
Dev showcases Steam security exploit, gets 1 year comm. ban and loses partner rights

If Microsoft is insecure, move to *nix.

This is absurd. Your advice to millions of companies with millions of users worldwide is to spend billions of dollars and immense work-hours revamping their entire infrastructure every time an OS vendor makes a bad call in prioritizing vulnerabilities? I think your position reflects that you're trying to protect one particular thing (companies' absolute control over their own systems) without considering the broader implications. If you think about the actual results of what you're proposing it becomes obvious pretty quickly why it is not viable.

Again, this is not an issue that's under any serious debate; these best practices are well established and agreed upon by security researchers all over the world.

I just think that making the exploit public doesn't help Valve to fix it.

This is incorrect. If it's a simple, five minute fix (which this one is), it forces Valve's hand and makes them properly prioritize the fix. If it's a complicated one, it gives Valve (or whoever) access to the community resources needed to fix the problem more quickly, as has happened with major encryption exploits we've seen in the past. Either way, responsible public disclosure almost inevitably has a positive security impact compared to keeping quiet about a vulnerability the vendor has refused to fix.
 
What kind of Announcements are meant here? Steam group announcements? Announcements in Steam Community? If the latter, do they rely on the announcement system of the underlying vBulletin? There you can configure if you want to allow HTML.

Anyway, dick move from Valve
 

MutFox

Banned
Why are people defending Valve?
They're not infallible, they made a mistake, and it's something they better fix.

The guy did it the right way cause Valve didn't seem to care.
Educated Steam users will make this a big deal.

The non-educated will continue to fanboy Valve in whatever case, sometimes it's warranted.
In others, like this case, you're more of a fan when you help out your favorite gaming company.
 
This is also the same guy who made the fake HL3 announcement using his Steamworks developer status that had the first letter of each line spell out penis.



They could just be tired of him acting on his own.

Edit: Not the same guy exactly, though he had a hand in it supposedly.
 
ieptbarakat, HL3 Internal Beta is uninspired. However, P.E.N.I.S. is applause-worthy.

Going to buy so many copies of Euro Truck Sim 2 during the Steam Sales, I'll show Gaben. I'LL SHOW HIM!

If anyone wants to see what Euro Truck Simulator 2 is actually like, here's a Quick Look of it by Giant Bomb. (Bonus: Quick Look of the Internet included for free!)

It's one of Giant Bomb's all-time best Quick Looks.
 

Stumpokapow

listen to the mad man
What kind of Announcements are meant here? Steam group announcements? Announcements in Steam Community? If the latter, do they rely on the announcement system of the underlying vBulletin? There you can configure if you want to allow HTML.

No, this isn't a BBCode exploit. It's that Steam developer accounts can use raw HTML on some of their public-facing pages in their community. The HTML parser, if it has any kind of input sanitization, does not sanitize against javascript (which actually presumably also means it doesn't sanitize against iframes, so there's another exploit vector right there).
 
This is also the same guy who made the fake HL3 announcement that had the first letter of each line spell out penis.



They could just be tired of him acting on his own.

Not the same. Gran PC is a Stanley Parable dev, though he had a hand in this, just like the SteamDB guys. As in they found it, and then the Euro Truck 2 dev did the stunt.
 
I want to reiterate, by the way, that this really is a five-minute fix. You take the HTML input provided by developers and, instead of saving it as-is, you run it first through HTML Purifier or the Sanitize gem. This is a bare-minimum basic best practice for any web application that allows any external user to create arbitrary HTML content.
 
I want to reiterate, by the way, that this really is a five-minute fix. You take the HTML input provided by developers and, instead of saving it as-is, you run it first through HTML Purifier or the Sanitize gem. This is a bare-minimum basic best practice for any web application that allows any external user to create arbitrary HTML content.

Valve's code is already free and pure, there's no need to sift it through a machine for some sort of "artificial cleanliness."

You're practically asking them to assimilate with the Borg now.
 

Tacitus_

Member
Well, on one hand: The Linux community will surely step up and patch "SteamOS"/Steam's fork of Ubuntu so this isn't exactly a 1:1 case, yeah? That's only if Valve allows it and isn't "half-open" like Apple/OS X/BSD.

I'd be willing to bet that there's some proprietary stuff on top of the secure core. And that's ripe for exploitation if this sort of attitude persists / exists on the OS team.
 

meanspartan

Member
This is also the same guy who made the fake HL3 announcement using his Steamworks developer status that had the first letter of each line spell out penis.



They could just be tired of him acting on his own.

Wait really? Ummmmmm.....Ya maybe I jumped the gun a bit then in condemning Valve.
 

Nzyme32

Member
This is not something that is occurring for the first time in reality; NOTABUG is a classification in the vast majority of bug tracking systems. When someone submits an exploit and it is responded to as NOTABUG, that's a problem.

.......


I feel like people are responding intuitively to this case as though there aren't standards of practice that apply to this issue more broadly.

I am aware that there are standards for this sort of thing, but beyond that I, like most people here, have absolutely no clue about it, so we respond by trying to understand the rationale behind such logic. I wasn't aware that what was said in Valve's email message is a classification of NOTABUG. I would have assumed with such a matter you would be very absolute about it and describe it in the same notation as NOTABUG. For someone like myself with no knowledge of it, it just sounds like they didn't clarify anything other than to say it isn't a priority. Again, further to that, I had no idea convention would dictate that you can take this on in such a public manner to drive the point of the exploit's risk home.
 

Calabi

Member
I disagree. At no time should it be acceptable to perform vulnerability testing without explicit permission from the system's owner. It is completely possible and acceptable for Valve to have accepted the risk on this particular exploit. That's an internal decision that this developer is not privy to. If the situation put his product at risk, he should have removed himself from the service (after which he could disclose that he "left the service due to security concerns with the Valve software").

But Valve isn't the one that is at risk, its customers are. And the customers can't even be sure to trust Valve when things do go wrong with their account. Valve don't follow any best practices in anything, including customer service; they couldn't give a fuck about what happens to your account, it's all automated, and they absolve themselves of any responsibility.

I really am moving the way of not trusting Valve anymore.
 

Nzyme32

Member
But Valve isn't the one that is at risk, its customers are? And the customers can't even be sure to trust Valve when things do go wrong with their account. Valve don't follow any best practices in anything, including customer service; they couldn't give a fuck about what happens to your account, it's all automated.

I really am moving the way of not trusting Valve anymore.

Not only customers, but partners too. It's in everyone's best interest to close the issue rather than simple trust among those that have access
 

Kinyou

Member
I hate this kind of stuff, you got some guy who genuinely wanted to help and then you punish him. I don't want to wait until one of the bad guys finds the exploit.
 
No, this isn't a BBCode exploit.
I know, what I meant was what system they are using. But you answered it already. The devs can use full-fledged HTML. That's indeed not that clever.

What I meant: when posting a VB-Announcement you can set if you want to allow HTML in exact this announcement. Doesn't help when someone gets access to this though.

thx for clarification!
 

Stumpokapow

listen to the mad man
But Valve isn't the one that is at risk, its customers are?

Valve is also at risk as presumably whatever privilege theft attack would work against a user could work against a privileged account. If Valve devs actually have privileged accounts, then you could steal them directly. If not, then you'd probably just farm credentials until you pull an employee credentials and hope password reuse lets you recycle the credentials into something that is privileged :p
 

Silver_key

Neo Member
This position is both incorrect and dangerous. The security community cannot operate in an environment where the short-sighted preferences of platform-holders are prioritized over good security practices; that would lead to a dramatic increase in the volume of exploits successfully deployed against end users.

When Valve marks this NOTABUG, what they're saying is "we don't care if someone's system is exploited or data stolen using our website." This guy is doing this to force them to reconsider that foolish and irresponsible position.

These rules aren't something that this guy just made up; they're best practices, honed over decades, for a global security community. They work better than what you're suggesting and will not be changing any time soon.

I'm sorry if I made it seem like i don't agree with full, responsible disclosure. I was just bringing up some issues with what we expect from companies, risk acceptance, and consequences.
 

Storm360

Member
Going to buy so many copies of Euro Truck Sim 2 during the Steam Sales, I'll show Gaben. I'LL SHOW HIM!

I know this is a joke, but if you really do want to buy copies, I suggest buying them elsewhere. They all activate on Steam anyhow, but external keys don't give Valve the cut of sales.

This is also the same guy who made the fake HL3 announcement using his Steamworks developer status that had the first letter of each line spell out penis.



They could just be tired of him acting on his own.

Edit: Not the same guy exactly, though he had a hand in it supposedly.

Gran-PC is just one of the devs friends basically, they aren't really connected outside of that, and his game (Stanley Parable) and the dev in question (Euro Truck Simulator 2) are unconnected
 
You are replying intuitively about how you think business should be run, instead of understanding what actually happened here. It is simply not possible that Valve's staff cannot fix the flaw. It is a trivial fix. It is a trivial bug. It's a basic input sanitization bug. And it's something that any web developer on any web app would be aware could be an issue. Valve themselves even know because almost every place on Steam uses BBCode instead of raw HTML input to avoid sanitization exploits. This particular sanitization exploit requires about two to three lines of code to fix per input screen that is impacted. The steps you are proposing are simply not relevant. Look at the nature of the exploit, and if you are in a position to understand how the fix would not be trivial, THEN make this argument. Don't just say "but what if". And note that your hypothetical doesn't apply anyway, because they told him they wouldn't fix it. The evidence suggests that the dev was aiming for no disclosure, or a responsible coordinated disclosure. The reason he made a public disclosure was because Valve had no interest in fixing it. This is standard operating procedure on this issue.

Is it actually as trivial to fix as that? My assumption would be that they already have all those existing HTML posts and can't just simply switch to BBCode; sanitizing HTML correctly is a non-trivial task, and they would at least have to go through the trouble of finding an appropriate HTML sanitization library, auditing it and integrating it with their codebase. Alternatively, they could try to play the game with same-origin policy and move developers' posts out of Steam's origin. Neither of those sound quite trivial to me, so I'm not surprised (though disappointed) that they did not want to deal with that. Please correct me if I'm missing some detail here.
 

flux1

Member
Isn't this the same with most digital distributors and online services? iTunes does it, xbox live does it, origin does it. The only difference is the services you lose access to. I'd assume that this situation of updated Terms of Service is also covered in the original terms of service agreed to when signing up

No, other services let you keep using your stuff if it's downloaded and a new EULA comes up you don't agree with. I tried it with my 360 once and all the games downloaded and registered to it still worked fine, I just couldn't get back on Live. Same with Origin.

As stated before, there isn't an excuse to let a security flaw they know about pass as "Well no one that could use it would." You never know when someone's username/password might get compromised and an unauthorized user can try this. Especially for something that is a simple fix.

Stuff like this and their customer support quality are bad, but they know they have most customers cornered. No matter how mad people get, most won't leave because their games are stuck tied to Steam. So they can coast along and even have people defending them for it.
 

TheSeks

Blinded by the luminous glory that is David Bowie's physical manifestation.
I'd be willing to bet that there's some proprietary stuff on top of the secure core. And that's ripe for exploitation if this sort of attitude persists / exists on the OS team.

Yeah, that's the scary thing. But the same could happen to Apple if some sort of proprietary function was found in the open-sourced code. But, IIRC Darwin/BSD offshoot Apple forked from BSD is no longer "open-source," so that's not really a problem for OS X/Apple anymore.

Valve's attitude over this and copyright infringement (DotA/CS incidents) is a bit bone-headed. They'll perma-ban you even if you apologize and basically yell at the community to "police yourselves harder and don't do this again." :/
 

Easy_D

never left the stone age
It is a well known fact that Valve's support team is shit. Unfortunately. Hopefully this event brings about some kind of change.
There are tales of people contacting Support over an issue only to be turned down, file it a week later and have their issue fixed. It's as if everything is decided by the whims of whoever is behind the lever at the time.
 
Is it actually as trivial to fix as that? My assumption would be that they already have all those existing HTML posts and can't just simply switch to BBCode; sanitizing HTML correctly is a non-trivial task, and they would at least have to go through the trouble of finding an appropriate HTML sanitization library, auditing it and integrating it with their codebase.

It really is. Pre-baked libraries that handle this functionality exist in PHP, Python, and Ruby, all of which will have reasonable default sanitization setups either out of the box or easily available online. Any custom-built CMS platform should be easy to roll in a filter like this; in worst case, run a scheduled job every few minutes that cleans up any database entries that aren't marked as sanitized. I cannot imagine any real system where this would be a difficult fix.

How about using your fucking brain when you stumble upon something like this?

How about you using your eyes to read the thread you're posting in?
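To make concrete what charlequin's "run it through HTML Purifier or the Sanitize gem" fix and the "scheduled job that cleans up entries not marked as sanitized" backfill look like, here is an added example. It is not Steam's code and not either of those libraries; it is a standard-library Python stand-in that applies the same allowlist approach (keep only known-safe tags and attributes, drop event handlers and `javascript:` URLs, drop `script`/`style` with their content, re-escape all text). The tag and attribute policy, the `sample_posts()` table and its `sanitized` flag are constructed for the example.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed policy: what a developer announcement is allowed to keep.
ALLOWED_TAGS = {"p", "br", "b", "i", "strong", "em", "ul", "ol", "li",
                "h1", "h2", "h3", "blockquote", "a", "img"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt"}}
VOID_TAGS = {"br", "img"}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"http", "https", ""}      # "" means a relative URL
DROP_WITH_CONTENT = {"script", "style"}   # element and its text both go


def _safe_url(value):
    # Reject javascript:, data:, vbscript: etc. Tabs/newlines are removed first
    # because browsers ignore them inside a scheme: "java\tscript:" must not
    # parse as "no scheme" and slip through as a relative URL.
    if value is None:
        return False
    cleaned = "".join(ch for ch in value if ch not in "\t\r\n").strip()
    return urlparse(cleaned).scheme.lower() in SAFE_SCHEMES


class AllowlistSanitizer(HTMLParser):
    # Re-serialises the input keeping only allowlisted tags and attributes.
    # Unknown tags vanish but their text survives; script/style lose their
    # content too; comments are dropped (HTMLParser's default); every text
    # node is re-escaped on output, so nothing is ever copied through raw.

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.stack = []       # open allowed tags, so the output stays balanced
        self.drop_depth = 0   # > 0 while inside script/style

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.drop_depth += 1
            return
        if self.drop_depth or tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue                  # onerror=, onclick=, style= all go
            if name in URL_ATTRS and not _safe_url(value):
                continue
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.stack.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.drop_depth = max(0, self.drop_depth - 1)
            return
        if self.drop_depth or tag not in self.stack:
            return
        while self.stack:                 # close anything still open inside
            top = self.stack.pop()
            self.out.append(f"</{top}>")
            if top == tag:
                break

    def handle_data(self, data):
        if not self.drop_depth:
            self.out.append(escape(data, quote=False))

    def result(self):
        self.close()
        while self.stack:                 # close tags the author left open
            self.out.append(f"</{self.stack.pop()}>")
        return "".join(self.out)


def sanitize_html(raw):
    p = AllowlistSanitizer()
    p.feed(raw)
    return p.result()


def sample_posts():
    # Constructed stand-in for the stored announcements table.
    return [
        {"id": 1, "body": "<p>Patch 1.9 is <b>live</b>!</p>", "sanitized": False},
        {"id": 2, "body": "<p>Hi<script>alert(1)</script> there</p>", "sanitized": False},
        {"id": 3, "body": '<img src="x" onerror="alert(1)">', "sanitized": False},
        {"id": 4, "body": "<p>ok</p>", "sanitized": True},
    ]


def store_announcement(posts, raw):
    # Write path: the developer's HTML is cleaned before it is ever saved.
    clean = sanitize_html(raw)
    posts.append({"id": len(posts) + 1, "body": clean, "sanitized": True})
    return clean


def backfill(posts):
    # Scheduled job for rows written before the fix; returns how many changed.
    rewritten = 0
    for row in posts:
        if row["sanitized"]:
            continue
        clean = sanitize_html(row["body"])
        rewritten += clean != row["body"]   # count rows that actually changed
        row["body"], row["sanitized"] = clean, True
    return rewritten
```

Run `backfill(sample_posts())` once and the two rows carrying a script block and an `onerror` handler come back as `<p>Hi there</p>` and `<img src="x">`; a second pass rewrites nothing because every row is now flagged. The point of the allowlist (rather than a blocklist of `<script>`) is that new attributes or tags, mixed case, entity-encoded `javascript&#58;` and tab-split schemes all fall through to "not allowed" by default, which is what the real libraries the thread names do as well.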
 

Morrigan Stark

Arrogant Smirk
Is it actually as trivial to fix as that? My assumption would be that they already have all those existing HTML posts and can't just simply switch to BBCode; sanitizing HTML correctly is a non-trivial task, and they would at least have to go through the trouble of finding an appropriate HTML sanitization library, auditing it and integrating it with their codebase. Alternatively, they could try to play the game with same-origin policy and move developers' posts out of Steam's origin. Neither of those sound quite trivial to me, so I'm not surprised (though disappointed) that they did not want to deal with that. Please correct me if I'm missing some detail here.
I'm a web developer, and I assure you, sanitizing HTML is trivial. As charlequin said, there are built-in libraries that do exactly this in just about any web programming language out there. Patching the hole and creating a script to fix the non-sanitized existing posts would be something that would take me less than an hour of work.

Not only does Valve have no excuse for not fixing this, but their reaction to the whole thing has been extremely shitty.
 

demolitio

Member
ieptbarakat, HL3 Internal Beta is uninspired. However, P.E.N.I.S. is applause-worthy.



If anyone wants to see what Euro Truck Simulator 2 is actually like, here's a Quick Look of it by Giant Bomb. (Bonus: Quick Look of the Internet included for free!)

It's one of Giant Bomb's all-time best Quick Looks.

Came for the story in the OP, left with some good laughs watching this video. What a game.
 
I'm a web developer, and I assure you, sanitizing HTML is trivial. As charlequin said, there are built-in libraries that do exactly this in just about any web programming language out there. Patching the hole and creating a script to fix the non-sanitized existing posts would be something that would take me less than an hour of work.

Not only does Valve have no excuse for not fixing this, but their reaction to the whole thing has been extremely shitty.
Even setting aside how trivial it is to fix the issue after it was discovered, I'm shocked they thought it wasn't an issue at all in development. This shit should never have made it to prod, and that it was seemingly a design decision (!!!) is worrying. What other security issues are open to developers because they "trust" them might there be? Scary thought.

This should have been baked in from the first iteration along with whatever SQL Injection protection they might have.
 

Morrigan Stark

Arrogant Smirk
Even setting aside how trivial it is to fix the issue after it was discovered, I'm shocked they thought it wasn't an issue at all in development. This shit should never have made it to prod, and that it was seemingly a design decision (!!!) is worrying. What other security issues are open to developers because they "trust" them might there be? Scary thought.

This should have been baked in from the first iteration along with whatever SQL Injection protection they might have.
Good point. It'd be more forgivable if it were an oversight; that can happen to anyone. But it was this way by design? For real? That's insane.
 
Kotaku article: http://kotaku.com/kid-developer-pranks-steam-gets-suspended-from-steam-1591730839

"Timmy essentially lives on Steam", Pavel Sebor, CEO of Czech studio SCS tells Kotaku in an email, "keeping an eye on everything happening there, every little gossip, every little new feature, parsing source code changes, he frequently suggests fixes and improvements directly to Valve. That's why I hired him really so that he can help us push our games towards closer Steam services integration, his insight into the whole system is really deep."

"Over the course of last year", Sebor explains, "Timmy has found more than one vulnerability in Steam's systems, always dutifully reporting them. This one was already reported a few months ago too, then forgotten about, but as he explained to me a short while ago, just yesterday it popped up in discussion in a closed discussion group of a few like-minded guys, and verified to still not be fixed. So Timmy supposedly wanted to play a little joke on somebody at Valve, and injected a proof of concept code into an old-forgotten announcement post, what he thought was deep enough under layers of new stuff that nobody would discover it by chance. Valve were on it within 30 minutes with a fix."

We've also contacted Valve for comment on this story, and will update if we hear back.

yeah good luck
 

HariKari

Member
yeah good luck

I think the dev in question got tired of them not fixing it and their hand-waving "devs are not an attack vector" excuse. Can't say I blame him, given how damaging the exploit could be if used maliciously, as outlined earlier in the thread.
 

Evrain

Member
One moment, didn't he also mention that Valve had only partially fixed the exploit?
Moreover, on Twitter there was a pic of a Steam support alert, then nothing more.

Sadly, I fear he was struck with threats of even worse sanctions should he keep spreading his story.
EDIT: and indeed, everything disappeared from his profile. I seriously hope this is not Valve trying to bully Duda, would picture them in a rather ominous light.
 
Whilst I say the guy should be effectively pardoned by Valve, he really ought to just send an email detailing the exploit which is standard procedure with white hat hacking.

EDIT: Valve didn't fix it after the guy reported it multiple times? You should have not been fucking incompetent and actually did your job to protect your customers instead of pandering to your fanboys by beating LOL HL3!!11 into the ground.
 

TheSeks

Blinded by the luminous glory that is David Bowie's physical manifestation.
It's almost as if Valve's response was completely unjustifiable and pointless!

Good to see that the vocal backlash(?) got them to relent.

Valve really needs to be a little less insane with their bans when it comes to some things like this.
 
Good to see that the vocal backlash(?) got them to relent.

Valve really needs to be a little less insane with their bans when it comes to some things like this.
I like to think it would have been reversed solely because someone else would have happened to notice it regardless of whether it had an outcry or not.

But I also view it as mostly a mistake instead of actual maliciousness.
 

Calabi

Member
I'm betting it was Gabe that stepped in, similar to the Diretide event. He's probably the only self-correcting mechanism in there; if for some reason he goes, Valve would probably tear itself apart. I'm wondering if inside Valve it isn't a bit like a cult where they believe wholly in their way.
 