Valve bans Game Developer from Steamworks for pointing out a vulnerability

Dr.Awkward

Given the growing amount of situations happening with Steam it has me wondering if Gabe doesn't want to manage Valve anymore. Between the program he spearheaded to assist his son's interest, the opening of the floodgates on Steam, the growing focus on introducing and expanding Marketplace to their games and less focus on generating new non-F2P IP (and their Steam client), and not to mention the clique-like groups that have formed within the unfocused development hierarchy, it wouldn't surprise me if Gabe "retires" in five years only to come back to join his son's newly-formed development studio a year later. But that's all speculation...
 

NuclearKangaroo

Geo Da Sponge said:
NuclearKangaroo said:
The Wykydtron said:
Valve/Steam ignoring perfectly reasonable requests and demands? I'm nowhere near surprised, is this a good time to mention how Steam's customer service is so poor it's technically illegal in the UK?

Remember when Steam was heralded as the "saviour of PC gaming?" Yeah me neither. Valve has used up all of their goodwill over the last two years as far as i'm concerned.

Also that Harlem Shake example sounds hilarious, +1 interwebz to that guy. Not like Steam will reverse the ban though, that would be far too reasonable of them, listening to their community even. Dangerous thinking.
Ninjamedic said:
The Wykydtron said:
Remember when Steam was heralded as the "saviour of PC gaming?" Yeah me neither. Valve has used up all of their goodwill over the last two years as far as i'm concerned.
Two Years? They've been like this for the longest time, hell they're responsible for almost every anti-consumer precedent in gaming. They were just good at PR.
wow, just wow

lets conveniently forget euro truck simulator 2 is a reasonable success thanks to steam and it got into steam in the first place thanks to greenlight, a system that allows users to vote for games to be added to steam, man is almost as if *gasp* Valve DOES listen to its community!, but yeah, Valve is evil
Are you serious?

Have you seen how much of a mess Greenlight is? Or more specifically, how many incidents we've had of absolute trash completely circumventing it while other, genuinely popular games wallow in it? Setting up an automated voting system is not a substitute for genuinely paying attention to feedback and communicating with the developers and consumers who use Steam!

Look, Euro Truck Simulator 2 being successful on Steam was not due to Valve being amazingly generous, or thoughtful, or listening to the community beyond being told what people wanted to buy. They don't have to be grateful for their game being a success on Steam when Steam is pretty much the only option going at the moment; there are other digital distribution sites out there, but let's be honest, getting onto Steam is pretty make-or-break for most games of that size.

So you've got this situation where Steam has virtually no quality control and ignores virtually all communication beyond being told what they can sell to people, but they're still getting lauded by people like you who will be grateful for them just selling things... C'mon, let's be honest. What were this guy's options? Keep talking and getting ignored, like everyone else who tries to contact Valve? Or risk Steam, which he relies on to make a living, getting seriously compromised?

But another thing that occurs to me... And this is a big thing... You do realise that all the guy did was make it so that the Harlem Shake played when people viewed a specific community announcement for Euro Truck Simulator 2? And that in pretty much all other cases, developers are allowed to put up almost anything up on those, like linking to trailers with all kinds of content and so on. So what he was editing was something he had every right to edit, it's just that he edited it in a way that could alternatively be used for far more nefarious purposes, so... Yeah. He's getting in trouble purely for the method he used, when if he'd just had a linked YouTube video of the Harlem Shake that would be fine.
greenlight was a response to devs and customers complaining about steam being too closed to indie devs, greenlight was made much more lenient after devs complained it was still too closed, not everyone complains its too open, are you still going to argue they dont listen to the community?

and thats the problem, the community is not a single entity or person, so is pretty much impossible to please completely [http://www.gamespot.com/articles/limiting-the-number-of-steam-releases-would-be-insane-says-rust-dev/1100-6419985/], but its beyond clear valve is at least trying


yes steam is popular everyone knows that, have you stopped and thought about why? why does it attract so many devs, big and small? they provide a great service and usually listen to feedback

what other options he couldve taken?

