Send News. Want a reply? Read this. More in the FAQ.   News Forum - All Forums - Mobile - PDA - RSS Headlines  RSS Headlines   Twitter  Twitter
Customize
User Settings
Styles:
LAN Parties
Upcoming one-time events:
Greenbelt, MD 08/22

Regularly scheduled events

User information for hb3d

Real Name hb3d   
Search for:
 
Sort results:   Ascending Descending
Limit results:
 
 
 
Nickname None given.
Email Concealed by request
ICQ None given.
Description
Homepage http://
Signed On Nov 27, 2011, 20:13
Total Comments 162 (Novice)
User ID 57250
 
User comment history
< Newer [ 1 2 3 4 5 6 7 8 9 ] Older >


News Comments > Firm Says Steam URLs Exploitable
53. I hate hypocrisy and blind bias. Oct 17, 2012, 22:13 hb3d
 
Prez wrote on Oct 17, 2012, 21:40:
Well it's no secret he's not a fan of Steam (but a big fan of Amazon and EA)
I'm not a fan of EA at all, but I hate the hypocrisy and blind bias I see around here and on other PC game forums. That is why I defended EA over its recent give away of free games. It's amazing the level of denial some of you EA haters will go to deal with the horrific notion that EA actually did something right or generous. EA even posted a notice on the previous survey link that new coupon codes would be sent out to those that didn't get one for the previous survey because it had to be closed. Now, that's good customer service for any company including EA.

that doesn't necessarily make him wrong.
He has to attack the messenger because he doesn't like the message and can't handle the truth.

Regarding this latest Valve security problem the silence on this both from Valve and its fans speaks volumes. When Ubisoft had a similar exploit months ago in a browser plug-in for its game client, most of you and others exploded with vitriol at Ubisoft over it even when you weren't even affect by it because you hadn't installed the plug-in. And, Ubisoft responded and fixed the problem in the same day it was reported in the news. Here, Valve didn't even reply to the researchers who disocvered the problem or to Computerworld that initally reported the story. And, this latest Valve security problem affects far more people since more people use Steam and more products since the vulnerabilities are in the Steam software and several game engines itself. The few Valve fanboys who bothered to respond in this thread either stuck their heads in the sand and denied the scope of the problem and/or blamed the researchers who found the exploits rather than place the blame on Valve where it belongs.

At what point does a company with a history of security problems and abyssmal customer service stop being "awesome"? Valve is now a multiple billion dollar company. It has a virtual monopoly on PC game distribution. It needs to stop acting like a bunch of free-wheeling hippies and stop treating customer service and security like some distant afterthought and inconvenience which interrupts its playtime. But, Valve will never improve and devote the personnel and resources necessary to those functions unless customers demand it. And, so long as the company has millions of minions who think it is "awesome" anyway and keep gladly giving it their money regardless of its repeated failings, that will never happen. That is why it is important to complain even when it is your favorite company in the wrong.

This comment was edited on Oct 17, 2012, 22:31.
 
Reply Quote Edit Delete Report
 
News Comments > Firm Says Steam URLs Exploitable
48. It's good advice but not foolproof. Oct 17, 2012, 21:22 hb3d
 
Sepharo wrote on Oct 17, 2012, 21:09:
I would hope that anyone here receiving a message about a website wanting to launch Steam would click No, especially if that wasn't their intent when clicking the link.
Well Chrome has a "remember my choice" box on that launch dialog box, so if you ever press "yes" and click the box, you won't be prompted again for Steam URL's. Other browsers probably do too. So if you go to the Steam website, install a game or demo using the Steam URL link when prompted, and click the box, you could be exploited later without knowing it because there would be no prompt. That is why relying on a prompt is not a real fix for this type of problem. It's good advice, but not foolproof.
 
Reply Quote Edit Delete Report
 
News Comments > Firm Says Steam URLs Exploitable
46. Re: Firm Says Steam URLs Exploitable Oct 17, 2012, 20:54 hb3d
 
pacbowl wrote on Oct 17, 2012, 20:51:
How about running No Script? It blocks auto-redirects too.
Anything that will block the browser from running/handling "steam://" will stop this attack vector. It won't fix the exploits in Steam or the games, but it will keep the browser from being used as a means to deliver an attack.

