VAC cannot be open sourced by its nature. It's heavily obfuscated, even in object code form.
It means they can't let anyone know how it works, so that people who make cheating software can more easily figure out ways around it.
They also can't chance someone sneaking something into the source code like what nearly happened with a whole lot of Linux distros recently... it was literally just one single update from beta away from having backdoor code inserted into many Linux distros out there...
https://arstechnica.com/security/2024/03/backdoor-found-in-widely-used-linux-utility-breaks-encrypted-ssh-connections/
It was only found because someone was running some very obscure test and noticed something slightly out of the ordinary. If it had not been for that one single person, running an odd test, no one would have noticed the backdoor code till it was too late.
Now imagine that happening with Steam... with over 1 billion accounts, over 140 million active users per month, all having a backdoor slipped onto their computer because someone didn't notice it.
I once heard that the server has to be authoritative and client must be seen as cheating and stop that from happening on server not client, because server is authoritative and says what client can do
"They also can't chance someone sneaking something into the source code like what nearly happened with a whole lot of Linux distros recently... it was literally just one single update from beta away from having backdoor code inserted into many Linux distros out there..."
bro what? open-source is there literally to prevent that!
do you have any idea how many backdoors windows and other proprietary games have?
exactly you don't because it's proprietary, you see 1 open-source game compromised and you think open-source is bad, it's not
"Now imagine that happening with Steam... with over 1 billion accounts, over 140 million active users per month, all having a backdoor slipped onto their computer because someone didn't notice it."
I can't, because those that approve commits should read and inspect what's being committed, I am not a developer, but I did use Git and collaborated on something
you're just saying that being dumb is impossible to do, but it's not bro, open-source is literally to help in preventing stupid mistakes like that and backdoors, but of course idiots are here and there
so no I can't imagine it, only you can with your silly imagination
and there's 100% a backdoor in your computer if you're running Steam because it's proprietary you're so funny bro
xz-utils is not a video game. Steam actually does use LZMA compression for some things.
The reason this is specifically an open source problem is that a lot of open source projects are written by volunteers, and when Lasse Collin looked for someone to help maintain xz-utils, someone on a mailing list recommended Jia Tan. It's possible (and likely) that Jia Tan is not a real person who ever existed. There have been some fascinating attempts to figure out who Jia Tan might actually be.
https://arstechnica.com/security/2024/04/what-we-know-about-the-xz-utils-backdoor-that-almost-infected-the-world/
https://www.wired.com/story/jia-tan-xz-backdoor/
Good catch - I've updated my post.
That's not how cheats work. If they did then cheating in games would have been long dead.
Cheat is run on the client's end, as in the gamer's end. It usually accesses memory (RAM) and changes values or looks for certain things.
The cheat detection by most anti-cheat software is done on the client's end and must be detected on the client's end.
There are many different kinds of anti-cheats but even the most invasive ones that dig deep into a computer and even run when the game is not running don't stop cheats all the time.
It's again an unending game of whack-a-mole. Cheat maker makes a cheat. Eventually the anti-cheat maker gets their hands on it, figures out how it works and how to detect it and updates their cheat, this can take days or weeks or longer to figure out in some cases.
Cheaters are banned, cheat maker alters their cheat enough that the anti-cheat no longer picks it up (this can take as little time as minutes or even hours) and cheaters are back cheating at a game.... and it just keeps going on like that till one of them gets tired and stops.
First of all, it wasn't a game that was compromised, it was for a program that is in Linux distros that are run by millions of people, some of them running on servers for companies.
There are so few of these happening now for games because Linux takes up just a tiny fraction of gaming. But open source is not just limited to Linux, it's also Windows too. So making it open source opens up literally a billion different accounts on Steam. 140+ million active accounts every single month, 30+ million active accounts a day.
That is a HUGE target for someone to slip a backdoor into.
