Forgot your password?
typodupeerror
Games

Gabe Newell Responds: Yes, We're Looking For Cheaters Via DNS 511

Posted by timothy
from the but-maybe-you-were-just-visiting dept.
dotarray writes "Valve has stepped up to answer allegations that the company's anti-cheat system was scanning users' internet history. Rather than a simple, sanitized press release or a refusal to comment on 'rumours and innuendo,' Valve CEO and gaming hero Gabe Newell has personally responded." Newell or not, not everyone will like the answer. The short version is that Yes, Valve is scanning DNS caches, with a two-tiered approach intended to find cheating users by looking for cheat servers in their histories. Says Newell: "Less than a tenth of one percent of clients triggered this second check, accessing the DNS cache. 570 cheaters are being banned due to DNS searches."
This discussion has been archived. No new comments can be posted.

Gabe Newell Responds: Yes, We're Looking For Cheaters Via DNS

Comments Filter:
  • Still abusive (Score:5, Insightful)

    by i kan reed (749298) on Tuesday February 18, 2014 @11:17AM (#46275563) Homepage Journal

    Sorry Gabe, you're not allowed to see my DNS history. You aren't allowed to see GabeNewellNatiliePortmanHotGritsFanFiciton.net in my history. That's not allowed.

    • Re:Still abusive (Score:5, Informative)

      by PhrostyMcByte (589271) <phrosty@gmail.com> on Tuesday February 18, 2014 @11:22AM (#46275619) Homepage
      The app is comparing DNS records with a client-side database of cheat sites, and if it finds a match sending it to Valve's servers for verification & ban-hammer. It's not sending every site you visit, unless the only sites you visit were via DNS records used by cheat developers.
      • No need to check your DNS history to tell you haven't visited OhNowIGetTheJoke.net
      • by Andy Dodd (701)

        So what if someone puts a URL for a cheat site in a forum comment somewhere, disguised as something else?

        • Nothing. Unless you're actually doing things on an online game that would make the admins think you were cheating, you won't be victimized simply because you follow a link.

          And bear in mind that they're not looking for public website domain names unless by sheer coincidence (or cheaping out on the part of the cheats vendor - yes, that's what we're talking about) the same server AND domain name is being used for both the vendor's website and for the DRM checking code in their cheat patch.

          I don't think it

        • by DrGamez (1134281)

          It means you still haven't read the article.
          (Sorry, that's rude, but seriously go have a read, you're 100% safe to visit all the terrible hacking website you want. Just don't use the hacks they sell.)

      • Re:Still abusive (Score:4, Insightful)

        by Bob9113 (14996) on Tuesday February 18, 2014 @11:53AM (#46275917) Homepage

        The app is comparing DNS records with a client-side database of cheat sites, and if it finds a match sending it to Valve's servers for verification & ban-hammer. It's not sending every site you visit, unless the only sites you visit were via DNS records used by cheat developers.

        Compare: We record images using your laptop's webcam, but we only look at them if our software algorithm thinks the images show you doing something that violates our ToS.

        • Re:Still abusive (Score:5, Insightful)

          by wagnerrp (1305589) on Tuesday February 18, 2014 @11:58AM (#46275983)
          It's more like an anti-theft service that when it thinks the laptop may have been stolen, it then turns on the camera to see who is using the laptop. Access to the DNS cache is only triggered by some other first-tier behavior.
          • by Bob9113 (14996)

            It's more like an anti-theft service that when it thinks the laptop may have been stolen, it then turns on the camera to see who is using the laptop.

            That would be me choosing to enlist my private sensors in a service that is specific to the use of those sensors. Two significant differences in this case: In the narrow sense, the user has not given informed consent to the use of his private sensors. In the broader sense, our society has not had a frank discussion about requiring access to a person's private s

            • Re:Still abusive (Score:5, Informative)

              by Baloroth (2370816) on Tuesday February 18, 2014 @01:11PM (#46276901)

              That would be me choosing to enlist my private sensors in a service that is specific to the use of those sensors.

