tal@lemmy.today 6 days ago
The larger issue is that anyone who controls a Steam developer account has the right to install unsandboxed software on any user’s computer who owns a game from that developer.
And you have to remember that the party in control of the account doesn’t even need to be the people who originally developed the thing. Publishers go under and get purchased all the time. It’d also be possible to compromise the build systems of a publisher.
This one apparently was caught by users after acting in a particularly incautious fashion. But it’d be pretty easy to have code that doesn’t do that. An example would be putting, say, an intentional buffer overflow in a game that phones home. That’s pretty hard to catch, and deniable if it is. Then the game reports enough information to indicate whether a user is a desirable target.
There hasn’t been a “big disaster” yet, or at least not one we know about, but I don’t think that there’s going to be a real fix other than having Steam switch to having games run in some form of isolated sandbox.
theterrasque@infosec.pub 1 day ago
I wonder how hard it would be to sandbox most games. We have things like en.m.wikipedia.org/wiki/Sandboxie and most games would have a fairly simple access list.