Slashdot Mirror


Valve Announces Massive Steam Server Intrusion

SKYMTL writes "Valve has revealed that hackers have gained access to the Steam database and have pulled a variety of information. A statement from Gabe Newell reads in part: 'Dear Steam Users and Steam Forum Users, Our Steam forums were defaced on the evening of Sunday, November 6. We began investigating and found that the intrusion goes beyond the Steam forums. We learned that intruders obtained access to a Steam database in addition to the forums. This database contained information including user names, hashed and salted passwords, game purchases, email addresses, billing addresses and encrypted credit card information. We do not have evidence that encrypted credit card numbers or personally identifying information were taken by the intruders, or that the protection on credit card numbers or passwords was cracked. We are still investigating. We don’t have evidence of credit card misuse at this time. Nonetheless you should watch your credit card activity and statements closely."

434 comments

  1. Hey gabe by Anonymous Coward · · Score: 4, Interesting

    As a show of good will, how about something extra? We trusted steam, now they have our encrypted credit card info and billing addresses. Origin looks mighty tempting right about now.. with BF3 and all... =)

    1. Re:Hey gabe by kelemvor4 · · Score: 5, Informative

      Origin looks mighty tempting right about now.. with BF3 and all...

      Sure, if you don't mind handing over an inventory of everything on your PC and letting origin do what they want with the information... http://decryptedtech.com/index.php?option=com_k2&view=item&id=257:eas-origin-may-be-a-little-too-intrusive&Itemid=138

    2. Re:Hey gabe by ludomancer · · Score: 4, Insightful

      You're just being stupid for the sake of comedy right?

      Amazon.com looks good right now.
      Fuck, even Best Buy looks good right now.

      Origin looks like the exact same crap, but with a much less trustworthy company in charge of it. EA would sell all that personal information straight to the hackers if it meant they could turn a profit.

    3. Re:Hey gabe by Mashiki · · Score: 5, Insightful

      Even after this, I still trust Valve more than I trust EA. Hell Valve could kill kittens and use their blood to fuel their servers, and I'd still trust them more than EA. One only needs to look into the past and see how much EA has treated not only their customers as dirt, but their employees.

      --
      Om, nomnomnom...
    4. Re:Hey gabe by rahvin112 · · Score: 2

They could require a ritual human sacrifice every time I start a game and I would STILL trust them more than EA.

      It would be better if they didn't have the database but encrypted info isn't much value as long as they didn't get the salt values or private keys with the data.

    5. Re:Hey gabe by Ant+P. · · Score: 5, Informative

      Yeah, so far Valve's credit card database has been stolen, but EA customers are the ones getting money stolen from their bank accounts.

    6. Re:Hey gabe by rapidreload · · Score: 5, Funny

      Hell Valve could kill kittens and use their blood to fuel their servers

      Wait... are you saying kitteh sacrifices are NOT part of standard server administration? Shit, I'm not quite sure what my boss is going to say when he finds out how I run things...

      --
      To all newcomers - people here are very close-minded and can't handle complaints about Linux. Keep this in mind.
    7. Re:Hey gabe by moderatorrater · · Score: 1

      Assume they got the salt values, since those are stored in the database with the hash almost every time.

      The encryption keys are more of a question mark, but if an attacker is able to get your databases and deface your site, it's probably a good bet that they got your keys as well.

    8. Re:Hey gabe by bronney · · Score: 0

      Only if the sacrifice is a virgin female.

    9. Re:Hey gabe by logjon · · Score: 0

      That depends on how it was done and where the keys were stored. Could be something as simple as SQL injection. Doesn't mean their entire server cluster got compromised.

      --
      The stories and info posted here are artistic works of fiction and falsehood.
      Only fools would take it as fact.
    10. Re:Hey gabe by Bert64 · · Score: 1

      Just because the data was "encrypted", doesn't mean it's secure... The data has to be used somehow, so the keys necessary to decrypt it must be somewhere and if the data needs to be used online then the keys must be online too making it less encryption and more obfuscation... Basically only a matter of time and skill to work out where the keys are stored and how to use them.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    11. Re:Hey gabe by c0mpliant · · Score: 1

That would be pretty stupid in fairness. Salt is used to feck up a rainbow table attack; even if they got the salt values they would need to generate new rainbow tables. If you followed password guidelines (long, complex) it should be ok; it takes too long to generate salt tables for anything beyond 9 characters. I disagree with your assessment about the encryption keys. Yeah, it's possible they have them, but it's more likely they don't have them. There are any number of ways to get access to your databases and deface your site without them.

      --
      There is no -1 disagree
    12. Re:Hey gabe by Xest · · Score: 1

      I hate to defend EA but that article sounds like a complete load of paranoid bollocks.

      What EA say is:

      "EA may also use this information combined with personal information for marketing purposes and to improve our products and services."

      What the article says is:

"Now, many companies collect hardware and peripheral data along with the installed version of the OS for a customer, but to actually say that a user's personal information can be used for marketing is a little bit much."

Sorry what? EA hasn't said anything about extracting personal information from your computer or anything, they've just said they may combine the technical information (i.e. your hardware specs) with personal information for directed marketing. Now, I don't like this but this is nothing new, this is what Valve do too. Certainly on the evil scale I don't even think it's any worse than tracking cookies on the internet using my habits to personalise advertising to me, yet people let that happen day in day out without a flinch.

      That article seems to sell this EULA as some evil new thing, that's absolutely horrendous and terrible, but it looks to me like every other software EULA I've seen in the last few years - there's certainly nothing in there that you haven't accepted if you've played many other games in the last decade.

      The article even quotes this bit:

"EA will never share your personal information with third parties without your consent. We may, however, share anonymous, non-personal, aggregated and/or public information with third parties."

      Which they then turn into this:

"The hitch here is that by clicking on the “I agree” check box you are giving your consent."

      Sorry, no, you're agreeing to the EULA, not giving your consent to pass on your data to a 3rd party.

Again I hate to defend EA, but that URL is pure 100% paranoid FUD. It's like the person that wrote it has just figured out that EULAs contain some bad shit or something - well duh, yeah, they have, for a long long time.

      But hey, they got their page hits now I guess, that's all that matters. Oh, and just ignore the tailored banner ads powered by tracking cookies and benefiting from the on page Facebook and Twitter integration that link in your personal details with your page visit and ad views, none of which you were even warned about in an EULA before you visited the page will you?

    13. Re:Hey gabe by inasity_rules · · Score: 1

      I wouldn't worry. He'd be too scared to say anything. Just smile and wave....

      --
      I have determined that my sig is indeterminate.
    14. Re:Hey gabe by LoudNoiseElitist · · Score: 1

      Did you seriously just make a remark about private and sensitive data and then fucking mention Origin?

      No, surely you didn't.

      Oh wait. You did.

    15. Re:Hey gabe by snemarch · · Score: 1

      Better if they sacrifice attractive males - more virgin females for the rest of us.

      --
      Coffee-driven development.
    16. Re:Hey gabe by WarlockD · · Score: 1

      I trust my dog not to poop in my kitchen more than I trust EA with any of my information.

      Doesn't mean I am going to toss out my dog or not buy BF3:P

    17. Re:Hey gabe by Anguirel · · Score: 1

      From what I understand, the data is used in an encrypted form, and there is no way to decrypt it (at least, not on the server directly). It's a one-way encryption function, and they never need to manipulate or view the data so encrypted after they've stored it. When you type in your password, they run the same encryption function on what you typed and see if it (now encrypted) matches the stored encrypted data.

      --
      ~Anguirel (lit. Living Star-Iron)
      QA: The art of telling someone that their baby is ugly without getting punched.
    18. Re:Hey gabe by moderatorrater · · Score: 1

      I think you mistake what a salt value is. The salt value should be different for every password stored in the database so that a rainbow table can't be generated at all. It forces the attacker to crack each password in the database separately.

      As for the encryption keys, again, as soon as they have access to the database they have the hash values for the admin users and can start acting as an admin on the site. Once that happens a good attacker can leverage that to even greater access to the system, either by cracking the admin user's passwords and seeing if they used the same one on the servers or by leveraging admin tools, which often have less security than the front end.

      So, like I said, the salt values are probably on the database table since they have to have one salt per user, and the encryption keys are less likely to be compromised but the safest assumption would be that they have been since they now have some damn good leverage to continue exploiting the servers.

    19. Re:Hey gabe by I+Read+Good · · Score: 1

      You just linked to a reddit post of a screen shot from 4chan. Are you retarded? How is that informative?

    20. Re:Hey gabe by Mashiki · · Score: 1

      I dunno. EA shitting on the living room rug is a high possibility. :P

      --
      Om, nomnomnom...
    21. Re:Hey gabe by Anonymous Coward · · Score: 0

      As I understand it, salted and hashed credit card numbers have been exposed and some forum auth credentials. While not a good indication of security practices, it is not as serious in and of itself.

  2. Proper back end hashing and encryption? by Anonymous Coward · · Score: 5, Insightful

    Awesome. Sounds like they were doing things right.

    1. Re:Proper back end hashing and encryption? by ackthpt · · Score: 5, Funny

      Awesome. Sounds like they were doing things right.

      Yeah, sounds like they did better than most businesses *cough* Sony *cough* who probably kept everything in a big ol' text file.

      which was named readme.txt

      --

      A feeling of having made the same mistake before: Deja Foobar
    2. Re:Proper back end hashing and encryption? by pixelpusher220 · · Score: 5, Funny

      please, they aren't that stupid.

      They called it 'dontreadme.txt'

      --
      People in cars cause accidents....accidents in cars cause people :-D
    3. Re:Proper back end hashing and encryption? by muon-catalyzed · · Score: 5, Insightful

...until some external auditor confirms this, better start the identity theft ritual (credit card pulls etc.)

    4. Re:Proper back end hashing and encryption? by BenJCarter · · Score: 1, Funny

      "People in cars cause accidents....accidents in cars cause people" Sorry for off topic. Sig made me lol!

      --
      For in politics, as in religion, it is equally absurd to aim at making proselytes by fire and sword. - Publius
    5. Re:Proper back end hashing and encryption? by X0563511 · · Score: 2

      All my cards already got compromised. Whee. I think some merchant somewhere was doing exactly what the PCI-DSS council says not to do.

      Fortunately they all have 'zero liability' - wonder how long that will last? In my case, the best the hackers got were deactivated card numbers and a password that just became useless.

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    6. Re:Proper back end hashing and encryption? by hairyfeet · · Score: 2

Exactly, as long as they used good solid encryption (after all technically encryption could include ROT13 so we can't judge by simply saying it's encrypted) along with salting one shouldn't have anything to worry about, although it does make me feel a little better about never having them save my CC numbers for future purchases.

But frankly they'll have to do a lot worse to run me off, because between Steam, GOG, and Amazon I don't have to deal with irritating retail anymore which makes me VERY happy. Steam also makes it easy to just gift games to my nephews without any hassle, and frankly where else is there to go? Origin? I wouldn't trust EA any farther than I can throw their fattest CxO; looking at their EULA it pretty much reads as "We can do what we want, when we want, tough shit". The second I start seeing 'third party' in the EULAs I start backing away as IMHO that usually ends up being a code phrase for "We sell your info to anybody with a dollar". No thanks, Steam "just works".

      --
      ACs don't waste your time replying, your posts are never seen by me.
    7. Re:Proper back end hashing and encryption? by Zaphod+The+42nd · · Score: 1

      please, they aren't that stupid. They called it 'dontreadme.txt'

      If I could mod this 6 Funny I would.

      --
      GCS/MU/P d- s:- a-- C++++$ UL++ P+ L++ E+ W++ N o K- w--- O M+ V- PS+++ PE Y+ PGP t+ 5- X R++ tv+ b++ DI++ D++ G+ e++ h-
    8. Re:Proper back end hashing and encryption? by Imrik · · Score: 1

      I think people would be more inclined to read dontreadme.txt than readme.txt, people are funny like that.

    9. Re:Proper back end hashing and encryption? by icebraining · · Score: 3, Informative

      Uh, no. Sony stored over 1M password in cleartext.

      http://www.troyhunt.com/2011/06/brief-sony-password-analysis.html

    10. Re:Proper back end hashing and encryption? by MagusSlurpy · · Score: 3, Informative

      Don't forget the 12,700 credit card numbers stored in cleartext. But that's no biggie, because only a thousand of them were still active Sony customers.

      --
      My sister opened a computer store in Hawaii. She sells C shells by the seashore.
    11. Re:Proper back end hashing and encryption? by Mitchell314 · · Score: 1

      If only they just named it EULA.txt, nobody's information would have been stolen. :P

      --
      I read TFA and all I got was this lousy cookie
    12. Re:Proper back end hashing and encryption? by Sycraft-fu · · Score: 1

      Zero liability will last until the law is changed. The reason they all have it is they are required to by law. You are not responsible for any unauthorized purchases on a credit card.

    13. Re:Proper back end hashing and encryption? by Anonymous Coward · · Score: 0

      Haha, a sony fanboy who doesn't actually know what he's talking about. Who would have thought?

    14. Re:Proper back end hashing and encryption? by Anonymous Coward · · Score: 0

      PCI-DSS is somewhat flawed...
      For one thing if you have your servers in an active directory domain, the domain controller itself can be considered out of scope for the audit, despite the fact that if you compromise it you now have full control over the member servers. They state that it's ok so long as "the permissions are set correctly", while completely ignoring the fact that if you compromise the device responsible for setting those permissions then they're all rather useless.

      Similarly the requirement to encrypt card data is often negated by storing the keys on the same systems, which really only raises the bar very slightly vs having the data sitting around in plaintext.

      Most of these standards are created by non technical people who don't really understand the implications.

    15. Re:Proper back end hashing and encryption? by mobby_6kl · · Score: 1

      I don't see why you trust Steam then, seeing as how you couldn't throw their fattest CEO very far either.

    16. Re:Proper back end hashing and encryption? by ZeRu · · Score: 1

      Far more likely it was named passwords.txt

      --
      If you post as an AC, don't expect me to spend a mod point on you.
    17. Re:Proper back end hashing and encryption? by Canazza · · Score: 2

      yes, but with gabe you can use portals to fling him.

      --
      It pays to be obvious, especially if you have a reputation for being subtle.
    18. Re:Proper back end hashing and encryption? by hairyfeet · · Score: 2

      Because Gabe strikes me as the type of guy you could go get a beer with while the CxOs at EA strike me as the kind that would skip out while you were taking a piss just to stick you with the tab.

Call me weird but attitude and how you treat those around you counts for something with me and old Gabe has always seemed like a pretty straight shooter. Plus when Steam actually has a sale it's a SALE, with EA it has always been "hey we're giving you a dollar off, it's a whole dollar!". Last Steam sale I picked up the FEAR 1&2 series, 5 games for $6.79. Now be honest, can you EVER picture EA allowing even ONE game much less FIVE to be sold for less than $7?

I'm just glad I got my boys on Steam as I fricking HATED dealing with Xmas shopping for them, as everything they wanted always seemed to be back ordered. Now they are counting down to the Steam sale to see how many games they can score. Go Steam!

      --
      ACs don't waste your time replying, your posts are never seen by me.
    19. Re:Proper back end hashing and encryption? by heathen_01 · · Score: 1

      No thanks, Steam "just works".

      Steam may not be as bad as EA, however it is still DRM, and "Steam just works" is demonstrably false.

    20. Re:Proper back end hashing and encryption? by Anonymous Coward · · Score: 0

      How about people who tried to purchase in Steam via PayPal?

    21. Re:Proper back end hashing and encryption? by X0563511 · · Score: 1

      Most of these standards are created by non technical people who don't really understand the implications.

      Rather, they seem to be implemented by non-technical people who don't really understand the implications. When this is NOT so, you find that well secured systems tend to be 'naturally' compliant.

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    22. Re:Proper back end hashing and encryption? by pixelpusher220 · · Score: 1

      whooosh

      --
      People in cars cause accidents....accidents in cars cause people :-D
    23. Re:Proper back end hashing and encryption? by wjousts · · Score: 1

      Because Gabe strikes me as the type of guy you could go get a beer with

      Beer? You sure that ain't cool-aid?

    24. Re:Proper back end hashing and encryption? by michelcolman · · Score: 1

      I just tried to change my Steam password after reading this article. First I got a window "busy", then a second window "Steam cannot process your request at this time, try again later". Wonderful.

    25. Re:Proper back end hashing and encryption? by X0563511 · · Score: 2

      Didn't have any trouble myself.

      Sounds silly, but try changing your download location first in the settings, you might have better luck connecting via a different 'path'

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    26. Re:Proper back end hashing and encryption? by Anonymous Coward · · Score: 0

      You do realize that all of the PSN CC info was encrypted and the passwords hashed just like this, right? The fact that such blatant falsehoods get modded 5 is pretty fucking atrocious. This community should be ashamed of itself.

    27. Re:Proper back end hashing and encryption? by Pence128 · · Score: 1

      From an above post: A brief Sony password analysis.

      --
      404: sig not found.
    28. Re:Proper back end hashing and encryption? by cbsmth · · Score: 1

      Awesome. Sounds like they were doing things right.

      To be blunt and brutish: No, no and *no*. Until not that long ago, I too believed that hashing and salting was the Right Way, but it seems Moore's Law got us on that one as well. As this article explains, most general-purpose hashing algorithms - like SHA2 and (the hopefully obsolete) MD5 - are designed for speedy computation, not for password security. Salting adds a layer of security indeed, fighting the much clamored rainbow tables, but it turns out CPU cycles are easy enough to come by now to crack truly *vast* amounts of "bad" hashes in nominal time. If you currently rely on SHAx or MD5, suspect you might one day need to design a password storage system, or simply have an interest, do read that article right away, then do some more research.

      --
      Truth isn't Black and White, it's HSLA.
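Two arguments in this thread are worth seeing in working code: moderatorrater's point (reply 18 under "Hey gabe") that a per-user salt stored right beside the hash still forces an attacker to crack each account separately, and cbsmth's point directly above that a salted but fast hash like SHA-2 only buys so much once CPU cycles are cheap. The following is an added example of mine, not code from Valve or from any commenter. It assumes Python's standard-library `hashlib.scrypt` as the slow KDF, cost parameters I picked for the demo, and a small constructed list of common passwords standing in for an attacker's precomputed table.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass

# Constructed stand-in for the precomputed tables an attacker brings to an
# unsalted dump (assumption: any short list illustrates the point).
COMMON_PASSWORDS = ["123456", "password", "letmein", "qwerty", "dragon"]

# --- scheme 1: one fast hash, no salt ---------------------------------------
def unsalted_sha256(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()

def build_lookup_table(candidates):
    """Precompute hash -> plaintext once; the same table then answers every account."""
    return {unsalted_sha256(p): p for p in candidates}

# --- scheme 2: fast hash with a per-user random salt -------------------------
def salted_sha256(password: str, salt: bytes) -> str:
    return hashlib.sha256(salt + password.encode()).hexdigest()

# --- scheme 3: per-user salt plus a deliberately expensive KDF ---------------
# scrypt cost parameters (assumption: chosen for this demo, about 16 MiB of RAM per guess).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1

@dataclass(frozen=True)
class PasswordRecord:
    """What the database row holds: the salt sits beside the digest, as moderatorrater says."""
    salt: bytes
    digest: bytes
    n: int
    r: int
    p: int

def hash_password(password: str) -> PasswordRecord:
    salt = os.urandom(16)  # fresh random salt for every record
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return PasswordRecord(salt, digest, SCRYPT_N, SCRYPT_R, SCRYPT_P)

def verify_password(password: str, record: PasswordRecord) -> bool:
    candidate = hashlib.scrypt(password.encode(), salt=record.salt,
                               n=record.n, r=record.r, p=record.p, dklen=32)
    return hmac.compare_digest(candidate, record.digest)  # constant-time comparison

def compare_schemes(victim_password: str) -> dict:
    """Show what a stolen database row gives an attacker under each scheme."""
    table = build_lookup_table(COMMON_PASSWORDS)

    # Scheme 1: the stolen digest is a key straight into the precomputed table.
    unsalted_hit = table.get(unsalted_sha256(victim_password))

    # Scheme 2: the same table is useless even though the salt is in the dump;
    # the attacker has to rebuild it for every user.
    salt = os.urandom(16)
    salted_hit = table.get(salted_sha256(victim_password, salt))

    # Scheme 3: two users with the same password get unrelated records...
    rec_a, rec_b = hash_password(victim_password), hash_password(victim_password)

    # ...and every guess costs one full scrypt instead of one SHA-256.
    t0 = time.perf_counter()
    for _ in range(1000):
        salted_sha256(victim_password, rec_a.salt)
    fast_guess = max((time.perf_counter() - t0) / 1000, 1e-9)
    t0 = time.perf_counter()
    verify_password(victim_password, rec_a)
    slow_guess = time.perf_counter() - t0

    return {
        "unsalted_table_hit": unsalted_hit,          # "password": cracked by lookup
        "salted_table_hit": salted_hit,              # None: table does not apply
        "same_password_same_digest": rec_a.digest == rec_b.digest,  # False
        "kdf_slowdown_factor": slow_guess / fast_guess,             # >> 1
    }

if __name__ == "__main__":
    for name, value in compare_schemes("password").items():
        print(f"{name}: {value}")
```

The salt does not need to be secret, which is why keeping it in the same row as the digest is fine; what it buys is that precomputation is worthless and identical passwords hash differently. The slowdown factor is the part cbsmth is talking about: the cost parameters, not the salt, decide how many guesses per second a stolen dump allows, and they can be raised over time as hardware improves by re-hashing at next login.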
  3. Hilarity by OverlordQ · · Score: 2, Insightful

    Valve gets hacked, account details likely stolen, account information hashed and salted, Gabe still praised.
Sony gets hacked, accounts details stolen, account information hashed and salted, Sony run through the wringer.

    Love to see the hivemind at work.

    --
    Your hair look like poop, Bob! - Wanker.
    1. Re:Hilarity by Anonymous Coward · · Score: 5, Insightful

      The difference is in part due to how the attacks were handled by the respective companies, and in part due to the fact that Sony is run by gigantic cocks while Valve isn't.

    2. Re:Hilarity by mr_da3m0n · · Score: 4, Insightful

I think it may have to do with Gabe being honest about it and immediately going "Yeah it happened, here's what they got, terribly sorry about that :(" Also given the man's track record, I'd personally be more forgiving, when comparing to Sony's track record.

    3. Re:Hilarity by Gravatron · · Score: 1, Insightful

      Sony announced it rather quickly, brought the network down till it was fixed, and gave everyone free games and a year of ID theft protection. What, exactly, was Sony's major problem in how they handled things?

    4. Re:Hilarity by ewanm89 · · Score: 4, Informative

Well, Steam is fundamentally different from Sony:
      1. No-one told you you had to store credit card details in steam, they support paypal which prevents this being an issue.
      2. At least they told their users in a prompt manner.
      3. It sounds like the information was properly encrypted and stored, this did not sound true with Sony.

    5. Re:Hilarity by gman003 · · Score: 4, Informative

      There was much miscommunication last time - a Sony executive said the credit card info was unencrypted. Which immediately launched a massive wave of "WTF?" from everyone with even a passing knowledge of security.

      There's also the fact that the intrusion targeted the Steam forums, which have distinct accounts from Steam itself. People probably use the same password on both (I think I might've), but it's still slightly better.

      And you can't forget the main difference - people can still play their games. During the Sony hacks, people were locked out of online play for quite some time. And people (being stupid) care more about getting their CoD on than not getting their credit cards stolen.

      Still not unforgivable, but the fact that Valve is immediately going "we fucked up, we're trying to fix it, here's exactly what's going on" rather than Sony's "We are aware of outages but won't even say that we got hacked for several days". Honesty counts for a lot.

    6. Re:Hilarity by Anonymous Coward · · Score: 0

      Valve gets hacked, account details likely stolen, account information hashed and salted, Gabe still praised.
Sony gets hacked, accounts details stolen, account information hashed and salted, Sony run through the wringer.

      Love to see the hivemind at work.

      They owned up to it immediately, they didn't wait several weeks, and deny anything happened several times.

    7. Re:Hilarity by Gravatron · · Score: 1

      CC info was indeed encrypted on Sony's end, it was personal details like address that was not.

    8. Re:Hilarity by ewanm89 · · Score: 5, Insightful

      Shall we go into how they fired their whole network security team the week before, or the fact the attacks on Sony were orchestrated as a retaliatory strike on them for certain lawsuits (I'm not saying it's right) just there were lots more factors to those specific attacks than just "we were hacked".

    9. Re:Hilarity by ewanm89 · · Score: 1

      The forum account password and the steam account password are linked.

    10. Re:Hilarity by somersault · · Score: 1

      No-one told you you had to store credit card details in steam

      Did somebody tell you to store your credit card details on PSN?

      --
      which is totally what she said
    11. Re:Hilarity by Moheeheeko · · Score: 5, Interesting

The fact that all evidence suggests that all credit card info was unencrypted on the Sony server. And no, Sony didn't announce shit until the network had been down for 2 weeks, up until that point they just claimed "maintenance".

    12. Re:Hilarity by bloodhawk · · Score: 1, Funny

The guy has just admitted they stuffed up. They had a responsibility to protect your data that they force you to provide. This is the equivalent of being raped in a police station and then being happy that the cops admitted it happened and are very sorry about it.

    13. Re:Hilarity by Anonymous Coward · · Score: 0

      Valve is being upfront, and transparent. Sony would barely admit they were hacked initially with details of the hack getting worse over the weeks after the hack. The difference here is Valve is telling everyone exactly what they need to know upfront. Please troll elsewhere.

    14. Re:Hilarity by Anonymous Coward · · Score: 5, Interesting

      Couple of big differences in this case and the Sony case, though. So far, Valve is far ahead of Sony. In order to be on Sony's level, Valve would have to:

      1. Completely shut down the service for a week with no explanation.
      2. Keep the service offline for an additional month after admitting that they had been compromised.
      3. Claim that passwords were stored unencrypted, then when called on that, claim that they meant hashed. But not salted.
4. Allow unencrypted credit card data to be stolen. (PSN users reported suspicious activity on their cards, and I know my bank sent me a new card due to the breach.)
      5. In order to make up for the outage, offer a "free month" of "premium" service that A) is a limited time offer and B) requires a subscription fee to continue to use any content accessed during that time.
      6. Later have it determined that the vulnerability was caused by an Apache server that was left unpatched for over two years.

      I think that about covers the differences.

    15. Re:Hilarity by gman003 · · Score: 2

      Yes - but some Sony exec stated otherwise, which caused no end of confusion even after they corrected the statement.

    16. Re:Hilarity by Stan92057 · · Score: 1

It Sounds Like?? That doesn't make me feel any safer.

      --
      Jack of all trades,master of none
    17. Re:Hilarity by Local+ID10T · · Score: 3, Insightful

The guy has just admitted they stuffed up. They had a responsibility to protect your data that they force you to provide. This is the equivalent of being raped in a police station and then being happy that the cops admitted it happened and are very sorry about it.

      If you think this situation is anything like being raped -you do not know what rape is...

      --
      "You want to know how to help your kids? Leave them the fuck alone." -George Carlin
    18. Re:Hilarity by Kenja · · Score: 1

And of course the large number of CC fraud reports from Sony customers right after the event lends some credence to the idea that the numbers were not encrypted, or at least not encrypted well.

      --

      "Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
    19. Re:Hilarity by Gravatron · · Score: 1

Citation needed? I remember them saying the CC info was indeed encrypted. And they announced it sooner than that I believe.

    20. Re:Hilarity by Joehonkie · · Score: 2, Insightful

      Yes, this is exactly like being raped. At a police station. Exactly the same.

    21. Re:Hilarity by Gravatron · · Score: 1

Who cares? An exec misspeaking doesn't suddenly mean it was all in clear text.

    22. Re:Hilarity by Kenja · · Score: 3, Informative

      Unless you disabled the security checks, you can not log into steam from an untrusted computer. If you try to do so, you will be asked to enter a code that is emailed to the account holder.

      --

      "Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
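Kenja's point above, that a stolen password alone does not log an attacker in from an untrusted computer because a code is emailed to the account holder first, is a device-trust check layered after password verification. Here is an added example of mine (not Valve's Steam Guard code, whose real code format, lifetime and limits are not given on this page) showing the pieces such a check needs: a random single-use code, an expiry, an attempt limit, a constant-time comparison, and a trusted-device list that can be wiped after a password reset. The mail system is replaced by a constructed outbox so it runs offline; the code alphabet, lifetime and attempt limit are assumptions for the demo.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Policy knobs: assumptions for this demo, not Steam's real values.
CODE_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"   # no 0/O/1/I, so codes survive retyping
CODE_LENGTH = 5
CODE_TTL_SECONDS = 10 * 60
MAX_ATTEMPTS = 5

@dataclass
class Challenge:
    code_hash: bytes
    expires_at: float
    attempts: int = 0

def _hash_code(code: str) -> bytes:
    # Codes are short-lived and single-use; hashing just keeps plaintext codes out of storage.
    return hashlib.sha256(code.encode()).digest()

class DeviceGuard:
    """Second step after a correct password: unknown devices must present an emailed code."""

    def __init__(self, now=time.time):
        self.now = now            # injectable clock so expiry can be tested
        self.trusted = set()      # (user, device_id) pairs that already passed
        self.pending = {}         # (user, device_id) -> Challenge
        self.outbox = []          # constructed stand-in for the mail system: (email, code)

    def login(self, user: str, device_id: str, email: str) -> str:
        """Called only after the password has already been verified."""
        key = (user, device_id)
        if key in self.trusted:
            return "ok"
        code = "".join(secrets.choice(CODE_ALPHABET) for _ in range(CODE_LENGTH))
        self.pending[key] = Challenge(_hash_code(code), self.now() + CODE_TTL_SECONDS)
        self.outbox.append((email, code))   # the second factor lives in the mailbox
        return "code_required"

    def confirm(self, user: str, device_id: str, code: str) -> str:
        key = (user, device_id)
        challenge = self.pending.get(key)
        if challenge is None:
            return "no_challenge"
        if self.now() > challenge.expires_at:
            del self.pending[key]
            return "expired"
        presented = _hash_code(code.strip().upper())
        if not hmac.compare_digest(presented, challenge.code_hash):
            challenge.attempts += 1
            if challenge.attempts >= MAX_ATTEMPTS:
                del self.pending[key]       # burn the code; a fresh login is required
                return "locked"
            return "invalid"
        del self.pending[key]               # single use
        self.trusted.add(key)
        return "ok"

    def revoke_all(self, user: str) -> None:
        """Run after a password reset or a breach notice: no device stays trusted."""
        self.trusted = {k for k in self.trusted if k[0] != user}
        self.pending = {k for k in self.pending if k[0] != user} and {
            k: v for k, v in self.pending.items() if k[0] != user} or {}

if __name__ == "__main__":
    guard = DeviceGuard()
    print(guard.login("alice", "laptop", "alice@example.invalid"))   # code_required
    _, sent_code = guard.outbox[-1]
    print(guard.confirm("alice", "laptop", sent_code))               # ok
    print(guard.login("alice", "laptop", "alice@example.invalid"))   # ok
```

The limits are what make this more than a speed bump: without an attempt cap a five-character code is guessable, and without expiry a code intercepted later still works. The weak point Kenja names in a later reply stays: the factor is the mailbox, so a password reused on the mail account gives the attacker the code too, which is why the trusted list should be revoked when a breach notice goes out.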
    23. Re:Hilarity by Baloroth · · Score: 2

      Ummm, no? Unless you mean something weird by "linked", forum and Steam accounts are separate.

      --
      "None can love freedom heartily, but good men; the rest love not freedom, but license." --John Milton
    24. Re:Hilarity by Gravatron · · Score: 0, Troll

Except the hack was really all that mattered in the end. I still hope they find the SOBs that did it and have their pimply arses thrown in jail. You see I'm a bit bitter about entitlement-complexed hackers stealing my info because Sony wouldn't let them pirate games.

    25. Re:Hilarity by Anonymous Coward · · Score: 4, Funny

      Yeah... it's more like getting roofied, and then being told about it 4 days later.

    26. Re:Hilarity by Cyberllama · · Score: 4, Informative

      Well, let's start with the fact that PSN intrusion was just one of 23 separate incidents for Sony within a time frame of just a couple of months.

    27. Re:Hilarity by Anonymous Coward · · Score: 2, Informative

You see I'm a bit bitter about entitlement-complexed hackers stealing my info because Sony wouldn't let them pirate games.

      Then you'll be pleased to know that this is not in fact what happened.

    28. Re:Hilarity by Daetrin · · Score: 1

      In the period between when the exec, a reasonable authority figure in this case, said the credit card info was unencrypted and when it was confirmed that it actually was encrypted it was entirely reasonable for everyone to be worried and pissed off at Sony. Finding out the truth later is a pretty good reason to stop worrying (as much) but it provides an entirely different reason to be pissed off at Sony.

      --
      This Space Intentionally Left Blank
    29. Re:Hilarity by Gravatron · · Score: 1

      Do you have a citation for the exec part btw, I honestly don't remember that. And again, in the end the info was properly secured. I don't see why people keep bringing it up as a bash against them over, and over again. Hell, it's been mentioned several times in this thread alone.

    30. Re:Hilarity by X0563511 · · Score: 2

      Ignoring the rape comparison, I would be happy they admitted it. Would you prefer they pretend it didn't happen, and go "la la la la we didn't see it"?

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    31. Re:Hilarity by X0563511 · · Score: 1

      Yea, and how many people do you think probably use the same password? Not everyone knows of such things as KeePass.

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    32. Re:Hilarity by Kenja · · Score: 1

      The password doesn't matter. You can't log into Steam from an untrusted computer without access to the email account.

      --

      "Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
    33. Re:Hilarity by Kenja · · Score: 1

      Think I understand what you're saying, what if they use the same password for gmail etc. That's an issue to be sure. Especially if you used the same gmail account to register with steam.

      --

      "Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
    34. Re:Hilarity by Anonymous Coward · · Score: 0

      Yes just like PR drones saying "CC data was encrypted" doesn't suddenly make it true.

      The simple fact is that Sony has frequently screwed its customers, lied to them, defrauded them and put them at risk.
      There is no customer trust in Sony left except for gullible fools. The same cannot be said of Valve.

    35. Re:Hilarity by Sitnalta · · Score: 4, Insightful

      Yes, but Sony stored customer data as PLAIN TEXT. Their security was a joke and they deserved all the bad press they got.

      Valve on the other hand had all sensitive data encrypted. Which means that the hackers likely got nothing but useless gobbledygook.

    36. Re:Hilarity by LordLimecat · · Score: 1

      Because when Sony was hacked, NOT ONLY were they offline for a month, and NOT ONLY were their restoration estimates wildly inaccurate, but additionally they were storing data either unencrypted or weakly encrypted, so that the upshot was 62+ million records were compromised.

      In this situation, the data seems to have been well protected so that they simply need to make sure no "gifts" were left by the intrusion, and run an audit on their network. They don't need to, for example, buy 1 year of crappy credit protection for all of their customers.

      Incidentally, I think Sony's followup to the hack was pretty good, though it doesn't really excuse the mess they caused. Compensation for downtime? Check. Credit protection (albeit only for a year)? Check. Free games, and other goodies? Check.

      In a lot of ways, these scenarios show the worst, and the best, of capitalism. Sometimes it leads to short-sighted cost-saving; but at the end of the day the corporation is beholden to its customers, and as we saw (with Sony) and are seeing now, the corporations will work REALLY hard to win back your favor if they screw up. And in this situation, I don't think there's evidence yet to suggest endemic lax security at Valve - it could very well be an admin whose password was weak or who wrote it down.

    37. Re:Hilarity by CastrTroy · · Score: 1

      Did they really "force" you to provide that information? Do they "force" you to buy games off them? If you don't like the terms of service, then don't buy from them. Personally I don't use my credit card at any online store that doesn't expressly state that the information isn't saved on their servers. There's no reason they should need to maintain this information. I have no problem entering the information each and every time I want to purchase something. For many sites I'll use Paypal, so that they don't even have access to my credit card number in the first place.

      --

      Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
    38. Re:Hilarity by Gravatron · · Score: 1, Informative

      Well, they stored passwords and CC info as encrypted, but so did Sony. It's just FUD that Sony stored everything in clear text.

    39. Re:Hilarity by Unoriginal_Nickname · · Score: 3, Interesting

      Be warned, the following is only hearsay:

      The CC info was encrypted in the database, and Sony used a separate internal-facing server to handle credit card transactions. The problem is, the transaction server wasn't configured properly; unencrypted credit card numbers and billing information were being recorded in Apache logs.

    40. Re:Hilarity by cheekyjohnson · · Score: 1

      Analogies don't exist, I guess.

      --
      Filthy, filthy copyrapists!
    41. Re:Hilarity by Anonymous Coward · · Score: 1

      My question is, if everyone else seems to know something you don't, why don't you just go look it up?

      You are the one making claims against the norm. Why don't you go get a link and prove everyone wrong and get some +1 Informative. Cause you sound like a fucking apologist.

    42. Re:Hilarity by Charliemopps · · Score: 5, Insightful

      It's amazing what being generally nice to your customers, delivering what you promise and not trying to ass-rape them at every turn can get you when you finally do screw up isn't it?

    43. Re:Hilarity by ProfanityHead · · Score: 1

      The forum account password and the steam account password are linked.

      Only if you are stupid.

    44. Re:Hilarity by Anonymous Coward · · Score: 0

      If you for one minute believe that there can exist a secure network, you know nothing about networks.
      Further, you know nothing about Battlestar Galactica.
      And like the other gent pointed out, you know nothing about rape either.....

    45. Re:Hilarity by artfulshrapnel · · Score: 2, Interesting

      Well, the PSN network requires you register a credit card to make any real use of it (like playing games online, for example). This card must be registered directly with Sony.

      Steam, by contrast, accepts PayPal, which is a financial institution with appropriate levels of security for such storage.

      So yes, they did tell you to store your credit card details with them.

    46. Re:Hilarity by AsmordeanX · · Score: 1

      Trust this man, he speaks from experience.

    47. Re:Hilarity by Baloroth · · Score: 4, Interesting

      In fact, this is why I have decided not to change my Steam password. If I get a notification that someone tried to access it, I know the password was compromised, and can act accordingly.

      --
      "None can love freedom heartily, but good men; the rest love not freedom, but license." --John Milton
    48. Re:Hilarity by Anonymous Coward · · Score: 0

      Agreed. The blind devotion to Steam is really sad... from my experience with their customer support staff they don't give a shit about their consumers.

      Example: Pre-ordered/Pre-loaded FEAR 2 through steam to "play it early". On the witching hour, FEAR 2 no work. I contact support. 3 days later FEAR 2 still no work and customer support sends me a generic support email about how to make sure the game works in windows vista and to make sure my files are defragmented. It was a whole week before I could start playing the game.

      I agree that Sony botched up for sure, but the idea that Steam is "ok" because they were honest about it, is still unclear. From what I understand Sony told consumers about it a day after it happened, whereas Steam took 4 days. How the issue is being handled by Steam has also yet to be realized since it's so close to the time it was stolen. Sony is relatively inexperienced at handling these issues and it showed, Steam should be able to bounce back much quicker and hopefully not just offer the whole "we are really sorry you are screwed, but now you can download the entire valve game pack for just 5 dollars... blah blah blah." -Gabe

      Just please think critically about Steam for once... they are a corporation/publisher who wants your money just as bad as Sony does.

    49. Re:Hilarity by hairyfeet · · Score: 1

      Frankly I don't care if the exec said it was protected by Shaka Zulu, what I DO care about is how many reports of people immediately after that said "Hey somebody used my CC number!"

      Remember ROT13 is still considered encryption, it's just useless encryption. Considering how many pissed off customers were popping up saying their CC got used I'd say Sony got the heat they deserved because whatever they used was obviously piss poor.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    50. Re:Hilarity by Requiem18th · · Score: 0

      The analogy is exaggerated as fuck but he's got a point. They force you to give them personally identifiable information for not much good reason. It sells game items, why does it have to know a user's real name, home address, phone number etc, etc.

      I liked TF2, I was willing to buy a hat, actually I am interested in getting some hats. I'm even thinking about getting Portal 2 and Mass Effect. Except Valve doesn't want my money.

      I have money, I'm willing to send them a money order, heck I can mail them cash, or a check. Ideally I should be able to buy a prepaid card on some 7/11 as I can do to get music from iTunes.

      They don't even need to keep billing me for a continued service, there is a "Steam Wallet" now so why do they need a permanent CC number from me? And I hate Paypal, so the only option for me is a CC. Why does buying a virtual hat require paperwork?

      --
      But... the future refused to change.
    51. Re:Hilarity by Anonymous Coward · · Score: 1

      It seems you're trolling and obviously lack basic reading comprehension (it's OK if you're a retard, we'll help you out), but:

      Valve salted/hashed the passwords and encrypted stored card data. So the attackers got encrypted data. BFD unless they can decrypt it. That's the whole point of encryption in the first place: if someone does get it they can't do anything with it.

      VS

      Sony apparently had it all in plain text.

    52. Re:Hilarity by Anonymous Coward · · Score: 0

      I remember them saying the CC info was indeed encrypted.

      wrong

      And they announced it sooner than that I believe.

      wrong again

    53. Re:Hilarity by tomstockmail · · Score: 4, Informative

      Then screw hearsay, here's the actual source.

      One other point to clarify is from this weekend’s press conference. While the passwords that were stored were not “encrypted,” they were transformed using a cryptographic hash function. There is a difference between these two types of security measures which is why we said the passwords had not been encrypted. But I want to be very clear that the passwords were not stored in our database in cleartext form. For a description of the difference between encryption and hashing, follow this link.

    54. Re:Hilarity by Anonymous Coward · · Score: 2, Insightful

      Passwords != CC info... Passwords you want to be hashed, it is better than encryption. CC info, by contrast, can't be hashed because you need to reproduce it for the CC company and thus you have to settle for encrypting it. Don't confuse these 2 things, the security needs are quite different.

    55. Re:Hilarity by Anonymous Coward · · Score: 0

      They only offered identity theft protection because they were forced to, to save face. Because yes, there was a severe lack of information for at least a week and over a month of downtime.

    56. Re:Hilarity by Anonymous Coward · · Score: 0

      I have money, I'm willing to send them a money order, heck I can mail them cash, or a check.

      Why does buying a virtual hat require paperwork?

      HAHAHAHAHAHAHA!!! Oh wait, you're being serious. So you want to send them pieces of paper to buy games, then you ask why they need paperwork? Get off the pipe, dude.

    57. Re:Hilarity by jmhysong · · Score: 2

      Wrong on number two. Valve did not tell its Steam users about this intrusion. They did not send out any emails or Steam IMs to their members, they didn't mention this on the Steam news page, and in fact they didn't mention it anywhere on Steam at all. The only place this intrusion is mentioned is on the forum. They're happy as punch to tell me through Steam that I can buy freaking Wallace and Gromit for 66% off but they don't inform me that all my personal information has been compromised? That is shameful.

    58. Re:Hilarity by DarwinSurvivor · · Score: 3, Informative

      Our family plays on PSN regularly and we have NEVER given Sony any CC numbers. We even bought a couple games later on, also without cc (7-11 gift certificate).

    59. Re:Hilarity by Anonymous Coward · · Score: 0

      Buy a prepaid Mastercard or Visa. Problem solved.

    60. Re:Hilarity by mgiuca · · Score: 1

      They didn't support Paypal when I first started using Steam in 2004, so any sufficiently old user did have to store credit card details AFAIK. (I certainly have, and I don't think I would have if there was another alternative.)

    61. Re:Hilarity by Anonymous Coward · · Score: 0

      Only basement-nerd asshole males would think that comment was funny.

    62. Re:Hilarity by Anonymous Coward · · Score: 0

      6 days, and no it was encrypted...
      [src]
      http://www.computerweekly.com/news/1280095790/PlayStation-Network-credit-card-information-was-encrypted-says-Sony
      http://www.hollywoodreporter.com/news/sony-playstation-credit-card-information-183311

      Nice try.

    63. Re:Hilarity by Daetrin · · Score: 4, Informative

      It took about 5-10 minutes of searching to find the exact reference, but here you go.

      So technically speaking the passwords _weren't_ encrypted. I remember when that bit of news came my friends and I were all very curious to know what kind of salt (if any) they were using, but we're all geeks at a software company so we're a bit more clued in about such things. In fact I don't remember if the salt question ever got answered.

      As for why it keeps getting brought up, especially in this thread, it's because people keep asking why Sony was treated more harshly than Valve seems to be getting treated now. The answer is that Sony took forever to say anything about what was going on and they made a habit of releasing partial bits of information, some of which were confusing or misleading. The encryption issue is just one of those bits the handling of which upset people.

      PSN was hacked between April 17th and 19th. It took a day or three before they shut down the servers without saying a word. It was three more days before they admitted there had been a data intrusion, and another three days before they admitted that user data had been compromised and days more before they admitted that personally identifiable information had been compromised.

      If Valve starts dribbling out more bits of previously unrevealed information over the next few weeks (not just details on the aspects they've already confirmed) then the amount of goodwill currently being displayed will erode very fast.

      Most of us don't feel that it's possible to prevent all security intrusions, but it is possible for companies to be responsible and forthright about it when it happens.

      --
      This Space Intentionally Left Blank
    64. Re:Hilarity by Kalriath · · Score: 4, Informative

      Not entirely true - some credit card merchant gateways permit you to tokenize the credit card info and re-charge them without ever re-sending (or storing) the details. In these cases, the merchant only ever sees your details once - when they send them in to be tokenized. And the token is also usable only by the original merchant - so the worst a hacker could do with it is forcibly give your money to the merchant.

      --
      For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
    65. Re:Hilarity by Kalriath · · Score: 1

      *checks email*

      Nope, Valve didn't tell me about it at all. Sounds like Valve fails as hard as Sony on point two. In fact worse, since Sony at least sent me an email.

      --
      For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
    66. Re:Hilarity by Kalriath · · Score: 1

      Actually, technically Valve still haven't told their customers about it. I see no email in my inbox informing me about the breach. Steam is running on my machine and I see no "update news" informing me about the breach. From what I understand, you'd only know about it if you read their forums. To me, that doesn't count as "informing the customers".

      So Sony told customers "x" days after it happened, and thus far Valve still haven't.

      --
      For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
    67. Re:Hilarity by Anonymous Coward · · Score: 0

      Encryption doesn't mean the data is safe. We don't know what kind of encryption. Maybe the freaking key was right there too. Even if it wasn't, that's what a botnet and amazon cloud services are for. Hell a couple of GPUs might be able to crack it. It's a matter of time. Courtesy of the announcement, they know they got credit card numbers for sure.

    68. Re:Hilarity by xero314 · · Score: 1

      Do you have a link to the "large number of CC fraud reported"? From what I recall no fraud has ever been linked to the Sony hack. The total number of reported cases is lower in percentage than in the general populace.

    69. Re:Hilarity by tomstockmail · · Score: 1

      > Passwords != CC info...

      Then here's the source where they say the Credit Cards were encrypted (I probably should have linked this one).

      > Q: Was my personal data encrypted? A: All of the data was protected, and access was restricted both physically and through the perimeter and security of the network. The entire credit card table was encrypted and we have no evidence that credit card data was taken. The personal data table, which is a separate data set, was not encrypted, but was, of course, behind a very sophisticated security system that was breached in a malicious attack.

    70. Re:Hilarity by ThatsMyNick · · Score: 1

      Well according to Sony they did not encrypt the passwords, but they did hash the passwords. They also refused to comment on whether they salted the hashes or not. Salting makes a biiiiig difference, and I would say Valve's and Sony's security are different.

      And it's not FUD; Sony initially said that credit card information was encrypted and the rest was not. People simply assumed the passwords were not hashed. Sony came back and said, well, they are not encrypted, but they were, indeed, hashed. Unless Sony planned this FUD themselves, I don't think these stories are FUD.
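
The distinction drawn in comment 54 (passwords get hashed, card numbers have to be encrypted because the merchant needs them back) and the salt question raised in comments 63 and 70 are easy to show side by side. The block below is an added example, not code from Valve, Sony or anyone in this thread. It uses only the Python standard library: PBKDF2-SHA256 with a per-user salt for the password, and, because the standard library has no AES, a labelled toy stream cipher (HMAC-SHA256 in counter mode, with a separate MAC key) as a stand-in for AES-GCM on the card number. The master key, username, password and card number are all constructed test values.

```python
import hashlib
import hmac
import os

# Work factor for PBKDF2; a real deployment tunes this to its hardware (assumed value).
PBKDF2_ITERATIONS = 100_000


def hash_password(password, salt=None):
    """One-way: returns (salt, digest). The password cannot be recovered from the digest."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    """Recompute the digest with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def _subkey(master_key, label):
    # Separate confidentiality and integrity keys, both derived from one master key.
    return hmac.new(master_key, label, hashlib.sha256).digest()


def _keystream(enc_key, nonce, length):
    # Toy PRF-in-counter-mode keystream (stand-in for AES-GCM; stdlib only).
    blocks = []
    for counter in range((length + 31) // 32):
        blocks.append(hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
    return b"".join(blocks)[:length]


def encrypt_card(master_key, pan):
    """Two-way: the merchant must be able to get the card number back to charge it later."""
    nonce = os.urandom(16)
    plaintext = pan.encode()
    keystream = _keystream(_subkey(master_key, b"enc"), nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, keystream))
    tag = hmac.new(_subkey(master_key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag  # encrypt-then-MAC


def decrypt_card(master_key, blob):
    """Rejects anything whose tag does not verify (tampering, or the wrong key)."""
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(master_key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("ciphertext tampered or wrong key")
    keystream = _keystream(_subkey(master_key, b"enc"), nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, keystream)).decode()


def store_user(master_key, username, password, pan):
    """Builds the row a database would hold: salted hash for the password, ciphertext for the card."""
    salt, digest = hash_password(password)
    return {
        "username": username,
        "pw_salt": salt.hex(),
        "pw_hash": digest.hex(),
        "card_ct": encrypt_card(master_key, pan).hex(),
    }


def login(row, password):
    """Needs no key at all: hashing is verify-only."""
    return verify_password(password, bytes.fromhex(row["pw_salt"]), bytes.fromhex(row["pw_hash"]))


def charge_card(master_key, row):
    """The one place the key is needed: recover the PAN to send it to the card processor."""
    return decrypt_card(master_key, bytes.fromhex(row["card_ct"]))


def salted_hashes_differ(password):
    """Same password, two users: with per-user salts the stored digests differ,
    so a dump does not reveal which users share a password and one cracked
    hash does not unlock the rest."""
    _, d1 = hash_password(password)
    _, d2 = hash_password(password)
    return d1 != d2


if __name__ == "__main__":
    KEY = b"constructed-master-key-for-demo-only"
    row = store_user(KEY, "alice", "hunter2", "4111111111111111")  # constructed values
    print(row)                      # neither the password nor the card number appears
    print(login(row, "hunter2"))    # True
    print(charge_card(KEY, row))    # the PAN comes back only with the key
```

The row is what an intruder holding the database gets: the password survives only as a salted PBKDF2 digest, and the card number only as ciphertext that is useless without the master key, which is exactly why the key's storage and the cipher's strength (not just "it was encrypted") decide how bad a dump is.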

    71. Re:Hilarity by X0563511 · · Score: 1

      My point is some people use the same password for their email.

      Even worse, those of us who have really old accounts? Our Steam sign-in name _is_ our email address... and having talked to support in the past, changing the name of an account is a large pain in the ass. You basically have to take a full inventory of your account and any relevant product keys...

      My meaning is that there must be a percentage of users where the attacker has their email address AND password, and so could log right in and clean up the email chain behind them.

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    72. Re:Hilarity by Bert64 · · Score: 1

      While I don't especially like PayPal, their transaction method is far more suited to online use than credit cards.... In fact, the whole card idea is fundamentally flawed.
      You're effectively walking around with a huge bundle of cash, and every time you want to buy something you hand over the entire bundle and trust the retailer (or any strangers that get close enough) to only take the amount you want them to and give you back the rest.
      You wouldn't conduct cash transactions in this way because that would be totally stupid, and yet that's exactly how credit/debit cards work.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    73. Re:Hilarity by flimflammer · · Score: 1

      The analogy is exaggerated as fuck but he's got a point. They force you to give them personally identifiable information for not much good reason. It sells game items, why does it have to know a user's real name home address, phone number etc, etc.

      The billing address is for billing, obviously, and is also likely potentially related to game regions. Some credit cards require this information for online purchases. Some only require small bits (zip code, etc), some don't require anything at all. You don't have to supply your phone number. At least it was never required when I set things up.

      Also, I'm not sure why you seem to think this but you don't need to keep your credit card number stored on the site. At all. Ever. Not at one point in time was this ever required. You need to provide the information at purchase but they don't need to hold onto the information. It can be removed from their service instantly after purchase. It's mere convenience to allow them to keep it. The odds of having your information stolen in the small window of time at each individual purchase are much smaller than you being lazy and allowing them to keep the information.

      I'm also fairly certain you can buy prepaid Visa/Mastercards and fill them for use on Steam. I used one once before years ago. I have no idea if this is still possible. If so then the idea of buying prepaid Steam cards is somewhat moot, but I would still like to see Steam-specific gift cards at some point in time.

    74. Re:Hilarity by flimflammer · · Score: 1

      This is honestly the most insightful thing I've heard all night.

    75. Re:Hilarity by Anonymous Coward · · Score: 0

      I was RAPED at a POLICE STATION and it's not EXACTLY THE SAME.

    76. Re:Hilarity by Chucky_M · · Score: 2

      Wrong on number two. Valve did not tell its Steam users about this intrusion. They did not send out any emails or Steam IMs to their members, they didn't mention this on the Steam news page, and in fact they didn't mention it anywhere on Steam at all. The only place this intrusion is mentioned is on the forum. They're happy as punch to tell me through Steam that I can buy freaking Wallace and Gromit for 66% off but they don't inform me that all my personal information has been compromised? That is shameful.

      When you start steam it provides you this message in the main popup box where they normally try to sell you preorder crap.

    77. Re:Hilarity by Kugrian · · Score: 1

      [quote]2. At least they told their users in a prompt manner. [/quote]
      The hack happened 5 days ago, and this is the first statement even confirming it happened. That's a long time on the internet.

    78. Re:Hilarity by somersault · · Score: 1

      Well, the PSN network requires you register a credit card to make any real use of it (like playing games online, for example)

      No, it doesn't.*

      *source: played many PS3 games online, never had to pay to play any of them in 4 years.

      --
      which is totally what she said
    79. Re:Hilarity by GauteL · · Score: 1

      "This is the equivalent of being raped in a police station and then being happy that the cops admitted it happened and are very sorry about it."

      No. Nothing like that. One of the cases you are talking about is a forgivable error or misjudgement. The other is rape. I have no idea how you thought that was an acceptable analogy, but your use of the analogy was in itself a forgivable error or misjudgement. So how others should react to it depends on how you deal with your error. The correct way would be to apologise, correct the error and take better precautions the next time.

      If people deal with mishaps in this way, I see no problem in forgiving them and moving on.

    80. Re:Hilarity by Anonymous Coward · · Score: 0

      At least rapists have the decency not to mock you on pastebin.

    81. Re:Hilarity by Ginger+Unicorn · · Score: 1

      If it wasn't about rapists, I would put this as my .sig.

      --
      (1.21 gigawatts) / (88 miles per hour) = 30 757 874 newtons
    82. Re:Hilarity by heathen_01 · · Score: 1

      This technology has been around for a long time. I don't understand why gateways still allow merchants to store CC details.
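
Comment 64 above describes card tokenization (the merchant sends the card number to the gateway once, stores only an opaque token, and the token is usable only by that merchant); comment 82 asks why merchants store card details at all when this exists. The block below is an added illustration of that flow and is not code from Valve, any gateway, or anyone in this thread: both the gateway and the merchant are constructed stand-ins, the card number is a constructed test value, and the token format and error types are assumptions.

```python
import secrets


class PaymentGateway:
    """Constructed stand-in for a processor's tokenization service.

    Keeps the real card numbers in its own vault and returns an opaque token
    that is bound to the merchant that submitted the card.
    """

    def __init__(self):
        self._vault = {}  # token -> (merchant_id, pan); lives only on the gateway side

    def tokenize(self, merchant_id, pan):
        if not (pan.isdigit() and 13 <= len(pan) <= 19):
            raise ValueError("not a card number")
        token = "tok_" + secrets.token_urlsafe(16)  # random, carries no card digits
        self._vault[token] = (merchant_id, pan)
        return token

    def charge(self, merchant_id, token, amount_cents):
        entry = self._vault.get(token)
        if entry is None:
            raise PermissionError("unknown token")
        owner, pan = entry
        if owner != merchant_id:
            # A token lifted from one merchant's database cannot be charged by anyone else.
            raise PermissionError("token not issued to this merchant")
        return {"merchant": merchant_id, "card_last4": pan[-4:], "amount_cents": amount_cents}


class Merchant:
    """A store that never persists card numbers: the PAN passes through once, the token stays."""

    def __init__(self, merchant_id, gateway):
        self.merchant_id = merchant_id
        self.gateway = gateway
        self.customers = {}  # username -> token; this is all the merchant's database holds

    def add_card(self, username, pan):
        # The card number is forwarded immediately and never written to local storage.
        self.customers[username] = self.gateway.tokenize(self.merchant_id, pan)

    def charge(self, username, amount_cents):
        # Re-charging a returning customer needs the token only, never the card number again.
        return self.gateway.charge(self.merchant_id, self.customers[username], amount_cents)

    def database_dump(self):
        """What an intruder who copies the merchant's database would get."""
        return dict(self.customers)


def demo():
    """Run the flow and report what a stolen token is worth to a different merchant."""
    gateway = PaymentGateway()
    store = Merchant("game-store", gateway)
    store.add_card("alice", "4111111111111111")  # constructed test number
    receipt = store.charge("alice", 999)
    dump = store.database_dump()
    try:
        # Someone holding the dump tries to charge the token under a different merchant id.
        gateway.charge("other-merchant", dump["alice"], 100)
        stolen_token_usable = True
    except PermissionError:
        stolen_token_usable = False
    return receipt, dump, stolen_token_usable


if __name__ == "__main__":
    print(demo())
```

With this split, the breach of the merchant's database yields tokens rather than card numbers, and the worst a holder of the dump can do with them is, as comment 64 puts it, push charges through the original merchant, which that merchant's own fraud controls and the gateway's token revocation can then deal with.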

    83. Re:Hilarity by inasity_rules · · Score: 1

      That is why I never reuse my email password and made it a long complicated sentence.... So, I might reuse the password from steam on something else, but the email is unique and (hopefully) secure...

      --
      I have determined that my sig is indeterminate.
    84. Re:Hilarity by wjousts · · Score: 2

      in part due to the fact that Sony is run by gigantic cocks while Valve isn't.

      So Valve is run by tiny cocks? I feel sorry for Gabe's wife.

    85. Re:Hilarity by Anonymous Coward · · Score: 0

      I stopped buying Sony after their rootkit scandal... I laugh every time they screw over their customers because... what sort of idiot is STILL buying Sony stuff?

    86. Re:Hilarity by Cato · · Score: 1

      Another big difference - SteamGuard is an opt-in feature of the Steam client authentication (not the forums) that emails you a verification code any time a new browser or PC is used. For those who have enabled this, it makes the theft of a password almost a non-event - to such an extent that Gabe Newell actually gave out his password when they announced this (which he may live to regret, but it shows confidence in their setup).
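
The mechanism described in the comment above (a code emailed to the account holder whenever a new browser or PC logs in, so a leaked password on its own is not enough) can be shown in a few dozen lines. The block below is an added illustration and is not Valve's Steam Guard implementation or any code from this thread: the mail delivery is a list standing in for an outbox, device identifiers are plain strings, and the attempt limit and six-digit code length are assumptions.

```python
import hmac
import secrets


class DeviceGuard:
    """Constructed illustration of a 'new device needs an emailed code' login step."""

    MAX_ATTEMPTS = 3  # assumed limit before a pending code is discarded

    def __init__(self):
        self.trusted = {}   # username -> set of device identifiers confirmed by the user
        self.pending = {}   # (username, device) -> [code, attempts_left]
        self.outbox = []    # stand-in for the mail server: (email address, message)

    def login(self, username, email, password_ok, device):
        """Correct password from a known device: in. From an unknown device: code goes to the inbox."""
        if not password_ok:
            return "denied"
        if device in self.trusted.get(username, set()):
            return "ok"
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self.pending[(username, device)] = [code, self.MAX_ATTEMPTS]
        self.outbox.append((email, f"Code for new device {device}: {code}"))
        return "verification_required"

    def confirm(self, username, device, code):
        """Trust the device only if the code that reached the mailbox is presented."""
        entry = self.pending.get((username, device))
        if entry is None:
            return False
        expected, _ = entry
        if not hmac.compare_digest(expected, code):
            entry[1] -= 1
            if entry[1] <= 0:
                del self.pending[(username, device)]  # no unbounded guessing
            return False
        del self.pending[(username, device)]
        self.trusted.setdefault(username, set()).add(device)
        return True


def _last_code(guard):
    # Reads the code out of the simulated outbox, i.e. what only the mailbox owner sees.
    return guard.outbox[-1][1].split(": ")[-1]


def leaked_password_scenario():
    """Alice enrols her PC; someone else with Alice's correct password tries from another machine."""
    guard = DeviceGuard()
    first = guard.login("alice", "alice@example.com", True, "alice-pc")  # constructed
    enrolled = guard.confirm("alice", "alice-pc", _last_code(guard))
    second = guard.login("alice", "alice@example.com", True, "alice-pc")

    # Correct password, unknown device: the code lands in Alice's inbox, not on that device.
    other = guard.login("alice", "alice@example.com", True, "unknown-box")
    real_code = _last_code(guard)
    wrong = "000000" if real_code != "000000" else "000001"
    guesses = [guard.confirm("alice", "unknown-box", wrong) for _ in range(DeviceGuard.MAX_ATTEMPTS)]
    still_pending = ("alice", "unknown-box") in guard.pending
    return {
        "first_login": first,
        "enrolled": enrolled,
        "second_login": second,
        "unknown_device_login": other,
        "guesses": guesses,
        "still_pending": still_pending,
        "trusted_devices": sorted(guard.trusted["alice"]),
    }


if __name__ == "__main__":
    print(leaked_password_scenario())
```

The point for the password-reuse discussion elsewhere in this thread is that the protection collapses if the attacker also controls the mailbox the code is sent to, which is why the email account's password deserves to be the one that is never reused.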

    87. Re:Hilarity by Cato · · Score: 1

      After the Sony hacks, some countries were down for many weeks - in Japan it was something like 2 months before PSN services returned, I think.

    88. Re:Hilarity by badran · · Score: 1

      You do not have to store the info on their server, you can just enter it every time you want to make a purchase.

    89. Re:Hilarity by Anonymous Coward · · Score: 0

      4. Allow unencrypted credit card data to be stolen.

      Except that this never actually happened.

      PSN users reported suspicious activity on their cards

      And there are some Steam users reporting suspicious activity on their cards. If you look at the numbers involved, this was a certainty in both cases.

      and I know my bank sent me a new card due to the breach.

      As a safety precaution. And Sony also voluntarily paid for credit monitoring.

      Score:5, Interesting

      Slashdot, you're officially full of shit. This community fancies itself as a bastion of logic and reasoning, yet this blatantly false information gets Modded 5 Interesting? What a fucking joke.

    90. Re:Hilarity by Isaac+Remuant · · Score: 1

      I'd probably shorten it to "having a positive image" but yeah, I completely agree.

      --
      "Science can amuse and fascinate us all, but it is engineering that changes the world. " - Asimov.
    91. Re:Hilarity by man_the_king · · Score: 2

      Well, the PSN network requires you register a credit card to make any real use of it (like playing games online, for example). This card must be registered directly with Sony

      Ah, a lie from someone who has never played a game on PSN. Not sure if you are a 360 fanboy or just your standard /. Sony-hater, but FYI, Sony does NOT require you to register your CC for playing games online.

    92. Re:Hilarity by man_the_king · · Score: 1

      Except that the person above was asking about a citation for the CC info on PSN being unencrypted, NOT the passwords.
      Nice of you to so NEATLY sidestep that particular question and go off onto your Sony-bashing tangent. Good (troll)work.

    93. Re:Hilarity by man_the_king · · Score: 1

      Valve would also have to do the following "to be on Sony's level":
      7. Offer up to 4 free games
      8. If Valve had anything like a premium subscription offering, offer their customers up to 2 months of free premium sub.
      9. Offer a month of free movie and music service.
      10. Offer a year of free ID Theft protection.

      Nice of you to forget all that though.

    94. Re:Hilarity by man_the_king · · Score: 1

      On Slashdot, all you have to do to be modded up is go off on a rant of Sony-bashing.
      Guaranteed positive Karma
      Most of /. = Bunch of hypocrites

    95. Re:Hilarity by Anonymous Coward · · Score: 0

      Except that this never actually happened.

      Actually, it did happen, just not as part of the PSN breach.

      Sony Confirms Stolen Credit Card Information
      Sony Online loses 12,700 credit card account numbers, 24.6 million accounts compromised

      It was stolen from SOE (the part that does the MMOs) and not the part that does PSN.

      But nonetheless Sony did have unencrypted credit card data stolen from them, and it happened just after Sony announced 77 million PSN accounts had been compromised, so it's not hard to see why people confuse the two.

    96. Re:Hilarity by gman003 · · Score: 1

      I don't recall opting in to that particular feature. I think it's actually an opt-out feature - I know it can be disabled, but (annoying as it sometimes is) I don't see why you would.

    97. Re:Hilarity by Anguirel · · Score: 1

      No, you're effectively walking around with blank IOUs. You hand one over as a transaction and trust the retailer to write down the correct amount, and trust that no one else standing around is making copies of the IOU. Then when you get your statement, you can say "Hey, someone wrote the wrong number for this IOU," and have the Credit Card company revert the transaction, paying nothing until the matter is resolved, either directly or by the courts, or you can say "Hey, I never handed out that IOU, someone made an illegal copy," and the Credit Card company reverts the charge and contacts the appropriate police agency to track down the offender to recover the illicitly obtained cash. Additionally, many of the elements of these transactions are recorded, making such problems significantly easier to track.

      I can see how you might be confused, especially as people have lost confidence in most credit and financial institutions, but I'd say that credit card transactions remain, on average, safer for the average consumer than cash, albeit with no real possibility for anonymous transactions or arbitrary non-retail transactions.

      --
      ~Anguirel (lit. Living Star-Iron)
      QA: The art of telling someone that their baby is ugly without getting punched.
    98. Re:Hilarity by Anguirel · · Score: 1

      Since you've posted this multiple times -- do you have a Steam Forum account? From what I've read, that's the only set of accounts that was compromised, and thus it doesn't affect the majority of Steam users. I don't know anyone who actually uses the Steam Forums, so I don't know if those people have been contacted directly or not.

      Additionally, I've seen 4 notices, directly from Steam, in the past 2 days. Every time I log in (twice at work, twice at home) I get a pop up with the current offers -- the first page of this has been the "Sorry, this hack thing happened" message from Gabe.

      --
      ~Anguirel (lit. Living Star-Iron)
      QA: The art of telling someone that their baby is ugly without getting punched.
    99. Re:Hilarity by Yvan256 · · Score: 1

      I check my emails every day. I start Steam maybe twice a month when I have time to play a game.

    100. Re:Hilarity by Zebidiah · · Score: 1

      I found out through Steam. I finished playing a game and closed the game down. At this point Steam brings up some advertisements about the latest releases or deals in a separate window, instead this time it had a message from Gabe explaining what had happened.

    101. Re:Hilarity by Kalriath · · Score: 1

      Hmm. It's possible I might not. I was under the impression from the text of the announcement as posted here and so forth that a Steam database had also been breached - specifically

      We learned that intruders obtained access to a Steam database in addition to the forums. This database contained information including user names, hashed and salted passwords, game purchases, email addresses, billing addresses and encrypted credit card information.

      If that is just the forum users then it does not affect me which might explain the lack of an email. However, they should still be notifying all customers even if only to say that "at this time we believe that your account was not among those compromised".

      --
      For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
  4. d'oh by terrox · · Score: 1

    and I just joined Steam recently.. damn.

  5. Encrypted by Anonymous Coward · · Score: 0

    Why isn't EVERYTHING on their server encrypted?

    1. Re:Encrypted by cheater512 · · Score: 1

      Cause the encryption key would also have to be on the server?

    2. Re:Encrypted by ewanm89 · · Score: 1

      well, technically it could be on a separate server to the database server or the webserver, but generally once one has access to one of the three they have enough access to the other two if they were segregated.

    3. Re:Encrypted by Firehed · · Score: 1

      Because it's highly impractical if you want your audit logs to be in any way useful (also if you don't want your key rotation to take months). It's also pointless overhead when it comes to non-sensitive data. Get a name and city, and there's a good chance you can get phone number, full street address, and more from whitepages.com (and similar sites). Several years ago, people got this same info from things called phone books.

      I'm disappointed to hear this happened, but assuming they're correct in their belief that the encryption keys were not compromised I'm not worried. I don't think anything was compromised that isn't about four seconds worth of Googling away, with the exception of the list of games I've bought (oh, no!)

      --
      How are sites slashdotted when nobody reads TFAs?
    4. Re:Encrypted by koolfy · · Score: 1

      Then how do they manage the credit card numbers ?
      They cannot simply hash them, they need access to the actual cleartext data at some point.

      My bet is on one or several servers containing one or several decryption keys.

      So the question remains. Why not encrypt EVERYTHING ?

      --
      Segmentation Fault in "Life, Universe and Everything" at line 42. Don't Panic.
    5. Re:Encrypted by Cley+Faye · · Score: 1

      with the exception of the list of games I've bought (oh, no!)

      Not even a google away (it's only a guess) : http://steamcommunity.com/id/firehed/games/?tab=all

    6. Re:Encrypted by Baloroth · · Score: 1

      Yeah, and the list of games is about 2 seconds away on steam anyways. Wait, less than 2 seconds. Let's hope Valve is right that their encryption is secure (also, it sounds like they think the hackers might not have gotten a chance to download the information.)

      --
      "None can love freedom heartily, but good men; the rest love not freedom, but license." --John Milton
    7. Re:Encrypted by laffer1 · · Score: 1

      Performance. If you encrypt everything, you have to decrypt on every web page request to their forums. That is going to take a lot of CPU time if it's a decent algorithm. Most likely it wouldn't be in order to make it work at all.

      Also, if you encrypt everything, it's impossible to search. You would have to decrypt ALL THE DATA to do a search or it would have to be stored unencrypted in an index. It just doesn't make sense.

      Finally, as you pointed out the server would have to have the decryption key. If they root the web server, they can get access to the key and then use it to decrypt everything anyway.

    8. Re:Encrypted by kyrre · · Score: 1

      That is not true. Credit card companies offer a token, a hashed edition of your credit card number, that can be used for subscriptions or stored credit cards at their servers. The hash is combined with the merchant id making it useless outside of the single merchant. Encryption cannot prevent credit card numbers from being copied, Hashing does.
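
An added worked example for this subthread (it is not Valve's code and not code posted by anyone in the thread) that puts the "hash vs. encrypt vs. token" distinction into running Python. Passwords only ever need to be verified, so the merchant stores a salted PBKDF2 hash. Card numbers must be charged again later, so they cannot be hashed; instead of encrypting them with a key the web tier can reach, the merchant hands the number to a vault and keeps only a token bound to its merchant id with an HMAC. The CardVault class is a stand-in for a processor's token service, not any real processor's API; the merchant ids, keys, the user record and the 4111... Luhn-valid test card number are all constructed for the demo.

```python
# Added example, not Valve's code: why a dump of the merchant's database
# need not contain anything directly reusable.
#   - Passwords only need to be *verified*: store a salted PBKDF2 hash.
#     A dump yields salt+hash that must be brute-forced offline.
#   - Card numbers must be *reused* to charge later, so they cannot be
#     hashed. The merchant hands the PAN to a vault (stand-in for a
#     processor's token service) and keeps only a token. The vault binds
#     each token to one merchant with an HMAC, so a token lifted from
#     merchant A's dump is refused when merchant B presents it.
# Merchant ids, keys, the user and the 4111... test PAN are constructed.
import hashlib
import hmac
import os
import re
import secrets

PBKDF2_ITERATIONS = 200_000  # raise this (or use scrypt/argon2) in production


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Return (salt, digest); a fresh random 16-byte salt unless one is given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison so the check itself leaks nothing."""
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: the filter a responder uses to spot real PANs in a dump."""
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans_in_dump(dump: str) -> list:
    """Every Luhn-valid digit run an intruder could lift from the dump."""
    return [m for m in re.findall(r"\d{13,19}", dump) if luhn_ok(m)]


class CardVault:
    """Stand-in for a processor's token vault: the only holder of PANs and of
    the MAC key that binds tokens to merchants. Merchants never see either."""

    def __init__(self) -> None:
        self._mac_key = secrets.token_bytes(32)
        self._pans = {}  # token_id -> PAN

    def _bind(self, merchant_id: str, token_id: str) -> str:
        msg = f"{merchant_id}|{token_id}".encode()
        tag = hmac.new(self._mac_key, msg, "sha256").hexdigest()[:32]
        return f"{token_id}.{tag}"

    def tokenize(self, merchant_id: str, pan: str) -> str:
        if not luhn_ok(pan):
            raise ValueError("not a valid PAN")
        token_id = secrets.token_hex(8)
        self._pans[token_id] = pan
        return self._bind(merchant_id, token_id)

    def charge(self, merchant_id: str, token: str, cents: int) -> bool:
        """Accept only if the token was issued to *this* merchant."""
        token_id = token.partition(".")[0]
        if not hmac.compare_digest(self._bind(merchant_id, token_id), token):
            return False
        return token_id in self._pans and cents > 0


class Merchant:
    """The web/database tier an intruder might reach. Holds no PAN and no key."""

    def __init__(self, merchant_id: str, vault: CardVault) -> None:
        self.id, self.vault, self.users = merchant_id, vault, {}

    def register(self, username: str, password: str, pan: str) -> None:
        salt, digest = hash_password(password)
        self.users[username] = {"salt": salt, "pw_hash": digest,
                                "card_token": self.vault.tokenize(self.id, pan)}

    def login(self, username: str, password: str) -> bool:
        u = self.users.get(username)
        return u is not None and verify_password(password, u["salt"], u["pw_hash"])

    def charge_saved_card(self, username: str, cents: int) -> bool:
        return self.vault.charge(self.id, self.users[username]["card_token"], cents)

    def dump(self) -> str:
        """What read access to the merchant database yields: CSV rows."""
        return "\n".join(f"{n},{u['salt'].hex()},{u['pw_hash'].hex()},{u['card_token']}"
                         for n, u in self.users.items())


TEST_PAN = "4111111111111111"  # standard Luhn-valid test number, not a real card


def demo() -> dict:
    vault = CardVault()
    shop = Merchant("merchant-A", vault)
    shop.register("gordon", "correct horse battery staple", TEST_PAN)
    dump = shop.dump()
    stolen_token = shop.users["gordon"]["card_token"]
    return {
        "login_ok": shop.login("gordon", "correct horse battery staple"),
        "login_bad": shop.login("gordon", "hunter2"),
        "charge_ok": shop.charge_saved_card("gordon", 1999),
        "pan_in_dump": TEST_PAN in dump,
        "pans_found": find_pans_in_dump(dump),
        "replay_by_other_merchant": vault.charge("merchant-B", stolen_token, 1999),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Running `demo()` shows that the merchant's dump holds salt, hash and token but no Luhn-valid card number, that the merchant can still charge the saved card through the vault, and that the same token is refused when presented under another merchant id. What hashing does not buy is immunity to offline guessing: a dumped salt+hash can still be cracked, which is why the work factor (and a memory-hard function in production) matters.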

  6. In comparison with Sony? by Commontwist · · Score: 1

    Sounds a bit quicker (once they discovered the problem) and sincere from what I remember of Sony's 'efforts' when PSN got hacked.

    1. Re:In comparison with Sony? by salemboot · · Score: 0

      PSN Admins just never noticed for whatever reasons, playing games... looking at p0rn... Same thing it seems with kernel.org they were too focused on releases and deprecations.

    2. Re:In comparison with Sony? by IronSight · · Score: 2

      TBH Valve wouldn't have found the intrusion if the forums weren't defaced. If the hackers were smart they would have left the site unscathed. Who knows how long they had all of our info. Kinda scary really.

    3. Re:In comparison with Sony? by Gravatron · · Score: 1

      Keep in mind, said defacement was on the 6th, and we are just now finding out about the stolen data on the 10th. Sony was hacked on 4/19 and everything was known, officially, on the 26th, but some info, like them admitting the hack, was known a few days before. We still don't know the date someone first hacked into Steam.

  7. DRM rocks! by Anonymous Coward · · Score: 4, Insightful

    Thank god I had to sign up to STEAM and give out my personal information to play a game I had already purchased otherwise I might never have become a victim of identity theft...

    1. Re:DRM rocks! by Anonymous Coward · · Score: 0

      If you already purchased the game, why would you enter real/valid information into steam?

      I can understand if you are buying online with a credit card or if they are shipping to you, but just an online account there is no reason to give true information, it just causes these exact problems.

    2. Re:DRM rocks! by Spad · · Score: 5, Insightful

      As opposed to Xbox Live? GFWL? The Rockstar Social Club? Origin? Any MMO ever? Any website you've ever purchased anything from? etc.

      Let's face it, there's no shortage of places that have some, part or all of your personal information these days; Steam is just one of many.

    3. Re:DRM rocks! by Khyber · · Score: 1

      When you bought HL2 on disc, you had to make a Steam account.

      This was back in the days of, what, the GeForce 6 series?

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    4. Re:DRM rocks! by cheekyjohnson · · Score: 1

      I don't see why you'd have to do it for Steam, though (especially for a game you've already bought).

      --
      Filthy, filthy copyrapists!
    5. Re:DRM rocks! by Baloroth · · Score: 2

      Because these days it seems like it's either Steam or Securom (or *shudder* worse). I'll take Steam, TYVM.

      --
      "None can love freedom heartily, but good men; the rest love not freedom, but license." --John Milton
    6. Re:DRM rocks! by MacGyver2210 · · Score: 1

      Thank god I had to sign up to STEAM and give out my personal information to play a game I had already purchased otherwise I might never have become a victim of identity theft...

      The easier solution would have been not to provide any real information. If you already bought the game, you don't need credit card info for anything. Unless it was a subscription MMO, in which case you know exactly why you needed to provide your info. Even when you need to pay for things, use PayPal instead of giving them your information directly.

      Considering what they got from their servers, they can't use your information, and most likely can't even read it. Identity theft implies they can read your identity. Chill out.

      --
      If the only way you can accept an assertion is by faith, then you are conceding that it can't be taken on its own merits
    7. Re:DRM rocks! by Anonymous Coward · · Score: 0

      I have one steam game, "The Orange Box". But not going to buy anything else. This mishap further supports my stance. However, I came to this conclusion when I was denied playing single player mode when my Internet connection was down for 4 days due to a storm. I had power but Charter was down. No TV and no Internet. Think I could enjoy an offline game... nope. Steam wouldn't let me login off-line. You can go offline if you expect to be down and then you can play. Great, so with all my other storm preparations I need to ensure that Steam is up to date, all my games are up to date (2 conditions for off-line), and then enter off-line mode.

      Screw you DRM, Steam and Valve.

    8. Re:DRM rocks! by Anonymous Coward · · Score: 0

      As opposed to Xbox Live? GFWL? The Rockstar Social Club? Origin? Any MMO ever? Any website you've ever purchased anything from? etc.

      Let's face it, there's no shortage of places that have some, part or all of your personal information these days; Steam is just one of many.

      Most of your list requires information for Multiplayer. Steam is DRM for Single Player.

      The ones in your list that are Steam-like I don't support or use.

    9. Re:DRM rocks! by artor3 · · Score: 0

      Liar! If you had purchased the game outside of Steam, then you didn't enter ANY personal info into Steam - just a (throwaway) email address and a username/password. If you bought the game in Steam, then you had the option to pay in Paypal or to tell them not to store your info.

      The only way you're at risk is if you:
      a) Chose to buy a game in Steam
      b) Chose to pay with a credit card
      c) Told Steam to remember your info

      Are you on EA's payroll, or are you just so pathetic that you feel the need to make up lies with which to criticize video game companies you dislike?

    10. Re:DRM rocks! by artor3 · · Score: 3, Informative

      Liar. If you try to start Steam without an internet connection, it pops up a window with two options "Retry" and "Start in Offline Mode". You absolutely do not need to go into offline mode ahead of time. Did you really think no one would catch that lie?

    11. Re:DRM rocks! by Squiddie · · Score: 2

      You still have to make a Steam account if you buy some retail games. It's just DRM, and while less intrusive than most, it's still horrible. I can't even give my old games away, which is crap, since I have friends that would usually take my old games, now they don't get squat.

    12. Re:DRM rocks! by Billlagr · · Score: 1

      You still have to make a Steam account if you buy some retail games

      Fallout NV being one of the offenders

    13. Re:DRM rocks! by mgiuca · · Score: 1

      Not saying the other DRM services are right either... And yes, lots of other websites have your personal info, but they all need it. Clearly, if I buy a game in a box and I am forced to give my personal details out over the Internet just to play it, that is an unnecessary storage of my personal info. Ideally, you want to tell things like credit card numbers to as few people as possible.

    14. Re:DRM rocks! by Anonymous Coward · · Score: 0

      I don't have to sign up on xbox live to play single player games.

      MMOs aren't single player games

      & Rockstar social club is just as much of an imposition as steam is, which is why I no longer purchase games from valve OR rockstar.

    15. Re:DRM rocks! by zigmeister · · Score: 4, Informative

      No he's probably not lying. I've had the exact same problem. I'll explain it as best I can (I don't know why it happens):

      Your computer is connected to the 'net with steam running. You shut down steam, disconnect from the internet completely, then restart steam. Then steam does all kinds of weird shit like it claims it's updating itself or "connecting"... after a while it finally pops up and says I can't connect to a steam server what would you like to do? 1) Retry 2) Start in Offline Mode. Select option 2 (obviously) then steam says it's "connecting" (sigh) again, then it says something like could not connect to a steam server at this time. The only option is to close the window.

      As far as I can tell the workaround to play in offline depends on the game. For all games this was required: start steam with a working internet connection, select go/restart into offline mode while connected to the internet, then quit steam, then disconnect from the internet completely, then start steam in offline mode normally at your leisure. That worked for most games but it was also incredibly annoying; the buddies I LAN with don't have a 'net connection and I forgot to go through this process before going over once or twice.

      For some games (The Orange Box falls into this category) I had to have the game updated, then start the game while connected to the internet IF it had been updated since it was last played, then go through all the normal stuff I listed above. If I didn't do all of this the game would not start in offline mode even if steam would. Yet more games completely refused to start and I never figured out how to workaround that (none of the above worked.)

      For the GPs sake: I managed to fix the issue by uninstalling steam then nuking the contents of the steam folder on the drive. But it still does some weird shit but w/e. Also I haven't bothered reporting or complaining because I have heard that Valve ignores complaints about offline mode not working so...

      --
      Failure formatting five FAQs of financial facts.
    16. Re:DRM rocks! by Kalriath · · Score: 1

      The number of times I've tried that only to be told by Steam that I cannot enter offline mode and offered only the option "Quit" is astronomical. Steam is not perfect, and for all intents and purposes it isn't even good.

      You can also only enter offline mode for a limited time even if it does work by the way... and 4 days exceeds that. So the GP would have been gameless for at least 1 day.

      --
      For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
    17. Re:DRM rocks! by flimflammer · · Score: 1

      This being modded +5 Insightful is shameful. Not only do you not need to input any personal information to create an account for an already purchased game, but you never need to leave said personal information on the Steam servers when you do decide to purchase something directly through Steam. It can be removed immediately after the purchase of a product.

      Hating DRM is fine, folks. We all do. But try to actually read what was written before you go blindly agreeing with the first guy who has a bone to pick with DRM.

    18. Re:DRM rocks! by Anonymous Coward · · Score: 0

      Why does that make it any better?

    19. Re:DRM rocks! by Anonymous Coward · · Score: 0

      Ah, the horribly misinformed Steam-fanboy in action.

      Each and every Securom protection I've encountered in the last years was a mere online activation. At most you have to supply some serial number, once. No permanent internet connection, no checking in each time you play, no client overhead, no personal information, no troubleshooting additional software, no extra account to track, no spyware to monitor my computer use, no adware trying to push more games on me and so on.

      But yea, "Steam is so great and better than everything I know nothing about but prejudice and decade old rumours".

    20. Re:DRM rocks! by Anonymous Coward · · Score: 0

      As opposed to Xbox Live? GFWL? The Rockstar Social Club? Origin? Any MMO ever? Any website you've ever purchased anything from? etc.

      There is a simple way to avoid shit like that.
      If the game requires registration or in any way tries to bind you as a person to it, just pirate it.
      No game is worth giving up your personal information, no matter how fun.
      If you feel like being legal you can still buy the game and throw it the trash or whatever.

    21. Re:DRM rocks! by HopefulIntern · · Score: 1

      Was going to say something like this. As far as annoying DRM goes, Steam is not the worst. All of my Steam games have been purchased offline, in a shop. I did have to sign up to Steam to play them, but all they need is an email address, of which I have many.
      What *does* annoy me is that when I get a spare 30 mins to play a game and Steam isn't working or available for some retarded reason, and all I want is to play the single player campaign for a game. Why do I need their permission to play games I already bought?

    22. Re:DRM rocks! by sammyF70 · · Score: 1

      same problems here, which is why I avoid Steam as much as possible. A working internet connection is *NOT* a given, and when you decide you want to play some single player game and just can't because Steam acts like that, you are entitled to be pissed off and call it a smegging piece of garbage (which it is).

      --
      "DRM is like the Ford Pinto: it's a smooth ride, right up the point at which it explodes and ruins your day."-C.Doctorow
    23. Re:DRM rocks! by Anonymous Coward · · Score: 0

      It's either Steam, Securom or no DRM at all, because some third party removed it. In this case I take the latter. And if I choose to archive that copy I'll still be able to use it in ten, fifteen years, given that I also archive the hardware it ran on or I'll be able to emulate that hardware. Try doing that with a game you purchased on Steam now, I bet either Steam itself will be defunct and your expensive games not available anymore or you'll have to repurchase it in an emulation container (maybe it'll be called Windows7Box or something in that line, maybe even a GPL version of that program that'll happily run your DRM-free copy will exist...). No, thank you, put that Steam somewhere where the Sun won't shine. I don't get why everyone happily surrenders to that steaming pile of garbage. F*ck Steam, f*ck DRM!

    24. Re:DRM rocks! by Necreia · · Score: 1

      Let's face it, there's no shortage of places that have some, part or all of your personal information these days; Steam is just one of many.

      People or companies doing stupid or restrictive things en masse does not somehow make it right.

      Purchasing a single-player game and having to tether it to a registration system is idiotic for the reason in the main article here. This continuing push to centralize all data in these private hubs is starting to show the flaws.

    25. Re:DRM rocks! by Anonymous Coward · · Score: 0

      No, not DRM as opposed to DRM.

      I bought Portal 1 & 2. Both require Steam sign up. I didn't install them from the disc, though. You see, I got an extra copy from a pro-customer site, which doesn't require Steam signup. You might have heard of it, it's called The Pirate Bay.

      None of my personal information was stolen in this attack, as it wasn't even there, and my Portal discs sit unopened on the top of my closet.

      Now, the question for the guys at Valve... I could have gotten the games from TPB without paying anything. This time, I bought the games, but when all you get for paying is identity theft, why would I pay next time?

    26. Re:DRM rocks! by swingerman · · Score: 1

      While it may be the case that these inherently online services have our personal information, the original commenter's post voices a viable concern. Why should I be forced to give *another* online outfit my personal information just so that I can play a game:

      (1) that I purchased from a brick-and-mortar store;
      (2) that either has no online component or where I do not plan to use any such component; and
      (3) where the requirement that I provide my personal information to such an online outfit is not clear until *after* I have opened the package and tried to install the software from the CD or DVD that I hold in my hot little hands and *after* I have eliminated my ability to return the game to the store for a refund!

      I should be free to choose with whom I share my personal information *before* being committed to providing that information or being out the money I paid for the game. That is a dichotomy which should not exist. That said, now that I have been bitten by the infernal catch-22 once, I am closely scrutinizing every single game that I consider buying and if I see "Steam" or "Valve" anywhere on the writing on the outside of the box it goes back on the shelf. I may be disappointed, but "Steam" is *not* getting any of my business and no retail establishment will benefit from receiving any money from me for any games infected with the "Steam" requirement.

    27. Re:DRM rocks! by Anonymous Coward · · Score: 0

      I love how when someone points out that consumer privacy and/or benefits have been sacrificed unnecessarily, one of the first retorts is always "don't blame them, everyone's doing it".

      How does that make it better? That doesn't excuse Steam. Rather, it means that the same condemnation applies to them.

      The poster's point was that there's no invariant rule of the universe that says a game can't be purchased and played without also having to suffer some crappy perma-service or big brother intrusion.

    28. Re:DRM rocks! by Anonymous Coward · · Score: 0

      Well ... no - the only thing you need to provide Steam to play a game you bought in a shop is your email address. You only need to provide your name/address/CC data when you buy things directly in Steam, and how would you imagine it otherwise?

    29. Re:DRM rocks! by Anonymous Coward · · Score: 0

      Not lying, and you're a jerk for assuming it. As others and you have already posted, a window pops up asking to start in offline mode. I select yes and then it gives me an error saying I couldn't. I have been playing through Portal 1 again (first time was a pirated version with no steam account) before I went out and bought Portal 2. I couldn't play because Steam wouldn't allow it. 4 days later I checked to see if Steam was updated and maybe that was my problem, nope.

      I'm older now and don't want to pirate. However, I will not be buying Portal 2. There's also many other games out there where I don't care at this point, and will not pirate Portal 2. I will simply not play it. Shame, heard it's a fun game.

      My big dilemma now is that Diablo 3 is coming out soon and it has always on Internet connection for single player mode. Crap.

      BTW, this is the New England area. We have been without power twice this year for 3 days (Irene and the recent storm). Some people for an entire week. Although I didn't lose power this second time, the adjacent neighborhood did. I believe this is where Charter's equipment was.

      I had other things I could do, but being denied an old single player game because of Steam is just BS.

    30. Re:DRM rocks! by Anonymous Coward · · Score: 0

      You don't need to put in your personal information to play games you have already purchased. Unless you consider your username, password, any email address, and the answer to a challenge question as "personal information" which, if lost, would make you "a victim of identity theft."

      You only give your billing address and credit card information to purchase games via Steam, and if you don't like that then you can still buy via PayPal which preserves your personal information.

    31. Re:DRM rocks! by Anonymous Coward · · Score: 0

      What personal information?

      All that Steam has from me is a username that I made up, a password that nobody can use because of Steam Guard, a throw away email address. A list of games that this account owns and data related to the games, like hours played and achievements.
      All games have been paid for by cash / prepaid cash cards.

      Good luck with this stolen identity.

    32. Re:DRM rocks! by Anonymous Coward · · Score: 0

      The fact that other places have screwed you over with DRM and private data acquisition doesn't mean it's okay for Steam to do so. I like Steam, but your response to the previous guy's argument that his righteous anger against being required to sign onto Steam to play the game he bought is poorly conceived. To analogize: if someone complains they were beaten unfairly by the cops, a valid argument is not, "Quit whining, lots of cops beat other innocent people in other cities all the time."

  8. Way to keep us informed? by feidaykin · · Score: 5, Insightful

    Funny that I had to read about this on Slashdot. You'd think they could send out a mass email to everyone with a Steam account, especially when credit card numbers are involved (even if they're encrypted). I hate inbox clutter as much as the next guy, but Gabe himself says to watch your credit cards for suspicious activity (which is never a bad idea), but how are Steam users supposed to know to do so if we don't read the Steam forums, or read Slashdot? Seems like they kinda dropped the ball on the whole communication thing here...

    --
    "To confine our attention to terrestrial matters would be to limit the human spirit." -Stephen Hawking

    1. Re:Way to keep us informed? by The+MAZZTer · · Score: 1

      The funny thing is the HACKERS sent out a mass e-mail to everyone with a steam forums account, advertising some steam hacks (either they are stupid and were advertising themselves or they were framing another group). Also I never actually got Gabe's email, I only read about THAT on Joystiq first.

    2. Re:Way to keep us informed? by Kral_Blbec · · Score: 1

      No kidding. I didn't get any email about this. Posting it on the forums is half-assed at best. Still better than Sony's no-ass attempt though.

    3. Re:Way to keep us informed? by Anonymous Coward · · Score: 2, Interesting

      Funny you should say that - I just logged into steam and had that message pop up as the first thing it did, good luck getting any cash out of my account though - I max it the day I get paid :-D

    4. Re:Way to keep us informed? by Gravatron · · Score: 2

      Sony was quite public about it, what are you talking about? I got emails about it, and they sent out press releases about it IIRC.

    5. Re:Way to keep us informed? by Kenja · · Score: 1

      Only forum account information was lost. If you try to connect to the forums you are told and forced to change your password.

      --
      "Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
    6. Re:Way to keep us informed? by Rockoon · · Score: 2

      My guess is that they are sending out emails, but since they literally have tens of millions of regular users (and certainly tens of millions of users that haven't connected in a long time), that might take some time.

      --
      "His name was James Damore."
    7. Re:Way to keep us informed? by cstdenis · · Score: 4, Insightful

      It sounds like they are. The article says "...below is the full email from Gabe Newell to Steam members."

      Keep in mind Steam has a hell of a lot of members. It can easily take several hours to send out that many emails.

      --
      1984 was not supposed to be an instruction manual.
    8. Re:Way to keep us informed? by Ihmhi · · Score: 1

      Steam has the ability to push out news to everyone, as well as updates. I am well aware of this as every time I close out a Steam game I am bombarded with a multi-page post of the latest deals and new releases. I'm also notified when the client has to update.

      I'm pretty sure that they have a way to push out a notice to everyone - I'm just wondering why they haven't done it yet.

    9. Re:Way to keep us informed? by IICV · · Score: 4, Informative

      The announcement also pops up after you stop playing a Steam game. Normally there's some ads when you do that, but currently the first thing that shows up is the text that Slashdot posted here. It's actually quite effective, because normally you get pictures and ads and things instead of a wall of text, so it stands out.

    10. Re:Way to keep us informed? by Anonymous Coward · · Score: 1

      two weeks AFTER it happened

    11. Re:Way to keep us informed? by pete_p · · Score: 1

      You can disable the annoying ad when you leave a game, btw. It's the "Notify me (with Steam instant messages)..." checkbox in prefs under interface.

      But yeah, they probably should have pushed a notice through Steam.

      --
      Insert wit here.
    12. Re:Way to keep us informed? by Mashiki · · Score: 1

      Funny. From the time Sony was hacked to the time I got an email on an account that was a one-time use for something particular it took them nearly 3 weeks to send out an email.

      Valve took their forums offline on the 7th, reported that they were attacked the same day. And reported today exactly what had been taken. I dunno 3 days, all the major gaming sites covered it...

      --
      Om, nomnomnom...
    13. Re:Way to keep us informed? by koolfy · · Score: 3, Interesting

      Of course they did.... two weeks after downing PSN claiming it was for maintenance.

      They HAD to do so eventually, but the point is they went into denial mode for weeks before admitting the fuckup.

      --
      Segmentation Fault in "Life, Universe and Everything" at line 42. Don't Panic.
    14. Re:Way to keep us informed? by Anonymous Coward · · Score: 0

      I got an email prior to reading about it here. Not much prior, but prior.

    15. Re:Way to keep us informed? by X0563511 · · Score: 1

      They did? I never got that one myself.

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    16. Re:Way to keep us informed? by X0563511 · · Score: 5, Informative

      as every time I close out a Steam game I am bombarded with a multi-page post of the latest deals and new releases.

      Sounds like you don't like this.
      1. Steam Menu
      2. Settings
      3. Interface Tab
      4. Uncheck the "Notify me..." box near the bottom

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    17. Re:Way to keep us informed? by DnaK420 · · Score: 1

      I got an email. So Gabe just does not like you.

    18. Re:Way to keep us informed? by watermark · · Score: 1

      I just got a notice from the Steam client with pretty much the exact wording above.

    19. Re:Way to keep us informed? by HiThere · · Score: 1

      O? Not the way I remember the stories.

      I seem to recall around a week for claims that it was maintenance, or something. (I'm not real clear, as I won't buy anything with the Sony name on it, but that's my memory.)

      The shame is that Sony was once a prime company. Of course, so was HP. I haven't quite gotten around to deciding to never do business with HP again, but I'm getting lots closer with various succeeding stories.

      This story didn't make me decide not to do business with Steam. What decided me on that was the entire "We'll rent you access to merchandise that you purchase. When we stop bothering to host it, you're hosed" model. If you think that's an acceptable deal, then I can't really complain. It's your choice. I don't find it acceptable.

      So I'm rather biased against Steam, and it still sounds like they pretty much did things right. Quite as opposed to Sony (though I'll admit that half my memories are from their root kit fiasco). Sony has in the past exhibited constructive malice towards their customers, so I don't see any reason to cut them any slack at all. And if an official spokesman for Sony says that credit card info was released in clear text, I'm going to take his word for it. If someone else who is also an official later denies it, there's been a huge number of people put to a tremendous amount of inconvenience, so I don't decline to blame Sony. These are the people who hired contractors to put a root kit on audio CDs. And then removed it so sloppily that your system would be wide open to any web site you visited. And *THEN* refused to pay for the damages.

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
    20. Re:Way to keep us informed? by Gravatron · · Score: 2

      you mean 7 days. Hack occurred on the 19th and the full disclosure of what was taken was on the 26th iirc.

    21. Re:Way to keep us informed? by Rossman · · Score: 1

      Um, if you use the Steam client, it pops up a window with the statement from Newell....I'm not sure they can do much better than that!

    22. Re:Way to keep us informed? by Anubis+IV · · Score: 5, Informative

      Sony was quite public about it, what are you talking about?

      They may have been public about the fact that there was a breach, but they were incompetent in their handling of it. And based on my e-mail archives, they never fully informed their customers of the extent to which the intruders compromised their servers. Specifically, Sony only sent out two e-mails related to the PSN outage to all of their customers: one on April 28th to say that accounts had been compromised, but that there was no evidence of credit cards having been compromised at that time, and another on June 5th to announce the Welcome Back package. From what I can tell, there was NEVER a mass e-mail to inform their PSN customers that credit card information had, in fact, been stolen, nor did they ever send out a mass e-mail to announce their identity theft protection program (or maybe I just didn't get it because I signed up for it before they sent it?).

      Here's a complete timeline including other announcements besides e-mails:
      January or February 2011 - Sony is told by security experts specifically why their server security sucks
      Early April - Various PSN outages, some because of planned Anonymous DDoS attacks
      April 17th-19th - PSN compromised (source: Sony's April 28th e-mail)
      April 21st - PSN goes down as Sony realizes something is up
      April 23rd - Sony blames outage on external intrusion; makes no mention of compromised accounts
      April 24th - Sony starts "rebuilding" PSN after attack; still no mention of compromised accounts
      April 26th - Sony admits that someone may have some account information for their 77M accounts
      April 27th - Sony confirms that some data was stolen
      April 28th - First e-mail to customers gets sent; says there is no evidence yet of credit cards having been compromised
      May 1st - Sony confirms that 10M users had credit cards compromised; promises PSN up by week's end (spoiler: it didn't happen); doesn't send an e-mail
      May 2nd - SOE goes down after they realized it was compromised too
      May 3rd - Sony admits 24.6M SOE accounts were compromised
      May - Lots more drama as Sony makes promises to have PSN up but then reneges on them repeatedly
      June 2nd - PSN finally comes back up
      June 5th - Second e-mail to customers gets sent; tells them that the Welcome Back package is now available; makes no mention of credit cards, identity theft, or how to sign up for their free identity theft protection program

      I'd hardly call it a model to follow, and I'm still hoping that Valve will make a point of e-mailing their users in the next few days. It's fine to take a few days for something like this while you track down the details, but it does need to get done properly at some point. Sony never did it properly.

    23. Re:Way to keep us informed? by Mashiki · · Score: 1

      Sounds about right. The first email I got from them was on May 4th.

      Reply-To: no-reply@soe.com
      MIME-Version: 1.0
      Message-ID:
      Subject: [Bulk] Important Customer Notification
      Date: Wed, 04 May 2011 15:05:17 -0700
      To: xxxxxxx
      From: "Sony Online Entertainment"

      --
      Om, nomnomnom...
    24. Re:Way to keep us informed? by captjc · · Score: 2

      It is also interesting to note that the daily deal on Steam today is "Day of Defeat." Coincidence or message?

      --
      Slow Down Cowboy! It's been 1 hour, 47 minutes since you last successfully posted a comment
    25. Re:Way to keep us informed? by Anubis+IV · · Score: 1

      Yeah, I forgot to note that I'm not an SOE customer, so I didn't know what e-mails they sent your guys' way. What all did they say in that message?

    26. Re:Way to keep us informed? by bluemonq · · Score: 1

      Not only are they sending emails out, it also appears as the first item in the Steam News window.

    27. Re:Way to keep us informed? by Anonymous Coward · · Score: 0

      Yeah it's strange that I read about this on slashdot instead of getting an email from steam.
      Just another reason I hate steam and only have 2 games through them because they required it to even play the game.

    28. Re:Way to keep us informed? by Mashiki · · Score: 1

      This is the canuck version but here ya go:

      May 4, 2011
      Dear Valued Sony Online Entertainment Customer:

      Our ongoing investigation of illegal intrusions into Sony Online Entertainment systems has discovered that hackers may have obtained personal customer information from SOE systems. We are today advising you that the personal information you provided us in connection with your SOE account may have been stolen in a cyber-attack. Stolen information includes, to the extent you provided it to us, the following: name, address (city, province, zip, country), email address, gender, birthdate, phone number, login name and hashed password. Customers outside the United States and Canada should be advised that we further discovered evidence that information from an outdated database from 2007 containing approximately 12,700 non-Canadian customer credit or debit card numbers and expiration dates (but not credit card security codes) may have also been obtained - we will be notifying each of those customers promptly.
      There is no evidence that our main credit card database was compromised. It is in a completely separate and secured environment.
      We had previously believed that SOE customer data had not been obtained in the cyber-attacks on the company, but on May 1st we concluded that SOE account information may have been stolen and we are notifying you as soon as possible.
      We apologize for the inconvenience caused by the attack and as a result, we have:
      1. Temporarily turned off all SOE game services;
      2. Engaged an outside, recognized security firm to conduct a full and complete investigation into what happened; and
      3. Quickly taken steps to enhance security and strengthen our network infrastructure to provide you with greater protection of your personal information.
      We greatly appreciate your patience, understanding and goodwill as we do whatever it takes to resolve these issues as quickly and efficiently as practicable.
      For your security, we encourage you to be especially aware of email, telephone, and postal mail scams that ask for personal or sensitive information. Sony will not contact you in any way, including by email, asking for your credit card number, social security number or other personally identifiable information. If you are asked for this information, you can be confident Sony is not the entity asking. When SOE's services are fully restored, we strongly recommend that you log on and change your password. Additionally, if you use your Station or SOE game account name or password for other unrelated services or accounts, we strongly recommend that you change them, as well.
      To protect against possible identity theft or other financial loss, we encourage you to remain vigilant, to review your account statements and to monitor your credit reports.
      We are committed to helping our customers protect their personal data and we will provide a complimentary offering to assist users in enrolling in identity theft protection services and/or similar programs. The implementation will be at a local level and further details will be made available shortly in regions in which such programs are commonly utilized.
      We thank you for your patience as we complete our investigation of this incident, and we regret any inconvenience. Our teams are working around the clock on this, and services will be restored as soon as possible. Sony takes information protection very seriously and will continue to work to ensure that additional measures are taken to protect personally identifiable information. Providing quality and secure entertainment services to our customers is our utmost priority. Please contact us at 1-866-436-6698 (Monday to Friday 15:00 to 22:00 GMT excluding holidays) should you have any additional questions.
      Sincerely,
      Sony Online Entertainment LLC
      ***These emails are being sent by Innovyx, our third party email distributor, and will contain either 'soe.innovyx.net' or 'soe.sony.com' in the sender field. If you have any questions conc

      --
      Om, nomnomnom...
    29. Re:Way to keep us informed? by Ihmhi · · Score: 1

      Addendum: Responses to my post seem to have gotten the impression that I don't like this, but I guess my humor doesn't always translate well across the Interwebs. I actually don't mind hearing about the latest games and deals. d:

      Also, one or two friends I've notified have said that they had gotten such a notice pushed out to them today, but I haven't seen it. It might be because Steam crashed when my computer pooped its brains today (I had to force-quit). Oh well, I've changed my password and I've informed all of my friends.

    30. Re:Way to keep us informed? by Cl1mh4224rd · · Score: 5, Informative

      They did? I never got that one myself.

      I did. I had completely forgotten about it until I read The MAZZTer's comment. I kind of shrugged it off as the usual email spoofing, but it still seemed odd at the time that it made it through Google's spam filter.

      The email, with redactions by me:

      Subject: Come join [redacted], a gaming resource community
      From: webmaster@steampowered.com

      Ever wanted to dominate the servers you play on with guaranteed results, but you were too afraid to cheat because of ban risks? Visit [redacted]. It's safe, secure and undetected.

      Along with hacks, we've also got some general discussion sections, hacking tutorials and tools, porn, free giveaways and much more. This site has been conditioned to meet all your needs in terms of resources so be sure to take a look and tell us what you think.

      Thanks again,
      the [redacted] team.

      --
      People will pass up steak once a week, for crap every day.
    31. Re:Way to keep us informed? by mjwx · · Score: 1

      It is also interesting to note that the daily deal on Steam today is "Day of Defeat." Coincidence or message?

      It's also Remembrance day. A vast conspiracy indeed.

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
    32. Re:Way to keep us informed? by shutdown+-p+now · · Score: 1

      I'm pretty sure that they have a way to push out a notice to everyone - I'm just wondering why they haven't done it yet.

      They did - that's precisely how I found out. But those things pop up only after you close a game you've been running, or restart Steam, not at any random moment (which kinda makes sense).

    33. Re:Way to keep us informed? by Anonymous Coward · · Score: 0

      We have three family members who belong to Steam and none of them (including me) got any email from Steam.

    34. Re:Way to keep us informed? by Anonymous Coward · · Score: 0

      Funny you didn't go to the source and log on to Steam to verify the veracity of your claim, as I just did. The Pop-Up News window displayed this exact text as soon as I logged in.

    35. Re:Way to keep us informed? by Anonymous Coward · · Score: 0

      Good that steam has an option "Notify me (with Steam instant messages) about additions or changes to my games, new releases, and upcoming releases." which conveniently also turns off the display of this warning.
      Wouldn't want to be interrupted in my gaming pleasure with this hacker nonsense.

    36. Re:Way to keep us informed? by CronoCloud · · Score: 1

      Yep, direct e-mail on the 26th, I just checked it.

    37. Re:Way to keep us informed? by CronoCloud · · Score: 1

      Was it a station SOE account? IIRC they weren't certain those were affected, so they sent those accounts information later, after the PSN users.

    38. Re:Way to keep us informed? by Splab · · Score: 1

      Odd, I haven't gotten a mail nor does anything in the steam client I have indicate they have had any kind of trouble.

    39. Re:Way to keep us informed? by Anonymous Coward · · Score: 0

      I'm surprised too. There was nothing in the "update news" as the game I was playing downloaded updates this morning. Just the usual bug fixes. I realize it is supposed to be news about updates, but they put all sorts of other things in there and you'd think they'd make an exception for this kind of news.

      It doesn't help that the ONLY thing I use the e-mail account for that is attached to Steam is Steam-related stuff. I don't read it regularly. Ever.

    40. Re:Way to keep us informed? by JohnnyBGod · · Score: 1

      Nope, never got it.

    41. Re:Way to keep us informed? by Anonymous Coward · · Score: 0

      It's a strange way indeed. Sony at least sent an email, but that was a more severe breach. Steam at least added a message on login and, to be fair, there is no evidence that anything more than forum passwords have been obtained.

    42. Re:Way to keep us informed? by Anonymous Coward · · Score: 0

      This. This right here.

      Valve gets zero credit for the way they handled this. If they really valued their customer base, they'd have made sure everybody knew. I don't use the Steam forums, so this Slashdot story was my first heads-up.

    43. Re:Way to keep us informed? by Anonymous Coward · · Score: 0

      It was broadcast via steam on the news update. Can't fire it up without the news popping up.

    44. Re:Way to keep us informed? by tibman · · Score: 1

      I did too. But right after playing a game of DOW2, blam! a message from Gabe.

      --
      http://soylentnews.org/~tibman
    45. Re:Way to keep us informed? by Anonymous Coward · · Score: 0

      sheit... I read in a newspaper yesterday that it happened on Sunday... WTF, Slashdot is behind as usual, repost, nothing to see move on.

  9. Prevention by salemboot · · Score: 0

    SQL Injection? Come on Valve. Get your Database Specialist some training.

    1. Re:Prevention by Bobfrankly1 · · Score: 1

      SQL Injection? Come on Valve. Get your Database Specialist some training.

      Where are you getting SQL injection from? Database access != SQL injection.

    2. Re:Prevention by X.25 · · Score: 1

      SQL Injection? Come on Valve. Get your Database Specialist some training.

      And you know it was an SQL injection because ... ?

    3. Re:Prevention by laffer1 · · Score: 1

      This comment makes absolutely no sense. Let's say it was SQL injection, then it would be a programmer's fault.

  10. Oh Shi- by Anonymous Coward · · Score: 0

    I accidentally just like Sony!?!

  11. How hard are the passwords to crack? by Galaga88 · · Score: 2

    I'm not worried about my Steam password, I can go change it when I get home, it was fairly complex, and it's not a reused password anywhere else, but how hard would it be to crack these?

    For those of us who aren't cryptography experts, does cracking one of the easy passwords (love, password, money) then help crack the more complex ones (m4sT3rm!nd)? I'm guessing this is crypto 101 stuff.

    I am glad I no longer store credit card information with steam, and only used PayPal (and have an authentication card attached to my PP account.)

    1. Re:How hard are the passwords to crack? by Kenja · · Score: 1

      Keep in mind, you can't log into a Steam account from an unregistered computer (assuming you didn't turn the security checks off). If someone tries, they need to enter a code that gets emailed to you. So I'm having a hard time figuring out what anyone can do with the information other than build a list of email addresses to try and use for phishing scams. Granted, if you stored your CC number in Steam you may have a problem.

      --

      "Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
    2. Re:How hard are the passwords to crack? by Beryllium+Sphere(tm) · · Score: 4, Informative

      No, each one is an independent problem.

      None of the weaknesses that have been discovered in common hashes allow reversing them (which is in general impossible anyway since an infinite number of inputs could lead to the same hash, it's just infeasible to find them).

      The "crack" is just high-speed testing of possible passwords. Modern cracking software is actually fairly sophisticated about trying substitutions on dictionary words.

      Use a passphrase unless there's some stupid limit on password length.

    3. Re:How hard are the passwords to crack? by Spad · · Score: 1

      General rules are: Mixed case/numbers/symbols all make them hard to crack but not as much as making them longer.
      Cracking simple encrypted passwords will not help you crack any more complex ones unless Valve have done something horribly wrong in terms of encrypting them.

    4. Re:How hard are the passwords to crack? by Anonymous Coward · · Score: 1

      Of course people stored their CC numbers in Steam. Steam gamers buy a lot of games, and they trusted Valve. So yes, a lot of people are screwed, including this anonymous coward.

    5. Re:How hard are the passwords to crack? by Anonymous Coward · · Score: 0

      I'm not worried about my Steam password, I can go change it when I get home, it was fairly complex, and it's not a reused password anywhere else, but how hard would it be to crack these?

      For those of us who aren't cryptography experts, does cracking one of the easy passwords (love, password, money) then help crack the more complex ones (m4sT3rm!nd)? I'm guessing this is crypto 101 stuff.

      I am glad I no longer store credit card information with steam, and only used PayPal (and have an authentication card attached to my PP account.)

      You should probably read this:

      http://xkcd.com/936/

    6. Re:How hard are the passwords to crack? by alcourt · · Score: 2

      Knowing one password does not materially help attacks on other passwords. However, depending on the algorithm used, it may be possible to brute force the password. For example, if the old Unix crypt(3c) algorithm is used, then most passwords can be brute forced in reasonable time now. Recent advances have led to use of the graphics card on your system to perform those attacks.

      Longer hashes like MD-5 are significantly harder as they support a much longer search space, but few people use a password over twelve characters. Certainly, any password under seven characters should be considered vulnerable, regardless of algorithm used to salt/hash them.

      Assuming (big if) they are using standard password hashing algorithms, long (at least 15 characters long) passwords that are pasted, not typed, because they are completely randomly generated are your best protection in such cases.

      Passwords are just evil though.

      --
      "I may disagree with what you say, but I will defend unto the death your right to say it." -- Voltaire
    7. Re:How hard are the passwords to crack? by mug+funky · · Score: 1

      gabe says the passwords are salted.

      this means random strings of text are added to your password before hashing.

      this is extremely difficult to crack - leaves you having to bruteforce it, as rainbow tables become nearly useless.

    8. Re:How hard are the passwords to crack? by Kenja · · Score: 1

      I am a Steam customer, I buy a lot of games, I don't store my credit card information any place other than my wallet. And keep in mind, the CC numbers themselves may not have been taken. They are in a separate table and, as the email says, they have no evidence that it was touched.

      --

      "Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
    9. Re:How hard are the passwords to crack? by Anonymous Coward · · Score: 0

      Cracking a few passwords would reveal how Steam salts the passwords before hashing. This would help in cracking other passwords by being able to apply the salting to dictionary-based attacks etc.

    10. Re:How hard are the passwords to crack? by LordLimecat · · Score: 1

      General rules are: Mixed case/numbers/symbols all make them hard to crack but not as much as making them longer.

      Wrong, unless you are talking really short passwords, in which case you're REALLY wrong.

      For starters, lower case, 5-character passwords have 11 million possibilities. A 4 character, mixed case alphanumeric has 14 million. As you add characters, the difference widens.

      And for the SHORT passwords, there are already rainbow tables for lowercase-only up to 7 characters widely available. Mixed alphanumeric are harder to find and generate, and if you add symbols, rainbow tables start to become worthless. Additionally, when you have that short of a password, it is generally HIGHLY susceptible to dictionary attacks if it is single case alpha-only.

      You want a good password? Go for one or two characters shorter (assuming you have more than 8 characters), and add one or two character classes instead-- preferably a non-standard symbol like alt+15 or alt+21 (which work in most scenarios, and are unlikely to be in a hacker's scope).

    11. Re:How hard are the passwords to crack? by Spad · · Score: 1

      Sorry, poorly phrased.

      What I meant was that if your password is "password" (i.e. 8 character lowercase) then it's one of ~208 million possibles. Making it "Pa55w0rd" (mixed case + numbers) ups that to ~218 billion, whereas adding just one character and making it "passwordd" ups it to ~5 trillion and is arguably much easier to remember.

    12. Re:How hard are the passwords to crack? by Spad · · Score: 1

      Ugh, sorry, my math is way off, you need to add 3 letters to get higher complexity than adding mixed-case + numbers but it's still generally easier for people to remember 3 extra letters than a random combination of case and numbers.

    13. Re:How hard are the passwords to crack? by Anonymous Coward · · Score: 0

      Ok. But if the server was compromised, could the hackers not just grab the code that encrypts and decrypts the data, including the salts used? I know in PHP it is simple to encrypt and decrypt but most (dipshit) devs just leave the salt in the code. Encrypting the salt won't work if it is referenced in the code and available on the server. What do you do?

    14. Re:How hard are the passwords to crack? by Zaphod+The+42nd · · Score: 1

      Just enable Steam Guard, which requires additional authentication from unknown IPs. Boom.

      --
      GCS/MU/P d- s:- a-- C++++$ UL++ P+ L++ E+ W++ N o K- w--- O M+ V- PS+++ PE Y+ PGP t+ 5- X R++ tv+ b++ DI++ D++ G+ e++ h-
    15. Re:How hard are the passwords to crack? by Anonymous Coward · · Score: 0

      My question is, have the attacks stopped and is the path of intrusion blocked?
      Is it useful to change your password now, or would the hackers simply come back and grab the new one as well? Or even worse, have they perhaps modified the server software to automatically send them any new passwords unencrypted as you set them?

    16. Re:How hard are the passwords to crack? by Anonymous Coward · · Score: 2, Informative

      The passwords are hopefully stored in one way non-reversible hashes, not encrypted. There is no decrypt, even with the salt. To compare a password, you would compare a hash of the entered data with the hash that's in the database and see if they match.

      To get the password, you'd have to find a same grouping of letters that creates the same hash as the password, which takes forever as they aren't reversible (We're also assuming the passwords aren't hashed using a compromised hashing algorithm). Rainbow tables are generated to provide a quick way around this; they're basically a list that says this password = this hash. So they can just look up the hash in the table and grab the password. Adding a salt makes those common rainbow tables useless as the hashes won't match the ones in the database, so the hackers would have to generate their own tables. This is very time consuming, even if they had the salt. In addition, as a 3rd level of complexity, even if the salt was stored right next to the password in the database, but unique for each account, the hackers would need to create a rainbow table for each account to retrieve a matching hash.

      Those devs aren't (always) dipshits.
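
As an added illustration of the scheme this comment and the bcrypt remark further down describe (not code from Valve or from anyone in the thread), here is a per-account salted, one-way hash with a verify step and no decrypt path. It assumes PBKDF2-HMAC-SHA256 with an iteration count chosen for this example; bcrypt, scrypt or Argon2 fill the same role. The user records are constructed.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Work factor for PBKDF2: an assumed value for this example. Tune it so one
# hash costs a noticeable fraction of a second on the server; the same cost
# is paid per guess by anyone who steals the table.
ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) for a new account record.

    The salt is random and unique per account and is stored in the clear
    next to the digest; it is not a secret. Its job is to make the hash of
    "password" differ between accounts, so a precomputed password -> hash
    table (or the salt learned from one cracked row) helps with one row only.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored_digest: bytes) -> bool:
    """Recompute the hash with the stored salt and compare in constant time.

    There is no decrypt step: the server never recovers the password, it
    only checks whether the candidate hashes to the stored value.
    """
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored_digest)


def demo_shared_password() -> bool:
    """Two constructed accounts with the same password: are the digests equal?"""
    records = {name: hash_password("password") for name in ("alice", "bob")}
    return records["alice"][1] == records["bob"][1]  # False with per-account salts


if __name__ == "__main__":
    salt, digest = hash_password("correct horse battery staple")
    print("stored row:", salt.hex(), digest.hex())
    print("login ok:", verify_password("correct horse battery staple", salt, digest))
    print("same digest for shared password:", demo_shared_password())
```

The salt column answers the question asked two comments up: it does not matter that an intruder reads the salts, because they only remove the shortcut of a shared precomputed table; every guess still has to be hashed once per account at the full work factor.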

    17. Re:How hard are the passwords to crack? by LordLimecat · · Score: 1

      Yes, it was.
      8-length mixed alphanumeric=2.18 *10^14 (218 trillion)
      8 length lower case= 2.08 * 10^11 (208 billion)
      9 length lowercase = 5.4 * 10^12 (5 trillion)

      You are correct, as was I-- for just 2 characters, mixed case + numbers provides more security. Adding 3 characters rather than mixed case theoretically is better-- but if it results in a dictionary word, it is far far worse. Numbers + mixed case help mitigate dictionaries quite a bit.

      Additionally, lowercase only rainbow tables are going to be more common than mixed-case, since mixed case tables are much larger (2^n larger where n is length).

    18. Re:How hard are the passwords to crack? by zippthorne · · Score: 1

      m4st3rm!nd isn't nearly as complex as you think. It's barely more secure than "password" excepting that password is the first password in the password dictionary...

      Did you not read the xkcd a few weeks ago about this very subject?

      --
      Can you be Even More Awesome?!
    19. Re:How hard are the passwords to crack? by laffer1 · · Score: 1

      A common approach is to make a long list based on a dictionary. Some software will generate the list and also add numbers to it. Then the hashes are computed for each word and tested against the hashed password. They don't actually need to match the word just something that hashes equivalently to it. So there's actually more than one "answer" that works.

      The problem is that you can generate a list in a few days and, using modern graphics cards, crack quite a few things in a short amount of time. Some websites make it harder by combining something unique with each password before it's hashed. That way one table won't work for every password to test.

    20. Re:How hard are the passwords to crack? by Anonymous Coward · · Score: 0

      They have the salts and hashes. Doesn't matter too much now how complex your pw was.
      Pay Pal has a bad history as well.
      I don't know Steam's environment, but if you've had your card on file in the past, your info could still be in the db, but marked inactive in case you were a returning customer or something.
      At this point, I wouldn't assume your data is safe.
      This goes for any information you hand out. You're assuming it's safe on THEIR servers.

    21. Re:How hard are the passwords to crack? by Splab · · Score: 1

      How do you suppose steam charges your credit card without storing the CC?

      If you have used a CC, they have it on their books and it might be compromised.

    22. Re:How hard are the passwords to crack? by Anonymous Coward · · Score: 0

      Did you know that using a bunch of random words as password offers as much protection as a string including non-alphanumeric characters? It's true, and easier to remember.

    23. Re:How hard are the passwords to crack? by Anonymous Coward · · Score: 0

      Even more so if unique account info is also added to the password before hashing, so the hashes for common passwords aren't visibly the same.

    24. Re:How hard are the passwords to crack? by jgtg32a · · Score: 1

      I'm about 99.99% certain if they did that it would be a massive violation of PCI

    25. Re:How hard are the passwords to crack? by Anonymous Coward · · Score: 0

      m4sT3rm!nd might not be as complex as you think. The better password cracking programs out there will try common substitutions to dictionary words. So it might be that 'love', 'password' and 'money' get cracked within seconds whilst 'm4sT3rm!nd' takes a few hours. Either way you're screwed.
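
The point made here and in the "m4st3rm!nd isn't nearly as complex as you think" comment above is that crackers undo common substitutions, so a service should undo them too when it decides whether to accept a new password. The following is an added example, not code from Valve or from anyone in the thread; the word list and substitution map are constructed and deliberately tiny (a real check would use a large dictionary plus leaked-password lists).

```python
import re
from typing import Optional

# Constructed word list for the example; a real checker loads a large one.
DICTIONARY = {"love", "password", "money", "mastermind", "dragon", "letmein"}

# Substitutions that mangling rules apply, so the strength check reverses them.
LEET = {
    "4": "a", "@": "a", "3": "e", "1": "i", "!": "i", "|": "i",
    "0": "o", "5": "s", "$": "s", "7": "t", "+": "t",
}


def normalize(password: str) -> str:
    """Lowercase the password and map leet characters back to letters."""
    return "".join(LEET.get(ch, ch) for ch in password.lower())


def dictionary_base(password: str) -> Optional[str]:
    """Return the dictionary word the password is derived from, or None.

    Checks the whole string and the string with a few leading/trailing
    digits or symbols removed ("password123!"), each after de-leeting.
    """
    raw = password.lower()
    stripped = re.sub(r"[^a-z]{0,4}$", "", raw)
    stripped = re.sub(r"^[^a-z]{0,2}", "", stripped)
    for candidate in (normalize(raw), normalize(stripped)):
        if candidate in DICTIONARY:
            return candidate
    return None


def is_acceptable(password: str, min_length: int = 12) -> bool:
    """Policy for this example: long enough and not a dressed-up dictionary word."""
    return len(password) >= min_length and dictionary_base(password) is None


if __name__ == "__main__":
    for pw in ("m4sT3rm!nd", "Pa55w0rd", "password123", "rdLRslj67aqJ"):
        print(f"{pw:14s} derived from: {dictionary_base(pw)!s:12s} acceptable: {is_acceptable(pw)}")
```

Both "m4sT3rm!nd" and "Pa55w0rd" normalize to plain dictionary words and are rejected; the random 12-character string from the 1Password comment further down passes, which is the asymmetry the thread keeps circling back to.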

    26. Re:How hard are the passwords to crack? by gajop · · Score: 1

      Aside from a single crypto class I had at my university, and a friend who's an expert at these things, I don't know much.

      However, from what little I could grasp from the summary, they were using salts (and hashes, which is the bare minimum) to save passwords.
      The main idea of salts is to prevent people using rainbow tables (precalculated password -> hash mappings), and just doing reverse lookups to obtain a password from hashes.
      However, it still doesn't mean any real security if they didn't use at least something as good as bcrypt for hashing (bcrypt actually encrypts salts with hashes iirc); MD5 and SHA can be cracked fast enough on today's computers.

      I'm much more worried about credit card information, how exactly have they been encrypting it (remember, they had to access it themselves)? They had to keep the keys for decryption somewhere, and it's worrying if those keys are compromised.

    27. Re:How hard are the passwords to crack? by Anonymous Coward · · Score: 0

      It entirely depends on length and complexity. If your password is made of random characters from a US keyboard, then every character in it makes it 100 times harder to crack. It becomes uncrackable (today) somewhere around 11 characters in length.

      On the other hand, if your password is a word, a permutation of a word ("p@ssw0rd"), or from a limited set of characters (all lowercase) then you are toast. Sorry.

      A pass phrase 20+ characters in length might stand a chance, so long as it isn't something predictable.
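
The search-space arithmetic that LordLimecat and Spad trade above, the "random words" claim a few comments up, and the "100 times harder per character" rule just stated all reduce to one formula, alphabet^length. The block below is an added worked example, not from anyone in the thread; the word-list size (7776) and the guess rate (10^9 per second) are assumed values for the comparison, and the numbers it produces match those quoted in the thread.

```python
import math

# Alphabet sizes as counted in the thread: lowercase only, mixed-case
# alphanumeric, and all printable US-keyboard characters.
LOWER = 26
MIXED_ALNUM = 26 + 26 + 10
PRINTABLE_ASCII = 95
# Size of a diceware-style word list (assumed: the common 7776-word list).
WORDLIST = 7776


def search_space(length: int, alphabet: int) -> int:
    """Number of distinct secrets of `length` symbols drawn uniformly from `alphabet`."""
    return alphabet ** length


def entropy_bits(length: int, alphabet: int) -> float:
    """log2 of the search space; every extra symbol adds log2(alphabet) bits."""
    return length * math.log2(alphabet)


def extra_lowercase_needed(base_length: int, richer_alphabet: int) -> int:
    """How many extra lowercase letters match `base_length` symbols of a richer alphabet."""
    target = search_space(base_length, richer_alphabet)
    length = base_length
    while search_space(length, LOWER) < target:
        length += 1
    return length - base_length


def worst_case_seconds(length: int, alphabet: int, guesses_per_second: float) -> float:
    """Time to exhaust the space at an assumed guess rate.

    Only meaningful for uniformly random secrets: a dictionary word or a
    mangled one is found long before its nominal space is exhausted.
    """
    return search_space(length, alphabet) / guesses_per_second


def compare(guesses_per_second: float = 1e9) -> dict:
    """Worked comparison of the schemes argued about in the thread."""
    schemes = {
        "8 lowercase": (8, LOWER),
        "8 mixed alphanumeric": (8, MIXED_ALNUM),
        "11 lowercase": (11, LOWER),
        "11 printable ASCII": (11, PRINTABLE_ASCII),
        "4 random words": (4, WORDLIST),
    }
    return {
        name: (round(entropy_bits(n, a), 1), worst_case_seconds(n, a, guesses_per_second))
        for name, (n, a) in schemes.items()
    }


if __name__ == "__main__":
    for name, (bits, secs) in compare().items():
        print(f"{name:22s} {bits:6.1f} bits  ~{secs / 86400:.3g} days at 1e9 guesses/s")
```

Running it reproduces the thread's figures: 26^8 is about 2.09e11, 62^8 about 2.18e14, and three extra lowercase letters (26^11) are what it takes to overtake eight mixed-case alphanumerics. Four random words from a 7776-word list come out at roughly 51.7 bits, in the same range as a nine-character mixed alphanumeric string, which is the substance of the xkcd strip the thread keeps linking.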

    28. Re:How hard are the passwords to crack? by Just+Some+Guy · · Score: 1

      Use a passphrase unless there's some stupid limit on password length.

      I use 1Password to generate and store unique passwords for every site and service I use (but any other secure generator would do as well). Assuming a site uses hashes correctly, good luck cracking passwords like "rdLRslj67aqJ".

      --
      Dewey, what part of this looks like authorities should be involved?
    29. Re:How hard are the passwords to crack? by Ash+Vince · · Score: 1

      I am glad I no longer store credit card information with steam, and only used PayPal (and have an authentication card attached to my PP account.)

      I have been meaning to update the credit cards I have stored on my steam account for ages. Both of them have been cancelled recently as they got cloned when I was visiting Prague.

      Hope whoever stole the customer data has lots of fun when they try and use them :)

      --
      I don't read /. to RTFA, I read /. to offend people in ignorance.
  12. Re:Fuck people. by Anonymous Coward · · Score: 1

    I hate you too.

  13. Dear Bethesda by phrostie · · Score: 0

    please don't make me use Steam to use a game i've bought disks for.

    1. Re:Dear Bethesda by ADRA · · Score: 1

      It's either that or you have antiquated schemes from the likes of EA where you still (in this day and age) keep the disc in the drive for the entire time playing the game. I'd hate doing that today and I'm pretty bad at jumping between games in a given sit-down.

      --
      Bye!
    2. Re:Dear Bethesda by phrostie · · Score: 1

      I'd rather use the disks

    3. Re:Dear Bethesda by Nidi62 · · Score: 1

      Actually, now EA makes you use their version of Steam, plus you have to go through a web browser to play single player or multiplayer (BF3)

      --
      The only thing necessary for evil to triumph is for it to be pitted against a slightly greater evil
    4. Re:Dear Bethesda by cheekyjohnson · · Score: 1

      Or they could just... not do any of that.

      --
      Filthy, filthy copyrapists!
    5. Re:Dear Bethesda by geminidomino · · Score: 1

      OR they could just stop being tossers about it at all.

      But that would require admitting that three decades' plus of copy protections/DRM schemes were a complete waste of resources, so yeah, I agree with parent. At least with the ancient "disc required" I know I can reinstall the damn game on my new laptop, or a few years down the line after a system crash, or whatever.

      Until Valve either takes out the "we can close your account whenever the fuck we want" clause from the T&Cs, or changes the "option" to "guarantee" that they will provide standalone copies of purchased software, Steam can rot and they can blow me. I don't care if they're everyone's darling compared to EA (not saying much). "They wouldn't do that" doesn't hold much credibility as long as they feel the need to keep the ability to "do that" in reserve.

    6. Re:Dear Bethesda by Anonymous Coward · · Score: 0

      Those aren't the only 2 options. Oblivion didn't have any protection (at least in the original US release) and it sold very well.

      Skyrim, unfortunately, uses steam... A single player game, purchased on DVD, and it requires a connection to the mothership before it will grant you the privilege of playing.

  14. SO thankful right now by ludomancer · · Score: 0, Troll

    I really love Steam. I can't recount the number of times someone broke into my house, stole my entire game library, AND my credit card, and then used my credit card to buy tons of other games on it, and send mail to all my friends posing as me. Steam is so worth the convenience of not having to get out of my chair, go to a store, and pick up a physical copy of entertainment that I will probably revisit for years on end.

    Thank you Valve!!

    1. Re:SO thankful right now by grantek · · Score: 1

      I (no sarcasm) love Steam, and didn't expect a large-scale intrusion like this, but after the fun and games around the PSN intrusions, I removed my CC details from my Steam account.

      It was so easy to buy games with a couple of clicks, and I do miss that, but I must admit a little smugness now over my decision...

      I just hope Paypal is on top of their security, because by design they're more heavily linked into people's finance.

    2. Re:SO thankful right now by Anonymous Coward · · Score: 0

      I really love Steam. I can't recount the number of times someone broke into my house, stole my entire game library, AND my credit card, and then used my credit card to buy tons of other games on it, and send mail to all my friends posing as me. Steam is so worth the convenience of not having to get out of my chair, go to a store, and pick up a physical copy of entertainment that I will probably revisit for years on end.

      Thank you Valve!!

      Let me know when this actually happens and you might actually have a valid point. You're being intentionally dishonest. There's a big difference between what you described and "our forum server was compromised and they may or may not have seen some *encrypted* billing data."

    3. Re:SO thankful right now by Baloroth · · Score: 1

      And this incident hasn't added to that count at all! Unless you know something we don't, a) steam accounts weren't compromised, b) CC numbers weren't compromised, and c) pretty much everything important that was compromised was either hashed and salted (forum passwords only, separate from Steam accounts) or encrypted.

      Of course, if someone did break into your house and steal your game collection, you would have nearly zero chance of getting it back. With Steam, you almost certainly could.

      --
      "None can love freedom heartily, but good men; the rest love not freedom, but license." --John Milton
    4. Re:SO thankful right now by Anonymous Coward · · Score: 0

      Or, you know, you could have actually gotten out of your chair, gone to a store, and picked up a physical copy of whatever. But you didn't. Sounds like you've been enjoying the convenience just fine up until this point, just like the rest of us. Don't be a tool.

    5. Re:SO thankful right now by LordLimecat · · Score: 1

      I really love Steam. I can't recount the number of times someone broke into my house, stole my entire game library, AND my credit card, and then used my credit card to buy tons of other games on it,

      Are you saying that's happened? The article doesn't mention that. They mention an intrusion where nothing seems to have been taken, things were properly salted and encrypted, and the issue was noticed quickly.

      If you have contrary evidence, I'm sure it would make a good news story, you should probably report it.

  15. hah by geekoid · · Score: 4, Funny

    Secretly stabbed in the back, huh Valve? See Spies are overpowered and DO indeed, SUCK. Jerkwads.

    --
    The Kruger Dunning explains most posts on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
    1. Re:hah by Bobfrankly1 · · Score: 3, Funny

      Secretly stabbed in the back, huh Valve? See Spies are overpowered and DO indeed, SUCK. Jerkwads.

      You're just upset *backstab* because you have difficulty *MEDIC!!!! backstab* spy-checking as a *backstab, cloak* pyro. Perhaps if you stopped standing in one place *backstab, backstab, miss, backstab* and developed your pyro techniques, you would find spies to be *sapper, backstab, die from being on fire* easy prey.

    2. Re:hah by Anonymous Coward · · Score: 0

      Now this one made me smile. :D

    3. Re:hah by Anonymous Coward · · Score: 0

      What?

  16. Re:Fuck people. by geekoid · · Score: 1

    You could learn about bias confirmation and statistics. Then you would realize that the vast majority won't do something like that.

    --
    The Kruger Dunning explains most posts on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
  17. This is Valve's fault by Liambp · · Score: 1

    I'm a fan of Steam but I am mad as hell that they let this happen. It is not as if they weren't an obvious target given the number of game companies that have been hit before. This is Valve's fault. They screwed up big time and a limp apology from Gabe Newell doesn't make me feel any better.

    1. Re:This is Valve's fault by Ihmhi · · Score: 1

      To be fair, they could be the best company in the world and it would still take time for them to figure out what exactly happened and how they are going to remedy it. Give them some time. Accidents happen, mistakes happen, and there's really no way of knowing what the end result will be until they've had time to investigate further and decide on a solution. The fact that Steam got this information out so quickly is a good sign in my eyes.

    2. Re:This is Valve's fault by Anonymous Coward · · Score: 0

      If somebody wants to hack a company, eventually they will break in. What sets Steam apart is the multiple contingency layers they had that Sony did not, i.e. encrypting the credit card numbers, salting the password hashes, using Steam Guard, etc.

      Expect compensation once there is a case where all the checks fail, but I don't think you'll be seeing CC activity that isn't yours soon.

    3. Re:This is Valve's fault by Spad · · Score: 4, Insightful

      Until we have real information about how they were hit, it's difficult to make any assumptions about how badly Valve may have screwed up.

    4. Re:This is Valve's fault by f()rK()_Bomb · · Score: 1

      How exactly did they screw up? It seems to me they did everything right. Encrypted, salted, hashed passwords and data. Having a break in is not a screwup, it's virtually impossible to make a computer connected to the Internet invulnerable. You seem to think valve handed a hacker the keys like Sony did, which we don't know, but seems unlikely considering how careful valve were about encrypting the data.

      --
      "The space elevator will be built about 50 years after everyone stops laughing." - Arthur C. Clarke ~1980
  18. PCI Compliance by Anonymous Coward · · Score: 1

    Why does Valve store Credit Card numbers? I thought this was a big no-no.
    Before you respond, credit card profiles (name, address, cc#) can be stored by the secure merchant gateway rather than your local database. You only store a unique key like a GUID that can only be used by your merchant account.

    1. Re:PCI Compliance by X0563511 · · Score: 2

      Yep. That's called a reference transaction. Someone needs to go do some homework before continuing to accept credit cards.

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    2. Re:PCI Compliance by Anonymous Coward · · Score: 0

      Uh, no. You are allowed to store encrypted credit card numbers.

  19. Accidental irony by Shillo · · Score: 5, Funny

    Today's daily deal on Steam is: Day of Defeat.

    Couldn't have made a better choice myself.

    --
    I refuse to use .sig
    1. Re:Accidental irony by RobDollar · · Score: 1

      Brilliant observation! Also, the original DoD is a great game, worth picking up if you don't mind your details being published to the internet.

  20. Re:Fuck people. by mark_elf · · Score: 1

    In this thread, bias confirmation and statistics prove that people are good. Don't hate them!

  21. Skyrim DRM by Anonymous Coward · · Score: 0

    So, how's that Steam requirement for your single player game working out for you, Bethesda?

    1. Re:Skyrim DRM by flimflammer · · Score: 1

      Probably perfectly fine because anyone who purchases Skyrim in shops doesn't need to enter any personally identifiable information in order to create a Steam account. The only requirement is a throwaway email address.

  22. Whew! by Bobfrankly1 · · Score: 5, Funny

    Good thing I just followed the e-mail that just arrived and changed my password then! I'm fortunate to have found it in my junk mail. Weird that Steam is requiring social security numbers to change passwords now.

    1. Re:Whew! by the_Bionic_lemming · · Score: 1

      I would have liked to have an email instead of finding out a week later on Slashdot.

      --
      _ _ _ Go for the eyes Boo! GO FOR THE EYES!
    2. Re:Whew! by Jorl17 · · Score: 1

      I don't think you got the joke ;)

      --
      Have you heard about SoylentNews?
    3. Re:Whew! by the_Bionic_lemming · · Score: 1

      I got the joke, and realized at the same time the joke was on us.

      Getting an email a week ago would have allowed me to actually start changing passwords before there was a chance of financial loss.

      A post on a forum that I seldom visit means jack shit to me when an email saying "you might have problems" would be a better heads up. Maybe even letting me know when I go into Steam to play my games would have been cool.

      If it hadn't been for slashdot, I'd still be exposed to credit fraud.

      --
      _ _ _ Go for the eyes Boo! GO FOR THE EYES!
  23. This is why I don't by s.petry · · Score: 1

    I trust no company to hold my data on the internet, plain and simple. I hope I'm not alone in stating that quality and security on the Net took a back seat long ago to IP law, and profit margins. If you put it on the Interwebtube, expect that a bad guy has it. It's a sad reality, but still a reality.

    And yes, shame on Steam for not notifying users the day they discovered the problem. Finding out 4 days later, from an external company is not excusable. I'm sure they will blame a 3rd party for the break in claiming it's not their code or design that's the problem too.

    --
    -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

    1. Re:This is why I don't by artfulshrapnel · · Score: 1

      They sent out an email the day the incident occurred. I have it in my inbox archive right now.

      If your email is out of date, or you've told it to treat Steam notifications as spam mail, that's not their fault.

  24. PCI standards by Coolhand2120 · · Score: 1, Interesting

    Like most other "too big to obey rules" companies Valve just ignores PCI standards of keeping credit card information. PCI standards require that adherents not keep credit card information in a digital format, making it impossible to steal. Of course Valve can't be bothered to allow the annoyance of filling out a credit card form to break the urge to buy their [another person's] software. Now if you've ever used Steam your credit card data is most likely compromised.

    It sounds to me like they don't have a clue how many servers were compromised so I'll just go ahead and assume the hackers have the encryption key for the CC data and salt for the hashes. Now a simple rainbow table is required and then the hackers have your password/email - hope you don't use the same password on your banking site! Valve's way of saying "thanks for using Steam".

    1. Re:PCI standards by Anonymous Coward · · Score: 0

      I'll just go ahead and assume the hackers have the encryption key for the CC data and salt for the hashes.

      Now a simple rainbow table is required and then the hackers have your password/email

      You clearly have no idea how or what a rainbow table is used for.

      I would rather my CC be encrypted in a database someplace than have it written down on a piece of paper in the clear for the garbage man to find when they are taking out Valve's trash.

    2. Re:PCI standards by Anonymous Coward · · Score: 0

      PCI standards require that adherents not keep credit card information in a digital format

      That's not even remotely true.

    3. Re:PCI standards by Coolhand2120 · · Score: 1

      You clearly have no idea how or what a rainbow table is used for.

      From Wikipedia: Rainbow Table

      A rainbow table is a precomputed table for reversing cryptographic hash functions, usually for cracking password hashes.

      I design software that stores password hashes. It uses the same cryptographic hash functions to store passwords (SHA1 probably). If you have the salt you can use a rainbow table to figure out the hash. That's the only reason rainbow tables are used, so clearly you don't know what you're talking about.

      I would rather my CC be encrypted in a database someplace than have it written down on a piece of paper in the clear for the garbage man to find when they are taking out Valve's trash.

      That's right, you would rather suffer from a hypothetical problem that hasn't and probably would never happen, than suffer from the problem that actually did happen, again and again to numerous large companies. You can lock up your building enough to prevent garbage men from taking your un-shredded trash, but can you lock up your computers enough? Wait. That's a rhetorical question, the answer is no.

    4. Re:PCI standards by Coolhand2120 · · Score: 1
      Maybe you should read the PCI guidelines before you shove your anonymous foot in your coward mouth. From the doc:

      Investigations after compromises consistently show common PCI DSS violations, including but not limited to:

      Storage of magnetic stripe data (Requirement 3.2). It is important to note that many compromised entities are unaware that their systems are storing this data. I could find Requirement 3.2 but I'm pressed for time right now.

      Read all the docs here:
      https://www.pcisecuritystandards.org/security_standards/documents.php?category=saqs

      Make sure you're right before you tell other people they are wrong.

    5. Re:PCI standards by Anonymous Coward · · Score: 0

      Not true about PCI standards. There are levels of standards regarding what can be kept, how it can be stored, what measures are used to control access to it, and what policies are in place to enforce all that. The levels determine what degree of auditing is required. But there's no simple "You can't keep it in digital format" nonsense. It's a massive bureaucratic mess that no normal person can comprehend. You need the equivalent of a law degree just to understand the basics.

    6. Re:PCI standards by alcourt · · Score: 2

      PCI DSS does not prohibit storing the full payment account number (PAN) electronically, as long as it is encrypted. The note on PCI DSS 3.2.1 specifically talks about retaining the PAN in the normal course of business. PCI DSS 3.2.2 does prohibit storing the security code printed on the back, or the full magnetic track data. PCI DSS 3.4's requirement to render the PAN unreadable when stored makes it clear that storing that credit card number is permitted, if it is properly protected. The definition of properly protected is given.

      I read the announcement as saying that the same database that housed some of the forum data also housed PAN data, but that they were claiming that table of the database was encrypted and thus don't believe it compromised.

      One could argue that PCI DSS 2.2.1 (implement only one primary function per system) was violated, but that is debatable based on the few details publicly available.

      There is too little available to gauge the incident at this time and guess specific PCI compliance failures.

      --
      "I may disagree with what you say, but I will defend unto the death your right to say it." -- Voltaire
    7. Re:PCI standards by alcourt · · Score: 1

      PCI DSS 3.2 refers to the types of data that are not permitted to be stored. This does not necessarily include the actual credit card number. The original statement of payment account numbers not being permitted to be stored digitally is false. That does not refer to the magnetic track data or the card verification code (the number on the back of the card).

      PCI DSS 3.4 discusses the requirements if PAN data is stored. One option, and a frequent subject of discussion in PCI certifications in my experience, is the encryption of such data and protections around ensuring all such data is encrypted and that the encrypting key is itself encrypted with a separate key that is independently protected.

      The common failure is to accidentally store the magnetic stripe data or the CVV code. Even in encrypted form, that is prohibited.

      --
      "I may disagree with what you say, but I will defend unto the death your right to say it." -- Voltaire
    8. Re:PCI standards by alcourt · · Score: 1

      No law degree required, just fairly straightforward computer security for the most part. There are subtleties, but if people actually read the entire thing, it is amazing how clear much of it is.

      --
      "I may disagree with what you say, but I will defend unto the death your right to say it." -- Voltaire
    9. Re:PCI standards by Kalriath · · Score: 1

      Uh, the rule is that you may not store the data in the magnetic strip - not that you may not store the credit card number. If you'd bothered looking up requirement 3.2 rather than declaring that you're too busy, you would have looked less silly. Requirement 3.2 clearly states:

      Do not store the full contents of any track (from the magnetic stripe located on the back of a card, equivalent data contained on a chip, or elsewhere). This data is alternatively called full track, track, track 1, track 2, and magnetic-stripe data.
      Note: In the normal course of business, the following data elements from the magnetic stripe may need to be retained:
      * The cardholder's name
      * Primary account number (PAN)
      * Expiration date
      * Service code

      --
      For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
    10. Re:PCI standards by flimflammer · · Score: 1

      Now if you've ever used steam your credit card data is most likely compromised.

      Bullshit. You can remove credit card information at any time. You don't need to allow Valve to hold onto it for you. Unless you really think Valve holds onto the information for spite even after you click the link they have always provided for them to remove it from their servers.

    11. Re:PCI standards by flimflammer · · Score: 1

      Wow, coming from the guy suggesting people be sure they are right before they call others wrong, you are a hypocrite. You are absolutely wrong. There is nothing in the PCI guidelines that suggests you cannot store credit card numbers. Try actually reading 3.2 which you claim to be too busy to read and your entire premise is blown entirely out of the water.

    12. Re:PCI standards by Stray7Xi · · Score: 1

      If you have the salt you can use a rainbow table to figure out the hash.

      No you can't. A 1-8 character alphanumeric SHA1 rainbow table takes up 160GB. Add even a 12-bit salt and that becomes 640TB. You know what used a 12-bit salt? Legacy Unix systems. Modern salts are effectively immune to rainbow tables. I'd wager the salt has more entropy than most people's passwords.

      I design software that stores password hashes. It uses the same cryptographic hash functions to store passwords (SHA1 probably).

      SHA1 is unsuitable for storing passwords, use bcrypt. SHA1 is designed to be a fast algorithm and is vulnerable to Moore's law. Fast hashing algorithms are a weakness for password databases because it makes brute-force cracking faster. A modern laptop can churn out more than 100k SHA1 hashes per second. Bcrypt is designed with a cost parameter that lets you tweak how difficult the hash operation is. As computers get faster, you raise the cost and then the next time the person logs in you store the more secure hash.

      Just because you're writing security software doesn't mean you're doing it right. I refer you to Schneier's Law:
      Anyone, from the most clueless amateur to the best cryptographer, can create an algorithm that he himself can't break.

    13. Re:PCI standards by slater.jay · · Score: 1
      From the same article you quoted:

      A rainbow table is ineffective against one-way hashes that include salts. For example, consider a password hash that is generated using the following function (where "." is the concatenation operator): saltedhash(password) = hash(password.salt) or saltedhash(password) = hash(hash(password).salt).

      The salt value is not secret and may be generated at random and stored with the password hash.

      Which software is it you design? I'd like to know so I can avoid it at all costs in the future.
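
As an added example of what the two posts above describe (not code from the original thread, from Valve, or from any poster): a per-user random salt stored beside the digest, a tunable cost, and a rehash-on-login upgrade path. The thread recommends bcrypt; this uses the standard library's PBKDF2-HMAC-SHA256 as a stand-in because it also exposes a cost (iteration count), and the word list and cost values are constructed.

```python
"""Salted, cost-tunable password storage with transparent upgrade at login.

Added example, not Valve's or any poster's code. PBKDF2-HMAC-SHA256 from the
standard library stands in for the bcrypt the thread recommends; like bcrypt
it has a cost parameter that can be raised as hardware gets faster.
"""
import hashlib
import hmac
import os

ALGORITHM = "pbkdf2_sha256"
SALT_BYTES = 16          # 128-bit random salt per password (vs. the 12-bit legacy Unix salt)
CURRENT_COST = 200_000   # iteration count; constructed value, raise it over time


def hash_password(password: str, cost: int = CURRENT_COST) -> str:
    """Return a self-describing record: algorithm$cost$salt_hex$digest_hex.

    The salt is not secret; it is stored beside the digest so the same
    computation can be repeated at login (hash(password . salt), as quoted
    from Wikipedia above)."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, cost)
    return f"{ALGORITHM}${cost}${salt.hex()}${digest.hex()}"


def parse_record(record: str):
    """Split a stored record into (cost, salt, digest)."""
    algorithm, cost, salt_hex, digest_hex = record.split("$")
    if algorithm != ALGORITHM:
        raise ValueError(f"unsupported record type: {algorithm}")
    return int(cost), bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)


def verify_and_upgrade(password: str, record: str, current_cost: int = CURRENT_COST):
    """Check a login attempt and return (ok, new_record).

    new_record is a replacement record when the password verified and the
    stored cost is below current_cost; the caller writes it back, so the
    database migrates to the stronger setting one login at a time, which is
    the bcrypt cost-raising workflow the post above describes."""
    cost, salt, expected = parse_record(record)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, cost)
    if not hmac.compare_digest(candidate, expected):   # constant-time comparison
        return False, None
    if cost < current_cost:
        return True, hash_password(password, current_cost)
    return True, None


def unsalted_digest(password: str) -> str:
    """Plain SHA-256 of the password: the kind of value a precomputed
    (rainbow) table can reverse, because it is the same for every user."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def precomputed_table(words):
    """digest -> password map built from a constructed word list; a rainbow
    table is a space-optimised version of exactly this idea."""
    return {unsalted_digest(w): w for w in words}


def precomputed_lookup(table, record: str):
    """Try to recover a password from a salted record by table lookup alone.

    This always fails: the stored digest depends on a per-user random salt
    (and here also on the iteration count), so a table built without that
    salt never contains it. Returns the password or None."""
    _, _, digest = parse_record(record)
    return table.get(digest.hex())


if __name__ == "__main__":
    # Constructed demonstration: identical passwords yield different records.
    a, b = hash_password("hunter2", cost=1000), hash_password("hunter2", cost=1000)
    print("same password, distinct records:", a != b)
    # Login at a raised cost returns an upgraded record to store.
    ok, upgraded = verify_and_upgrade("hunter2", a, current_cost=2000)
    print("verified:", ok, "upgraded record issued:", upgraded is not None)
    table = precomputed_table(["password", "letmein", "hunter2"])
    print("unsalted lookup:", table.get(unsalted_digest("hunter2")))
    print("salted lookup:", precomputed_lookup(table, a))
```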

  25. Steaming pile by Culture20 · · Score: 2, Insightful

    I reiterate for posterity: I will never buy any game that requires Steam or any other DRM that prevents me from installing it twenty years from now or forces me to give up personally identifying information (especially CC numbers).

    1. Re:Steaming pile by Akzo · · Score: 2

      You don't have to enter any personally identifying information to make a Steam account; username, email and password is all it takes, and seeing how there are already methods of bypassing Steam when loading games I doubt you would have any Steam related trouble playing games in 20 years.

      --
      Sig is for Signature, so you don't have to manually sign every post.
    2. Re:Steaming pile by Anonymous Coward · · Score: 0

      Good. Then there's no chance I will ever run into you in a game. I love an ecosystem that removes morons naturally.

    3. Re:Steaming pile by PowerCyclist · · Score: 1

      I don't hate the idea of DRM, just the common implementation. For me, it seems a necessary evil in order to ban bad players who hack or exploit the game; however, there's no reason this can't remain anonymous and I don't want to get email about games -EVER. Finally, DRM on the game media itself is a fracking abomination for which its creators should be drawn and quartered. If I want to make a backup copy of my game because CD media is horrifically fragile, that should be my right.

    4. Re:Steaming pile by Anonymous Coward · · Score: 0

      Get real. Do you spend your time today playing 20 year old games? Do you use only cash when buying gas for your car? I agree that sometimes DRM is not worth the hassle, but DRM'd games on Steam are about as unobtrusive as DRM can get. Besides, Steam does not require you to store the CC number on the Steam server - you only need to provide the CC for purchase.

    5. Re:Steaming pile by quietwalker · · Score: 1

      That's just close-minded thinking.

      Just wait till the crack comes out, like normal people who don't like DRM do.

      Funny story: The 'help' team associated with steam don't understand when you ask what servers and ports you need to block to ensure your machine doesn't access their systems by accident. They sent me help for opening holes in my firewall.

    6. Re:Steaming pile by Anonymous Coward · · Score: 0

      20 years from now there is a good chance that such an old game would be incompatible with whatever computer you're running it on.

    7. Re:Steaming pile by artor3 · · Score: 4, Insightful

      You don't need to give up your CC number (or any personal information) unless you are buying a game with your CC. How, exactly, do you think they should handle credit card purchases?

    8. Re:Steaming pile by Ash-Fox · · Score: 2

      How, exactly, do you think they should handle credit card purchases?

      They should be using a laser and an artificial satellite.

      --
      Change is certain; progress is not obligatory.
    9. Re:Steaming pile by gman003 · · Score: 1

      I use Steam. I'm anonymous save for my credit card info - had I cared, I could have paid via Paypal or one of the other methods (they actually have Steam ATMs in Russia - you can pay in cold hard cash), but just giving them the card directly was easier. I don't ever recall handing over my name or address, although I may have forgotten (aka [citation needed]). I'm comfortable with the level of privacy I have with Steam - you may not be, and that's fine.

      The only emails I've ever gotten from Steam are the security "we've detected activity on a new computer, here's the verification code you need to authorize it". Since that's a security measure focused on my security, not theirs, I see no problem with it (and it can be disabled anyways). Think of it as DRM that gives you access to the kill switch as well.

      Oh, and there is a backup copy system in Steam - Steam->Backup and Restore Games. If you really, really want, you can even host your own Steam Content Server (provided you meet certain hardware and business requirements).

    10. Re:Steaming pile by Culture20 · · Score: 1

      Do you spend your time today playing 20 year old games?

      Yes. You don't?

    11. Re:Steaming pile by Ash-Fox · · Score: 1

      I reiterate for posterity: I will never buy any game that requires Steam or any other DRM that prevents me from installing it twenty years from now or forces me to give up personally identifying information (especially CC numbers).

      Hi, I have a game on Steam called "Commander Keen", it's over 20 years old now and it works on my 64bit Windows 7 computer.

      --
      Change is certain; progress is not obligatory.
    12. Re:Steaming pile by Culture20 · · Score: 2

      20 years from now there is a good chance that such an old game would be incompatible with whatever computer you're running it on.

      I can run a full emulator on current hardware that I still need to slow down for older games. Twenty years from now, I'm betting it will be similar.

    13. Re:Steaming pile by shione · · Score: 1

      Personally identifying information - use prepaid CCs

      You can go into offline mode, back up your hard drive and run that image using virtualization in 20 years time.

    14. Re:Steaming pile by Anonymous Coward · · Score: 1

      How about by NOT storing the CC details? Or any other personally identifiable information. They can take whatever information that they need at the time to make the payment, then DELETE IT unless I specifically ask them to hold on to it. And make deleting the information the default action. And warn people about the possible security implications if they do decide to trust a third party to hold all of their details.

      There's simply no need for them to have all of your details, except maybe for some sort of marketing-related intelligence gathering exercise.

      This kind of thing is happening way too often, and until there's enough of an incentive (legal or otherwise) for these companies to put real effort into securing our data, they will continue with the lax attitude to security that they have. It's just not on.

    15. Re:Steaming pile by geminidomino · · Score: 2

      Do you spend your time today playing 20 year old games?

      More time than I spend playing 2 year old or younger games, yes.

      Currently replaying the original Final Fantasy using the "Duane and Brand0" party.

    16. Re:Steaming pile by Anonymous Coward · · Score: 0

      20 years from now there is a good chance that such an old game would be incompatible with whatever computer you're running it on.

      I can run a full emulator on current hardware that I still need to slow down for older games. Twenty years from now, I'm betting it will be similar.

      And if you're going through the bother of setting up a proper emulator, finding a crack for the game should be no problem. That is assuming Valve doesn't release the crack themselves like they said they would if Steam ever closes down.

    17. Re:Steaming pile by Anonymous Coward · · Score: 1

      Simple. They set up a third party competent at handling secure CC information, like PayPal.

    18. Re:Steaming pile by PowerCyclist · · Score: 1

      I was complaining more generally. I too don't mind the STEAM security steps much, but my argument stands that providing an email address at all greatly lowers your anonymity. I do love that STEAM will let you install your game on another computer by simply logging in and downloading a new copy. However, Culture20's argument: "...DRM that prevents me from installing it twenty years from now..." still stands, as after STEAM dies off, all of its games will cease to activate and allow you to play -unless they're unusually nice and release tools for people to mimic their activation servers. Myst Uru did that. When they shut down the multiplayer servers they released software allowing fans to recreate them. This requires faith in the game's company as well as any company that may buy out that company from the time you buy the game until the time the servers are shut off.

    19. Re:Steaming pile by qwak23 · · Score: 1

      I would trust Valve to do that so long as they remain a private company run by Gabe. When they change leadership (unless Gabe is immortal, they will have to at some point), I will reevaluate based on the new leadership. If they ever go public, I may consider "liberating" the games I purchased through steam.

    20. Re:Steaming pile by Anonymous Coward · · Score: 0

      Butt-hurt fanboy alert!

    21. Re:Steaming pile by flimflammer · · Score: 1

      You don't even need to give them your credit card information at all. You can go through PayPal. You can also remove your info at any time (including right after purchase) if you do give it to them.

    22. Re:Steaming pile by rapidreload · · Score: 1

      Nope. I tried playing Doom in a source engine port (Doomsday Engine) recently. It was nice to use modern features such as mouse look and jumping with an OpenGL renderer, but ultimately I got bored because I've moved on from the old stuff. I can still enjoy games like Deus Ex 1 though, but games which are too old generally don't age well when you've become accustomed to modern graphics and gameplay.

      --
      To all newcomers - people here are very close-minded and can't handle complaints about Linux. Keep this in mind.
    23. Re:Steaming pile by Anonymous Coward · · Score: 0

      or maybe just NOT store them?

    24. Re:Steaming pile by sammyF70 · · Score: 1

      but what do you do in the meantime?

      --
      "DRM is like the Ford Pinto: it's a smooth ride, right up the point at which it explodes and ruins your day."-C.Doctorow
    25. Re:Steaming pile by shione · · Score: 1

      Run it in offline or online mode.

      OP was concerned about how he could play his games in 20 years' time if Steam disappears. My suggestion was he could back it up when it's in offline mode and play that in 20 years' time.

      In 20 years time though if steam was gone I think one of several things will happen:

      1. Steam will release the games under public pressure.
      2. You can rebuy these games at gog drm-free for $1 per bundle.
      3. Someone will run a virtual steam authentication service.
      4. Computers will be powerful enough to run in virtual mode an image of your steam games in offline mode.

    26. Re:Steaming pile by Joehonkie · · Score: 1

      They have that.

    27. Re:Steaming pile by ErikZ · · Score: 1

      Good luck with that. I've found Steam to be the best solution for managing/installing my game collection.

      --
      Democrats or Republicans. They are both taking us to the same place and they are not afraid of us anymore.
    28. Re:Steaming pile by tibman · · Score: 1

      You may find it interesting that I have been installing (and reinstalling) Steam games for almost a decade now :)

      You also have to pay with CC for any online purchase. If you don't like that situation, you can use pre-paid cards and only reload them with your gaming budget for each month. PII is used for billing and to identify and authenticate you as the owner of your games (so random people can't claim your game keys and other bad things). Because after all, your house could burn to the ground and everything in it.. but you could reinstall all your games on a new computer the very next day.

      --
      http://soylentnews.org/~tibman
    29. Re:Steaming pile by Anonymous Coward · · Score: 0

      yes sir!

  26. Hat? by jjshoe · · Score: 4, Funny

    Do I get a hat for having to go through this?

    --
    -- botsex is {grep;touch;strip;unzip;head;mount} /dev/girl -t {wet;fsck;fsck;yes;yes;yes;umount} {/de
    1. Re:Hat? by Anonymous Coward · · Score: 1

      they should give a tinfoil hat

    2. Re:Hat? by webheaded · · Score: 1

      You laugh. Watch, there really WILL be a hat and I'm not even kidding. :p

      --
      "Those who would sacrifice essential liberties for a little temporary safety deserve neither liberty nor safety." - BenF
  27. Oblig Half-Life 3 delay... by dstyle5 · · Score: 5, Funny

    I wonder how long this will delay the release of Half-Life 3? Or Half-Life 2 Episode 3? Left 4 Dead 3? Portal 3?

    /oblig game delay post

    Hmm, that's a lot of 3 games Valve could be working on....

    1. Re:Oblig Half-Life 3 delay... by RobDollar · · Score: 1

      Dota 3 is coming in 2017, then we get HL3, as far as I can tell. It will be a 5 minute long mobile flash game where you have to collect jewels.

    2. Re:Oblig Half-Life 3 delay... by Anonymous Coward · · Score: 0

      Of course, you know Valve can't count past 2. The next Half-Life game will be "Half-Life 2: Episode 2: Part 2".

  28. Only passwords hashed and salted by abelb · · Score: 0

    Gabe only said the passwords were hashed and salted. Apparently the credit card number database was only encrypted? Although they've been relatively open about this hack I'm sure people with credit card numbers stored there would be comfortable with more information.

  29. why? by Anonymous Coward · · Score: 0

    As a developer, why did the servers hosting the user forums have access to Steam application databases? Really, the forums should be on a different server, on a different DB cluster, in a different data center. This is something I see missed every time we do security audits on other companies: they keep servers up to date, but everything is on a flat /24 network; even worse, I have seen users able to route to servers without touching a firewall.

  30. Well, I feel lucky by OverZealous.com · · Score: 1

    I won't have to worry about my credit card information being stolen, since my credit card has already been compromised since the last time I used Stream!

    ...

    Twice.

    Hooray for the credit card system! And the dependency on stupid companies to maintain this information!

    (And no, I don't shop around on "suspicious" websites or anything. But, because they'll never tell me who compromised my information, I can't determine which merchants to no longer use.)

  31. This sounds familiar by ScuzzMonkey · · Score: 1, Interesting

    You might have thought that getting burned badly once already might have led to a renewed emphasis on security and a commitment to best practices in securing important data. Huh. I guess the "can't happen here" clock must have reset already (as well it might have, since I only see one other comment here on Slashdot, of all places, indicating that anyone else remembered the kerfuffle over the Half-Life 2 source theft).

    --
    No relation to Happy Monkey
    1. Re:This sounds familiar by Anonymous Coward · · Score: 0

      You might have thought that getting burned badly once already might have led to a renewed emphasis on security and a commitment to best practices in securing important data. Huh. I guess the "can't happen here" clock must have reset already (as well it might have, since I only see one other comment here on Slashdot, of all places, indicating that anyone else remembered the kerfuffle over the Half-Life 2 source theft).

      A lot has changed since that happened 10 YEARS AGO. Their security needs have changed dramatically over the years and to liken the incidents is preposterous. Not enough information has emerged as to if and how much Valve has screwed up, and where the holes lie. At the very least we can say that they are a significantly larger target for attacks now than they were previously and that what has become such an important company in terms of sales is bound to receive threats to security. Only if we find out that they handled security incorrectly can we lay down judgment.

  32. And yet by Anonymous Coward · · Score: 0

    Not a single mention of it on the Steam Portal just now. Criminal. They should have it on the front fucking page.

    1. Re:And yet by flimflammer · · Score: 1

      I received a notification just fine when launching steam.

  33. Unencrypted passwords by phorm · · Score: 5, Interesting

    All you need to see about EA's security is how they deal with "lost passwords"

    Last time I did a lost password request with EA, they happily sent me my password in email. No, not a "password reset request", but my actual password.
    This tells me that:
    a) They're dumb enough to send passwords in plaintext via email
    b) They're dumb enough to store plaintext-retrievable passwords instead of doing a hash comparison.

    FAIL!

    1. Re:Unencrypted passwords by Anonymous Coward · · Score: 0

      Dude, I called EA to transfer my BF3 key from one origin account to another. Needless to say, I now have 2 BF3 accounts..

    2. Re:Unencrypted passwords by The+Mr.K · · Score: 1

      People seem unaware of the fact that email is sent in plaintext. They figure since you log in to get it, it must be secure!

    3. Re:Unencrypted passwords by webheaded · · Score: 1

      Fuck me. I'm going to have to change my Origin password to something completely different now. I have a bad habit of using the same passwords at places because I have a nice secure one and I'm not a robot...I forget things. I might have to start using some sort of...system or something. Ugh. I'm so tired of this shit.

      --
      "Those who would sacrifice essential liberties for a little temporary safety deserve neither liberty nor safety." - BenF
    4. Re:Unencrypted passwords by phorm · · Score: 1

      Try this:
          http://keepass.info/

      Works in Linux, Windows, and I believe OSX

      I believe it also is available as part of portableapps
          http://portableapps.com/

      You can save encrypted databases of passwords. You need the master PW to access the database, from which you can then save/load a list of URLs, userids, passwords, etc.

  34. Saving CC #'s by phorm · · Score: 1

    There are many companies that allow you to save your card for later use. I personally find this dumb and avoid doing such as a rule, but I'd imagine that if they have the ability to do so, there must be some rule which allows them to do so under certain conditions.

    1. Re:Saving CC #'s by Coolhand2120 · · Score: 1

      PCI doesn't make rules, they make guidelines that people can follow if they want to be called "PCI Certified". Some companies will not purchase commerce software unless it has PCI certification.

  35. My account was among those compromised. by JakFrost · · Score: 5, Interesting

    Got hit with this one!

    On the morning of Nov 7th I started getting e-mails from Steam Support with confirmation codes when someone was trying to change my password and e-mail. Reinstalled Steam after a year or more of non-usage only to find that someone had been playing Team Fortress 2 on it, the same day. Changed my passwords. That evening received a number of angry e-mails from a Russian guy ( [www.crazy_denis@mail.ru]) demanding that I put the passwords back so he can use the account he bought and paid for. Used Google Translate into Russian (sometimes Ukrainian) to string him along through 12 short e-mails and got him to reveal and confirm that he actually had my username and password in clear text. Opened up a support case with Steam and forwarded the entire e-mail chain to them to start investigating. Got a form letter back, replied again asking them to check their systems for intrusion... today the Slashdot story breaks about Steam being compromised. I wasn't the only one, I guess!

    PasswordMaker - Storage-less and per-site unique hash based password scheme

    Changing all my passwords now to a PasswordMaker scheme for unique passwords for every single site, based on a storage-less system that uses a master password + URL + other info you choose -> MD5 sum -> alpha-numeric symbols -> length limit to generate a unique password for every site and account based off your own single or multiple master passwords. You have to remember your own password and the settings you used, and you generate the same password every time; it is unique and there is no secret data file to steal from you or for you to lose on a USB disk or upload to the net. This way your password is already hashed when you submit it to a site, it is unique per site, you don't have to store a list of passwords in any file, and you can regenerate your password on any browser, mobile phone, or programming language since this app has been ported to practically everything.

    I was thinking of something simpler such as "echo MyPassword69! slashdot.org|md5sum" and then "aaa53a64cbb02f01d79e6aa05f0027ba" using that as my password since many sites will take 32-character long passwords or they will truncate for you. More generalized than PasswordMaker and easier to access but no alpha-num+symbol translation and only (32) 0-9af characters but that should be random enough, or you can do sha1sum instead for a little longer hash string.

    Here's the conversation for all of you.

    From: [mailto:www.crazy_denis@mail.ru]
    Sent: Monday, November 07, 2011 11:03 PM

    Crazy Denis: You bitch Give me my account is steam which I bought yesterday! will not come back you will have problems moshenik fucking

    JakFrost: I would kindly suggest you go and get another account from the source before you lose more than just money. To understand each.

    Crazy Denis: How do I get another account?

    JakFrost: Ask a guy who you got this one and get another one. This account is off limits.

    Crazy Denis: I wrote to him he was going to do nothing to write tehpoderzhku said there had already written an answer waiting for 24 hours
    damn well bring back pliz account you do what it's worth it

    JakFrost: What's the password for that account so that I could find one for you?

    Crazy Denis: Login: MyUsername Password: ********

    JakFrost: (No Reply)

    Crazy Denis: Well, I found?

    JakFrost: That is correct user name and password, but that account is currently blocked by Steam support of a security breach. I can not use it either, so it ruined for us both.

    Crazy Denis: Yes, all right there!, Today began to go wrong is led pishel password or an account is not suschustvuet

    JakFrost: I do not know, I get an error that the password is incorrect or the account has not been found.

    Crazy Denis: A registered on your soap the same account?

    JakFrost: No, it does not work.

    Crazy Denis: clear, damn well feel sorry for you and I were left wi

    1. Re:My account was among those compromised. by Anonymous Coward · · Score: 0

      unique hash based password scheme

      Not sure if trolling or Steam got better.

      Last I used Steam you could NOT copy&paste passwords to login and you had to type your password EVERY time you started Steam. So basically they force you to use trivial, easy to remember passwords as typing strong passwords would be a nightmare. I remember this because my Steam password at one time was something along the lines of "whythefuckcantiusecopypaste".

    2. Re:My account was among those compromised. by HopefulIntern · · Score: 1

      I don't speak Russian, but I know "dosvidaniya" (I would have translated it from cyrillic to roman slightly differently) means "good bye". :)

    3. Re:My account was among those compromised. by sammyF70 · · Score: 1

      If I read this correctly, now you are unable to play the games you ~rented~ from Steam because *they* got hacked? And nobody sees anything wrong with that picture?

      --
      "DRM is like the Ford Pinto: it's a smooth ride, right up the point at which it explodes and ruins your day."-C.Doctorow
    4. Re:My account was among those compromised. by nitehawk214 · · Score: 1

      Didn't TF2 go free to play a while back? The guy who bought a hacked account just to play TF2 is a moron.

      --
      I'm a good cook. I'm a fantastic eater. - Steven Brust
    5. Re:My account was among those compromised. by Anonymous Coward · · Score: 0

      I think the point is that he's stringing him along to get him to admit he bought his account from an unknown source. You sometimes need to lie to get that type of information.

    6. Re:My account was among those compromised. by sammyF70 · · Score: 1

      Considering Steam's EULA it is not far fetched to assume compromised accounts will be banned.

      --
      "DRM is like the Ford Pinto: it's a smooth ride, right up the point at which it explodes and ruins your day."-C.Doctorow
    7. Re:My account was among those compromised. by Anonymous Coward · · Score: 0

      How about just:

      openssl dgst -sha1 -binary | openssl base64
      MasterPass12345Steam
      96zIdaFqddAXcqFT/9Vnm1ghC8c=

      openssl dgst -sha1 -binary | openssl base64
      MasterPass12345Facebook
      NpvmZtyJu4kZsTU6ip5t7ySdemk=

    8. Re:My account was among those compromised. by Anonymous Coward · · Score: 0

      I actually do this mentally now. Better than depending on a program to do it for me.

      I combine:
      a sentence
      number
      word
      Word based on service (URL, name of program, whatever)
      Number based on service (as above)
      I combine them by overlapping them with a certain stepping value. (so, do one part, go back to start, move out X, first character, repeat till end)
      The word and numbers based on service come from a simple grid I have memorized that links the current character from the service to both a predetermined letter and number across the 2 axes.

      Makes some stupidly complex passwords from a pretty easy to remember method. (even without the unique grid system to prevent re-using passwords)
      Of course, things with awful password systems with limits on size aren't really helping...
      In that case, I replace character.
      Even without the overlapping of characters, it still makes pretty complex passwords since it is sentence+number+word+unique_word_unique_number.
      I feel slightly annoyed because I'd have liked to flip the unique word and numbers around so it is WNWNW, but too lazy to change them all.

    9. Re:My account was among those compromised. by AdamJS · · Score: 1

      Pretty sure you can paste in it, but I can't check ATM.

      Might as well use the "remember info" checkbox. Anyone who gets control of your laptop is probably going to do far worse things than buy games on Steam (especially since they're rather quick on banning any accounts that receive gifts from stolen accounts).

    10. Re:My account was among those compromised. by AdamJS · · Score: 1

      Free accounts have limits on them.
      But it's all of $5 to remove all those limits completely and permanently. Well, actually, $5 but the minimum deposit is $5 (and anything you'd want to do with a full access TF2 account would involve paying money anyways so that doesn't matter...)

    11. Re:My account was among those compromised. by Just+Some+Guy · · Score: 1

      I was thinking of something simpler such as "echo MyPassword69! slashdot.org|md5sum" and then "aaa53a64cbb02f01d79e6aa05f0027ba" using that as my password since many sites will take 32-character long passwords or they will truncate for you. More generalized than PasswordMaker and easier to access but no alpha-num+symbol translation and only (32) 0-9af characters but that should be random enough, or you can do sha1sum instead for a little longer hash string.

      DO NOT DO THIS. I don't mean this disrespectfully, but you don't know what you're doing. That's OK! People not named "Bruce" generally suck at secure algorithms. Crypto is hard and has unexpected implications until you're much more knowledgeable on the subject than you (or I) currently are. For example, suppose that hypothetical site helpfully truncates your password to 8 chars. By storing only 8 hex digits, you've reduced your password's keyspace to just 32 bits. If you used an algorithm with base64 encoding instead, you'd get the same complexity in only 5.3 chars.

      Despite what you claim, you're really much better off using a secure storage app that generates truly random passwords for you and stores them in a securely encrypted file. In another post here I mention that I use 1Password, but really any reputable app will get you the same protections. Your algorithm is a "security by obscurity" system; if someone knows your algorithm, gaining your master password gives them full access to every account you have. Contrast with a password locker where you can change your master password before the attacker gets access to the secret store, and in the worst case scenario provides you with a list of accounts you need to change.

      I haven't used PasswordMaker but I'd apply the same criticisms to them. If an attacker knows that you use PasswordMaker, they can narrow down the search space based on the very few things you can vary:

      • URL (the attacker will have this)
      • character set (dropdown gives you 6 choices)
      • which of nine hash algorithms was used (actually 13 - the FAQ is outdated)
      • modifier (algorithmically, part of your password)
      • username (attacker will have this or can likely guess it easily)
      • password length (let's say, likely to be between 8 and 20 chars, so 13 options)
      • password prefix (stupid idea that reduces your password's complexity)
      • password suffix (stupid idea that reduces your password's complexity)
      • which of nine l33t-speak levels was used
      • when l33t-speak was applied (total of 28 options: 9 levels each at three different "Use l33t" times, plus "not at all")

      My comments about the modifier being part of your password? Basically you're concatenating those strings together to create a longer password in some manner. There's not really a difference, and that's assuming you actually use the modifier.

      So, back to our attack scenario where a hacker has your master password, username, and a URL they want to visit: disregarding the prefix and suffix options, they have 6 * 13 * 13 * 28 = 28,392 possible output passwords to test. That should keep them busy for at least a minute or two. Oh, and when you've found out that your password is compromised? Hope you remember every website you've ever used PasswordMaker on!

      Seriously, please don't do this stuff. I'd much rather see you using pwgen to create truly random passwords and then using something like GnuPG to store them all in a strongly-encrypted file.

      --
      Dewey, what part of this looks like authorities should be involved?
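The md5sum scheme described earlier in this thread, the openssl one-liner in comment 7, and the truncation objection just above, worked through as an added example (not code posted by any commenter): a script that reproduces both derivations and measures how many bits of keyspace survive a site's length limit, for any limit rather than only the 8-character case. The master password and site names are constructed; the 28,392 figure is the option count the reply above enumerated.

```python
"""Storage-less site passwords and what a site's length limit does to them.

Added illustration for this thread, not code posted by any commenter.
It models two schemes discussed above:
  * `echo "<master> <site>" | md5sum`                (hex, 32 chars, 128 bits)
  * `openssl dgst -sha1 -binary | openssl base64`    (base64, 28 chars, 160 bits)
and then measures how many bits survive when a site silently truncates
the submitted password. Master password and site names are constructed.
"""
import base64
import hashlib
import math
from typing import Optional

MD5_BITS = 128
SHA1_BITS = 160
HEX_ALPHABET = 16      # 0-9a-f      -> 4 bits per character
BASE64_ALPHABET = 64   # A-Za-z0-9+/ -> 6 bits per character


def derive_md5_hex(master: str, site: str) -> str:
    """Mimic `echo "<master> <site>" | md5sum`.

    Note the trailing newline: `echo` appends one, so a tool that hashes the
    same inputs without it yields a different password.
    """
    return hashlib.md5(f"{master} {site}\n".encode()).hexdigest()


def derive_sha1_base64(master: str, site: str) -> str:
    """Mimic concatenating master+site and piping the bytes through
    `openssl dgst -sha1 -binary | openssl base64` (no trailing newline)."""
    digest = hashlib.sha1(f"{master}{site}".encode()).digest()
    return base64.b64encode(digest).decode()


def surviving_bits(password: str, alphabet_size: int, digest_bits: int,
                   site_max_len: Optional[int] = None) -> float:
    """Bits of keyspace the site actually sees after truncating to site_max_len.

    Each kept character carries log2(alphabet_size) bits, but the total can
    never exceed the digest that produced the string. Base64 '=' padding
    carries nothing and is ignored.
    """
    limit = len(password) if site_max_len is None else site_max_len
    kept = password[:limit].rstrip("=")
    return float(min(len(kept) * math.log2(alphabet_size), digest_bits))


def chars_needed(bits: float, alphabet_size: int) -> float:
    """Characters of a given alphabet needed to carry `bits` of keyspace
    (32 bits: 8 hex characters, or about 5.3 base64 characters)."""
    return bits / math.log2(alphabet_size)


def passwordmaker_settings_space() -> int:
    """Size of the option space enumerated above for PasswordMaker:
    6 character sets x 13 hash algorithms x 13 lengths x 28 l33t variants."""
    return 6 * 13 * 13 * 28


def truncation_report(master: str, site: str, site_max_len: int) -> dict:
    """Compare what each scheme leaves after a site truncates to site_max_len."""
    hex_pw = derive_md5_hex(master, site)
    b64_pw = derive_sha1_base64(master, site)
    return {
        "md5_hex_bits": surviving_bits(hex_pw, HEX_ALPHABET, MD5_BITS, site_max_len),
        "sha1_base64_bits": surviving_bits(b64_pw, BASE64_ALPHABET, SHA1_BITS, site_max_len),
        "hex_chars_for_128_bits": chars_needed(128, HEX_ALPHABET),
        "base64_chars_for_128_bits": chars_needed(128, BASE64_ALPHABET),
    }


if __name__ == "__main__":
    master, site = "MyPassword69!", "slashdot.org"   # constructed example inputs
    for limit in (8, 12, 16, 32):
        r = truncation_report(master, site, limit)
        print(f"limit {limit:2d}: md5/hex {r['md5_hex_bits']:6.1f} bits, "
              f"sha1/base64 {r['sha1_base64_bits']:6.1f} bits")
    space = passwordmaker_settings_space()
    print(f"PasswordMaker settings to enumerate given a known master password: "
          f"{space} (~{math.log2(space):.1f} bits)")
```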
    12. Re:My account was among those compromised. by Cato · · Score: 1

      Most likely someone guessed your password, broke into your account, and sold it on a dodgy forum. Unlikely this is anything to do with a mass hack - this sort of account takeover happens all the time with Gmail and others, but it's easier to sell a Steam account as it has games attached, and there are sometimes legit people wanting to sell Steam accounts (which is against Steam rules but still happens).

    13. Re:My account was among those compromised. by JakFrost · · Score: 1

      I understand the issue with truncation causing a 32-character password to be pared down to 8 characters, effectively shrinking the entropy to something easily guessable; that is a serious problem. Base64 encoding is better than hex but can still be truncated.

      I do have my reservations about PasswordMaker or the simplistic md5sum method I described but I am also equally concerned about fully unique password stores in a file that has a single master password. That file is golden, and if you lose it or have it compromised even if someone doesn't know your master password they effectively defeated that security system because you can't be sure if they have or will compromise the encrypted file. File management also becomes an issue if you have to access those accounts from a mobile phone, work laptop, on vacation, in an emergency where you don't have access to your own computer or USB stick, etc.

      I also agree that all the options in PasswordMaker don't really make much sense if your master password is good already; they just try to add complexity to the hashing algorithm, which is unnecessary since the hashing function has good entropy already. These settings are just to create security by obscurity for any would-be holders of the master password, but like you said the total permutations of choices is really limited and not so useful. I think the character set alpha-num+symbols, password length, and hashing function are more than enough.

      My plan is to use different master passwords for different types of sites and also different security level desired so that throw-away forum logins wouldn't share game account password wouldn't share e-mail account passwords, and so on and so on. If one password got compromised only that site's account would be compromised and no other. If one master password got compromised then only that group of sites would be compromised.

      Multiple login attempts to online sites usually get met with verification schemes, time-outs, lock-outs slowing down the password guessing process. However, brute force breaking of a password file can happen without limitation on farms of botted computers.

      Both solutions offer the same thing, unique passwords per site so that insiders cannot use your password to login to other sites and accounts. One is storage-less one is storage-based.

      The truly unique passwords stored in the file are stronger since they are truly random, so at first this sounds like a great idea until the reality of managing the password file surfaces and you end up with all your eggs in one basket that can be copied.

      The algorithmically based passwords are not nearly as strong since they can be reversed if the master password or passwords are known but you don't have to manage any files, except maybe the preference file showing the settings you used for special sites that don't accept certain characters or lengths that you normally use.

      Password management is a difficult task, especially when we have to manage dozens if not hundreds of accounts by now all using their own authentication system instead of using OpenID or Google APIs or Microsoft .Net.

      Right now, I like the idea of storage-less unique password management better than trying to guard a password file in the world of Windows machines and vulnerabilities.

    14. Re:My account was among those compromised. by Just+Some+Guy · · Score: 1

      Given a good master password, I'm not sure how an attacker could compromise the key store on a properly-implemented [1] password manager.

      In the common-secret system (as shorthand for the PasswordMaker idea; I don't know what else to call it), your master password is only as secure as the weakest website you use it on. Given that the algorithm is published and easy to implement, if an attacker steals the login database of some unpatched phpBB system, they have a very short list of tests to run against each potential master password you might be using. Assuming they control a botnet of more than 30,000 machines, they could crack your "protected" password roughly as easily as a single machine could crack the un-PasswordMaker'ed original.

      Sure, password managers involve putting all your eggs in one basket, but that basket is protected by MILSPEC encryption. I don't worry about using DropBox to sync it between my laptop and my iPhone because I don't have to trust any of the intermediaries - my data is encrypted at the endpoints.

      And last, I'm at least as confident of my password manager as I am of any random Windows box not to have a keylogger installed.

      [1] Yeah, I know: big assumption.

      --
      Dewey, what part of this looks like authorities should be involved?
    15. Re:My account was among those compromised. by JakFrost · · Score: 1

      your master password is only as secure as the weakest website you use it on

      Perhaps I am misunderstanding what you're trying to say or you misunderstood PasswordMaker's one-way hash based idea.

      The master password is used as a seed plus the URL + other funky info for a hashing function to create the password. The password that any website sees is derived from the one-way hashing algorithm used (MD5, SHA1, RIPEMD, etc.). The hashed password cannot be reversed. Only thing that can be compromised is your password for that one single site which is useless for any other site.

      The best attack you can do is create multiple rainbow tables each, per site, per hashing algorithm used, per length of password, per character set, per each funky info chosen leading to thousands of rainbow tables due to algorithm permutations you're trying to catch.

      It would be easier to use a key logger sniffer trojan on my computer to grab my master password and also the settings file for PasswordMaker to figure out what settings I used to generate it. If you can do this then all my passwords are compromised no matter if I used PasswordMaker, md5sum, or storage-based password app like GPG, etc.

      Or you could just beat me with a $5 pipe wrench until I tell you my settings scheme and master password so you can post snarky comments on forums using my accounts.

      PS: Anytime you say something is MILSPEC then I know that you can't be serious because MILSPEC is largely an inside joke to people who know.

  36. How do we know? by Joepat · · Score: 1

    How do we know this is Gabe? It could be that the hackers took over again and wrote it like they were Gabe. Maybe Valve never even regained control of the forums! They could still be in control at this instant!

    1. Re:How do we know? by AdamJS · · Score: 1

      You're joking, right?

    2. Re:How do we know? by Joepat · · Score: 1

      No..... I have been told by my friends that I seem paranoid, though.

  37. Do unto others... by mjwx · · Score: 2

    Valve gets hacked, account details likely stolen, account information hashed and salted, Gabe still praised.
    Sony gets hacked, account details stolen, account information hashed and salted, Sony run through the wringer.

    Valve = Valuable contributor to healthy, competitive market. Cares about customers.
    Sony = Anticompetitive lockdown ensures that a great many games are unplayable as they take a month to sort out the problem. Doesn't give a shit about customers.

    Why is the concept that people will treat companies in the same way that those companies treat them such a strange and unusual concept to some people?

    --
    Calling someone a "hater" only means you can not rationally rebut their argument.
  38. Could be bad by MobyDisk · · Score: 1

    This is breaking news so the details are not all there. What if they also got to the databases that push updates? I would like to know the definitive answer to that because Steam is one of the few things that I allow to send me automatic updates. I sure would hate to get a virus via steam. Fortunately, Steam runs as a non-administrative user but it still has write access to all the binaries in my steam folder, so that is still a lot of potential damage.

  39. I'm safe by Baloo+Uriza · · Score: 1

    Good thing my Steam password is unique to my Steam account, and the credit card associated won't work because I changed banks...

    --
    Furries make the internet go.
  40. No email to me so far by cvtan · · Score: 1

    Since I never understood the need for Steam in the first place, maybe I'm not worthy of a notification.

    --
    Sorry, but gray text on gray background is making my eyes bleed.
    1. Re:No email to me so far by Smigh · · Score: 1

      I don't know if they're sending emails at all, I didn't get one. This information was shown in a popup after you close a game, inside Steam's software. That's where I got to know about it.

  41. Or steal your money when you buy rehashed pork by G3ckoG33k · · Score: 1

    Or steal your money when you buy rehashed pork

    Here is a gem - http://www.youtube.com/watch?v=b5dsOn06w1s

    EA is weird

  42. Fraudulent transaction on my credit card by gregrah · · Score: 4, Informative

    Not sure if this is a coincidence, but the credit card that I had on file with Steam got billed with a fraudulent charge on Nov 6. Any other steam users experiencing anything like this?

    1. Re:Fraudulent transaction on my credit card by Anonymous Coward · · Score: 0

      My friend just had a fraudulent charge on his check card for a purchase from a German punk store sometime in the last day or two.

    2. Re:Fraudulent transaction on my credit card by Anonymous Coward · · Score: 0

      Yep, same here. Fraudulent transaction on November 8. My bank detected the "tester" transaction from the US (I'm in Australia) and suspended my card.

    3. Re:Fraudulent transaction on my credit card by Anonymous Coward · · Score: 0

      Same. A charge from "ssaver.biz" was on my statement today, for a small amount. Suspicious enough to make me act upon it.

    4. Re:Fraudulent transaction on my credit card by Anonymous Coward · · Score: 0

      Yup, same here: several charges with the same CC. Not a coincidence.

      Stores online and in the UK.

    5. Re:Fraudulent transaction on my credit card by Anonymous Coward · · Score: 0

      I, too, had a fraudulent charge, but mine was almost a month ago. It was for an e-gift card at an online web site.

      I don't know that my charge is related to the Steam hack, but it's possible that their database was compromised over a month ago, and the hackers defaced their forum just before leaving as a red herring.

      To make matters worse, when I went to check my online banking account, it had been suspended due to multiple password failures. But I only entered the password once and I know I entered it correctly... fortunately my bank password is completely unique.

  43. I've been wondering... by jones_supa · · Score: 2

    Back when the Half-Life 2 source was leaked, the cracker said that along with spectating the development process he actually made some small changes to the code. Is it possible that some of these made their way into the final product, or that there is even some hidden malicious code included? Paranoid, but interesting.

  44. Credit Card numbers... by Anonymous Coward · · Score: 0

    They shouldn't store credit card numbers in the first place! It might be easier for people to purchase stuff, but it's situations like these that should give customers the possibility of choosing whether they want it saved or not.

    1. Re:Credit Card numbers... by ledow · · Score: 1

      You've always had the ability to not store credit card numbers on Steam, or remove stored ones. You've also always had the possibility to pay by things like Paypal etc.

  45. DRM Sucks We all know that, do something about it! by Anonymous Coward · · Score: 0

    I bought the orange box a few years ago now, along with a new system.

    I had a gmail account tied to the steam account, both accounts had extremely strong random passwords for them.

    In 2008-2009 I had quite a bit of fun playing Left 4 Dead online and Team Fortress 2 and Half Life 2 and Portal.

    2010 was the first intrusion on the account; don't know how they got in! After that I just really didn't care, I knew this kind of shit was going to happen.

    So I shut down the gmail account associated with the steam account.

    I logged into the steam support helpdesk, and no matter what I did I couldn't get them to change the email address over. Nothing I did helped me; I even gave them a photograph of the orange box and the serial number on the box, with my account information written on it (sent via email).

    So what is the point exactly of DRM? Is it there to take away my rights? To steal from me? Because right at this moment this Orange box is totally worthless to anyone.

  46. And you really believe that? by Travoltus · · Score: 1

    EA hands you that glass of purple kool-aid and you just drink it without a second thought?

    Given what these corporations have done in the past you HAVE GOT to be drinking the kool-aid to believe they won't sell any information they get to third parties. They may even do so illegally.

    "The illegal we do immediately; the unconstitutional takes a little longer." - Henry Kissinger. And it applies to Corporations, too.

    Never, ever give sensitive information to anyone you do not trust. Always monitor every app you use and know fully what information it transmits. Paranoia? Hardly. It's the most basic law of survival.

    --
    --- Grow a pair, liberals... stop letting the Republicans bully you!
    1. Re:And you really believe that? by Xest · · Score: 1

      I think you missed the point; I'm not saying I like the EULA or that anyone should accept it, I'm pointing out that it's no different to any other EULA. The linked article seems to imply it's some ultra-nasty new EULA that we've never seen anything like before. That's completely false, it looks just like any other EULA.

      I agree all EULAs like this are unacceptable, but it's pretty fucking hypocritical to single this one out when the poster has probably accepted many other similar EULAs in the past, and more importantly, when the very site he's posted it on does exactly what he's complaining about even without a EULA.

      I'm not commenting on whether they will or won't sell your data on, I'm just saying that the EULA in question doesn't give them any more or any less legitimacy in selling it on than any other similar EULA bundled with most other games on the market nowadays.

    2. Re:And you really believe that? by Anonymous Coward · · Score: 0

      (snip) when the poster has probably accepted many other similar EULAs in the past (/snip)

      I don't know about you, but I've NEVER *accepted* a EULA in my life.. I check the little box and keep on truckin'... These fuckin' EULAs are so off-the-fucking-wall that NO ONE in their right mind would "accept" them.... I'm just waiting for someone with deep pockets to test these fucking things....

    3. Re:And you really believe that? by The+Mr.K · · Score: 1

      Unfortunately, just clicking the checkbox counts as accepting. EULAs are meant to cover the company's ass in every possible way, so they're pretty painful sounding. Everything written in the EULA isn't necessarily something that will happen.

    4. Re:And you really believe that? by Anonymous Coward · · Score: 0

      I didn't check the checkbox. It was like that when it appeared, and it disappeared before I could even see more than a word or two of the EULA.

      Is there any proof to the contrary? Can you show me where I signed?

  47. MBNet by Smigh · · Score: 1

    I don't know how things work in other countries, but all banks in Portugal allow you to link your account to a service called MBNet, which allows you to create a virtual CC number with the balance that you need to make a purchase, and it expires in 2 days or after it's used.

    Ever since I got to know about it, I don't use anything else and I don't know why someone would. You don't even need a CC, it's linked to your bank account.

    So every time you need to make a purchase, you create a CC number on the fly with the spending limit of the purchase you want to make, and this CC information will be useless after you complete the purchase.

    That's all hackers will ever get from me, a bunch of useless CC numbers.

  48. Excuse me, nobody has explained why by Anonymous Coward · · Score: 0

    Excuse me, nobody has explained why the existence of XBL or GFW makes Steam not require personal details for a game you already bought, as per the OP's statement.

    I also fail to see why SecuROM is worse than Steam. At least with SecuROM you can give your game away afterwards, you're not region locked, and you can play the game as soon as you have the disk.

  49. Dammit. by DaVince21 · · Score: 1

    This has been annoying the shit out of me. I've been meaning to check the forums to see if other people have problems running SEGA Genesis & Mega Drive Classics, and I simply can't. Forums are always the quickest and easiest ways to solve these kinds of problems, but I guess I'll just contact SEGA support or whatever.

    Thanks, intruders.

    --
    I am not devoid of humor.
  50. drm vs personal information by executeGlobal · · Score: 1

    Interesting how we have DRM on the games to protect game rights / data, but when it comes to consumer data there isn't much concern for our information's protection.

  51. Wondering if CC info was still stored by Anonymous Coward · · Score: 0

    I've only bought two games off Steam; one with Paypal, and one with a CC. I did NOT check off "save" for my CC info, so would it still be in their database from the initial order?

  52. Can we at least give credit where credit is due? by Vrtigo1 · · Score: 1

    Valve say that passwords were salted and hashed in the db and CC info was encrypted. It sounds like they followed best practices in storing this info. Can we at least give them some kudos for doing this? It would be a lot easier for them to store that info in clear text, so it seems like the least we can do is thank them for taking appropriate security precautions.

  53. The difference by AdamJS · · Score: 1

    The difference is that EA would have hidden it, and unlike Sony they would have been successful in doing so. Then they'd probably lock down their forums after banning anyone questioning such actions.

  54. Re:Can we at least give credit where credit is due by Opportunist · · Score: 1

    Well, so far we have Valve's word. And while I don't question their word on principle, I'll hold my kudos 'til some audit has come and gone and confirmed that.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.