              Except in the case of VAC you did choose to enlist the use of VAC to prevent cheats, specifically, when you connected to a VAC enabled multiplayer server. VAC isn't some generic thing Valve sticks on all Steam games, you know: it's only enabled when you connect to a server that is VAC enabled (which is in every game I've player very clearly marked as such). You don't want VAC poking around on your computer? Don't play on a VAC server.

      • So what? It's still a violation of my privacy and therefore unethical.

    • by AC-x (735297)

      Don't worry, all the DNS names were MD5 hashed, so Gabe will only know you visited b80747491a0922eeaf0d800983ddc886 :)

    • by jader3rd (2222716)

      Sorry Gabe, you're not allowed to see my DNS history.

      So what OS model can we use to isolate one program from another? Do we want that kind of model?

  • Is it in the TOS? (Score:5, Interesting)

    by NotQuiteReal (608241) on Tuesday February 18, 2014 @11:17AM (#46275569) Journal
    Is this search in the TOS, or is it an "unauthorized" search?
    • You ask that as if ANYONE has any idea what is in the TOS. I assume it's standard TOS stuff like you won't sue us for any reason ever, we own you and can do whatever we want, you own nothing, you pledge your soul to serve in our undead army against God in the end days... That probably covers these searches.
      • by Raenex (947668)

        you pledge your soul to serve in our undead army against God in the end days...

        Sorry Valve, that one has to be signed in blood.

    • by King_TJ (85913) on Tuesday February 18, 2014 @12:24PM (#46276273) Journal

      The scanning is done client-side, which means it's just an internal function of the software.

      It isn't divulging any of your internet browsing or usage history. It's just combing the local cache for specific things, and is a process it doesn't even do in the first place unless a user is suspected of trying to abuse Valve's gaming environment by cheating.

      If the TOS has to state an app is going to access your local DNS cache, then Windows operating systems are probably in violation themselves!

  • I know in the olden days, I just assume everybody else was cheating (they usually were) but how common is cheating now that VAC has been around for a while?

    • Re: (Score:2, Funny)

      by feedayeen (1322473)

      I think that this is a, 'we don't have any gays in Iran,' type of situation.

    • by CastrTroy (595695) on Tuesday February 18, 2014 @11:26AM (#46275645) Homepage
      This is why I don't like the idea that games seemed to have moved away from hosting your own server. Online games were great when you knew the guy you were playing against. There wasn't as many problems with cheating, or perhaps you could agree on which cheats could be used, and the in-game chat was a lot more tolerable. Now that you're just playing against a random selection of people from the internet, I just don't get as much enjoyment out of it.
      • by drinkypoo (153816)

        This is why I don't like the idea that games seemed to have moved away from hosting your own server.

        Sadly, even most of the games with random matching force one of the players to serve as the server. Only MMOs really work in the way you describe.

    • by KermodeBear (738243) on Tuesday February 18, 2014 @12:17PM (#46276197) Homepage

      Like you I imagine, I've been playing online games for a long time. I even ran a half dozen TFC / Natural Selection / CounterStrike / Half-Life Deathmatch / etc. servers for three or four years. I never found cheating to be common except for CounterStrike. For some reason that game attracted cheaters like crazy. The other games, not so much. Cheating wasn't just uncommon - it was rare.

      When PunkBuster and similar products became popular it was amazing how much better I became compared to other players when playing on a protected server. (o:

      VAC has, in my opinion, done a very good job overall of keeping up with the cheating crowd. I can't remember the last time I came across a player that I suspected of cheating - and having had to do detection manually by watching player behavior, I'm very confident in this.

      There's a few things you can look for manually when looking for cheaters.

      Your typical aimbot is easy to detect. Jump into spectator mode or whatever and pick the first person view for the selected player. Instead of the smooth movements a typical player will have, you'll see the player's aim snap to positions on a screen. It's rare to see these anymore because detection is so incredibly easy.

