Gabe Newell Responds: Yes, We're Looking For Cheaters Via DNS 511
dotarray writes "Valve has stepped up to answer allegations that the company's anti-cheat system was scanning users' internet history. Rather than a simple, sanitized press release or a refusal to comment on 'rumours and innuendo,' Valve CEO and gaming hero Gabe Newell has personally responded."
Newell or not, not everyone will like the answer. The short version is that Yes, Valve is scanning DNS caches, with a two-tiered approach intended to find cheating users by looking for cheat servers in their histories. Says Newell: "Less than a tenth of one percent of clients triggered this second check, accessing the DNS cache. 570 cheaters are being banned due to DNS searches."
Still abusive (Score:5, Insightful)
Sorry Gabe, you're not allowed to see my DNS history. You aren't allowed to see GabeNewellNatiliePortmanHotGritsFanFiciton.net in my history. That's not allowed.
Valve vs NSA (Score:2, Insightful)
I trust Valve more than the NSA.
The NSA doesn't protect me against hackers.
Why do we still allow this sort of overeach? (Score:4, Insightful)
The more I see stories about various programs accessing all sorts of stuff they aren't supposed to, the more I wonder why we still allow this? I use my browser for something, there shouldn't be any other program on the computer that knows about it. It's time we eliminate this idea that every app has access to every file on our computers. I really don't understand why sandboxing every app is not only not the default, but also very rarely even available on most operating systems.
It seems these days most apps are hostile to the users, it's time we treated them as such and stopped letting them have the run of our computers.
Surfing the sites won't trigger it (Score:2, Insightful)
VAC looks for the DRM servers that ensure you're a paying user of the cheat. Check the Reddit post.
They are non-www servers, so it would be special i (Score:4, Insightful)
They explain that these are non-www servers, so you can't visit them. They are used directly by the apps to find their license servers, it's not the servers where you can download the files.
And if you need to visit cheat sites for this, I would open them in some VM since these aren't the most trustworthy sites.
Better than nothing (Score:5, Insightful)
I don't like the answer, but it could be worse, and it's nice the director answered honestly.
Re:Still abusive (Score:4, Insightful)
The app is comparing DNS records with a client-side database of cheat sites, and if it finds a match sending it to Valve's servers for verification & ban-hammer. It's not sending every site you visit, unless the only sites you visit were via DNS records used by cheat developers.
Compare: We record images using your laptop's webcam, but we only look at them if our software algorithm thinks the images show you doing something that violates our ToS.
Re:Why do we still allow this sort of overeach? (Score:5, Insightful)
We tolerate it because cheaters ruin games. If do not want to play the game, or do not want your privacy violated, then do not play games on Steam.
For those of us that do play games, and do play them honestly, this is another step in the right direction. Cheating simply kills these games. I am willing to give up a bit of privacy in exchange for fewer aimbots and wallhacks in the FPS games that I play. If you read the article, or the comments, you would realize that the DNS scanning is a second level of review that takes place when other indicators point towards a person who might be cheating.
Re:Still abusive (Score:5, Insightful)
Re:Still abusive (Score:5, Insightful)
did you even read his response? They look for indications that the cheat is in play, THEN they check DNS as verification...
Explaining something does not justify it. They should not go rummaging through my computer. Period.
Re:Still abusive (Score:2, Insightful)
I am not a gamer so I don't know if this is permitted by their TOS.
However, I don't care if they are sending a hash or the actual DNS inquiry. If they have a matching hash on their end, they are simply translating one entry into another form and back again. How do we know the limit of hashes for sites they have accumulated outside of known cheat sites?
If their TOS permits it, well, then buyer beware. But, I remember how everyone kicked and screamed when Apple and Microsoft did similar things.
They ARE examining your personal DNS history cache and sending, supposedly, matching entries. That is spyware - pure, simple and evil.
Re:Still abusive (Score:5, Insightful)
This isn't quite the same as that old "well, just don't use it" canard.
Valve was engaging in a set of behaviors which you considered acceptable, and so "purchased" (more on why "purchased" is in quotes in a second) some games from them.
