Report: Valve Anti-Cheat (VAC) Scans Your DNS History

dotarray writes "If a recent report is to be believed, Valve is looking at your browsing history. Reportedly, the company's Valve Anti Cheat system (VAC) looks at all the domains you have visited, and if it finds that you've frequented hack sites, you'll be banned. 'The new functionality has been slammed by gamers, who claim it is "more like spyware than anti-cheat". Valve has not responded to the allegations, but all Steam users have agreed to abide by specific online conduct and not to use cheats. The company's privacy policy also explains that Valve may collect "personally identifiable information", but promises not to share it with other parties.'"

So

[aliquis]

How do one set up rules to block Steam from accessing firefox profiles? (Linux obviously, though guide for Windows is fine too. Also Chrome.)

Re:So

Create a steam user without access to your real user's files. Run steam only as this user.

Re:So

Cancel subscription, uninstall steam and move on.

Re:So

[Rosco+P.+Coltrane]

How many Linux users do you think have the idea of sandboxing Valve applications, just in case they might be peeking inside other applications' user data?

There's no "Linux obviously" about it. It's a matter of trust, and Linux or not, users are far too trusting of the applications they install.

Re:So

[Z00L00K]

Create a separate virtual machine where you do all your clandestine browsing from.

If the steam engine is able to access the VM and the disks there then they really are insisting on digging through your computer, but I doubt that they will be able to go far with it.

Re: So

We shouldn't have to worry about hiding our browser history from a fucking game company. They have no god damn business even taking a peak. I don't care if if there is a hidden clause in their Eula that they say allows it. It's wrong, and they know it's wrong.

Re:So

[l_bratch]

The claim is that the operating system's DNS cache is scanned, not any particular application's history.

Re:So

[lagomorpha2]

Steam isn't a subscription service, you pay full price (ok or wait for sales) for games and they can only be run through Steam. So uninstalling Steam means losing access to the games you've bought through the service unless you pirate them back. This does make me want to delete Steam and cease using the service though.

I wonder if there are enough irritated users to delete and redownload their entire Steam library enough times to send Valve a high-bandwidth wake-up protest message.

Re:So

[wagnerrp]

Trying to run a graphically intense game inside a virtual machine can only end in tears.

Re:So

[ledow]

Why not just run Steam as a different user?

It's not like Windows where you basically are expected to run everything as one user, create a Steam user which you can only "su" to from certain other users, and then set up a script to automatically make it run Steam only as a user that has access to nothing but Steam.

But to be honest what's the point? What precisely are they going to do with the hash of a domain name that you looked up, not even visited? The bans are not going to be based on that information. You can't ban someone just because they strayed or were enticed into looking up a domain that might host a cheat, only if they actually use those cheats.

I reckon they are using it to find similar users and spot trends more than anything else. If a load of confirmed cheaters all have the same hash in their history, but not most people, then its likely that it's worth looking into other user's with that same hash (or at least taking it into account when someone reports a new cheat).

I'm a Steam fan, it has to be said, but while them looking at my domain history concerns me, they are at least hashing them and they have a full browser in the Steam client. If they want to track my visits, that's infinitely more worrying and does all sorts of cookie stuff (alright, you have to be running Steam and using their browser to visit whatever, but that's still much more info than the hash of a domain I looked up).

Also, in case you hadn't noticed, the name of domains you looked up all go to your DNS server. If that's not a local one, you're already pushing this information in plain text across the Internet. Please tell me that you're not using Google or OpenDNS before you came to whine on this post.

Plus, even aside from all the above, there is no real evidence that they are actually transmitting or collecting this information. Someone's just gone into the new anti-cheat modules with a disassembler and seen something suspicious. Doesn't mean that it's even enabled, or not test code. Nobody has yet seen it actually do this stuff (and what would it take? Wireshark and five minutes?).

If you're using DNSSEC exclusively, didn't read the Steam agreement, are running as a completely unprivileged user (without even access to the name cache, on Linux, presumably?), and can confirm that what is alleged is actually happening, then maybe you have a case to be miffed.

Otherwise? I have bigger privacy worries every time I send an email.

P.S. Damn lameness filter, what the hell are you seeing?

Re:So

[arth1]

How do one set up rules to block Steam from accessing firefox profiles? (Linux obviously, though guide for Windows is fine too. Also Chrome.)

That's not how this works. FTFA, it apparently does "ipconfig /displaydns" in Windows, which (among other things) lists what DNS lookups you have done lately.

This is easily thwarted - use a proxy server, and the only lookup that will be registered is the one of the proxy server(s).

Re:So

[gl4ss]

well the rule is stupid if it is in effect because they would need to ban the operators of this scheme too.. since they obviously visited those sites to know whats there.

Re: So

Reading comprehension must be particularly difficult for you. I am sorry.

Re:So

[pushing-robot]

Which might be why he suggested *browsing the hack sites* within a VM, not playing games.

Re:So

[jabuzz]

He is talking about running a web browser in the VM so that you can browse cheat web sites to your heart's content without Valve or anyone else having a clue that you are doing it. Next time engage brain first :-)

Re:So

[Immerman]

Still pretty fucking invasive if true. I'm going to have to watch this and, if true, protest. Not quite sure how yet, I'd hate to lose my game library but this sort of invasive behavior can't go unanswered. The "repeatedly redownload your gaming library" idea has some merit if done en-masse along with vocal enough complaints. Perhaps we can dig up the phone number and address of the company executives so we can send our complaints directly to the parties responsible for allowing such a thing .

Re:So

[Wookact]

Z00L00K actually said to do your browsing in the VM, but thanks for trying!

Re:So

[X0563511]

That's not how (most) proxies work.

Re:So

[Runaway1956]

Separate user - or separate machine. Nothing says that my gaming machine is the same as my general purpose machine.

Re:So

So you buy games that you can't play unless you have steam? Why would you do that? I play all my games without permission from anyone. I bought them, they belong to me and I play them when I want without some service watching over me. What is wrong with people today... why do you put up with this kind of crap?

Re: So

[Runaway1956]

While I agree with you - we find ourselves in a world where our government and our corporations have ASSumed the authority to spy on us. I suggest you deal with reality as it is. Let's all learn to hide our history from the likes of Steam, along with Google and all the other trackers out there.

Run Steam on your real high-tech hardware - and keep everything else on a different machine, or in a virtual machine. Just separate the two, and you're good to go.

Re:So

[l_bratch]

I agree that it's very invasive if the list is returned to Valve, however I can't find any evidence that it is. The code originally posted only details the *reading* and hashing of the DNS cache, with no sign of *transmitting* it.

As far as I can see, numerous headlines and articles since the code was posted have made the claim that the list is sent to Valve, without any evidence.

Re:So

[PriceChild]

Not always... It is my understanding that many games simply use Steam as a handy distrubution mechanism. There is nothing to say they must incorporate DRM. I'm pretty sure The Binding of Isaac is a good example...

Re: So

[sosume]

This is so wrong and against privacy laws (at least in the EU), this would be equal to the IRS regularly scanning your history to see if you visit sites with tips for tax dodging. The police arresting everyone who visits lockpicking tutorials. The RIAA arresting everyone for possession of an internet account, Or the TSA l.. oh wait, they already do that. But at least the TSA can claim that their work is in the public interest.

Besides. This is a new definition of guilty by association.

" all Steam users have agreed to abide by specific online conduct"

I would say this is only valid while using a Steam product. the way it is worded in TFA sounds more like a lifestyle where you have to abide to their rules at all times. Steam makes it even illegal to cheat in games from their competitors!

This is so ridiculous, all I can do is wait for the class action lawsuit to commence. Steam is done with, if this turns out to be true.

Re:So

[PIBM]

From TFA, they send themselves MD5 hash of the websites people have visited. Knowing that, I believe that they are using your DNS history signature to compare between players that are cheating. I don't see why they would ban people they aren't sure are cheating, as they certainly don't want to be hit by PR nightmare when people would get banned for no reason. The rare false positive they get at this time is already hard on them, and they go great way (well, large amount of steam credits happen) to make those people happy when errors really do happen.

I have looked at websites offering hacks myself, and that was mostly to know what I was against; I don't want to ragequit out of a game when the players are really good, but I certainly don't want to provide free kills to cheaters. Being able to recognize the difference is important, and knowing their arsenal helps a lot in that department.

Oh well, I've not been playing competitive steam games in a while anyway.

Re:So

[PIBM]

I though the same, but he must have been refered to those VM on VPNs which you only get to see the remote rendering of, in which case this is totally valid :)

Re:So

[arth1]

That's not how (most) proxies work.

You should be more careful about making statements about things you know little about.
I run and administer several proxy servers, and have even written my own; I think I know how they work.

When you have a proxy server configured in the web browser, instead of looking up the IP address of the web site, and then connecting to that IP, the browser will look up the IP address of the proxy server, and send the request including the full URL to the proxy.
The proxy server does the lookup of the address of the destination site, connects to it, and fetches the data, which it presents back to the client. The client does not do a lookup of the destination site - it has no need to know it, and indeed, may not be able to (one of the use cases for proxy servers is when the clients are not allowed to use DNS).

So you're dead wrong.

Re:So

[Nationless]

They also offer a variety of services which I greatly appreciate in this day an age.

I don't have to lug around all my cds/dvds/Floppies every time I move and honestly I've gotten rid of all my physical media (external hard-drives excluded) about 2 international moves ago.

It automatically keeps all my games up to date, no more Battlefield 1942 patch hell.

As a store front it allows me to keep up to date on game releases and even pre-load certain titles.

Steam sales.

A robust offline mode which automatically works as long as you've downloaded the game and run it a single time while being connected online.

I use it as a unified launcher.

I use it as a communication tool dedicated to getting in touch with other people I know who are playing games and can easily organize matches of any game on our collective steam lists.

Also not all games come with the steamworks DRM and can be run freely without steam even being installed on the system. Granted you have to download it through Steam first, but that would apply to any digital store front. Not to mention I've never noticed the DRM in action, making it the most non-intrusive form so far and if it doesn't even bother me, I don't see much reason to rage about it if it means that Steam is more likely to stay in business.

I no longer have to input CD-keys or even worry about where I've physically kept the myriads of manuals containing them and installing software is as quick as simply wanting to play something and double clicking the title and download/installation is automatic. I don't have as much time to waste on gaming as I used to so streamlining it is in my best interest.

Having to live with the "fear" that one day my games will be gone is like worrying that a Jumbo jet will land on my house. Honestly, I'd just pirate the games I'd lost.

Re:So

[Anubis+IV]

why do you put up with this kind of crap?

Cost, convenience, and a lack of alternatives.

