04] SY: Right. Exactly.

 

[00:07:05] JP: I wonder if we’ll see something like a media guild where all the unions we’ve been talking about are always in the context of a corporation, a company, whatever. Yeah. I’m wondering if we’ll start to see like guilds and apprenticeships and some of those outside of company models for protecting workers’ rights and negotiating and doing those kind of things. It’s kind of an interesting idea.

 

[00:07:27] SY: Absolutely.

 

[00:07:27] JP: The next quick bit of news we want to go over is a sneak peek at an announcement made by Epic, creators of Unreal Engine, about their new product called MetaHuman Creator. So this is a cloud-based app that allows you to make incredibly realistic looking digital humans. This process could take weeks or months in the past, as you have to have a render farm to render these models. But Epic says that you can whip something up with their new tool in less than an hour. It’s kind of like a video game character creator on steroids. You’ve got to see this demo video to believe it. So we’ll post a link to the announcement and video in our show notes. The company says that within the next few months, they’ll open up an early access program and interested people can sign up now. Have you had a chance to look at this video, Saron?

 

[00:08:12] SY: Yes. Oh my goodness! It is equal parts, just incredible and mind blowing and also just terrifying. I mean, we already had Photoshop, right? So there's always this idea of like, “Can you trust a photo?” But now I really cannot trust photos at all. I will never believe a photo again in my life. It is shockingly realistic. What is that thing called the “uncanny valley” where it’s kind of trying to be photorealistic but not quite there and it’s kind of just awkward and uncomfortable to look at? That’s what I thought this was going to be. When I first read about it, I was like, “Oh, it’s going to be like another version, a slightly better iteration, but we’re still going to be in the valley.” But when I saw it, it’s so good. I cannot believe how good it is. Oh my goodness! You just have to watch it. You just have to watch this video.

 

[00:09:02] JP: I was digging through the release notes. They also point out that they’re going to have integrations with smartphone apps for doing motion capture. So that’s a lot of times where the Uncanny valley part comes in. You’ll see this incredibly realistic video of a person, and then the blinking looks wrong or you can’t see them breathing or things like that. The head tilts are like pretty robotic and that kind of gives it away, the things that we notice subconsciously. And so Epic says they’re going to be able to have a smartphone app that you’ll be able to photograph somewhat or videotape them. You’ll be able to record.

 

[00:09:40] SY: I still say videotape.

 

[00:09:41] JP: You’ll be able to record a person and use their motions as the basis for the motions of the fake people you create with MetaHuman Creator. It’s almost like doing a deep, fake video, but like in real time. It’s crazy.

 

[00:09:58] SY: Wow! Oh man, that’s mind-blowing. But, yeah, I mean really incredible powerful things to come to the VR world, to the AR world.

 

[00:10:07] JP: Right.

 

[00:10:08] SY: And that’s always been my biggest question is we’ve been saying for, I don’t know how long, VR is the future, right? It’s going to be VR’s time to shine. And I’ve always kind of wondered, I mean, like how good can it possibly be? Have you seen the movie, Surrogate?

 

[00:10:24] JP: No, I haven’t.

 

[00:10:24] SY: It’s not a very good movie to be totally honest, but it is about, or I guess Ready Player One is probably another example that you may have seen where it is a VR world, super realistic, it’s so realistic that people just live in that world. Right? They spent hours, days. They just get up to eat and poop and then besides that, they’re just living this world. And I’m just kind of like, “We’re never really going to get there.” You know what I mean? It’s not going to be that good. We’re going to get there. After watching that video, I am a believer.

 

[00:10:55] JP: I wonder if we’ll start to see like as we’re taking the time down from weeks and months to render something of this visual fidelity to a couple hours in a cloud-based application, I fully expect we’ll get to a point where it can be done in real time.

 

[00:11:10] SY: Oh yeah, for sure.

 

[00:11:11] JP: And then I wonder what kind of crazy stuff we’ll see, like your Zoom filters where you can put a top hat on someone are just going to look like child’s play compared to this. Right?

 

[00:11:22] SY: Yeah, being a cat on Zoom will no longer be viral.

