• GabeN makes his steam password public to show off steam security
    87 replies, posted
Waiting for VoiDeD or ComWalk to break into it. They're the gods of steam reverse engineering, I doubt it's [b]that[/b] secure.
[QUOTE=Crimor;28429674]Is it just me or does this defeat the purpose of steam? Being able to use it anywhere.[/QUOTE] You can use the account anywhere. You however can only change the info from one computer. So, if someone were to phish you they would not be able to change the info so you can just change the password, log back in and you're fine. You're not being denied access to use it anywhere.
[QUOTE=Chickens!;28429266]1. Challenge hackers to break the system. 2. Hire the successful hackers. 3. Improve the system. Pretty solid idea Gabe.[/QUOTE] 4. Don't fire those fucking hackers....
[QUOTE=Newbienice99;28429529]And what happens when you upgrade your processor/other parts?[/QUOTE] Then you get a new Steam account. :V:
Found out that beta steam has a command line option: -pretend_ipt Which according to the description it: "Pretend system is IPT capable"
[QUOTE=Superstormj;28433512]4. Don't fire those fucking hackers....[/QUOTE] what?
[QUOTE=Chickens!;28429266]1. Challenge hackers to break the system. 2. Hire the successful hackers. 3. Improve the system. Pretty solid idea Gabe.[/QUOTE] 4. Call FBI
[QUOTE=nicatronTg;28433308]Waiting for VoiDeD or ComWalk to break into it. They're the gods of steam reverse engineering, I doubt it's [b]that[/b] secure.[/QUOTE] Yeah let's reverse engineer the latest hardware based identification technology from Intel. Can't be [b]that[/b] secure.
HOLY FUCK THIS HAPPENED AT CeBIT 2011? GOD DAMN IT I WAS JUST THERE [B]Edit:[/B] "Gabe Newell presents IPT for Steam at CeBIT 2011" you tool ijyt
[QUOTE=Catdaemon;28434788]Yeah let's reverse engineer the latest hardware based identification technology from Intel. Can't be [b]that[/b] secure.[/QUOTE] You don't even have to reverse the "hardware based identification", it's just a global unique identifier. Something that ties the number/hash/whatever to your computer. The aim would be to make it useless which is quite possible. Every time you hear about magical hardware in the news you should be aware that there will always be a software front end to it, something to utilize it. You just need to mess with steam. I've already seen some of this code (it's how I found that command line option above, there's also code surrounding it which is blatantly IPT related) and really once you can obtain the data returned by the processor and figure out a way to utilize it, that's pretty much the end of the road. Accessing it doesn't seem to be the hard part but utilizing it could prove difficult, but the flaw is usually in the implementation. If these identifiers are generated over and over then there's only a few explanations as to how steam would be able to authenticate it over the network.
[QUOTE=s0beit;28434900]You don't even have to reverse the "hardware based identification", it's just a global unique identifier. Something that ties the number/hash/whatever to your computer. The aim would be to make it useless which is quite possible. Every time you hear about magical hardware in the news you should be aware that there will always be a software front end to it, something to utilize it. You just need to mess with steam. I've already seen some of this code (it's how I found that command line option above, there's also code surrounding it which is blatantly IPT related) and really once you can obtain the data returned by the processor and figure out a way to utilize it, that's pretty much the end of the road. Accessing it doesn't seem to be the hard part but utilizing it could prove difficult, but the flaw is usually in the implementation. If these identifiers are generated over and over then there's only a few explanations as to how steam would be able to authenticate it over the network.[/QUOTE] Processors already have unique identifiers. This is a cryptographic method and is designed to be secure. It's not going to be that simple.
Secure over what? They're not authenticating it through hardware, they're authenticating it over the network. Steam servers would either need to know in advance what their key would be based on prior input or there is some algorithm behind it but either way we don't know how well it's implemented. Spoofing the key is hardly impossible (since steam just invokes calls to retrieve this data) so really the question is, what needs to be stolen to gain somebody's identity? [editline]e[/editline] In fact, this bit here from a steam news post: [quote]With Steam Guard enabled, anyone attempting to login as you from an unrecognized computer must first provide additional, one-time authorization. A special access code will be sent to your contact email address, and this code must be entered into Steam before your first login on an unfamiliar computer is complete. [/quote] Suggests it's based off of some one-time data sent to the server.
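The flow in the Steam news quote above (password accepted, unrecognized computer, one-time code mailed to the contact address), as an added example that is not part of the thread and not Valve's implementation. The class name, code length, code lifetime and retry limit are assumptions, and `device` stands for whatever identifier the client reports.

```python
import hashlib
import hmac
import secrets

CODE_TTL = 600      # assumed: seconds an e-mailed code stays valid
MAX_TRIES = 5       # assumed: wrong guesses allowed per code
ALPHABET = "23456789BCDFGHJKMNPQRTVWXY"  # no look-alike characters

def _h(code):
    return hashlib.sha256(code.encode()).digest()

class DeviceGuard:
    """Server-side model: a login from an unknown device needs a mailed code."""

    def __init__(self, clock):
        self.clock = clock        # injectable so expiry can be exercised
        self.pending = {}         # (account, device) -> [code_hash, expires, tries]
        self.authorized = set()   # (account, device) pairs already confirmed
        self.outbox = []          # stands in for the contact e-mail channel

    def login(self, account, device):
        """Call only after the password check has passed."""
        key = (account, device)
        if key in self.authorized:
            return "ok"
        code = "".join(secrets.choice(ALPHABET) for _ in range(5))
        # Store only a hash; a new request replaces any older pending code.
        self.pending[key] = [_h(code), self.clock() + CODE_TTL, 0]
        self.outbox.append((account, code))
        return "code_sent"

    def confirm(self, account, device, code):
        key = (account, device)
        entry = self.pending.get(key)
        if entry is None:
            return False
        code_hash, expires, tries = entry
        if self.clock() > expires or tries >= MAX_TRIES:
            del self.pending[key]         # expired or guessed too often
            return False
        if not hmac.compare_digest(code_hash, _h(code)):
            entry[2] += 1
            return False
        del self.pending[key]             # single use
        self.authorized.add(key)
        return True
```

The code is bound to one account and one reported device, so the scheme rests on two things the thread argues about: how hard the device identifier is to copy, and how well the contact e-mail account is protected.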
[QUOTE=Crimor;28429674]Is it just me or does this defeat the purpose of steam? Being able to use it anywhere.[/QUOTE] It is optional security
[url]http://www.facepunch.com/threads/1066153-Gabe-Newell-Releases-his-Username-and-Password[/url] :)
[QUOTE=HumanAbyss;28428892]If anyone gets in, it's going to greet them with a message, then boot them out. Maybe they'll win some gifts. Gabes prepared for that eventuality, he'll have something set up to confound them.[/QUOTE] A nice hat for TF2.
What if we have the same processor?
[QUOTE=Trumple;28436140]What if we have the same processor?[/QUOTE] All processors have a unique identifier. Sandy Bridge processors come with some feature that lets Steam access the identifier and use it for this.
[QUOTE=Trumple;28436140]What if we have the same processor?[/QUOTE] Then Gabe's going to want his CPU back.
[QUOTE=TheTalon;28429774]His account details are displayed publicly and you call it hacking still This generation....[/QUOTE] It was a joke, fairly obviously. I'd expect you of all people to realise that.
You really can't get in. I just tried. Tactical Clock incoming, it's over!
[QUOTE=PvtCupcakes;28429920]My password is a 1024-bit DSA key. No really, Steam should allow that. It'd kick ass.[/QUOTE] 'hey guys if i post some technical jargon which has little or no relation to the topic at hand maybe i'll look like i'm smart with computers!'
[QUOTE=Murkat;28436378]It was a joke, fairly obviously. I'd expect you of all people to realise that.[/QUOTE] .... But.... so was mine :frown:
[QUOTE=raBBish;28429969]If you try to login on unauthorized computers, you can make it send a confirmation code to the contact email and asks you to copy that. After that it's permanently authorized.[/QUOTE] That seems pretty useless though if someone compromises a Steam user's e-mail account as well.
Holy shit. I just looked into [url=http://en.wikipedia.org/wiki/LifeLock]LifeLock's history[/url]. Fraud, unpaid debts, improper accounting practices.... They sound shady as fuck. :v: Edit: The most secure password I ever saw someone use was the word "CHEESECAKE" converted to hex. If anyone else has their password "43484545534543414b45", you are a winner. Edit: and if your password is "343334383435343535333435343334313462343520", you are a double winner.
I once used my Sims2 CD Key as my password, still remember it..
So have they made SteamGuard public for everyone to use now? Or is it still just in showcase stages
Someone use that trick some guy did by using Amazon's super computer cloud service or some shit and use the processing power to brute force his account and gain the password. Of course I don't know how legit the news article I got this off of was but.. sounds good I spose. I mean really. Username: Applebabble Password: Apples1998 see it's secure! This is dumb.
[QUOTE=SPESSMEHREN;28440376]That seems pretty useless though if someone compromises a Steam user's e-mail account as well.[/QUOTE] Well basically, once this is fully implemented, you change your steam password to something really simple (not your email password), like "dog" or your name, and there's no way for them to get into your account.