Wishmaster777: Had they released a statement regarding that thing they could have at least pretended that they care. But why should they. They are being very transparent about it - they do not give a fuck about us, their customers, nor our safety. They do, however, care about our money. And I am fine with that. Sure thing, they mind their money business. But then, knights in shiny armour like yourself come to save the poor princess Gog, who try to sell us little stories about how good the Gig is, and to teach us the legal regulations regarding the relation between Gog and CDPR. That is the bigger issue. Also, Gog has been pulling such genius moves recently, that we should totally trust everything they say. Totally.
paladin181: I think you have confused me with someone else. I don't white knight GOG or anything. In fact, I've been a pretty straightforward naysayer of theirs for years. I dislike how they handle things, how bad their web coding is, how incompetent the support team are at times, and how completely mired in stupidity the forum software is, and they're too incompetent to fix it because the guy who cobbled it together in 1997 left and now trying to unfuck their site without a complete rewrite of everything is not feasible.

However, I don't needlessly bash them either. These are two different companies that don't share resources or employees. So make it seem like it's one company with two fronts all you like, but that is an incorrect assessment. There is no more need for GOG to respond to something CDPR did than there is for the shipping department to respond to people over what accounts payable did.

Wishmaster777: Sure. They should make presses when it suits them fine, and totally avoid addressing the problems. Nice logic, totally. I see no fallacy here at all. Totally.
paladin181: I'll only respond to this once, instead of thrice. Go ahead. What logical fallacy did I employ? They will promote an item they want to promote, and not items they don't. They weren't attacked, why would they need to reassure you that they weren't? By the way, I wasn't hit by a car today. Someone near me was, but not me. Makes total sense to report on events that didn't happen.
If that's the case, why all the server issues on gog's end all the sudden? Why do I keep seeing a bear holding the world?
Darvond: Looks like it's the clever work of a 12 year old.

Stay attuned to whatever you consider a reliable gaming news source for updates if we all have to change our passwords and credit cards or not.
You are giving internet users too much credit. It's entirely possible it's an adult. I've seen many writing even stupider things, over the internet.
kohlrak: If that's the case, why all the server issues on gog's end all the sudden? Why do I keep seeing a bear holding the world?
To be entirely fair, that's not entirely an uncommon occurrence here.
kohlrak: If that's the case, why all the server issues on gog's end all the sudden? Why do I keep seeing a bear holding the world?
Breja: To be entirely fair, that's not entirely an uncommon occurrence here.
No, but it's been really bad ever since the hack, and that's prior to the sale.

It's possible they took existing servers and repurposed them in an emergency, or they're getting internally DDoSed (since as we see the gog bear) using information gathered from the exploit, but I'll lean towards them sharing the servers. I assume the gwent accounts are tied to gog, too. And if they can deploy from that server, they have access to the GOG servers, and, thus, indirect access to user accounts at the very least.
Post edited February 11, 2021 by kohlrak
paladin181: By the way, I wasn't hit by a car today. Someone near me was, but not me. Makes total sense to report on events that didn't happen.
To draw a comparison between the accurate example of Gog and CDPR case, and your flawed example it would go this way: You and your sister were together in a car. You both had a car crash. Your sister was injured, and we know it, because she has tweeted about it. But we don't know whether you have suffered any injuries, because you did not make any statements about it.
Post edited February 11, 2021 by Wishmaster777
paladin181: By the way, I wasn't hit by a car today. Someone near me was, but not me. Makes total sense to report on events that didn't happen.
Wishmaster777: To draw a comparison between the accurate example of Gog and CDPR case, and your flawed example it would go this way: You and your sister were together in a car. You both had a car crash. Your sister was injured, and we know it, because she has tweeted about it. But we don't know whether you have suffered any injuries, because you did not make any statements about it.
Also, I don't think it would be particularly unreasonable to think that GOG would have mostly the same vulnerabilities. Someone going under the alias "HelloKitty" appears to be the person. There's some "hacking forums," involved, implying that the given message boards are not likely for hacktivism. I see no reason why our data would not be considered viable collateral for a threat, too, yet it did not appear to be. This implies to me that it was possibly someone who actually is either a customer or a former employee. However, if they were a customer, the fact that they got in means the weaknesses were probably revealed to others, and that means that more than one person compromised the system. We don't know how long they had control, either. We only know because GOG found out via the ransomware. They could've had this access for 2 or 3 years for all anyone knows. There might've been others who independently found the same vulnerabilities.

That said, keep in mind, they said CDP was hacked, not CDPR. Given all that's going on, I don't think they know whether or not our data was compromised. Their advice to their employees implies that they have no idea as to the extent of the damage.
Apparently they've put up the files for auction on an exploit forum for minimum 1 million USD. Insta buyout of 7 million.
paladin181: By the way, I wasn't hit by a car today. Someone near me was, but not me. Makes total sense to report on events that didn't happen.
Wishmaster777: To draw a comparison between the accurate example of Gog and CDPR case, and your flawed example it would go this way: You and your sister were together in a car. You both had a car crash. Your sister was injured, and we know it, because she has tweeted about it. But we don't know have you suffered any injuries, because you did not make any statements about it.
pretty good example
Breja: To be entirely fair, that's not entirely an uncommon occurrence here.
Some say bears holding up entire planets are portents of impending doom... especially when they look tiny and not particularly muscular. Quickly, somebody offer that GOGBear a gym subscription, or at least a discount coupon!
Post edited February 11, 2021 by WinterSnowfall
paladin181: how completely mired in stupidity the forum software is, and they're too incompetent to fix it because the guy who cobbled it together in 1997 left and now trying to unfuck their site without a complete rewrite of everything is not feasible.
To be fair, a lot of places are like this for some time after starting up.

