Hacker News new | past | comments | ask | show | jobs | submit login
Keyhole – Forge own Windows Store licenses (massgrave.dev)
638 points by tuxuser 29 days ago | hide | past | favorite | 296 comments



So, just stating the obvious, you can now (¥) download all xbox games directly from the microsoft store for free? I.e. the xbox is - for now - as completely hacked as the PS Vita?

(¥) you might have to figure out some details


Yep. This seems to be the most overlooked part of the article, although maybe the most interesting.

Unfortunately not for anyone who has activated the auto-update feature on his/her Xbox, as the latest system software version seems to include a higher kernel version than supported by the collateral-damage exploit.


Exactly why you should never, ever, enable auto update, for anything. Too often it ends up breaking something or patching something you don't want patched. It allows a profit seeking company to enable or disable software functionality on your device, regardless if it's in your interest.


It should be noted that unless you've modified an Xbox One, from what I understand you cannot stop it from auto updating unless you permanently disconnect it from the internet (which will cause your licenses to eventually expire, in the year timespan or so), new launch games won't run (they're tied to a minimum version of the OS).


Wow, so it's a ticking time bomb, that should be illegal.


I agree that the device updating without your consent should be illegal, but new games requiring the updates seems fair enough: the Xbox can still run all of the games it was advertised to be able to do so at launch, and if game developers could not rely on the presence of system updates, Microsoft would just release an entirely new, incompatible Xbox instead. I think that updates are fine so long as you can update and roll back whenever you want to.


The PSP had firmware updates as well, and certain games strongly encouraged you to do so. But many had a workaround: The firmware loaded from the UMD itself. This meant your minimum firmware version could be rolled back, or that in some cases you didn't need to update and then rollback at all, as it was all loaded from the UMD. No matter what though, Sony mandated that all games support a minimum version. The last minimum version I remember was 3.00 from 2007 that introduced MemoryStick verification as an alternative to UMD verification because the PlayStation Store necessitated the ability to run without UMDs, and the final firmware update being 6.60 from 2011.

We could easily go back to installing firmware on-disc or in-download and only calling it at runtime. We won't because devs are in a desperate and futile campaign to outrun console modding (and to some extent piracy) they can't control. With consoles moving to common PC hardware rather than custom hardware like Flipper or Cell they're just going to get broken into faster and faster, so the only bet is harsher and harsher DRM on the software side. AMD straight up sold PlayStation 5 defects as the AMD 4700S "all in one" board.


>and the final firmware update being 6.60 from 2011

6.61 from January 2015[1].

[1] https://www.psdevwiki.com/psp/index.php?title=Official_Firmw...


Depending on if you consider "authorization" to require consent or informed consent, it already is illegal behavior under CFAA.


That would require a pretty creative interpretation of the CFAA.


The CFAA's broad enough so as to allow a lot of creative interpretation. A journalist using view source was breaking the CFAA was one district attorneys view.


This is the only carve out I could find for manufacturers of computers:

> No action may be brought under this subsection for the negligent design or manufacture of computer hardware, computer software, or firmware.

I guess Microsoft could argue their entire operating system business, app store, and update infrastructure are intentionally negligent, and so not covered.

I’d think a reasonable court would say that it’s working as designed, and therefore not covered by the carve out.

https://www.law.cornell.edu/uscode/text/18/1030


Intentional negligence is not a thing in law.


The same is the case with the Xbox Series X/S. I was shown three options for the last update: [Update Now] [Continue Offline without Updating] [Shut Down Xbox].


right, so at this point you dont own the device any more, you are renting it.


Which is exactly what you agreed to in the terms of service you evidently did not read

I want to be the only cheater in my lobby.


How can I read the terms of service when I need to pay for the device first?


ah yes, the legally unenforceable overbroad terms of service? those?


> (which will cause your licenses to eventually expire, in the year timespan or so)

Can you manually modify the system clock? If so you could roll the calendar back every 3-6 months.


Yup, 100%. My golden rule of computers is:

If it's working right now, an update can only cause it to break. The best case scenario is that it still works. Why would your roll the dice?


Golden rule to get exploited


the "but muh security" argument is absolute horseshit 99% of the time. and the 1% that actually need it, are going well beyond automatic updates to secure their systems.


If you look at the background radiation of the Internet of automated things just hitting services to probe for exploits, they are most commonly looking for exploits from bugs in older software.

There's a timing argument - that unless you're at risk of zero days (like you're the DOD) - that you probably don't need to upgrade immediately. But it seems unarguable to me that the longer you wait, the greater the risk from a security perspective.

As always, security is a trade off. Risk of breaking from an update has to be balanced against risk of exploit. I'd argue the latter is going up more quickly than the former.


How many actual zerodays are there that don't require you to ALSO be doing something dumb per year? It seems exceedingly rare. I understand the argument if you're talking about like, a server running some CMS or whatever, sure that's gonna get pwned because it's a big target so it's worth going after. Your natted personal machine? You're fine unless you're running executable off random russian sites (and even then you're probably fine if you're getting your shit from reputable shady sites)


There was that Windows IPv6 no click zero day within the last couple of weeks


good thing i disable IPv6 at home because it's an annoying pita and i run no machines with windows in the cloud, checkmate :P

on a more serious note though I don't think machines with ipv6 enabled that are behind a NAT are likely to be vulnerable to this, i suppose maybe wormable if you can natpunch through some p2p voip or gaming service, it's the sort of patch i would probably install if i were made aware of it (if i had ipv6 enabled), but being made aware of it doesn't like, leave me worried, and i don't consider it to be likely to affect me unpatched


>I don't think machines with ipv6 enabled that are behind a NAT are likely to be vulnerable to this

Would you be interested in educate yourself about IPv6?

https://ipv6.he.net/certification/


No, I'd rather just keep turning it off. Though if you're interested in telling me why I'm wrong concisely instead of being snarky I'll read that.


NAT and IPv6......you really should educate yourself about it IPv6 is not "that" new...trust me (bro). You know, keep learning is a big part of life ;)


No, this is a crazy take, old versions of software are usually rife with exploits, where everyone knows about the bug.


It's really not, I never upgrade anything and I haven't been pwned in like a decade. (Or maybe I have been pwned but not in a way that's affected me at all so you know, whatever)


On an internet exposed server?


While sibling comment is correct about the discussion I do have a few VPS I've had around for a while (<5 years with only password based SSH too because keys are annoying asf to manage when you're like, on your phone trying to do something etc) and I barely ever upgrade those and everything seems fine. They have DNS pointed at them too so it's not like they're secret in any way.

I suspect it's because I don't use many common software packages so the attack surface is small-ish.


What's difficult about managing keys? I use key login with termux and if anything it's easier because typing passwords (or anything) on a phone is tedious.

Agree in general that people wildly overestimate the risk leaving things alone. e.g. nginx hasn't had a security advisory affecting basic http 1.1 serving static content without TLS in many years. And of course desktops are behind stateful firewalls.


For me a big appeal of having a "home" environment on a VPS is that I can just do useful things from any computer-like device, that's not really possible with keys. Rather than fucking around with keys I can just SSH in from wherever and roll the password when I'm done. High entropy non shared passwords are just fine, you'll get your IP timed out after a couple attempts, nobody is throwing a botnet at bruteforcing my pass.


thats not what the discussion is about, stop hijacking the thread to push your narrative.


I understand that auto updates aren't ideal, because they cause breakage (most of my systems dont auto update), but I don't get not updating your systems at all.


Attacks get automated and targets are no longer hand-picked. Having many unpatched systems makes the environment ripe for self-replicating worms.


so true - the few who are at risk of real exploits are already aware of this and do more than just system updates

I only let my browser autoupdate (somewhat reluctantly) since I view that as the most likely security issue on my winpc but when I used to let win10 autoupdate (and other garbage dell drivers), things would start breaking after each update

this also applies to phone app updates - I only update if there's a reason to, not just for the sake of updating...

and people wonder why I have the best working phone and pc at the office...


> the few that are at risk…

Boxes get popped all the time. Why are you painting such a dishonest picture?

> and people wonder why I have the best working phone and pc at the office...

Probably because you know about computers. Nothing to do with your poor security practice.

And this still doesn’t say anything about the explicitly absolutist advice in the parent comment. “No matter the circumstance, turn auto-update off! Just in case you want to partake in some piracy!”


> Probably because you know about computers. Nothing to do with your poor security practice.

IME knowing about computers is what causes auto-update to break things. Because you actually rely on the kind of things that it would break.


The arch rule says update btw


Absurd. There are benefits to enabling auto-updating (security, etc). One should weigh up the costs / benefits oneself and make a call based on that. As usual, such absolutist guidance is hyperbolic.


Yeah, never ever make sure you are patched against hackers who can exploit your devices...


Nobody should follow this advice. Not least because you (the person giving it) wouldn’t have to live with the consequences of following it, but mostly because it’s idiotic.


