Piracy: ꜱᴀɪʟ ᴛʜᴇ ʜɪɢʜ ꜱᴇᴀꜱ @lemmy.dbzer0.com

ERROR: Earth.exe has crashed @lemmy.dbzer0.com

4d ago

Do y'all still consider the machine you run pirated software/games on to still be "Secure"?

Not sure if this fits here...

An OPSEC community would probably say no, so I probably don't need to ask in those communities. But I'm curious about a (digital) pirate's perspective on this issue...

I mean, the sources listed here are supposedly "safe" right? But honestly, how much would you trust these "safe" sources?

When doing sensitive tasks like banking or filing taxes, do you:

Use a different OS on the same machine? (Dualboot)
Or put the pirated content inside a virtual machine?
Or just use a completely separate computer?

And since PC is much different than a Smartphone:

Would the extra sandboxing on Smartphones make pirating games on a Smartphone much safer compared to on a PC? (Not that there are much mobile games worth playing, just curious)

(PC in this context referring to all personal computers, regardless of OS)

And last question:

Non-installed/non-executable files such as .mp4 .mkv .mp3 .pdf .epub, are mostly safe right? I mean, you are using another program to opening it, not executing a file, there aren't much attack vectors as long as the video player / ebook viewer is up to date right? (Or am I understanding it wrong?)

50 comments

Honestly I don’t run pirated software at all anymore. The risk is too high. If it’s a game then I’m happy to pay for it, and open source software covers pretty much everything else for me.
The only exception is switch games but they run through an emulator which is quite safe.
Most media files are safe but I’ve heard that PDFs of all files can be vectors.
- I hadn't really thought about it until reading this comment but I am definitely the same. I use to pirate so much software back in the day. But, I really just find myself looking for projects on GitHub that fit my needs.
  I pirated a video upscaling program just to test it out. Topaz I think it was. But it was mostly just curiosity because it was very niche in it's performance improvement over it's open source alternative video2x.
  That's literally the only software I can remember pirating in the last 10 years.
  If it's good and requires a one time purchase. I buy it. Unraid is obviously going to be an example of that for a lot of people here.
  I think I've spent more money donating "coffee" to good open source projects though. And going windows free for over 3 years now has been a big part of that. I can't stand when I have to use Windows now. Work still forces it on me. But I literally only use it to SSH into my redhat VM.
  All my piracy is media these days. And that's only because the streaming services have basically reached the point that cable did back in the late 2000s.
  Piracy has always been based on convenience rather than cost for me. "Piracy is a service issue" is the famous quote. Additionally it's about services not giving you ownership over the thing you purchased. Which is what a lot of software has become.
  
  Yeah, Gabe Newell definitely was quite forward thinking when he came to that conclusion, and I can definitely say it works well for my Steam Library.
  Honestly at this point the main force that brings me to hunt for media is subscription services, since it always feels like a rug pull compared to alternatives. I paid for things on GOG, I get to keep the installers and back them up. I bought things on Steam, I'm not charged to reinstall or use them on other devices, and I can still download games that are delisted now (RIP poker night at the inventory).
  Now that Blu-rays are going the way of Google Stadia, getting phased out, all I can really do is just rip any media I already have and download what I may need. FOSS tools have already replaced any subscription software I would use for my engineering work.
  
  Yeah I used to pirate Adobe software religiously. Every version. Now I just use inkscape and suffer through the occasional GIMP session.

Publisher matters. Some random website advertising a disk cleaning utility could be malware while a Fitgirl repack most definitely isn’t. Installing something from an official Ubuntu software repository is also pretty safe, while something from a 3rd party repository or community development library could be malware. I also generally trust PDFs from Anna’s Archive and Libgen or Internet Archive, because of the reputation loss to them if it were. You can minimize your risk to a tolerable level this way.
- what about z-library?
  
  If memory serves, Anna's links to them if you check their "3rd party sources" links when doing an ISBN search.

