Tomáš Duda is a young developer working for SCS Software, the developers of the Euro Truck Simulator series. He recently found a vulnerability with Valve’s Steam service, and having reported it once to no response, reported it again via an elaborate prank. Which has got him suspended from certain parts of Steam for a whole year.
Duda altered the code on an old sale notice for Euro Truck Simulator 2 to be able to shake the screen and play the Harlem Shake. Which sounds harmless, but it’s something Valve has taken very seriously.
Jesus fucking Christ, Valve. This for making you finally fix a vulnerability? Seriously? pic.twitter.com/NWOkdgylWk
— Tomáš Duda (@tomasduda) June 15, 2014
“Timmy essentially lives on Steam”, Pavel Sebor, CEO of Czech studio SCS tells Kotaku in an email, “keeping an eye on everything happening there, every little gossip, every little new feature, parsing source code changes, he frequently suggests fixes and improvements directly to Valve. That’s why I hired him really so that he can help us push our games towards closer Steam services integration, his insight into the whole system is really deep.”
“Over the course of last year”, Sebor explains, “Timmy has found more than one vulnerability in Steam’s systems, always dutifully reporting them. This one was already reported a few months ago too, then forgotten about, but as he explained to me a short while ago, just yesterday it popped up in discussion in a closed discussion group of a few like-minded guys, and verified to still not be fixed. So Timmy supposedly wanted to play a little joke on somebody at Valve, and injected a proof of concept code into an old-forgotten announcement post, what he thought was deep enough under layers of new stuff that nobody would discover it by chance. Valve were on it within 30 minutes with a fix.”
They were also quick on the banhammer. Duda has been banned from community aspects (like forums) for 12 months as a user, but he’s also locked out of some developer stuff as well. Messing with Steam’s code, no matter how harmless the intentions, is something Valve obviously takes pretty seriously.
“Timmy as an individual indeed had some of his personal developer/publisher permissions revoked by Valve staff, which is a penalty he will no doubt feel very harshly”, Sebor adds. “He has some hard work ahead of him to learn the trust back.”
“He’s a good kid, I trust that he will grow wiser with time.”
We’ve also contacted Valve for comment on this story, and will update if we hear back.
Comments
31 responses to “Kid Developer Pranks Steam, Gets Suspended From Steam”
Thats kinda not cool on Valves part. Not saying the dude was right either, but sheesh. If it only took 30min to find and fix why didn’t they just fix it in the first place?
Indeed, sounds like its more something Valve should be held accountable for to me…
It was probably put waaaaay down on the list of pressing matters for the team as it appeared that no-one else had discovered/taken advantage of the vulnerability.
Not trying to be much of an apologist, but we really don’t know the full story on Valve’s end. Were they lazy? Were they dismissive of the guy? Were they too busy fighting other issues that may do more serious damage to the platform, and just flagged it for revisiting in the future?
Indeed, so in that case, why punish the guy when Valve merely ‘put it off for another day’?
The nature of the issue says it shouldn’t be put aside. Code injection is a big deal.
What he did wasn’t wrong either. Break down the steps as reported:
He found a vulnerability.
He reported said vulnerability.
Months passed.
The vulnerability has not been fixed.
He locates an old announcement post unlikely to be found/read by anyone.
Edits it up so it does its thing.
His actions are far from malicious. It sounds like you could inject code, that is a serious vulnerability that should be fixed very quickly.
All he did was embarrass them a little. To themselves. If they had fixed it, thanked him and moved on, I doubt any of us would know of their embarrassment.
See it from valve’s point of view. There was a problem. Someone pointed it out by messing with their product. It wasn’t a smart way to report a bug. Even if he was trying to help.
If it was up to me I’d suspend all kids…
You gots my vote.
And then kick them off your lawn too for good measure!
I get Valve has to come down hard on this but at the same time I feel a little bad for the kid.
Hopefully all parties learn from this. Don’t expect a company to find something as funny as you do and as a company don’t ignore these sorts of reports from people who only want to make things better. You are just lucky that this time it was someone without malicious intent
I disagree, usually white hat stuff like this (When reported properly first) is good for a system. Since you have volunteers doing some pretty intensive bug checking of your systems free of charge.
If it’s a vulnerability worth rushing out a fix then they should have at the first report.
If it wasn’t fixed… Well then for all the kid knows some developer decided “working as intended” and called it a day, so where’s the harm?
Seriously, if it was that quick to fix, then it worries me that Valve are not serious about patching known vulnerabilities until it is made public.
I could understand if he made it public so everyone knew about it, but it doesn’t sound like it left the eyes of those developers. It sounds like he just took advantage of it without publicly telling everyone else how to do it – which definitely doesn’t deserve the ban hammer imo.
It’s impossible to assess Valve’s seriousness about fixing bugs based on the story of one case told from only one side’s perspective. From personal experience, most likely what happened is Valve had logged the issue the first time it was reported and prioritised it lower than more serious bugs. As transientmind says below, it’s easy to think that since it’s only a half hour fix that it should have been done ages ago but when your bug tracker has a hundred ‘half hour fixes’ it’s inevitable that some of them are going to be fixed later – often much later – down the line. The only reason it was brought up the priority list was because someone actually did exploit it, but all that means is that other bugs got pushed back so this one could be fixed more urgently.
I don’t take this as any reflection at all on Valve’s seriousness, prioritisation is just a fact of life in software development.