They've changed their behavior. Let's say you don't want to do business with them anymore. You could, of course, stop using Steam ... and lose access to all your games, which you probably thought you "purchased" in some sort of "I can use it for the rest of my life" sense, but actually just got a license to use for as long as they feel like it. This is different from a "service" where the expectation is that the benefit you're getting from them is recurring on some sort of cycle.
Someone will, doubtlessly, point out that you can put the Steam client into offline mode. To which I'll say that you can't do it indefinitely. To which they'll say "but Valve says you should be able to do that," to which I'll point to http://www.pcgamer.com/2013/11... [pcgamer.com] which basically says "Valve says they want to make offline mode work 'forever', but they're not there yet."
It doesn't really matter, IMHO, that the scope of what they did here was relatively minor. The issue is that Valve, much like Sony, feels like they can trawl through your computer in areas that have nothing to do with playing the game. Today it was minor because it makes sense to start small; but if they feel comfortable trawling your DNS history -- and Newell clearly says that he has no problem with this practice -- what else do they feel comfortable doing?
Re:Still abusive (Score:5, Insightful)
That's all fine and well and I don't have any problems with that... provided that system is ONLY activated for multi-player games. If I - or anyone else - wants to cheat in a single-player game (even if the game itself has multi-player, but the cheating happens in a single-player campaign) that's my - or their - own business and nobody SHOULD be able to prevent anyone from doing that, let alone BAN based on that.
I hate, hate, HATE cheating in multi-player games. I don't usually do it in a single-player game either, but there have been occasions when I've played a particular game n+1 times through and I just want to have some fun and see what is possible with cheats. This SHOULD BE allowed in all instances, as it does NOT, in any way, shape or form harm - or indeed affect - anyone else's gameplay.
I sincerely hope that system does not flag anyone based on cheats used while playing single-player. At MOST what a system like that should do, is disable on-line functionality while the cheat is in use. Nothing else. At LEAST not BAN anyone based on that, that just insane.
Re:Still abusive (Score:5, Insightful)
I am not the person you are responding to, but for my part:
At this stage I have no real gripe at all and would have opted into this without hesitation, had it been disclosed. (I also understand that disclosing it mitigates its effectiveness as the cheat makers will now all switch to ip based lookups, or rotating dns names etc to make detection more difficult, however, as this cat and mouse game between valve and cheaters is being waged on MY computer I still feel I should have some idea what is going on.)
That said, I do find it... somewhat disturbing that they took the liberty they did. The fact that they didn't abuse it still raises the issue that they could have.
When the next shoe drops will it be revealed that some anti-cheat / anti-virus / anti-malware software is quietly reading my bank statements when I view them online automatically for evidence of cheating / infection / whatever.
And it raises the point yet again just how little we collectively realize what applications are doing with data on our system, how desperately we need to figure out how to mainstream sandboxing / selinux type permissions / application partitioning etc in a way that makes it both easy and reliable, and how much information even the host operating system leaks about us to other applications.
Re:Still abusive (Score:5, Insightful)
OK, I'm going to rant a bit here, and it's not specifically directed at the parent comment.
Hashs are NOT a form of magic pixie dust you spread on information to make them magiclly private.
Consider:
You enter your SSN, the app hashes it and then sends it to me to compare against a hashed list of SSNs from some other source. I never get your unhashed SSN.
Are you safe?
No. There is NOTHING preventing me from hashing every possible SSN and comparing them. the total number of possible SSNs (ignoring for the moment that I can narrow the attack space significantly by ruling out SSNs that have not been issued yet) is not computationally prohibitive to search, even salted.
OK, now bringing us back to the case in point.
Does hashing the DNS address provide you any useful privacy preservation benefit?
Well Valve has already said that they have a list of DNS addresses they're searching for. Ergo, they have hashed that list ot compare against your DNS. How hard would it be to hash the $(sites viewed as evil by your cultural/legal framework) and compare it to your hashed DNS list. Trivial.
Do you feel like your privacy is preserved?
Min