Team Fortress 2 source code has leaked(techradar.com) |
Team Fortress 2 source code has leaked(techradar.com) |
Bizarre.
Common wisdom. I just happens to not be true. People just aren't auditing random code on github for fun. Auditing code is hard, and time consuming. Most vulnerabilities are found by techniques like fuzzing, not by combing through thousands of lines of code.
Worth keeping in mind this isn’t a silver bullet. OpenSSL with Heartbleed comes to mind.
Unless they specifically hardcoded a back door into the game, I’m dubious a leak would result in an RCE so quickly, if ever.
AFAIK, parts of the source code have already been leaked since 2018 amongst certain circles outside Valve. It's only been in the past few days that this is now common knowledge.
Sadly, OSX Catalina killed the game for Mac users because Apple recognized the extreme demand by casual users to break all their old 32bit applications.
I really hope something like TF2 resurfaces in some form again. I never liked the feel of Fortnite.
Valorant, a beta game from Riot, is then a blend of overwatch + csgo, making it closer to tf2 6s.
And anyone who wants to compile it, needs a licence for those libaries, which in many times is free for noncomercial purposes, or students. Btw. what expensive libaries do exist in that area anyway?
The DRM is super invasive as well, A lot of wine developers have to deal with denuvo repeatedly banning them as well as one user reporting that they were banned from valorant after plugging in their phone to charge it.
Using this code could I edit the character models so that certain characters looked like Sesame Street characters and then publish that game to my personal PC for my kids to have fun with?
The TF2 subreddit announcement: https://www.reddit.com/r/tf2/comments/g64t0b/data_leak_warni...
My advice is to avoid getting tainted. Do not read the code.
Of course, archivists, please do archive it. Even if Valve does never open source this, it should be possible to preserve somewhat adequately, and it should be legal to publish, at some point in the future, in some country or another.
I have often heard it in the context of windows operating system developper which should be careful of not accidently introducing open-source code in the kernel if it might have a license that is not compatible with Microsoft's one.
Most RCE's aren't carte blanche to run arbitrary code on a users computer, but are some way of triggering a particular code path on a remote computer.
It's good to be informed and take steps toward being safe, but we're talking about a leak where any meaningful security flaws have had multiple years to be patched.
Valve could possibly kill the server browser service for TF2 to stop people searching for servers but then people could just connect directly to the community server of their choice either from their favourites or by IP directly.
They could push an update via steam which bricks the game completely but that would piss off a metric fuckton of the userbase when the game is still playable with some precautions in place (playing on password protected servers with people you know)
A shutdown as you are suggesting would only work with a game with published provided multiplayer servers and no community servers.
I know I for one don't want to live in a world with only publisher provided servers, those games regularly have the servers shut down because they are no longer profitable for the publisher/devs leaving any remaing community out in the wind.
https://www.youtube.com/watch?v=ran_yU65Xmg
Honestly, i expected something a bit more involved than copy/pasting and scaling objects. And even then, this old ldjam game (Tale of Scale) does it better IMO:
http://ludumdare.com/compo/ludum-dare-25/?action=preview&uid...
(well, it doesn't do the copy part, just the scale part but still feels better)
Those non-euclidean rooms at the end of the video are sweet though. Honestly the most surprising thing is that we didn't actually see any of these in the portal games given that it's the same exact tech required to make it work as the portals themselves.
Edit: The concept looks boring, not the obviously unfinished tech demo
The original hl2 code leak was a fan from Germany that hacked into Valve's network and stole a version. https://arstechnica.com/gaming/2016/06/what-drove-one-half-l...
There are YouTube channels like VNN that rely on Valve leaks, but most of it seems like running `strings` on their update files. He does claim to have some inside sources, but they mostly seem to provide social commentary on Valve internal politics.
Refer to this r/Games thread for more details: https://reddit.com/r/Games/comments/g61v4x/_/fo6r9ef/?contex...
I’m slightly shocked with the phrasing in that post “It is definitely possible that someone could install a virus on your machine by just being in the same server.”
That.... seems like a pretty shocking security hole, unless they are talking about unknown possibilities, in which case the term “definitely” is a bad choice. If this can be done with the source, it could have been done before, no?
Game code is particularly known to be "spaghetti", "code cowoy"-style, where the result is more important than the form or correctness. I mean, that's art, after all, so that seems obvious.
And do you think a lot of companies update their games after they are out? Most often, the code is definitive, refactors are out of the question, etc. I've never seen a bug that fixes a security issue (CVE), let alone for old titles.
And that's when RCE is not by design. It is in Garry's mod, but that's for client-side mode scripted with lua, so theoretically sandboxed. Unreal Tournament 99 though, has plenty of servers that put some dlls for "anti-cheat" software on your computer before you join. That one probably sn't sandboxed.
