Security through apathy

Dec 27, 2015 10:17

So Steam fucked up big.

I got kind of lucky in that softlykarou and I were at my parents' house, so I wasn't on Steam at all, and I only learned about the problem when scrolling through Twitter and someone retweeted a Kotaku tweet telling people to go in and remove their payment info. Except that's literally the worst thing they could have said, because as the top article says, it was a page-caching error, and logging in would probably just give you someone else's page while adding your own page to the cache and letting other people see it. And you still couldn't make changes. Oops. It didn't expose people's credit card information as far as I know, but full name and address were visible.
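The failure mode described above, as an added illustration (not code from this post or from Valve, whose actual setup the post does not describe): a shared cache keyed on the URL alone that ignores the origin's `Cache-Control` header, next to one that honours it. The class, path, TTL and user names are hypothetical.

```python
# Constructed model, not Valve's code: a shared cache in front of a
# per-user account page. All names, paths and the TTL are hypothetical.

def origin(path, user):
    """Origin renders a personalised page and marks it uncacheable."""
    headers = {"Cache-Control": "private, no-store"}
    return headers, {"owner": user, "body": f"name and address of {user}"}

class SharedCache:
    def __init__(self, honor_cache_control, ttl=2):
        self.honor = honor_cache_control
        self.ttl = ttl
        self.store = {}  # key is the URL path only: no session in the key

    def get(self, path, user, now):
        hit = self.store.get(path)
        if hit and now - hit[0] < self.ttl:
            return hit[1]                      # served without asking origin
        headers, page = origin(path, user)
        directives = {d.strip() for d in headers["Cache-Control"].split(",")}
        if not (self.honor and directives & {"private", "no-store"}):
            self.store[path] = (now, page)     # this user's page is now shared
        return page

def simulate(cache, visitors):
    """Return (viewer, owner_of_page_received) for one login per time tick."""
    return [(u, cache.get("/account", u, t)["owner"])
            for t, u in enumerate(visitors)]

VISITORS = ["alice", "bob", "carol", "dave"]   # constructed sample logins

def leaks(honor_cache_control):
    """Pairs where a viewer was handed a page belonging to someone else."""
    cache = SharedCache(honor_cache_control)
    return [(v, o) for v, o in simulate(cache, VISITORS) if v != o]

if __name__ == "__main__":
    print("misconfigured:", leaks(False))
    print("honouring Cache-Control:", leaks(True))
```

In the misconfigured run, carol logs in after the entry has expired, so she sees her own page, but her login is what exposes it to dave.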

I still haven't gotten an e-mail or anything from Valve about this, by the way.

This is just feeding into my conviction that computer security doesn't exist for the end user. You can make things worse, by using the same password everywhere or running unsecured Java or whatever, but unless you rigidly practice OPSEC when feeding information to different websites, you're only as secure as the company you deal with that cares the least about security. And none of them will care that much until the cost of breaches is higher than the cost of letting things slide, because for the average end user, on the security <---> usability sliding scale, things are already too far toward the security end.

It's why I talk about "security through apathy." Your best defense is hoping that no one cares enough to target you personally. And most of the time you'll be right, but if you're not...

computers (パソコン), article (記事)
