All your code are belong to us! :roll: :roll:

The title is misleading. It should say CD Projekt RED "epically pwned". Ok seriously though, I hope the damages are minimal.

Caring1Inside job.

I agree without a blink of an eye

Sad day for PC Gaming cybernews.com/news/cyberpunk-2077-maker-cd-projekt-red-gwent-source-code-leaked-after-ransomware-attack/

mouacykWonder what an extradition to Poland will be like. Poland contributed some 8million into CDPR, didn't they?

Sorry but world doesn't work like that. Especially in Poland.

mouacykHave you seen the Chinese knock-offs? It's an opportunity lost in some markets, because now they can take stolen code, redress it, and sell it to a customer base that doesn't know any better.

I'm sure plenty are aware of the myriad of private mmo game servers out there... while a few are legitimately extending the life of an EOL product, the vast majority are profiting off work not their own by injecting micro transactions and cosmetic packages and letting people play at no charge. Who knows what potential malicious code could have been compiled into the released client binaries also...

Ofcourse, but that was always possible with or without 'source' code. Get a game copy and you're done, copying some assets does happen everywhere just like people snagging stock photos of the net and using them. Copyright infringement, really, more than it is theft?

And eh... is it really a loss to a triple A company to have some weird knockoffs of absolute gutter trash in the market?

Its an illusion you can control data like that, despite what many love to believe. We think that by having a metric ton of rules we can prevent stuff from happening. Lol. Right. If anything we should know better by now... not a single company, system or group of people has shown to be immune to all things human. The best thing you can strive for is 'mitigation'. Data management is like Covid in that sense, good luck getting to zero incidents, and there is a point at which rules take a major toll on usability of (a system) society, creating rebellious users that are more keen to not stick to them (and create leaks); or some event happens making people unhappy and willing to break rules explicitly.

This is why transparency of data can be such a powerful tool, and why it is in some ways inevitable. If you have to spend more money than you can make off the data to secure it, what's the point? That's herd immunity, right there: expose the data, and its no longer valuable.

aside from the "punishment" CDPR deserves of getting, it would have been a whole lot worst if whoever that hacked their vault and stole sensitive data really did get away with it.

BSim500It's bad they got hacked but +1 to CDPR for actually having functional offline backups and not paying a ransom. If everyone did this, this dumb Bitcoin ransomware problem would be solved already.

While everyone should obviously have good backup routines*, following basic security practices would also effectively block practically all such attacks;
- Keeping systems up to date (especially servers, firewalls etc.)
- Not running Windows for servers
- Restricting access to resources on a per user basis (not common universal passwords for everyone), this also allows revoking access easily when someone leaves.
- Have segmented networks, firewalls or VPNs controlling how and which computers can access each other.
And most importantly, you do security in layers. Sooner or later, one layer may be compromised, so detection and damage control is essential. Far too many companies operate in a way where just a virus or a bad actor on any computer can steal or damage everything. Many companies with thousands of employees have been hurt by a single compromised computer, if basic security practices were followed, this wouldn't be possible.

But often, the damage from accidents or incompetence can probably be even worse. I know of a concrete case where a sysadmin at one company typed rm in the wrong folder on their main source repository server! Oops, hundreds of projects gone. Luckily they had daily backups, but still, there were a lot of work lost for thousands of engineers.

*)
Some things may be hard to have up to date backups of, or loss of even a few hours of work can sometimes be very costly.

r9Maybe the hackers can fix CP2077.

Just give them 10.000 man hours, and then maybe…
The flaws of this game is severe to be fixed by a few tweaks.

ValantarIs stolen code really something that actually matters? I mean, do people compile their own games? I kind of doubt that. And if it allows hackers to crack things ... so what? They always find a way. Just patch it. Given that the game is sold DRM-free on GOG it's not like piracy is much of a concern for CDPR. So ... what, exactly, do they stand to lose from people having access to a bunch of source code?

I think this fear is mostly old thinking that source code is incredibly valuable and thinking that competitors would "steal" it and use it for competing products.

