Important Update


Guest 3847602

Guest
There is a bright side. If sources become public modding community will go BOOM. I'm more than happy for TW3. As for CP77 goes, it might be well beyond saving.
I keep seeing this all the time - it won't mean much for modding community because any mod created with help of the stolen source code will be taken down almost immediately by CDPR and rightfully so.
 
I keep seeing this all the time - it won't mean much for modding community because any mod created with help of the stolen source code will be taken down almost immediately by CDPR and rightfully so.
Uff there's some truth in that. Shame. Although some GTA code was leaked over time and it did help the modding community to some extent.
 
I keep seeing this all the time - it won't mean much for modding community because any mod created with help of the stolen source code will be taken down almost immediately by CDPR and rightfully so.

True enough if its hosted in countries that respect that sort of law.

But if its elsewhere, good luck with taking it down. There's a reason why certain torrent sites stayed alive for so long and kept coming back no matter how hard companies and government agencies tried to kill it.
 

Guest 3847602

Guest
True enough if its hosted in countries that respect that sort of law.

But if its elsewhere, good luck with taking it down. There's a reason why certain torrent sites stayed alive for so long and kept coming back no matter how hard companies and government agencies tried to kill it.
It's possible the host them on torrent sites, sure, I just don't think it's very likely. Modders are doing what they do for fun and satisfaction of sharing their creations with community. In this case they would risk facing legal issues and they couldn't even share what they've made on nexus or moddb, places where 99% of people are getting their mods from. Too much of a hassle.
 
This is science fiction to me. Users do make mistakes. The IT departments of firms usually know their job, especially in software development. Being a DevOps engineer, it's what I see these days. 95% of the hacking attempts my clients request usually fail, so "basic" hygiene exists.

...

Employees in software under 45 years old are usually electronically educated enough not to click everywhere in mails or on pages from the interwebz, but phishing is another story. If you get a mail from your.boss@bigassconpagny.com, and he asks for usr/pwd "because it's been a huge Christmas", then some people just execute stuff with no questions. No matter if the name of your company is bigasscompagny instead of bigassconpagny.

Respectfully, training your business to recognize and prevent Social Engineering IS basic hygiene. Business Email Compromise (BEC), which is what you're alluding to, is simply one of the latest variations of SE tactics. But to say that's not a Control Failure is to deny basic threat landscape realities.

Feel free to check out any of the Breach Industry Reports - all of them trend that of all the initial successful attacks resulting in a breach, nearly half were from Social Engineering, the remainder Hacking, Physical and Misuse. If you map that to a Common Attack Framework, that's a serious failure of basic controls. And these are reported or publicized breaches; it's estimated nearly 20 percent of the potential total go unreported on an annual basis, which would drive those numbers higher.
 
I keep seeing this all the time - it won't mean much for modding community because any mod created with help of the stolen source code will be taken down almost immediately by CDPR and rightfully so.

That and any reputable modding community would get rid of it before CDPR ever got involved.

I am genuinely curious as to who is the market for this. You can't exactly use your purchase openly.
 
@Casualclick In those lockdown times, you have to train them urgently for companies that didn't allow home working.
You say it's easy to prevent. Yes, on site, of course.

But once they just use internet clients to check for mails instead of, for example, the intraweb, and ask Robert from the accounting service, with super fast training, to check for emails and set up a working environment, he's alone and you're just f'ed up. In the real world, not every company has the resources to provide dozens of IT members or laptops for each employee at the same time.
 
@Casualclick In those lockdown times, you have to train them urgently for companies that didn't allow home working.
You say it's easy to prevent. Yes, on site, of course.

But once they just use internet clients to check for mails instead of, for example, the intraweb, and ask Robert from the accounting service, with super fast training, to check for emails and set up a working environment, he's alone and you're just f'ed up. In the real world, not every company has dozens of IT members or laptops to provide help for each employee at the same time.

Yeah, it stands to reason that people working from home increases the vulnerability. On the other hand, there is a Twitter link with a similar announcement from 2017. It makes ya wonder if the killer isn't calling from inside the house :).
 

Guest 3847602

Guest
I am genuinely curious as to who is the market for this. You can't exactly use your purchase openly.
I don't know if we're allowed to speculate, but imo, the most valuable thing that was stolen wasn't the source code (modders would never pay for it and other companies would be charged with industrial espionage if they'd ever try to use it for their own gain), but CDPR internal documents and communications. Depending on the content, it might be very interesting to the investors and their lawyers.
 
