
Steam hacked - All Steam users are advised to change their Steam passwords (Nov. 2011)

Discussion in 'Civ5 - General Discussions' started by The_J, Nov 10, 2011.

  1. PieceOfMind

    PieceOfMind Drill IV Defender Retired Moderator

    Joined:
    Jan 15, 2006
    Messages:
    9,312
    Location:
    Australia
    Let me clear up a few things before it gets more out of hand. Genocidicbunny has already done a good job of giving accurate info too (except not realising the hack was not just of the forum but also of a Steam database that had more juicy info).



    That would be a very silly thing to do. Valve so far have only said that hacker/s obtained access to a database that contained encrypted CC info, hashed and salted passwords and the other info attached to each user like email address, billing address etc.
    For starters, there is no indication yet whether any information on any users was actually taken. We don't know how long the hacker/s had access or what their intentions were. I have said in another thread that because the hacker/s chose to advertise their presence by posting an advertisement for a cheats website on the forum then stealing personal information was probably not their primary goal if a goal at all. If it were, they would have tried to stay undetected for as long as possible and not done something as stupid as they did.

    Secondly, encrypted CC number means it's pretty much useless in the hands of a thief.

    Having access to a number that looks like this:
    ~7f+}2pG$W{5367B43D_hE6,HS'11*
    is a lot different to having access to your unaltered CC number.

    Same goes with the password. Hashing/salting is a bit different to encryption but the end result is much the same - useless in the hands of someone who doesn't know the original.

    And to those thinking these could be "cracked" computationally, e.g. by brute force, be aware that the most common modern encryption technologies would require an obscene amount of resources to break. For instance, every computer on Earth working for longer than the current age of the universe (AES256 is like that).
    ******************

    That email is almost certainly fake.

    What do you want a link to? You can't really link to a proof an email is fake. Rather the absence of proof the email is genuine should be more than enough to convince anyone.

    For Gabe to casually tell someone by email they'll be releasing for free two major games even though there's nothing official said about it or any other public source confirming it, it would be absurd to assume it were true.
    ******************
    Because the email is fake, and because I don't think there's any proof of the encryption type used by other sources, I don't think we actually know if the encryption they use is AES256. If it is, well that's good news - the encryption would be pretty much physically impossible to break even after the advent of scalable quantum computers.
    The thing is, for the sake of security Valve will probably never tell us what they use for their encryption.


    ******************

    Generally speaking about the incident, it is not cause for panic. While it'd be a good idea for users to change their passwords it's still probably unnecessary. More importantly, if any user is foolish enough to use in their password something that is potentially publicly accessible (e.g. part of their account name) then they should change their passwords right away anyway.

    By far the most important passwords to have strong are your email password and banking passwords.
     
  2. selajunk

    selajunk Chieftain

    Joined:
    Oct 3, 2011
    Messages:
    2
    Steam turn the best Single Player game into a <snip>-hole!

    And they will continue to do this as long as people keep buying the DLC's...

    Moderator Action: please refrain from using foul language. If you find you have triggered the autocensor, please rephrase, do not try to circumvent it.

    ori

    Please read the forum rules: http://forums.civfanatics.com/showthread.php?t=422889
     
  3. Maniacal

    Maniacal the green Napoleon

    Joined:
    Mar 13, 2005
    Messages:
    18,760
    Location:
    British Columbia, Canada
    Except that all of the DLC for Valve's own games is free, and the DLC being sold on Steam is for other companies' games which Valve has nothing to do with (besides offering it for sale on Steam along with those games).

    Also no idea what your first sentence is referring to.
     
  4. Sadato

    Sadato Chieftain

    Joined:
    Sep 28, 2011
    Messages:
    101
    It is plain stupid that if I buy my game at my local store I'm forced to start steam every time I want to play the game.

    Nowadays most games require steam interference.

    This steam dictatorship is astonishing.

    Those who defend steam clearly don't know what freedom and rights mean and enjoy being treated as sheep.

    Moderator Action: Telling people they enjoy being treated like sheep isn't exactly conducive to civil discussion.
    Please read the forum rules: http://forums.civfanatics.com/showthread.php?t=422889
     
  5. Peets

    Peets Chieftain Hall of Fame Staff

    Joined:
    Jul 23, 2008
    Messages:
    1,056
    Location:
    Belgium
    Sadato: You are free to buy or not to buy it. So your freedom or your rights haven't been harmed in any way. Those who sell the game have the right and the freedom to sell it how they want.
    So do you value your rights and freedom higher than theirs?
     
  6. Sadato

    Sadato Chieftain

    Joined:
    Sep 28, 2011
    Messages:
    101
    Imagine for a moment that Steam bankrupts and shuts down all the servers.

    What have you paid for?

    There's no place for a "take it or leave it" argument because the issue is not about the product but about the way it is served to us.

    Most democratic countries have laws regarding what can be sold and how it can be sold. There is something called "consumer rights" regarding monopolies and the way you are treated and served as a consumer.

    If we get to a point where if you want to play a PC game you must use steam and only steam, it is a monopoly and those are forbidden by international laws.

    Right now I don't have an alternative to steam to play Civ V and many other titles and I don't think it is good or safe for us as customers.

    Steam is an imposition, there are no "good" impositions.

    Imagine that to watch a movie at all the cinemas in the US you were forced to pray for Allah as a condition to enter. Hey! No one forces you! Take it or leave it!
     
  7. Solver

    Solver Civ4/5 beta tester

    Joined:
    Mar 22, 2002
    Messages:
    1,260
    Location:
    Latvia, Riga
    Yep, the email was fake, so statements about AES256 have to be retracted. You're wrong, though, in stating that Valve should want to keep the encryption scheme secret "for the sake of security". If the system relies on the particular encryption scheme being unknown, it's already borked. Kerckhoffs's principle is one of the very basics of cryptography.
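
Added example, not part of either post above: a sketch of salted password hashing in which the algorithm, work factor and salt are stored openly beside each digest, so the scheme can be public (Kerckhoffs's principle) while only the password stays secret, and in which passwords built from public account fields are flagged as PieceOfMind advises. PBKDF2-HMAC-SHA256, the iteration count, the function names and the sample account are assumptions; the thread never establishes what Valve used.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Assumption: PBKDF2-HMAC-SHA256 is a stand-in; the thread never establishes Valve's scheme.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 200_000  # illustrative work factor, stored in every record


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest."""
    salt = secrets.token_bytes(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ALGORITHM}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest from the public parameters; nothing is ever decrypted."""
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
        rounds = int(iterations)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        return False  # malformed record
    if algorithm != ALGORITHM or not 1 <= rounds <= 10_000_000:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(candidate, expected)  # constant-time comparison


def contains_public_info(password: str, account_name: str, email: str) -> bool:
    """Flag passwords built from fields stored in clear next to the hash."""
    lowered = password.lower()
    public = {account_name.lower(), email.lower().split("@")[0]}
    return any(len(token) >= 3 and token in lowered for token in public)


if __name__ == "__main__":
    # Constructed sample account, not data from the incident.
    record_a = hash_password("plum-violin-harbor-17")
    record_b = hash_password("plum-violin-harbor-17")
    print(record_a != record_b)  # same password, different salts
    print(verify_password("plum-violin-harbor-17", record_a))
    print(contains_public_info("Civfan42!", "civfan42", "civfan42@example.com"))
```
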
     
  8. Peets

    Peets Chieftain Hall of Fame Staff

    Joined:
    Jul 23, 2008
    Messages:
    1,056
    Location:
    Belgium
    What if you pre-order a game and the company goes bankrupt?
    You will lose less but it's the same :)

    For some games you have to install some other software to play it, for example Java. I don't see that big of a fuss about it.

    What about games that come out only on PlayStation?
    If I want to play Gran Turismo (probably spelled wrong) I have to buy a PlayStation. What if I don't want to buy a PlayStation? Should they bring out the game to PC too?

    There are some restaurants that have a "clothes restriction". It doesn't sound as drastic as what you stated for your cinema but it is the same.
     
  9. Sadato

    Sadato Chieftain

    Joined:
    Sep 28, 2011
    Messages:
    101
    If Java bankrupts, java plugins keep running.
    That preorder example is quite poor and bizarre, I don't remember any company closing during the preorder and not returning the money.

    There are countless companies that closed or that changed its policies or started giving free services and later asked for money.

    Imagine that in a couple years Steam demands a payment of 10$ per month to be able to play your games. Take it or leave it?

    Steam model means: all eggs in one basket.

    We're not talking about Civ V, if we follow this progression in a few months/years ALL games will work only with steam so there is no real alternative or option as customers.
     
  10. binhthuy71

    binhthuy71 Chieftain

    Joined:
    Nov 3, 2003
    Messages:
    1,886
    Location:
    Southern California foothills
    Steam has 35 million active user accounts and 1400 games so it's unlikely that they'll be going BK anytime soon. If they did though, Firaxis/2K would simply issue a patch that obviated the need for Steam and make it available for download.
     
  11. Peets

    Peets Chieftain Hall of Fame Staff

    Joined:
    Jul 23, 2008
    Messages:
    1,056
    Location:
    Belgium
    Yes, java keeps running but what if I don't want it but I need it to play that game.
    You may think, that is a crazy argument cause everyone accepts it and everyone finds it normal that it is there.

    A company closing or going bankrupt is a difference.
    When a company goes bankrupt you can forget about your pre-order money.

    If steam will ask money in the future, you may count me in for complaining the hell out of them.
    But what if Java suddenly starts to ask money?

    Steam is starting to get competition, origin... I expect in the future even more companies trying to do the same thing as steam and origin. Who knows what the future brings.
     
  12. scratchthepitch

    scratchthepitch Chieftain

    Joined:
    Feb 13, 2010
    Messages:
    798
    That and the other "reasons" you used to excuse exploitive behavior by the wannabe monopolists at steam are just "selling points" adapted to "debate" form. They are not even valid arguments in the roles you intended for them. For example, the restaurant one above. To relate it accurately to having Civ5 restricted to steam, you would have to stipulate that ALL restaurants have the same dress code and you can't dine out if you don't accommodate yourself to it. That wouldn't exactly help your argument or encourage people to use steam, now would it. :lol: You don't really have any positive examples to justify customers being exploited by steam, so you use bogus ones, like those above. Little debate tricks used to sell your POV, rather than valid arguments and facts to support that POV. It's a waste of time, like advertising, which informs nobody and is only intended to get people doing, or buying, things they don't really need nor want.

    People just want a choice on whether to use steam or not, that's it.

    But you people promoting steam are arguing against them having that choice and try to argue that lack of choice is "good" or "the American way" or some other such sloganeering garbage. Now why is that? Why are you so set against people being able to play a game without steam interfering? It's kinda obvious, isn't it.

    I've stated before, the main reason I never developed any desire to even try steam is all the offensive fan spamming trying to force people into accepting this monopoly on their gaming. This kind of hard sell tactic is only used by those up to no good.

    Unsubscribes thread.
     
  13. Peets

    Peets Chieftain Hall of Fame Staff

    Joined:
    Jul 23, 2008
    Messages:
    1,056
    Location:
    Belgium
    I am far from telling that steam is good and everyone has to use it.
    Nor do I enjoy "The American way"

    I am simply arguing that some people don't have any good reason why steam is bad.
    The reasons they give can be used for many other things that nobody makes a fuss about. This I find frustrating.

    People can make the choice if they want to use steam or not.
    But if you want to play Civ 5 you have to get steam.
    If you want to play another game you probably have to take something else whether you like it or not. That's how the market works.
    I'm just countering the arguments that are used to make steam evil, that's all.

    I can easily make your argument turn around, why is everyone creating this propaganda that steam is evil with no valid argument? I haven't seen one good argument.

    Steam is exploiting their customers?
    Every company is exploiting their customer. Otherwise they'll go out of business.
    All those commercials... Most of them are not even true as you stated. Do I have a choice if I want to see them or not? No. Is it there? Yes. But all this fuss started with that steam is breaking freedom and your rights... Which they do not.

    If steam is a monopoly then so is Xbox, Playstation, ...

    There are games that can be played with or without steam, that is not the choice of Steam so who do you have to blame?
     
  14. Keejus

    Keejus Chieftain

    Joined:
    Mar 6, 2011
    Messages:
    311
    Location:
    Denmark
    I need a PS3 to play Heavy Rain? This Sony monopoly is unacceptable. I need to wear a shirt and shoes to eat at a particular restaurant? Clearly, these money-grubbing food and cloth producers are in cahoots (in this metaphor, restaurants without such a policy are non-Steamworks games, my friend). I want to visit my friend two towns over, but he says I can't come over unless I promise not to punch him in the face again. How dare he monopolize his own private property like that?

    I need a government-issued license to drive a car, or own a gun, or sell medicine? This is clearly illegal exploitation of my basic liberties!

    For what it's worth, they've said that if that ever happens, they will release a patch that unlocks all Steam games and lets you play them without Steam.
     
  15. forty2j

    forty2j Chieftain

    Joined:
    Dec 6, 2010
    Messages:
    735
    Location:
    NJ
    Yes. On the Mac App Store.

    It's unfortunate that this event happened to Steam, because its primary effect has been to get everyone with any ill feelings about Steam to recount them repeatedly. But the fact of the matter is, my personal details, encrypted password & CC #, and so forth are exactly as safe at Steam as they are at Amazon, Apple, Barnes & Noble, and any other place where I happen to have an account with a convenient ordering system. A motivated, determined, skilled hacker will find his way into any of them.
     
  16. headcase

    headcase Limit 1 Facepalm Per Turn

    Joined:
    Aug 12, 2011
    Messages:
    1,213
    Location:
    Ontario, Canada
    They're too busy telling you about the wonderful games you could buy!

    Thanks CivFanatics :goodjob:
     
  17. jimmygeo

    jimmygeo Chieftain

    Joined:
    Jan 15, 2004
    Messages:
    234
    Location:
    Alberta, Canada
    I've been leery of getting CIV thru Steam. Now I'm glad I didn't! Long live Civ4 BtS!!
     
  18. da_Vinci

    da_Vinci Gypsy Prince

    Joined:
    Jun 13, 2004
    Messages:
    4,172
    Location:
    Maryland, USA
    The problem is that unless you go cash only, unencrypted bank account numbers and routing numbers (with your name and address if you present a check) and unencrypted card numbers are going to be floating around wherever you transact business.

    The thing that the internet adds is a route into the online "vault" (where before you would have had to break into someone's physical files), but do you have a guarantee that doing business offline doesn't mean that your info is still put into a corporate database that can be hacked online?

    The sad truth is not if we will be compromised, but when in this information age. So you just have to have all precautions up.

    Well, just seeing all this today, a vigorous search for the notice on steam fails to find it. I think it needs to be more obvious than that.

    Well said

    I changed my Steam password, and I noticed another feature of Steam Guard: It allowed me to deauthorize all other computers (other than the current login). Seems this might be a two edged sword:

    1. The good: Since I got in, if anyone had authorized another computer with the old password (which I suppose would mean they would also be in my email), that is now de-authorized and would need the new password to re-authorize.

    2. The bad: If someone got in and added computers, since that would mean they are in my email, then they could have de-authorized all computers but theirs, and also changed the password. So this protection to be used by the user, if hacked, could be used to lock out the user?

    dV
     
  19. PieceOfMind

    PieceOfMind Drill IV Defender Retired Moderator

    Joined:
    Jan 15, 2006
    Messages:
    9,312
    Location:
    Australia
    In that unlikely event going through Steam's support for account recovery would work just fine. However the customer would need to have some form of proof of ownership of the account. Usually a physical cd key from a retail game that was used on Steam or some transaction details are enough to prove ownership. So if your account is stolen, it's never lost forever unless you have nothing left to prove it's yours.

    Funnily enough, I think the last 4 digits of the credit card number you used (if you used one!) is one of the things they ask for to help prove your identity.

    Also, yes the utility of Steam Guard depends entirely on the strength of security of the email account. It's designed to reduce effectiveness of phishing sites that pretend to be Steam, where they ask directly for your steam account name and password. Now for such phishing attempts to be fruitful they either would need to ask you for your email address and password at the same time (heh, it has been tried!) or obtain access to your email through some other means. In other words it's a big step forward in reducing steam account theft but it's not completely fool-proof.
     
  20. PieceOfMind

    PieceOfMind Drill IV Defender Retired Moderator

    Joined:
    Jan 15, 2006
    Messages:
    9,312
    Location:
    Australia
    We'll have to agree to disagree. Valve employees posting on their forums are refusing to offer any comment in response to questions of the nature: "What type of encryption was used or how secure was it."

    People are looking for peace of mind on this matter but not receiving it. Maybe they'll inform us later on. Who knows...
     
