Harmony for Games HarmonyLib
March 22, 2021
Beware of "Compatibility Report" MALWARE
I'm moving here various discussion bits on the topic of malware in the Cities Skylines workshop.

I have posted in several affected places variations on:

Originally posted by "Holy Water":
Beware, the purported "replacement" mod, "Compatibility Report" is MALWARE intended to spread misinformation. It declares that my own mods are abandoned and not supported, which is false, gives alternate URLs for my source, or no URL, and claims Chaos is retired, when in fact I maintain all his mods now. It also claims that several mods require Colossal Order's Harmony, when in fact they require Harmony (redesigned).

The author of "Compatibility Report", Finwickle, is openly hostile to me and deletes my comments on that mod's page.

Response seen at "Mod Compatibility Checker" comments page:
Originally posted by "alborzka":
"Malware is any software intentionally designed to cause disruption to a computer, server, client, or computer network, leak private information, gain unauthorized access to information or systems, deprive users access to information or which unknowingly interferes with the user's computer security and privacy."

By definition, neither this mod nor Finwickle's mod are malware. That's not a matter of opinion, that's fact.

Response seen at "Harmony (redesigned)":
Originally posted by "Sir SheikhsPears":
@Holly Water OMG, do you even understand words you operate with?

"Malware is any software intentionally designed to cause disruption to a computer, server, client, or computer network, leak private information, gain unauthorized access to information or systems or which unknowingly interferes with the user's computer security and privacy."

In a moment I'll learn from you that the earth is flat, and that the CO is actually working with reptilians.:steamthumbsdown:

The two responses are identical, and my reply applies equally:

Originally posted by "Holy Water":
Finwickle's mod misinforms about the state of mods, and claims that Colossal Order's Harmony is a "successor" of Harmony (redesigned), and that several mods require Colossal's Harmony, whereas their respective authors made no such statement. (1) This misinformation seeks to get users to use a different library than authors have specified.

(2) Further, his mod makes the false claims that authors have abandoned their mods and there is no support.

(1) = interferes with the user's security and privacy, by trying to get them to substitute software with untested alternatives.

(2) is intentionally designed to deprive users of access to legitimate support, by persuading them no support is available.

I believe these facts would stand in a court of law, if you want to get technical.

Finwickle's mod fits the commonly accepted definition of "MALWARE" perfectly.

I would add for completeness:

If you look at the "catalog" XML file in the "Compatibility Report" MALWARE source code, you'll find XML such as:

  • <Stability>
  • <Alternatives>
  • <Recommendations>
  • <Stability>

These tags are not accidental. They are intended to persuade the user to use other software as recommended by Finwickle, under the pretext of "MajorIssues", "Abandoned", "Unsupported" etc. Also, these are not attributes communicated by the respective mod authors, but are created by Finwickle. The language is intended to scare the user into believing they are using vagrant, broken, insecure software, and to lure them to use Finwickle's recommendations.

Most mod authors provide a direct support contact where mod users can engage with the author directly, usually through a forum post, a github "Issue" post, and often request specific information be provided about the problem to help them diagnose and assist the user, such as log files, game save, operating system, version of various other involved softwares, description of the issue, etc. This contact information is withheld from the user, as no related fields exist in the "catalog" the software uses as a source of "information". Instead, Finwickle leads users to believe the mod they are using is "unsupported", and implies it's futile to engage directly with the author of the mod. Instead, he proposes to use his recommended mods as solutions to any problems.

In computer software, security and privacy comes from end-users knowing and trusting that the software they use comes from the vendor they intend to engage with. It is essential for our (as users) security and privacy to engage directly with the developer, without middlemen, third parties. It is no accident that "Man in the Middle Attack" is a common phrase to describe the situation where a third party seeks to insert themselves between two parties:

"In cryptography and computer security, a man-in-the-middle, monster-in-the-middle, machine-in-the-middle, monkey-in-the-middle, meddler-in-the-middle (MITM) or person-in-the-middle (PITM) attack is a cyberattack where the attacker secretly relays and possibly alters the communications between two parties who believe that they are directly communicating with each other, as the attacker has inserted themselves between the two parties" (Wikipedia - "Man-in-the-middle attack")

Of course, when two parties such as user and developer deal directly, there is a relationship with implied accountability for privacy and security. A Man In the Middle seeks to compromise this relationship, while not being accountable (hence "attack").