While we talk about anti-cheat software, can we think a moment about everything that could go wrong with a piece of software that has a very deep access to the system, is sometimes in-house, and not necessarily audited, and whose functionality often includes:
* downloading challenges from servers, patch them into RAM and see what happens
* scan the RAM of the whole system, plus the filesystem, for known exploits
* upload parts of that RAM and filesystem to random servers for analysis
* take screenshots, log keypresses, monitor the system and upload all of this.
Takeaway: sandbox your games. There's a reason I run Steam in a flatpak, on Wayland... Convenience is part of it, but that's not the main one.
- https://hackerone.com/reports/542180
- https://nvd.nist.gov/vuln/detail/CVE-2020-9005
- https://nvd.nist.gov/vuln/detail/CVE-2020-7952
- https://nvd.nist.gov/vuln/detail/CVE-2020-7951
As for uploads, players used to be able to set custom models in quake 2 which were distributed to other players on the server. Though I am not sure if that was done by server admins in special cases for clan payers or members or if there was an actual upload mechanism in the game engine.
This analysis is on-point, and something a lot of sources seem to miss. A determined actor can find the exact same exploits with and without access to the source code, though I admit it is much more complicated without ("determined").
> No exposure to Microsoft code or reverse-engineering of Microsoft software
The function of the actual program that gets exploited is irrelevant to security risk.
I was referring to the relative importance in context of the parent comment. No need to conflate my words.
https://twitter.com/ValveNewsNetwor/status/12529744828321382...
He also re-tweeted this account of the events https://twitter.com/JaycieErysdren/status/125300494000139878...
tl;dr: A Valve employee in 2016 told Tyler about a few things Valve was working on. Tyler kept the chat log and shared it with friends. Unrelatedly, TF2 and CSGO's code was semi-publicly leaked in 2018, and one of the friends found and held onto that. Tyler and the friends worked on a fan project together named F-Stop, after an unreleased Valve project, but then one of the friends had a falling out with the rest of them and published this stuff together, probably to embarrass him for sharing the chat log and maybe to make him look involved in the TF2/CSGO leak.
A little more confirmation: https://twitter.com/TeamFortress/status/1253186403900420098
Finally, I like all the different modded servers out there and the ability to play casually when I want to just mess around.
I would disagree that these are 1:1 (they share some abilities at best) but would agree that elements of TF2 and their character abilities are indeed nearly 100% spread out across different characters in Overwatch.
E.g. Medic's uber = Ana's nano, engineer's teleporter = sym teleporter, engineer's turret = Torb's turret
That is a safe assumption, otherwise you'd have to believe that non-open source code is more closely audited - at greater expense, because businesses secretly prioritize security.
So, firstly IP rights may not be your only encumbrances, NDA's can be even more restrictive, since leaking information about a library may be covered, for instance.
Additionally, the IP of the game code itself may be encumbered, for instance with publisher agreements, or if your code is derivative, source for instance may still be considered partially derived from id code, which zenimax, or maybe some other party may own, and getting those rights may be difficult, (even if some large percentage may be released in the GPL'd id codebases) And if your core engine is IP encumbered, that may not be something you could "just release without"
So then someone is going to have to actually do the work of separating out all the third-party libraries, which may not be trivial depending on how many, and how well separated they are.
Then at any reasonably risk-averse company, somebody is going to have to do an audit, which could be a lot of work.
And then we might not just have other people's files to remove, while it may not be an copyright violation to reference API calls of a copyright work (I'm honestly not sure) It sure could be an NDA violation depending on the NDA. Not to mention code that may be derived from library samples. So you either have to cut out all of that code, or rework it to just not be in violation.
And lastly, most companies care enough about their reputation to not want to just dump a large pile of broken code in the wild (Maybe it'd be better if they would) but want to make sure it builds and runs. So once you've removed all those other bits, it may be a lot of work to just get everything building, or running again. And not to mention that asides from just IP issues, a lot of the build system may depend on local infrastructure, perhaps connecting to local databases, or cache servers, so you will want to make it work without that, and we also have to ensure no secrets are accidentally being divulged (maybe signing keys, or credentials to servers)
As I understand it, Valve licenses Havok, which they possibly use for any and all collision (or maybe just rigid-body stuff, who knows) and if so, even if you get the game running you may fall through the world, or perhaps not be able to move at all, which is hardly the TF2 we all want open-sourced. And that's just one possible library, maybe they use RAD Granny to do animation, etc.