      Driver hacks to provide see-through textures, or model hacks that have a long cross through them that extend through walls, are also pretty easy to detect by watching the player. Is someone across the map and scoring head shots through walls? Does he always seem to know where the enemy is? He's using one of these.

      The interesting cheat is the second one (wall / model hacks) which allows one to see opponents behind objects, because it's not a mechanical advantage like an aim bot; it's a strategic advantage, an information advantage. It doesn't change the ability of the cheater to aim more accurately; it changes the cheater's behavior. A player without the cheat information will act as if the opponent is not there; a player with the information will.

      So, you'll see tactical advances / retreats, shots fired / grenades thrown, etc. that would not occur in normal non-cheating game play. Yes; there will always be the person who gets the lucky what-the-hell shot. That happens.Sometimes more than once. What you need to look for is a consistent pattern over time that cannot be attributed to simply being "good", having a better overall strategy, or having an unusual play style.

      I bet that with enough information collected it would be possible to detect this kind of behavior and flag individual players for follow-up manual inspection. It would be a fascinating bit of research, really.

      Resource hacks are very dead these days, as information about resources (ammunition carried, money earned, life amount, etc.) are all stored server-side for most games. There's no way for the client to fiddle with that data.

      • by Lothsahn (221388)
        When I was in college, my friend had a roommate who played CS nearly all the time. His roommate actually failed out of college because all he did was CS.

        While I think most of your points stand, I can say with 100% certainty that he acted like he could see through walls. He was so good that he routinely killed people (with headshots, even) through walls. Had I not seen his monitor with my own eyes, I would have known he was cheating. He was frequently accused of cheating. In fact, he could only play
  • by pavon (30274) on Tuesday February 18, 2014 @11:20AM (#46275587)

    The biggest part of his announcement is that this checking is done client side; your DNS history is not sent to Valve. They also only record MD5 hashes that match the cheat sites they are looking for, not your entire DNS history. Finally, they claim to only check for DNS lookups of servers used by the cheat software itself, not just websites where you might read about and download cheats (although in some cases I imagine these could be the same), and use this as a second check after the client has already detected a cheat installed on you machine. So simply visiting cheat software websites without using them shouldn't get you banned.

    • Why couldn't they just MD5 the files for the actual game, to verify that they match with the official binaries? Seems a lot less intrusive, and less potential for abuse.

      FWIW, it shouldn't matter what information I discover; what matters is what I do with it. Maybe I hack games, maybe I like to visit the sites that teach you how so I can understand what that means; either way, unless I'm using the knowledge I gained from game-hacking websites to.. er, well, hack Steam games, then IMO it's none of Gabe's fuck

      • by Anonymous Coward on Tuesday February 18, 2014 @11:38AM (#46275753)

        Cheats have evolved beyond file tampering. Most are done with code injection, and boy is that history a long one. I suspect the actual DNS being hunted for are the cheats' "DRM" servers that ensure you paid the guy who made the cheat money. CheatHappens.com or whatever they're calling themselves these days was one of the first to start doing this in a big way.

      • Re: (Score:2, Informative)

        by Anonymous Coward

        Why couldn't they just MD5 the files for the actual game, to verify that they match with the official binaries? Seems a lot less intrusive, and less potential for abuse.

        A lot of anti-cheat systems already do things similar to that, but it only catches one category of cheats. It doesn't help so much for cheats that change the game after it is loaded into memory, ones that change behavior of the video card that make things easier to see without touching the game, and ones that help control inputs without editing the game.

        maybe I like to visit the sites that teach you how so I can understand what that means;

        Then this check won't flag you, because that is not what it is looking for. Various cheat programs these days have their own DRM system because the makers

      • by szap (201293)

        Don't need to change the actual files to patch it. See DLL Injection: http://en.wikipedia.org/wiki/D... [wikipedia.org]

      • by dave562 (969951)

        Often times they are not modifying the binaries themselves. The cheats are separate DLLs that are injected into the process at run time.