When engaging in criminal activity, you have no "legal" recourse for malicious behavior, so you work on the web of trust instead.
If you can't trust the software, nor the publisher, nor the hash verified by however many seeders, then don't download it in the first place. Me personally, considering I install indie porn games on the regular and never once gotten a virus that I know of, I think it's worth it to trust others.
Of course you could always go into paranoid zero trust mode but sometimes being a social being means trusting the criminal serving you free shit isn't ratfucking your data
- Instead the one that actually ratfucks my data is the game manufacturer that I've paid $100 for the game.

I run a few games posted by johncena141 on 1337x, so I consider it secure enough :p
- If that dude hacked into your machine, you wouldn't see him anyway 🤷🏻‍♂️
  
  He'd be using Bing (search engine) and be Chilling
  
  He'd probably just upgrade your drivers to the latest stable version for your distro and fix all those W: prints you see whenever a guide tells you to "sudo apt update".
  You know who you are and you're me.

I don't know if the malware that could be in these games work on Linux, but I take my time in picking torrents and pick ones through uploaders I know
- That's likely safe. But...
  Most malware isn't trying to make your computer unusable anymore. That was the old days when people just wanted their "hacking" acknowledged.
  You can definitely still be running a crypto miner if you sudo'd something stupid you downloaded on Linux.

No, I try to treat that machine like a quarantine zone, I have a two PC setup and that's part of the reason for it. So basically I don't log into online accounts on that one (except relatively unimportant accounts for convenience, like Steam), and I don't do important stuff on it

the games I pirate are all in my Lutris app which I installed as a flatpak on Linux, so they don't have the necessary permissions to change important files.
also I install them in the virtual C: drive, and they normally shouldn't thouch the virtual Z: drive. I don't think a hack would do that because installing malware on the windows drive should be enough for most people pirating games
- Thanks for the new rabbit hole 😂

I personally run all my games in Bottles (flatpak) with sandboxing on. Even if a game is available for Linux I still run the Windows version inside Bottles just so it's slightly safer.

Clean copies of GOG games can be hash-checked. The only pirated games I really fuck with are GOG.
Although I wouldn't be too worried even if I did because I'm in Linux, and anything I did would be sandboxed and closed off from the rest of the system since it's running in a compatibility layer.
- A compatibility layer like Wine is not a replacement for a true sandbox. Although Wine may have some basic sandboxing capabilities, the default wine configuration grants access to your home directory, which something like ransomware could take advantage of.
  
  and even if you remove the Z: drive letter, in my understanding the software can still access your filesystem if it was prepared to call linux specific kernel functions, or if it has a copy of its own glibc or musl and is prepared to use it

I run such games on Linux now, mostly with wine/proton. There is some risk, sure, but I'd largely say that system is still secure. If something comes by and wipes out the system, I have snapshots of anything important, including root and home. If those are gone, I have versioned backups offsite and maybe offline. I don't expect to receive any malware targeting my somewhat esoteric software choices from windows games, so I feel okay logging into a secure sevice, for example, but I may have to adjust this in the future.
With regards to smartphones, I think there are so many holes that it's not much more secure, if any, than a paranoid desktop setup. From time to time I have installed random APKs and had extreme anxiety each time. I am massively more paranoid about my phone as I don't have real control over what's running on it. Hoping for more competitive open source solutions in the future.
Generally speaking, opening non-executable files is fine. There are and have been specific exploits which allow arbitrary code execution, but it's dependent on the application/library loading them. The bigger danger is files disguised as other things. This is especially bad on Windows as it likes to hide that information from users, or just execute random embedded vbscripts, or whatever. Also see the recent whatsapp mimetype bug/exploit. Certain things pose more of a risk than others. PDFs (thanks adobe) can embed arbitrary javascript which is meant to be executed. Same as web pages, of course, but browsers have a lot more attention to sandboxing.
Edit: I don't really run cracked software anymore, but I have VMs ready to go if need be. Would recommend others do the same.

