Gabe Newell Gives Away Personal Steam Password

[E-Penguin]

Well, as long as it doesn't become obligatory, I'm fine with it. The idea of tying my steam login to one computer is not a good one. For others it might be, but for me, that'd be unworkable. Still, interesting challenge. Would be embarrassing if someone manages it, but I guess the advantage is even if someone does get around it then they'd just fix whatever they did and nobody would be able to do it again.

I don't think you tie it to just one computer. You can have one steam account on several computers but you have to register them first.


EDIT: Or something like that.

 

[Scorched_Cascade]

*snipped*

The way this system works is that the system hardware has a unique key built into it when it's manufactured, and each application would also have a unique key. There is an encryption algorithm built into the hardware that generates rotating security codes based on the application key and the hardware key, which change every few seconds. Whenever you try to authenticate, you'll send Valve your username/password like normal, and you'll also send them a generated security code from the hardware on your machine. Valve will then try to validate the security code based on Intel's encoding system and the hardware key that they have stored on their server as the one you authorized on your account. If they don't match, you can't log in, even with the correct username and password.
*also a butchered quote to save space*

Oh I see thank you. I was thinking along the lines of a spiked website or the like to get a piece of spyware onto their machine that would monitor authentication requests and then feed these passwords into another program present on your machine that wood spoof your hardware ID to theirs. While I realised that this would only affect a tiny amount of people and would be very hard, and take a while to figure out the programs, I forgot that the data packets would be encrypted (*slap head*)

So the only way is to figure out the encryption process (borderline impossible without a massive time investment), find out the victim's hardware key, work out what the password should be at the time of authentication and spoof it? Along with finding out their actual username and password of course. That all depends on the encryption logarithm though.

I'm working on the basis that computers can not generate true random events and so there must be some equation the encryption uses? Can you even spoof hardware ID? Is the encryption logarithm stored locally and different for every machine? If so I don't buy it, a computer mind may be able to think of infinite variations of a logarithm but a human mind can't to program it and there is also the problem that servers for programs like steam would also have to have infinite decryption keys.

Seems like a lot of work just to get access to a steam account but now Gabe has challenged the world he has thrown down a gauntlet. There are a lot of obsessives out there who would love to be the first to break it. We also have MIT types who will see this as a great puzzle breaking game and no doubt intelligence agencies that will want to figure it out in case it becomes more widespread in program usage.

It reminds me of the lock theory (don't know its actual name). No matter how good a lock you make someone will be able to break it but the idea is to make it so hard it's not worth their time to do so. For example someone who can scrub door locks can get through your average household door in less than a minute, if they bring a pick gun it's even faster and if they bring a screwdriver? They can be through the door in seconds. So why do we still lock our house doors? We do so because locking them deters your average joe thief and they hopefully move on. Drawing attention to yourself by says "Ohhh look at my shiny lock, you can't get in here but I bet there are all sorts of goodies in here if you did" just defies the point.

People will hack this purely because he just waved it in their face and said you can't do this. [.paranoia.]Unless of course it is some kind of honeytrap to catch people who are at the level to be able to actually break it[/paranoia]

 

[Randomologist]

I really don't think this is his real account. It's probably one he had set up, which as the big cheese at Valve I shouldn't think is hard to do.

 

[Ninonybox_v1legacy]

well...this kind of news is good for me......BECAUSE I DON'T WANT MY STEAM STOLEN FOR THE 3RD TIME.

 

[GeorgW]

This is an awesome marketing stunt, but NEVER mess with the internet. It will be hacked, and ep 3 will be stolen, and all the world will rejoice.
I will bet $10 that someone breaks into Gabe's house or makes the system think it's his computer and steals his account.

 

[thatcanadianguy]

wait a second.. doesnt this undermine the entire 'download a game in your library to ANY computer' thing steam has going for it?

 

[Cousin_IT]

The important question is not can you log onto steam with that password, but can you get onto any of Newell's other emails or password protected systems?

