Talk:Steam (software)

Good article Steam (software) has been listed as one of the Video games good articles under the good article criteria. If you can improve it further, please do so. If it no longer meets these criteria, you can reassess it.
          This article is of interest to the following WikiProjects:
WikiProject Computing / Software (Rated GA-class, Mid-importance)
This article is within the scope of WikiProject Computing, a collaborative effort to improve the coverage of computers, computing, and information technology on Wikipedia. If you would like to participate, please visit the project page, where you can join the discussion and see a list of open tasks.
 GA  This article has been rated as GA-Class on the project's quality scale.
 Mid  This article has been rated as Mid-importance on the project's importance scale.
This article is supported by WikiProject Software (marked as Mid-importance).
WikiProject Video games (Rated GA-class, High-importance)
This article is within the scope of WikiProject Video games, a collaborative effort to improve the coverage of video games on Wikipedia. If you would like to participate, please visit the project page, where you can join the discussion and see a list of open tasks.
 GA  This article has been rated as GA-Class on the project's quality scale.
 High  This article has been rated as High-importance on the project's importance scale.
This article is supported by the Valve task force.

Steam Family Options (Is it undue?)

So I have happened to notice that there is not a brief passage of one thing which talks about Steam's "Family View" and its main functionality. I would love to contribute to this page by adding that information, and I even have a reference ready*, but what I am worried about is WP:NPOV. I am worried as to whether it would be undue if I were to add it. What are your opinions about it? Thanks for your help.

Nope it would not be undue, and I have added a bit for this just now (one sentence all that needed). --MASEM (t) 03:36, 24 May 2015 (UTC)

Steam refund "controversy"

It's not yet so much a controversy but there's certainly been a bit of talk about the pros and cons of Steam Refunds as seen through the eyes of game developers; there's also the reported issues that some publishers purposely raised prices and/or bundled content with games in advance of the Summer Sale as to have the discounted price end up the same while denying the ability to refund these titles (based on the bundling) [1]. I don't think we're yet at a point to have this included per UNDUE but it is a topic to watch for. --MASEM (t) 17:42, 12 June 2015 (UTC)

That said, Kotaku has refuted much of the claims regarding refunds and the latest sale, but the refund approach was still a subject of debate before and I see Gamasutra's trying to get an idea of how to write an article w/ dev input. Something to watch in the meantime. --MASEM (t) 21:50, 12 June 2015 (UTC)

Epic security fail

Being able to reset the password of any account, might deserve more than a single sentence. Let's see if it develops any further.--Vaypertrail (talk) 19:04, 28 July 2015 (UTC)

Not really, given that users with steam guard enabled were not affected. Plus it was also caught quickly and Valve is working to restore said accounts. --MASEM (t) 19:06, 28 July 2015 (UTC)
The wave of sources reporting (and still publishing as I type) on this trumps your downplaying of it.--Vaypertrail (talk) 19:14, 28 July 2015 (UTC)
Of course it's being covered as people should be aware of it, but the fact they fixed it quickly and are working to restore those affected by it may not make it as significant as it first seems. It's a vulnerability, but it doesn't appear as massive as other security holes. --MASEM (t) 19:21, 28 July 2015 (UTC)

December 2015 page cache issue

I agree with Masem that this shouldn't be added so quickly, per recentism. These brief issues very rarely result in long term importance, and Wikipedia is not news. -- ferret (talk) 23:36, 26 December 2015 (UTC)