But source code isn't something that so is easily adapted to other projects. Even if your project have a super smart algorithm that I want, chances are that it will be harder for me to integrate yours than to write my own. And I would argue, the bigger the source, the harder it is to adapt it to your own purpose. In software engineering there is a lot of specific knowledge known only those who have written the source. If someone get their hands on a completed game engine, it would take them years to get familiar with the code base and redesign it to fit their own needs. By that time, does it really matter that much?
(Leaking an unfinished product is different though)
Major source code leaks has happened for years, both for games, Windows itself and even hardware designs (from Nintendo). I haven't seen the immediate emergence of cloned/derived software from any of these.

I hope we can get to a point where it's more common that game source code is available (but not necessarily free). It can still be protected by copyright, so if another company uses it without permission they can still sue. And if some random guy uses it, who cares, really? Companies have a lot to gain from embracing their enthusiast bases, they can provide a lot of cool additions or improvements to a product, for free.

efikkanMajor source code leaks has happened for years, both for games, Windows itself and even hardware designs (from Nintendo). I haven't seen the immediate emergence of cloned/derived software from any of these.

You have but to look at the knockoffs in China and third world countries. They're riddled with microtransactions and possibly malware, running on "private" servers behind vpns. Some of these markets are big enough that it's a great opportunity lost, even if selling at a fraction of the cost in more wealthy markets.

efikkanBut source code isn't something that so is easily adapted to other projects. Even if your project have a super smart algorithm that I want, chances are that it will be harder for me to integrate yours than to write my own. And I would argue, the bigger the source, the harder it is to adapt it to your own purpose. In software engineering there is a lot of specific knowledge known only those who have written the source. If someone get their hands on a completed game engine, it would take them years to get familiar with the code base and redesign it to fit their own needs. By that time, does it really matter that much?
(Leaking an unfinished product is different though)
Major source code leaks has happened for years, both for games, Windows itself and even hardware designs (from Nintendo). I haven't seen the immediate emergence of cloned/derived software from any of these.

I hope we can get to a point where it's more common that game source code is available (but not necessarily free). It can still be protected by copyright, so if another company uses it without permission they can still sue. And if some random guy uses it, who cares, really? Companies have a lot to gain from embracing their enthusiast bases, they can provide a lot of cool additions or improvements to a product, for free.

Exactly right, what else can you make easily with that other than... the game that's already there, but without the latest updates.

Or you can make Geralt pr0n with it. Well yay and well hello modding scene what did you do all these years

mouacykYou have but to look at the knockoffs in China and third world countries. They're riddled with microtransactions and possibly malware, running on "private" servers behind vpns. Some of these markets are big enough that it's a great opportunity lost, even if selling at a fraction of the cost in more wealthy markets.

Those markets are perfectly capable of imploding on their own. Gaming is like a learning curve, people get new systems to chew on, new mechanics, and they fall for all the psychological trickery involved, then get wiser. We all did. We all played our share of MMOs and grindy games with well managed dopamine shots and flashy bars filling up. We all raced for those high scores. The leaderboards in the arcade. The first guy to finish in a race.

Many of those concepts have been given more depth or are otherwise filled with new takes on those dopamine shots and how to manage them more effectively, fooling us once again ;) I recall a lootbox, MTX, skins, seasonal content, chapter-based releases, dailies, weeklies, monthlies, seasonal events, etc etc etc ad infinitum. That is also why those older concepts also work so well on the mobile space. Lots of new, gullible gamers. And the worst thing of it is, many of them have never known how glorious and worry/money free gaming could actually be. 'Pay 10 bucks to reset a timer that you're going to see a few hundreed more times' - and people do it.

The unfortunate thing is, it seems a lot of people also don't get much wiser. Is that an opportunity lost? The best way to combat that style of games is by bringing a real game. Its disturbingly easy and its part of the reason of CDPRs success. They did what few others were still doing and showed everyone there was still serious money in serious games. And not just them of course, but you get me.

Tsukiyomi91definitely an inside job. Not to say it's not a surprise but I don't think anyone outside of the company would do this for free or has the know-how of where the sensitive files are located.

Sigh.

What about a company having their security not in check? Never leave source-codes on a machine thats hooked to the internet.

efikkanJust give them 10.000 man hours, and then maybe…
The flaws of this game is severe to be fixed by a few tweaks.

