Bizarre.
Common wisdom. It just happens to not be true. People just aren't auditing random code on GitHub for fun. Auditing code is hard, and time consuming. Most vulnerabilities are found by techniques like fuzzing, not by combing through thousands of lines of code.
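To illustrate the fuzzing point above, here is an added example written for this page (not code from the thread, from Valve or from any real engine). The wire format, the parser, its bug and the seed message are all constructed: a header with an 8-bit `name_len`, a 16-byte fixed name buffer, and a parser that checks the source length but not the destination size. The mutational fuzzer knows nothing about the format; it just mutates a valid message and treats any exception other than the parser's own `ValueError` as a crash, the way a sanitizer would flag an out-of-bounds write in a native build. The hardened variant differs by exactly one check.

```python
"""Toy mutational fuzzer against a constructed game-style message parser.

Added example for this page; not code from the thread, Valve or any real
engine. The wire format (u8 kind, u8 name_len, name, u16 payload_len,
payload), the 16-byte name buffer and the bug are all made up here.
"""
import random
import struct
from typing import Callable, Optional

NAME_MAX = 16  # models a fixed-size stack buffer for the player name


def _parse(buf: bytes, hardened: bool) -> dict:
    if len(buf) < 2:
        raise ValueError("message too short")
    kind, name_len = buf[0], buf[1]
    if hardened and name_len > NAME_MAX:
        # The fix: check the destination size, not just the source length.
        raise ValueError("name_len exceeds fixed buffer")
    if 2 + name_len > len(buf):
        raise ValueError("truncated name")  # source length is checked...
    name_buf = bytearray(NAME_MAX)
    for i in range(name_len):
        # ...but the destination is not: i >= 16 raises IndexError here,
        # standing in for a stack buffer overflow in C.
        name_buf[i] = buf[2 + i]
    off = 2 + name_len
    if off + 2 > len(buf):
        raise ValueError("truncated payload length")
    (payload_len,) = struct.unpack_from("<H", buf, off)
    payload = buf[off + 2:off + 2 + payload_len]
    if len(payload) != payload_len:
        raise ValueError("truncated payload")
    return {"kind": kind, "name": bytes(name_buf[:name_len]), "payload": payload}


def parse_message_vulnerable(buf: bytes) -> dict:
    return _parse(buf, hardened=False)


def parse_message_hardened(buf: bytes) -> dict:
    return _parse(buf, hardened=True)


# Boundary values a fuzzer tries for length-like fields.
INTERESTING = [0, 1, NAME_MAX - 1, NAME_MAX, NAME_MAX + 1, 0x7F, 0x80, 0xFF]


def mutate(data: bytes, rng: random.Random) -> bytes:
    """One random mutation: overwrite, bit flip, boundary value, insert or delete."""
    buf = bytearray(data)
    op = rng.randrange(5)
    if op == 0 and buf:
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif op == 1 and buf:
        pos = rng.randrange(len(buf))
        buf[pos] ^= 1 << rng.randrange(8)
    elif op == 2 and buf:
        buf[rng.randrange(len(buf))] = rng.choice(INTERESTING)
    elif op == 3:
        pos = rng.randrange(len(buf) + 1)
        buf[pos:pos] = bytes(rng.randrange(256) for _ in range(rng.randrange(1, 9)))
    elif len(buf) > 1:
        del buf[rng.randrange(len(buf))]
    return bytes(buf)


def fuzz(parser: Callable[[bytes], dict], seed: bytes,
         iterations: int = 20000, rng_seed: int = 1) -> Optional[bytes]:
    """Mutate the seed; return the first input that crashes the parser, else None.

    ValueError is the parser's own clean rejection and is not a finding.
    Any other exception models a memory-safety crash. Inputs the parser
    accepts are kept as new seeds, a crude stand-in for coverage feedback.
    """
    rng = random.Random(rng_seed)
    corpus = [seed]
    for _ in range(iterations):
        data = mutate(rng.choice(corpus), rng)
        try:
            parser(data)
        except ValueError:
            continue
        except Exception:
            return data
        corpus.append(data)
    return None


# Constructed seed: kind 1, 7-byte name "player1", 24-byte payload.
SEED = bytes([1, 7]) + b"player1" + struct.pack("<H", 24) + bytes(range(24))

if __name__ == "__main__":
    crash = fuzz(parse_message_vulnerable, SEED)
    print("vulnerable parser crashed on:", crash.hex() if crash else None)
    print("hardened parser crashed on:", fuzz(parse_message_hardened, SEED))
```

The point is not the toy parser but the asymmetry: the fuzzer never reads the parser and still finds the overrun within a few thousand iterations, while the same bug would be easy to miss in a code review because the `2 + name_len > len(buf)` check looks like a bounds check. With the source in hand you can write a targeted harness faster, but you do not need it to find this class of bug.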
Worth keeping in mind this isn’t a silver bullet. OpenSSL with Heartbleed comes to mind.
Unless they specifically hardcoded a back door into the game, I’m dubious a leak would result in an RCE so quickly, if ever.
AFAIK, parts of the source code have already been leaked since 2018 amongst certain circles outside Valve. It's only been in the past few days that this is now common knowledge.
The TF2 subreddit announcement: https://www.reddit.com/r/tf2/comments/g64t0b/data_leak_warni...
The original HL2 code leak was by a fan from Germany who hacked into Valve's network and stole a version. https://arstechnica.com/gaming/2016/06/what-drove-one-half-l...
There are YouTube channels like VNN that rely on Valve leaks, but most of it seems like running `strings` on their update files. He does claim to have some inside sources, but they mostly seem to provide social commentary on Valve internal politics.
Refer to this r/Games thread for more details: https://reddit.com/r/Games/comments/g61v4x/_/fo6r9ef/?contex...
I'm slightly shocked by the phrasing in that post: "It is definitely possible that someone could install a virus on your machine by just being in the same server."
That... seems like a pretty shocking security hole, unless they are talking about unknown possibilities, in which case the term "definitely" is a bad choice. If this can be done with the source, it could have been done before, no?
Game code is particularly known to be "spaghetti", "code cowboy"-style, where the result is more important than the form or correctness. I mean, that's art, after all, so that seems obvious.
And do you think a lot of companies update their games after they are out? Most often, the code is definitive, refactors are out of the question, etc. I've never seen a bug that fixes a security issue (CVE), let alone for old titles.
And that's when RCE is not by design. It is in Garry's Mod, but that's for client-side mods scripted with Lua, so theoretically sandboxed. Unreal Tournament 99, though, has plenty of servers that put some DLLs for "anti-cheat" software on your computer before you join. That one probably isn't sandboxed.
While we talk about anti-cheat software, can we think a moment about everything that could go wrong with a piece of software that has a very deep access to the system, is sometimes in-house, and not necessarily audited, and whose functionality often includes:
* downloading challenges from servers, patching them into RAM and seeing what happens
* scanning the RAM of the whole system, plus the filesystem, for known exploits
* uploading parts of that RAM and filesystem to random servers for analysis
* taking screenshots, logging keypresses, monitoring the system and uploading all of this.
Takeaway: sandbox your games. There's a reason I run Steam in a flatpak, on Wayland... Convenience is part of it, but that's not the main one.
- https://hackerone.com/reports/542180
- https://nvd.nist.gov/vuln/detail/CVE-2020-9005
- https://nvd.nist.gov/vuln/detail/CVE-2020-7952
- https://nvd.nist.gov/vuln/detail/CVE-2020-7951
As for uploads, players used to be able to set custom models in Quake 2 which were distributed to other players on the server. Though I am not sure if that was done by server admins in special cases for clan players or members or if there was an actual upload mechanism in the game engine.
This analysis is on-point, and something a lot of sources seem to miss. A determined actor can find the exact same exploits with and without access to the source code, though I admit it is much more complicated without ("determined").
Sadly, OSX Catalina killed the game for Mac users because Apple recognized the extreme demand by casual users to break all their old 32bit applications.
I really hope something like TF2 resurfaces in some form again. I never liked the feel of Fortnite.
Valorant, a beta game from Riot, is then a blend of Overwatch + CS:GO, making it closer to TF2 6s.
https://www.youtube.com/watch?v=ran_yU65Xmg
Honestly, I expected something a bit more involved than copy/pasting and scaling objects. And even then, this old ldjam game (Tale of Scale) does it better IMO:
http://ludumdare.com/compo/ludum-dare-25/?action=preview&uid...
(well, it doesn't do the copy part, just the scale part but still feels better)
Those non-euclidean rooms at the end of the video are sweet though. Honestly the most surprising thing is that we didn't actually see any of these in the portal games given that it's the same exact tech required to make it work as the portals themselves.
Edit: The concept looks boring, not the obviously unfinished tech demo
Most RCEs aren't carte blanche to run arbitrary code on a user's computer, but are some way of triggering a particular code path on a remote computer.
And anyone who wants to compile it needs a licence for those libraries, which in many cases is free for noncommercial purposes, or for students. BTW, what expensive libraries do exist in that area anyway?
My advice is to avoid getting tainted. Do not read the code.
Of course, archivists, please do archive it. Even if Valve never open sources this, it should be possible to preserve somewhat adequately, and it should be legal to publish, at some point in the future, in some country or another.
I have often heard it in the context of Windows operating system developers, who should be careful not to accidentally introduce open-source code into the kernel if it might have a license that is not compatible with Microsoft's.
It's good to be informed and take steps toward being safe, but we're talking about a leak where any meaningful security flaws have had multiple years to be patched.
Valve could possibly kill the server browser service for TF2 to stop people searching for servers but then people could just connect directly to the community server of their choice either from their favourites or by IP directly.
They could push an update via steam which bricks the game completely but that would piss off a metric fuckton of the userbase when the game is still playable with some precautions in place (playing on password protected servers with people you know)
A shutdown as you are suggesting would only work with a game with publisher-provided multiplayer servers and no community servers.
I know I for one don't want to live in a world with only publisher-provided servers; those games regularly have the servers shut down because they are no longer profitable for the publisher/devs, leaving any remaining community out in the wind.
The DRM is super invasive as well. A lot of Wine developers have to deal with Denuvo repeatedly banning them, as well as one user reporting that they were banned from Valorant after plugging in their phone to charge it.
Using this code could I edit the character models so that certain characters looked like Sesame Street characters and then publish that game to my personal PC for my kids to have fun with?