So, yes, if you can add "steam://*" to noscript's block list, that should do it.
 
Reply Quote Edit Delete Report
 
News Comments > Firm Says Steam URLs Exploitable
44. No subject Oct 17, 2012, 20:48 hb3d
 
Sepharo wrote on Oct 17, 2012, 20:43:
Only on Safari.
At the default settings other browsers will warn to various degrees of specificity. The problems are that not everyone uses the default security settings, and second users tend to click yes on popups because if they don't, things don't work.

"Just Say No!" is not a foolproof solution to this problem.
 
Reply Quote Edit Delete Report
 
News Comments > Firm Says Steam URLs Exploitable
41. Re: You are wrong again. Oct 17, 2012, 20:35 hb3d
 
Mashiki Amiketo wrote on Oct 17, 2012, 20:30:
That's two completely different things than what you've said in the last 4 posts.
No, it isn't. You simply don't understand what you read.

A page running something is not the URL itself being a script.
No kidding, nor did I say it was. With redirection the browser will automatically execute/go to Steam URL, which will automatically run Steam, which will automatically run/handle the URL to execute the attack. PC owned shortly thereafter. Learn to read.

And yes you're fearmongering, when there is a solution right there.
I am not fear mongering when this is a very real fear of exploit since the exploit works and it is public. Second, that solution is one which I already mentioned below, but it isn't permanent unless Valve removes the functionality from Steam because Steam automatically restores itself when it is run if a part is deleted, etc.

This comment was edited on Oct 17, 2012, 21:00.
 
Reply Quote Edit Delete Report
 
News Comments > Firm Says Steam URLs Exploitable
39. You are wrong again. Oct 17, 2012, 20:26 hb3d
 
hb3d wrote on Oct 17, 2012, 19:41:
Glad to see you're good on the fear mongering 101 though.
It's not fear mongering. It is the truth. This exploit can allow remote code execution, and since it can, there is virtually no limit to what it can do.

Steam url's aren't scripted.
They can be. A website can script the URL's to execute in the browser without clicking on anything, i.e. redirection.

See "Aside from tricking users to manually click on rogue steam:// URLs, attackers can use JavaScript code loaded on malicious pages to redirect browsers to such URLs, Luigi Auriemma said Tuesday via email."

I have followed Luigi's work in game hacking for over ten years. He has reported the vulnerabilities he finds in games to companies like Epic and id for years, and they have been subsequently fixed. When he says something about games and exploits, it is the truth.

Even someone from h-online figured that one out. "disabling the steam:// handler will disable or severely limit this vulnerability."
I said the same thing below. The problem is that Steam will restore that functionality when it launches or automatically updates.

This comment was edited on Oct 17, 2012, 21:02.
 
Reply Quote Edit Delete Report
 
News Comments > Firm Says Steam URLs Exploitable
36. Re: That is NOT enough. Oct 17, 2012, 20:02 hb3d
 
Prez wrote on Oct 17, 2012, 19:58:
Dammit! What if I blocked the Steam service in a program like Process Explorer until I'm ready to use it?
If you can prevent the entire Steam client from running using something like that, then yes, that would mitigate your exposure. But, so long as Steam is running you are vulnerable.
 
Reply Quote Edit Delete Report
 
News Comments > Firm Says Steam URLs Exploitable
34. Re: That is NOT enough. Oct 17, 2012, 19:53 hb3d
 
Prez wrote on Oct 17, 2012, 19:51:
I'll do the next best thing and turn the client off until I actually am going to use it. Normally I leave it running as long as my PC is on. I already use Chrome as my browser.
That won't help because the browser will launch Steam to execute these URL's if it is not already running. That is the whole idea of having these Steam-specific URL's in the first place.

Valve needs to autoupdate Steam to get rid of the URL handler as an immediate step to blunt this attack, but the Steam website is full of the URL's so it's going to break all that functionality.

This comment was edited on Oct 17, 2012, 20:07.
 
