Comment

Comment on Block Blasters: Theft of $32k in crypto from a stage 4 cancer patient due to valve’s incompetence in allowing malware on their platform

ryathal@sh.itjust.works ⁨3⁩ ⁨weeks⁩ ago

This seems way too hostile to valve for what this really was.

source

Sort:hotnew top

lazynooblet@lazysoci.al ⁨2⁩ ⁨weeks⁩ ago
If it’s true they the malicious game has been available for a month then steam has some blame.

source
- AwesomeLowlander@sh.itjust.works ⁨2⁩ ⁨weeks⁩ ago
  Why so? Assuming this is the 1st complaint against the game, what was steam supposed to do in the past month?
  
  source
  - kbobabob@lemmy.dbzer0.com ⁨2⁩ ⁨weeks⁩ ago
    Obviously, Steam is supposed to vet the source code of every game thoroughly before it ever gets put up for sale.
    
    source
    AwesomeLowlander@sh.itjust.works ⁨2⁩ ⁨weeks⁩ ago
    I wonder how many people are taking your statement at face value without recognising the sarcasm…
    
    source
    -> View More Comments
    pulsewidth@lemmy.world ⁨2⁩ ⁨weeks⁩ ago
    Dumb take. There are many ways to scan software without needing access to the source code.
    
    Do you think retail antivirus providers approach every developer of every program version to request a copy of their source code for review before they can verify it’d safe?
    
    source
  - Modern_medicine_isnt@lemmy.world ⁨2⁩ ⁨weeks⁩ ago
    Steam could easily gave automation the installs and runs games in a sandbox. Then watches what they do. The things it needed to do to steal the crypto should be vastly different than what a game should be allowed to do.
    
    source
    dafta@lemmy.blahaj.zone ⁨2⁩ ⁨weeks⁩ ago
    This isn’t foolproof. A lot of malware these days is resistant to analysis because they can detect that they’re running in a sandbox and refuse to run the malicioua code.
    
    source
    -> View More Comments
    Die4Ever@retrolemmy.com ⁨2⁩ ⁨weeks⁩ ago
    There are so many ways malware could get through that. What if it waits for a specific date or a certain amount of progress in the game? This automated sandbox probably wouldn’t be smart enough to beat the game, certainly not with as many games as they have.
    
    source
    -> View More Comments
    dogs0n@sh.itjust.works ⁨2⁩ ⁨weeks⁩ ago
    It isn’t easy as you say.
    
    If they could let us run games in a sandbox/virtualised area that would be amazing though. That’s a very big ask though.
    
    I do know that xbox consoles run games in their own hyper-v vm which gives extra protections to us from most malicious code.
    
    Obviously this would be hard for Steam to implement, but it would be a very nice measure.
    
    source
    -> View More Comments
    ryathal@sh.itjust.works ⁨2⁩ ⁨weeks⁩ ago
    Malware creation and detection are billion dollar industries playing an eternal cat and mouse game with each other. These programs don’t just instantly try to steal every file the second they run.
    
    source
    -> View More Comments
    Nibodhika@lemmy.world ⁨2⁩ ⁨weeks⁩ ago
    Have you seen the malware? It would have passed that test.
    
    source
    -> View More Comments
pulsewidth@lemmy.world ⁨2⁩ ⁨weeks⁩ ago
It really isn’t. Scanning code for vulnerabilities should be at a very high standard for the dominant and most wealthy game platform on Earth.

Very standard practice for malicious software scanning is to install the program in a virtual environment and then monitor its processes to see if it’s performing malicious activities: eg keylogging while a background process (eg alt-tabbed), or if it interacts with browser data (trying to get saved auth cookies or saved account info), running searches for strings that are common for crypto wallets, etc.

Its entirely possible that Steam has dropped the ball in a big way here.

I can only imagine the animosity in the comments if it was from a game on the Epic store or Ubisoft UPlay…

source
- DreamlandLividity@lemmy.world ⁨2⁩ ⁨weeks⁩ ago
  There are so many ways to bypass what you describe, in addition to it not working for games with kernel anti-cheat etc.
  
