• If you’ve ever used Linux, you’ve probably heard of the Debian distribution of the Linux kernel and the associated software that make up the thing that you run on your computer or server. It hasn’t been everyone’s first choice for a distribution, but so many other projects owe their inner workings to borrowed code from the Debian project.

    Valve’s SteamOS.

    Ubuntu Linux.

    There are dozens more here, over a hundred more here, and the maintainers of packages for Debian contribute to hundreds of other free software projects that keep the very fabric of the internet, and the systems that serve you in the rest of your life, functioning. It’s been going for twenty-two years.

    Debian is just one of the massive projects that Ian Murdock created, and he’s passed on. Murdock’s recent employer, Docker, has posted a memorial as has Debian.

    A few months before he passed, Ian wrote an excellent post about how he came to find out about Linux and the people who made it:

    I became enraptured not so much by Linux itself as by the process in which it had been created–hundreds of people hacking away at their own little corner of the system and using the Internet to swap code, slowly but surely making the system better with each change–and set out to make my own contribution to the growing community, a new distribution called Debian that would be easier to use and more robust because it would be built and maintained collaboratively by its users, much like Linux.

  • Valve put out a statement today about the recent leak of user information via cached pages being presented to anyone who visited the Steam website on the 25th. Notably, if you didn’t visit the website during the attack, your information should be safe:

    On December 25th, a configuration error resulted in some users seeing Steam Store pages generated for other users. Between 11:50 PST and 13:20 PST store page requests for about 34k users, which contained sensitive personal information, may have been returned and seen by other users.

    The content of these requests varied by page, but some pages included a Steam user’s billing address, the last four digits of their Steam Guard phone number, their purchase history, the last two digits of their credit card number, and/or their email address. These cached requests did not include full credit card numbers, user passwords, or enough data to allow logging in as or completing a transaction as another user.

    If you did not browse a Steam Store page with your personal information (such as your account page or a checkout page) in this time frame, that information could not have been shown to another user.

    Valve goes on to note that this issue occurred because of web caching rules implemented during a Distributed Denial of Service (DDoS) attack.

    Those types of attacks are extremely common, and extremely disruptive when they occur.

    Unfortunately, I am very familiar with DDoS attacks, as the ioquake3 master server I operate for every game using the engine has been under daily assault for the past few months. Fortunately we don’t store sensitive user information within that project, though we have far fewer resources to deal with it. I can’t get on board with Valve’s apology.

    It makes sense that mistakes are going to happen in responding to a DDoS, but it is extremely out of the ordinary for those mistakes to include leaking personal data. Valve says that they will contact those whose information was leaked, but the help offered by companies like Valve in response to past leaks has been to offer users time-limited subscription accounts at predatory companies that provide almost no legitimate identity protection services.

    We will see what Valve actually does in response for those who were affected, but this is not an acceptable kind of thing to have happen at what should be a fairly mature institution that has been in operation as an online storefront for over a decade.
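
The failure class in Valve's statement, a shared cache returning a page generated for one user to another, shown as an added example that is not from the original post or from Valve. The statement does not give the actual caching rule, so the blanket cache-by-URL rule, the paths, the `session` cookie name and the page contents here are constructed assumptions.

```python
# Added illustration; not Valve's configuration. All names and data are constructed.
from dataclasses import dataclass, field

@dataclass
class Response:
    body: str
    headers: dict = field(default_factory=dict)

def origin(path, cookies):
    """Constructed origin: /account is personalised, /app/10 is identical for everyone."""
    if path == "/account":
        user = cookies.get("session", "anonymous")
        return Response(f"billing address of {user}",
                        {"Cache-Control": "private, no-store"})
    return Response("store page for app 10", {"Cache-Control": "public, max-age=60"})

def is_shareable(cookies, resp):
    """A response may enter a shared cache only if nothing ties it to one user."""
    cc = resp.headers.get("Cache-Control", "")
    directives = {d.strip().split("=")[0].lower() for d in cc.split(",")}
    if directives & {"private", "no-store", "no-cache"}:
        return False
    if "Set-Cookie" in resp.headers:
        return False
    return "session" not in cookies

class SharedCache:
    def __init__(self, cache_everything):
        # True models an emergency "cache every page, keyed by URL only" rule.
        self.cache_everything = cache_everything
        self.store = {}

    def fetch(self, path, cookies):
        # Hardened mode: requests carrying a session cookie always bypass the cache.
        if path in self.store and (self.cache_everything or "session" not in cookies):
            return self.store[path].body
        resp = origin(path, cookies)
        if self.cache_everything or is_shareable(cookies, resp):
            self.store[path] = resp
        return resp.body

def second_visitor_sees(cache_everything):
    """alice loads her account page, then bob loads his through the same cache."""
    cache = SharedCache(cache_everything)
    cache.fetch("/account", {"session": "alice"})
    return cache.fetch("/account", {"session": "bob"})
```

With the blanket rule, `second_visitor_sees(True)` hands bob the page rendered for alice; with the shareability check, personalised pages never enter the cache while the anonymous store page still does.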

  • The Steam website was completely broken for several hours today. Attempting to load any page on the site would give you another user’s version of that page including any personal details. This was also happening in the desktop client. Users on several sites produced screenshots that included blacked-out versions of pages that had other users’ details such as their billing address and Steam usernames. For example, I was able to load other people’s shopping carts just by visiting the regular cart page. Unlike many other services, the login username on Steam is to be kept secret.

    As of this writing, hours later, logging in to Steam via the website just takes you to a logged-out version of the Steam page. The SteamDB site (not affiliated with Valve or Steam) has written up a note about the outage and security leak with some assumptions about how it happened. I agree with their suggestion to not store credit card details with Steam, or any online vendor, as Sony proved a few years ago when their online storefront was hacked.


  • Brilliant.

  • Cleany Gunhands:

    Hey there. Yeah, thanks for having me. My name is Cleany Gunhands, and I love to clean, but I also have guns for hands instead of regular human hands for hands. I’m stuck in a scary digital hell dimension where I’m thrown into a very messy house or cafe or something and, like, I have to stop a bomb sometimes. There are others there, and they’re always yelling at me, yelling, ‘Dang-it, Cleany! Stop shooting the fridge and help us make these walls strong! We need the strong walls!’ But I’m just trying to clean the fridge, but I can’t because I have hands that aren’t hands, but guns instead of regular human hands.