I don't know if we're allowed to speculate, but imo, the most valuable thing that was stolen wasn't the source code (modders would never pay for it and other companies would be charged with industrial espionage if they'd ever try to use it for their own gain), but CDPR internal documents and communications. Depending on the content, it might be very interesting to the investors and their lawyers.

Any document obtained this way would most likely be inadmissible in court. Not in the US at least, which is where the current lawsuits are happening. I don't see the more lawsuit inclined investors having any interest in this. Especially not if the alleged sale price is true.

Not to mention that the lawsuits, to my knowledge, are still without a lead plaintiff and basically dead in the water.
 
I don't know if we're allowed to speculate, but imo, the most valuable thing that was stolen wasn't the source code (modders would never pay for it and other companies would be charged with industrial espionage if they'd ever try to use it for their own gain), but CDPR internal documents and communications. Depending on the content, it might be very interesting to the investors and their lawyers.

The most valuable thing is the hack itself, since it is a loss of reputation for the company and it loses market value.

A rival could buy CDPR.

Also, they should investigate bearish investors in the days leading up to the information theft. They may have been able to make money speculating on the downside.

Bitcoins are traceable. As soon as they try to exchange them for money or buy something in an online store, the police will get a name or address.

Unless they want to use bitcoins to buy drugs or a kidney on the Deep Web ...
 
I am genuinely curious as to who is the market for this. You can't exactly use your purchase openly.
Could be this, could be that. Some countries, China for example, have a huge domestic market and they don't care.

but CDPR internal documents and communications. Depending on the content, it might be very interesting to the investors and their lawyers.
I seriously doubt this. The message the attackers left talked about leaking things to gaming media. If they had anything remarkable, they would have threatened to publish it to legal authorities to begin with.
 
Yeah, it stands to reason that people working from home increases the vulnerability. On the other hand, there is a Twitter link with a similar announcement from 2017. It makes ya wonder if the killer isn't calling from inside the house :).
There was also that hack on the old forum, years ago after TW3.
It is said the hacker team / individual used a 0-day, so I won't accuse CDPR of laxity here.
 
@Casualclick In those lockdown times, you have to train them urgently for companies that didn't allow home working.
You say it's easy to prevent. Yes, on site, of course.

But once they just use internet clients to check for mails instead of, for example, the intraweb, and ask Robert from the accounting service, with super fast training, to check for emails and set up a working environment, he's alone and you're just f'ed up. In the real world, not every company has the resources to provide dozens of IT members or laptops for each employee at the same time.

Which is why you don't allow work email access from a non-business asset, from an off-network (meaning non-VPN) connection, or without multi-factor authentication. This is exactly the kind of "convenience" which is a failure of basic hygiene. We have had these controls in place long before WFH became predominant, so that's not an excuse.

Financial controls that only require one level of approval for material amounts, especially in a publicly held company, are an automatic fail in both Internal and External audits. I get nervous authorizing hundreds of dollars. Who the hell casually approves hundreds of thousands or even millions without doing some additional checks?

If your controls were weak before Covid, they became non-existent after. Not an excuse - you had opportunity to fix it before a Pandemic. But as usual, most places need to be robbed before they realize the locks are inadequate.

If your data is your most valuable asset, treat it accordingly. Every opportunity you give to make business "easier" isn't just benefiting your lines, it's also making the attacker's job easier. Think about what could go wrong and mitigate accordingly.
 
I am genuinely curious as to who is the market for this. You can't exactly use your purchase openly.
Most people ask themselves the same question. You have to be very sure of yourself to pay that amount of money for sources, especially in front of everyone in the world. The asked sum seems pretty naïve.
Sure, its worth to CDPR is more than that amount of money, and they already have it. But others? Do they really want to sell pirated content for years with the police looking for them to get their money back with a profit? Interestingly, the sources they didn't try to sell concern their only online F2P game.

(@moderators, feel free to cut that message if that's against the forum policy, I may be in a gray area there).

Which is why you don't allow work email access from a non-business asset, from an off-network (meaning non-VPN) connection, or without multi-factor authentication. This is exactly the kind of "convenience" which is a failure of basic hygiene. We have had these controls in place long before WFH became predominant, so that's not an excuse.

Financial controls that only require one level of approval for material amounts, especially in a publicly held company, are an automatic fail in both Internal and External audits. I get nervous authorizing hundreds of dollars. Who the hell casually approves hundreds of thousands or even millions without doing some additional checks?

