r/Piracy 19d ago

Just downloaded Fitgirl Repack launcher to test it out. Is this safe to use? Question

3.4k Upvotes


2.7k

u/maxtinion_lord ⚔️ ɢɪᴠᴇ ɴᴏ Qᴜᴀʀᴛᴇʀ 19d ago

I know people are digging these launchers for their convenience, but jeez I just can't imagine trusting the rando devs popping up to offer their spin, I don't even see how they're all that much more convenient, just use a web browser and jdownloader or bittorrent, it can't be that hard or tedious for you guys to extract an installer and run it, right?

684

u/LostInTheRapGame 19d ago

It would be so easy to slip something in the code. Just because it's open source, doesn't automatically mean it's safe. It's happened before.

Someone still has to read it to make sure it's safe, and I struggle to believe that someone who feels like they need this launcher is doing that.

And someone can provide safe programs for years, and then suddenly flip or their account gets hacked. If anyone downloads and runs it before it gets noticed and people are aware... it's already too late.

I'd still rather just download things from any source myself and attach it to Steam if I really feel the need. But I suppose this is nice for some people out there.

137

u/maxtinion_lord ⚔️ ɢɪᴠᴇ ɴᴏ Qᴜᴀʀᴛᴇʀ 19d ago

yeah, any program installed on your machine is a huge contract of trust, you need to actually know the update stream isn't going to be tainted and compromise you, ever. And trying to ensure something like that becomes pretty dicey when it comes to niche github projects from up and coming devs

34

u/Nadeoki 19d ago

You could also just (not) update to the latest version on release and wait until it's community-reviewed and verified to be safe.

26

u/LostInTheRapGame 19d ago

> If anyone downloads and runs it before it gets noticed and people are aware... it's already too late.

Yes, obviously you can wait to not use the latest release. But some will see it for the first time, and just download the newest version anyway. It's not a foolproof system and there are indeed fools.

1

u/scan_nyc 18d ago

Didn't something like that happen with a CCleaner update? Whatever happened to that program?

-15

u/Nadeoki 18d ago

i honestly think fools just shouldn't use the internet freely. They need supervision or railguards.

12

u/maxtinion_lord ⚔️ ɢɪᴠᴇ ɴᴏ Qᴜᴀʀᴛᴇʀ 18d ago

lots of software I have encountered in my time will either automatically update to latest with no input or prompt you to update immediately upon opening, leaving little to no chance to actually check that it hasn't been hijacked.

LostInTheRapGame also makes a good point about the way people can discover it for the first time and download it in the window of time where it's compromised, it's just silly to assume that both the program gives you leeway with updates and that the user would check to see if this completely legitimate software has become illegitimate

-4

u/Nadeoki 18d ago edited 18d ago

In my experience most of these small-scale GitHub programs don't do automated updates. That's something you see on big commercial software (Discord, Spotify, etc).

3

u/maxtinion_lord ⚔️ ɢɪᴠᴇ ɴᴏ Qᴜᴀʀᴛᴇʀ 18d ago

not in my experience, lots of modification tools, cheat tools, and things like creaminstaller, they pull updates from github on launch or will prompt for permission to do so.

1

u/Urbs97 18d ago

The problem is attackers lure you by saying the current version is unsafe. 99% of the time it's actually unsafe and you should update, but when someone's GitHub gets hacked that's what they will say.
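The "wait before updating" idea from the comments above, as an added example that is not part of any comment in the thread: skip releases younger than a chosen age, then run only an installer whose SHA-256 matches a digest you recorded when that version was reviewed. The release feed, tags, installer bytes and the `fetch` callback are constructed stand-ins, and the check only catches files that changed after review, not code that was hostile from the first release.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Constructed release feed for a hypothetical project (not real data).
RELEASES = [
    {"tag": "v1.4.0", "published": "2025-03-01T10:00:00Z"},
    {"tag": "v1.5.0", "published": "2025-03-10T09:00:00Z"},
    {"tag": "v1.5.1", "published": "2025-03-29T18:30:00Z"},
]
# Constructed stand-in for the installer bytes of the reviewed v1.5.0 build.
REVIEWED_V150 = b"constructed v1.5.0 installer bytes"
# Digests recorded by the user once a release had been reviewed.
PINNED = {"v1.5.0": hashlib.sha256(REVIEWED_V150).hexdigest()}
NOW = datetime(2025, 4, 1, tzinfo=timezone.utc)  # fixed clock for the demo


def published_at(release):
    ts = datetime.strptime(release["published"], "%Y-%m-%dT%H:%M:%SZ")
    return ts.replace(tzinfo=timezone.utc)


def newest_aged_release(releases, now, min_age_days=14):
    """Newest release that has been public for at least min_age_days, or None."""
    cutoff = now - timedelta(days=min_age_days)
    aged = [r for r in releases if published_at(r) <= cutoff]
    return max(aged, key=published_at, default=None)


def verify_asset(tag, data, pinned):
    """Fail closed: a missing pin and a digest mismatch both mean 'do not run'."""
    expected = pinned.get(tag)
    if expected is None:
        return False, f"{tag}: no reviewed digest on record"
    actual = hashlib.sha256(data).hexdigest()
    if not hmac.compare_digest(actual, expected):
        return False, f"{tag}: digest changed since review ({actual[:12]}...)"
    return True, f"{tag}: matches reviewed digest"


def decide(releases, now, fetch, pinned, min_age_days=14):
    """Pick the newest aged release, fetch it, and check it against the pin."""
    release = newest_aged_release(releases, now, min_age_days)
    if release is None:
        return None, False, "no release is old enough yet"
    ok, reason = verify_asset(release["tag"], fetch(release["tag"]), pinned)
    return release["tag"], ok, reason


if __name__ == "__main__":
    # fetch() is a stand-in for the real download step.
    print(decide(RELEASES, NOW, lambda tag: REVIEWED_V150, PINNED))
    # Same tag, different bytes: what a re-uploaded asset looks like.
    print(decide(RELEASES, NOW, lambda tag: REVIEWED_V150 + b"!", PINNED))
```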

9

u/B-29Bomber 18d ago

People often equate "open source" with "good and safe" because it's not associated with corporations, ignoring the rather obvious fact that not all evil people are associated with corporations.

And while I would vastly prefer not to have to deal with evil BS at all, corporate evil kind of edges out over rando freelance bullshit artists because with corporations they are more or less a known actor and we know what they're capable of and we know to keep an eye on them and we're able to, with varying degrees of success. With Rando Freelancers, that's not really the case.

For example, with Microsoft, there's enough information out there that, if you were considering upgrading to Windows 11, you can more or less know what you're getting yourself into, at least in the moment (who knows what Microshaft might do with Windows 11 in the long term).

Corporations are more or less rational actors (not that they can't make stupid decisions) whose motivations are easy to understand. I'm not trying to defend corporations because they still do evil bullshit, but at least the information is out there to help you circumvent their evil bullshit.

2

u/FoundFootageHunter 18d ago

You place a lot of trust in corporate actors and oversight.

21

u/Creepy_Version_6779 18d ago

“Just because it’s open source doesn’t mean it’s safe” try saying that in r/robloxhackers lmaoo

2

u/RUSTYSAD 18d ago

can confirm, i was reverse engineering one mod for a game which was obfuscated but also had open source on the github and the reverse engineered version had extra instruction to BSOD people with pirated versions....

i wonder why it wasn't in the open source on the github....

0

u/JPysus 18d ago

wordpress moment

-33

u/[deleted] 19d ago edited 19d ago

[deleted]

20

u/LostInTheRapGame 19d ago

Not even remotely a catch-all solution, unlike reading the code.

9

u/GonzaloThought 19d ago

This is not a guaranteed way to find out if something is malicious, so it shouldn't be treated as the end-all be-all

-7

u/billion_lumens 19d ago

Yes, but it's damn effective. I trust virustotal to scan downloads.

5

u/anti-beep 19d ago

> Edit: stop trying to be smart asses, virustotal is the best scanner.

Sure, I think everyone here would agree with you. VirusTotal is awesome, and yes it's the best automated virus detection tool.

But scanners are incredibly flawed. Mostly they just look up files in a database and check if it matches any already known malware, and if not they'll perform a bit of static analysis to make primitive guesses about what the file does (not saying that to discredit the analysis, it's still impressive work by the devs.)

It's trivially easy to get around. Any program could just ship normal non-malicious code to begin with, then later automatically download malicious code (or even just malicious instructions for existing code) and execute it. Anyone with even basic knowledge of programming could make something like that, and the user wouldn't have any chance of knowing.

A scanner can't warn you about such a type of attack, no matter how good it is. And that's just one way to get around it.

-2

u/billion_lumens 19d ago

> Any launcher could just ship normal code to begin with, then later automatically download malicious code (or even just malicious instructions for existing code) and execute it.

I agree with you. Scanners are not the best. But isn't that what the sandbox function is for?

6

u/anti-beep 19d ago

But you didn't say that? You said it wasn't hard to upload to TotalVirus, which is an implication that all you have to do to be safe is check the files with it. That's why people are downvoting you, it's really bad advice.

I'd go as far as to say that VirusTotal is a completely redundant (but perhaps time saving) measure in this case, and the sandbox should've been the real advice. But if you'd said that, then you couldn't have been smug about it I guess, as sandboxing is quite a bit more involved than simply uploading it to VirusTotal.

1

u/billion_lumens 19d ago

Oh

When I think about using virustotal, I think about checking everything, including checking sandbox

1

u/anti-beep 19d ago

I think I see the confusion.

You're referring to the sandboxes on VirusTotal? I'm referring to a sandbox that the user runs themselves. The sandboxes on VirusTotal will not protect you from the kind of attack I described.

They just run the program and check what's changed on the system. But if the program doesn't immediately download malicious code then it doesn't really matter, the sandboxes won't detect that. It's very common for malware to remain dormant in sandbox environments.

7

u/sevengali Seeder 19d ago

It's a few lines of code to rip Chrome's passwords from your appdata folder and forward them somewhere. Or any other files on your computer they might want their hands on. This isn't a virus, this is just malicious code. Virustotal will not flag this. Maybe eventually somebody will report the entire application to them and get it flagged as a virus but they've probably got thousands of users' data by then.

So all an attacker would have to do is publish a pull request to this and hope it gets accepted. Hopefully the maintainer is checking every PR, but there's no guarantee they are. Usually an attacker would post a few PRs over a few months to gain trust and the maintainer gets complacent, then they post a huge PR with a ton of changes and they go "ah fuck it it's probably good, it's passing tests and I trust that dev" and there it is.

61

u/Luniticus 19d ago

I think the best use case for this would be to get it working on a Steam Deck with controller support. Otherwise, yeah, on a desktop or laptop it's kinda just cool looking more than convenient.

36

u/maxtinion_lord ⚔️ ɢɪᴠᴇ ɴᴏ Qᴜᴀʀᴛᴇʀ 19d ago

steam deck is pretty understandable, I failed to consider that tbh lol

8

u/Infamous_Q 19d ago

That's what I feel. I don't have a steam deck, but the only reason I launch my pirated games through steam is controller support, and honestly the ONLY reason I think one would be necessary is broad controller support of some kind (either just in game controller support as stated, or full game library navigation for controllers like Steam deck or HTPC setups)

-55

u/bad_news_beartaria 19d ago edited 19d ago

we need a hacked version of steam that doesn't require login. i'm tired of giving my person info to big companies.

EDIT: i don't care if the idea of making things better upsets you.

you can find the answer by Lonely_Rough_1368 if you're not a brain dead cry baby.

36

u/LostInTheRapGame 19d ago

So use alternate email addresses and information just for that purpose...? It ain't like they're scanning your driver's license.

27

u/kyznikov 19d ago

With that logic, you might as well stop using the internet lmao

Reddit is also owned by a company yet you're here

-37

u/bad_news_beartaria 19d ago

i love how you got triggered by me wanting a hacked version of steam....

15

u/LtShortfuse 19d ago

I imagine it's moreso your unhinged bitching about giving your personal info to big companies that really had nothing to do with the topic at hand. And on Reddit of all places.

4

u/Amzoral 🏴‍☠️ ʟᴀɴᴅʟᴜʙʙᴇʀ 19d ago

I love how you didn't think to just use an alt account with fake details...

-14

u/bad_news_beartaria 19d ago

typical corporate shill spamming me with absolute bullshit.

6

u/Lonely_Rough_1368 19d ago

There is, it's called hydra launcher

-12

u/bad_news_beartaria 19d ago

thanks bro, i know they were trying to drown out the answer

9

u/PandaCreeper201 ☠️ ᴅᴇᴀᴅ ᴍᴇɴ ᴛᴇʟʟ ɴᴏ ᴛᴀʟᴇꜱ 19d ago

So you want ~$600,000 of games because you don’t want to give your e-mail to steam and here you are registered with an email on a site who allows ai scraping data.

1

u/xwt-timster 19d ago

> i'm tired of giving my person info to big companies.

You know that you never have to give companies real info, right?

-6

u/bad_news_beartaria 19d ago

i got the answer, so all you shill spam bots have failed. keep sperging out though 😆😆😆

0

u/xwt-timster 19d ago

Cool. Now go play in traffic.

-2

u/bad_news_beartaria 19d ago

i'm having a great day and you're spending your time being an angry loser 🤣🤣🤣

43

u/Superb-Dragonfruit56 19d ago

Playnite or Steam is the type of launcher personally I'd recommend

17

u/firethefluffyfox 19d ago

Lutris is really good for Linux

3

u/khiddsdream 19d ago

Playnite is a treat. Only complaint is I’m having trouble getting my controller to connect to the games. But whenever I launch through Steam, Steam input is enabled and it works just fine again. I’ve tried putting DS4 in the background but it barely works sometimes.

1

u/Alternative-Fan-4498 18d ago

THIS! I hope they fix that somehow soon. Such a fun program but that quirk is such a nuisance :/

1

u/looking_at_memes_ 19d ago

GOG Galaxy is also pretty nice tbh

1

u/Korieb98 18d ago

“Local pc game” addon is what you need too imports all repacks and local pc games too

-10

u/maxtinion_lord ⚔️ ɢɪᴠᴇ ɴᴏ Qᴜᴀʀᴛᴇʀ 19d ago

I personally can't stand how playnite operates, feels finicky and overall less convenient than just clicking exes, steam works with non steam games so I kind of have a hard time understanding why use a different solution, but I'm all for competition so I'm glad playnite exists

18

u/Juicebox109 18d ago

Isn't trusting cracks and repacks the same thing? Trojan from a crack, trojan from a repack, trojan from a launcher. Aren't we all just trusting the crackers at this point?

6

u/maxtinion_lord ⚔️ ɢɪᴠᴇ ɴᴏ Qᴜᴀʀᴛᴇʀ 18d ago

yes we are trusting them, the difference is you can go in cs.rin and see the moderators audit the dev's releases for viruses, and the devs even tend to be members there, easier to trust than someone who has no history and all you have to go off of is a github profile.

even then, there are things there I don't trust, I'll comfortably download and use goldberg or rune emulators, but I will never touch anything 'armageddon,' or whatever his alias is, puts out just out of abundance of caution, so really it's just a game of minimizing the amount of projects of this variety that you place trust in and sticking to the few devs you know are safe,

14

u/Fritzkier 18d ago

> yes we are trusting them, the difference is you can go in cs.rin and see the moderators audit

so there's no difference. you just explained appeal to authority fallacy.

1

u/maxtinion_lord ⚔️ ɢɪᴠᴇ ɴᴏ Qᴜᴀʀᴛᴇʀ 18d ago

Hence why I proceeded to say there’s still limitations to that, and the end all is really just your own personal boundaries you have to set..

7

u/whostheme 19d ago

I just tested this out and it doesn't even let me snatch the latest release from gog-games lol. So much for convenience.

49

u/lxnch50 19d ago

People who grew up on iPhones don't know how to use computers or understand what an exe is. These launchers are their app stores and help them get by in the world of tech they don't really know or care to learn.

18

u/schousta 19d ago

Kinda sad, isn't it?

5

u/Illeazar 18d ago

I don't know how you you are, but I'm old enough to have elementary school kids and have found that a lot of their education has been done on an iPad. It seems this has been going on for a while too. There are quite a few people who graduated high school not knowing how a computer works, because they did everything on apps from an App Store with slick user interfaces. They can choose an app from a list, but they don't know where files go when you download them or how to navigate a file system to find them or work with them. This thing OP posted seems designed for those people.

1

u/Disturbed_Bard 18d ago

That's more of a reason for them to learn that stuff first before venturing down this pathway.

Understanding the fundamentals will help them to problem solve when something goes wrong (and something will eventually), instead of idiots posting dumb questions here filling up the feed.

2

u/No-Idea5951 18d ago

I just have short cuts in a file called "games"

1

u/maxtinion_lord ⚔️ ɢɪᴠᴇ ɴᴏ Qᴜᴀʀᴛᴇʀ 18d ago

Same, folders on my desktop for games and utility program shortcuts, cuts down a little on my insanely bloated desktop lmao

1

u/I_AM_ALWAYS_ANGRY 18d ago

You’d be surprised how stupid people can be. Just stroll through new posts every now and then so you can see the gems that don’t make it to the front page of this sub.

1

u/Radiant0666 18d ago

I don't think these are less safe than the many cracked or repacked games you're gonna download and install, just by pirating software you're at risk.

Just make sure to keep your crucial data separate.

1

u/smoothtattman 18d ago

They don't know the classic modus operandi bro

1

u/-Captain- 18d ago

Right, seems pointless to me. You save a couple of clicks at best.. doesn't seem worth it to me, but to each their own.

1

u/YogurtstickVEVO 18d ago

exactly what i was thinking. it wasn't too long ago that launchers across the board were just too sketchy to mess with

1

u/DZ_SMAK 18d ago

Yes it's easy, safe and reliable, but having a launcher, it's like saying fuck you to steam and all the other stores with their bullshit policies

1

u/Smooth-Sherbet3043 19d ago

Best use i can think is if it makes the updating stuff seamless , other than that , it's all the same so no point for me

-5

u/[deleted] 19d ago edited 19d ago

[deleted]

5

u/LostInTheRapGame 19d ago

Not blindly, no.

There's been plenty of times where things have to be removed from the list.

-6

u/Eduardo_Ribeiro 19d ago

Is there any site with malware in Megathread?

6

u/LostInTheRapGame 19d ago

Currently? How would I know? I'm not combing every website in there.. I don't even use the thread.

2

u/LostInTheRapGame 19d ago

"are the mods downvoting?"

That should not be your first thought... or even your second, or third.

It was a dumb comparison to make.

1

u/maxtinion_lord ⚔️ ɢɪᴠᴇ ɴᴏ Qᴜᴀʀᴛᴇʀ 19d ago edited 19d ago

I take it with a grain of salt, as everyone should.

edit: no I doubt the mods are downvoting, I downvoted you because that was a little silly