And until we know if it was any significant damage or harm beyond revealing a few personal details (but little that can be directly done with that info) it is an accidental mistake and seems far too minor compared to other major security breaches. We are not required to report on every such outage or security mishap. --MASEM (t) 00:50, 27 December 2015 (UTC)
Its significance is not related to harm done or intentionality but reputation. As such it is information which is thoroughly encyclopedic and justified a short para as various editors have added. I would have no objection, if there are a number of such breaches, for them to be blobbed up into one. In the meantime, whilst under discussion, it should be restored as we should not reward 3RR breaches and such consensus as there is is for having it in. Springnuts (talk) 12:49, 27 December 2015 (UTC)
I would propose looking through the various additions and finding one that is concise and cited. I believe that my own fits this, but I am loath to restore this by only my own judgement. As one of the revision messages said: If it turns out that nothing happens as a result of this, then it can be removed. If it turns out that there are lawsuits/legal consequences, then those should be added. Iamoctopus (talk) 13:08, 27 December 2015 (UTC)
The fact that four different editors have added it shows that there is interest in adding it. According to WP:3RR, this should not have been reverted the fourth time. I personally believe it should be added, because it does count as a major leak of personal details. I agree that not everything warrants an edit (today's downtime for example), but this is more significant than that. This could result in legal action, and possibly the revocation of Steam's PCI certification. I also believe that this warrants inclusion, as this is the section on Security, and allowing people to see other customers' data is most certainly a security breach. The event has also received major media coverage:
Iamoctopus (talk) 13:05, 27 December 2015 (UTC)
It must be added considering it's a security breach. It's a clear fact that it received widespread panic among the userbase like what iamoctopus said. Pretty much everything that I wanted to state has been stated clearly with given proof. Sultanified (talk) 14:33, 27 December 2015 (UTC)

Please be aware that WP:3RR applies to individual editors. It does not mean "This addition can't be reverted more than 3 times". The fact that Masem reverted 3 (4) times does not mean another editor cannot revert it, so let's stop claiming 3RR means it should stay. Second, from a WP:BRD point of view, once it was reverted the first time, that's when the talk page should have been used, without re-adding it until a consensus was established. Thirdly, the fact that "multiple editors added it" and that shows "interest" doesn't establish anything. Many editors don't even look at the history and see that it was removed previously or why it was removed. The first editor is a long dormant one with less than 20 edits, and the second was a SPA who signed up only for that.

All that aside, I keep reading "If it results in legal action." .... Has it? No. That is crystal balling. What we have is a spate of news coverage about a single incident, with no evidence of long term impact or lasting coverage. This is basically recentism and "not news" in a nutshell. If next week or next month, we find that it's still being reported on, or that someone has filed a lawsuit, we can add it then. There's no deadline. In short, this is being argued backwards. It's not "if nothing else happens, it can be removed." It's "if something else happens, it can be added." -- ferret (talk) 15:12, 27 December 2015 (UTC)

"The first editor is a long dormant one with less than 20 edits" Having a new account doesn't mean you are new to editing stuffs in Wiki. Putting that aside, the breach should just be part of the security tab instead of a new subsection if it were to be added. Elsewise, this breach should be completely 'ignored'. --Sultanified (talk) 15:52, 27 December 2015 (UTC)
  • Given that Valve has just issued another more in-depth response to this topic ([2]), I think it warrants inclusion. --The1337gamer (talk) 19:26, 30 December 2015 (UTC)
    • Reading the reply, no not really. DOS attack (which had been warned about earlier) forced them to change cache settings, there was an accidental situation with the setup, they shut down, reviewed and put in the proper caching in place, and then redeployed, while working both to prevent that happening in future and making sure affected users are given alerts and offers to help correct anything. It was not a long-standing security issue as the other ones noted here have had but a mistake resulting from trying to route around a DDOS on that day. Interesting, but very much falling presently into WP:NOT#NEWS unless we hear of serious privacy breaches that result, which doesn't sound like it will be happening. --MASEM (t) 19:36, 30 December 2015 (UTC)
Masem, if 34,000 users having their details leaked wasn't a "serious privacy breach", then you won't have any problems filling out the following form:
  • Steam Account name:
  • paypal email address:
  • Name and billing address:
  • Phone number:
  • last 4 digits of your bank card and type:
  • Funds in Steam Wallet:
  • Purchase History:

Thanks.--Vaypertrail (talk) 17:01, 2 January 2016 (UTC)