 

[MUSIC BREAK]

 

[AD]

 

[00:11:46] SY: RudderStack is the Smart Customer Data Pipeline. Easily build pipelines connecting your whole customer data stack, then make them smarter by ingesting and activating enriched data from your warehouse, enabling identity stitching and advanced use cases like lead scoring and in-app personalization. Start building a smarter customer data pipeline today. Sign up free at rudderstack.com.

 

[00:12:09] JP: Are you looking to build a chat for your next big project? Save time building in-chat, voice, and video for mobile and web applications with Sendbird. Get to market faster with Sendbird’s UIKit, pre-built UI components, best-in-class documentation, and support for developers. Join companies like Reddit, Delivery Hero, Yahoo Sports, and Hinge. Start your free trial today at sendbird.com/devnews.

 

[AD END]

 

[00:12:35] SY: All right. So now let’s start our hacking news bonanza.

 

[00:12:38] JP: Oh, yes!

 

[00:12:38] SY: This first story is about how a hacker attempted to poison a water supply, which is not something I thought you could do with technology. So this is very, very strange. Officials said that this hacker had remotely gained access to some controls of the City of Oldsmar’s Water Treatment System. The hacker then was able to increase the amount of sodium hydroxide in the water, which if ingested in large amounts can kill you. Luckily, an operator saw this discrepancy and quickly reversed the change. The system that was breached, which requires a password, is a system that was set up in order for authorized users to remotely troubleshoot problems. And there are reportedly now other safeguards in place to prevent further hacking of the system. The hacker has yet to be identified.

 

[00:13:26] JP: This is crazy. This is absolutely crazy. So it boggles my mind that there is like basically a form on a computer somewhere in this Florida City’s Water Treatment Plant, where you just type in a number and it moves from a good level of sodium hydroxide, which the internet tells me is used to adjust the pH levels in water, that there’s just a web form where you can move that number from good, safe amount to kill everyone if they drink this amount.

 

[00:13:56] SY: Yeah. Can we also talk about how just purely evil this is? Everything about this is so evil. It feels like a silly plot in some action movie, like the villain goes in and hacks the water supply. I’m like, “Okay, that’s probably not a thing.”

 

[00:14:09] JP: This is a totally James Bond plot. Exactly.

 

[00:14:11] SY: Totally James Bond plot. And I was just kind of like, “This is ridiculous.” But it’s real. There’s a hacker who hacked into water. That is incredible, water of all things. You can hack into water.

 

[00:14:22] JP: My first question was like, “Why is this like a networked system?” Okay, I get it. So they can troubleshoot it remotely. Okay. I get that.

 

[00:14:31] SY: It’s fair. Yeah.

 

[00:14:32] JP: It’s kind of terrifying to me that the hacker has yet to be identified.

 

[00:14:35] SY: Yeah.

 

[00:14:36] JP: The news story talks about how an operator that was physically at the plant happened to look over and notice that the number is usually like 10 and instead it was like 11,000 and they were like, “Oh, that’s weird.” And they changed the number back. And then a little while later, the number popped back up to 11,000. That was the hacker changing the number. What?

 

[00:14:57] SY: Yeah. And I think to me, what is also confusing, I mean, now there are safeguards, so this problem has probably been fixed. But to me what’s shocking is wouldn’t the system deny you the ability to poison people? You know what I mean?

 

[00:15:10] JP: Right.

 

[00:15:11] SY: Wouldn’t there be something in a system that’s like, “This is the range and the range only goes up”? Maybe there is some world in which you got to quickly, like the pH is so unbalanced that you need like a crazy amount of sodium hydroxide, like maybe that’s the situation that they’re thinking of. But I was also kind of like, “Why is this even possible? Shouldn’t there be a max that’s safe?”

 

[00:15:31] JP: There’s been a couple of interesting security write-ups about this or talk about how much danger was there really because some water treatment people are saying that the system probably couldn’t actually add that much sodium hydroxide. That’s an incredible amount. But yeah, still, I think about when I have to make a new password for my bank and it takes me like half an hour to fulfill all the requirements. And evidently, I can just put lethal levels of sodium hydroxide on a form. It’s kind of nuts.

 

[00:16:02] SY: And you’re good. Yeah. No, really interesting news bit and really glad they have safeguarded that because that sounds terrifying.

