This doesn't really help though, for a supply chain attack, because you're still going to need to decrypt those keys for your code to read at some point, and the attacker has visibility on that, right?

Like the shell isn't the only thing the attacker has access to, they also have access to variables set in your code.

For example, for vars to be read, you’d need the compromised code to be part of your the same project. But if you scan the file system, you can pick up secrets for any project written in any language, even those which differ from the code base that pulled the compromised module.

This example applies directly to the article; it wasn’t their core code base that ran the compromised code but instead an experimental repository.

Furthermore, we can see from these supply chain attacks that they do scan the file system. So we do know that encrypting secrets adds a layer of protection against the attacks happening in the wild.

In an ideal world, we’d use OIDC everywhere and not need hardcoded access keys. But in instances where we can’t, encrypting them is better than not.

(And that sort of ephemeral-login-for-aws-tooling-from-local-env is a standard part of compliance processes that I've gone through.)

Warner Bros anachronistically keeps this website online would be a simple fix; here used to reference and to point out that maintaining an untouched 1996 promotional site at it's original location is not typical for the lifecycle of a website, usually the publisher would rather redirect clicks to some current offer.

Othwerwise there is no anachronism here with the website itself, just it's location under the original URL and not in some archive only.

The website itself fulfilled its purpose for promoting the movie when it was released and simply continues to exist.

You wouldn’t call posters, magazines, or other artifacts from the ’90s anachronistic just for still existing. Being retrievable doesn’t make something outdated by itself.

“Anachronistic” would apply only if a new promotional site were created today to look like this—though that would more likely be called “retro.”

Or if the movie industry insisted on using CSS-free table layouts for all its promotional websites, similar to other norms or laws that feel anachronistic because they no longer match current needs.

Sadly the whole piece reads like it was written 80%+ by an LLM too, seriously why all the emojis? But apparently this is where content is heading in general.

GTA VI will probably run single player on proton fine, GTA V does. Multiplayer will probably not.

The multiplayer with kernel level anti cheat will keep Sony safe through at least another generation; Microsoft is less safe as they're so vulnerable this generation anyway.

This isn't really true. As GP said, there isn't a kernel level anti cheat for linux. You can switch a flick on BattleEye to run on linux but it wont be a kernel level as it is on windows. So there is an incentive for them to not turn it on because it simply is the worse version than the windows one. As far as I know even on windows you get cheats even if it is kernel level. Meaning, allowing linux you'd probably be flooded with cheaters if you already get them on windows.

There's an easy way to not get cheaters, or at least to slow down their impact: stop making your games "free to play". When cheaters have to buy 60€ games everytime they get b&, eventually they'll run out of money.

For example, the top 10 games in Korean PC bangs last week were:

1. League of Legends

2. PUBG (I think)

3. Fifa

4. Valorant

5. Overwatch 2

6. Sudden Attack (a KR FPS game)

7. Maple Story

8. Lost Ark

9. Dungeon Fighter Online

10. StarCraft (Brood War, I believe)

The next 15: Diablo 2 Resurrection, World of Warcraft, Diablo 4, Lineage, Eternal Return, Path of Exile, Warcraft 3, Black Desert, Cyphers, Aion, Path of Exile 2, Diablo 3, StarCraft 2, Tales Runner, Final Fantasy 14.

Lineage and Brood War weren't even made in this millennium!

I didn't name any franchise. I only mentioned Battlefield to compare it with the mentioned Duck-Game, as they are both on Steam where everyone can see the numbers. I mean if we are talking about the real big numbers, then we would be with Minecraft, Roblox, Fortnite, LoL, which are all not on Steam; making number-checking a tad harder.

> Games like Battlefield are up there, but I don't think they're the games people mainly play over the years.

As a Franchise it seems moving Fifa, very popular, but also seasonal peaks. Each new version shoves in players for a while, until they are satisfied again. Though, I don't really play them, so it's just external observation.

