“Pretty sure it’s a type of bigotry I just invented to suit me”.

People are downvoting because they can’t read it and this is an English language forum. They’d do the same to commenters posting everything in latin - it’s not helpful to post like this in this community, which is why repeat offenders become downvote magnets (or just blocked).

People would also downvote if comments were being posted in latin or mandarin on an English language comminity: its unreadable to most of the participants and thereby negatively contributory to the discussion.

remembers Gofer programming language from CS unit and shudders

Every Catfriend build since v2 has been reproducable. Most apps on F-Droid are and they are encouraging it for all devs, to build trust.

https://verification.f-droid.org/packages/com.github.catfriend1.syncthingfork/

Update from Simon aka imsodin, Syncthing Maintainer

tl;dr for android users: No need to switch apps at this time, the current install continues to work and is safe. If you can disable app auto-updates, please do that for now to be on the safe side.

Good news: Had a good chat with @nel0x. He is a collaborator on researchxxl’s repo and just marked those releases as “pre-release”, which prevents the obtainium auto-upgrades. So we are back to no immediate risk for users and we can take it slowly, trying to establish communication and more context. It’s still possible and imo likely that nothing nefarious is going on, just a very suboptimal handover that needs clearing up. There’s no need to go dig for repos on github, the technicalities of continuing to publish an app are not an issue - the open/relevant points are about a possible direct continuation of the existing app (or not), the time/effort that needs to be volunteered to publish an app and the trust in whoever does that. Hopefully we can work something out. If you are interested in helping maintain the app, let us know, other than that imo nothing to do here except if you are a user, to do the above in the tl;dr and every now and then check-in on the status (now and then being more like every week than every hour 😉 ).

https://forum.syncthing.net/t/does-anyone-know-why-syncthing-fork-is-no-longer-available-on-github/25661/58

Sounds like a really good reason not to use Obtainium, if any repo you have tracked for updates can just redirect you to a completely different repo If they have the keys - and throw no complaints when updating to an entirely different apk.

With F-Droid they at least have to have the same signing keys, and the code must be a replicable build by F-Droid’s internal apk signature copying process - meaning the code for the supplied APK always matches the code on the repository for the build.

Two reasons: laziness (glue trap goes in the bin without having to clean it, and effectiveness (not much escapes them).

Both are bad reasons, given the additional environmental costs and inhumane method.

I don’t like Obama but the Nobel Prize Committee has the opportunity to do the funniest thing here.

Give Michelle Obama the peace prize.

Edit: lol ok a Venezuelan working to remove an illegally-elected president is a great second choice and should chafe Mango Mussolini badly.

The Onion used to have much more subtle buffoons and villains to satirise. It’s definitely much harder for them now, I was eating the onion on this one also. Spider senses tingled when I read this line though - far too clean of a segue for Trump, and the disjoint is an after-thought, which made it read false.

“I don’t think it would kill the committee to give me the prize, not that these boats couldn’t easily kill them, easily.”

I played a few DoTA games with friends while this was occurring and twice during gameplay approximately 10 seconds of play experienced some server-side lag for everyone in the game - there were moments of confusion that rapidly passed. Steam ops team did well.

Truly a tremendous impact and a fantastic use of the attackers time and resources.

Haven’t seen anyone say this so I will: if your home isn’t Fort Knox or a billionaire bunker, then presume it will be broken into. If they don’t steal your shit, they might just smash it for funsies. If you’re running home lab, you probably don’t have the money to turn your home into Fort Knox, but even if you did you’d probably be better off removing the need:

1. back important data up to another site automatically: Friends house, family, cloud, etc. Preferably far away.
2. encrypt everything that’s got private data on it, both onsite and remotely.

Then you don’t have to worry about theft or damage or fire. Congrats, you’re doing better than probably 50% of businesses-grade setups.

The difference is that passworded zip files are used to distribute malware regularly. For a few reasons such as they’re very simple to use (malware creators are often lazy) and they can be generally be unpacked with preinstalled libraries or programs on the OS. A random encrypted file will require a DLL or runtime that can unpack the blob, and antivirus engines find that kind of stuff packaged together very sus.

Thanks for the effort digging. This does not actually point out any game doing it in particular though, and it’s actually a perfect example of a working antivirus picking up a suspect file (a password protected archive) in a game’s install tree.

This is from Aug 2024 and could even be from one of the games that distributed malware. Its absolutely something that Steam should be blocking/flagging for manual review, and a huge red flag that any developer would use this as a tool for distributing their game content.

Good it is not when the recommendation from security experts and reporters is to avoid any Steam games with low numbers of installs / reviews and betas from small companies. That’s where we’re at now.

https://www.bleepingcomputer.com/news/security/verified-steam-game-steals-streamers-cancer-treatment-donations/

Nobody reviews game code, as game code is not supplied, only binaries with their relevant resources. There are many security providers that would be able to provide better service that whatever Valve is doing - but who knows, because they keep tight-lipped about it every time there’s an issue, and just patiently await their defenders to hand-wave any concerns.

It literally contained a known version StealC malware in its payload, and had basic python scripting with the Telegram bot code and access tokens left visible to researchers (very bad OSINT). This was not sophisticated scripting, nor novel malware, just some script kid that sourced the whole setup on Telegram. The malware would easily have been captured by a competent security company’s automated scanner.

https://www.bleepingcomputer.com/news/security/verified-steam-game-steals-streamers-cancer-treatment-donations/

Citation please for any indie dev using passworded zip files to lock game content. That would be a pretty dumb approach given all retail security suites / antiviruses will flag a password-protected archive as suspect by default (because they’re so commonly used in the past to distribute malware).

All they’re expected to do is pay for upstream providers to scan their submissions (eg third party security providers), no need to hire new staff. This is the fourth instance publicized this year! They should communicate regarding issues like OPs - but like usual, it’s crickets.

They’ve already missed four instances of malware this year that have been publicly reported. How many have other storefronts missed?

I don’t see why asking them out to improve is an unbalanced response or unfair, given the enormous budget they have and the market dominance.

Who said you need to pay more for games? Steam already takes thirty percent of sales (for the vast majority of sales), they are a $10b+ game distribution company… They’re worth more than several leading security/antivirus companies combined.

I just don’t understand the mindset people get around Steam. They are a business that makes a fortune distributing games, run by a billionaire - they are not a little indie company struggling under the weight of their success.

Well since Steam provide absolutely zero details about their scanning process (or even if it exists), seems like conversely people are making a lot of really complementary assumptions about Steam, no?

This is certainly not the first malware distributed by Steam - this is in fact the fourth publicly-known instance just this year.
Seems like they need to step up their game if you ask me.