 

[00:16:09] JP: Yeah, it’s also terrifying how many of these we don’t hear about. That’s also pretty terrifying. You wonder how often this is actually happening or how many close calls there are. This next story is about how a researcher pulled off a supply chain attack that was able to hack into over 35 large tech companies. Some of the companies targeted included Apple, Microsoft, Tesla, and PayPal. A security researcher named Alex Birsan was able to do this exploit with something called “dependency confusion”. So looking at open-source projects from large companies, he found references to packages that weren’t public such as a JavaScript module mentioned in a project at PayPal that had a PayPal prefix on it. It turns out many package managers prefer high version numbers or public versions of modules, which is how he got his code in the door at these companies. He created an NPM package with the same name as this PayPal package, but a higher version number, made it public and uploaded it to the public NPM registry. Inside that package, he embedded code that would phone home to his server and prove that the hack worked. He was able to use this technique with package managers in JavaScript, Ruby and Python.

 

[00:17:19] SY: Wow!

 

[00:17:20] JP: So pretty wide base. So all in all, Alex Birsan came away with $130,000 in bug bounties, which honestly feels a little low considering the severity and the scope of the problem he’s uncovered.

 

[00:17:32] SY: That’s super low. I was like, “Wait, wait, wait. No, no, no, no, no. That should be like a million dollars of a bug bounty,” especially across so many companies, across Apple, Microsoft, Tesla, PayPal. I mean, those are huge.

 

[00:17:42] JP: Yeah. So he only got payouts from some of the companies.

 

[00:17:45] SY: Right.

 

[00:17:46] JP: So we’ll have a link to his article in the show notes. He points out how he did this hack, which companies he targeted. He’s very upfront about, for example, this JavaScript module that he uploaded to NPM that targeted PayPal. In the description, he clearly pointed out this is a security research package. It will phone home to my server. Do not use it in your random projects. This is like a proof of concept thing. So he wasn’t like trying to be sneaky, but it did point out the problem in the package managers that it just defaulted to these public versions, sucked it down and included it in the build systems behind firewalls at these companies.

 

[00:18:25] SY: Yeah, absolutely incredible. This is the white hat hacking that we need in the world. Right? This is how we protect our information and we protect our businesses. So shout out to Alex for doing it, but I’m also terrified that it worked.

 

[00:18:40] JP: Yeah. For what it’s worth, the companies are all addressing this, the ones that he targeted have all either come up with statements that they’re changing their build processes. The package managers have all kind of gone on record saying that it’s either a misunderstanding and how their options were used or they’re going to be committing some code to try to mitigate this in the future. So the whole community moved rather quickly. What’s amazing to me about this hack is that it really required no trickery or social engineering on the researcher’s part. It was just publish a library, boom, hack time.

 

[00:19:11] SY: Yeah. That’s incredible because it just didn’t seem hard.

 

[00:19:14] JP: Right. Right. Yeah. You’re used to hearing these hacks where it’s like some social engineering happens and you have to trick someone into giving you their password. This wasn’t anything like that at all. So I think it makes it even scarier.

 

[00:19:26] SY: Absolutely. Coming up next, we talk about the hack of the video game studio CD Projekt Red where hackers stole the source code of both of their massively popular games, Cyberpunk 2077 and The Witcher 3. You might remember that we talked about Cyberpunk 2077 earlier this season with Nathan Grayson of Kotaku.

 

[00:19:47] NG: There had been people on the team working like nights and weekends for like a year. So it wasn’t just like now we’re going to start crunching. It was like also there had been many people crunching for a while.

 

[00:19:59] SY: Joining us to shed some light on what someone can do with stolen video game source code is Pierre Leclerc, Co-founder of 6 Eyes Studio and Game Developer of the Tactical RPG Game, Fell Seal, after this.

 

[MUSIC BREAK]

 

[AD]

 

[00:20:30] SY: Are you looking to build a chat for your next big project? Save time building in-app chat, voice, and video for mobile and web applications with Sendbird. Get to market faster with Sendbird’s UIKit, pre-built UI components, best-in-class documentation, and support for developers. Join companies like Reddit, Delivery Hero, Yahoo Sports, and Hinge. Start your free trial today at sendbird.com/devnews.

