Thursday, June 19, 2014

Game 4 Thought: When is it Okay to Break ToS?

Here's a little Game 4 Thought:

A bit of controversy was sparked when a developer was banned from Steam for exposing a security loophole in Steam's announcement pages.  Tomáš Duda said in a Reddit post that he had reported the issue a few months prior to the incident (source).  When he learned that it had gone unfixed after all this time, however, he took the more proactive approach of exploiting the weakness in a fairly harmless manner.  Specifically, he made an update page for one of his games play a song and shake around.  When Valve saw what he did, they nearly-immediately fixed the vulnerability and then gave him a year-long ban from his developer access, and from the Steam Community.  Thankfully they were able to get in touch and the ban was lifted within a few days.  So it all had a happy ending, but there was still some controversy during the interim that I feel is worth talking about.

Simply put, some people felt that Valve was being completely unreasonable in their ban, while others basically shrugged and said "He broke the ToS, he got a ban.  What's the big deal?"  The latter group is who I would like to address with this.  The big deal is that it isn't as cut and dry as simply breaking the ToS.  It's about the message he was trying to send.  Yes, he did break the ToS, but he did so in order to expose a weakness that Valve was apparently content to ignore.  Just how harmful could the weakness be though?  After-all, he only made music play and caused the screen to shake around.  Well, according to posts on the Reddit thread discussing the matter, it can get a lot worse than that.  Worse as-in someone could write-up a script that directs you to what looks like the Steam Store, but when you make a purchase the money goes to the script writer instead of to Steam, and obviously you don't get the game.  Apparently there are other possibilities other than that, but I'd say that even just being able to steal money from Valve's customers is enough of an exploit to label this vulnerability as a big freaking deal.

So here's a little breakdown:  Best-case scenario, Valve simply has a very slow ticketing process, to the point where reporting an issue could take months before anyone sees it.  The exploit would probably have been fixed, but who knows when they'd finally get the ticket alerting them?  In this case, Valve seriously needs to send someone down there to kick some asses into gear.  It is completely unacceptable that vulnerabilities like this could exist, and they aren't getting fixed because the guys in charge of reading bug reports are too busy playing Skyrim or something.  Worst-case scenario, an official at Valve DID read the ticket, and then just threw it out!  Regardless of whether or not the vulnerability was explained in a way that made it sound threatening, an exploit is still an exploit!  It's Valves responsibility to seal-up any potential threats, big or small.  In either case, it is 100% Valve's fault that the developer was able to take advantage of this loophole when he did; it should have been long-since fixed.

As a customer on Steam, knowing that they're so slap-dash about fixing security loopholes is kind of worrying to me.  So when someone makes it apparent by doing something completely harmless?  Damn straight I'm on his side!  The thing that worries me is the people who were rallying to support Valve on their decision.  Don't get me wrong, I understand that some people are just Neutral/Lawful, so the law is the law is the law (or in this case, the ToS is the ToS is the ToS), but that still doesn't address the core issue:  Valve was told about a vulnerability in their program that would, in addition to other potential problems, allow an enterprising hacker to create a pseudo-store that would steal money from their customers, and they didn't fix it!  So are we saying that we DON'T want developers to take the pro-active stance of doing something harmless when these exploits go unfixed in order to draw attention to them?

"Well, if Valve doesn't fix the problems, then it can just be their fault when someone DOES take advantage of them.  This guy didn't have to break the ToS, so he still deserves his punishment," the argument tends to go.  That's just it, though, I DON'T WANT SOMEONE TO TAKE ADVANTAGE OF THESE IN THE FIRST PLACE!  I am a customer on Steam.  You know who gets screwed when someone hacks into Steam and is able to, for example, create a false Store that sends customers' money to someone's account and then doesn't reward the game that was "purchased"?  ME!  I don't care how much egg gets on Valve's face when the exploit happens.  I don't care that some developer can jump-up and shout, "HA!  I reported this AGES ago, it should have been fixed!"  No, I care that potentially up to $60 of my money (per game in the purchase) is now squatting in some guy's account.  Maybe I'll get the money back, but I probably won't.  Maybe Valve will give me a key to unlock the game that I didn't actually purchase, but maybe they won't if there's no sufficient way to prove that I did in fact fall victim to the exploit.

No, I'd rather just avoid all of that potential hassle, and any hassle from other problems caused by this exploit.  I might not even fall victim to the exploit, but I'd still rather not have to deal with it happening in the first place.  I would rather a well-intentioned developer create a harmless little prank to illustrate the loophole so that Valve has to notice and fix it.  I would rather that any exploits in Steam's coding be fixed and sealed-off.  I would rather not like to hear about Valve banning developers when they do something harmless to highlight an exploit that has seemingly gone ignored.  I'm not saying that Valve should throw this guy a ticker-tape parade, but to have banned him when his actions were strictly in favor of pointing out a loophole before someone can use it in a way that's actually harmful?  As a customer on Steam, I don't like that one bit.

This has been some Game 4 Thought.  Thanks for reading.


No comments:

Post a Comment