A linux native game called Banana got almost a million concurrent player peak (compared to #1 CS2 having only 1.8M). This didn't exist 10 years ago - the gaming landscape is entirely different in 2025.

This call that gamers generally play 1 game only is extremely dated especially when flavor of the month games are extremely in right now. I'm sure Valve with the biggest gaming dataset in the world didn't just dive into this blind.

1 - https://steamdb.info/charts/

It's not guesswork, it's reading the statistics. Gaming Reports are regularly showing that the majority of gamers and income is with only a handful of games/franchises.

> You can actually see gaming distribution on open steamdb[1] stats and every year the amount of games avg player plays grows higher and higher.

Yes, because the market grows. But look at the numbers, the top is always with the same games, with the same numbers, which are usually in a complete different league then the rest. The Top 5 Games have usually 10-20 times as many players as every other games. And, be aware that this is only Steam. The gaming market is much, much bigger than just steam. Steam is kinda its own bubble with a skewed view.

I'm not saying steam or indie-market is small, but people looking at PC and Indie-games develop a kind of natural filter for the real behemoths of the market.

> A linux native game called Banana got almost a million concurrent player peak

We have at the moment >3 Billion Players. 1 Million gamers for a shady shortlived hype-game is not bad, but it's not even remotely winning the market, or setting a trend. At best, it's setting a trend in a specific niche. Valve wiped out billions of value in CS-Skins some week ago. That's more market-influence than a free game with shady skin-business will ever gain.

It is essentially a software toy people left running to generate random items some of which ended up being speculated on generating some money for "players".

The pressure to get more games on your platform has never been as low as it is today and has never been this low on Steam itself. You could spend a lifetime with the current Steam library and never feel bored.

From product pov Valve feels very comfortable and I bet they have the data to back up this move with basically unlimited war chest. If anything I feel like Valve is pressuring game developers of these major games here - not the other way around.

Not everyone experiences gaming the same way.

Yeah exactly. Depending how much you care about playing with friends compared to playing at all you might make that choice.

That's exactly how console sales worked in the past. I bought an Xbox because all my friends were playing Halo, and I wanted to join in...

The recent phenomenon of games supporting cross-play out of the gate is probably eating into this, but exclusives were a hell of a moat back in the day.

As a gamer, why would you want to spend a few hundred bucks on a gaming box, when it isn't able to play the biggest hits? Who would want to deliberately limit their ecosystem to indie games?

There's a nonzero chance that BF6/GTA6/etc becomes a thing that everyone wants to play. If all your friends are raging about how much fun it is and are all playing together, aren't you going to regret buying a Steam Machine?

Sure, you can still play Super Meat Boy, but that doesn't matter - they regret what they can't do.

Is it you, or is it the children? No, it's definitely the children who are wrong.

Sony's in trouble; their crown jewels are all on PC right now! You can buy a Steam Machine next year and play all the Spider-Mensch, the Lost Hose, the Ghouls of Yo-Kai!

It's almost certain no one bought a Steam Deck primarily to play DotA, and it remains to be seen if any has a meaningful impact on the Steam Machine, but I doubt it.

Why would I want to limit my options for occasional AAA gaming to the graphics supported by a particular console, when I can spring for GeForce Ultimate for a month and play BF6 with amazing graphics at 120 FPS, on my TV or my laptop, or my iPad or my phone? And play with even better graphics two years from now, as the state of the art advances.

Sure a different option would likely be best for people who know they want to play AAA, all the time. Although, even for many of these people, the Steam machine is probably a great second box for many, that gets you however many 100s or 1000s of titles they have in their Steam library.

But a fear based "you might miss out occasionally" argument is unpersuasive. Especially in a world where some games are exclusive. My swanky new PlayStation is no help if everyone is raving about the new Nintendo game.

???

