Originally posted by I found Colossal Order Keylogger:

Originally posted by Jixijenga:

Wait wait wait. So you're saying that you guessed with all of this?

No. I'm telling you where you can find the traces you need to convince yourself. I'm not giving readily digested and interpreted information, but pointing you to it, so you can capture and interpret it for yourself.

I think I won't reinstall CS and just call it a day. I really got bored of the game and now I don't know. You've made some pretty big claims and if you're not going to back them up I'm not going to argue with you about it because that is a lot more effort than I'm willing to put into some (probably merited) internet drama.

Originally posted by I found Colossal Order Keylogger:

It should be very simple to write a mod using harmony 2, patch the popsapi wrapper and dump the data supplied to it to a local file.

A packet capture would only contain data that the server specifically requested for a given user identifier/IP address/time of day, etc. Without knowing the protocol specification, you would be guessing if a particular packet capture is representative of all data exchanges with buffpanel.com (the domain where the data goes to)

Wait wait wait. So you're saying that you guessed with all of this?

Okay. So you said it was a keylogger. I would like to specifically know how you came to this conclusion. You've made this out to be a very serious thing, nefarious even, but how can you know that if you haven't done something as basic as analyzing a pcap? Everyone knows what BuffPanel is and what it does, this has been known for years. I don't have the game installed right now, but if it's anything like the other games then pops_api.dll can be stopped simply by setting a firewall rule for api.buffpanel.com and calling it a day.

A keylogger is a very specific claim and carries with it a very, very dark implication that Paradox/CO have been doing a lot more than market analytics. I am interested in this claim because it concerns me and I would like to know more about any keylogging CS might be doing.

Originally posted by I found Colossal Order Keylogger:

I think I got too close to a painful point for CO:

In my Harmony (redesigned) 1.0 update, I have added functions to clean up some of the existing malware in the code, although I have not reported in the release note the full extent of what I removed:

I removed the adware on the main menu (the 4 advertising windows around the menu itsef), but also:

I disabled "Paradox Online Publishing Services" module, which continually sends, labelled as "telemetry", all of the players interactions while the game is running (ie, all key presses, all mouse clicks). Here's how I labelled the deactivated components (this will is from the HarmonyMod/Sources/Cleanup.cs module, which will be in the source code when I push it shortly)

internal static Malware[] knownMalware = new Malware[] { new Malware() { category = "adware", types = new System.Type[] { /* Adware on the main menu */ typeof(NewsFeedPanel), typeof(WorkshopAdPanel), typeof(WhatsNewPanelShower), typeof(DLCPanel), typeof(DLCPanelNew), }}, new Malware() {category = "data exfiltrator", /* Data exfiltration to Paradox Interactive "Paradox Online Publishing Services = POPS" */ types = new System.Type[] { typeof(ParadoxAccountPanel), typeof(PopsManager), } }, };

While my version of Harmony blocks the "telemetry", which looks like a glorified keylogger, this data is still reported from all over the game codebase. The log file output_log.txt will contain fragments like:

Failed to send telemetry event: System.NullReferenceException: Object reference not set to an instance of an object at PopsManager.Buffer (TelemetryEntry telemetryEntry) [0x00000] in <filename unknown>:0 at PopsManager.Playthrough (UpdateMode updateMode, System.String mapName) [0x00000] in <filename unknown>:0

These errors indicate that the game code is unable to send "telemetry" out to Paradox Online Publishing Services (pops api)

The two modules which contain the keylogger are:

• steamapps\common\Cities_Skylines\Cities_Data\Plugins\pops_api.dll
  
• steamapps\common\Cities_Skylines\Cities_Data\Managed\PopsApiWrapper.dll

I think the amount and nature of exfiltrated data will astound anyone, and Colossal's current campaign of digital stoning against me is designed to discredit me ahead of the these revelation.

Originally posted by I found Colossal Order Keylogger:

Is telemetry anonymized

The data sent to Paradox is personalized with your paradox account login info. If you do not have a paradox account, it is personalized with your Steam account info.

The entire purpose of the "Login with Paradox" window on the main menu screen is to secure the linking of the "telemetry" data with your identity.

Could you post a packet capture? I am specifically interested in pops_api.dll.