A graphical glitch here and there is not such a severe problem. I'm not really counting consoles because why would you even want to play such a game on a console? It's not a casual "party shooter". I'm 50 hours into a second play through (around 300 hours total), and am yet to find a game-breaking bug which couldn't be fixed by reloading an auto save from 5 minutes earlier. I think it was the 1.06 patch which fixed most quest progression bugs, now there are just occasional graphical glitches. Some of which are quite funny actually, like all NPCs having a mohawk for a few seconds.

As for the attack: First of all, damn script kiddies. Looks like another wannabee hacker - script kiddie using Cobalt Strike. Kudos to CDPR for having a robust enough infrastructure to not care, sysadmins should get a hefty raise. Second, losing source code isn't such a huge deal as some seem to think. No one is going to create and sell copies of the games and no sane company is going to use stolen data in their products. Some top-tier modders might use the leaked REDEngine files in their work, but that's about it. Leaked HR/administration data can lead to targeted attacks and/or things like identity theft, but no more than someone digging up your electricity bill from the trash - which actually happens, so at least use a permanent market to cover your data. Seriously.

TheUn4seenA graphical glitch here and there is not such a severe problem. I'm not really counting consoles because why would you even want to play such a game on a console? It's not a casual "party shooter".

This part of your comment is what I reacted to with "sad". Why would you even want to play such a game on a console?, you ask? I'm gonna go out on a limb and say maybe it's because some people LIKE to play on console, or don't have money/time/skill to build a PC just to play the game "the way it's meant to be played"? Seriously, what makes console gamers and their gaming experience worth less in the eyes of some PC gamers? I've never understood the mindset of some in the "PC Master Race". :rolleyes:

Gmr_ChickThis part of your comment is what I reacted to with "sad". Why would you even want to play such a game on a console?, you ask? I'm gonna go out on a limb and say maybe it's because some people LIKE to play on console, or don't have money/time/skill to build a PC just to play the game "the way it's meant to be played"? Seriously, what makes console gamers and their gaming experience worth less in the eyes of some PC gamers? I've never understood the mindset of some in the "PC Master Race". :rolleyes:

The console gaming experience is just objectively worse than PC gaming can be. Yes, it takes more time, skill, and certainly in today's climate, money, to build a capable PC, but you do get better visuals, better performance and better gameplay out of it. And you can do a lot more with you PC than you can with your console.

That said, that's just my take on it. There's no hatred in my heart for the 'console peasants', I just enjoy what I do and hopefully everybody else does, too.

Gmr_ChickThis part of your comment is what I reacted to with "sad". Why would you even want to play such a game on a console?, you ask? I'm gonna go out on a limb and say maybe it's because some people LIKE to play on console, or don't have money/time/skill to build a PC just to play the game "the way it's meant to be played"? Seriously, what makes console gamers and their gaming experience worth less in the eyes of some PC gamers? I've never understood the mindset of some in the "PC Master Race". :rolleyes:

My personal opinion is that using a platform where you need aggressive auto aim, degraded graphics and comically simplified controls to be even able to play a game is just vastly less enjoyable and better suited to simple, casual games than more complex ones.
I'm not looking down on "console peasants", and I most certainly had some clashes with the elitist "PCMR" types. Everyone uses what they want or can and there is no place for any feelings of superioity or inferiority in that. That being said, playing a complex game like Cyberpunk 2077 on a console is like taking an old, rusty bike to a hard single track - you absolutely can, but your experience will be far from optimal and you need to understand that you will contend with a lot of problems.

hatThe console gaming experience is just objectively worse than PC gaming can be. Yes, it takes more time, skill, and certainly in today's climate, money, to build a capable PC, but you do get better visuals, better performance and better gameplay out of it. And you can do a lot more with you PC than you can with your console.

That said, that's just my take on it. There's no hatred in my heart for the 'console peasants', I just enjoy what I do and hopefully everybody else does, too.

