If nobody goes to work for Valve thinking "I really love writing online stores wrapped in native apps with friends lists and voice chat bolted on the side," they don't progress very quickly.
I've been thinking about it and honestly the only way I can think a new competitor could breach into a significant market share, short of Valve screwing up completely, is to offer to duplicate a user's library across to their own platform.
So, this couldn't work unless Steam creates some kind of API to get around the DRM, which they obviously won't.
The flip side of having a "no leader" organization is no assignment of responsibilities.
If it's not their responsibility, and they don't believe in the risk of the company getting caught, they don't care.
That said, I'd never pass their interview process. I've failed many interviews because I'm more of a junior than a senior engineer. That's the downfall of only hiring the best and brightest. A bunch of cowboys leads to everyone wanting to do what a cowboy programmer thinks is cool or fun.
I love writing utilities and making them as user friendly as possible. I know many don't think it's possible but I love designing interfaces and dummy proofing them is one of my favorite things and I think I achieve it.
Perhaps a crisis such as this will motivate some people to shell out some coin, and pay for a reasonable HTTP service, and produce some front-end web apps.
I was enthusiastic about the Linux-based Steam OS, that is, until I noticed that, for whatever reason, they MANDATED a 500GB disk partition, onto which one must load THEIR disk image. Really?
As if Linux users would accept such absurd demands.
> As if Linux users would accept such absurd demands.
Well, yeah, that's SteamOS. Linux users should be installing the standalone Steam client within their existing distro, not a completely separate operating system.
I get the non-sexy aspect of it. But when you love something, everything matters. You're just happy to make any part of it better. Maybe that's what they need: more love of their product, and less focus on... TF2 hats.
(...although, there are alternatives, and will probably require some technical effort to pull off)
Using their regular Linux client, I have more than a hundred gigabytes used between my Steam/ and SteamLibrary/ directories, and I don't even have that many games installed.
I'm almost certain it's an oversight due to not caring.
They also have a normal Linux installation mode which you can use but it requires about the same technical skills as installing any OS.
Please note that Valve has a pretty damn good picture of how much storage people have, 1TB isn't that big even for an SSD (you can get a sub 200$ 1TB SSD these days).
SteamOS is still in Beta; I don't see the size requirement (which isn't a real requirement to begin with) to be a real issue considering current gaming hardware.
My Steam library is over 11TB (not installed ofc) and I've seen bigger; most new AAA game releases are 30-50GB in size.
But you can go to humblebundle.com/store and buy a lot of the same games DRM-free
Steam has about 2x as many (source: http://www.cinemablend.com/games/There-How-Many-Games-Steam-...)
IME, the Steam games have much better quality, so yeah, I'd have to say they aren't really a worthwhile competitor
The only bandwidth-related frustration I've experienced is when Steam's client updates itself because it's an invisible background task and occurs at relatively random times. That can cause some frustrations when I am playing a game and wonder where the lag's coming from.
To get an indication how bad this is, the default Steam account page was showing other people's accounts.
EDIT: Steam fully down for now. If you had a Steam Account, I recommend checking email/credit card on any linked accounts. (and, as always, sign up for 2FA if you haven't!)
EDIT2: Steam Community Moderator response (not linked):
- No, Steam is not hacked
- Credit card info and phone numbers are, as required by law, censored and not visible to users
Everyone just leave it alone & don't access any steam pages until the caching is fixed.
Apparently, Google has actually cached these pages too.
Steam shutting down doesn't mean anything to a page that has been crawled already.
Can't wait for the postmortem on this nonsense. Makes me wonder why I would trust Valve with any confidential info going forward.
I should really stop poking around, but this is a fascinatingly bizarre error. Has anyone seen anything like it before?
Steam is up for me. Haven't tried the Steam Store, but messaging, game access, and Family Sharing are all fully functional.
or the backend service, and not setting the Vary header correctly
Basic auth is insecure (i.e. sending credentials in plaintext) and poorly supported by browsers. For example how would you handle these scenarios:
- Force users to reauthenticate after a certain period of time.
- Allow user to logout without closing their browser.
The best setup IMO is to have an HTTPS login page (form auth, hopefully with MFA) and use a session cookie. You can do server-side settings with this setup, you minimize the time when credentials are being sent (basically just once on login), and you can force your users to occasionally reauthenticate (either session timeout or manual logout) just in case they forgot to logout of a public computer.
For testing you could allow basic auth (make it configurable, or use user-agent sniffing to force browsers to use form auth).
When used over HTTPS it is about as secure as any other web auth method.
> Force users to reauthenticate after a certain period of time.
With basic auth, there is no session. Authentication credentials are sent with each request.
> Allow user to logout without closing their browser.
There is no session. Only authenticated requests.
It's not for everyone, but I find that stateless APIs are much easier to work with.
Edit: I should note that this gift totally pacified me...but probably cost Valve virtually nothing. To this day I still don't know if my Steam controller experience on OSX is actually up to par with Windows/Steam users (beta client release notes feature OSX controller fixes frequently) because, who cares, I'm getting Half Life 3 free! OTOH there's just a handful of OSX Steam users relative to Windows, and even fewer who were early adopters of Steam software...I probably saw 5 other users in the same boat talk about the gift on Reddit.
I doubt it. The "fail-state" for their website should be to just not work, vs expose other people's credentials. If it was proven that the attackers were able to change server configs, that'd be one thing, but that doesn't seem to be the case.
Although this Steam error is a bit different with everyone getting random users, it seems likely that it is along the same lines.
Over stressed servers maybe?
In other words, could an attacker exploit this bug to "dox" a specific target?
Possible explanation from unknown source: https://www.reddit.com/r/Steam/comments/3y7le9/im_logged_in_...
An attacker could send you a URL with a random query parameter, which would be ignored by Steam. But the response would be cached- with that query parameter. The attacker could then visit the URL themselves, and see private information.
An attacker could also grab CSRF tokens from the page, and perform certain actions on a victim's account.
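A toy model of the failure mode discussed in this thread (a shared cache keyed on the URL alone, next to one that honours `Cache-Control` and `Vary`), added here as an example. It is not Valve's configuration or any commenter's code, and the `origin` function, URLs and session values are constructed for illustration.

```python
"""Toy shared cache in front of a hypothetical origin (constructed example)."""
def origin(url, headers):
    """Hypothetical origin: account pages are per-user, static files are not."""
    if url.startswith("/static/"):
        return {"body": "logo bytes", "Cache-Control": "public, max-age=3600"}
    user = headers.get("Cookie", "session=anonymous").split("=", 1)[1]
    return {"body": f"account page for {user}",
            "Cache-Control": "private, no-store", "Vary": "Cookie"}

class NaiveCache:
    """Misconfigured edge: keys on the URL alone, ignores response headers."""
    def __init__(self):
        self.store, self.origin_hits = {}, 0

    def get(self, url, headers):
        if url not in self.store:
            self.origin_hits += 1
            self.store[url] = origin(url, headers)
        return self.store[url]["body"]

class SafeCache(NaiveCache):
    """Stores only shareable responses and keys them on the Vary'd headers."""
    @staticmethod
    def shareable(resp, headers):
        cc = {d.strip().split("=")[0].lower()
              for d in resp.get("Cache-Control", "").split(",")}
        if cc & {"private", "no-store"}:
            return False
        # Conservative default: a credentialed request needs explicit "public".
        creds = "Cookie" in headers or "Authorization" in headers
        return "public" in cc or not creds

    def get(self, url, headers):
        for vary_key, resp in self.store.get(url, []):
            if all(headers.get(h) == v for h, v in vary_key):
                return resp["body"]
        self.origin_hits += 1
        resp = origin(url, headers)
        if self.shareable(resp, headers):
            names = [h.strip() for h in resp.get("Vary", "").split(",") if h.strip()]
            key = tuple((h, headers.get(h)) for h in names)
            self.store.setdefault(url, []).append((key, resp))
        return resp["body"]

def second_visitor_sees(cache_cls, url="/account/?ref=123"):
    """Alice loads the URL first; return what Bob then receives for it."""
    cache = cache_cls()
    cache.get(url, {"Cookie": "session=alice"})
    return cache.get(url, {"Cookie": "session=bob"})
```

With `NaiveCache` the second visitor receives the first visitor's page for the same URL; with `SafeCache` the private response is never stored, while the public static file is still served from cache.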
As indicated in the article, if I click on "Purchase History" or the link below, I sometimes see other users' data as well.
I was also confused when I started getting random pages in other languages, definitely stopped me from buying a game today.
I don't know what to think of Steam. Is that what happens when an important piece of software is coded by game developers? Or when a company doesn't have a bug bounty?
Additionally, Steam was vulnerable to Heartbleed for a brief period of time: http://www.pcinvasion.com/steam-has-security-vulnerability-d...
After the security issue a while ago where they forced everyone to change their passwords, I'm honestly not going to be concerned about their quiet until a while after things are back to normal.
Is my experience entirely unique or is everyone remembering the old crappy Steam client from 2004 (which was before I used Steam)?
Edit: Or, more likely, some third option in which case I'd like to hear your thoughts.
Account information incorrect
We've gotten reports that people sometimes see other people's account information on the account page. Valve has been made aware of this and are working on a fix.
Some frequently asked questions:
- No, Steam is not hacked
Wow, Steam as always with the killer customer support.
> "Steam is back up and running without any known issues," a Valve spokesperson told GameSpot. "As a result of a configuration change earlier today, a caching issue allowed some users to randomly see pages generated for other users for a period of less than an hour. This issue has since been resolved. We believe no unauthorized actions were allowed on accounts beyond the viewing of cached page information and no additional action is required by users."