Originally posted by Calv:

Originally posted by Salt Engineer:

It should be a painfully clear answer.

Ask Microsoft how the disclosure > patch > disclosure process works. Patching an issue doesn't always mean there's no longer an issue. It simply means the initial conditions have been altered, and the remediation needs to be tested.

Taking it a step further, the whole point for things like beta tests, play testing, etc is because as a developer, it's easy to overlook issues that may be present without realizing it. When you're too close to the source, sometimes you just filter them out. Third parties don't. Nor do they have HR breathing down their neck, or people within the organization that may play political games when they drop massive issues.

Furthermore, most developers writing code don't have offensive security backgrounds, so they may not even be able to spot serious issues.

So the answer is yes. Testing should occur regularly, particularly involving neutral third parties.

It's the whole reason Epic is paying out so well. To entice security people to discover and report rather than to use it against their product(s).

I appreciate the detailed answer, and agree that this is best practice.

To provide some context.

The question and original post that prompted me to ask the question, was that INCA replied to a query about the CVE and confirmed that they had fixed the CVE way back when it was raised, and that regardless, the file referenced in the CVE is no longer in use.

However, it was claimed that this isn't good enough. And instead the entire company and software must be audited by a third-party in order to prove that the CVE was fixed.

Which I found to be an extreme requirement and was curious if it was in fact a requirement for all companies when they patch a CVE.

Judging from your response, the answer is no. It is not a requirement.

Best practice is to have regular reviews, pen testing, bug bounties etc but all of that is aside from fixing a specific CVE.

It'd be nice if Arrowhead acknowledged any of this. Yet, they haven't, as made evident by their claims of it "not being a priority", and continued silence.

Odd how ignoring the concerns of consumers results in backlash...

Originally posted by Terotrous:

What you listed as the "conclusion" is not what the article says at all, it actually echoes many of the common complaints that people have, it's just very long so many people won't read it all.

One of the best parts is when they talk about the need for open communication, which obviously there hasn't been due to the complete silence on the anticheat front, and also that NProtect isn't a particularly good anticheat that really has little business being in a PVE game.

Yep, I have no idea why their technical director declined to comment... The continued silence on the topic of Gameguard is something I can't understand either.

Arrowhead themselves not long ago confirmed that they received a lot of complaints about Gameguard. There is a mountain of reports from HD2 players about severe issues Gameguard is causing, so the continued silence from the devs on the matter is not a good look, to put it mildly.

I really hope that Arrowhead finally addresses this topic and proceed to remove or replace Gameguard. Fingers crossed this happens as soon as possible.

Originally posted by Calv:

Originally posted by AUTI5T1X:

It'd be nice if Arrowhead acknowledged any of this. Yet, they haven't, as made evident by their claims of it "not being a priority", and continued silence.

Odd how ignoring the concerns of consumers results in backlash...

Why would Arrowhead acknowledge a CVE, that was raised 20 years ago, about a file that I can't find any evidence of having been used by gameguard this decade (largely because it was designed for older Windows OSes, and honestly, if you're running one of those OSes, you really don't have any grounds to be complaining about security).

It's related to software they themselves have paid to license in their product, which, last I checked, doesn't function in the same vain as it did 20 years ago.

On your note of not being able to find any evidence pertaining to a CVE. You not being able to find any evidence regarding GameGuard having any CVE's doesn't implicate that said evidence, doesn't exist. Let's not conflate our lack of findings, as being the same as those of others, to intentionally deflect any that are brought forth.

Additionally, and on your note of complaints related to operating systems. Who exactly are you to be obfuscating criticism for things in which it's not? Were I in your shoes, I wouldn't be so quick to gatekeep what does, and doesn't qualify as being "criticism", purely based on you not liking it.

Yet more lies and misinformation. It's nutty how many people believe Gameguard is harmless...

Originally posted by Calv:

Which I found to be an extreme requirement and was curious if it was in fact a requirement for all companies when they patch a CVE.

Originally posted by Calv:

Really?

So, every single company needs third party auditing whenever they patch a CVE?

Originally posted by Salt Engineer:

Anyone who has ever asked a child if they've done something wrong could tell you how that goes.

...

It is also a violation of the principle of least privilege. You want applications and users to run with the absolute least amount of privileges you can give them because if/when they are compromised the impact is minimized.

https://www.pushtotalk.gg/p/the-gamers-do-not-understand-anti-cheat

“Back then,” says Koskinas, “GameGuard was actually one of the ‘stronger’ anti-cheats, largely due to their willingness to do crazier stuff. A lot of these techniques are actually common sense or useless now, but back then, it was sort of atypical to be that wide of a watchdog. These days, it has held onto a reputation for being invasive, especially because it takes so much of its anti-cheat actions locally and instantly (closing windows, blocking processes, etc.)."