They have very limited money when they start so they'll either hire a very small team of cheap in-house developers (I try not to stereotype, but I've observed a pattern where a lot of those developers implement the whole thing in php) to implement their website or they'll outsource the coding to a small company, specialised in making websites on the quick. Either way, the rule of the game is to implement everything yesterday on a shoestring budget.

Even if the developers involved were top notch developers (they usually aren't... most of them haven't updated their skills enough to use anything better than php after all and often will lack awareness of sound design patterns/standards like using proper REST for http apis even over a decade after such patterns have become widely known), the time constraints pretty much guarantee that the resulting system will suffer from significant technical debt right out the door.

From there, they'll hopefully start making money and the amount of income they generate will dictate the future quality of the system. If they make tons of cash, they'll be able to hire one or more teams of skilled developers with more time to improve the code (at that point, they'll either do a complete rewrite from scratch or slowly refactor away the legacy codebase, depending on how much of a mess things really were and how many resources they can invest).

If they don't make as much money as originally anticipated (keeping in mind that their primary goal is to turn up a healthy profit, they won't hire a crack team of developers if it will eat away a significant portion of their profits, even if they could do so while remaining green), then technical debt won't be repaid (or will be repaid extremely slowly) and the system will probably remain cr*ppy for the remainder of the company's lifespan (after which it will, thankfully, be shelved).

Given that we don't have access to GOG's financial information (and frankly, I haven't taken a look at their codebase, though the fact that they are still working in php is definitely not a good sign), it's hard to know exactly what is happening there.
Post edited February 11, 2021 by Magnitus
Magnitus: Even if the developers involved were top notch developers (they usually aren't... most of them haven't updated their skills enough to use anything better than php after all and often will lack awareness of sound design patterns/standards like using proper REST for http apis even over a decade after such patterns have become widely known), the time constraints pretty much guarantee that the resulting system will suffer from significant technical debt right out the door.
Yes, time and legacy code are a programmer's worst nightmare.
The only thing they leaked is the source code of games apparently. The major problem so far is Gwent, which is a fully online game and will probably have some vulnerabilities exposed by the source code. As for the other games, it is more work related; they released a ton of work for others to use.
Apparently they've sold the rest of the information now, no confirmation what price. Crazy stuff
WinterSnowfall: You may not work in InfoSec, but you got it right indeed (hit the nail on the head, as they say). Not even the most secured software infrastructure can withstand social engineering attacks. Training people to have a security mindset is rarely done and most times a big part of the problem.
Darvond: Would it be too telling that I once watched a DefCon video on elevator hacking?
Or, perhaps, you have watched the (classic!) Sneakers?
Plokite_Wolf: You nailed everything as if you do.
GreywolfLord: It would be nice, if only for informational matters, to know how the hack relates to GOG. Was anything from GOG taken, is anything or anyone at risk. Is there nothing to fear...etc.

Just something simple and quick to either put us at ease, or give us an alert to change things up if we need to.
+1
Dogmaus: On Twitter but not a word on GOG forum...shows how much they care (as we already know).
HunchBluntley: To be fair, GOG forums aren't a CDPR news blog.
If there are any security implications for the GOG side of things (and they may or may not even know yet if there are), I would hope they'll send out e-mails to all potentially affected customers. Announcing something like that in a forum that only a small fraction of your customers regularly visit probably wouldn't be particularly effective at getting the word out.
Perhaps if someone with (access to) authority were to make a long-form journalistic report into the breach on the forum?

Breja: Exactly. "Do not be alarmed, GOG has not been affected by the recent CDP hack" (if that is indeed the case) would also be a statement worth making. And if that is not the case, well then they definitely should let their users know rather than assume they all follow CDP on twitter/will find this thread.
paladin181: Would you honestly believe them if they did release a statement?
Depends on how it is written; is it possible to assuage the Gell-Mann cynicism?
Magnitus: […] Though yes, technically, the internal details of the server-side are now exposed. The obfuscation is gone. […]
I always adhere to Auguste Kerckhoffs's assumption (from his 1883 book La Cryptographie Militaire), usually recast as:
The enemy knows the system.
C. E. Shannon's maxim (1948, A Mathematical Theory of Communication).
scientiae: Or, perhaps, you have watched the (classic!) Sneakers?
Unfortunately no. Nor have I seen Hackers or even Get Smart or The Man from Uncle.
Magnitus: -Snop-
Don't forget that GOG deliberately limits their talent pools by forcing the idea of having to work in house in Poland. Now, I'm not exactly well versed in technical pools of workers, but I can't exactly recall any accolades of technical colleges/universities in Poland; most of those happened in Hungary.

Go on, read any of the 6 or so applications for software applications, and you'll find they all contain the same line somewhere around the middle end; and I quote: "The hired individual will need to work in-house, in our office based in Warsaw, Poland."

Even now. During a global pandemic, when telepresence would be a much smarter thing to mention.
Post edited February 11, 2021 by Darvond