I license the right to play a game from Steam, usually for dirt cheap prices, and in exchange, it's available on any Internet-connected computer I own. Should I lack an Internet connection, it's possible to enable an offline mode as well, allowing me to continue playing regardless of my lack of a connection.

Games haven't been owned by anyone for a long time now. Even buying a physical disc is just buying a license to play the game, which can and does get revoked in cases of abuse (see: Halo 4, Call of Duty: Ghosts, Diablo III). Of the companies out there that are licensing games to customers, Steam is relatively permissive, and it's rare that a typical gamer will run into issues with them.

Re:So

[goarilla]

No it does not, most vm software implement a virtual network card at a low level.

Re:So

[l_bratch]

Do you have a source for this?

Re:So

[FatdogHaiku]

Cancel subscription, uninstall steam and move on.

Oh come on, this anti cheating detection simply demands that we cheat it!

Re:So

[torsmo]

Don't know how things work in the Windows world, but in Linux, DNS records are not cached by default, are they, unless you've purposefully set up nameserver address caching? I don't think any distribution does it by default.

Re:So

[nurb432]

Several companies already block things from running in a VM, or software virtualization/sand-boxing.

Re:So

[BlueMonk]

The reason I *started* using Steam was because I bought a game in a store only to find when I got it home that it was pretty much a dummy disk that just made me install Steam and download the game in order to play it. The game was Civilization V. I don't get outraged by much, but come to think of it, that kind of is an outrage, but one just borderline enough that I was willing to accept it rather than not play the game. I don't/didn't know what else to do.

Re:So

[nevermore94]

Simple:
Firefox - Use New Private Window
Chrome - Use New incognito window
I also set my browsers to clear all history when I exit even when I don't use the private windows, more as a matter of house keeping than paranoia.

Re:So

[geminidomino]

You forgot

*) Possibility to cancel your business relationship with Valve and keep playing the games you paid for.

Oh, wait.. No you didn't.

DRM is DRM, and there's no such thing as "DRM done right."

Re:So

[l_bratch]

The decompiled file appears to be "VAC3-MODULE-bypoink.dll", which sounds like it's come from the Windows version of Steam. My Linux version of Steam has no .dll files, only .so files as expected. Perhaps this is limited to Windows.

Re:So

[l_bratch]

Yes. However, presumably if Valve are using the DNS cache for cheat detection, then it's just one of many factors that they use to determine the probability of cheats being used.

Re:So

[Mark+J+Tilford]

1) Add a bunch of images with height and width 1, and have src on a suspicious server to your website.
2) Anybody who visits your site becomes a false positive.

Re:So

[Immerman]

So, it's invasive if transmitted to Steams central servers to be processed, but not if processed only on "your" node of Steam's massively distributed "bot net".

No argument that I would object more strongly to sending all the details home, but surreptitiously poking around and only sending the "interesting" details home isn't exactly a huge improvement. Who's to say what they might decide is interesting tomorrow?

Re:So

[l_bratch]

There's no evidence that anything from the DNS cache is sent home at all - perhaps the processing is done locally.

Of course local processing/data can't necessarily be trusted, but this may be just be one of many tests performed to decide the statistically likelihood of cheating.

If anything from the cache *is* sent home, then I will be just as angry as you. At the moment there isn't any evidence for that though.

Re:So

[modecx]

With unknown quantities of browser and associated exploits out there, it really would be smart to restrict the visiting unscrupulous sites to inside a VM, where you can revert to a known-clean snapshot with the click of a button.

Re: So

[mark-t]

Equal? Not hardly... one is a crime, for which you can be prosecuted and sent to jail. The other can at worst result only in ostracization.

Re: So

[DrGamez]

You're going to have to try a lot harder than this.

Re:So

[bruce_the_loon]

Disable the DNS Client service in Services MMC stops this as well. You'll have a few more DNS queries, but who cares.

Re:So

Psst, if you "cancel your business relationship" with Comcast, you can't watch TV anymore. Steam is a subscription service, it's not a secret. Some people prefer that.

Re:So

[ArbitraryName]

Steam isn't a subscription service,

You should probably read the things you agree to. Steam is most definitely a subscription service.

Re:So

[cultiv8]

The DNS cache is scanned to compare visited IPs against IPs that are known for cheating. Are you saying it is more likely Valve keeps a list of known IPs on your local machine? I doubt that, it would be trivial to modify a list of local hashes to prevent being detected.

Re:So

[DrGamez]

BUT WHAT IF THEY SHUT DOWN?*

*and there was no advance notice?
*and you had no way of backing up all these old games?
*and all your computers stop working the day before the shut down?
*and video games become illegal?
*and we reach the heat death of the universe?

Yeah, I bet you VALVE-APOLOGISTS will really be loving your DRM then.

Re:So

[Anubis+IV]

*) Possibility to cancel your business relationship with Valve and keep playing the games you paid for.

That same complaint applies just as well to physical copies of games as it does virtual ones, and is really a complaint about the licensing model used in the software industry, rather than being a complaint about DRM.

When you purchase a game disc at your local retailer, you're merely purchasing a license to play the game. That's the nature of your business relationship with Ubisoft, EA, or whoever. As such, canceling your business relationship with them would mean rescinding your licenses. For a physical game, the way you'd do that would be by snapping the game discs in half, deleting any copies of the games that you had made, and refusing to make use of their services.

But no one does that, not even you, since you'd still like to play those games, as you said.

Instead, if you never want to deal with Ubisoft or EA again, what you'd actually do is refuse to buy anything more from them. You don't cancel your business relationship, since that would mean being unable to play your games. You'd simply refuse to expand your relationship with them further. So why would you apply a different standard to Steam?

If you never want to interact with Steam again, you wouldn't cancel your business relationship with them, since that would mean terminating the licenses you had to play their games (i.e. the digital equivalent of snapping the game discs in half). Rather, you'd simply enable offline mode and be done with them. You can continue to play the game for as long as you like, can make backup copies of the game, and can continue enjoying it hassle free.

As such, I really don't see what your complaint about DRM is here, since your complaint is really just aimed at the licensing model used by the software industry as a whole. The only way that DRM is involved is inasmuch as it's used to enforce the license, but, as I just pointed out, Steam itself is exceedingly permissive (some games have their own DRM, but that's a separate issue from Steam). It does have limits not imposed by physical media (just as physical media has limits not imposed in the digital world), but the limit you cited is not one of them.

Re: So

[ArcadeMan]

He's running Slashdot inside a VM and using a virtual keyboard and mouse to hide his clandestine non-work-related browsing, give him a break.

Re:So

[ArcadeMan]

Or nuke the gaming PC from space. It's the only way to be sure.

Re:So

[DrGamez]

This is what I want to make sure. So far there hasn't been any evidence that info is being transmitted to Valve.

Re:So

[l_bratch]

I'm not speculating which possible thing I think is more likely, I've only been trying to point out what we *don't* know, to try to counter the stated-as-fact unknowns that various articles have been giving.

(I'm all for getting an answer from Valve about what's actually happening.)

Re:So

[eu_virtual]

Gabe Newel has stated that if we reach the heath death of the universe, you can get a new account with all your games on the next one. You just have to provide proof that you came from this universe.

Of course you have to move to a universe where steam exists, but I think you'll find valve is operating on most of them.

Re:So

[Sperbels]

* or, what if they disable your entire game library because you visited a blacklisted website.

Re:So

[LoRdTAW]

What games are those? Console? Older PC games?

Steam and their competitors make it easy to buy, download and play games. Even if you don't want Steam you have few options: buy the actual game on CD or DVD (and have it loaded with buggy malware-like copy prevention and needing the CD/DVD when you want to play) or a publishers distribution platform which works just like Steam. Downloading the game makes so much more sense in the internet age and I would never go back to buying physical media copies.

Steam and steam like service benefits:
- I can pre-order, buy or gift a game instantly from my PC, no running to stores, shipping or waiting for packages.
- Instant download. Buy the game and play it once its downloaded which can easily happen in under an hour.
- NO CD/DVD's needed and no storing of bulky media and packaging. Who wants a shelf full of plastic taking up space and collecting dust?
- Built in communications. My brother and I once played a game of TF2 while casually chatting using the Steam voice chat. It was an amazing thing to be able to casually talk as if he were next to me yet still be able to play the game and use its voice to talk to teammates.
- I can log into another PC using my Steam ID and I instantly gain access to my games. No lugging around any media.
- You can't lose the media. Remember old games and their copy protection? "Turn to page 42 of the manual and enter the second word in the third paragraph" or One that I hated until I got a cracked version from a friend who was a BBS master, Quarinitine. It had a dark red card the size of a sheet of paper with black almost unreadable text (to prevent photocopying). It was a chart you used to look up a set of numbers and then enter the corresponding code to play the game. Those were the devil, loose that card or manual and you were screwed.

disadvantages:
-no refunds. Easy - play the demo, look for recommendations/reviews or don't buy it, I haven't regretted one purchase yet (well maybe crysis 2 but that was because its gameplay sucked compared to the original but on a whole it was pretty fun).
-sometimes there are connection/server issues but they usually clear up within hours or a day. You won't die from not playing games.
-off line might crap out. But honestly, who uses that? Only two scenarios need off-line mode: places where the internet is flaky and prone to outages OR you are away from home like on a business trip or vacation. If you are part of the former, then the problem isn't Steam, its your shitty internet. If you are the latter then I assume you have better things to do than play games. Go out and have some fun. That or people just like to bitch about a non-issue just to bolster their prejudice against a media distribution platform. They could be paid shills but I digress.

Since using Steam from the day it was released (after the beta AIM looking days), I have only had two or three connection issues with Steam cloud syncing. They were steam server issues that went away within a few hours, no big deal. Contrast that to my last run-in with copy prevention CD malware like securom which randomly crashed, randomly locked up my pc on launch or permanently changed my mouse cursor to a rainbow colored CD until I rebooted (after it randomly crashes). I actually had to download a crack for Crysis just to play the fucking game without securom (aka suck-rom). And of course what if you lose or damage the CD/DVD? How do you play your copy protected need-the-cd-to-make-sure-you-aren't-a-thief game? Screw that.

Re:So

[chris200x9]

Not really, you only use games that use steam DRM. If your game is DRM free just back it up, delete steam, double click the binary and watch it launch. Steam itself is just a distribution service not a DRM. Sorry I might be a bit off topic but I'm just really annoyed at the "ZOMG steam is DRM!" crowd at the moment. Steam makes DRM available blame the publishers for using it not steam. No where is a DRM mandate.

Re:So

[locopuyo]

Do you happen to live in a cave?

