An important discussion on trustworthiness

With the recent malware attacks (people DM others to play test their game and download malicious exe stuff from their Itchio page), we can assume that players will be a lot more cautious towards new games, especially the ones that require you to download an executable file.

After some short discussions, I came to a few things a small fetish dev like me can do to increase new players’ trust when they look at the game page.

  1. Show effort
    Lots of screenshots and detailed descriptions of the game to show that you spent effort to make it. A malicious developer wouldn’t spend as much effort and their game page would probably have one or no screenshot + very basic description
  2. Encourage feedback
    A game with lots of comments and ratings is less likely to be malware
  3. Make your game open source
    This is a surefire method to get trust from your players, although you will have to expose your game’s code which many devs do not like.
  4. Verify your game files with VirusTotal.com
    This is a bit technical so bear with me. First you upload the game executable files to https://www.virustotal.com/ and then get the resulting link with the checksum. Then post the link along with the downloads of your game so people can confirm that it has been virus scanned.
    EDIT: It looks like VirusTotal’s T&Cs are a problem. By uploading something you give them rights to host and redistribute with no restrictions. Let me know if you have any good suggestions to prove that your game has been virus scanned
  5. Just make a web game, web games are mostly secure because modern browsers double as very secure sandboxes.
  6. Getting a code-signing certificate from services such as Digicert
    This is by far the best way to get trust because your game program will be signed with your signature. But getting a certificate can cost you $500+ and you also need to share your personal information to register.

Lastly, you yourself should also watch out when playing new games because they could potentially be malware! My favorite dev got their Discord server taken over because they played a malware game on Itch. Make sure the game you’re downloading is trustworthy by watching out for the above signs, and set up Sandbox to run them if you can.

Note that web games are not 100% safe; there can still be web games that are malicious exploits or phishing, so still look out for any telltale signs before you play one! Also keep your browsers updated to protect yourself from exploit attacks from websites and web games in general!

30 Likes

ok thank you for informing the dangers

Hello, I totally disagree with number 3; too often we find our work stolen and claimed by other people.
It’s ok for small projects, but for bigger projects I find it scandalous to ask that much.

1 Like

You’re absolutely right, in many cases it’s not feasible to make the project open source. But since most of us are small devs looking to get more players for our small games, I think it’s alright. Until we gather a good amount of following and take on larger, more robust projects

I applaud the idea, but have a few issues:

I agree that it builds trust, but going open source isn’t a real solution. There’s absolutely no guarantee that any pre-built version (which is what people mostly use) actually came from the source code supplied and doesn’t have any “extras” included. Unless you download the source, pick through it, and then build it yourself from the source there’s no guarantee it’s clean (even popular projects with lots of intelligent eyes on them have occasionally had less-than-savoury parts included). There’s also an assumption that a mysterious “someone else” is doing the job of checking the source isn’t mischievous.

VirusTotal’s T&Cs are a problem. By uploading something you give them rights to host and redistribute with no restrictions. Not happening. And if the end-user did it they could end up in all sorts of legal trouble - you’re assigning rights to VirusTotal that weren’t yours to give.

I wouldn’t trust a browser game any more than an installable one. Yes, the browser has a sandbox, but the browser is also the focus of many attacks - and if code gets out of the sandbox it’s right in there with all your personal stuff, logins, cookies, sessions and all the methods it needs to exploit them. Although The Incident wasn’t a browser game, the browser was the first place it went to exploit!

Some other suggestions:

This should be obvious, but don’t use pirated content or stuff that is “mirrored” other than on the dev’s chosen hosting. Somewhere along the way unsavoury things can get “added/patched/wrapped” into the original. The more tempting a pirate copy is, the more likely it’s been doctored.

Support your devs to the extent that they can afford to use code-signing certs on their games. At least the OS can then check what you’ve got is what the developer intended, and if their intentions aren’t honourable there are some consequences (assuming the CA is doing their job and verifying the developer).

2 Likes

Thank you for the great response!

Yup, the goal is to build trust, not to be completely 100% foolproof. There is malicious open source software out there, but it’s harder to do malicious things when your code is open source. I guess you can go one step further and release the hash of your distribution’s executable on your source repo so people can check them against the release posted on your game page.

I see, that’s a problem then. Do you have a suggestion for any similar service to show that the executable releases are virus free? It’s absolutely not practical to spend $500+ to get a code signing cert for small developers like us

I would trust browser games more simply because there are fewer angles of attack possible because of limitations browsers place on the web apps. An executable can have nearly limitless power over your computer (ransomware can lock everything in your hard drive, an extra malicious exe can delete your personal files, …) while a web app is much more limited in what it can do even if it can perform exploits. And you can be protected from most web-based exploits simply by keeping your browser updated.

Again, I want to focus our discussion on how to build trust, rather than how to be 100% free from malicious attacks such as malware. Your solution to get code-signing certificate is the best one, but most of us don’t have $500+ to spend to register for one.

4 Likes

It really isn’t. Let me put my devious ba*d hat on:

  1. Fork a popular open source project, add fetish content, commit the changes to your public repo.
  2. In your local copy only: add bad-things, build, and generate the dist. Do not commit.
  3. Checksum the infected dist, post it and its checksums/hash alongside the untainted source.
  4. Post link to your repo where people will want to try it.
  5. Profit.

The repo is clean, a build from source is clean. The checksum will just verify that the end user has the infected pre-built copy I wanted them to get. Any attempt to verify the published checksums against a clean build from the source will likely fail because the packaged dist will contain timestamps and usernames that will be different from build to build anyway.

It all boils back down to, as you’ve rightly pointed out, whether you trust the developer.

Unfortunately bad actors know that too; it’s a basic of social engineering. That’s why the payload in these things often likes to exploit your contacts; messaging the infected person’s friends as though it was the person you trust providing the link.

I don’t know of an alternative to VirusTotal, and to be honest I don’t believe them to be untrustworthy. But, I don’t know what the disposition of the owners in any future buy-out would be or what that might lead to.

Code signing certs are a stupid price for what they are. While they can be found for sub $100 annually, it’s still out of the question if you’re barely scraping together rent. And, at the end of the day it only really answers the question would the CA say they trust a person for a $500 (or $100) bung. You’d say you’re my bestest mate for a Benjamin wouldn’tcha?

On browser based attacks: on any given day I think it’s safe to say an exploit is available to break the sandbox for the right amount of bitcoin to the right (wrong) people. Once out of the sandbox, you’ve the same access as an executable run by the user (and I’m sure the same people will sell you tools to elevate your program’s rights too). The difference is that people trust a browser based thing more than an executable (which works in the favour of the attacker - after all we are talking about trust here) and it’s going to propagate much faster (which you need as it will get shut down faster).

I guess what I’m trying to say is that I don’t think you need to do anything specific to your code or game to earn trust. Being part of the community here for years and interacting for years is what earns that trust. It also provides us with the context to know if an out-of-the-blue DM, seemingly from you, with link and some text that doesn’t read like you wrote it is suspicious or not.

1 Like

Yeah that’s how you would make a malicious open source dist. Are you sure you’re not one of the bad guys? :eye: :eye:

Jokes aside a good Samaritan might catch you by compiling the dist and checking the hash themselves but I do agree that doesn’t happen often.

You have to submit personal info when registering with the CA, so they might prosecute you if you use the cert to sign ransomware lol. Hence I still think signing your software is still the most trustworthy method

Yup, but the chances are much lower. But since trust is subjective we both can be right. Imo I trust web apps more because they are inside a secure looking sandbox, and I guess it might bite me in the ass when they actually manage to get out of the sandbox and use my credit card to buy all the bitcoins xD

I can’t live in fear tho so I guess I’ll have to live with the fact that there’s a non-zero chance of that happening, and try not to have important info saved anywhere, along with 2FA everything I can.

1 Like

Maybe there could be a role for people with good sandboxes set up who would volunteer for testing.
People who upload games would put them up into a sort of waiting list for these people to get them first and make sure nothing bad is happening.

just another idea for the pile.

No (but you’re thinking the right way :innocent:) - I used to do code reviews looking for exploits so I have a different mindset for this kind of thing. Developers under time pressure usually are laser focused on getting the “good case” to work at all; they don’t think about … other uses. I’ve seen some doozies.

Not really possible. The dist is usually an archive of some kind and will contain time-stamps of the files indicating when the build was run. Even if the dist was of the clean source you’d end up with a different checksum/hash because of those even if the contents of the files are identical.

About that - at the low end the requirement seems to be a photo of your driving license. And all driving licenses are totally legal (not forged) and all photos can’t be digitally manipulated? The CA rigorously checked it was a valid license? I’m open to the idea that a sufficiently motivated bad actor could get a cert for a non-existent person at an imaginary address if they wanted to.

Still certs are probably the best we have.

2 Likes
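
Added example, not written by anyone in the thread: the posts above note that a rebuilt dist archive hashes differently from the published one because of embedded timestamps. This Python sketch compares per-file content hashes instead of the whole-archive hash, so identical contents match and a changed file is named; the file names and contents are constructed samples.

```python
import hashlib
import io
import zipfile

def build_zip(files, date_time):
    """Pack {name: bytes} into an in-memory zip, stamping every member with date_time."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in files.items():
            zf.writestr(zipfile.ZipInfo(name, date_time=date_time), data)
    return buf.getvalue()

def archive_digest(blob):
    """SHA-256 of the archive bytes, the value usually posted next to a download."""
    return hashlib.sha256(blob).hexdigest()

def content_manifest(blob):
    """Map member name -> SHA-256 of its unpacked bytes, ignoring archive metadata."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return {i.filename: hashlib.sha256(zf.read(i)).hexdigest()
                for i in zf.infolist() if not i.is_dir()}

def manifest_digest(blob):
    """One digest over the sorted manifest, stable across timestamp-only differences."""
    h = hashlib.sha256()
    for name, digest in sorted(content_manifest(blob).items()):
        h.update(name.encode("utf-8") + b"\0" + digest.encode("ascii") + b"\n")
    return h.hexdigest()

def diff_manifests(published, rebuilt):
    """Names of members that are missing on one side or whose contents differ."""
    a, b = content_manifest(published), content_manifest(rebuilt)
    return sorted(n for n in a.keys() | b.keys() if a.get(n) != b.get(n))

# Constructed sample data: two builds of the same files at different times,
# plus a third archive in which one file's bytes were changed.
GAME = {"game.exe": b"MZ constructed placeholder", "data/level1.dat": b"level data"}
BUILD_A = build_zip(GAME, (2024, 1, 1, 10, 0, 0))
BUILD_B = build_zip(GAME, (2024, 3, 5, 18, 30, 0))
ALTERED = build_zip({**GAME, "game.exe": b"MZ constructed placeholder + extra"},
                    (2024, 1, 1, 10, 0, 0))

if __name__ == "__main__":
    print("archive hashes equal: ", archive_digest(BUILD_A) == archive_digest(BUILD_B))
    print("manifest hashes equal:", manifest_digest(BUILD_A) == manifest_digest(BUILD_B))
    print("changed in ALTERED:   ", diff_manifests(BUILD_A, ALTERED))
```

This removes only archive-level metadata from the comparison; if the build tool embeds timestamps or paths inside the binaries themselves, the per-file hashes will still differ between builds.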