Summary: https://user934.com/2025/04/29/investigating-suspicious-beha...
I encourage you to cease contributing to the enshittification of the web.
Also, what did you expect from cheap no-name IoT shit? As we say, the S in IoT stands for Security...
I don't think the author of this piece found it useful to speculate though and I have to agree. No need to break out pitch forks - let those involved get to the bottom of it.
We have seen prototypes that can make network requests out of the sandbox, call winapi functions, and do anything else with the same privileges as the game, which, worst case, is admin because players like running things as administrator. All of those exploits are fixed, now.
The issue remains one of the largest problems in the community, and sites that are well known for distributing mods with malware (which is pretty common) are at the top of Google search results.
BeamMP allows mods on servers, which causes clients to download and then execute code from those mods. That's a huge attack vector and BeamMP has been working hard to warn users and to come up with ways to prevent problems; but without funding (BeamMP is free) there is a limit on what can be done. The infrastructure costs already are sky high for supporting the crazy amount of users they have.
Sadly, everyone involved loves NDAs - I can only hope that companies start doing writeups, but I doubt it. So that's all the inside info I can give ;)
I remember when FPS games first embraced the mod community back in the late 90s many of them had their own dedicated scripting engines (QuakeC, UnrealScript, later quake 3 arena had "real" c programs but they were compiled to a custom bytecode interpreter) that didn't have free reign over anything but the game state and that seems like a much better way to do things. Games used to have options to let you automatically download requisite mods from servers and it was safe to do so, at least in theory. I have no doubt that at some point in time there was a ROP vulnerability that could've been used to turn this into a devastating malware vector but at least then the scripting engine wouldn't be functioning as designed.
What I meant is, I have ideas I like to explore but a two-liner blog post won't entice anyone.
For example on https://user934.com/2025/04/22/securing-home-and-smb-network... I mix several ideas together and define the test plan (chapter 5), and let LLM fill in the blanks. Plus I clearly identify it as mostly written by LLM, which is better than most SEO garbage spam. So I think I've achieved a good compromise.
[0] Like you're some kind of activist or maybe in an oppressive regime
In short; you need to give Lua power over your program in some way, and that's the weak link. Lua itself can run with zero access to the world, but then you have nothing more than a calculator or config file.
It's also really good to hear such an open and direct description of how things were/are, too. Clarity defeats the risks around obscurity of the unknowns. When the general public is given more info to work off of, they have a better idea of where the risks are, and how they can defend from, or if they are malicious - attack from, accordingly. The sharing of that information simply works to define what the areas of concern are for everyone involved.
Is there a business model? Just Patreon? It seems unbelievable that’s enough.
This all works because the only expenses are necessary operational costs, for example server costs for the backend.
All developers, support, moderation, etc., which was around 53 people when I left in January, are volunteers and do not get paid. This is mostly because it would not be sustainable, because when you pay people, you have to pay them in accordance with local laws like minimum wage. Nobody, not even the founder, is taking money out for themselves.
I hope that answers your question! And it's great to hear when people use it :)
davikr•1y ago
[0]: https://news.ycombinator.com/item?id=41063489
pixl97•1y ago
Honestly with most developers I know, unless they also have a strong security background, it's not weird or surprising at all. Security features (almost?) never make debugging easier. When confronted with a failure that presents challenges devs will disable things that limit access or otherwise randomize the output in order to catch the problem and then 'hopefully' come tighten it back up when they are done. Unfortunately the second part rarely happens unless you have security auditors follow you around.
pjmlp•1y ago
However it is indeed a quixotic battle in some scenarios, regarding security best practices.
LegionMammal978•1y ago
The lesson I'd take here is "don't embed a web browser to run untrusted code unless you can keep it up to date 24/7". Hence the popularity of Lua interfaces for mods. Or even the alternative JS engines built for such purposes.
ortichic•1y ago
pjmlp•1y ago