Valve Releases Statement Regarding Information Leak

Valve put out a statement today about the recent leak of user information via cached pages being presented to anyone who visited the Steam website on the 25th. Notably, if you didn’t visit the website during the attack, your information should be safe:

On December 25th, a configuration error resulted in some users seeing Steam Store pages generated for other users. Between 11:50 PST and 13:20 PST store page requests for about 34k users, which contained sensitive personal information, may have been returned and seen by other users.

The content of these requests varied by page, but some pages included a Steam user’s billing address, the last four digits of their Steam Guard phone number, their purchase history, the last two digits of their credit card number, and/or their email address. These cached requests did not include full credit card numbers, user passwords, or enough data to allow logging in as or completing a transaction as another user.

If you did not browse a Steam Store page with your personal information (such as your account page or a checkout page) in this time frame, that information could not have been shown to another user.

Valve goes on to note that this issue did occur due to web caching rules implemented during a Distributed Denial of Service (DDoS) attack.

Those types of attacks are extremely common, and extremely disruptive when they occur.

Unfortunately I am very familiar with DDoS attacks, as the ioquake3 master server I operate for every game using the engine has been under daily assault for the past few months. Fortunately we don’t store sensitive user information within that project. Though we have far fewer resources to deal with it, I can’t get on board with Valve’s apology.

It makes sense that mistakes are going to happen in responding to a DDoS, but it is extremely out of the ordinary for those mistakes to include leaking personal data. Valve says that they will contact those whose information was leaked, but the help offered by companies like Valve in response to past leaks has been to offer users time-limited subscription accounts at predatory companies that provide almost no legitimate identity protection services.

We will see what Valve actually does in response for those who were affected, but this is not an acceptable kind of thing to have happen at what should be a fairly mature institution that has been in operation as an online storefront for over a decade.

Steam Website Leaking User Information

The Steam website was completely broken for several hours today. Attempting to load any page on the site would give you another user’s version of that page including any personal details. This was also happening in the desktop client. Users on several sites produced screenshots that included blacked-out versions of pages that had other users’ details such as their billing address and Steam usernames. For example, I was able to load other people’s shopping cart just by visiting the regular cart page. Unlike many other services, the login username on Steam is to be kept secret.

As of this writing, hours later, logging in to Steam via the website just takes you to a logged-out version of the Steam page. The SteamDB site (not affiliated with Valve or Steam) has written up a note about the outage and security leak with some assumptions about how it happened. I agree with their suggestion to not store credit card details with Steam, or any online vendor, as Sony proved a few years ago when their online storefront was hacked.

James Davenport Interviews R6 Siege’s Cleany Gunhands

Cleany Gunhands:

Hey there. Yeah, thanks for having me. My name is Cleany Gunhands, and I love to clean, but I also have guns for hands instead of regular human hands for hands. I’m stuck in a scary digital hell dimension where I’m thrown into a very messy house or cafe or something and, like, I have to stop a bomb sometimes. There are others there, and they’re always yelling at me, yelling, ‘Dang-it, Cleany! Stop shooting the fridge and help us make these walls strong! We need the strong walls!’ But I’m just trying to clean the fridge, but I can’t because I have hands that aren’t hands, but guns instead of regular human hands.

Video Footage of id Software’s Super Mario Bros. 3 Clone

John Romero posted this video today to Vimeo in celebration of the 25th anniversary of Commander Keen. It’s the first publicly available footage of the Super Mario Bros. 3 demo that id Software pitched to Nintendo. You might have heard about it from David Kushner’s Masters of Doom book (Amazon, iBooks, Wikipedia), which is well worth reading if you haven’t already.

Playstation 4’s PS2 Emulator Disappointment

A few weeks ago there was a rumor that Sony would soon announce some kind of software support for the Playstation 4 to emulate the Playstation 2. It would be a nice favor to players since Sony very quickly dropped Playstation 2 compatibility from the Playstation 3 in order to lower the price of that console’s guts.

The rumor was based on the special edition of the Playstation 4 bundled with Star Wars Battlefront. That bundle also included a code for four older Star Wars games: Star Wars: Racer Revenge, Star Wars: Jedi Starfighter, Super Star Wars, and Star Wars: Bounty Hunter. Super Star Wars originally hails from the Super Nintendo and was actually ported to the Playstation 4; the other three are Playstation 2 games running under emulation.

This was very promising. The emulator appeared to be robust in taking advantage of modern amenities like trophies and upscaling, and generic enough in its implementation by virtually mapping the Dual Shock 4 and virtual PS2-era memory cards to support a range of games instead of just the three in the bundle. The Digital Foundry article analyzing the emulator for the Star Wars games was simply titled “Hands-on with PS4’s PlayStation 2 emulation.”

Why would Sony go to all of this trouble just for three Playstation 2 games? They wouldn’t. Surely it would be for more than just those. A Sony representative vaguely confirmed the coming emulator to Wired.

Surely, surely, surely there would be a generic Playstation 2 emulator coming along any day now where you could just insert a Playstation 2 disc and receive most of these features. Maybe trophies would be limited to especially popular games.

Nope.

Instead of attempting to compete with Microsoft’s recent addition of Xbox 360 emulation on the Xbox One, Sony announced that they were simply offering a short list of games for download at $10 or $15. Here’s the list:

$15 Games:
Dark Cloud
Grand Theft Auto III
Grand Theft Auto: Vice City
Grand Theft Auto: San Andreas
Rogue Galaxy
The Mark of Kri

$10 Games:
Twisted Metal: Black
War of the Monsters

People who had already purchased those games can’t just pop in a disc and play them. They have to be repurchased, and more games are promised to be added for download regularly.