Reply Quote Edit Delete Report
 
News Comments > Firm Says Steam URLs Exploitable
32. It's not hard. You simply guess. Oct 17, 2012, 19:47 hb3d
 
In order to make this exploit work, you need to be able to cause something to create the file, in order to be able to execute it.
As I wrote before, if a Source engine game is installed, it can be made to do that with this exploit.

If you don't know what's installed, you have no attack vector.
You simply guess. Sure it won't affect people who don't have a Source game installed, but so many Steam users do, and so many use the default location for Steam that it isn't hard to find a vulnerable target. It was the exact same thing with the Uplay exploit. The specified path to the executable to run in that exploit was simply a guess on the target's directory structure and installed programs. Windows also still has a %path% variable that will execute anything in that path without knowing the full path.

Even their unreal engine exploit requires a upk file to exist already, in order to cause it to crash(integer overflow).
It already exists in the Sanctum game. That is why they chose that game over the dozens of other Unreal engine games on Steam.

But in the latter case, you need to know "what" you're running into to make it do something.
As I wrote before, you simply guess and target the most likely spots. Hackers have been doing that forever, and guess what? It works.

This comment was edited on Oct 17, 2012, 20:06.
 
Reply Quote Edit Delete Report
 
News Comments > Firm Says Steam URLs Exploitable
31. That is NOT enough. Oct 17, 2012, 19:41 hb3d
 
Mashiki Amiketo wrote on Oct 17, 2012, 18:49:
Worst case? Remote code execution with them being able to transverse directories.
That is NOT worst case. The exploits show hackers could execute anything on your PC with this exploit. That source engine exploit will run anything specified in the batch file at startup. So, delete all your files, steal your account credentials, etc. Once you can remotely execute code as you can here, the sky is really the limit.

Just don't click on any random steam url's and you'll be fine.
No, that won't do it because if the Steam url's are scripted, you don't have to click on a thing. And, if your browser doesn't prompt on the URL's as Safari doesn't at all and others won't if set that way, you won't even know if your browser executed these URL's.

This comment was edited on Oct 17, 2012, 19:48.
 
Reply Quote Edit Delete Report
 
News Comments > Ships Ahoy - DOOM 3: BFG Edition
31. Re: Ships Ahoy - DOOM 3: BFG Edition Oct 17, 2012, 18:42 hb3d
 
Prez wrote on Oct 17, 2012, 17:23:
The biggest thing I think was that it was pretty jarring for Doom fans that the series went from visceral run and gun to survival horror.
Doom 3's gameplay was a victim of the PC technology of the time. Recreating the Doom/Doom II experience with all of those enemies and items on the screen at once simply wasn't possible with the hardware available at the time of Doom 3's development since Carmack was pushing the game to have leading edge visuals. Sure, he could have made the game less demanding like Serious Sam and recreated the original experience, but that is not what he and id wanted. It also wouldn't have sold a lot of hardware upgrades like Doom 3 did which is what hardware vendors wanted.

However this is now 2012, and one big reason this re-release of the game is such a letdown is that Bethesda/id didn't use the opportunity to make the new "lost" missions in the game take advantage of the prevalent graphics hardware of the past eight years since Doom 3's release to recreate the original Doom gameplay experience in the Doom 3 engine.
 
Reply Quote Edit Delete Report
 
News Comments > Ships Ahoy - DOOM 3: BFG Edition
29. It's a console bargain-bin game without the bargain bin price. Oct 17, 2012, 18:33 hb3d
 
Flatline wrote on Oct 17, 2012, 18:22:
This is a bargain-bin release.
but with a $30 pricetag instead of $5 or $10

What makes this re-release of the game especially exasperating for PC gamers is that it is a consolized bastardization of a classic PC game. Even if you didn't like Doom 3, you still have to admit that the PC version of the game is still a PC game in terms of features (game settings, SDK, dedicated server multiplayer, etc.). This re-release of the game is a classic example of what is wrong with PC games today. You don't save PC gaming by turning the PC into a game console.
 