It is harsh – the guy didn’t do anything harmful, meant well, and it was a vulnerability that Valve should have fixed a long time ago. That said, they kind of have to play hard with this kid, to set an example. If they let him go scot free, others might be encouraged to do worse things. Hopefully they’ll rescind the ban after a while.
Kill the chicken to scare the monkey.
What this “kid” did though was essentially act like a child. What he did for attention wasn’t the right way to go about it. Even though his intentions were good, it would have caused other people disruption; He could have gone about it instead, with something a little more subtle.
Id like to take something more tangible than a ban hammer to Harlem shakers faces tbh but this kid had the courtesy to not put it in front of everybody. Valve ought to give the kid a good behaviour parole
Dick move, Valve.
Warned about exploit, nothing done, exploit prodded in a way no-one should’ve been able to see, ban hammer because… what. Now the bosses know fixer-bot327 didn’t do his fucking job and he wants to take it out on somebody? It’s the fucking definition of butt-hurt.
Less reactionary: I get the warning aspect. It’d be like if you found some condemned council property has a busted lock, you come back in six months and it’s still busted so you jump inside and record a goofy video about it. Prior warning doesn’t mean you had any right to be there and if something had gone wrong, it’d be emergency services/council picking up the tab, so no shit if caught you get fined.
Because every, “It’ll only take 30min to fix,” can’t actually get fixed in 30min because the thing about them is there’s a shitload of them. If you had infinite resources then yes, all 30min fixes would be fixed within 30min, but because no-one has infinite resources, they go in a queue. And that queue is often ordered by priority – which, yes, does actually include how much harm can be done and how unlikely it is to be found and/or acted on. Just because you feel some sense of ownership about a fault you’ve found doesn’t give you the right to go bump up its priority so you can feel validated.
WhiteGrey hat (edit: ta, ZombieJesus) stuff should always get a slap on the wrist but in this instance I kind think the opinions on what constitutes wrist-slapping are kind of varied. Maybe Valve would normally have banned a prankster for life, and the history of big reporting mitigated the penalty to a suspension.I personally think a year of not letting someone voluntarily do your fucking work for you takes this from wrist-slap to just plain butthurt.
I mostly agree with everything except the first and last paragraph, but his actions were not white hat. I covered that briefly in my reply below, but white hat hacks are ethical and legal, his actions were not. White hat ethics requires that he have permission to perform the exploit, because without it it enters the realm of ‘unauthorised computer access’, which starts getting the law involved. Yeah, it’s good that he’s been helping Valve identify bugs, but that doesn’t give him any special privilege to exploit those bugs if he thinks Valve isn’t moving fast enough for his liking. It’s not his place to try to force Valve’s hand about when they fix their bugs.
No argument there. My main criticism is the severity of the punishment. It could be that anything obviously malicious would’ve been permaban and this IS their idea of a wrist-slap, but it sure isn’t my idea of one.
Edit: Also, the nature of tester vs dev is frequently antagonistic. It doesn’t take much for a bug report to spin like a criticism, and ‘working as intended’ is a well-known ‘fuck you’ in the face of obvious defects. There needs to be a lot more benefit of the doubt given in that kind of relationship. I don’t have the background knowledge of this one, but it’s entirely possible that extrapolating previous bug-fix timeframes would allow the familiarized tester to read six-months-no-fix as equal to ‘we’re not going to’.
Maybe so. I find myself having no strong feelings on the one year ban, but at the same time I don’t have an answer to ‘would a 3 month ban sufficed in this instance’ either. Some of his earlier activity on Steam while working for SCS seems a bit unprofessional and the impression I got overall is that he’s somewhat immature and/or naive. Maybe a shorter ban would have still had the same effect, but I’m not sure I’d agree that a year is vindictive or inappropriate either.
I think we agree that some sort of punitive response was appropriate. What I don’t get are the type of people who think this kind of thing should be praised or rewarded.
Bluntly, he made a poor decision and has to live with the consequences. This is not a white hat hack. White hat hacking is ethical and legal, what he did was not. Reporting it to Valve in the first place was the right move. Exploiting it after only one attempt to report it to Valve was the wrong move. He should have simply reported the issue again and left it be, it’s not his place to try to dictate to the developer what their bug fixing schedule and priorities should be.
Hopefully he’s learned something useful about the ethics of hacking through this experience. Regardless of how noble he claims his intentions were (and remember, we only have his side of the story at the moment), this type of action is not acceptable.
I feel it’s too easy to buy a gun in America. I’m going to shoot a bunch of people in america just to show how easy it is.
Cops should always enforce 5kmh over the speed limit or else they’re endorsing murder. See? I can do hyper-inflated false equivalence too!
They will blame your addiction to gaming and the fact you frequent Kotaku.
No hate on valve but i mean come on they are slow with lots of things like Half-Life 3 so of coarse they are going to take their time to fix something quick lol.
Maybe Valve needs to learn how to runs things a bit… smoother.
Luke, thank you for not using the phrase: “We reached out to Valve.” I really, really appreciate that.
Sadly this is how a lot of vulnerabilities get fixed, and in every story I’ve read, it always, always reads the same.
Person finds vulnerability.
Person reports vulnerability repeatedly.
Nothing changes for a long time
Person exploits vulnerability harmlessly
Vulnerability gets fixed and person gets suspended, banned, or punished in some other way.
Sometimes the person legitimately breaks the rules with their exploit and unfortunately just has to deal with the consequences but I would think in this day and age where every other day there’s another security breach, companies would be jumping on these things as soon as they are reported.