Larian Studios Forums Divinity - Original Sin Divinity - Original Sin - General No DRM-free copy in the retail version ?

I think we need to charter a tin foil factory to make all the hats that this thread needs.

No, all that is security basics, nothing new or unreasonable here. Read more about how DRM compromises security from security experts if you want to.

About why opening the client helps you can read here: https://en.wikipedia.org/wiki/Security_through_obscurity

Opera browser isn't open sourced, yet you recommended it earlier. Now, I use Opera, and have for many years now (through v12 anyway, I won't touch the new v15+), but your argument is bordering on paranoid. Don't get me wrong, I'm all for paranoia-based security. I practice it, and recommend it to my customers, but calling Steam a security risk because it's closed source is a bit over the top.

And as for the DRM aspect, when a game with Steam DRM implemented runs, all it does is check to make sure Steam is running and that you're authorized to run it. Hardly a security fear. Other DRM solutions, such as Starforce and even SecuROM, are much more dangerous, as they can run with Ring-0 access to your system. Steam DRM isn't even close to that level of danger.

Worst case, custom-created malware (which would initially avoid detection by AV scanners) to hijack your system, with the ability to (a) monitor keystroke and mouse movements to capture bank login details or (b) ransomware as mentioned previously.

More common uses for compromised systems include spamming and HTTP/DNS relays for "bulletproof" (typically spamvertised) websites, but this activity would be easily detectable and less profitable than the first two.

With Valve claiming to have over 65 million active accounts, anyone compromising their systems could have a malware bonanza. Since Valve have yet to come clean on the cause of their 2011 compromise (the only info I've found is a "we're still looking" update), it seems a fair bet that "responsible disclosure" isn't part of their vocabulary.For normal applications, Sandboxie is a valid approach. But Windows services have full access to the system and could, at least theoretically, bypass Sandboxie and other security software.

Services, drivers and any process allowed physical (low-level) memory access can disable or bypass security software (which itself relies on services and drivers) so one aspect of having a secure system is keeping programs that access these to a bare minimum. Any that applies triply to any with network access since they offer the chance of a remote compromise.

I will grant you that the auto-updating aspect of Steam, makes for a potential target, but quite frankly there are far easier ways for malware writers to get their code onto someone's computer (IE exploits being the most common). Malware writers, by and large, will choose the simplest method of distribution. Hacking into Valve's servers, modifying game/Steam code and triggering an update - one that would likely be caught and patched pretty quickly - is not a simple method.

First off, modifying game code would require that the people launch the game after the virus uploaded. There's a far better chance that the exploit would be caught and fixed before too many people launched it. If they modified Steam itself, that would require a restart of the Steam client before any changes would take affect.

Got it. Not concerned. But thanks for the reply.

I've run probably 5 years now on 5 systems with no viruses. If something spikes and if it is Steam related. I'll adjust then. Some people are all about security, some don't care and everything in-between. I'm reading that for some security it thee most important thing, I'm not that way. I don't have FBI targeted images to hide. I kid.

I read the news, it seems like pretty much everyone has been hacked (business wide) by now and they only come clean if they are darn near forced to come clean. This is the world we live in. I've yet to pay at all for compromises to such systems companies run. Now I have had my wifes purse stolen and had to kill a bunch of cards and get reissues on everything...

I didn't really recommend Opera. Any closed code has less potential for audit. That's a built in drawback. With browsers you at least have choices.



You hardly can guarantee what DRM does or does not, because the same DRM isn't open either. You assume that's what it does. Assumptions aren't enough when it comes to issues of trust and security. And by its mere definition DRM can never be trusted - ever. Simply because DRM itself never trusts the user by its own definition (that's the point of DRM - to consider user a potential criminal), and trust is a mutual relation, so DRM can always be viewed as a potential threat in return.

So, you're completely paranoid, then. Got it. As horrorscope said, not concerned. I've been using computers for over 20 years now, and have run virtually every MS OS from DOS 6.22 on up (save for NT 4 and earlier). I have, on a couple occasions, got infected by ignoring my own paranoia-based security methods (forgetting to run suspicious executables in a VM, for example), but I've always caught it and removed it right away. If Steam proves a liability, then I'll be concerned. Until then, it's just fear-mongering.

