I mean, I pirated the Windows 10 installation on my gaming PC. Massgrave scripts helped out though, so there’s that.

That said, I’m wiping Windows soon and installing LMDE. It’s the last Windows PC in my house (minus W11 work laptop - that doesn’t count though).

An OPSEC community would probably say no, so I probably don’t need to ask in those communities. But I’m curious about a (digital) pirate’s perspective on this issue…

Still committing OPSEC crimes, but I’m not as bad as I could be :P

I mean, the sources listed here are supposedly “safe” right? But honestly, how much would you trust these “safe” sources?

I think we’re talking about different sets of standards. Even with that in mind, my own “trusted” list is a much smaller handful of any list posted online. Trust in pirate spaces shouldn’t mean at face value and should be constantly tested with stuff like virustotal. It just means I haven’t been compromised or seen anyone else report back with an infection for a long stretch of time on a specific website. There’s always occasional breaches as malware enthusiasts test the waters now and then, usually not with a big/popular release. Stuff that could fly under the radar. Usually it comes down to whether or not that website has an active comment section or forum with active mods/admins who stamp it out continuously. I tend to prefer traditional bulletin board forums. rutracker.org or cs.rin.ru. I still don’t touch any file right away. I let other people be the “brave” lab rats. See if any squeal first. I tend to avoid niche application piracy entirely. Those seem (and have been in my youth) to be the virus hotbeds cracked by total unknown entities. Plus I don’t mind paying for independent / small company niche software. Often enough in those cases I can find a free open source alternative anyways.

It’s worked out so far. I haven’t been compromised in my adult years. But this isn’t some “do as I do” thing, it’s basically internet street smarts. Comes with experience and infections. I minimize risk and can trust my gut now, but I acknowledge it’ll never be risk free.

When doing sensitive tasks like banking or filing taxes, do you:

>Use a different OS on the same machine? (Dualboot)
>Or put the pirated content inside a virtual machine?
>Or just use a completely separate computer?

Separate computer. An otherwise useless old laptop running Fedora. OPSEC would probably say it’s not good enough because it’s on the same network as computers which installed pirated software.

And since PC is much different than a Smartphone:

Would the extra sandboxing on Smartphones make pirating games on a Smartphone much safer compared to on a PC? (Not that there are much mobile games worth playing, just curious)

GrapheneOS here which does sandbox better than most, but I don’t use my smartphone for anything sensitive. That’s really without trying to, it’s just not something I ever felt the need to use a smartphone for. I’m not as familiar with Android/Linux as I am with Windows. I know exactly where to periodically check for telltale signs of infection on Windows. I can still bend that OS to my will even as it gets worse for most end users. I’m less sure of myself on anything else. Working on that, HTPC is Fedora KDE spin now. Like you say, not much mobile games to play. I think I’ve bought like…3 ever. So, never felt much need to sideload. I usually stick to F-Droid and NDS emulators anyways. I have a Picross / Picross 3D addiction.

Non-installed/non-executable files such as .mp4 .mkv .mp3 .pdf .epub, are mostly safe right? I mean, you are using another program to opening it, not executing a file, there aren’t much attack vectors as long as the video player / ebook viewer is up to date right? (Or am I understanding it wrong?)

Usually, but sometimes there can be a flaw in a specific application exploited. I don’t think I know of any from media formats outside of maliciously edited ROM files smc or v/z64 for cartridge based system emulators like extremely outdated ZSNES or Project64 1.6 specifically.

I mostly just avoid running pirated software. If I have to, I run the executable bits through stuff like virustotal first. And I keep my system updated.

I run a few games posted by johncena141 on 1337x, so I consider it secure enough :p

Honestly I don’t run pirated software at all anymore. The risk is too high. If it’s a game then I’m happy to pay for it, and open source software covers pretty much everything else for me.

The only exception is switch games but they run through an emulator which is quite safe.

Most media files are safe but I’ve heard that PDFs of all files can be vectors.

Seems like most pirated software does a good job of trying to cut software off from internet communication so that it doesn’t get sniffed out on an add-on or update query. I don’t trust most software companies anymore as far as security goes either. So the short answer is at least personally, after scanning everything before and after installation and check network monitor for anything that looks weird while running, yes I consider my system secure still.

Curious what “safe” list you are referring to?

I’ve never run it because I have had zero evidence to tell me it would be safe. I do run older games in emulators up to PS2. I see no issue with that.

When you’re discussing your own OPSEC (Operational Security for those unaware), you have to evaluate and determine your personal threat profile. Generally speaking, you need to determine what risks you’re willing to accept, what risks you’re willing to mitigate, and what risks you will not tolerate. There’s a whole field of IT dedicated to this but the general idea is for you to understand that there is no perfect solution and everything is a trade off.

There is an inherent risk to downloading pirated software, especially software that you use for private activities (e.g. finances, etc.). With today’s landscape of mining crypto, I’d go so far as to say almost any pirated software is at risk of this.

I would agree that generally playing media files is relatively low risk (though there was a vulnerability I read about a few years back of a zip-type attack. The details allude me at the moment).

But for executables, you basically have two options:

• spin up a VM to host your executable, sandboxing it from everything else.
• trust the people who are providing the executable and run it on your computer

Personally, I avoid pirated executables. More often than not I can find a similar open source product that I can download. My risk tolerance is not only low, but I don’t see the benefits of using a particular company’s software especially if an open source is available.

I don’t know if the malware that could be in these games work on Linux, but I take my time in picking torrents and pick ones through uploaders I know

Publisher matters. Some random website advertising a disk cleaning utility could be malware while a Fitgirl repack most definitely isn’t. Installing something from an official Ubuntu software repository is also pretty safe, while something from a 3rd party repository or community development library could be malware. I also generally trust PDFs from Anna’s Archive and Libgen or Internet Archive, because of the reputation loss to them if it were. You can minimize your risk to a tolerable level this way.

I don’t consider anything with Windows safe. I do all of my non-gaming computing on my laptop with Linux.

the games I pirate are all in my Lutris app which I installed as a flatpak on Linux, so they don’t have the necessary permissions to change important files.

also I install them in the virtual C: drive, and they normally shouldn’t thouch the virtual Z: drive. I don’t think a hack would do that because installing malware on the windows drive should be enough for most people pirating games

My tax machine is a VM. On another server (proxmox)

I’m running the games in Linux, using Lutris as a launcher with a default configuration that wraps them in a firejail sandbox (for anybody interested, you add firejail as the “command prefix” under Global Options or in the System Options of the game) which amongst other things blocks networking.

In fact I went and figure out how to do all that exactly because I wanted to run pirated games in Linux in a safe way and you can’t just rely on the lower probability of Windows games of having code that tries to determine if it’s being run with Wine and accesses Linux-specific functionality and files if it is.

PS: That firejail stuff also works for Linux native games (it just wraps whatever you’re running to start the game, be it Wine or directly the game Linux binary).

Clean copies of GOG games can be hash-checked. The only pirated games I really fuck with are GOG.

Although I wouldn’t be too worried even if I did because I’m in Linux, and anything I did would be sandboxed and closed off from the rest of the system since it’s running in a compatibility layer.