researcher publishes second steam 0 day, valve doesn't care

[spartaman64]

9 minutes ago, WereCatf said:

No, it's not. They banned the researcher from HackerOne's forums, not Valve's forums. Valve isn't paying them to run HackerOne's forums, Valve is paying them to validate reported vulnerabilities. Valve runs Valve's forums, HackerOne runs HackerOne's forums and HackerOne's forums aren't in any way related to Valve -- they're used for all sorts of vulnerabilities in all sorts of products.

and he was banned because he violated valve's rules if valve comes out and says he didnt violate their rules then theres no reason for hackerone to ban him

Quote

In regards to the specific researchers, we are reviewing the details of each situation to determine the appropriate actions. We aren’t going to discuss the details of each situation or the status of their accounts at this time.

also this quote from your article heavily implies that valve can get the ban overturned so hopefully they do

 

notice that it says team valve

[WereCatf]

5 minutes ago, spartaman64 said:

and he was banned because he violated valve's rules

No, Valve's rules say nothing about banning. He was banned because he was talking about going public with the vulnerability, which is all about HackerOne's policies. You are confusing Valve's guidelines for what sorts of vulnerabilities should be forward to them with HackerOne's policies regarding vulnerability-disclosure.

 

EDIT: Take a look at https://www.hackerone.com/disclosure-guidelines -- those are HackerOne's policies and they do specifically talk about bans there as well.

[Blademaster91]

The problem is the researcher wanted to leak the vulnerability publicly before giving Valve any chance to patch it, this zero day doesn't really seem to be much of an exploit since it requires the system having admin access or access to the physical system so I see why it wouldn't be a high priority for them.

 

[dalekphalm]

2 minutes ago, Blademaster91 said:

The problem is the researcher wanted to leak the vulnerability publicly before giving Valve any chance to patch it, this zero day doesn't really seem to be much of an exploit since it requires the system having admin access or access to the physical system so I see why it wouldn't be a high priority for them.

 

How would he give Valve a chance to patch it, when it was categorized as “not applicable” and therefore it wasn’t even going to be sent to any dev team. 

[spartaman64]

Just now, Blademaster91 said:

The problem is the researcher wanted to leak the vulnerability publicly before giving Valve any chance to patch it, this zero day doesn't really seem to be much of an exploit since it requires the system having admin access or access to the physical system so I see why it wouldn't be a high priority for them.

 

thats not the problem they said that they are not going to do anything to fix it. and no it doesnt require admin access it grants the program admin access. if you already have admin access why would you try to get granted admin access 

Quote

It was very funny to read comments to previous article, where community wrote “user can’t write to HKLM registry keys” or “you need administrator rights to create a symlink”. What’s interesting is that checking this statements takes almost as long as writing such comment. And yes, just in case, both statements are false. Because of this I decided to write a small section in this article, where I describe some difficult steps of exploitation.

1)      “User can’t write to HKLM registry section”.

There is no such general rule. There are specific security rules for specific registry keys. Valve gives full control to all users on HKLM\SOFTWARE\Wow6432Node\Valve\steam branch, so any user can do whatever he wants with it.

2)      “It’s not possible to start or stop service without administrator rights”.

There is no such general rule. There are specific security rules for specific services. Valve gave any user permissions to start and stop Steam Client Service.

3)      “You need administrator rights to create a symlink”.

This statement is funny itself, because there are five general types of links in Windows and only one and a half require such rights. Let me introduce you to: file symbolic link, object directory symbolic link, hard link, NTFS reparse point and reg_link. Administrator rights are necessary only to create file symbolic link and for permanent object directory symbolic link (temporary object directory symbolic link lives as long as lives the session, where it was created, most commonly until reboot, and doesn’t require any special rights).

 

[spartaman64]

7 minutes ago, WereCatf said:

No, Valve's rules say nothing about banning. He was banned because he was talking about going public with the vulnerability, which is all about HackerOne's policies. You are confusing Valve's guidelines for what sorts of vulnerabilities should be forward to them with HackerOne's policies regarding vulnerability-disclosure.

 

EDIT: Take a look at https://www.hackerone.com/disclosure-guidelines -- those are HackerOne's policies and they do specifically talk about bans there as well.

ok which rule did he violate? they said it wasnt a vulnerability. and also valve themselves heavily implied that they can get him unbanned also the statement he got implies that valve has control of the situation

[WereCatf]

Just now, spartaman64 said:

ok which rule did he violate?

Ask them, I'm not in charge.

[spartaman64]

Just now, WereCatf said:

Ask them, I'm not in charge.

it doesnt say your account has been removed in fact he can still comment on past reports it says TEAM VALVE elected to not receive reports. so valve can tell "their team" to receive reports from him again

[williamcll]

All it takes is one infected steam game and things will go down.

[mr moose]

8 hours ago, spartaman64 said:

it doesnt say your account has been removed in fact he can still comment on past reports it says TEAM VALVE elected to not receive reports. so valve can tell "their team" to receive reports from him again

Is team valve part of hackerone or valve themselves?  If they are a group operating withing hackerone and work for hackerone then his ban has nothing to do with valve.  Valve might be able to suggest such a thing, but the decision to ban him was not valves and unless other evidence surfaces not at valves discretion.