Total tangent, but extremely interested in the use of the Yen/Yuan sign as a footnote marker. Is there some history here I’ve overlooked or is this just arbitrary?


Haha - i was looking for ¹, ² or § but couldn‘t find them on my german ipad onscreen keyboard, so i improvised.


Interesting that you'd use "Section", "§", as a reference marker. Asterisk (*), and dagger (†) are common reference markers in British English, but not the section sign, aka "silcrow".

Is that a common usage /auf Deutsch/? Such use is listed on the Wikipedia page, but it's a use I don't ever recall having seen before.


I'm wary of using the asterisk in internet forums, or really in almost any textual exchange online these days, because everything tries to parse text as markdown, and I am never sure whether or not my asterisks will get eaten.

Especially on sites like this one, which have no previews.


On HN you just escape as \* to avoid it doing italics, but I agree that using characters that uniformly work is sensible


It's common in some contexts, in particular ¹/²/... is common for footnotes in handwritten and digital texts.

§ is a bit less common but iirc used in some legal texts. It's also easy to use on ANSI German keyboards with shift+3.


I usually do it like this[1], if that helps.

[1]: Borrowing syntax from Markdown.


I learned BASIC programming on a VIC-20, and I typed in so many "A$, B$, C$", for decades thereafter I pronounced "$" as "string" ("A-string, B-string", etc); it got weird as I discussed Perl scripts with coworkers...


Hah, I did this as well but on a TI-99-4A. Stopped a long time ago but yes var$ would have been pronounced var-string, even in context of later gwbasic, qbasic etc.


So many memories just flooded my brain of using § for Minecraft Pocket edition...


you have tp hold a key longer and then there it is. i think it was „s“


Typing this from a German iPad keyboard. It’s the ampersand key (& → §).


oh interesting, using "section" as footnote marker is more alien to me than using yen


I've not seen it used this way before but it is similar enough to the dagger and double-dagger symbols that the intent to use it as a footnote marker is clear.


Now I just wish this could give me a license to install the Lego Boost for Windows 10 app that used to be on the windows store until 2020...

From my understanding, if you have the license, then you can still download it but it's not available for new users.


try https://store.rg-adguard.net/ to download the app, and then either keyhole to license it or just unpacking it and installing it in developer mode.


Thanks a lot, I didn't know this worked.



I tried that and it'll be great when my kid is older but the Lego Boost app has some kind of gamification built in that's honestly pretty sweet and is a good gateway I think.

Right now, I'm using an android emulator to be able to run the app on a laptop (we don't have tablets) but it's a janky experience compared to a native windows app.


If I read this correctly, Microsoft will be able to reduce the applicability of the temporary-license signing key, meaning that you probably won’t be able to generate permanent licenses for long.


Can this be used to enable the HEVC extension without a M$ account? It's so frustrating they can't license the patents as a lump sum.


You don't need this exploit. You could use a media player that doesn't need MS codec packs, but assuming this is not an option:

1. Go to https://store.rg-adguard.net.

2. Paste in https://apps.microsoft.com/detail/9n4wgh0z6vhq.

3. Change ring to "Retail".

4. Download the file with an "appxbundle" extension.

5. Install it (might need to enable developer mode for this step; don't remember).


The links to download the official microsoft signed HEVC installers can actually also be found at massgrave.dev[0] It truly is an awesome resource.

0: https://massgrave.dev/unsupported_products_activation#hevc-v...


Awesome


You don't need to pay. You just need the direct link

ms-windows-store://pdp?productId=9N4WGH0Z6VHQ

ms-windows-store://pdp?productId=9PMMSR1CGPWG

ms-windows-store://pdp?productid=9MVZQVXJBQ9V

ms-windows-store://pdp?productid=9N4D0MSMP0PT

ms-windows-store://pdp?productid=9N95Q1ZZPMH4


How do you get the direct link?


I got them from reddit: https://old.reddit.com/r/Windows10/comments/j58y6f/no_longer...

There are many articles with this workaround. Funny how it still works, almost 4 years later. This is not an accident, MS knows what it's doing.


Why would you need it? HEVC codec ships with the driver package from your GPU vendor.


This hasn't been my experience. Nvidia + Intel GPU drivers are installed but I still can't play HEVC with the default windows media player. MPC Black works fine though, and probably VLC too.


This is my experience also. VLC does work as it has its own HEVC


Why didn’t that work for me? I have an nvidia gpu


This sort of thing over decades has been the best distribution and communication channel for Windows.


Does not apply to most other software.


Yes, but I think it works exceptionally for other software, like games!

One example that stands out was the hacking/modding scene of the GTA Vice City with Multi Theft Auto, and even GTA SA, which gained a massive player base that would have never experienced the game and created emotional bonds with it. I can't prove this of course, but I bet a huge portion of the GTA V success was from users who played a moded version of the game in the past "for free".

Another example is the Adobe Suite, like Photoshop, and Illustrator, which allowed many people to become proficient with the Adobe tools and be part of a qualified workforce using that same suite of tools. A lot of these professionals from low-income countries would never had access to these tools otherwise in their formative years.

Price is a barrier to entry for many users who wouldn't have paid for the software.


Very nice utopian ideals, but wrong.

Take World of Goo. Very popular game. Released in 2008; got a sequel in 2024. Why so long for a sequel? In part, because when they experimented with a DRM-free release, they had a piracy rate of over 90%. Can you prove that's lost sales? No. Would any reasonable person say that is lost sales? Absolutely.

https://arstechnica.com/gaming/2008/11/acrying-shame-world-o...

Ever wonder why mobile games failed, and why every mobile game is seemingly full of ads? The Android piracy rate is enormous (over 60%); and freemium allows money to be earned while denting piracy rates. Let's not forget also why Nintendo went after Yuzu - over 1 million illegal downloads of Tears of the Kingdom before the game even launched. How many do you think paid afterwards?

And before anyone quotes the one or two studies showing an increase in sales from piracy; that ignores the 30+ studies showing a moderate to severe sales impact from piracy, that we also have. Nobody talks about those though, because that's a rather unpopular conclusion. However, you can't pick and choose studies to show it is a good thing.


> Can you prove that's lost sales? No. Would any reasonable person say that is lost sales? Absolutely.

Of course not. People pirate more than they consume. The amount of series and movies in my backlog is insane. I have them physically on a RAIDZ2 (RAID6) and I have access to various streaming services. But what I lack is time. I used to watch the same stuff in the 90s cause of not having access to more (or very mediocre stuff on TV). Then piracy came into play and I could download many stuff I couldn't afford. Now I have more money available, but I don't have the time anymore. It is the same with regards to my Steam library. However, a lot of that is stuff bought on sale, and that is not 1:1 compared to a gained sale as the profit wasn't full price.


>Take World of Goo. Very popular game. Released in 2008; got a sequel in 2024. Why so long for a sequel? In part, because when they experimented with a DRM-free release, they had a piracy rate of over 90%. Can you prove that's lost sales? No. Would any reasonable person say that is lost sales? Absolutely.

And seems like they learned nothing from this terrible experience, because they've also released World of Goo 2 DRM-free: https://worldofgoo2.com/


>that ignores the 30+ studies showing a moderate to severe sales impact from piracy

Could you cite a few of the best such stories that are not sponsored by media giants please and thank you.


> Price is a barrier to entry for many users who wouldn't have paid for the software.

This is what demos, student licenses, etc. are for. I don't care what your justification is, property theft is wrong.


> property theft is wrong.

It sure is, and those people should promptly return their stolen Photoshop bits to the front door of any local fire station so Adobe can put them back into their bit warehouse and ship them to paying customers next day air


It's not property theft by most definitions, but it's still harmful in much the same way as property theft is harmful -- and in exactly the same way that me watching you type in your password is harmful, even though afterwards you still know your own password.


One of our two mental models of property theft is incorrect: someone downloading Photoshop does not deprive Adobe of its ability to sell the Photoshop it manufactured to someone else

And I adamantly disagree with your password analogy if for no other reason than your password scenario creates temporal harm (assuming I do not change my password, of course) in a way that someone pirating version 1.0 does not automatically give them access to 1.1 or other product lines. In fact, I'll see your temporal factor and raise you: if someone pirates a product on Monday, and then buys the product on Tuesday, should they be jailed on Wednesday?

I'm eventually going to be sorry that I waded into this discussion, but I found the stolen bits == property theft so absurd I wanted to mock it, and now it seems this thread is somehow doubling down on false equivalences.

Piracy can be morally wrong for taking food out of software engineer's mouths, but one should not lump it into breaking-and-entering just to ratchet up the "look at how bad it is" factor


No, I think they're the same. Probably they feel different to you, depending on who you're stealing from, but ripping a DVD and putting it up on the internet during the theatrical window can really hurt filmmakers – who already make peanuts.

https://en.wikipedia.org/wiki/Film_distribution#Shrinking_of...

One person breaking and entering is bad. But in my example, this person broke-and-entered and then gave all of my future earnings away to literally everyone on the planet, thanks to the multiplicative power of technology – that's an outrageous violation.


