Scrobbs

Steam client vulnerability released


Sweet. This coupled with the fact that I always use Paypal means that I'm safe. Even if someone got my account there's no way to buy anything without that password. I was worried for a second.

This is especially troubling for those who use the Steam Wallet. I always thought putting set amounts of money into a service to then buy stuff was dumb, but in this case a hacker has easy access to any leftover dosh.

Share this post


Link to post
Share on other sites
I still believe that this guy was more concerned with getting credit for his 1337 skillz than actually addressing any security problem.

And your only basis for that is that you want to believe because Valve is otherwise a good company. Sorry, I think they are awesome as well, that doesn't mean they don't make mistakes.

Share this post


Link to post
Share on other sites
> And your only basis for that is that you want to believe because Valve is otherwise a good company. Sorry, I think they are awesome as well, that doesn't mean they don't make mistakes.

No, my basis is that the claim is that he was ignored for 4 months by Valve over a security concern, which I consider highly unlikely when you look at how connected they are to the community.

Claiming you're being ignored by Valve is like saying you've been turned down by a prostitute. It's possible, but there's probably more to the story.

Share this post


Link to post
Share on other sites
> No, my basis is that the claim is that he was ignored for 4 months by Valve over a security concern, which I consider highly unlikely when you look at how connected they are to the community.

But that's exactly what I'm saying. You think he is lying because Valve has been responsive previously (in some cases, maybe the cases where they haven't been are not well documented). I'd rather believe him until proven otherwise. Companies are made of people and they make mistakes. I can imagine tens of scenarios/reasons why they may not have responded to him.

Share this post


Link to post
Share on other sites

From reading his twitter feed it sounds like his attempt to contact them included posting on the steam community forums, and PM'ing a forum moderator.

If you've used the Steam forums, you could understand why that's not the best way to share important information.

Share this post


Link to post
Share on other sites

I was tempted to call Forbin a blowhard ('cause I like the word "blowhard" to describe people, mostly) but if he has in fact disseminated this information solely through the Steam forums. . .heh. I've spent some time on there (more than I'd like) and Obi-Wan Kenobi's description of Mos Eisley fits. . .well, like an evil glove.

Share this post


Link to post
Share on other sites

I got the impression that that forum convo was recently after the release. He also notes that there was no way to initiate with a security contact.

Be that as it may, I have no real problem with his attempt at notoriety - the simple fact is I'm glad I know about it. With regard to the issue of responsible disclosure, he's sat on it for 4 months; we are not in a position to judge Valve's security response because there hasn't been one. After this release, has there even been a statement?

Share this post


Link to post
Share on other sites
> No, my basis is that the claim is that he was ignored for 4 months by Valve over a security concern, which I consider highly unlikely when you look at how connected they are to the community.

To me, that seems barely more than Steve Jobs' random short emails level of connectedness with the community.

Share this post


Link to post
Share on other sites
Not sure how it was related.

Also, I give Valve a lot more credit than simply being the best of the worst. They're one of the only companies that not only believes that treating customers well generates business, but it drives their business decisions as well.

So, let me ask you: Are they thinking of their customers when they don't ask them to confirm their password before a sale, or are they thinking of their bottom line? Because asking a user to verify their password before a sale would solve this problem easily.

Share this post


Link to post
Share on other sites

I'm saying it's debatable. It would almost certainly hurt their sales, because it would inconvenience their customers. I don't want to have to enter my password that often. I've worked on medical software that deals with PHI and challenges you for passwords all the time. It can certainly be used as a security measure, but it's a usability nightmare.

The best option would be to add a preference under your account security asking to be challenged every time you purchase a game (which would take effect the next time you typed your password). But I still don't see it as a clear cut decision.

And decisions, even ones that seem obvious, on major projects like Steam take time. That's what I take issue with. People that work on their own, have no idea how long it takes to settle debates, and move forward with a release plan. It's not just bureaucracy, it's due process.

You see it all the time where someone complains that some minor feature they want should just be implemented because "it's just a couple lines of code". They're the backseat drivers and armchair quarterbacks of the development world. Nobody appreciates that developers have limited time, and a huge list of things they need to do sorted by severity and priority. If someone told me to change something of this scale on my current project in production, it would take me at least a day just to put my current environment to rest and set up a view of the code of the main branch in order to get started. It'd probably take a week or two of development to ensure all our modules were updated and rebuilt. Then QA would want a month to regression test that I hadn't blown up the whole site with my major refactor. And we'd have to figure out when the release window would be, and if we have time with the operations team to get it deployed to our staging and production environments. But before any of this would be able to take place, the management would have to agree that it's something worth doing.

So is it so surprising that when Valve is currently pushing out Steam Guard, it's not an obvious conclusion for the management team that they should pull resources off projects they're currently working on?

Should it be fixed? Yes. Is it surprising that it wasn't hotfixed within 4 months given the complexity, the severity, the alternatives and the fact that they're working on launching their service to a new platform? No.

Would I rather I know about it than not? Probably. But I would rather not know about it, and in turn not have the whole NETSEC community know about it and have people start making tools to break into other people's accounts, while Valve is given a reasonable amount of time to address the issue.

Share this post


Link to post
Share on other sites
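The post above sketches a purchase-time password challenge controlled by an account preference, with the detail that the preference change only takes effect once the user has typed their password. The sketch below is an added illustration of that design and is not code from the thread, from Steam or from Valve; the account and session structures, the five-minute freshness window and the in-memory wallet are all assumptions made for the example. The security-relevant point it makes concrete is that the preference itself must be protected by a fresh password entry, otherwise a stolen session cookie could simply switch the challenge off before buying.

```python
"""Step-up re-authentication on purchase, gated by a user preference.

Added example, not from the original thread. Assumed model: a session
remembers when the password was last typed; a purchase with the
preference enabled, and any change to the preference, must happen within
REAUTH_WINDOW_SECONDS of a password entry.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass

REAUTH_WINDOW_SECONDS = 300  # assumed freshness window for a password entry


@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes
    require_reauth_on_purchase: bool = False
    wallet_cents: int = 0


@dataclass
class Session:
    account: Account
    last_password_auth: float  # epoch seconds of the last password entry


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; iteration count kept modest for the example.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def create_account(username: str, password: str, wallet_cents: int = 0) -> Account:
    salt = os.urandom(16)
    return Account(username, salt, _hash_password(password, salt), wallet_cents=wallet_cents)


def verify_password(account: Account, password: str) -> bool:
    # Constant-time comparison so the check does not leak via timing.
    return hmac.compare_digest(_hash_password(password, account.salt), account.pw_hash)


def reauthenticate(session: Session, password: str, now: float) -> bool:
    """Record a fresh password entry on the session if the password is right."""
    if not verify_password(session.account, password):
        return False
    session.last_password_auth = now
    return True


def _recently_authenticated(session: Session, now: float) -> bool:
    return (now - session.last_password_auth) <= REAUTH_WINDOW_SECONDS


def set_reauth_preference(session: Session, enabled: bool, now: float) -> bool:
    """Change the preference; refused unless the password was typed recently.

    Without this gate, whoever holds a hijacked session could turn the
    purchase challenge off and then buy freely. Returns True on success.
    """
    if not _recently_authenticated(session, now):
        return False
    session.account.require_reauth_on_purchase = enabled
    return True


def purchase(session: Session, price_cents: int, now: float) -> tuple[str, int]:
    """Attempt a wallet purchase. Returns (status, remaining balance).

    status is "ok", "reauth_required" or "insufficient_funds".
    """
    acct = session.account
    if acct.require_reauth_on_purchase and not _recently_authenticated(session, now):
        return ("reauth_required", acct.wallet_cents)
    if acct.wallet_cents < price_cents:
        return ("insufficient_funds", acct.wallet_cents)
    acct.wallet_cents -= price_cents
    return ("ok", acct.wallet_cents)


if __name__ == "__main__":
    # Constructed walk-through: the password was typed at t=1000.
    acct = create_account("alice", "correct horse", wallet_cents=5000)
    s = Session(acct, last_password_auth=1000.0)
    print(purchase(s, 1000, now=1100.0))            # ("ok", 4000): preference off
    print(set_reauth_preference(s, True, now=1100.0))  # True: still within the window
    print(purchase(s, 1000, now=2000.0))            # ("reauth_required", 4000)
    print(reauthenticate(s, "correct horse", now=2000.0))  # True
    print(purchase(s, 1000, now=2010.0))            # ("ok", 3000)
    print(set_reauth_preference(s, False, now=5000.0))  # False: stale session
```

The `now` parameter is passed explicitly rather than read from the clock so the freshness logic is deterministic and testable; a real service would also bind the freshness timestamp to the session identifier on the server side, never to a client-supplied value.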

That's the concept of full disclosure I think you're not getting. Bad people are likely to know about it anyway... Disclosing allows non-security people to take steps to protect themselves. I urge you to read the arguments from 100+ years ago that pretty much put the issue to bed. Not just in my view, which doesn't really matter in the community, but held by luminaries like Schneier.

I'm pretty sure that he wouldn't have released if they'd had even the vaguest communication with him. He's a researcher, why not engage?

Share this post


Link to post
Share on other sites

To be honest the whole full disclosure argument has been beaten into the ground a million times across a million mediums over a million years. You're either for it or you aren't. I personally think it's the way to go because:

  1. It forces companies to prioritise the fixing of things black hat communities are already using against people on a small scale and going undetected
  2. It gives consumers the chance to protect themselves from the aforementioned bastards rather than sit there vulnerable to it for months on end while it's fixed

The completely reasonable counter-argument is that it temporarily opens up more people to the exploit than would have been otherwise exposed — but that's only based on the assumption the hole is ever patched or is patched a relatively short time after exposure, and I know from experience that isn't always the case.

Companies can and do sit on security holes for months or even years because they think they can get away with delaying it until X is done, then it becomes after Y is also done, then Z, then A, then B, etc. Usually they're not even bad companies — they simply don't take it seriously enough. Such complacency is easily remedied by full disclosure.

It can also be dangerous for white hat hackers to get too involved with trying to resolve things with companies, because companies sometimes get nasty and start trying to do the guy in for hacking them even though he was really helping them out. As such, white hat hackers usually keep a healthy distance from companies when exposing flaws, even if privately.

Share this post


Link to post
Share on other sites
> That's the concept of full disclosure I think you're not getting. Bad people are likely to know about it anyway... Disclosing allows non-security people to take steps to protect themselves. I urge you to read the arguments from 100+ years ago that pretty much put the issue to bed. Not just in my view, which doesn't really matter in the community, but held by luminaries like Schneier.

> I'm pretty sure that he wouldn't have released if they'd had even the vaguest communication with him. He's a researcher, why not engage?

What from my posts makes you think it's an issue of me "getting" that? I understand the theory, but I generally disagree with it. I think that when people provide their findings privately to companies, that it's usually the best route.

My personal opinion is that people with malicious intent benefit more from the publishing of security holes than the general public does. So if you're going to do it, you should be damn sure the company you're trying to help is not doing their job.

Share this post


Link to post
Share on other sites

So your idea of hackers is that they generally just wait around until a white hat publishes information, and then exploit it? They don't, say, find security holes themselves and then either exploit them or share them with other hackers?

Share this post


Link to post
Share on other sites

FYI, security researchers are also hackers. The difference is in the color of their hat. White hat hackers don't abuse the knowledge they gained, black hat hackers do. The thought that black hat hackers are not able to find the same security issues as white hat hackers is ludicrous.

Share this post


Link to post
Share on other sites
> The thought that black hat hackers are not able to find the same security issues as white hat hackers is ludicrous.

:tup::tup::tup:

Forbin, there's an entire black market of 0 day exploits out there. Even if the white hat community had the budget to buy every exploit found and offered for sale by black hats, study it then shut it down as fast as possible, which they don't, economics would quickly put that out of reach as demand increased. Disclosure is by far the best policy.

Share this post


Link to post
Share on other sites
> What from my posts makes you think it's an issue of me "getting" that? I understand the theory, but I generally disagree with it. I think that when people provide their findings privately to companies, that it's usually the best route.

> My personal opinion is that people with malicious intent benefit more from the publishing of security holes than the general public does. So if you're going to do it, you should be damn sure the company you're trying to help is not doing their job.

Re: not getting it - your last paragraph. You say that 'people with malicious intent benefit more from the publishing of security holes than the general public does.'

Rogues knew a good deal about lock-picking long before locksmiths discussed it among themselves, as they have lately done. If a lock, let it have been made in whatever country, or by whatever maker, is not so inviolable as it has hitherto been deemed to be, surely it is to the interest of honest persons to know this fact, because the dishonest are tolerably certain to apply the knowledge practically; and the spread of the knowledge is necessary to give fair play to those who might suffer by ignorance.

I understand completely that you may not agree with it, but I'd say that most of the security community (i.e. all top researchers, for example mutts, Schneier, the guys at SANS, and further down the 'tree', all of the people I have taken courses from, all of the colleagues that I have worked with in the past) agree with it. I'm not going to say that you're wrong - it's your opinion and I can't effectively say that, but what I do say is that you should (respectfully) re-examine your position.

Apologies if I sound/have sounded a little combative, but it's something that I feel quite passionately about :)

Share this post


Link to post
Share on other sites
> Re: not getting it - your last paragraph. You say that 'people with malicious intent benefit more from the publishing of security holes than the general public does.'

> I understand completely that you may not agree with it, but I'd say that most of the security community (i.e. all top researchers, for example mutts, Schneier, the guys at SANS, and further down the 'tree', all of the people I have taken courses from, all of the colleagues that I have worked with in the past) agree with it. I'm not going to say that you're wrong - it's your opinion and I can't effectively say that, but what I do say is that you should (respectfully) re-examine your position.

> Apologies if I sound/have sounded a little combative, but it's something that I feel quite passionately about :)

I'll add another analogy, Achilles: if he had known about his heel then he would have worked harder to defend it. Sure, it would still be possible to injure him that way, but the chance of catching him off guard would be lower.

Share this post


Link to post
Share on other sites

I agree that black hats in general are skilled enough to find anything a white hat can. But don't underestimate the population of script kiddies. Most people out there exploiting shit are just reusing what other people have learned.

Share this post


Link to post
Share on other sites
