Bundling GOG Galaxy without clear permission is NOT OK, page 7 - Forum

null.678 Sorry, data for given user is currently unavailable. Please, try again later. View profile View wishlist Start conversation Invite to friends Invite to friends Accept invitation Accept invitation Pending invitation... User since {{ user.formattedDateUserJoined }} Friends since {{ user.formattedDateUserFriended }} Unblock chat User blocked This user's wishlist is not public. You can't chat with this user due to their or your privacy settings. You can't chat with this user because you have blocked him. You can't invite this user because you have blocked him.

Comment buried. Unhide

null.678

New User

Sorry, data for given user is currently unavailable. Please, try again later. View profile View wishlist Start conversation Invite to friends Invite to friends Accept invitation Accept invitation Pending invitation... User since {{ user.formattedDateUserJoined }} Friends since {{ user.formattedDateUserFriended }} Unblock chat User blocked This user's wishlist is not public. You can't chat with this user due to their or your privacy settings. You can't chat with this user because you have blocked him. You can't invite this user because you have blocked him.

Registered: Apr 2010

From United States

Posted October 26, 2017

91

null.678: GOG installers elevate, so they always bypass UAC.

JMich: Yes. Do the stuff they install also bypass UAC? Some of it may, some of it may not. But that is why UAC is there, to stop quite a bit.

As soon as the installer is elevated, it can install services, drivers, etc that run with high privileges forever. Like, for example, Galaxy. If you run a malicious program and say yes at the UAC prompt, it's game over, permanently.

And as I said, if you run a malicious program and don't see a UAC prompt, that doesn't mean it hasn't bypassed UAC using various bugs or by-design back doors and installed permanent malware on your computer anyway. UAC was created by Microsoft to pressure software vendors to structure their software in a particular way. It doesn't actually provide any significant security to the end user.

null.678: I don't even know what you think your firewall is doing to protect you.

JMich: Log and potentially prevent any unauthorized access from a LAN machine to a WAN connection? Oh, you thought I meant a software firewall?

Yes, there are ways of running any kind of software on a machine and checking what happens. Whether you actually want to spend the time to properly set them up is up to you of course.

Oh, get real. You plan to discover malware by manually looking at every network connection your computer makes? Besides the fact that it would take you a day to review the connections made by the adtech in one random webpage these days, and that if GOG Galaxy was malicious it presumably would use the same exact connections to GOG servers for C&C that it does now, even if you find something you basically have to throw your computer in a dumpster.

This is a stupid argument. If you want to make it your full time job to inspect GOG's installers for malware, you may or may not find any that's there. None of this bears on what I said at all: running untrusted installers is dangerous and puts a lot of trust in the signer of the installer, so GOG shouldn't piss away that trust to get their galaxy install numbers up.

JMich Sorry, data for given user is currently unavailable. Please, try again later. View profile View wishlist Start conversation Invite to friends Invite to friends Accept invitation Accept invitation Pending invitation... User since {{ user.formattedDateUserJoined }} Friends since {{ user.formattedDateUserFriended }} Unblock chat User blocked This user's wishlist is not public. You can't chat with this user due to their or your privacy settings. You can't chat with this user because you have blocked him. You can't invite this user because you have blocked him.

Comment buried. Unhide

JMich

A Horrible Human Person. If you need me, chat.

Sorry, data for given user is currently unavailable. Please, try again later. View profile View wishlist Start conversation Invite to friends Invite to friends Accept invitation Accept invitation Pending invitation... User since {{ user.formattedDateUserJoined }} Friends since {{ user.formattedDateUserFriended }} Unblock chat User blocked This user's wishlist is not public. You can't chat with this user due to their or your privacy settings. You can't chat with this user because you have blocked him. You can't invite this user because you have blocked him.

Registered: Apr 2011

From Greece

Posted October 26, 2017

92

richlind33: Are you suggesting that Galaxy should be treated as an untrusted program?

No.

null.678: It doesn't actually provide any significant security to the end user.

sudo disagrees. And UAC is quite similar to sudo.

null.678: Oh, get real. You plan to discover malware by manually looking at every network connection your computer makes?

I'm not. I say that a properly set up firewall can (and does) protect machines from unauthorized connections. But properly set up firewall is not the same as "built-in" firewall.

null.678: None of this bears on what I said at all: running untrusted installers is dangerous and puts a lot of trust in the signer of the installer, so GOG shouldn't piss away that trust to get their galaxy install numbers up.

And again, yes, running untrusted installers is dangerous. There are ways to mitigate said danger, if you have reason to believe that said installer is untrusted.
Bundling Galaxy to a game installer is not making the installer untrusted, unless you specificall don't trust Galaxy. In which case, you do have the option of dissecting Galaxy communications and seeing what it actually does. Unless of course you don't care to find out whether it actually is dangerous, but drop it just because it may be (which means dropping almost everything, including bluetooth, WPA2, PGP and RSA keys).

Post edited October 26, 2017 by JMich

Discover CD PROJEKT RED games

Highlights

Featured