      • by frinsore (153020)
        Checking the MD5 hash is one of the oldest methods of anti-cheat. Nowadays file hashes are signed by a private key and verified locally with the corresponding public key, if the hashes don't match then it's an invalid file. But like I said, this is one of the oldest methods and has been worked around for years. The simplest method is to modify system dlls that the executable depends upon to inject code into the running game. This then leads to signing everything that the executable could depend upon.
      • by blincoln (592401)

        Most cheating involves modifying processes in memory, not the files on disk.

        I do agree that it's really heavy-handed of Valve to ban players over DNS entries, though. What's to stop me from posting a page on some heavily-trafficked site with embedded image tags pointing to those systems (they may not load, since who knows if the cheat servers are even running web server components, but visiting machines will still cache the DNS entries), trying to get anyone who visits it banned on Steam?

      • If it just MD5ed fhe files, the games would be hacker heaven, since you don't need to touch the files.

        There are tons of ways to do this. You can attach a custom DLL to run code, or just inject code directly. You can do this when the program starts up even before it has a chance to run any code itself. You could modify your graphics driver to change the way the game renders so that the game itself sees everything about itself is fine because it is.

        Also, files for the actual game are hashed, at least in S

  • Valve vs NSA (Score:2, Insightful)

    by Anonymous Coward

    I trust Valve more than the NSA.
    The NSA doesn't protect me against hackers.

  • by Anonymous Coward on Tuesday February 18, 2014 @11:32AM (#46275687)

    They did not look at DNS histories of your browsing... there are cheats that have their own DRM that phone home to the cheat server to make sure you paid for the cheat (/irony). All Valve was looking for was the phone home to the cheat servers, not your bloody porn searches, or even visiting a cheat website.

  • by green1 (322787) on Tuesday February 18, 2014 @11:32AM (#46275689)

    The more I see stories about various programs accessing all sorts of stuff they aren't supposed to, the more I wonder why we still allow this? I use my browser for something, there shouldn't be any other program on the computer that knows about it. It's time we eliminate this idea that every app has access to every file on our computers. I really don't understand why sandboxing every app is not only not the default, but also very rarely even available on most operating systems.

    It seems these days most apps are hostile to the users, it's time we treated them as such and stopped letting them have the run of our computers.

    • by dave562 (969951) on Tuesday February 18, 2014 @11:53AM (#46275927) Journal

      We tolerate it because cheaters ruin games. If do not want to play the game, or do not want your privacy violated, then do not play games on Steam.

      For those of us that do play games, and do play them honestly, this is another step in the right direction. Cheating simply kills these games. I am willing to give up a bit of privacy in exchange for fewer aimbots and wallhacks in the FPS games that I play. If you read the article, or the comments, you would realize that the DNS scanning is a second level of review that takes place when other indicators point towards a person who might be cheating.

      • by green1 (322787)

        This particular case may have a "noble" goal, but the exact same techniques could be (and probably are) used for much more nefarious purposes. There is no good reason why it is even possible for any app to do this.
        Apps should NEVER have access to anything outside of themselves without explicit permission. There is no good reason for it, under any circumstances, and it causes huge security holes.

    • by Kardos (1348077)

      > It seems these days most apps are hostile to the users, it's time we treated them as such and stopped letting them have the run of our computers.

      Well that the tradeoff when it comes to closed source software. You have to trust that the provider of the binary is Not Evil.

      > It's time we eliminate this idea that every app has access to every file on our computers.

      Mobile has made some progress here with "App Permissions", such that you can limit what an app can do. It's easy to do this when you build a

      • by green1 (322787)

        Mobile has not really done any better. most mobile OSs will tell you what permissions an app is asking for, but won't allow you to select which ones to allow. In addition, the apps are still not fully sandboxed. For example on my android phone I have an app that won't run on rooted phones. It doesn't request root permission, so it SHOULD have no possible way of knowing I'm rooted, however it has full access to the file system (without any special permissions) and therefore can figure it out on it's own.
        It's

    • by Ardyvee (2447206)

      Don't use VAC. AFAIK (correct me if I'm wrong), it should only be activated if you join VAC-enabled servers. VAC is specifically Valve's Anti-Cheat System and it does what it says on the tin. Although I guess I do agree on the whole sandboxing thing. But you still have the problems of cheating in online games.