Or if you want to allow people to buy the licenses to compile it, you still have to do almost all of the above, then setup the infrastructure to download the correct version, and set it up for builds, and that only works if they didn't make any internal modifications, or maybe they can setup a patch file that doesn't violate any copyrights, but that's also work. And that also implies that the company the libraries are licensed from still exists and is still selling, and still offers the old versions the game is built with. And now you have to release the engine under a license that's compatible with the third-party licenses, which given the precedent of using GPL that adds some extra complications.
So, yeah, there is a good chance it's possible but there is a varying amount of work, which is most likely at least a lot.
As for libraries that exist in that area, of the top of my head some examples:
* Havok/PhysX, physics library
* FMod/WWise, audio libraries
* Natural Motion, animation libraries
* Everything that RAD Game Tools offers, including audio/video codecs, compressors, animation libraries.
* Scaleform, animation libraries
* SpeedTree, tree modelling libraries
* Enlighten, lighting (global illumination) libraries
* Platform specific libraries
* NDA encumbered IHV libraries
Keep in mind, some of these are expensive, but some are more dependent on a corporate relationship, which is not the sort of thing that frequently offers a student or noncommercial version.
But I now go to bed, dreaming of a world, where Open-Source is the standard and IP and NDA madness forgotten ..
But if it is centralized, you should not be able to tamper with it, much, even if you have your own local version running?
The game mechanics seem largely the same with respect to a lot of the characters, but then they added in one-directional shields and turned it into team strategy game with much less room for individual skill -- again with no real ability to just run your own server and mandate a different playstyle.
There's plenty of room for individual skill, which goes beyond hitting Q. One-directional shields only reveal that teamplay is necessary, by themselves they don't add the necessity of teamplay. A poorly coordinated team doesn't do a good job. Even if both teams didn't use shield tank heroes, you'd still need just as much coordination.
There is an obvious reason why F-STOP wasn't finished though: Valve never finishes anything. Episode 2 came out 13 years ago.
edit: and for completeness, nowadays I feel compelled to point out that the latest half life game came out just a month ago
If flatpak works perfectly, I suppose an attacker could still steal the "cookie" that automatically logs you into Steam.
Ideally you want Steam to be sandboxed, and then Steam to in turn run all the games in individual sandboxes.
Steam itself has an interesting "Linux runtime" option for games, but it is unclear if that isolates things more than the status quo.
I don't know what I could do, short of replacing every executable in the steam directory with something that uses a mount namespace or a similar restrictive mechanism before launching the actual executable. Inject a modified libc to perform this on steam's exec call? I think the ball is in Valve's camp to improve this.
D:
People put up with that?
(when a client connects to a battle.net server, one of the early handshake steps is to download a fixed named MPQ file, which is a Blizzard proprietary archive protocol which contains a DLL that is loaded and a certain fixed named function runs from it, which will checksum your client binary and send the result to the server to compare and allow you to progress further)
And it's not even about trusting that Riot are not bad actors, tencent conspiracy nonsense aside, it's about leaving that trash running with that level of access in a way that some malicious process could use to elevate its permissions. That is the (ab)use case that worries me.
I still do it for fun, but not methodically, and not regularly. It's a great way to look at code, to learn, and sometimes it pays off.
e.g. Reporting a bunch of trivial predictable filename issues in GNU Emacs, including something referring to the (ancient) Mosiac support:
https://bugs.debian.org/747100
Fuzzing is definitely useful, and I've reported issues in awk, etc, but fuzzing tends to be used when you have a specific target in mind. I'd rarely make the effort to recompile a completely random/unknown binary with instrumentation for that.
In the closed source world, very few companies will pay for their source code to be audited, because it's expensive and time-consuming, and most only do it if they're required to.
And even when they do, in my experience, they usually end up buying an expensive automated report that provides little or no real insight.
That's totally what we are in the process of doing (with even two separated tools for even more wasted time!)
When writing integrations between third-party modules, the documentation was rarely enough, so with open-source ones, I generally went through at least half of the total (backend) source code of each to find all the hooks I needed and would semi-often find fairly standard security issues and report them.
In contrast, if a plugin was closed-source and obfuscated, I would just go bother their support, and so their code was never looked at by anyone other than the 2 core devs. When I inevitably had to reverse-engineer parts of the code anyways and discovered issues, I got far more "hey, you broke the EULA!" responses than "thanks for the report".
Talking from personal experience. Here are my though on it:
First, with Open Source software, you expose (potentially) what you write to the while world, as a consequence, you don't want to feel ridiculous by publishing atrociously bad code. In contrast, in a corporate environment, the code is not seen by so many eyes if at all, and even if read, the readers are roughly a known quantity.
Second, You have far more time/freedom, specially if it's a personal project, to think about design/code architecture, and to rework things if required. You can also spend time on things like unit tests, fuzzing, etc. Basically, you can more easily work on all these things that are "valuable" but difficult to "quantify/measure".
