Steam security issue revealed personal info to other users on XMas Day (fixed)

So I've been looking at the Sony hack and who the lead authority in the UK was; the ICO (Information Commissioner's Office) fined them £250,000 ($396,100) for their mess-up. There seem to be very clear rules in place for what should happen if anything like this happens to an organisation.

Quote from ICO website:
A personal data breach is:
“a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of a public electronic communications service”.

When and how do we notify the ICO?
You must notify the ICO within 24 hours of becoming aware of the essential facts of the breach. This notification must include at least:
your name and contact details;
the date and time of the breach (or an estimate);
the date and time you detected it;
basic information about the type of breach; and
basic information about the personal data concerned.

When and how do we notify our customers?
If the breach is likely to adversely affect the personal data or privacy of your subscribers or users, you need to notify them of the breach without unnecessary delay. You need to tell them:
your name and contact details;
the estimated date of the breach;
a summary of the incident;
the nature and content of the personal data;
the likely effect on the individual;
any measures you have taken to address the breach; and
how they can mitigate any possible adverse impact.

You do not need to tell your subscribers about a breach if you can demonstrate that the data was encrypted (or made unintelligible by a similar security measure).
If you do not tell your customers, the ICO can require you to do so if we consider the breach is likely to adversely affect them.

More at source: https://ico.org.uk/

So we have unauthorised disclosure of personal information, people affected not notified (yes, we have a statement on a gaming website, but not everyone looks at them). But on Steam itself? Nope. Emails sent out? Nope. I hope the ICO go after Steam for this and fine them, because their response has been slow and unacceptable.
 
Just to be clear - if I use PayPal to pay for stuff on Steam, I only need to worry about my email and name being out there because of this, right...?

Man, Valve fucked up bad on this... How can they not release some statement, to at least inform me whether I have anything to worry about?

If you do not have a stored address, then no one got your address. It's also not clear how many users were actually impacted, so one would assume that statistically you are not impacted at all--of course, in the absence of Valve providing any update, it's impossible to confirm you weren't.
 
Wait? There's really a defense force for this?

I really like Steam and Valve, but this was a major fuckup which I hope bites Valve's ass so hard.
 
Look at Chipotle. The problem for Chipotle isn't that people got sick, it's that they don't know what caused the sickness. They're cooking onions, bagging chicken, pre-chopping tomatoes, throwing the cilantro on the rice, they're scrambling.

To all the people that don't "get it," the fact that information that Valve wanted to keep private, suddenly became unprivate is a huge issue. Is this a simple issue where someone forgot to flip a value at the end, or is some system for handling customer data flawed at a very low level? I don't know, but Valve should know. They need to explain why the breach happened, not just acknowledge that it happened.

Fry them onions, Valve.

Exactly. Like I said before, I doubt I was even affected, so I have nothing to really be mad about there. What DOES annoy me is this isn't the first time they've messed up. It's a trust issue now, at least for me.

Last time it was ignoring the password field and getting access to accounts, this time it was personal pages with full addresses and phone numbers being displayed to the incorrect users. What's next? Another 'glitch' happens and all my games are just gone and I get banned from Steam because their support is notoriously awful and unhelpful? How can I trust that items I purchased are safe, and the information I used to obtain them is also safe? People can say "That's unlikely" but the fact that I'm even contemplating this is an example of how bad their service has been lately.
 
Thread title says this is fixed; is it or isn't it? Reading the latest updates is confusing, as it makes it sound like it's still broken.

It's fixed. What hasn't been corrected is Google's cache of the account page, which, due to the issue, is showing someone's details.
 
I think it will be quite telling if by the end of next week Valve doesn't say anything.

By the end of next week Valve might have decided to have preliminary discussions in another three weeks about crowdsourcing the best way to begin the process of formulating a proper response.
 
Valve is just planning on selling hats to put on top of your account information so the next time your page gets cached incorrectly it'll all be covered by hats
 
I work at a telco company in a small European country; we had the same issue for half an hour. People were seeing each other's accounts on our customer care site. In my country there is an actual law that if you have the knowledge that the customers' data are compromised, you immediately have to take every step necessary to take down the site, or you could face a few years in jail. When the legal department sent the actual law to us in an email, my superiors took down the whole website without hesitation. It was down for 3 days, until it was fixed. We compensated customers to the f ...... very much. Some of them got unlimited voice and data for a year over this. I don't see how Valve is planning to get away with this without any form of compensation.
 
It was a security breach plain and simple. There's no way around it. You can't shift blame to another entity like a group of hackers because it was Valve who did it. I cannot understand the defense for them screwing up and downplaying the bad parts of this and the legitimate criticism that no company should change configurations during the holiday rush. You always do that stuff before in preparation or after when things have settled down. Not to mention their configuration was not properly tested. Lack of response for hours was horrendous, not even an email to notify their users that Steam will be going down for a moment and telling people to stay calm. No apology, just nothing at all from them; journalists had to beat a response out of them. We're expected to trust this company to handle our things with care but they're not, they don't really care as they just shrugged it all off like nothing happened.
Exactly.

Sony apologized for the hacks; they were victims of hacking, so it wasn't their own fuck-up, but they understood that they have a responsibility to their customers regardless, and took measures to deal with it. They didn't handle it perfectly, IIRC they waited too long to announce the breach, but they did warn the customers eventually, apologized, and compensated them despite having been attacked.

Valve wasn't attacked, or hacked. They just made the extremely poor decision of doing a config change/production release on Christmas day (seriously, anyone who's ever worked in web software dev knows this is a big no-no unless there's an extreme situation demanding it, even for a minor change), which was clearly not fully tested, did nothing for at least an hour (should have shut down the Steam storefront completely then until they patched it), didn't alert the customers, and then released a bullshit and completely unapologetic statement to the press. Pretty disgusting to be honest.
 
Have Valve still not said anything else about the incident yesterday? That's unacceptable if that is the case. Not communicating about something like whether Diretide is happening or CSGO updates is one thing, but security of people's personal information is entirely different and care needs to be taken there.

However, I don't think people should always be jumping down the throats of people that were saying how bad this actually was. For instance, Grief.exe is not a "Valve shill" or "Valve damage control". It wasn't a hack, but a major fuckup still on Valve's part. I'm still not sure if any credit card numbers actually got out because of this, but regardless, physical addresses and email addresses getting out is unacceptable. I really hope that at the very least by Monday we hear more from Valve on this front.

I can't remember when exactly it was, I think it was a year or two ago, but Steam was hacked, however only salted credit card numbers were compromised, so they were still encrypted. Right after this happened, Steam popped up a message on everyone's computers detailing the hack, and was signed by Gabe himself. I'm surprised they haven't done anything like that yet.
 
There is no commitment to any one vision because there is only one leader at Valve by design and the company has grown too much to remain focused and for de facto leadership based on status to produce results. That, and everyone probably wanting to work exclusively on VR because it is the "coolest".

Too much structure and direction leads to corporate-style, focus-group-approved exercises in filling checkboxes, but too little leads to no games being made at all.
I must concede that I forgot they were working on VR actually, so in a freer environment, I guess that would be the more interesting target.

That said, I don't think there's anything necessarily incompatible about a "laissez-faire/libertarian-esque" development approach and a more structured and regimented security/customer service system. One can easily function without being significantly impinged on by the other.
 
Have Valve still not said anything else about the incident yesterday? That's unacceptable if that is the case. Not communicating about something like whether Diretide is happening or CSGO updates is one thing, but security of people's personal information is entirely different and care needs to be taken there.
Holy shit dude, I was on your account yesterday.
Sent you an email about it too.

goddamn that is some crazy ass reach
 
You know the ICO fined a HIV clinic £250 for disclosing the names of a bunch of HIV+ patients right? It's more of an advisory body than anything it seems.
It didn't reveal names, it only revealed e-mail addresses. It did take into account that the organization was already taking actions to prevent stuff like that happening and that it was a small organization.
 
It is safe to buy now, but I think that until Valve releases a statement I'm not going to do it. I'll buy games from third-party sellers, but not from Steam.
 
Look at Chipotle. The problem for Chipotle isn't that people got sick, it's that they don't know what caused the sickness. They're cooking unions, bagging chicken, pre-chopping tomatoes, throwing the cilantro on the rice, they're scrambling.
But you see, with Chipotle it's your fault for going to Chipotle. If I get sick from eating at a restaurant, there is some responsibility I take from eating there.

/s
 
I was away today, still no word from Valve?

Steam is back up and running without any known issues. As a result of a configuration change earlier today, a caching issue allowed some users to randomly see pages generated for other users for a period of less than an hour. This issue has since been resolved. We believe no unauthorized actions were allowed on accounts beyond the viewing of cached page information and no additional action is required by users.

That's all they said.
 
I was away today, still no word from Valve?

That's all they said.

Yep, that's all so far. Valve need to actually explain the situation and particularly talk to anyone that was vulnerable, since clearly plenty of people are only catching on to things now and are confused as to what happened and whether things are good now.

A youtuber has done a really good basic explanation of what the issue was and why it happened for those who have no idea what all this cached pages stuff is - https://www.youtube.com/watch?v=dkSslseq9Y8
 
I searched Google for my Steam username looking at the last week and last 24 hours and got no hits, hopefully this means nobody saw it since nobody talked about it.
 
Yep, that's all so far. Valve need to actually explain the situation and particularly talk to anyone that was vulnerable, since clearly plenty of people are only catching on to things now and are confused as to what happened and whether things are good now.

A youtuber has done a really good basic explanation of what the issue was and why it happened for those who have no idea what all this cached pages stuff is - https://www.youtube.com/watch?v=dkSslseq9Y8
Until we hear from Valve, I would hold off on trusting any "likely explanations", as the supposed caching issue still doesn't explain why this info was being passed to the cache unencrypted in the first place.
 
Until we hear from Valve, I would hold off on trusting any "likely explanations", as the supposed caching issue still doesn't explain why this info was being passed to the cache unencrypted in the first place.

It isn't a "likely" explanation though - Valve have confirmed that the issue was due to a configuration change causing a caching issue, and that video explains that scenario, and what can / can't be done / seen

Steam is back up and running without any known issues. As a result of a configuration change earlier today, a caching issue allowed some users to randomly see pages generated for other users for a period of less than an hour. This issue has since been resolved. We believe no unauthorized actions were allowed on accounts beyond the viewing of cached page information and no additional action is required by users.
 
I searched Google for my Steam username looking at the last week and last 24 hours and got no hits, hopefully this means nobody saw it since nobody talked about it.

Did so too; searched other usernames that my friends and I have as a countercheck, and they definitely got mentioned while mine wasn't anywhere.
 
This morning was the first I heard of the empty-field login issue earlier in the year. Even if you're not affected directly, everyone should be contacted so they can reassess if they want to keep up-to-date personal details on the service.
 
It isn't a "likely" explanation though - Valve have confirmed that the issue was due to a configuration change causing a caching issue, and that video explains that scenario, and what can / can't be done / seen

They also said that the period was less than an hour when folks were reporting the issue for nearly two and a half.

They also said "no unauthorized actions were allowed on accounts beyond the viewing of cached page information" despite reports that CC information went missing.

I don't really think that statement is trustworthy.
 
They also said that the period was less than an hour when folks were reporting the issue for nearly two and a half.

They also said "no unauthorized actions were allowed on accounts beyond the viewing of cached page information" despite reports that CC information went missing.

I don't really think that statement is trustworthy.

Fully agree with the first point and that is very clear. The only way it could be around an hour of accessibility could be due to the time that Steam went down (at which point no one could do anything), then came back up and still had the issue.

Disagree on the second, because I tried it myself, and by the nature of the exploit and the people outside of Steam that were able to determine the exact same thing, they show that it was a caching issue. Trying to do anything with those account / checkout pages just throws you an error or asks you to log in.
 
It isn't a "likely" explanation though - Valve have confirmed that the issue was due to a configuration change causing a caching issue, and that video explains that scenario, and what can / can't be done / seen
Not interested in what Valve has said to a journalist. It's not even on their main page lol. Also, there isn't a simple "configuration change" that would make this happen in Varnish or Akamai (as stated plenty of times, I've worked with both). No one has offered a working theory as to the ACTUAL config that MIGHT have been changed to make this happen. Until then, this is hand waving. There is no config that I've ever seen in webhosting that says "pass pages to users who didn't request them". If there is, then it still means Valve isn't encrypting this info at all in the first place, which is worse depending on your perspective.

And even if there was enough stuff borked, it does not explain why this data was being passed to the cache unencrypted. The video explanation is correct in the sense that it COULD happen that way, but that's also assuming that a ton of standard security practices are also missing. Stuff like HTTPS/SSL would have to be missing. A basic session-data structure would have to be borked, since this kind of info is typically accessed in the following manner:

1) user logs in, which creates a session on the server and possibly on their own computer in the form of a cookie. The session is tied to the user's IP and/or the specific socket connection and/or the PID (all depends on how your software works).

2) Whenever the user tries to access information that requires an account and password, the server could ask the user to log in again to verify their credentials. Or, since this is 2015 and that would be hella annoying, the server checks the session data or IP or whatever (again, depends on the software) and asks "Is this person authenticated to view this data?" The breakdown of this system doesn't result in one user being able to see someone else's data. The result is that NO user is able to stay logged in, or it may make the page itself inaccessible.

3) With SSL, you have an extra handshake in there where the user's computer and the server both agree "okay, we need to communicate using encryption, so let's talk in this particular way for this connection, okay?" Because it is unique for that connection, it prevents a man-in-the-middle from observing what is transmitted over HTTPS. It also is designed to prevent someone else using the same encrypted connection to peek at what is being transmitted. In other words, you can't go "oh the server is encrypting connections in this very specific way for my specific connection, so I'm going to use that information to decrypt other users' connections." Nope. Doesn't work that way.

This is why it is very important to not simply accept "it was a config problem" at face value. The symptoms don't match the explanation.
 
He's the third GAFfer that said he got my account during yesterday's shenanigans.

Also I never saw an email about it, interesting.

Make that four! I remember seeing "hylian7" and then seeing another post about it, didn't realise you were a Gaffer :o
 
Not interested in what Valve has said to a journalist. It's not even on their main page lol. Also, there isn't a simple "configuration change" that would make this happen in Varnish or Akamai (as stated plenty of times, I've worked with both). No one has offered a working theory as to the ACTUAL config that MIGHT have been changed to make this happen. Until then, this is hand waving.

And even if there was enough stuff borked, it does not explain why this data was being passed to the cache unencrypted. The video explanation is correct in the sense that it COULD happen that way, but that's also assuming that a ton of standard security practices are also missing. Stuff like HTTPS/SSL would have to be missing. A basic session-data structure would have to be borked, since this kind of info is typically accessed in the following manner:

1) user logs in, which creates a session on the server and possibly on their own computer in the form of a cookie. The session is tied to the user's IP and/or the specific socket connection and/or the PID (all depends on how your software works).

2) Whenever the user tries to access information that requires an account and password, the server could ask the user to log in again to verify their credentials. Or, since this is 2015 and that would be hella annoying, the server checks the session data or IP or whatever (again, depends on the software) and asks "Is this person authenticated to view this data?" The breakdown of this system doesn't result in one user being able to see someone else's data. The result is that NO user is able to stay logged in, or it may make the page itself inaccessible.

3) With SSL, you have an extra handshake in there where the user's computer and the server both agree "okay, we need to communicate using encryption, so let's talk in this particular way for this connection, okay?" Because it is unique for that connection, it prevents a man-in-the-middle from observing what is transmitted over HTTPS. It also is designed to prevent someone else using the same encrypted connection to peek at what is being transmitted. In other words, you can't go "oh the server is encrypting connections in this very specific way for my specific connection, so I'm going to use that information to decrypt other users' connections." Nope. Doesn't work that way.

This is why it is very important to not simply accept "it was a config problem" at face value. The symptoms don't match the explanation.

Admittedly I know nothing of the actual technicalities and workings of these systems; all I can comment on is what I tried multiple times with a separate account, and that it isn't possible to do anything on the pages that were shown, bringing up either error screens or a log-in screen. This matched the working theory at the time that it was a caching issue and fits in with what xPaw had to say.

I'll speak on behalf of SteamDB here. We always tweet and post information on our blog only after verifying it ourselves, we didn't base our information on speculation, but rather on our own research. It was pretty clear that it was a caching issue, as it was caching the first non-cache hit on any url (you could easily test this by adding ?something=random to the url, and then loading it from another browser/machine while not being logged in).

I believe this was caused by a misconfiguration on Akamai (Valve's CDN), which caused this to happen. You can use Akamai's debug headers to get some interesting information, and during the issue it was showing X-Check-Cacheable: YES at all times, which is not good. There are no indications that anything could be done on your behalf (caching is read-only).

Yes, we know we shouldn't be speaking for Valve, but we find it more important to keep users aware of the issue. Our track record is pretty damn good in that sense, and if the response Gamespot/Kotaku received from Valve is indeed correct, we pretty much nailed our caching theory.

Before publishing the blog post, we had multiple people that work closely on Steam (besides us) proof read it too.

Which they explained prior to Valve's response as well. Since they are all in agreement, my assumption is that they must all be in the right ball park. Of course, as I posted earlier, I don't read Kotaku or other gaming press, and I am still waiting for an official response direct to Steam users as they have done previously. However, with the amount of time that has passed, this doesn't seem likely - which is stupid in my opinion.
 
I'm thinking there was a misunderstanding between the person who provided the information and the person who informed the press about what happened, and what the latter was supposed to say is that the issue was resolved less than an hour after Valve was made aware of it. It makes no sense to blatantly lie about the duration of the problem when there is an overwhelming amount of reports to the contrary.
 
I'm thinking there was a misunderstanding between the person who provided the information and the person who informed the press about what happened, and what the latter was supposed to say is that the issue was resolved less than an hour after Valve was made aware of it. It makes no sense to blatantly lie about the duration of the problem when there are an overwhelming amount of reports to the contrary.

Seems likely, but it is amusingly just adding to the ever-expanding examples of Valve's poor communication skills, whether it is directly them or correcting misinformation.
 
I am still waiting for an official response direct to Steam users as they have done previously. However, with the amount of time that has passed, this doesn't seem likely - which is stupid in my opinion.

Unless it's PR promoting a new product we should just assume no communication or token ineffective communication. This is their strategy.
 
Unless it's PR promoting a new product we should just assume no communication or token ineffective communication. This is their strategy.

This hasn't been the case in the past:

Steam Forum Hack via official statement
http://store.steampowered.com/news/6761/
http://store.steampowered.com/news/7323/

Password Reset exploit via email to those affected
Dear Steam User,

On July 25th we learned of a Steam bug that could have impacted the password reset process on your Steam account during the period July 21-July 25. The bug has now been fixed.

To protect users, we are resetting passwords on accounts that changed passwords during that period using the account recovery wizard. You will receive an email with your new password. Once that email is received, it is recommended that you login to your account via the Steam client and set a new password.

Please note that while your password was potentially modified during this period the password itself was not revealed. Also, if you had Steam Guard enabled, your account was protected from unauthorized logins even if your password was modified.

We apologize for any inconvenience.

Stands to reason that they at least "might" talk to Steam users, when they definitely should.
 
Also, there isn't a simple "configuration change" that would make this happen in Varnish or Akamai (as stated plenty of times, I've worked with both). No one has offered a working theory as to the ACTUAL config that MIGHT have been changed to make this happen.

Apparently I have nothing better to do than look up Varnish configuration settings on Boxing Day, but here you go. Caching even when cookies are present.

Please note that this might quite easily end up serving content meant for one user to another, with all the chaos which can follow.

Varnish THEMSELVES point out that misusing that portion of the VCL configuration can lead to EXACTLY WHAT HAPPENED WITH STEAM YESTERDAY. Unless you are calling the people who make Varnish liars, then yes there is in fact a simple configuration change that could make this happen in Varnish. I really don't understand why you are so adamant that this cannot have been a cache issue and that Valve must therefore be lying about this. They have zero to gain from lying, especially since their stated reasoning already makes them look pretty stupid.
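As an added illustration (not code from the thread, from Valve, SteamDB or Varnish; every name, session value and sample account below is invented), the following Python simulates the situation the SteamDB post and the Varnish post above both describe: an origin that does check the session cookie before rendering account data, sitting behind a shared cache keyed on URL. With the cookie-blind policy (the simulated equivalent of a cache configured to store pages regardless of cookies or Cache-Control) the first logged-in user's rendered page becomes the cached copy and is served to the next user and to a logged-out client; that is also what the "add a random query string, then load it from a logged-out browser" check from the SteamDB post detects. With the cookie-aware policy the same origin and the same clients never share a copy.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed sample sessions -> account data the origin renders on /account.
# Invented values for the illustration; not real Steam data.
ACCOUNTS = {
    "sess-alice": {"name": "Alice", "email": "alice@example.invalid", "address": "1 Example St"},
    "sess-bob": {"name": "Bob", "email": "bob@example.invalid", "address": "2 Example Rd"},
}


@dataclass
class Request:
    path: str                      # URL path including any query string
    cookie: Optional[str] = None   # session cookie value, None when logged out


@dataclass
class Response:
    status: int
    body: str
    headers: Dict[str, str] = field(default_factory=dict)


def origin(req: Request) -> Response:
    """Application server (hypothetical). It performs the session check the thread
    describes before rendering account data, and labels that page as private."""
    if req.path.split("?")[0] == "/account":
        user = ACCOUNTS.get(req.cookie or "")
        if user is None:
            return Response(401, "please log in", {"Cache-Control": "no-store"})
        body = f"Account: {user['name']} <{user['email']}> {user['address']}"
        return Response(200, body, {"Cache-Control": "private, no-store", "Vary": "Cookie"})
    return Response(200, "public store front", {"Cache-Control": "public, max-age=60"})


def safe_to_cache(req: Request, resp: Response) -> bool:
    """Cookie-aware policy: a request carrying a session cookie is personalised and
    bypasses the cache; a response marked private or no-store is never stored."""
    if req.cookie is not None:
        return False
    cc = resp.headers.get("Cache-Control", "")
    if "private" in cc or "no-store" in cc:
        return False
    return resp.status == 200


class Cache:
    """Shared cache keyed on URL only. With cookie_blind=True it stores every 200
    regardless of cookies or Cache-Control (the misuse the Varnish documentation
    warns about); otherwise it applies safe_to_cache."""

    def __init__(self, cookie_blind: bool) -> None:
        self.cookie_blind = cookie_blind
        self.store: Dict[str, Response] = {}
        self.log = []   # (HIT/MISS/PASS, url), for inspection

    def fetch(self, req: Request) -> Response:
        if req.path in self.store:
            self.log.append(("HIT", req.path))
            return self.store[req.path]   # origin is never consulted on a hit
        resp = origin(req)
        store_it = resp.status == 200 if self.cookie_blind else safe_to_cache(req, resp)
        if store_it:
            self.store[req.path] = resp
            self.log.append(("MISS", req.path))
        else:
            self.log.append(("PASS", req.path))
        return resp


def who_sees_what(cache: Cache) -> Tuple[str, str, str]:
    """Alice loads her account page first, then Bob, then a logged-out client."""
    a = cache.fetch(Request("/account", "sess-alice")).body
    b = cache.fetch(Request("/account", "sess-bob")).body
    anon = cache.fetch(Request("/account", None)).body
    return a, b, anon


def probe_leak(cache: Cache, session: str, nonce: str) -> bool:
    """The check SteamDB describes, run against this simulated cache: request a
    personalised URL with a fresh query string to force a miss, then load the same
    URL from a logged-out client. True means the second client got the first
    client's data."""
    url = f"/account?cb={nonce}"
    mine = cache.fetch(Request(url, session)).body
    theirs = cache.fetch(Request(url, None)).body
    return theirs == mine and "Account:" in theirs


if __name__ == "__main__":
    for blind in (True, False):
        c = Cache(cookie_blind=blind)
        print("cookie_blind =", blind, who_sees_what(c), "leak:", probe_leak(c, "sess-alice", "r1"))
```

The simulation also bears on the "why was this being cached at all" question raised later in the thread: the origin sends Cache-Control: private, no-store and Vary: Cookie, and a cache configured to ignore both still stores the page, because encryption on the client connection only protects the bytes in transit, not what the cache keeps after the origin has answered. In production the same defensive check belongs on the cache layer's own logs and debug headers (the X-Check-Cacheable header mentioned in the SteamDB post, for Akamai), looking for any 200 on a personalised path that the cache reports as cacheable.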
 
There's a lot of information saying this and that. And circlejerks defending valve and burning them at the stake.

All I would like to Know is what do I need to do on my part to protect myself?
 
Apparently I have nothing better to do than look up Varnish configuration settings on Boxing Day, but here you go. Caching even when cookies are present.



Varnish THEMSELVES point out that misusing that portion of the VCL configuration can lead to EXACTLY WHAT HAPPENED WITH STEAM YESTERDAY. Unless you are calling the people who make Varnish liars, then yes there is in fact a simple configuration change that could make this happen in Varnish. I really don't understand why you are so adamant that this cannot have been a cache issue and that Valve must therefore be lying about this. They have zero to gain from lying, especially since their stated reasoning already makes them look pretty stupid.
You're still missing the second half of the equation: why is information that should be encrypted being cached at all?

What I'm saying is that, no, there's no configuration change that passes users info to one another AND ALSO bypasses basic SSL encryption and session-data protection. At that point, we're not talking about Varnish. We're talking about how the website is coded and how it passes information to Varnish in the first place.
 
This hasn't been the case in the past:

Steam Forum Hack via official statement
http://store.steampowered.com/news/6761/
http://store.steampowered.com/news/7323/

Password Reset exploit via email to those affected


Stands to reason that they at least "might" talk to Steam users, when they definitely should.

Yes. And the other side of their communication is their terrible CS system. I think in general communication from them is either nothing or ineffective when weighing your examples with everything else.

Communication with customers is just not a priority for them.
 