This thread has been locked
AUTISTIC BISCUIT (Banned) 7 February 2014 at 8:54
Does Steam spy on its users?
I read this article about Origin collecting data on software and websites that have been viewed by anyone who has installed Origin, I wonder if Steam might do the same thing.
Showing 91-103 of 103 comments
Freyar 17 February 2014 at 12:22
Originally posted by Tito Shivan:
The reason why VAC is doing that is already stated on many threads discussing this.

It's a shame this is the only thread I've seen stick around (outside of how to flush DNS).

It's looking for traces of connection to private, paid, streamed cheats.

These cheats usually DO NOT install themselves on the machine. Instead:
-Cheater logs into paid cheat service (as you do on steam)
-Site verifies user is a paid customer.
-Site remotely injects cheat into game.
[/quote]

I'm aware that's how most paid cheats work these days, but it still raises a few yellow flags.

So VAC is looking if for some reason the computer has 'looked' for some of those services.

Note that none of this implies that:
-The info is sent anywhere (the hash comparison can pretty much be done locally)
-A user is going to be banned SOLELY due to a positive on that search.

Why hash the information then if it's just to be compared locally? What exactly are they looking for? Known login servers, or domains in general? How can this be exploited by third parties and what is ValvE going to do to try and prevent that?
MrSpeedNut 17 February 2014 at 13:16
Well, I must say I really do miss that old Steam, the green one, so simple with no addons.
Now it is a full-blown spyware program to play games; sometimes change is not good.
Not happy at all about Steam spying on my DNS cache to find places where I have been, or my host file that blocks websites that will show up in DNS cache.
No matter how you look at it, it is spying; nothing you can tell me will change the fact.

Is there anything else we should know? What exactly are you collecting from our computers?

Valve, please list it all. We have the right to know.

Thanks: Very unhappy gamer/person

Tito Shivan 17 February 2014 at 15:01
Originally posted by Freyar:
Why hash the information then if it's just to be compared locally? What exactly are they looking for? Known login servers, or domains in general? How can this be exploited by third parties and what is ValvE going to do to try and prevent that?
Because the easier way of checking for a positive is via hash comparison. It gives the guarantee that both sides being compared have not been altered. All by comparing a numeric value instead of a whole file.
You make a comparison without using the data inside of what you're comparing.

Precisely hashes are used to not peek at the data you're comparing.

An example is worth a thousand words:
Here's the MD5 hash of a text I just encrypted:

fa5c89f3c88b81bfd5e821b0316569af

I can give that little string to you so you can compare it to other hashes, for example:

093402dc785c01274713767fb5962628

You can compare if both texts are the same (evidently they are not) without even knowing what were the texts you are comparing by running a small comparison instead of comparing two (god knows how big) text files, character by character, byte by byte.

Think Occam's razor. Why hash the data you want to get, then send it away, to have it later run a much more heavy computational comparison by rainbow tables to guess which were the data that was originally hashed (because hashing is not a two way operation. There is no way of 'unhash' it to get what you had before) -IF it is stored at all on any of the entries of the rainbow table- when you could just... directly get it?
Azza ☠ 17 February 2014 at 16:35
1) Browse to steam dir
2) Search for gcache.gcf
3) Open the 400+ meg file in a hex editor
4) Search for "kazaa" and "mp3"
----
5) Ponder

I don't use that spyware application called 'kazaa' or download 'mp3' files, must have been one of them steam developers...
Falro the Great 17 February 2014 at 17:22
It seems that Gabe Newell has responded to this on Reddit:
http://www.reddit.com/r/gaming/comments/1y70ej/valve_vac_and_trust/
As has been said, no actual information about the sites you visit is being transferred to Valve.

Originally posted by Azza ☠:
1) Browse to steam dir
2) Search for gcache.gcf
3) Open the 400+ meg file in a hex editor
4) Search for "kazaa" and "mp3"
----
5) Ponder

I don't use that spyware application called 'kazaa' or download 'mp3' files, must have been one of them steam developers...
No such file in my directory.
Last edited by Falro the Great; 17 February 2014 at 17:23
crunchyfrog 17 February 2014 at 18:06
Originally posted by Freyar:
Originally posted by Tito Shivan:
Third. These threads always show how backwards many people get their privacy priorities. This alleged data gather pales in comparison with all the info, way more private and way more sensitive we give away or is unwillingly gathered from us. Yet we make no ruckus of it.

The problem is, it's now known and unexpected. I want to know what ValvE is doing hashing cached DNS results and what they're for.. "Oh they're to catch cheaters" is too vague. What are they looking for specifically and what are they intending to do with this information?

Fourth. We want the cake and eat it too. We want to get rid of cheaters, but the moment VAC sneaks where cheaters hide, we say it 'you shalt not pass'... Well that means cheaters can't be found as long as they hide where we don't let VAC come in. It's like saying an AV it must not read my files as they are private. (note I'm saying READ, not SEND)

This is why VAC must be used in conjunction with community admins on dedicated servers. This is why games like Call of Duty fail so hard in the anti-cheat department, but Counter-Strike and TF2 can thrive with fun places to play. VAC was never an end-all solution.

In order to know what to read, the software must receive instructions on what to look for. If it receives instructions on what to look for, information can be returned saying whether there was a match or not which implicates people who may not necessarily be in violation of VAC anyway.

Sorry, while I like a cheat-free game myself, without information from Valve on just why VAC is putting its nose where it really shouldn't (at least not without dinner and a movie) and what it's doing there, I find it far too intrusive. Yes, I like ValvE, but I'll hold them to the same standard. This is a problem.

Sorry, it isn't a problem if you can't be identified in any way from it. It just isn't.


Originally posted by Tito Shivan:
Originally posted by Freyar:
Why hash the information then if it's just to be compared locally? What exactly are they looking for? Known login servers, or domains in general? How can this be exploited by third parties and what is ValvE going to do to try and prevent that?
Because the easier way of checking for a positive is via hash comparison. It gives the guarantee that both sides being compared have not been altered. All by comparing a numeric value instead of a whole file.
You make a comparison without using the data inside of what you're comparing.

Precisely hashes are used to not peek at the data you're comparing.

An example is worth a thousand words:
Here's the MD5 hash of a text I just encrypted:

fa5c89f3c88b81bfd5e821b0316569af

I can give that little string to you so you can compare it to other hashes, for example:

093402dc785c01274713767fb5962628

You can compare if both texts are the same (evidently they are not) without even knowing what were the texts you are comparing by running a small comparison instead of comparing two (god knows how big) text files, character by character, byte by byte.

Think Occam's razor. Why hash the data you want to get, then send it away, to have it later run a much more heavy computational comparison by rainbow tables to guess which were the data that was originally hashed (because hashing is not a two way operation. There is no way of 'unhash' it to get what you had before) -IF it is stored at all on any of the entries of the rainbow table- when you could just... directly get it?


Common sense as ever, Mr Tito :)

I often refer to this sort of conspiracy talk in one way "filing the edges off of 50p's to make 10p's" - in other words, why go a long, convoluted route to get something of LESSER value? It seems that one hell of a lot of conspiracy theories contain this falsehood.
Last edited by crunchyfrog; 17 February 2014 at 18:08
Freyar 17 February 2014 at 19:31
Originally posted by crunchyfrog:
Sorry, it isn't a problem if you can't be identified in any way from it. It just isn't.

Code that can and will have an impact on your library for Steam is a problem if it isn't trustworthy. Newell's comments on Reddit have improved my concerns so it now is merely pondering.

If you can make the hash, and you can break the hash, and you transmit the hash, you can read the hash in plaintext too.
Last edited by Freyar; 17 February 2014 at 19:32
crunchyfrog 17 February 2014 at 20:29
Originally posted by Freyar:
Originally posted by crunchyfrog:
Sorry, it isn't a problem if you can't be identified in any way from it. It just isn't.

Code that can and will have an impact on your library for Steam is a problem if it isn't trustworthy. Newell's comments on Reddit have improved my concerns so it now is merely pondering.

If you can make the hash, and you can break the hash, and you transmit the hash, you can read the hash in plaintext too.

Maybe, but how does this equate to personally identifiable data? Is there any way such text can be pointed towards a person?

How could such data "have an impact on your library"?
Last edited by crunchyfrog; 17 February 2014 at 20:29
Freyar 17 February 2014 at 20:40
Originally posted by crunchyfrog:
Maybe, but how does this equate to personally identifiable data? Is there any way such text can be pointed towards a person?

How could such data "have an impact on your library"?

Take the login of the user that is currently playing (because bans cannot be issued to an account if you don't know what the account is), take the hash, learn hash is whatever they're looking for. The account, if you've purchased anything (or if you've been selling a LOT of things on the community market) will have Name, Billing Address, and in some cases even SSN for US customers. This is all data ValvE holds and it isn't that hard to put the pieces together. It's the same thing EA, Facebook, and advertising agencies do.

The hash itself may not be personally identifiable when isolated from everything else, but the system won't work without knowing at least what account it was coming from.

Without knowing what they were doing, this meant we had an obscured piece of code that was looking where it really shouldn't without an explanation that can impact a library as a result of different hits.

The method could be exploited, and even then there has to be trust for ValvE to not abuse it. They're pretty good about not doing it, but there's always a chance that will change.
Last edited by Freyar; 17 February 2014 at 20:42
crunchyfrog 17 February 2014 at 20:45
Originally posted by Freyar:
Originally posted by crunchyfrog:
Maybe, but how does this equate to personally identifiable data? Is there any way such text can be pointed towards a person?

How could such data "have an impact on your library"?

Take the login of the user that is currently playing (because bans cannot be issued to an account if you don't know what the account is), take the hash, learn hash is whatever they're looking for. The account, if you've purchased anything (or if you've been selling a LOT of things on the community market) will have Name, Billing Address, and in some cases even SSN for US characters. This is all data ValvE holds and it isn't that hard to put the pieces together. It's the same thing EA, Facebook, and advertising agencies do.

The hash itself may not be personally identifiable when isolated from everything else, but the system won't work without knowing at least what account it was coming from.

Name, billing address, and possibly SSN is not sensitive data. Little to nothing can be done with it on its own, and that data is equally likely to already be on the internet.

Granted this might seem uncomfortable, and if it goes further than this, then it may be cause for alarm. However, you still haven't said how this can impact your account. Unless there's actual data such as credit card numbers (which are well-encrypted in any case), then it's doubtful anything that you've stated can be used in any malicious way.

Originally posted by crunchyfrog:
Name, billing address, and possibly SSN is not sensitive data. Little to nothing can be done with it on its own, and that data is equally likely to already be on the internet.

Actually it is sensitive data. That is all data someone would need to steal your identity. The only thing missing would be the birthday. SSN is extremely sensitive data and that is why most of the time just the last 4 numbers are used to verify because the rest is hidden to prevent theft..

That being said the data being collected is not being collected to market to you, have you arrested or anything but possibly get you a ban. A real person does not even see the raw data. Google and Facebook collect way more data on you than anyone else so I suggest you stop using those services if you are worried.
Last edited by Legendary old man; 17 February 2014 at 21:29
crunchyfrog 17 February 2014 at 21:56
Originally posted by facedown:
Originally posted by crunchyfrog:
Name, billing address, and possibly SSN is not sensitive data. Little to nothing can be done with it on its own, and that data is equally likely to already be on the internet.

Actually it is sensitive data. That is all data someone would need to steal your identity. The only thing missing would be the birthday. SSN is extremely sensitive data and that is why most of the time just the last 4 numbers are used to verify because the rest is hidden to prevent theft..

That being said the data being collected is not being collected to market to you, have you arrested or anything but possibly get you a ban. A real person does not even see the raw data. Google and Facebook collect way more data on you than anyone else so I suggest you stop using those services if you are worried.

Actually, you're wrong. You can't steal an identity on those details alone (otherwise phone books would be pretty dangerous items). I reserve judgement on SSN as I'm not American and have no idea how that works, or whether it can be used as evidence for anything (such as extended credit).


A lot of people think that those two details are enough to steal identity, and true to an extent you could pose as that person with those details, however you won't be able to do anything with it that is harmful to the REAL person.

I seriously doubt that any of the data collected could possibly work towards getting you a ban in anything.
Last edited by crunchyfrog; 17 February 2014 at 22:00
Spawn of Totoro 17 February 2014 at 22:22
Ok, that is enough. Gabe has commented on the matter and explained it.

Everything I'm reading so far has been based on pure speculation and is just causing an argument.

For one, if a hash can be broken, would it happen soon enough to be of use? What information does it contain?

The closest it could contain is a SteamID as Valve does not send personal information in such a way. That ID is public and is sent to any server you join and can even be found through 3rd party sites. It is non-personal information and can be used to ban an account. No name, address or anything else would be sent as that isn't needed to do what needs to be done in this case.

From what Gabe said "If found, then hashes of the matching DNS entries were sent to the VAC servers.", so nothing is sent unless it may have found a cheat, then the hash is sent to confirm a cheat with VAC servers. VAC would then set up a ban.

Believe it or not, that is up to you.

Then this part I feel is true too "There is also a social engineering side to cheating, which is to attack people's trust in the system.".

If someone doesn't want to trust it, then they don't have to use it. It is their choice to make.

As Gabe said "Our response is to make it clear what we were actually doing and why with enough transparency that people can make their own judgements as to whether or not we are trustworthy."

-----
Quotes taken from Gabe Newell's Reddit post, found at: http://www.reddit.com/r/gaming/comments/1y70ej/valve_vac_and_trust/
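
The scheme argued over in this thread (a local comparison against a list of hashes, with only the hashes of matching DNS entries reported) can be sketched as follows. This is an added example, not part of any post and not Valve's code; the domain names, the choice of MD5 (taken from the example hashes above) and all function names are assumptions made for illustration.

```python
import hashlib

def name_hash(name: str) -> str:
    """MD5 of a DNS name, normalised (case, trailing dot) so equal names hash equally."""
    canonical = name.strip().rstrip(".").lower()
    return hashlib.md5(canonical.encode("ascii")).hexdigest()

# Constructed sample data; every name below is hypothetical (.example is reserved).
WATCHLIST_NAMES = ["login.cheat-service.example", "auth.paid-hack.example"]
# The client only needs the hashes, not the names, to do the comparison.
WATCHLIST = {name_hash(n) for n in WATCHLIST_NAMES}

DNS_CACHE = ["store.example.", "Login.Cheat-Service.example",
             "forum.example", "mail.example"]

def local_matches(cache, watchlist):
    """Compare on the client; return only the hashes that hit the watchlist."""
    return sorted({name_hash(entry) for entry in cache} & watchlist)

def recover(reported, candidates):
    """Dictionary lookup: map reported hashes back to names from a candidate list.

    No hash is 'broken' here. Domain names are guessable inputs, so anyone
    holding the right candidate name can recognise its hash.
    """
    table = {name_hash(c): c for c in candidates}
    return {r: table.get(r) for r in reported}

if __name__ == "__main__":
    reported = local_matches(DNS_CACHE, WATCHLIST)
    print("entries in cache:   ", len(DNS_CACHE))
    print("hashes reported:    ", reported)
    # Whoever built the watchlist knows exactly which name each hash means.
    print("list owner sees:    ", recover(reported, WATCHLIST_NAMES))
    # A party without that name in its candidate list learns nothing.
    print("other observer sees:", recover(reported, ["store.example", "forum.example"]))
```

Of the four constructed cache entries only one produces a reported hash; the other three never leave `local_matches`, and the reported hash is readable only to someone who already has the matching name in a candidate list.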

Date posted: 7 February 2014 at 8:54
Posts: 103