Gabe Newell Responds: Yes, We're Looking For Cheaters Via DNS
dotarray writes "Valve has stepped up to answer allegations that the company's anti-cheat system was scanning users' internet history. Rather than a simple, sanitized press release or a refusal to comment on 'rumours and innuendo,' Valve CEO and gaming hero Gabe Newell has personally responded."
Newell or not, not everyone will like the answer. The short version is that Yes, Valve is scanning DNS caches, with a two-tiered approach intended to find cheating users by looking for cheat servers in their histories. Says Newell: "Less than a tenth of one percent of clients triggered this second check, accessing the DNS cache. 570 cheaters are being banned due to DNS searches."
Sorry Gabe, you're not allowed to see my DNS history. You aren't allowed to see GabeNewellNatiliePortmanHotGritsFanFiciton.net in my history. That's not allowed.
Is this search in the TOS, or is it an "unauthorized" search?
This issue is a bit more complicated than you think.
I know in the olden days, I just assumed everybody else was cheating (they usually were), but how common is cheating now that VAC has been around for a while?
The biggest part of his announcement is that this checking is done client side; your DNS history is not sent to Valve. They also only record MD5 hashes that match the cheat sites they are looking for, not your entire DNS history. Finally, they claim to only check for DNS lookups of servers used by the cheat software itself, not just websites where you might read about and download cheats (although in some cases I imagine these could be the same), and use this as a second check after the client has already detected a cheat installed on your machine. So simply visiting cheat software websites without using them shouldn't get you banned.
I trust Valve more than the NSA.
The NSA doesn't protect me against hackers.
No need to check your DNS history to tell you haven't visited OhNowIGetTheJoke.net
They did not look at DNS histories of your browsing... there are cheats that have their own DRM that phone home to the cheat server to make sure you paid for the cheat (/irony). All Valve was looking for was the phone home to the cheat servers, not your bloody porn searches, or even visiting a cheat website.
The more I see stories about various programs accessing all sorts of stuff they aren't supposed to, the more I wonder why we still allow this? I use my browser for something, there shouldn't be any other program on the computer that knows about it. It's time we eliminate this idea that every app has access to every file on our computers. I really don't understand why sandboxing every app is not only not the default, but also very rarely even available on most operating systems.
It seems these days most apps are hostile to the users, it's time we treated them as such and stopped letting them have the run of our computers.
VAC looks for the DRM servers that ensure you're a paying user of the cheat. Check the Reddit post.
Not cheat sites. Specific non-web servers that the cheat software "phoned home" for authentication, since cheats are paid software and therefore have their own DRM. Valve was never even made aware of anyone just browsing a cheat site.
It should also be noted that VAC no longer does this check, as devs of cheat software have figured out how to manipulate their clients' DNS cache.
Assuming Gabe is being truthful when he states that this is a secondary check triggered by some other evidence for cheating, then just visiting these sites wouldn't be enough.
It's suspicious activity (reported by players? detected through other methods? not sure) that triggers the additional check(s).
Then it's a good thing that the DNS scan is only for verification purposes in the second stage of the anti-cheat process.
It's not an issue of viewing cheating sites; Steam is looking for DNS lookups performed on DRM servers (not the Steam ones). Many cheats are paid-for so, in a cruel twist of fate some might say, they use DRM to check if the cheater has paid for the privilege of doing so.
gaben himself has said that this tactic only lasted a matter of weeks anyway, until the cheatware started futzing around with the player's DNS cache to avoid these checks.
If God forks the Universe every time you roll a die, he'd better have a damned good memory.
I recently got banned from battlecraft (or whatever it is called) for cheating. That includes warcraft, diablo, starcraft, others?
But here is the thing; I have not even logged on to play any of those games in over 3 years.
The vendor has come to a flawed conclusion I cheated, and prevented me from playing games I have spent hundreds of dollars for.
Mr Newell, I suggest that some, if not most of your apparent cheaters, are due to YOUR company's lack of technical skill. Stop punishing the innocent for that.
slashdot troll = you make a compelling argument I do not like the implications of.
Mind you, it's less checking if you visited a site and more if your computer accessed a proscribed host.
Many of the cheats VAC is checking for are not only sold, but protected by a form of DRM that checks an authorization server before they let you use the cheat. VAC is more often looking to see if your computer is connecting to the authorization server; e.g., they are more interested in seeing if you visit authorization.cheaters.com than forums.cheaters.com
Not that I think that is much better, and I imagine that - especially now that the method has become common knowledge - it will become far less effective. The hacks will probably start using some sort of commonly used proxy to redirect and obfuscate the authentication request; perhaps the next version of WallHack.exe will come bundled with a TOR client.
Of course, the best option would be to give customers a choice: play on sponsored, VAC protected servers - albeit at a cost to your privacy - or allow VAC to be turned off and play the game on player-hosted servers, where you may (or may not) encounter people using cheat tools.
They explain that these are non-www servers, so you can't visit them. They are used directly by the apps to find their license servers, it's not the servers where you can download the files.
And if you need to visit cheat sites for this, I would open them in some VM since these aren't the most trustworthy sites.
One point that I don't think a lot of the commenters are getting is that it isn't the actual "cheat websites" that are getting detected by this system; the system doesn't even check for them.
As Gabe explained, most cheating software uses DRM, similar to that of games themselves, which "phones home" to the cheat software publishers to ensure that all of the users of the software are actually paying for it. These "DRM servers" will have their own domain names, and it's these domain names which VAC is looking for. This is to avoid flagging people for simply having visited the cheat website.
It's also worth pointing out that this check is only triggered *AFTER* VAC has already detected that the player is cheating through other means, it can be thought of as a second factor of cheat authentication. This means that players can't get "tricked" into being VAC banned by having malicious javascript on a website causing their PC to perform DNS lookups on these blacklisted domains, as they won't even be checked by VAC unless the player is detected as cheating through other means.
That being said, there's always the possibility of false positives, and if you combine that with the malicious javascript mentioned above, you could just be incredibly unlucky and accidentally get VAC banned.
An exodus of cheaters wouldn't be a bad thing. Note that the DNS scan is only after the software detects a cheat.
I don't like the answer, but it could be worse, and it's nice the director answered honestly.
From the actual article: 1) This is no longer in operation; it was only running for a couple of weeks in the constant cat-and-mouse game with cheat developers. 2) It was targeted at the DNS for DRM servers which cheat authors used to SELL cheats to PAYING customers. The system simply reported if the MD5 hash matched the DNS for the known cheat DRM servers, once the cheat had been detected during gameplay already. The DRM servers were not running a website.
You seem the only person to actually go and read that article.
Gabe Newell's watching me~ http://www.youtube.com/watch?v...
Despite that, you might get banned, because you visited and used a cheat for a single player, which will have the exact same symptom as cheating for, say, TF2 (primary and secondary DNS entries).
C. Sagan : A demon haunted world:
http://www.amazon.com/gp/product/0345409469/
visit randi.org
Why not just shuffle anyone detected cheating into a separate game room? If they're paying customers, then they can all cheat together, and everyone wins.
I used to have a sig, but I set it free and it never came back.
The point is that these aren't sites you would normally visit out on the interwebs. It's a bit like saying "oh but what if I somehow stumbled upon udashdiasd.dashbduiqidasdjkasd.dasbdaskd.hdasuida.something.com?" when the only known vector for ever hitting up udashdiasd.dashbduiqidasdjkasd.dasbdaskd.hdasuida.something.com is through a piece of malware, and complaining that your anti-malware package threw up a red flag.
More specifically, your comment's subject:
- http://www.reddit.com/r/gaming...
Add to that that this check only occurs if VAC has already detected something fishy going on. So even if you did deliberately hit up these DRM servers (for science / research / because you want to lower the SNR for VAC).. unless you're actually using the cheat, VAC doesn't much care.
At least, them's the claims.
It should only trigger the dns check if VAC believes you are cheating.
VAC checked for the presence of these cheats. If they were detected VAC then checked to see which cheat DRM server was being contacted. This second check was done by looking for a partial match to those (non-web) cheat DRM servers in the DNS cache. If found, then hashes of the matching DNS entries were sent to the VAC servers. The match was double checked on our servers and then that client was marked for a future ban.
Emphasis mine.
I don't care if I'm wrong. I only care about everyone obtaining something from the discussion.
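Added example (not part of the original thread and not Valve's code): a Python sketch of the two-stage flow in the quoted explanation above, where the DNS cache is consulted only after a cheat detection and only MD5 hashes of matching entries are reported. The sample `ipconfig /displaydns` output, the watchlist domain `cheat-drm.example`, the function names, and the reading of "partial match" as a parent-domain suffix match are all assumptions.

```python
import hashlib
import re

# Constructed sample in the layout printed by `ipconfig /displaydns` on Windows.
SAMPLE_DISPLAYDNS = """\
Windows IP Configuration

    www.example.org
    ----------------------------------------
    Record Name . . . . . : www.example.org
    Record Type . . . . . : 1
    Time To Live  . . . . : 120
    Data Length . . . . . : 4
    Section . . . . . . . : Answer
    A (Host) Record . . . : 192.0.2.10

    auth.cheat-drm.example
    ----------------------------------------
    Record Name . . . . . : auth.cheat-drm.example
    Record Type . . . . . : 1
    Time To Live  . . . . : 300
    Data Length . . . . . : 4
    Section . . . . . . . : Answer
    A (Host) Record . . . : 198.51.100.7
"""

RECORD_NAME = re.compile(
    r"^[ \t]*Record Name[ .]*:[ \t]*(\S+)[ \t\r]*$", re.MULTILINE
)


def md5_hex(name):
    """MD5 of a normalised host name (lower case, no trailing dot)."""
    return hashlib.md5(name.lower().rstrip(".").encode("utf-8")).hexdigest()


# Hypothetical watchlist: the client holds only digests, not plain names.
WATCHLIST = {md5_hex("cheat-drm.example")}


def cached_names(displaydns_text):
    """Unique record names from the cache dump, in first-seen order."""
    names = (n.lower().rstrip(".") for n in RECORD_NAME.findall(displaydns_text))
    return list(dict.fromkeys(names))


def suffixes(name):
    """a.b.c -> ['a.b.c', 'b.c']: the name and its parents, two labels minimum."""
    labels = name.split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - 1)]


def second_stage(displaydns_text, watchlist_digests, cheat_detected):
    """Return the MD5 digests that would be reported, or [] if not triggered.

    Assumption: "partial match" means the cached name or one of its parent
    domains hashes to a watchlist digest. Non-matching names are never
    included in the result, so the rest of the cache stays on the client.
    """
    if not cheat_detected:
        return []  # first stage found nothing: return before parsing the cache
    report = []
    for name in cached_names(displaydns_text):
        if any(md5_hex(s) in watchlist_digests for s in suffixes(name)):
            report.append(md5_hex(name))
    return report


if __name__ == "__main__":
    print(second_stage(SAMPLE_DISPLAYDNS, WATCHLIST, cheat_detected=False))
    print(second_stage(SAMPLE_DISPLAYDNS, WATCHLIST, cheat_detected=True))
```

The cache records that a name was resolved, not which program asked for it, so `second_stage` returns the same digest whether the entry came from a cheat's licence check or from some other lookup; the `cheat_detected` gate is the only thing separating the two cases.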
Mind you, it's less checking if you visited a site and more if your computer accessed a proscribed host.
The use of the emphasized phrase with a straight face is exactly what's wrong with this methodology.
It's the Internet. Sane societies don't have "proscribed hosts".
Welcome to the Panopticon. Used to be a prison, now it's your home.
Just turn it off. Nobody is forcing you to use VAC, oh unless of course if you want to play with non-cheating players.
Given the openness of SteamOS - I'm guessing the side effect would be to develop anti-VAC kernel modules to fool VAC into thinking everything's sane and good even if the user is cheating to heck and back (and unless VAC is using a kernel module, it's pretty hard to protect against it...).
I mean, should Valve/Steam pull this off in the future, it's trivially simple for something the user puts on SteamOS to hide the DNS resolver cache, to hide the cheat processes and fake the file hashes from any process...
The more important bit is that your PC needs to have contacted the cheat DRM server. The only way this should happen is if you have a cheat installed that is trying to contact it. It's not something you would try to do with a web browser without the cheat.
The scanning is done client-side, which means it's just an internal function of the software.
It isn't divulging any of your internet browsing or usage history. It's just combing the local cache for specific things, and is a process it doesn't even do in the first place unless a user is suspected of trying to abuse Valve's gaming environment by cheating.
If the TOS has to state an app is going to access your local DNS cache, then Windows operating systems are probably in violation themselves!
A DNS hit is a DNS hit. Whether cheat software or your browser initiates the name resolve, it will end up in the DNS cache. The only protection is what the parent said, it already has to suspect that the player is cheating. Makes me wonder why the dip in the DNS cache is even necessary. To me, it implies that they're afraid of false-positives.
Anticheat software has been scanning memory forever, and when it scans memory it's obviously comparing data to a pattern to decide if that's a cheat or not.
Not sure what's the difference between your mail account lying open in the background holding all your personal communications being scanned by punkbuster or vac, or the dns cache being scanned too.
Code caves, hooking, etc. I'm not sure if anticheat software can't beat online game cheaters.
I trust valve, and fuck beta.
While I agree in general, I am not sure this applies here, for 2 reasons:
1. This is not society in general, this is on hosts which are running games, which are protected by VAC. The user signed up, the user installed the game, the user invoked the game, the user was warned that the game uses VAC and cheaters would be banned.
2. Even after the user has invoked the VAC protected game, these checks for "proscribed hosts" are not done as a primary check, but, as a followup to confirm an association for which there was already evidence.
#2 is important. Just going to a cheat site doesn't make you a cheater. However, if you are suspected to be a cheater for other reasons, and it turns out you go to the site for the cheat you are suspected of, that is confirmation. That is good investigation. If you look for whoever went to a site and then use that to bias your cheat detection, that is a good old fashioned witch hunt.
"I opened my eyes, and everything went dark again"
Or you, if they happen to falsely flag you as a cheater.
Thank you Dave Raggett
It does send it back to the mothership. Otherwise mothership wouldn't know how to ban. The detail they're arguing on is that they're doing comparison against database on your machine rather than theirs.
Of course, absolutely nothing stops an NSA mole inserting a few appropriate sites into target's VAC to check for sexual interests in case they need blackmail material to forward to CIA that specific person for example. And Gabe will be none the wiser, like the google and facebook CEOs were about NSA having essentially direct indexed search access to all their user data on demand.
If you look in a DNS cache, all you know is that a name request was made; you don't have any evidence of what was done with that name.
Any web site you visit could cause entries for any DNS name it chooses to be loaded into the cache. It is not hard to imagine competing clans, those who dislike you or just want to create chaos operate a site which causes incriminating entries to be loaded into DNS caches.
I want to see Valve held criminally liable for rummaging thru computers and conducting investigations.
No, it isn't. If you'd RTFA, you'd learn that the DNS check only happens as a confirmation safety step, once an active cheat has already been detected by Steam.
HSJ$$*&#^!#+++ATH0
NO CARRIER
Not all games are VAC-protected, and not all VAC-protected games have every server VAC-protected (I think). For instance, you won't have VAC running for single-player games.
This is /.
Of course I didn't RTFA ;)
No, it isn't. If you'd RTFA, you'd learn that the DNS check only happens as a confirmation safety step, once an active cheat has already been detected by Steam.
--fatboy
Yeah, I can't see Linux players being allowed on any servers for some games. "No VAC on Linux" is a reasonable statement. VAC-only games (I think CoD?) will therefore never make it onto the platform. Can you imagine if only one operating system didn't have cheat detection? Why not wave a big flag around saying "If you want to cheat, run Linux"?
There's a lot of players who actively choose VAC games over non-VAC games, even with full information about these countermeasures, because they want to lower the chances that they are playing against a cheater. Saying "I run Linux but please let me play your game" is like saying "I'm not willing to take a drug test but please hire me". Some places might. Some places never will.
VAC only runs when you are actively connected to a VAC-enabled server.
I don't cheat and nor do I tolerate software sticking its nose in business other than its own, and my DNS records are none of anyone's business, regardless of what they use it for.
No, there won't be an exodus. This is a non-issue and no one cares.
If something on your PC is calling home to some cheat-DRM address (not forum, not discussion board, not even a frikken' download site)... then you are probably not a false positive, though.
1: Post image hosted on cheating server in a forum frequented by Valve customers
2: Wait for them to all get banned.
3: ???
Anticheat software only scans the memory of the process it runs in.
Other processes don't have access to the memory of others.
If you hate software poking around your RAM, running processes etc, then you can already wave goodbye to multiplayer - almost every anti-cheat service is doing those now (and need to, given the arms race between cheat software and cheat detection).
Unless you don't mind rampant cheating, that is. But if that's indeed no biggie, then I wish you an enjoyable stay in wallhack-land.
I was quite excited about the official Steam client for Linux and bought about $100 worth of games when it came out. Cheating or not, they have no right to scan for/look at anything outside of the Steam system, i.e. Steam/game created files.
Yes I will not support Steam anymore as I have that power. $100+ lost but lesson learned.
by TheSpoom (715771) Uncaring Linux user here. I have nothing to add to this but please continue. *munches popcorn*
made a legal requirement, enforced by the FTC.
I am a bit conflicted, I don't like the idea, but then again I also don't want to play against cheaters. At least I can respect that he laid it out on the table and was honest about it rather than the usual BS PR response that usually comes out for these sorts of things.
You can test this by trying to delete firefox.exe on Windows and see the process that has a lock on it via Unlocker
Rename firefox.exe to FuckYouFatassNewell.exe . Enjoy.
You have no idea how their software works, as it's proprietary. Furthermore, the fact that you used the word "probably" says it all. You can't have absolute faith in any software, and certainly not if you can't see the source.
Thank you Dave Raggett
You could substitute 98% of Linux and 100% of Windows systems and say the same. You say source - but we both know that if we're paranoid, just looking at the supposed source does little good. Any binary you download could have been made from an altered source. So, how many OSes did you compile yourself? Which binary do you trust, and why?
That hasn't been true pretty much ever. Back before Windows did privilege separation, anti-cheats scanned everything they could find; after the rise of UAC, PunkBuster and other anti-cheat systems added a prompt to permanently authorize their system-level service on the first run.
They explain that these are non-www servers, so you can't visit them.
You don't have to visit them. Doing a name resolution query will put them on the list, whether there's anything to visit or not.
Did you know that antivirus software, for example, may do a name resolution query on the hosts and IP addresses listed in the Received headers in an e-mail? That puts entries in your DNS cache, without you visiting anything. How about web boards that allow embedded images? A user can put [IMG]http://some.malicious.site/[/IMG] in a post, and there does not have to be a web server on that address for your browser to look up the address, and the OS cache it.
There are so many ways that your DNS cache can be full of entries that you have no control over, that it should never be used for evidence of anything. And what Steam does here is using it as secondary evidence.
Never mind that Windows should never allow unprivileged processes to display the complete DNS cache in the first place.
I consider the freedom to look at the source important in and of itself. And even if being able to look at the source doesn't stop 100% of all Bad Things, it's a hell of a lot better than dealing with binary blobs. Don't resort to the perfect solution fallacy.
Thank you Dave Raggett
Good for you. Me myself, I won't put that much more trust into the ability of looking at a source that's many thousands pages long and so utterly complicated it would take a team of experts to fully audit; also one that may or may not be the same software I wound up with. Theoretical possibilities I have no real means to use are that: theoretical possibilities.
If you are that paranoid, do what I do. Install a network filter at your endpoint and analyze your own traffic. That's the only way to be sure, unless the network filter/analyzer themselves are bugged. But that's a risk I'll live with.
(Now, I also value open source for some of its merits - long-term maintainability, the biggest among them. But that doesn't mean blind and exclusive faith, imho.)
(Now, I also value open source for some of its merits - long-term maintainability, the biggest among them. But that doesn't mean blind and exclusive faith, imho.)
I don't have blind faith, as I even accepted that it doesn't provide 100% security at all. However, I'm definitely not going to make the situation worse with proprietary software, and as I said, being able to look at the source is more important to me.
Thank you Dave Raggett
Both should be a reason. The existence of false positives (and, as we've seen time and time again, these systems are as far from perfect as you can get) is but one of many reasons to oppose this.
Thank you Dave Raggett
I always used to get accused of hax on public servers; now they can tell I am actually that good.
I know this is AC but holy christ you didn't even read the summary.
Your ignorance is making me angry so please allow me this: fuck you.
Convince your opponent to visit a web page that causes dns lookups of all the major cheating sites.
Please tell me the browser cache is screwing with me. Please tell me that my wife wants to have sex more often ( ok that isn't going to happen, I have a 12 and 15 year old) Do we really have Slashdot.org back?
Admitting it does not make it any less bad. Boycott. ( or brick thru the window )
---- Booth was a patriot ----
I guess this whole punkbuster thing is a constant game of leapfrog, but I wonder how long until this is worked around by, say, a browser addon that maintains its own DNS caches for selected sites so the system DNS cache is never touched, or even more simply, cheaters publicize a few IP addresses to crack sites, bypassing DNS completely.
"Nine times out of ten, starting a fire is not the best way to solve the problem." - my wife
There was a time here in the US when "those" people had to sit over there, and drink from that fountain while these "better" people got to sit over here with a nicer chair and a cleaner fountain. Isn't it strange how these days that doesn't happen anymore? I guess enough of "those" people didn't like it so quit going to those establishments and they just withered away. Yay, capitalism! Oh wait, it didn't happen that way at all. The government had to make them stop being racist assholes. Just because some company says it has to be their way or the highway doesn't mean they are correct. They know this and that is why there still hasn't been a good definitive court case on the validity of ToS's. We all know they are one sided contracts and they don't want a precedent set.
Actually, yes, you don't have to visit them, but you have to be actively using the cheat, because the VAC method involves checking for DRM checks (phoning home for verification) for cheat programs (believe it, it's actually a thing). Looking online for cheats and all those FUDdy things people keep spewing in the comments is not the point, the point is recognizing the DRM servers for the cheat tools, only sanely accessible when using the tool itself, I don't think anyone will stumble upon that host during daily browsing, no matter how many cheats they look at online.
And, damn, if you look around you can see this is true, such cheat programs exist and, yes, I also think that paying for a cheat program with DRM is incredibly stupid. I had a hard time believing it until I looked around and saw that people are stupid enough to pay to cheat in games, AND allowing DRM on them to boot!
The real news here is that some people are obsessed with winning random games to the point of using such services with perhaps more DRM than Steam itself... it's really sad when you think about it.
net stop dnscache
Having to work for a living is the root of all evil.
If you break the rules you get more scrutinized?
Wow! That isn't fair. (Dripping with sarcasm) The world doesn't work that way! I am shocked and appalled.
[sourcecode]
If (YouAreACheater()) CheckForMoreEvidenceOfYourCheating();
[/sourcecode]
Move along.
Nothing new to see here and nothing that really violates your rights or privacy.
You are such a fun little loser. How cute that you are so unable to do anything but try to bother him. All you are doing is proving to everyone that you can't code crap.
Based on what others are saying, it's just multiplayer mode in multiplayer games, and even then, only those where you're playing on a VAC-enabled server.
It seems there is a security exploit here, and it is being performed by Valve. Windows (1) keeps an unencrypted cache of DNS lookups and (2) allows unfettered access to it from any application. This is pretty bad, but clearly it was not the intent when creating the cache to let random applications spy on your browsing history, so Valve's access to the cache has to be considered an exploit, possibly even a crime?
Nonetheless the take home message here is that better operating systems need to be designed that don't allow applications to access each other's memory and log files by default.
Seems to me that you can either play fair games with friends or play unfair games with cheaters. Auto-aim bots make FPS games no fun at all if you are playing against a random set of players. But giving up your browser history to get a fair game? Ought to be offered as an Opt-In and be done with it.
"There is no god but allah" - well, they got it half right.