[spartaman64]

1 hour ago, mr moose said:

Is team valve part of hackerone or valve themselves?  If they are a group operating withing hackerone and work for hackerone then his ban has nothing to do with valve.  Valve might be able to suggest such a thing, but the decision to ban him was not valves and unless other evidence surfaces not at valves discretion.

they are probably people assigned to work on the valve bounty program. and valve heavily suggested in their own words that they can and might do something about the ban

[SupremeGOAT]

On 8/23/2019 at 8:25 AM, Sauron said:

Epic bad

this is true mijo

[TechyBen]

On 8/23/2019 at 2:20 PM, emosun said:

wait a minute.... you're saying valve are a bunch self absorbed buttheads that only care about money?

Valve: Promises/teases HL3/HL2:EP3 at the end of HL2:EP3

Also Valve: Starts developing SOOO MANY GAMES in complete secret, but their internal structure with zero heading/control means they all get nowhere.

Also Also Valve: Buys lots of indy devs, releases those games instead.

Finally Valve: Puts all their effort into making Steam a money pit (though arguably providing tools/support through the client! ) then releases a load of failed card trading games...

Fans/customers: We really only wanted the game you promised.

A few trolls: "HL3 you scum!!!"

Valve: That's it, we quit, you are sooo nasty to us! [disappears off into their money pool never to be seen again].

[Thaldor]

7 minutes ago, valdyrgramr said:

https://www.pcgamer.com/epic-steam-data-reddit/ It was something else blown out of proportion that they stopped doing after backlash.  But, there are a lot of other forms of data collection here in the US too.  For example, part of the reason stores ask you for personal information is to sell it off to telemarketers to harass you.  So, don't give your number to grocery store or any store in general.  Data collection occurs all over the net, but I find it funny people are annoyed in this one context when Epic did it because they're already biased against Epic.

I don't really care for data collection, but what Epic does is kind of dangerous and just plain stupid. Without any warnings, without any interaction EGS copies and encrypts Steams localconfig-file that includes quite a lot sensitive data (login tokens/hashes (especially to the Steam cloud), auth hashes, license keys, connection information and auths) for what? For that if the user at some point of time wants to import their friends list from Steam to EGS and then that file gets send to Epics servers. It's like grocery store would ask you to hand over your house and car keys just in case you would like them to deliver your order to your house at some point in the future.

I don't know how easy it is to use data in that file to do something but a lot of it sounds kind of dangerous to let some random program do a copy of that file for it's own reasons just in case. And why the hell this shit was done in the first place when Steam has free to use API for friend list export just because that one file on your PC sounds like a file that you don't want other programs accessing? Because Epic wanted to use their own code and not rely on others... Well that's cool... IF we weren't talking about a store front that marks you as hoarder if you buy 5 games within 10 minutes and which coders are apparently that bad they cannot implement a FUCKING SHOPPING CART in less than "somewhere later than 6 months".

 

So yeah... Epic Games Store... so safe... much skill... better. [/sarcasm]

[JZStudios]

On 8/23/2019 at 8:06 AM, Tristerin said:

With Epic (10 cent) we are knowingly allowing ourselves to be monitored at a Admin level. 

Proof please. Explicit proof, not just "well maybe's"

This shit's getting old. If I buy stock in Epic, do I also get unlimited administrative access?

 

I've seen those reddit posts and they with a unanimous *shrug* "It could be bad, but nothing definitive." I'm not that concerned with Epic reading Steam data from my games or my friends list. Hell, I don't even like Valve having that info, but since Valve says "Fuck off" to people who might actually enjoy privacy, it's just the way it is.

[spartaman64]

1 hour ago, JZStudios said:

Proof please. Explicit proof, not just "well maybe's"

This shit's getting old. If I buy stock in Epic, do I also get unlimited administrative access?

 

I've seen those reddit posts and they with a unanimous *shrug* "It could be bad, but nothing definitive." I'm not that concerned with Epic reading Steam data from my games or my friends list. Hell, I don't even like Valve having that info, but since Valve says "Fuck off" to people who might actually enjoy privacy, it's just the way it is.

i think that was said as a joke

[JZStudios]

6 minutes ago, spartaman64 said:

i think that was said as a joke

Not when he made multiple further posts about it.

I'm still also waiting for definitive proof that Epic is straight buying exclusivity deals, rather than the publisher just going to Epic for a better share. No one seems to bitch about the exclusives on any other platform. Steam especially. Literally thousands of games are only accessible via Steam. Even physical copies.

[spartaman64]

1 hour ago, JZStudios said:

Not when he made multiple further posts about it.

I'm still also waiting for definitive proof that Epic is straight buying exclusivity deals, rather than the publisher just going to Epic for a better share. No one seems to bitch about the exclusives on any other platform. Steam especially. Literally thousands of games are only accessible via Steam. Even physical copies.

i mean how else are they getting exclusive deals? they just beg the game devs and they say yes? and afaik steam doesnt require any games to be exclusive on steam while epic does and in the case of DARQ they didnt even let them be on the epic store because they turned down exclusivity. 