It's about character as much as it is about value.


I wouldn't use the term "property theft", as even though there's a very clear analogue to IP and digital economics for anyone who cares to think about it, pro-piracy pedants will gladly jump on the term (which is strongly tied to physical property) to avoid addressing the problem itself. This problem doesn't happen as much with other terms like "theft", "IP theft", and "piracy".


You don't have to be "pro-piracy" to be anti media propaganda that tries to equate duplication with denial of a person's right to their own property. They're very different things.

If you think copyright infringement and theft are synonymous then presumably you'd be happy with people paying for copyrighted goods with a picture of some money, because a copy that doesn't involve a transference of control is identical with the actual item, right?!


If I watch you type in your bank password, I haven't stolen it from you, because you still know your bank password.

No theft occurred, so everything's fine, right?


You're right, you didn't steal my bank password, you can use that to commit fraud, deceiving the bank systems to then enable stealing.

Some might says you did steal the password, because you made it unusable for me, but that's a pretty subtle position I'm content with either side of.

Perhaps you'd understand better if you consider a physical key - if you take it then I cannot open the lock (with that key at least). If you only copy it, I can still open the lock, so you didn't steal it from me; but the possibility of use allowed you to deny me the use of whatever the lock protects. Not so with most copyright works. If you copy my music I can still listen to my copy as often a I like.

Maybe you understand the distinction now?


I would use the term property theft, because I would have the exact same reaction to someone stealing my wages, my stuff, or my time.


I agree that it's the exact same evil, I just wouldn't use "property theft" either to describe those things - for instance, in the case of wages, I think most people would use "wage theft" instead.


HN pedantry always amplifies the conversation


As long as you use accurate terms (ie. the right terminology) there wouldn't be such pedantry needed. You intentionally mudify the discussion by using the term property theft for non-phyisical intellectual property (which can even be shortened to IP), or preferably: copyright infringement (I stick to the term IP in this post but prefer the term copyright infringement). Different laws apply for IP compared to (physical) property. Including laws of physics. Consider the following thought experiment: try kicking your license of Microsoft Windows compared to kicking the window in your kitchen. Does your license to Microsoft Windows still work? Great. Does your kitchen window still work? Try harder, it won't last. But your Microsoft Windows license is invulnerable to physical kicking. Besides, you have a copy of it on your smartphone as you photographed it in case of you physically losing it.


No, it's property theft.


it is NOT 'property theft', since nothing has been stolen, just copied

the term you want is Copyright infringement


You are correct, however unpopular too.

We have the word infringe for the cases where the word theft is inaccurate.


My time and labor is my property.


And nobody copying your work can take those away from you.


If you can't afford the software/music/art/film/book, then you don't buy it.

Digitization doesn't somehow transform my limited time and resources into something you're suddenly entitled to.


1st world opinion.......


3rd world entitlement......


Haha, yeah, I'm pretty sure there would be a hell of a lot less working professionals using the Adobe suite today if we had all used Adobe's generous 14-day trial to get to grips with Photoshop or Flash or Dreamweaver when we were 12 or 13 years old. Or enrolled in University, I guess?

I would expect Adobe would be nothing but a forgotten brand name list to the annals of time at this point, considering their Suite has been the most pirated application every year since the early days of Windows 95... And yet....


Yeah Adobe sucks which is why I use alternatives.


ironically, I will be using un-ironically to play Guitar Hero games that I have the physically discs to, on retail hardware, that has the games installed, but not "licensed" to play without physical tethering of the disc in the failed DVD drive.

The double irony is that, even if it works, I may not be able to read my own game-saves since the Console's own public key is on the revocation list. I could sidestep this by resigning the CON files with the default value, 0.

The triple irony may be forthcoming yet. this all looks very familiar indeed.

fuckin brilliant


ecosystem of xml > tlv > null-terminated strings / utf16 for user input make an off by one error anywhere or unverified* malicious user input in the house of cards of technical debt in any MS ecosystem collapse into minefield of privilege escalation, RCE, etc horizontal pivots...not trivial, however.

this bug is essentially a retro-active pivoting platform for the lucky day you combine unsanitized input and context escape.

seems like just trivial digital sticker-swapping, but MS over-leveraging its successes, refusal to break things (to maintain backwards compatibility, and it's own technical debt..), mean that some mistakes, however trivial, yet affecting, are immortalized


In case your antivirus is censoring the page: https://archive.is/90XGW


Which ones do?


some corps, with custom policies


shitty ones


That doesn't narrow it down at all.


Who said it'd be narrow? :p


Clip has been around longer than the Xbox One though?


After reading the article, and specially the remarks about this engine being copy-pasted from the Xbox DRM engine , does anyone still believe that Pluton, also copy-pasted from the Xbox, is about end user security? And not totally about MS finally having enforceable DRM on PCs?

Oh and by the way Pluton is now on the latest batch of Intel laptop chips. And has been on AMDs for a while. How soon until Windows requires it?


>does anyone still believe that Pluton, also copy-pasted from the Xbox, is about end user security?

I never did. The worst part is explaining it to people drinking the MS coolaid. I'm an MS admin so people at work love Win11, Intune etc all that max lockdown shit. To me that's not what Windows is about, for me Windows is excellent because of the admin tools and backwards compatibility. But hey that's just me.

Proton will be another TPM thing, introduce it, wait 5 years, then mandate it. They have time.


> But hey that's just me.

There are more of us out there!


There are literally dozens of us!


Another TPM thing? What problem do you have with the TPM?


TPM end game is to have identity tied to a device on pcs, just like the monopolies already have on Android and IOS.

you know how google and apple dropped actual totp 2nd factor for their own accounts and force you to sign on another device to confirm signing on new devices? same thing.


Apple has SMS if you don’t own an Apple device. In fact, they require SMS to set up 2FA.

They probably dropped totp because non-technical people can’t figure it out.


Hell technical people can't figure it out. Everyone complains that it's fragile because what if their phone breaks, and those that think they know better, think it's because of the dozen one-time-use emergency codes.

It's not their fault though. Every web site or service that offers totp and the most user-facing apps like google authenticator all scrupulously avoid telling you to save the seed value in the initial setup qr code.

That short random string is all you need to have working totp on as many different devices as you want, set up a new one any time you want, and it's nothing but a simple static never-changing secret exactly like a password.

You can wake up naked in a foreign country and be all back in a few minutes and without having to re-setup any sites or anything like that.

That is, IFFFFF you have previously saved all the totp initial setup seed values right along with the passwords for those same accounts. If not, you can go do it right now.


Where can I read more about how this is done.


Just when you enable 2fa on some site and it shows you a qr code (or however it gives you the code, it might be a regular url, and sometimes they even display the string in plain text) save that string. If it's a qr code, save the qr code and read it with a regular qr code reader (probably just your camera app these days) and it will have a string or a url with the string as the query string.

That string is not just one-time use. You can just save it and enter it into totp apps all over the place all day for the next n years.

keepass apps all support it now for one example, so you could save the string in a notes field in keepass, but they have a dedicated totp field now too. You paste it in, and now that password entry not only stores your name & password for that site, it stores the totp seed for setting up totp apps, and also displays the current totp time code just the same way the totp app like google authenticator does.

It's all stored in the keepass db file just like the normal passwords, so to set up a new device, all you need is access to any copy of the keepass db file. Install any keepass app like keepassxc on a laptop, load the db, and there's your working current totp codes for all sites. You want a more convenient dedicated totp app than having to dive in to keepass, just copy the totp seed from keepass into gnome authenticator or whatever. The different apps have different ways to supply the string when not taking a picture directly with the camera. Some like google hide it from direct access. Last time I used google authenticator I think it had no usable export, but it just recently got the ability to store the seeds in googles cloud, but not like in an ordinary google drive file that would be useful, just some internal magic that all it does is if you can somehow manage to log in to your account on a new phone, it will pull the seeds down and start working on the new phone. It doesn't let you set up any other apps or devices, and Google has a copy of your seeds in a form they can read, even though you can't!

But the same seeds could be just as cloud-enabled by being inside a password manager db, which is still sitting on a google cloud server, but this time in a file that you own, and in a form that google can't read but you can.


I'm a bit late but FWIW Google Authenticator has a QR code export option, it generates a giant QR code (potentially multiple) that contain all the accounts and secrets. It's designed for you to scan into Google Authenticator on another device, but you can also read the contents of that QR code yourself with various open source utilities to get the accounts and secrets (or just print a copy for a physical backup of them). Overall it's not a terrible way to go, though like you said if you can save the original QR codes that's a nicer way to do it.


Thank you. This is mostly new to me and I am thankful for the hints.


That is very helpful. Thank you.


SMS is not really great.


SMS is trivially exploitable. It has negative security value.


SMS is the only 2FA method that the general public understands.

It is absolutely better than nothing even if isn’t great.


Trivially? How?


