WickedWhims = Spyware?

[Deviancy]

Using "spyware" may be a bit extreme but I'm relatively new to Sims 4, the first time I started using WW was with the March release of the mod.  But this morning I started the game and it popped up a message about how I was using an older version of whims and if I'd like to go to the website to download the latest version.  Yes, it did have an option to never show the pop up again, which I clicked on.  But how did the game know it was an older version?  I have all online functions of the Sims 4 disabled via the options, so that tells me that something in the coding for Whims connects to a server to detect which version I'm using, and I don't like that at all.

So my question is this, is there an option to disable the mod from never ever checking?  No offense to Turbo, but I like my privacy and have total control of what programs are allowed to connect to anything, it also causes a load delay when it checked this morning.  I haven't tested it since telling it not to ask again, so I'll see if my load time goes back to normal.  I'd also like to disable the wickedwhims notification that's in purple that pops up every time I load the house I'm currently playing, as well as the Basemental Drugs notification, there's just no reason those need to pop up more than one time after installation.  I'm going to run through the settings in a few moments to see if I can disable them without having to disable all notifications,   Again, no disrespect to Turbo, I just think those things should be set to all be disabled.  

[Ariathos92]

or...the mod comes with a list of Sim4 game versions that are currently live at the time you're installing the mod. Any time you start the game and mod recognises a game version that's unknown to it, it assumes you're playing a newer patch.

I don't know if that's the case, but there's many logic function that don't require connections/ servers/ back door shenanigans.

Edited May 28, 2021 by Ariathos92

[jyotai]

No in this case the mod actually told me today that a new version was available.

 

Last night when I had it and the new patch going, it did not give that notice.

 

So the mod, much as I like it, does have the ability to fire off a check to 'somewhere' - send data, and get data back.

 

 

[PetPatPut]

1 hour ago, jyotai said:

No in this case the mod actually told me today that a new version was available.

 

Yes, it does that. I've had WickedWhims for about a year, and occasionally, when I open my Sims 4 game, it will tell me a new version is out. It is basically the same thing Origin does at launch when it has an update, or Sims 4 itself when there's a patch (like yesterday).

So yes, Wicked Whims obviously checks to see if it is a new version whenever it is fired up. Whether you accept that or not boils down to whether you trust Turbodriver to act in your interest in this matter.

[TURBODRIVER]

You're absolutely right to be concerned about your privacy! Mods can be unsafe, as there are no rules the they need to obey to when it comes to communication with the internet. Disabling online features in settings or going Offline Mode in Origin is only for Origin/Game functionality, mods are a separate thing. I am concerned about it myself and downloading script mods from weird dark places of the internet can result in data from your computer being stolen. Yup, it's as simple as that, you cannot be sure what mods might do to your computer. This isn't of course a new thing, any mod to any game might end up being spyware but we put trust in creators that they wouldn't ruin their reputation and the time they put into their work just like that. I get that's not very reassuring but that's just the reality and so far I haven't heard of that happening in the Sims community.

 

As for WickedWhims/WonderfulWhims. No actual data is ever sent from your computer to the internet. A request is sent to connect with a website and download a text file that contains the current live version of the mod. The entire process occurs on a separate thread so it's not halting the game from working. Nothing more is ever downloaded or uploaded. Saying that you don't want to be told about available updates doesn't stop the online check, as I cannot verify your choice ahead of time due to that data being saved in your save file, but it won't display the message. I can see how that sucks or might seem iffy, so I will change it to check an external file instead of save files which will prevent the unnecessary request. This is something I've implemented years ago so I didn't put too much thought into it back then. I did on the other hand investigated how secure this method is.

 

I am concerned about security, as downloading basic information like that is the only safe usage of this functionality. Why? Well because there's no way to use real encryption, which means the communication happens through a standard HTTP, and that very much sucks. The benefit is, that if you do want to see what WW does, you can use a simple network monitor and everything will be visible and clear to read. And interception of this connection won't matter as the downloaded data is heavily parsed and sanitized.

 

This is how the function to retrieve the version information looks. It's a very basic method that works with the limited release of Python that is offered to modders.

You can see the two urls that are used to connect to depending on the release of WW. If successfully downloaded, the text file is decoded and checked if it's the right size and if it contains the right information. There isn't really a way this could be unsafe.

 

REQUEST_HEADER = {
    'User-Agent'     : 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.64 Safari/537.11',
    'Accept'         : 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
    'Accept-Charset' : 'ISO-8859-1,utf-8;q=0.7,*;q=0.3',
    'Accept-Encoding': 'none',
    'Accept-Language': 'en-US,en;q=0.8',
    'Connection'     : 'keep-alive'
}

VERSION_CONTROL = None

def _retrieve_version_control():
    if is_patreon_release():
        url = "http://wonderf.cluster026.hosting.ovh.net/raw/wiw_pat_version.txt"
    else:
        url = "http://wonderf.cluster026.hosting.ovh.net/raw/wiw_pub_version.txt"

    try:
        request = urllib.request.Request(url, None, REQUEST_HEADER)

        with urllib.request.urlopen(request, timeout=4.0) as response:
            VERSION_CONTROL = _parse_version_control(str(response.read().decode("utf-8")).strip())
    except:
        pass

def _parse_version_control(version_data):
    if len(version_data) <= 1 or len(version_data) > 10:
        return None

    version_data_split = version_data.split('|')

    if len(version_data_split) < 2:
        return None

    try:
        return tuple([int(v) for v in version_data_split])
    except:
        return None

 

[Deviancy]

6 hours ago, TURBODRIVER said:

You're absolutely right to be concerned about your privacy! Mods can be unsafe, as there are no rules the they need to obey to when it comes to communication with the internet. 

 

Based on the coding you shared, if it no longer does the check once one clicks "dont ask again" or whatever the option I clicked on was, I see no big issue.  Some tech has gone a little too 1984, I love tech but I love my privacy more, so I'm not down with the cameras, drones, or smartphones really, or all the auto checking my system to see if it needs updates.  I gut most of the stuff, but I can't gut it all, and Windows 10 really makes it hard.

And don't get me started on DRM, if I buy a game it should be mine, I shouldn't have to pass checks each time I run the game or need Steam to play it, which is why I love GOG.  

In short, you made a great mod, some dig DD but I find DD to be less fun, and the animal thing, while I have an issue with those who throw a fit when people request animal stuff since I'm anti censorship, I personally don't give a damn about pet stuff..  The only sex/dog animation stuff that would be amusing is having a horny dog hump a sims leg like real dogs actually do, I'd find it amusing if they did that once in awhile autonomously, but other than that, no need for bestiality in my world.

Edited May 29, 2021 by Deviancy