On Christmas Day, Valve had a few hours of problems. Their servers were being overloaded by malicious traffic. The best analogy I can offer is a malicious group sending a thousand people to Walmart to do nothing but stand in the check-out line and ask the cashier for the time. This clogs up the infrastructure and prevents legitimate customers from completing their transactions. Attacks like this are often launched after a ransom demand: don't pay, and your servers get clogged at the worst possible time.
A little too much sharing…
There are two ways to counteract a DDoS attack: add hardware, or make your site more efficient so that each request costs less to serve.
When a page is requested, the server generates it and sends it to the customer. This process is typically slow, especially for complicated sites that pull data from one or more databases. The generated page can then be handed to caching partners, who deliver it to customers. Some pages, like the Steam Store's front page, are mostly the same for everyone who views them (from the same geographic region). Other pages, like your order confirmation page, are individual to you. You can save server capacity by generating the shared pages only when they change and serving them to the relevant users from the closest delivery server.
Someone, during a 20-fold spike in traffic relative to the typical Steam Sale volume, accidentally started saving (caching) pages containing private information and delivering them to random users. This includes things like the order confirmation and contact information pages of whatever logged-in account generated them. This is pretty terrible for privacy. To be clear, it did not allow users to interact with other users' profiles, only to see the results that other users had generated.
But this is still quite bad.
Users complained, especially on Twitter, that Valve should have shut down their website immediately. From my position, I agree, especially since attempting to make a purchase tells the web server to pull the most sensitive information (billing address, etc.) from the database. I don't know why Valve didn't; I can't see that from the outside.
It's probably a simple mistake to make, especially since Valve seems to blame a third party for the configuration issue. On the other hand, that also means Valve structured their website such that sensitive information is in the hands of third parties to cache properly. That might have been necessary, depending on their browser compatibility requirements, but I would hope it's something Valve restructures in the future. (For instance, have the caching server store the site's framework, and fill in the individual's data with a JavaScript request to a separate, uncached server.)
But again, I don't work there. I don't know the details.
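To make the caching failure concrete, here is an added toy model (written for this post; it is not Valve's code or any CDN vendor's) of a shared edge cache sitting in front of an origin. The cache is keyed by URL, as shared caches are. In the misconfigured mode it stores every successful response regardless of who it was generated for, so the second logged-in user gets the first user's order page. In the correct mode it honours `Cache-Control: private` / `no-store` and refuses to share responses to requests that carried a session cookie unless the origin explicitly marked them `public`. The `/account/shell` and `/api/orders` paths model the restructuring suggested above: a shareable page skeleton plus a per-user data call that is never cached. All paths, headers and user names are constructed for the illustration.

```python
# Added example for this post (not Valve's or any CDN vendor's code): a toy
# shared cache in front of a toy origin, showing how a cache that keys
# responses only by URL and ignores Cache-Control leaks one user's private
# page to the next user, and how honouring the headers (plus splitting the
# page into a public shell and a private API call) prevents it.
# All paths, headers and users here are constructed for the illustration.
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Response:
    status: int
    headers: Dict[str, str]
    body: str


def origin(path: str, session: Optional[str]) -> Response:
    """Constructed origin server. `session` is the user's session cookie, if any."""
    if path == "/":                      # same for everyone: safe to share
        return Response(200, {"Cache-Control": "public, max-age=300"}, "store front page")
    if path == "/account/orders":        # full per-user page rendered server-side
        if session is None:
            return Response(302, {"Cache-Control": "no-store"}, "login required")
        return Response(200, {"Cache-Control": "private, no-store"}, f"orders for {session}")
    if path == "/account/shell":         # public skeleton; user data filled in client-side
        return Response(200, {"Cache-Control": "public, max-age=300"},
                        "<div id=orders></div> (JavaScript fetches /api/orders)")
    if path == "/api/orders":            # per-user data, never shareable
        if session is None:
            return Response(401, {"Cache-Control": "no-store"}, "unauthorized")
        return Response(200, {"Cache-Control": "private, no-store"}, f'{{"orders":"{session}"}}')
    return Response(404, {"Cache-Control": "no-store"}, "not found")


class SharedCache:
    """Toy CDN edge cache keyed by URL only, as a shared cache typically is."""

    def __init__(self, honor_cache_control: bool):
        self.honor = honor_cache_control
        self.store: Dict[str, Response] = {}

    def _storable(self, has_cookie: bool, resp: Response) -> bool:
        if not self.honor:
            # The misconfiguration: every successful response is kept by URL,
            # regardless of who it was generated for.
            return resp.status == 200
        directives = {d.strip() for d in resp.headers.get("Cache-Control", "").lower().split(",")}
        if "no-store" in directives or "private" in directives:
            return False
        # A response to a request that carried credentials is only shared if the
        # origin explicitly marked it public (RFC 7234 applies this rule to the
        # Authorization header; extending it to session cookies is the safe default).
        if has_cookie and "public" not in directives:
            return False
        return resp.status == 200

    def fetch(self, path: str, session: Optional[str] = None) -> Tuple[Response, str]:
        if path in self.store:
            return self.store[path], "HIT"
        resp = origin(path, session)
        if self._storable(session is not None, resp):
            self.store[path] = resp
        return resp, "MISS"


def second_user_sees(path: str, honor_cache_control: bool) -> Tuple[str, str]:
    """alice loads `path` first, then bob. Return bob's response body and
    whether it came from the shared cache (HIT) or the origin (MISS)."""
    cache = SharedCache(honor_cache_control)
    cache.fetch(path, session="alice")
    resp, status = cache.fetch(path, session="bob")
    return resp.body, status


if __name__ == "__main__":
    print(second_user_sees("/account/orders", honor_cache_control=False))  # ('orders for alice', 'HIT')
    print(second_user_sees("/account/orders", honor_cache_control=True))   # ('orders for bob', 'MISS')
    print(second_user_sees("/account/shell", honor_cache_control=True))    # shared skeleton, 'HIT'
    print(second_user_sees("/api/orders", honor_cache_control=True))       # ('{"orders":"bob"}', 'MISS')
```

The design point is that the only thing separating the leak from correct behaviour is whether the cache layer respects the origin's cacheability signals; the origin in both modes emits the same headers. That is why the post argues the safer structure is to keep private data off cacheable URLs entirely, so a cache misconfiguration has nothing sensitive to expose.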
“But again, I don’t work there. I don’t know the details.” Well said. Why most of us come here, I’d say.
I’ll piggyback off the above quote and ask this question, for some perspective, as I don’t know jack about issues like these in general, let alone this one specifically. But how does this compare to other data breaches? Sony, for instance.
Side note: Valve attempting to shift culpability onto a third party (whether justified or not) is not comforting in the slightest.
This, while tragic, is nowhere near as awful as some of the previous data breaches. The worst people could get was an email address and the last four of credit card information. (I’m pretty certain that was it in regard to personal information.) The moment you would try to change anything it’d prompt for credentials, so they couldn’t edit anything or purchase anything. Not a huge deal, but the big concern at this point is that the email address & last four of the card are pretty important when attempting to do a bit of social engineering, if they so desired.
There is probably more to it that I don’t remember at this point but I wasn’t hugely concerned as I don’t have my card info saved for purchasing so I kind of stopped worrying pretty quickly.
Thx! Steam just updated its ‘service agreement’. I wonder if the changes being implemented (Valve SARL) have anything to do with these holiday security issues? Aforementioned ‘third party’ found??
Doubtful. If I had to guess, I'd say it's this: http://arstechnica.com/gaming/2015/12/french-consumer-group-sues-for-right-to-resell-steam-games/
Officially, it's something to do with them getting into hardware.
windows 10 duh!!!!!!!!!!!
Valve may well have ‘shut down their website’ quickly. The problem is this was a caching service issue. The entire PROBLEM was the cache service holding pages to cache they shouldn’t have: Valve literally pulling the plugs out of the Steam store webservers would do nothing until the caching service had purged the incorrect configuration and all the pages that had been cached incorrectly, and/or Valve’s DNS host had propagated changes to prevent Steam URLs from pointing to the cache service. Both take time, and there’s not much Valve can do other than call up either service (who are operating on holiday staffing) and yell “Fix it faster!”.
Yeah, those are some of the details that could vary on how their back-end is structured. You'd expect that a big red button would be designed to take the service offline in case of emergency, invalidating all cache. Who knows (from the outside)?
I can only say: crappy web server.
Every HTTP request has a well-known origin and destination (a user-specific key used by the server to distinguish between users). If two users connect, two sessions will be created. How is it possible to mix data from two totally different sessions? Not to reuse, but to mix?
That’s like playing two movies from two different files and both get mixed!?
Why does this not happen on an overloaded PC but does happen on a web server?
I’m just here to comment on the commentary regarding Valve’s…comment. Inception.