Together with Java Smith and A. Sembly he can form a White hat team that fights the evils of the 'dark net' and corrupt companies. Call themselves the Whizz Kids. Hey, sounds like a budding new series...
Damn my age.
A 16-year-old lad in Manchester, England, exploited flaws in Valve's developer site to publish on Steam an unapproved game about watching paint dry. Ruby Nealon, a computer science student at Salford uni, said a set of programming blunders in the Steamworks website let him sneak his Watch Paint Dry roleplaying game past Valve' …
Isn't that standard business practice? Brand someone that embarrasses your company by exposing critical security holes "a dirty rotten hacker" and throw the book at them.
It worked for AT&T (weev) and Sony (geohotz) after all. There is certainly no shortage of white-knight commentards to defend this either.
I thought Valve was better than that. I am disappointed that someone had to go and actually perform the hijack in order to get Valve to move on it.
That was a serious bug. Valve can be happy that the guy didn't post something truly disgusting or horrifying, or simply malware. Chances are, if some true scum had found out, Valve would be publishing meek excuses for having riddled x thousands of gamer's PCs with the latest-harddisk encrypting malware. Methinks that would have been a much worse thing, and this guy alerted them to exactly that fact.
When someone is nice enough to alert you to a problem that serious, you get fixing the issue, you don't ignore it. Shame on you, Valve.
Early Access, Steam Green-Light.. Screening programs that excel at rubber stamping crud! Valve realize this, that's why they planned to retire the system a year ago. So WTF happened no reform??? Meantime, Steam users continue to green light games like mindless zombies! Classic examples: Steam Greenlight: Gabe Newell Simulator - and - Early Access: Mountains of Madness.
Jim Sterling also covers these in his sarcasticallly titled 'Best of Steam Greenlight Trailers', although I suspect he's a tad more vitriolic in his coverage.
Also, a lot of his first impressions gameplay.
He's currently being sued by a company called Digital Homocide for slander after he pointed out their games are nothing but asset flips (IE buying asset packs, throwing them together and claiming it's an original game) which gives you an idea of how backwards some of these 'game devs' are.
Steam is (generally) a good platform, but there's some real problems with it these days.
Gabe Newell Simulator, the only thing I liked about that was the cards were worth more than the actual game (Earned 50p more than what it was worth and it was a troll purchase from one of my friends who I then brought Shower with your Dad Simulator).
Anyway Valve, kill them all with fire!
"Something I've definitely learned from doing this is when working with user-generated content that first needs to be approved, do not have 'Review Ready' and 'Reviewed' as two states of existence for the content," said Nealon
That's not the lesson to be learnt. The lesson is never, ever accept any response that comes from a user without first assuming it hasn't been completely buggered with. This especially goes for HTML forms or HTTP streams that are comically easy to modify. If your response is trusting something like an ID to be passed back to you untouched (instead of using tokens or something similar where you retain session scope on your box) then your design is completely broken...
There was nothing wrong with having two states for "ready" and "reviewed" and likewise the suggested solution of an audit trail wouldn't have stopped the core problem which was not validating the info coming back from the interface.
Boring games inexistence. The El Reg comments section is.
I waste time crafting rubbish comments to gain XP (upvotes) but theres no skill system to use the XP in.
I came here to create a high level ice mage and to grind out some loot slaying noobs, but ive since discovered the loot drops here are worse than Diablo 3 and the only class you can choose is "Anonymous Coward". What a let down.
Shittiest game of multiplayer Gedit ive ever played.
Not read all of the details, but it sounds like an "overposting" attack*, if thats the case then there must have been a series of very poor design decisions made when that site was being put together.
Bind the views directly to the model. Check
Allow model binding to reconstruct the model based solely on the data coming back from the view. Check
Pass the reconstructed model directly to the DAL for persistence in the database without checking it. Check
The golden rule "Never trust user input" seems to have been forgotten by too many people.
I demonstrated an over posting attack on a site that was delivered to an ex employer by a highly paid contractor while he was there, I used the F12 developer tool bar to make it easier. His response was "Why did microsoft make that available?" He genuinely didn't realize that the users would have access to the HTML and means of editing it regardless of the dev tools being there... He was a win forms developer trying to get into web... As far as I know he is still out there delivering crap like this.
* I use the term attack loosely
Biting the hand that feeds IT © 1998–2020