My short bio: This is my second AMA actually, first one is here if anyone's curious. Never thought I'd be doing a second! I submitted the game Watch paint dry to Steam using a security vulnerability for which my explanation has received a lot of press! AMA!

My Proof: Twittarrr

Just a note, I will be answering questions all night (until about 1:30 to 2am BST) and the rest tomorrow :) I will try to answer every question!

Comments: 132 • Responses: 44

NippleDippers138 karma

What will your next game be? Fingers crossed for grass growing

hiilikecats49 karma

Was thinking of doing ice defrosting. I'd start it by getting it until moisture shows up, then do 2 more episodic parts where it melts a little more, then never make a game like it again.

tezoatlipoca36 karma

Hey! I'm a big fan of aesthetically complete games, so WPD really appealed to me. I think I'm about 40 hrs in and so far the gameplay is exactly what I was looking for. What has me excited is that unlike other games which may only have ~6-8 hrs, I hear the single player is good for 100+ hrs... and has unlimited replay value.

Having said that, is there any immediate plan for Watching Paint Dry 2? or perhaps a paint hue micro-transaction system?

hiilikecats10 karma

Already answered a similar question :)

Was thinking of doing ice defrosting. I'd start it by getting it until moisture shows up, then do 2 more episodic parts where it melts a little more, then never make a game like it again.

CHWK26 karma

Will you make a prequel that involves proper wall prep prior to painting?

hiilikecats10 karma

Nah I'll pay some other company to make a game that shows the paint drying from another perspective.

ploki122-2 karma

Dang, at first I read that as "Nah, I'll play some other company and make a game that shows the paint drying from another perspective."

I'm kinda disappointed, but I guess that's not bad either.

hiilikecats8 karma

I'm referencing Half Life : Blue Shift, if you missed the reference. :p

virodoran24 karma

Why didn't you name your fake game "Half Life 3?"

hiilikecats35 karma

I was very tempted to and it would've definitely gotten a much bigger response but I wanted to remain responsible and not piss Valve off too much. I think Watch paint dry was so close to being a real Steam game in line with some of the other joke Greenlight games that a lot of people thought it was genuine! :p

virodoran16 karma

How was Valve's response to your vulnerability report (once you finally got through to them)? I don't believe they have a bug bounty program, so was it hard to get ahold of someone who would actually take you seriously?

In your blog post it sounds like you didn't get through to them until after you published the game. Once you got ahold of someone, were they actually good about following up with you, finding out what you did and fixing it and such?

hiilikecats33 karma

They fixed it same day. Didn't acknowledge me on the hall of fame as that's "reserved for reporters that provide several high quality reports over time". No bug bounty was offered. A bit disappointed to be honest, for a company of Valve's size. I don't expect one now and never did, money isn't the biggest motivating factor for me, but if this was Google, Facebook, or another big internet company, they'd be paying out. Even smaller ones thanks to HackerOne!

slackvariable8 karma

Reading your bio, you left school at 14 to go to uni - why? and how?

hiilikecats9 karma

Didn't like school. Been going to online college since I was like 10, thought I'd step up to the real thing. Sort of cheaper too. I had to sell a lot of my stuff as my family couldn't afford to pay for my tuition fees. With "real" university, I get my tuition paid by the government on a loan.

slackvariable5 karma

And your parents were fine with this / encouraged this. And your teachers?

hiilikecats6 karma

Parents encouraged it yes. I was ahead in school but my high school was reluctant to let me sit my GCSEs early so I just did them privately. I integrated really well into my university with the people here and I'm 101% sure I'm having a much better time than I would be in high school! I've met a lot of cool people, travelled to Croatia for a summer school and got myself an internship with a major games studio doing InfoSec :)

pretzelsaregood2 karma

Props dude. So CroTeam? Someone else?

My Brother-In-Law is a Graphic Artist from Zagreb. Any ideas on how he could get a foot in the door?

hiilikecats2 karma

CroTeam

I traveled to Croatia for the summer school but my internship is in Ireland. I'll be keeping it quiet as I don't want anything to reflect on them as a company.

pretzelsaregood1 karma

Cool cool. Good luck with it. If you've got any leads on who to contact, I'd appreciate it. If not no worries. Sorry for bugging you on Twitter.

Edit: Just realized the company is in Ireland, you're not working remotely for CroTeam. Else I think that's what you meant. Sorry for the inconvenience. Don't want to have your AMA reflect on the company in Ireland, CroTeam, or career prospects. Good luck.

hiilikecats2 karma

I have never worked with Croteam in my life! I visited Varazdin :p

DrunkWhenSober5 karma

"This is going to be a technical guide further down but getting access to Steamworks for me was also what started my investigation into this. I’m not going to comment on how/why I have access to Steamworks but I will confirm it was not exploiting any web forms, not Greenlight and not through direct contact with someone from Valve. Despite it no longer working, I’m not going to give any details on how this was done so please don’t ask! I have good reasons not to."

So, c'mon, how did ya do it?

hiilikecats6 karma

All I'm going to say is I've got very good personal and business based reasons behind why I'm not releasing this, but I will elaborate and say it was social engineering performed over a few days. No false details about myself were given however (i.e. I did not make out to be D.I.C.E, they knew who I was). They also did not know I wanted the account for security research (nor did I!)

DrunkWhenSober1 karma

I have done the same thing. I've received a couple dev kits under the guise of a "product tester". I mean, it's true, I'm usually testing the product.

Also, a lot of companies in China have some insecure leaks where their source code is posted on GitHub. But I only deal with that because my company also sells Chinese products. They have horrible source code. I wouldn't bother with it if I didn't have to open it up.

Thanks for the info. That's pretty much what I assumed went down.

hiilikecats2 karma

You're not really on the right line of thought, but I've done that a couple of times as well I will admit :p

justscottaustin5 karma

How did it take Steam so long to realize that their integrated platform is -- pretty much by definition -- subject to code injection?

hiilikecats5 karma

I tried notifying them several times before I did it but didn't get a response. Whether they didn't receive the emails or not I don't know, they don't have an autoresponder confirming they received it. I sent another email shortly after releasing the game and they replied to that and sorted it the same day.

Fortembras883 karma

What is your overall opinion of valve as a company after all of this? What inspired you to do this in the first place?

hiilikecats10 karma

Inspiration was the social engineering attempt for the Steamworks account working.

My opinion of Valve has gone down but given how they handle stuff like this it's not unexpected. They did not offer a bounty, did not initially respond and have let me keep my Steamworks account and told me their "hall of fame" (acknowledgements) is for people who consistently submit bug reports. Now I don't want to sound salty but I kinda take that as "Thanks for the bug, but you're gonna have to work harder than that if you want an actual acknowledgement. Keep your Steamworks account and keep doing our security team's purpose for free."

To be fair it worked though, I have found more since and reported them (unrelated and sort of less severe?)

Fortembras882 karma

I'm sure that if this big of an issue was looked over in the Web page source, there has to be a lot of other potential risks elsewhere that could enable someone to do some pretty nasty stuff. I wonder if some of this is being done and we just don't know.

hiilikecats6 karma

Based on the social engineering attempt, I believe apart from Valve employees I'm the only person with a Steamworks account that doesn't have plans to legitimately release a game. I'm not trying to big myself up or anything, but a lot of it was timing, there were a lot of factors in to play here. I always find security holes look way more obvious when they're explained anyway. I doubt this is being done and Valve don't know about it.

de_stroyd3 karma

What do I need to sacrifice to the gods above in order to get a steam key? All of my life I have wished for a CIA guy card and it finally arrives, impossible to acquire.

hiilikecats3 karma

I'm not releasing them and so far it's not the direct next step in my master plan. Trading cards are no longer available anyway.

Protosega1 karma

A few got on the market somehow, what happens to the people that paid for them?

I saw a few sell for $60+

hiilikecats1 karma

Unlucky? :P

Protosega1 karma

Wow, that really sucks.

hiilikecats1 karma

Idk dude :< Steam support sucks so I doubt they're getting a refund. I didn't want them flooding the market anyway... I gave a few keys out to randomers, shame to see they tried to profit from it :/

RetroRiot3 karma

Were you ever curious/scared if there was going to be repercussions from valve once the game hit the store and everything brought to light?

Bonus: So are the emotes gone forever? Am I never going to see and own smol nozomi and ethan bradberry?

hiilikecats3 karma

Emotes are gone for good unless I find another way around their security but they did ask I don't do anything public facing again.

For the first question, I didn't know honestly.

OutOfMana2 karma

What was your reaction upon discovering the vulnerability?

hiilikecats7 karma

Honestly, I was surprised. Like I don't think I'm a top-tier hacker, and a mix between the fact this worked and someone else hadn't already discovered it shocked me.

Johnny_The_Lizardman2 karma

I am so excited for your game! Will you make a sequel or another game afterwards?

hiilikecats3 karma

Please don't call it a game :(

Maybe. Definitely not a 3rd though.

abaiz2 karma

According to your Twitter it says you're a high school drop out? If you had a choice would you go back, and how has that affected your current profession?

hiilikecats2 karma

If you read my other AMA (linked in the top) and my website, I dropped out of school when I was 14 to pursue a degree full-time and I'm still studying for it. Nearly finished Year 2!

RobotFaker2 karma

So, how did you go about getting :smol: as an emoticon?

hiilikecats3 karma

I'm mates with Triple Q (the guy that drew it) and asked him if I was welcome to use it and he said sure and even made me a sprite version! I used the same trading card release exploit detailed in the guide to do it technically, if that's what you're asking!

chamuth1 karma

When you're 75 and retired, do you believe you will be able to reflect on your life proudly and believe your contributions to the world will be worth it?

hiilikecats2 karma

No clue man :P I was surprised how big this blew up.