To summarize:

The tags chosen by Finwickle, the author of "Compatibility Report", indicate that this software is intentionally designed to deprive users access to information or which unknowingly interferes with the user's computer security and privacy.

I believe "unknowingly" in this definition means "unknowingly to the user", not "unknowingly to the software/designer".

My conclusion, based on my most rigorous interpretation of the facts, is that the mod "Compatibility Report" is in the legally technical sense, "MALWARE". I believe the sub-categories it best fits into are "adware" because it works by persuasion, and "trojan", because its name is designed to mislead the user into believing it provides a useful "compatibility review" service. In this last sense, it's akin to the myriad of "computer optimizer", "error cleaner" which are also malware in disguise.
Chaos Jan 8, 2022 @ 11:47am 
This "Report" is malware to benefit CO/boformer/Felix Schmidt, and their own Harmony, and Finwickle is not the honest author he wants us to believe.

At this time, the mod "Harmony 2.0.4-5 (EXPERIMENTAL)" (2399204842) has last been updated 23 Jun, 2021 @ 6:18pm, and has last seen any activity from the author 28 Jun, 2021 @ 8:03am

Also, at this time, the most current version of the Report's catalog, updated Jan 2, 2021 shows the experimental mod as "Stable". By Finwickle's standards, (6 months since update -> "abandoned"), the mod should have been marked as "abandoned". Instead, it is given a squeaky clean bill with no markers indicating any semblance of an issue, as shown below, and at the source location in the url above. This "experimental" version is obviously untested, and given the history of breakages related to CO's harmony mod, should be regarded as highly unstable.

<Mod>
  <SteamID>2399204842</SteamID>
  <Name>Harmony 2.0.4-5 (EXPERIMENTAL)</Name>
  <Published>2021-02-17T20:37:00Z</Published>
  <Updated>2021-06-23T22:18:00Z</Updated>
  <AuthorID>76561198035630804</AuthorID>
  <AuthorUrl>boformer</AuthorUrl>
  <Stability>Stable</Stability>
  <StabilityNote />
  <Statuses>
    <Status>DependencyMod</Status>
    <Status>TestVersion</Status>
    <Status>WorksWhenDisabled</Status>
  </Statuses>
  <ExclusionForNoDescription>false</ExclusionForNoDescription>
  <Note />
  <GameVersion>0.0</GameVersion>
  <ExclusionForGameVersion>false</ExclusionForGameVersion>
  <RequiredDlcs />
  <ExclusionForRequiredDlcs />
  <RequiredMods />
  <ExclusionForRequiredMods />
  <Successors />
  <Alternatives>
    <SteamID>2040656402</SteamID>
  </Alternatives>
  <Recommendations />
  <SourceUrl />
  <ExclusionForSourceUrl>false</ExclusionForSourceUrl>
  <ReviewDate>2021-12-12T12:00:00Z</ReviewDate>
  <AutoReviewDate>2022-01-02T13:24:25Z</AutoReviewDate>
  <ChangeNotes>
    <ChangeNote>2021-09-28: added</ChangeNote>
    <ChangeNote>2021-10-05: stability changed, DependencyMod added, TestVersion added, alternative 2040656402 added, added to [Group 10001] Harmony</ChangeNote>
    <ChangeNote>2021-10-23: author ID added</ChangeNote>
    <ChangeNote>2021-12-12: WorksWhenDisabled added</ChangeNote>
  </ChangeNotes>
</Mod>

There is no doubt in my mind that Finwickle is a liar, that he intentionally designed and published his malware to steer users to Colossal Order's Harmony, and away from mine. Here is what my entry in his catalog looks like (very scary language):

