Randalator: So they find X files with undocumented changes since the last commit ten days ago, what then? They don't exist in a vacuum, you cannot roll back those files and just keep the rest. So you lose whatever progress might have been made since then.

And the hackers might even have been able to sneak something into one of the commits. So first you have to establish since when unauthorised system access existed. Until then no progress can be made at all. That alone will set back any development progress for weeks. And afterwards you might lose X amount of progress on top.
I do enjoy the idea that people seem to think most businesses are sane enough to use a versioning control system with sanity checks, when most of them can't even be trusted to do sane backups.
Orkhepaj: but you can clearly separate the game code development from the rest of the system
Randalator: No you can't because all kinds of nasty surprises might have been introduced into the patch files. Imagine rolling out a patch containing a ransomware routine to customers. You HAVE to wipe those files.
Nasty things like bugs or stuff not working and breaking the game.
Randalator: No you can't because all kinds of nasty surprises might have been introduced into the patch files. Imagine rolling out a patch containing a ransomware routine to customers. You HAVE to wipe those files.
john_hatcher: Nasty things like bugs or stuff not working and breaking the game.
I think that's not the hackers' code :D
New article (*) (in German) claims that the hacker/s got high (or maximum) prices:

It says "In a subsequent auction on the darknet, the hackers obtained top prices." which pretty much means what I said.

It also quotes this source:
https://www.bloomberg.com/news/articles/2021-02-24/cd-projekt-hack-severely-disrupts-work-on-cyberpunk-game-updates
which supposedly implies or says they have a credible source for the hacker/s having personal data of employees. This also implies that CDPR didn't store this data in a proper manner. Don't know if there is a law for that though. I think if that had been user data it would be in breach of GDPR.

And the article also says that employees need to give their personal home computers (at least that is how I interpret it **) to CDPR for scanning. Maybe they suspect an inside connection to the hack and want to use this as pretext for accessing all private employee computers.

(*) https://tarnkappe.info/cd-projekt-red-cyberpunk-2077-patch-verzoegert-sich-nach-studio-hack/
(**) "Current employees, who according to Bloomberg are for the most part still working from home due to corona, had to send their computers to CDPR's IT department for malware scans."
Zrevnur: New article (*) (in German) claims that the hacker/s got high (or maximum) prices:

It says "In a subsequent auction on the darknet, the hackers obtained top prices." which pretty much means what I said.

It also quotes this source:
https://www.bloomberg.com/news/articles/2021-02-24/cd-projekt-hack-severely-disrupts-work-on-cyberpunk-game-updates
which supposedly implies or says they have a credible source for the hacker/s having personal data of employees. This also implies that CDPR didn't store this data in a proper manner. Don't know if there is a law for that though. I think if that had been user data it would be in breach of GDPR.

And the article also says that employees need to give their personal home computers (at least that is how I interpret it **) to CDPR for scanning. Maybe they suspect an inside connection to the hack and want to use this as pretext for accessing all private employee computers.

(*) https://tarnkappe.info/cd-projekt-red-cyberpunk-2077-patch-verzoegert-sich-nach-studio-hack/
(**) "Current employees, who according to Bloomberg are for the most part still working from home due to corona, had to send their computers to CDPR's IT department for malware scans."
Oh, we mishandled private information, so we should have access to your private computers, because we totally got it right now.

EDIT: As for legally, probably not. If there is, they surely nullified it with some sort of contract. Waiving your rights is SOP, anymore.

kohlrak: Wait, they're using an AV to find the virus instead of reformatting a computer known to be infected? Didn't the AV fail the first time?
Magnitus: Unless it's for post-mortem analysis, the modus operandi in 2021 is to throw a machine that misbehaves in the garbage and provision a new one.

Anyway, you can do that super easily if you are using a virtualization layer (any cloud provider, or OpenStack and alternatives for on-prem).

If you are operating on bare metal, it's a little more complicated (you've got to reprovision your machine on the same hardware, given that it isn't virtualized), but you should still have a setup in place to reprovision a machine fairly quickly.
My point being, the reason this stuff gets through AVs to begin with is because these viruses are encrypted and decrypted only at runtime after the AV has had a scan at them.
Post edited February 26, 2021 by kohlrak
kohlrak: My point being, the reason this stuff gets through AVs to begin with is because these viruses are encrypted and decrypted only at runtime after the AV has had a scan at them.
Can't AV just scan them before they run?
kohlrak: My point being, the reason this stuff gets through AVs to begin with is because these viruses are encrypted and decrypted only at runtime after the AV has had a scan at them.
Orkhepaj: Can't AV just scan them before they run?
That's what they do already, usually. The challenge comes from the thing called a "cryptor." They can work under 1 of 2 principles:

1. Decrypting an embedded payload and starting a new process (I think this is the method they may have to use, now).

2. Decrypting an embedded payload and running it within the current process (needs executable sections to be writable in section flags).

The issue in particular is that companies pushing DRM demand either 1 or 2 be possible, because DRM will often use the same techniques to keep people from modifying the binary files and re-releasing the product. The industry-approved term is "obfuscation." It's also used for code protection (so people don't simply reverse engineer binaries for reasons other than simple piracy) and other things. Some obfuscation doesn't use these techniques; however, those techniques are more reliable (but still not perfect, of course). The only thing an AV could do would be to constantly scan the executables while they're in RAM, but this is absolutely untenable in terms of the cycles it would cost.

EDIT: To use an old analogy I heard a long time ago, relying on an antivirus as anything other than a sort of "hail mary method" is "like jumping into a lake with a raincoat on, expecting to stay dry."
Post edited February 26, 2021 by kohlrak
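As an added illustration of principle 2 in the post above (this is not code from the original post, nor from any AV product): a small Python check that walks a PE file's section table and flags sections whose characteristics are both writable and executable, which is the layout in-process self-decryption relies on. Header offsets and the `IMAGE_SCN_*` constants are from the PE/COFF format; the sample image is constructed inline and is a bare header skeleton, not a working executable.

```python
import struct
from pathlib import Path

# Section-characteristic bits from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_sections(pe: bytes) -> list:
    """Return [(section_name, characteristics), ...] from a PE image's section table."""
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]          # offset of the PE signature
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                         # 20-byte COFF file header
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_of_optional = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + size_of_optional                        # section table follows the optional header
    sections = []
    for i in range(num_sections):
        entry = table + i * 40                                  # each section header is 40 bytes
        name = pe[entry:entry + 8].rstrip(b"\0").decode("ascii", "replace")
        characteristics = struct.unpack_from("<I", pe, entry + 36)[0]
        sections.append((name, characteristics))
    return sections


def find_wx_sections(pe: bytes) -> list:
    """Names of sections mapped writable AND executable: the triage signal, not a verdict."""
    wx = IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE
    return [name for name, flags in parse_sections(pe) if flags & wx == wx]


def scan_file(path: str) -> list:
    """Convenience wrapper for a file on disk."""
    return find_wx_sections(Path(path).read_bytes())


def build_sample_pe(sections: list) -> bytes:
    """Constructed test input: a minimal PE skeleton (no optional header, no code) with the given sections."""
    dos = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", dos, 0x3C, 0x40)                     # e_lfanew -> "PE\0\0" right after the DOS header
    # Machine=i386, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader=0, Characteristics=0
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode("ascii").ljust(8, b"\0"), 0, 0, 0, 0, 0, 0, 0, 0, flags)
        for name, flags in sections
    )
    return bytes(dos) + b"PE\0\0" + coff + table


# Constructed sample: ordinary code and data sections plus one W+X section.
SAMPLE_PE = build_sample_pe([
    (".text", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (".data", IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    (".packed", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
])

if __name__ == "__main__":
    print("W+X sections:", find_wx_sections(SAMPLE_PE))
```

Two caveats for anyone using this on real binaries: commercial packers and the DRM obfuscators the post mentions produce exactly this layout, so a hit means "look closer", not "malicious"; and a clean result proves little, because principle 1 (decrypt into a fresh process) never needs a W+X section and page protections can also be changed at run time, which is why the post concludes that static scanning alone is a weak defence.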
kohlrak: My point being, the reason this stuff gets through AVs to begin with is because these viruses are encrypted and decrypted only at runtime after the AV has had a scan at them.
On immutable infra, the only "antivirus" you should need are programs that scan for ANY change on your filesystem other than very specific paths programs on the machine are expected to modify.

Metrics and centralised logging will make the system visible from the outside. Nobody should be sshing on it except if they need to troubleshoot when something goes horribly wrong and metrics/logs are insufficient to get to the root of the problem. Heck, the bastion to ssh into the machine should not even be there until you actually need to ssh into it (and it should be there only for the duration of your ssh session, you scrap it afterwards).

Most of the time, if something goes sideways, you just throw your VM in the trash and provision a new one.

Immutable infra, that's what most people should be running in 2021. If they aren't, they should ask their ops team to get up to date.

Only notable exception to that should be databases and even then, if you're using a modern distributed database, you should be able to methodically destroy replicas and replace them with new ones, one by one.

Other possible mitigation point is if you are running things on bare metal and not VMs (that's a bit more complicated to manage), but really, if you're using the cloud, which most people are at this point, then you're using VMs and you'd better brush up your Terraform if you want to make the best use of your platform.
Post edited February 26, 2021 by Magnitus
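Added example, not code from the original post or from any particular product: a baseline-and-diff file integrity check in Python, in the spirit of "scan for ANY change on your filesystem other than very specific paths programs on the machine are expected to modify" from the post above. The allowlist prefixes and the miniature directory tree it runs on are constructed for the demo; on a real immutable host the baseline would come from the image you provisioned and be kept off the box.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed allowlist: root-relative prefixes (POSIX style) that services on the
# host are expected to write to. Everything else is supposed to stay byte-identical.
EXPECTED_MUTABLE = ("/var/log/", "/var/lib/app/cache/")


def hash_file(path: Path) -> str:
    """SHA-256 of a file, streamed so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict:
    """Map every regular file under root (relative path, POSIX separators) to its hash.
    Symlinks are skipped so a link pointing outside the tree cannot smuggle content in."""
    return {
        p.relative_to(root).as_posix(): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and not p.is_symlink()
    }


def is_expected(rel_path: str, allow=EXPECTED_MUTABLE) -> bool:
    """True if the root-relative path lies under a prefix that is allowed to change."""
    return ("/" + rel_path).startswith(allow)


def diff_snapshots(baseline: dict, current: dict, allow=EXPECTED_MUTABLE) -> dict:
    """Report added, removed and modified files, ignoring anything under the allowlist."""
    def unexpected(p: str) -> bool:
        return not is_expected(p, allow)

    return {
        "added": sorted(p for p in current.keys() - baseline.keys() if unexpected(p)),
        "removed": sorted(p for p in baseline.keys() - current.keys() if unexpected(p)),
        "modified": sorted(p for p in current.keys() & baseline.keys()
                           if current[p] != baseline[p] and unexpected(p)),
    }


def demo() -> dict:
    """Build a constructed miniature host tree, baseline it, change it, and diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for d in ("usr/bin", "etc", "var/log"):
            (root / d).mkdir(parents=True)
        (root / "usr/bin/app").write_bytes(b"\x7fELF-constructed-binary")
        (root / "etc/app.conf").write_text("port=8080\n")
        (root / "var/log/app.log").write_text("started\n")
        baseline = snapshot(root)

        # Changes after the baseline: the log growing is expected, the other two are not.
        (root / "var/log/app.log").write_text("started\nrequest handled\n")
        (root / "usr/bin/app").write_bytes(b"\x7fELF-constructed-binary-but-different")
        (root / "etc/app.d").mkdir()
        (root / "etc/app.d/extra.conf").write_text("constructed unexpected file\n")
        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

The design choice worth noting is that the check never trusts the host it runs on: the baseline is computed from the image before deployment and the comparison result is shipped out with the rest of the metrics, so an intruder who can rewrite files cannot also rewrite the record of what they were. It also only sees disk, which is why the post pairs it with re-provisioning rather than relying on it alone: payloads that live purely in memory leave nothing for it to diff.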
kohlrak: My point being, the reason this stuff gets through AVs to begin with is because these viruses are encrypted and decrypted only at runtime after the AV has had a scan at them.
Magnitus: On immutable infra, the only "antivirus" you should need are programs that scan for ANY change on your filesystem other than very specific paths programs on the machine are expected to modify.

Metrics and centralised logging will make the system visible from the outside. Nobody should be sshing on it except if they need to troubleshoot when something goes horribly wrong and metrics/logs are insufficient to get to the root of the problem. Heck, the bastion to ssh into the machine should not even be there until you actually need to ssh into it (and it should be there only for the duration of your ssh session, you scrap it afterwards).

Most of the time, if something goes sideways, you just throw your VM in the trash and provision a new one.

Immutable infra, that's what most people should be running in 2021. If they aren't, they should ask their ops team to get up to date.

Only notable exception to that should be databases and even then, if you're using a modern distributed database, you should be able to methodically destroy replicas and replace them with new ones, one by one.
Yeah, especially with a large dev team. I wonder what system CDPR actually had; maybe it would result in many face-punch pictures.
Orkhepaj: Yeah, especially with a large dev team. I wonder what system CDPR actually had; maybe it would result in many face-punch pictures.
To be fair, a lot of people are not doing it, it's horrible. They'd rather do 10 units of work than 2 units of work and 2 units of learning. Work dumb, work harder.
Orkhepaj: yeah especially with a large dev team, wonder what system cdpr actually had, maybe would result in many face punch pictures
Magnitus: To be fair, a lot of people are not doing it, it's horrible. They'd rather do 10 units of work than 2 units of work and 2 units of learning. Work dumb, work harder.
I bet that's how most companies work; they think the old known ways are the best to continue with, the unknown is too dangerous or something.
Post edited February 26, 2021 by Orkhepaj
kohlrak: EDIT: As for legally, probably not. If there is, they surely nullified it with some sort of contract. Waiving your rights is SOP, anymore.
You are from the US. In the EU such things work differently. 'Waiving your rights' as a customer or lowly employee (in the context of critical private information) is mostly impossible here - such parts of contracts are likely invalid.

And in parts of Europe (Poland too I think, but don't know for sure) trade unions and such can be quite powerful and have a major say in such things - but I don't know if that relates to CDPR.
kohlrak: My point being, the reason this stuff gets through AVs to begin with is because these viruses are encrypted and decrypted only at runtime after the AV has had a scan at them.
Magnitus: On immutable infra, the only "antivirus" you should need are programs that scan for ANY change on your filesystem other than very specific paths programs on the machine are expected to modify.

Metrics and centralised logging will make the system visible from the outside. Nobody should be sshing on it except if they need to troubleshoot when something goes horribly wrong and metrics/logs are insufficient to get to the root of the problem. Heck, the bastion to ssh into the machine should not even be there until you actually need to ssh into it (and it should be there only for the duration of your ssh session, you scrap it afterwards).

Most of the time, if something goes sideways, you just throw your VM in the trash and provision a new one.

Immutable infra, that's what most people should be running in 2021. If they aren't, they should ask their ops team to get up to date.

Only notable exception to that should be databases and even then, if you're using a modern distributed database, you should be able to methodically destroy replicas and replace them with new ones, one by one.

Other possible mitigation point is if you are running things on bare metal and not VMs (that's a bit more complicated to manage), but really, if you're using the cloud, which most people are at this point, then you're using VMs and you'd better brush up your Terraform if you want to make the best use of your platform.
Don't get me wrong, I believe an argument should stand or fall independent of its speaker, but I really must ask about your familiarity with the subject matter. Indeed, the notion of keeping everything in a VM, doing constant scrubs and all that is great on paper and indeed idealistic. The problem, however, is that these computers are actually designed to do something. I'm sure you'd have a canary seeing the things I've seen passed off as "security" in things like hospitals (where you and I would certainly be in agreement that it is woefully inadequate). However, these machines serve a purpose outside of strictly being black boxes holding data. Removing SSH, for example, until you need it would require someone to man the office at all times just to enable or disable it. Moreover, VMs, even with hardware virtualization, still don't have the processing power necessary to accomplish the tasks most likely occurring: Cyberpunk 2077 isn't going to be debugged in a VM. Or are you talking about a gateway in particular, and not all the servers as a whole? Also, with all those precautions, you should be made aware that there exist viruses that target VMs, to bypass this kind of protection.

It's more reasonable to only give servers with a specific purpose specific types of access. The fact that, supposedly, code and employee data were stored on the same servers should be highly questioned. I only do it because I don't have the money for such protection. A corporation should be expected to have more servers to dedicate to these processes. If they were properly distributed, how the hell was there a setup that allowed someone with access to the dev server to get their hands on employee and investor databases? That's just asking for this kind of attack to happen by a disgruntled current or former employee.
Magnitus: To be fair, a lot of people are not doing it, it's horrible. They'd rather do 10 units of work than 2 units of work and 2 units of learning. Work dumb, work harder.
Orkhepaj: I bet that's how most companies work; they think the old known ways are the best to continue with, the unknown is too dangerous or something.
Not all old things and ideas are broken: we're still using printf in most CLI programs, at the end of the day. The problem is the bits that aren't safe, like gets. Some of the new stuff is more secure, and some of it is a lot worse. Corporations are a slightly different beast than a common non-corporate company. Corporations are almost legally obligated to old ways.
kohlrak: EDIT: As for legally, probably not. If there is, they surely nullified it with some sort of contract. Waiving your rights is SOP, anymore.
Zrevnur: You are from the US. In the EU such things work differently. 'Waiving your rights' as a customer or lowly employee (in the context of critical private information) is mostly impossible here - such parts of contracts are likely invalid.

And in parts of Europe (Poland too I think, but don't know for sure) trade unions and such can be quite powerful and have a major say in such things - but I don't know if that relates to CDPR.
Yet GOG and everyone else still pushes EULAs. I understand their enforceability is suspect, but they seem to have some degree of power if they find their origins in Europe as well. Meanwhile, I'm not entirely opposed to the notion, but there needs to be some kind of limit on it, some immutable rights, while also making room for things like reasonable NDAs. I'm particularly worried about how selective enforcement of contracts can change existing contracts (especially things like marriage and prenups).
Post edited February 26, 2021 by kohlrak
kohlrak: Yet GOG and everyone else still pushes EULAs. I understand their enforceability is suspect, but they seem to have some degree of power if they find their origins in Europe as well. Meanwhile, I'm not entirely opposed to the notion, but there needs to be some kind of limit on it, some immutable rights, while also making room for things like reasonable NDAs. I'm particularly worried about how selective enforcement of contracts can change existing contracts (especially things like marriage and prenups).
These should be regulated: companies shouldn't write their own EULAs, they should only pick one from the predefined ones the government accepts and clearly show the buyer which one it is, so the buyer can just check it on the gov portal, read it once and know for sure there is no hidden crap in it somewhere. Only then would these be acceptable.
kohlrak: Yet GOG and everyone else still pushes EULAs. I understand their enforceability is suspect, but they seem to have some degree of power if they find their origins in Europe as well. Meanwhile, I'm not entirely opposed to the notion, but there needs to be some kind of limit on it, some immutable rights, while also making room for things like reasonable NDAs. I'm particularly worried about how selective enforcement of contracts can change existing contracts (especially things like marriage and prenups).
Orkhepaj: These should be regulated: companies shouldn't write their own EULAs, they should only pick one from the predefined ones the government accepts and clearly show the buyer which one it is, so the buyer can just check it on the gov portal, read it once and know for sure there is no hidden crap in it somewhere. Only then would these be acceptable.
And in another thread you say you're anti-authoritarian. XD

But anyway, I believe this gives government way too much power. I believe laws should be written such that a contract's enforceability is dependent upon when the agreement was made, first and foremost. From there, a little more chaos would be fine: NDAs can exist, but, perhaps, with a timer and only be enforceable on specifics (like, GOG could say that a deal between the two is private, as well as certain details, but not details of reasonable consumer interest, such as whether or not an update process appears automated on GOG's end, but specifically still barring specifics about what types of files they see [I don't need to know that GOG uses Inno, really, but it would be nice to know some examples of GOG's rejections of updates and on what grounds, as well as whether or not those grounds were valid]).