Reply Quote Edit Delete Report
 
News Comments > Firm Says Steam URLs Exploitable
25. Re: This goes way beyond being a browser exploit. Oct 17, 2012, 17:58 hb3d
 
hb3d wrote on Oct 17, 2012, 17:07:
That Uplay exploit effected everyone too, and everyone that had the game plugin installed, not just IE.
I went back and read the Uplay researcher's original post again and I see that the plug-in didn't use ActiveX. The title of the post was "Re: AxMan ActiveX fuzzing" but that was a misleading title since it was actually a thread about a different exploit and the researcher just mentioned his new find in that same thread.

You still need to be able to have knowledge of what's where, to be able to execute this exploit.
No, you don't because Windows environment variables will tell you that. Plus most users use default installation locations for Windows and Steam.

And before that you need to be able to have access to something to be able to create the batch file,
Well as stated in the article the Source engine will do that for the attacker if a Source engine game is installed. But, hardly anyone plays Source engine games, right?

This comment was edited on Oct 17, 2012, 18:10.
 
Reply Quote Edit Delete Report
 
News Comments > Firm Says Steam URLs Exploitable
23. Re: Firm Says Steam URLs Exploitable Oct 17, 2012, 17:52 hb3d
 
Prez wrote on Oct 17, 2012, 17:47:
Is it simply a matter of avoiding clicking on external Steam links?
No because the exploit can be scripted with Javascript so that you don't have to click on a thing.

The most secure way to avoid being exploited is to uninstall the Steam client. If you try to remove Steam's URL handler functionality manually, Steam's forced updates will simply put it right back on the next launch. Barring that only use Chrome or IE9 as your web browser and set them to prompt for user confirmation on all URL handlers. Then if such a notice pops up, always choose "block" or "no" in the popup.
 
Reply Quote Edit Delete Report
 
News Comments > Firm Says Steam URLs Exploitable
22. It is hard to get a reply from Valve. Oct 17, 2012, 17:49 hb3d
 
Kosumo wrote on Oct 17, 2012, 16:10:
Anyone else to back up that Valve are any more difficult to contact than any other large game/software studio?
This from the Computerworld article says it all on that: "Valve did not immediately return a request for comment." Even Computerworld didn't get some type of reply from Valve to a very serious security issue. Not even a "We're now aware of the issues and looking into them." Ubisoft both responded and fixed its exploit the same day. See this.


 
Reply Quote Edit Delete Report
 
News Comments > Firm Says Steam URLs Exploitable
19. This goes way beyond being a browser exploit. Oct 17, 2012, 17:07 hb3d
 
Mashiki Amiketo wrote on Oct 17, 2012, 13:24:
Looking at this a bit more, it appears that unless you've been able to compromise the machine before hand and lay a batch file(and know what games are installed). This is pretty much useless, so if someone has already compromised the machine that far. You've got other things to worry about than steam urls.

Though I might have missed something.
You missed a lot. Read the whole article (slowly for you) on Computerworld. This goes way beyond being a browser exploit. The browser is just used an attack vector into the Steam client itself and Source engine games. See "The researchers released a video in which they demonstrate how steam:// URLs can be used to remotely exploit some vulnerabilities they found in the Steam client and popular games." Valve's wonderful security triumphs again. I wonder if we will see Half-Life 3 source code soon.

In a different example, a steam:// URL can be used to execute legitimate commands found in Valve's Source game engine in order to write a .bat file with attacker-controlled content inside of Windows Startup folder. Files located in the Windows Startup directory are automatically executed when users log in.
That is really, really bad. As bad or worse than that Uplay exploit everyone bashed Ubisoft over (but not the researcher who found the exploit, hypocrites), but was fixed in a day or less. At least that exploit only affected users with the installed plug-in. This attack affects all browsers and Steam client users and since it can be scripted with Javascript, it is relatively easy to implement and get past the user especially on some browsers and settings.

This comment was edited on Oct 17, 2012, 18:08.
 