The only reliable cure for cynicism is good, honest, transparent communication, as well as a track record of following through on your promises. I often tell devs that if you don't explain why you're doing what you're doing, somebody will make up an uncharitable explanation and people will believe that instead.

Helldivers 2 Technical Director Peter Lindgren (who politely declined to comment for this piece)

Oh there's no doubt in my mind. Just taking the sample size from steam and Oak's massive list of reported problems - the chances of nPGG not being the cause of problems is minuscule. I have a feeling that if someone compared the reports of complaints from 3rd party apps from other games that have nPGG infections, you'd see similar symptoms.

It may be an April Fools post but it is still in horribly bad taste because this ♥♥♥♥ piece of software does so much damage for so many people.

Originally posted by Onimusha:

It may be an April Fools post but it is still in horribly bad taste because this ♥♥♥♥ piece of software does so much damage for so many people.

just be quiet, you'll wake up the idiot zombies that will eat your nerves away like a swarm of locusts xD

Originally posted by Salt Engineer:

Business requirement, no.

Sorry for the delayed response on this one. Just saw it since I've been skimming topics most of today. Just wanted to add that there are businesses where this is a requirement. Namely, the business I'm working for (Healthcare infosec) which is why I approach this from a stand point of 'You must prove your are trustworthy in detail' and why I scoff when I see blind trust and allegiance from certain users.

Every 1 and 0 must be accounted for in some fashion and then double checked. And then 6-12 months later, tripled checked again. In some cases, a single failure means immediate discontinuation, even if it impacts business (such as a 20 year CVE with no documentation of follow up)

But the CVE is only the tip of the iceberg when reports of issues persist seemingly without interruption. Considering we are in 2024 now, INCA has started off with a deficit and has a lot of ground to make up.

Originally posted by YMD:

Originally posted by Oakatusz:

When such an expert is saying these things and is only playing Helldivers II through a second burner PC because he is not willing to install it to his main PC due to Gameguard, anyone can put 2 and 2 together and see how dangerous and risky this software is.

They've already debunked that, it was actually Misinformation being spread by liars with an agenda.
I'm not going to waste anymore time commenting any further, the first link in my post already states the pros and cons weighed in by the real experts from reputable gaming companies with biggest playerbases, and why all these rumors you are trying to spread were never true to begin with.

Don't bother. Oak only reads the portion of articles that talk about possibility of negative things happening. He never reads the percentages or how it must occur. Nor will he acknowledge anything positive someone says.

He's sad and angry that people don't agree with his agenda.

Originally posted by Tharkkun:

Originally posted by YMD:

They've already debunked that, it was actually Misinformation being spread by liars with an agenda.
I'm not going to waste anymore time commenting any further, the first link in my post already states the pros and cons weighed in by the real experts from reputable gaming companies with biggest playerbases, and why all these rumors you are trying to spread were never true to begin with.

Don't bother. Oak only reads the portion of articles that talk about possibility of negative things happening. He never reads the percentages or how it must occur. Nor will he acknowledge anything positive someone says.

He's sad and angry that people don't agree with his agenda.

And yet, Oak is the one with the thread with unfathomable amounts of evidence pointing toward GameGuard being terrible software.

But nah, clearly the dude's pushing an "agenda", according to you...

Originally posted by YMD:

https://www.pushtotalk.gg/p/the-gamers-do-not-understand-anti-cheat

From real experts who've led anti-cheat for Riot Games, Roblox, and Fortnite.

EDIT: Given the amount of Misinformation being spread by shady people with either ill intentions or lack of understanding of how Anticheats work.

Conclusion: Anticheats are Perfectly Harmless and there are good reasons why they have to operate the way they do. And no they do not steal your porn data.

These people know what they're talking about and are very happy to compromise YOUR SECURITY if it makes their job easier. If it was their own system they had to blue team for, they'd hands down say, "Absolutely not." Ask anyone who works blue team security- the most base board security standard for hardening any network is scrubbing unnecessary software. Blizzard Entertainment also thought it'd be perfectly acceptable to dox their entire community until one of their senior CM's doxxed themselves to prove it was 'fine' and quickly turned opinion when people started sending him personalized pizzas to an address they wouldn't have otherwise known.


Does a PVE game need an anti-cheat that has kernel level access to your system? No. No it does not. Especially when it doesn't. work. In any other setting there would be zero justification for this kind of software to have this level of access. In a professional setting it wouldn't even be up for debate- I can't harden a network if completely frivolous software, which doesn't work, and has top level system access is allowed to exist on it. I paid for Helldivers, not a kernel level anti-cheat that doesn't even work. Invoking, "but other software" is just distilled cope. I don't care about other software, I'd have to evaluate that software on it's own merits. We're talking about HD2 here.


And your article is some of the sleaziest companies in the industry saying, "What, you don't trust us?"


No Riot, I don't.