If your controls were weak before Covid, they became non-existent after. Not an excuse - you had opportunity to fix it before a Pandemic. But as usual, most places need to be robbed before they realize the locks are inadequate.

If your data is your most valuable asset, treat it accordingly. Every opportunity you give to make business "easier" isn't just benefiting your lines, it's also making the attacker's job easier. Think about what could go wrong and mitigate accordingly.
You don't get it, mails are only a part of the problem. You have to teach Robert what a VPN is first, and how to double click on the right executable, when Robert already has trouble installing Teams, Skype, or anything like that. And this by phone, since Robert can't come to the office.
What if your company is full of Roberts?

Another problem is for small companies. My company is too small to have an IT department. We are our own IT, like most small startups. One day someone told me "hey, now you work on Linux, teach yourself, oh and btw you were a back/middle office dev, congrats, you're now our new web dev / DevOps / IT member / security officer!" and then I had to jump almost alone into penguin land, with web techs I knew from 10 years ago (I should have shut my mouth lol).
 
Most people ask themselves the same question. You have to be very sure of yourself to pay that amount of money for sources, especially in front of everyone in the world. The asked sum seems pretty naïve.
Sure, its worth to CDPR is more than that amount of money, and they already have it. But others? Do they really want to sell pirated content for years with the police looking for them to get their money back with a profit? Interestingly, the sources they didn't try to sell concern their only online F2P game.

(@moderators, feel free to cut that message if that's against the forum policy, I may be in a gray area there).
You don't get it, mails are only a part of the problem. You have to teach Robert what a VPN is first, and how to double click on the right executable, when Robert already has trouble installing Teams, Skype, or anything like that. And this by phone, since Robert can't come to the office.
What if your company is full of Roberts?

Unless you are a dedicated front-line worker whose job description prevents remote working (which by definition is NOT a globally deployed software developer like CDPR), you have a workforce that has at one point or even more, worked remotely.

Secondly, most software developers have issued multiple assets to their staff, meaning they have most likely one or more dedicated workstations in the physical office, and portable assets like laptops.

If a BYOD is deployed, at the bare minimum it has to have a VPN, and I quite frankly would be skeptical that CDPR would have an open connection to the Public Internet leading back into their internal network.

There is no excuse in 2019, never mind 2020, for lack of asset protection or authentication/authorization controls. Heck, Office 365 and other cloud-based products made it real simple (and secure, if you followed good deployment guidance) to extend the office into the home.

No, those are simply a lack of control assessment and adequacy. You can deploy tools quickly and safely, but if your baseline security posture was weak before, Covid didn't make it any stronger. Arguably the same controls were supposed to protect you in a Failover/DR where you might have had to work from an unprepared/cold site. The industries have touted that for years, yet those same controls are the ones they're counting on to protect them during those times. Simple weaknesses.
 
No, those are simply a lack of control assessment and adequacy. You can deploy tools quickly and safely, but if your baseline security posture was weak before, Covid didn't make it any stronger. Arguably the same controls were supposed to protect you in a Failover/DR where you might have had to work from an unprepared/cold site. The industries have touted that for years, yet those same controls are the ones they're counting on to protect them during those times. Simple weaknesses.

I doubt anyone would dispute any of this in an ideal world. I'm sure you'd agree it's not an ideal world.
 
I doubt anyone would dispute any of this in an ideal world. I'm sure you'd agree it's not an ideal world.

Some firms that found themselves struggling to stay afloat because of stay-at-home orders in multiple countries did it, and safely and securely transitioned to a mostly remote workforce and business process.

It's not impossible, but like many things, basic weaknesses before Covid meant nothing was going to change because of a pandemic. Firms didn't automatically mature their controls because of Covid. Which is why, as in my original post, basic hygiene failures lead to most breaches. People claim hygiene is strong, but the way successful breaches were perpetrated says otherwise.
 
So is there any word on what's happening?
Lots of them, none good. But you aren't allowed to say much about it on these forums.

That and any reputable modding community would get rid of it before CDPR ever got involved.

I am genuinely curious as to who is the market for this. You can't exactly use your purchase openly.
I don't know. Based on something a friend in a three letter agency told me some years back, I've just been assuming that any interest in it would probably be to identify things that might be exploitable in the future. But mostly I don't have a clue.
 