let me see, he couldve tracked other devs and together try to get Valve attention about the issue, if hes so defensive about his living i assume most other devs on steam also are

he couldve made a post about it on his game, which today had a peak of almost 5k people playing concurrently

http://steamcharts.com/app/227300

he couldve tried to contact kotaku or other gaming blogs about the issue

why is breaking the rules plan B?

he violated the steam subscriber agreement, thats the reason for his ban, it doesnt matter if its Harlem Shake, Rick Roll or whatever, he broke the rules

plus from what i understand apparently the only way he tried to contact valve is via a tweet and an email, so yeah

im not defending valve for not listening, but 2 wrongs dont make a right
 

Ninjamedic

NuclearKangaroo said:
im not sure its being ignored, but QA issues are fairly recent, it took valve some time to come up with a solution for their previous closed nature, im sure they will come up with a sorting solution for their openness problem at the moment, i think user reviews and tags aim directly to something along those lines,
But as we've seen, the devs are given carte blanche to moderate the forums meant specifically for discussion of the game. The fact that Air Control got onto greenlight let alone got released shows that there needs to be a standard set. At this point, Valve no longer gets the "wittle game company" excuse, they're big enough to handle a near monopoly of PC gaming purchases and DRM, they should have more than enough spare employees to handle this.

plus valve time, lets give it a little more time, even from a business standpoint, it doesnt benefit valve in any way to have shitty games steal the spotlight of good games which are obviously going to sell more
We're talking about a security hole that can allow any dev to put anything into a computer through the steam client, this is a big deal, Valve Time was a stupid enough thing when it was used to explain a mission pack taking several years to make, you can't honestly use it with something as serious as this.

as for the topic, im just asking people to be more fair, yes valve failed to listen once more, but the guy DID break the rules, both parties made mistakes
Fair enough, but this isn't like Valve is the innocent and helpless victim in all of this, they're a big company. And if we're going to hammer EA, Sony and Microsoft when they fuck up, it's only fair and consistent that Valve gets its due.
 

NuclearKangaroo

Zachary Amaranth said:
So Microsoft hires people who break their systems, while Valve...Ignores them, bans them if they demonstrate the vulnerability, and then continues to not fix it?
valve never asked for this though

seriously though, the guy broke the rules, you dont give him a cookie just because he proved he could

the guy NEEDED to exhaust all the other alternatives before this
 

Amir Kondori

Wow, the first thing Valve has done that really disgusts me. If this guy was really trying to work with Valve to get this exploit looked at and patched for over a year then good for him for forcing the matter and shame on Valve for their heavy-handed response.
 

teebeeohh

why didn't he just, you know, point out the flaw. just post somewhere public that it exists, if you get access to the nuclear launch codes and the military doesn't care wouldn't you tell people that they are insecure instead of launching nukes?
 

NuclearKangaroo

Ninjamedic said:
NuclearKangaroo said:
im not sure its being ignored, but QA issues are fairly recent, it took valve some time to come up with a solution for their previous closed nature, im sure they will come up with a sorting solution for their openness problem at the moment, i think user reviews and tags aim directly to something along those lines,
But as we've seen, the devs are given carte blanche to moderate the forums meant specifically for discussion of the game. The fact that Air Control got onto greenlight let alone got released shows that there needs to be a standard set. At this point, Valve no longer gets the "wittle game company" excuse, they're big enough to handle a near monopoly of PC gaming purchases and DRM, they should have more than enough spare employees to handle this.
but there was a standard, until all the devs complained the system was too slow, at this point id say it doesnt matter what kind of garbage gets into steam (as long as its legal and doesnt break the site rules) just make it harder to find and make good games easier to find, and i think thats eventually where valve is heading

as for the devs being moderators... yeah now im convinced that is a terrible idea, i can see why they did it, but its too easily exploitable