Not more than DRM which is paranoid that any user can infringe, and thus restricts all its users. That's a symmetrical treatment. DRM treats all users as [potential] criminals. So it's natural to treat all DRM as [potential] malware.

That is totally about one's perspective, nothing more than an opinion.

That's like locking your door (DRM) when you leave is treating everyone outside your house like a potential criminal. Not sure of analogy... but sounded good in my head while typing.

What I'm more interested in is when I see Steam hate and try to understand it at its core and then if there is really something there I should be paying attention to.

It's actually completely reversed. DRM is much more like placing a policeman in your house to watch what you do, just in case you decide to do something illegal. I.e. since DRM is present on your own computer and in your system, it's like an intruder whose purpose is to spy on you and treat you like a criminal. I doubt many would find it ethical if a police camera would be placed in their own home, yet for some reason they accept DRM as a normal practice.

Did you miss the part about GOG installers setting every game to run as administrator? Letting a program run with administrator access gives it access to more than just writing to protected directories. This is far more a security risk to users than Steam having a helper service running as admin (the Steam client itself is not running with admin privileges).

UAC is not designed to "annoy programmers and users into storing data outside the Program Files folder." It is designed to separate programs running with user access and full system access. Newer programs for Windows (properly written) are designed to be stored in the protected Program Files directory and store user data in the user's appdata directory. Storing programs outside of the Program Files folder is a good practice for older programs not written for the newer security scheme, but the directory permissions need to be set to give the user full read/write access to it or else it will trigger a UAC prompt for admin privileges.

The Steam service has a signed security certificate. If some kind of malware or virus infects it, you will know. GOG's games aren't signed, and having users run them as admin won't know if they become infected.

GOG recommending users turn off built in security components and run every one of their programs as administrator is ridiculous. You standing up for GOG's lack of security concern and setting every program up to run with administrator privileges, while blasting Steam for having a digitally signed service running just shows your bias against Steam.

See it's all a perspective and an opinion. No one is right or wrong. I'm not saying I'm pro DRM, but some people think any little bit is as bad as any DRM ever like StarForce. At one point it was redonkulous. Steam DRM, totally get it. We are trying to foster an industry so we get more content. Some things are just part of doing biz. In my world if the stuff works and doesn't get in my way... I'm ok.

I thought Snowden proved nothing is really protected.

Ohhh Shmerl needs an entire mountain of tin foil to keep the big bad hackers from reading his thoughts.

No, no DRM ever gets it. As I explained, DRM is always unethical because of its nature. It's violating privacy because it treats all users as criminals by default and the most dumb part of it is that it doesn't even work, since all DRM does is hindering users who pay for what they use, while having no effect on pirates who pirate the same thing with DRM being scraped off and never worry about it. That's surely never should be a "way of doing biz".

Steam is very open about what it's DRM does and how it work.

And why should you trust that if you they don't trust you by the mere fact of using DRM? To be open, the code has to be open. I'm yet to find such DRM. I doubt it even can exist.

IE may be the most common attack vector, but usually requires a visit to a malicious website so no exploit is likely to offer simultaneous targeting of 65 million users.
There are certainly many who target low-hanging fruit. But others have branched out, even into completely unexpected areas - so it's a fair bet to say anything that can be targeted some day will be. While it is fair to say Steam will be a harder nut to crack than many, the scale of the possible benefits make it an attractive target to the most talented and organised malware groups.
Except that someone did this a few years back and wasn't discovered until someone else gained access and used it to spam Valve's forums in November 2011. And neither group has been caught so far.
The Steam client itself is exploitable so can be used to run software without user intervention.

Steam is just a digital distributor of games. Steam doesn't force developers to use DRM on their game. Steamworks and its components are entirely optional. If a developer chooses to publish their game on Steam, they can use features of Steamworks WITHOUT implementing the DRM part, as D:OS does.

About trust, here is a clear explanation of the idea.

And here is an example of what DRM can easily become because of its very intent.