<Mod>
  <SteamID>2399343344</SteamID>
  <Name>Harmony (redesigned)</Name>
  <Published>2021-02-17T23:51:00Z</Published>
  <Updated>2021-03-15T17:54:00Z</Updated>
  <AuthorID>0</AuthorID>
  <AuthorUrl>vanatu</AuthorUrl>
  <Stability>MajorIssues</Stability>
  <StabilityNote>There are several reports of mods having issues with this version. You are strongly encouraged to use the original Harmony mod.</StabilityNote>
  <Statuses>
    <Status>DependencyMod</Status>
    <Status>Abandoned</Status>
  </Statuses>
  <ExclusionForNoDescription>false</ExclusionForNoDescription>
  <Note>WARNING: Support is very limited for this mod. The author has been banned from the Steam Workshop and cannot update the mod anymore. Support and future updates might be done through</Note>
  <GameVersion>0.0</GameVersion>
  <ExclusionForGameVersion>false</ExclusionForGameVersion>
  <RequiredDlcs />
  <ExclusionForRequiredDlcs />
  <RequiredMods />
  <ExclusionForRequiredMods />
  <Successors>
    <SteamID>2040656402</SteamID>
  </Successors>
  <Alternatives />
  <Recommendations />
  <SourceUrl></SourceUrl>
  <ExclusionForSourceUrl>true</ExclusionForSourceUrl>
  <ReviewDate>2021-11-24T12:00:00Z</ReviewDate>
  <AutoReviewDate>2022-01-02T13:24:25Z</AutoReviewDate>
  <ChangeNotes>
    <ChangeNote>2021-09-28: added</ChangeNote>
    <ChangeNote>2021-09-28: source URL added</ChangeNote>
    <ChangeNote>2021-10-05: DependencyMod added, stability changed, alternative 2040656402 added, added to [Group 10001] Harmony</ChangeNote>
    <ChangeNote>2021-10-27: stability changed, Abandoned added, note added, alternative 2040656402 removed, successor 2040656402 added</ChangeNote>
    <ChangeNote>2021-11-24: source URL changed</ChangeNote>
  </ChangeNotes>
</Mod>

The major issues in his malware

  1. The AuthorID is set to "0" to make it difficult for users to contact me directly. Other mods, including CO/boformer as shown above, show the correct SteamID
  2. Stability is set as "MajorIssues". The ultimate judge of any software's stability is the authors, and is based on the incoming bug reports. I have consistently addressed every issue report openly and transparently, and got to the root cause of the issue in every case. None of the reported issues so far turned out to be faults in my Harmony mod. However, in any case, it's not any third party's responsibility to report on the stability of software. Instead, the author (in this case me, the author of Harmony (redesigned)) is responsible to inform you, the users of the stability of the software I provide you with. It is my practice to thoroughly test every release, and investigate every issue report, as I wish to give you only the highest quality software. I stand by the quality of my work, and to my satisfaction, I have done quite well on quality so far.
  3. Successors field is set as "2040656402", which is CO's harmony mod. This is a lie. Just by inspection, my mod was published 2021-02-17T23:51:00Z, and CO's mod was published 2020-03-30T02:39:00Z, roughly a year earlier. In English, successor means something that follows. It's obviously a lie, intended to lead users to believe that CO's harmony is somehow superior.
  4. Statuses = Abandoned, DependencyMod. Also obviously a lie. Harmony (redesigned) is complete, fully tested, fully supported, production-ready software. I think "abandoned" implies "no updates" in Finwickle's vernacular. Being completed, released and tested, and having found no bugs, there is no need for "updates". The lack of updates, but obvious presence of prompt and thorough support, should be read as "rock solid software". Once again, this "abandoned" language is intended to make the user feel insecure and more likely to switch to Finwickle's "recommendation"
  5. SourceUrl = the URL that Finwickle gives is wrong, and obviously different than the URL I listed on the mod's description page. The URL I gave is for the exact version that the published mod was compiled with, while the URL Finwickle gave, is not a URL I listed anywhere, but he fabricated (based on elementary understanding of how github URLs are formed), but it points to the "master" branch, which I happen to use as the development branch, ie, which is inherently more buggy than the release branch URL I published. The intention is to point users to an unreleased version of the code, which is never intended to be released specifically because it's not fully tested. He's trying to convince users of my mod that what they are running is the "development"/potentially buggy version.
  6. Note = editorial commentary about me being banned from the Steam Workshop. It is obviously a lie, as my work is still featured on the Workshop, and I am still able to assign other accounts to perform support and maintenance, as uploading updates. Holy Water is filling this duty. However, I remain in full control of my mods on the Steam Workshop. I am banned from CO's discussion forum, and Steam translates this to a ban from the forum on my own item pages. I don't know if this is intentional or a bug on Steam, but the fact remains, I'm not banned from the Workshop, and I still have full control. This lie is designed to deceive users into believing they are using a convicted person's work. Just because I'm not allowed to post on CO's forum, does not mean I'm not able to use the workshop to provide my users with high quality software.