It’s not completely unreasonable to charge that price for a download version of the game, and clearly it would require work per-game to support trophies, but it is incredibly boneheaded to not just drop a generic Playstation 2 emulator and leave out trophy support for games unless they are purchased again.

Almost more boneheaded is that some of these games had already been available for download on the Playstation 3 with an emulator running there, but they’ll still need to be repurchased even for people who bought those versions. I just don’t understand this strategy. Sony has been great with allowing people to purchase games online for the Vita, Playstation 4 or 3 and get the other platforms for free. They even have a goofy marketing name for it, Crossbuy. It should extend to emulated Playstation 2 games.

The only place you can still get a generic Playstation 2 emulator is on a computer with PCSX2. Using this kind of emulator is still finicky enough that I wouldn’t necessarily recommend the experience. Unlike emulators for 16-bit consoles like the Genesis and Super Nintendo where you kind of just choose an emulator, find a ROM image of the game and go, Playstation 1 and 2 emulators are highly dependent upon selecting the right group of plugins to provide support for things like reading the disc, USB input, audio, and video. Sometimes this process has to change depending on the game.

Getting PCSX2 to work for your games is more complicated than sticking a disc into a Playstation 4, but Wes Fenlon has a nice introductory guide up if you’re willing to battle with the open source software and move past the disappointment of Sony’s business decision to not release Playstation 2 emulation to the public on the Playstation 4.

Bad Customers Don’t Make Good Curators

If you owned a retail store, would you let a customer start cursing and yelling at your customers that the products you sell would give them incurable diseases or would you kick that customer out?

Steam’s curator program was implemented a little over a year ago. This program allowed individuals and groups of users to put together a selection of recommendations with a brief text component that appears on everyone’s Steam store page when enough people are following that curator. 

Some curators are what you would expect. Publications like Cheap Ass Gamer, PC Gamer, Giant Bomb, Gaming On Linux, and Rock, Paper, Shotgun have groups and recommendations. It’s nice to see that a publication you like is recommending a game, and it says a lot when none of them are. Then there are community action groups dedicated to specific causes, like one that is a group made up of non-developers highlighting games that lack features that they feel should be available on every computer game regardless of what era it was developed in or if the lack of such a feature would even be an issue for this type of game.

Finally, there are curators on Steam that are beyond hyperbole. For example, Waifu Hunter. Normally this name would just imply that the group is operated by anime fans who will never know how to speak with actual women. Their disgusting motto is “I will tell you if a videogame has attractive anime ladies in it.” Here’s a sample recommendation from Waifu Hunter:

This game is a matryoshka doll of cancer, furries, and Tumblr. Play this if you hate good writing, loathe functional game design, and want to get AIDS.

Valve allows this to exist in their store, why? This negative recommendation is for a point-and-click adventure that has very positive overall user reviews. 103 positive and 10 negative reviews are shown directly on the store page for the game. Destructoid gave the game an 8 out of 10. This system is intended for positive recommendations, not rants from 8chan users. It is time to kick this customer out of the store.

Eric S. Raymond’s Turn at Becoming The Biggest Asshole in Open Source

Eric S. Raymond:

The short version is: if you are any kind of open-source leader or senior figure who is male, do not be alone with any female, ever, at a technical conference. Try to avoid even being alone, ever, because there is a chance that a “women in tech” advocacy group is going to try to collect your scalp.

ESR’s blog post goes on to back up this conclusion with IRC logs from one anonymized source that nasty women are all around trying to destroy him and other self-aggrandizing free software/open source shitlords through false claims of sexual assault. The comment thread on the post is an amazing cavalcade of other men’s rights assholes who followed through links from terrible websites such as Phoronix and Breitbart. Surprisingly, the comment thread is a little bit better on the Phoronix post, where people call out Michael Larabel on linking to ESR’s garbage as if it were fact.

ESR calls this an attempt by women to “… smear and de-legitimize the Linux community (and, by extension, the entire open-source community) in order to render it politically pliable.” ESR is the one who has smeared the Linux community. He has threatened harm to other developers, by all accounts is a terrible developer, and a racist who takes credit for coining the term open source when it was actually invented by Christine Peterson.

Google Play Music App Getting Podcasts

Elias Roman:

To that end, today we’re launching a portal for podcasters to start uploading their shows to Google Play Music before we open up the service to listeners.

Translated from Google-speak: The Google Play Music app for Android (and iOS) is going to download podcasts to Google servers and rehost them on their own servers. Podcast publishers will only have access to listener metrics for Google Play Music listeners through Google’s interface. Google will also insert extra ads around the podcasts that aren’t from, and won’t benefit, the podcast publisher:

Google reserves the right to show display (image) ads alongside podcast content. Google will not insert any pre-roll ads before podcast content starts or mid-roll ads during a given podcast episode. Google reserves the right to serve post-roll video or audio ads after podcast content. Google Play Music does not provide direct payment or revenue share for podcast content.

Today, podcast publishers put up an RSS feed that anyone can use. It’s an open standard: any client can download one of these RSS feeds, get a list of episodes, and download them. Publishers interpret the one metric that matters, downloads, and use that in addition to occasional surveys of their listening audience to sell ads to advertisers if they choose to run advertising. If Google Play Music becomes the way that most people listen to podcasts, it will destroy the open standard and increase the number of advertisements that people are forced to listen to. This is not good.