[Update] RetroArch servers and repositories have been hacked

unnamed.png

Just a few hours ago, RetroArch/Libretro's servers and main GitHub repositories have been targeted by a yet-unknown attacker.
The attack begun with the buildbot server being crippled, which means any subsequent automatic buildbot builds, and netplay won't be available until a new server is setup for this very purpose.




After that, and a few moments later, the hacker moved on to attack Libretro's repositories at GitHub.
This attack removed the entirety of codes for certain cores, like Mame, Mame 2003, DosBox and many others, and only left a dummy ReadMe with a vague description of the core.




GitHub hasn't given any reply regarding what could be done in regards to the hacking to the GitHub repositories, but we'll keep updating this post as things go along.
The full overview of the attack and what was compromised on Libretro's side can be seen on their main Libretro.com page.

Hacker vandalised our buildbot and Github organization said:
Approximately 5 hours ago, we were the target of a premeditated cybercrime attack on our key infrastructure.

The hacker did the following damage:

  • He accessed our buildbot server and crippled the nightly/stable buildbot services, and the netplay lobby service. Right now, the Core Updater and Netplay Lobbies won’t work. The websites for these have also been rendered inaccessible for the moment
  • He gained access to our Libretro organization on Github impersonating a very trusted member of the team and force-pushed a blank initial commit to a fair percentage of our repositories, effectively wiping them. He managed to do damage to 3 out of 9 pages of repositories. RetroArch and everything preceding it on page 3 has been left intact before his access got curtailed.
We are still awaiting any sort of response or support from Github. We hope they will be able to help us restore some of these vandalised Github repos to their proper state, and also to help us narrow down the attacker’s identity.

We wanted to clear up some confusion that may have arisen in the wake of this news breaking:

  • No cores or RetroArch installations should be considered compromised. The attacker simply wiped our buildbot server clean, there is nothing being distributed that could be considered malicious to your system. Nothing has happened here and there is no need for any concern.
  • For the current time being, the Core Installer is non-functional until further notice. The same goes for ‘Update Assets’, ‘Update Overlays’, ‘Update Shaders’, and all the other online services that RetroArch users normally have access to (such as the netplay lobby services).
The IP he was using while doing this was ‘54.167.104.253’, which seems to lead back to AWS.

We’re still assessing the situation but moving forward, we think that it’s probably best not to go forward with the buildbot server that was compromised earlier today. We had some long-term migration plans for a move to a new server, but this was always pushed back because we felt that we weren’t ready migration-wise. It might indeed be the case this is the catalyst for just starting all from scratch with a new server instead of trying to migrate the old one over. This would mean that the more commonplace builds for Linux/Windows/Android would be immediately available, but all the specialized systems like consoles, old MSVC builds and whatnot would have to wait for later until we have adapted this properly to the new system.

Lack of automated backups
This brings us onto another key issue – the lack of backups. We last performed a backup of our buildbot server about a couple of months ago. The truth is that while we pay a hefty amount for the servers on a monthly basis already, there is simply not enough money to pile on automated backups as well. We could really use your support on Patreon to help lighten our financial burden here, especially since this now-pretty-much-mandatory server switch will likely cost us an insubstantial amount of money upfront while we keep the current server running for a month longer.

How will we restore things
So, how are we going to restore things? We hope that Github will be able to restore the affected repositories. If they are unable to do so, we could rely on the goodwill of users to source us with git repositories with the full history intact.

As for the buildbot? No idea to be quite frank. If we make the switch to the new server, you’ll get Android/Windows/Linux up and running early again but all other platforms will have to be added as we go along.

It’s a shame what is happening to the emulation and homebrew community. When it isn’t developers leaving for greener pastures deciding it’s no longer worth it, prestigious developers like byuu are being forced to early retirement because of unsavory online gang-stalkers. In our situation, we can’t rule out the possibility that some of these attacks come from some of the same usual suspects (it isn’t the first time we’ve seen them abuse AWS for some of these attacks, we encountered them a year ago earlier targeting our lobby services). Whatever their aim may be, while they will not deter our will to continue working on this project, they have definitely increased our maintenance and cost burden for the time being. And for this we ask for your understanding and support as we attempt to come up with a plan to address these problems moving forward. Supporting us through Patreon is a great way of helping out, especially if we can reach the $1300 goal which means we can spend a bit more each month to make sure our stuff is properly backed up.

