Scrobbs

Members
Content count: 2015

Everything posted by Scrobbs

  1. Portal 2

    Do you know if it is Valve's strategy or from an out-of-house marketing shop?
  2. Portal 2

    I'll take a guess and say that it's very effective, and cheap, marketing. So Valve, who years ago re-wrote the book on digital delivery, are now doing so with the build-up. Are they actually going to take over the world in the next 10 years?
  3. Idle Thumbs Camping

    Edit.
  4. Idle Thumbs Camping

    Site is live. It hasn't changed much, truth be told, and sorry Ossk, any significant changes in the short term are beyond my meagre abilities. I did, however, spend a happy day in the sun cutting some steps into the river bank and driving some posts in the ground to make a boggo rail to help canoeists drag their shit out. Felt nice to be actually *making* something. It's a bit Heath Robinson, truth be told, but I was dead chuffed with the result. Loads better than being stuck in an office! Off on a canoe trip this weekend down the Severn, Shrewsbury - Atcham on Sat, and then maybe Atcham - Ironbridge on Sunday. Looking forward to it!
  5. Movie/TV recommendations

    Camelot. This is, you understand, a recommendation to STAY AWAY FROM IT! It is baws.
  6. https://www.upsploit.com/index.php/advisories/view/UPS-2011-0019 Works for all client versions and steampowered.com. Pretty fundamental flaw in that it uses a static session token. Workarounds: don't store CC data server-side, change passwords often and don't access it on public networks. The guy told them about 4 months ago, they've consistently ignored him so he has released to force their hand.
  7. Unnecessary Comical Picture Thread

    That could end nastily - Baader-Meinhof infinite loop. The ultimate recursion.
  8. Steam client vulnerability released

    Re: not getting it - your last paragraph. You say that 'people with malicious intent benefit more from the publishing of security holes than the general public does.' I understand completely that you may not agree with it, but I'd say that most of the security community (i.e. all top researchers, for example mutts, Schneier, the guys at SANS, and further down the 'tree', all of the people I have taken courses from, all of the colleagues that I have worked with in the past) agree with it. I'm not going to say that you're wrong - it's your opinion and I can't effectively say that, but what I do say is that you should (respectfully) re-examine your position. Apologies if I sound/have sounded a little combative, but it's something that I feel quite passionately about.
  9. Unnecessary Comical Picture Thread

    I think it was only this century that the colours were reversed. I.e. Pink was for boys and sky blue for girls. Reason being, pink is related to red, a 'strong' colour.
  10. Starcraft II

    I was more bitching about being forced to buy 2 licences than anything else
  11. Starcraft II

    Most of you guys are in the US I see. Damn, that sucks that they've split the servers by continents.
  12. Steam client vulnerability released

    That's the concept of full disclosure I think you're not getting. Bad people are likely to know about it anyway... Disclosing allows non-security people to take steps to protect themselves. Urge you to read the arguments from 100+ years ago that pretty much put the issue to bed. Not just in my view, which doesn't really matter in the community, but held by luminaries like Schneier. I'm pretty sure that he wouldn't have released if they'd had even the vaguest communication with him. He's a researcher, why not engage?
  13. Steam client vulnerability released

    I got the impression that that forum convo was from shortly after the release. He also notes that there was no way to initiate with a security contact. Be that as it may, I have no real problem with his attempt at notoriety - the simple fact is I'm glad I know about it. With regard to the issue of responsible disclosure, he's sat on it for 4 months; we are not in a position to judge Valve's security response because there hasn't been one. After this release, has there even been a statement?
  14. Steam client vulnerability released

    Well, publishing it, as per 'Full disclosure', allows you and me to protect ourselves against the potential attack. Now you know about not storing your CC details server-side. I don't think I did anyway, but if I did I certainly wouldn't any more. That's its value. Any patch will take time to release - meanwhile it could be exploited by black hats who had found out about it and not told Valve, merely using it for their own ends. Hell, it might have been exploited for years already.
  15. Life

    Hey! Where'd the 'You fucker!' go? I liked that bit...
  16. Life

    I like Malmö, beautiful place.
  17. Steam client vulnerability released

    That's the point: when you sign out, the session ID is not destroyed. The only time it changes is when you change your password: this is piss poor in anyone's book. If you have the session ID (in this case with Steam) you don't need anything else - the system assumes that if the client session ID matches what the server thinks it should be, that's all it needs. Session management, if done correctly, means that a new session ID is issued every time you log off, close the window, expires if you refresh the page etc. As for the advisories he's sent them, as far as I'm concerned, I'm satisfied that he's of the white hat variety, and trust him when he says he's told them multiple times with zero feedback. Regarding the disclosure, that's a 100+ year argument that was solved 100+ years ago (to my mind) by the locksmith trade, but applies equally to computer security. One I happen to fully agree with. http://en.m.wikipedia.org/wiki/Full_disclosure Your ire is misdirected imo.
  18. Life

    Got back to my place in Leeds - my g/f has spent the last week packing. Feels unusual to see the house that I've lived in for the last 10 years so bare. Moving personal items sat in a big van, furniture to be moved at a future time.
  19. Movie/TV recommendations

    Has anyone seen The Illusionist (2010) yet? S'posed to be pretty fine.
  20. Steam client vulnerability released

    The client won't use a session ID to verify online play, rather it is used to authenticate your Steam client session, i.e. when you start the client and log in. For example, if someone managed to grab your session ID, it would act in lieu of password authentication for your account, so the evil client would effectively be masquerading as you. If your CC details were stored server-side, the evil client would then be able to just buy games etc. as you. That's how I imagine it would work. As regards cheating, if the evil client started an aimbot, then it would still be linked to your account. This last is a hypothesis, not tried it, but an assumption.
  21. Steam client vulnerability released

    Changing your password forces the system to give you a new session token.
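    Added example, not from this thread and not Steam's code: a small Python model of the two session-management policies discussed in posts 17, 20 and 21 above. The "static" policy keeps one token per account that survives logout and is replaced only on a password change; the "rotating" policy mints a fresh token on every login, destroys it on logout and expires it when idle. The class and function names, the idle timeout and the "captured token" scenario are assumptions made for illustration.

```python
import secrets
import time

# Added illustration (not Steam's implementation): a minimal in-memory model of
# two session-management policies.
#   "static":   one token per account, kept valid across logout, replaced only
#               when the password changes (the behaviour described in the thread).
#   "rotating": fresh random token on every login, destroyed on logout,
#               invalidated after an idle timeout.
IDLE_TIMEOUT = 15 * 60  # seconds; assumed value for the example


class SessionStore:
    def __init__(self, policy, clock=time.time):
        if policy not in ("static", "rotating"):
            raise ValueError("policy must be 'static' or 'rotating'")
        self.policy = policy
        self.clock = clock          # injectable so idle expiry can be exercised
        self.sessions = {}          # token -> {"user": name, "last_seen": ts}
        self.static_tokens = {}     # user -> token (static policy only)

    def login(self, user):
        if self.policy == "static":
            token = self.static_tokens.setdefault(user, secrets.token_urlsafe(32))
        else:
            token = secrets.token_urlsafe(32)
        self.sessions[token] = {"user": user, "last_seen": self.clock()}
        return token

    def logout(self, token):
        if self.policy == "static":
            return  # the server keeps the token valid; only the client forgets it
        self.sessions.pop(token, None)

    def whoami(self, token):
        """Return the user a token authenticates as, or None if it is not valid."""
        s = self.sessions.get(token)
        if s is None:
            return None
        if self.policy == "rotating" and self.clock() - s["last_seen"] > IDLE_TIMEOUT:
            del self.sessions[token]
            return None
        s["last_seen"] = self.clock()
        return s["user"]

    def change_password(self, user):
        # Both policies revoke every live session for the user; the static policy
        # also discards the per-account token so the next login mints a new one.
        for tok in [t for t, s in self.sessions.items() if s["user"] == user]:
            del self.sessions[tok]
        self.static_tokens.pop(user, None)


class FakeClock:
    """Constructed clock so the idle-timeout path runs without sleeping."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


def hijack_after_logout(policy):
    """Attacker captured the token (e.g. on a public network); victim then logs out."""
    store = SessionStore(policy)
    captured = store.login("victim")
    store.logout(captured)
    return store.whoami(captured)   # "victim" if the hijack still works, else None


def same_token_on_relogin(policy):
    store = SessionStore(policy)
    first = store.login("victim")
    store.logout(first)
    return store.login("victim") == first


def hijack_after_password_change(policy):
    store = SessionStore(policy)
    captured = store.login("victim")
    store.change_password("victim")
    return store.whoami(captured)


def hijack_after_idle(policy, idle_seconds):
    clock = FakeClock()
    store = SessionStore(policy, clock=clock)
    captured = store.login("victim")
    clock.now += idle_seconds
    return store.whoami(captured)


if __name__ == "__main__":
    for policy in ("static", "rotating"):
        print(policy, hijack_after_logout(policy), same_token_on_relogin(policy),
              hijack_after_password_change(policy), hijack_after_idle(policy, 3600))
```

    Under the static policy a captured token keeps working after the victim logs out and is handed back unchanged on the next login; only change_password revokes it. Under the rotating policy the same capture is dead after logout, after an idle period, and after a password change, which is the behaviour the thread argues a correct implementation should have.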
  22. Life

    Despite handing the campsite over to me, my parents still get involved with booking people in and not telling me. Thus, already had a mix-up with the bookings and overbooked for the Easter weekend. Fucking marvellous. They should be away on holiday by now. This would not have happened.
  23. Movie/TV recommendations

    By that he meant the most homo-erotic?
  24. Movie/TV recommendations

    Well sure. But I get the impression he's been working on it for a while.