I wouldn't call it trivial, but either a SS7 attack or by bribing the TMobile/Verizon/att store employee, you can get someone's SMS messages.


You can use FIDO2 keys as 2nd factor for Apple accounts now


Hundreds of millions of perfectly good PCs are going to be end-of-life due to this.


-no not end of life, end of microsoft.


It being a Win11 requirement. It failing and triggering Bitlocker on our machines. It's just shit :) No I don't have another solution. Let me complain.


What garbage hardware are you running where TPM is failing?


Had about 25% of our Dell laptops' TPM fail, got to know the repair technician well.


Every Windows Update that Lenovo kept pushing UEFI updates on their shiny new X13s with the Snapdragon and the Pluton chip in it kept tripping Bitlocker on every update.

So, uh... Lenovo?


FWIW, my old corpo HP would also trigger Bitlocker sometimes on random shit, such as upgrading the firmware of the docking station. But that was usually fixable either by unplugging USB devices while booting, or just trying many reboots until Bitlocker suddenly decided everything was OK.


The TPM thing that got hacked the other day?


People have been saying that for more than 10 years now, since the TPM was introduced.

Yet you can still install Linux on PCs sold with Windows, you can still install third party software on Windows not from a Store, you can still watch pirated movies downloaded from torrents.

You can even run an unregistered/unpaid version of Windows if you don't mind that it will not let you change the desktop background image.


Or you can recognize that app/game developers are starting to require Secure Boot enforcement if you want to continue to use their apps or play their games.

RIOT requires users to enable TPM-enforced Secure Boot starting with Windows 11 to play Valorant: https://support-valorant.riotgames.com/hc/en-us/articles/100...


Let me tell you a secret: it's because the gamers are demanding that. The game companies couldn't care less if there are cheaters in the game, but it's the players which put huge pressure on the game companies to detect and ban cheaters.


Gamers don't want cheaters, but gamers also don't want malware. Some people won't care, others will care. The real problem is that publishers don't give anybody a choice on this. They sneak these invasive anti-piracy measures into their games without asking since they don't want to fragment their player base.

The reasonable, fair, common-sense pro-consumer thing to do is to split the online play in two: a non-anticheat server and an anti-cheat server. Players can opt-in to installing a rootkit/sharing their SSN/whatever if they want to play on the hardened server. This costs nothing, and makes all types of gamers happy.

But doing this has less upside for the publisher than forcing anti-cheat on everyone. The only risk is that they might get dragged through the mud by a handful of influencers peddling impotent rage to viewers who are just looking for background noise while sleepwalking on their Temu dopamine treadmill live service of the month.


> The reasonable, fair, common-sense pro-consumer thing to do is to split the online play in two: a non-anticheat server and an anti-cheat server. Players can opt-in to installing a rootkit/sharing their SSN/whatever if they want to play on the hardened server. This costs nothing, and makes all types of gamers happy.

This is a very good point! And I'd like to point out that there is an analogue to the problem of smurfing in online video games, and the corresponding solution, which is to require semi-unique ID to play (e.g. a phone number which can only be tied to one account at a time with a cool-off period when transferring between accounts). Valve does this for Dota 2, and smurfing is far, far less common than it is in League of Legends.

Some League players complain that they don't want to give their phone number to Riot (which is entirely reasonable given that it's a subsidiary of Tencent), but if enough people don't want that, then Riot could simply split the ranked queue into two: one where (soft, ie phone #) identity verification is required, and one where it isn't.

Riot won't do this, though, not because it wouldn't fix the problem (it would, as demonstrated by Valve), but because they profit from smurf accounts buying skins.


>but if enough people don't want that, then Riot could simply split the ranked queue into two: one where (soft, ie phone #) identity verification is required, and one where it isn't.

The phone number requirement is only there if you want to play Clash. Normal ranked play works flawlessly with no number.


Correct, that's the bad reality that I'm saying needs to be changed, because smurfing is rampant in normal ranked.


The problem is also largely caused by publishers/developers wanting live service games instead of providing a complete product that users can then run themselves (with community-hosted servers). This makes the developer responsible for weedng out bad actors and they will of course seek technical means rather than social means which don't scale as cheaply.


> Let me tell you a secret: it's because the gamers are demanding that.

Citation needed.

Whose these gamers ? I surely didn't ask for this neither any of the gamers I know, nor seen any demand about that in gaming forums.

> The game companies couldn't care less if there are cheaters in the game, but it's the players which put huge pressure on the game companies to detect and ban cheaters.

The jump from this to "requiring TPM" is quite a long one.


Cheating in online games (especially ones that are free) is so absurdly rampant and disruptive that you can sell gamers just about anything if it can meaningfully deter cheaters. Every now and then a Youtuber will say “kernel level anti-cheat is bad for [reasons]” and gamers will pretend to care about it until the video leaves the “For You” page.


Because a root kit is the only way to do anti cheat? CS2 ban wave begs to differ.


I personally stopped playing CS because my friends started using an alt-launcher to avoid cheaters, which added a whole layer of complication that made the game undesirable. Ban waves aren't perfect but in my limited experience, cheaters weren't that rampant, in others experience it became intolerable.


I haven’t played valorant, so I don’t know about them, but what I can say is that definitely other anti-cheats are highly ineffective (VAC being one that is highly ineffective), with blatant cheaters going years without ever being caught.

Hell, blatant cheaters literally stream themselves cheating and their own communities do not recognize the cheating till the stream makes a mistake and selects the wrong scene. This also means that VAC methods of sending footage to random players is ineffective, as some streamers who are very obviously actually cheating do so in front of tens of thousands of people, and those people do not recognize the obvious cheating happening.

We also know game companies don’t care about cheating, as activision admitted in their lawsuit that they leave cheaters on a safe list so long as the cheaters have any semblance of an audience streaming.


> activision admitted in their lawsuit that they leave cheaters on a safe list so long as the cheaters have any semblance of an audience streaming

That is absolutely wild, and completely characteristic of Activision.

Do you have a link that I can share with my CoD-playing friends?


https://www.charlieintel.com/call-of-duty-warzone/activision...

It really doesn’t even take that many viewers. Zemie, for example, is a straight up cheater that runs a button activated aimbot and wall hacks. He only averages a couple thousand viewers and is safe listed by a number of game companies.


That's not the gamers asking, though. In this instance they're being taken advantage of because they have maligned priorities, and being sold an over-the-top solution they don't need. You can still detect process injection, memory injection, sketchy inputs, HID fuckery, DRM cracking, host emulation and input macros without ever going kernel-level.

Truth be told, if the exploiter-class of your game would even consider a kernel-level exploit, your game is fucked from the start. Seriously, go Google "valorant cheating tool" and your results page will get flooded with options. You cannot pretend like it's entirely the audience's fault when there are axiomatically better ways to do anticheat that developers actively ignore.


Go on steam and look at the recent reviews for older but still popular fps games. Gamers complain about cheaters constantly and will negatively review games cause of it


They're demanding a way to handle or ban cheater, not requiring TPM, that's a non sequitur.


You're being disingenuous here, or just missing the point. The point being made was the gamers are demanding game developers stop cheaters... and that secure boot (and related ways to lock down the computer) is one of the primary tools they know to use to do that.


> The point being made was the gamers are demanding game developers stop cheaters... and that secure boot (and related ways to lock down the computer) is one of the primary tools they know to use to do that.

That's akin to saying that, as people want security on the street, mandatory strip search as soon as your exit your home is fair game.

Asking for a result doesn't give a blank-check for all the measures taken toward this result.


I agree, but it doesn't change the fact that it's one of the primary reasons they're doing it. And "strip searches on the street" may not happen, but "Stop and Frisk" certainly is/was. And it was very much done because people were complaining about crime and safety. And it was done regardless of whether or not it was right, or effective, or even legal.


[flagged]


You cannot "prevent" cheating, you can at best mitigate it, it's a balance.

There plenty of way to mitigate cheating in game, but the game industry is focusing on the ones where they don't bear the cost and only the customer will (and this view is in part due to the model of F2P games, where banning cheater is useless as it doesn't cost them anything to create a new account).

Letting game developer having complete control and spying on the device playing the game is fine in a physical tournament were they provide the device, but it's insanity when it's the user own device in its home.


> There is no technical way to prevent cheating in advance without secure boot.

I'm not really sure I buy this. I can't really give a way that can guarantee no cheating but I know for example games like Genshin Impact run almost all the code (dmg calculation etc) server-side. Perhaps something that's an extension of Geforce Now might be the best "anti-cheat" technically speaking.


To run anti-cheat in that way, you need all game mechanics to be run server-side, and you need to not let the client ever know about something the player should not know - e.g. in a first-person shooter you need to run visibility and occlusion on the server too! Otherwise the cheating will take the form of seeing through walls and the like. This is going to boost the cost of the servers and probably any game subscription, and might lead to bandwidth or latency problems for players - just to avoid running any calculation that is relevant to game balance on player hardware.


