Valve bans Game Developer from Steamworks for pointing out a vulnerability

[erbkaiser]

Tomá? "Timmy" Duda (@tomasduda), one of the developers of Euro Truck Simulator 2, was banned by Valve from the Steam Community and Steamworks for a year, for pointing out that Steam announcements were vulnerable to XSS script injection. After failing to get any response from Valve for a long time, he finally decided to showcase the vulnerability by adding a harlem shake script to an announcement.

Valve's response? They fixed the bug, and banned him for a year. This means he is now unable to patch his games. (Edit: okay, not quite that drastic, as SCS has more employees. Timmy is locked out though, and he was the SCS Steam community manager.)

What the hell is going on with Valve?

https://twitter.com/tomasduda/status/478301124257411072

Edit: reddit thread: http://www.reddit.com/r/Steam/comments/288azx/what_the_fuck_steam/ci8ebud

Update: looks like there's a happy ending. The dev got unbanned
https://twitter.com/tomasduda/status/479031656184295424

 

[SacremPyrobolum]

His first mistake was using the Harlem Shake. No one wants to see that shit.

 

[Smooth Operator]

Well that means he hacked their system so to speak... there are some clear rules on that subject.
I'll agree that Valve need to listen up and sort their stuff when a problem arises, but that still doesn't permit one to break other peoples shit to make a point.

 

[Tohuvabohu]

Man, that sucks. A vulnerability is bad news and should be fixed immediately, and all he was trying to do was get Valve to listen.

But at the same time, maybe he shouldn't have taken it upon himself to showcase the vulnerability. He's a developer after all, with a game up on Steam, I don't think it's a good idea to risk your professional relationship with Steam, and your position to support your game, for the sake of getting a point across. Surely there must have been a better way to communicate this problem to Valve, even after trying and them not listening. When it comes down to it, the guy broke the rules, and procedures need to be followed.

That being said, Valve should review this case. If what the guy is saying is true and he tried to tell them about the problem for awhile. Then there was a failure of communication on Valve's behalf. It's not right for them to ignore the problem for such a long time, and punish him for what can ultimately be blamed on their own inaction. If they listened to him in the first place, this would've never happened. I have no idea how much this guy tried to communicate the problem to valve, but I still think there could have been a better way for the guy to prove his point than to exploit the vulnerability himself with a goddamned harlem shake. That's not the sort of behavior I'd expect from a professional videogame developer.

And ignoring a website vulnerability is not the behavior I'd expect from a major company like Valve.

All in all, there's faults to both sides here. But the original, and greatest fault falls on Valve. The guy broke the rules and was given a punishment as per procedure. But I think Valve should review the case and lift the suspension from him. After all, he was trying to help, and they didn't listen. And he should stop fucking around with Valve's websites and find a better way to communicate problems.

 

[erbkaiser]

Oh agreed, it is a foolish way to show the problem, but apparently Valve's response was sticking its head in the sand:

"We allow devs to use all html (unfiltered), because we trust them."

When you're faced with such dangerous ignorance, sometimes a harmless demonstration of the potential for malicious intent is the only option left.

 

[Tohuvabohu]

Oh agreed, it is a foolish way to show the problem, but apparently Valve's response was sticking its head in the sand:

"We allow devs to use all html (unfiltered), because we trust them."

When you're faced with such dangerous ignorance, sometimes a harmless demonstration of the potential for malicious intent is the only option left.

Maybe... I'm trying to picture myself in the guy's position, and I'm sure the frustration of not being listened to must have been great. But I'm not sure how I'd leverage my professional relationship with Steam vs the need to prove a point.

In the professional world when problems like this arise, every angle needs to be examined. Because that means there is a problem in the system. It's not entirely unreasonable to hand him a punishment off the bat for breaking rules, but an investigation should be conducted as well. They need to find out how the vulnerability came to be in the first place, and why his pleas to fix the problem went unheard.

It seems like his stunt, while annoying and embarrassing, had a positive effect of Valve finally fixing the problem. So, I think it's reasonable and fair to lift the suspension. They need to learn from this and improve their communications next time and make sure problems get fixed. I honestly hope the guy doesn't have to serve his suspension.

 

[Ninjamedic]

"Man, Sony were doucebags for suing that guy for exploiting their security with the PS3, they deserve everything they get!"

 

[NuclearKangaroo]

there are rules, he shouldnt have done that

is like robbing a bank and saying "see? you need to hire more security guards!"

valve shouldve paid attention to him earlier as well, but like a said, he REALLY shouldnt have done that, the ban itself says he violated the steam subscriber agreement

definitively terrible to see this happen tough

 

[erbkaiser]

Would it have been better if he had done nothing, and we'd have to wait for some scumbag dev (like the ones behind some of those crappy games Jim Sterling plays) to inject a script vulnerability to install trojans on people's machines instead?

Or imagine if a Bohemia Interactive dev got hacked, and they got access to his Steam Dev data. They could've posted an announcement to, say, the Steam page for DayZ, and infected millions of PCs.

The system was wide open. Still is apparently, Valve only partially fixed it. They only blocked tags, Javascript injected in attributes still works.

I agree it's not the smartest thing to do, but to ban a whistleblower for a year is excessive IMO.

 

[Geo Da Sponge]

I can hardly blame him for really wanting to demonstrate this vulnerability, given the fact that a sizable amount of his income probably comes through Steam. If this problem had gone ignored and unfixed for longer, the results could have indirectly harmed him by damaging Steam's reputation, or potentially harm him in a far more direct way. Who knows?

Valve just seems more and more determined to bury their head in the sand and make communication impossible over everything. It was kind of cute when they were just being coy about game development, but acting that way about everything doesn't help at all.

there are rules, he shouldnt have done that

is like robbing a bank and saying "see? you need to hire more security guards!"

Not really. It's more like breaking into a bank vault, not harming or alerting anyone in the process, and then leaving a detailed note explaining how they did it and how they could fix it inside the vault.

 

[NuclearKangaroo]

I can hardly blame him for really wanting to demonstrate this vulnerability, given the fact that a sizable amount of his income probably comes through Steam. If this problem had gone ignored and unfixed for longer, the results could have indirectly harmed him by damaging Steam's reputation, or potentially harm him in a far more direct way. Who knows?

Valve just seems more and more determined to bury their head in the sand and make communication impossible over everything. It was kind of cute when they were just being coy about game development, but acting that way about everything doesn't help at all.

there are rules, he shouldnt have done that

is like robbing a bank and saying "see? you need to hire more security guards!"

Not really. It's more like breaking into a bank vault, not harming or alerting anyone in the process, and then leaving a detailed note explaining how they did it and how they could fix it inside the vault.

but still stealing money, hell even if they didnt theyd still be violating private property wouldnt they?

he still took advantage of the exploit

 

[erbkaiser]

but still stealing money, he still took advantage of the exploit

No, he used a harmless script to show what COULD be done.

From Reddit, Valve knew about this for months and ignored it. All that time someone could have done serious damage, it's pure luck that -- as far as we know -- nobody did anything yet.

 

[NuclearKangaroo]

but still stealing money, he still took advantage of the exploit

No, he used a harmless script to show what COULD be done.

From Reddit, Valve knew about this for months and ignored it. All that time someone could have done serious damage, it's pure luck that -- as far as we know -- nobody did anything yet.

he used the exploit even if it was harmless in the end, theres no question about that, he SHOULDNT have done that

 

[erbkaiser]

I'd rather see someone use a highly noticable and harmless script to scare Valve who are ignoring the issue, than a malicious thief infect Steam without anyone noticing until it is too late.

Guess we disagree then, @NuclearKangaroo

 

[Geo Da Sponge]

I can hardly blame him for really wanting to demonstrate this vulnerability, given the fact that a sizable amount of his income probably comes through Steam. If this problem had gone ignored and unfixed for longer, the results could have indirectly harmed him by damaging Steam's reputation, or potentially harm him in a far more direct way. Who knows?

Valve just seems more and more determined to bury their head in the sand and make communication impossible over everything. It was kind of cute when they were just being coy about game development, but acting that way about everything doesn't help at all.

there are rules, he shouldnt have done that

is like robbing a bank and saying "see? you need to hire more security guards!"

Not really. It's more like breaking into a bank vault, not harming or alerting anyone in the process, and then leaving a detailed note explaining how they did it and how they could fix it inside the vault.

but still stealing money, he still took advantage of the exploit

But he didn't take anything... Nothing he did used the exploit against anyone, apart from using it to demonstrate that he could.

Listen, I don't like basing entire arguments off of metaphors, but in this case:

Bypassing bank security = Using the exploit

Leaving a note in the vault = Leaving a silly video to prove he'd done it

Stealing money = Using the exploit to give himself some advantage on Steam, or in anyway damaging Steam

Since he didn't actually do anything that damaged Steam beyond posting a silly little video (and you seem to be arguing that he didn't even have to do that for it to equate to stealing; just using the exploit was enough), that can't really be equated to stealing money, can it?

But to bring it back to the main point, this guy relies on Steam. It's used to sell the product he worked on, EuroTruck Simulator 2. He has security concerns with the system, and since he was being ignored previously, this seemed to be the only way he could get it acknowledged. If the people who use your system and bring in the money for it have concerns over its security, the last thing you should be doing is punishing them for demonstrating the problem. It's like Valve has so much momentum with Steam they really don't care if the developers using it hate it, because they know that there's nowhere else to go.

Or, to torturously stretch the bank metaphor even further, which is like breaking into the bank which you use, in order to specifically reach the deposit box which you own, in order to prove that it's not secure and therefore your stuff is at risk. But the bank bans you for a year for showing the gaping hole in their security, even after you pointed it out through the proper channels first.

 

[NuclearKangaroo]

I'd rather see someone use a highly noticable and harmless script to scare Valve who are ignoring the issue, than a malicious thief infect Steam without anyone noticing until it is too late.

Guess we disagree then, @NuclearKangaroo

it seems you edited your comment

anyways, the problem with your entire argment is that you think this was THE ONLY WAY to get Valve attention, when im willing to bet, there are many others that wouldnt be agasint the subscriber agreement, im not agaisnt the dev message, im agaisnt the way he decided to deliver it

 

[NuclearKangaroo]

I can hardly blame him for really wanting to demonstrate this vulnerability, given the fact that a sizable amount of his income probably comes through Steam. If this problem had gone ignored and unfixed for longer, the results could have indirectly harmed him by damaging Steam's reputation, or potentially harm him in a far more direct way. Who knows?

Valve just seems more and more determined to bury their head in the sand and make communication impossible over everything. It was kind of cute when they were just being coy about game development, but acting that way about everything doesn't help at all.

there are rules, he shouldnt have done that

is like robbing a bank and saying "see? you need to hire more security guards!"

Not really. It's more like breaking into a bank vault, not harming or alerting anyone in the process, and then leaving a detailed note explaining how they did it and how they could fix it inside the vault.

but still stealing money, he still took advantage of the exploit

But he didn't take anything... Nothing he did used the exploit against anyone, apart from using it to demonstrate that he could.

Listen, I don't like basing entire arguments off of metaphors, but in this case:

Bypassing bank security = Using the exploit

Leaving a note in the vault = Leaving a silly video to prove he'd done it

Stealing money = Using the exploit to give himself some advantage on Steam, or in anyway damaging Steam

Since he didn't actually do anything that damaged Steam beyond posting a silly little video (and you seem to be arguing that he didn't even have to do that for it to equate to stealing; just using the exploit was enough), that can't really be equated to stealing money, can it?

But to bring it back to the main point, this guy relies on Steam. It's used to sell the product he worked on, EuroTruck Simulator 2. He has security concerns with the system, and since he was being ignored previously, this seemed to be the only way he could get it acknowledged. If the people who use your system and bring in the money for it have concerns over its security, the last thing you should be doing is punishing them for demonstrating the problem. It's like Valve has so much momentum with Steam they really don't care if the developers using it hate it, because they know that there's nowhere else to go.

Or, to torturously stretch the bank metaphor even further, which is like breaking into the bank which you use, in order to specifically reach the deposit box which you own, in order to prove that it's not secure and therefore your stuff is at risk. But the bank bans you for a year for showing the gaping hole in their security, even after you pointed it out through the proper channels first.

but then wouldnt you be violating private property if you broke into a bank to leave the note? even if you didnt take anything, see the problem is that the act itself is a crime, and sure enough what this guy did is agaisnt the steam subscriber agreement

the problem is that this dev took a drastic action, i bet there were other ways to get the message accross

but right now, he screwed himself and he screwed his customers and nobody is happy

 

[erbkaiser]

And again, what was his alternative? Wait until the inevitable malicious exploit gets on Steam?
By all accounts, Valve was informed months ago, and decided to ignore it.

 

[Ninjamedic]

But to bring it back to the main point, this guy relies on Steam. It's used to sell the product he worked on, EuroTruck Simulator 2. He has security concerns with the system, and since he was being ignored previously, this seemed to be the only way he could get it acknowledged. If the people who use your system and bring in the money for it have concerns over its security, the last thing you should be doing is punishing them for demonstrating the problem. It's like Valve has so much momentum with Steam they really don't care if the developers using it hate it, because they know that there's nowhere else to go.

And in case my point above was ignored, given how GeoHotz was turned into a sort of folk hero in the wake of the PS3 Jailbreak, it's jaw-dropping to see someone who did far less being blamed for trying to procect his livelyhood. Worse, he went through the official channels and was promptly ignored and yet the the usual excuses are being brought out to defend Valve/Steam.

 

[otakon17]

SO! He warned them ahead of time, tried to get their attention to fix the problem and then when they ignored his pleas he showed them the error with a harmless but effective demonstration. And instead of thanking him for pointing it out and making sure it was fixed before something serious happened with it, they banned him for a year. They need to reverse this, it's bullshit. Not only that, what about all the poor sods that got ETS2? I don't like the game but dammit it's not fair to them either.