<html><head></head><body><div style="color:#000; background-color:#fff; font-family:lucida console, sans-serif;font-size:13px"><div id="yui_3_16_0_1_1452239679225_4538"><span id="yui_3_16_0_1_1452239679225_4543">I don't know about the Steam hack, but one part is plausible. <br></span></div><div id="yui_3_16_0_1_1452239679225_4572"><br><span id="yui_3_16_0_1_1452239679225_4543"></span></div><div id="yui_3_16_0_1_1452239679225_4621"><span id="yui_3_16_0_1_1452239679225_4543">AT&T (and other land-line phones) have a means to set up forwarding to another number. That is how NoMoRobo.com works to block calls.</span></div><div id="yui_3_16_0_1_1452239679225_4622"><br><span id="yui_3_16_0_1_1452239679225_4543"></span></div><div id="yui_3_16_0_1_1452239679225_4623"><span id="yui_3_16_0_1_1452239679225_4543">Paul</span><br> </div><br><div class="qtdSeparateBR"><br><br></div><div style="display: block;" id="yui_3_16_0_1_1452239679225_4549" class="yahoo_quoted"> <div id="yui_3_16_0_1_1452239679225_4548" style="font-family: lucida console, sans-serif; font-size: 13px;"> <div id="yui_3_16_0_1_1452239679225_4547" style="font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 16px;"> <div id="yui_3_16_0_1_1452239679225_4570" dir="ltr"> <font id="yui_3_16_0_1_1452239679225_4571" face="Arial" size="2"> <hr size="1"> <b><span style="font-weight:bold;">From:</span></b> Rick Moen <rick@linuxmafia.com><br> <b><span style="font-weight: bold;">To:</span></b> conspire@linuxmafia.com <br> <b><span style="font-weight: bold;">Sent:</span></b> Thursday, January 7, 2016 6:50 PM<br> <b><span style="font-weight: bold;">Subject:</span></b> [conspire] Security cautionary tale: Involves 'Steam' but could have been any of many others<br> </font> </div> <div id="yui_3_16_0_1_1452239679225_4546" class="y_msg_container"><br>Just to stress, I have absolutely no idea what was the _actual_ <br>route to Mr. Dave Palmer's security compromise, and no direct <br>evidence that the 'Steam' downloads have recently (or ever) been<br>tampered with. I'm just saying why that scenario is plausible, pointing<br>out bad security practice on that company's site, and citing this as a<br>cautionary tale about the broader problem of people trusting blackbox<br>proprietary downloads, especially in the face of such bad indicators.<br><br>Psuedonymous claims, about two weeks ago, alleging security breach on<br>'Steam' Web sites was here:<br><a href="https://www.reddit.com/r/Steam/comments/3y7r0b/do_not_login_to_any_steam_websites/" target="_blank">https://www.reddit.com/r/Steam/comments/3y7r0b/do_not_login_to_any_steam_websites/</a><br>I have no knowledge of whether those assertions are credible, and so do not<br>endorse them, but merely pass along the link.<br><br><br><br><br>Date: Thu, 07 Jan 2016 11:30:59 -0800<br>To: Skeptic <<a ymailto="mailto:skeptic@lists.johnshopkins.edu" href="mailto:skeptic@lists.johnshopkins.edu">skeptic@lists.johnshopkins.edu</a>><br>From: Dave Palmer [e-mail snipped]<br>Subject: Hacked!<br><br>During the recent Steam winter sale (an online computer game distro<br>company), they had a major security breach, and the web pages belonging<br>to some people showed up on the computers of others, showing email<br>address and credit card info. I think they got me.<br><br>Yesterday, everything started going wonky. I got an email from American<br>Express saying I was trying to change my password. Then I got one from<br> Earthlink about my email account. Then one from the Apple store, which I<br>have never been to. Then I stopped getting email entirely, and my phone<br>started acting weird. It would ring once or twice and then just stop.<br><br>So today, I managed to get onto the Amex site, and found that somebody<br>had put $6000 in charges from the Apple store on my card, so I called<br>Amex, and cancelled the card. Then I poked around inside my email<br>settings at Earthlink, and found that somebody had set it up to forward<br>all my mail to another address (a feature I didn't even know they had).