Hacker News
by dafelst 1896 days ago
I have a friend who used to work at Valve as a software engineer - he mentioned to me that the entire source networking stack is chock full of unchecked buffers and all sorts of potential for fairly trivial RCEs, but due to Valve's internal structure (or lack thereof) there really isn't any incentive for anyone to fix them.

This was 5-6 odd years ago and he no longer works there, so things might have changed, but based on this tweet it seems unlikely.

3 comments

> due to Valve's internal structure (or lack thereof) there really isn't any incentive for anyone to fix them

This seems to be a common theme with problems at Valve.

This seems common in the industry at large. At my job it's impossible to fix an issue unless someone specifically puts in a ticket for it. I look at all the bugs in the code taunting me. Little landmines either nobody has stepped on yet or was too lazy to write a ticket for. Some tickets languish for years in the tracking system we use until the almighty scrum master doles them out. I am in hell.
At my previous client, the scrum master didn't decide 100% of the work, we could pick a small percentage of technical items to work on.
The scrum master decides the work? Why has agile become such a mess?
It’s been a while, I actually forgot a bit about the process, and I got it mixed up. Point being: tasks without a clear business driver were regularly brought into the sprint by devs.
Other people choose their own tasks off the backlog. I chose my own and got a talking to. :)

Our lead says that all work must come from the scrum master but in practice it is selectively enforced.

Game devs don't optimize for security, because they're not incentivised to.
This is a common problem in other parts of the software industry, but Valve is missing a piece of the solution.

The typical problem at software companies is that developers are incentivized only to write code for new features that will land them promotions and look good on their resume--but bugfixes and security work are not part of that.

Management can counteract this with top-down initiatives. Programs like "fix-it week" or teams dedicated to security with different incentives in place. For example, Google suffers from the "promotion-oriented programming" about as badly as any other company, but they manage to take security seriously.

Valve has "flat hierarchy", which goes in quotes because the hierarchy isn't really flat, it's just hidden. Because the hierarchy is hidden, it's harder to address large-scale problems like institutional priorities... because there are fewer people to delegate large-scale problems to.

And then their MMO/MMORPG server gets p0wned, with everyone taking advantage of extra virtual money, adding assets to their characters for free and auto aiming packet correction.
And, as evidenced by Grand Theft Auto and Counter-Strike, players continue playing with hackers.

There is even reason for (say, for example) Rockstar to leave hackers alone in GTA: they act as artificial whales to lure real players into buying in-game currency in order to keep up/seek revenge.

There are a few games I can think of off the top of my head that have a symbiotic relationship with hackers.

The kind of hacking that happens in first-person shooters has nothing to do with security failures. It is fundamentally impossible to stop aim bots. All you can do is continually play cat and mouse games to make it harder.
Why is it fundamentally impossible to stop aimbots?
Because the player's computer needs to know where the enemy is in order to render them on the screen, create footstep sounds, calculate shadows, etc. As long as the player has ultimate (root, admin, etc) access on that computer, it will always be possible for a program running with elevated privileges to read that enemy position data from the game's memory and make the required mouse movements to point at it and left-click.

The only way to prevent this is to remove elevated access from the player's computer. This has been done with varying levels of success on consoles, but even then it's only a matter of time.

Because it requires you to distinguish between a human's aim and a bot's aim, which is pretty much impossible with a good enough bot.
Indeed, there's still plenty of these.