Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Knowledgeable people can just add Steam to the set of applications that must be installed in its own isolated environment. How would the typical Steam user know to do that? Is there a prominent warning on the install screen informing users that Steam will be used to hack their machine and anything they have stored on it?


How would one achieve this on Windows short of having the entire Windows install be isolated from your main OS? I would assume most users would not want to run their games in a VM inside Windows for performance reasons.


It would probably be better just to have a separate partition with a separate OS install. Either way, as you indicate, this is an unusual imposition on the user. Valve are holding themselves to a much lower standard than one would expect.


Disable the Steam service. Run Steam only on a separate user session with limited rights (no admin and no access to your files). So essentially you'd have to manually switch user, via the login screen, to play your games.


You've missed "Install Steam somewhere inside separate user's home directory" to not dealing with UAC on each update.

I moved to separate Wintendo box which is the best solution.


As far as I'm aware, Steam makes its own folder writeable by everybody. Besides, you should get an error instead of the UAC if you're running as a non-admin account.

But yes, separate hardware is safer.


Could steam be legally liable for the issues bugs give to the end users if they know of the issud. I know they have TOS forbidding this but ToS need to take into account laws.


At some point this is less of a steam issue and more of a Windows issue. An OS shouldn't allow applications to compromise eachother.

Steam should maybe be liable if they are actively thwarting disclosure that would protect users but that's a tough thing to establish legally.


It's a Steam issue, given that background services don't have to run as SYSTEM, and yet Valve decided to have Steam's background service do precisely that.

Thankfully, the Linux version doesn't seem to have this problem (AFAICT).


I think it should become a Windows/Microsoft issue, to be honest. A good example is the recent Zoom vulnerability, the software made it possible to perform certain exploits on the user and operating system, so Apple stepped in and disabled the exploit. In this case, I think Microsoft should do the same in order to protect their users. My guess would be that the install base of Steam on Windows is as least on par with Zoom on macOS, if not many times larger.

In the end, Microsoft will get bad reputation for having an insecure OS (not to even mention Valve here, and in the long run it will hurt them as same as it did Adobe with their Flash stubbornness).


True; it'd be really nice if Microsoft started deprecating running non-essential things under the SYSTEM user. Windows could/should emulate the OpenBSD strategy of running services/daemons as unprivileged users dedicated to those services instead of as root.

Windows does support this functionality, and ultimately Valve's to blame for not using it, but you're right that Microsoft should be more proactive in encouraging good design and discouraging bad design.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: