Valve Bans Developer From Steam for Prank Exposing Vulnerability - Update

Mike Hoffman

In the middle of calibrations...
Sep 25, 2013

[a href="https://twitter.com/tomasduda/status/479031656184295424"]Tweet from Tomáš Duda[/a]
Tomáš Duda placed a "Harlem Shake" prank on a Steam page to expose a vulnerability and was then banned by Valve.

Update: Duda has been unbanned!

After seeing the reactions across the multiple forums (including our own), this has been a divisive issue. While some people strongly feel Duda's ban was another example of corporate inhumanity, others highlight that his action was irresponsible and did exploit a vulnerability. Still, a number of people on both sides felt that Valve could have handled the issue better by addressing the exploit when it first came up or by recognizing Duda's intent. It seems that after some time, the people at Valve decided to lift the ban. It's unclear whether this is because the initial ban was a sudden reaction by some moderator or security personnel or if Valve considered the PR implications.

Original Story: [a href="https://twitter.com/tomasduda"]Tomáš Duda[/a], an employee of Euro Truck Simulator 2 developer [a href="http://www.scssoft.com/"]SCS Software[/a], has been banned from Steam after exposing a security issue with the service. According to his comments on [a href="http://www.reddit.com/r/Games/comments/289he2/dev_for_euro_truck_simulator_has_been_banned_from/ci8s6nq"]Reddit[/a], Duda had reported to Valve that certain code was permitted in the announcement pages for games that could allow for exploits.

While Duda was [a href="http://www.reddit.com/r/Steam/comments/288azx/what_the_fuck_steam/ci8ebud"]talking with other Steam users[/a], this issue came up and he implemented a "Harlem Shake" style prank in an old announcement page for his company's game, Euro Truck Simulator 2. The code caused the screen to shake and play the "Harlem Shake" song from a [a href="http://knowyourmeme.com/memes/harlem-shake"]meme[/a] that has (thankfully) faded from common use. The fact that the code was placed into one of [a href="http://steamcommunity.com/games/227300/announcements/detail/1280454197518422269"]Duda's announcements from early April[/a] would suggest that this was meant as a way to prove the vulnerability existed and could be exploited and maybe draw attention from someone at Valve.

It did. Valve quickly fixed the page and returned it to its original state and then banned Duda for a year. Duda, [a href="http://steamcommunity.com/id/TimmyCZ"]who owns over 1,200 Steam games[/a], also [a href="http://www.reddit.com/r/Steam/comments/288azx/what_the_fuck_steam/ci8ebud"]lost access[/a] to everything developer related as well. He still has access to his games, but he is [a href="http://www.reddit.com/r/Steam/comments/288azx/what_the_fuck_steam/ci900ly"]unable to participate[/a] in the Steam community. Duda took on the role of answering questions and posting announcements for SCS Software's games and is now unable to contribute in this way, nor is he able to be a part of the overall Steam community.

How dangerous is this security exploit? While the exact technicalities of the vulnerability are beyond me, [a href="http://www.reddit.com/r/Games/comments/289he2/dev_for_euro_truck_simulator_has_been_banned_from/ci8tz8j"]a portion of the Reddit thread discussing Duda's ban[/a] goes into the possibilities. Reddit users explain that it doesn't give a person direct access to your computer, but can trick Steam users and use data entered on the webpage. Key loggers, rerouted payments, or accessing other browser tabs are some of the theoretical problems that exist. For example, user purple_pixe states:
[blockquote]They can't do "harm" in the sense of a computer virus on your local machine doing harm to that machine, but they can still do all sorts of nasty things to your connection with the server.

Like making you think that the "Steam Store" you're sending your payment to is in fact the Steam Store and not a hijacked version of the same where all the money goes to whoever put the exploit up. (That specific danger may or may not exist with this particular exploit, but that's the general idea of why it's bad even in a sandbox)[/blockquote]

On the one hand, it's important that Valve address security concerns when they are brought up, and apparently Valve decided this vulnerability needed to be fixed once it was exploited. However, Duda did violate the Steam Subscriber Agreement to implement his exploit, not to mention he is a representative of his company on that announcement page. Being forced to face repercussions for his actions is understandable, but Valve could be less severe with their penalty given the intent of Duda's prank.

Source: [a href="http://www.reddit.com/r/Games/comments/289he2/dev_for_euro_truck_simulator_has_been_banned_from/"]Reddit[/a]

Note: While researching this story, I found that Escapist user erbkaiser [a href="http://www.escapistmagazine.com/forums/read/9.852854-Valve-bans-Game-Developer-from-Steamworks-for-pointing-out-a-vulnerability"]posted[/a] about this in our forums yesterday!


Eiv

New member
Oct 17, 2008
Why not do this the MS way? Employ him. Reward him. Don't bloody ban him. This will just stop people from coming forward in the future if they find a vulnerability. The way he went about it was wrong, but maybe it was to prove the concept. No point reporting something that doesn't exist.
 

hazabaza1

Want Skyrim. Want. Do want.
Nov 26, 2008
Agreed that this vulnerability is sloppy and needed to be fixed, but to do this and them complain about getting banned is somewhat... I'm not sure what it is but I think the dev has very little ground to stand on. If the agreement says "don't fuck around with the source code" then you don't do that shit, and if nobody is solving the issue you reported... I dunno, speak to someone personally? Surely the dev of a game on the store that sells as well as this one does has a steam dev on their friends list, or has someone who does.
 

Mike Hoffman

In the middle of calibrations...
Sep 25, 2013
erbkaiser said:
Thanks for the shout out Sigfodr :)
Not a problem. You were on it way before I found out about this, I thought it certainly deserved pointing out.
 

RandV80

New member
Oct 1, 2009
I'm interested in seeing how Valve/Steam follows up on this. I could be wrong but they don't seem to have a standardized bug reporting/reward system like say Facebook does, so it's entirely possible that his reporting got lost somewhere in customer support while his demonstration brought down the wrath of an entirely different & more authoritative ban hammer. Once things are all sorted out it could be appealed.

Another thing to keep in mind, Gabe likely isn't very fond of hackers after Valve got badly burned by the Half Life 2 source leak 10 years ago. When the German hacker eventually contacted him, Gabe played it cool sounding impressed and started talking about giving him a job, got the kid all excited and ready to come over for an interview, was going to even bring his family. But really Gabe wanted to take a crow bar to the punk, and was working with the FBI to bust his ass the moment he stepped on American soil. German authorities didn't really like that idea and arrested him first on their own turf.
 

Mike Hoffman

In the middle of calibrations...
Sep 25, 2013
RandV80 said:
I'm interested in seeing how Valve/Steam follows up on this. I could be wrong but they don't seem to have a standardized bug reporting/reward system like say Facebook does, so it's entirely possible that his reporting got lost somewhere in customer support while his demonstration brought down the wrath of an entirely different & more authoritative ban hammer. Once things are all sorted out it could be appealed.

Another thing to keep in mind, Gabe likely isn't very fond of hackers after Valve got badly burned by the Half Life 2 source leak 10 years ago. When the German hacker eventually contacted him, Gabe played it cool sounding impressed and started talking about giving him a job, got the kid all excited and ready to come over for an interview, was going to even bring his family. But really Gabe wanted to take a crow bar to the punk, and was working with the FBI to bust his ass the moment he stepped on American soil. German authorities didn't really like that idea and arrested him first on their own turf.
While going through threads on different websites about this, I was surprised by the number of examples like this people could cite. Of course, Valve is a company like any other and even though the Steam service is great, they will have problems on the corporate and interpersonal side.
 

Kenjitsuka

New member
Sep 10, 2009
I don't think Valve is overreacting too much.
He should've thought before acting like this on an account used for his job...
 

erbkaiser

Romanorum Imperator
Jun 20, 2009
Kenjitsuka said:
I don't think Valve is overreacting too much.
He should've thought before acting like this on an account used for his job...
The vulnerability existed (and according to some, still exists for onclick events) only in Steam announcements and the like, for which you need to have Steam Developer access.
He pretty much had to use his job account to prove a point.

That's also where the danger is, since Steam now has so many "indie" developers coming from Greenlight or self publishing, that the risk became greater and greater someone with malicious intent could exploit this.

Do you trust every game developer on Steam, including the ones making the shovelware? I don't.
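The issue described in the article and in the comment above is a stored script injection: developer-supplied announcement markup was rendered with script elements and event-handler attributes (the onclick handlers mentioned above) left intact, so anything the page could do in the viewer's browser, the announcement author could do too. The standard mitigation is an allowlist sanitizer that rebuilds the document from known-harmless tags and attributes only and rejects link schemes that execute code. The following is an added illustration written for this page; it is not Valve's code, and the tag allowlist, the `AnnouncementSanitizer` class and the sample announcement snippets are constructed for the demonstration.

```python
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Allowlist for announcement markup (constructed for this example): each tag
# maps to the attributes it may keep. Anything else, including every on*
# event-handler attribute, is discarded rather than matched against a denylist.
ALLOWED_TAGS = {
    "p": set(), "br": set(), "b": set(), "i": set(), "strong": set(), "em": set(),
    "ul": set(), "ol": set(), "li": set(), "h2": set(), "h3": set(),
    "a": {"href", "title"},
    "img": {"src", "alt"},
}
# Elements whose contents must vanish too, not just the tags around them.
DROP_CONTENT_TAGS = {"script", "style", "iframe", "object", "embed"}
VOID_TAGS = {"br", "img"}
SAFE_URL_SCHEMES = {"http", "https", "mailto"}
_CONTROL_OR_SPACE = re.compile(r"[\x00-\x20\x7f]")


def url_is_safe(url: str) -> bool:
    """Accept relative URLs and a few known schemes; reject javascript:, data:, etc.
    Control characters are stripped first so that a scheme split by a tab or
    newline cannot slip past the check (browsers ignore those characters)."""
    cleaned = _CONTROL_OR_SPACE.sub("", url)
    try:
        scheme = urlsplit(cleaned).scheme.lower()
    except ValueError:
        return False
    return scheme == "" or scheme in SAFE_URL_SCHEMES


class AnnouncementSanitizer(HTMLParser):
    """Rebuilds the document from allowed tags only; text is re-escaped on output."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []
        self.open_tags: list[str] = []   # allowed tags currently open
        self.skip_depth = 0              # > 0 while inside a dropped element

    def handle_starttag(self, tag, attrs):
        if self.skip_depth:
            if tag in DROP_CONTENT_TAGS:
                self.skip_depth += 1     # nested dropped element
            return
        if tag in DROP_CONTENT_TAGS:
            self.skip_depth = 1
            return
        if tag not in ALLOWED_TAGS:
            return                       # unknown tag dropped, its text kept
        kept = []
        for name, value in attrs:        # HTMLParser already lowercases names
            value = value or ""
            if name not in ALLOWED_TAGS[tag]:
                continue                 # drops onclick, onerror, style, ...
            if name in ("href", "src") and not url_is_safe(value):
                continue                 # drops javascript: and data: links
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if self.skip_depth:
            if tag in DROP_CONTENT_TAGS:
                self.skip_depth -= 1
            return
        if tag in self.open_tags:
            # Close everything opened after it as well, so output stays balanced.
            while self.open_tags:
                closing = self.open_tags.pop()
                self.out.append(f"</{closing}>")
                if closing == tag:
                    break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))

    def result(self) -> str:
        while self.open_tags:            # close tags the author left open
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize_announcement(markup: str) -> str:
    parser = AnnouncementSanitizer()
    parser.feed(markup)
    parser.close()
    return parser.result()


# Constructed sample inputs: a benign announcement and a few hostile variants.
SAMPLES = {
    "benign": '<p>Patch 1.9 is <b>out</b>. <a href="https://store.steampowered.com/app/227300">Store page</a></p>',
    "event_handler": '<p onclick="alert(1)">Patch notes</p>',
    "script_element": 'Hello<script>document.title = "x"</script> world',
    "js_scheme": '<a href="javascript:alert(document.cookie)">Buy now</a>',
    "obfuscated_scheme": '<a href="java&#9;script:alert(1)">Buy now</a>',
    "img_onerror": '<img src="banner.png" onerror="alert(1)">',
    "unclosed": "<b>bold text",
}

if __name__ == "__main__":
    for label, markup in SAMPLES.items():
        print(f"{label:18} {sanitize_announcement(markup)}")
```

The design point is that the sanitizer never tries to recognise bad markup; it only emits what is on the allowlist, so a handler attribute the author did not anticipate is still dropped, and the `obfuscated_scheme` case shows why URL checks must normalise the value before looking at the scheme.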
 

Slash2x

New member
Dec 7, 2009
....... Wait they ONLY banned him for a year? I am ALMOST surprised at the comments in the thread, but not really.

Take this into context of another situation. A bank has a security flaw in their ATM, and at a company that has the contract to load software ads into the ATM (common in areas of America) an employee notices this fault. So as a joke to point out the issue, after you put your card in the system, put in your pin, and request cash, he makes it play the harlem shake for 60 seconds and flash the screen. The bank would press charges, and people would be IRATE.

MANY people have their credit card data in Steam, MANY people have hundreds of dollars in games on Steam. ANY hack or attack on that system is playing with a system that other people have invested money and or time into. As a DEVELOPER he should have known better as a gamer he should be appalled at himself.
 

Elfgore

Your friendly local nihilist
Legacy
Dec 6, 2010
This is a tough one to place judgement on. Perfect example of "does the ends justify the means?" I mean from one point, he did contact Steam and they did nothing. But hacking them isn't really a good option, a noticeable action and something they would have to respond to, but nonetheless a bad option. Maybe he should have tried harder, maybe Steam should have listened. I just think of what might happen if someone hacked that and played porn or something, Steam could be facing a massive lawsuit. I honestly cannot place judgement.
 

gigastar

Insert one-liner here.
Sep 13, 2010
He was banned for a Terms of Service violation. Nothing more, nothing less.
 

Sylocat

Sci-Fi & Shakespeare
Nov 13, 2007
So, will the internet finally pull its lips off Valve's dick for five minutes?

No, of course it won't.
 

DTWolfwood

Better than Vash!
Oct 20, 2009
Thanks Duda for your sacrifice. The Valve machine would not have done anything if not for your actions. You are a steam hero!

#lowerhis1yearban!
 

Areloch

It's that one guy
Dec 10, 2012
Wow, the comments.

The Valve hate is just hilarious.

Whether it was a security flaw or not, the fact is, this guy hacked steam, and exploited a security flaw.

This a) violates pretty much every TOS ever, and b) is fantastically illegal.

If Valve wanted to be the bad guy, they would press charges and he would absolutely go to jail. Banning him for a year (note, non-permanently) is astoundingly light. His jail sentence would definitely have lasted longer than a year.

If you follow tech circles at all, any time someone attempts to 'do good' by intentionally exploiting a security flaw to force recognition of it, the people that got hacked, unsurprisingly, are unamused. And usually press charges. And then the hacker goes to jail.

But nah, lets get pissed at Valve.