• Valve put out a statement today about the recent leak of user information via cached pages being presented to anyone who visited the Steam website on the 25th. Notably, if you didn’t visit the website during the attack, your information should be safe:

    On December 25th, a configuration error resulted in some users seeing Steam Store pages generated for other users. Between 11:50 PST and 13:20 PST store page requests for about 34k users, which contained sensitive personal information, may have been returned and seen by other users.

    The content of these requests varied by page, but some pages included a Steam user’s billing address, the last four digits of their Steam Guard phone number, their purchase history, the last two digits of their credit card number, and/or their email address. These cached requests did not include full credit card numbers, user passwords, or enough data to allow logging in as or completing a transaction as another user.

    If you did not browse a Steam Store page with your personal information (such as your account page or a checkout page) in this time frame, that information could not have been shown to another user.

    Valve goes on to note that this issue occurred because of web caching rules implemented during a Distributed Denial of Service (DDoS) attack.

    Those types of attacks are extremely common, and extremely disruptive when they occur.

    Unfortunately I am very familiar with DDoS attacks, as the ioquake3 master server I operate for every game using the engine has been under daily assault for the past few months. Fortunately we don’t store sensitive user information within that project, though we have far fewer resources to deal with it. I can’t get on board with Valve’s apology.

    It makes sense that mistakes are going to happen in responding to a DDoS, but it is extremely out of the ordinary for those mistakes to include leaking personal data. Valve says that they will contact those whose information was leaked, but the help offered by companies like Valve in response to past leaks has been to offer users time-limited subscription accounts at predatory companies that provide almost no legitimate identity protection services.

    We will see what Valve actually does in response for those who were affected, but this is not an acceptable kind of thing to have happen at what should be a fairly mature institution that has been in operation as an online storefront for over a decade.

  • The Steam website was completely broken for several hours today. Attempting to load any page on the site would give you another user’s version of that page, including any personal details. This was also happening in the desktop client. Users on several sites produced screenshots that included blacked-out versions of pages that had other users’ details such as their billing address and Steam usernames. For example, I was able to load other people’s shopping carts just by visiting the regular cart page. Unlike many other services, the login username on Steam is to be kept secret.

    As of this writing, hours later, logging in to Steam via the website just takes you to a logged-out version of the Steam page. The SteamDB site (not affiliated with Valve or Steam) has written up a note about the outage and security leak with some assumptions about how it happened. I agree with their suggestion to not store credit card details with Steam, or any online vendor, as Sony proved a few years ago when their online storefront was hacked.
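The Valve statement and the first-hand account of the outage above describe the same failure: a shared cache handing one user’s personalised store page to the next visitor. The following Python model is added here and is not from the original post, from Valve or from SteamDB; it simulates a shared cache that keys on URL alone beside one that honours Cache-Control: private / no-store, and the sessions, users and page contents are constructed for the example.

```python
"""Added model of a shared HTTP cache in front of a storefront. A rule that
keys on URL alone and ignores Cache-Control serves one user's personalised
page to the next visitor; honouring private/no-store keeps it out of the cache."""
from dataclasses import dataclass


@dataclass
class Response:
    body: str
    cache_control: str  # value of the origin's Cache-Control header


# Constructed session-cookie -> user mapping standing in for the login state.
SESSIONS = {"sess-A": "alice", "sess-B": "bob"}


def origin(path: str, session: str) -> Response:
    """Constructed origin server: personalises /account for the session."""
    user = SESSIONS.get(session, "anonymous")
    if path.startswith("/account"):
        # Per-user content: the origin already marks it unsafe for shared caches.
        return Response(f"Account page for {user}", "private, no-store")
    return Response("Front page, identical for everyone", "public, max-age=60")


class SharedCache:
    def __init__(self, honor_cache_control: bool):
        # False models an emergency rule that caches every response by URL.
        self.honor_cache_control = honor_cache_control
        self.store: dict[str, Response] = {}

    def fetch(self, path: str, session: str) -> Response:
        if path in self.store:  # URL-only key: no notion of who is asking
            return self.store[path]
        resp = origin(path, session)
        directives = {d.strip() for d in resp.cache_control.split(",")}
        must_not_store = bool(directives & {"private", "no-store"})
        if not (self.honor_cache_control and must_not_store):
            self.store[path] = resp
        return resp


def account_pages_seen(honor_cache_control: bool) -> tuple[str, str]:
    """Alice, then Bob, request their own account page through the cache."""
    cache = SharedCache(honor_cache_control)
    alice_sees = cache.fetch("/account", "sess-A").body
    bob_sees = cache.fetch("/account", "sess-B").body
    return alice_sees, bob_sees
```

With the misconfigured cache Bob receives Alice's account page; with Cache-Control honoured each user sees only their own, while the public front page is still cached in both modes.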


  • Brilliant.

  • Cleany Gunhands:

    Hey there. Yeah, thanks for having me. My name is Cleany Gunhands, and I love to clean, but I also have guns for hands instead of regular human hands for hands. I’m stuck in a scary digital hell dimension where I’m thrown into a very messy house or cafe or something and, like, I have to stop a bomb sometimes. There are others there, and they’re always yelling at me, yelling, ‘Dang-it, Cleany! Stop shooting the fridge and help us make these walls strong! We need the strong walls!’ But I’m just trying to clean the fridge, but I can’t because I have hands that aren’t hands, but guns instead of regular human hands.

  • John Romero posted this video today to Vimeo in celebration of the 25th anniversary of Commander Keen. It’s the first publicly available footage of the Super Mario Bros. 3 demo that id Software pitched to Nintendo. You might have heard about it from David Kushner’s Masters of Doom book (Amazon, iBooks, Wikipedia), which is well worth reading if you haven’t already.