So, every line in Finwickle's report is a lie, intended to compromise the privacy and security of the users of my software.

Rest assured, dear users, that my software remains fully supported, until I announce personally that I decided to set an end-of-life. I will give you as much notice as possible when, and if that should be necessary. However, I expect that CO will be out of business, or Cities Skylines will be obsolete before I abandon my software.

Anyone telling you otherwise is lying. I will communicate any updates or bug reports, or recalls, or other issues with you, directly, and not through any middle-men, especially not self-appointed, interested, men-in-the-middle. It's not an accident that I ended the description page of my mod with:

Use "Harmony from Chaos" and accept no substitutes
Last edited by Chaos; Jan 8, 2022 @ 11:51am
Ysharros Jan 8, 2022 @ 1:42pm 
"Use "Harmony from Chaos" and accept no substitutes"

I did, I do, and I shall continue to do so.

As an aside, the courtroom-adjacent level of drama engendered by this whole thing, and the pettiness shown by CO & associates, is mind-boggling to me.
Shibi ReShibi Jan 28, 2022 @ 4:20pm 
Way to convince me to pirate next Cities Skylines if CO ever decides to release its golden eggs chicken.
Originally posted by KZW Shibikami con un plan:
Way to convince me to pirate next Cities Skylines if CO ever decides to release its golden eggs chicken.

Two wrongs don't make a right, but I would suggest there are other games much more reputably developed and run. Transport Fever 2 is nearly the same genre, it's been keeping me entertained, it performs far, far better than CSL. It has a huge workshop, and no DLC piecemeal sales tactics.
YuLun Jan 29, 2022 @ 10:09am 
Originally posted by Holy Water:
Two wrongs don't make a right, but I would suggest there are other games much more reputably developed and run. Transport Fever 2 is nearly the same genre, it's been keeping me entertained, it performs far, far better than CSL. It has a huge workshop, and no DLC piecemeal sales tactics.

It's true that Transport Fever 2 (TF2) is better, performance, graphics, impressing mechanisms etc. It's one of my wishlist games. But, as far as I know, TF2 only focuses on transport (obviously, from naming) while CSL still has a more complete control over the city (also obvious), such as infrastructures, emergency response and districts. I know some TF2 mods like cargo port mods and highway service mods and etc. but these are introduced by mods. (Please correct me if I'm wrong)

I can't agree CSL made mechanisms good but at least acceptable to play. For me this is the only reason I stick with CSL while acknowledged of all CO's ridiculous and shameful (at least I think, CO could be proud of these) stories. Solving traffic isn't the only reason for me to play city building games or simulation games, I would like to have some control over other fields since this makes me feel like I truly own the city and this city is alive, not a random picked somebody to help an imaginary city out of troubles (months of locked traffics jam for example).

I do have a concept of an ideal city building game and I'd like to share if anyone wants to know, I'll find somewhere to post it :)
I love it that Finwickle, the author of the malware, is fully aware of the claims against him, and has not disputed them, 3 weeks later.

The trolling on my item pages has intensified somewhat, but I now have an automated way to handle it.