Dev Report - Grim Dawn Item Assistant
Conversation
I contacted Marius without any ulterior motives regarding his tool, since it's always nice to have people with similar interests and programming knowledge in your contacts, and you might even meet great people too. Of course I can't prove good intentions (how could I). When I contacted him I offered the website template that I created some years ago for all kinds of tools and programs I create (visible here: http://gdsm.420weedwizard.bplaced.net/). The template consists of free, non-commercial HTML/CSS/JS plugins and frameworks. The biggest part of it is, of course, Bootstrap, an HTML/CSS framework. I offered to send him all the original files to use for his own distribution website for his tool (Item Assistant). Since he also uses the same VB2010 visual plugins as my tool GDSM, I thought he might be interested.
[Initial conversation start over skype]
Me
Hey
15:47 Marius
Hello there
Me 15:47
Hey so i got a bunch of people specially from the GD community that wanted to talk with me or that i gave my contacts to. Mind telling me who you are ;D ?
15:48 Marius
item assistant dev
Me 15:49
slipperypete then
pretty solid work you got going there
i checked your site for download and stuff for the tool
looks like you got some inspiration somewhere ;D
you want me to zip the original website for you so you can work with the same plugins and stuff ?
Marius
aaaaaaaaaaah, right… you’re the stash manager guy
hehe
nah, anything better than a blank page with a blue download link is a huge improvement for me, i tend to shy away from web stuff ;)
I have the complete chat log, which can be published if necessary.
As I already stated, when I contacted him I didn't have anything bad in mind or a bad impression of his tool.
I then corresponded with a friend of mine who is also a developer. He is known in this community as well and can decide for himself if he wants to be a part of this.
When I realised that it might be a good idea to get these two people together, so they are in contact too in case one of them has questions about the other's project, or just in general to increase the knowledge and connectivity in the GD dev community, he proceeded to tell me that he, I quote: “Would rather burn in hell than have something like his tool published on my website or even use it.” I was surprised, since I of course had not read through the whole thread, which has 28 pages right now. He then told me that the program logs certain computer information and sends it to a web interface. I thought I should check that out and ensure that there is indeed nothing shady going on; more about this in the technical section.
Technical - Logged Information
(Code comments added by myself)
Error Report Functions
```csharp
private static ILog logger = LogManager.GetLogger(typeof (ExceptionReporter));
private static List<long> ReportTicks = new List<long>();
private static int maxForcedReports = 2;
private const string URL_CRASHREPORT = "http://ribbs.dreamcrash.org/iagd/crashreport.php"; // Link that crash reports get sent to.
private const int MAX_REPORTS_PER_COOLDOWN = 3; // Maximum crash reports sent within 60 seconds (REPORT_COOLDOWN_MS).
private const int REPORT_COOLDOWN_MS = 60000; // 60-second time window to limit the number of crash reports.
```
Function used for identifying users.
```csharp
public static string UUID
{
    get
    {
        if (string.IsNullOrEmpty(ExceptionReporter._UUID))
        {
            try
            {
                // Query WMI on the local machine for the hardware UUID.
                ManagementScope scope = new ManagementScope(string.Format("\\\\{0}\\root\\CIMV2", (object) "localhost"), (ConnectionOptions) null);
                scope.Connect();
                ObjectQuery query = new ObjectQuery("SELECT UUID FROM Win32_ComputerSystemProduct");
                foreach (ManagementBaseObject managementBaseObject in new ManagementObjectSearcher(scope, query).Get())
                {
                    string @string = managementBaseObject["UUID"].ToString();
                    // Only accept values with at least five distinct characters.
                    if (@string.Distinct<char>().Count<char>() >= 5)
                    {
                        ExceptionReporter._UUID = ExceptionReporter.ToHash(@string);
                        return ExceptionReporter._UUID;
                    }
                }
            }
            catch (Exception ex)
            {
                ExceptionReporter.logger.Debug((object) ex.Message);
                ExceptionReporter.logger.Debug((object) ex.StackTrace);
            }
            // Fallback: hash the machine name when no usable UUID was found.
            ExceptionReporter._UUID = ExceptionReporter.ToHash(Environment.MachineName);
        }
        return ExceptionReporter._UUID;
    }
}
```
The final string gets hashed and then halved, to be sent as a user ID so that the logs received can be told apart. The information that gets hashed here is the UUID (more here) and the machine name.
Hash Function
```csharp
private static string ToHash(string toHash)
{
    byte[] buffer = new byte[toHash.Length * 2];
    Buffer.BlockCopy((Array) toHash.ToCharArray(), 0, (Array) buffer, 0, buffer.Length);
    string str = BitConverter.ToString(new SHA1CryptoServiceProvider().ComputeHash(buffer)).Replace("-", "");
    return str.Substring(str.Length / 2);
}
```
Usage Report Functions
```csharp
public static void ReportUsage()
{
    try
    {
        string s = string.Format("version={0}&winver={1}&uuid={2}", (object) Uri.EscapeDataString(ExceptionReporter.VersionString), (object) string.Format("{0}.{1}", (object) Environment.OSVersion.Version.Major, (object) Environment.OSVersion.Version.Minor), (object) ExceptionReporter.UUID);
        HttpWebRequest httpWebRequest = (HttpWebRequest) WebRequest.Create("http://ribbs.dreamcrash.org/iagd/stats.php");
        byte[] bytes = new ASCIIEncoding().GetBytes(s);
        httpWebRequest.Method = "POST";
        httpWebRequest.ContentType = "application/x-www-form-urlencoded";
        httpWebRequest.ContentLength = (long) bytes.Length;
        using (Stream requestStream = httpWebRequest.GetRequestStream())
            requestStream.Write(bytes, 0, bytes.Length);
        using (HttpWebResponse httpWebResponse = (HttpWebResponse) httpWebRequest.GetResponse())
        {
            if (httpWebResponse.StatusCode != HttpStatusCode.OK)
            {
                ExceptionReporter.logger.Info((object) "Failed to send anonymous usage statistics to developer.");
            }
            else
            {
                new StreamReader(httpWebResponse.GetResponseStream()).ReadToEnd();
                ExceptionReporter.logger.Info((object) "Sent anonymous usage statistics to developer.");
                ExceptionReporter.AddReportTick();
            }
        }
    }
    catch (Exception ex)
    {
        ExceptionReporter.logger.Fatal((object) ex.Message);
        ExceptionReporter.logger.Fatal((object) ex.StackTrace);
    }
}
```
This function sends the information gathered at a declared interval (every few minutes/seconds) to the following .php file: "http://ribbs.dreamcrash.org/iagd/stats.php" (more about the final conclusion below).
A function that allows the deactivation of sending reports.
```csharp
public static bool IsDevVersion
{
    get
    {
        return ((IEnumerable<string>) new string[3]
        {
            "90143FEBD82F6A9727C0",
            "20BE935C917714A35D66",
            "C753E011C0F9B98B4BCD"
        }).Contains<string>(ExceptionReporter.UUID);
    }
}
```
(Reasonable for development; no reason not to include it for everyone as a toggle feature.)
And yes, those are his UUIDs.
Conclusion - Logged Information
The following information is gathered and combined into a unique end-user ID: computer name + Windows UUID, hashed and halved. Also gathered: operating system, operating system version, and tool version information. In addition, since this information can be logged by a .php file on a website: IP address + all information related to it (Internet provider, country, …).

All this results in a system that allows tracking of people's habits in terms of when they use the tool and partially even how they use it (crash reports). It is arguable that this information is not important. In my personal opinion, and also from a developer's view, there is NO excuse for gathering this information in the first place, except anonymous error reports.

The program also contains an automatic update component, which allows the developer of this tool to publish updates to the public and all of its users. These updates have huge potential for virus infections implemented by the developer himself. To remind you: he logs every program start and how long it is running. This means that he is able to monitor the number of users his tool has right now. A lot of programs include an option to auto-update themselves; it is your choice whether you trust someone who already saves a lot of usage information without even telling you. He only admitted to saving information when people called him out about it. The fact that it contains an auto-update function is an additional risk when using a program from someone with that much ambition towards user information. The auto-update function can be switched between stable and beta versions, but it cannot be turned off. This means he even knows which users use which version of his tool. Of course his intentions are as uncertain and unprovable as mine.

In addition, this gathering of information without a clear disclaimer is illegal in all states of America and also in the majority of Europe, including Russia, Germany, Denmark, Sweden and Finland. His website is hosted in Finland, so I guess he is Finnish.
All I request is a disclaimer above the download telling people about the information that gets gathered, and maybe even a way to turn that off.
In the meantime, due to his personal refusal to comply, I have written this text to explain everything related.
I think this is reasonable, and anyone who thinks I am wrong can happily continue to use his program with all of its bad sides and of course all of its good sides. Still, with all this spy stuff going on I can't recommend this tool at all. I would like to see changes in the future, and would go as far as to say: if you're still using GDSM (my tool), switch to this one once these issues have been resolved, since it is far superior in comparison.
I would also like to say:
Anonymity, adjective “anonymous”, is derived from the Greek word ἀνωνυμία, anonymia, meaning “without a name” or “namelessness”. In colloquial use, “anonymous” is used to describe situations where the acting person’s name is unknown. It can be said as not using your own name, simply. Some writers have argued that namelessness, though technically correct, does not capture what is more centrally at stake in contexts of anonymity. The important idea here is that a person be non-identifiable, unreachable, or untrackable.
The information that gets gathered IS NOT ANONYMOUS by definition. It is traceable back via hardware ID and IP address.
Want to turn his bullshit off? Check here.
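
As an added example (not part of the original post and not the tool's own code), the following Python reproduces the identifier derivation from the `ToHash` function and `UUID` getter quoted above, and checks a captured `stats.php` form body against it. The function names and all sample values are constructed for illustration.

```python
import hashlib
from urllib.parse import parse_qs


def to_hash(value: str) -> str:
    """Python equivalent of the ToHash function quoted in the post."""
    # Buffer.BlockCopy over a char[] copies the string's UTF-16LE bytes.
    digest = hashlib.sha1(value.encode("utf-16-le")).hexdigest().upper()
    # Substring(Length / 2) keeps the last 20 of the 40 hex characters.
    return digest[len(digest) // 2:]


def identifier_source(wmi_uuid, machine_name):
    """Mirror the UUID getter: use the WMI UUID only if it has at least
    five distinct characters, otherwise fall back to the machine name."""
    if wmi_uuid and len(set(wmi_uuid)) >= 5:
        return wmi_uuid
    return machine_name


def audit_usage_body(body, wmi_uuid, machine_name):
    """Check a captured stats.php form body against this machine's ID."""
    fields = {k: v[0] for k, v in parse_qs(body).items()}
    expected = to_hash(identifier_source(wmi_uuid, machine_name))
    return {
        "fields_sent": sorted(fields),
        "uuid_sent": fields.get("uuid"),
        "is_this_machine": fields.get("uuid") == expected,
    }


# Constructed sample values, not taken from any real machine or capture.
SAMPLE_UUID = "4C4C4544-0042-3510-8052-B4C04F4A3332"
BLANK_UUID = "FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF"  # only 2 distinct chars
SAMPLE_HOST = "DESKTOP-EXAMPLE"
SAMPLE_BODY = "version=1.0.0.0&winver=6.1&uuid=" + to_hash(SAMPLE_UUID)

if __name__ == "__main__":
    print(audit_usage_body(SAMPLE_BODY, SAMPLE_UUID, SAMPLE_HOST))
    # A placeholder UUID makes the ID depend on the machine name alone.
    print(identifier_source(BLANK_UUID, SAMPLE_HOST))
```

Because the derivation is deterministic, the same machine produces the same 20-character value in every report, which is what lets separate reports be linked to one installation.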