If you can't imagine it from happening, then you can't imagine a way to stop it. People didn't think getting a backdoor into linux was possible... yet it happened and it was literally days away from being put into an update that would have been uploaded to thousands, maybe even 10s of thousands of computers or more.
It was only found because 1 single person thought it would be fun to run some obscure testing on their machine that was running a beta and happened to notice some "slightly" odd numbers for something and decided to look into it.
Do I know there is no backdoor in Steam? No. But I put trust in the Valve employees to not put something like that into their software because if it was ever found, it would more than likely be the end of Steam/Valve.
Do I trust that 1 single person that is unknown to many other people could slip stuff into an open source version of Steam over weeks/months or even years of updates that could open a backdoor onto people's computers.... I didn't think it was possible with open source stuff.... but now I do know it's possible. So it makes me second guess open source software and how safe it is.
Again the back door that would have been automatically updated in many linux distros and would have been automatically updated in many linux based servers was only 1 update which was just days away and was only detected because one person wanted to run one single unrelated test for something very obscure and noticed something strange that most people would have just ignored or not even noticed and then took their own time and tracked down what the issue was that was causing the slightly higher cpu power usage.
Oh and it turns out that they might have messed up and tried to push the date for the backdoor fast because there was some other update that was happening in another part of Linux that would have blocked that backdoor without even knowing about it. So they think whoever did it was in a rush trying to get it in once they knew about that other update. They had been doing a long con and had been working on it for close to 2 years I think it was.
The person who did push to get it updated, and put the code in seems to have vanished. Some think it was a state sponsored act (as in an attack by some country's government).
"There are a lot of parts of Steam that are open source. CEF, Proton, GameNetworkingSockets, etc. The rest of Steam isn't open source, and there are good reasons for that."
I'd like to hear them then
and @Ben Lubar what you said doesn't really change anything
@Crashed I don't exactly know what you mean by DRM or how it works, maybe for proprietary games that part can be like a DLC addon but base Steam and stuff be open-source
it says I'm posting too frequently, no idea what the waiting period is now :(
@Gwarsbane
"That's not how cheats work. If they did then cheating in games would have been long dead."
I see no other way, there can only be 2 choices for cheaters: manipulate the client game locally somehow or send forged information over the network to server somehow
I know some stuff because I watched some gamedevs :/
"The cheat detection by most anti-cheat software is done on the clients end and must be detected on the clients end."
Exactly why the war on cheats will never be over
"First of all, it wasn't a game that was compromised, it was for a program that is in Linux distros that are run by millions of people, some of them running on servers for companies."
So what's your point?
"There are so few of these happening now for games because Linux takes up just a tiny fraction of gaming."
It'll stay that way until there's enough games for people to consider Linux
"That is a HUGE target for someone to slip a backdoor into."
You obviously don't understand how open-source collaboration works... someone makes a commit and at least 1 trusted person should review it (the one who approves commits), and in the xz case that dude failed, it's not open-source's fault, it's that maintainer's fault, do you think there's more security or something when it comes to collaboration on proprietary software projects? Lol no there's so much less people and just the same they could be malicious too and pretend it was an accident if they get caught
"If you can't imagine it from happening, then you can't imagine a way to stop it."
I can't imagine it because I already know a way of stopping it, do I have to spell out everything for you?
"People didn't think getting a backdoor into linux was possible..."
Why do I have to repeat myself? Of course it's possible, it depends on user error and that's what happened with xz, someone overlooked something, it's not the source availability to blame, it's the user error, are you blind?
"No. But I put trust in the Valve employees to not put something like that into their software because if it was ever found, it would more than likely be the end of Steam/Valve."
And how do you think anyone would find out that?
"I didn't think it was possible with open source stuff.... but now I do know it's possible. So it makes me second guess open source software and how safe it is."
You should second guess your way of thinking because source code was available to everyone, it's people's fault that not enough people checked the commits good enough or at all
Except the backdoor wasn't committed to the repository, and the person who added the backdoor was the maintainer.