I’ve never run it because I have had zero evidence to tell me it would be safe. I do run older games in emulators up to PS2. I see no issue with that.

pdf files can contain javascript code that can run when it is opened. but when using complex formats (I think almost all video files, pdfs), it can happen that the software that understands it makes mistakes when reading it and making sense of it, and an attacker tries to make use of this to trick your software into doing something that wasn't intended by its creator. this is how it can happen that an mp4 file (or mkv, others, ...) cannot contain executable code (according to specification), and yet it can
in the case of pdf files, bundled fonts may be another source of problems

Strangely enough I’ve found that some kid in India or Russia distributing his crack doesn’t do it to control my PC or to infect it.
Big corporations that install root kits or use hyper invasive cheat software (even when no competitive mode even exists) are far more insidious and untrustworthy.
I worry more about the hidden telemetry of big apps more than some crack being infected. Hell even MS virus scan will throw up false flags because the software just isn’t a registered dev or will quarantine an exe in error (libremonitor for example).

My tax machine is a VM. On another server (proxmox)
- You do your taxes on a VM? FreetaxUSA works just fine on Linux.
  
  Why is it always like this...
  Not everything and everyone is in the US.
  I also prefer Windows to Linux in the desktop environment. As for my server tasks, I mostly prefer Debian and if needed I'll use Windows Server (obviously unlicensed/not activated).
  I'll use what fits for the task. :)
  Edit: Also not a bad thing to separate a machine that holds sensitive data (even if they are encrypted) from another with a higher risk rating. Even if it's Linux, Mac OS, Unix or whatever based.

I'm on Linux, using Bottles to run pirated games. It adds a little bit of sandboxing, compatdata is usually a weird environment for malware to effectively work in (unless the malware is written specifically for it), if the game is really sketchy then I'd just disable network access for bottles flatpak too just to make sure.
All in all, I do sometimes have a little bit of paranoia and look through processes to see if there's anything running and periodically go through some folders to see if there's anything weird or unusual there, I'd still consider my machine to be safe.
As for the last question, PDF's are an attack vector and should be used with caution. As for other file types, it depends on the software you use to run them - if it's something pretty barebones that just plays it then it's usually fine, but if its something more complex and reads some custom data embeded into those files, then it can be a vulnerability. Not a security expert though, but it's the gist I got from looking at some historical vulnerabilities.
- First thing a malware would do is to replace top/ps and related utilities, to mask itself. Or directly replace kernel calls. You will not notice by just checking running processes

yes. pirated software is suprisingly secure most of the time.
im also not running windows. malware not meant for proton is gonna have a bad time working.

Seems like most pirated software does a good job of trying to cut software off from internet communication so that it doesn't get sniffed out on an add-on or update query. I don't trust most software companies anymore as far as security goes either. So the short answer is at least personally, after scanning everything before and after installation and check network monitor for anything that looks weird while running, yes I consider my system secure still.
Curious what "safe" list you are referring to?
- Curious what “safe” list you are referring to?
  This community's wiki/megathread

An OPSEC community would probably say no, so I probably don’t need to ask in those communities. But I’m curious about a (digital) pirate’s perspective on this issue…
Still committing OPSEC crimes, but I'm not as bad as I could be :P
I mean, the sources listed here are supposedly “safe” right? But honestly, how much would you trust these “safe” sources?
I think we're talking about different sets of standards. Even with that in mind, my own "trusted" list is a much smaller handful of any list posted online. Trust in pirate spaces shouldn't mean at face value and should be constantly tested with stuff like virustotal. It just means I haven't been compromised or seen anyone else report back with an infection for a long stretch of time on a specific website. There's always occasional breaches as malware enthusiasts test the waters now and then, usually not with a big/popular release. Stuff that could fly under the radar. Usually it comes down to whether or not that website has an active comment section or forum with active mods/admins who stamp it out continuously. I tend to prefer traditional bulletin board forums. rutracker.org or cs.rin.ru. I still don't touch any file right away. I let other people be the "brave" lab rats. See if any squeal first. I tend to avoid niche application piracy entirely. Those seem (and have been in my youth) to be the virus hotbeds cracked by total unknown entities. Plus I don't mind paying for independent / small company niche software. Often enough in those cases I can find a free open source alternative anyways.
It's worked out so far. I haven't been compromised in my adult years. But this isn't some "do as I do" thing, it's basically internet street smarts. Comes with experience and infections. I minimize risk and can trust my gut now, but I acknowledge it'll never be risk free.
When doing sensitive tasks like banking or filing taxes, do you:

>Use a different OS on the same machine? (Dualboot) >Or put the pirated content inside a virtual machine? >Or just use a completely separate computer?
Separate computer. An otherwise useless old laptop running Fedora. OPSEC would probably say it's not good enough because it's on the same network as computers which installed pirated software.
And since PC is much different than a Smartphone:
Would the extra sandboxing on Smartphones make pirating games on a Smartphone much safer compared to on a PC? (Not that there are much mobile games worth playing, just curious)
GrapheneOS here which does sandbox better than most, but I don't use my smartphone for anything sensitive. That's really without trying to, it's just not something I ever felt the need to use a smartphone for. I'm not as familiar with Android/Linux as I am with Windows. I know exactly where to periodically check for telltale signs of infection on Windows. I can still bend that OS to my will even as it gets worse for most end users. I'm less sure of myself on anything else. Working on that, HTPC is Fedora KDE spin now. Like you say, not much mobile games to play. I think I've bought like...3 ever. So, never felt much need to sideload. I usually stick to F-Droid and NDS emulators anyways. I have a Picross / Picross 3D addiction.
Non-installed/non-executable files such as .mp4 .mkv .mp3 .pdf .epub, are mostly safe right? I mean, you are using another program to opening it, not executing a file, there aren’t much attack vectors as long as the video player / ebook viewer is up to date right? (Or am I understanding it wrong?)
Usually, but sometimes there can be a flaw in a specific application exploited. I don't think I know of any from media formats outside of maliciously edited ROM files smc or v/z64 for cartridge based system emulators like extremely outdated ZSNES or Project64 1.6 specifically.

I'm running the games in Linux, using Lutris as a launcher with a default configuration that wraps them in a firejail sandbox (for anybody interested, you add firejail as the "command prefix" under Global Options or in the System Options of the game) which amongst other things blocks networking.
In fact I went and figure out how to do all that exactly because I wanted to run pirated games in Linux in a safe way and you can't just rely on the lower probability of Windows games of having code that tries to determine if it's being run with Wine and accesses Linux-specific functionality and files if it is.
PS: That firejail stuff also works for Linux native games (it just wraps whatever you're running to start the game, be it Wine or directly the game Linux binary).

Any questionable software I have is coming up on 4 years old now, most of it is older than that. I move them to a new machine every time I upgrade, simply because I don't trust torrents anymore.
Honestly, I don't trust PDFs anymore unless they're from places I know are "safe" which kind of sucks because I've been getting back into RC as a hobby and it's hard to find non-pdf plans. I prefer vector files, but I'm having to try my luck with jpg and png files.
A lot of the programs I used to use have been surpassed by current FOSS projects, and I've been replacing them as I can. Finding an open source laser engraver program that isn't shit is proving difficult.

I mean, I pirated the Windows 10 installation on my gaming PC. Massgrave scripts helped out though, so there's that.
That said, I'm wiping Windows soon and installing LMDE. It's the last Windows PC in my house (minus W11 work laptop - that doesn't count though).

I don't consider anything with Windows safe. I do all of my non-gaming computing on my laptop with Linux.

I dont run non free software. All games are in emulators or i buy them on steam or get them free on epic and play via heroic.
Any ebooks or pdfs are scanned on virus total and one positive result is enough to get deleted. I also only read them on an old tablet and old kindle both from around 2011/12 with networking disabled. They are only used for this purpose.

Let's not be fooled by memes and buzz. Crackers don't crack it to infect your computer and make money. They do it to le t others play the game. They benefit by getting to play some other game someone else has cracked and distributing. And maybe they enjoy it as it's challenging. Cracking isn't about infecting people's computers. When some pirated game comes with some ransomware or trojan injected, probably it's been done by someone else whose passion is totally different than that of the cracker. They take the crack, modify it and then redistribute it malware injected. So, maybe, by downloading popular torrents, I mean if you make sure it comes directly from the cracker group, you can avoid malware except the spyware the game manufacturer has put into it, of course.

50 comments