WEBFISHING

Dev is ignoring security issues
Bots that keep scraping for IPs plague the game and the developer has done nothing to stop it. Why can't private islands be offline? Why does it require a connection to the internet? The only "safe" way to play this game is to use a VPN. It's insane to me that this game is permitted to be sold given the complete lack of basic security standards.
Originally posted by Snepderg:
I find it misleading to claim that corrupting your savegame and leaking your IP through Steamworks are anywhere close to an RCE. I have yet to see anyone irrefutably claim that Webfishing stole their credit card details or anything of the sort, and I would be skeptical if more people didn't come forward for that.

Furthermore, depending on what information you share someone could just as easily use social engineering to figure out your IP, with little to no technical skills required. Do you have your home town set on your Steam profile? Can I Google your username and find social media where you have posted about things you did in the city? People with a lot of free time can and will use information you post online, so it's up to you to decide what you're comfortable with, and to understand that you cannot be private on the internet if you're posting publicly.

More to the original point, RCE stands for Remote Code Execution (commonly associated with an ACE or Arbitrary Code Execution). While it is plausible that if you can brick someone's savegame remotely there could be an exploit, I feel like many people are jumping to conclusions here. One does not necessarily guarantee the other.

Frankly I would love to be proven or disproven (preferably the former) on this, but I doubt any security analysts with credentials are willing to spend their time on that for what is most likely a nothingburger.
You're saying a lot of words without really commenting on the reality of the situation. There is a confirmed RCE exploit for Webfishing. Diving into social engineering and other avenues for attackers to take does not exactly address the core issues of this thread. It is not safe to play this game anymore.
Originally posted by Resonance:
Originally posted by Snepderg:
I find it misleading to claim that corrupting your savegame and leaking your IP through Steamworks are anywhere close to an RCE. I have yet to see anyone irrefutably claim that Webfishing stole their credit card details or anything of the sort, and I would be skeptical if more people didn't come forward for that.

Furthermore, depending on what information you share someone could just as easily use social engineering to figure out your IP, with little to no technical skills required. Do you have your home town set on your Steam profile? Can I Google your username and find social media where you have posted about things you did in the city? People with a lot of free time can and will use information you post online, so it's up to you to decide what you're comfortable with, and to understand that you cannot be private on the internet if you're posting publicly.

More to the original point, RCE stands for Remote Code Execution (commonly associated with an ACE or Arbitrary Code Execution). While it is plausible that if you can brick someone's savegame remotely there could be an exploit, I feel like many people are jumping to conclusions here. One does not necessarily guarantee the other.

Frankly I would love to be proven or disproven (preferably the former) on this, but I doubt any security analysts with credentials are willing to spend their time on that for what is most likely a nothingburger.
You're saying a lot of words without really commenting on the reality of the situation. There is a confirmed RCE exploit for Webfishing. Diving into social engineering and other avenues for attackers to take does not exactly address the core issues of this thread. It is not safe to play this game anymore.
Confirmed by who?

What article can I find out about this supposed RCE? :smoke::fishman: I've tried searching, can't find one.
Originally posted by Barnie Blaha:
Confirmed by who?

What article can I find out about this supposed RCE? :smoke::fishman: I've tried searching, can't find one.

I second this.
Originally posted by Resonance:
Originally posted by Snepderg:
I find it misleading to claim that corrupting your savegame and leaking your IP through Steamworks are anywhere close to an RCE. I have yet to see anyone irrefutably claim that Webfishing stole their credit card details or anything of the sort, and I would be skeptical if more people didn't come forward for that.

Furthermore, depending on what information you share someone could just as easily use social engineering to figure out your IP, with little to no technical skills required. Do you have your home town set on your Steam profile? Can I Google your username and find social media where you have posted about things you did in the city? People with a lot of free time can and will use information you post online, so it's up to you to decide what you're comfortable with, and to understand that you cannot be private on the internet if you're posting publicly.

More to the original point, RCE stands for Remote Code Execution (commonly associated with an ACE or Arbitrary Code Execution). While it is plausible that if you can brick someone's savegame remotely there could be an exploit, I feel like many people are jumping to conclusions here. One does not necessarily guarantee the other.

Frankly I would love to be proven or disproven (preferably the former) on this, but I doubt any security analysts with credentials are willing to spend their time on that for what is most likely a nothingburger.
You're saying a lot of words without really commenting on the reality of the situation. There is a confirmed RCE exploit for Webfishing. Diving into social engineering and other avenues for attackers to take does not exactly address the core issues of this thread. It is not safe to play this game anymore.


