Insert your many gamers joke here:
And not a single announcement has been made on GOG. "Hey, quite frankly we don't give a shit, as usual, but at least you can buy HuniePop 2 on GOG." - CD Projekt Red. Epically pwned. Lol.
Wishmaster777: And not a single announcement has been made on GOG. "Hey, quite frankly we don't give a shit, as usual, but at least you can buy HuniePop 2 on GOG." - CD Projekt Red. Epically pwned. Lol.
Why would GOG make a statement? They are not CDPR.
At least we can buy HuniePop 2. Worth it!
Titanium: [Right shoulder, angel]: This is regrettable, damaging and wrong.

[Left shoulder, devil]: Investor relations documents you say?
Kinda like how some people got their hands on Nancy Pelosi's laptop during the raids. Surprise, nothing released. I'll bet we'll only have the damaging bit. Ignore the guy on the left, he's full of it.

On another note, looks like GOG is having trouble staying up. The bear's having trouble holding the world for the past hour.
I don't know... This looks a lot like a generic one to me... I'm gonna go out on a limb here and say that someone goofed hardcore and got a drive-by on this one.
Wishmaster777: And not a single announcement has been made on GOG. "Hey, quite frankly we don't give a shit, as usual, but at least you can buy HuniePop 2 on GOG." - CD Projekt Red. Epically pwned. Lol.
paladin181: Why would GOG make a statement? They are not CDPR.
Says CDP, not CDPR. I also noticed some issues with the servers in the past few hours, too. Would not be surprised if this was a drive-by and they got everything, 'cause I feel like everything's stored in the same place.
§pectre: Doesn't 2FA mean when they hack the email account they get access to everything instead?
joveian: Not if it is real 2FA, but GOG doesn't use that, only "2 step authentication". What they do (like the vast majority of online accounts) is fully tied to your email, with a few extra measures to make sure whoever is accessing your account has access to your email as well. The 2 step thing I suspect stores your IP address (or a small address range) and emails you before you can get access if you try to access from a different IP address (it doesn't use cookies like some sites do, which is nice for those of us who delete cookies on browser exit). The password reset I just did just in case also requires you to click a link sent to your email rather than allowing anyone already in the account to change the password. So be very careful with your email account :/.

I think GOG is fairly distinct organizationally from CDPR so I would guess CDPR doesn't have more access to GOG than any developer, but I could be wrong. Hopefully GOG will make a statement soon.

Since CDPR is obviously persuing an "any publicity is good publicity" route at this point they probably won't be hurt much if the code is publicly released and might benefit from extra publicity (as long as the comments aren't too embarassing). Also, the fact that they have recent backups puts them ahead of a huge number of companies in this situation.

https://www.theregister.com/2021/02/09/cd_projekt_red_hack/
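The post above describes GOG's "2 step" login as a guess at how it works. As an added illustration of that kind of mechanism (not GOG's code and not from anyone in the thread), here is a toy Python model that remembers the /24 network of each confirmed login, requires a one-time token e-mailed to the account address before a login from an unknown network is trusted, and completes a password reset only through an e-mailed token rather than from inside the session. The /24 granularity, the token format and the Outbox mailer stand-in are assumptions made for the demo.

```python
import hmac
import ipaddress
import secrets
from dataclasses import dataclass, field

# Constructed toy model of an e-mail-rooted "2 step" login guard.
# It is NOT GOG's implementation; the /24 granularity, the token
# format and the Outbox stand-in are assumptions for illustration.


@dataclass
class Account:
    email: str
    password_hash: bytes                       # assume a real KDF output in practice
    known_networks: set = field(default_factory=set)
    # one-time tokens waiting for the user to click the e-mailed link:
    # token -> ("login", network) or ("reset", new_password_hash)
    pending: dict = field(default_factory=dict)


class Outbox:
    """Stand-in for a mailer: just records what would have been e-mailed."""

    def __init__(self):
        self.sent = []

    def send(self, to, subject, token):
        self.sent.append((to, subject, token))


def network_of(ip: str) -> str:
    """Collapse an address to its /24, the 'small address range' the post speculates about."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))


def login(acct, outbox, password_hash, ip):
    # Constant-time compare so a wrong password does not leak how wrong it was.
    if not hmac.compare_digest(acct.password_hash, password_hash):
        return "denied"
    net = network_of(ip)
    if net in acct.known_networks:
        return "ok"
    # Unknown network: the session is not granted until the e-mailed token comes back.
    token = secrets.token_urlsafe(16)
    acct.pending[token] = ("login", net)
    outbox.send(acct.email, "Confirm new location", token)
    return "check-email"


def confirm(acct, token):
    """Called when the user follows the e-mailed link; tokens are single use."""
    entry = acct.pending.pop(token, None)
    if entry is None:
        return "invalid"
    kind, payload = entry
    if kind == "login":
        acct.known_networks.add(payload)
        return "ok"
    acct.password_hash = payload               # kind == "reset"
    return "reset-done"


def request_password_reset(acct, outbox, new_password_hash):
    # The reset never completes inside the session; only the e-mailed token finishes it.
    token = secrets.token_urlsafe(16)
    acct.pending[token] = ("reset", new_password_hash)
    outbox.send(acct.email, "Confirm password reset", token)
    return "check-email"


def demo():
    """Walks through the flow with constructed addresses and returns each step's outcome."""
    outbox = Outbox()
    acct = Account(email="user@example.invalid", password_hash=b"h1",
                   known_networks={"203.0.113.0/24"})
    r1 = login(acct, outbox, b"h1", "203.0.113.7")      # known /24 -> ok
    r2 = login(acct, outbox, b"h1", "198.51.100.9")     # new /24 -> must confirm by e-mail
    r3 = confirm(acct, "not-a-real-token")              # guessing the token fails
    r4 = confirm(acct, outbox.sent[-1][2])              # the e-mailed token works once
    r5 = login(acct, outbox, b"h1", "198.51.100.200")   # same /24 is now trusted
    r6 = request_password_reset(acct, outbox, b"h2")    # reset waits for e-mail
    r7 = login(acct, outbox, b"h2", "203.0.113.7")      # new password not yet active
    r8 = confirm(acct, outbox.sent[-1][2])              # link in the mailbox completes it
    r9 = login(acct, outbox, b"h2", "203.0.113.7")
    return [r1, r2, r3, r4, r5, r6, r7, r8, r9]


if __name__ == "__main__":
    print(demo())
```

Every path that grants trust in this model ends at the mailbox, which is exactly the point the post makes: whoever controls the e-mail account can confirm new locations and complete a password reset, so the e-mail account deserves stronger protection (real 2FA) than any account that is tied to it.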
Let me be blunt on 2FA:

1. They tend to let you know if you got in, by telling you to check your email.

2. Most people use the same passwords everywhere.

I had a few more, but they left my head. Stuff going on IRL, here, right now. If passwords are raincoats, then 2FA is wrapping your cellphone in tinfoil after putting it in airplane mode ('cause it may or may not hurt you).
Post edited February 10, 2021 by kohlrak
paladin181: The object of security is to make yourself a less desirable target. You do this through many ways, obfuscation (people don't know who you are or what you have) or obstacles (making getting your goods more trouble than it is worth). There are many vulnerabilities to any network that connects to the internet at large. The only way to completely safeguard it is to never connect it to the world wide web.
Obfuscation is for suckers. Wait until you get your first malicious employee and you'll be done for. You need to protect from within as well as without. If your top level admins or senior data boys are out to get you, then it's probably game over (those guys should be triple vetted), but anybody else should be manageable.

Otherwise, don't forget compartmentalising different parts of your system (putting a wall between the various parts of a city is not the same thing as just putting 3 outer walls). Ideally, different parts of the system should only have access to what they need to function and nothing more. It greatly mitigates losses when someone compromises something.

Also, you need good alerting (which hopefully won't get drowned out in a sea of noise). All the barriers in the world will only be momentary respite if you're not even aware that someone is trying to break in or has broken in and they have all the time in the world to do their thing.

paladin181: As to why they could? Probably because CDPR had their own in-house IT team set up their net security and we've seen how CDP handles net security and web coding with GOG.
I'd be lenient on this one. GOG is a medium-sized company and the security landscape is a clusterf*ck. Most places either don't have a dedicated security team or don't have one that is well integrated with the rest of the teams (i.e., actually aware of what developers are doing on the ground).

Also, last time I checked, universities didn't really include security in their curriculum so it's something graduates have to pick up afterwards on the job or in their own time. And then, you have a whole bunch of people who don't even have a formal education or some kind of certification that shows they have at least a rudimentary grasp of sound software development principles (you can get mad coding skills and still be pretty ignorant of the underlying building blocks of software systems). I mean, you know that there is a problem when you take a good honest look at the number of junior, intermediate or even senior developers that don't even understand, abstractly without going into encryption details, how a certificate chain works.

Also, some people with genius-level intellect are spending all their time figuring out how to break into systems and not all of them are doing it as security professionals to report flaws. They will do clever mind-boggling things like statistical inference to determine the approximate value of secret keys if the time to encrypt/decrypt is dependent on the value of the key, or go through humongous codebases that a lot of real world systems depend on, patiently looking for that vulnerability that everybody else missed.

And to make it worse, you can't really test for that stuff, because most attack vectors involve interacting with the system in ways that would never occur normally under non-malicious usage.

It's a mean world out there and if putting something important in production doesn't terrify the living daylights out of someone, then they're probably not the right person to manage a production system. It is a beast.
Post edited February 10, 2021 by Magnitus
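The remark above about inferring key material from encryption time that depends on the key refers to timing side channels. As an added example that is not from the post or from any real system, the Python below shows the simplest form of that leak, a comparison that stops at the first wrong byte, next to a constant-time version; it counts bytes examined instead of measuring wall-clock time so the effect is deterministic and testable. The secret and the guesses are constructed for the demo, and `verify_token` shows the standard-library fix (`hmac.compare_digest`) a developer should reach for.

```python
import hmac

# Constructed illustration of a timing side channel: an early-exit
# comparison does work proportional to how many leading bytes of the
# guess are correct, so the work (and hence the time) depends on the
# secret. Nothing here is code from any real system.


def naive_equal(secret: bytes, guess: bytes):
    """Early-exit comparison. Returns (equal, bytes_examined)."""
    if len(secret) != len(guess):
        return False, 0
    examined = 0
    for a, b in zip(secret, guess):
        examined += 1
        if a != b:                 # stops as soon as a byte differs: this is the leak
            return False, examined
    return True, examined


def constant_time_equal(secret: bytes, guess: bytes):
    """Examines every byte no matter where the first mismatch is."""
    if len(secret) != len(guess):
        return False, 0
    diff = 0
    examined = 0
    for a, b in zip(secret, guess):
        examined += 1
        diff |= a ^ b              # accumulate differences without branching on them
    return diff == 0, examined


def work_profile(compare, secret: bytes, prefix_lengths):
    """Work done by `compare` for guesses that share k correct leading bytes."""
    profile = {}
    for k in prefix_lengths:
        # constructed guess: first k bytes right, every remaining byte deliberately wrong
        guess = secret[:k] + bytes((b ^ 0xFF) for b in secret[k:])
        _, examined = compare(secret, guess)
        profile[k] = examined
    return profile


SECRET = b"constructed-16B!"       # 16-byte secret constructed for the demo


def leaks(compare) -> bool:
    """True when the amount of work varies with the number of correct leading bytes."""
    profile = work_profile(compare, SECRET, range(len(SECRET)))
    return len(set(profile.values())) > 1


def verify_token(expected: bytes, provided: bytes) -> bool:
    """What application code should use: the stdlib constant-time comparison."""
    return hmac.compare_digest(expected, provided)


if __name__ == "__main__":
    print("naive:        ", work_profile(naive_equal, SECRET, [0, 5, 10, 15]))
    print("constant-time:", work_profile(constant_time_equal, SECRET, [0, 5, 10, 15]))
    print("naive leaks:", leaks(naive_equal), "| constant-time leaks:", leaks(constant_time_equal))
```

The naive profile climbs by one byte for every correct leading byte, which is the signal an attacker with enough timing samples averages out of the noise; the constant-time profile is flat. The same rule applies wherever a secret is compared: password hashes, API tokens, HMAC tags and session identifiers should all go through `hmac.compare_digest` rather than `==`.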
paladin181: The object of security is to make yourself a less desirable target. You do this through many ways, obfuscation (people don't know who you are or what you have) or obstacles (making getting your goods more trouble than it is worth). There are many vulnerabilities to any network that connects to the internet at large. The only way to completely safeguard it is to never connect it to the world wide web.
Magnitus: Obfuscation is for suckers. Wait until you get your first malicious employee and you'll be done for. You need to protect from within as well as without. If your top level admins or senior data boys are out to get you, then it's probably game over (those guys should be triple vetted), but anybody else should be manageable.

Otherwise, don't forget compartmentalising different parts of your system (putting a wall between the various parts of a city is not the same thing as just putting 3 outer walls). Ideally, different parts of the system should only have access to what they need to function and nothing more. It greatly mitigates losses when someone compromises something.

Also, you need good alerting (which hopefully won't get drowned out in a sea of noise). All the barriers in the world will only be momentary respite if you're not even aware that someone is trying to break in or has broken in and they have all the time in the world to do their thing.

paladin181: As to why they could? Probably because CDPR had their own in-house IT team set up their net security and we've seen how CDP handles net security and web coding with GOG.
Magnitus: I'd be lenient on this one. GOG is a medium-sized company and the security landscape is a clusterf*ck. Most places either don't have a dedicated security team or don't have one that is well integrated with the rest of the teams (i.e., actually aware of what developers are doing on the ground).

Also, last time I checked, universities didn't really include security in their curriculum so it's something graduates have to pick up afterwards on the job or in their own time. And then, you have a whole bunch of people who don't even have a formal education or some kind of certification that shows they have at least a rudimentary grasp of sound software development principles (you can get mad coding skills and still be pretty ignorant of the underlying building blocks of software systems). I mean, you know that there is a problem when you take a good honest look at the number of junior, intermediate or even senior developers that don't even understand, abstractly without going into encryption details, how a certificate chain works.

Also, some people with genius-level intellect are spending all their time figuring out how to break into systems and not all of them are doing it as security professionals to report flaws. They will do clever mind-boggling things like statistical inference to determine the approximate value of secret keys if the time to encrypt/decrypt is dependent on the value of the key, or go through humongous codebases that a lot of real world systems depend on, patiently looking for that vulnerability that everybody else missed.

And to make it worse, you can't really test for that stuff, because most attack vectors involve interacting with the system in ways that would never occur normally under non-malicious usage.

It's a mean world out there and if putting something important in production doesn't terrify the living daylights out of someone, then they're probably not the right person to manage a production system. It is a beast.
You've made some serious considerations there, sir. Especially the part about how students are graduating with incomplete formation in a necessary area such as security.
I've read it patiently and pleasantly, as a student myself, so I thank you for the shared knowledge.
Magnitus: -LONG SNIP-
The problem with InfoSec teams is that they're a lot like IT teams: they're best when they're invisible, as that means all is well, which to idiot management teams & bean counters raises the question of "What are we paying you for?", to which most engineers have trouble kneeling down to their semi-sentient simian counterparts and saying in lay terms, in summarized Cliff Notes form, what they do.

But as many have repeatedly said in this thread, the weakest link isn't your firewall, but that receptionist who chews bubblegum on a phone call who gets socially engineered into letting someone past the gates who so happens to be carrying an outside USB stick.

And nobody thinks to manage the groups or wheel to prevent content not specifically from within the building from even being allowed to execute (though I'm not even sure Windows has such fine-grained control, even with group policies, because it's that backwards at times.)

I don't even work in InfoSec or IT and these are just some basic things that came to mind.
Darvond: I don't even work in InfoSec or IT and these are just some basic things that came to mind.
You nailed everything as if you do.
Darvond: I don't even work in InfoSec or IT and these are just some basic things that came to mind.
Plokite_Wolf: You nailed everything as if you do.
It would be nice, if only for informational matters, to know how the hack relates to GOG. Was anything from GOG taken, is anything or anyone at risk. Is there nothing to fear...etc.

Just something simple and quick to either put us at ease, or give us an alert to change things up if we need to.
Darvond: I don't even work in InfoSec or IT and these are just some basic things that came to mind.
You may not work in InfoSec, but you got it right indeed (hit the nail on the head, as they say). Not even the most secure software infrastructure can withstand social engineering attacks. Training people to have a security mindset is rarely done and most times a big part of the problem.
Post edited February 10, 2021 by WinterSnowfall
WinterSnowfall: You may not work in InfoSec, but you got it right indeed (hit the nail on the head, as they say). Not even the most secure software infrastructure can withstand social engineering attacks. Training people to have a security mindset is rarely done and most times a big part of the problem.
Would it be too telling that I once watched a DefCon video on elevator hacking?
Wishmaster777: And not a single announcement has been made on GOG. "Hey, quite frankly we don't give a shit, as usual, but at least you can buy HuniePop 2 on GOG." - CD Projekt Red. Epically pwned. Lol.
paladin181: Why would GOG make a statement? They are not CDPR.
Maybe for the same reason that, to enter the CDPR forum, you need a GOG account.
Yes, GOG is not CDPR, but they are from the same family of CDP so there could be some data share.
Even if GOG's users are safe, GOG should at least inform them that they are safe.
Darvond: Would it be too telling that I once watched a DefCon video on elevator hacking?
Hey, whatever makes you more interested in keeping your data secure.