 

[Wicky_42]

The way this system works is that the system hardware has a unique key built into it when it's manufactured, and each application would also have a unique key. There is an encryption algorithm built into the hardware that generates rotating security codes based on the application key and the hardware key, which change every few seconds. Whenever you try to authenticate, you'll send Valve your username/password like normal, and you'll also send them a generated security code from the hardware on your machine. Valve will then try to validate the security code based on Intel's encoding system and the hardware key that they have stored on their server as the one you authorized on your account. If they don't match, you can't log in, even with the correct username and password.

Doesn't that mean, though, that with a series of interrogations of the transmitted security code you could potentially brute-force the encryption algorithm? Especially if you have some idea of how it works, say from reverse-engineering a chip with the encryption engine on? I mean, even if the code's changing every 30 seconds based on the same engine and seed, surely with enough of the codes you could work your way back and copy the original code :/

EDIT: Also, 30 second window to re-use the security code? I'd have thought that could be exploited - if you could listen in on his machine's traffic, spot the code when he logs into his account or authenticates something and log in as well... does Steam support multiple users? I dunno... still, scope for exploit, I'd have thought

 

[Pandalisk]

"Dectected" is a Valve meme in the making, like Valve time

Wow, i was confused when i saw the title, i was thinking he leaked Other Steam users personal details, Phew.

This SteamGuard looks promising

 

[Poopie McGhee]

Spot the spelling error.

I don't dectect anything.

---

I wonder, what happens if someone has an identical PC build? Do they somehow log serial numbers as well? I'm not entirely familiar with this hardware security concept.

It doesn't work that way. (and it wont work at all on all but the newest intel CPU's).

This is like having a specific code in your computer that no other computer on the planet has.

I'm sure there's a way to crack it, but just having an identical PC won't do the trick, because the internal code number (or whatever it actually is) would still be different.

The problem with this is that it can be used by a company to screw you over later.
Making sure something you buy will only work on one computer. Ever.

Yeah... A very scary technology disguised as something 'useful'.

The same thought occured to me as well, with all the money I've invested in STEAM despite not liking the digital platform (hey those sales are tempting!) I don't want to lose it all whenever I next get a new PC.

It's already a fact of life on game consoles.

Wiiware & the virtual console is all well and good, but if I lose my console for any reason, it's all gone. (And there is literally no way to transfer it. - Although, it appears Nintendo has noticed this problem with their systems, and created a way for 3DS downloads to be transferred between units.)

I don't know if the PS3 and Xbox 360 are quite that bad, but somehow I'm not inclined to think they're much better. (There's no incentive to do any better than that on a closed proprietary system.)

See though, Steam is not supposed to be as restrictive as the consoles.

You do make a good point though, this DRM nonsense gets worse and worse because we are all playing a game of "cross this line, now cross this line, etc...". In other words, seeing the restrictive DRM of the consoles as normal is bad.

In a 360, it's all tied to your account.

 

[Aeshi]

I really want somebody to steal his computer and then use it to log in.

 

[CardinalPiggles]

A Reddit user tried to use said log-in and password.

Needless to say, it didn't work.

Spot the spelling error.

Dectected instead of Detected

 

[TheEndlessSleep]

Spot the spelling error.

I don't dectect anything.

DeCTected...

 

[newbienator]

Did that translator just repeat what Gabe said, only with an accent?

 

[ThreeKneeNick]

This powerful technology could be used for evil

 

[Erja_Perttu]

Spot the spelling error.

I don't dectect anything.

DeCTected...

You've got to be kidding me...

OT: What a wonderful idea, here's hoping it actually works! I dislike people hacking my stuff, so roll on things which prevent that!

 

[benbenthegamerman]

I tried this earlier, it "dectects" a wrong processor.

Pretty cool though.

Edit: Wow, ninjad, I should write faster.

Your avatar is fucking hilarious. i just wanted to say that.

OT: This man does indeed have balls of adamantium.