Oh man, "objectively worse", statements like that make me chuckle every single time. I mean, the amount of fundamentally subjective criteria involved in saying a PC gaming is "objectively better" is downright staggering. For example, what constitutes "better gameplay"? Isn't that extremely dependent on the type of game and the preferences of the player? Aren't there games and play situations where the difference between, say, 720p30 and 4k60 or 1080p240 would be essentially imperceptible? Of course there are. And those games are just as valid benchmarks for what constitutes "better gameplay" as types of games that highlight these differences more clearly. And doesn't access play a part, along the lines of the saying that "the best camera is the one you have with you"? I.e. couldn't it be argued just as "objectively" that the best gaming experience is the one you're actually able to have in the highly subjective context of your specific life? I would certainly think so.

Statements like these also ignore the quite large amount of training and conditioning required just to actually perceive high-performance gaming as better. I'm not disputing whether "people can actually see more than 60Hz" or other nonsense like that (human perception can rarely be reduced to a single number, and is extremely dynamic and context-dependent, and also generally friggin amazing), but there's a distinct difference between being able to vaguely perceive that something is slightly different - such as motion being smoother - and being able to actually pinpoint why that is, whether and how it affects gameplay, and whether it is actually to the better. That requires training. Outside of "hardcore gamers" and hardware enthusiasts, it's likely that the average person would be able to perceive some sort of difference between, say, playing a fast-paced game at 60Hz or 120Hz, but the more important question is: would they care? Most likely not. And if you don't care, then the difference is rendered moot.

PC gamers and hardware enthusiasts have been in a decades-long cycle of conditioning into the belief that higher performance is always better (both by the community and importantly by marketing departments of PC, component and peripheral brands), which is strongly tied into the types of games that are presented as "real games" and the types of people seen as "real gamers". It's all a question of perception, identity and gatekeeping. Depending on the game there are obviously situations where higher performance can give an advantage, or where too low performance can make a game unplayable, but extrapolating this into an "objective truth" that PC gaming is universally superior is just pure, unadulterated nonsense. PC gaming discourse loves to present itself as if we have somehow gained access to a set of universal objective truths that other people simply don't know about, which just illustrates that the original irony of the term "PC master race" has long since been abandoned. The preference for high-performance gaming is just that: a preference. Taste. And taste is what? Subjective.

Now, this rant did come slightly out of the blue, and I'm by no means trying to "get" you in any way, nor trying to somehow say you're disingenuous in what you're saying - this is directed towards everyone and no-one, and certainly not you in particular, your statement just got me going down this path. But I think we all stand to gain from deluding ourselves less, and this is a case where that's pretty simple. There is no "objective truth" to the superiority of PC gaming. Humans do not engage with the world in non-subjective ways. It's a matter of preference. And having preferences is, in case it wasn't obvious, not just perfectly fine, but a core condition of being human. But presenting our preferences as if they were objective truths is a rhetorical and intellectual bad-faith tactic that serves no other purpose than to elevate "us" above "them". And that's a dangerous path to go down.

/rant

TheUn4seenA graphical glitch here and there is not such a severe problem.

I'm referring to the countless examples of objects flying around, falling through floors etc. These glitches are not graphical glitches at all, these are fundamental flaws in the game simulation, and isn't easily solved with a workaround or small change here and there.

TheUn4seenAs for the attack: First of all, damn script kiddies. Looks like another wannabee hacker - script kiddie using Cobalt Strike. Kudos to CDPR for having a robust enough infrastructure to not care, sysadmins should get a hefty raise.

It's either a fundamental lack of security, or an inside job (or both). Basic common security practices would have prevented the scale of this. Whoever was in charge of their security should probably be fired.

We hear a lot about massive conspiracies from government sponsored hackers using zero-day vulnerabilities or creative techniques to communicate with air-gapped devices, or techniques that can read your data through electromagnetic noise etc., but in reality, in 99.9% of cases people just fail the well-known basics.

Hi,
Big question is did twitter ban said hacker lol

efikkanI'm referring to the countless examples of objects flying around, falling through floors etc. These glitches are not graphical glitches at all, these are fundamental flaws in the game simulation, and isn't easily solved with a workaround or small change here and there.


It's either a fundamental lack of security, or an inside job (or both). Basic common security practices would have prevented the scale of this. Whoever was in charge of their security should probably be fired.

We hear a lot about massive conspiracies from government sponsored hackers using zero-day vulnerabilities or creative techniques to communicate with air-gapped devices, or techniques that can read your data through electromagnetic noise etc., but in reality, in 99.9% of cases people just fail the well-known basics.

