Valve Bans Developer From Steam for Prank Exposing Vulnerability - Update

gigastar

Insert one-liner here.
Sep 13, 2010
4,419
0
0
WhiteTigerShiro said:
gigastar said:
He was banned for a Terms of Service violation. Nothing more, nothing less.
*Facepalm*

Way to completely miss the finer details of the situation.
What finer details do I need? He should have known better than to actually exploit this weakness just because he didn't feel as if he was being heard.

That and only a year is getting off lightly. Other hackers just receive permabans.
 

erbkaiser

Romanorum Imperator
Jun 20, 2009
1,137
0
0
I really cringe at the use of "hacker" for someone who just showed what was possible.
He did not hack -- he posted a script tag in the HTML of the update. That Valve stupidly had no protection against external scripts at all, and ignored all warnings that allowing this is a horrible idea for months, that is the issue.

I'm not arguing that Valve should not have taken action, but a warning to Timmy that a public reveal was not the best option instead of a year ban would be better. Even better would be a "thank you, we were stupid".
 

WhiteTigerShiro

New member
Sep 26, 2008
2,366
0
0
gigastar said:
WhiteTigerShiro said:
gigastar said:
He was banned for a Terms of Service violation. Nothing more, nothing less.
*Facepalm*

Way to completely miss the finer details of the situation.
What finer details do I need? He should have known better than to actually exploit this weakness just because he didn't feel as if he was being heard.

That and only a year is getting off lightly. Other hackers just receive permabans.
1) He tried doing things the official way, and basically got ignored. The problem went unfixed.

2) He exploited the weakness in a completely harmless manner.

3) Had he NOT done the above, then the weakness would have just sat there until someone with malicious intent exploited it.

In this day and age, you cannot just sit on a weak spot in your coding and expect the best. Valve could have gotten MUCH worse by ignoring this vulnerability. At best, they have a sluggish system for reporting bugs and never saw his report; at which point they need to find a way to streamline things. At worst, they flat-out ignored his report upon seeing it, and basically deserved to get hacked. So either way you look at it, it's Valve's fault that he was able to take advantage of this vulnerability, yet he is found at fault for drawing their attention to it so that they could fix it (which took them all of 30 minutes).

So yeah, there's a whole lot more to the story than your black and white interpretation of things.
 

FalloutJack

Bah weep grah nah neep ninny bom
Nov 20, 2008
15,489
0
0
Eiv said:
Why not do this the MS way? Employ him. Reward him. Don't bloody ban him. This will just stop people from coming forward in the future if they find a vulnerability. The way he went about it was wrong, but maybe it was to prove the concept. No point reporting something that doesn't exist.
Yes, let's employ someone who messed with the system instead of just telling them about it, quietly. Hey, it worked like a charm in the fourth Die Hard movie. I think-

*POW!*

Whoa. Sorry, overloaded the sarcasm meter again.
 

erbkaiser

Romanorum Imperator
Jun 20, 2009
1,137
0
0
Hmm, Timmy deleted the tweet about it. Maybe Valve is wising up...

Or he got in trouble with his boss.
 

Areloch

It's that one guy
Dec 10, 2012
623
0
0
WhiteTigerShiro said:
gigastar said:
WhiteTigerShiro said:
gigastar said:
He was banned for a Terms of Service violation. Nothing more, nothing less.
*Facepalm*

Way to completely miss the finer details of the situation.
What finer details do I need? He should have known better than to actually exploit this weakness just because he didn't feel as if he was being heard.

That and only a year is getting off lightly. Other hackers just receive permabans.
So yeah, there's a whole lot more to the story than your black and white interpretation of things.
Except, it still boils down to this:

Valve did something foolish. So he responded with doing something illegal.

Nothing about his ban alleviates Valve of responsibility. However, Valve's culpability with the problem doesn't magically erase the fact he violated their TOS and did something illegal.

If they wanted to be "bad guys" they could easily press charges and get him jail time which would last far longer than a year.

Going to a bank and saying 'your website has a vulnerability' and then hacking their homepage when ignored, even if it was just a silly cat picture, would get you incredible amounts of jail time.

This is no different.
 

erbkaiser

Romanorum Imperator
Jun 20, 2009
1,137
0
0
Areloch said:
Nothing about his ban alleviates Valve of responsibility. However, Valve's culpability with the problem doesn't magically erase the fact he violated their TOS and did something illegal.

If they wanted to be "bad guys" they could easily press charges and get him jail time which would last far longer than a year.
Erm, no. You can't get someone to go to jail for violating the TOS.

He did not hack any part of Steam -- he did not access anything he did not have access to, he did not change a single line of code. All he did was post in an old announcement, to show to his fellow devs that the problem Valve was ignoring, potentially could allow for disastrous effects.
 

Areloch

It's that one guy
Dec 10, 2012
623
0
0
erbkaiser said:
Areloch said:
Nothing about his ban alleviates Valve of responsibility. However, Valve's culpability with the problem doesn't magically erase the fact he violated their TOS and did something illegal.

If they wanted to be "bad guys" they could easily press charges and get him jail time which would last far longer than a year.
Erm, no. You can't get someone to go to jail for violating the TOS.

He did not hack any part of Steam -- he did not access anything he did not have access to, he did not change a single line of code. All he did was post in an old announcement, to show to his fellow devs that the problem Valve was ignoring, potentially could allow for disastrous effects.
Reddit is currently not loading for me for some reason, so I can't read the in-depth on the situation, but it sounds like he went into Steam announcements about his game, which he shouldn't have direct access to, and attached a code to modify them.

Is that correct?

If it is, that's basically illegal. In a legal sense, any unwanted access to a virtual system is considered a violation and is punishable by law.

If he DID have legitimate access to it, I'm not sure why Valve would care at all. So maybe I'm just missing some detail somewhere, but if he accessed something he should not have, that's illegal. My point with the TOS is that they have every right to ban him. The (potential?) illegality of the action is what would net him jail time if Valve so chose to press charges.
 

Tohuvabohu

Not entirely serious, maybe.
Mar 24, 2011
1,001
0
0
WhiteTigerShiro said:
1) He tried doing things the official way, and basically got ignored. The problem went unfixed.

2) He exploited the weakness in a completely harmless manner.

3) Had he NOT done the above, then the weakness would have just sat there until someone with malicious intent exploited it.

In this day and age, you cannot just sit on a weak spot in your coding and expect the best. Valve could have gotten MUCH worse by ignoring this vulnerability. At best, they have a sluggish system for reporting bugs and never saw his report; at which point they need to find a way to streamline things. At worst, they flat-out ignored his report upon seeing it, and basically deserved to get hacked. So either way you look at it, it's Valve's fault that he was able to take advantage of this vulnerability, yet he is found at fault for drawing their attention to it so that they could fix it (which took them all of 30 minutes).

So yeah, there's a whole lot more to the story than your black and white interpretation of things.
There are rules in place, and you receive a punishment if you break them.

Let's be serious here.

Any kind of professional workplace and company is like this. If you knowingly break the rules, there are procedures that will be followed, and in this case; he was handed a suspension.

I'm putting myself in his shoes, and it must have sucked. He was just trying to help, and draw attention to a potentially serious issue. And his pleas weren't being heard. That, SUCKS.

But I don't condone what this guy did. I'm sure he was in a frustrating position, but does that justify taking this kind of action? Like I said, I'm putting myself in his shoes, and I can't see this kind of action being worth it. Risking your professional relationship with Steam, your position to support your game, and possibly risk a part of your livelihood? There must have been a better way to go about getting their attention and getting it fixed than this.

I've seen people handed suspensions in the workplace for less. Being sent away for something that happened out of sheer circumstantial bad luck. This guy took it upon himself to break the rules. You just can't do that kind of thing, especially as a professional.

However.

The original neglect and incompetence was Valve's fault. The guy broke the rules, so procedures are followed and he's suspended, okay. But an investigation should be launched to find out how this vulnerability came about in the first place, why it was never detected, why it was never fixed, and why his pleas for help went unheard. It sounds like there are some serious communication problems going on here, and Valve should accept responsibility for causing the problem in the first place.

While the guy shouldn't have done this, Valve should have addressed the problem way sooner. I see obvious faults on both sides here. Valve needs to correct the chain of events that led to this being a problem in the first place, and I don't think he should serve his entire suspension.
 

erbkaiser

Romanorum Imperator
Jun 20, 2009
1,137
0
0
Areloch said:
Is that correct?
No, that's not correct. As a Steam developer, he is allowed to post and modify announcements for his game. In this case, Euro Truck Simulator 2.

He used that access, which he is fully entitled to, to post an external script in an existing (old) announcement.

The problem is that by doing this, he exposed publicly that Steam was vulnerable to XSS. And that is after he alerted them of the issue months ago, which Valve ignored under the conceit that they "trust their developers".
Rather than admit they were wrong to ignore it and fix it, Valve decided to ban him for it.
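What erbkaiser describes in this post (and in the earlier one about "a script tag in the HTML of the update") is stored cross-site scripting: a publisher is legitimately allowed to write announcement HTML, the site stores it verbatim, and every visitor's browser then runs whatever script that HTML pulls in. The fix belongs on the platform side, and the usual first layer is to sanitize developer-authored markup against an allowlist before it is stored or rendered. The following is an added illustration written for this thread; it is not code from Steam, Valve, or anyone in the discussion, and the tag and attribute lists are assumptions chosen for patch-note style content rather than Steam's actual rules.

```python
# Added example (not from the thread, Valve, or Steam): an allowlist HTML
# sanitizer for developer-authored announcement bodies, standard library only.
# The allowed tag/attribute sets below are illustrative assumptions.
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Markup a publisher plausibly needs for patch notes; anything not listed
# (script, iframe, event-handler attributes, javascript: URLs) is dropped.
ALLOWED_TAGS = {"p", "br", "b", "strong", "i", "em", "ul", "ol", "li",
                "h2", "h3", "a", "img"}
ALLOWED_ATTRS = {"a": {"href"}, "img": {"src", "alt"}}
VOID_TAGS = {"br", "img"}
# Elements whose text content must disappear too, not just the tag itself.
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed"}


def is_safe_url(url: str) -> bool:
    """Only absolute http(s) URLs survive; javascript:, data:, vbscript: are rejected."""
    return urlparse(url.strip()).scheme in ("http", "https")


class AnnouncementSanitizer(HTMLParser):
    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []
        self.skip_depth = 0  # > 0 while inside a dropped element such as <script>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return  # unknown tag: drop the tag but keep its text content
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue  # onclick=, onerror=, style=, ... never pass
            if name in ("href", "src") and not is_safe_url(value):
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        if tag == "a":
            kept.append(' rel="noopener noreferrer"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            # Re-escape text so it can never re-open a tag when rendered.
            self.out.append(escape(data, quote=False))

    def result(self) -> str:
        return "".join(self.out)


def sanitize_announcement(raw_html: str) -> str:
    """Return announcement HTML that is safe to embed in a page."""
    parser = AnnouncementSanitizer()
    parser.feed(raw_html)
    parser.close()
    return parser.result()


# Constructed sample: a real patch note followed by the kinds of markup a
# sanitizer must remove (external script tag, javascript: link, inline
# event handlers). example.invalid is a placeholder host.
SAMPLE_ANNOUNCEMENT = (
    '<p>Patch 1.2 is <b>live</b>!</p>'
    '<script src="https://example.invalid/x.js"></script>'
    '<a href="javascript:void(0)" onclick="x()">notes</a>'
    '<img src="https://example.invalid/banner.png" onerror="x()" alt="banner">'
)

if __name__ == "__main__":
    print(sanitize_announcement(SAMPLE_ANNOUNCEMENT))
```

Run on the sample, the script element and both event handlers vanish and the javascript: link loses its href, while the paragraph, bold text and image survive. Two caveats a practitioner would add: sanitize on the storage path and again on render, since rules change over time, and pair the sanitizer with a Content-Security-Policy whose script-src does not permit inline or arbitrary third-party script, so that a missed case still cannot execute. In production a maintained sanitizer library is preferable to a hand-written one; this block is here to make the mechanism visible.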
 

Areloch

It's that one guy
Dec 10, 2012
623
0
0
erbkaiser said:
Areloch said:
Is that correct?
No, that's not correct. As a Steam developer, he is allowed to post and modify announcements for his game. In this case, Euro Truck Simulator 2.

He used that access, which he is fully entitled to, to post an external script in an existing (old) announcement.

The problem is that by doing this, he exposed publicly that Steam was vulnerable to XSS. And that is after he alerted them of the issue months ago, which Valve ignored under the conceit that they "trust their developers".
Rather than admit they were wrong to ignore it and fix it, Valve decided to ban him for it.
Ah, I see.

It read like he shouldn't have been able to modify old announcements, or otherwise didn't have access.

Knowing that, I still come down on the side of 'you can't be surprised when you get in trouble for exploiting vulnerabilities', but at the same time it probably wasn't necessary on Valve's part to do the ban. It does make me wonder who issues bans in cases like this. Since it falls outside your usual VAT or community bans. Hm.

Alas, I work in tech support, and I know that sometimes it takes a RETARDED amount of time for the upper echelons to get off their butts and implement a fix. Usually after it blows up in their face. Unfortunately, that's less a 'Valve is bad' thing specifically, and more just 'people in tech are horrifically lazy idiots' :/
 

gigastar

Insert one-liner here.
Sep 13, 2010
4,419
0
0
WhiteTigerShiro said:
gigastar said:
WhiteTigerShiro said:
gigastar said:
He was banned for a Terms of Service violation. Nothing more, nothing less.
*Facepalm*

Way to completely miss the finer details of the situation.
What finer details do I need? He should have known better than to actually exploit this weakness just because he didn't feel as if he was being heard.

That and only a year is getting off lightly. Other hackers just receive permabans.
1) He tried doing things the official way, and basically got ignored. The problem went unfixed.
And that's where he should have stopped.

WhiteTigerShiro said:
2) He exploited the weakness in a completely harmless manner.

3) Had he NOT done the above, then the weakness would have just sat there until someone with malicious intent exploited it.

In this day and age, you cannot just sit on a weak spot in your coding and expect the best. Valve could have gotten MUCH worse by ignoring this vulnerability. At best, they have a sluggish system for reporting bugs and never saw his report; at which point they need to find a way to streamline things. At worst, they flat-out ignored his report upon seeing it, and basically deserved to get hacked. So either way you look at it, it's Valve's fault that he was able to take advantage of this vulnerability, yet he is found at fault for drawing their attention to it so that they could fix it (which took them all of 30 minutes).

So yeah, there's a whole lot more to the story than your black and white interpretation of things.
And here's what you don't seem to get:

Good intentions do NOT justify illegal activity.

He should have just left it alone and if someone else found the exploit before it was fixed and used it for malicious purpose then we would have legitimate reason to blame Valve.

But no, he went and engaged in illegal activity.

Dev guy is in the wrong here, Valve is just following their own procedure, and dev guy is lucky that he wasn't simply permabanned and facing a lawsuit for what he did.
 

gigastar

Insert one-liner here.
Sep 13, 2010
4,419
0
0
WhiteTigerShiro said:
gigastar said:
Good intentions do NOT justify illegal activity.
Except when they do.
The road to hell is paved with good intentions. If Valve did not rush to fix the exploit after his demonstration then all sorts of nonsense could have happened.
 

gigastar

Insert one-liner here.
Sep 13, 2010
4,419
0
0
WhiteTigerShiro said:
gigastar said:
WhiteTigerShiro said:
gigastar said:
Good intentions do NOT justify illegal activity.
Except when they do.
The road to hell is paved with good intentions.
Do you even know what that phrase means?
I know enough to know that it applies in this situation.

Anyway, this discussion bores me. No doubt you'll take the last word anyway.
 

Shamanic Rhythm

New member
Dec 6, 2009
1,653
0
0
gigastar said:
And here's what you don't seem to get:

Good intentions do NOT justify illegal activity.

He should have just left it alone and if someone else found the exploit before it was fixed and used it for malicious purpose then we would have legitimate reason to blame Valve.

But no, he went and engaged in illegal activity.

Dev guy is in the wrong here, Valve is just following their own procedure, and dev guy is lucky that he wasn't simply permabanned and facing a lawsuit for what he did.
Violating terms of service =/= illegal. I am unaware of any jurisdiction where terms of service have been enshrined in litigation, but feel free to prove me wrong.
 

gigastar

Insert one-liner here.
Sep 13, 2010
4,419
0
0
Shamanic Rhythm said:
Violating terms of service =/= illegal. I am unaware of any jurisdiction where terms of service have been enshrined in litigation, but feel free to prove me wrong.
Regardless of the context or lack of actual fallout, using the exploit counts as hacking. I am unaware of any jurisdiction in the US where cybercrime gets a free pass.
 

WhiteTigerShiro

New member
Sep 26, 2008
2,366
0
0
gigastar said:
WhiteTigerShiro said:
gigastar said:
WhiteTigerShiro said:
gigastar said:
Good intentions do NOT justify illegal activity.
Except when they do.
The road to hell is paved with good intentions.
Do you even know what that phrase means?
I know enough to know that it applies in this situation.

Anyway, this discussion bores me. No doubt you'll take the last word anyway.
You gotta love the ominous "Oh don't worry I know", like I'm supposed to just take your word for it; then followed up with the immediate "BORED NOW!" cop-out so that you can make a quick escape. How does the phrase apply to this situation? Keep in mind, I'm not asking because I genuinely don't understand the phrase, I'm asking because I do understand the phrase, and know that you don't have an actual answer. My guess, from your black and white interpretation of the situation at hand, is that you're taking the phrase at literal face value, and that the instant the words "good" and "intention" are used back to back, that the phrase automatically applies.