Well yeah, that's the correct way to run a server, don't send information you don't want the user to get.

But as you are pointing out, forcing client-side intrusive anti-cheat is cheaper, thus this as nothing to do about preventing cheating, but about reducing cost.


It's not just about cost. Theoretically yes, you shouldn't send information that you don't want users to get and abuse. However, in the context of games, this is not always possible because most games are realtime and need to tolerate network latency. There is no perfect solution - there will always be tradeoffs.

Ideally player A shouldn't be networked player B if there is a wall between them but what happens when they're at the edge of the wall? You don't want them to pop in so you need some tolerance. But having that tolerance would also allow cheaters to see players through walls near edges. Or your game design might require you to hear sounds on the other side of the wall (footsteps, gunshots, etc.) which allows cheats to infer what what may be behind the wall better than a person would.


> Or your game design might require you to hear sounds on the other side of the wall (footsteps, gunshots, etc.) which allows cheats to infer what what may be behind the wall better than a person would.

Yes, and you cannot prevent this except in in-person tournament.

Any output send toward the player, even a faint audio queue could be analyzed, and use to trigger an action or display an overlay to the screen, and no amount of kernel-level stuff will prevent that, as you can do this outside of the computer running the game.


The end state of your argument is the game runs entirely on hosted hardware and you pay for a license to stream the final rendered output to your monitor. This is already happening. Soon games won’t be able to be “bought” at all, you’ll just pay the server a number of dollars per hour for the privilege of them letting you use their hardware.

You will own nothing and like it.


Making occlusion calculation sever-side during multiplayer have nothing to do with "owning" a game or not.

You can even do this calculation on community-run private server.


If all surfaces are fully opaque, maybe. The second particle effects and volumetric effects and all sorts of advanced techniques play a role in actual gameplay, no. And that’s only for this one type of cheating.


Back in my day we all played on private, community ran servers where you could easily vote to kick/ban folks, the server owner was your buddy, or you played with people you trust.

Now everything is matchmaking, private servers, live service and that sense of community is gone.


Why isn't it still like that? Don't players want small communities?


It's very hard to gather full teams (usually 10 persons) in a small communities. Public matchmaking gives an opportunity to start a game in a minute from clicking "play", regardless of how many people you have at hand right now.

Small communities still exist, it's just that vacant places are now filled with strangers.


lot of thing happened, 6th gen consoles started a new way of using online games (no keyboard, no third party chat/vocal, no group chat out of game, no private server), then the industry pivoted away from private server to have more control on their games, then the whole F2P economy then GaaS took any agency out of players hands.


You can't effectively sell skins if the players are in control of the servers.


There's no way secure boot totally prevents cheating, either. It just moves the goalpost a little, cheating will always be possible.


The goalpost just needs to be moved further than is economically interesting for cheaters in general to reach.

Perhaps secure boot by itself isn't enough, but I would imagine it would be a relatively large bump, when combined with a kernel-level anti-cheat. I presume such anti-cheats would e.g. disable the debugger access of game memory or otherwise debugging it, accessing the screen contents of the game or sending it artificial inputs.

What vectors remain? I guess at least finding bugs in the game, network traffic analysis, attempting MitM, capturing or even modifying actual data in the DRAM chips, using USB devices controlled by an external device that sees the game via a camera or HDMI capture.. All these can be plugged or require big efforts to make use of.


>Perhaps secure boot by itself isn't enough, but I would imagine it would be a relatively large bump, when combined with a kernel-level anti-cheat

VALORANT also adds TPM to the mix alongside SB and a kernel AC and yet is still trivially easy to cheat in as long as you have a driver you can use. Granted, it needs to be signed (=financially unreachable by a big part of the community), but if stubborn enough...


The real solution is letting players host their own servers and build their own communities of players they trust, but corps don't like giving that kind of freedom to users


Gamers arent demanding this. There are tons of ways to detect cheaters, the most effective one being human moderation. But no, companies wont do MaNuAl WoRk because it doesnt sCaLe, even though they have more than enough cash in the bank.


How do you do manual moderation on a massive fast-paced game like Valorant? It’s correct, that doesn’t scale


You limit the amount of matches you host to those you can actually referee, just like any sport where people care about cheating.


maybe not manual ... but ... log behavior, find outliers, make outliers play with outliers only


This absolutely happens already. The problem with finding statistical outliers is that plenty of legitimate players are outliers too. And if you're banning/segregating players for being outliers, you get a very angry player base.

Riot has a pretty indepth blogpost about their anti-cheat systems, they've had years to mature them on some of the most demanding competitive gaming platforms ever made. Requiring players install kernel anti-cheat was very far down the list of possible solutions, but that's what it came to. It was either this or stop being free to play.


The server is all-seeing, if there is no way for the server to discriminate cheater from other player, then no player can possibly know there a cheater on the server, thus cannot complain about cheating is either irrational or the server-side detection is severely flawed.


> The server is all-seeing, if there is no way for the server to discriminate cheater from other player, then no player can possibly know there a cheater on the server, thus cannot complain about cheating is either irrational or the server-side detection is severely flawed.

It's impossible to tell in-game if a baseball player is using steroids, yet there's a laundry list of banned substances and players who got banned for taking them because the MLB believes it gives them an unfair advantage. It's called competitive integrity.

Since it sounds like you don't play games, at least not competitively, I'll clarify that "cheating" in this case isn't the obvious stuff like "my gun does 100x damage" or "I move around at 100mph" or "I'm using custom player models with big spikes so I know everyone's location" that you would've seen on public Counter-Strike 1.6 servers in 2002. Cheating is aim assistance that nudges your cursor to compensate for spray patterns in CS, it's automatic DPs and throw breaks in Street Fighter 6 that are just at the threshold of human reaction timing, it's firing off skillshots in League of Legends with an overlay that says if it's going to kill the enemy player or not. All of this stuff is doable by a sufficiently skilled/lucky human, but not with the level of consistency you get from cheating.


> It's impossible to tell in-game if a baseball player is using steroids, yet there's a laundry list of banned substances and players who got banned for taking them because the MLB believes it gives them an unfair advantage. It's called competitive integrity.

This is relative to meat-space, not videogame, but we could go there and say caffeine or Adderall use is cheating, thus making anti-cheat a little more invasive…

And there another difference, you're referring to professional sport. I have no problem with invasive anti-cheat for professional gamer, even better it the gaming device is provided by tournament organization.

But we're talking about anti-cheat used for all players, akin to asking people playing catch in their garden or playing baseball for fun an the local park to take a blood sample for drug test.

> All of this stuff is doable by a sufficiently skilled/lucky human, but not with the level of consistency you get from cheating.

That's the point, there no difference for the other players between playing against a cheater and playing against a better player. Any ELO-based matchmaking will solve this, cheater will end-up playing against each-other or against very skilled player.

You could argue that they could create new account or purposely cripple their ELO ratting, but this is the exact same problem as smurfing.


Many games have ranked ladders now which are taken fairly seriously. Success at high levels of ladder player often translates into career opportunities, especially in League of Legends.

> Any ELO-based matchmaking will solve this, cheater will end-up playing against each-other or against very skilled player.

Well, first, you're wrong, because cheating only makes them good at one part of the game, not every part of the game. e.g. in League of Legends, a scripting Xerath or Karthus who hits every skillshot is going to win laning phase hard. However, scripting isn't going to help if they have bad macro and end up caught out in the middle of the game, causing their team to lose. Most cheaters don't end up at the top of the ladder, they end up firmly in the upper-middle.

Secondly, you're basically saying "cheating is OK because they'll end up at the top of the ladder." You don't realize how ridiculous this sounds?

Third, ranked and competition aside, playing against someone who's cheating isn't fun, even if you end up winning because they make mistakes that their cheats can't help them with.

You don't play competitive games, that's fine, but a lot of people do and they demand more competitive integrity than casual players.


> You don't play competitive games, that's fine, but a lot of people do and they demand more competitive integrity than casual players.

Little difference : I don't play competitive game with completes strangers on company run servers.

I've played competitively on community based server, with people being screened by other players and the community able to regulate itself (ban or unban players).

The problem space is vastly different, you don't need intrusive ring 0 anti-cheat for this.

The whole kernel-level anticheat stuff is a poor solution to a self-made problem by the developer : they wanted to be the one in charge of the game and servers, so they needed to slash human moderation need. They also wanted to create a unique pool of player and didn't want the community to split between itself and play how they want.


> Little difference : I don't play competitive game with completes strangers on company run servers.

People don't consider playing around with your friends to be competitive. You don't get to choose who else is competing in the game or what strategies they use. This is just an area that you are clearly not familiar with.

> The whole kernel-level anticheat stuff is a poor solution to a self-made problem by the developer : they wanted to be the one in charge of the game and servers, so they needed to slash human moderation need. They also wanted to create a unique pool of player and didn't want the community to split between itself and play how they want.

