by titlex on 2/17/14, 12:12 PM with 86 comments
by jimaek on 2/17/14, 1:03 PM
As someone who reverse engineers things for fun, and can read the C "pseudocode" generated via decompilation pretty easily, I am going to have to disagree with the assumptions made in this post.
First, there's no proof this is from Steam. I've poked around a few of the DLLs since I saw this and am unable to find anything even remotely close to what this does.
Second, this method does NOT send anything to Valve. This method grabs the DNS cache, yes. And it MD5s the entries, then it stores it. This method itself does nothing more with the hashes. For all we know VAC could be doing a LOCAL scan of the list, and comparing it to an internal list of "known" cheat subscription servers.
Until someone posts details of exactly where in Steam this is (What DLL is all that's required to verify), and the calling method that supposedly sends this information to Valve, I would take this with a very massive grain of salt.
So yeah, no proof it sends anything. It could be a local check.
by chippy on 2/17/14, 1:58 PM
http://www.reddit.com/r/technology/comments/1y4za5/steams_va...
"Yes, with some simple Wireshark analysis you can see it is being sent back.
1. Use Wireshark, join a local TF2 server, try and isolate the VAC IP address (they are not static, but use rDNS & whois the IP). Go by process of elimination. Happy to give you pointers if anyone is interested.
2. Use Wireshark and monitor the SSL communications of VAC for the first minute. Record the total size of outgoing packets (for me, I got 1.94 MB and 1.88 MB on my two tries -- the first time you join a VAC server and when modules update it's likely to be higher as it downloads its modules).
Note: Keep everything else constant - like what windows you have open, what processes you have running, etc.
3. Bloat your DNS cache. (What I did was edit my hosts file, used a script to add over 20k hosts [careful, actually crashed Notepad when I tried to read it])
4. Repeat step 1 and 2. I got 2.47 MB and 2.58 MB on two tries (first min of outgoing packets). This increase seems to be twice the amount 20k of MD5 hashes would take. Maybe a bug is causing it to be sent twice?
5. Clear your hosts file, flush DNS cache. Repeat step 1 and 2 again. I got 1.99 MB."
by mpeg on 2/17/14, 1:02 PM
It's not even what Valve and co are doing with the info, it's similar to the Sony rootkit case where the main worry would be that the rootkit could introduce security vulnerabilities.
by just2n on 2/17/14, 11:05 PM
To be banned because you visited a website is also an abusable medium. Similar to the memory and window name scanning VAC and other similar anticheats have done in the past (or continue to do). You could historically get people banned by just doing stupid things, like having an IRC title that shows up in mIRC's window name that's detected or sending someone a message via any chatting medium that has a detected substring.
Imagine you just send a tinyurl link to your opponents in an upcoming tournament. Or just embed a simple <img> tag in an otherwise harmless webpage (display: none, for example) so everyone who visits your website has that domain fresh in their cache. This kind of "evidence" quickly becomes useless because it can be used for nefarious purposes, which is why it should never be used at all.
This is not only ineffective, it's dangerous. And it's an invasion of privacy since you can simply create a rainbow table of domain names, as other people have pointed out.
Come on, Valve.
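Added example (not part of any comment in this thread, and not Valve's code): a sketch of why unsalted MD5 over domain names gives no privacy once hashes leave the machine, next to the local-comparison design that reports only blocklist hits. It uses a plain precomputed dictionary rather than a true rainbow table; the function names, the lowercasing step and all sample domains are assumptions constructed for illustration.

```python
import hashlib

def md5_hex(domain: str) -> str:
    # Assumption: entries are lowercased and hashed with plain, unsalted MD5.
    return hashlib.md5(domain.lower().encode("ascii")).hexdigest()

def build_lookup(candidates):
    """Precompute hash -> domain for every name the recipient can enumerate."""
    return {md5_hex(d): d for d in candidates}

def recover(hashes, lookup):
    """Map each received hash back to a domain, or None if it was not enumerated."""
    return [lookup.get(h) for h in hashes]

def local_match(cache_domains, blocklist_hashes):
    """Alternative design: compare on the client and report only blocklist hits."""
    return sorted(h for h in map(md5_hex, cache_domains) if h in blocklist_hashes)

# Constructed sample data (reserved example domains, not real cache contents).
CACHE = [
    "mail.example.com",
    "Bank.Example.org",
    "intranet.corp.example",
    "cheat-sub.example.net",
]
# Names a recipient could enumerate from public lists; the intranet name is absent.
CANDIDATES = [
    "mail.example.com",
    "bank.example.org",
    "cheat-sub.example.net",
    "news.example.com",
]
BLOCKLIST = {md5_hex("cheat-sub.example.net")}

def demo():
    uploaded = [md5_hex(d) for d in CACHE]       # design A: every hash is sent
    recovered = recover(uploaded, build_lookup(CANDIDATES))
    reported = local_match(CACHE, BLOCKLIST)     # design B: only hits are sent
    return recovered, reported

if __name__ == "__main__":
    recovered, reported = demo()
    print("recovered from full upload:", recovered)
    print("reported by local match:  ", reported)
```

Sending every hash exposes each enumerable hostname in the cache, while the local comparison discloses only the entries already on the blocklist.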
by ALpoe on 2/18/14, 1:11 AM
by fnordfnordfnord on 2/17/14, 1:39 PM
Adding 0x20 to any uppercase ASCII character will get you its lowercase equivalent.
by doctorderp on 2/17/14, 1:31 PM
A similar thing was done with PunkBuster: https://en.wikipedia.org/wiki/Punkbuster#Attacks_on_PunkBust... - since it was scanning all of your computer's memory for cheat signatures, you could just paste a fragment on IRC in order to get people banned.
by vinceguidry on 2/17/14, 1:05 PM
by pferde on 2/17/14, 2:03 PM
by Glyptodon on 2/17/14, 4:29 PM
by adwf on 2/17/14, 12:40 PM
Maybe that's just my optimism speaking though. Every good company turns bad at some point.
by tshadwell on 2/17/14, 12:53 PM
by dubcanada on 2/17/14, 2:31 PM
So far there seems to be zero evidence that this is used to send data to Valve.
by frankster on 2/17/14, 2:51 PM
by rincebrain on 2/17/14, 6:16 PM
by wnevets on 2/17/14, 3:22 PM
by kamakazizuru on 2/17/14, 12:31 PM
by ck2 on 2/17/14, 1:44 PM
Especially at an API level.
by hnha on 2/17/14, 3:58 PM
by blueskin_ on 2/17/14, 12:59 PM