Mortiel
Aug 21, 2019, 12 tweets, 4 min read
Many have seen me criticise @EpicGames lately, which has led some Epic apologists to call me a Steam fanboy.

Well, I think it's about time the Valve apologists be angry at me, because what follows won't be pretty. In the words of @AngryJoeShow, you done fucked it up, @steam_games.
Let's discuss Information Security. It's not well understood by technical people, much less an average person. Suffice to say there is this thing called a vulnerability that can, by itself or when combined with other vulnerabilities, allow bad stuff to happen to your computer.
The most common form of "bad stuff" going around nowadays is called ransomware. It's where malware encrypts your computer so you can't access anything, then demands you pay a bad person somewhere to decrypt it... Which they may or may not do after you pay. Nasty stuff.
Now, without getting too technical, one of the most common ways ransomware infects a computer is using exploits called Lateral Account Movement. It's a strategy you see most often with cyberattacks on big enterprise networks. Nearly all modern ransomware uses it.
One of the ways this tactic plays out is infecting a target with malware like Trickbot from a bad website. Then, once infected, the malware exploits a programme with a Local Privilege Escalation exploit. Once it has escalated permissions, it's game over. Ryuk says hello.
Which brings us to Valve. Many of you may be unaware, but recently a security researcher, @PsiDragon, advised Valve of two Local Privilege Escalation exploits in the @steam_games client. The first time, Valve hand-waved it away. Not important because it's not a remote exploit.
But when you are a security researcher, there's this code:

You disclose the proof of concept exploit to the company. They have 90 days to fix it. If not, you publicly disclose it.

Most major corps pay people for finding these exploits. Some make a good living as "bug hunters".
If a company declines your exploit report, then you publicly disclose it. Which is what Felix did.

Valve's response? Ban him from their bug hunting programme. Real mature, Valve.

Since he couldn't report the second exploit because he was banned, it went straight to public.
So, right now, we all have a vulnerable piece of software on our computers because Valve wanted to stick their heads in the sand and act like children instead of taking InfoSec seriously. This is unacceptable.
Little tip @steam_games: Ask all the companies literally rebuilding their environments from scratch how "out of scope" those local privilege escalation vulns are when combined with Trickbot.

I sure as hell hope your internal infrastructure doesn't have the same "security" policy.
@steam_games For reference, here are the reports for anyone interested:

amonitoring.ru/article/steamc…

amonitoring.ru/article/onemor…
