Archive for the ‘Hacking’ Category

Mac OS X Security

Saturday, April 21st, 2007

Infoworld are crowing that a “myth” has been crushed, as a hacker managed to break in to OS X to win a security contest in Vancouver. No myth has been crushed - at worst, perhaps a misconception has been dented. OS X is not hack-proof - there is no operating system on earth that is 100% secure when attached to a network, and the way some people have responded to a run-of-the-mill Safari vulnerability, you would think that there has been an apocalypse.

What the Infoworld article fails to mention is that CanSecWest organizers relaxed the rules Friday after nobody at the event had breached either of the Macs on the previous day. It doesn’t specify exactly how the rules were relaxed, but a comment mentions that “The successful attack on the second and final day of the contest required participants to surf to a malicious Web site using Safari”. If this is the case, then as far as I’m concerned, the contest only served to show how well secured OS X really is.

The article quotes Dragos Ruiu, organiser of the event:

“You see a lot of people running OS X saying it’s so secure, and frankly, Microsoft is putting more work into security than Apple has”

Dragos: the reason Microsoft is putting so much more work into security than Apple is because it needs it so much more. How many times have I had to fix friends’ Windows computers for no other reason than they left it online for a few hours without a firewall? No myth has been crushed, common sense has prevailed. Your Mac is not untouchable - it is advisable that you tighten security controls on your web browser, and be careful of surfing to dodgy sites on the internet. As long as you don’t make a habit of antagonising MaddoxX, then you can be reasonably confident that your computer won’t be trying to nuke eBay if you leave it online untended for the weekend.

Disgruntled Russian Hacker Exposes Valve

Friday, April 20th, 2007

The Daily Tech have an article about a hacker who is currently holding Valve Software (the makers of Half-life) to ransom, having hacked into the system that manages internet cafe licences, and retrieved details and credit card information.

Most gamers will remember the bit of trouble that Valve had a couple of years ago, when a German hacker known as Axel G, or “Osama Bin Leaker” when he’s in a particularly powerful mood, snuck into their network. Internal emails were leaked, demos were leaked, and ultimately the source code to Half-life 2 was put on the internet. Valve burst into action like a coiled spring - instantly assembling a dynamic and energetic tiger team:

The fiasco resulted in a lot of hassle for the company, but they got some consolation in the end when they caught the perpetrators by pulling the oldest trick in the book - offering to hire Axel G as an in-house security auditor. Beaming with pride as he headed for the plane, ready to start his new life in America working on the game he loves, the poor boy had no idea that the FBI were laughing their asses off at the airport, doing Axel G impressions as they waited for him to arrive.

Axel G - a misguided enthusiast, suffering from classic notions of teenage hackers - convinced himself that he was working for the greater good. He claimed that the motive behind the source code leak was to expose Valve for lying to the public about the state of the game, which was far from finished, implying that they demoed a fake version of the game at E3.

This latest haxor, MaddoxX, displays the same symptoms of a glorified self-image, probably seeing himself as half Robin Hood, half Darth Vader and half Zerocool. However, by comparing the number of x’s in their names, we can assume that MaddoxX is at least twice as l33t as Axel G, and thus less likely to fall for the “hey, you’re good! Come and work for us” trick. I would remind Valve of the old Chinese proverb that is strangely apt here: “Blind eagles soar with wings, but do not mess with psycho Russian hackers because you’ll get pwned”.

The Daily Tech article quotes MaddoxX, who outlines his motives:

In fact, MaddoxX says that he’s been tooling around on the Steam server’s back door since January. “I did try [to] contact them several months ago. At the time, I didn’t do anything harmful — just got [a few free copies of games] but never heard anything from them,” he says. “Later,” the steamed hacker adds, “I tried to warn them to fix bugs…but as usual, they don’t listen.” He recounts that he allegedly tried e-mailing Valve employees on several occasions without a reply. When a friend of his called attention to the potential security breaches on Valve forums, every trace of each thread got shut down. “They don’t even warn or reply to their Café customers that private information is leaked,” he says.