This wasn't self-made by the developer, it was demanded by the players. Competitive games have almost exclusively moved to online, skill-based matchmaking with a ladder system because that's what players want.


> People don't consider playing around with your friends to be competitive.

I didn't say friends. Please don't modify my argument to refute it.

> You don't get to choose who else is competing in the game or what strategies they use.

I, as a single player, no, but us, as a community, yes, and it's the same for any game or sport, different group run different tournament with different rules about who play and how.

> This is just an area that you are clearly not familiar with.

Please refrain to use ad hominem, especially when you have no idea who you are talking with.

> This wasn't self-made by the developer, it was demanded by the players.

I don't know any players who asked for the disappearance of community run server or human moderation, neither that wanted do lose agency on the way they play. I don't they these players doesn't exist, but I don't make gross generality about players.

> Competitive games have almost exclusively moved to online, skill-based matchmaking with a ladder system because that's what players want.

They're not a hive mind, lots of them didn't or doesn't like matchmaking in any form, and even for the ones that wanted it, that doesn't mean developers have to remove other mean of play, like server browser and private server.


You're basically ignoring the past 30+ years of the gaming and cheating industry. Everybody already does log behaviour, try to find outliers, and have some systems to try to keep cheaters outside from the general player pool. That's what gaming companies have been doing since at least the early Halo days. That has its own set of side effects, such as creating a horrible experience for the most talented and active players — also the ones most likely to stream and advocate for your game, to produce youtube videos to complain about bad experience, and to have a very influential profile in the community.

The state of game cheating has professionalized A LOT, it is extremely competitive and cheating companies produce extremely good quality tools compared to what we had 20 years ago. There is a lot of money to be made, we are at the point where you can just pay a cheap monthly subscription and you get access to actively maintained cheating tools. I know people working on the anti-cheat side, it is a really messy, highly dynamic (the bad actors are constantly adapting), complicated problem that isn't solved once and for all. We are far from the situation where just a few people are using some hacked-together software that will obviously be spotted as cheaters.

Game dev companies (at least US/European ones) have zero interest in developing or paying for kernel-level anti-cheat. That's a massive barrier of entry for the player base and they know this. It's also far from being cheap.

(Note: ignoring geopolitical factors, Chinese companies such as Tencent or Russian companies could definitely have interests in developing kernel-level anti-cheat for information gathering)


While there are solutions, I won't comment on Valorant - free to play games are a whole can of worms the companies have nobody but themselves to blame.

I will comment on a game I used to play though: Escape from Tarkov. The game costs somewhere between 40$ and 250$+tax, depending on what pack you buy. Banning cheaters for this game is literally a profit center. Every time you ban a cheater and they re-buy the game, you made at least 40$. The majority of cheating in the game was due to real money trading - cheaters would make in-game millions quickly, sell them, get banned, buy the game again at a profit.

The solution to this is brain-dead simple - more manual moderation (these cheaters are very obvious to spot). What the developers did instead just killed the game.


There's cheaters even on consoles which are vastly more locked-down than a PC.

Those technical shenanigans clearly aren't working, be ready to be disappointed if you thought that a TPM would help against cheaters. Cheaters always find a way, what those game needs is proper moderation.

Yes that does cost money but that's the only known thing that works in the long run.


This seems like the old “any imperfect solution is no better than doing nothing” argument. Moderation is expensive, hard to scale, and can only address problems after other users have bad experiences.

It’s like saying seatbelts are useless because some people still get hurt, so instead of seatbelts we need a lot more ambulances and hospitals.

Like any complex system, games have a funnel. These technical measures reduce (but not to zero) the number of cheaters. Then moderation can be more effective operating against a smaller population with a lower percentage of abuse.


> It’s like saying seatbelts are useless because some people still get hurt

Alternatively, it's like saying poisoning your customers is a bad way to reduce complaints, because some of them survive. Matter of perspective.


Since the technical measures like TPM are very heavy, there's some better evidence needed that it reduces the number of cheaters, personally I don't buy it.

On the other hand, all the games / servers I've seen which are successful against cheater have some very good moderation.


Just see Valorent vs Counterstrike. Similar levels of popularity, similar kinds of cheat concepts. One has a kernel level anti cheat and has few cheaters, one doesn't and is overrun by cheaters.

Look at Counterstrike with regular VAC based matchmaking and then with kernel level anti cheat in FACEIT. One is overrun with cheaters and one isn't. It's the same game.


> This seems like the old “any imperfect solution is no better than doing nothing” argument.

Isn't this the argument used against non-kernel-level anticheat and server-side anticheat in the first place ?


TPM security is broken on a lot of motherboards too.


But it allows Windows 10 without TPM.


If your account gets flagged for ANY sort of irregular behaviour, you immediately get "upgraded" to requiring TPM and Secure Boot. Been there, done that - a crack for VEGAS Pro I used turned on test signing via registry for whatever reason and VALORANT REALLY didn't like that - and because of the PC I was using at the time that was the end of my VALORANT career.


One thing that I do not understand is how an app can determine whether secure boot is enabled in any kind of secure way. The TPM and Secure boot system is not designed for that.



If it's software your job requires, that's one thing. But games? Just play different games, or get a different hobby. You have a choice so exercise it.


Software doesn't require it so far because these devices are "uncommon" (i.e. for example, not on server hardware, not usually virtualized).

But guess what is happening now that MS requires TPM for Windows? All virtualizers now have some support for TPM. The time will come.


First they came for the socialists, and I did not speak out—

Because I was not a socialist.

Then they came for the trade unionists, and I did not speak out—

Because I was not a trade unionist.

Then they came for the Jews, and I did not speak out—

Because I was not a Jew.

Then they came for me—and there was no one left to speak for me.


Financially supporting games which do a thing you disapprove of is so counter productive it defies rational explaination. You aren't "speaking out", you're joining the party and paying membership dues. How could you get so twisted around? Brain damage, that must be it.


Sure and today it's games, and tomorrow it'll be something you care about.


Yeah so give money to the companies that do it, that'll show them! Boycotting those products is capitulation somehow, because brain damage.


You're making a lot of weird assumptions here, and seem to have completely missed the point I am making.


I said that people shouldn't play games with rootkit anticheat and you gave me that damned "first they came for" crap as though I am the one capitulating to the abusive practice. How else am I meant to take it?


It's about the

> and I did not speak out

bit. They're going to keep coming for stuff until it's something you care about.

For more information please refer to this wikipedia article: https://en.wikipedia.org/wiki/First_they_came_...


And why is that? It isn't for DRM (the game is free). It is for anti-cheat, and it is great.

The libertarian maximalist i-can-do-what-i-want-with-my-computer ignore the many use cases where I want to trust something about someone else's computer, and trusted computing enables those use cases.


> It is for anti-cheat, and it is great.

How is it great? Vanguard is extremely invasive; having kernel access, you have to relinquish your PC to this chinese-owned company at all times (whether you're playing the game or not), and just trust in their good faith.

And for what? Cheaters are more rampant than ever, now that they have moved to DMA type cheats, which can't (and never will) be detected by Vanguard.

So you give away complete control of your PC to play a game with as many cheaters as any other game. I wouldn't call that "great".


I don’t think you can make the argument that the amount of cheaters using DMA is “just as many” as in a game with a less restrictive anti cheat, allowing cheaters to simply download a program off the internet and run it to acquire cheats. The accessibility of DMA cheats is meaningfully reduced to the point that I would guess (only conjecture here, sorry) the amount of cheaters is orders of magnitude less in an otherwise equivalent comparison.

Now, the amount of DMA cheaters may still be unacceptably high, but that’s a different statement than “the same amount as”.

So, it’s not “giving up something for nothing”, it’s giving up something for something, whether that something is adequate for the trade offs required will of course be subjective.


I don’t know, the number of cheaters appears to be non-zero and present enough in my games. Why give any random game studio kernel level access to anything? There are absolutely server-side solutions, likely cheaper solutions because the licensing fees for the anti-cheat software aren’t cheap.

We gave up something real. But it has not been proven whether we got anything. Maybe we got nothing, maybe we stopped a few of the laziest cheaters, but we still see tons of cheaters. The number of possible cheaters is based off the quality of the software. No amount of aftermarket software will magically improve the quality of your game in a way that 100% deters cheaters. I’m positive that their marketing claims they reduce cheaters by an order of magnitude, but I have not observed them successfully catching cheaters with these tools.


Yeah, valid point.

You're right, a game with no anti-cheat or a bad one will have more cheaters. But as you said, it's about the tradeoff, and that's what isn't "great". It was for a period of two years or so, since the tradeoff was "lose all control of your PC by installing a rootkit, play a game completely free of cheats", which was compelling, but now that the game isn't sterile anymore it's hardly worth it, at least for me.


Is it so radical to want to be in control of your stuff? What are these use cases where we need to have third parties in control?

I don't really buy the gaming one, in every other domain where a community of people are gathering to do a thing they enjoy together it's on the community and not the tool maker to figure out how to avoid bad behavior. If you don't wanna play with cheaters then just play with somebody else.