Look at steam top 100, sure there are 2 or 3 games you wont be able to play on there, but there rest work just fine. And sure there are popular games outside steam, but even if none of them worked (which is not true), for most gamers its a non issue. (And Valve is probably not really concerned about them)

The only games this limits are online competitive (most of the time FPS) games. There are plenty of gamers, myself included, that have 0 interest in such games.

In short even if 0 online FPS games are playable on steam console(which is not true), there are still 10s of millions of gamers, who wouldn't care.

As far as why wouldn't people pick something that can play 100% of games is because they cant. Even the best PC cant play Nintendo games, not all PS games are on PC or xbox, etc. You always have a trade off. And plenty of people still buy PC's,Deck, PS5's and Switch consoles.

My guess id more people won't buy it because, they want better specs, not because a few games wont work on them.

But that still leaves millions, potentially tens of millions of people.

That thing is going to run a ton of games that other consoles don't.

Few customers are going to replace their PC with it, but if you have the cash and want to add a sleek console to your living room that will also stream from your desktop in a pinch, it's probably a great deal.

Now, with IA cheating being the norm now, I think Valve has a real chance to add a microchip to "certify" its console and so playing Fornite (or over 3A) on it.

Will be a added value over a gaming PC, I don't think they will miss this opportunity for too long.

I am expecting the day Microsoft decides to take all their studios out of Steam, if SteamOS starts to be too much of a pain.

The value proposition is basically play your existing Steam library (and emulated games but that will be left unsaid) in 4k on your TV with an interface suited for it. I am not sure they are that dependent of upcoming games.

I will probably buy one because I really enjoy my Deck and I would like to play some more taxing games on a large screen from time to time and I’m never going to buy a PS5 because I have no interest in tying myself to Sony and playing exclusively on my TV.

That is going to be a no go for any SteamOS device when an highly anticipated game gets released on day 1.

Maybe playing with the anticheat enabled makes you immune to being reported for cheating (because they can verify down to the kernel level that you aren't), but you can still play without it (but without the immunity from being reported).

Obviously they wouldn't do this in today's market because there's no incentive to do so, but if a significant portion of gamers moved to Linux, offering a Linux solution might become a reasonable choice for game studios.

I can imagine a whole scene popping up where everyone cheats to the max, creating whole new game modes.

That would be very interesting. I also bet that people would start developing bots that play the game better than a human could and eventually it would essentially turn into digital BattleBots.

And anyway I (and many other people!) have valid keys for basically all widevine streams extracted from supposedly secure android devices. That DRM approach ended up failing miserably and torrent sites are full of WEB-DLs.

Also some services will just downgrade you to a lower quality stream if your device doesn’t have the appropriate keys.

Gamers don't like playing with cheaters.

You could be playing against an AI model specifically trained on that game. No anti cheat is going to detect that.

I imagine that if this happens, it will be followed by popular Linux distros finally becoming serious about their Secure Boot implementations, instead of simply shimming it or seen as a rarely-used feature reserved for enterprise distros like RHEL.

Some of us actually think that having some sort of validation that our OS hasn't been tampered with is a feature and not a bug. It's only a problem when companies parlay that validation into anti-consumer DRM - but that's a political problem, not a technological one.

All the platforms that went all-in on secure boot like things and attestation are anti-consumer hellholes that slurp all your data. The evidence just does not look good. Maybe Linux is different, but it's swimming against the tide here. It would be the first of it's kind.

There’s Dota 2, CS2, TF2 all of which are much better games that you’ve listed, and thousands games more.

And you can absolutely play GTA, thankfully without horrendous online. The only thing steam should do is to ban their shitty launcher for eternity.

In order to 'win' a console generation there needs to be support for the games people want to play. Capitalism is a literal popularity contest, and any console that doesn't have Fortnite, COD, FIFA, etc won't win, regardless of what you or I might think of the games.