Ninjamedic said:
plus valve time, lets give it a little more time, even from a business standpoint, it doesnt benefit valve in any way to have shitty games steal the spotlight of good games which are obviously going to sell more
We're talking about a security hole that can allow any dev to put anything into a computer through the steam client, this is a big deal, Valve Time was a stupid enough thing when it was used to explain a mission pack taking several years to make, you can't honestly use it with something as serious as this.
no, in that context i was talking about the store curation and the issue of openness

Ninjamedic said:
as for the topic, im just asking people to be more fair, yes valve failed to listen once more, but the guy DID break the rules, both parties made mistakes
Fair enough, but this isn't like Valve is the innocent and helpless victim in all of this, they're a big company. And if we're going to hammer EA, Sony and Microsoft when they fuck up, it's only fair and consistent that Valve gets its due.
personally i hold valve at a much higher standard, they are no jesus, and they are certainly a business, but i feel they treat me with respect so i dont really care if they want to make money, plus usually they try to find solutions that benefit both the end user and the developers
 

SexyGarfield

To those saying he had other options, you're right. Standard operating procedure for independent security researchers that happen across a vulnerability is to warn the admins and if nothing is done after a reasonable amount of time publish the vulnerability and how to do it.

Which would you have rather happened, everyone (bad actors included) knowing about it and several exploits slipping under the wire before Valve finds out and patches their shit or one person posting a harmless harlem shake video directed at a small portion of his own customers?

Edit: I haven't read his agreement with valve but I doubt publishing a security vulnerability violates them.
 

jackpipsam

Valve is acting more and more arrogant by the day.

I have become less interested in using Steam over the last 6 months due to the crap they let on there.
Also people acting like Valve is the best thing in the world, is meaning they can enter a state where they can do what they like, it's just like console fanboyism the way some people act about Steam.
 

Geo Da Sponge

NuclearKangaroo said:
*Big Snip*
I'm sorry, I just want to break something down...

You think it would have been much better if he'd decided to inform as many people as possible about a potential security risk? Yeah! I can see no way that could have gone wrong or got him into worse trouble! Instead of just demonstrating there's a vulnerability without actually revealing how it's done, he should have just started spreading the news to people playing his game or news sites. Although he'd have to actually be quite specific about what the vulnerability is, or else the story on Kotaku or whatever would look like this:

"Person says Steam has a security vulnerability! He can't actually say any more than that, but this is big news on its own!"

All of your other plans involve spreading information on how it's done. That could have gone very, very badly. Also, what kind of unprofessional company considers an email "not enough?" When you send someone an email, they should read it. You shouldn't have to orchestrate an entire campaign of demonstrations just to say "There's a problem here, fix it". Anyway, his approach clearly worked. Valve did notice.

But now they've decided to ban him for a year just for demonstrating their incompetence (and what else can you call it when there's a blatant vulnerability in your system and you don't fix it when you get emailed about it and apparently it's still not properly fixed). Because, hey, he broke the rules! And it is well known that the rules of Steam are a power far greater than common sense or reason, because if they let one person off because he did nothing harmful, then... Then... Well, they wouldn't actually have to let anyone else off if they didn't want to, because it's entirely their choice how they enforce those rules.
 

qeinar

NuclearKangaroo said:
Geo Da Sponge said:
NuclearKangaroo said:
Geo Da Sponge said:
I can hardly blame him for really wanting to demonstrate this vulnerability, given the fact that a sizable amount of his income probably comes through Steam. If this problem had gone ignored and unfixed for longer, the results could have indirectly harmed him by damaging Steam's reputation, or potentially harm him in a far more direct way. Who knows?

Valve just seems more and more determined to bury their head in the sand and make communication impossible over everything. It was kind of cute when they were just being coy about game development, but acting that way about everything doesn't help at all.

NuclearKangaroo said:
there are rules, he shouldnt have done that

is like robbing a bank and saying "see? you need to hire more security guards!"

Not really. It's more like breaking into a bank vault, not harming or alerting anyone in the process, and then leaving a detailed note explaining how they did it and how they could fix it inside the vault.
but still stealing money, he still took advantage of the exploit
But he didn't take anything... Nothing he did used the exploit against anyone, apart from using it to demonstrate that he could.

