[Update] RetroArch servers and repositories have been hacked


Just a few hours ago, RetroArch/Libretro's servers and main GitHub repositories were targeted by a yet-unknown attacker.
The attack began with the buildbot server being crippled, which means any subsequent automatic buildbot builds and netplay won't be available until a new server is set up for this very purpose.




After that, and a few moments later, the hacker moved on to attack Libretro's repositories at GitHub.
This attack removed the entirety of the code for certain cores, like Mame, Mame 2003, DosBox and many others, and only left a dummy ReadMe with a vague description of the core.




GitHub hasn't given any reply regarding what could be done with regard to the hacking of the GitHub repositories, but we'll keep updating this post as things go along.
The full overview of the attack and what was compromised on Libretro's side can be seen on their main Libretro.com page.

Hacker vandalised our buildbot and Github organization said:
Approximately 5 hours ago, we were the target of a premeditated cybercrime attack on our key infrastructure.

The hacker did the following damage:

  • He accessed our buildbot server and crippled the nightly/stable buildbot services, and the netplay lobby service. Right now, the Core Updater and Netplay Lobbies won’t work. The websites for these have also been rendered inaccessible for the moment
  • He gained access to our Libretro organization on Github impersonating a very trusted member of the team and force-pushed a blank initial commit to a fair percentage of our repositories, effectively wiping them. He managed to do damage to 3 out of 9 pages of repositories. RetroArch and everything preceding it on page 3 has been left intact before his access got curtailed.
We are still awaiting any sort of response or support from Github. We hope they will be able to help us restore some of these vandalised Github repos to their proper state, and also to help us narrow down the attacker’s identity.

We wanted to clear up some confusion that may have arisen in the wake of this news breaking:

  • No cores or RetroArch installations should be considered compromised. The attacker simply wiped our buildbot server clean, there is nothing being distributed that could be considered malicious to your system. Nothing has happened here and there is no need for any concern.
  • For the current time being, the Core Installer is non-functional until further notice. The same goes for ‘Update Assets’, ‘Update Overlays’, ‘Update Shaders’, and all the other online services that RetroArch users normally have access to (such as the netplay lobby services).
The IP he was using while doing this was ‘54.167.104.253’, which seems to lead back to AWS.

We’re still assessing the situation but moving forward, we think that it’s probably best not to go forward with the buildbot server that was compromised earlier today. We had some long-term migration plans for a move to a new server, but this was always pushed back because we felt that we weren’t ready migration-wise. It might indeed be the case this is the catalyst for just starting all from scratch with a new server instead of trying to migrate the old one over. This would mean that the more commonplace builds for Linux/Windows/Android would be immediately available, but all the specialized systems like consoles, old MSVC builds and whatnot would have to wait for later until we have adapted this properly to the new system.

Lack of automated backups
This brings us onto another key issue – the lack of backups. We last performed a backup of our buildbot server about a couple of months ago. The truth is that while we pay a hefty amount for the servers on a monthly basis already, there is simply not enough money to pile on automated backups as well. We could really use your support on Patreon to help lighten our financial burden here, especially since this now-pretty-much-mandatory server switch will likely cost us an insubstantial amount of money upfront while we keep the current server running for a month longer.

How will we restore things
So, how are we going to restore things? We hope that Github will be able to restore the affected repositories. If they are unable to do so, we could rely on the goodwill of users to source us with git repositories with the full history intact.

As for the buildbot? No idea to be quite frank. If we make the switch to the new server, you’ll get Android/Windows/Linux up and running early again but all other platforms will have to be added as we go along.

It’s a shame what is happening to the emulation and homebrew community. When it isn’t developers leaving for greener pastures deciding it’s no longer worth it, prestigious developers like byuu are being forced to early retirement because of unsavory online gang-stalkers. In our situation, we can’t rule out the possibility that some of these attacks come from some of the same usual suspects (it isn’t the first time we’ve seen them abuse AWS for some of these attacks, we encountered them a year ago earlier targeting our lobby services). Whatever their aim may be, while they will not deter our will to continue working on this project, they have definitely increased our maintenance and cost burden for the time being. And for this we ask for your understanding and support as we attempt to come up with a plan to address these problems moving forward. Supporting us through Patreon is a great way of helping out, especially if we can reach the $1300 goal which means we can spend a bit more each month to make sure our stuff is properly backed up.

As if the complications with Android’s new store policies that requires us to coordinate with new contributors to come up with a workable solution was not enough of a headache, this comes along. With your help and support, we will overcome this and come out stronger than before.

Regarding the Android / Core Installer situation
While we’re on this subject briefly, while it’s off-topic, we felt the need to address this real quick. We will likely be making a version of RetroArch Android that is neutered ONLY for Google Play. It will mean that the Core Installer will not be available for this, and cores will come packaged in additional APKs that can be installed. Apparently there is a 50-core extra APK limit on this until it starts requiring a version of Android over version 8.0. So while trying not to artificially bump the Android OS system requirements, we’re deciding on a 50 core-APK limit for now. Hopefully we can fit nearly most of the cores within such narrow constraints.

On our download site (and on F-Droid), we will have a RetroArch Android version that will work as before – with the Core Installer feature completely left intact. We feel this is a much superior version to what will be available on the Play Store, but unfortunately Google will force our hand here.

UPDATE:
GitHub has replied back to Libretro, with the sad news that they don't have a way to restore or have a backup of the repositories Libretro had before the hack. It seems the restoration of the repositories will have to be done (alongside the help of other users) through full commit pushes that hold the entire history of the repositories:


UPDATE #2:
Libretro has restored the vast majority of the repositories back to shape. The only downside has been the loss of recent Pull Requests:



UPDATE #3:
The buildbot is now back online, though not to the same extent as it was before the attack.
http://buildbot.libretro.com/

Right now some builds for multiple platforms have been compiled, but some of those builds might be prone to failure.
I recommend trying them out only if you have your previous build backed up in case some compilation went bad.




 
Last edited by ShadowOne333,
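An added example, not part of the original post and not Libretro's tooling: the post describes repositories wiped by a force-pushed blank initial commit and later restored from copies that kept the full history. The script below keeps such a copy as a bare backup that only ever fast-forwards and flags a rewritten branch instead of following it. `safe_backup`, `demo`, the `refs/incoming/` namespace and all paths are constructed names, and git is assumed to be installed.

```shell
#!/bin/sh
# Added example (not Libretro's tooling). Names and paths are constructed.
# safe_backup REMOTE BACKUP_DIR
#   Updates a bare backup by fast-forward only. Returns 2, leaving the backed-up
#   branch untouched, when the remote tip no longer contains the backed-up tip.
safe_backup() {
    remote=$1; backup=$2; status=0
    [ -d "$backup" ] || git init -q --bare "$backup" || return 1
    # Stage remote branch tips in a quarantine namespace, never in refs/heads.
    git -C "$backup" fetch -q "$remote" '+refs/heads/*:refs/incoming/*' || return 1
    for ref in $(git -C "$backup" for-each-ref --format='%(refname)' refs/incoming/); do
        branch=${ref#refs/incoming/}
        new=$(git -C "$backup" rev-parse "$ref")
        old=$(git -C "$backup" rev-parse -q --verify "refs/heads/$branch") || old=
        if [ -z "$old" ] || git -C "$backup" merge-base --is-ancestor "$old" "$new"; then
            git -C "$backup" update-ref "refs/heads/$branch" "$new"
        else
            echo "REWRITE $branch: keeping $old, remote is now $new" >&2
            status=2
        fi
    done
    return $status
}

# Constructed scenario in a temp dir: main gains a commit (accepted), then is
# replaced by an unrelated empty root commit (refused), as in the incident.
demo() {
    work=$(mktemp -d) || return 1
    up="$work/upstream"; bk="$work/backup.git"
    g() { git -C "$up" -c user.name=demo -c user.email=demo@example.invalid "$@"; }
    git init -q "$up" && g symbolic-ref HEAD refs/heads/main
    echo v1 > "$up/core.c"; g add core.c; g commit -q -m "core v1"
    r1=0; safe_backup "$up" "$bk" || r1=$?              # first backup
    echo v2 > "$up/core.c"; g commit -q -am "core v2"
    r2=0; safe_backup "$up" "$bk" || r2=$?              # fast-forward accepted
    good=$(g rev-parse main)
    empty=$(g commit-tree "$(g hash-object -w -t tree /dev/null)" -m "Initial commit")
    g update-ref refs/heads/main "$empty"               # history replaced upstream
    r3=0; safe_backup "$up" "$bk" 2>/dev/null || r3=$?  # rewrite refused
    kept=$(git -C "$bk" rev-parse refs/heads/main)
    rm -rf "$work"
    [ "$kept" = "$good" ] && echo "$r1 $r2 $r3 intact" || echo "$r1 $r2 $r3 lost"
}
```

When `safe_backup` returns 2, the backup still holds the last good history for that branch, and the rewritten tip stays under `refs/incoming/` for inspection.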

VinsCool

as much as i like retroarch...
you can just fuck off, this "id LOvE TO see YOu do BETTeR" attitude is complete cancer
you shouldnt have to be an expert in emulator/frontend development to criticize an emulator or not like it
Because you think that poster's attitude was better? Please.
 

64bitmodels

Do those devs plan on porting their emus to every platform RetroArch supports? Then maintaining it? NO? Then they can piss off.

Where is the native port of Gambatte to 3DS? Nestopia? Mame? FBN? Dosbox? Etc, etc...
They don't exist? That's what I thought. The devs who hate RA for these petty reasons piss ME off.
i dont think even a new 3ds could handle mame, fbn, or dosbox.
 

HaloEffect17

Is it just me, or does it seem like hackers have been more active than usual this year? Because it seems like a lot of high profile hacks/leaks/and breaches have occurred regarding stuff that's kind of trivial, all things considered.

Like, I remember when hacking groups would target corporations because said corporations were corrupt and/or in the moral wrong, but now, Nintendo's gotten three/four different leaks this year, and now we have RetroArch getting hacked.
Well, when you're stuck at home...
 

the_randomizer

as much as i like retroarch...
you can just fuck off, this "id LOvE TO see YOu do BETTeR" attitude is complete cancer
you shouldnt have to be an expert in emulator/frontend development to criticize an emulator or not like it

Oh my, someone forgot their Prozac this morning. If you don't like RetroArch fine, but don't be a condescending prick about it or be fine with them being hacked, etc.

Use standalone emulators and stop bitching about "but it's hard to use!"
 
Last edited by the_randomizer,

Silent_Gunner


i dont think even a new 3ds could handle mame, fbn, or dosbox.


Except that it kind of can, as someone who tried to play KOF98 on it like, a month ago.

This is Silent_Gunner of the Thug Wire, and facts don't fucking care about your feelings!

Now, if only RetroArch didn't take 10 minutes to load a game on the New 3DS...anyone know why it does?
 

Dinomite

Ohh, where's my popcorn....Juicy news!

What kind of "developers" don't back up their work and rely on Micro$oft to back it up for them? Sounds like incompetence to me.
 
Last edited by Dinomite,

Silent_Gunner

Ohh, where's my popcorn....Juicy news!

What kind of "developers" don't back up their work and rely on Micro$oft to back it up for them? Sounds like incompetence to me.

Honestly, these devs should just use some of the money they get donated and get themselves this HDD I just got: https://www.bestbuy.com/site/wd-eas...able-hard-drive-black/6406512.p?skuId=6406512

@m4xw, if I remember right, said he'd need about 5TB total to have a reliable backup of everything for RA. So why not? $100 isn't exactly a lot compared to some of the stuff I've bought personally. If he or whoever's responsible on the RA team wanted, there's even bigger HDDs that I'd argue are pretty affordable compared to how much they used to cost.

At the very least, it'd allow them to have a complete backup on their own personal hands to rely upon!
 

HarvHouHacker

Ouch! That smarts, I bet. If libretro reads this, I have a suggestion: perhaps he can make a copy of his work on GitLab, as well as GitHub? It's a free repo place, too. It has its own perks, including GitHub integration. Just a thought.
 

Captain_N

Some basement troll musta got bored that his E-Penis was too small.

I see they needed cash for regular backups of the site/repos...
Why can't they have the server data sent to a computer on one of the admins' home connections? Is that above their skill set? We are not talking about 100 terabytes of data here. They don't need to pay a service to make backups.

Any repos that are updated/created can just be uploaded to one of their own home computers. An 8TB external WD drive is often on sale for under $179. You can often find working drives from old DVR boxes in the trash if they can't buy new drives.

As you all can see they restored it so someone must be smart enough to have off site backups.
Maybe someone on /r/datahoarders musta helped them....
 

m4xw

Honestly, these devs should just use some of the money they get donated and get themselves this HDD I just got: https://www.bestbuy.com/site/wd-eas...able-hard-drive-black/6406512.p?skuId=6406512

@m4xw, if I remember right, said he'd need about 5TB total to have a reliable backup of everything for RA. So why not? $100 isn't exactly a lot compared to some of the stuff I've bought personally. If he or whoever's responsible on the RA team wanted, there's even bigger HDDs that I'd argue are pretty affordable compared to how much they used to cost.

At the very least, it'd allow them to have a complete backup on their own personal hands to rely upon!
4-8TB x 7 is the worst case of storage usage.
Probably more like 15TB storage will be required for continuous replication
 
Last edited by m4xw,

Silent_Gunner

4-8TB x 7 is the worst case of storage usage.
Probably more like 15TB storage will be required for continuous replication

Is that for mirroring every small change made to whatever you and other RA devs work on?

I guess I'm looking at it from a "guy working alone, only uses the backup HDD for archival purposes" perspective.
 

m4xw

Is that for mirroring every small change made to whatever you and other RA devs work on?

I guess I'm looking at it from a "guy working alone, only uses the backup HDD for archival purposes" perspective.
We are talking about the whole production infrastructure from webserver, build envs, etc.
 

Silent_Gunner

We are talking about the whole production infrastructure from webserver, build envs, etc.

Well...

...that sounds a bit more complicated than what I use my backup HDDs for...if only I was out of debt and owned a Synology and some WD Red HDDs that are full fledged HDDs and not those SMR ones.
 

Jay1983

I have a recent set of files for Android version, if they need that and there's a place to send it.
Not all cores though ... Nintendo, Sega, Sony systems and Atari 2600.
 

64bitmodels

Oh my, someone forgot their Prozac this morning. If you don't like RetroArch fine, but don't be a condescending prick about it or be fine with them being hacked, etc.

Use standalone emulators and stop bitching about "but it's hard to use!"
as much as i like retroarch...
really don't know where you got that one from, i also don't think retroarch is very hard to use. i just think people should stop saying "you should be able to do better" to people who don't like their favorite software or thing- thats putting you on the same level as the jackass poster that says "lol WHO USES reTrOArCh lolOLoL whAT A PiECE of sHIT SoFtWARE LOLOLoL sO GLAd THeY gOT hAckeD loloLOL"
you shouldnt have to be a programmer or a emulator developer to not like retroarch. when someone says something like "id love to see you do better" or "let me see you make your own *insert software/game here*" it just immediately ticks me off- stuff like that on the internet is so toxic
 

HideoKojima

Oh yeah, kid, you backing your library in three places is just the same as backing up multiple git repositories that have literally years of commits and builds plus the redundancy and automation.

Jesus Christ, that's why nobody likes developing emulators/homebrew anymore, non coders think they know everything about everything because they coded "hello world" by seeing a youtube video and shitpost in internet forums.
Know it all boy lol
 

raxadian

Well I don't have any Retroarch installed save the Sega Genesis and SNES emulators for 3DS and I haven't updated those since last year.

This just shows why having backups is so important.
 