<br>Just a few minutes ago, an AT&T tech showed up at my door to "fix my<br>phone." I hadn't contacted them. He looked at the info on his pad and<br>said that somebody had set up my phone to forward all my calls to<br>another number--which is something ELSE I didn't know you could do.<br><br>He took off the forward, and I pressed him to pass all this on to their<br>fraud division. He didn't seem too enthusiastic about it, like it might<br>mean more work for him.<br><br>This worries me greatly, this was no simple script kiddy hack. All my<br>passwords are SERIOUSLY secure. Anyway, I've gone through and changed<br>all the passwords. Any email sent to me since around 4 pm Wed never got<br>to me.<br><br><br><br>Date: Thu, 07 Jan 2016 13:35:45 -0800<br>To: <a ymailto="mailto:skeptic@lists.johnshopkins.edu" href="mailto:skeptic@lists.johnshopkins.edu">skeptic@lists.johnshopkins.edu</a><br>From: Dave Palmer [e-mail snipped]<br>Subject: Re: Hacked!<br><br>>Interesting. There's nothing on their web site right now warning <br>>people of problems.<br><br>Nope, it happened last week, and Steam wasn't exactly<br>overly-enthusiastic about mentioning it. I learned of it on Reddit.<br><br>>I'm hope I'm telling you the obvious, but just in case, report this <br>>to one of the credit reporting agencies ASAP so this is on your credit report.<br><br>Yup, Amex has cancelled my card, and I told them the $6000 in charges to<br>the Apple store this guy just made are not mine.<br><br>>For Earthlink, I believe that if you have the basic ID numbers, ssn,<br>>billing credit card #, phone #, you can push through a password change<br>>without knowing the old password.<br><br>Well that's kinda the odd thing: my old Earthlink password was still<br>working today. I've changed it, of course. I've changed ALL my<br>passwords, even on my WiFi router.<br><br>This is not script kiddy shit, this is Russian Mafia shit. I take my<br>security SERIOUSLY, always have. My passwords are all insanely obscure,<br>I never use the same PW twice, my PC is about as secure as Windows gets.<br><br><br><br><br>Date: Thu, 7 Jan 2016 14:08:12 -0800<br>From: Rick Moen <<a ymailto="mailto:rick@linuxmafia.com" href="mailto:rick@linuxmafia.com">rick@linuxmafia.com</a>><br>To: <a ymailto="mailto:skeptic@lists.johnshopkins.edu" href="mailto:skeptic@lists.johnshopkins.edu">skeptic@lists.johnshopkins.edu</a><br>Subject: Re: Hacked!<br><br>Quoting Dave Palmer [e-mail snipped]:<br><br>> Yup, Amex has cancelled my card, and I told them the $6000 in charges<br>> to the Apple store this guy just made are not mine.<br><br>Note to the assembled: One's right under USA law to not pay this gets<br>preserved only after one files a timely _written_ (signed, dated)<br>affidavit to this effect.<br><br>The FDCPA protection also won't protect you against fraudulent charges<br>originating abroad, so travellers should be aware of that.<br><br>> This is not script kiddy shit, this is Russian Mafia shit. I take my<br>> security SERIOUSLY, always have. My passwords are all insanely<br>> obscure, I never use the same PW twice, my PC is about as secure as<br>> Windows gets.<br><br>Careful exercise of logic would reveal to Dave where the security breach<br>_must_ have occurred, but I doubt he's going to bother stopping to<br>think, because he's too busy shouting about Russian mafiosi and the sky<br>falling.<br><br>It occurred wherever he stores his all-unique-never-used-the-same-place<br>passwords, or on the device where he uses them to make outbound<br>connections. I'm betting that's the same place, and I'm betting that<br>it's his MS-Windows machine.<br><br>> as secure as Windows gets.<br><br>I'll just leave that lying there.<br><br>I don't mind telling the world where I keep all my _own_<br>all-unique-never-used-the-same-place passwords. They're in a PalmOS PDA<br>that never gets its WiFi or even Bluetooth abilities enabled. Said PDA<br>gets consulted by being held in the air by me, and I have to read the<br>passwords / whatevers off its small screen to use them wherever I need<br>to apply the information for access to something, i.e., I have to enter<br>them rather than copying/pasting from a password 'wallet' app.