Re:So

[thoughtlover]

Why is this such a big deal (aside from the digital gestapo tactics)? Just flush your DNS before launching Steam. http://www.wikihow.com/Flush-D...

'nuff said.

Re:So

[Arker]

Nonsense. I dont buy licenses. I buy games. I have no continuing business relationship with the retailers, the publishers, or the developers as a result. The games I have bought are mine, remain mine, and I use them as I see fit without any further involvement with the aforementioned.

The publishers can comfort themselves with unlawful legal fictions if it makes them feel better about the transaction but they got their money and I got my disk and that is an exchange, not a license. I have neither asked for, nor accepted, any sort of license.

Steam, on the other hand, does not merely console themselves with unenforceable legal fictions. They actually have the balls to demand you install their traitorware on your system to do business with them.

"If you never want to interact with Steam again, you wouldn't cancel your business relationship with them, since that would mean terminating the licenses you had to play their games (i.e. the digital equivalent of snapping the game discs in half)"

They, not I, actually took that step years ago, when they first released Steam. I had programs I had purchased from them prior to this, which were online games, which they therefore had the technical ability to disable. I believed at the time that they were good guys and could be trusted with that power, and they proved me wrong. They shamelessly used that technical ability to try to force me to install Steam, just in order to have access to the games I had already bought.

Obviously I am not submissive enough to be their customer. A company gets to treat me like that once only, and they better not expect to ever see another penny out of me after. At this point they couldn't pay me to enter any sort of relationship with them.

Re:So

[LifesABeach]

Wire Tapping is Wire Tapping. One cannot help but wonder what the browsing histories of Valve board of directors, and its Legal Staff?

Re:So

[Arker]

It would be nice to know exactly what they are doing with it, but it seems fair to assume they are doing something with it or it wouldnt be collected in the first place.

And I cant think of anything, however far-fetched, that they could be doing with it that would be legitimate.

Re:So

Thanks to DNS Prefetching, all a griefer would need to do to ban people is to have them go to a page like a Google search for "steam cheat" or something. Your browser makes a bunch of DNS queries, they sit in your cache, and (if true) are uploaded to Valve for your ban. Huzzah!

Re:So

[ericloewe]

I would, but my ISP might start bothering me and I don't feel like wearing out my SSD.

The latter problem is of course easy to solve, but my ISP is notorious for aggressive traffic shaping, despite the large promotional text that says "unlimited".

Re:So

[Cederic]

You're making wild assumptions here.

You're assuming the MD5 hashes are used as part of anti-cheat detection, not just because Valve want to know which porn you enjoy.
You're assuming that MD5 clash rates are materially significant.
You're assuming that accessing a cheat site is deemed cheating and leads to a ban.
You're assuming that bans are based on single data points.
You're assuming that VAC automagically determines you're a cheat and that there isn't a human review involved.

Steam isn't perfect, but please, do try and at least base your wild speculation on some modicum of common sense.

Re:So

[idontgno]

That won't help if Valve is scanning the operating system DNS resolver cache.

For Windows, the DNS lookup part of the network stack retains all positive DNS results (i.e., a lookup worked) for 24 hours, and all negative returns (i.e., lookup failed because of a mistyped FQDN, for instance) for 15 minutes.

That's below the level of the privacy tools of the browsers. No application can override that. (Only administrative/network management tools like "ipconfig" (for Windows)).

Valve would probably register "bad evul hack-n-cheat browsing" if you did nothing more than "nslookup" the addresses of the "bad evul hack-n-cheat" web servers, even if you never fired up a browser.

Re:So

[Sowelu]

Worth noting that VAC doesn't lock you out of running games or delete your account, it just prevents you from playing multiplayer on VAC servers. VAC is a voluntary-to-publisher service that Valve offers to creators of multiplayer games. If a publisher says "yeah, if someone cheats on a different game then we don't want them playing on our servers either", they can do that...it's pretty much the same as publicly shared email blackhole lists. If you have a problem with a publisher putting VAC in their games, complain about them and not Valve.

Many (most?) multiplayer games that let players run their own servers give an option of running a non-VAC one, or to connect directly to IP, whatever.

Seriously...even if Valve didn't run VAC, someone else would run an equivalent service (can you say Punkbuster?). All it takes is for one or two companies to say "hey we have this way to detect cheaters, why don't we share the steam keys of the cheaters we find and keep them from playing online on our servers", and there you go.

Re:So

[Sowelu]

Many games require Steam to be running, usually because they use Steam services for online matchmaking or whatever. That's the game developers' choice though, they aren't obligated to do it.

Re:So

[Z00L00K]

I do suspect that the Mozilla Firefox browser will work fine in a virtual environment.

Re:So

[CurryCamel]

The line between rent and own is very, very clear in the case of steam and other similar services.

This is perhaps the crux of the matter and the reason people here too act outraged. Any and all intellectual property goods are distributed on a rent model, not an ownership basis, per definition.
Physical media, like CDs or cars or license dongles have an implicit reselling-allowed clause in them (and sometimes an explicit reselling-deined one...) for that particular item. This seems to confuse the matter further.
Even the infamous "car analogy" works here: if you could, would you be allowed to make an identical *copy* of your car, and start selling those? (as opposed to just building your own cars).

You must evaluate steam and any other subscription service on their own terms. Is what they offer value for money? Can I trust them to deliver?
I don't. Well... didn't. Then I heard they have Civilization V... Huge fan. Must buy^W get it.

Re:So

[lgw]

All that matters is the odds. The odds that Valve will be a problem are far less than the odds that my physical media will be a problem (I move often), so for me it's easy. It's not like games are priceless treasures, after all, and if Steam somehow manages to lose my entire collection I'll shrug and move on.

Of course, I buy everything I can find of interest on GoG, but that's a very limited selection.

Re:So

[jxander]

A few reasons, but the sales are the biggest ones.

If you buy a AAA retail game (that originally sold for $60) for $5, you've gotta know that there are going to be some strings attached. If you're willing to deal with those strings, well, you just saved yourself a bunch of money.

There are other benefits. I've never once had to deal with scratched or lost disks, backwards compatibility or multiple system.

Of course there are negatives as well ... and whether or not it balances out, up to each person to decide.

Re:So

[bluefoxlucid]

Remember when GameSpy just did this without integrating with the game?

Re:So

[lgw]

BUT WHAT IF THEY SHUT DOWN?*

I have far more important things to worry about in life than some games. If Valve craters, there will be a new outlet for games (maybe we'll get lucky and there's be a move to GoG). As long as the risk-adjusted price I pay is fine, I don't see the problem.

As with everything in life, you pays your money and you takes your chances. The chances that Valve will vanish in the next few months, while I'm still heavily playing whatever game I just bought, are quite small.

Re:So

[bluefoxlucid]

If Tor is running on the local machine, yes. Normally you don't use a remote HTTP TOR.

Classical proxy server HTTP sends a normal HTTP request, but always sends it to a particular IP. Normally you look up www.slashdot.org and send the request there. The request includes a Host: header always, so instead of GET /index.html HTTP/1.1 to Host: www.slashdot.org on 216.34.181.48, you send that to 10.10.100.50. 10.10.100.50 uses the Host: header to DNS look-up www.slashdot.org and sends the exact same request on.

Re:So

[bluefoxlucid]

Applications can override that. Just connect to 8.8.8.8 instead of running OperatingSystemApiDNSLookup().

Re:So

[Anubis+IV]

Nonsense. I dont buy licenses. I buy games.

No, you don't (unless you're representing a game publisher or developer, in which case maybe you do). Read the fine print included with any game you buy today on physical media. You bought the disc, so you generally have the right to resell the disc, and the licenses are transferable as well, so it gives many consumers the illusion of ownership, but the fact is, you don't own any of the games that you've "bought". That's why companies are legally capable of cutting off customers who break rules in their games. I provided links to several examples a few posts back in this thread.

I'm not suggesting I like that it's this way, mind you, nor that it should be this way. I'm merely pointing out that it's the reality of the situation. Having you deny it doesn't magically make it untrue.

Re:So

[wolrahnaes]

I doubt that, it would be trivial to modify a list of local hashes to prevent being detected.

As opposed to it not being trivial to modify your DNS cache?

Anything that's checking standard local resources will be trivial to edit for someone who cares to. Sending a list of flagged hashes would be the more privacy-safe way to do this. Whether they do or not I have no idea, but nothing about the information I've seen posted so far including any of the decompiled code seems to indicate one way or another.

Re:So

[Anubis+IV]

Name one alternative that doesn't rely on licenses.

Bet you can't.

Whether it's physically or digitally distributed, the fact is, all games are "sold" as licenses and have been for years. The only choice we have is in choosing which license we like. Physically distributed games are generally more expensive and come with a transferable license. Digitally distributed games are generally cheaper and are non-transferable. I'll take a cheaper one that's non-transferable over a more expensive one that's transferable most of the time. You're welcome to do otherwise, but don't kid yourself into thinking that you're any less of a slave to the same masters. They can cut you off just as easily as they can cut me off, as the links I provided earlier in the thread demonstrate.

Re:So

[Cruciform]

Gabe stated a few years ago that if Steam has to shut down there is a method of releasing all content on an account to the user. A master key or something. And they would give advance notice.
If they were unable to give advance notice, it's likely that whatever caused it would be impacting your life as well. Alien attack, Godzilla, Roseanne Barr clones...

Re: So

[master5o1]

No other crap, not no crap.

Re:So

[X0563511]

So, you do know what a transparent proxy is, right? I'd like to cite my daily usage of ssh -D as an example of how you're missing half the picture.

Re:So

[Arker]

"No, you don't (unless you're representing a game publisher or developer, in which case maybe you do). Read the fine print included with any game you buy today on physical media."

No thank you, I have no desire wasting my time reading bunch of dense legalese written to intimidate the ignorant. Fine print that I do not read or sign has no bearing on the situation. It certainly comes nowhere close to having the required elements of a contract.

"You bought the disc, so you generally have the right to resell the disc, and the licenses are transferable as well"

Where do you get this absurd idea that you need a license to use a program?

Do you need a license to read a book? To listen to a CD?

No, you only need a license when you intend to do something with a work which is NOT normal use, which is NOT permitted by copyright law. Like modifying and redistributing the work.

A EULA is not a contract because it lacks the required elements of a contract, and it is not a license either, because it grants NO license! Instead, it purports to impose an anti-license, that is to impose draconian limits far above and beyond what copyright law provides, unilaterally. There is no legal principle to support this, other than 'who has the gold makes the rules.'

Companies are able to make ludicrous 'legal' threats and claims and abuse their customers and get away with it but that is the result of a legal system that requires money, and lots of it, to get satisfaction. Companies have tons of money, individuals of modest means who somehow come to their attention can be railroaded and the law be damned. But let's not pretend that there is any legal or ethical support for them to do it. It's brute corruption of the legal system and process, nothing more.

Re:So

[arth1]

A transparent proxy is a completely different implementation.

I was talking about [b]configuring[/b] a proxy server. In which case you forward all requests to that proxy, and the browser does not do lookups.

Re:So

[reve_etrange]

they can only be run through Steam

A lot of games, including multiplayer games, can be run without simultaneously running steam. You have to launch the applications directly from the steam library directory, but steam doesn't need to be running.

Re:So

[Anubis+IV]

A EULA is not a contract because it lacks the required elements of a contract, and it is not a license either, because it grants NO license! Instead, it purports to impose an anti-license, that is to impose draconian limits far above and beyond what copyright law provides, unilaterally. There is no legal principle to support this, other than 'who has the gold makes the rules.'

Go look up contracts of adhesion. IANAL, but this is basic stuff that anyone on Slashdot should know since it's of vital importance to the software industry and has been repeatedly upheld by the courts. Ignorance of them is no reason to stick your fingers in your ears and act as if they don't exist.

If you want to make an argument that their terms are unconscionable, that's one thing, but you're arguing that the contracts simply don't exist. I'll agree that there may not be an ethical basis for what they're doing or that some specific contracts may not be upheld in court, but let's not pretend that there is a lack of a legal basis for what they're doing in general.

Re:So

[tragedy]

Steam is the closest thing to DRM done right available. You get actual VALUE out of the relationship (all the perks of STEAM) AND it's unobtrusive.

Unobtrusive... Except for all the spying on you and handing out the data to pretty much anyone who pays (does anyone believe that their "privacy policy" is actually binding on them?) or demands with some sort of legal clout.

Re:So

[ninlilizi]

I keep my Steam sandboxed to its own physical set of drives. Far away from my actual working OS and data.
If I want to play a game. I power down. Swap out the entire array and boot back up.

Had thought this was pretty much the standard way of operating when dealing with an untrustworthy blob that pulls down even less trustworthy payloads wrapped in piles and piles of 3rd party DRM and rootkits.

Given Linux lack of stereoscopic gaming support. A dualboot is required anyhow. The extra 10-15seconds to swap out a few drive caddies is a non issue.

Re:So

[l_bratch]

Presumably, if the DNS cache /is/ even used to detect cheating, then it's just one part of some weighting system. Even this is just assumption. We don't have enough information yet.

Re:So

[Hamsterdan]

I'd really like to know what, I've never encountered anything up to now that wasn't allowed in a VM. Not doable (like playing GPU hungry games), ok, but not *allowed* ?

None so far...

Re: So

[Hamsterdan]

But most people have (and only need) one computer. It's different from the /. crowd where multiple PCs is the norm (3 powered on at the moment)

Re:So

[ubrgeek]

> Cost, convenience, and a lack of alternatives.

Are we talking about Valve or hookers?

Re:So

[Hamsterdan]

"The "repeatedly redownload your gaming library" idea has some merit if done en-masse"

Won't do any good other than bust your monthly quota since it will probably get served from a CDN so should not cost Valve more (Unless the ISP is double-dipping)...

Re:So

[Anonymous+Psychopath]

As the saying goes, wish in one hand and shit in the other, then see which one fills up first. I wish you good luck with your strategy.

Re:So

[Arker]

Contracts of adhesion are weak and suspect, at best, and we could have a nice debate about it, but it's beside the point here because a EULA isnt a contract of adhesion either. A contract of adhesion, weak as it is, is still something that you see up front and accept or reject prior to closing the deal. With a EULA, the deal is complete, the money handed over, the product accepted, before it's seen.

Imagine if booksellers tried to get away with this. You buy a book, you pay your money, you get your receipt, you walk out of the store, and start reading. And find a nice little note from the publisher claiming to be a contract (though it isnt) and/or a license (and clearly not that) which purports to strip you of basic rights in return for permission (which you dont need) to read the book. It further cautions you in the strongest possible terms that violating these rules will result in the harshest legal actions.

Would you regard that as binding? Or would you just laugh and ignore it?

If as one would suspect based on your argument so far your answer is the former I am afraid you are part of the cancer that is killing our civilization. That may sound dramatic, but it's true. Civilization cannot long survive if people are buffaloed into submission so easily.

Re:So

[idontgno]

Your suggested answer is "Roll your own DNS resolver?"

That's pretty hardcore. While you're at it, maybe the app should just poke the network drivers directly and bypass the OS's network stack.

More to the point, I've seen no evidence that browsers do their own DNS resolution. Do you have any?

Re:So

[Bugamn]

Another advantage for me, is that I often find there games that I don't find on shops around here.

Re:So

[arth1]

Some proxies can function this way. SOCKS5 proxies do, for example. SOCKS4 cannot. Arguably the most popular proxy in the world, squid, does not handle DNS.

Uh? It most certainly does.

$ telnet myproxy 3128
Trying 10.11.12.13...
Connected to myproxy.
Escape character is '^]'.
GET http://slashdot.org/ HTTP/1.1
Host: slashdot.org
Connection: close

HTTP/1.0 200 OK
Server: Apache/2.2.3 (CentOS)
SLASH_LOG_DATA: shtml
Set-Cookie: betagroup=51; path=/; expires=Thu, 18-Feb-2016 00:08:24 GMT
...

If squid didn't do DNS for you, you would have to provide the IP address. It does,so you don't.

Re:So

[arth1]

Reading the parent post again, he might be deluded into thinking this is about sending the client's DNS request to a proxy server. That's obviously not what we're talking about.

The point of using a proxy server here is to avoid having the client contact any DNS servers, no matter what the method is. When the OS doesn't know what hosts you contact, the OS can't log it.

Re:So

[slimjim8094]

It doesn't matter.

Look, when I was a kid, I used to play Counterstrike pretty seriously. I was curious about these cheats that I kept seeing on VAC-secure servers, so I went and found some and played around with them - on VAC-insecure servers, of course*. They're really cool bits of code that hook into the game and understand the engine well enough to find the head "bone" and wait for it to come into the player's view. Being a coder, I wanted to know how they worked - not to write my own, but software that hooks into other software is fairly unusual, and thus, interesting to my teenage self.

Anyways, since I was just looking around (and not willing to pay/join the "clubs" that made new undetected hacks), the aimbot I had was definitely no secret and surely would've gotten me banned if I'd played on a VAC-secure server. The deal was - cheat on a secure server, get banned. But the counterpoint is - cheat on an insecure one, no problem. It felt really fair - joining a secure server is an agreement not to cheat, and if you do, you're banned.

If this story is true, it completely changes that agreement. Presumably it's a "once a cheater, always a cheater" attitude, but that's not really fair. The cool thing about VAC was that it was indisputable. It doesn't make mistakes - you knew categorically that someone who was VAC-banned had broken the agreement by having cheat code loaded while connected to a secure server. So there was no arguing, pleas, etc - they were a cheater, they had cheated in a game that was annotated "no cheats". This would completely change that dynamic, and Valve is really careful about that kind of thing, so I'm suspicious that this is as-reported.

*Before somebody chews me out for cheating anywhere - first, it was only on cheat servers (all players were using them), and second, it only makes sense to view the active decision to turn off VAC (it's on by default) as a decision to allow cheaters.

Re:So

[geminidomino]

When you purchase a game disc at your local retailer, you're merely purchasing a license to play the game. That's the nature of your business relationship with Ubisoft, EA, or whoever. As such, canceling your business relationship with them would mean rescinding your licenses. For a physical game, the way you'd do that would be by snapping the game discs in half, deleting any copies of the games that you had made, and refusing to make use of their services.

Not quite. Physical (excepting scumbags who put steam DRM on box copies) and DRM-free digital purchases are different in that they don't allow "Ubisoft, EA, or whoever" to decide when the discs get snapped in half.

Once again valve has proven that they shouldn't be trusted. I'm glad I got out the last time they did, and was only out $40 worth of games.

Re:So

[mjwx]

How do one set up rules to block Steam from accessing firefox profiles? (Linux obviously, though guide for Windows is fine too. Also Chrome.)

The only real way to be 100% sure is to use a browser on a different box.

Other methods I can think of is putting Steam on a separate user to the one you use the firefox/chrome on (but still may not be effective as steam will have admin rights) or using the browsers incognito/private modes (but I'm not 100% sure if this clears DNS info).

Also, I'd be very surprised if other anti-cheat measures like PunkBuster didn't do the same thing.

Re:So

[LoRdTAW]

Ill admit that back in the 90's after I met my aforementioned BBS friend I never paid for any software until around 2003-ish after I grew out of it though I still grabbed a lot of music and movies from BT sites. It was fun to pirate stuff from BBS's and later 0-day warez ftp servers. I remember playing Quake well over a month before it was released in stores. Early leaks were the bomb.

Anyways, today I pay for all of my games and software, even my copy of Windows 7 ultimate (every other PC I have runs Linux). I still buy music but I also trade a lot of music but I don't download it from BT sites, instead I trade with friends. I don't care about movies anymore but I still watch a little TV from time to time.

Re:So

[thePowersGang]

Even if valve do not release a master anti-drm patch if they disappear, I feel safe in the knowledge that all DRM can be cracked, and if Steam goes down permanently, many annoyed programmer+gamers (like myself) will be working hard to remove the DRM and keep playing their games.

Re:So

[Bite+The+Pillow]

Just a bookmark for me regarding conclusions and the jumping thereto, especially in light of the ars technica article and gabes reddit topic. Fear not, you will serve humanity as well as you thought you were when posting.

Re:So

[Immerman]

Seriously? Do CDNs not charge based on bandwidth usage? How do they make money then? I would think even if they provide serious cost savings they would still incur a lot more expenses from the guy whose content gets dowloaded to the tune of a billion terabytes than the guy whose sad cat video only gets three views.

Re:So

[jxander]

20 years? So, 1994.

Still a few years before N64 or original Playstation released, which means you must be talking about SNES or Sega Genesis games. Kinda kills your "only had a problem with one CD." Unless you meant CDs or ROM Cartridges. Or maybe you just meant 16 years instead of 20. Little hyperbole never hurt.

So, still got your copy of FF7 around and ready to go? Because I do. On Steam.

Re:So

[sosume]

Will you be crafting DNS request packets by hand? If not, then you will still go through the windows IP stack, regardless of your DNS server.

Re:So

[Ash+Vince]

Seriously...even if Valve didn't run VAC, someone else would run an equivalent service (can you say Punkbuster?). All it takes is for one or two companies to say "hey we have this way to detect cheaters, why don't we share the steam keys of the cheaters we find and keep them from playing online on our servers", and there you go.

Exactly, a few years back I used to play America's Army 2 quite a lot. Most clans would stream bans from all the anti-cheat organisations they could on top of punkbuster being built into the game. So once PB kicked you for cheating, that IP you were using got recorded along with the GUID that was linked to your account. Any other accounts linked to that one by GUID or IP also became suspicious.

Obviously if you were on a dynamic IP the IP link would be tenuous because you would be linked to loads of other players, but if you were on a static IP (you could tell by looking through your entire history of games and seeing how often it changed) then you needed to get a new IP before most AA2 servers would let you in. This worked because AA2 logged pretty much every game.

The reality is the people who cheat spoil online gaming for everyone else, just about all games companies therefore have to be seen to do something about it.

I personally would be much happier if Steam simply deleted your account along with all your games if you were caught cheating just once. Actually I would be happier if when you were caught cheating Valve sent someone round to your house to break both your legs but I can foresee a few legal difficulties with this.

Re:So

[grumbel]

DRM is DRM, and there's no such thing as "DRM done right."

While it would be nicer without DRM, DRM is really only a small piece of what makes the whole service. Take for example Linux versions, on Steam, you automatically get them when they become available for free. When you buy on GOG or physical discs you don't get them, either they aren't provided at all or you have to pay again for them. If you want to play a non-english version of a game you also have a much better chance at getting it on Steam then on any other service.

While that doesn't make the DRM go away, Steam does give me a lot more freedom on where and how I can play my games compared to other services. Would it be nice to have a DRM-free service with the same feature set as Steam? Sure, but as far as I know no one like it exists, closest thing is Humblebundle Store, which gives you both DRM-free versions as well as the Steam version, but they offer a lot less games then Steam at the moment.

Re:So

[grumbel]

There's no "Linux obviously" about it. It's a matter of trust, and Linux or not, users are far too trusting of the applications they install.

I don't think it's a problem with user trust, given all of the viruses and malware I don't think many are left that have trust in software. I think the problem is that no desktop OS gives you an easy way to properly isolate apps from each other. In Linux I can fudge around with multiple user accounts and such, but it's generally a mess, if there would something as easy as "sandbox ./your_untrustworthy_app" then people might actually use it.

Re:So

[bluefoxlucid]

Well, more "use libbind" the same as all the bind utils. It's one library call versus another. The point is that applications can, but don't, override this; there's nothing in the application allowing the user to tell it to do so, but it's bluntly easy for an application to provide a "stealth mode" that queries the OS for its DNS settings, then calls a stock DNS resolver library. Hell, I'm pretty sure that's how it's always done on Linux, using res_query() from libresolv (hence /etc/resolv.conf).

Re:So

[bluefoxlucid]

You think the Windows IP stack sniffs packets and then breaks TCP/IP to act as a DNS cache? Windows only has a list of recent DNS lookups because Windows apps call DnsQuery() to go through the WMI DNS Provider service, which is equivalent to setting 127.0.0.1 in /etc/resolv.conf on Linux and running bind locally as a caching nameserver.

Re:So

[Samizdata]

Or, when Games for Windows Live shuts down, you lose DLC you paid for through it, and get told by Steam and the Publisher, "Yeah, well, you need to buy it AGAIN if you ever want to uninstall said game."

Re:So

[Samizdata]

I actually kinda of got into Steam because of the whole "losing physical media" thing.

Re: So

[jxander]

And a working PS1 on which to play it, with controllers? And a TV with open RCA jacks?

For my money, having it on Steam is just more convenient. Of course, ROMs are the best option, but I'm limiting to fully legal avenues

To each their own, I suppose

Re:So

[lgw]

I did as well. Now I always check GoG first, because Steam just gets more annoying every year, but still better that than physical media!

Re:So

[Samizdata]

Well, Steam is pretty much lost me as a customer over me getting screwed on my Bioshock DLC purchase, so there's that. But I have too much stuff to throw it away.

Oh good

So security researchers who also game are pretty much screwed then?

Re:Oh good

Security researchers? Most game server admins I know (at least, the good ones) will browse hack sites/videos, so they know what's out there and what to look for. Unless it started very recently, they're not doing any banning for this.

Re:Oh good

[mjwx]

So security researchers who also game are pretty much screwed then?

Any security researcher that goes to hacking sites on their gaming box is screwed.

IIRC, most security researchers use VM's these days to avoid contaminating systems that they use for production.

Summary that misrepresents the Article... *shock*

[Puls4r]

Actually, the article doesn't say anyone has been banned using the data. It specifically says that NO one currently knows what happens with the data. So that's a pretty large red herring. That doesn't negate the heinousness of them tracking the websites you visit *just* in case you might cheat. Very NSA-esque.

GoG?

[Torp]

I've been trying to switch my gaming purchases to GoG anyway, mainly because it's a pain to game on both a laptop and desktop with Steam. This is just another reason for it.
All GoG needs is to start supporting Linux...

Re:GoG?

[neilo_1701D]

Windows person first and foremost; I'm a Dynamics AX technical consultant (please don't hurt me).

I've been evaluating various Linux distros for my desktop, as my hobby time is more and more Linux (hello, Raspberry Pi and robotics!). I looked at Wine, and learned about CodeWeaver's CrossOver (this is probably old news to you). Once I had appropriate 3D drivers installed for my Toshiba S955 (that was a battle), I was able to install some stuff from GOG. Medal Of Honor: Allied Assault, for example, ran flawlessly in an XP bottle. Unreal was a disaster. That's my experience so far, which matches with what I read on CodeWeaver's site.

So, whilst having GOG support Linux would be ideal, that's not going to happen. This seems to be a good alternative.

(FWIW, I certainly got a buzz out of seeing Office 2010 install and run flawlessly on Fedora 19!)

Re:GoG?

[manicb]

PlayOnLinux also makes it pretty easy, and explicitly supports a lot of GOG installers... Currently enjoying Neverwinter Nights from the GOG Insomnia sale on my Linux music production rig. Still, native versions are nice, and I won't buy a game from them if I have reason to suspect a native version is available.

Sweet!

So all I have to do to limit the competition is search a cheating site from my buddies computer?! Thanks for the tip!

ipconfig /flushdns

[gatkinso]

Done.

Re:ipconfig /flushdns

[peon_a-z,A-Z,0-9$_+!]

But... Is an "empty" DNS history more suspect than a moderately populated one?

Re:ipconfig /flushdns

[Immerman]

Right. Just be sure to do that before every time you launch Steam, and always shut down Steam before browsing the web.

Re:ipconfig /flushdns

[Mashdar]

flushdns, ping goatse.Solved!

Re: ipconfig /flushdns

[lostfayth]

most operating systems boot with a clean cache, and steam typically runs at startup/login. an empty or near empty DNS cache would not be an uncommon finding.

Re:ipconfig /flushdns

[sunderland56]

Why is there an API call to read the DNS history in the first place? The only required API is "please look up this address"; I can't see any valid reason to have a "please give me DNS history" call.

Re:ipconfig /flushdns

[BitterOak]

But does the flushdns actually ERASE the contents of the cache or merely delete it? (By erase, I mean overwrite with zeros or something else so snooping software can't reconstruct the original cache contents.)

Re:ipconfig /flushdns

[Dogers]

I assume you're doing that on your router too?

Re:ipconfig /flushdns

[gatkinso]

I suppose I have to roll a simple batch file for you as well. *sigh*

What about cheat haters?

[AlienSexist]

I've known gamers to frequent cheat sites just to see what the cheaters are using and what is possible to exploit When a legitimate player suddenly faces inexplicable challenges sometimes they go find where people are downloading their skills/advantages from in order to explain their new struggles. Often times it starts with the feeling "that HAS to be a cheat" then digging around finding if there is a cheat the enables that behavior.

Re:What about cheat haters?

[Rich0]

I imagine that they'll get the same experience as somebody who runs a Tor relay-only node. Admins will block them because it is easy to do, and has a minimal impact on their sales. They really don't care if it has no impact on security.

This is the VAC and not steam client

Keep in mind they're talking about the VAC software and not the steam client. VAC runs when you run a game that supports it. (The wiki page has a list of games though I do not know how up to date it is.) The Steam client doesn't do this reporting itself.

Re:This is the VAC and not steam client

[Torp]

And this makes it better how?

Re:This is the VAC and not steam client

[DrGamez]

Because more information is usually better than not having this information?

The AC you replied never said this is better or worse, so stop trying to color their arguments to make your own comment look better.

Article based on REDDIT post

The article is based on a REDDIT post. We all know they are always 100% accurate and credible. They did catch the boston bombers afteralll!

journalism at its finest.

This is why you should use the apk host file.

Obviously it blocks malicious behavior such as this.

Time to run apps as if they were applicances?

[davidwr]

Perhaps its time to put certain applications, such as web browsers in their own "VM appliance" to isolate them from being spied on or misused by other apps.

In the meantime, get into the habit of using your browser's "privacy mode."

If games and other apps that don't "need" to work with your other applications can run in a VM without an unacceptable performance hit, consider putting them in such a box as well.

If your OS supports running apps in sandboxes/jails and your favorite games work well in such an environment, that may be easier than putting them in a full-blown VM.

Re:Time to run apps as if they were applicances?

[Immerman]

Perhaps its time to put certain applications, such as web browsers in their own "VM appliance" to isolate them from being spied on or misused by other apps.
\In this case that would have no effect - the DNS cache is (indirectly) accessed by every 'net enabled application on you computer.

Or perhaps it's time to start implement finer-grained permissions for all applications, such as the security system OLPC was experimenting with. There's no reason anything in my game library should be able to look at anything except the application and save-game folders. A document editor may need access to your complete documents folder and external media, but there is no reason for it to be able to examine what other programs are installed on my computer. And *nothing* should be able to touch my web cam without explicit permission. Law enforcement can already listen in on any conversation that takes place within earshot of a telephone, but there's no reason to let nefarious individuals do the same thing with any conversation within earshot of a laptop/tablet/etc.

Re:Time to run apps as if they were applicances?

[Opportunist]

Good luck with most games. Game makers hate it when you run their games in a VM, considering a tool used only by crackers, so they'll do whatever possible to limit your ability to even run them in a VM.

Workaround

[goombah99]

How do one set up rules to block Steam from accessing firefox profiles? (Linux obviously, though guide for Windows is fine too. Also Chrome.)

The only useful workaround is to boycott steam. Otherwise they will work around your workarounds till they finally just install a Sony rootkit. Do you really want a company that even takes even one step over the line? teach them a lesson.