The reason why Steam can't win a console generation is simply because Microsoft, Sony, and Nintendo have enough sway over publishers (especially ones they own) than they stop popular games being available on a rival platform. They market it as 'exclusives' but really it's just anti-consumer.

Point being that if changes are a given, then it's possible for it to run on Linux in the future.

CS:GO is the highest grossing game on Steam, according to some sources, all agree its top 5.

Why is that irrelevant?

Roblox made $3.6B in 2024. Fornite makes $3-5B/year for the past ~decade.

Genshin Impact is estimated to make ~$10B this year.

Not only in revenue, but all of the above have way more cultural impact/awareness too.

The pond is very big, but it's easy to miss that if you're in a bubble in that pond.

That's fine! I was surprised too.

Something I've learned with age is it's better to have a laugh together than throw out more cover.

thats not irrelevant

But it's fairly scummy how it doesn't seem to send you any email, the payments have a very vague generic coding like "AMZ2318971239", and the actual subscription management is super buried. I only noticed it, after years of using Amazon a fair bit, when I went deep into my account panes looking for something else.

> On January 24, 2025, security researchers from Kudelski Security disclosed a vulnerability to us through our Vulnerability Disclosure Program (VDP). The researchers identified that Rubocop, one of our tools, was running outside our secure sandbox environment—a configuration that deviated from our standard security protocols.

Honestly, that last part sounds like a lie. Why would one task run in a drastically different architectural situation, and it happen to be the one exploited?

They only published a proper [2] disclosure post later once their hand was forced after the researcher's post hit the HN front page.

[1]: https://news.ycombinator.com/item?id=44954242

[2]: I use that term loosely as it seems to be AI written slop.

Someone made a mistake. These things happen.

> and it happen to be the one exploited?

Why would the vulnerable service be the service that is exploited? It seems to me that's a far more likely scenario than the non-vulnerable service being exploited... no?

> Someone made a mistake. These things happen.

Some company didn't have appropriate processes in place.

For ISO27001 certification you at least need to pay lip service to having documents and policies about how you deploy secure platforms. (As annoying as ISO certification is, it does at least try to ensure you have thought about andedocumented stuff like this.)

Yes but that's kind of the point - they say this issue that takes you directly from code execution to owning these high value credentials was only present on rubocop runnners but isn't it a bit coincidental that the package with (perhaps, since they chose it) the easiest route to code injection also happens to be the one where they "oops forgot" to improve the credentials management?

It just seems very convenient.

I don't think this is necessarily bad. Compared to people who only dabble in things, someone who spends a decent amount of time on something actually is "pretty good" at it even though they might not be top tier to people within that same culture.

I think there is some popular (dan luu?) blog about this. You can actually pretty easily be in the top 1% of skill or knowledge on something, and while that doesn't make you a world expert by any means, it does kinda make you an expert to an average person. My 1600 rating is very good within the pool of people who know what chess is and can play it, even though it's not impressive at all for people who actively play chess.

Also, most people who are good at something let their actions speak.

The difference between good and mediocre is significant. To the point that I cannot return a good tennis player’s serves. The difference between mediocre and post beginner is just as significant.

Two nice things about golf - the handicap system let's two players of different level engage in fun competition. (Yes, handicaps can be manipulated, but for the most part aren't. )

Second a very good player can play with a bad player, and both can have fun. The social factor is more important to the fun, and I've enjoyed tight games with people with hugely disparate handicaps.

With tennis I always want to play either someone just a little bit better than me. Someone who can help me get a bit better all the time. My enjoyment of the game depends a lot on their performance.

Both are enjoyable in their own right.

I only experienced something like this once, late 90s. We thought of ourselves as pretty ok StarCraft players until we got some visitor to a lan party who basically demolished everyone. This was pre-ladder iirc so you only played a handful of games online.

Tennis of course is harder. You can only be as good as the people you are playing with.

That’s the appeal of Dunning-Krueger. It’s become a blanket label for every moment of ignorance or confident stupidity someone sees in others.