 

[00:20:56] RudderStack’s Smart Customer Data Pipeline is warehouse-first. It builds your customer data warehouse and your identity graph on your data warehouse with support for Snowflake, Google BigQuery, Amazon Redshift and more. Their SDKs and plug-ins make events streaming easy and their integrations with cloud applications like Salesforce and Zendesk help you go beyond event streaming. With RudderStack, you can use all of your customer data to answer more difficult questions and then send those insights to your whole customer data stack. Sign up free at rudderstack.com.

 

[AD END]

 

[00:21:32] SY: Here with us is Pierre Leclerc, founder of 6 Eyes Studio and Game Developer of the tactical game, Fell Seal. Thanks for being here.

 

[00:21:40] PL: Thank you for having me.

 

[00:21:41] SY: So let’s start by having you tell us about your game development background.

 

[00:21:45] PL: I’ve been working in the video game industry for a long time now. I guess my first job was with Activision, I don’t know, 20 years ago or something. And then I worked at various studios, EA, Gameloft, Topps. I’ve worked as an independent contractor and I had my own studio once before and now again, after I built more capital and connections and all that stuff. But I’ve been working as an independent developer for the past three years now. And that’s always been the end goal. So you could say that I finally reached where I want to be and it’s going well and we’re very happy with the status of things.

 

[00:22:26] JP: So talk a little bit about 6 Eyes Studio, how it came to be, and what you’re working on there.

 

[00:22:31] PL: 6 Eyes Studio, it’s my wife and I, she is an artist and I’m the programmer. So our studio was founded roughly three years ago. We started working on a singular title, Fell Seal, which is, I guess, the only title we have out right now. So we spent about two years and a half full-time working on that and a little bit of pre-work partial time. So that’s the title we released about a year and a half ago. And then we released a bit of DLC for it recently, like a big expansion package, if you will. And that’s what we’ve been working on so far. We’re pretty much done with that project and we’re going to move with a new project soon, although it’s been slightly delayed as we now have a new member of the family that’s four months old. That’s been very time consuming. So we’ve delayed our plans a little bit, but we’ll get back on the horse very soon.

 

[00:23:21] SY: Tell me a little bit about what being a game developer is like. What’s a day-to-day, an average day in the life of a game developer?

 

[00:23:28] PL: Well, I think the overall experience is fairly different depending on if you’re an independent game developer or if you’re working for a large studio or even a smaller studio. There’s a fairly big range of experience there, right? The independent part is definitely more like running a business. You have to worry about a lot of stuff and then you have to still find time to get work done while worrying about all the other things and paying salaries and contracts and all these things. It’s definitely challenging, but I mean, having your own business always is, and like I said, it’s what we’ve always wanted to do. But if you’re working for a bigger studio, I think it’s a fairly standard setup job. When I worked for EA or Activision or other big studios, it was definitely pleasant, it’s just you have less creative control over what gets done. But if you truly enjoy programming, it’s a fun experience. And they definitely have a range of challenging tasks in general for most programmers. I personally like it. I’ve been wanting to be a programmer since I was extremely young.

 

[00:24:31] SY: Nice. That’s great.

 

[00:24:32] JP: So hackers reportedly stole the source code to Cyberpunk 2077 and The Witcher 3 from video game studio CD Projekt Red and auctioned it off for an estimated $7 million. What are your initial thoughts from hearing this news?

 

[00:24:47] PL: I guess that’s a little surprising. Whenever I hear about large studios or even Sony getting hacked, I always wonder how the hell this happened, especially as we have contacts with Sony, as an example specifically, and they’re so finicky with protections and you need to do all this, what I would qualify as often superfluous steps in your dealings with them. And yet, they still somehow get hacked. I guess these hackers are good at what they do, sadly. So, I mean, initial thought is always surprised like, “Oh, how did this happen?” And also, I sure hope it doesn’t happen to me, but I guess you’re not going to sell my stuff for $7 million. So I guess I’m not exactly a great target. So that’s definitely the first thought that I get upon hearing that. I mean, that’s a strange situation. I guess I’ll wait for follow-up questions. But at the end of the day, I mean 7 million, even if I had seven million, I definitely wouldn’t buy that stuff for seven million. I think most at least software engineers specifically, which is what I am, that’s my background primarily, don’t especially like working with other software engineers’ code. So why would I pay for that?

