[HN Gopher] Counter-Strike Global Offsets: reliable remote code ...
___________________________________________________________________
Counter-Strike Global Offsets: reliable remote code execution

Author : stefan_
Score  : 51 points
Date   : 2021-05-14 20:13 UTC (2 hours ago)

(HTM) web link (secret.club)
(TXT) w3m dump (secret.club)

| nick0garvey wrote:
| Glad they published the process used to discover the exploit.
| Interesting to follow along on how the weakness was found and the
| relative simplicity of the actual exploit code.
|
| Can't help but feel like this entire class of problem should be
| avoided with modern tooling. Even in a relatively unsafe language
| like C++, a static analyzer could have flagged an unchecked array
| access.

| alkonaut wrote:
| How can people contact big corporations and get no response? Are
| the messages not being read?
|
| Or is there a weird culture of fear where you'd rather silently
| _try_ to fix it without acknowledging that it exists, because
| acknowledging a problem means taking some legal responsibility?
| It wouldn't be the first instance of US law having weird effects
| on human behavior but it does seem a bit far-fetched.

| munk-a wrote:
| I think game development companies are forced to take a very
| different approach from normal companies. Game developers face
| frequent abuse from customers due to passionate feelings
| involved with such an interactive media, programmers will get
| hate mail (generally vaguely directed at least) and female
| artists will get stalked pretty often - it's honestly a pretty
| toxic community.
|
| Look, for example, at what happened to Hello Games after the
| release of No Man's Sky - lots of people felt entitled to send
| death threats and demands to the developers - the UK
| authorities were regularly involved in threat assessment[1]. If
| some LoL players[2] are willing to swat the other team after
| losing a match then they're quite willing to go to extreme lengths
| if their favorite character gets nerfed.
|
| I think this frequently toxic community interaction really
| impacts how game development studios interact with press and
| the public. The folks reporting legitimate bugs might just end
| up being buried in an avalanche of "BUG: My DPS damage is too
| low" that overwhelms an already tetchy CS department.
|
| 1. https://www.theguardian.com/games/2018/jul/20/no-mans-sky-ne...
|
| 2. I'd just like to reinforce that most of the people in a
| community can be fine - it's the crazies that start a lot of
| these problems, most folks won't swat you for beating them at
| LoL.

| brutal_chaos_ wrote:
| > Or is there a weird culture of fear where you'd rather
| silently try to fix it without acknowledging that it exists,
| because acknowledging a problem means taking some legal
| responsibility?
|
| That is probably one aspect of it for sure. I think the gaming
| industry itself might have problems with sharing because 0days
| in games could really mean no more purchases, at least for
| a while, and even then you have lost momentum from your
| marketing. Also, for non-zero days, just bugs in general, look
| at No Man's Sky or even more recently Cyberpunk 2077, so much
| social backlash.

| google234123 wrote:
| Valve should be kicked off HackerOne. They seem to be abusing the
| service to trick researchers into submitting vulnerabilities
| without providing any sort of compensation. Does anyone here work
| at HackerOne?

| rozab wrote:
| These researchers could have earned plenty from making cheats
| instead. Would make sense for Valve to pay these types to fix
| their software instead of breaking it.

| njbooher wrote:
| They pay, eventually. They're particularly slow for game client
| exploits. Much quicker for server-side issues.

| throwaway3699 wrote:
| More likely is nobody at Valve cares enough to actually monitor
| or respond. There's plenty here about their bizarre corporate
| structure which really falls flat at critical times.

| codabool wrote:
| I would go with this assumption. Best to assume neglect over
| mal intent.
|
| This behavior was seen before too with the devs behind the
| new Gmod in Source 2 (Alyx engine). They spent months trying
| to get in touch with access and it came down to an employee
| who ended up getting fired for neglecting responsibilities.
| Now everything seems to be working out and open tooling is
| being developed.
___________________________________________________________________
(page generated 2021-05-14 23:00 UTC)