When you’re discussing your own OPSEC (Operational Security for those unaware), you have to evaluate and determine your personal threat profile. Generally speaking, you need to determine what risks you’re willing to accept, what risks you’re willing to mitigate, and what risks you will not tolerate. There’s a whole field of IT dedicated to this but the general idea is for you to understand that there is no perfect solution and everything is a trade off.

There is an inherent risk to downloading pirated software, especially software that you use for private activities (e.g. finances, etc.). With today’s landscape of mining crypto, I’d go so far as to say almost any pirated software is at risk of this.

I would agree that generally playing media files is relatively low risk (though there was a vulnerability I read about a few years back of a zip-type attack. The details allude me at the moment).

But for executables, you basically have two options:

• spin up a VM to host your executable, sandboxing it from everything else.
• trust the people who are providing the executable and run it on your computer

Personally, I avoid pirated executables. More often than not I can find a similar open source product that I can download. My risk tolerance is not only low, but I don’t see the benefits of using a particular company’s software especially if an open source is available.

Strangely enough I’ve found that some kid in India or Russia distributing his crack doesn’t do it to control my PC or to infect it.

Big corporations that install root kits or use hyper invasive cheat software (even when no competitive mode even exists) are far more insidious and untrustworthy.

I worry more about the hidden telemetry of big apps more than some crack being infected. Hell even MS virus scan will throw up false flags because the software just isn’t a registered dev or will quarantine an exe in error (libremonitor for example).

When engaging in criminal activity, you have no “legal” recourse for malicious behavior, so you work on the web of trust instead.

If you can’t trust the software, nor the publisher, nor the hash verified by however many seeders, then don’t download it in the first place. Me personally, considering I install indie porn games on the regular and never once gotten a virus that I know of, I think it’s worth it to trust others.

Of course you could always go into paranoid zero trust mode but sometimes being a social being means trusting the criminal serving you free shit isn’t ratfucking your data

yes. pirated software is suprisingly secure most of the time.

im also not running windows. malware not meant for proton is gonna have a bad time working.

Publisher matters. Some random website advertising a disk cleaning utility could be malware while a Fitgirl repack most definitely isn’t. Installing something from an official Ubuntu software repository is also pretty safe, while something from a 3rd party repository or community development library could be malware. I also generally trust PDFs from Anna’s Archive and Libgen or Internet Archive, because of the reputation loss to them if it were. You can minimize your risk to a tolerable level this way.

I dont run non free software. All games are in emulators or i buy them on steam or get them free on epic and play via heroic.

Any ebooks or pdfs are scanned on virus total and one positive result is enough to get deleted. I also only read them on an old tablet and old kindle both from around 2011/12 with networking disabled. They are only used for this purpose.

the games I pirate are all in my Lutris app which I installed as a flatpak on Linux, so they don’t have the necessary permissions to change important files.

also I install them in the virtual C: drive, and they normally shouldn’t thouch the virtual Z: drive. I don’t think a hack would do that because installing malware on the windows drive should be enough for most people pirating games

I personally run all my games in Bottles (flatpak) with sandboxing on. Even if a game is available for Linux I still run the Windows version inside Bottles just so it’s slightly safer.

No, I try to treat that machine like a quarantine zone, I have a two PC setup and that’s part of the reason for it. So basically I don’t log into online accounts on that one (except relatively unimportant accounts for convenience, like Steam), and I don’t do important stuff on it

I mean, I pirated the Windows 10 installation on my gaming PC. Massgrave scripts helped out though, so there’s that.

That said, I’m wiping Windows soon and installing LMDE. It’s the last Windows PC in my house (minus W11 work laptop - that doesn’t count though).

My tax machine is a VM. On another server (proxmox)

I run such games on Linux now, mostly with wine/proton. There is some risk, sure, but I’d largely say that system is still secure. If something comes by and wipes out the system, I have snapshots of anything important, including root and home. If those are gone, I have versioned backups offsite and maybe offline. I don’t expect to receive any malware targeting my somewhat esoteric software choices from windows games, so I feel okay logging into a secure sevice, for example, but I may have to adjust this in the future.

With regards to smartphones, I think there are so many holes that it’s not much more secure, if any, than a paranoid desktop setup. From time to time I have installed random APKs and had extreme anxiety each time. I am massively more paranoid about my phone as I don’t have real control over what’s running on it. Hoping for more competitive open source solutions in the future.

Generally speaking, opening non-executable files is fine. There are and have been specific exploits which allow arbitrary code execution, but it’s dependent on the application/library loading them. The bigger danger is files disguised as other things. This is especially bad on Windows as it likes to hide that information from users, or just execute random embedded vbscripts, or whatever. Also see the recent whatsapp mimetype bug/exploit. Certain things pose more of a risk than others. PDFs (thanks adobe) can embed arbitrary javascript which is meant to be executed. Same as web pages, of course, but browsers have a lot more attention to sandboxing.

Edit: I don’t really run cracked software anymore, but I have VMs ready to go if need be. Would recommend others do the same.

pdf files can contain javascript code that can run when it is opened. but when using complex formats (I think almost all video files, pdfs), it can happen that the software that understands it makes mistakes when reading it and making sense of it, and an attacker tries to make use of this to trick your software into doing something that wasn’t intended by its creator. this is how it can happen that an mp4 file (or mkv, others, …) cannot contain executable code (according to specification), and yet it can

in the case of pdf files, bundled fonts may be another source of problems

Let’s not be fooled by memes and buzz. Crackers don’t crack it to infect your computer and make money. They do it to le t others play the game. They benefit by getting to play some other game someone else has cracked and distributing. And maybe they enjoy it as it’s challenging. Cracking isn’t about infecting people’s computers. When some pirated game comes with some ransomware or trojan injected, probably it’s been done by someone else whose passion is totally different than that of the cracker. They take the crack, modify it and then redistribute it malware injected. So, maybe, by downloading popular torrents, I mean if you make sure it comes directly from the cracker group, you can avoid malware except the spyware the game manufacturer has put into it, of course.

Clean copies of GOG games can be hash-checked. The only pirated games I really fuck with are GOG.

Although I wouldn’t be too worried even if I did because I’m in Linux, and anything I did would be sandboxed and closed off from the rest of the system since it’s running in a compatibility layer.