So I have a game I am only wanting to share with my friends but thanks to a guy who hacked one of my friend’s account, the phrase “hey I made a game I want to you try” is now suspicious on discord. As a stop gap I’m offering to jump in to voice chat as a way to show my friends its actually me asking and my account didn’t get hacked, but I was wondering if the unity community has any ideas or ways you have all gotten around the current discord issues.
Long story: My friend, we will call him Bob, got a message from one of his friends asking if Bob could play their game. Bob’s friend got hacked, and the file was some kind of hacking software that gave the hacker access to his discord account. After a long battle my friend got his account back but it was still traumatizing to all of us because the hacker got abusive once we started calling them out. So sharing files has been scary.
Yeah it’s a really annoying issue ><
A friend of mine received such a message too, but luckily did not click. That information went around in many large Discord servers and people are rightfully suspicious.
Here what such a scam message can look like for your information:
Supposedly there are also better English variants out there and even bots that try to mimic the victims normal greeting\talking style.
Guess safest is to announce that you are working on a game in time and show some screenshots first. Not jump out of the blue with a link.
Of course this only works until the neverending loop of hackers improving their tactics and destroying peoples trust goes into the next round x.x
@Murgilod It’s a general recommendation to not click any links at all, so even WebGL build is not really an universal solution…
Edit: Maybe sharing here in the forum and linking the forum would be a somewhat safe way, since “forum.unity.com” should sound trustworthy enough, lol (short, universal .com domain names usually are owned by some proper company).
This is not true at all and, in fact, a webGL build on a trusted site like itch.io has been the standard recommendation for sharing tests for this very reason.
Nope, and we remove exes when we find them linked. It’s not safe to download .exes from the forum. Period. WebGL is the only safe way. Feel free to quote me on discord or any other media.
And what about games that involve native DLLs and thus cannot be ported well to OpenGL?
Or when OpenGL simply is not the target platform for other reasons?
Guess when it’s my turn, I’ll have to rely on people trusting me due to screenshots etc.
Create a zip archive of your project and upload it to VirusTotal. This is a free service that will scan the archive and provide a report of what the virus scanners detect. If it finds nothing malicious it will outright say that at the top of the screen. Just provide the report wherever you provide the download. Ideally on a site like Itch.io.
For example here is the report for Corgi’s raytracing demo.
Well, that assumes the exe contains a known virus, and not just software that’s malicious in design. You could create a pretty nasty little exe that if given permission would cause havoc.
If the assumption is that all software is malicious by default, then the user won’t be able to ever use anything. As anything can be malicious.
At the moment a good form of a software behavior would be (in my opinion):
Zip archive or 7z archive with no installer. Because the user can’t know what the installer is doing, and installer can request elevated privilegies and wreck things. In the past it was common for installers to wreck fonts.
The application never requests elevated/admin privileges and can be installed without them.
Signature/checksum is a good idea so the user can verify that the package came from you and not from someone else.
That can be tied to virus total. If virus total scans your package, there’s nothing found, and checksums match, it means the package is less likely to be maliciously designed.
At the moment most operating systems run in restricted mode without admin privileges’, which is a good practice. So, if software does not require admin/root for installation/operation, it can deal less damage.
Would be great to go further and implement full sandboxing by default, where an application is only allowed to modify its own data folder or a few folders where it has been granted permission to operate.
Indeed, it only shows that I probably haven’t let someone else infect my stuff. If you fundamentally don’t trust me then you shouldn’t be running my stuff at all, and if you’re concerned about being the target of deliberate attacks then you need to secure yourself accordingly.
And that probably involves not downloading untested software onto sensitive machines at all.