876181117611 karma

Have you/did you look at other pages with the user id as 1? If so, what did you find?

hiilikecats1 karma

The Steamworks website is really patched together, of everything I tested (I only test manually), this was the only form I saw that had an editor_accountid field unless I've made an oversight.

ducemon1 karma

How did the idea of an AmA occur to you? ;)

Seriously though, what's your favourite RPG game?

hiilikecats8 karma

Undertale by far. Pokemon used to be a favorite of mine but it felt like every new release was getting more and more dull. Undertale is a small, but powerful game that was incredibly well made and is just $10. Mine was gonna be $2 for fk sake!

ducemon2 karma

More plans for cheap blockbusters like "Watch the paint dry"?

Maybe "Watch Undertale sales go up"?

hiilikecats9 karma

"Watch confidence in Valve's security go down"?

ducemon3 karma

I'll give you a CS:GO and 2 TF2 crates for that !

hiilikecats3 karma

Making the Kickstarter video as we speak!

donavanshepard2 karma

You should try Lisa: The Painful RPG if you can handle some pretty dark themes for a game.

hiilikecats2 karma

Thanks dude, I'm super busy at the moment with all this and other projects but it's on my 'must play' list now!

Brainbus1 karma

What do you think of RPG maker?

hiilikecats4 karma

Very powerful tool and there have been some amazing games made with it! Very good for making paint drying simulators.

s1gnalCha0s1 karma

Out of curiosity, is your name a reference to Ruby on Rails?

hiilikecats3 karma

It's my legal name! :p

Megamash67291 karma

why the smol nozomi?

hiilikecats5 karma

Nozomi comes best in smol size man!

ButterFlamingo1 karma

Do you think Steam would have accepted your game if they looked at it?

hiilikecats2 karma

No. I think Greenlight is a demand based thing but they do have some quality control and a 45-second game is not something they'd allow on the store.

breawycker1 karma

Have you ever considered making an actual game to submit to steam?

hiilikecats5 karma

I'm not a game dev. I have an idea of how to release this now, and will be doing so hopefully on Friday.

Mt_Reddit1 karma

Do you love Bad Rats as much as I do?

hiilikecats2 karma

Oh god no. I think even Watch paint dry beats Bad Rats.

CrazyDave23451 karma

What is your biggest hack ever? If it's the Steam hack, what's your second biggest hack? [I'm a computer programmer]

hiilikecats1 karma

Probably my Corsair one or another that the company didn't acknowledge so I can't release details! I'll say it's government related though.

Gek_Lhar1 karma

Are y0u ready to get a job at Valve?

hiilikecats3 karma

Dude I don't think I'm getting a job there after all this and unless they have a sudden change of security ethic I don't think I'd want one lol

Watermelon4201 karma

Rock, paper, or scissors?

hiilikecats2 karma

Rock. Rock beats paper.

GalaxyMage1 karma

How do you manage your time? Like what and how do you study?

hiilikecats1 karma

I don't really "study" to be honest. I learn most of my stuff reading articles off Reddit and stuff in my own time. In terms of coursework and revision for uni, it still leaves me with a lot of free time. I play a lot of guitar usually when I'm not doing anything else or nap :p

res30stupid1 karma

Do you feel that too many people are exploiting PC Gaming such as Steam and overflooding the distribution service with games that are incomplete or below standards? 'Less is more', so to say?

hiilikecats2 karma

Not my thing to comment on, but honestly I think it's a supply/demand thing. Steam controls the supply (especially with trading cards and emoticons) and therefore creates a demand. We need some joke games in my opinion. Whether there are too many I'm not sure, but I'll say that some joke games I've played are better than serious ones that are on Greenlight. Serious != good.

justscottaustin0 karma

Would you rather code-inject one horse sized duck or 100 duck-sized horses into Steam's platform? And how long do you think it will take them to realize that their entire platform is vulnerable based on their (lovely) tight distribution and integration model?

While I haven't explored anything other than the obvious exploits, isn't there a SteamOS? Wouldn't that be a better stepping stone for such exploits?

hiilikecats1 karma

100 duck-sized horses, but developers cannot create appids themselves and I don't have a vulnerability for that (yet). I'll be disclosing some other unrelated vulnerabilities once they're fixed.

33L_0 karma

Do you develop any "real" games? Not hating on WPD, but do you have any other projects going on?

hiilikecats1 karma

For some reason a lot of media outpoints have referred to me as a "game developer".

I am not a game developer!!! I'm an infosec (information security) person :p.

In terms of infosec projects, yes I do have a few projects I'm working on and am always looking for bug bounties!

flarn20060 karma

About getting a Steamworks account, you said this:

"Despite it no longer working, I’m not going to give any details on how this was done so please don’t ask! I have good reasons not to."

Since you said we can ask you anything now, how did you get a Steamworks account? :)

Just kidding. (Unless you really do want to answer.) What I really came here to ask is what those "good reasons" are.

hiilikecats2 karma

That'd just hint at it more dude. I'll say that it's not knowing anyone from Valve, though.

flarn20061 karma

Can you tell us soon at least? Or eventually?

hiilikecats1 karma

Right now is not the time. If I do reveal it, I will give an explanation why now was not the time also.