Valve bans Game Developer from Steamworks for pointing out a vulnerability


Tomáš "Timmy" Duda (@tomasduda), one of the developers of Euro Truck Simulator 2, was banned by Valve from the Steam Community and Steamworks for a year, for pointing out that Steam announcements were vulnerable to XSS script injection. After failing to get any response from Valve for a long time, he finally decided to showcase the vulnerability by adding a Harlem Shake script to an announcement.

Valve's response? They fixed the bug, and banned him for a year. This means he is now unable to patch his games. (Edit: okay, not quite that drastic, as SCS has more employees. Timmy is locked out though, and he was the SCS Steam community manager.)

What the hell is going on with Valve?

https://twitter.com/tomasduda/status/478301124257411072

Edit: reddit thread: http://www.reddit.com/r/Steam/comments/288azx/what_the_fuck_steam/ci8ebud

Update: looks like there's a happy ending. The dev got unbanned :)
https://twitter.com/tomasduda/status/479031656184295424

His first mistake was using the Harlem Shake. No one wants to see that shit.

Well that means he hacked their system so to speak... there are some clear rules on that subject.
I'll agree that Valve need to listen up and sort their stuff when a problem arises, but that still doesn't permit one to break other people's shit to make a point.

Man, that sucks. A vulnerability is bad news and should be fixed immediately, and all he was trying to do was get Valve to listen.

But at the same time, maybe he shouldn't have taken it upon himself to showcase the vulnerability. He's a developer after all, with a game up on Steam, I don't think it's a good idea to risk your professional relationship with Steam, and your position to support your game, for the sake of getting a point across. Surely there must have been a better way to communicate this problem to Valve, even after trying and them not listening. When it comes down to it, the guy broke the rules, and procedures need to be followed.

That being said, Valve should review this case. If what the guy is saying is true and he tried to tell them about the problem for a while, then there was a failure of communication on Valve's behalf. It's not right for them to ignore the problem for such a long time, and punish him for what can ultimately be blamed on their own inaction. If they listened to him in the first place, this would've never happened. I have no idea how much this guy tried to communicate the problem to Valve, but I still think there could have been a better way for the guy to prove his point than to exploit the vulnerability himself with a goddamned Harlem Shake. That's not the sort of behavior I'd expect from a professional videogame developer.

And ignoring a website vulnerability is not the behavior I'd expect from a major company like Valve.

All in all, there are faults on both sides here. But the original, and greatest fault falls on Valve. The guy broke the rules and was given a punishment as per procedure. But I think Valve should review the case and lift the suspension from him. After all, he was trying to help, and they didn't listen. And he should stop fucking around with Valve's websites and find a better way to communicate problems.

Oh agreed, it is a foolish way to show the problem, but apparently Valve's response was sticking its head in the sand:

"We allow devs to use all html (unfiltered), because we trust them."

When you're faced with such dangerous ignorance, sometimes a harmless demonstration of the potential for malicious intent is the only option left.

erbkaiser:
Oh agreed, it is a foolish way to show the problem, but apparently Valve's response was sticking its head in the sand:

"We allow devs to use all html (unfiltered), because we trust them."

When you're faced with such dangerous ignorance, sometimes a harmless demonstration of the potential for malicious intent is the only option left.

Maybe... I'm trying to picture myself in the guy's position, and I'm sure the frustration of not being listened to must have been great. But I'm not sure how I'd leverage my professional relationship with Steam vs the need to prove a point.

In the professional world when problems like this arise, every angle needs to be examined. Because that means there is a problem in the system. It's not entirely unreasonable to hand him a punishment off the bat for breaking rules, but an investigation should be conducted as well. They need to find out how the vulnerability came to be in the first place, and why his pleas to fix the problem went unheard.

It seems like his stunt, while annoying and embarrassing, had a positive effect of Valve finally fixing the problem. So, I think it's reasonable and fair to lift the suspension. They need to learn from this and improve their communications next time and make sure problems get fixed. I honestly hope the guy doesn't have to serve his suspension.

"Man, Sony were douchebags for suing that guy for exploiting their security with the PS3, they deserve everything they get!"

there are rules, he shouldn't have done that

it's like robbing a bank and saying "see? you need to hire more security guards!"

Valve should've paid attention to him earlier as well, but like I said, he REALLY shouldn't have done that, the ban itself says he violated the Steam Subscriber Agreement

definitely terrible to see this happen though

Would it have been better if he had done nothing, and we'd have to wait for some scumbag dev (like the ones behind some of those crappy games Jim Sterling plays) to inject a script vulnerability to install trojans on people's machines instead?

Or imagine if a Bohemia Interactive dev got hacked, and they got access to his Steam Dev data. They could've posted an announcement to, say, the Steam page for DayZ, and infected millions of PCs.

The system was wide open. Still is apparently, Valve only partially fixed it. They only blocked [script] tags, JavaScript injected in attributes still works.

I agree it's not the smartest thing to do, but to ban a whistleblower for a year is excessive IMO.

I can hardly blame him for really wanting to demonstrate this vulnerability, given the fact that a sizable amount of his income probably comes through Steam. If this problem had gone ignored and unfixed for longer, the results could have indirectly harmed him by damaging Steam's reputation, or potentially harm him in a far more direct way. Who knows?

Valve just seems more and more determined to bury their head in the sand and make communication impossible over everything. It was kind of cute when they were just being coy about game development, but acting that way about everything doesn't help at all.

NuclearKangaroo:
there are rules, he shouldn't have done that

it's like robbing a bank and saying "see? you need to hire more security guards!"

Not really. It's more like breaking into a bank vault, not harming or alerting anyone in the process, and then leaving a detailed note explaining how they did it and how they could fix it inside the vault.

Geo Da Sponge:
I can hardly blame him for really wanting to demonstrate this vulnerability, given the fact that a sizable amount of his income probably comes through Steam. If this problem had gone ignored and unfixed for longer, the results could have indirectly harmed him by damaging Steam's reputation, or potentially harm him in a far more direct way. Who knows?

Valve just seems more and more determined to bury their head in the sand and make communication impossible over everything. It was kind of cute when they were just being coy about game development, but acting that way about everything doesn't help at all.

NuclearKangaroo:
there are rules, he shouldn't have done that

it's like robbing a bank and saying "see? you need to hire more security guards!"

Not really. It's more like breaking into a bank vault, not harming or alerting anyone in the process, and then leaving a detailed note explaining how they did it and how they could fix it inside the vault.

but still stealing money, hell even if they didn't they'd still be violating private property wouldn't they?

he still took advantage of the exploit

NuclearKangaroo:
but still stealing money, he still took advantage of the exploit

No, he used a harmless script to show what COULD be done.

From Reddit, Valve knew about this for months and ignored it. All that time someone could have done serious damage, it's pure luck that -- as far as we know -- nobody did anything yet.

erbkaiser:

NuclearKangaroo:
but still stealing money, he still took advantage of the exploit

No, he used a harmless script to show what COULD be done.

From Reddit, Valve knew about this for months and ignored it. All that time someone could have done serious damage, it's pure luck that -- as far as we know -- nobody did anything yet.

he used the exploit even if it was harmless in the end, there's no question about that, he SHOULDN'T have done that

I'd rather see someone use a highly noticeable and harmless script to scare Valve who are ignoring the issue, than a malicious thief infect Steam without anyone noticing until it is too late.

Guess we disagree then, @NuclearKangaroo

NuclearKangaroo:

Geo Da Sponge:
I can hardly blame him for really wanting to demonstrate this vulnerability, given the fact that a sizable amount of his income probably comes through Steam. If this problem had gone ignored and unfixed for longer, the results could have indirectly harmed him by damaging Steam's reputation, or potentially harm him in a far more direct way. Who knows?

Valve just seems more and more determined to bury their head in the sand and make communication impossible over everything. It was kind of cute when they were just being coy about game development, but acting that way about everything doesn't help at all.

NuclearKangaroo:
there are rules, he shouldn't have done that

it's like robbing a bank and saying "see? you need to hire more security guards!"

Not really. It's more like breaking into a bank vault, not harming or alerting anyone in the process, and then leaving a detailed note explaining how they did it and how they could fix it inside the vault.

but still stealing money, he still took advantage of the exploit

But he didn't take anything... Nothing he did used the exploit against anyone, apart from using it to demonstrate that he could.

Listen, I don't like basing entire arguments off of metaphors, but in this case:

Bypassing bank security = Using the exploit

Leaving a note in the vault = Leaving a silly video to prove he'd done it

Stealing money = Using the exploit to give himself some advantage on Steam, or in any way damaging Steam

Since he didn't actually do anything that damaged Steam beyond posting a silly little video (and you seem to be arguing that he didn't even have to do that for it to equate to stealing; just using the exploit was enough), that can't really be equated to stealing money, can it?

But to bring it back to the main point, this guy relies on Steam. It's used to sell the product he worked on, Euro Truck Simulator 2. He has security concerns with the system, and since he was being ignored previously, this seemed to be the only way he could get it acknowledged. If the people who use your system and bring in the money for it have concerns over its security, the last thing you should be doing is punishing them for demonstrating the problem. It's like Valve has so much momentum with Steam they really don't care if the developers using it hate it, because they know that there's nowhere else to go.

Or, to torturously stretch the bank metaphor even further, it's like breaking into the bank which you use, in order to specifically reach the deposit box which you own, in order to prove that it's not secure and therefore your stuff is at risk. But the bank bans you for a year for showing the gaping hole in their security, even after you pointed it out through the proper channels first.

erbkaiser:
I'd rather see someone use a highly noticeable and harmless script to scare Valve who are ignoring the issue, than a malicious thief infect Steam without anyone noticing until it is too late.

Guess we disagree then, @NuclearKangaroo

it seems you edited your comment

anyways, the problem with your entire argument is that you think this was THE ONLY WAY to get Valve's attention, when I'm willing to bet, there are many others that wouldn't be against the subscriber agreement, I'm not against the dev's message, I'm against the way he decided to deliver it

Geo Da Sponge:

NuclearKangaroo:

Geo Da Sponge:
I can hardly blame him for really wanting to demonstrate this vulnerability, given the fact that a sizable amount of his income probably comes through Steam. If this problem had gone ignored and unfixed for longer, the results could have indirectly harmed him by damaging Steam's reputation, or potentially harm him in a far more direct way. Who knows?

Valve just seems more and more determined to bury their head in the sand and make communication impossible over everything. It was kind of cute when they were just being coy about game development, but acting that way about everything doesn't help at all.

Not really. It's more like breaking into a bank vault, not harming or alerting anyone in the process, and then leaving a detailed note explaining how they did it and how they could fix it inside the vault.

but still stealing money, he still took advantage of the exploit

But he didn't take anything... Nothing he did used the exploit against anyone, apart from using it to demonstrate that he could.

Listen, I don't like basing entire arguments off of metaphors, but in this case:

Bypassing bank security = Using the exploit

Leaving a note in the vault = Leaving a silly video to prove he'd done it

Stealing money = Using the exploit to give himself some advantage on Steam, or in any way damaging Steam

Since he didn't actually do anything that damaged Steam beyond posting a silly little video (and you seem to be arguing that he didn't even have to do that for it to equate to stealing; just using the exploit was enough), that can't really be equated to stealing money, can it?

But to bring it back to the main point, this guy relies on Steam. It's used to sell the product he worked on, Euro Truck Simulator 2. He has security concerns with the system, and since he was being ignored previously, this seemed to be the only way he could get it acknowledged. If the people who use your system and bring in the money for it have concerns over its security, the last thing you should be doing is punishing them for demonstrating the problem. It's like Valve has so much momentum with Steam they really don't care if the developers using it hate it, because they know that there's nowhere else to go.

Or, to torturously stretch the bank metaphor even further, it's like breaking into the bank which you use, in order to specifically reach the deposit box which you own, in order to prove that it's not secure and therefore your stuff is at risk. But the bank bans you for a year for showing the gaping hole in their security, even after you pointed it out through the proper channels first.

but then wouldn't you be violating private property if you broke into a bank to leave the note? even if you didn't take anything, see the problem is that the act itself is a crime, and sure enough what this guy did is against the Steam Subscriber Agreement

the problem is that this dev took a drastic action, I bet there were other ways to get the message across

but right now, he screwed himself and he screwed his customers and nobody is happy

And again, what was his alternative? Wait until the inevitable malicious exploit gets on Steam?
By all accounts, Valve was informed months ago, and decided to ignore it.

Geo Da Sponge:

But to bring it back to the main point, this guy relies on Steam. It's used to sell the product he worked on, Euro Truck Simulator 2. He has security concerns with the system, and since he was being ignored previously, this seemed to be the only way he could get it acknowledged. If the people who use your system and bring in the money for it have concerns over its security, the last thing you should be doing is punishing them for demonstrating the problem. It's like Valve has so much momentum with Steam they really don't care if the developers using it hate it, because they know that there's nowhere else to go.

And in case my point above was ignored, given how GeoHotz was turned into a sort of folk hero in the wake of the PS3 Jailbreak, it's jaw-dropping to see someone who did far less being blamed for trying to protect his livelihood. Worse, he went through the official channels and was promptly ignored and yet the usual excuses are being brought out to defend Valve/Steam.

SO! He warned them ahead of time, tried to get their attention to fix the problem and then when they ignored his pleas he showed them the error with a harmless but effective demonstration. And instead of thanking him for pointing it out and making sure it was fixed before something serious happened with it, they banned him for a year. They need to reverse this, it's bullshit. Not only that, what about all the poor sods that got ETS2? I don't like the game but dammit it's not fair to them either.

Just in case anyone fails to grasp the potential security risk of this -- on Windows, the main platform Steam is used on, STEAM BYPASSES UAC BY DESIGN (using the Steam Client Service).
Let that sink in for a second.

This exploit allowed anyone with Steam developer access to place ANY JavaScript on a Steam announcement, which means it will automatically be on Steam's front page in the 'Recently Updated' section, and any script contained on that page will be executed by the built-in Steam browser with elevated user access.

Could the bug have been directly used to damage him? If not, then why did he care? Preventative measures are never taken by companies as big as Valve. Better let them burn at their own volition than try to save them from their own shortsightedness.

Good intentions don't get you far when directed at people like them. I hope he gets unbanned though.

This is starting to sound like an even more ridiculous premise to the 3rd Die Hard movie....

that's the way valve works. fix it when shit hits the fan. as big of a fan as I am I say let them burn a bit next time. then maybe they'll take it seriously.

erbkaiser:
And again, what was his alternative? Wait until the inevitable malicious exploit gets on Steam?
By all accounts, Valve was informed months ago, and decided to ignore it.

couldn't he contact more devs to try to make his voice be heard? couldn't he start a campaign to let people know there's a potential exploit, he could even put an in-game message in his game or something

there ARE ways

NuclearKangaroo:
there are rules, he shouldn't have done that

it's like robbing a bank and saying "see? you need to hire more security guards!"

Valve should've paid attention to him earlier as well, but like I said, he REALLY shouldn't have done that, the ban itself says he violated the Steam Subscriber Agreement

definitely terrible to see this happen though

Well, I think it would play out more like this article when two 14-year-old students were able to hack the Admin mode of an ATM.

Link

Title's kinda misleading, dude. You make it sound like Valve banned him because they didn't want to hear what he was trying to tell them. He got banned for hacking their system. In fact, I'm more than willing to bet he was expecting to be banned after they fixed the vulnerability. Maybe he can make an appeal later, but for the moment, he'll just have to live with his decision.

Valve's community management isn't a judicial system. They're going to ban whoever breaks the rules, period. They aren't meant to make judgments on whether or not you broke the rules for the right reasons.

EDIT: Just so we're clear, I'm not condemning the guy for what he did. So long as he's willing to live with the consequences, I'd say job well done. If, however, he's going around crying about it on the internet, that's where I have no sympathy. He doesn't need defending, and Valve doesn't need condemnation.

erbkaiser:
And again, what was his alternative? Wait until the inevitable malicious exploit gets on Steam?
By all accounts, Valve was informed months ago, and decided to ignore it.

Yes. He is a game developer with a business relationship with Valve. He is not a security expert under the employ of Valve. He did well in reporting the vulnerability to Valve, but that is where both his responsibility and rights end on that subject. By going a step further and exploiting the vulnerability, he left himself open to potential consequences for his actions.

It's fine to take a moral stand that conflicts with ethics and legality, but you have to be willing to accept that your actions may have a negative personal outcome. Anything less is childish.

NuclearKangaroo:

erbkaiser:
And again, what was his alternative? Wait until the inevitable malicious exploit gets on Steam?
By all accounts, Valve was informed months ago, and decided to ignore it.

couldn't he contact more devs to try to make his voice be heard? couldn't he start a campaign to let people know there's a potential exploit, he could even put an in-game message in his game or something

there ARE ways

Contacting devs? That is how he got banned in the first place. He was in the Steam dev IRC and they were talking about the exploit. To prove what he said existed, he altered the update to show the Harlem Shake -- Valve finally noticed, and banned him.

The Stanley Parable dev showed the same exploit still exists for attributes (not published, but valid): https://twitter.com/GranPC/status/478554937111371776
I wonder if Valve will ban him too.
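
Added example, not part of the original thread and not Valve's code: the partial fix described above (blocking only script tags while attribute-based JavaScript still works) compared with an escape-first allowlist. All function names and the sample announcement markup are constructed for illustration.

```javascript
// Added example: hypothetical helper names, constructed sample markup.
const ALLOWED_TAGS = ["b", "i", "u", "p", "ul", "ol", "li", "br", "h1", "h2"];

// Denylist filter of the kind the thread describes: only <script> is removed.
function stripScriptTags(html) {
  return html
    .replace(/<script\b[\s\S]*?<\/script\s*>/gi, "")
    .replace(/<\/?script\b[^>]*>/gi, "");
}

// Audit aid (not a sanitizer, does not decode entities): list markup that a
// browser would still treat as script-bearing.
function findActiveMarkup(html) {
  const findings = [];
  const tagRe = /<([a-z][a-z0-9]*)\b([^>]*)>/gi;
  let tagMatch;
  while ((tagMatch = tagRe.exec(html)) !== null) {
    const tag = tagMatch[1].toLowerCase();
    if (tag === "script") findings.push("script element");
    const attrRe = /([a-z-]+)\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/gi;
    let attrMatch;
    while ((attrMatch = attrRe.exec(tagMatch[2])) !== null) {
      const name = attrMatch[1].toLowerCase();
      // Browsers ignore whitespace and control characters inside a URL scheme.
      const value = attrMatch[2]
        .replace(/^["']|["']$/g, "")
        .replace(/[\s\u0000-\u001f]/g, "")
        .toLowerCase();
      if (name.startsWith("on")) findings.push(`${tag}[${name}]`);
      else if (value.startsWith("javascript:")) findings.push(`${tag}[${name}=javascript:]`);
    }
  }
  return findings;
}

function escapeHtml(text) {
  return text
    .replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;").replace(/'/g, "&#39;");
}

// Allowlist approach: escape everything, then re-enable only exact,
// attribute-free tags and links whose href is a plain http(s) URL.
function sanitizeAllowlist(html) {
  let out = escapeHtml(html);
  const bareTag = new RegExp("&lt;(/?)(" + ALLOWED_TAGS.join("|") + ")&gt;", "gi");
  out = out.replace(bareTag, (_, slash, tag) => "<" + slash + tag.toLowerCase() + ">");
  // Anything that is not exactly <a href="http(s)://..."> stays escaped text.
  out = out.replace(
    /&lt;a href=&quot;(https?:\/\/[^\s&]+)&quot;&gt;([\s\S]*?)&lt;\/a&gt;/gi,
    '<a href="$1" rel="noopener">$2</a>'
  );
  return out;
}

// Constructed announcement body with harmless placeholder handlers.
const SAMPLE_ANNOUNCEMENT =
  "<p>Patch notes</p><script>demo()</script>" +
  '<img src="x.png" onerror="demo()">' +
  '<a href="javascript:demo()">more</a>';

console.log("after script-tag filter:", findActiveMarkup(stripScriptTags(SAMPLE_ANNOUNCEMENT)));
console.log("after allowlist:", findActiveMarkup(sanitizeAllowlist(SAMPLE_ANNOUNCEMENT)));
```

The audit function is only for spotting leftovers in stored content; rendering untrusted HTML in production calls for a maintained sanitizer library rather than regular expressions.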

Sanunes:

NuclearKangaroo:
there are rules, he shouldn't have done that

it's like robbing a bank and saying "see? you need to hire more security guards!"

Valve should've paid attention to him earlier as well, but like I said, he REALLY shouldn't have done that, the ban itself says he violated the Steam Subscriber Agreement

definitely terrible to see this happen though

Well, I think it would play out more like this article when two 14-year-old students were able to hack the Admin mode of an ATM.

Link

the situation is slightly different though, the developer already knew this exploit worked, the kids didn't

he should've looked into other options before doing this, breaking the rules ideally shouldn't be the plan B

They didn't ban him for "pointing out a vulnerability", they banned him for hacking the motherfucking system.

Valve/Steam ignoring perfectly reasonable requests and demands? I'm nowhere near surprised, is this a good time to mention how Steam's customer service is so poor it's technically illegal in the UK?

Remember when Steam was heralded as the "saviour of PC gaming?" Yeah me neither. Valve has used up all of their goodwill over the last two years as far as I'm concerned.

Also that Harlem Shake example sounds hilarious, +1 interwebz to that guy. Not like Steam will reverse the ban though, that would be far too reasonable of them, listening to their community even. Dangerous thinking.

erbkaiser:

NuclearKangaroo:

erbkaiser:
And again, what was his alternative? Wait until the inevitable malicious exploit gets on Steam?
By all accounts, Valve was informed months ago, and decided to ignore it.

couldn't he contact more devs to try to make his voice be heard? couldn't he start a campaign to let people know there's a potential exploit, he could even put an in-game message in his game or something

there ARE ways

Contacting devs? That is how he got banned in the first place. He was in the Steam dev IRC and they were talking about the exploit. To prove what he said existed, he altered the update to show the Harlem Shake -- Valve finally noticed, and banned him.

The Stanley Parable dev showed the same exploit still exists for attributes (update since removed): https://twitter.com/GranPC/status/478554937111371776
I wonder if Valve will ban him too.

wait, did he post that update? that's what I think got the Euro Truck dev banned

The Wykydtron:

Remember when Steam was heralded as the "saviour of PC gaming?" Yeah me neither. Valve has used up all of their goodwill over the last two years as far as I'm concerned.

Two years? They've been like this for the longest time, hell they're responsible for almost every anti-consumer precedent in gaming. They were just good at PR.

Seems the title was misleading; he was actually banned for EXPLOITING the vulnerability, not for merely talking about it as the title suggests.
