[ndriscoll]

But what I'm saying is why do they need to install updates? If the only open port is your software, who cares if curl or ssh or whatever is out of date. Worst case, you shut it down if it ever does get compromised, and there was nothing anyone could do with that machine because it was underpowered and firewalled to only allow incoming connections on your game port and no outgoing connections. Unless there's an exploitable vulnerability in the Linux networking stack or their server application, everything else doesn't matter. If they run it in fargate, Amazon will take care of Linux patches, so it's only their application server that matters. Games usually use custom UDP protocols, right? So there's no off-the-shelf library for them to patch in their application.

Same deal with people talking about windows requiring new hardware really: for most people the answer should be "good, it'll stop rebooting to update now". Almost everyone is behind a firewall that doesn't allow incoming connections (it can't by default because of NAT). The only point of entry is the browser, and if you stay off the seedier parts of the web and have an adblocker, that's not really an issue either. Your bank or Spotify presumably aren't going to be dropping malware on your machine via old browser exploits.

You can't do that kind of thing if you're under some auditing regime, but they're not, right?

[klausa]

Because that's not how videogames in 2023 (or the past ~decade plus) have worked.

You need, at a very minimum:

— login system that also works with consoles

— persistence for users stats (maybe not for some kinds of games)

— matchmaking service (which really wants a persistence system for SBMM)

— make sure your systems aren't actively being exploited (you don't want to accidentally run a botnet)

— make sure nobody is "hacking" or modding the game (what's the point of keeping the severs up if they're filled with aimhacking bots)

— monitor the services to make sure they're up

— potentially patch the games on multiple platforms if you need to make a backwards-compatible change to fulfill any of the above.

— also potentially update your games if the console vendors make changes to their stacks

I agree that it sucks that the services are being shut down without any alternatives being provided, and I wish there was a way to force the publishers to support them for longer or provide an OSS servers options; but it is definitely not "free" or "easy" to provide these services for years.

[ndriscoll]

You already have the login and database systems though. And who cares if someone mods or hacks the game; you were going to abandon it. If people are still having fun, you've added some incremental happiness to the world. If an OS vendor breaks your game that you otherwise would've abandoned, that sounds like something the users should take up with the OS vendor (really, it's something the users should take up with the OS vendor regardless, but if you've already decided you're done supporting it, that definitely applies). Or on PC they can avoid patching/"upgrading".

Basically, unless someone takes control of your servers or other players, if the alternative is to shut it down, why not just leave as-is and not maintain/support it? If an impactful exploit is found, then shut it down. Preemptively shutting it down because the experience might degrade is silly; shutting it down will definitely break it.

[roygbiv2]

So you want the unsupported, unmanaged, not monitored game server - that will get hacked - access to the credentials database that holds emails, password, names, addresses and possibly payment details?

You also want users to contact the the OS devs when their old, unmanaged, not updated game no longer works? Or you want the users not to install important security updates because they want to play one old game?

None of what you've said really makes sense in the the enterprise IT world. AS it's already been previously stated to you, you can't just spin up a VM and host your game on it, it just doesn't work like that. There are plenty of valid reasons for that in the thread already.

[ndriscoll]

Why would a game server database have payment details or passwords or PII? That's insane to start. It's a video game server, not a bank. It shouldn't have anything important on it. Even auth is handled by platforms/stores (which are maintained) for some time now, right? So the actual game servers just receive tokens for the user?

> Or you want the users not to install important security updates because they want to play one old game?

If the OS vendor is releasing patches that break user programs, then yes. This anti-customer attitude of move fast and break (other people's) things (without their consent) needs to die.

Historically, games were designed so that you very much could just spin up a VM and host it. Has that competence been lost? I'm not seeing why things aren't designed to continue working. It's not difficult to do.

[roygbiv2]

You want separate logins to purchase dlc?

You also now want the current login severs to continue to support the old game logins and handle auth for them? So we're still supporting the old game, still maintaining it.

These old unmaintained, unmanaged servers you want to run get hacked they distribute malware to your users. Whoops, the hosting provider finds out, the business account gets locked, now nothing works.

They get hacked a different way, they start mining bitcoin, your hosting provider finds out and locks the business account, whoops, now nothing works.

They get hacked a different way, they intercept the api calls to the auth servers. They use the auth tokens to break into people's main accounts, use that for phishing attacks, steal millions of dollars. Whoops.

>it's not difficult to do.

That's the point you don't get. It is difficult. Standards change, security changes, things NEED updating or things go wrong, people lose confidence in you, you dont make any money and you go out of business.

Spin up an old version of minecaft on an old version of Linux, see how long it lasts before it all goes wrong.