Re:Workaround

[dshk]

Players who are frustrated by cheaters are also ready to boycott Steam. If I were Steam, I would serve my frustrated, honest users. We also maintain a gaming site, and you cannot believe how many people get angry because of cheaters.

I have no issue if they only check for domains or only selectively download the list. But I use three different machines for gaming, development, and system administration.

Re:Workaround

[Zxern]

Yeah and I bet most of the time people claim someone is cheating when they in fact aren't. The other player is simply better and they get frustrated and claim cheating. Happens all the time.

Re:Browsing history?

[Rosco+P.+Coltrane]

Why gee, such skills in online browsing history masking leave me speechless...

DEBUNKED

This story is being debunked in the original reddit thread.

http://www.reddit.com/r/technology/comments/1y4za5/steams_vac_now_reads_all_the_domains_you_have/

Re:DEBUNKED

[0123456]

That would be exactly the kind of system monitoring a political or law enforcement or divorce lawyer analysis could find intriguing, without requiring decryption or complex analysis of logs that might be harder to find.

You do realize this is a GAME we're talking about, not a terrorist cell?

Re:DEBUNKED

[makomk]

For values of "debunked" equal to "people clueless about how VAC works are loudly insisting that it's not true, and being believed because Valve fanbois". (Amongst other issues, you won't find the code of any VAC modules in Steam's or the game's DLLs because they're downloaded from the server at runtime in order to make them harder to reverse-engineer and block.) Someone later in the thread has apparently tested and found that stuffing the DNS cache with bogus entries increases the amount of SSL-encrypted data VAC sends back by almost exactly twice the size of the MD5 hashes of all those entries, and clearing the cache returns the amount of data sent back to what it was. (It may not necessarily be possible for others to replicate this, as I recall one of VAC's anti-reverse-engineering measures is that different people receive a different subset of the payload modules. So far no-one's tried though, they've just said it's not proof enough.)

Re:DEBUNKED

If by debunked, you mean "confirmed, but vehemently defended".

Re:Visiting !=guilt

[mlts]

This might be a way to bully/troll someone. Find what their account name is, then make an account with the identical name on every botting site. Of course, account names are hard to come by, but it is a way for someone to cause mischief, similar to people who create bogus FB profiles.

How ironic . . .

[Kimomaru]

I thought the point of playing a game was to relieve stress. Getting online to play something is starting to become more involved and complex than most people's jobs. It is kind of a shame, though, that people take Counterstrike and Call of Duty so seriously that they need to scam the system. Defeats the purpose, no?

Re:Summary that misrepresents the Article... *shoc

[moronoxyd]

Luckily, not everyone lives in the US.
Some countries have different laws, even consumer protection laws that are worth that name.

And yes, even companies operating out of the US have to conform to at least some of these laws if they want to do business in Germany/Europe. An yes, they WANT to, because Europe is not an insignificant market.

Re:Summary that misrepresents the Article... *shoc

> Indeed, it also says the the actual entries themselves are not sent back, but only the hashes

DNS names are easily enumeratable, the only reason to emphasize that it's hashes is if you're clueless or dishonest.
From a privacy perspective, they are sending back DNS names, saying that's hashes is only fooling people.

another workaround. if you care

[goombah99]

flush the dns cache before you launch steam:
on a mac that command is:
sudo killall -HUP mDNSResponder

However since steam is normally installed with admin permissions it may very well be running some sort of spyware deamon that is violating your privacy even when the application is not running, making that dodge useless. Since they are willing to go that far I would not put it past them to also be running a spyware daemon as well.

Re:another workaround. if you care

[Carewolf]

No on Debian, I run steam as a normal user under user credentials. It doesn't launch any daemons, and has no suid executables, but it does have read/write access to all local files which includes saved history of browsers. Will do strace when I get home. Should be interesting.

Re:another workaround. if you care

[tlhIngan]

flush the dns cache before you launch steam:
on a mac that command is:
sudo killall -HUP mDNSResponder

Except, mDNSResponder isn't a DNS cache. It's the multicast (hence "m") DNS server used by Bonjour/ZeroConfig.

It has zip to do with DNS caching other than storing what services are being made available on your machine to your network. It binds on a multicast IP.

Re:another workaround. if you care

[ArbitraryName]

It has zip to do with DNS caching other than storing what services are being made available on your machine to your network. It binds on a multicast IP.

False. mDNSResponder is also used for unicast. The command to flush the DNS cache given by the GP is exactly how Apple tells you to do it using Mountain Lion.

Promise not to share

[gmuslera]

... unless an employee decides to use it, a secret order of the NSA requires to disclose it, their servers get hacked (by the NSA, other countries intelligence agencies, hacking groups, or script kiddies) or the protocol have a vulnerability or the information can be captured and decrypted. The respect of privacy by US companies had become an oximoron. Is a promise that they can't possibly honor, and they are too big to close doors like Lavabit if the NSA want their customers data.

Re:Browsing history?

[X0563511]

Last I checked that doesn't do shit about your OS' DNS cache.

Re:DNS cache really doesn't say that much

[X0563511]

Doesn't WOW have public test servers? Why didn't you do your work on that?

This isn't as hard to combat as you think....

[ToddHofer]

The easiest thing to do is, is created a batch script that empties your history and flushes your DNS. After that, it opens steam. Assign your steam icon to that batch file. Problem solved.

Re:Summary that misrepresents the Article... *shoc

[Immerman]

I'm not so sure.
1. Are you sure the EULA actually states that they may monitor your non-steam related activities? I would appreciate a pointer to the relevant paragraph if so.
2. My understanding is that it's still somewhat up in the air exactly how legally binding an EULA really is. Though I doubt most people could afford a good enough lawyers to press the issue
3. Even assuming the EULA is binding, it's generally accepted that a contract cannot demand that either party surrender their constitutional rights, and the 9th Amendment specifically states that the enumerated rights are only a sampling, not a comprehensive list, or even a list of the most important, and in no way should be interpreted to detract from the importance of the rights not so enumerated. Privacy included.

Re:Browsing history?

[Barefoot+Monkey]

Not browsing history.

Run cmd.exe and in the command prompt type "ipconfig /displaydns" (without the quotation marks). That's your DNS history, and that's what Steam is looking through.

To clear that, type "ipconfig /flushdns".

Re:Browsing history?

[Immerman]

Won't make any difference if they're monitoring your DNS cache instead. Sorry, did you not realize that your porn-browsing habits leave secondary footprints on your system as well?

Re:Is it safe now?

[sideslash]

WHY HELLO, MY FELLOW LOYAL, SLASHDOT-READING COMRADE. LET US TALK OF DNS CACHES AND GAME SUBSCRIPTIONS AND VALVE AND STUFF.

[whisper] Would you shut up? You're gonna get us killed. All the first wave of revolutionaries have already been lined up against the wall and shot. Keep it under the radar. Now see if you can sneak over to the Facebook love analysis article, and another resistance operative will brief you there.[/whisper]

Ineffective anti-cheat mechanism, no?

[rnturn]

It wouldn't, for example, prevent anyone from cheating by doing some browsing at the local coffee shop to find the cheats and then coming home to play games on the desktop system at home.

Re:Ineffective anti-cheat mechanism, no?

[Ash+Vince]

It wouldn't, for example, prevent anyone from cheating by doing some browsing at the local coffee shop to find the cheats and then coming home to play games on the desktop system at home.

You get the reply, but I think many of you here are missing the point about why Steam might be doing this. They probably don't care about your browsing history, when they care about is other bits of software doing DNS requests.

In my very limited experience these sort of cheats that VAC are looking for are now a subscription service. They know that VAC or PB or whatever will detect them very quickly, so they update them regularly and you subscribe. That means the cheat software probably phones home to check your subscription is still valid and see if the game has been updated to detect the version you are currently running. VAC is probably trying to detect that phoning home.

Of course, now everyone know they do this the cheat authors will just make sure they bypass the DNS cache and VAC will probably have to find another way.

This is hacking

If an individual does something like this, you can bet the government would charge them with computer crime under the Computer Fraud and Abuse Act. If a company does it, nothing gets done.

Re:DNS cache really doesn't say that much

[Immerman]

>My point being that dns histroy is only the grossest of measures of what you're doing on your pc

Don't worry, it's still enough to let the NSA send you to Guantanamo indefinitely if you do anything else suspicious, or if someone doesn't like you. I'm sure it's only a matter of time before such privileges extend to their secret corporate sponsors as well. And for those kinds of privileges who *wouldn't* sponsor them?

Good not to be a gamer

[erroneus]

I have a non-addictive personality in general... perhaps it would be more accurate to say "anti-addictive" as there have been times when I would go overboard with some activities. X-Wing vs Tie Fighter, for example, cost me hundreds of dollars in "sick days" after calling in to work because I wanted to accomplish something. (Sick and stupid right?) I came to my senses after a paycheck demonstrated the value of my lost time. Anyway, I don't really play games which are time consuming and/or deeply involving... not often anyway.

But if I were a gamer, I would be intensely offended by Valve's activities. Then again, I spent some really late nights playing Halo 2 losing sleep and feeling miserable... yeah... I did it again. Didn't cost me money, but cost me in health and rest and all that. It was while playing that and similar games that I really appreciated how much I hate cheaters. Aim-bots and all this other crap just served to anger me...which kept me awake playing. Eventually, I woke up to what I was doing (again) and restored myself to healthier ways. But I do know cheaters see cheating as a game in and of itself which is why they do it.

So I understand why Valve wants to do it but as a Bill of Rights guy, I am deeply disturbed and disgusted by Valve's actions as well. (Yes, I know Valve isn't government but the principles have a way of bleeding into all walks and areas of life and it's quite likely that they are sharing data with government as just about everyone seems to be. Go visit Dick's Sporting Goods and see how much information they try to get from you when you buy guns and/or ammo. Holy crap it's scary and disgusting. And they CERTAINLY and DEFINITELY share data with the government electronically.)

I'm not going to say I don't care about this or that I don't have a dog in this fight. I do. I see many of the principles laid out in the BoR as common sense and as a structure for how to maintain mutual respect for various parties not only government.

Personally, I think people should stop playing shooting games and buy real guns and ammo. It's harder to cheat, for one, but is more expensive to be sure. But the effect of practice and skill certainly serve to trigger those accomplishment feelings. Also, PC gamers can also appreciate the desire to acquire high performance devices of all sorts ranging from scopes to lasers and all sorts of creative and amusing shotgun ammo. Caution: Guns and Ammo are expensive... way more than PC gaming. But the fun is unquestionable.

Stop using the software and services of these rights offenders entirely. They need to understand where the line should be drawn.

Re:Good not to be a gamer

[nurb432]

You think it will stop here?

Re:Good not to be a gamer

[erroneus]

Well, since the story is actually not real, who knows.

It does serve as a message to the industry about what's not acceptable. That message has come out loud and clear in so many ways against so many companies lately that it stands reason that the industry, and valve especially, will still get the message.

As for dumping games and buying guns? I don't know. The market in that area is still growing. And as elections are getting closer, the price of guns and ammo as well as gasoline are temporarily dropping. And the market is especially interested in women as a growing demographic. So very interesting things are happening there despite the present media hype about gun violence. (They rarely report that it's decreasing every year and has been for a long time and even more rarely report that places with more restrictive gun laws have more gun violence than places without.)

And the US's culture of politically correct fear is just about ready burn itself out as issues are increasingly coming to a head. We're tired of racism. We're tired of fear, hype and hysteria. We're growing more tired of government though admittedly, most don't realize or understand how incredibly dependent on government they actually are. The landscape is shifting even if it's not fast enough for my taste.

Re:Summary that misrepresents the Article... *shoc

[arth1]

DNS names are easily enumeratable, the only reason to emphasize that it's hashes is if you're clueless or dishonest.
From a privacy perspective, they are sending back DNS names, saying that's hashes is only fooling people.

Oh? If they're really easily enumerable, pray tell, which DNS name does the following hash point to?
c0ff3e297157c1e60bc2a2bedb5f6532

BFD

[bigwavedave33]

Use another user profile on your box to play the game that is not an admin. Problem solved

Re:Summary that misrepresents the Article... *shoc

[Gaygirlie]

That doesn't negate the heinousness of them tracking the websites you visit *just* in case you might cheat.

They aren't tracking websites you visit. They are tracking your DNS-requests. They are not the same thing, DNS-requests only show what domain names your system has queried and doesn't even say if the queries have come from the browser, IM, games or anything else -- there is no way for Valve to deduce the websites you've been visiting from these if there's more than one site behind the domain, like e.g. many blogging platforms and such host thousands of blogs under a single domain-name.

Browsing history or DNS cache?

[GameboyRMH]

These are different things.

Also, not to apologize for Valve, but there are games far more invasive than this. Some NFS games (NFS:S2U for one) will trawl your actual browser history to put targeted ads on in-game advertising surfaces. Unless you use a software firewall to block their Internet access ;-)

2 different things

[fluffythdestroy]

Going on a website and getting the info is 1 thing but using that info to your use might be another thing. For example I could go on a cheating website to report it to steam at the end but I have to at least go on the website to verify if the app is available. To steam unfortunately it doesn't matter but it should. The lack of effort from Steams side is surprising as they should involve its users in the fight against cheats instead of fighting against users. Users pay for games, I'm pretty sure some of them wouldn't mind report cheats as I don't know a person who likes to get cheated in games.

Re:Different question

[Jaysyn]

So, what you gonna do about it?

Download the games & crack them, just like I used to do before Steam made them dirt cheap?

Windows

Disconnect from net, Open command prompt, Type: ipconfig /flushdns
Reconnect net.

Not like I have other computers

[FrozenGeek]

Oh, wait. I'm a slash-dotter. I have lots of computers. So I'll Steam on one computer and get cheats on another. Sorry Valve.

nothing related to browsers

[fluffythdestroy]

Its related to your dns cache. In windows you type ipconfig /displaydns to get the info steam could use against you but doing a ipconfig /flushdns might do the trick to flush what steam would use but i don't know when steam fetch the info so the best way is to either use a proxy (some are free as well) or use VM. If you have Windows 7, you could use the XP Mode and after doing some test, whatever you do or go on xp mode, the dns of your host is still clean. So do your cheat or browsing in xp mode then close it down and your dns will always be clean.

wrong fix

Sounds like they are solving the wrong issue. The issue isn't what sites I go to and to be frank that's none of their damned business. I don't cheat on multiplayer, but on single player I download trainers because I don't want to waste time grinding most of the time, and my enjoyment comes from the story. Online cheating punishes the whole server and to think that Steam can solve the issue like this is just plain wrong. This just punishes people for browsing and doesn't stop the cheaters.

Re:wrong fix

[dshk]

I am sure that a visit to a site which distributes cheating tools is only one of the many factors in the evaluation of whether the player is a likely cheater or not.

Better answer

[nurb432]

Just don't support valve with your money for pulling crap like that.

Re:cmake

[hawkinspeter]

Browsing the internet only from a VM is actually the most secure way to do so whether or not you're running Steam. With a VM, you can do some browsing, click on all the most depraved and unsavoury sites and then close it down and revert to a snapshot.

So?

[Travelsonic]

...but all Steam users have agreed to abide by specific online conduct and not to use cheats.

So?
Doesn't necessarily mean "any means necessarily" is necessarily what they agreed to, or legal - especially something to goes that far without being explicitly confined. *sighs* I wish people who cite the EULA, etc not as an argument, but as a shutout to opposing arguments would just shut up and learn that it doesn't cancel out all arguments, particularly since it being written doesn't necessarily mean it's legal, nor does it negate that people will/can have an opinion about it.

Re:Summary that misrepresents the Article... *shoc

[Calydor]

c0ff3e ...

Starbucks.com

Re:Summary that misrepresents the Article... *shoc

[JesseMcDonald]

Oh? If they're really easily enumerable, pray tell, which DNS name does the following hash point to?
c0ff3e297157c1e60bc2a2bedb5f6532

I have no idea, but even you must be able to see that it would be trivial to put together a lookup table of the top million or so domain names indexed on their corresponding hashes. From that you can easily work out the domain name from the hash, without actually reversing the hash function.

even worse yet

[slashmydots]

In case you're not familiar with Steam and VAC, it doesn't work worth a shit and people cheat all the time. It's a complete joke that makes even Punkbuster look good. MW3 was a huge budget game that was ruined by cheaters. It's a complete mess roughly equivalent to a low budget game like Renegade where over 50% of people are shooting through walls with unlimited ammo, etc. That's all on top of VAC too, which does NOTHING.

Re:solutions to this might be drastic

[Immerman]

Good on ya. If you really miss not being able to play many newer games though may I suggest a slightly different perspective? Steam doesn't sell games, they make long-term rentals. And there's nothing wrong with that - I occasionally rent movies, watch hulu, or borrow books from the library - none of which make any pretense to transferring ownership in the first place. As I see it the biggest problems with Steam are twofold:
1) They claim to be selling the games.
2) They charge full purchase price for the rental.

Now (1) is deceptive advertising, and if you consider it worthy of boycott I won't argue, except to point out the general ineffectiveness of a boycott without widespread popularity and organization. But (2) has a solution for the conscientious consumer - wait until the "purchase" price falls to what you'd consider an acceptable rental price, and then rent it. It may take a few years, and the graphics will no longer be quite as impressive as compared to new games, but at least for single-player games the gameplay's all there.

There's also some DRM-free games sold through the Steam storefront, they don't compel publishers to incorporate Steam DRM after all, they just make it easy. I have no objection to such games, and you've got to admit Stream is doing some wonderful things for the indie game market. Plus being a Steam-store customer who will buy full-price DRM-free games but only rents games when deeply discounted is likely to send a far clearer message as to the nature of your objection to those data-mining the sales data.

Re:Summary that misrepresents the Article... *shoc

[PFactor]

What he means is that there are rainbow tables available for many MD5 hashes. There is software that can search hundreds of thousands of possible hashes per second. You don't need to calculate the MD5 hash over, you just have to do a simple text compare, followed by a lookup in the rainbow table. If you have a rainbow table of the major hack sites in which you're interested, I bet it doesn't take more than a second or two to determine if the hash you sent is of one of those sites. Maybe that doesn't fit your definition of easily enumerable, but it fits mine.

The Privacy Policy does NOT...

[Rizzen]

... allow for harvesting of information on your computer. If you read the full agreement you'll see that it specifically states, "By using Valve's online sites, products, and services, users agree that Valve may collect personally identifiable information (as defined below)."

No where does it say they will go through your DNS cache. At best, the policy covers things such as your Name, Address, Phone Number, CC #, etc for billing purposes, and the use of cookies and the like.

Unfortunately the Steam TOS has a binding arbitration clause which effectively keeps you from suing them. (See section 12 of the Steam TOS)

Linky things:
Valve Privacy Policy: http://store.steampowered.com/...
Steam TOS: http://store.steampowered.com/...

avoid Steam

[Tom]

Just one more reason to avoid Steam, and that's even considering that TFA is largely bogus and bans based on this data gathering are a myth.

But that a fucking game center spies on your browser history is crazy. It has no fucking business doing that. Prevent 3rd party tools from accessing the games and modifying them in-memory, etc. - fine with me, that's what I expect with an anti-cheat software. Gather statistics on my online browsing habbits? Quite honestly, this should be illegal and carry jailtime penalties. Why are we giving corporations stalking permissions when private people can go to jail for much less?

Easy to defeat...

[BronsCon]

Gaming rig for gaming, general purpose rig for porn, finding hacks and cheats, and everything else. Duh.

If steam goes that far....

[CTU]

then its time to pull out a second system for web searching and bring in your cheats via flash drive. Steam can only check the system it is running on

Hacking SteamOS to disable VAC?

[tlhIngan]

Given how one of the main points of SteamOS is it's openness - does it make sense to have VAC on it?

I mean, it's a LOT easier to make a Linux kernel module that finds out what the VAC (or Steam) processes are, then having the kernel module modify responses to hide stuff from it.

  I mean, lets say you have an aimbot or other cheat. You can run it on SteamOS, and have the kernel module hide that process (or even the fact network packets are redirected through it) so VAC can't even run anymore.

And I don't see VAC as a kernel module as every component in SteamOS is supposed to be replaceable so even compiling a new kernel is an option.

So I guess the question is - how is Valve protecting against SteamOS cheaters? It's a lot harder to do it on Windows since you have to do a lot of hooking and kernel signing and all that (plus trusting random binaries), whereas on Linux it's way easier to hook things.

Re:There's absolutely no potential for abuse

[ArcadeMan]

Also, do you have to look at so much lesbian porn all the time? There are other things on the Internet, you know.

What do you mean? An African or European lesbian?

Re:No SteamBox for me

[iamacat]

Did you carefully read and understand the lists of permissions before installing these Android games?

Just the first step

[jmcwork]

They are just mining browser history until they get the pre-cogs on-line.

It's either cheating, spying or walled garden

[iamacat]

Once you allow custom software and especially device drivers to run on a box, it is theoretically impossible to automatically discover what that software is capable of doing. Any workarounds are sleazy in some way. Even basic DRM hides stuff and restricts rights of the legitimate owner of the hardware and software.

