[themoonisachees]

I don't believe outright that it's a botnet (or maybe a botnet has separately taken advantage of it), but the CEO's reaction to me smells like a guy who either is completely incompetent and should not be writing security software, or a guy who wants to cheat, got his kernel driver approved by EAC and is mad about being found out.

I suspect the DDoS might also be coming from cheat users who are mad that light is being shined upon their incredibly powerful cheating method.

[jstarfish]

> smells like a guy who either is completely incompetent and should not be writing security software, or a guy who wants to cheat, got his kernel driver approved by EAC and is mad about being found out.

That's an interesting take. You think an anti-cheating tool might be being used for cheating? I hadn't considered that.

On further thought, in having such a backdoor present that isn't being exploited/resold, it does give the "proctor" unfettered access to the target device to legitimately look for cheating tools running with higher privileges than the user. I'm guessing most cheating tools need to run with system permissions to intercept API hooks and stuff, so you'd need a similar degree of access to detect that?

I don't think it's incompetence; the guy is clearly technically-minded enough to understand what the researcher is talking about and, rather than explain it, challenge him on it. I meet these types all the time-- he gets away with gaslighting kids all day, so when an adult who isn't placated by "you just don't understand"-type dismissals shows up and starts asking pointed questions, they get angry, hysterical and/or violent (the Phoenix Wright games capture this hilariously well). He's too defensive to not be hiding something; their collective response is too over the top.

If he's not selling access, the functionality of the product itself may well depend on this exploit, which would also be a compelling reason to suppress attention and refuse to address it.

[themoonisachees]

It most definitely is being used for cheating (all current EAC-bypass tools use this driver), the question is if the guy did it in purpose to cheat himself or not. It's debatable to say that he needs a driver to look for cheats, especially when you consider the kind of "cheat detection" going on here, but it's not completely out of question to do it either.

The product need not depend on this exploit. There are common best-practices one may use to secure access to driver calls. He's implemented like 1 of them. I think he's just an asshat who doesn't like being called into question, but there's a very real possibility that he took advantage of his whitelisted driver and is now mad he lost that advantage. I genuinely believe he's not the one DDoSing though, that's more of a cheating forum thing.