  The real issue is all desktop OSes deciding everything should be allowed to access everything. Why is a game able to access your crypto wallet by default, without any permission required? This has been solved on phones for years.
  
  source
  - pulsewidth@lemmy.world ⁨2⁩ ⁨weeks⁩ ago
    And there are so many ways to detect the bypasses. It’s an arms race, and the most profitable games store of all time should really have a cutting edge system to deal with it is all I said.
    
    Windows should have better security too, but the two thoughts can be held in the mind at the same time.
    
    source
    DreamlandLividity@lemmy.world ⁨2⁩ ⁨weeks⁩ ago
    Well, I just disagree with you. They are a distribution company, not a security company. I don’t see this as their job and I am not willing to pay more for games to have some far from perfect behavior scanning.
    
    source
    -> View More Comments
- Wispy2891@lemmy.world ⁨2⁩ ⁨weeks⁩ ago
  It’s trivial to detect running in a vm and behave differently
  
  It’s more like “why the industry standard to allow games installers to run as admin is widely accepted?”
  
  Or “why a crypto wallet needs to have unencrypted files in the user home, ready for exfiltration?”
  
  source
  - pulsewidth@lemmy.world ⁨2⁩ ⁨weeks⁩ ago
    Its also trivial for apps detecting any trivial attempts at scanning if they’re running in a VM to be detected, and masked.
    
    Those are also valid concerns, but in an environment where admin rights are granted to games installers the vendor of the games (Steam) needs to adopt a highly curated and protective stance. To this date they provide zero details of their protection - their entire FAQ on malware on their store boils down to ‘if you find malware, please flag it on the store page for us to investigate’.
    
    If anyone is gonna claim the steam store is highly curated… I’d point out to them that a very large amount of their store is shovelware asset flips with very few purchases and installs. There are over 150,000 games on Steam, and tens of thousands of them would fall into that category.
    
    source
- ryathal@sh.itjust.works ⁨2⁩ ⁨weeks⁩ ago
  Steam does scan for malware, which is why this is news. It’s notable that a game got through that was malware. You haven’t heard about other stores because it’s not worth the effort in targeting them. I wouldn’t be surprised to learn that most stores use the same vendor for malware scanning.
  
  source
  - pulsewidth@lemmy.world ⁨2⁩ ⁨weeks⁩ ago
    I didn’t say they dont scan for malware, I said it “should be to a very high standard”, fully understanding they already do.
    
    source
    ryathal@sh.itjust.works ⁨2⁩ ⁨weeks⁩ ago
    It is to a very high standard. There’s been 14k games released this year alone which would be a .01% miss rate for malware games. If you compare against all games to account for updates that add malware after submission it’s basically 0 at .000001%
    
    source
    -> View More Comments
- Nibodhika@lemmy.world ⁨2⁩ ⁨weeks⁩ ago
  And it is very easy to detect you’re in a virtual environment and not do those things, or have a date to trigger the changes or something. The game had been out for a while when this happened without any issues. I just dug a little bit and it was opening a back door apparently, so as long as the attacker did nothing at that time it would have been impossible to detect. You had to know that it was malicious to look for it, then it was quite obvious, but with Valve needing to vet millions of games it’s not feasible to do a full scan of every update of every game.
  
  source
  - pulsewidth@lemmy.world ⁨2⁩ ⁨weeks⁩ ago
    Its “not feasible to do a full scan of every update of every game”?
    
    My friend the scans are automated. Is Steam strapped for cash this month?
    
    Honestly the apologia here for Steam is pretty rank.
    
    source
    Nibodhika@lemmy.world ⁨2⁩ ⁨weeks⁩ ago
    No automated scan would have captured this, only a paid professional dedicating some time would (and only because this was an obvious attempt, a more subtle one would go unnoticed even by an expert) and that is not feasible.
    
    source
    -> View More Comments