Listen, I don't like basing entire arguments off of metaphors, but in this case:

Bypassing bank security = Using the exploit

Leaving a note in the vault = Leaving a silly video to prove he'd done it

Stealing money = Using the exploit to give himself some advantage on Steam, or in any way damaging Steam

Since he didn't actually do anything that damaged Steam beyond posting a silly little video (and you seem to be arguing that he didn't even have to do that for it to equate to stealing; just using the exploit was enough), that can't really be equated to stealing money, can it?

But to bring it back to the main point, this guy relies on Steam. It's used to sell the product he worked on, EuroTruck Simulator 2. He has security concerns with the system, and since he was being ignored previously, this seemed to be the only way he could get it acknowledged. If the people who use your system and bring in the money for it have concerns over its security, the last thing you should be doing is punishing them for demonstrating the problem. It's like Valve has so much momentum with Steam they really don't care if the developers using it hate it, because they know that there's nowhere else to go.

Or, to torturously stretch the bank metaphor even further, which is like breaking into the bank which you use, in order to specifically reach the deposit box which you own, in order to prove that it's not secure and therefore your stuff is at risk. But the bank bans you for a year for showing the gaping hole in their security, even after you pointed it out through the proper channels first.
but then wouldnt you be violating private property if you broke into a bank to leave the note? even if you didnt take anything, see the problem is that the act itself is a crime, and sure enough what this guy did is against the steam subscriber agreement

the problem is that this dev took a drastic action, i bet there were other ways to get the message across

but right now, he screwed himself and he screwed his customers and nobody is happy
Actually it's more like he first sent a note to the bank saying that you can break in and notes on how to break into their bank. They send you back that they trust their customers not to break into their bank. Then he breaks in and leaves a note.
 

NuclearKangaroo

Jasper van Heycop said:
NuclearKangaroo said:
otakon17 said:
Johnny Novgorod said:
Vegosiux said:
Johnny Novgorod said:
They didn't ban him for "pointing out a vulnerability", they banned him for hacking the motherfucking system.
While true, it's still counterproductive. This guy had no malicious intent from what it looks like. Hope in this year of his suspension they contact him and work with him to resolve the vulnerability, at least, if the ban doesn't get reversed.
It's like disabling a house's alarm system and vandalizing it "just" to show the owner that you and possibly someone else could. I guess I'll go get a better alarm then but it's still illegal and you're still going down.
You ever see "It Takes A Thief"? Those guys tore up houses to show people just how vulnerable their places were. This is the same scenario, except that he told them repeatedly about it, they did nothing then did something innocuous to prove that there was a fault before it could actually be taken advantage of. No one asked him to do this he did it so it wouldn't get out of hand. The guy doesn't deserve to be banned, he should be commended for finding it before it got out of hand and word spread of the fault to those with less altruistic natures.
so he can freely break the rules and receive no consequences because he did it for "the greater good"? was this really HIS LAST DESPERATE MEASURE? i think there were other options, contacting more devs and together try to contact valve

his game is played by almost 5k people, maybe he could make an announcement there

http://steamcharts.com/app/227300

writing some article for a gaming blog like kotaku or something like that

why was breaking the rules plan B?

2 wrongs dont make a right, just because valve doesnt listen you dont have to break the rules
Wow, so they should set up an entire PR campaign so that Valve gets off their fat asses (hur hur Gabe Newell joke) and does their fucking job (even when this dev practically did half their job for free)? That's a pretty sad state of affairs, I can't see how anyone could defend such practices. But then... here you are.
so now the only way to prove something can be broken is by breaking it?

im sorry i dont share that point of view
 

NuclearKangaroo

Geo Da Sponge said:
NuclearKangaroo said:
*Big Snip*
I'm sorry, I just want to break something down...

You think it would have been much better if he'd decided to inform as many people as possible about a potential security risk? Yeah! I can see no way that could have gone wrong or got him into worse trouble! Instead of just demonstrating there's a vulnerability without actually revealing how it's done, he should have just started spreading the news to people playing his game or news sites. Although he'd have to actually be quite specific about what the vulnerability is, or else the story on Kotaku or whatever would look like this:

"Person says Steam has a security vulnerability! He can't actually say any more than that, but this is big news on its own!"