As if the complications with Android’s new store policies that requires us to coordinate with new contributors to come up with a workable solution was not enough of a headache, this comes along. With your help and support, we will overcome this and come out stronger than before.

Regarding the Android / Core Installer situation
While we’re on this subject briefly, while it’s off-topic, we felt the need to address this real quick. We will likely be making a version of RetroArch Android that is neutered ONLY for Google Play. It will mean that the Core Installer will not be available for this, and cores will come packaged in additional APKs that can be installed. Apparently there is a 50-core extra APK limit on this until it starts requiring a version of Android over version 8.0. So while trying not to artificially bump the Android OS system requirements, we’re deciding on a 50 core-APK limit for now. Hopefully we can fit nearly most of the cores within such narrow constraints.

On our download site (and on F-Droid), we will have a RetroArch Android version that will work as before – with the Core Installer feature completely left intact. We feel this is a much superior version to what will be available on the Play Store, but unfortunately Google will force our hand here.

UPDATE:
GitHub has replied back to Libretro, with the sad news that they don't have a way to restore or have a backup of the repositories Libretro had before the hack. It seems the restoration of the repositories will have to be done (alongside the help of other users) through full commit pushes that hold the entire history of the repositories:


UPDATE #2:
Libretro has restored the vast majority of the repositories back to shape. The only downside has been the loss of recent Pull Request:



UPDATE #3:
The buildbot is now back online, though not at the same extend as it was before the attack
http://buildbot.libretro.com/

Right now some builds for multiple platforms have been compiled, but some of those builds might be prone to failure.
I recommend trying them out only if you have your previous build backed up in case some compilation went bad.




:arrow: Source
 
Last edited by ShadowOne333,

TheCasualties

Just trying to be helpful
Member
Joined
May 11, 2020
Messages
440
Trophies
0
Location
The Bardo Islands
XP
484
Country
Netherlands
Codex got a new job! :rofl2:


But seriously,sounds like some dude figured out a password. Most people probably wouldn't even notice, unless they try to update their cores right now.

Edit: dang they didn't have backups?
 
Last edited by TheCasualties,

Silent_Gunner

Crazy Cool Cyclops
Banned
Joined
Feb 16, 2017
Messages
2,696
Trophies
0
Age
28
XP
4,644
Country
United States
Is it just me, or does it seem like hackers have been more active than usual this year? Because it seems like a lot of high profile hacks/leaks/and breaches have occurred regarding stuff that's kind of trivial, all things considered.

Like, I remember when hacking groups would target corporations because said corporations were corrupt and/or in the moral wrong, but now, Nintendo's gotten three/four different leaks this year, and now we have RetroArch getting hacked.
 
Last edited by Silent_Gunner,

nashismo

Well-Known Member
Member
Joined
Jun 5, 2013
Messages
503
Trophies
0
Age
41
Location
Home sweet Home (Mi casita)
XP
1,145
Country
Chile
Is it just me, or does it seem like hackers have been more active than usual this year? Because it seems like a lot of high profile hacks/leaks/and breaches have occurred regarding stuff that's kind of trivial, all things considered.

Like, I remember when hacking groups would target corporations because said corporations were corrupt and/or in the moral wrong, but now, Nintendo's gotten three/four different leaks this year, and now we have RetroArch getting hacked.

Yes, while the true corrupt/liars get away with it. All the FAKE virus planners and the economy killers they are all happy laughing and no one does nothing to unveil their bullshit.

In oher words, I agree.
 

Dogson

Member
Newcomer
Joined
Jun 22, 2018
Messages
21
Trophies
0
Age
29
XP
555
Country
Sweden
Nintendo's gotten three/four different leaks this year

That hack wasn't this year, it was a hack back in 2016~2017, just one Nintendo internal server hack through iQue, once they noticed iQue requesting too much data they cut that off. The hacker who went by the name wack0 was caught and is serving a type of house arrest now. He also hacked into Microsoft during that time. Those were actual hacks unlike the Twitter scam which was a authority bluff through phone calls to gain access, and with libretro we don't know yet if it was an actual hack.

Anyway, someone else got hold of the supposedly 2TB of Nintendo data and has since been slowly releasing it, at first with some false misleading stories of it being beta cartridge dumps from a collector to muddy the traces. The Space World Pokemon leak and Pokemon Blue backsprites from two years ago, all from that same Nintendo server hack, we've since gotten a lot more betas and source codes, this will continue for a few more years for sure.

