
Dev showcases Steam security exploit, gets 1 year comm. ban and loses partner rights

Update 2: He's been unbanned and has partner access again.

Updated OP with Stump's post. See at the bottom.

Jesus fucking Christ, Valve. This for making you finally fix a vulnerability? Seriously?


https://twitter.com/tomasduda/status/478301124257411072

@jwilliamson1121 Just made Valve fix script tags in community announcements after several attempts for that. And this is my reward!

@tomasduda keep it in a private realm if you can, found an XSS in mod names in screenshots, reported and made it private, fixed 2 days later

@damon_gant I wanted to, I talked about this with a Valve guy few months ago. And Harlem Shake thing got a bit viral because it was funny.

@tomasduda Sounds like my other experience with Valve, which got me banned from the old forums after 4 weeks of silence

https://twitter.com/tomasduda/status/478301630610571264

I also lost my Steamworks Partner access.

https://twitter.com/tomasduda/status/478301717025800192

I was talking about the script tag vulnerability multiple times. No one fixed it. Now I did Harlem Shake for fun (yay for #steamdb).

https://twitter.com/tomasduda/status/478302961001836544

Imagine if someone used the vulnerability to steal users' session IDs? Redirected to a phishing site?

https://twitter.com/tomasduda/status/478303063166693376

http://www.reddit.com/r/Steam/comments/288azx/what_the_fuck_steam/ci8ebud

Edit: I got banned for this for a year. Also lost access to the Steamworks Partner site too, so can't do anything dev related. Praise Gaben.

Harlem Shake is over, one of the Valve guys is fixing it at the moment.

Short version of what happened: <script> tags were allowed in community announcements. We were talking about Steam's weird HTML parsers in the #steamdb channel, and then Harlem Shake happened. Blame xPaw, Marlamin and Gran PC, of course.

http://www.reddit.com/r/Steam/comments/28980x/developer_of_euro_truck_simulator_2_receives_one/

http://www.reddit.com/r/Steam/comme...f_euro_truck_simulator_2_receives_one/ci8rwaf

Well, I saw on the channel that they were informed "months" ago, and the response was "It's not an attack vector because we trust developers".

We all know that Greenlight does not exist, and no dev account ever has or will be compromised (not looking at you heartbleed), so this stance is perfectly reasonable.

On one hand publicly showcasing a potential exploit is a pretty shit thing to do, but on the other hand he said he told Valve several times before yet they didn't do anything.

He works on Euro Truck Simulator 2 btw and said this won't affect the game.

edit:

Stump cleared some things up

Wow, it's a thread full of people responding about best practices for exploit disclosure when none of them know anything about best practices for exploit disclosure:



He did contact them, they declined to fix it.



This is considered one of several models for the right way to do things in the security community. When a vendor refuses to cooperate on a coordinated disclosure, full disclosure is the model that most security experts favour to prevent weaponized exploitation.



It wasn't a speed issue, they filed it as NOTABUG. In the security community, this typically leads to public disclosure.



Again, this is the right way to do this.



Making an exploit public in a benign form to force a patch before the exploit is weaponized is, in fact, one of the things that occurs in the security community.



This is not an apt metaphor here as stabbing a dog doesn't help you prevent a dog from being killed later. There's no need for metaphors at all. Everyone understands that software has vulnerabilities, and everyone understands there are a variety of industry best practices for disclosure. Filing something as NOTABUG is not an industry best practice for security.

In most cases the controversy with disclosing an exploit is that not only does the vendor need to patch, but sysadmins worldwide need to upgrade their existing software. So typically when you disclose a bug, your proof of concept is running on your own server or is a program that people can run on their own servers. This is a little different because only Valve needs to patch the bug, but we can still walk through the steps. It's also a little different because a user can't independently verify the exploit, since no one can just magically get Steamworks developer privileges.

The standard procedure for coordinated, responsible disclosure is:
- You discover an exploit by probing for an exploit in a benign, safe way, without causing harm
- You contact the vendor
- The vendor and you agree on a timeline for fixing and disclosure (because this is a service-side exploit, disclosure after the exploit is fixed is totally benign)

Typically vendors do not refuse to fix, they drag their heels on the timeline. The biggest controversy in the security community is about what level of heel-dragging is necessary before you move to disclose without a fix. In this case, the vendor refused to fix. As a result, there is no debate. The developer still waited several months, apparently.

The standard procedure for disclosure of an exploit in the absence of a fix is
- Develop a version of the exploit that is able to be shown as a proof of concept without hurting anyone
- Deploy the exploit in as contained a way as you can
- Release the details of the exploit, with the level of specificity you give in your disclosure relative to the impact you think the disclosure will have. In this case, the exploit itself is trivial (as Valve noted, it is apparently by design.) As a result, merely having a proof of concept is enough to convey the exploits to all others.

What the developer did
- Took an old news posting (so that no one would accidentally be clicking it)
- Added an exploit presumably to play the harlem shake song (annoying, but clearly not harmful)
- Disclosed

It's difficult to view a set of circumstances where the developer was being abusive or irresponsible here in the manner of his disclosure, or the timing.
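The hole at the centre of this thread is a stored XSS: the announcement body was rendered with its <script> tags intact, so whatever a partner account pasted in ran in every visitor's browser. The server-side fix is to rebuild submitted HTML from an allowlist before it is stored or rendered, so script tags, inline event handlers and javascript: links never reach the page. The block below is an added example written for this thread, not Valve's code and not anything Tomas posted; the tag allowlist, the `sanitize_announcement` name and the sample announcement are assumptions.

```python
"""Allowlist HTML sanitizer for user-submitted announcement bodies.

Added illustration (not Valve's code): parse the submitted HTML and
emit only tags and attributes from an allowlist. Script/style content
is dropped entirely, unknown attributes (including every on* handler)
are stripped, and href values are restricted to safe URL schemes.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist: tag -> attributes that may survive on it.
ALLOWED_TAGS = {
    "p": set(), "br": set(), "b": set(), "i": set(), "strong": set(),
    "em": set(), "ul": set(), "ol": set(), "li": set(),
    "a": {"href", "title"},
}
VOID_TAGS = {"br"}
# Content of these elements is dropped, not just the tags themselves.
DROP_CONTENT_TAGS = {"script", "style", "iframe", "object", "embed"}
SAFE_URL_SCHEMES = {"http", "https", "mailto"}


def _safe_url(value: str) -> bool:
    """Allow relative URLs and a few schemes; reject javascript:, data:, etc."""
    scheme = urlparse(value.strip()).scheme.lower()
    return scheme == "" or scheme in SAFE_URL_SCHEMES


class _Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.drop_depth = 0      # > 0 while inside script/style/etc.
        self.open_tags = []      # allowed tags currently open

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self.drop_depth += 1
            return
        if self.drop_depth or tag not in ALLOWED_TAGS:
            return               # unknown tag: drop the tag, keep its text
        kept = []
        for name, value in attrs:
            name = name.lower()
            if name not in ALLOWED_TAGS[tag]:
                continue         # drops onclick, onerror, style, ...
            if name == "href" and not _safe_url(value or ""):
                continue         # drops javascript: and data: links
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self.drop_depth = max(0, self.drop_depth - 1)
            return
        if self.drop_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        if tag in self.open_tags:
            # Close back to the matching tag so the output stays well-formed.
            while self.open_tags:
                t = self.open_tags.pop()
                self.out.append(f"</{t}>")
                if t == tag:
                    break

    def handle_data(self, data):
        if not self.drop_depth:
            self.out.append(escape(data, quote=False))

    def result(self) -> str:
        while self.open_tags:    # close anything the author left open
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize_announcement(html: str) -> str:
    """Return an allowlisted rendering of an announcement body."""
    parser = _Sanitizer()
    parser.feed(html)
    parser.close()
    return parser.result()


# Constructed sample announcement: one legitimate paragraph, one script
# tag of the kind the thread describes, one javascript: link with an
# inline handler, one image with an event handler, and one normal link.
SAMPLE = (
    '<p>Patch 1.2 is <b>live</b>!</p>'
    '<script>playHarlemShake()</script>'
    '<a href="javascript:void(0)" onclick="x()">link</a>'
    '<img src="x" onerror="x()">'
    '<a href="https://example.com/notes">notes</a>'
)

if __name__ == "__main__":
    print(sanitize_announcement(SAMPLE))
```

Run as a script it prints only the paragraph, a bare `<a>link</a>` and the https link; the script element, the image and every handler attribute are gone. The allowlist approach matters more than the specific list: a denylist of "bad" tags is what lets a parser quirk like the one discussed in #steamdb slip through, whereas rebuilding from an allowlist means anything the sanitizer does not recognise simply never gets emitted.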
 
inb4 "Praise Gaben. I'm sure he had a perfectly good reason to do this."
That really sucks for that guy though. Like yeah it was shit to expose the flaw publicly but I feel like when companies refuse to fix stuff, forcing their hand like this is the only way.
 

Kade

Member
Why didn't he just email them and tell them about the exploit? What does he mean by "I was talking about the script tag vulnerability multiple times"? Directly to Valve or in general?
 
Hmmm, it's not clear how he showcased it. Did he do it privately?

Valve is so backwards with this. Google literally pays people for showing them exploits and helping them patch Chrome and Android.
 

HariKari

Member
If they're not going to fix it, he did the right thing. Saved them from their own idiotic decision to not address it.
 

chuckddd

Fear of a GAF Planet
There's a right way to do things and a wrong way to do things. When you can't tell the difference, you pay the price.
 

jem0208

Member
There's a right way to do things and a wrong way to do things. When you can't tell the difference, you pay the price.

Sounds like the "right" way failed with Valve so he resorted to doing it the "wrong" way to force them to deal with the problem.
 

Tagyhag

Member
inb4 "Praise Gaben. I'm sure he had a perfectly good reason to do this."
That really sucks for that guy though. Like yeah it was shit to expose the flaw publicly but I feel like when companies refuse to fix stuff, forcing their hand like this is the only way.

To be honest, I wouldn't have exposed it publicly. Because if Valve didn't fix it and something wrong happened, the full blame would be on them. So, he did the right thing, but he shouldn't have had to in the first place.

Sucks for the guy, he only wanted to help.
 
I'm not totally sure how you do a private proof of concept for something like this unless you get Valve involved (can you have private communities, even?), so if Valve really wasn't moving on this at all I can see why public disclosure would've been the only option available. Obviously we just have this guy's word against Valve's word (aka nothing except the ban) but so far the guy's story seems legit. If he wasn't on the up and up, why bother wasting the exploit on a silly meme post?
 

Foffy

Banned
And they didn't fix it fast enough for his liking, so he forced their hand by exposing it publicly. What an entitled ass.

Clearly his "entitled ass" wanted to help them address a security exploit. I'm sure those things should be taken care of when they're known, which apparently Valve failed to do on their own.
 

DaBuddaDa

Member
Clearly his "entitled ass" wanted to help them address a security exploit. I'm sure those things should be taken care of when they're known, which apparently Valve failed to do on their own.

Maybe they felt the exploit wasn't severe enough to have to address immediately? Who is he to dictate to the full time developers of Steam what to prioritize and when to fix things? Maybe Steam developers know of fifty other security holes they are trying to fix first?

Like someone else said, there is a right way and a wrong way going about this, and this is absolutely not the right way.
 

Archaix

Drunky McMurder
And they didn't fix it fast enough for his liking, so he forced their hand by exposing it publicly. What an entitled ass.



An entitled ass? "Entitled"? You fucking moron. He was trying to get them to fix a possible exploit and they didn't do shit because nobody at Valve felt like doing it that particular week so it got shoved to the customer service pile of "Eh, fuck it".
 

BibiMaghoo

Member
I don't understand all the harlem shake references. Can someone enlighten me before I realise how old and uncool I am. Thanks.
 

Dolor

Member
Maybe they felt the exploit wasn't severe enough to have to address immediately? Who is he to dictate to the full time developers of Steam what to prioritize and when to fix things? Maybe Steam developers know of fifty other security holes they are trying to fix first?

Like someone else said, there is a right way and a wrong way going about this, and this is absolutely not the right way.

Tend to agree with this. Making it public makes everyone's stuff less secure and can make the work that has to be rushed worse.
 

ZeroX03

Banned
Valve is so backwards with this. Google literally pays people for showing them exploits and helping them patch Chrome and Android.

Didn't Google have a situation where they refused to listen to someone telling them about an exploit, so he exploited it to show them, then they acknowledged it and refused to pay him?

EDIT: Nope, it was Facebook. Dude posted the exploit on Zuck's page.
 

Xpliskin

Member
Didn't he break the TOS when he showcased it and used it for the harlem shake ?

Warning about an exploit is one thing but making it public and actually using it is another imo, regardless of reasons.
 

Kade

Member
It's shitty on Valve's part that they didn't fix it but you don't need to stab a dog to prove that it bleeds. Regardless of your intent, you just stabbed a damn dog.
 
Eh, this is a murky one. This is kind of like when hackers showcase an exploit publicly: It's almost always to force companies to fix it more than anything. I remember this came up with ATMs and pacemakers a few years ago.

But yeah, he should've known going public would've had some consequence. They weren't just going to let it slide.
 

Seiru

Banned
Valve leaves a serious security exploit unfixed for months, and people are blaming a developer for making it public? Do you guys like getting your personal info stolen or something?

This is what you do when you find an exploit. First you inform the owner of the platform/website in private (which this developer did). Then, if they don't fix it in a timely manner, you inform everybody. This lets users protect themselves by avoiding the exploit, and forces the owner of the platform to fix their shit. The idea is that if you can find the exploit, somebody else with more sinister intentions certainly can (and they won't inform the owner in private).

This is basic stuff, people.
 
Dick move by valve.

Not surprised though, in my couple of times dealing with them, they have the worst customer service in the industry, and that's ignoring the week-long wait times between responses.
 
An entitled ass? "Entitled"? You fucking moron. He was trying to get them to fix a possible exploit and they didn't do shit because nobody at Valve felt like doing it that particular week so it got shoved to the customer service pile of "Eh, fuck it".

Calm down buddy it's just a post. And we're only hearing one side of the story here. No one's sure this guy is Robin Hood.
 

KarmaCow

Member
Valve needs to get its act together as the stewards of Steam. It's not a self-sustaining entity yet and now is the critical time if they plan on transitioning to that.
 

Currygan

at last, for christ's sake
shite move by Valve, which I understand has a terribad track record with dealing with this stuff, but as Nicholas Angel said, the law's the law
 
Dick move by valve.

Not surprised though, in my couple of times dealing with them, they have the worst customer service in the industry, and that's ignoring the week-long wait times between responses.

And that's why I'm leaning more and more towards EA for PC gaming. EA's customer service and their policies are great right now.
 

Not Spaceghost

Spaceghost
He did the right thing. If you can insert scripts like that and someone else found out before they "got around to it", it could have been absolutely devastating. Forcing them to do it was definitely the right move.

However, he should totally have expected this ban incoming for the way he handled it. Valve may have gone a bit overboard though.
 

Stumpokapow

listen to the mad man
Wow, it's a thread full of people responding about best practices for exploit disclosure when none of them know anything about best practices for exploit disclosure:

Why didn't he just email them and tell them about the exploit? What does he mean by "I was talking about the script tag vulnerability multiple times"? Directly to Valve or in general?

He did contact them, they declined to fix it.

There's a right way to do things and a wrong way to do things. When you can't tell the difference, you pay the price.

This is considered one of several models for the right way to do things in the security community. When a vendor refuses to cooperate on a coordinated disclosure, full disclosure is the model that most security experts favour to prevent weaponized exploitation.

And they didn't fix it fast enough for his liking, so he forced their hand by exposing it publicly. What an entitled ass.

It wasn't a speed issue, they filed it as NOTABUG. In the security community, this typically leads to public disclosure.

Maybe they felt the exploit wasn't severe enough to have to address immediately? Who is he to dictate to the full time developers of Steam what to prioritize and when to fix things? Maybe Steam developers know of fifty other security holes they are trying to fix first?

Like someone else said, there is a right way and a wrong way going about this, and this is absolutely not the right way.

Again, this is the right way to do this.

Warning about an exploit is one thing but making it public and actually using it is another imo, regardless of reasons.

Making an exploit public in a benign form to force a patch before the exploit is weaponized is, in fact, one of the things that occurs in the security community.

It's shitty on Valve's part that they didn't fix it but you don't need to stab a dog to prove that it bleeds. Regardless of your intent, you just stabbed a damn dog.

This is not an apt metaphor here as stabbing a dog doesn't help you prevent a dog from being killed later. There's no need for metaphors at all. Everyone understands that software has vulnerabilities, and everyone understands there are a variety of industry best practices for disclosure. Filing something as NOTABUG is not an industry best practice for security.
 

wildfire

Banned
Valve leaves a serious security exploit unfixed for months, and people are blaming a developer for making it public? Do you guys like getting your personal info stolen or something?

This is what you do when you find an exploit. First you inform the owner of the platform/website in private (which this developer did). Then, if they don't fix it in a timely manner, you inform everybody. This lets users protect themselves by avoiding the exploit, and forces the owner of the platform to fix their shit. The idea is that if you can find the exploit, somebody else with more sinister intentions certainly can (and they won't inform the owner in private).

This is basic stuff, people.


Most people, let alone gamers, aren't aware of how the software development community does things, which makes Valve's response all the more surprising and flagrant.
 
Eh, this is a murky one. This is kind of like when hackers showcase an exploit publicly: It's almost always to force companies to fix it more than anything. I remember this came up with ATMs and pacemakers a few years ago.

But yeah, he should've known going public would've had some consequence. They weren't just going to let it slide.

This.
 
You think news like this will just lead to people looking for more holes.

It really is bad for Valve; to think, if they had worded their reply differently, his trust would have been much greater.
 
I don't wanna quote all of Stump's stuff there, but yeah, this is the general roadmap for this sort of stuff.

Someone finds bug
Reports bug to company
A: Company fixes it/promises to/gives timetable for fix/whatever
B: Company ignores/marks as notabug (what happened here)

If B happens, going public is usually the next thing. There are usually some minor consequences for it (like this), but most people kind of know the deal by now and accept that, if it means it gets fixed.
 

Stumpokapow

listen to the mad man
You think news like this will just lead to people looking for more holes.

People should be looking for holes. Bad guys are always looking for holes. Good guys looking for holes leads to more public awareness and more chances that holes are fixed before the exploits result in severe harm.
 

Rapstah

Member
What's a "community message"? Which developer accounts are allowed to post them? All of them? Does every game have a "community" section? Depending on a lot of things, ignoring the "exploit" of allowing JavaScript in their HTML parser for "community messages" can make all kinds of sense or be the worst thing ever.

Corporations really hate it when you do what this guy did though. Could have told other developers about it and have them complain to Valve too instead if they found it serious enough. The dude certainly finds the issue serious enough.
 