You are in control. You can disable secure boot, you can install your own keys, you don't have to boot windows, you don't have to play games that demand invasive anti-cheat. Vote with your wallet.

Relying on the community to police cheaters is not an effective strategy for online skill-based matchmaking games. There's a reason game companies spend money and effort on anti-cheat and it's not because they're ignoring cheaper alternatives.


If I felt confident that I would always be able to disable secure boot, I wouldn't be so worried about it.


People who are concerned about this should realize: Microsoft will never create a situation where alternative operating systems can’t be installed. They already went through the antitrust ringer on that issue. They don’t even control what hardware vendors do for the most part.

This requirement will only hit multiplayer games where cheating and security threats are rampant.

Also, if you have a PC with secure boot enabled, there are popular Linux distributions like Ubuntu that have a signed key. Or, you can add a signing key to the firmware, depending on your hardware. And of course, most commercially available PCs will let you disable secure boot entirely.

(Most multiplayer games with anti-cheat software don’t really work on Linux anyway.)


> Microsoft will never create a situation where alternative operating systems can’t be installed. They already went through the antitrust ringer on that issue.

They have shipped ARM Surfaces where alternative operating systems could not get installed, enforced with Secure Boot permanently on. Have they been through any such "antitrust ringer" in the past 10 years?

> Also, if you have a PC with secure boot enabled, there are popular Linux distributions like Ubuntu that have a signed key

Note that there's one key MS uses for Windows and one key they use for everything else. They actually advise OEMs not to install this second key by default ("Secured Core" PCs), and some vendors have followed the advice, such as Lenovo. Resulting in yet another hoop to install non-MS OSes.

Even recently, a Windows update added a number of Linux distributions to the Secure Boot blacklist, resulting in working dual boot systems being suddenly cripped. Of course, even _ancient_ MS OSes are never going to be blacklisted.


You can in fact disable secure boot on the arm surfaces.

The problem is nobody really has put enough effort to port Linux to it. Some people started but haven't gotten very far

https://github.com/orgs/linux-surface/projects/1 https://github.com/linux-surface/aarch64-firmware https://github.com/linux-surface/aarch64-packages

>, a Windows update added a number of Linux distributions to the Secure Boot blacklist

It was due to a bug/and or not being able to detect all manners of dual boot correctly.

The goal was not to blacklist old distros, it was to blacklist vulnerable boot managers

Microsoft's response and fixes were provided: https://learn.microsoft.com/en-us/windows/release-health/sta...


> You can in fact disable secure boot on the arm surfaces.

Not all. I know for a fact you could not in the RT/2.

This is despite the fact that people _do put effort_. This is how I know, for example, that some Linux workarounds for "funny" ACPI interpretations had to be also "ported" to the ARM architecture in ACPI ARM Linux because Windows is literally making the same "bugs" all over again. Except, this time, Windows hardware is in the _minority_, and there's plenty of ARM ACPI devices that do not require these workarounds...

> It was due to a bug/and or not being able to detect all manners of dual boot correctly.

Sure. It is also a bug they just applied these blacklists automatically in the first place? It is also a bug that the list of blacklisted bootloaders mostly comprises non-MS oses, despite the fact there are well-known issues in many Windows versions?


> They actually advise OEMs not to install this second key by default ("Secured Core" PCs), and some vendors have followed the advice, such as Lenovo. Resulting in yet another hoop to install non-MS OSes.

True, 3rd party not trusted by default is a "Secured-Core PC" requirement, but so is the BIOS option for enabling that trust [0]. On my "Secured-Core" ARM ThinkPad T14s it's a simple toggle option.

> Even recently, a Windows updated added a number of Linux distributions to the Secure Boot blacklist, resulting in working dual boot systems being suddenly cripped. Of course, _ancient_ MS OSes are never going to be blacklisted.

Actually they are in the process of blacklisting their currently used 2011 Windows certificate, i.e. the Microsoft cert installed on every pre-~2024 machine, also invalidating all Windows boot media not explicitly created with the new cert. It's a manually initiated process for now, with an automatic rollout coming later [1].

It'll be very interesting to watch how well that's going to work on such a massive scale. :)

[0] https://learn.microsoft.com/en-us/windows-hardware/design/de...

[1] https://support.microsoft.com/en-us/topic/kb5025885-how-to-m...


> True, 3rd party not trusted by default is a "Secured-Core PC" requirement, but so is the BIOS option for enabling that trust

As I said, yet another increase in the number of hops for no reason.

Before you say anything else: until this you could install _signed_ Linux distributions without even knowing how to enter your computer's firmware setup. Now you can't.

The trend is obviously there. First, MS forced Linux distributions to go through arbitrary "security" hoops in order to be signed. Then, MS arbitrary altered the deal anyway. Even mjg59 ranted about this. And the only recourse MS offers to Linux distributions is to pray MS doesn't alter the deal any further.

Maybe at no point they will make it impossible on x86 PCs, but they just have to keep making it scary enough. And in the meanwhile keep advertising how WSL fits all your Linux-desktop computing needs. While at the same time claim they have nothing against opensource.

> Actually they are in the process of blacklisting their currently used 2011 Windows certificate

No, they are NOT in the process, and that is precisely what I was referring to. They have not even announced when they are going to even start doing the process. All you quoted is instructions to do it manually. So I'll believe it when I see it.

And besides, just clearing the CMOS is likely to get you a nice ancient DBX containing only some grub hashes on it, and the Windows MS signature on DB. Not so much luck for the MS UEFI CA signature, as discussed above. So "recovery" will be trivial for Windows, not so much for anyone else..


As long as Apple can get away with locking their devices, Microsoft will look at getting there too.


The funny thing is that it's currently easier to run linux on M-powered Apple devices than Qualcomm powered Windows devices. My 8cx Gen2 powered Dell Inspirion is a blackhole of linux support where Gen1 and Gen3 seem supported but Gen2 has a different device tree breaking linux support.

Hell I can't even reformat it with a fresh copy of Win11 for ARM because it isn't offered. The only way to download windows for ARM is a virtual machine file for windows insiders. Then use third party tools to crack that open and extract the OS.


People will keep saying it, because that ratchet only seems to go one way. Consumer access to general purpose computing is something we take for granted, but every year it seems like there's a bit less of it, and once we lose it we will never get it back.


And Windows PCs are still not safe.

So either way it fails it's purpose


More accurately, unbreakable security as enabled by hardware TPMs also enables unbreakable vendor lock-in like we have with iOS. Pick your poison.


Most Windows PCs have Secure Boot enabled the many have the drives encrypted with Bitlocker.


What does that do for me to stop malware? Bitlocker is only protecting an offline system

Also consider that some keys for Secure Boot have been compromised.


So I guess then your computer does not have a form of Secure Boot enabled, and your drives are not encrypted. Makes sense, more secure.


I’m using Linux and LUKS but have never been convinced Secure Boot adds anything for me. It does sometimes add extra steps though, or block a driver from loading.


> What does that do for me to stop malware? Bitlocker is only protecting an offline system

LUKS also only protects an online system. So why are you using it?

Oh, I think I know, if you are on Windows it's bad to use BitLocker because it's made by Microsoft and it doesn't protect against malware, but if you're on Linux of course you use LUKS, it's a sensible thing to do. Got it.


Back in my retail computer technician and sales days, it wasn’t uncommon for somebody to lose their Bitlocker keys, and encryption did what it was designed to do - make the data unreadable without them. Sometimes they didn’t even understand what they enabled.

To that customer, Bitlocker itself was a threat.

In my small sample size, I’ve seen that more often than lost laptops. I’ve also seen many more malware infections.

Tying encryption to the TPM, which is the default, makes it easier to lose those keys. With LUKS I choose my own password.

It’s an important implementation difference, especially if it is going to do it by default. Warning a person “you will lose all data if you don’t write this down” in big bold red text is sometimes not enough.

Does tying those keys to your MS account fix that failure method?


> Does tying those keys to your MS account fix that failure method?

Yes. Bitlocker recovery keys are escrowed to the Microsoft account. I've relied on this recover data from a family member's PC when it failed and they had unknowingly opted-in to Bitlocker (a Microsoft Surface Laptop running Windows 10 S Mode).


>> Does tying those keys to your MS account fix that failure method? >Yes. Bitlocker recovery keys are escrowed to the Microsoft account.

Which then opens the door to other attack vectors, even government.


As opposed to just not encrypting their data at all and letting everyone who ends up with the drive have their data.

So one scenario, everyone can access the data if they get the drive. The other, the government might get Microsoft to release the encryption keys.


>As opposed to just not encrypting their data at all and letting everyone who ends up with the drive have their data.

You are presenting a false dilemma where either Bitlocker is in use or the drive is entirely unencrypted; there are other ways to ensure data integrity in the face of physical compromise.