Which of course, isn't the same information that was actually exposed in the caching issue, nor were all 34,000 exposed, as other non-sensitive pages were also part of the affected count. -- ferret (talk) 17:05, 2 January 2016 (UTC)
If that information was stored on the account, it was exposed, please fill out the form too. Thanks.--Vaypertrail (talk) 17:12, 2 January 2016 (UTC)
This is a poor argument, because again, while some of this is private information, there's not much that directly can be done with those things in hand. Further Valve is working with those affected, which is better than much more severe security breaches from major banks and the like. Further, these details in full were not revealed for each user affected. Further, consider that each month there are about 77,000 accounts hijacked, and this further makes this a drop in the bucket. --MASEM (t) 17:55, 2 January 2016 (UTC)
The large sum of sources and Valve disagree with you. If it wasn't a big deal, Valve wouldn't be contacting those affected. It belongs in the article, but no more than a single sentence.--Vaypertrail (talk) 18:39, 2 January 2016 (UTC)
It's a "deal", but it's not a significant issue, and there's no indication that it is a long-term security flaw (which is important). If we hear more of this within a week or so, then it might be appropriate to include. --MASEM (t) 18:50, 2 January 2016 (UTC)

First of all might I start by thanking everyone commenting here for the civility and courtesy shown in expressing their views, and for correctly focusing on content. I do think we have explored the issue thoroughly. Equally it seems clear that there is something of a head of steam (to coin a phrase) for at least some mention on the basis of the current sources, without requiring more sources. Unless there are any new arguments to raise, might we start moving the process forward? Might I ask MASEM (t) if they are willing to concede some addition of the material at this stage, and if so, to suggest what they think a consensus position on this proposed edit might look like? If their view is that no mention of the issues is acceptable, then we might go to the WP:Dispute resolution noticeboard, but (IMHO) this would seem to be to make a mountain out of a molehill. Springnuts (talk) 18:58, 2 January 2016 (UTC)

Two editors have argued from a point of policy (WP:NOTNEWS) not to include until such time that there's reason to believe this is an event of lasting importance. Since this talk section has opened, no such developments have occurred. No one has sued, no one has reported being compromised by it, and reliable sources have made no real further coverage of it. Since nothing has really changed, on exactly what basis do you argue for inclusion at this time? As far as I can see, WP:NOTNEWS as well as WP:RECENTISM still apply. There's still no deadline to include it later if something changes. -- ferret (talk) 19:28, 2 January 2016 (UTC)
@Ferret are you saying that in your view no consensus is possible? Springnuts (talk) 20:35, 2 January 2016 (UTC)
(edit conflict) I'm saying that two editors, including myself, have argued that it should not be included for policy-based reasons. You've said unless there are new arguments to raise that you want to start moving the process forward. However, you have not refuted any of the policy based reasons for leaving out the content, so I asked you if something has changed in the last week since this was initially discussed that shows that the policy in question is no longer relevant. If you have information that shows something has changed and lasting importance is demonstrated, please, let me know. I do not know if that means that there is no chance of a consensus, because I can't speak for others (For example, yourself. Perhaps later tonight you read WP:NOTNEWS and decide that it's correctly being applied here). Feel free to ping WT:VG for other views, or to approach various other avenues such as an RfC. -- ferret (talk) 20:54, 2 January 2016 (UTC)
In the hope that we might get some more views I have asked a few uninvolved editors (who have previously edited the article) to comment if they feel they would like to. Springnuts (talk) 20:51, 2 January 2016 (UTC)
Pinging a handful of experienced WP:VG editors that may be able to offer additional insight: @Sergecross73, Salvidrim!, Czar, PresN, GamerPro64, Sam Walton, and Dissident93. -- ferret (talk) 21:03, 2 January 2016 (UTC)
  • Due weight. It was widely covered, but there is little info. Add a single sentence to either the history or security section from the most reliable source. I recommend a mainstream newspaper: The Independent or The Verge. I am no longer watching this page—ping if you'd like a response. czar 21:23, 2 January 2016 (UTC)
  • I don't see why we shouldn't put this info in here. Steam is notorious for being hacked. But this was an incident that might have been the final straw for some people. Seeing it firsthand I can definitely say it's noteworthy. And it seems certain websites agree with that sentiment. GamerPro64 21:46, 2 January 2016 (UTC)
  • I'm also of the mindset that while a whole paragraph in a section titled "Controversy" would be a big UNDUE issue, a mere sentence or two in an already existing section would be fine, as long as it's brief and strictly to the source. I also agree that we should shy away from Forbes Contributors articles as sources, (they've made some massive mistakes in their articles before, especially in articles about controversies) instead relying on something more like "The Verge". Sergecross73 msg me 21:58, 2 January 2016 (UTC)
  • Yes, that can be seen here. The Forbes and Kotaku articles claim that Steam let people log in as other people, which never happened. They simply saw incorrect cached pages. -- ferret (talk) 22:05, 2 January 2016 (UTC)
  • It definitely was a notable event, so I think it should be added, but only with a sentence or two like Serge said. ~ Dissident93 (talk) 22:07, 2 January 2016 (UTC)
  • I'll go with WP:DUE being strong enough here. I support a single sentence or two added to the existing security section, backed by a very solid source like Verge. I would however prefer if we could find a secondary source that covers Valve's "what happened" announcement rather than primary sourcing. This should do. -- ferret (talk) 22:17, 2 January 2016 (UTC)
I'm happy with this emerging consensus for a sentence or two. Springnuts (talk) 22:51, 2 January 2016 (UTC)
  • Agreed with one sentence, preferably with a single citation. It's common for flash in the pan incidents like this, even ones notable enough for a mention, to suddenly get a full paragraph using 20 citations that are all copies of each other, only for the article to look really dumb a month later. Let's just skip that annoying step, and not pretend it takes 10 sources to verify an obvious event, and not pretend that a small website error is the most important thing to ever happen in the history of Steam. --PresN 01:09, 3 January 2016 (UTC)
  • "On December 25, 2015, Valve, as a result of reconfiguring its caching scheme due to an ongoing denial of service attack on Steam's servers, inadvertently allowed partial personal details of about 35,000 Steam users to be randomly visible to all users, and Valve worked to address issues with those affected." --MASEM (t) 03:18, 3 January 2016 (UTC)
  • I believe this sentence should be connected to the last sentence in the Security (In July 2015, a bug in the software allowed anyone to reset the password to any account by using the "forgot password" function of the client. High profile professional gamers and streamers lost access to their accounts) because they are both talking about bugs in the system. As for a reference for this, something like this Ars Technica post or this VentureBeat post. Anarchyte 06:53, 3 January 2016 (UTC)
  • It wasn't a bug though. They misconfigured a cache that they were implementing that day to stop the DOS attack, and then fixed it by fixing the cache configuration change. --MASEM (t) 07:10, 3 January 2016 (UTC)
  • While very likely unintended, the public disclosure of private information of a number of users makes this event notable enough for one or two sentences. Lklundin (talk) 08:47, 3 January 2016 (UTC)

