Slashdot Mirror


Report: Valve Anti-Cheat (VAC) Scans Your DNS History

dotarray writes "If a recent report is to be believed, Valve is looking at your browsing history. Reportedly, the company's Valve Anti Cheat system (VAC) looks at all the domains you have visited, and if it finds that you've frequented hack sites, you'll be banned. 'The new functionality has been slammed by gamers, who claim it is "more like spyware than anti-cheat". Valve has not responded to the allegations, but all Steam users have agreed to abide by specific online conduct and not to use cheats. The company's privacy policy also explains that Valve may collect "personally identifiable information", but promises not to share it with other parties.'"

61 of 373 comments

  1. So by aliquis · · Score: 2

    How does one set up rules to block Steam from accessing firefox profiles? (Linux obviously, though guide for Windows is fine too. Also Chrome.)

    1. Re:So by Anonymous Coward · · Score: 4, Informative

      Create a steam user without access to your real user's files. Run steam only as this user.

    2. Re:So by Rosco+P.+Coltrane · · Score: 4, Interesting

      How many Linux users do you think have the idea of sandboxing Valve applications, just in case they might be peeking inside other applications' user data?

      There's no "Linux obviously" about it. It's a matter of trust, and Linux or not, users are far too trusting of the applications they install.

      --
      "A door is what a dog is perpetually on the wrong side of" - Ogden Nash
    3. Re:So by Z00L00K · · Score: 4, Interesting

      Create a separate virtual machine where you do all your clandestine browsing from.

      If the steam engine is able to access the VM and the disks there then they really are insisting on digging through your computer, but I doubt that they will be able to go far with it.

      --
      If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
    4. Re: So by Anonymous Coward · · Score: 5, Insightful

      We shouldn't have to worry about hiding our browser history from a fucking game company. They have no god damn business even taking a peek. I don't care if there is a hidden clause in their EULA that they say allows it. It's wrong, and they know it's wrong.

    5. Re:So by l_bratch · · Score: 3, Informative

      The claim is that the operating system's DNS cache is scanned, not any particular application's history.

    6. Re:So by lagomorpha2 · · Score: 5, Insightful

      Steam isn't a subscription service, you pay full price (ok or wait for sales) for games and they can only be run through Steam. So uninstalling Steam means losing access to the games you've bought through the service unless you pirate them back. This does make me want to delete Steam and cease using the service though.

      I wonder if there are enough irritated users to delete and redownload their entire Steam library enough times to send Valve a high-bandwidth wake-up protest message.

    7. Re:So by ledow · · Score: 4, Insightful

      Why not just run Steam as a different user?

      It's not like Windows where you basically are expected to run everything as one user, create a Steam user which you can only "su" to from certain other users, and then set up a script to automatically make it run Steam only as a user that has access to nothing but Steam.

      But to be honest what's the point? What precisely are they going to do with the hash of a domain name that you looked up, not even visited? The bans are not going to be based on that information. You can't ban someone just because they strayed or were enticed into looking up a domain that might host a cheat, only if they actually use those cheats.

      I reckon they are using it to find similar users and spot trends more than anything else. If a load of confirmed cheaters all have the same hash in their history, but not most people, then it's likely that it's worth looking into other users with that same hash (or at least taking it into account when someone reports a new cheat).

      I'm a Steam fan, it has to be said, but while them looking at my domain history concerns me, they are at least hashing them and they have a full browser in the Steam client. If they want to track my visits, that's infinitely more worrying and does all sorts of cookie stuff (alright, you have to be running Steam and using their browser to visit whatever, but that's still much more info than the hash of a domain I looked up).

      Also, in case you hadn't noticed, the name of domains you looked up all go to your DNS server. If that's not a local one, you're already pushing this information in plain text across the Internet. Please tell me that you're not using Google or OpenDNS before you came to whine on this post.

      Plus, even aside from all the above, there is no real evidence that they are actually transmitting or collecting this information. Someone's just gone into the new anti-cheat modules with a disassembler and seen something suspicious. Doesn't mean that it's even enabled, or not test code. Nobody has yet seen it actually do this stuff (and what would it take? Wireshark and five minutes?).

      If you're using DNSSEC exclusively, didn't read the Steam agreement, are running as a completely unprivileged user (without even access to the name cache, on Linux, presumably?), and can confirm that what is alleged is actually happening, then maybe you have a case to be miffed.

      Otherwise? I have bigger privacy worries every time I send an email.

      P.S. Damn lameness filter, what the hell are you seeing?

    8. Re: So by Anonymous Coward · · Score: 5, Funny

      Reading comprehension must be particularly difficult for you. I am sorry.

    9. Re:So by Immerman · · Score: 4, Interesting

      Still pretty fucking invasive if true. I'm going to have to watch this and, if true, protest. Not quite sure how yet, I'd hate to lose my game library but this sort of invasive behavior can't go unanswered. The "repeatedly redownload your gaming library" idea has some merit if done en-masse along with vocal enough complaints. Perhaps we can dig up the phone number and address of the company executives so we can send our complaints directly to the parties responsible for allowing such a thing.

      --
      --- Most topics have many sides worth arguing, allow me to take one opposite you.
    10. Re:So by Runaway1956 · · Score: 2

      Separate user - or separate machine. Nothing says that my gaming machine is the same as my general purpose machine.

      --
      "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
    11. Re:So by Anonymous Coward · · Score: 4, Insightful

      So you buy games that you can't play unless you have steam? Why would you do that? I play all my games without permission from anyone. I bought them, they belong to me and I play them when I want without some service watching over me. What is wrong with people today... why do you put up with this kind of crap?

    12. Re: So by Runaway1956 · · Score: 2

      While I agree with you - we find ourselves in a world where our government and our corporations have ASSumed the authority to spy on us. I suggest you deal with reality as it is. Let's all learn to hide our history from the likes of Steam, along with Google and all the other trackers out there.

      Run Steam on your real high-tech hardware - and keep everything else on a different machine, or in a virtual machine. Just separate the two, and you're good to go.

      --
      "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
    13. Re:So by l_bratch · · Score: 4, Informative

      I agree that it's very invasive if the list is returned to Valve, however I can't find any evidence that it is. The code originally posted only details the *reading* and hashing of the DNS cache, with no sign of *transmitting* it.

      As far as I can see, numerous headlines and articles since the code was posted have made the claim that the list is sent to Valve, without any evidence.

    14. Re:So by PriceChild · · Score: 2

      Not always... It is my understanding that many games simply use Steam as a handy distribution mechanism. There is nothing to say they must incorporate DRM. I'm pretty sure The Binding of Isaac is a good example...

    15. Re: So by sosume · · Score: 5, Insightful

      This is so wrong and against privacy laws (at least in the EU), this would be equal to the IRS regularly scanning your history to see if you visit sites with tips for tax dodging. The police arresting everyone who visits lockpicking tutorials. The RIAA arresting everyone for possession of an internet account, Or the TSA l.. oh wait, they already do that. But at least the TSA can claim that their work is in the public interest.

      Besides. This is a new definition of guilty by association.

      " all Steam users have agreed to abide by specific online conduct"

      I would say this is only valid while using a Steam product. The way it is worded in TFA sounds more like a lifestyle where you have to abide by their rules at all times. Steam makes it even illegal to cheat in games from their competitors!

      This is so ridiculous, all I can do is wait for the class action lawsuit to commence. Steam is done with, if this turns out to be true.

    16. Re:So by PIBM · · Score: 2

      From TFA, they send themselves MD5 hash of the websites people have visited. Knowing that, I believe that they are using your DNS history signature to compare between players that are cheating. I don't see why they would ban people they aren't sure are cheating, as they certainly don't want to be hit by PR nightmare when people would get banned for no reason. The rare false positive they get at this time is already hard on them, and they go a great way (well, large amount of steam credits happen) to make those people happy when errors really do happen.

      I have looked at websites offering hacks myself, and that was mostly to know what I was against; I don't want to ragequit out of a game when the players are really good, but I certainly don't want to provide free kills to cheaters. Being able to recognize the difference is important, and knowing their arsenal helps a lot in that department.

      Oh well, I've not been playing competitive steam games in a while anyway.

    17. Re:So by Nationless · · Score: 5, Insightful

      They also offer a variety of services which I greatly appreciate in this day and age.

      I don't have to lug around all my cds/dvds/Floppies every time I move and honestly I've gotten rid of all my physical media (external hard-drives excluded) about 2 international moves ago.

      It automatically keeps all my games up to date, no more Battlefield 1942 patch hell.

      As a store front it allows me to keep up to date on game releases and even pre-load certain titles.

      Steam sales.

      A robust offline mode which automatically works as long as you've downloaded the game and run it a single time while being connected online.

      I use it as a unified launcher.

      I use it as a communication tool dedicated to getting in touch with other people I know who are playing games and can easily organize matches of any game on our collective steam lists.

      Also not all games come with the steamworks DRM and can be run freely without steam even being installed on the system. Granted you have to download it through Steam first, but that would apply to any digital store front. Not to mention I've never noticed the DRM in action, making it the most non-intrusive form so far and if it doesn't even bother me, I don't see much reason to rage about it if it means that Steam is more likely to stay in business.

      I no longer have to input CD-keys or even worry about where I've physically kept the myriads of manuals containing them and installing software is as quick as simply wanting to play something and double clicking the title and download/installation is automatic. I don't have as much time to waste on gaming as I used to so streamlining it is in my best interest.

      Having to live with the "fear" that one day my games will be gone is like worrying that a Jumbo jet will land on my house. Honestly, I'd just pirate the games I'd lost.

    18. Re:So by Anubis+IV · · Score: 4, Informative

      why do you put up with this kind of crap?

      Cost, convenience, and a lack of alternatives.

      I license the right to play a game from Steam, usually for dirt cheap prices, and in exchange, it's available on any Internet-connected computer I own. Should I lack an Internet connection, it's possible to enable an offline mode as well, allowing me to continue playing regardless of my lack of a connection.

      Games haven't been owned by anyone for a long time now. Even buying a physical disc is just buying a license to play the game, which can and does get revoked in cases of abuse (see: Halo 4, Call of Duty: Ghosts, Diablo III). Of the companies out there that are licensing games to customers, Steam is relatively permissive, and it's rare that a typical gamer will run into issues with them.

    19. Re:So by goarilla · · Score: 2

      No it does not, most vm software implement a virtual network card at a low level.

    20. Re:So by FatdogHaiku · · Score: 3, Insightful

      Cancel subscription, uninstall steam and move on.

      Oh come on, this anti cheating detection simply demands that we cheat it!

      --
      You have the right to remain sentient. If you give up the right to remain sentient, you will be elected to public office
    21. Re:So by BlueMonk · · Score: 4, Interesting

      The reason I *started* using Steam was because I bought a game in a store only to find when I got it home that it was pretty much a dummy disk that just made me install Steam and download the game in order to play it. The game was Civilization V. I don't get outraged by much, but come to think of it, that kind of is an outrage, but one just borderline enough that I was willing to accept it rather than not play the game. I don't/didn't know what else to do.

    22. Re:So by geminidomino · · Score: 4, Insightful

      You forgot

      *) Possibility to cancel your business relationship with Valve and keep playing the games you paid for.

      Oh, wait.. No you didn't.

      DRM is DRM, and there's no such thing as "DRM done right."

    23. Re:So by ArbitraryName · · Score: 2

      Steam isn't a subscription service,

      You should probably read the things you agree to. Steam is most definitely a subscription service.

    24. Re:So by DrGamez · · Score: 2

      BUT WHAT IF THEY SHUT DOWN?*

      *and there was no advance notice?
      *and you had no way of backing up all these old games?
      *and all your computers stop working the day before the shut down?
      *and video games become illegal?
      *and we reach the heat death of the universe?

      Yeah, I bet you VALVE-APOLOGISTS will really be loving your DRM then.

    25. Re:So by Anubis+IV · · Score: 2, Interesting

      *) Possibility to cancel your business relationship with Valve and keep playing the games you paid for.

      That same complaint applies just as well to physical copies of games as it does virtual ones, and is really a complaint about the licensing model used in the software industry, rather than being a complaint about DRM.

      When you purchase a game disc at your local retailer, you're merely purchasing a license to play the game. That's the nature of your business relationship with Ubisoft, EA, or whoever. As such, canceling your business relationship with them would mean rescinding your licenses. For a physical game, the way you'd do that would be by snapping the game discs in half, deleting any copies of the games that you had made, and refusing to make use of their services.

      But no one does that, not even you, since you'd still like to play those games, as you said.

      Instead, if you never want to deal with Ubisoft or EA again, what you'd actually do is refuse to buy anything more from them. You don't cancel your business relationship, since that would mean being unable to play your games. You'd simply refuse to expand your relationship with them further. So why would you apply a different standard to Steam?

      If you never want to interact with Steam again, you wouldn't cancel your business relationship with them, since that would mean terminating the licenses you had to play their games (i.e. the digital equivalent of snapping the game discs in half). Rather, you'd simply enable offline mode and be done with them. You can continue to play the game for as long as you like, can make backup copies of the game, and can continue enjoying it hassle free.

      As such, I really don't see what your complaint about DRM is here, since your complaint is really just aimed at the licensing model used by the software industry as a whole. The only way that DRM is involved is inasmuch as it's used to enforce the license, but, as I just pointed out, Steam itself is exceedingly permissive (some games have their own DRM, but that's a separate issue from Steam). It does have limits not imposed by physical media (just as physical media has limits not imposed in the digital world), but the limit you cited is not one of them.

    26. Re: So by ArcadeMan · · Score: 2

      He's running Slashdot inside a VM and using a virtual keyboard and mouse to hide his clandestine non-work-related browsing, give him a break.

    27. Re:So by eu_virtual · · Score: 5, Funny

      Gabe Newell has stated that if we reach the heat death of the universe, you can get a new account with all your games on the next one. You just have to provide proof that you came from this universe.

      Of course you have to move to a universe where steam exists, but I think you'll find valve is operating on most of them.

    28. Re:So by Sperbels · · Score: 4, Insightful

      * or, what if they disable your entire game library because you visited a blacklisted website.

    29. Re:So by LoRdTAW · · Score: 2, Insightful

      What games are those? Console? Older PC games?

      Steam and their competitors make it easy to buy, download and play games. Even if you don't want Steam you have few options: buy the actual game on CD or DVD (and have it loaded with buggy malware-like copy prevention and needing the CD/DVD when you want to play) or a publisher's distribution platform which works just like Steam. Downloading the game makes so much more sense in the internet age and I would never go back to buying physical media copies.

      Steam and steam like service benefits:
      - I can pre-order, buy or gift a game instantly from my PC, no running to stores, shipping or waiting for packages.
      - Instant download. Buy the game and play it once it's downloaded which can easily happen in under an hour.
      - NO CD/DVD's needed and no storing of bulky media and packaging. Who wants a shelf full of plastic taking up space and collecting dust?
      - Built in communications. My brother and I once played a game of TF2 while casually chatting using the Steam voice chat. It was an amazing thing to be able to casually talk as if he were next to me yet still be able to play the game and use its voice to talk to teammates.
      - I can log into another PC using my Steam ID and I instantly gain access to my games. No lugging around any media.
      - You can't lose the media. Remember old games and their copy protection? "Turn to page 42 of the manual and enter the second word in the third paragraph" or one that I hated until I got a cracked version from a friend who was a BBS master, Quarinitine. It had a dark red card the size of a sheet of paper with black almost unreadable text (to prevent photocopying). It was a chart you used to look up a set of numbers and then enter the corresponding code to play the game. Those were the devil, lose that card or manual and you were screwed.

      disadvantages:
      -no refunds. Easy - play the demo, look for recommendations/reviews or don't buy it, I haven't regretted one purchase yet (well maybe crysis 2 but that was because its gameplay sucked compared to the original but on a whole it was pretty fun).
      -sometimes there are connection/server issues but they usually clear up within hours or a day. You won't die from not playing games.
      -off line might crap out. But honestly, who uses that? Only two scenarios need off-line mode: places where the internet is flaky and prone to outages OR you are away from home like on a business trip or vacation. If you are part of the former, then the problem isn't Steam, it's your shitty internet. If you are the latter then I assume you have better things to do than play games. Go out and have some fun. That or people just like to bitch about a non-issue just to bolster their prejudice against a media distribution platform. They could be paid shills but I digress.

      Since using Steam from the day it was released (after the beta AIM looking days), I have only had two or three connection issues with Steam cloud syncing. They were steam server issues that went away within a few hours, no big deal. Contrast that to my last run-in with copy prevention CD malware like securom which randomly crashed, randomly locked up my pc on launch or permanently changed my mouse cursor to a rainbow colored CD until I rebooted (after it randomly crashes). I actually had to download a crack for Crysis just to play the fucking game without securom (aka suck-rom). And of course what if you lose or damage the CD/DVD? How do you play your copy protected need-the-cd-to-make-sure-you-aren't-a-thief game? Screw that.

    30. Re:So by chris200x9 · · Score: 2

      Not really, you only use games that use steam DRM. If your game is DRM free just back it up, delete steam, double click the binary and watch it launch. Steam itself is just a distribution service not a DRM. Sorry I might be a bit off topic but I'm just really annoyed at the "ZOMG steam is DRM!" crowd at the moment. Steam makes DRM available blame the publishers for using it not steam. Nowhere is a DRM mandate.

    31. Re:So by Arker · · Score: 2

      It would be nice to know exactly what they are doing with it, but it seems fair to assume they are doing something with it or it wouldn't be collected in the first place.

      And I can't think of anything, however far-fetched, that they could be doing with it that would be legitimate.

      --
      =-=-=-=-=-=-=-=-=-=-=-=-=-=-
      Friends don't let friends enable ecmascript.
    32. Re:So by Cederic · · Score: 2

      You're making wild assumptions here.

      You're assuming the MD5 hashes are used as part of anti-cheat detection, not just because Valve want to know which porn you enjoy.
      You're assuming that MD5 clash rates are materially significant.
      You're assuming that accessing a cheat site is deemed cheating and leads to a ban.
      You're assuming that bans are based on single data points.
      You're assuming that VAC automagically determines you're a cheat and that there isn't a human review involved.

      Steam isn't perfect, but please, do try and at least base your wild speculation on some modicum of common sense.

    33. Re:So by Sowelu · · Score: 4, Informative

      Worth noting that VAC doesn't lock you out of running games or delete your account, it just prevents you from playing multiplayer on VAC servers. VAC is a voluntary-to-publisher service that Valve offers to creators of multiplayer games. If a publisher says "yeah, if someone cheats on a different game then we don't want them playing on our servers either", they can do that...it's pretty much the same as publicly shared email blackhole lists. If you have a problem with a publisher putting VAC in their games, complain about them and not Valve.

      Many (most?) multiplayer games that let players run their own servers give an option of running a non-VAC one, or to connect directly to IP, whatever.

      Seriously...even if Valve didn't run VAC, someone else would run an equivalent service (can you say Punkbuster?). All it takes is for one or two companies to say "hey we have this way to detect cheaters, why don't we share the steam keys of the cheaters we find and keep them from playing online on our servers", and there you go.

    34. Re:So by jxander · · Score: 2

      A few reasons, but the sales are the biggest ones.

      If you buy a AAA retail game (that originally sold for $60) for $5, you've gotta know that there are going to be some strings attached. If you're willing to deal with those strings, well, you just saved yourself a bunch of money.

      There are other benefits. I've never once had to deal with scratched or lost disks, backwards compatibility or multiple systems.

      Of course there are negatives as well ... and whether or not it balances out, up to each person to decide.

      --
      This signature is false.
    35. Re:So by lgw · · Score: 2

      BUT WHAT IF THEY SHUT DOWN?*

      I have far more important things to worry about in life than some games. If Valve craters, there will be a new outlet for games (maybe we'll get lucky and there'll be a move to GoG). As long as the risk-adjusted price I pay is fine, I don't see the problem.

      As with everything in life, you pays your money and you takes your chances. The chances that Valve will vanish in the next few months, while I'm still heavily playing whatever game I just bought, are quite small.

      --
      Socialism: a lie told by totalitarians and believed by fools.
    36. Re:So by Anubis+IV · · Score: 4, Insightful

      Nonsense. I don't buy licenses. I buy games.

      No, you don't (unless you're representing a game publisher or developer, in which case maybe you do). Read the fine print included with any game you buy today on physical media. You bought the disc, so you generally have the right to resell the disc, and the licenses are transferable as well, so it gives many consumers the illusion of ownership, but the fact is, you don't own any of the games that you've "bought". That's why companies are legally capable of cutting off customers who break rules in their games. I provided links to several examples a few posts back in this thread.

      I'm not suggesting I like that it's this way, mind you, nor that it should be this way. I'm merely pointing out that it's the reality of the situation. Having you deny it doesn't magically make it untrue.

    37. Re: So by master5o1 · · Score: 2

      No other crap, not no crap.

      --
      signature is pants
    38. Re:So by reve_etrange · · Score: 2

      they can only be run through Steam

      A lot of games, including multiplayer games, can be run without simultaneously running steam. You have to launch the applications directly from the steam library directory, but steam doesn't need to be running.

      --
      .: Semper Absurda :.
    39. Re:So by Anubis+IV · · Score: 2

      A EULA is not a contract because it lacks the required elements of a contract, and it is not a license either, because it grants NO license! Instead, it purports to impose an anti-license, that is to impose draconian limits far above and beyond what copyright law provides, unilaterally. There is no legal principle to support this, other than 'who has the gold makes the rules.'

      Go look up contracts of adhesion. IANAL, but this is basic stuff that anyone on Slashdot should know since it's of vital importance to the software industry and has been repeatedly upheld by the courts. Ignorance of them is no reason to stick your fingers in your ears and act as if they don't exist.

      If you want to make an argument that their terms are unconscionable, that's one thing, but you're arguing that the contracts simply don't exist. I'll agree that there may not be an ethical basis for what they're doing or that some specific contracts may not be upheld in court, but let's not pretend that there is a lack of a legal basis for what they're doing in general.

    40. Re:So by slimjim8094 · · Score: 2

      It doesn't matter.

      Look, when I was a kid, I used to play Counterstrike pretty seriously. I was curious about these cheats that I kept seeing on VAC-secure servers, so I went and found some and played around with them - on VAC-insecure servers, of course*. They're really cool bits of code that hook into the game and understand the engine well enough to find the head "bone" and wait for it to come into the player's view. Being a coder, I wanted to know how they worked - not to write my own, but software that hooks into other software is fairly unusual, and thus, interesting to my teenage self.

      Anyways, since I was just looking around (and not willing to pay/join the "clubs" that made new undetected hacks), the aimbot I had was definitely no secret and surely would've gotten me banned if I'd played on a VAC-secure server. The deal was - cheat on a secure server, get banned. But the counterpoint is - cheat on an insecure one, no problem. It felt really fair - joining a secure server is an agreement not to cheat, and if you do, you're banned.

      If this story is true, it completely changes that agreement. Presumably it's a "once a cheater, always a cheater" attitude, but that's not really fair. The cool thing about VAC was that it was indisputable. It doesn't make mistakes - you knew categorically that someone who was VAC-banned had broken the agreement by having cheat code loaded while connected to a secure server. So there was no arguing, pleas, etc - they were a cheater, they had cheated in a game that was annotated "no cheats". This would completely change that dynamic, and Valve is really careful about that kind of thing, so I'm suspicious that this is as-reported.

      *Before somebody chews me out for cheating anywhere - first, it was only on cheat servers (all players were using them), and second, it only makes sense to view the active decision to turn off VAC (it's on by default) as a decision to allow cheaters.

      --
      I have developed a truly marvelous proof of this comment, which this signature is too narrow to contain.
  2. Oh good by Anonymous Coward · · Score: 2, Insightful

    So security researchers who also game are pretty much screwed then?

    1. Re:Oh good by Anonymous Coward · · Score: 4, Insightful

      Security researchers? Most game server admins I know (at least, the good ones) will browse hack sites/videos, so they know what's out there and what to look for. Unless it started very recently, they're not doing any banning for this.

  3. Summary that misrepresents the Article... *shock* by Puls4r · · Score: 5, Insightful

    Actually, the article doesn't say anyone has been banned using the data. It specifically says that NO one currently knows what happens with the data. So that's a pretty large red herring. That doesn't negate the heinousness of them tracking the websites you visit *just* in case you might cheat. Very NSA-esque.

  4. ipconfig /flushdns by gatkinso · · Score: 5, Insightful

    Done.

    --
    I am very small, utmostly microscopic.
  5. Article based on REDDIT post by Anonymous Coward · · Score: 5, Funny

    The article is based on a REDDIT post. We all know they are always 100% accurate and credible. They did catch the Boston bombers after all!

    journalism at its finest.

  6. DEBUNKED by Anonymous Coward · · Score: 5, Informative

    This story is being debunked in the original reddit thread.

    http://www.reddit.com/r/technology/comments/1y4za5/steams_vac_now_reads_all_the_domains_you_have/

    1. Re:DEBUNKED by makomk · · Score: 2

      For values of "debunked" equal to "people clueless about how VAC works are loudly insisting that it's not true, and being believed because Valve fanbois". (Amongst other issues, you won't find the code of any VAC modules in Steam's or the game's DLLs because they're downloaded from the server at runtime in order to make them harder to reverse-engineer and block.) Someone later in the thread has apparently tested and found that stuffing the DNS cache with bogus entries increases the amount of SSL-encrypted data VAC sends back by almost exactly twice the size of the MD5 hashes of all those entries, and clearing the cache returns the amount of data sent back to what it was. (It may not necessarily be possible for others to replicate this, as I recall one of VAC's anti-reverse-engineering measures is that different people receive a different subset of the payload modules. So far no-one's tried though, they've just said it's not proof enough.)

  7. Re:Summary that misrepresents the Article... *shoc by moronoxyd · · Score: 2

    Luckily, not everyone lives in the US.
    Some countries have different laws, even consumer protection laws that are worth that name.

    And yes, even companies operating out of the US have to conform to at least some of these laws if they want to do business in Germany/Europe. And yes, they WANT to, because Europe is not an insignificant market.

  8. Re:Summary that misrepresents the Article... *shoc by Anonymous Coward · · Score: 2, Informative

    > Indeed, it also says the actual entries themselves are not sent back, but only the hashes

    DNS names are easily enumerable, the only reason to emphasize that it's hashes is if you're clueless or dishonest.
    From a privacy perspective, they are sending back DNS names, saying that it's hashes is only fooling people.

  9. another workaround. if you care by goombah99 · · Score: 2

    flush the dns cache before you launch steam:
    on a mac that command is:
    sudo killall -HUP mDNSResponder

    However, since steam is normally installed with admin permissions it may very well be running some sort of spyware daemon that is violating your privacy even when the application is not running, making that dodge useless. Since they are willing to go that far I would not put it past them to also be running a spyware daemon as well.

    --
    Some drink at the fountain of knowledge. Others just gargle.
    1. Re:another workaround. if you care by Carewolf · · Score: 2

      No, on Debian, I run steam as a normal user under user credentials. It doesn't launch any daemons, and has no suid executables, but it does have read/write access to all local files which includes saved history of browsers. Will do strace when I get home. Should be interesting.

  10. Re:Browsing history? by X0563511 · · Score: 2

    Last I checked that doesn't do shit about your OS' DNS cache.

    --
    For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
  11. Re:Workaround by dshk · · Score: 2

    Players who are frustrated by cheaters are also ready to boycott Steam. If I were Steam, I would serve my frustrated, honest users. We also maintain a gaming site, and you cannot believe how many people get angry because of cheaters.

    I have no issue if they only check for domains or only selectively download the list. But I use three different machines for gaming, development, and system administration.

  12. Re:Different question by Jaysyn · · Score: 2

    So, what you gonna do about it?

    Download the games & crack them, just like I used to do before Steam made them dirt cheap?

    --
    There is a war going on for your mind.
  13. Re:Summary that misrepresents the Article... *shoc by JesseMcDonald · · Score: 2

    Oh? If they're really easily enumerable, pray tell, which DNS name does the following hash point to?
    c0ff3e297157c1e60bc2a2bedb5f6532

    I have no idea, but even you must be able to see that it would be trivial to put together a lookup table of the top million or so domain names indexed on their corresponding hashes. From that you can easily work out the domain name from the hash, without actually reversing the hash function.

    --
    "The state is that great fiction by which everyone tries to live at the expense of everyone else." - Bastiat
  14. Re:Summary that misrepresents the Article... *shoc by PFactor · · Score: 2

    What he means is that there are rainbow tables available for many MD5 hashes. There is software that can search hundreds of thousands of possible hashes per second. You don't need to calculate the MD5 hash over, you just have to do a simple text compare, followed by a lookup in the rainbow table. If you have a rainbow table of the major hack sites in which you're interested, I bet it doesn't take more than a second or two to determine if the hash you sent is of one of those sites. Maybe that doesn't fit your definition of easily enumerable, but it fits mine.

    --
    Don't believe anything I say. I crash test crack pipes for a living.
  15. Re:There's absolutely no potential for abuse by ArcadeMan · · Score: 2

    Also, do you have to look at so much lesbian porn all the time? There are other things on the Internet, you know.

    What do you mean? An African or European lesbian?

  16. Re:Summary that misrepresents the Article... *shoc by _xeno_ · · Score: 2

    Happily enough, Alexa offers a download of the top million domains. Even calculating the MD5 hash for every domain every time and doing a simple string comparison using node.js, it takes only a couple of seconds to run through every single entry in that table.

    arth1's domain isn't in the top million list, though.

    But still, there are plenty of sites in the top million list you may not want to share with Valve that you visit, like #83, pornhub.com, or #84, huffingtonpost.com.

    --
    You are in a maze of twisty little relative jumps, all alike.
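
The lookup-table point made in the comments above, shown as an added example that is not part of the original thread or anyone's actual tooling: an unkeyed MD5 of a domain name can be turned back into the name by anyone holding a candidate list. The candidate names, the `.invalid` host and all function names are constructed for illustration.

```javascript
// Added example: why sending MD5(domain) is equivalent to sending the domain.
const crypto = require("crypto");

// Normalise the way a cache would present a name: lower case, no trailing dot.
function normalise(domain) {
  return domain.trim().toLowerCase().replace(/\.$/, "");
}

function md5Hex(domain) {
  return crypto.createHash("md5").update(normalise(domain), "utf8").digest("hex");
}

// One pass over a candidate list (for instance a top-sites list) gives hash -> name.
function buildLookup(candidates) {
  const table = new Map();
  for (const name of candidates) table.set(md5Hex(name), normalise(name));
  return table;
}

// Split received hashes into those the table can name and those it cannot.
function resolveHashes(table, hashes) {
  const resolved = new Map();
  const unresolved = [];
  for (const h of hashes) {
    const key = h.toLowerCase();
    if (table.has(key)) resolved.set(key, table.get(key));
    else unresolved.push(key);
  }
  return { resolved, unresolved };
}

// Constructed sample data: reserved example names, not a real top-sites list.
const candidates = ["example.com", "example.org", "Example.NET.", "forum.example.com"];
const table = buildLookup(candidates);

// What a recipient would hold: hashes only, one of them for a name outside the list.
const reported = [
  md5Hex("example.org"),
  md5Hex("forum.example.com"),
  md5Hex("private-host.invalid"),
];
const result = resolveHashes(table, reported);

console.log("recovered:", [...result.resolved.values()]);
console.log("not in candidate list:", result.unresolved.length);
```

Names absent from the candidate list stay unresolved, which is the case of the domain that was not in the top million; everything else is recovered by a plain map lookup, so privacy here depends on what is transmitted, not on the hash.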
  17. You missed one by ThatsNotPudding · · Score: 2

    Home Owners' Associations

    They're almost the perfect example of American Greed: "We forbid _you_ from doing anything that might affect _our_ property values."

    Fascists.

  18. Response from Gabe Newell by gman003 · · Score: 4, Insightful

    http://www.reddit.com/r/gaming...

    Basically, they're looking only for the DRM servers used by some very specific kernel-level cheats (apparently even cheats have DRM now - and these are not web sites, but DRM servers they're looking for, you won't trigger it by searching for or even buying cheats unless you use them). They do this comparison client-side, transmitting only if there is a match, and only transmitting the hashed value (which is used so the VAC servers can confirm it was a cheat when issuing the ban - otherwise one would be able to forge a "cheat" and get someone else banned). They also only do this scan at all if VAC has detected the cheat in the first place, which they claim has affected less than 0.1% of their users.

    Valve is explicitly denying that they are gathering your browser history.

    So my overall analysis:
    1) If what they say is true, then they're doing everything they can to *not* gather your browsing history, and are only gathering the hashed value to protect users.
    2) This should be possible to verify - see if the code doing the checks is triggered at all during normal use, and see what a packet sniffer picks up.
    3) Even though I like Valve a lot, after recent events (Snowden, some personal betrayals, etc.) I feel I can't trust anybody. I'll let others do the verification (I'm not technically skilled enough to trust my own work on it), but if it turns out that this is all they are doing, it's a good thing that is very, very close to being a bad thing. If, however, they are not just spying on us but then lying about it, I will be downloading a Steam crack immediately (I spent over $1000 on Steam games, they're mine no matter what the law says) and taking everything into offline mode.