      • by green1 (322787)

        This particular case has a "noble" goal, but the exact same techniques could be used for much more nefarious purposes. There is no good reason why it is even possible for an app to do this.
        Apps should NEVER have access to anything outside of themselves without explicit permission. There is no good reason for it, and it causes huge security holes.

    • by jader3rd (2222716)

      The more I see stories about various programs accessing all sorts of stuff they aren't supposed to, the more I wonder why we still allow this?

      It's because we like it when programs work well together. As a result general purpose computers have the model that anything running as the user is the user. So preventing one application from interfacing with/messing with another program would be the same as blocking the user from doing the same. Any OS that tries to put up garden walls between programs is decried as an attack on computational liberty.

  • by Pricetx (1986510) on Tuesday February 18, 2014 @11:40AM (#46275781)

    One point that I don't think a lot of the commenters aren't getting, is that it isn't the actual "cheat websites" that are getting detected by this system, the system doesn't even check for them.

    As Gabe explained, most cheating software uses DRM, similar to that of games themselves, which "phones home" to the cheat software publishers to ensure that all of the users of the software are actually paying for it. These "DRM servers" will have their own domain names, and it's these domain names which VAC is looking for. This is to avoid flagging people for simply having visited the cheat website.

    It's also worth pointing out that this check is only triggered *AFTER* VAC has already detected that the player is cheating through other means, it can be thought of as a second factor of cheat authentication. This means that players can't get "tricked" into being VAC banned by having malicious javascript on a website causing their PC to perform DNS lookups on these blacklisted domains, as they won't even be checked by VAC unless the player is detected as cheating through other means.

    That being said, there's always the possibility of false positives, and if you combine that with malicious javascript mention above, you could just be incredibly unlucky and accidentally get VAC banned.

  • by BlackPignouf (1017012) on Tuesday February 18, 2014 @11:41AM (#46275797)

    I don't like the answer, but it could be worse, and it's nice the director answered honestly.

  • RTFA (Score:5, Informative)

    by Grantbridge (1377621) on Tuesday February 18, 2014 @11:44AM (#46275831)
    From the actual article: 1)This is no longer in operation, it was only running for a couple of weeks in the constant cat-and-mouse game with cheat developers 2)It was targeted at the DNS for DRM servers which cheat authors used to SELL cheats to PAYING customers. The system simply reported if the MD5 hash matched the DNS for the known cheat DRM servers, once the cheat had been detected during gameplay already. The DRM servers were not running a website.
  • Why ban? (Score:5, Interesting)

    by MadCow42 (243108) on Tuesday February 18, 2014 @11:54AM (#46275949) Homepage

    Why not just shuffle anyone detected cheating into a separate game room? If they're paying customers, then they can all cheat together, and everyone wins.

  • Given the openness of SteamOS - I'm guessing the side effect would be to develop anti-VAC kernel modules to fool VAC into thinking everything's sane and good even if the user is cheating to heck and back (and unless VAC is using a kernel module, it's pretty hard to protect against it...).

    I mean, should Valve/Steam pull this off in the future, it's trivially simple for something the user puts on SteamOS to hide the DNS resolver cache, to hide the cheat processes and fake the file hashes from any process...

  • Anticheat software have been scanning memory forever.and when if scans memory it's obviously comparing data to a pattern to decide if tha'ts a cheat or not.

    Not sure what's the difference between you mail account lying open on the background holding all your personal communications beeing scanned by punkbuster or vac, or the dns cache beeing scanned too.

    Code caves, hooking, etc. I'm not sure if anticheat software can't beat online game cheaters.

  • by viperidaenz (2515578) on Tuesday February 18, 2014 @02:27PM (#46278009)

    1: Post image hosted on cheating server in a forum frequented by Value customers
    2: Wait for them to all get banned.
    3: ???

Going the speed of light is bad for your age.

Working...