Of the errors you mentioned I only saw boxes floating after dumping NPC bodies into containers, and I hardly think it can be called a fundamental flaw. A quest line being bugged in a game-breaking way is a fundamental flaw, as is savegame corruption. Both happened to this game and both were fixed a while ago. Also, what you mention is just a collision detection or physics engine not properly zeroing forces on item spawning problem. Both can be tricky to fix, but are not really fundamental. Unless, of course, you are one of the people who just need to be outraged all the time. I knew a guy like that, he truly believed that Bioshock is a horrible game and 2K Games should refund everyone for this blatant theft. Why, you might ask? Because he found a low resolution texture on a plant somewhere. Really, that was his only argument. Needless to say, it was the last time we spoke. The biggest annoyance I encounter in this game are broken item hitboxes. Just try picking up this new shiny gun laying next to a body. Nope.

"It's either a fundamental lack of security, or an inside job (or both). Basic common security practices would have prevented the scale of this. Whoever was in charge of their security should probably be fired."
You probably never worked in a corporate environment. The scale of such infrastructure simply requires some degree of simplification - you can harden anything to the point of being anything-proof, but then your employees will spend more time doing security checklists than working. And I can guarantee there will be some mid-level douchebag manager with a superiority complex who will write down all his passwords on a piece of paper he tapes to the screen and a cleaning lady who will take this card and sell the passwords. For tools like Cobalt Strike that's enough. Get a foothold, elevate from there. It may take some time and effort, but once you're in, you're in.
This happens to every company at some point, it's how they deal with the problem that shows their quality. Many big corporations actually prefer to pay and keep it quiet to avoid bad PR.

Valantar/rant

Yikes. I understand your rant wasn't directed at me, but all I'm saying is, the experience on a PC is objectively better than on a console. As I said, you get better visuals, better performance, and better gameplay. Sure, it comes at a price. Sure, availability is shit right now. We all feel that pain right now, console gamers and PC gamers alike. There's no we're better than you" mentality coming from me there.

TheUn4seenOf the errors you mentioned I only saw boxes floating after dumping NPC bodies into containers, and I hardly think it can be called a fundamental flaw.

Just search on YouTube, and you'll find plenty of videos of flying cars, characters shaking etc. These are not graphical glitches, these are fundamentally flawed physics simulations.

TheUn4seen"It's either a fundamental lack of security, or an inside job (or both). Basic common security practices would have prevented the scale of this. Whoever was in charge of their security should probably be fired."
You probably never worked in a corporate environment. The scale of such infrastructure simply requires some degree of simplification - you can harden anything to the point of being anything-proof, but then your employees will spend more time doing security checklists than working.

I think you missed the point. Those of us who have worked for various companies of thousands of employees knows security breaches are "inevitable", which is why skilled IT professionals knows to do security in layers. Sooner or later someone's Windows install will get a virus, some laptop or phone will get stolen, someone's password get compromised, some critical zero-day bug is discovered etc. This is why the servers and network infrastructure needs to be up to date, networks should be segmented in some way with firewalls, VPNs etc. Access to resources such as file shares, source repositories, databases etc. should be granted on a per user basis, and passwords should be different from their computer passwords. Any of these steps themselves will make anything 100% bullet-proof, but it's where you start. And if you do this in a sensible way, it's usually enough to stop catastrophic damage before you can intervene. This should be enough to prevent an intruder from getting all your corporate data or to destroy all your data, because the chances of someone breaking through multiple security barriers is fairly slim.

But once you got the basics right, you can consider further steps, including some kind of intrusion detection, honeypots, etc. But as you mentioned, taking things too far might result in wasted resources or even people finding ways around the system. This is why it's important to get the fundamentals right first, instead of focusing on a niche problem. And doing an overall balanced approach with good security isn't that hard.

efikkanJust search on YouTube, and you'll find plenty of videos of flying cars, characters shaking etc. These are not graphical glitches, these are fundamentally flawed physics simulations.

If a problem occurs for one in a thousand players, you're still going to have thousands of loudmouth YouTube kids screaming about it like someone took their lollipop. This is low-brow, primitive attention economy at it's worst. Filter it like this: If something works as expected, people don't really care to tell others about it. You only hear about the edge cases, so if millions upon millions of copies were sold and you hear a few hundred, maybe a few thousand people grumbling, it's not really that bad.

