NOTICE [UPDATE 1] Libretro / RetroArch Targeted in Hacker Attack

In sad news for the homebrew and emulator communities across multiple scenes and platforms, I regret to inform our readers that several days ago Libretro/RetroArch was the victim of a targeted hacker attack. While it seems the end-users are safe from the damage (no cores or installations should be considered dangerous), the same cannot currently be said about the work of the development team behind the great all-in-one emulator we have come to know and love. A sizeable number of Libretro/RetroArch repositories have been wiped clean, and the development team is working hard to see if Github will be able to help them restore the lost data. The nightly and stable buildbot services have also been crippled, and end-users are no longer able to update or download cores, assets, overlays and shaders. The netplay lobby service is also currently not working.



While the Libretro/RetroArch team determines its next steps, including possibly switching to a new server (which would slow down the release of console-specific builds), they may soon be asking users to supply git repositories with the full history intact. They have also asked those wishing to help to join their Patreon, which was aiming to raise $1,300 a month to help with server and backup costs. As of writing, the monthly goal has been well passed, and donations are currently at almost $2,000 a month.


UPDATE 1 - The Libretro/RetroArch team have restored their buildbot server and github repositories. See the UPDATE 1 tab below for complete details.



Here are the official press releases from the Libretro/RetroArch team:


  • Approximately 5 hours ago, we were the target of a premeditated cybercrime attack on our key infrastructure.

    The hacker did the following damage:
    • He accessed our buildbot server and crippled the nightly/stable buildbot services, and the netplay lobby service. Right now, the Core Updater won't work. The websites for these have also been rendered inaccessible for the moment.
    • He gained access to our Libretro organization on Github impersonating a very trusted member of the team and force-pushed a blank initial commit to a fair percentage of our repositories, effectively wiping them. He managed to do damage to 3 out of 9 pages of repositories. RetroArch and everything preceding it on page 3 has been left intact before his access got curtailed.
    We are still awaiting any sort of response or support from Github. We hope they will be able to help us restore some of these vandalised Github repos to their proper state, and also to help us narrow down the attacker's identity.

    We wanted to clear up some confusion that may have arisen in the wake of this news breaking:
    • No cores or RetroArch installations should be considered compromised. The attacker simply wiped our buildbot server clean, there is nothing being distributed that could be considered malicious to your system. Nothing has happened here and there is no need for any concern.
    • For the current time being, the Core Installer is non-functional until further notice. The same goes for 'Update Assets', 'Update Overlays', 'Update Shaders'.
    The IP he was using while doing this was '54.167.104.253', which seems to lead back to AWS.

    We're still assessing the situation but moving forward, we think that it's probably best not to go forward with the buildbot server that was compromised earlier today. We had some long-term migration plans for a move to a new server, but this was always pushed back because we felt that we weren't ready migration-wise. It might indeed be the case this is the catalyst for just starting all from scratch with a new server instead of trying to migrate the old one over. This would mean that the more commonplace builds for Linux/Windows/Android would be immediately available, but all the specialized systems like consoles, old MSVC builds and whatnot would have to wait for later until we have adapted this properly to the new system.

    Lack of automated backups

    This brings us onto another key issue – the lack of backups. We last performed a backup of our buildbot server about a couple of months ago. The truth is that while we pay a hefty amount for the servers on a monthly basis already, there is simply not enough money to pile on automated backups as well. We could really use your support on Patreon to help lighten our financial burden here, especially since this now-pretty-much-mandatory server switch will likely cost us an insubstantial amount of money upfront while we keep the current server running for a month longer.

    How will we restore things

    So, how are we going to restore things? We hope that Github will be able to restore the affected repositories. If they are unable to do so, we could rely on the goodwill of users to source us with git repositories with the full history intact.

    As for the buildbot? No idea to be quite frank. If we make the switch to the new server, you'll get Android/Windows/Linux up and running early again but all other platforms will have to be added as we go along.

    It's a shame what is happening to the emulation and homebrew community. When it isn't developers leaving for greener pastures deciding it's no longer worth it, prestigious developers like byuu are being forced to early retirement because of unsavory online gang-stalkers. In our situation, we can't rule out the possibility that some of these attacks come from some of the same usual suspects (it isn't the first time we've seen them abuse AWS for some of these attacks, we encountered them a year ago earlier targeting our lobby services). Whatever their aim may be, while they will not deter our will to continue working on this project, they have definitely increased our maintenance and cost burden for the time being. And for this we ask for your understanding and support as we attempt to come up with a plan to address these problems moving forward. Supporting us through Patreon is a great way of helping out, especially if we can reach the $1300 goal which means we can spend a bit more each month to make sure our stuff is properly backed up.

    As if the complications with Android's new store policies that requires us to coordinate with new contributors to come up with a workable solution was not enough of a headache, this comes along. With your help and support, we will overcome this and come out stronger than before.

    Regarding the Android / Core Installer situation

    While we're on this subject briefly, while it's off-topic, we felt the need to address this real quick. We will likely be making a version of RetroArch Android that is neutered ONLY for Google Play. It will mean that the Core Installer will not be available for this, and cores will come packaged in additional APKs that can be installed. Apparently there is a 50-core extra APK limit on this until it starts requiring a version of Android over version 8.0. So while trying not to artificially bump the Android OS system requirements, we're deciding on a 50 core-APK limit for now. Hopefully we can fit nearly most of the cores within such narrow constraints.

    On our download site (and on F-Droid), we will have a RetroArch Android version that will work as before – with the Core Installer feature completely left intact. We feel this is a much superior version to what will be available on the Play Store, but unfortunately Google will force our hand here.



  • Thanks to m4xw and Xer The Squirrel, we have managed to:
    • Restore our buildbot server.
    • Restore the vandalised Github repositories.

    State of the buildbot server

    We have managed to restore most of the 1.9.0 stable downloads. Some files are still missing though, such as the PS2 stable and the non-RPX WiiU builds. Unfortunately, you'll have to wait until 1.9.1 before we release another stable.

    All the stable versions prior to 1.9.0 are all gone.

    As far as nightlies go, these should be fully operational again for now. There are some slight omissions, like right now there is no mainline MAME core and some other cores might also be missing, but overall, most of the stuff should be back again.

    The Core Installer should work again on any RetroArch build.

    State of the Github organization

    Most of the affected Github repositories have been restored. Unfortunately, there are some shenanigans with Github issues that were closed. For reasons unknown to us, these closed issues cannot be manually re-opened again. Unfortunately, Github hasn't really been of any help in this department, so we don't know what to do about this other than to simply move on and ask users to create new Github issues again for the affected repos.

    No real data loss has happened and things should be back to normal on the organization.

    New server

    Thanks to the massive outpouring of support on our Patreon in the wake of the attack, we now have the additional resources to massively beef up our server infrastructure. We are in the process of moving to a far more powerful server that will cover both Lakka and Libretro/RetroArch. We will go into more detail on this as we move closer to retiring the current buildbot server. For now, we are paying out of pocket for both while we are in the transition phase which will undoubtedly double our monthly bill for now, but we think it will be worth it in the end to our users. We again thank our users for believing in us and giving us the stimulus boost necessary to finally do something about our underpowered infrastructure. It is massively appreciated.

    What's next?

    No doubt, this attack has set us back some, and it has resulted in some weeks being lost that we could have otherwise put to good use elsewhere. Nevertheless, we believe we are on the road to recovery. We are working on a solution for the Google Play situation. We will create a separate version of RetroArch for Google Play without the Core Installer but with an alternative that is compatible with Google's recently updated TOS. We don't think this version will be better than the one you already know and use on Android, but you will always have the option of downloading the version w/ Core Installer support from our own website. We will not remove this version outright, it will stay existing next to the new Play Store builds.

    Other than that, we don't know yet when the next version of RetroArch releases. Ideally the new server will be ready by the time we get to it, since building new releases has been a pain on the current one and we really don't want to go through it again. We will see. For now, we thank you all for the massive outpouring of support and for giving us the means to finally do something about our situation.

    How to donate

    Remember that this project exists for the benefit of our users, and that we wouldn't keep doing this were it not for spreading the love with our users. This project exists because of your support and belief in us to keep going doing great things. If you'd like to show your support, consider donating to us. Check here in order to learn more. In addition to being able to support us on Patreon, there is now also the option to sponsor us on Github Sponsors! You can also help us out by buying some of our merch on our Teespring store!


The PSX-PLACE team wishes RetroArch/Libretro the best of luck in their current situation, and future endeavors.

NEWS SOURCE: www.libretro.com
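
The press release above describes repositories wiped by a force-pushed blank initial commit, with recovery possibly depending on users' clones that still have the full history intact. As an added example (not part of the original post and not Libretro's tooling), this shell script checks that a local clone is complete, classifies how a remote branch relates to it without touching local branches, and saves the local history to a bundle; the function names, the `refs/audit/` namespace and the bundle filename are assumptions.

```shell
#!/bin/sh
# Added example, not Libretro's tooling. Function names, the refs/audit/
# namespace and the bundle filename are assumptions made for illustration.

# True when the clone holds complete history (it is not a shallow clone).
has_full_history() {  # $1 = path to local clone
    [ "$(git -C "$1" rev-parse --is-shallow-repository)" = "false" ]
}

# Print how the remote branch relates to the local one:
# in-sync | fast-forward | remote-behind | diverged | unrelated | unreachable
remote_state() {  # $1 = clone path, $2 = remote name or URL, $3 = branch
    audit_ref="refs/audit/$3"
    # Fetch into a side ref so local branches and refs/remotes/* stay untouched.
    git -C "$1" fetch -q --no-tags "$2" "+refs/heads/$3:$audit_ref" \
        || { echo unreachable; return 0; }
    mine=$(git -C "$1" rev-parse "refs/heads/$3")
    theirs=$(git -C "$1" rev-parse "$audit_ref")
    if [ "$mine" = "$theirs" ]; then
        echo in-sync
    elif git -C "$1" merge-base --is-ancestor "$mine" "$theirs"; then
        echo fast-forward      # remote only added commits on top of ours
    elif git -C "$1" merge-base --is-ancestor "$theirs" "$mine"; then
        echo remote-behind     # remote tip is an older commit than ours
    elif git -C "$1" merge-base "$mine" "$theirs" >/dev/null; then
        echo diverged          # shared past, but the two histories split
    else
        echo unrelated         # no common ancestor: history was replaced
    fi
}

# Save every local branch and tag to one bundle file and verify it.
preserve_history() {  # $1 = clone path, $2 = absolute path of bundle to write
    git -C "$1" bundle create "$2" --branches --tags >/dev/null 2>&1 &&
    git -C "$1" bundle verify "$2" >/dev/null 2>&1
}

# Usage: sh check_history.sh <clone> <remote> <branch>
if [ "$#" -eq 3 ]; then
    has_full_history "$1" || echo "warning: shallow clone, history is incomplete"
    state=$(remote_state "$1" "$2" "$3")
    echo "remote $2/$3 is: $state"
    case "$state" in
        remote-behind|diverged|unrelated)
            preserve_history "$1" "$PWD/history.bundle" &&
                echo "local history saved to $PWD/history.bundle" ;;
    esac
fi
```

A bundle written this way is a single file that `git clone` accepts as a source, so it can be handed to maintainers without pushing anywhere.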
 
Very disappointing news, along with PS3xploit being targeted recently, I wonder if we are to see more of these kinds of attacks?
Many thanks to the team as they attempt to fix things.
 
It doesn't suit you. I wonder what the person who did this was thinking. I wonder if he did this to deliver his own software. Because it's an organized attack. It can be difficult to identify the attacker because you can use GitHub via Tor. I bet he used Tor to open his account and did it. Hopefully GitHub can restore deleted projects. This is really unusual and sad news.
 
Corporations using their same hired hackers to attack the homebrew communities maybe? I figure once they have used the hackers to fix the bugs in their consoles why not spend a couple extra $ before cutting them loose and have them cause chaos back into the community. Just speculation of course but if I was the cat and had MS/Sony etc.. $$$ to burn it's what I'd do. Use the best of the best against the best of the best. :( especially when all these retro console makers still want profits any way they can.
 
...BS....I wonder why...RetroArch must be planning a big release...
Good thing plenty of ppl in the scene have a lot of backups of all sorts of files ..
 
Profile 1: Someone who is mad because he couldn't sell "his" multi retro system 100$ because it was just Raspberry with retroarch inside a nice box, and retroarch team caught him, because he was stupid enough to ask for a patreon, or to advertise on internet...

Profile 2: Someone who is mad because he couldn't sell enough of his only 1 platform/50 games retro system 100$ because it's already free with retroarch! (and your own backup ofc ;))

Profile 3: Someone who is mad because his favorite platform is not supported correctly by retroarch -_-

Profile 4: Someone who is mad because life is rude :p
 
Agh this is such a terrible time for this to happen. Anyone have a good build of retroarch for the ps3 that I could download?
I have one I installed in June, has the usual issue, freezes exiting second game you play after starting RetroArch, it's fine otherwise. You are welcome to it, am I ok to upload it here admins?
 
Actually, looking at www.retroarch.com, it seems there has been an update to the article. I will try to update it ASAP.

But it seems like most of the stable builds are available for download once again.
 
I just checked, and the PS3 version is not up yet. @bazzarre , can you PM me a link so I can update our resource section?
I can wait a week if they ever decide to update it. But I just remembered I had a build on my flashdrive. It's from 5/6/2020. Although plopping it into the ps3 leads to a buggy mess with my controller always moving up on the menu for whatever reason..
 
I can wait a week if they ever decide to update it. But I just remembered I had a build on my flashdrive. It's from 5/6/2020. Although plopping it into the ps3 leads to a buggy mess with my controller always moving up on the menu for whatever reason..
would that be that PSL1GHT by any chance?
 