<br><br>Inconvenient? Sure. But I get the assurance that it's literally<br>airgapped from everything else.<br><br>The sole exception is when I back it up over USB. And one of these<br>days, I need to get one of those USB adapter widgets that restricts what<br>type of USB device the thing I connect to can claim to be, though I<br>doubt that is a credible threat model in this case.<br><br>On PalmOS itself, I store all passwords and other sensitive information<br>in a gradually expanding set of records within Keyring,<br>gnukeyring.sourceforge.net , an open-source PalmOS application that<br>stores everything in a single database file that is 3DES encrypted as<br>stored, and only one record at a time gets decrypted in PalmOS RAM.<br>Thus, my backups are single files that you can certainly break into if<br>you can brute-force 3DES symmetric encryption.<br><br>I leave copies of the backup files, in fact generational sets of the<br>file going back years, in as many places as I can.<br><br>There's one master password. If I ever forget it (and Deirdre does at<br>the same time), I'm in trouble. Short of shoulder-surfing me as I use<br>my PDA, you'll need to use rubber-hose decryption on me (or my wife).<br><br><br><br><br>Date: Thu, 7 Jan 2016 17:49:57 -0800<br>From: Rick Moen <<a ymailto="mailto:rick@linuxmafia.com" href="mailto:rick@linuxmafia.com">rick@linuxmafia.com</a>><br>To: <a ymailto="mailto:skeptic@lists.johnshopkins.edu" href="mailto:skeptic@lists.johnshopkins.edu">skeptic@lists.johnshopkins.edu</a><br>Subject: Re: Hacked!<br><br>Quoting Greg B [e-mail snipped]:<br><br>> Why store them online at all? <br><br>Technically, I store them _offline_. The only place that is 'online' is<br>in 3DES-encrypted form in PDA backups. But let's move on to the<br>substance of your question and suggestion:<br><br>> Why not simply dream up an algorithm or two in your head and use one<br>> based on a derivation in conjunction with the site name? Should be<br>> pretty indecipherable.<br><br>Also easy to start forgetting and getting wrong.[1] Also, the more<br>easily memorable the algorithm is, the easier it is to deduce the<br>pattern from a couple of examples and make good guesses at the other<br>passwords.<br><br>Honestly, though, mostly the latter doesn't happen. Mostly, passwords<br>get misappropriated because you use them on a machine that has been<br>security compromised, and then often the resulting damage gets<br>multiplied because of people using the same credentials in multiple<br>places. But the worst damage occurs when the machine that has been<br>security compromised is one where the crown jewels are: either the one<br>machine from which you do outbound connections to almost everything, or<br>the place where your 'password wallet' application is, or both.<br><br>Which brings us back to Mr. Palmer here. He says that Valve Corporation<br>(which he calls 'Steam', the name of their gaming software platform) had<br>a major security compromise about which, as is typical, they've been<br>slow to be honest with their users about. Which sort of behaviour I've<br>seen from firms only, gosh, just about always.<br><br>According to Dave, the 'Steam' Web site had security problems. Let's<br>say you were a garden-variety computer criminal -- not the Russian<br>Mafia, just some shlub -- and you found that Valve Corporation had made<br>one of the usual dumbass errors with site security. You ssh in using<br>(say) company developer credentials you stole when an engineer rashly<br>ssh'ed into the company from a shared university shell server that had<br>long ago had a trojaned /usr/bin/ssh client installed. You poke away at<br>the server for a few weeks and find a way to escalate privilege to<br>root-user authority. Now you have the keys to the kingdom. You quickly<br>install a rootkit so that your presence won't be noticed by the<br>(oblivious) Valve Corporation sysadmins.