[HN Gopher] Counter-Strike Global Offsets: reliable remote code ...
___________________________________________________________________
Counter-Strike Global Offsets: reliable remote code execution
Author : stefan_
Score : 51 points
Date : 2021-05-14 20:13 UTC (2 hours ago)
(HTM) web link (secret.club)
(TXT) w3m dump (secret.club)
| nick0garvey wrote:
| Glad they published the process used to discover the exploit.
| Interesting to follow along on how the weakness was found and the
| relative simplicity of the actual exploit code.
|
| Can't help but feel like this entire class of problem should be
| avoided with modern tooling. Even in a relatively unsafe language
| like C++, a static analyzer could have flagged an unchecked array
| access.
| alkonaut wrote:
| How can people contact big corporations and get no response? Are
| the messages not being read?
|
| Or is there a weird culture of fear where you'd rather silently
| _try_ to fix it without acknowledging that it exists, because
| acknowledging a problem means taking some legal responsibility?
| It wouldn't be the first instance of US law having weird effects
| on human behavior but it does seem a bit far-fetched.
| munk-a wrote:
| I think game development companies are forced to take a very
| different approach from normal companies. Game developers face
| frequent abuse from customers due to passionate feelings
| involved with such an interactive media, programmers will get
| hate mail (generally vaguely directed at least) and female
| artists will get stalked pretty often - it's honestly a pretty
| toxic community.
|
| Look, for example, at what happened to Hello Games after the
| release of No Man's Sky - lots of people felt entitled to send
| death threats and demands to the developers - the UK
| authorities were regularly involved in threat assessment[1]. If
| some LoL players[2] are willing to swat the other team after
| losing a match then they're quite willing to go to extreme lengths
| if their favorite character gets nerfed.
|
| I think this frequently toxic community interaction really
| impacts how game development studios interact with press and
| the public. The folks reporting legitimate bugs might just end
| up being buried in an avalanche of "BUG: My DPS damage is too
| low" that overwhelms an already tetchy CS department.
|
| 1. https://www.theguardian.com/games/2018/jul/20/no-mans-sky-
| ne...
|
| 2. I'd just like to reinforce that most of the people in a
| community can be fine - it's the crazies that start a lot of
| these problems, most folks won't swat you for beating them at
| LoL.
| brutal_chaos_ wrote:
| > Or is there a weird culture of fear where you'd rather
| silently try to fix it without acknowledging that it exists,
| because acknowledging a problem means taking some legal
| responsibility?
|
| That is probably one aspect of it for sure. I think the gaming
| industry itself might have problems with sharing because 0days
| in games could really mean no more purchases, at least for
| a while, and even then you have lost momentum from your
| marketing. Also, for non-zero days, just bugs in general, look
| at No Man's Sky or even more recently Cyberpunk 2077, so much
| social backlash.
| google234123 wrote:
| Valve should be kicked off HackerOne. They seem to be abusing the
| service to trick researchers into submitting vulnerabilities
| without providing any sort of compensation. Does anyone here work
| at HackerOne?
| rozab wrote:
| These researchers could have earned plenty from making cheats
| instead. Would make sense for Valve to pay these types to fix
| their software instead of breaking it.
| njbooher wrote:
| They pay, eventually. They're particularly slow for game client
| exploits. Much quicker for server-side issues.
| throwaway3699 wrote:
| More likely is nobody at Valve cares enough to actually monitor
| or respond. There's plenty here about their bizarre corporate
| structure which really falls flat at critical times.
| codabool wrote:
| I would go with this assumption. Best to assume neglect over
| mal intent.
|
| This behavior was seen before too with the devs behind the
| new Gmod in Source 2 (Alyx engine). They spent months trying
| to get in touch with access and it came down to an employee
| who ended up getting fired for neglecting responsibilities.
| Now everything seems to be working out and open tooling is
| being developed.
___________________________________________________________________
(page generated 2021-05-14 23:00 UTC)