As for the rest - I really hope you are not responsible for any kind of security system. Just read about privilege escalation as an elementary basics. You can sandbox users or segment your network to your heart's content. If someone gets a foothold, starts snooping around and escalating horizontally and vertically, the only limiting factor is the attacker's skill. And we live in times when the tools you can get for free, buy or even rent are sophisticated to the point where such attacks don't really require years of learning. Hence my "damn script kiddies" remark, as everything points to a medium-skill, open source tool being used in this attack.

hatYikes. I understand your rant wasn't directed at me, but all I'm saying is, the experience on a PC is objectively better than on a console. As I said, you get better visuals, better performance, and better gameplay. Sure, it comes at a price. Sure, availability is shit right now. We all feel that pain right now, console gamers and PC gamers alike. There's no we're better than you" mentality coming from me there.

You apparently took that it wasn't directed at you a bit too far and didn't actually read: the key point is that what constitutes "a better play experience" is fundamentally subjective, and attempting to describe whatever criteria one has chosen to prefer as "objectively better" is a delusion. Period. Higher resolution is higher resolution. Faster framerates are faster framerates. Performance is performance (though what constitutes performance is itself quite complex). Neither are in any way objective criteria of better gameplay, as there cannot possibly exist any objective standard for such a thing - it's a culturally determined phenomenon, after all. Objectivity does not apply. If something was to be an objective criterion for gameplay, that would mean that it has a fundamentally determining effect on the quality of gameplay, and, well, a crap game at 250fps with fancy graphics, a boring gameworld, nothing interesting to do or see etc.? That's still a crap game. One can be of the opinion that these factors are the chief determinants of the quality of gameplay, and there are some arguments for thinking so (though there are also very good arguments for other factors being at least as important if not more), but that doesn't invalidate arguments for focusing on other aspects of the gameplay experience, nor does it take away from the fact that someone not thinking so likely won't actually care - so it's extremely unlikely that this will constitute better gameplay for them, even if it does so for you.

And I'm not saying that you're consciously expressing any kind of derogatory attitude either, nor do I have any basis whatsoever to comment on your opinions or ideals, but it's a rather simple fact that saying (whether to someone directly or nobody in particular) that "your choice of how to perform [activity A] is fine, but mine is better due to the criteria I and my peers have chosen to constitute "better performance of [activity A]" is an inherently derogatory statement, and that this discourse in PC gaming is fundamentally derogatory. That's just facts. And again, there are good arguments for why aspects of PC gaming are better, but choosing to focus on these aspects is a choice, and is thus subjective. The very claim of "my opinion is objectively true" (especially, but not exclusively when it actually isn't) is itself derogatory. I also think PC gaming is generally better than console gaming, but that's my tastes and my opinion, and no amount of arguments as for why I have that opinion will make it anything but an opinion. The derogatory part comes built in when one starts assuming that one's opinions are somehow objective facts, because that also necessitates the belief that the opinions of others are factually wrong. Which, again, you can think that they are, but that's another opinion. It's opinions all the way down.

TheUn4seenIf a problem occurs for one in a thousand players, you're still going to have thousands of loudmouth YouTube kids screaming about it like someone took their lollipop. This is low-brow, primitive attention economy at it's worst.

I honestly don't care what a bunch of adolescents scream about on YouTube.
I'm talking about the nature of some of the bugs. Those of us who have worked with graphics programming for many years got a good sense of understanding a bug just by observing it, and be able to tell if something is e.g. a shading bug, culling bug (there were some of those too), a synchronization issue or a flawed physics in the game simulation, without being familiar with the code base. Quite often, small graphical glitches are more an annoyance, while flawed game simulation often can be "game breaking".
Sometimes you can observe how well the game simulation is made by running it on a CPU that's barely fast enough. If you start to see objects flying around as a result of stutter (CPU limited, not GPU limited), it probably means the engine is using time deltas for calculating acceleration. Or if stutter causes objects to go through each other, fall through the ground etc., that probably means the simulation has "skipped" a few iterations. Both such examples are evidence of poor engine design.