How do indie game developers protect themselves from cyber-crime?
Oct 26 2016 Anchor

Hello fellow devs. I've been making free games for a while, but the game I am currently working on is my first serious project that I plan to sell on Steam. I work with the help of one artist and a few closed testers.

Thing is, now that I’m making a game for sale, I need to buff up my whole system to stay safe. So, what security advice should I take? Any examples of more popular indie game developers, and what they do to protect themselves? (Even the semi-popular ones count.) How do you guys protect yourselves? What do you do?

(Or, is cybersecurity simply less of a concern for indie game devs because we’re not churning out triple As? I hope not. Security seems like something too important to ignore.)

To add to the mix, I suffer from OCD and chronic paranoia. I have extreme anxiety and fears about getting hacked and having my game data stolen or deleted. I also fear having my Steam, Kickstarter or PayPal accounts hacked. With good reason too: Hackers' targets are normally small businesses like ours, and they look for vulnerable accounts and systems. I would be wrecked if someone were to hack my Kickstarter account and ruin everything, or even somehow steal my game or corrupt it. What would I say to my backers? "Sorry guys, the project is cancelled because it's destroyed. Now how do I refund everyone?" That sounds like a complete disaster.

I also worry a lot about my reputation as a game developer. I had a very embarrassing past as a stereotypical teenager, where I posted a lot of nonsense, stupidity and drama on websites and forums. I worry about being spied on by hackers. What if a hacker were to show all my embarrassing past activities and postings I had on the Internet to my parents or friends? It would be very awkward for me.

I’m also anxious about what would happen if people were to make up and spread rumours or gossip about me. Remember Phil Fish, that guy who developed Fez? When I read about how he got hacked, it scared the daylights out of me. He literally had his life destroyed by one blow. People said he had a bad reputation and was very rude towards fans. So now I’m really worried about offending consumers too.

Then there’s the worry over getting doxed (having my real name, surname and address leaked out online). It’s really crappy in general to have so much of your private life revealed to the public. But say, say if I manage to hit the big jackpot. Get as famous as the guys who did Undertale, Five Nights At Freddy's, Starbound, Super Meat Boy, etc. Doxxing could get so much worse.

Like with those YouTubers and Twitch streamers who get their phone number posted online, so their phone explodes with messages and calls. Or the poor things whose addresses are shown and get pranked with mass pizza deliveries and worse.

And surely everyone has some kind of skeletons in their closets. Regrets, embarrassments, weird parts of themselves they don't want strangers to know. How do these people, who’ve reached a certain level of popularity, deal with having them? How do they deal with keeping their skeletons away from the public?

Let’s not forget the biggest target for hackers is where big money lives. So that’s another worry if I do end up making good money out of my game.

Lastly, no matter where my game-making takes me, staying anonymous is a big priority. I don't want stalkers or thieves to be able to reach me offline. I want to keep living my quiet, private life, but it seems like you can't if you want to hit it big. It seems like you can't make any sort of impact in the gaming industry at all, if you're not well known. What does someone do about that?

Actually, I may already be too late to keep complete anonymity. I shared my game screenshots and details under my real name back when I knew nothing about cybersecurity. Also, my current project takes place in the same universe as my free games do, and my free games were posted under my real name. Looks like there’s no way of separating them… unless anyone’s got ideas?

Maybe I wouldn’t have to worry about all this if I made my game really fringe and unpopular on purpose, but that’s really counterproductive. And maybe someone will say that I’ve got a weak mentality and shouldn’t be making games, just to save myself from all the stress. But making games is my greatest passion. I have wanted to make games ever since I was a kid, and I will never quit.

So, could you please help me out here, guys? Anything you or people you know do to beef up your cybersecurity, beyond that of an average joe, to keep your games and your privacy safe would be really welcome. Sorry for the long post, and thanks for reading.


Oct 28 2016 Anchor

I don't know much about what popular indie developers do, so the only advice I can give is the stuff you probably already know. Strong passwords, different passwords for different websites, stuff like that. And while hacking or data theft is a very valid concern (the company I work for used to use Code Spaces for many of our projects... Whoops!), I'd say the most important thing is to back up your stuff frequently (to multiple places).

For me, I use Git (with TortoiseGit, so I don't have to touch a command line unnecessarily) for version control, but I keep the repository on a separate hard drive instead of having it online. Every week or so, I copy all that to an external hard drive which I keep in a fire-resistant container with reusable silica gel things to keep it dry.

I obviously can't help you feel any easier about online activities, but if what I've heard about internet trolls is correct, then revealing that you're terrified of them isn't much of a deterrent. I realize that trying to fight OCD and anxiety with logic and statistics is about as effective as fighting drug addiction with the phrase "Just say 'no'", but just try to remember that virtually nobody really cares enough about other people's lives to go after them. At least that's what helps me sleep at night.

I'm just glad that YouTube didn't exist until I was already almost done with high school, or else I might have posted some embarrassing shit as well.


Oct 28 2016 Anchor

Not an indie dev, but some tips:

1) If you put stuff out there, people will know you exist.

2) Use a different computer for all your work vs all your play.

3) Don't worry about protecting stuff until you have something to protect.

3b) 3rd party services have their own security, nothing you can do about it. Like above, good passwords.


For ultimate security don't do anything online. :)

Nov 21 2016 Anchor

The first error you would make is fearing the Net. You don't fear it, you control it.

Yeah, hackers are aiming for small companies... especially because they know small companies don't have the means or contacts to track them back.
Then how can you "fight them"? You don't. Instead you avoid them. How?

1) Have a workstation that, while it might be connected to the Internet for things like software updates and such, doesn't stay connected at all times.

2) Back up your work every day (at least) on a portable device. Change the portable device every day and only switch to an older one when you have a couple of weeks' worth of backups. My usual advice for storage is to buy a bunch of USB drives in bulk. You can get ones with 8GB for $3-$4 each if you look for the Chinese manufacturers. (I usually buy 10 or 20 of them at once.)

3) Separate your local dev life from your online dev life. This is the hardest thing to do. Usually, even AAA companies either use an internal system or a second computer to manage anything "online related" such as social media and other stuff. Even if it is your phone or your tablet, only use 1 device to manage things online and keep your working computer out of it if possible.

Those 3 points are points that could protect you, and not respecting 1 of them raises the chance you might get hacked... but you should also remember that the chance of you getting hacked is as high as the impact your game is creating. This means that, earlier, the chance your PC might get hacked is even less than the chance your phone or your tablet might get hacked or infected through just loading an app from iTunes or Google Play.

Also, avoid storing your work online, as I doubt you'll wish to pay the price it costs to have an actual secure remote server for such a thing. That's how many games get so "easily" leaked. The hackers don't force their way into someone's computer... instead, they simply soft-pass into the storing servers through backdoors... like how a thief can steal a 10k$ cappuccino machine by buying the space for 1 wooden crate in a store company and visiting his "investment".
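
An added example, not part of any poster's reply: the rotating offline backup described in the posts above (a weekly copy to an external drive, or daily copies onto rotated USB sticks), sketched in Python. The function names, the `backup-<date>.tar.gz` naming and the 14-copy default are assumptions; each new archive is checked against SHA-256 hashes of the source before any older copy is pruned.

```python
import hashlib
import tarfile
from pathlib import Path

def sha256_file(path):
    """Hash a file in chunks so large assets do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def source_manifest(src):
    """Map relative path -> SHA-256 for every file under src (dotfiles and .git included)."""
    src = Path(src)
    return {p.relative_to(src).as_posix(): sha256_file(p)
            for p in sorted(src.rglob("*")) if p.is_file()}

def archive_manifest(archive):
    """Read the archive back from the backup device and hash what it actually holds."""
    found = {}
    with tarfile.open(archive, "r:gz") as tar:
        for member in tar:
            if member.isfile():
                data = tar.extractfile(member).read()
                found[member.name] = hashlib.sha256(data).hexdigest()
    return found

def backup(src, dest, stamp, keep=14):
    """Write dest/backup-<stamp>.tar.gz, verify it, then keep only the newest `keep`.

    `stamp` is assumed to be an ISO date (YYYY-MM-DD) so names sort by age.
    """
    dest = Path(dest)
    dest.mkdir(parents=True, exist_ok=True)
    expected = source_manifest(src)
    partial = dest / f"backup-{stamp}.tar.gz.part"
    with tarfile.open(partial, "w:gz", dereference=True) as tar:
        for rel in expected:
            tar.add(Path(src) / rel, arcname=rel)
    # Verify before pruning: a bad write or failing drive must never cost an older copy.
    if archive_manifest(partial) != expected:
        partial.unlink()
        raise RuntimeError("backup verification failed; older backups left untouched")
    final = dest / f"backup-{stamp}.tar.gz"
    partial.replace(final)
    for old in sorted(dest.glob("backup-*.tar.gz"))[:-keep]:
        old.unlink()
    return final
```

Run with `dest` pointing at the mounted external drive; with one archive per day, `keep=14` holds about two weeks of history per device.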

jjc_uk Running late, but moving quickly
Jan 13 2017 Anchor

I know it's easier said than done - but the first problem here, I think, is fear itself. There's risk in anything we do - from crossing the road to lying in bed all day - and if we're not prepared to risk a little to move forward, we won't get anywhere. It's a long hard road to release a successful game that might attract cybercrime: to get there almost always has some kind of price.

Normally, the price is just the loss of a little privacy, maybe a little more aggro and expectation from the general public. Maybe it's sacrifices made along the way, like losing family or your job or your health. Maybe it's the weight of expectation which sits on the next game. Not many developers get doxxed every day - or even ever. Most developers don't receive any kind of aggro - or even attention. The typical thing you'd expect from a successful launch is stupid comments on articles, maybe on your social media feeds. You'll develop a skin for those quickly - and if you don't want to do that, then you can just avoid comments.

It's worth adding that most developers who do receive abuse are targeted for a reason (although it never seems something justifiable - like having the temerity to be a woman, for example). Phil Fish was highly antagonistic. So too is Anita Sarkeesian. If you avoid shooting your mouth, getting in other people's business, and upsetting your fans, you're not likely to attract attention.

I'd suggest that in the vast majority of cases, the crime/abuse that comes at a known developer is very, very manageable. You'll be fine.

And a little dash of perspective: there are a lot of developers out there, releasing a lot of games. For every Stardew Valley or Owlboy, there must be thousands of projects which have dragged on for five years and failed. Or been released and been ignored. I do think it's wise to plan for success and understand what you might be getting into - but it's naive to assume that if you release the game, hordes of unwashed gamers will come to you.

The hacking side is a little different because you're more likely to be involved in a wider hack, in which case hackers get your data without knowing who you are. Which, depending on the data, might not even matter. Standard sensible practices are the answer to that. As said above, choose strong passwords and rotate them. Use local, offline backups and source control. Cloud hosted source control is super handy if you work from multiple locations, or have a team - but otherwise, you can download a copy of the server and run your own from home. But even if GitHub does get hacked and hackers get your alpha build, so what? They probably won't even be able to run it - let alone steal, finish and release it.

But honestly, it all comes down to: try not to worry, be sensible and treat friends/partners well, and focus on the problems in front of you rather than ones that haven't happened yet. Positivity and confidence will be a lot better for your peace of mind than anonymity online.

Jan 14 2017 Anchor

Good points, jjc_uk. There is risk in everything we do. You probably have more to fear from using a debit or credit card in real life or having someone steal your identity from hacking tax records or a Yahoo email account.

--

Panic Mansion is a combination of a trivia game and an action-rpg. You must find your way through the Panic Mansion (like a panic room but a whole mansion) by completing quests, answering questions and defeating bosses at the end of each level.

Jan 20 2017 Anchor

In regards to security, if you really are paranoid (as I used to be):

  • Have strong passwords for each individual service, set up two factor authentication for each, using your phone if possible
  • Publish and develop as a different entity, such as a company and use a proxy for all mail and registration (some lawyers and such services offer that)
  • Have strong passwords for each individual service, set up two factor authentication for each, using your phone if possible
  • Limit exposure of personal information online, if it is already out there, it is out there forever
  • Have strong passwords for each individual service, set up two factor authentication for each, using your phone if possible
  • Never trust anybody online
  • Have strong passwords for each individual service, set up two factor authentication for each, using your phone if possible
  • Have a separate personal use computer and a separate business use computer
  • Have strong passwords for each individual service, set up two factor authentication for each, using your phone if possible
  • Backup, Backup, Backup, locally and to the cloud
  • Have strong passwords for each individual service, set up two factor authentication for each, using your phone if possible
  • Use hardware encryption like BitLocker with a TPM (Trusted Platform Module)
  • Have strong passwords for each individual service, set up two factor authentication for each, using your phone if possible
  • Have a separate bank account for your business with a separate credit card
  • Have strong passwords for each individual service, set up two factor authentication for each, using your phone if possible
  • Set up a VPN service for doing business outside of your local network (at home or in an office)
  • Have strong passwords for each individual service, set up two factor authentication for each, using your phone if possible
  • Emphasis on passwordS as each service will have a new password and username, if possible.

Edited by: TrollPurse

Feb 1 2017 Anchor

Luckily most indie devs don't have to worry about getting their money stolen, since we don't have any to steal. :p

Feb 7 2017 Anchor

I disagree with this point:

, using your phone if possible

If a hacker knows your phone number, all they need to do is call up the phone company.

Feb 8 2017 Anchor
eezstreet wrote: If a hacker knows your phone number, all they need to do is call up the phone company.

That's funny. :) My phone company refused to talk to my wife under any circumstances until I personally told them she could access it. They also needed my SN, address, & security code before I could go forward. They also don't have my e-mail address. It's a landline/dsl company only, so that could be why. I'd figure if someone already stole my SN they've got a lot more.

Feb 16 2017 Anchor

You could get a YubiKey and use it where possible. Then two-step authentication where possible. Then a password manager for the rest, so you never have the same password in several places.

The home security is harder. Sure you COULD use a computer that you disconnect, but that is really tedious. Monitor traffic in your router and check if something looks odd instead.

Also, like people have been pointing out, make sure to keep proper backups. Preferably one on-site and one off-site.
