this post was submitted on 27 Dec 2023
73 points (100.0% liked)

Games

16742 readers
818 users here now

Video game news oriented community. No NanoUFO is not a bot :)

Posts.

  1. News oriented content (general reviews, previews or retrospectives allowed).
  2. Broad discussion posts (preferably not only about a specific game).
  3. No humor/memes etc..
  4. No affiliate links
  5. No advertising.
  6. No clickbait, editorialized, sensational titles. State the game in question in the title. No all caps.
  7. No self promotion.
  8. No duplicate posts, newer post will be deleted unless there is more discussion in one of the posts.
  9. No politics.

Comments.

  1. No personal attacks.
  2. Obey instance rules.
  3. No low effort comments(one or two words, emoji etc..)
  4. Please use spoiler tags for spoilers.

My goal is just to have a community where people can go and see what new game news is out for the day and comment on it.

Other communities:

Beehaw.org gaming

Lemmy.ml gaming

lemmy.ca pcgaming

founded 1 year ago
MODERATORS
top 8 comments
sorted by: hot top controversial new old
[–] conciselyverbose@kbin.social 39 points 10 months ago (2 children)

This is how you communicate a security breach.

[–] KoboldCoterie@pawb.social 25 points 10 months ago (1 children)

Seriously, 27 hours from when it first happened to report it to users? Especially when most of that intervening time was spent recovering things? That's stellar. We're lucky to hear about corporate breaches in 6 months.

[–] conciselyverbose@kbin.social 23 points 10 months ago (1 children)

It's also incredibly clear and gives a lot of information on when you do and don't need to be worried. I'd probably take the extra steps to verify I wasn't exposed even if I was in one of the "you're OK" categories, but I appreciate the detail on principle.

It's weird that "we got hacked" is going to get me to try out a mod, but here we are lol.

[–] sugar_in_your_tea@sh.itjust.works 4 points 10 months ago (1 children)

The same is true for other stuff too. For example, I'm more likely to use a password manager if they handled a breach responsibly than an unproven service. I'm looking for essentially three things from a breach:

  • when did they detect it, and what was their immediate response?
  • how transparent were they in communicating the breach, and did they need to make amendments later? (more tolerance if they're quick with reporting the breach)
  • what changes did they make to ensure it doesn't happen again? Were those changes merely to patch this vulnerability, or did they notice other vulnerabilities?

Breaches happen, so I'm mostly interested in how their existing security ops mitigated the fallout (e.g. did they properly salt passwords, have transaction limits on the DB, etc), and how thorough the investigation was. A good org will be much stronger after a breach than most competitors, so if everything checks out, they're probably a safer bet going forward.

[–] conciselyverbose@kbin.social 4 points 10 months ago (1 children)

Given the scope of this project (a non-commercial free mod), I would honestly not judge them harshly for a much poorer response. It's not their job; if they took a couple days to notice during the holiday season, then weren't able to say much more than "we think you're fucked if you have this mod installed", a lot of harm might be done, and they'd definitely see a lot of criticism, but I'd understand. For a small team that don't do security, especially one who aren't even selling their product, getting hacked has the potential to be extremely overwhelming, and you very possibly don't have the expertise or resources to investigate properly.

Instead, they put a bunch of real companies to shame. (Some of those companies have breaches that are a lot more complex in scope, but still.)

[–] sugar_in_your_tea@sh.itjust.works 1 points 10 months ago

Yup, I 100% agree. I absolutely take the size of the org, the risk to me (e.g. medical info is more impacted than game playtime), and how much I paid into account when evaluating a response.

This was a way better response than I could ever hope for from such a project.

[–] imPastaSyndrome@lemm.ee 1 points 10 months ago

Yeah that was incredibly incredibly clear

[–] Neato@kbin.social 18 points 10 months ago* (last edited 10 months ago)

Important info:

-The breach window was roughly 1:30 PM-2:30 PM Eastern (1830-1930 UTC+0) on 12/25.
-Downfall is safe to launch once more, and has been since roughly 2:30-2:40 PM Eastern on 12/25 (1920 UTC+0 on 12/25).
-If you did not launch Downfall in the breach window, you're clear.
-If you got an automatic update for Downfall on 12/25 but did NOT launch, you're clear.
-If you launched Downfall via the Steam Workshop (meaning you actually launched Slay the Spire), you're clear.
-If you did launch Downfall on 12/25 and succeeded and everything looked normal, you're clear.
-If you did launch Downfall on 12/25 and saw a command-prompt like screen, that starting spitting out a bunch of text after about 10 seconds, you're in the clear. That was actually just the Java log which we usually keep hidden, but accidentally left visible when we restored the game.
-If you did launch Downfall on 12/25 and got a 'no .exe found' type of error, you're clear. That was us exploding the game to prevent anyone else from being affected.
-If you did launch Downfall on 12/25 during the breach window and got a Unity library installer popup, please continue to read. You may be also at risk.