All of your other plans involve spreading information on how it's done. That could have gone very, very badly. Also, what kind of unprofessional company considers an email "not enough?" When you send someone an email, they should read it. You shouldn't have to orchestrate an entire campaign of demonstrations just to say "There's a problem here, fix it". Anyway, his approach clearly worked. Valve did notice.

But now they've decided to ban him for a year just for demonstrating their incompetence (and what else can you call it when there's a blatant vulnerability in your system and you don't fix it when you get emailed about it and apparently it's still not properly fixed). Because, hey, he broke the rules! And it is well known that the rules of Steam are a power far greater than common sense or reason, because if they let one person off because he did nothing harmful, then... Then... Well, they wouldn't actually have to let anyone else off if they didn't want to, because it's entirely their choice how they enforce those rules.
you realize valve must get thousands of emails every single day, is not completely unreasonable to imagine his claims were buried beneath 180 emails saying "give me free games gabe you fat fuck"

the approach did work, he got banned for a year and his customers will have a harder time getting their game updated, nobody is happy

the rules of steam are a legal document you sign, so yes you have to abide by them, i dont even know if he couldve been sued

you dont prove something can be broken by breaking it


imagine for a second that every time someone found an exploit the first (or second) thing they did with it is use it to troll or to be obnoxious just so it caught valve's attention and theyd fix it, and valve gave people a green light for that

yeah thatd be annoying
 

cikame

For every real issue from an intelligent person like this, there are thousands of complaints from people about their virus-ridden PCs, i don't blame Valve completely but they could be a bit quicker sometimes.
 

SexyGarfield

NuclearKangaroo said:
you realize valve must get thousands of emails every single day, is not completely unreasonable to imagine his claims were buried beneath 180 emails saying "give me free games gabe you fat fuck"
He sent several messages over the course of several months, and you would think dev emails would be elevated above those 180 "fat fuck" emails.
 

NuclearKangaroo

SexyGarfield said:
NuclearKangaroo said:
you realize valve must get thousands of emails every single day, is not completely unreasonable to imagine his claims were buried beneath 180 emails saying "give me free games gabe you fat fuck"
He sent several messages over the course of several months, and you would think dev emails would be elevated above those 180 "fat fuck" emails.
i didnt know that, regardless, he still broke the rules in a situation where i believe the other options werent exhausted
 

The Wykydtron

Ninjamedic said:
The Wykydtron said:
Remember when Steam was heralded as the "saviour of PC gaming?" Yeah me neither. Valve has used up all of their goodwill over the last two years as far as i'm concerned.
Two Years? They've been like this for the longest time, hell they're responsible for almost every anti-consumer precedent in gaming. They were just good at PR.
Ah hell, i'm relatively new to this whole PC gaming thing, I thought they were still decent for awhile. I only started seriously just over a year ago, before then Steam was just window dressing for Team Fortress 2. My first real experience of how broken it is was when my one friend had his account frozen cuz of Paypal problems, y'know you use too much money in one transfer so banks and similar just have to stick their head in. A problem that Paypal itself had sorted out a week or so after the incident, meanwhile his Steam account that he had the same Paypal connected to it was frozen for roundabout 3/4 months investigating (and I use that word in the loosest possible way) the same problem and he had to go through the hell of ringing up the Steam complaints/support line several times.

Did I mention illegal in the UK yet? I don't understand how anyone can attempt to defend Steam when that's a clear fact (Sale of Goods Act 1994, give it a quick runover if you're that bored) Cuz Steam's customer support and refund policy is just that god awful. I can't stress this enough, their way of running customer service is illegal. "Nah man" they still say, "Valve is perfectly fine, saviour of PC gaming" Valve doesn't listen to petty things like "laws" though right? Hell they can't even listen to their own customers. They've got more hats to design.