<br><br>And you think: What should I get into? Credit card information for<br>sure, because it looks like Valve Corporation stupidly hosts<br>'store.steampowered.com' on its own server, the same server that hosts<br>downloads and product information. (I cannot tell this absolutely for<br>certain without a lot more research, as they're load-balancing<br>everything on Akamai.) So, let's say you break into credit card data,<br>and steal Dave's Amex card information.<br><br>But then what _else_ is the aspiring young breakin artist going to fool<br>around with? Downloads, of course! It's a juicy target, and there is<br>_nothing_ being done there to provide users with a means to authenticate<br>what they download.<br><br>o The download for MS-Windows is an .exe file.<br>o The download for x86_64 Linux is a .deb package.<br>o The download for MacOS X is a .dmg disk image.<br><br>In each and every case, you are supposed to immediately 'open' and run,<br>or just run, an executable and then give it root (for Linux, MacOS X) or<br>Administrator (for MS-Windows) authority. This huge piece of black-box<br>proprietary software, you are asked to just give it carte-blanche to do<br>anything whatsoever on your computer, right then.<br><br>And people do that. Because they've heard 'Steam' is cool, and so they<br>totally compromise their system security for a bright shiny object that<br>they have absolutely no reason to trust.<br><br>Now, I don't know from specific information that Valve's .exe, or its<br>.deb, or its .dmg is now, or has ever been, trojaned by someone who<br>compromised its Web site. However, the point is that _if_ someone did<br>compromise that Web site, that is logically, if not the very first thing<br>to tamper with, at least the second thing.<br><br>How do we do things differently in open source? First of all, we are<br>lastingly wary of big piles of proprietary software and avoid them where<br>possible. Second, we're trebly wary of such piles if expected to fetch<br>and run them with root-user authority.<br><br>Third, we also try to train users to check the provenance and<br>attestation of code. Look, for example, at the 'Install Steam Now'<br>links on <a href="http://store.steampowered.com/about" target="_blank">http://store.steampowered.com/about </a>. Do they even offer so<br>much as md5sums or sha1sums of the download files, so that the user can<br>verify that the download is intact? No.<br><br>Is there a developer PGP keyring used to sign the downloadable files,<br>that can be used to ensure that the files haven't been tampered with<br>since the developer signed them? Seemingly not that, either.<br><br>Many hapless compromises of developer download sites _have_ been quickly<br>detected because someone was alert enough to notice that newer downloads<br>lack PGP signing entirely or suddenly have a new key the developer<br>hasn't used before. This pattern of change is apparent even if the<br>intruder uses root control to put a tampered-with PGP keyring up for<br>download: Someone quickly enough wonders why the key suddenly changed<br>without explanation (and there are also better ways to manage<br>introduction of new signing keys that ought to be used).<br><br>But none of this is even in the picture because... cool gaming!<br>Bright shiny objects!<br><br>But Dave has _no idea_ how this could have happened. Except Russian<br>Mafiosi.<br><br><br>[1] My Keyring database has about 250 records. Even though probably <br>2/3 of those are things I no longer need to know, even 50, even 30 <br>strong-password credentials are difficult to remember reliably. And, <br>don't know about you, but my losing access to most of my working set of<br>passwords would be a Very Bad Thing.<br><br><br>_______________________________________________<br>conspire mailing list<br><a ymailto="mailto:conspire@linuxmafia.com" href="mailto:conspire@linuxmafia.com">conspire@linuxmafia.com</a><br><a href="http://linuxmafia.com/mailman/listinfo/conspire" target="_blank">http://linuxmafia.com/mailman/listinfo/conspire</a><br><br><br></div> </div> </div> </div></div></body></html>