[Blademaster91]

12 minutes ago, JZStudios said:

Not when he made multiple further posts about it.

I'm still also waiting for definitive proof that Epic is straight buying exclusivity deals, rather than the publisher just going to Epic for a better share. No one seems to bitch about the exclusives on any other platform. Steam especially. Literally thousands of games are only accessible via Steam. Even physical copies.

Epic just hands publishers some fortnite money, most of them don't turn it down.  I'd agree exclusives suck on every platform,but at least Steam isn't shit and has basic features Epic still hasn't bothered to throw some of that fortnite money at. I personally couldn't trust EGS as they insisted there wasn't any spying and reddit threads proved otherwise.

[xAcid9]

8 hours ago, JZStudios said:

I'm still also waiting for definitive proof that Epic is straight buying exclusivity deals, rather than the publisher just going to Epic for a better share. No one seems to bitch about the exclusives on any other platform. Steam especially. Literally thousands of games are only accessible via Steam. Even physical copies.

 

TL;DW
>Dev released official Steam launch date for the game.
>Epic contact Dev for exclusivity deal
>Dev reject exclusivity deal
>Dev asked to release the game at Epic store w/o exclusivity
>Epic reject

 

[Arika]

8 hours ago, JZStudios said:

Steam especially. Literally thousands of games are only accessible via Steam

Unlike EGS, Steam doesn't prevent you from selling on other platforms. Steam is the most used and apparently quite easy to get your game on, so of course devs are going to flock to the largest potential audience.

 

And as with the recent DARQ news, if you don't take their exclusivity deal, they will not let you put it on their platform. because apparently their "hand curated" is only available to people who took their money and made the deal.

[Derangel]

12 hours ago, JZStudios said:

Not when he made multiple further posts about it.

I'm still also waiting for definitive proof that Epic is straight buying exclusivity deals, rather than the publisher just going to Epic for a better share. No one seems to bitch about the exclusives on any other platform. Steam especially. Literally thousands of games are only accessible via Steam. Even physical copies.

The devs of the game Ooblets outright said they were given upfront money and a sales guarantee for going EGS exclusive.

[ravenshrike]

15 hours ago, JZStudios said:

No one seems to bitch about the exclusives on any other platform. Steam especially. Literally thousands of games are only accessible via Steam.

Publishers choosing to only release a game on Steam is not remotely the fault of Valve. There is no restriction by Valve enforcing such a policy.

[JZStudios]

16 hours ago, spartaman64 said:

i mean how else are they getting exclusive deals? they just beg the game devs and they say yes? and afaik steam doesnt require any games to be exclusive on steam while epic does and in the case of DARQ they didnt even let them be on the epic store because they turned down exclusivity. 

Firstly, it's the publishers, not the game devs. And in the case of indie devs, the few I've seen have said they're doing it for the better split, not that Epic paid them a million. And, alright, Steam doesn't require or force games to be exclusive, but many are anyways. Most actually. And then you still have Bethesda's whatever, uPlay, Origin, uhh... I don't know what else. I don't play modern games.

Haven't heard of DARQ, but he was approached by Epic and refused the offer because he already had a steam date.

16 hours ago, Blademaster91 said:

Epic just hands publishers some fortnite money, most of them don't turn it down.

Proof please.

16 hours ago, Blademaster91 said:

Epic just hands publishers some fortnite money, most of them don't turn it down.  I'd agree exclusives suck on every platform,but at least Steam isn't shit and has basic features Epic still hasn't bothered to throw some of that fortnite money at. I personally couldn't trust EGS as they insisted there wasn't any spying and reddit threads proved otherwise.

And Steam is shit. Most of it barely functions, only recently could I start actually watching embedded video links in steam with it freezing and requiring me to restart it. 

There's still zero proof of Epic spying. they aren't accessing administrative files on your PC, they're looking at Steam files, and they aren't being sent back. That's not spying.

[JZStudios]

4 hours ago, Derangel said:

The devs of the game Ooblets outright said they were given upfront money and a sales guarantee for going EGS exclusive.

Another game I haven't heard of. But hey, actual proof. It certainly works for indie devs though, since they'd really probably only need a few thousand. Still wondering how the deals work with bigger games like Metro, which by the way, was Deep Silver's deal, not 4A, and that angry dev guy, surprise surprise, was not actually a dev.

https://ooblets.com/2019/07/we-did-the-thing/

1 hour ago, ravenshrike said:

Publishers choosing to only release a game on Steam is not remotely the fault of Valve. There is no restriction by Valve enforcing such a policy.

I get that, but it's also kind of irrelevant. As mentioned in the link above, EGS is a free alternative, and the games are only exclusive for a year. It's a stupid thing to be so pissy about.

Also, just because Steam doesn't force games to be exclusive (Which, I mean... Epic can't force people to sign into a deal) doesn't mean they aren't effectively exclusive. You can't get them anywhere else. If something goes off Steam, like Alan Wake, The Lego LOTR, or... all 3 DiRT's, you have no way of obtaining or playing those games anymore. Well, you can't buy them anymore.