- cross-posted to:
- [email protected]
- cross-posted to:
- [email protected]
You must log in or register to comment.
I had the mod installed in the timeframe were it had the malware. Fuck me.
But what really pisses me off is that i read about it first here on lemmy. Not on the Beamng forums/repository, not in the game, not in the steam announcments of the game. Like you distributed malware over your platform and the policy of you fucks is just to stay silent? Meh.
Why would it be in-game or a steam announcement? The malware was in a mod, not the base game. Mod authors can’t post game announcements. So, at best you get a comment of the workshop or on nexus.
Because Beamng runs their own mod repository which is even accessible ingame. This isnt about some random mod hosted on a randrom 3rd party site. This mod was released and distributed over servers and a services which Beamng as a company runs themselves. So reading a whole ass month after the incident my system and my passwords were potentially compromised fucking sucks. I’m not blaming them that the mod got uploaded. I’m blaming them that they made no attempts to publicly communicate: “yo, a mod containing malware got uploaded to our service and 3000 users downloaded it before we got informed that it was infected. If you happen to have downloaded the mod in x timeframe your system was likely compromised. Sorry yadda yadda”
Because it’s supposed to reach affected users as quickly as possible, and a Steam/ingame announcement is the best way to do that? Slay The Spire made such an announcement when a popular mod was infected, and even though I didn’t use that mod, I still appreciated the outreach and care.
Why are you acting like it’s such a crazy idea to use broad announcement channels to reach all affected users?
It’s not a crazy idea. But it’s also perfectly reasonable for the game publisher to not involve themselves with mods.
Well, but they involve themselves with mods quite a bit: https://www.beamng.com/resources/
It’s not reasonable when it means their users are possibly affected by this vulnerability without being informed. Even if it’s mod stuff, they have a responsibility towards their customers - and it’s not like it hurts them in any way.
This made me think, okay, this particular exploit uses malicious code in a mod that targets an old embedded chromium vulnerability, and can be fixed by updating the game’s dependencies. This game started a dozen years ago, but it’s still being worked on.
How many retro games that are not still in development could have vulnerabilities like that? Especially moddable games.
Outdated chromium…Like the steam overlay?
Or electron
Oh yeah. That too :|
Another thing I think about sometimes is how games can be malicious too. The trend in PC gaming for a while now is “flavor of the month” where every couple months a huge breakout title comes out and everyone plays it for a few weeks.
The expectation from these games is that they run like shit despite being a fifth as graphically complex as a bigger budget game. What stops them from slipping a coin miner in for half a day at the peak of their popularity?
Schedule 1 for example. I love this game and I’m not accusing them of anything, just an example. Let’s be honest. It runs at 100fps when it could run at 1000fps. Say the dev finally optimizes it, pushes the optimizations and a coin miner in a hotfix patch with no patch notes post on Steam. Six hours later the dev removes the coin miner and pushes that as a major patch with a patch notes release calling it the “optimization update” or something. We’d be none the wiser.
Don’t take this as me saying not to support indie titles but it’s a little weird that millions of people install untrusted closed source code from 1-3 devs all at the same time every couple months.
It could happen, but especially if the game has at least some popularity on a platform like Steam I expect someone more tech savvy than average would smell a rat and start looking, or ask around, and it’d be found out.
I don’t know exactly how those work, but I imagine on top of weird CPU usage it would make very suspicious network calls too. There’s always a guy that sees stuff like that and goes “where the fuck are my cycles and packets going?”
Yeah you’d think, but when I worked in cybersecurity the thing that freaked me out the most is how often this just doesn’t happen. It can happen immediately or it can take ages.
Mods that contain code always feel sketchy to me. How much can I trust whoever made this dll or such?
If you want extended mod support, you kinda need it though. Stuff like Minecraft and Rimworld come to mind.
Rimworld has very good official mod support that lets you do quite a lot with completely safe XML configuration files. But as soon as you want to deviate a bit from what the vanilla game allows, you’d have to code that and embed it as a DLL in your mod.
Almost all gameplay or UI mods are DLL mods or depend on one. Quick survey : I have about 250 DLLs from my active mod list.
I know, and I hate it. I think the only way to fix this would be to support some limited scripting language, but that also sucks for other reasons.
Open source would also help with trust.
I literally have a Rimworld mod that calls an external python script as a feature.
It’s a special case, of course said script is not part of the mod package, it has to be installed manually. What it does is allowing generating portraits for characters externally.
I even rewrote the script to use local generation, but the one provided as an example calls an online API.
That’s why I prefer to get mods from trusted sources, like Nexusmods or the Steam Workshop.
Does it really help? Not a concern troll, just curious. Do they check code like Play Store’s verified?
They certainly don’t review code, but on those there must be at least a scan for the most obvious malicious stuff. I am not sure it’d detect something hidden like in the article though. After all even on the guy’s PC it was only detected once it tried to actually download stuff.
The good thing about workshop is visibility, if someone notices something shady it’ll be known fast. Not perfect, but probably better than getting your mods from random sites nobody knows.
Every mod that adds functionality can do everything the User can do, except when its sandboxed (for example factorio, TES without script extender). Its really a huge attack vector.
