I’m opposed to most things that Congress does. I find this one especially appalling. In before they even granted themselves this power, this MUST be stopped.

Today is “Black Friday.” There are a lot of people out shopping today. I’m not one of them. However, I’m also not part of some ideological movement in opposition to shopping today. I just don’t like crowds. I can’t be bothered. I was invited to a “buy nothing” day on Facebook. I suppose if the point is to raise awareness of needless consumerism, I’m a fan. But in this era of anti-capitalism, of the “99%”, I’m wary.

Nothing but Everything

My mood has been low recently. But it’s been lifted this morning by song.

I’m listening to my “Everything but the Girl” radio station on Pandora. As Carolyn put it, “Is it nothing but Everything But the Girl”? Pleasant enough in itself, but thanks to Lexus, I’m enjoying it as part of a free trial to Pandora One. It’s funny how it’s the little things. For no particular reason that I can think of, BMW has always been the target of my automotive lust.

Steam Cracked

I got a disturbing message on my Steam account, today:

…intruders obtained access to a Steam database in addition to the forums. This database contained information including user names, hashed and salted passwords, game purchases, email addresses, billing addresses and encrypted credit card information. We do not have evidence that encrypted credit card numbers or personally identifying information were taken by the intruders, or that the protection on credit card numbers or passwords was cracked. We are still investigating.

(emphasis mine)

I’m unimpressed. Credit card data was in the same database as user data, purchase history, billing address, etc.? To me, that means either: 1) they kept a whole bunch of information in a PCI-DSS secured vault at great expense, as getting data into and out of such a vault is difficult by design, or 2) they were storing credit card data outside of a PCI-DSS vault in direct violation of the guidelines set forth by Visa, MasterCard, etc.

I’m also disturbed by the cagey language. “We do not have evidence that … credit card numbers … were taken by the intruders.” Given that it apparently took them 4 days from the forum defacement until the general announcement, I’m insufficiently impressed with their reported forensics to think that their lack of evidence for some activity means an absence of that activity. Who knows how long they were in breach even before the forum defacement that caused them to stumble over the broader breach? I’m also curious what algorithm was used for the credit card encryption. And where was the encryption key kept? Was it potentially exposed as well?

Of course, I’m also sympathetic. When I was with Linden Lab, we suffered a database breach as well. We ended up forcing a change to everyone’s passwords, pulling an all-nighter to implement new password recovery measures, manning the telephones to personally talk with affected customers and help them validate their accounts and change their passwords. Credit card data, however, was never exposed, nor at risk at the level of penetration the attacker reached.

Ironically, I had a conversation with Valve nearly a year ago. I’d heard they were looking for some international payment expertise and I got in touch. They ended up not thinking that I was what they needed, but at least I was able to put them in touch with the great people at Envoy. They apparently didn’t connect either. I wish they’d gotten someone in though, and that someone had taken a good, hard look at their credit card processing and storage. They’d have been able to write a much less embarrassing letter. The full text of the note follows the break, but it ends with “I am truly sorry this happened, and I apologize for the inconvenience.” I believe they’re sorry it happened, but this is still such a milquetoast apology. If I had to write that letter it would say something a little stronger, something like: “I’m deeply disappointed that we failed to maintain the trust you put in us when you shared your personal information with us, and we’re going to do everything we can to redouble our security efforts to ensure this sort of thing never happens again and to earn back your trust and loyalty as our most valued resource – our customer.”

In the meanwhile, if you have a Steam account, do yourself a favor:

  • Change your Steam password
  • Change your password anywhere else you used the Steam password (you know you did)
  • Remove your payment information from Steam until they can demonstrate they can be trusted with it

Dear Steam Users and Steam Forum Users:


On the invitation of Sam’s soccer football coach from West City Soccer with whom we play “Family Futbol”, I have joined a Co-Rec soccer league with SOCA. If I’m not the oldest player on the team, I’m pretty close. This team has a reserved field on Wednesdays for practice. We had our first practice last week, and there were maybe 6 or so team members who came out to practice. We did a little bit of practice on corner kicks, but it pretty quickly devolved into a small pick-up game.

--- ping statistics ---
203 packets transmitted, 148 packets received, 27.1% packet loss
round-trip min/avg/max/stddev = 6.303/43.857/4017.386/327.895 ms

I just wrote how much better my very fast internet is. However, things are not looking so rosy right now. 27% packet loss to my upstream router is not so good.

Moar Speed

I had heard that Comcast’s introduction into the area of some greater DOCSIS 3 infrastructure might have a positive impact on my available bandwidth. Sure enough, I’m approaching 30 Mbs. Of course upload speeds aren’t what they were last time I checked, but maybe that’s a “time of test” issue.

AC Capehart

Charlottesville geek with a passion for technology, soccer, and growth.

CTO, Pearl Certification

Charlottesville, Virginia, USA