Reply Quote Edit Delete Report
 
News Comments > Ships Ahoy - DOOM 3: BFG Edition
13. Re: It's console Doom 3! Oct 17, 2012, 01:33 hb3d
 
Badboyquake wrote on Oct 17, 2012, 01:18:
Console is disabled by default in the game, but you can access it by using the following command line in the launch option: +seta com_allowconsole 1
Thanks for the tip. "Seta" doesn't work with this game though so you either always have to use the command-line option to enable the console or put it into a autoexec.cfg file which works. Enabling the console also disables achievements (not that I personally care).

change fov with g_fov XX or +set g_fov XX
That's a nice tip, but the Lost levels are so cramped that a wider view isn't really needed. The default setting is 80.

some people like the lost missions.
What people? All of the slow, unchallenging, brain-dead zombies you find in those levels? Standard Doom 3 at least has some story, cutscenes, and you feel like you are part of something bigger. These Lost levels feel like something Bethesda interns made. They have all of the worst aspects of Doom 3 in abundance with none of the charms.

dont forget the doom II addon from nerve "No Rest for the Living". first time for pc, xbox360 players know it.
That's just nine Doom II maps. I haven't played them, but given how many thousands of Doom II maps have been made, I don't see that these nine are worth $30.

This comment was edited on Oct 17, 2012, 03:19.
 
Reply Quote Edit Delete Report
 
News Comments > Ships Ahoy - DOOM 3: BFG Edition
12. Don't forget Steam and P2P Multiplayer only. Oct 17, 2012, 01:29 hb3d
 
deqer wrote on Oct 17, 2012, 01:11:
You can take your rehashed product--with it's new file format and no modding capabilities--and kindly shove it up your ***. Good day.
Since you previously stated your dislike for Steam, to add to your list of reasons not to buy the game, this version also requires Steam and its multiplayer uses Steam's wonderful consolized P2P matchmaking instead of better available options on Steam. There is also no LAN multiplayer. The patched original release of Doom 3 has dedicated servers and LAN multiplayer.

This comment was edited on Oct 17, 2012, 02:13.
 
Reply Quote Edit Delete Report
 
News Comments > Ships Ahoy - DOOM 3: BFG Edition
10. Get the original release of Doom 3 if you want mods. Oct 17, 2012, 01:16 hb3d
 
Kitkoan wrote on Oct 17, 2012, 00:17:
If I can't mod it or anything, kinda kills a lot of it for me
There's just no reason for a serious PC gamer to buy this version. If for some reason you don't already have the original release of Doom 3 and the RoE add-on, buy that instead and download some of the great mods for that version like the classic Doom mod and the co-op mods. The Doom 3 source code is now open source too, so if you are serious about mod creation, the sky is the limit.

I've played a few of the levels of the "Lost" missions, and they are just cramped, linear, boring garbage with virtually no story. The few audio logs and emails you find are just terribly uninteresting. Any third-party single-player maps made by modders for the original Doom 3 release can't be any worse than these.

As for supposedly improved visuals in this BFG edition, I'm not seeing it. The game looks like the same game made in 2004. Of course there are no settings in the menus for video aside from resolution, FPS 60/120 (why fixed?), bloom, and antialiasing (4X max).

This comment was edited on Oct 17, 2012, 01:56.
 
Reply Quote Edit Delete Report
 
News Comments > Ships Ahoy - DOOM 3: BFG Edition
4. It's console Doom 3! Oct 16, 2012, 23:11 hb3d
 
The Half Elf wrote on Oct 16, 2012, 22:54:
Is this the edition that nobody asked for or wanted?
I've always played games exclusively on the PC including the original releases of all of the Doom games, and having tried this "improved" version of the game I can now say that I know what it feels like to own an XBOX360 or a Playstation 3. The paucity of the settings screens should make any PC gamer cry. This new version doesn't even support mods or existing third-party maps because Bethesda/id changed the archive file format for the game. There is no command console either (without command-line CVAR setting).

Or does it include duct tape?
Yes, in that you can turn on the flashlight at any time while still holding your weapon although there is no visible flashlight model.

And if you already own DOOM 3 on Steam, between now and November 13th you can save $10 on your purchase.
This needs to be changed to "And if you already own DOOM 3 on Steam, play that version and save your money." The only thing you're missing out on besides the consolitis are the "Lost" levels, and from what I have played so far, they should have stayed lost.

This comment was edited on Oct 17, 2012, 03:15.
 
Reply Quote Edit Delete Report
 
162 Comments. 9 pages. Viewing page 1.
< Newer [ 1 2 3 4 5 6 7 8 9 ] Older >


footer

Blue's News logo