And here we come to the issue that is bothering me: MaddoxX is dead right in what he says. When you take confidential information from your customers - be it credit card details, home phone numbers, or their dog’s middle name, you take on a degree of responsibility. My guess is that Valve’s IT guys are still sitting around eating sandwiches in front of an empty whiteboard. The director of marketing at Valve, Doug Lombardi, just recently confirmed the security breach and released this statement:

There has been no security breach of Steam. The alleged hacker gained access to a third-party site that Valve uses to manage the commercial partners in its Cyber Café program. This Cyber Café billing system is not connected to Steam.

The Daily Tech refers to a very reasonable Californian Law which says that you are required by law to disclose any breach of security (to any resident whose unencrypted data is believed to have been disclosed). I’m not a lawyer, so I don’t know if Valve are bound by this, but I am aware of a general rule of thumb: if you discover a security breach, you snap to it and do something about it. You don’t hum and haw and mumble some comment a week later about an “alleged hacker” who broke into the system. If the guy has got:

  • Screenshots of internal Valve web pages
  • A portion of Valve’s Cafe directory
  • Error logs
  • Credit card information of customers
  • Financial information on Valve

…then I think it’s safe to put your hands up and acknowledge this. Funnily enough, the Cork gaming cafe Area 51 even makes an appearance on one of MaddoxX’s screenshots. I wonder if they know that their credit card details could be compromised? Perhaps I’m being unfair, and all of the affected customers have been contacted and informed, but judging by the concerned cafe account owners on the steam forums and elsewhere, this does not seem to be the case. This only serves to validate what MaddoxX is saying, and highlights a gross lack of responsibility on Valve’s part. I believe the guy when he says he has contacted them many times about exploits and bugs and never got a reply. They sound like an absolute disaster.

Security breaches happen occasionally, and that is inevitable. I won’t dwell on the fact that it seems to be a recurring event for this particular company; I’m more concerned about the reaction when something does go wrong. Read this example of how it should be done, from WordPress. A responsible, well-worded, concise account of what happened, when it happened, who is affected, and what to do if you are affected.

What would you have said if Automattic had come out with drivel like this: “There is no security breach at Akismet. I repeat, AKISMET IS SECURE AND SAFE. oh, by the way, WordPress got allegedly hacked.” Doug Lombardi: the issue is not “There has been no security breach of Steam”; the issue is: “THERE HAS BEEN A SECURITY BREACH”.

Hackers in Team Ireland

Wednesday, January 17th, 2007

I mentioned in my last post that very few people these days take the time to give their views on how things are shaping up in the world of online gaming. In the days of Geocities and Gibworld, the internet was hopping in time with its myriad of animated ‘mail me’ gifs. Dozens of clan sites and tinet homepages in Ireland were poised to strike at the slightest bit of news in the gaming scene. When the boat rocked, ripples would spread giddily through the network of fluorescent static HTML pages, lovingly tended by faithful enthusiasts.

Last week, the boat rocked. When I say it rocked, I mean it crashed into an iceberg and flipped over three times before landing upside-down in the Bermuda triangle. The thundering mother of all cheating scandals emerged in a haze of furious drama. eSReality has an account of the saga involving an English gamer called Fusen and netCoders.be - a group who make aimbots, wallhacks, etc., for games such as Quake 3, Enemy Territory, CoD 2, and SOF, and sell them for up to $200. This is the story of the hacker who hacked the hackers and gained access to their database via a vBulletin exploit, exposing the details of all of their customers to the public. The wild-west response, where netCoders offer a $1,000 reward for information on their attacker. The irony of the moral high ground held by the victims and their alleged legal follow-up. The hackers’ threats to hack the hacker who hacked the hackers.

The plot thickened and boiled and simmered as professional players were busted, and respected Clanbase admins ruined. But it didn’t interest me until I noticed that several members of team Ireland were caught with aimbots and wallhacks.

I have followed Ireland in the Enemy Territory nations cups a few times, and despite our small playerbase, Ireland has always had a very strong squad which was able to compete at the highest level. More recently, a new generation of players has risen to eradicate the respect that Irish national teams have accumulated over the years. If this had happened 5 years ago, there would be riots.

I am from Cork, Ireland. A fan of the Big Lebowski, Mac OS X, Linux, Cork hurling, Munster rugby, Irish football. Interests include QuakeWorld, Python (lately Django), network security, web applications and technology in general.
