It's doubtful that there is one piece of software that does anything non trivial that has bugs, even short command line programs. The best we can hope for is that bugs don't seem to cause too many problems.
> It's doubtful that there is one piece of software that does anything non trivial that has bugs, even short command line programs.
TeX and Metafont and other Knuth programs come pretty close.
There's also programs that have been proven correct. (And the proof systems themselves are usually fairly small and can have multiple independent implementations. Or at least the core of these systems that everything hinges on.)
They may have a set of skills and focus that overlaps with vulnerability researchers, but they are doing a different thing.
It's like saying, "hunters are photographers, they just don't know it yet" or "taxi drivers are f1 drivers..."
Resist the urge to collapse the world into the world view you already have. Resist the urge to treat every skill and hobby like a professional one for work. Let people enjoy things.
I co-authored the current fastest TAS of Super Metroid (video: https://youtube.com/watch?v=m-Gt57ur7OA, writeup: https://tasvideos.org/8214S). Our run involves exploiting a race condition in the game's sprite animation system, which under the right set of circumstances can cause the game to try to execute code from unmapped memory. We manipulate the behavior of enemies in the room to precisely control the timing of the exploit such that some hardware DMA fetches happen at the same time as the reads from the unmapped memory, which influences the results of the reads through bus capacitance & gives us enough control to redirect the program counter to the controller input registers, at which point we have full arbitrary code execution. That's not even "overlapping", that straight up is vulnerability research & building an exploit chain.
Granted, that's the extreme end -- most speedruns don't go anywhere near that deep into the weeds. But every sufficiently well established speedrun community has people who specialize in reverse-engineering, understanding the game mechanics, and figuring out exploits. Most of my day-to-day participation in the Super Metroid community isn't working on methods of full-on arbitrary code execution; but I do spend a lot of time doing things like looking at boss AI, investigating inconsistent speedrun strats to find out how to normalize them, writing tooling to help people practice, figuring out how to reproduce a weird glitch someone encountered, etc.
The article describes very strong similarities, definitely more than between taxi and F1 drivers; read the sections "Glitch hunting is reverse engineering" and "…And it's vulnerability research".
Though it's too bad that cyber security is not as intrinsically fun and interesting to a lot of speed runners as video games. A large part of what allows speedrunners to spend hours searching for glitches and exploits in these games is that they're having an absolute blast while doing it! Also exploiting glitches in decades old games is generally pretty accessible and doesn't have a high barrier to entry like cyber security.
Many moons ago I used to speedrun Goldeneye and Perfect Dark on the n64. This was in the very early 2000s. I was pretty good but by no means the best.
It's strange to see many of the people I used to hang out with on AIM and MSN messenger now have legendary speed runs and entire lore threads and wikipedia pages written about them.
I think the itch you scratch doing speedruns is a lot like the itch you scratch doing any kind of creative coding and/or exploit research.
I'm a speedrunner, and I'm pretty sure this is well known -- and accepted as standard in some categories! It's a pretty well accepted standard (to the point of the headline being almost a mild offense!).
In the gaming world, undefined software behavior is critical to this sort of thing, we see this especially in some games like the legendary exploits found in the Ocarina of Time speedruns for example.
I mean, in Super Mario World, SethBling did code injection to manually run a version of Flappy Bird (how ironic given the origin of the pipes!) in the game. By hand. No savestates. It took forever and the run through is really and truly fascinating: https://youtu.be/hB6eY73sLV0?si=nIP07o_fa6O9rauW
I speedrun things other than games as well -- and so the generalization is not just that we are security researchers, we are people who fundamentally learn the "shape" of a thing very, very well, and ways that this shape can be used to get from one state on that shape to another.
In conclusion -- yes, it can be something as simple as security research! But the joy and the beauty of speedrunning is something so much bigger and beautiful than that -- though it certainly is one outcome that can be had!
It's a super interesting premise, and I like it too.
We should distinguish those in the community that actually discover new glitches from those who simply practice what others have uncovered, though. Those aren't always the same person.
Yeah, there's definitely shades. I think for most games the people who find glitches and drive forward this kind of research usually aren't actually that good of runners themselves. But for TAS runs, where there isn't as much of human skill component and technical execution is more important, they're usually closer aligned. And in any case the speedrunners and glitch discovery people are all in the same discords together talking about the game.
The only speedrun I can personally do is the Wario Stadium N64 Mario Kart level where you can hop over the wall right at the start!
My favorite from Baldur's Gate 3 is where a speedrunner found that if you kill Shadowheart and stuff her in a box, you can quickly get through the story. Sucks for her!
Speedrunners have an emotional attachment to video games from childhood. It’s why the most competitive categories are classic games like Mario. They take something you and I are familiar with and play it to such a degree it becomes a new experience.
You can’t look at the meta skills around speedrunning and expect them to transfer with a similar drive or interest.
What it probably indicates is that a large number of talented youth never had an outlet for their skills which rewarded them. So their most meaningful experiences became video games instead of say, electrical engineering or teaching math.
I also think a lot of speedrunning techniques demonstrate the "anything can happen" nature of undefined behavior in a visceral, not-purely-theoretical way. What happens when you don't take undefined behavior seriously? Well, then Mario can backward longjump into a parallel universe and teleport enemies on a whim.
Unless you are using tools and rigorous methods you are just playing around. Just because most games are all broken in easily predictable ways doesn't mean every new game creates a hacker.
It's more correct to say "speedrunners show that almost all game developers are bad at software engineering".
Sometimes good at creating fun games, but quick to say "you are holding it wrong" when you breathe on the thing and it blows up.
Lots of speedrun strategies require surprisingly sophisticated tools. People will decompile/disassemble code to figure out what is going on. They'll run the game in an emulator and peek at memory values to figure out how the game works and how to manipulate it. They'll use these tools to set up their game state so that there's a sequence of bytes in RAM, then cause program execution to jump to these bytes, to run arbitrary code execution.
Here's a video of a speedrunner explaining some of the things he did to get two arbitrary code executions working together to speedrun Super Mario All-Stars + Super Mario World: https://www.youtube.com/watch?v=_MbaZY2DOW0 (it's about 15 minutes)
Here's the same runner using one of those arbitrary code executions to inject Flappy Bird into Super Mario World instead of just warping to end credits: https://www.youtube.com/watch?v=hB6eY73sLV0 (it's about 6 minutes)
He didn't get to that point just by random pressing buttons until something interesting happened. He got to that point because he understands the Super Mario World memory layout well enough to manipulate it and execute the instructions that he chooses for it. That's vulnerability research any way you want to slice it.
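The Super Metroid comment above (program counter redirected into the controller input registers) and this comment (lay out bytes in RAM, then make execution jump to them) describe the same shape of exploit. The following toy console is an added illustration written for this page; it is not code from any of the runs discussed and its instruction set, memory map and register addresses (JOY_BASE, VEC_ADDR, FLAG_ADDR) are hypothetical, not SNES-accurate. The glitch itself is modelled as its end result: one RAM byte that the game's main loop jumps through gets overwritten with the address of the controller registers. From there the per-frame input script is literally the shellcode, and a sloppy script with the same glitch just crashes.

```python
# Added example (not from the thread): controller input registers as an ACE staging area.

RAM_SIZE = 256
JOY_BASE = 0xF0          # hypothetical: 16 bytes of memory-mapped controller state
JOY_LEN = 16
FLAG_ADDR = 0x10         # hypothetical "credits reached" flag the normal game never sets this way
VEC_ADDR = 0x20          # RAM byte the game's main loop jumps through (the glitch corrupts it)

# hypothetical one-byte opcodes of the toy CPU
OP_NOP, OP_LDI, OP_STA, OP_JMP, OP_HLT, OP_JMI = 0x00, 0x01, 0x02, 0x03, 0x04, 0x05

FIRMWARE = bytes([OP_JMI, VEC_ADDR])   # the whole "game": jump indirect through VEC_ADDR
STEPS_PER_FRAME = 8                    # instructions the CPU retires between controller latches


class ToyConsole:
    def __init__(self):
        self.mem = bytearray(RAM_SIZE)
        self.mem[:len(FIRMWARE)] = FIRMWARE
        self.mem[VEC_ADDR] = 0x00       # sane vector: loop back to the start of the firmware
        self.pc = 0
        self.acc = 0
        self.halted = False
        self.crashed = False
        self.ran_from_joy = False       # set once the PC lands inside the controller registers

    def latch_controller(self, buttons: bytes):
        """Each frame the hardware copies the controller bytes into JOY_BASE..JOY_BASE+15."""
        padded = bytes(buttons[:JOY_LEN]).ljust(JOY_LEN, b"\x00")
        self.mem[JOY_BASE:JOY_BASE + JOY_LEN] = padded

    def step(self):
        if self.halted:
            return
        if JOY_BASE <= self.pc < JOY_BASE + JOY_LEN:
            self.ran_from_joy = True
        op = self.mem[self.pc]
        arg = self.mem[(self.pc + 1) % RAM_SIZE]
        if op == OP_NOP:
            self.pc += 1
        elif op == OP_LDI:              # acc = imm
            self.acc = arg
            self.pc += 2
        elif op == OP_STA:              # mem[addr] = acc
            self.mem[arg] = self.acc
            self.pc += 2
        elif op == OP_JMP:              # pc = addr
            self.pc = arg
        elif op == OP_JMI:              # pc = mem[addr]
            self.pc = self.mem[arg]
        elif op == OP_HLT:
            self.halted = True
        else:                           # undefined opcode: the console "crashes"
            self.halted = self.crashed = True
        self.pc %= RAM_SIZE


def run_tas(script, glitch_frame):
    """Replay a frame-indexed input script (a TAS movie, in effect).

    On glitch_frame the effect of the glitch is applied directly: the jump vector
    is overwritten with JOY_BASE. Everything after that is decided by the bytes
    the script has the controller holding on that frame.
    """
    con = ToyConsole()
    for frame, buttons in enumerate(script):
        con.latch_controller(buttons)
        if frame == glitch_frame:
            con.mem[VEC_ADDR] = JOY_BASE
        for _ in range(STEPS_PER_FRAME):
            con.step()
        if con.halted:
            break
    return con


# The payload: LDI 1; STA FLAG_ADDR; HLT, encoded as "button presses" (5 of the 16 bytes).
PAYLOAD = bytes([OP_LDI, 0x01, OP_STA, FLAG_ADDR, OP_HLT])


def ace_script(glitch_frame):
    """Neutral inputs until the glitch frame, then the payload held on the controller."""
    return [b"\x00"] * glitch_frame + [PAYLOAD]


def sloppy_script(glitch_frame):
    """Same glitch, but mashing buttons: 0xFF is not a valid opcode, so the game crashes."""
    return [b"\x00"] * glitch_frame + [b"\xff" * 4]


def demo():
    """Returns (flag after the ACE run, whether code ran from the registers, whether the sloppy run crashed)."""
    ok = run_tas(ace_script(3), glitch_frame=3)
    bad = run_tas(sloppy_script(3), glitch_frame=3)
    return ok.mem[FLAG_ADDR], ok.ran_from_joy, bad.crashed


if __name__ == "__main__":
    print(demo())   # (1, True, True)
```

The point the toy makes is the one the runners make: the hard part is the setup that gets the program counter to a region you control; once it lands on the controller registers, the remaining engineering is ordinary shellcode work, with the constraint that every byte has to be expressible as a button state on a specific frame.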
Even ignoring this weird definition of a "hacker", you've shown how little you know about how many exploits in games are found. They often involve stepping through the assembly of the game to understand how a glitch works and how to use it in a useful way. Not just "screw around in a game until you suddenly discover a useful trick"
I'd say that's the rarer approach, though. Yes, some arbitrary-code-execution strats go that far, but by far most glitches used in speedrunning are found by either creative use of game mechanics, just screwing around in the game, or by accident (there are a few general techniques that can apply, e.g. wedging something into a corner and spamming buttons is likely to result in a clip or some kind of high-speed ejection, due to the general weaknesses of physics engines). Only a few, older, very popular games get taken apart to the degree you describe. Watch a few GDQ runs, and see how many times the runner goes "we have no idea why that works, but it does".
I think it’s a harsh interpretation to say they’re bad because a determined hacker can break their game. Games aren’t security critical software, so they’re not going to get the level of investment needed to prevent this kind of thing that, in practice, hurts nobody.
That’s to say nothing of exploits that can only be used by TAS software. That’s like saying my car is a piece of shit because it’ll not survive being driven into a volcano.
Yes, exactly. Detail-oriented, fault-finding domain experts. Bridge the idea that functional testing, perf testing, and the like are certain aspects of security. (Stealth) training folks to cultivate a hacking mindset.
I mean this is pretty obvious, they are both trying to glitch software to get a desired but unintended outcome.
I think if anything vulnerability 'researchers' should study speedrunners more than the opposite. They are shockingly successful and they have shown again and again that there is almost no limit to how much you can glitch software.
The metaphor is a bit stretched for the purposes of content marketing a startup. The major difference between vulnerability researchers and the speedrunning community is that speedrunning is highly collaborative and open. There are massive speedrunning Discord communities for each game, and even before Discord existed, tricks and hacks were discovered iteratively just by many people watching other people do them often unintentionally and trying to figure out how they work (a common trend in every Summoning Salt video).
Nintendo doesn't care if people find ACE in decade-old games (usually) and post decompiled versions of games on GitHub so people can find out how they tick, but vulnerability researchers can't do that unless they want to risk causing a legal shitstorm.
Yes, the differences are substantial. It's also worth noting that although some speedrunning may be akin to vulnerability research, the vast majority of speedrunners are "only" practicing and replicating exploits demonstrated by others. They're in different columns.
Also speedrunners are really bad historians. Their documentation is usually loose Google Docs links, placed on a Discord channel. If that sounds like there's little to no versioning and little to no searchability - precisely.
I am reminded of the top Super Mario players all congregating for a run on GDQ, only for a complete random fan to come to them and ask "So... if you were all stuck trying to optimize this one pipe for over half a decade... Why didn't any of you just do the Devil's Spell?"
To which the speedrunner's reaction is: "Wtf is the Devil's Spell".
It happened to be a trick that was documented nearly 2 decades prior.
> the vast majority of speedrunners are "only" practicing and replicating exploits demonstrated by others
So they are red teamers :p
In this analogy, they are only retesting things reported by a previous red team who did that target.
I take it that you are unfamiliar with the average jailbreak enjoyer
They are script kiddies ;)
Kind of, but even an average runner can experience a bug or refine a strategy through repeat practice, which they often share with the community through streamed runs or discords.
You tend to have certain people who are more interested in glitch finding and spend most of their focus on that over actually running the game. Then you have TAS runners (often overlap with glitch hunters) who make TAS-only runs to determine what the absolute limit is in a game. Finally, you have the remaining 95% of the community, runners grinding the game over and over.
Strategies from TAS often are repurposed by speedrunners, perhaps most famously in Mario 1 any%, where several strats used by top runners were once considered infeasible for humans.
I knew that TAS meant “a computer” but for those, like me, who forgot/ didn’t know, TAS stands for “tool-assisted speedrun”.
Correct. TAS usually means to use a tool that lets them painstakingly play the game on a frame-by-frame basis (usually 1/60th of a second), each frame making the theoretically optimal input.
Yes, and even for TAS you usually have a division of labour between people who find the exploits and people who create the TAS itself.
Vulnerability research, in my experience, has been pretty collaborative and open - especially in the bug bounty space.
The bug bounty space is incredibly hostile because of the money involved.
Just about every project has a bug bounty, but you'll be hard pressed to find any online discussion about works in progress towards a reportable bug.
Probably because vulnerability research is binary - you either have an exploitable bug out not. The fact that people write in depth about things they've found means a culture of openness, IMO.
I think if they're active in the speedrunning community, then they're already well aware of this! And for a fun additional example to add to this article, you can often find TAS'ers talking about arbitrary code execution. The legendary GDQ run of TASBot's alternate ending to OoT[0] utilizing an ACE exploit they found in that game absolutely blew me away.
[0] https://youtu.be/PNbkv_DJ0f0?t=3112
I forgot the details, but I think I saw a YouTube upload of a streamer who wrote Flappy Bird into Super Mario by like… jumping at apples at specific times. Or some weird thing like that lol. I'll try to find it later on my computer.
https://youtu.be/hB6eY73sLV0?si=pF-etE5W-xZhoVBf
here is the link for anyone curious
Just when I thought I’d seen it all...
Thank you for sharing this!
Shells, not apples. Making it an actual shellcode!
That would be SethBling who performed that.
I love Ocarina of Time speedruns. The sheer level of love that went into that specific run was sooooo beautiful, and like the fact they made it internet live.. via an N64...?
I want to shout out ZFG if people aren't aware cause he has IMO done the most technically impressive real time speedrun of any game - specifically the 100% SRM run he did is inscrutably insane. But it wasn't just about him - it was an effort by so many people. The number of glitches and exploits that have been found by the community, as well as the NP hard routing and tools created for finding angle perfect setups by various people..
It's straight up community driven exploit art. And it's like yeah, the fastest way to beat the game is to practically manually manipulate memory to redirect specific function calls to give you stuff you need and float around and purposely void out facing exactly a 1/65536 perfect angle setup a hundred separate times to randomly jump around to various rooms in the game?? Wowwwww
And the community around it is so wholesome. The sheer amount of collective curiosity, ingenuity, and effort to dismantle and exploit a 20+ year old game for no other purpose than going fast.. idk. Love it.
Here's a commentated tool assisted human-like run (but not live): https://www.youtube.com/watch?v=R8EE9FXeJnE
And the actual run: https://www.youtube.com/watch?v=Sdxdwnpi-wU
TAS, GDQ, OoT, ACE WDTAM?
TAS: Tool-Assisted-Speedrun. A kind of speedrunning, where control inputs aren't given by humans, but are carefully pre-programmed into a bot that will replay them. This allows to do things that would otherwise be veeeeery difficult (and sometimes impossible) for humans.
GDQ: Games Done Quick, the name of the YouTube channel.
OoT: Ocarina of Time, a beloved Zelda game from the 90s.
ACE: Arbitrary Code Execution. A vulnerability that lets you run whatever you want. You can use it to skip huge parts of the game, therefore achieving the fast speedrun.
I've wondered myself why there's so little overlap between these two closely related interests of mine. Some of it seems to be the "But I don't want to cure cancer. I want to turn people into dinosaurs." effect, where some of the people working on exploiting games ONLY care about what can be done in their one game of interest - it doesn't always generalize to interest in using the same techniques against everything else.
Of course there's also the fact that exploiting 20-30 year old games is just vastly easier than modern software, due to the total lack of mitigations in them. And that's on top of the fact that with popular games, you're building on decades of reverse engineering work rather than (potentially) starting from scratch. And the arguably superior toolset (savestates etc).
But I think a very big factor is the one this blogpost is trying to address - most people just don't know anything at all about the vuln research industry, which is not exactly searching for attention in the ways that speedruns broadcast to hundreds of thousands of viewers for charity are.
Because actual gaming vulnerability researchers that do know who they are are called cheaters and are mostly active in cutthroat PvP games, not single player ones. Just ask the developers of Rust (the game, not the language), they know everything about it. They were one of the very few devs to ask the community to do what all communities in such games always do anyway - find exploits and glitches, and publish them on Youtube. As a result, they ended up with a game that is pretty robust to item duplication and general exploits.
Actually this implies there's probably an opening in YouTube for someone to make vulnerability videos in the style of speed run videos. And then poaching some of that audience, and riding the sponsorship opportunities. Not my skillset but yeah, I could definitely see that working.
Since speedrunners who find glitches are obviously very technical, do they usually already have some sort of day job in tech? I imagine it might be easier and just as lucrative to work on some CRUD app 9-5 and devote the rest of their time to research/streaming, and may be preferable to overloading their brain with even more of the same kind of research.
As an n=1 data point, that was my exact situation for a while. Also a lot of the people who put out high effort stuff are college students, which works for the same reason.
More interestingly and more surprisingly, some of the people who work on exploiting games _don't_ do any sort of tech work and have no background in compsci - they're purely self educated just for the sole purpose of breaking the one game they're interested in. This was the case for some of the biggest contributors to ACE in Zelda Ocarina of Time.
I know a speedrunner who turned down a promotion beyond their data job because they were in a role that they already had automated a large chunk of, and wanted to stay in it so they could keep pretending to be busy at work while instead practicing speedruns.
For HN reference, MrCheeze is well known and has done quite a lot of work over the years glitch-hunting in older games. (and is cited in the SethBling video posted several times in this thread)
This is absolutely and obviously true. Vulnerability researchers watch tool-assisted speedrun videos with jealousy. Side-note: when we did Microcorruption, game devs outperformed everybody but elite vuln researchers.
Microcorruption is basically just a Zachtronics game, if you squint, which I always thought was a fun framing. Reading the blog posts about Starfighter/Stockfighter definitely made me think of video game style exploits, too, if not the same type of glitches. Video game players love to find ways to sell items to NPCs and then buy them back at a lower price for infinite money...
I got more satisfaction out of solving the last level of Microcorruption than I probably have from beating any game.
That rules. That last level was Nick Carlini and Hans Nielsen, both of whom have done awesome things since then; we just interviewed Nicholas on cryptanalytic attacks against LLMs:
https://securitycryptographywhatever.com/2025/01/28/cryptana...
No doubt about this. Game devs, modders, map-makers/hackers get hands on such a breadth of skills (graphics, sound, scripts, network) inside a contested environment that means a lot to them, so they naturally feel at home in cybersec.
I watched the world record speedrun of Subnautica the other day and someone was kind enough to have posted a comment with a full list of all the bugs he exploited to beat the game in 28 minutes.
It was quite mind boggling. When I played the game I barely encountered a single bug or glitch - it seemed pretty polished! - but in actual fact there were hundreds of outstanding bugs, years after the game's release and multiple updates.
I assume this is the speedrun you're talking about: https://www.speedrun.com/subnautica/runs/ylp925xm
If you look in the top-right corner at 0:19, the build being played is "Sep-2018 61056", strange for a Dec 2024 speedrun. Presumably that specific old version was used because the glitches it relies on have been fixed in current versions.
A lot of speedruns will not only use specific versions of online patchable games, but old games will have players use specifically Japanese or European physical copies for the same reason: there are glitches that are only present on the Japanese version of Pokemon Red/Blue that were fixed for the NA release, for example. Some of the time it gets really weird, like people specifically using the Wii Virtual Console re-release of a game in order to take advantage of its emulator being different from physical hardware - which is (usually) allowed, because it's still an "official release".
Sometimes simply because the Japanese text is shorter, taking less time to display. And there are also games that run at different speeds on NTSC vs PAL versions.
Wait, does this mean it is possible to disable the quarantine gun and board the rescue ship instead of building your own rocket?
It's doubtful that there is one piece of software that does anything non-trivial that has bugs, even short command line programs. The best we can hope for is that bugs don't seem to cause too many problems.
> It's doubtful that there is one piece of software that does anything non-trivial that has bugs, even short command line programs.
TeX and Metafont and other Knuth programs come pretty close.
There's also programs that have been proven correct. (And the proof systems themselves are usually fairly small and can have multiple independent implementations. Or at least the core of these systems that everything hinges on.)
They really aren't, they are speedrunners.
They may have a set of skills and focus that overlaps with vulnerability researchers, but they are doing a different thing.
It's like saying, "hunters are photographers, they just don't know it yet" or "taxi drivers are f1 drivers..."
Resist the urge to collapse the world into the world view you already have. Resist the urge to treat every skill and hobby like a professional one for work. Let people enjoy things.
In some cases, it is exactly the same thing.
I co-authored the current fastest TAS of Super Metroid (video: https://youtube.com/watch?v=m-Gt57ur7OA, writeup: https://tasvideos.org/8214S). Our run involves exploiting a race condition in the game's sprite animation system, which under the right set of circumstances can cause the game to try to execute code from unmapped memory. We manipulate the behavior of enemies in the room to precisely control the timing of the exploit such that some hardware DMA fetches happen at the same time as the reads from the unmapped memory, which influences the results of the reads through bus capacitance & gives us enough control to redirect the program counter to the controller input registers, at which point we have full arbitrary code execution. That's not even "overlapping", that straight up is vulnerability research & building an exploit chain.
Granted, that's the extreme end -- most speedruns don't go anywhere near that deep into the weeds. But every sufficiently well established speedrun community has people who specialize in reverse-engineering, understanding the game mechanics, and figuring out exploits. Most of my day-to-day participation in the Super Metroid community isn't working on methods of full-on arbitrary code execution; but I do spend a lot of time doing things like looking at boss AI, investigating inconsistent speedrun strats to find out how to normalize them, writing tooling to help people practice, figuring on how to reproduce a weird glitch someone encountered, etc.
The article describes very strong similarities, definitely more than between taxi and F1 drivers; read the sections "Glitch hunting is reverse engineering" and "…And it's vulnerability research".
Interesting article!
Though it's too bad that cyber security is not as intrinsically fun and interesting to a lot of speed runners as video games. A large part of what allows speedrunners to spend hours searching for glitches and exploits in these games is that they're having an absolute blast while doing it! Also exploiting glitches in decades old games is generally pretty accessible and doesn't have a high barrier to entry like cyber security.
At its most extreme, this crossover gets you things like arbitrary code execution on Super Mario World.
EDIT: There was supposed to be a link here. https://www.youtube.com/watch?v=jnZ2NNYySuE
Opens with an AI-generated image, I'm gonna assume the text is from the same source and close the tab.
Also no author listed on the article. Just "a Senior Cyber Engineer".
Not just an AI-generated image. A hideous AI-generated image.
There's low-effort, and then there's nearly-no-effort, and 100% I assume that the text of the article is equally garbage.
Antithesis is using this idea to improve its bug-finding product: https://antithesis.com/blog/zelda/
Many moons ago I used to speedrun Goldeneye and Perfect Dark on the n64. This was in the very early 2000s. I was pretty good but by no means the best.
It's strange to see many of the people I used to hang out with on AIM and MSN messenger now have legendary speed runs and entire lore threads and wikipedia pages written about them.
I think the itch you scratch doing speedruns is a lot like the itch you scratch doing any kind of creative coding and/or exploit research.
I'm a speedrunner, and I'm pretty sure this is well known -- and accepted as standard in some categories! It's a pretty well accepted standard (to the point of the headline being almost a mild offense!).
In the gaming world, undefined software behavior is critical to this sort of thing, we see this especially in some games like the legendary exploits found in the Ocarina of Time speedruns for example.
I mean, in Super Mario World, SethBling did code injection to manually run a version of Flappy Bird (how ironic given the origin of the pipes!) in the game. By hand. No savestates. It took forever and the run through is really and truly fascinating: https://youtu.be/hB6eY73sLV0?si=nIP07o_fa6O9rauW
I speedrun things other than games as well -- and so the generalization is not just that we are security researchers, we are people who fundamentally learn the "shape" of a thing very, very well, and ways that this shape can be used to get from one state on that shape to another.
In conclusion -- yes, it can be something as simple as security research! But the joy and the beauty of speedrunning is something so much bigger and beautiful than that -- though it certainly is one outcome that can be had!
This is an interesting premise. I especially like framing speed runners as researchers
It's a super interesting premise, and I like it too.
We should distinguish those in the community that actually discover new glitches from those who simply practice what others have uncovered, though. Those aren't always the same person.
Yeah, there's definitely shades. I think for most games the people who find glitches and drive forward this kind of research usually aren't actually that good of runners themselves. But for TAS runs, where there isn't as much of human skill component and technical execution is more important, they're usually closer aligned. And in any case the speedrunners and glitch discovery people are all in the same discords together talking about the game.
The only speedrun I can personally do is the Wario Stadium N64 Mario Kart level where you can hop over the wall right at the start!
My favorite from Baldur's Gate 3 is where a speedrunner found that if you kill Shadowheart and stuff her in a box, you can quickly get through the story. Sucks for her!
Speedrunners have an emotional attachment to video games from childhood. It’s why the most competitive categories are classic games like Mario. They take something you and I are familiar with and play it to such a degree it becomes a new experience.
You can’t look at the meta skills around speedrunning and expect them to transfer with a similar drive or interest.
What it probably indicates is that a large number of talented youth never had an outlet for their skills which rewarded them. So their most meaningful experiences became video games instead of say, electrical engineering or teaching math.
I also think a lot of speedrunning techniques demonstrate the "anything can happen" nature of undefined behavior in a visceral, not-purely-theoretical way. What happens when you don't take undefined behavior seriously? Well, then Mario can backward longjump into a parallel universe and teleport enemies on a whim.
Also competitive gamers and pannenkoek, which I can't fit into any category. But the man found all of the bugs in Super Mario 64 and then some.
For every fun thing there is a boring version someone will pay you for that has none of the real reasons or joy in it.
some speedrunners that compete in categories where glitches are allowed and who find the bugs themselves can be labeled hackers.
It's fairly rare to see people consistently find glitches across games, only distorsion2 comes to mind.
Nope. I completely disagree.
Unless you are using tools and rigorous methods you are just playing around. Just because most games are all broken in easily predictable ways doesn't mean every new game creates a hacker.
It's more correct to say "speedrunners show that almost all game developers are bad at software engineering".
Sometimes good at creating fun games, but quick to say "you are holding it wrong" when you breathe on the thing and it blows up.
> using tools and rigorous methods
Lots of speedrun strategies require surprisingly sophisticated tools. People will decompile/disassemble code to figure out what is going on. They'll run the game in an emulator and peek at memory values to figure out how the game works and how to manipulate it. They'll use these tools to set up their game state so that there's a sequence of bytes in RAM, then cause program execution to jump to these bytes, to run arbitrary code execution.
Here's a video of a speedrunner explaining some of the things he did to get two arbitrary code executions working together to speedrun Super Mario All-Stars + Super Mario World: https://www.youtube.com/watch?v=_MbaZY2DOW0 (it's about 15 minutes)
Here's the same runner using one of those arbitrary code executions to inject Flappy Bird into Super Mario World instead of just warping to end credits: https://www.youtube.com/watch?v=hB6eY73sLV0 (it's about 6 minutes)
He didn't get to that point just by random pressing buttons until something interesting happened. He got to that point because he understands the Super Mario World memory layout well enough to manipulate it and execute the instructions that he chooses for it. That's vulnerability research any way you want to slice it.
Even ignoring this weird definition of a "hacker", you've shown how little you know about how many exploits in games are found. They often involve stepping through the assembly of the game to understand how a glitch works and how to use it in a useful way. Not just "screw around in a game until you suddenly discover a useful trick"
I'd say that's the rarer approach, though. Yes, some arbitrary-code-execution strats go that far, but by far most glitches used in speedrunning are found by either creative use of game mechanics, just screwing around in the game, or by accident (there are a few general techniques that can apply, e.g. wedging something into a corner and spamming buttons is likely to result in a clip or some kind of high-speed ejection, due to the general weaknesses of physics engines). Only a few, older, very popular games get taken apart to the degree you describe. Watch a few GDQ runs, and see how many times the runner goes "we have no idea why that works, but it does".
I think it’s a harsh interpretation to say they’re bad because a determined hacker can break their game. Games aren’t security critical software, so they’re not going to get the level of investment needed to prevent this kind of thing that, in practice, hurts nobody.
That’s to say nothing of exploits that can only be used by TAS software. That’s like saying my car is a piece of shit because it’ll not survive being driven into a volcano.
Hacking is playing around, that's what hackers will tell you. You are conflating hacking with penetration testing or "formal" disciplines like that
I remember watching a video about this a while ago... it was a fresh perspective into a side of security research I didn't consider.
Worked with the folks at Zetier previously. They’re bright. Go work with them if you want to do some cool VR stuff.
Maybe QA as well
Yes, exactly. Detail-oriented, fault-finding domain experts. Bridge the idea that functional testing, perf testing, and the like are certain aspects of security. (Stealth) training folks to cultivate a hacking mindset.
And some vulnerability researchers are just prosecution speedrunners!
what about the road runner?
I mean this is pretty obvious, they are both trying to glitch software to get a desired but unintended outcome.
I think if anything vulnerability 'researchers' should study speedrunners more than the opposite. They are shockingly successful and they have shown again and again that there is almost no limit to how much you can glitch software.
LOL another business exec or MBA bro trying to flood the cybersecurity market, you guys are seriously reaching here.