Yeah I was just looking at that thread and a couple others on the subject. They are implementing a fix of some kind so I guess I'll just wait. Now if you'll excuse me, I have to go take a shower and clean the stink of the Steam forums off me.

Hey, I get to be petty sometimes too, okay?:)

In all seriousness, though, I'm all for people providing me more and more accurate information about most things I take the time to post on. If someone knows how this thing works, is supposed to work, or has otherwise done some sort of software teardown, I'd love to know about it.

I'm fully ready to believe their security implementation is both naive and badly implemented, not really because I dislike Steam and Valve (though I do), but because most people who make software and hardware are actually really bad at doing security stuff. It's a really hard problem and you can't just know a bit about it and half ass your way through it, unlike almost all the rest of the stuff these people do (I do it too).

Also, my statement about Gabe's account not getting hacked still stands, it's all but completely meaningless as far as an indication of how secure their new system actually is.

Oh, sure. I just try to bring in the other point of view; discussions about Steam tend to get rather passionately one-sided here, which I find silly. Like the guy who called Gabe Satan the other day, that was fun.

Official explanation doesn't exist, for obvious reasons, and it's too fresh for reverse engineering, I suppose. At this point, it's a mystery what all goes into the code Steam Guard checks.

Could be, could be. The thing is, though, this is not the only protection Steam accounts have, so it can afford to be not 100% secure. At this point, to gain control over someone's account, you have to:

1) Obtain their username (could be tricky, as it isn't shown anywhere except on your client window; my Steam Community username and actual Steam username are nothing alike)
2) Obtain their Steam password
3) Gain access to their e-mail (if they were smart enough to validate one in their account)
4) AND spoof the hardware-based Steam Guard code, somehow

It's just an extra layer of protection for those who were stupid enough to give their username/address to some phisher or another; for advanced users, it's quite honestly complete overkill now. So even if a weakness is found, the thing that will be hurt the most will be Valve's reputation.

Yeah, the honeypot thing is definitely a valid point.

I bet if someone really wanted to bypass the security stuff and hack Gabe's account it wouldn't matter what security measure is used.

Actually, I don't know how much you know about security, but security systems that work based on obscurity are bad. This is not to say you can't have a secret as part of your system (e.g. key or password), but if you can't tell the whole world how your system works then it is insecure by default. This is why everyone knows how most encryption algos work, they are designed precisely so that everyone can know, yet communication made using them remains secure. We have thousands of years of experience with security through obscurity and monarchs have literally been beheaded when theirs failed.

The fact that they are keeping it as some big secret is a huge red flag that it isn't really secure. In addition, they'll be unlikely to know when vulnerabilities are found as there is no community surrounding their system.

Ugh. I disabled this on my Steam client and it turns out I STILL have to enter an authentication code when logging into the Steam store via a browser. Bloody hell. >:(

Give that logging into a Steam account on a brand new hardware setup (with Steam Guard) only requires one to enter a second password that's sent to an e-mail account, if an attacker has already accomplished 1, 2, and 3 then there's absolutely no need for them to do 4. Additionally, given how many people re-use their passwords, there's a good chance that someone who's accomplished 1 and 2 will have simultaneously accomplished 3, or that someone who has accomplished 3 will simultaneously have accomplished 1 and 2. When you evaluate a security system you need to focus on the weakest part. For Steam Guard the weak point is the second password sent to the user's e-mail, which basically has all the same weaknesses as the first, regular password.

Now that is an excellent argument; thanks for pointing this out. The whole thing doesn't seem to make much sense when you look at it that way, does it?

What I'm afraid of is if I've got some kid watching my email as I open it, he can copy paste the code and now have backdoor access that he previously wouldn't have had.

Even if I don't have pestilence, someone can still hi-jack my email and still get instant access to my Steam account that they wouldn't have had otherwise.

They still have to get your Steam password as well, though, the code alone isn't enough. If it's the same as your e-mail password, you're screwed; but using different passwords for different things is a pretty basic precaution to take. Then again, average users are stupid.

Yeah I'm having this problem too. Ironically, I was Googling this, and it linked me to here. lol
If you delete the email from Steam, then that solves that. But if someone gets your email, you're pretty much screwed already. They can change your passwords on Facebook or whatever at that point.

I posted in that thread on the Steam forums and they actually managed to fix this for me, though it didn't work when they said it was fixed. Late last night I tried it out again and I finally had the options I was supposed to.

I thought about posting a link to my profile, but I just decided to wait until they patch it. I don't need to disable Steam Guard that urgently.

I agree, I am not a fan at all. I do not have regular access to a home PC at the moment, and as such, I am primarily switching between PC's frequently for gaming. Steamcloud is great for me ATM, as it lets me play games easily between machines, but this new Steamguard is terrible. I am going to try to disable it, if it's possible.

Steam needs to become LESS intrusive, not MORE intrusive. Give me a true offline mode, and the option to detach an install from the client, not this big brother BS.