In this case, the alternative is no or ineffective VAC and, accordingly, not much fun in multiplayer games. I guess it would be nice if Valve gave users the option to opt out of VAC and play on special open servers or only with specific trusted players.

unwise

[DaveGod]

Back when I was a fansite and game admin I'd check the hack sites once per week or so to keep tabs on things.

what is it using ?

[JohnVanVliet]

the $94,000 question is
Is it using System V or System D to look up the dns cache ???????

Re:Summary that misrepresents the Article... *shoc

[_xeno_]

Happily enough, Alexa offers a download of the top million domains. Even calculating the MD5 hash for every domain every time and doing a simple string comparison using node.js, it takes only a couple of seconds to run through every single entry in that table.

arth1's domain isn't in the top million list, though.

But still, there are plenty of sites in the top million list you may not want to share with Valve that you visit, like #83, pornhub.com, or #84, huffingtonpost.com.

My wife is cheating on me

[sandbagger]

Her name happens to be Borderlands 2 --- yeah, her parents are strange -- will Valve help me find out who she's seeing?

sensational

[SkunkPussy]

Some guy has decompiled (what he claims to be) a VAC (Valve Anti Cheat) module that seems to be downloaded and executed when you connect to a game server. He has found code that scans the dns cache, hashes the domain name and adds it to an array.

Its not clear what is done with the data - whether it is compared against a blacklist sent by the server, whether it is used as an anti-proxy measure to verify that the VAC module was downloaded from the correct server, or whether this data is indeed sent to Valve. Tellingly, the guy who found the code where Valve scans the dns cache, has not found any code where this data gets sent to Valve.

So until someone actually finds code that sends this data off to Valve, I'm leaving the pitchfork party early.

See also: http://www.reddit.com/r/Global...

Re:sensational

[Sowelu]

> to verify that the VAC module was downloaded from the correct server...
 
...actually that sounds about right, if not that exactly then something close. I can totally see someone using a HOSTS file to screw around with a security system, it makes sense. In an ideal world, they would only upload very specific entries.

You missed one

[ThatsNotPudding]

Home Owners' Associations

They're almost the perfect example of American Greed: "We forbid _you_ from doing anything that might affect _our_ property values."

Fascists.

Re:There's absolutely no potential for abuse

[Cederic]

Trans-racial lesbian porn is always a tense experience: Which colour will the dildos be?

This is why I stopped buying PC games

[WaffleMonster]

I just want to play I don't want all of your bullshit. Between anti-piracy hoops, spying, forcing Internet connectivity and removing LAN functionality it just isn't worth it.

Please, consider it in context.

[Edgewize]

When you play "Valve Anti-Cheat" (VAC) enabled games, you agree to allow Valve to scan your computer for evidence of cheat/hack programs. This is what VAC does. It's like Punkbuster, Warden, etc - depending on your point of view, it tries to level the playing field for multiplayer games, or it is an invasion of privacy because you have the right to cheat all you want.

Valve's VAC, Blizzard's Warden, etc are all "spyware" by definition. Their job is to find and collect evidence of suspected game-tampering cheats, both known and unknown, and report them. They already sniff your running processes, window titles, loaded drivers, USB devices, filesystem, etc. Scanning your local DNS cache is probably one of the least invasive things that VAC does, *and it only happens when you play games which advertise the VAC feature*.

If you don't like this, don't play VAC-enabled multiplayer games. It's that simple.

Re:Derp

[bluefoxlucid]

Well. I've browsed sites like Milw0rm ad Packetstorm without https. I'm sure there's non-https warez sites... Pirate Bay? So maybe you just don't need HTTPS. Or maybe you just accept the exception for this session, and the 1 or 2 sites you hit you just browse.

Re:Summary that misrepresents the Article... *shoc

[bluefoxlucid]

What blogging platform hosts thousands of blogs under a single domain name?

Yet another reason...

[phoenix182]

I don't use/allow steam or similar programs or services. True or not it's a headache I don't need.

Re:There's absolutely no potential for abuse

[Hamsterdan]

There's even a third type which includes *both*...

Must be true if it's on reddit :)

[DTentilhao]

Must be true if it's on reddit :)

Re:Summary that misrepresents the Article... *shoc

[shutdown+-p+now]

So, would you be okay with everyone knowing that you hit goatse.cx every day at 11pm?

Re:DNS cache really doesn't say that much

[DigitalSorceress]

They do have test servers, but I'm talking about just researching the bot issue - looking up web sites that discussed technical information that maybe WOW would consider "cheat sites" -

Warcraft wasn't using VAC obviously, but I was trying to give an example of researching information that may be on sites that if you looked at my DNS, you might assume I was cheating - In other words: DNS doesn't in and of itself tell the actual story.

Re:DNS cache really doesn't say that much

[DigitalSorceress]

Well, indeed, with the way things are today, you may have a point. /looks nervously over shoulder

Response from Gabe Newell

[gman003]

http://www.reddit.com/r/gaming...

Basically, they're looking only for the DRM servers used by some very specific kernel-level cheats (apparently even cheats have DRM now - and these are not web sites, but DRM servers they're looking for, you won't trigger it by searching for or even buying cheats unless you use them). They do this comparison client-side, transmitting only if there is a match, and only transmitting the hashed value (which is used so the VAC servers can confirm it was a cheat when issuing the ban - otherwise one would be able to forge a "cheat" and get someone else banned). They also only do this scan at all if VAC has detected the cheat in the first place, which they claim has affected less than 0.1% of their users.

Valve is explicitly denying that they are gathering your browser history.

So my overall analysis:
1) If what they say is true, then they're doing everything they can to *not* gather your browsing history, and are only gathering the hashed value to protect users.
2) This should be possible to verify - see if the code doing the checks is triggered at all during normal use, and see what a packet sniffer picks up.
3) Even though I like Valve a lot, after recent events (Snowden, some personal betrayals, etc.) I feel I can't trust anybody. I'll let others do the verification (I'm not technically skilled enough to trust my own work on it), but if it turns out that this is all they are doing, it's a good thing that is very, very close to being a bad thing. If, however, they are not just spying on us but then lying about it, I will be downloading a Steam crack immediately (I spent over $1000 on Steam games, they're mine no matter what the law says) and taking everything into offline mode.

Re:Summary that misrepresents the Article... *shoc

[Buzer]

Youtube?

Beware of iframes

[kyoko21]

I guess the next thing to do is to start making websites with hidden iframes that loads pages of "questionable" content so that it will posion your DNS history. You may not have actually seen the "questionable content" in question, but your browser certainly loaded the content which in technical terms would fall in-line with the profile of this "anti-cheating" system.

It's as if you are assumed guilty of any sex crime simply by walking through the red-light district.

Re:Summary that misrepresents the Article... *shoc

[Gaygirlie]

DNS-cache doesn't cache the times you access the domain, either, or how often. They only cache the fact that such a domain has been queried. It doesn't even say that it has been you who queried the domain -- it could be your IM-application when someone throws you a link to that domain, it could be your browser that just queries the domains for all the links on a site or something completely different.

Re:Summary that misrepresents the Article... *shoc

[shutdown+-p+now]

You're right, it doesn't record the date. But if you monitor it all the time, you'll see the entries come in. And they will have to come in eventually as it is a cache - entries don't stay cached in perpetuity if not regularly visited. OTOH, if the entry does remain in the cache past the usual TTL (which is known), then that website was visited at least once in that period.

Re: IM and browser querying domains... you'll have to explain that to other people when someone tries to blackmail you like that.

Re:Summary that misrepresents the Article... *shoc

[Gaygirlie]

OTOH, if the entry does remain in the cache past the usual TTL (which is known), then that domain was queried at least once in that period.

Fixed that for you.

Re: IM and browser querying domains... you'll have to explain that to other people when someone tries to blackmail you like that.

Eh. I don't. Everyone knows I'm a creep.

Re:Steve Jackson games. On books. copyrighted.

[Anubis+IV]

Explaining the reality of a situation does not imply that one condones it. Don't read between the lines and think that I like the way things are. And unlike you, if I'm stuck making a choice between two crappy options, I'm not going to delude myself into thinking that one is a "good" one just because it's slightly better than the alternative. You seem to be content to do so, however.

EULAs are legal and have been upheld in court repeatedly. I don't like them, but that's how it is. Denying them doesn't make them go away. You're living in a fantasy if you're pretending that the alternative (physical media) which hides them a bit more is a better option. At least my eyes are open and I know what my choices are. You? You're still convinced there's a difference.

And re hacks for non steam games

[doccus]

And if you're getting hacks only for non steam games, and they cut you off, isn't that THEM violating the contract? And where in the steam contract anyways does it say they are entitled to look at your private browsing history? And re offline mode, Valve says there's no time limit and the users say there is.. Who's right?

Is privacy really a non-issue?

[matcheydj]

So basically, shut down Steam completely then run a simple console (e.g., Windows) "1. ipconfig /release all, 2. ipconfig /flushdns, 3. ipconfig /renew"; Not to condone cheating, but this is something that can clog your system if it's having to be constantly checked.

If Steam can access the internet, and be running (to put it plainly) with permissions to install, then it runs as Admin on your stuff -- good luck setting up rules to not have to manually shut down if cheating is something you want to do.

Although, have you seen so-called "cheat" sites? They basically list achievements/trophies for games, because these cheats aren't coded in like they used to be in old consoles. It used to be something fun, I don't know what's happened to the judgement of it.

At the risk of saying too much, is privacy even an issue, really? I was filling out a form today for some website, and it struck me that so many services online have access to our personal information, and copy the same sort of security questions. When you're filling out a form for a new site, would you choose the same security questions and answers if they appear? And, since there are so few "common" security questions, would that be a clue to which question/answer combo you would pick on, for example, a banking site -- given its relative importance to a marginal or third party site (like one for shopping that has your CC info but doesn't hold your actual money). It seems like the more you want to do online, everybody is going to end up with your information. Not really a big deal when you give it some thought. Less stress on you since they won't have to fight eachother over your info, they'll all have a piece, and likely leave you alone. It's like devaluation of the currency of privacy, I guess?

But I digress. Doesn't seem like Valve's changes are that big of a deal - if the old days of button combos are dead, and walkthroughs are plentiful -- then the only cheats that are really out there are console or specific technology hacks that circumvent fair gameplay in a more massively multiplayer world of gaming. To go even further on the privacy bit, why not demand they share it with other parties and see what happens. It would relax controls on gaming companies and you may even get better offers, freeing up the market.

Anyway...