Third, people working on OSS projects are generally a bit more motivated, either because it's their subject of interest, or because of the general appeal of OSS.
Forth, often with OSS, you actually have more resources/service available to help with code quality. CI, static analysis, dependency auditing, etc is one click/integration away. In a Corporate environment, the procurement for such services can be off-putting, integration setup can be an up-hill battle, and there can be strong restrictions regarding external services.
Just as an example, in a previous job, I tried to get budget for a Jenkins server, never got it, so I ended-up "stealing" an old abandoned server from another project, once I got it I ran into issues not being able to configure the post commit hooks to trigger a CI build. Heck, in this job, even my home desktop was a 3 or 4 times better development machine than my work laptop.
Things are changing slowly, having a good code coverage is more and more a goal if not a company policy, code review processes are more and more common, companies are a bit less paranoid about trusting external services for CI/analysis/fuzzing. But from what I have been able to see in most of my job, proprietary code bases tend to be lower quality than most OSS projects. Even the code I've produced in my free time tend to be better than the code I've written at my job.
It's not an absolute however, you can still have terrible OSS code bases, it's just you are a bit more geared towards better code quality in OSS projects.
Yes, they do: https://www.fsf.org/blogs/community/who-actually-reads-the-c...
Plus. many companies, Microsoft included, open up their source code to partners.
The openness of source code has little correlation to its security.
No, just the important code that everyone is running.
[1] https://arstechnica.com/information-technology/2014/04/tech-...
> It just happens to not be true.
I think it's true, free and open source code, on average, is more likely to have been audited to a greater extent. I think most people confuse "audited to a greater extent", "coverage" and "security". The paradox here is: Merely increasing the chance of fixing bugs do not automatically guarantee security by itself, nor guarantee a sufficient code coverage.
For example, if the codebase has 10 serious RCE exploits, if it's a binary-only program, the pentester may be able to find 3, but if it's FOSS, the community might be able to find 5. Yet, the remaining RCE exploits are still exploits. And paradoxically, a project can have fewer exploits than a binary-only alternative in a numerical measurement, yet, the mere discovery of a new exploit can create a huge storm and lead to the perception of the software being less secure, even if it's objectively false in a numerical measurement.
My opinion is, free and open source code, in general, often objectively reduces the number of exploits comparing to its binary-only alternative. It doesn't eliminate exploits. The important question here is code coverage - A group of random hackers browsing code can never replace a systematic review (organized by the community or otherwise). Nor it makes the software inherently secure, a program that uses suboptimal programming techniques is more prone to exploits and more reviews cannot change the fact. However, the exploits discovered and fixed by a group of random hackers are still real security improvements.
For example, OpenSSL, even before Heartbleed, were attacked by researchers around the world, some exploits involved advanced side-channel and timing attacks. The bugs they discovered and fixed are real. Now imagine a binary-only OpenSSL in a parallel universe, called CloseSSL (while other conditions - such as an underfunded development team, remain the same), in this universe, fewer exploits are discovered and fixed, and it may be more vulnerable to timing attacks than the OpenSSL in our universe, so objectively it's more "secure". But both are vulnerable to Heartbleed, in other words, being more "secure" in a numerical measurement does not translate to real world security, on the other hand, the numerical measurement showing the superiority of FOSS by itself, is nevertheless real. Of course, real-world programs do not behave like an ideal model, being FOSS or not also correlates to other variables such as the the size of funding or audit coverage. My argument is only an ideal model treating all variables as independent variables.
I call it the anti-Linus's law: Given more eyeballs, not all bugs are shallow, unless there's enough eyeballs. But it's always better than fewer eyeballs.
> Most vulnerabilities are found by techniques like fuzzing, not by combing through thousands of lines of code.
Having the source code available allows pentesters and auditors to use compiler-based instrumentation for fuzzing, which is more efficient than binary fuzzing.
I will concede that is pretty valid point. My argument is basically that there is the false sense of open source code being "more secure" because of an assumption that "the community" is checking it thoroughly. Most people will just grab it off of github and run it, without giving it a second thought at all. Generally speaking you don't get high quality full code audits for free, pentesters and auditors generally like to get paid and aren't out there testing github code-bases out of the goodness of their heart.
> [...] OpenSSL adds a wrapper around malloc & free so that the library will cache memory on it's own, and not free it to the protective malloc. [...] So then a bug shows up which leaks the content of memory mishandled by that layer. [...]
> OpenSSL is not developed by a responsible team.
Heartbleed is reading beyond the intended bounds remotely. I don't think there were similar attacks before hand, but I could be wrong. I only have a base level knowledge here.