 

[00:26:00] JP: That’s a great point.

 

[00:26:01] SY: Yeah. And that kind of leads into our next question, which is what do you do with this code? I mean, just realistically speaking, you buy this code for $7 million. What’s next? What do you do?

 

[00:26:12] PL: I don’t know. That’s a good question. I’ve worked at a lot of big studios before. So what I can tell you is that most of these studios, they have their own ways of doing things, their own pipelines for assets, their own organization. So even if you hold a source code for The Witcher 3, I mean, maybe you could build it, but could you alter it easily? That’s a different question because artists have specific workflows to get things done and then they need to be processed in specific ways. And all of this pipeline thing might not necessarily be part of whatever data dump they got in the sense that it’s knowledge, it’s people, it’s the creative artist person, knowing which strange little buttons to press. It’s not always obvious. When you work at these big studios, there’s always a lot of tribal knowledge that gets passed along to employees. So I’m not even sure easily one could grab this stuff. Maybe they’re super well-documented and everything is easy to use, I guess. But I can’t say I’ve seen that before. So I wonder about that part first. What can you even do with it? And then the other part is let’s say you’re a company and you buy that stuff and someone notices it. Okay, you’re getting sued. Or is it going to alienate your fan base? I mean, in all honesty, I’m guessing maybe like a Chinese company might be interested in buying that since they don’t seem to have much care for copyright laws there, as far as I understand it. But I’m having a hard time picturing a US-based game company buying that stuff. What are they going to do with it? I don’t know. I admit, I don’t know what I would do with it personally.

 

[00:27:54] JP: Right. So if next week I unveiled my new game, Cyberduck 2077, it’s going to be pretty suspicious. Let’s hypothetically say we were to purchase the source code. What parts could we take out of it? In a modern game project, how entangled are the various bits of art and music and game systems? Is it a big ball of code and systems that’s all intertwined or can you actually take little pieces out? Or does it just depend?

 

[00:28:25] PL: Yeah, that depends. I mean, personally, the way our stuff is set up is very compartmentalized. So you could fairly easily replace things, if you knew how to package the assets. We do use it on preparatory systems for that as an example. But I know a lot of studios, in their animations, they might bake in sounds. They might bake in even timings for various things like controls or actions. It’s surprising the way some people set up things. So it might be fairly intricately intertwined or it might not be. But at the end of the day, if you think about it, right? Unreal is already selling their engine. Of course, it’s not the same as a fully made game. But as you say, if you’re trying to not make it obvious that you’re using someone else’s code, if you reuse all the assets, the art, the visuals, that’s going to be very obvious, right? Because that's the end-user's stuff. So anyone can notice that. Now the code under the hood, it’s always more difficult to notice, right? As an example for our game, when we get praise, everyone praises their music, their graphics, the design of something. No one ever praises the code, right? How would they know?

 

[00:29:40] SY: Yeah.

 

[00:29:39] PL: I mean, the best you’ll get is, “Oh, it’s not very buggy.” Okay, gee, thank you. So the code itself is definitely tougher to tell, although a programmer itself might notice, like personally we use Unity. And whenever I purchase a game that’s using Unity, I can tell immediately that it’s using Unity. There’s all these signs. So perhaps a CD Projekt Red person could tell that this is their code running. I would not know. It’s a tough one. I wonder what one could really do with this and how obvious and easy it is going to be to use. I’m sure there’s something that can be done. But like I said, I just wonder if buying the Unreal engine might not give you roughly more mileage because it’s set up to be expanded. Whereas this is not necessarily set up in a way for other people without the tribal knowledge to use it easily. Right?

[00:30:29] SY: It sounds like using the entire game and just building it as it is and basically just making a copy of it is probably not the thing you want to do. But I’m wondering, does it make sense to use it the way we use open source projects where we use gems, we use different libraries for very particular parts of our projects? Not the whole thing, but we use the components to build up certain things. So I’m wondering, does it make sense to buy source code for these games for $7 million to use pieces of it to run parts of our game? Does that make sense?