Hope that clears up what has been going on. People for some reason think Nintendo was hacked multiple times in a year, which doesn't sound probable or make sense if you think about it.
 
Last edited by Dogson,

FAST6191

Techromancer
Editorial Team
Joined
Nov 21, 2005
Messages
35,811
Trophies
3
Website
trastindustries.com
XP
26,106
Country
United Kingdom
"no backups"
How much data are we talking here? Sort of thing the average computer person with the average internet connection would be able to grab often enough?
Or is this more a fault of trusting storing things on computers of others?

Fuckin' weak man. No clue who could possibly hold a grudge against RetroArch, or for what reason.
They have rubbed a few people the wrong way over the years. Drama happened at various points. Their licensing is often a source of contention.

Like, I remember when hacking groups would target corporations because said corporations were corrupt and/or in the moral wrong, but now, Nintendo's gotten three/four different leaks this year, and now we have RetroArch getting hacked.
I don't know if that particularly ever happened. Or at least no specific as much as "I don't like banks and really know sql injection, oh look this bank is vulnerable to a sql injection here and [checks] yep they are arseholes (though what bank isn't)".
A hacker/hacking group targetting a specific bank would fall under the umbrella of advanced persistent threat (APT) which is generally considered a myth.

Equally is Nintendo not a dubious company?
 

Xzi

Elden Lord
Member
Joined
Dec 26, 2013
Messages
15,236
Trophies
2
Location
The Lands Between
Website
gbatemp.net
XP
6,642
Country
United States
They have rubbed a few people the wrong way over the years. Drama happened at various points. Their licensing is often a source of contention.
So basically male Karens and assholes who just want to see the world burn, got it. Guess some people thought 2020 wasn't quite shitty enough as-is. :angry:

Maaan this is definitely gonna affect their timeline for the Steam launch, too. :(
 
  • Like
Reactions: Xabring

Silent_Gunner

Crazy Cool Cyclops
Banned
Joined
Feb 16, 2017
Messages
2,696
Trophies
0
Age
28
XP
4,644
Country
United States
"no backups"
How much data are we talking here? Sort of thing the average computer person with the average internet connection would be able to grab often enough?
Or is this more a fault of trusting storing things on computers of others?


They have rubbed a few people the wrong way over the years. Drama happened at various points. Their licensing is often a source of contention.


I don't know if that particularly ever happened. Or at least no specific as much as "I don't like banks and really know sql injection, oh look this bank is vulnerable to a sql injection here and [checks] yep they are arseholes (though what bank isn't)".
A hacker/hacking group targetting a specific bank would fall under the umbrella of advanced persistent threat (APT) which is generally considered a myth.

Equally is Nintendo not a dubious company?

I know there was some stuff Anonymous did back in the day.

As for Nintendo, based on that one video from Modern Vintage Gamer, I wouldn't be surprised if at least one of these leaks is due to someone at the chip company that's made chips for almost every major Nintendo console leaking things out due to being disgruntled for whatever reason as far as it looks to me, in addition to @Dogson said in regards to the iQue leak.

--------------------- MERGED ---------------------------

So basically male Karens and assholes who just want to see the world burn, got it. Guess some people thought 2020 wasn't quite shitty enough as-is. :angry:

Maaan this is definitely gonna affect their timeline for the Steam launch, too. :(

I wonder if it's that Reicast guy who had a meltdown on Reddit that led to the core name being changed to Flycast?
 
  • Like
Reactions: Xzi

FAST6191

Techromancer
Editorial Team
Joined
Nov 21, 2005
Messages
35,811
Trophies
3
Website
trastindustries.com
XP
26,106
Country
United Kingdom
So basically male Karens and assholes who just want to see the world burn, got it. Guess some people thought 2020 wasn't quite shitty enough as-is. :angry:

Maaan this is definitely gonna affect their timeline for the Steam launch, too. :(
As ever some of the drama was from people with egos rather too large for their position in the world but some of them had a point from where I sat, and I am still not entirely sure what they have given the world; they are more or less just a frontend from what I can make out, which is fine but hardly anything to be particularly excited about.
 
  • Like
Reactions: GotKrypto and Xzi

You may also like...

General chit-chat
Help Users
    K3N1 @ K3N1: https://m.imdb.com/title/tt17047510/