>>> Man am I happy I run steam as a separate user. [-22 points]

archive.is/2017.07.24-152419/https://www.reddit.com/r/Steam/comments/6oej0w/patched_remote_code_execution_in_source_games/

archive.is/2017.07.24-152619/https://www.reddit.com/r/netsec/comments/6od02s/remote_code_execution_in_source_games_via_player/dkh72b5/


WHY DONT YOU TRUST GABEN

That's the bare minimum for me.

If the source engine was written in Rust THIS WOULD NOT HAVE HAPPENED

I run Steam inside Firejail. Good luck.

gg c/c++

meme

What the actual fuck

This.

can someone post an archive link that doesn't require me to run javascript

What are those (sand)niggers on? That voting system is absolute cancer. If you don't know anything about the subject, you'll just assume that he was wrong, yet there was not a single post disproving the fact that running software as an unprivileged user (or in a vm) doesn't protect you, but the downvotes/upvotes make it like they proved something. All the replies are some incomprehensible unrelated bullshit, I'm actually in doubt if this isn't some Markov chains conversation.

/thread

well, the original article/disclosure is an ad. this is literally the shittiest writeup i've ever seen, not to mention it was trivial to find this bug
archive.is/2017.07.24-031709/https://oneupsecurity.com/research/remote-code-execution-in-source-games?t=r

Steam:
- Steam store is HTTP-only, still vulnerable to session hijacking
- session hijacking doesn't care about 2FA
- all game downloads/updates/update announcements use HTTP-only
- data used for integrity checking is through HTTP-only, it is for error checking, not for security
- game files from Valve are never signed
- game folders have "777" permissions
- games usually have raw keyboard and screen access
- "game modes" in security programs mean allow everything which is not on the blacklist

We wrote the Valve security team several times. They never cared to even respond, so in March this year we forked some project into a Steam-specific, script-kiddy-friendly, easy MiTM. Of course no harm intended, we only include a feature which gets people VAC-banned from dota2 (it's a free game anyway).
To have the biggest impact we need some high-profile targets easily available, so we'll drop the whole thing on GitHub right before The International starts, hoping it gets more attention.
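As a defender's check for the "777 permissions" point in the list above, here is an added example (not the poster's tool, and not Valve's code) that audits a game library for world-writable files and directories and clears the bit; the library layout and file names are constructed for the demo.

```python
import os
import stat
import tempfile


def find_world_writable(root):
    """Return (path, mode-string) for every regular file or directory under
    root whose mode grants write to 'other' (the 0o002 bit), i.e. anything
    another local user or process could tamper with. Symlinks are skipped."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            if st.st_mode & stat.S_IWOTH:
                hits.append((path, stat.filemode(st.st_mode)))
    return hits


def strip_world_write(root):
    """Clear the other-write bit on every hit; returns the number changed."""
    changed = 0
    for path, _mode in find_world_writable(root):
        st = os.lstat(path)
        os.chmod(path, stat.S_IMODE(st.st_mode) & ~stat.S_IWOTH)
        changed += 1
    return changed


def make_sample_library():
    """Constructed sample: a fake library with one game whose folder and
    launcher are mode 777, as the post describes. Modes are set explicitly
    so the result does not depend on the caller's umask."""
    root = tempfile.mkdtemp(prefix="steamapps_")
    common = os.path.join(root, "common")
    game = os.path.join(common, "SomeGame")
    os.makedirs(game)
    with open(os.path.join(game, "launcher.sh"), "w") as f:
        f.write("#!/bin/sh\necho game\n")
    with open(os.path.join(game, "readme.txt"), "w") as f:
        f.write("fine\n")
    os.chmod(root, 0o700)
    os.chmod(common, 0o755)
    os.chmod(game, 0o777)
    os.chmod(os.path.join(game, "launcher.sh"), 0o777)
    os.chmod(os.path.join(game, "readme.txt"), 0o644)
    return root


if __name__ == "__main__":
    lib = make_sample_library()
    for path, mode in find_world_writable(lib):
        print(mode, path)
    print("fixed:", strip_world_write(lib))
```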

To add on to that.
- Uses fucking webkit/chrome as rendering engine

They could at least use Gecko if not one of its more secure derivatives. Granted we are talking about C code here so YMMV.

Also is there someone here who doesn't run steam in a chroot jail in a VM as a separate user with restricted resources, for the security conscious? steam = botnet because webkit/chrome.

but muh rank tho!111
(I assume dota has rank and such bullshit since every game I've ever seen since CS:S on steam does)

Webkit and Blink are objectively superior to Gecko for embedding. I contribute to a smallish project that uses them. They are, for example, available as Qt libraries with bindings for multiple languages.
But almost nobody uses Gecko that way. I know only one browser that uses Gecko and isn't a Firefox fork, Conkeror. I don't know the details of how it works, but in Debian it depends on Firefox and in Guix it depends on Icecat. It uses a full Firefox installation. Properly extracting Gecko was too hard.
Webkit has enormous issues, and Blink also has a few, but they aren't botnet. The botnet is in Chromium, not in the rendering engine.
Steam is botnet because it tracks you on purpose, not because of the rendering engine it happens to use. I don't run it in any kind of jail, I don't run it at all.

archive.fo/iAjTS Yes it is a botnet at the webkit level.
It's already been done. You're not looking hard enough.
Explain what you mean. What exactly are you embedding? Images, text, flash games, etc? Are you talking about superior performance? Or maybe security? Where is your proof?

>archive.fo/iAjTS Yes it is a botnet at the webkit level.
Not only is that not what people mean by botnet, because it doesn't reveal any information to a central authority, it's something Gecko does too by default. Stop posting about things you don't understand.
Then show me.
I'm embedding a browsing engine. How would I, for example, embed Gecko in a Python program? It's fairly simple for Webkit and Blink using PyQt with qtwebkit and qtwebengine respectively.

fugg how do i sandbox steam WHY IS IT SO FUCKING FLAWED

it has elo rating system similar to chess except it does not work for good reasons.


Didn't multiplayer Source games have an exploit that allowed sprays to expose malicious shit to other people? Source has always been fucky.

Remember when steam was caught spying on your traffic then mumbled something about 'mah vac' and no one cared?

Good times

will people ever grow up?

Thank you user you've made my day.

I run steam on a separate machine I've built just for games and games alone. I believe this is the best thing anyone can do if they don't want to stop playing PC games.
Have one machine for the serious business and one machine just for games where it doesn't matter if the botnet gonna boat.

Exactly.
Also, instead of assembling an entire new PC, you could just dual-boot. Preferably on different drives.

Easy, just download a version of xulrunner that's completely unmaintained and thirty releases behind on security patches :^)

Or you can be not retarded and not use steam, but I guess that's too much to ask for

all the first replies in reddit are bots

and there are a bunch of voting bots that vote down other bots

Yeah, but the botnet hardware is on the newest and fastest hardware.

I need steam to play some multiplayer games that won't let me play online if shit is pirated.

mfw [tor users can't post images]

jej

that doesn't save you from cross-OS rootkits, even on "non-botnetted" hardware. even having only one drive plugged in at a time is still not safe


Local Reddit user is retarded, news at 11.

NO STEAM NO BUY

Try a Steam whale. Just look for anyone with a ridiculously high Steam level. You can find them if you just go to someone's profile and select the highest level on their friends list.

As such
steamcommunity.com/id/strykery
steamcommunity.com/id/palmdesert
steamcommunity.com/id/St4ck

They've likely spent thousands of dollars on random Steam junk and are more likely to kick up a storm.


This, and/or target big names in, say, the e-celeb community for games like DOTA2, CS:GO or TF2

The more damage you cause the more people will take notice

drmcuck

it's not reasonable to expect gaym developers to write secure code. this is why things like Steam and Origin - where your entire list of games (even single player) can be stolen in one swipe - are a mistake