This was 5-6 odd years ago and he no longer works there, so things might have changed, but based on this tweet it seems unlikely.
This seems to be a common theme with problems at Valve.
The typical problem at software companies is that developers are incentivized only to write code for new features that will land them promotions and look good on their resume, but bugfixes and security work are not part of that.
Management can counteract this with top-down initiatives. Programs like "fix-it week" or teams dedicated to security with different incentives in place. For example, Google suffers from the "promotion-oriented programming" about as badly as any other company, but they manage to take security seriously.
Valve has "flat hierarchy", which goes in quotes because the hierarchy isn't really flat, it's just hidden. Because the hierarchy is hidden, it's harder to address large-scale problems like institutional priorities... because there are fewer people to delegate large-scale problems to.
The lack of care regarding source engine netcode extends to every part of the source engine, including Valve Anti-cheat.
The anti-cheat is trivial to reverse (several PUBLIC bypasses have existed for years on GitHub, with zero patch), the engine source has been leaked, reverse engineered, and fiddled with by thousands of 14-year-old kids. It is pathetically easy to bypass; for example, by changing a single byte in memory you can see through walls, see enemy money, etc. See this video I found about how miserably broken it is: https://files.catbox.moe/8e3bxz.mp4
It is in my opinion the greatest loss to gaming that a classic, legendary game like Counter-strike got completely ruined by lack of care by a company that profits millions off of the case unboxings.
> It is in my opinion the greatest loss to gaming that a classic, legendary game like Counter-strike got completely ruined by lack of care by a company that profits millions off of the case unboxings.
Have you played the game in recent years? This has not been the case for me or the people I play with at all.
When playing on high trust-factor accounts, cheating is basically eliminated.
The experience for newer players is pretty bad, but once you convince the system you're trustworthy, the algorithm does an extremely good job of not matching you with cheaters.
What Valve lacks in boring, sensible solutions they make up for with interesting, often much more complex workarounds (see: the open-world CS:GO Danger Zone map shoved into a game with a room-based engine).
I know he couldn't be an expert, but the person on my team says he can be blatant every game and never get banned because we're on Prime. I don't want to believe that, but then he had a lot of items and didn't mind spinbotting at all.
Yes, but this is not a technical fix. You just hope that accounts with more "value" cheat less. Which is true in most cases.
People think you're kidding, but it's really that easy on Source! For a while, the most popular TF2 (a Valve Source game) hack was created by a 15-year-old. He made at least a million dollars in profit too! (Can't remember if this factoid was verified or not, but he can definitely pay for college now.) I wasn't nearly as talented, but I made some hacks for fun when I was 15 or 16 years old.
Yeah... no, not exactly fun.
Luckily you can now report accounts for this, and with enough reports they will be auto-muted now.
The premise of bug bounties is that the reward amount is at the discretion of the program host and that the time incurred by developing a fix will influence the moment of payout, but refusing to pay and even communicate (for years!) for clearly eligible submissions is well beyond a reasonable interpretation of the conditions, and to consistently keep facilitating this abuse is simply fraudulent.
Some game companies (Riot Games) even install their anti-cheat software so that it loads in ring 0. Even with their best efforts, cheaters will still prosper.
Might even go a step further and firewall my gaming machine off from the rest of my network.
Maybe we should run the entire OS in the game's hypervisor?
All of the anti-cheat solutions I've seen that run in kernel mode are none of those things. They make it well known that they're installing, are made by vendors that actively care about the security of their products, and are trivially easy to remove once they're no longer needed.
Many games package in outright spyware that siphons all kinds of data off your machine, including browsing history. Kerbal Space Program was infamous for this (they removed the spyware at some point, but I haven't checked recently whether it was ever added back in).
Please post details. Were they literally mining user data?
https://www.theregister.com/2016/09/23/capcom_street_fighter...
https://mobile.twitter.com/TheWack0lian/status/7793978407622...
Their software also takes screenshots, walks the file system, scans people's processes... Any similarities to malware may or may not be mere coincidences. They're also known for false positives: banning people for receiving special strings via text message, unknowingly installing mods with hacks bundled in, or due to the presence of development tools such as debuggers or even virtual machines. Good luck trying to reverse such a ban; the entire gaming community has already been conditioned to accept any decision as final and to even defend this practice. When coupled with DRM, this essentially means your license to play the game has been revoked with no refund.
Why are separate machines required, rather than dual-booting? (i.e. Windows for games, Linux for everything else)
Most of the components have firmware that can itself be loaded with malware.
It is currently unclear whether there is a publicly available PoC or any exploitation going on in the wild.
[1] https://twitter.com/AntiCheatPD/status/1380873722966503426
I'll second that.
I discovered and reported a vulnerability with the Steam client's Bluetooth pairing process via hackerone.
The issue was confirmed but decided "out of scope" as apparently "within bluetooth range" runs afoul of the bug bounty's "require physical access" exclusion.
8 months later (I haven't exactly kept on top of this) they're still demanding I keep it confidential. I'll follow it up...
https://www.hackerone.com/disclosure-guidelines states that "After the Report has been closed, Public disclosure may be requested by either the Finder or the Security Team." - so if the report just doesn't get closed, you can't disclose through the platform, and https://www.hackerone.com/policies/code-of-conduct says "Disclosing report information without previous authorization is not permitted."
To me, it seems that you're not permitted to disclose the issue at all until the report has been closed and either 1) 30 days have passed and the security team hasn't requested an extension, or 2) "180 days have elapsed with the Security Team being unable or unwilling to provide a vulnerability disclosure timeline".
Due to this, I refuse to report through HackerOne.
[1]: https://twitter.com/floesen_/status/1337107178096881666
It depends on whether you think there's a reasonable chance that someone may be using that exploit by now. Carrot and stick approaches do not work without a reliable stick.
Edit: I suppose it also depends on how much you value going through the exact same process with Valve for other bugs in the future. But in a situation like this it seems like little would be lost.
HackerOne is almost certainly smarter than doing that because this would immediately ruin their reputation as a bug reporting platform (and expose that they're complicit in suppressing disclosure). They're much more likely to just ban the H1 account or issue some limited penalty.
Valve could potentially try, but the risk here also seems minimal: They also have a reputation to uphold, are experienced enough to know that suing security researchers paints a really bad picture and would draw attention to their vulnerabilities, and especially if their software is full of holes, this would almost certainly cause many people to disclose information about those.
There's a small chance you might still get the bounty, because you reported it first. And if not, because it's already disclosed by another party, you can cry foul on social media.
Full disclosure or no disclosure.