[00:31:06] PL: In my estimate, the seven million price tag just screams no. I don’t think there’s any engine worth that amount of money. I don’t think it’s reasonable. I don’t think you’re going to recoup your money easily with that amount of money. Maybe if the sum was smaller, but even then, like someone making their own in-house engine, it’s not necessarily made in a way to easily work with other engines, with other systems, with other pieces. So it could easily be fairly monolithic. So while you could peel off some pieces of code in there, like maybe their file system, their save system or the interface with consoles, again, these are not things worth anywhere near this sum of money. So I really find it questionable. Like I said, to me, the only thing that might make sense, and the seven million price point seems to even deny that, is a company in a country that doesn’t care too much about copyright laws buying the whole thing and then, I don’t know, minorly tweaking it and selling it there almost as is. Maybe that would work. It’s questionable for sure. But I think that might be feasible perhaps.

[00:32:17] JP: But if someone were to use parts of the stolen/illegally purchased code, you could bring it out on the PC, no problems. How does the certification process work with Sony, Microsoft, and Nintendo? Would they catch something like this?

[00:32:36] PL: I don’t think they would catch it, per se. I mean, the certification process is mostly centered right around meeting their guidelines, which usually involves terms and using the right terms and having the right controls for the player and all sorts of requirements they have for the platform. But I don’t think Nintendo, Sony, and Microsoft, in general, give a rat’s ass about any of that stuff. Now CD Projekt, they’re pretty big, right? So if they put some pressure on them, they would probably look into that. But if someone stole my code and brought it to Microsoft, if the game looked good enough, they would probably grab it. They would probably publish it and they probably wouldn’t care at all. And if I voiced a complaint, they’d be like, “Good luck proving it.” Or they wouldn’t care.

[00:33:26] JP: Got you. Okay.

[00:33:27] PL: As a specific example, the first title I released, like 12 years ago, it was an indie game, that title was called Black Sigil. It was for the DS. And without getting into too much detail, our publisher never paid us or released any of the sales numbers. And we approached Nintendo telling them like, “Look guys, could we at least have the sales numbers so that we have a ballpark idea of what we should maybe be getting that we’re not getting?” And it was not possible. They never released these numbers to us. And we were listed as the official developer of the game. So I think that kind of illustrates the point that they’re business oriented. They don’t necessarily care about the developers that much, unless they have enough pull. Like if it was EA, when there was a similar story, that’d probably be different.

[00:34:17] JP: Got you.

[00:34:18] SY: Is there anything else we didn’t cover that you’d like to talk about?

[00:34:21] PL: I think, from what I read, they stole the source code and financial data and other aspects. Maybe the second part, like all the financial data and all that stuff, could be of more use to some other people, perhaps, maybe.

[00:34:38] JP: Yeah. I think it is pretty mystifying who exactly would buy this.

[00:34:41] SY: Yeah.

[00:34:42] PL: Again, my perspective is definitely as a software engineer, right? So perhaps someone that’s more of like a business person might think it’s a great idea to start with this whole code there. But as a software engineer, my mind is like, “Well, how much time are we going to save really? Or how much ease will it be to work with these systems, et cetera, et cetera? And how obvious would it be anyway?” So as a software engineer, it’s definitely not where I would invest my money.

[00:35:12] JP: Can you imagine coming into work on Monday and they’re like, “Hey, great news, everyone, we’ve got the source code”? It’s like, “What?”

[00:35:20] PL: It’s definitely like working at a bigger studio and stuff. This is exactly what would happen. One day you get up and they’re like, “Guys, we bought this third-party engine thing for you guys. It’s going to be great. And we mandate you to use it now.” And all the engineers are like, “Okay, now we just lost a year of all the work we’ve done and it’s going to take a year to learn this thing and then a year to debug it. Why would you do this without consulting us?”

[00:35:48] SY: Well, thank you so much for joining us.

[00:35:50] PL: No problem.

[00:36:01] SY: Thank you for listening to DevNews. This show is produced and mixed by Levi Sharpe. Editorial oversight is provided by Peter Frank, Ben Halpern, and Jess Lee. Our theme music is by Dan Powell. If you have any questions or comments, dial into our Google Voice at +1 (929) 500-1513 or email us at [email protected]. Please rate and subscribe to this show on Apple Podcasts.