1. It's not a false dilemma, it's more of a question of how to handle the "average Joe" user that doesn't know how to store encryption keys. I don't like how this automatic encryption is implemented, by the way, but sending the keys to MS servers is not the worst idea ever.

2. Bitlocker can totally be used without a MS account and without sending keys anywhere and without TPM... But seeing how most people fail to RTFM we're back to point 1.


I’d imagine most people would like some insurance in the event of loss or theft, but are not worried about government.

I’m vulnerable to the $8 wrench attack, but enjoy knowing it is only a VISA problem if I leave it a laptop the bus.


I mention that only because it's one avenue. I figured obviously on a place like Hacker News that malicious agents aside from government could also compromise the security of 3rd party-held keys; as always security is a matter of difficult tradeoffs and anticipated threat categories.


I'm genuinely curious to know how VISA helps (or doesn't) in your analogy - what is a 'VISA problem'?


Mostly a joke, but I swipe a card and the problem goes away. No need to worry anymore.


Ah, thank you; I get it now: you don't need to worry about data theft because the drive was encrypted, so the only remaining problem is buying a replacement - a 'VISA' problem. I rather like that way of putting it; I might use it myself :)


VISA as in the credit card not a travel permit


The point is Linux doesn't enforce useless hardware that on top could be used against the user.

Same with MS's recall feature.

A Windows PC is just C but not P anymore.


Secure Boot makes persisting malware in the kernel fairly difficult. Which IMHO made sense coming from Windows 7 where driver rootkits and boot kits where trivial. With today's main threat model being encryption malware I would agree that it doesn't add all that much for most people.


It really doesn't prevent anything like that, not even remotely. First, to do any type of persistence that would be detected by Secure Boot, you already require unencrypted, block-level access to the disk drive, possibly even to partitions outside the system drive. There are a gazillion other ways that malware can persist if you already have this level of access and none would be detected by Secure Boot. If you were able to tamper with the kernel enough to do this in the first place, you can likely do it on each boot even if launched from a "plain old" service.


If it's a desktop, who cares?

Secure boot and BitLocker for the enterprise laptops, sure.

For gamers/hackers/hobbyists, why?


Yes, and Microsoft will still have regular "accidents" where they wipe out your ability to boot your Linux install, oh oopsy.

They should be prosecuted for that shit.


For now. It's not ubiquitous enough yet. Games are already starting to require secure boot, the rest will follow in a few years.


For now. The cogs will turn slowly towards our demise.


I may be naive, but I still do. Skepticism is warranted, yet outright dismissal based on conjecture is its own brand of fallacious reasoning. Can Microsoft potentially benefit? Certainly. But that doesn't negate the possibility of genuine user security motivations and benefits for end users


> Can Microsoft potentially benefit? Certainly. But that doesn't negate the possibility of genuine user security motivations and benefits for end users

it's important to ask which one of the motivations will allow them to lock users down and ask for ongoing rent. one of these two will, and that's what will always drive the decision.


> As it turns out, data after the signature block isnt checked at all... and it can even override data that came before it. Whenever two blocks of the same type are stored together, the last one overrides all the others before it. So, if we want to change any license data, we can just make a block for it and put it after the signature block!

Amazing.


I wonder if this is the worst cryptography blunder since Nintendo Wii using 'strncmp' to validate a hash (which stops after the first matching 00 byte)


This "check the block signature and then read another one" bug is incredibly common. I'd say it's one of the top 5 bugs I see in Validating Things. Other examples of places I've seen this recently include some variants of VW AG infotainment systems (mostly MIB2 High, I think), but it's kind of everywhere (as was the `strncmp-a-hash` method of validating an RSA-PKCS#1.5 signature).

This is probably the most egregious/impactful manifestation of it, though, especially if it applies to Xbox.


> This "check the block signature and then read another one" bug is incredibly common

I don't have links handy, but Android fell prey to this bug twice checking .apk signatures due to .zip files having duplicated copies of the manifest


MAS (which is also hosted on Github) is the perfect example of Microsoft not caring about end user piracy. Just use it.


In the long run, pirated copies of Windows are noise level: The vast majority of people are going to get a license via an OEM (which survives reinstallation), businesses aren't going to risk running unlicensed windows machines (especially if they're paying for it elsewhere) and have easy means to acquire OEM licensed machines that are supported by the OEM for parts & service, and people who run an up to date but pirate-licensed copy of Windows are at least running an up to date version instead of sitting on an EOL copy that is barely getting security updates.

Allowing piracy at that level is actively safer in the long run.


I suppose the other aspect is the gradual death of the white-box PC shop.

The large OEMs have contracts to pay 9 cents per license.

They'll never crack the individual enthusiast building his own PC from Newegg parts and installing a hack, but he's small potatoes.

But back in the day, there there was a fair chance your local midsize business, government, university, didn't necessarily buy from Dell or HP-- they bidded out a few hundred PCs to a local shop, which had both the motivation and technical knowledge to use the same license key on each one, and the scale where it could represent significant lost revenue.

Introducing activation was probably a significant sabotage for them. Although I'd suspect the stick on license certificate was almost as big a deal in that regard.


I have no idea how to get access to LTSC Windows without it. I have bought Windows PRO keys in case someone asks one day, but as a person, I really don't know how to get the not annoying Windows that is available for companies.


I did a little writeup[1] back in 2018 about how to acquire Windows 10 LTSC as an individual. It was only around $300, which included the required four additional CALs.

By way of comparison, Windows 11 Pro is $200[2].

[1] https://tinyapps.org/blog/201811300700_windows_10_ltsc.html

[2] https://www.microsoft.com/en-us/d/windows-11-pro/dg7gmgf0d8h...


Thank you for this


The pro keys won't cover you if someone asks. You're not licensed for LTSC and you can't have it without an enterprise agreement. It's still piracy. you might as well have not even paid for the pro keys.


It could still help with a jury of his peers.


I once went down this rabbithole ("I use LTSC for years might as well buy a legit copy finally") and... it was almost impossible. You need to buy at least 5 licenses through volume licensing but you also have to be a business (can't buy it as a natural person). Then there were some other thing about standalone version, upgrade, subscription etc.

So yeah LTSC was never meant to be available for single desktop users at home yet it's best version of Windows available.


Last year, a Microsoft support representative even used it on a customer's computer.

https://news.ycombinator.com/item?id=38295819

https://www.bleepingcomputer.com/news/security/microsoft-sup...


more like the license process is so bad that they dont bother to go after them


>the license process is so bad that they dont bother to go after them

For a person, yes go for it they won’t bother.

For a company… we have had some annoying MS audits. So how everything has to be retail WITH the cards. I have a stack ready for our next audit if it ever happens again.


sorry with cards? what do you mean?


There is ultimately no way to get a good license process on consumer PCs. The owner and operator of the hardware is also the adversary. It’s like DRM for video and other content: you are giving the ciphertext and the keys to the attacker. It’s only a matter of time until it is broken.


Maybe it's beneficial for Microsoft that solutions like that are FOSS so they can more easily inspect the code for prevention purposes in the future?


Instead I think that they let people use it unauthorized, so that Windows is even more entrenched. Same with what Adobe did with Photoshop. These companies are lucky that their product gets home and office use as well, because they can let the noncommercial use slide, and just squeeze the office users more.

It's more of a business move, than a technical move. Microsoft has plenty of capable people, they don't need such software to be FOSS to successfully inspect it.


I think Microsoft is just purposefully lax about enforcing their own trademarks on their own properties. It could be due to organizational memory of their antitrust case. It could be to avoid bad publicity (like the recent spat where youtube took down a video teaching people how to use adblockers).

Another example of this: the leaked Windows source code is available straight from GitHub.


Does anyone knows a good way to activate MS Office on macOS ? Doesn't matter how many times I buy the thing it eventually forgets the license and calling Microsoft Support usually doesn't result in anything. One day Office starts complaining that it's not activated and then it eventually locks me out of it. It would be nice if the Office license on macOS actually worked but if there's an easy solution for activation I wouldn't look back.



Thank you!


Alternative answer, Use LibreOffice


I use it too, but I need MS Office itself because of weird Azure plugin that makes documents in OneDrive that only open in MS Office.


For my personal use I found it trivial to activate my Win10 Professional. I just had to change the server address for the license check and boom fully activated. Not gonna share the specifics here but you can find it easily.

I guess the method described here does „more“ since it’s much more elaborate. Not super familiar with the different levels of win licences


One of Massgrave’s most famous “products” is a script that performs such server activation, so if anybody wants to find it look no further than the OP article. (Although it's not too hard to perform such activation manually either!)


Massgrave's tools activate your licence with Microsoft's servers.


Massgrave has their script for HWID and KMS and Office activations :)


>Not gonna share the specifics here but you can find it easily.

Did you open the link?


> which we independently uncovered around the same time it was reported to Microsoft

highly suspicious


So this is now patched? And this works on xbox store too?


It is said in the article that it's patched, multiple times


> massgrave.dev

Bit gross to be honest




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: