
Question about changing game settings/options

Oh, ok. So to recap:

  1. Games run from a read-only location to prevent users from allowing malicious software to modify or compromise the executables (or other data).
  2. Windows can't trust that the game itself won't do anything malicious, so it may not let the game write to any saved files (or the game can also be installed in a read-only location).
  3. Saving settings and saved files in the AppData or Saved Games folder is a common solution, as not only are they safe and writable, but they're also "unique to the computer user, so when someone else logs into their account and tries to play the game, they're not getting all your save files or settings, which is just a nicer experience".

So here are some of my follow-up questions:

  1. Don't these AppData and savegame folders have security problems (the fact that they're always writable and the hacker now knows where to attack)?
  2. Is there any way to make the game more secure?
  3. Do you think Windows's way of dealing with this kind of stuff is enough (e.g. read-only folders, the AppData/Saved Games folder, etc.)? What more can Windows do to help us?
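As an added illustration of the layout recapped above (not code from the thread), this PowerShell check inspects whether an install directory is writable by broad non-admin principals and where the per-user settings and Saved Games folders resolve to; the install path `$env:ProgramFiles\ExampleGame` and app name `ExampleGame` are placeholders.

```powershell
# Added example, not from the thread. Lists broad non-admin principals that are
# granted write rights on a path; a read-only install location should return none.
function Get-UserWritableIdentities {
    param([Parameter(Mandatory)][string]$Path)
    $broad = 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone'
    $writeMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
                 [System.Security.AccessControl.FileSystemRights]::Modify -bor
                 [System.Security.AccessControl.FileSystemRights]::FullControl
    (Get-Acl -LiteralPath $Path).Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            (($_.FileSystemRights -band $writeMask) -ne 0) -and
            ($broad -contains $_.IdentityReference.Value)
        } |
        ForEach-Object { $_.IdentityReference.Value } |
        Sort-Object -Unique
}

# Reports the two properties the recap relies on: the install directory is not
# user-writable, and settings/saves live under the current user's profile.
function Test-GameLayout {
    param(
        [Parameter(Mandatory)][string]$InstallDir,  # placeholder install path
        [Parameter(Mandatory)][string]$AppName      # placeholder app name
    )
    $settingsDir = Join-Path $env:LOCALAPPDATA $AppName        # per-user settings
    $savedGames  = Join-Path $env:USERPROFILE 'Saved Games'    # default Saved Games folder
    [pscustomobject]@{
        InstallDir            = $InstallDir
        InstallUserWritableBy = (Get-UserWritableIdentities -Path $InstallDir) -join ', '
        SettingsDir           = $settingsDir
        SavedGamesDir         = $savedGames
        SettingsUnderProfile  = $settingsDir.StartsWith($env:USERPROFILE,
                                    [System.StringComparison]::OrdinalIgnoreCase)
    }
}

Test-GameLayout -InstallDir "$env:ProgramFiles\ExampleGame" -AppName 'ExampleGame'
```

An empty `InstallUserWritableBy` together with `SettingsUnderProfile = True` is the layout the recap describes; a non-empty list means a standard user (or software running as one) could modify the installed executables.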

Replying to mmozeiko (#26114)

Windows does not really care and does not want to prevent you from running programs by default. All it does by default is protect system files & different user files by not allowing unauthorized access to them.

It could do much more security-wise, but because of backwards compatibility it won't. Otherwise a lot of older software would not work anymore.

Making something "secure" is not a simple thing. First you need to define risks, evaluate them, and identify potential attack vectors. Only then can you start making software secure by guarding against specific risks / attack vectors. Doing something without knowing what you are guarding against is a really bad way to approach software security.


Edited by Mārtiņš Možeiko on
Replying to longtran2904 (#26115)

The big thing that Windows could do is move to a sandboxed app-based model, like how phone apps work, where each app has individual permissions for what it can access and the user must acknowledge each permission they assign.

But like Martins mentioned, a lot of existing programs will then just break.


Replying to longtran2904 (#26115)

Microsoft introduced sandboxing in Windows 8, which was called "Metro Apps", but nobody wanted to use nor develop them.

The only way to get security by default is to limit what developers can do, but most developers realize that walled application stores have their own interests and might kick out competing products or manipulate ratings for their own profits.

Web applications tried to sandbox applications too, but only ruined the user experience (no right click, has to open a download dialog just to save changes, ugly vector graphics or slow loading) without any benefits to security (still need to block all scripts to avoid rootkits). As soon as web browsers could do dangerous things, all web browsers had to allow it or be the "broken browser" that nobody used. If you try to remove permissions from web sites to read the news, you notice that 95% of websites ask for permissions that have no benefits for the user, only to steal your browser history and sell it to criminals. Some sites will actively block you from viewing any content unless you run their malicious code.

You can install a sandbox or virtual machine if you want to run applications with better security on Windows, but this won't help the average users and won't block Microsoft's own malware.

Because there is no functioning democracy in software platforms, you only have the anarchy of Linux with incompatible dependencies, the renegade badlands of old Windows versions, or the police state of Apple telling you what to like or be unpopular for not liking each year.


Replying to ratchetfreak (#26117)

What does a sandboxed app-based model look like? And how much will it be different compared to the current way Microsoft does stuff?

Microsoft introduced sandboxing in Windows 8, which was called "Metro Apps", but nobody wanted to use nor develop them.

Just curious, is "Metro Apps" any good? Did nobody want to develop or use it because it wasn't that great, not well supported or documented, or did people just find it limited and hard to develop for?

Because there is no functioning democracy in software platforms, you only have the anarchy of Linux with incompatible dependencies, the renegade badlands of old Windows versions, or the police state of Apple telling you what to like or be unpopular for not liking each year

How do other operating systems handle security (e.g. macOS, Linux, iOS)?

What does a sandboxed app-based model look like? And how much will it be different compared to the current way Microsoft does stuff?

Look at Android and iOS development. That's what it looks like. Windows tried to do the same thing with Metro apps because they wanted to push more into mobile platforms. But all that is abandoned now - even the Metro app craze seems to be dying now, as the store accepts regular win32 apps too.

Just curious, is "Metro Apps" any good? Did nobody want to develop or use it because it wasn't that great, not well supported or documented, or did people just find it limited and hard to develop for?

It was a half-assed solution for MS to push into the mobile market. They tried to transform Windows fully into a mobile/tablet-like OS, which failed terribly with Windows 8. Metro apps were the way into that. But all that is abandoned now. They still have remains of Metro-style development as WinRT, but I don't see regular win32 dying anytime soon.

How do other operating systems handle security (e.g. macOS, Linux, iOS)?

Desktop platforms are more or less the same. Some have a bit stricter rules out of the box, but they allow the user to disable everything and do whatever they want (thus also allowing software to do whatever it wants). And some have extra things you can turn on to audit & sandbox more things.

Mobile OSes are where the strict security & control is turned up to guard against malicious apps exploiting other parts of the system. Partially because there is a SIM card that must be guarded. Partially because nowadays other critical services (payment, banking, passwords, etc.) run on the same OS, and you want to isolate them from the others.


Edited by Mārtiņš Možeiko on
Replying to longtran2904 (#26120)

Android (since the Lollipop version) is based on NSA's Security Enhanced Linux, which creates one Linux user account per application, keeps application files in a folder owned by that Linux account, and then uses the manifest in the Java archive to request permissions from the user. In older versions of Android, the user would see the requested permissions and decide if the program should be installed or not, resulting in 24/7 notifications if you ever installed a game. In newer Android versions, the user can select which permissions to deny, and then be able to suppress all notifications while still being able to use the mobile application.

Metro was essentially just slower and more limited than traditional applications, for the sake of hardware independence. They were only available for fullscreen mode, but only offered basic office applications where forced fullscreen made no sense and the alternatives already on desktop were much more powerful. The only benefits would be on a Windows Phone, but people who wanted a Windows tablet just bought the Surface Pro and used it as a laptop instead. Then Metro Apps were remade to run in Windowed mode together with other applications, making it a useless emulator for a phone that nobody bought.

Linux handles security by patching security flaws in libraries even if they break backward compatibility. This is possible because the majority of software for Linux is open source and can be patched even if the original developers abandoned it, like how LibreOffice replaced OpenOffice. But the terrible practice of demanding a specific revision of a dynamic library (needed that bug/security fix ASAP) removes the ability to patch things up once the next version arrives, just as if the library was linked statically, while also doubling the pain by having dynamic dependencies. Once other applications demand opposing versions of a shared dynamic library, of which only one can be installed at a time, the older software cannot be installed at the same time as the latest updates of mainstream applications. One needs to either run frequent updates with static linking (for math and GUI stuff), or allow newer minor versions of dynamic libraries with the risk of breaking (hardware or security related).

If you want the safety of sandboxing on Windows, you can just create a new account for running games without administrator access and have another account for banking and work. Even better is to use a removable hard disk for the operating system or find a power cable with a power switch (a bit difficult to solder the modern cables by hand).


Edited by Dawoodoz on
Replying to longtran2904 (#26120)