‘Counter Strike’ Bug Allows Hackers to Take over a PC with a Steam Invite (vice.com)
269 points by jbegley on April 13, 2021 | 151 comments



I have several thousand hours logged in CS:GO since it was released in 2012, and Valve's lack of concern with this particular exploit seems to mimic their inattentiveness to so many other aspects of the game. With the massive following that the Counter Strike franchise has and the boatloads of cash they continually bring in from digital cases/keys/skins, they most certainly have the resources to put out these types of fires immediately. Instead, they have taken a bare minimum approach to community outreach and maintaining a game that touts a 26 million player count each month [0]. The cheating situation is the most prominent example of how little focus the game earns from its developers. Compared to how other popular FPS titles (Valorant) handle anti-cheat, CS:GO is years behind. It's not uncommon to face at least one or two players a day who are using some form of cheat (some more obvious than others). Reporting the player does nothing, and when you visit their player profile on Steam and see accusatory comments about cheating going back months or years, you can be confident that your report will have little-to-no impact -- chalk it up as a loss and hope for more honest opponents next time. I've even seen exploits in the wild that can be used to prevent anyone else in the server from reporting a cheater in the game's UI; spinbots that can kill an entire team with perfect aim accuracy within a couple seconds; bunny hop scripts that allow for movement rates that far exceed what is normal when running -- basically things that some basic AI/ML should be able to detect with relative ease. Fortunately, other third-party services have built large player bases by offering their own in-house anti-cheat software and matchmaking service, which are far more effective, but I digress. It's unfortunate to see something with such great potential get so little TLC from a company that is more than capable.

[0] https://blog.counter-strike.net/


I think Valve's ineptitude in regards to CS:GO becomes easier to explain when considering their history with Counter Strike.

The game that became 1.6 wasn't even their game. It was a mod for the original Half Life and they hired the modders after it got popular.

Then CS:Source came around the same time HL2 did. That is to say it exists only because HL2 did, and Source is just HL2 with guns (lol). It was very divisive in the pro scene and the majority of professional players rejected it.

GO's history is even worse. It wasn't even meant to exist at first; Hidden Path were porting CS:Source to consoles and Valve decided that it could live as its own game. They release it in 2012 and, by all accounts, it sucks. Nobody plays it. Things begin to change when they create a virtual economy (skins) and admittedly do actually improve the game a fair bit. It's only when the game sees those improvements (2013-14?) that the pro scene finally moves from 1.6 to GO.

So the situation in 2021: The most popular game on Steam is a game which, according to Valve themselves, shares 75-85% of its code with a game released almost 20 years ago (Half Life 2), and which everybody knows is a complete and utter mess under the hood (thanks in part to the source code getting leaked, also thanks to ex-devs sharing their stories of their time working on CS:GO). This along with Valve being notorious for just not having the internal incentive structures to get bugs fixed (hence GO's spaghetti code)... it's easier to understand (but not excuse!) Valve's attitude toward serious security flaws like these.

I am similar to you in that I have about 1000 hours in CS:GO, and I've spent many 1000s of hours watching the pro scene. I love Counter Strike, but with Valve the way it is, I don't see how these fundamental flaws will ever get fixed. Look at how they're allowing Valorant to decimate the North American CS scene, just like they allowed Overwatch to take from TF2's player base back in 2016.


> just like they allowed Overwatch to take from TF2's player base back in 2016

Overwatch isn't really taking TF2's crowd though. On the surface they're similar, but mechanically they are worlds apart. Overwatch is highly polished; TF2 is downright clunky by comparison. But it allows custom servers and player scripting/mods. Blizzard is far too tight-fisted for that to realistically happen for Overwatch. TF2 also has all kinds of interesting movement mechanics due to the Source engine, that Overwatch just really doesn't have. Overwatch's format of merely 6-person teams means you can't really goof around like you can with TF2's 12 and 16-person teams.

I'm sure a lot of players checked out Overwatch but didn't stop playing TF2 as they're simply very different games. TF2 also did release major updates, albeit infrequently, until the Jungle Inferno update back in ~2017. Now it's just radio silence apart from small seasonal updates.

I'm not as familiar with CS (only played a few dozen cs:go matches), but just from playing both that and valorant I feel like it's going to be a similar situation. Valorant is more polished but it just plays wildly different due to the player abilities.

Valve is neglectful regarding these games (look at how DotA 2 is treated by comparison), but I doubt trying to compete would've helped very much.


There were people from TF2's competitive scene, which is also 6v6, who left to go play Overwatch since there was actual money to be made, as Blizzard was funding prize pools.


Almost the whole competitive scene of TF2 (already dying thanks to Valve) migrated to Overwatch the moment it was available. When the pro players migrated, so did the casuals.

Overwatch can be a different game now, but when it started it had a huge community that resembled TF2 at the start. It wasn’t at all about the mechanics.


> But it allows custom servers and player scripting/mods. Blizzard is far too tight-fisted for that to realistically happen for Overwatch.

Overwatch got the Workshop in 2019, which, while a fairly limited visual programming thingamajig, still allows for some pretty impressive stuff.


There are some incredibly creative mini games and training scenarios. Very impressive stuff.


Anecdotally speaking, I stopped playing TF2 a few months before Overwatch came out, and playing Overwatch has killed any interest I might have in getting back to TF2. I don't think I'm an outlier.

The games aren't that dissimilar.


Is there an alternative to CS 1.6 that runs on Linux and newer macOS versions and doesn't need a quantum computer to run (I mean relatively moderate specs :))? I think CS:GO was made unnecessarily heavy without any substantial improvements over 1.6.

I also liked Project IGI - a simple mission game. I am not into gaming really. Is Sniper Elite like this, by any chance?

These were the only games I liked and I'd like to try something like that again. I like normal/realistic gameplay - no extra/exotic powers or sci-fi cartoonish elements to a game.


pure speculation on my part, but I also suspect the people at valve have simply never liked counterstrike. they didn't come up with the core gameplay (nor did they design the most popular maps), and compared against the rest of the valve portfolio, it really isn't their style to begin with.

I'm sure it's a major pain to maintain and occasionally add features to such an old codebase, but imo the apathy runs deeper than that.


I agree, this is essentially what I was getting at in my original comment. Counter Strike is not Valve's game. They picked it up when it got popular and since then have done less than the minimum. And despite this they generate hundreds of millions each year off of it? Perfect.


Source was the worst thing to ever happen to North American CS.


I'm old and I liked Source when it dropped. I never understood all the hate.


DirecTV created a gaming league called CGS that played CS:Source because it had better graphics than 1.6. It was the first time pro CS players in the US could get contracts (25-35k a year? It wasn't much). This league forced all of the top talent in North America to move to Source. The game was buggy, trash with horrible hitboxes, netcode, audio issues, cluttered maps (with actual trash in them) and unpredictable, overly-complicated physics.

Source hitboxes: https://youtu.be/fdRpYaQA8cU

At the time, many 1.6 players still had single/dual core CPUs and Source would run at 20-80 fps, when gamers were just starting to get 100+ Hz monitors. There was no mass migration of players, due to gameplay and performance issues. The game really wasn't ready for eSports level competition (and never improved to that point).

CGS failed after 2 years, and most of the pros retired afterwards.

During that time, the European 1.6 scene was flourishing. The death of the NA scene was a huge blow to international play. The compLexity roster that was drafted into CGS could have been one of the best NA teams of all time.

Fun fact, the first player drafted in CGS was a female. https://en.m.wikipedia.org/wiki/2007_Championship_Gaming_Ser...


I sucked at CS at the time so couldn't tell a difference. After getting decent at CSGO though I can see how a game with certain changes in gunplay would be a turn off. I enjoyed source casually though and switched over completely.


It split the community. Source had poor weapon balance and the hit boxes were too big.


Are any top players really leaving CSGO for Valorant? Or just washed players and players who could never break into the upper echelon?


Yeah it’s mostly 2nd tier players who can see a salary bump from switching or have been banned from CS for previous rule violations.

I hope Valorant kicks Valve into gear a bit. I have played many hours of both and CS:GO is a much better game (simplicity, balance, opportunity for individual skill) but we will see...

An interesting thing from an esport perspective: Riot tightly controls Valorant matches, whilst Valve will let anyone run and monetise a CS tournament. I think this will make CS a more healthy scene in the long run.


Yes, top players really are leaving CS for Valorant, though this is mainly limited to the NA scene afaik (two examples who were on top teams: Ethan[0] and nitr0[1]).

Other than that, it is mainly those washed players leaving, yes. Which still isn't healthy for the scene, and means the NA CS scene effectively doesn't exist any more (this isn't hyperbole, there are only two good NA teams right now and both were flown out to Europe by their orgs to compete there instead).

[0]: https://www.hltv.org/player/10671/ethan

[1]: https://www.hltv.org/player/7687/nitr0


As with most things in life, those that are at the top have little reason to switch to something new. When everyone else moves on and new talent comes up, that is when you see things change. I wouldn't be surprised though if both games and pro scenes co-exist successfully.


While Valve is indeed quite neglectful, the reason they're "behind" on anticheats is because they don't run extremely invasive ones like EAC (Easy Anti-Cheat) or Vanguard (what Valorant uses). These operate exactly like malware/rootkits that you just have to trust. Blegh. Even if I wanted to run those (I do not), they don't work on Linux anyway.

So I'll stick to cs:go and tf2 community servers, thanks.


Exactly. Valve leads the way on non-invasive anti-cheat. These scummy anti-cheat devs are not people I want with keys to my computer.

Who is worth trusting? The answer is complicated and depends on many things. Anti-cheat developers do not deserve anyone's trust until they are open.

https://youtube.com/watch?v=ObhK8lUfIlc

https://www.theregister.com/2013/11/20/esea_gaming_bitcoin_f...


> Anti cheat developers do not deserve anyone’s trust until they are open.

As in open source? I can't imagine that would go too well—my impression is that anti-cheat is almost entirely security by obscurity (because they have no other option; trying to beat the owner of the computer you're running on is a losing battle).


This is certainly true for client-side anti-cheat, but there's little reason server-side anti-cheat can't work just as well. They've been incredibly successful in chess and (from what I've heard) virtual cycling. These are generally based on statistics and while they can't catch the very subtle cheaters those generally aren't a problem outside of actual tournaments.


Ah, very good point.


While I would never want to use malware of an anti-cheat, you're not quite right about Linux. EAC works on Linux; however, it does not work through Proton. The developers must release a Linux build themselves if you want to use it. The effect is the same because they frequently don't bother to do so, of course.


Didn't EAC drop native support for Linux when they were acquired by Epic Games?


I understand it’s a security conscious person’s opinion to prefer non-invasive anticheat systems, but I personally would prefer to have a choice. Run two versions, one with invasive anticheat and guarantee for no cheats, one less invasive but more cheat prone.

The real cost of hours spent with cheats on cs:go for me is too high.


The funny thing is that you cannot "guarantee for no cheats". It's just software that runs on the player's computer and there are cheats for both Valorant and League. So your choice is more between the two versions a) less invasive but cheats and b) installing a kernel driver and maybe a rootkit but cheats.


As someone who also has thousands of hours in counter strike, you are either playing up the number of cheaters in the game (many do this, because they don't like to admit when someone is simply better), or have been extremely unlucky. I'm assuming here that you are talking about prime matchmaking, I don't have much experience with non-prime.

Valorant anti-cheat is a throwback to early 2000s malware, not really years ahead.


TF2 is exactly the same. It's a great game, tons of people still buying items from the store, just slowly being choked out by developer neglect.

I guess they're just printing so much money from the steam store that it's hard for anyone to care any more. I'm curious if we will ever see a great game out of valve again.


Did you try Half-Life: Alyx? It was incredible, imho. I can't stop going back to it.


I enjoyed Alyx but ... I wish there were more AAA VR games that were not horror (scary) games. I almost didn't make it past chapter 3 of Alyx where you're in the dark with zombies and a flashlight. And, I think I played most of the game from that point on with the sound turned way way down. It's just too intense for me.

I don't know what to suggest. Even Boneworks, which is not "horror", is too scary for me. I walk through it with my tension level at 11. I made it to chapter 7 before I decided it wasn't worth it to continue.


I agree with you. I also found it to be at the limit of my scary tolerance.

...but I also sort of liked that. :)


I don't find there to be much replay value. I played it once, speedran it a few times, and then played it with the developer commentary. I am looking forward to their next VR game and hopefully they don't shove smooth locomotion in at the last second like they did with Alyx.


First sentence:

> I don't find there to be much replay value.

Second sentence:

> I played it once, speedran it a few times, and then played it with the developer commentary.

If that isn't replay value, what is? How often do you replay Single Player games _with_ replay value then?


I absolutely loved Half-Life: Alyx and always recommend it when talking about VR games. Still, I see what they mean about replay value.

I've played Alyx once and fully intend to play it again with developer commentary. Valve's commentary mode is always a treat. But beyond that I don't see myself coming back to it often. Just like with Portal.

On the other hand, I have played through Half-Life 2 quite a few times. Of course, there are also open world games like Breath of the Wild or Skyrim where I have many hundred hours of time spent.


lol this is true, I guess they meant they didn't replay it as much as they'd like to, or those replays weren't as fun, but to me it seems that playing a single player game multiple times over, doing different things each time, seems like pretty darn good replay value.


I’ve put hundreds of hours individually into most of the Fallout games. There are so many side quests and crazy things that can happen, character options, things to explore, ways to accomplish goals that I can keep going back.

I played Final Fantasy VII Remake twice, because they made the game so you can’t get everything by going through just once and I also wanted to get the PS trophies. So I replayed it, though I found it tedious and annoying at times. I don’t remember how many hours I spent but certainly under one hundred.

I’ve replayed all these games, but I wouldn’t say the latter has replay value.


I have thousands of hours in TF2, but less than 50 in Alyx. A game with good replay value has me coming back to play it day after day. A single player game like Alyx is going to have worse replay value, but that doesn't mean I think the game is bad.


I think smooth locomotion is an unfortunate reality of current VR hardware: if most of your userbase gets uncomfortable from non-smooth locomotion, it makes sense to design for the smooth locomotion as a first-class experience.


BTW, you have it backwards: smooth locomotion is where you move around with a joystick.

Most of the user base doesn't get sick from smooth locomotion though. Maybe teleport was better back when the project started in 2016, but in Q1 2020, especially after Boneworks, which came out in Q4 2019, people would see Alyx as dated. Smooth locomotion wasn't even in the game in a Q4 2019 build of the game. Continuous turning didn't even make it in until after the game was released.


HL:A was one of the first games I played on VR, and teleport was a necessity.

Now I can handle smooth locomotion, but at the time it'd make my stomach lurch.


I looked into what was going on with CS:GO after trying to get back into it a few years ago, and noticing just how horrifically bad the amount of cheating was.

The most damning thing for me wasn't just the subreddits dedicated to just indexing valve's lack of attention, or the way they appear to genuinely make money off of the cheating ecosystem.

The worst was when I learned that VAC (their anti-cheating platform, IIRC) was so bad (at the time) that it appeared to only ban exact binary matches for detected cheats.

So if you wrote a cheat, that eventually, ages later did end up getting banned by VAC, all you would have to do would be to go back to your source, rename a few functions and files, recompile to a new binary, and you'd be good to go again.

As a sidenote, I just attempted to find the article that documented what I said above, and I found GitHub repositories like this instead: https://github.com/danielkrupinski/VAC-Bypass The fact that things like this are front page Google responses to phrases like "VAC Ban" (what I typed in Google), really demonstrates just how abysmal Valve's performance is here.


That VAC Bypass is rather crude... but I guess it works.

When my friends and I wrote some cheats in the past we used to hook VAC so that when it wanted to run we'd unload our hooks/cheats and let it complete scanning as normal, then once VAC was completed we'd re-hook and re-load our library/hooks.

This also allowed us to iterate on development by having live-reload of the .dll on disk by unhooking, reloading dll, and rehooking.

This was back in the days of Counter Strike: Source, when it first came out.

The day it was first released on macOS was fun too... Valve forgot to strip debug symbols on their macOS, so we were able to dump all of the debug symbols and get a much better idea on what to hook/look for and what the various structures were used for!


That was a pretty smart approach!

At least in the past, admins on servers had the option to intervene and ban people (although they could be bypassed as well). Nowadays games opt for having entirely managed servers, sadly.


I've played CSGO and run amateur LANs for years. People online talk about how bad cheating is but I've barely run into it. Admittedly most of my time has been right in the middle of ranks, so maybe cheaters are mainly at the lower and higher ends, and I'm on Prime matchmaking.

Usually when someone accuses another player of cheating they are just tilted and reacting to getting out aimed or seeing something suspicious due to how netcode handles lag/ping differential with interpolation, which is adjustable.


Try making a new account, that isn't eligible for Prime matchmaking (because you haven't played the prerequisite number of games or whatever yet), and see if you can even get into Prime before quitting entirely out of frustration with cheaters. Or at least that was my experience. 12-13 games in a row of being headshotted across the map through walls or by spinning guys in the sky was enough to get me to swear off the game.


On the other hand, I cheated once (I was bored with TF2's new gameplay, and a teenager) 11 years ago, and got a lifetime VAC ban, while most die-hard cheaters would probably laugh it off and create a new account (especially now that it is f2p). Lifetime bans hardly seem proportional if you are on the receiving side.

The solution to cheating problems isn't necessarily technical, it's also social, and I think it reflects a bigger issue in our society, also present on social platforms. When anyone can interact with strangers and behave however they want, there's going to be trolls and others, motivated by the feeling that they can't be held accountable for ruining someone else's fun (or, just not realizing they are not having healthy interactions).

Lots of online platforms have developed lots of ways to cope with this, from karma systems to moderators, to social credits, to ID verification. Couldn't games take a page from that book?


It sucks that developers only crack down on cheating when it hurts a revenue stream. I'm sure if people figured out how to clone hats, Valve would hire an entire independent team to come in and work overtime for a blank check until it's fixed.

Rockstar only cared about cheating in GTA5 because people were duplicating in game money that Rockstar was trying to sell you for real money. They didn't care about cheating in GTA4 because it didn't affect any potential revenue since it only affected people who had already bought the game.


I had a brand new computer that I built at the start of the year. 100% new hardware. Brand new install of Windows. Installed Steam, installed CS:GO. And I was unable to play because Steam flagged my system for cheating. The fix was to run some random Steam exe found in the Steam install directory. I guess it caused Steam to re-scan my system?

Not the same level of frustration as a permaban. But I was pretty annoyed that I had to jump through hoops on a brand-new system. Really weird.


Steam is terrible software. It's been losing track of my games lately, so every time I want to play something I have to wait around for 5 minutes or so for steam to rediscover the local game files it had already installed. Download management is terrible too, frequently coming to a crawl or stopping entirely. It's not my ISP throttling me, either, because this only happens with steam and not when I am downloading other massive things from other places.


I've not experienced those issues. In fact Steam is the best at stealing internet bandwidth from everything else.


I've recently broken into GN ranks on CSGO and am watching suspected cheats ... I can only think the first dozen videos are a test of me, because algorithmically spotting the cheating seems like it would be super easy. About half of mine so far only look at the floor, get only AWP headshots. I mean, really?

I guess scammers' money is just as green.

There are loads of farming accounts that just walk in a circle. Why do they put those players in matches with real players? If you're not going to ban them then at least honeypot them.

All seems needlessly lackadaisical.


Yeah, and annoyingly the paid platforms (like, FACEIT) have way fewer obvious cheaters - but also (due to the increased competition) a lot of subtle ones. Part of the problem is also related to the game going free-to-play, instead of taxing cheaters through time & cash, it's just time.


Faceit AC is technologically superior, it's not just the payment on-boarding. The cheats for faceit cost $200+ and are all private. There are free, open source, undetected cheats for CSGO that are VAC undetected for 4+ years. The difference is staggering


Agree on all counts - I'm just saying that if you dislike losing to obvious spinbots, then FACEIT is much better - but it still has many (less obvious) hackers.

[On the topic of cheating, and as a comparison to CS:GO ... ] What's hilarious really is how common and in plain sight the Dota 2 cheats are: there are loads of cheat engines which people can even write their own Lua scripts to manage: and are hosted on Github. They have VK pages, customer support, registered companies, online reviews ... zero legal action taken against any of these companies that I'm aware of - and very limited work done to make the cheating more difficult.


Yeah, valve just doesn't care in the slightest, it doesn't require a kernel AC, but the slightest of changes could get tens of thousands of people banned using a free public cheat....

Faceit is essentially the gold standard, to be honest. Definitely use it if you want a higher level of gameplay without cheaters. Wish there was a Faceit for silvers, though.


An unknown number of overwatch matches are not recent games, but landmarks for behavior. Indeed you are being tested far more than you are training the system.


It's always unfortunate when a presumably valuable asset - CS:GO brought in over $400M in 2018 [1] - does not receive the attention it deserves, let alone requires, for continued successful operation.

We see this with other games as studios spend more time preparing "future IP" and less time preserving their existing ones. One example is Bungie's Destiny franchise. Studios need to continue monitoring - and interacting with - their playerbase to find a middle that satisfies all. Bungie made a decision a few months ago that has been reversed, per community feedback about the massively negative impact said decision would have on the game and its playerbase.

Studios like Valve, Bungie, and others truly need to step up what is essentially customer service, especially as the digital entertainment market only continues to grow and open up even more opportunities for success than before.

[1] https://www.statista.com/statistics/808773/csgo-revenue/


I have a CSGO inventory worth over $40k.

They also do little for scamming and impersonation. People send me and I've even randomly come across profiles that have cloned my own name/picture/profile page in an attempt to scam people by impersonating me (using my inventory page to lure them in, hoping they won't notice the URL).

Virtually every friend I have met through CSGO that has skins has gotten scammed out of at least $100. Any time I give friends a knife to borrow or to have, they immediately get dozens of friend requests from scammers. The first time I gave a friend a knife it was stolen within two weeks by a fairly sophisticated scam.


Wasn't their 'solution' for this to eventually allow private inventories? Feel like at some point the number of scammers adding me dropped rapidly and I think it was for this.


That helps a bit but actually it gives another way for the scammers to trick you. They have private inventories and give some BS reason for having it private. People that actually actively trade and invest never have private inventories because otherwise how would you trade? Also most other people don't set theirs to private either if they have anything nice because they want to show it off.


It’s me! Your cousin! Got any spare butterfly knives?


Several! But not for you ;)


I bought one for $90 a few years ago. It's truly wild how many video games I could buy if I sold it today. I'm not sure if I'll ever buy that many video games again in my life.


Valve fixed the cheating problem for me with the latest operation. In “Broken Fang Premier” mode with high trust-factor, I would get back to back games with friendly players, none of whom appeared to be cheating.

Now they have made that mode free and it’s garbage once again. Oh well, it was great while it lasted...

I tried FACEIT to escape this, but it was even more toxic than match-making. No obvious hackers though.


You are absolutely right. This lackadaisical attitude towards their games was present in CS:S as well. Security, gameplay, performance. All of it takes a back seat to milking the cow.


It's interesting to see because HN tends to constantly shit on Riot because of that anti cheat


I've said it before, I'm saying it again: this is the reason I sandbox steam (I run it in a flatpak).

Remote code execution vulnerabilities galore in games that haven't been patched in decades. UT99 servers can send dlls, so some even did it on purpose back then. It doesn't require much: imagine an RSS feed on a game menu. The parser has an RCE. The domain name expires. It doesn't take much.

For now, some anti cheat systems do not work on Linux. If that's the price to pay for avoiding these invasive tools, then so be it. I don't want a 0day in some random anti cheat system to ruin my day/year/life.


Flatpak is backed by Linux containers, which are not designed to be secure against hacks. Flatpak (like Snap) is a convenience to distribute and install apps, not a security protection.


They actually do have sandboxing which would help. I'm not sure of the full extent though. See:

- https://snapcraft.io/docs/security-sandboxing

- https://docs.flatpak.org/en/latest/sandbox-permissions.html

However, in my (limited) experience, apps that actually do a lot of things have most of the sandbox features disabled anyway (network, disk access, etc.).

Note that AppImage is similar, but contains no sandboxing.

I've taken to running steam and other untrusted software under a separate user account. It's probably not ideal, and it's annoying to switch accounts to use certain software. But at least it may help limit the damage if the software is hacked as everything is contained within the throwaway account.

I'm sure one can do a lot better with selinux/apparmor/firejail, but it would probably take a lot of work to get it set up properly.


While most Flatpaks by default aren't all tuned up, you can easily set overrides for them, see `man flatpak-override`. There also exists `Flatseal`, which is a GUI for doing so.

AppImage can be used with Firejail.

Firejail is trivial to set up; we try to keep out-of-the-box breakage minimal but still strict. Just `sudo apt install firejail && sudo firecfg` plus a logout and back in. Disclosure: I am one of the core Firejail contributors.


Thank you for firejail! I use it to sandbox Zoom, which is one of the few proprietary tools I need to use for work, and it works perfectly.


Telling people "just use flatpak and you are safe" is plain wrong and dangerous.

Containers are _not_ safe, that's why Amazon created firecracker, and Google created gVisor.

Containers are a _convenience_, not a security measure. All security precautions apply to container apps as any other apps.


Flatpaks aren't Docker containers, though. They should be safer. The most glaring hole in most Flatpaks is X11 access.

There have been some flatpak CVEs in the past, but I wonder what your claim of them not being secure is based on, other than general principles: yes, there could be a bug in the sandbox, but besides that?


Valve's development practices are apparently good for a chuckle.

https://www.youtube.com/watch?v=k238XpMMn38

The devs don't seem like they have enough time to deal with the code they have to write, let alone respond to security issues. (not their fault, of course)


This was funny. But, to be fair I've seen comments like these in every game I've looked through the source of.


Valve seems to have like 6 developers that work there, and since nobody seems to fucking manage the company (literally, this is how they operate) I am not surprised at all. How they managed to put together Half-Life: Alyx at all is astonishing.


Not only put it together, but make it really good too! Idk how they work but it doesn’t make sense to me.


Their development philosophy makes sense on the face of it. People, properly empowered, left to work on what they think is best, might produce really great results.

Unfortunately most of the time they don't produce any results at all.

Last time I heard there were fewer than a dozen developers "in charge" of Steam. Everything else was an ancillary project that sprung up and shut down around it.


Valve is a dream job because of that philosophy. It's like the golden age of Bell Labs (which got us things like C and Unix...). "We're printing money. Let's get a bunch of smart people together and see what they come up with."

Valve has made enormous leaps in the quality of gaming on Linux. If they keep that up, I don't care if they never release or update another game ever again. They also designed the Index, which is probably the best VR headset on the market right now, and are engaged in VR research in general. HL Alyx (which I want to play, but don't have the hardware to do so yet) is basically a tech demo...and that's really what Valve has always done. They make tech demos that just happen to be full games that people like. The lack of a Half-Life game for so long speaks more about the lack of anything revolutionary in gaming for multiple decades.


> Valve is a dream job because of that philosophy

I recommend going through @richgel999's tweets (he's an ex-Valver) for an exactly opposite opinion, with a plethora of arguments for it.


That mountain of money they're sitting on probably helps.


A mountain of money does not necessarily (or even likely) make a good game. Yet Alyx was one of the best titles of 2020 and probably the best VR game ever made. Color me impressed by Valve's game development team, regardless of the incompetence of their security practices.


Forcing users to install Steam for Half-Life 2 was the best decision they have ever made.


Worth noting that it requires clicking the invite. Still bad, but something you can easily avoid if you know to be suspicious.


The invite exploit is far from the only one, supposedly:

- RCE through malicious game invite (reported 2 years ago)

https://twitter.com/the_secret_club/status/13808687591292969...

- RCE through loading a malicious map/level (reported 5 months ago)

https://twitter.com/the_secret_club/status/13809661705227509...

- RCE through connecting to a malicious game server (reported "months" ago)

https://twitter.com/the_secret_club/status/13809601207257333...

- RCE through connecting to a malicious game server, again (reported 2 years ago)

https://twitter.com/the_secret_club/status/13812019496479047...

- RCE through connecting to a malicious game server, again, again (reported a year ago)

https://twitter.com/bienpnn/status/1381616325391384577

The creator of SteamDB also says he was paid for an exploit that was never fixed...

https://twitter.com/thexpaw/status/1381621297982103553

...and one of the above RCE finders says Valve has fixed bugs in one game while not fixing it in others

https://twitter.com/bienpnn/status/1381627400467804161


Suspicious of an invite? Back around my college years it was very common to get an unexpected invite to a game. Usually friends decided they wanted to play a game and then want to grab whatever other friends are available to fill out their team. In that case you just spam invites and take the first people who accept it.


If it's not someone you just played with and isn't on your friends list, I feel like most people don't really interact with the message. CS:GO has had so many skin scammers through chats that it's basically expected that you're being hit up by someone trying to get into your account for skins or trade scam you.

This is much worse than those situations, but luckily (and unluckily) I think the CSGO culture is fairly prepared to avoid random invites to parties.


If the attacker gets code execution on just one victim, it should be possible to send invites to all of their friends. So you can't rely on just interacting with people you know well.


Personally I usually text or am texted by the relevant friends, we jump in Discord, and then we hop into a game, pretty much in that order.


It's not going to be suspicious if someone's account is compromised, or gets a virus that sends an invite to all their friends. Official interfaces like 'invite' should never need to be viewed with suspicion.


"Just don't click on the link" is probably the greatest example of wishful thinking in all of computer security.


>something that you can easily avoid

Yes, you can easily avoid every exploit if you create a list of 1000 buttons to not click on in certain cases because they are "suspicious".


I remember there was a DEFCON talk about anti-cheating measures for Counter-Strike, and the speaker just noted casually that Valve scans all processes running on your machine during a match and determines what's a cheating process and what is not via a blacklist. Which begs the question: what can't Valve do via Steam?


Any software running on your machine can do this unless it is sandboxed. In fact many games go even further and install kernel level rootkits to make sure you are not running unapproved software.

See https://www.osnews.com/story/131665/riot-games-maker-of-leag...


Reminds me of Warden used (at least in the heyday) by Blizzard to prevent cheating in WoW. In the automation community they ended up having to use rootkits to hide the process, as previous methods of spoofing the return signal were denied in Blizzard vs. Glider over EULA infringement.


Valve is resting on their laurels, and their 30% commission and lack of any minimum standards for game submission are making gaming worse.


Valve won. They won a long time ago.

They're in a similar situation to Google, where nothing else they do is ever going to make more money than their primary source of income (Steam). Except instead of releasing a bunch of half-assed products which are eventually abandoned like Google does, Valve just does nothing.

Also, unlike Google, Valve is a private company. So they don't have any pressure from anyone to do anything. They just gotta have enough people in the office to keep Steam's servers running.


They are being unwon right now by Epic and Xbox Game Pass for PC.


Lol... just a few years ago (5ish?) Steam had an exploit where you could click "lost password", enter the target's username, and immediately set a new password for that account with no confirmation whatsoever.


I remember that. In the early 2000s you could download any game from Steam's servers, even ones you don't own. Counter-Strike: Source originally had a format string vulnerability in the player name. Setting your name to %s would crash the game. Where do we get a full list? The idea of running games on the same machine you bank on (via insecure websites with 90s security) is ludicrous.
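The player-name format string bug mentioned above, as an added example (not code from the thread or from any Valve game): a checker that flags names containing conversion directives, the vulnerable call shape kept only as a comment, and the fixed call. All function and buffer names are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Count printf-style conversion directives in user-supplied text.
 * "%%" is a literal percent sign and is not counted. Any positive result
 * means the string must never reach printf() as its format argument. */
int count_format_directives(const char *s)
{
    int count = 0;
    for (; *s != '\0'; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {   /* escaped percent: consume both characters */
            s++;
            continue;
        }
        count++;
    }
    return count;
}

/* Vulnerable shape (kept as a comment so it is never compiled or run):
 *
 *     void announce_join_unsafe(const char *name)
 *     {
 *         char msg[128];
 *         snprintf(msg, sizeof msg, "%s joined the server\n", name);
 *         printf(msg);    <- msg is now attacker-controlled format text
 *     }
 *
 * With a name of "%s" the second call treats the name as a directive and
 * reads an argument that was never passed, which is why the comment above
 * reports that such a name crashes the game.
 */

/* Fixed shape: the format is a string literal and the name is always
 * passed as data. Returns what snprintf() returns (the full length). */
int announce_join_safe(char *out, size_t outsz, const char *name)
{
    return snprintf(out, outsz, "%s joined the server", name);
}

/* Defence in depth for a game server: refuse names that would be dangerous
 * if any other code path still mishandles them. Returns 1 if the name is clean. */
int player_name_is_clean(const char *name)
{
    return count_format_directives(name) == 0;
}
```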


Haha. I've seen name formatting issues in tons of games as well. Paired with the fact that this was before 2-factor was available and people had million dollar skin inventories, it probably made their support team's (or lack thereof's) week terrible. I'm pretty sure you can still download any game from Steam's servers, but now they come encrypted unless you actually own them (I could be completely wrong on this).


Google's Project Zero should look into this. It is not the first time that Valve slept on known and reported vulnerabilities.


Games also require root access to the machine for the sake of DRM and ineffective anti-cheating software so it's impossible to contain the damage they do.


CSGO does not require root access for anticheat nor DRM.



This is a much bigger problem than just Counter Strike. I'm pretty confident there are 1000+ games on the steam store that have vulnerabilities where a simple link or network packet while gaming can exploit a user's machine.

Both MS and Steam really need to work on locking down Windows.


MS already did that. UWP apps are sandboxed. They even recently made an OpenGL implementation over DirectX 12 (vendor implementations are incompatible with UWP sandbox).

A few games in Microsoft Store are actually properly sandboxed as the result. For example, We Happy Few.


I received similar radio silence when I recently reported a bug to a major sports league. I had access to all their ticket inventory, including bar codes, PII, and the ability to transfer the tickets to my own account.

As Secret Club alludes to on Twitter, it's a little jarring when you don't even receive a response from an entity that you're reporting to in good faith. It's more than disappointing. I feel for their frustration. I hope someone at Valve picks this up internally.


Counter-Strike is the most played game on Steam at the moment. There are a lot of players who have played countless hours throughout their lives. Even though there is much feedback from their players, they should filter out those that are very important, like hacks and exploits. It's just appalling to think that the most played game on the Source engine is the one that hasn't fixed this issue yet.



Hasn't Valve been in the news a number of times now for ignoring bugs and strong-arming people on HackerOne into not disclosing them?

At this point you should probably assume all of Valve's products are riddled with security bugs that are being sold to the highest bidder and act accordingly.


People love to complain on HN about how companies like Google only incentivize developers to create new revenue streams rather than maintaining them; however, some former employees claim Valve takes that concept and turns it up to 11.


Just publish the exploit. That'll get Valve off their bottoms once public lobbies start to install ransomware with cryptominers.


I think the more likely scenario would be this:

Player with a multi-million dollar skin inventory gets everything stolen and sues Valve on the grounds that they were negligent custodians of their service.


The fact that this is wormable is huge.


Funnily enough the same group found a wormable exploit in Valve's Alien Swarm, a mostly forgotten game with a tiny playerbase, and Valve fixed it in 3 months.

https://secret.club/2020/10/30/alien-swarm-rce.html

Meanwhile CS:GO, their flagship game with over a million daily peak players, has numerous wormable RCEs reported and ignored for as long as 2 years.

Valve works in mysterious ways.


I think the difference with this exploit is that according to the people who found the exploit, it affects all Valve games that use the Source engine, not just CS:GO like the article says. Trying to fix it could end up breaking multiple games if it's done incorrectly.


Does requiring action from the next victim still classify it as wormable? Almost any malware could send messages to friends trying to social engineer them into running malware.


It doesn't meet the strict definition of wormable, but the user action required for it to spread is so benign that it's pretty close.

A CS:GO player getting an invite to play CS:GO from someone on their friends list isn't likely to raise any red flags.


No excuses for Valve or the seriousness of this, but I believe the user needs to “accept” the invite. I did not see that mentioned in the article.

Edit: My mistake, I thought there were accept/deny buttons for invites. In the example video they only have a link: https://youtu.be/rNQn--9xR1Q


The very first sentence in the article is "Hackers could take control of victims' computers just by tricking them into clicking on a Steam invite".


I've been following this for a while and am glad it's getting a lot of coverage, since apparently Valve can't be bothered to take a break from their money printer to fix a remote code execution!


> A security researcher alerted Valve about the bug in June of 2019.

Holy shit, Valve. Really? Nearly two years later and this is still exploitable.

Edit, further on:

> This is not the first time Valve has been slow to respond and fix reported vulnerabilities. In 2018, Motherboard reported that a security researcher found a bug in Steam that allowed hackers to take over victims' computers—a bug that had been present for 10 years. In 2019, Valve banned a security researcher from its bug bounty program, prompting him to publish the exploit publicly.

I'm pretty appalled by this.


The dedicated server situation was (is?) pretty dire back when I hosted a few SRCDS instances. Here's a small taste: https://wiki.alliedmods.net/SRCDS_Hardening#Current_Exploits

Not to mention that the commands themselves obey absolutely zero *NIX conventions at all. Left a bad taste in my mouth ever since.


If you want to see something really appalling, look into the "coaching bug" that was recently exposed. It was known for years by Valve and it wasn't patched. It wasn't until the exploit was made public that dozens of professional CS coaches were banned.


That wasn't a security or privacy issue, and nobody forced those coaches who abused it.


I don't know any context on the situation, but if there was a mechanic that's known and been around for years, bug or not, wouldn't anyone using it have an edge over anyone not using it? Therefore people need to use it to stay competitive?


No because in sports you have rules that you must follow or there are consequences. This bug is considered an exploit and therefore it is against the rules to use.


Yes, but this is esports. Bugs are famously used competitively. The entire Super Smash Bros. Melee tournament circuit uses bugs to wave run; if you don't use the bug you won't be competitive. People practice using this bug and others like skipping animations. Most competitive FPS games had something similar, like being able to reload cancel or bunny hop. Things that are legitimately bugs, that you won't learn until you hear about them.


Read about the bug: https://en.wikipedia.org/wiki/Counter-Strike_coaching_bug_sc...

Yes, bugs are used competitively but communities will often come to consensus on which bugs are allowed and which aren't.

I think for the most part when you see a bug it's easy to tell if it'll be acceptable for competitive use. Bugs that enable more counterplay or raise skill ceilings are usually fine. Bugs that give you an unfair advantage or go against the spirit of the game are usually not.

FWIW I think bugs in the latter bucket should be fixed asap. While you can forbid exploits in a tournament, these kinds of bugs can ruin ladder play.


Like I said - "This bug is considered an exploit and therefore it is against the rules to use."

Exploits aren't allowed. If a bug isn't considered an exploit and isn't explicitly against the rules, it is fine to use it.


I wonder who sets these rules? Like when wave dashing came to the competitive Super Smash Bros. scene, who decided that this would be allowed or banned? It seems to me it would depend how widespread it is. Maybe the tournament runners already knew how to wave dash, so it was in their interest to keep this technique they had already mastered legal, versus if they didn't know how to do it yet they might have banned it, like how they've been so careful to empirically place each character into different tiers for the sake of balance.

I can see how leaning into exploits for competitive play can ruin the noncompetitive community, and later take out the competitive one that feeds off this community. I used to play Chivalry: Medieval Warfare, which was a lot more fun of a game before the competitive community figured out the frame-perfect meta and ruined the game for everyone else who doesn't have hours and hours of free time to throw at practicing the metagame alone, which is most gamers I imagine.


The tournament organizer chooses the rules.


Counter-Strike's culture is not like that.


Bunny hopping is an exploit that distinguishes Counter-Strike from other FPSs, actually. It's a glitch that takes practice to use effectively and was never an intended feature of the game. People use scripts and mods to use this glitch more effectively.


Yeah and if you do it on most servers you will get permanently banned.


In tournament play you are allowed to bunnyhop without scripts. It's harder and less useful in CS:GO but still done. Most servers aren't gonna ban you for bunnyhopping unless you are doing nothing but bunnyhopping around the map the entire game. You won't get a VAC ban.


Bunnyhopping is nerfed. You cannot do it for more than a few seconds without scripting.


You can do it for quite a while with mousewheel = jump (which isn't considered scripting). Doing it effectively / keeping the speed does require practice. Was way easier in 1.6 and Source tho.


Are you also under the impression that most Olympic medalists aren't doping?

Following the rules doesn't get you very far when cheaters don't get punished.


Well in this case the cheaters did get punished. Quite harshly. So I'm not sure what your point is, if you even had one?


That the mere existence of rules is not enough. They must also be enforced.

Basically, I think you're letting Valve off the hook. Sure, the competitors shouldn't cheat, but Valve should also make sure they create an environment in which cheating isn't incentivised. In the world of software, a few years is a long time. Leaving a known bug that gives a massive competitive advantage unfixed for that long borders on negligence, especially when the fix is relatively trivial.


They are enforced and, again, this exploit was an example of that.

Yes, Valve could do a better job at supporting esports. But there will always be in-game exploits as well as out-of-game methods to cheat, so ultimately it is down to the individual participants to cheat or not.

Also these tournaments are run by third parties on third party servers. Valve isn't even involved except for a small role in the once a year majors (that haven't happened for like two years now). So saying this isn't enforced just because Valve didn't fix a bug makes no sense because Valve isn't the company that enforces these things anyways.


> It was known for years by Valve and it wasn't patched.

This is not true. Once the exploit became known, Valve released an update same day.


It seems genuinely unbelievable it was being used for as long as it was without someone finding out.


If it was known it could have just been low priority since it's a weird bug that doesn't even apply to the built in competitive mode.


According to pro players, this isn't true - Pita claimed he contacted Valve's twitter a long period of time before the whole ESIC investigation blew up.


Now think about this... Steam is running on nearly every gamer's PC. That's what I'm more worried about than exploits in individual games.