Right, with the exception of Masem, everyone agrees it should be mentioned. The sentence should not include technical info. My draft - On December 2015, Steam's content delivery network was misconfigured in response to a DDoS attack, causing 34,000 users' personal information to be exposed. --Vaypertrail (talk) 13:24, 3 January 2016 (UTC)

I would like to see "to be potentially exposed." The cache issue affected 34,000 users, but the exact pages exposed are unknown and not all 34,000 necessarily resulted in sensitive pages being shown. -- ferret (talk) 14:57, 3 January 2016 (UTC)
Inclusion of the word 'potentially' would require another source than the above from the Verge which says: 'Valve estimates that roughly 34,000 users saw data exposed by the breach'. The potential for damage from such an exposure is an entirely different matter, since it can take a long time for such damage from the exposure to materialize. Lklundin (talk) 16:11, 3 January 2016 (UTC)
To quote the original primary source announcement, formatting mine: Between 11:50 PST and 13:20 PST store page requests for about 34k users, which contained sensitive personal information, may have been returned and seen by other users. -- ferret (talk) 17:26, 3 January 2016 (UTC)
That sounds not quite right. Data from 34k users in parts were shown to any user of Steam at the time. --MASEM (t) 17:54, 3 January 2016 (UTC)

What about this version: it's a bit clunky but may cover it - On December 2015, Steam's content delivery network was misconfigured in response to a DDoS attack: 34,000 users saw at least some personal information relating to other users. Springnuts (talk) 09:31, 8 January 2016 (UTC)

That's a bit backwards. It was not 34,000 users who saw information related to other users, it was 34,000 users who may have been seen. I am going to just add Vaypertrail's, and we can tweak from there. -- ferret (talk) 12:44, 8 January 2016 (UTC)
Thanks ferret (talk) - Springnuts (talk) 16:18, 10 January 2016 (UTC)