
Valve Anti-Cheat seems to scan your DNS cache, but probably doesn't send it anywhere

UPDATE: Formal statement from GabeN
Trust is a critical part of a multiplayer game community - trust in the developer, trust in the system, and trust in the other players. Cheats are a negative sum game, where a minority benefits less than the majority is harmed.

There are a bunch of different ways to attack a trust-based system including writing a bunch of code (hacks), or through social engineering (for example convincing people that the system isn't as trustworthy as they thought it was).

For a game like Counter-Strike, there will be thousands of cheats created, several hundred of which will be actively in use at any given time. There will be around ten to twenty groups trying to make money selling cheats.

We don't usually talk about VAC (our counter-hacking hacks), because it creates more opportunities for cheaters to attack the system (through writing code or social engineering).

This time is going to be an exception.

There are a number of kernel-level paid cheats that relate to this Reddit thread. Cheat developers have a problem in getting cheaters to actually pay them for all the obvious reasons, so they start creating DRM and anti-cheat code for their cheats. These cheats phone home to a DRM server that confirms that a cheater has actually paid to use the cheat.

VAC checked for the presence of these cheats. If they were detected VAC then checked to see which cheat DRM server was being contacted. This second check was done by looking for a partial match to those (non-web) cheat DRM servers in the DNS cache. If found, then hashes of the matching DNS entries were sent to the VAC servers. The match was double checked on our servers and then that client was marked for a future ban. Less than a tenth of one percent of clients triggered the second check. 570 cheaters are being banned as a result.

Cheat versus trust is an ongoing cat-and-mouse game. New cheats are created all the time, detected, banned, and tweaked. This specific VAC test for this specific round of cheats was effective for 13 days, which is fairly typical. It is now no longer active as the cheat providers have worked around it by manipulating the DNS cache of their customers' client machines.

Kernel-level cheats are expensive to create, and they are expensive to detect. Our goal is to make them more expensive for cheaters and cheat creators than the economic benefits they can reasonably expect to gain.

There is also a social engineering side to cheating, which is to attack people's trust in the system. If "Valve is evil - look they are tracking all of the websites you visit" is an idea that gets traction, then that is to the benefit of cheaters and cheat creators. VAC is inherently a scary looking piece of software, because it is trying to be obscure, it is going after code that is trying to attack it, and it is sneaky. For most cheat developers, social engineering might be a cheaper way to attack the system than continuing the code arms race, which means that there will be more Reddit posts trying to cast VAC in a sinister light.

Our response is to make it clear what we were actually doing and why with enough transparency that people can make their own judgements as to whether or not we are trustworthy.

Q&A

1) Do we send your browsing history to Valve? No.

2) Do we care what porn sites you visit? Oh, dear god, no. My brain just melted.

3) Is Valve using its market success to go evil? I don't think so, but you have to make the call if we are trustworthy. We try really hard to earn and keep your trust.
Original OP follows:

It came from the Reddits [usual Reddit disclaimers apply]. Lazy copy-pasting go:

What it does:

Goes through all your DNS Cache entries (ipconfig /displaydns)

Hashes each one with md5

Reports back to VAC Servers

So the domain reddit.com would be 1fd7de7da0fce4963f775a5fdb894db5 or organner.pl would be 107cad71e7442611aa633818de5f2930 (Although this might not be fully correct because it seems to be doing something to characters between A-Z, possibly making them lowercase)

Hashing with md5 is not full[sic] proof, they can be reversed easily nowadays using rainbow tables. So they are relying on a weak hashing function

You don't have to visit the site, any query to the site (an image, a redirect link, a file on the server) will be added to the DNS cache. And only the domain will be in your cache, no full URLs. Entries in the cache remain till they expire or at most 1 day (might not be 100% accurate), but they don't last forever.

We don't know how long this information is kept on their servers, maybe forever, maybe a few days. It's probably done every time you join a VAC server. It seems they are moving from detecting the cheats themselves to computer forensics, relying on leftover data from using the cheats. This has been done by other anticheats, like PunkBuster, and resulted in false bans. Although I'm not saying they will ban people for simply visiting the site, just that it can be easily exploited

There are also privacy and security concerns over the possibility that your game is transmitting a (lightly encrypted) list of all the sites you've been on in the last day or so over the internet. So, uh, yeah. Not cool, Valve, not cool.
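The two behaviours argued over above, the Reddit claim that every cache entry is hashed and sent versus Valve's description of a local partial match with only matching hashes reported, can be modelled side by side. The following is an added example, not code from the original post, from Valve, or from the Reddit thread: it parses a constructed `ipconfig /displaydns` dump (layout assumed), normalises names the way the post suspects (lowercasing), MD5-hashes them, and contrasts a report-all path with a match-locally path. `CHEAT_DRM_PATTERNS` and every hostname in the sample are placeholders.

```python
import hashlib
import re

# Constructed sample of `ipconfig /displaydns` output (layout assumed; not a real capture).
SAMPLE_DISPLAYDNS = """\
Windows IP Configuration

    reddit.com
    ----------------------------------------
    Record Name . . . . . : reddit.com
    Record Type . . . . . : 1
    Time To Live  . . . . : 292
    A (Host) Record . . . : 198.51.100.10

    drm.cheat-vendor.example
    ----------------------------------------
    Record Name . . . . . : DRM.Cheat-Vendor.example.
    Record Type . . . . . : 1
    Time To Live  . . . . : 55
    A (Host) Record . . . : 203.0.113.7

    www.google.com
    ----------------------------------------
    Record Name . . . . . : www.google.com
    Record Type . . . . . : 1
    Time To Live  . . . . : 120
    A (Host) Record . . . : 198.51.100.20

    notcheat-vendor.example
    ----------------------------------------
    Record Name . . . . . : notcheat-vendor.example
    Record Type . . . . . : 1
    Time To Live  . . . . : 80
    A (Host) Record . . . : 198.51.100.30
"""

# Placeholder list of cheat DRM hostnames; stands in for whatever list VAC actually carried.
CHEAT_DRM_PATTERNS = ["cheat-vendor.example", "auth.cheatdrm.invalid"]

RECORD_NAME = re.compile(r"Record Name[ .]*:\s*(\S+)")


def normalize(name):
    """Lowercase and strip the trailing dot so the same host always hashes the same way."""
    return name.lower().rstrip(".")


def parse_displaydns(text):
    """Return the normalised record names from ipconfig /displaydns output, in order, without duplicates."""
    names = []
    for match in RECORD_NAME.finditer(text):
        name = normalize(match.group(1))
        if name not in names:
            names.append(name)
    return names


def md5_hex(name):
    """MD5 of the normalised hostname, as the post describes the client doing."""
    return hashlib.md5(normalize(name).encode("ascii")).hexdigest()


def domain_matches(entry, pattern):
    """Label-wise suffix match: 'drm.x.example' matches 'x.example'; 'notx.example' does not."""
    entry, pattern = normalize(entry), normalize(pattern)
    return entry == pattern or entry.endswith("." + pattern)


def report_everything(entries):
    """Behaviour alleged in the Reddit post: hash every cache entry and send all of them."""
    return [md5_hex(entry) for entry in entries]


def report_matches(entries, patterns=CHEAT_DRM_PATTERNS):
    """Behaviour in Valve's statement: match locally, send hashes of matching entries only."""
    return [md5_hex(entry) for entry in entries
            if any(domain_matches(entry, pattern) for pattern in patterns)]


if __name__ == "__main__":
    cache = parse_displaydns(SAMPLE_DISPLAYDNS)
    print("cache entries:", cache)
    print("report-all would send", len(report_everything(cache)), "hashes")
    print("match-only sends", report_matches(cache))
```

The label-wise match matters: a plain substring test would flag `notcheat-vendor.example` as well, which is exactly the kind of false positive the thread worries about. Nothing here decides whether a match is proof of cheating; that is the policy question the thread is arguing.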
 

oldmario

Member
If EA did this with Origin people would be grabbing their pitchforks but because it's Valve I bet a lot of people will let it slide and say the usual "i have nothing to hide"
 

TheSeks

Blinded by the luminous glory that is David Bowie's physical manifestation.
Apparently, according to the reddit comments: Punkbuster
who uses this still? LOLOLOLOLOL *Oh wait EA/DICE does... :(*
does a similar thing.

So I guess the question is: How do you detect cheats outside of people policing each other on various servers?
 
If EA did this with Origin people would be grabbing their pitchforks but because it's Valve I bet a lot of people will let it slide and say the usual "i have nothing to hide"

Mmm that snark. Fighting that fight before it's even begun, thereby ensuring it does happen.
 
Apparently, according to the reddit comments: Punkbuster
who uses this still? LOLOLOLOLOL *Oh wait EA/DICE does... :(*
does a similar thing.

So I guess the question is: How do you detect cheats outside of people policing each other on various servers?

If they kill me, they cheated. Always been my motto lol.
 
If EA did this with Origin people would be grabbing their pitchforks but because it's Valve I bet a lot of people will let it slide and say the usual "i have nothing to hide"

EA DO do this with Punkbuster, as previously mentioned.

They also DID do this, but to a larger degree by scanning your entire system just by running Origin, without any pretense at being used as an anti-cheat mechanism, whereas (if true) VAC would only do this when connecting to a VACD secured server not just in running Steam.
 
If EA did this with Origin people would be grabbing their pitchforks but because it's Valve I bet a lot of people will let it slide and say the usual "i have nothing to hide"

Well, now that it's public, I guarantee you EA has people testing it now for Origin too.

Valve has become a model content provider, after all...
 
It's disgraceful to be honest if the allegations prove to be true.

But, cheap games and free content support is a passport for most people and many will forgive or accept.
 
I'd like to hear what's apparently so bad about this. To me it seems like a better way to detect cheating, something I've seen people get away with too much.
 

gabbo

Member
EA DO do this with Punkbuster, as previously mentioned.

They also DID do this, but to a larger degree by scanning your entire system just by running Origin, without any pretense at being used as an anti-cheat mechanism, whereas (if true) VAC would only do this when connecting to a VACD secured server not just in running Steam.

That's still not a good excuse for doing it at all.
 
My history:

NeoGAF
NeoGAF
NeoGAF
Twitter
NeoGAF
NeoGAF
Reddit
NeoGAF
NeoGAF
NeoGAF

But really, how well does this work against cheating? VAC is known as being pretty terrible for some time now, right?
 

Rapstah

Member
What would they possibly do with this data? If they find out that all hackers share ten or twenty entries in the list with each other, there's going to be no way to tell the Google entry from the Steamworks.com entry from the leethax.com entry unless they decrypt the list, which completely goes against the point of encrypting it in the first place.

I don't see how anything useful can be pulled out of the data statistically.
 
I don't know if Valve has made a statement on user privacy. But since the introduction of chat logs and now this I would feel much more comfortable if they were open about what is going on given the NSA scandal.

If they're unwilling to improve the security then they need to provide users the option to opt out of both.

Changes like this simply cannot be introduced without consulting the audience first, and making it optional: see Steam Guard.
ipconfig /flushdns
Could we put this in a launch command to any VAC enabled game? I imagine VAC will be checking periodically not just when the game runs.
 

Soule

Member
If EA did this with Origin people would be grabbing their pitchforks but because it's Valve I bet a lot of people will let it slide and say the usual "i have nothing to hide"

Jesus, you're preemptively whingeing on the first post. Also I have not seen a 'usual' comment regarding Valve that people have nothing to hide, I'm not aware of any other cases where they've pried and people have had to take this stance, would you mind linking me to some context for this?
 

Proxy

Member
EA DO do this with Punkbuster, as previously mentioned.

They also DID do this, but to a larger degree by scanning your entire system just by running Origin, without any pretense at being used as an anti-cheat mechanism, whereas (if true) VAC would only do this when connecting to a VACD secured server not just in running Steam.

Pretty sure that would be Even Balance doing that not EA. Also, I remember that thread and this comment from Reddit:

Yay. Conspiracies. So let's see what Origin really does, shall we?
If you hook process monitor onto Origin you will not see Origin scanning anything, independently of how long you use it. So what triggered the OP's screenshot?
Origin on installation will try to find games installed on your harddrive and automatically register them within Origin. It does that in a couple of different ways:
It reads the windows games registry
It looks for games in Program Files
It looks for games in ProgramData (where, for unknown reason the OP's SMS and tax software are storing the data instead of the user profile where that data should go!)
It reads the xfire config if it finds one for games
If you look at the screenshot closely you will see that it does not actually read any files. Instead it looks for their existence and recursively walks the directory. It does not read any of your files, at least not judging from this screenshot or anything I have found on my machine.
Lastly if you monitor the network traffic that Origin causes you will see that it does not transmit anything of value to EA. So far I have not seen anything but login credentials being submitted.
But it's always so much more fun to assume that software is inherently evil. You can hook a syscall monitor on any application and you will see that it operates all over the drive. That's not something unique to Origin. Steam will do the same if you click the "add non steam game" button.
//EDIT: something I forgot: I think people should not run any sysinternals tools without a basic understanding of what they do or at least not jump to conclusions.

http://www.reddit.com/r/gaming/comments/lsoj6/still_thinking_eas_origin_is_harmless/c2vbjty
 

samn

Member
I'd like to hear what's apparently so bad about this. To me it seems like a better way to detect cheating, something I've seen people get away with too much.

How on earth is it a better way to detect cheating?

I could post a link in this thread to a shady cheat website. Even people who didn't click on it would have the domain added to their DNS cache, if they were browsing with Chrome which preloads links before you click.

Even if I was actively visiting these websites, it is no indication that I am downloading them or using them in game.
 

Ashsturm

Member
What would they possibly do with this data? If they find out that all hackers share ten or twenty entries in the list with each other, there's going to be no way to tell the Google entry from the Steamworks.com entry from the leethax.com entry unless they decrypt the list, which completely goes against the point of encrypting it in the first place.

I don't see how anything useful can be pulled out of the data statistically.

Valve will have a hashed list of known sites they can use to compare the hashed (not encrypted) entries against.

Pretty poor from Valve, if they do use it as part of a decision on a ban then it seems open to abuse. With browser pre-caching anyone could post a link on a site like GAF and have a DNS entry pop up in everyone's cache without them even clicking the link.
 

pixlexic

Banned
You guys know that all web advertising does the same thing but worse right now.

Right at this moment neogaf is showing me ads of every item I have been looking at from newegg in the past two weeks.
 

zigg

Member
They need to know if you ever visit vaccheaters.com apparently. You're obviously cheating if you do.
I'm not at all a fan of this sort of thing, but there is a compromise here.

Don't report every domain in the cache. Do the scan locally and only report if this one domain is found.
 

NEO0MJ

Member
WTF? One of the reasons I didn't install Origin is that it did something like this and now Valve is doing it?
 
I don't see how this is even effective, honestly. Too many false positives. If they weren't hashing the TLDs they could use it as a way of discovering cheat sites by looking at the commonly visited domains of recently banned users for matches, but other than that it feels like a ticket to wrongful banning.

I don't want Valve or anyone else to know I was just googling for images of vagina dentata :S
 
You guys know that all web advertising does the same thing but worse right now.

Right at this moment neogaf is showing me ads of every item I have been looking at from newegg in the past two weeks.

Maybe ads do that, but what does someone's browser history have to do with cheating.
 

TheSeks

Blinded by the luminous glory that is David Bowie's physical manifestation.
I'm failing to see how your DNS cache has fuck all to do with cheating.

It's them checking for known cheating sites so they can ban you that way (possibly) instead of having to continue to monitor files/checksums from being modified (old way, and allows "false positives" just as much as this new method does since unless you're using "sv_pure 1" any modified file will change the checksum).

Now, before someone jumps on me: IIRC, "sv_pure" can be worked around so it isn't a 100% fool-proof solution. It just stops custom-sounds and textures from being loaded in a game, it isn't an anti-cheat.
 

Stumpokapow

listen to the mad man
This does not sound like a good anti-cheat strategy and seems like a pretty inconclusive piece of evidence to ban someone based on or even as secondary evidence to confirm a ban.

However:

Hashing with md5 is not full[sic] proof, they can be reversed easily nowadays using rainbowtables. So they are relying on a weak hashing function

While it's true that MD5 is a weak hashing function, I'm not sure what the argument is here. Is the fear a MITM attack exposing your data or is the fear that Valve is secretly retaining data and then attacking their own hashed data? Why not simply send the data plaintext if that was their aim? Is there reason to believe that Valve is retaining the data at all rather than comparing the hash against a known blacklist and discarding? What's the actual argument here?
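The question raised here, and the "rainbow tables" remark in the copied Reddit post, turn on the same technical point: a hash of a hostname is only as private as the set of hostnames someone might guess, and that set is small and public. The following added example (not from the original post, Valve, or any poster) shows a party holding retained hashes mapping them back to domains with nothing more than a candidate list, and that switching MD5 for SHA-256 changes nothing. `REPORTED` and `CANDIDATES` are constructed placeholders.

```python
import hashlib


def md5_hex(name):
    """MD5 of a normalised hostname (lowercased, trailing dot removed)."""
    return hashlib.md5(name.lower().rstrip(".").encode("ascii")).hexdigest()


def sha256_hex(name):
    """Same normalisation, stronger hash; included to show the hash choice is not the issue."""
    return hashlib.sha256(name.lower().rstrip(".").encode("ascii")).hexdigest()


# Constructed: hashes a client would have sent if it reported every cache entry.
REPORTED = [md5_hex(d) for d in [
    "reddit.com",
    "www.google.com",
    "drm.cheat-vendor.example",   # placeholder cheat DRM host
    "internal.corp.example",      # a private host no public list would contain
]]

# Constructed candidate list standing in for a public top-sites list plus known cheat hosts.
CANDIDATES = [
    "google.com", "www.google.com", "reddit.com", "facebook.com",
    "steamcommunity.com", "drm.cheat-vendor.example",
]


def build_lookup(candidates, hash_fn=md5_hex):
    """Precompute hash -> domain for every candidate; this is the whole 'rainbow table' for hostnames."""
    return {hash_fn(c): c for c in candidates}


def recover(reported, candidates, hash_fn=md5_hex):
    """Map each reported hash back to plaintext where the candidate list covers it, else None."""
    table = build_lookup(candidates, hash_fn)
    return {h: table.get(h) for h in reported}


def recovery_rate(reported, candidates, hash_fn=md5_hex):
    """Fraction of reported hashes that a candidate list of this size gives away."""
    found = recover(reported, candidates, hash_fn)
    return sum(v is not None for v in found.values()) / len(found)


if __name__ == "__main__":
    for h, domain in recover(REPORTED, CANDIDATES).items():
        print(h, "->", domain)
    print("recovered with MD5:   ", recovery_rate(REPORTED, CANDIDATES))
    sha_reported = [sha256_hex(d) for d in ["reddit.com", "internal.corp.example"]]
    print("recovered with SHA-256:", recovery_rate(sha_reported, CANDIDATES, sha256_hex))
```

The only entry that stays hidden is the one no candidate list contains. That is why the retention question (is anything kept beyond the comparison?) matters more than the choice of MD5, and why reporting only locally matched entries, as the later statement describes, removes most of the exposure regardless of hash.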
 

cameron

Member
How on earth is it a better way to detect cheating?

I could post a link in this thread to a shady cheat website. Even people who didn't click on it would have the domain added to their DNS cache, if they were browsing with Chrome which preloads links before you click.

Even if I was actively visiting these websites, it is no indication that I am downloading them or using them in game.

Yea. Valve can't possibly think this is a logical way to detect cheaters.
 