Valve DNS privacy flap exposes the murky world of cheat prevention - ghosh
http://arstechnica.com/gaming/2014/02/valve-dns-privacy-flap-exposes-the-murky-world-of-cheat-prevention/

======
TazeTSchnitzel
Anti-cheat systems are something I feel are a necessary evil. They're opaque,
proprietary black boxes, but I'll accept them for the sake of myself and
others having a more enjoyable gaming experience.

> Cheat versus trust is an ongoing cat-and-mouse game. New cheats are created
> all the time, detected, banned, and tweaked. This specific VAC test for this
> specific round of cheats was effective for 13 days, which is fairly typical.
> It is now no longer active as the cheat providers have worked around it by
> manipulating the DNS cache of their customers' client machines.

Damn.

~~~
TheCapn
I get news of hacks irregularly from Reddit's CounterStrike community and I
have to say, it's a losing fight for systems like VAC that try their best to
adhere to user rights of privacy. Certain hacks essentially hook themselves
into your PC at the kernel level and are nigh indistinguishable through scans
of any type. Anti-cheats are left with a set of heuristics that try to identify
a hack based on behaviors that are easily manipulated and faked. VAC in
particular is pretty rigorous in that they attempt for 0 false positives and
have done pretty well overall.

Some of the more recent anti-hack work involves recognizing patterns of
commands sent from the client to detect when inhumane actions occur such as
impossibly fast reactions or aim adjustments. The way I see it, hopefully this
style of anti-cheat, although reactive, will prevent any hack from being
useful as the advantage of using it is immediately taken away. Things like
trigger hacks and wall hacks are still not yet detectable through these means
but it's a step in the right direction.

~~~
zimbatm
In minecraft some servers send fake blocks to the client until they are close
enough and visible. That prevents hackers from looking for specific types of
valuable blocks like chests and diamonds using x-rays. The drawback is that if
the server doesn't send the updates fast enough you might think you've hit a
diamond block until you get the update.

------
gruturo
Gabe Newell himself gave a nice explanation in a related Reddit thread:
[http://www.reddit.com/r/gaming/comments/1y70ej/valve_vac_and...](http://www.reddit.com/r/gaming/comments/1y70ej/valve_vac_and_trust/)

~~~
JetSpiegel
"This specific VAC test for this specific round of cheats was effective for 13
days, which is fairly typical. It is now no longer active as the cheat
providers have worked around it by manipulating the DNS cache of their
customers' client machines."

Spooky

~~~
shultays
Wow, not because you know, privacy is important. Because it is no longer
effective

~~~
AimHere
Right. Gabe isn't admitting to wrongdoing here, since Valve feels that the
particular check was limited enough to be a reasonable countermeasure.

According to Gabe, this module was not aimed at scraping anyone's web usage or
browsing history (not even for game cheat sites), but just to detect whether a
machine was likely to be automatically dialing a hack's DRM server, and then
sending hashed copies of those, and only those, entries to Valve to flag as a
potential cheat. I can imagine that a lot of the gaming community would
consider that reasonable behaviour, if it was effective at cutting down on
cheats.

Whether Valve is telling the truth, I don't know. I suspect so (Gabe seems
smart enough not to try lying to the internet, though, so any deception is
likely to be that of omission). Whether this is right or wrong is a matter
between you and your shaman/vicar/rabbi/mullah/conscience/etc.
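The check described in this comment, a client hashing its DNS cache entries and reporting only those digests that appear on a list the server supplied, can be shown in a few lines. The block below is an added illustration for this thread, not Valve's code or anything from VAC; the blocklist domains, the cache snapshot and the SHA-256 choice are all constructed assumptions. It also shows the caveat a privacy reviewer would raise: hashing a list of public domain names hides them from a casual reader but not from anyone willing to hash guesses, so the hash list is a filter, not a secret.

```python
import hashlib

def normalize(name):
    """Canonical form so 'Foo.Example.' and 'foo.example' hash identically."""
    return name.strip().rstrip(".").lower()

def sha256_hex(name):
    """Digest of a normalized DNS name (SHA-256 is an assumption here)."""
    return hashlib.sha256(normalize(name).encode("utf-8")).hexdigest()

# Constructed blocklist. Only the digests would be shipped to clients;
# the plaintext names stay on the server side.
BLOCKLIST_DOMAINS = [
    "license.example-cheat-drm.test",
    "auth.example-cheat-drm.test",
]
HASH_LIST = frozenset(sha256_hex(d) for d in BLOCKLIST_DOMAINS)

# Constructed DNS cache snapshot: the names a resolver cache might hold.
SAMPLE_CACHE = [
    "www.wikipedia.org",
    "mybank.example",
    "LICENSE.example-cheat-drm.test.",   # same host, different case and trailing dot
    "cdn.example-game.test",
]

def matching_hashes(cache_entries, hash_list):
    """Hash each cached name locally; return only digests present in hash_list.

    Non-matching names are never returned, so a report built from this
    function carries no information about them."""
    local = {sha256_hex(n) for n in cache_entries}
    return sorted(local & set(hash_list))

def build_report(cache_entries, hash_list):
    """Shape of what would leave the machine: just the matching digests."""
    return {"matches": matching_hashes(cache_entries, hash_list)}

def dictionary_recover(hash_list, candidates):
    """Caveat: whoever holds the hash list can test candidate names against it
    and learn exactly which ones it contains. Hashing hides the list from a
    casual reader, not from anyone with a list of guesses."""
    return sorted(c for c in candidates if sha256_hex(c) in hash_list)

if __name__ == "__main__":
    print(build_report(SAMPLE_CACHE, HASH_LIST))
    print(dictionary_recover(HASH_LIST, ["auth.example-cheat-drm.test",
                                         "www.wikipedia.org"]))
```

Note that `build_report` deliberately omits the number of entries scanned and the non-matching names; whether a real implementation is equally restrained is exactly the question the thread is arguing about.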

~~~
_delirium
> dialing a hack's DRM server

Huh, I didn't realize that nowadays cheat mods charged money and protected
themselves with DRM. When I used to dabble in such online games, the
cheats/trainers/etc. typically came from the same groups that cracked games'
DRM, rather than themselves having DRM.

Are there cracking groups that strip DRM from DRM-using cheats?

~~~
JetSpiegel
Corporate interests ruin everything, even cheats.

------
mentos
What will we do when hackers set up a camera and a robot with rubber fingers
to cheat in games? Reminds me of the story of Thomas Peterffy the 'father of
high speed trading':

"It wasn't until 1987 that Peterffy was able to take people out of the loop
entirely. With the world's first electronic stock exchange, the NASDAQ
terminal, traders could type in orders directly into a computer.

Peterffy didn't want to type in the orders. He and his engineers hacked into
the NASDAQ terminal and wired it up to their own computer, which traded
automatically based on algorithms.

A senior NASDAQ official saw Peterffy's setup and said Peterffy was breaking
the rules: All orders had to be entered through the keyboard. He gave
Peterffy's group one week to fix the problem.

Peterffy and his engineers came up with a solution. They built a robot with
rubber fingers that typed entries into the keyboard. It satisfied the NASDAQ
rules. And on active trading days, the robot typed so fast it sounded like a
machine gun."

~~~
kibwen
That's an interesting story, but not how these cheats operate. Most cheats
either allow access to abilities that cannot be performed via normal keyboard
input (flying, moving through walls, item duplication, instant LOS kills) or
grant the cheater information not available to a normal player (wallhacks,
maphacks).

That said, it's fun to try to think of ways in which a robot reaching over
your shoulder could somehow give you an unfair advantage... perfectly-timed
bunny jumps, perhaps.

~~~
comex
I think you're missing the big way - aimbots. You'd have to do some nice low
latency computer vision to detect enemies, but it could theoretically be just
as effective as a regular aimbot.

~~~
Dylan16807
Regular aimbots use nonvisible information.

------
coldcode
Cheating in MMO games is always a battle. I actually worked on a system for a
game company I worked for. It had only a single cheat provider and I found a
way to detect people using the cheat without being detected in turn. This is
probably one of the hardest types of coding to do; you are blind as to what the
cheat provider might do in the future, and they have to be really clever to
hide what they are doing. This isn't DRM, this is making a game fair to all
the players. Some players don't want to play the game fair and want to cheat,
which never made sense to me, as how is that fun? It's like robbing banks for
money: why work like all the suckers who put their money in the bank? But if
you work you want your money safe.

I do admit it was a lot of fun and incredibly difficult coding to do, the
cheat provider programmer was very clever. No clue if it still works today
since I left a while ago. It was like military defense vs offense; each side
keeps upping the ante and you have to respond.

Oh and it was for Windows and custom code but not this.

~~~
nousernamesleft
>Cheating in MMO games is always a battle

Cheating in MMOGs isn't much of a battle. Do everything on the server: problem
solved. Consider UO did this correctly in 1997 and yet games like WoW came out
much later and still did it wrong (let the client choose its x,y,z position
and tell the server, rather than asking the server "is it legal for me to move
to x,y,z?").

It is faster paced games where you can't do everything server side that are
the problem, first person shooters being the prime example.

~~~
sehrope
> It is faster paced games where you can't do everything server side that are
> the problem, first person shooters being the prime example.

First person shooters can be ( _and I believe usually are_ ) done server side.
Official movement, firing, health, and overall physics is handled 100% on the
server. To smooth things out though, the client interpolates its view of the
world.

For example let's say you fire your gun at a person right in front of you. The
server would have final say of whether you actually hit the target. Rather
than waiting for a round trip to the server, your client may choose to
immediately show some blood/shrapnel effects to give you the illusion that you
hit them. If you actually did, the server will handle the health deduction. If
not, you probably wouldn't even notice.

~~~
nousernamesleft
First person shooters are split, part server and part client. For example, an
enemy comes in range of you, your cheat automatically triggers a "shoot at the
precise direction of their head" command to be sent to the server. The server
does not check if you were actually facing that direction, it does not check
if you actually turned to face them in a manner that a human could. So things
like aimbots are common where you literally click "next target" and it cycles
through all the enemies' heads. There is really no way to prevent this kind of
cheating. Slower paced RPG style games where you just send "attack target with
ability X" can be handled entirely server side. As we start seeing more fast
paced action style MMOGs and fewer "computer reproduction of pen+paper+dice"
style MMOGs the line gets blurred and more impossible to deal with cheats
become problems.

~~~
JoeAltmaier
But, but, you just said how to prevent it! "Check if you actually turned to
face them..." would work just fine?

~~~
nousernamesleft
If you just check that they did face the right way, then cheating is still
trivial. Just instantly turn and fire instead of just firing (this is what
aimbots actually do anyways). The problem is you can't have the client send
all 1000 "the mouse position changed" events to the server and have it approve
them to ensure that you actually moved the mouse rather than just instantly
changing to pointing straight at the enemy's head.

~~~
Retric
You can't validate each mouse click before updating the client's view, but you
can do the same aim validation as you do movement validation to prevent
teleportation or excessive movement. Basically, validating 1,000 motions a
second is no problem, it's latency that's the issue. So now you can still cheat
but you're limited to human reaction times or the server can detect and boot
you.
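The server-side validation this sub-thread converges on (accept a reported position or view direction only if a human could have produced the change since the last tick, and count anything else as a strike) is sketched below. This is an added example written for this thread, not code from any game or anti-cheat; the tick rate, speed cap, turn-rate cap and strike threshold are constructed tuning values, and the sample input stream is constructed too. The check is per tick, so it costs nothing beyond the work the server already does for movement, which is the point Retric makes about throughput versus latency.

```python
from dataclasses import dataclass
import math

# Constructed tuning values; a real game would derive these from its own
# movement model and from measured human input.
TICK_S = 1.0 / 64.0            # server tick length (64 updates per second)
MAX_SPEED = 320.0              # units per second a player can legitimately move
MAX_TURN_DEG_PER_S = 1800.0    # fastest turn rate treated as humanly plausible
TOLERANCE = 1.05               # 5% slack for timing jitter
STRIKES_TO_KICK = 3            # violations before the session is dropped

@dataclass(frozen=True)
class PlayerState:
    x: float
    y: float
    z: float
    yaw: float    # degrees, horizontal look direction
    pitch: float  # degrees, vertical look direction

def angular_distance_deg(yaw_a, pitch_a, yaw_b, pitch_b):
    """Angle between two view directions given as yaw/pitch in degrees."""
    def to_vec(yaw, pitch):
        y, p = math.radians(yaw), math.radians(pitch)
        return (math.cos(p) * math.cos(y), math.cos(p) * math.sin(y), math.sin(p))
    a, b = to_vec(yaw_a, pitch_a), to_vec(yaw_b, pitch_b)
    dot = max(-1.0, min(1.0, sum(i * j for i, j in zip(a, b))))
    return math.degrees(math.acos(dot))

def validate_tick(prev, claimed, dt=TICK_S):
    """Return (accepted_state, violations) for one client update.

    Position and aim are checked independently against what dt seconds of
    human input could produce. A rejected component keeps its previous
    value, so a cheat that snaps gains nothing on the server's view."""
    violations = []
    dist = math.dist((prev.x, prev.y, prev.z), (claimed.x, claimed.y, claimed.z))
    if dist > MAX_SPEED * dt * TOLERANCE:
        violations.append("teleport")
        x, y, z = prev.x, prev.y, prev.z
    else:
        x, y, z = claimed.x, claimed.y, claimed.z
    turn = angular_distance_deg(prev.yaw, prev.pitch, claimed.yaw, claimed.pitch)
    if turn > MAX_TURN_DEG_PER_S * dt * TOLERANCE:
        violations.append("aim_snap")
        yaw, pitch = prev.yaw, prev.pitch
    else:
        yaw, pitch = claimed.yaw, claimed.pitch
    return PlayerState(x, y, z, yaw, pitch), violations

def run_session(start, claimed_states, dt=TICK_S):
    """Feed a stream of per-tick claims; stop early once strikes reach the cap."""
    state, log = start, []
    for tick, claimed in enumerate(claimed_states):
        state, found = validate_tick(state, claimed, dt)
        log.extend((tick, name) for name in found)
        if len(log) >= STRIKES_TO_KICK:
            return {"state": state, "violations": log, "kicked": True}
    return {"state": state, "violations": log, "kicked": False}

# Constructed stream: two ordinary ticks (3 units, 10 degrees each), then a
# 50-unit position jump, then a 90-degree aim snap, then another ordinary tick.
SAMPLE_STREAM = [
    PlayerState(3, 0, 0, 10, 0),
    PlayerState(6, 0, 0, 20, 0),
    PlayerState(56, 0, 0, 20, 0),
    PlayerState(9, 0, 0, 110, 0),
    PlayerState(12, 0, 0, 25, 5),
]

if __name__ == "__main__":
    print(run_session(PlayerState(0, 0, 0, 0, 0), SAMPLE_STREAM))
```

At 64 Hz the caps work out to about 5 units and 28 degrees per tick, so the jump to x=56 and the 90-degree snap are both rejected while the surrounding ticks pass; a cheat constrained this way is reduced to the turn rate a human could also achieve, which is the bound Retric describes.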

------
koobarbara
The funny thing about this whole ordeal is that never was it mentioned that
the code sends these data anywhere.

~~~
hedwall
In the original reddit post linked to it was alleged that VAC sent the entries
to Valve.

~~~
koobarbara
Several posts said that the "sending" part was not seen in the code. The
original cheat site didn't mention sending either.

~~~
sp332
This comment shows the data changing depending on your DNS entries
[https://news.ycombinator.com/item?id=7252068](https://news.ycombinator.com/item?id=7252068)

~~~
Dylan16807
Not enough samples.

------
nfoz
Am I the only one OK with "cheating"?

The line between what is "tool assisted", "bot" etc. is entirely artificial,
just like "no drugs" is artificial and awkward to deal with in sports. If
you're spending $1000 on a fancy computer mouse with special buttons, I don't
see why that's much different than if I code myself a smarter mouse driver
that autosnaps to enemy faces.

The intellectual exercise of botting is fantastic anyway, and I'd rather see
my gamer friends doing _that_ than playing the games vanilla ;)

Online games require a gentleman's agreement about what is OK behaviour.
Individual communities should be hosting their own game server instance and
allowing people in that follow their friendly rules.

The idea that I'm "not allowed" to "bot" a game is offensive to me in the way
that "no reverse engineering" clauses in license agreements are offensive. I
do love playing games, and don't normally bot anything (except netcraft this
one time.. o_O), I concede there's a conflict here, but I err on the side of
my personal liberty rather than convenience of playing games. I wish others
would do the same...

~~~
lost_name
I'm not sure how many games have done this, but the concept of the "cheater's
island" came up somewhat recently -- I want to say Max Payne 3 did this first,
but I'm not sure.

Basically, players who have been detected as cheaters only end up with other
players who cheat. The problem is once you're on the island, you're probably
not getting out.

I personally favor this solution over the outright banning of players.

~~~
oakwhiz
This is similar to the practice of "hellbanning" but I think it is a more
friendly solution. Valve's VAC system is similar because VAC-banned players
are still able to play on non-VAC servers (with other cheaters and pirates.)

------
kbar13
Remember when ESEA's anti-cheat implementation also had a bitcoin miner built
into it?

[http://play.esea.net/index.php?s=esports&d=comments&id=12692](http://play.esea.net/index.php?s=esports&d=comments&id=12692)

------
belorn
Systems like this are walking a very thin line.

> cheat software has its own DRM systems so that the developers can ensure
> that people pay for their cheats. If the VAC module detects certain cheats,
> it then checks to see if the system has performed lookups for the relevant
> cheat DRM servers.

The program could also hijack the user's bank session in order to check if
any payment has been made. This would have the same result on a technical
basis as digging through the user's DNS history to see if the client has contacted
a cheating tool's DRM server.

Is there any technical line that anti-cheat systems can't cross? I do like the
gaming experience anti-cheat systems create, but at the same time, I would
like that the OS prevented _any_ program from accessing the DNS cache without
my expressed and informed consent.

~~~
UnoriginalGuy
> I would like that the OS prevented any program from accessing the DNS cache
> without my expressed and informed consent

Not technically feasible. Even if the OS didn't allow direct access to the DNS
cache, a program could very easily infer if a result was cached based on the
query response speed.

Plus anti-cheat typically runs as an administrator or root.

> Is there any technical line that anti-cheat systems can't cross?

Illegality for one. Stealing someone's banking session and monitoring their
payments is almost certainly illegal, pulling up the DNS cache and seeing if
they requested the IP for a choice domain is not.

~~~
belorn
Is pulling up one's bank history and seeing if it includes a choice transaction
different from pulling up one's DNS history?

If the intention is the same (preventing cheating), I don't know if a judge
would rule differently based on the technology used. Both techniques steal
computer resources (CPU, memory and disk usage), and both steal private
information in order to achieve their goal. Would you be sure that knowingly
using a computer service (the dns cache) without authorization is legal? Or for
that matter, is computer trespass illegal in general if done for the explicit
purpose of anti-cheating? The law as described requires "intent to commit or
attempt to commit or further the commission of any felony".

[https://en.wikipedia.org/wiki/Computer_trespass](https://en.wikipedia.org/wiki/Computer_trespass)

~~~
Dylan16807
> steals computer resources (CPU, memory and disk usages)

No.

------
dmead
in case anyone is interested, one of the dominant cheat providers seems to be
this:

[http://www.deadc0deshop.net/](http://www.deadc0deshop.net/)

a cat and mouse game, but interesting nonetheless

~~~
gateaumoisi
note that visiting this website will just add your steam account to the vac
watch list ;)

~~~
kabdib
No, it won't.

------
venomsnake
And that is why a person should always run steam-likes in sandboxie or similar
software.

~~~
jsheard
I'm not sure if that would work. Steam installs a sudo-like system service, so
it can update games in Program Files without nagging the user to elevate to
admin. Depending how it's launched it might sneak past the scope of Sandboxie.

~~~
mpeg
It will, most anti-cheat software operates as a device driver so they have
access to the WDK libraries.

Valve isn't even the worst offender, some other anti-cheat will not allow you
to run ANY virtualization software while the anti-cheat is active.

------
JetSpiegel
Way to make a mountain out of a molehill.

Oh, wait, it's Peter Bright, nothing to see here. Move along.

------
mariuolo
Does it happen on the Linux version as well? Would running it in a LXC
container mitigate that problem?

------
arca_vorago
My reddit reply to GabeN got hellbanned... I want to see more data from more
sources on where the check is done.

Comment: "So you are saying that the tests people had done by bloating DNS and
watching traffic that noticed a correlation are wrong, and only hashes that
meet a list sent to the client are checked and sent back to Valve? Why would
the data sent back to Valve increase on systems without cheats when nothing
other than loading many DNS entries is different? Where is the check done?..."

------
Shahidul1990
Excellent

