If they are going to install low level software on my computer they better be very sure it's properly coded.
Companies are often incompetent with security code. If you are expecting high quality secure code with consumer level software, you will often be disappointed.
Which is why going the full disclosure route prevents them from being insulated from their mistakes - otherwise, it becomes a moral hazard to keep playing nice with the approach to disclosure.
I don't subscribe to "never attribute to malice that which is adequately explained by stupidity". I'm not citing sources - hence it's just my opinion. Reminds me of Google wifi slurping and hundreds of other cases where everyone plays dumb and swears it was all a misunderstanding. It never is. Until you get caught. And if not that, it's a rogue trader, rogue reporter, rogue programmer, rogue scapegoat.
I'm not going to do any kind of full disclosure here (I know this is lame) but I work in video games so I know what it looks like from the other side. We're not all idiots here, we just do as we're told.
As a Vancouverite, I've seen enough layoffs to believe this entirely (you're fungible and replaceable). Still, I don't think that Ubisoft intentionally created a security issue, just that they didn't care about one that happened and deadlines were coming.
I didn't mean to imply that video game programmers were stupid... :)
I was saying that any random developer making a stupid mistake like this seems more likely to me than a company having real motivation to create this kind of security hole.
I suppose, alternatively, this could have been an individual developer's intent. An exploit like this would get a pretty penny on the exploit market, I'd think.
It's not a "feeling" when all evidence points to the fact that, like every security vulnerability ever, a feature was added that had unintended consequences. There's no way it's malicious: Ubisoft can't do anything with this that they can't do everywhere else in the actual applications themselves!
Who says it was malicious on Ubisoft's part? It could easily have been a rogue developer that saw an opportunity to install a backdoor on a ton of machines.
It could also have been the Russians, who planted a mole in Ubisoft's quality assurance division and, over time, laying low in a foreign country gaining the respect of his peers and bosses, slowly worked his way to the top of the food chain...
...where at last he installed his Russian Rootkit.
Or maybe some programmer added a feature that was insecure and they moved on to work on some bug that was crashing level three?
Usually both. (Note that with the internet you also have to be dumb, too, to believe you are not eventually going to be caught, no matter how malicious you are.)