If a confirmed RCE exists, then grincher et al. would be utilizing it. ♥♥♥♥♥♥♥ around with steamworks and networking packets IS NOT ♥♥♥♥♥♥♥ REMOTE CODE EXECUTION.
Originally posted by mookid:
tbh he needs to work with a company or sell it to a studio who knows how to deal with games this big, one person isn't enough to handle like ~16k people joining daily asking for multiple changes or at least i think he's just working on this by himself
Do NOT encourage an indie dev to sell to a studio. The game will lose all of its soul and get $40 worth of DLC that was originally part of the base game. Don't you EVER tell an indie dev to do that ♥♥♥♥, you hear me?
Originally posted by Resonance:
Originally posted by Snepderg:
I find it misleading to claim that corrupting your savegame and leaking your IP through Steamworks are anywhere close to an RCE. I have yet to see anyone irrefutably claim that Webfishing stole their credit card details or anything of the sort, and I would be skeptical if more people didn't come forward for that.

Furthermore, depending on what information you share someone could just as easily use social engineering to figure out your IP, with little to no technical skills required. Do you have your home town set on your Steam profile? Can I Google your username and find social media where you have posted about things you did in the city? People with a lot of free time can and will use information you post online, so it's up to you to decide what you're comfortable with, and to understand that you cannot be private on the internet if you're posting publicly.

More to the original point, RCE stands for Remote Code Execution (commonly associated with an ACE or Arbitrary Code Execution). While it is plausible that if you can brick someone's savegame remotely there could be an exploit, I feel like many people are jumping to conclusions here. One does not necessarily guarantee the other.

Frankly I would love to be proven or disproven (preferably the former) on this, but I doubt any security analysts with credentials are willing to spend their time on that for what is most likely a nothingburger.
You're saying a lot of words without really commenting on the reality of the situation. There is a confirmed RCE exploit for Webfishing. Diving into social engineering and other avenues for attackers to take does not exactly address the core issues of this thread. It is not safe to play this game anymore.
Care to elaborate? This just seems like fearmongering as I've seen a lot with this game. As a well versed programmer I'm not trusting your word on a supposed RCE exploit with absolutely zero evidence besides "just trust me bro"
Originally posted by Resonance:
Bots that keep scraping for IPs plague the game and the developer has done nothing to stop it. Why can't private islands be offline? Why does it require a connection to the internet? The only "safe" way to play this game is to use a VPN. It's insane to me that this game is permitted to be sold given the complete lack of basic security standards.
Ok how do you program it so it works? Guy's a solo dev and this game feels like a high-school/college project that got way too popular way too quick
Take off your tinfoil hats good god.
I bet most here use windows without encryption. None of you seem to have a clue what you're talking about at all and I suggest maybe informing yourself with some research before spouting nonsense.
Last edited by Interknet; 3 Dec 2024 at 19:14
Originally posted by hoodwinker:
And this is where we see uneducated people being concerned about their IP despite not knowing that it's literally used everywhere and not a secret. It's not a security issue it's the base of P2P which helps the game to avoid centralized issues, supports potential LAN connectivity for an Offline support.

Educate yourself. It should not be an issue.
Or what do u think they are gonna do, hack a bunch of furries? There are higher value targets... literally anything.

You're an idiot. You're probably one of the problems. Yeah, your IP is publicly available and can be found, but offering it up on a silver platter to script kiddies with mal intentions is not okay. Educate yourself moron.
You kinda have to offer your IP up to connect to multiplayer services. I thought that would be obvious. Especially in P2P, brokered or otherwise. If they know where to look, they will find it.
Last edited by Snepderg; 6 Dec 2024 at 10:39
Enough with the fearmongering. Stop giving script ♥♥♥♥♥♥♥♥ the attention they're begging for.
Kaynex, 6 Dec 2024 at 15:33
IP is public information. This is information all clients require to establish a connection. You can read IPs of other players in EVERY ONLINE GAME. Players getting your IP is not a security issue, but intended behavior.

The things you can do with someone's IP are pretty limited. However, one thing that may be scary is your IP can be used to get your nearest city.

Using a VPN can hide your IP, but keep in mind you are still sending your IP to the VPN service. I don't personally think these services are above spreading your info.
Last edited by Kaynex; 6 Dec 2024 at 15:38
Originally posted by r1x:
lot of you don't know what you talking about. we really just mining this game for data, there's no RCE

Exactly.
Originally posted by r1x:
lot of you don't know what you talking about. we really just mining this game for data, there's no RCE
Damn, even the script chuds themselves are tired of the fear-mongering?
Originally posted by Kaynex:
IP is public information. This is information all clients require to establish a connection. You can read IPs of other players in EVERY ONLINE GAME. Players getting your IP is not a security issue, but intended behavior.

The things you can do with someone's IP are pretty limited. However, one thing that may be scary is your IP can be used to get your nearest city.

Using a VPN can hide your IP, but keep in mind you are still sending your IP to the VPN service. I don't personally think these services are above spreading your info.
in a p2p game yes, which this happens to be, but most games that have a central server try to do their best to obscure them from others. GTAV has a similar problem here due to this and the anti-cheat stuff never fixed *that* problem

Date posted: 28 Nov 2024 at 19:45
Posts: 63