Steam's VAC reads all the domains you visited(twitlonger.com) |
Steam's VAC reads all the domains you visited(twitlonger.com) |
As someone who reverse engineers things for fun, and can read the C "pseudocode" generated via decompilation pretty easily, I am going to have to disagree with the assumptions made in this post.
First, there's no proof this is from Steam, I've poked around a few of the DLLs since I saw this and am unable to find anything even remotely close to what this does.
Second, this method does NOT send anything to Valve. This method grabs the DNS cache, yes. And it MD5s the entries, then it stores it. This method itself does nothing more with the hashes. For all we know VAC could be doing a LOCAL scan of the list, and comparing it to an internal list of "known" cheat subscription servers.
Until someone posts details of exactly where in Steam this is (What DLL is all that's required to verify), and the calling method that supposedly sends this information to Valve, I would take this with a very massive grain of salt.
So yeah, no proof it sends anything. It could be a local check.
This is part of the Valve anticheat system. I believe that the idea is that this sort of code is downloaded on the fly by the game client to make it harder to reverse engineer by game cheaters. What you have to do is to find some way of dumping the code that VAC pulls from the steam servers, and of course Valve tries to make that difficult for legit reasons (regardless of whether this particular snippet of code is legit).
Do you have a link to that reddit comment thread?
EDIT: here it is: http://www.reddit.com/r/GlobalOffensive/comments/1y0kc1/vac_...
The listing of decompiled code (in image form, for your pleasure) is here: http://i.imgur.com/z9dppCk.png
IMHO the fact that they seem to store the hashes in a lookup table hints that it's meant for local use, what's the point of doing that if you just want to upload it on the net? I guess they could do both though.
You could still infer things from the timings, but again, it is not always practical.
btw, help me understand the use of the DnsFree variable... why is it often exor'd with 0x23dc67e8? is that the addr of a routine and exor is faster than adding? thank you.
It get's XOR'd once after the GetProcAddress, then XOR'd back before the STDCALL invocation.
This is done for both the GetProcAddress calls, so I'm going to just guess that this is some anti-patching anti-cheat shenanigans.
http://www.reddit.com/r/GlobalOffensive/comments/1y0kc1/vac_...
http://www.reddit.com/r/technology/comments/1y4za5/steams_va...
" Yes, with some simple wireshark analysis you can see it is being sent back.
Use wireshark, join a local TF2 server, try and isolate the VAC IP address (they are not static, but use rDNS & whois the IP). Go by process of elimination. Happy to give you pointers if anyone is interested.
Use wireshark and monitor the SSL communications of VAC for the first minute. Record the total size of outgoing packets (for me, I got 1.94 MB and 1.88 MB on my two tries -- the first time you join a VAC server and when modules update it's likely to be higher as it downloads it's modules).
note: Keep everything else constant - like what windows you have open, what processes you have running, etc.
Bloat your DNS cache. (What I did was edit my hosts file, used a script to add over 20k hosts [careful actually crashed notepad when I tried to read it])
Repeat step 1 and 2. I got 2.47 MB and 2.58 MB on two tries (first min of outgoing packets). This increase seems to be twice the amount 20k of MD5 hashes would take. Maybe a bug is causing it to be sent twice?
Clear your hosts file, flush dns cache. Repeat step 1 and 2 again. I got 1.99 MB."
Look at how the Safe Browsing API accomplishes the same task: https://code.google.com/p/google-safe-browsing/wiki/SafeBrow...
It's not even what Valve and co are doing with the info, it's similar to the Sony rootkit case where the main worry would be that the rootkit could introduce security vulnerabilities.
To be banned because you visited a website is also an abusable medium. Similar to the memory and window name scanning VAC and other similar anticheats have done in the past (or continue to do). You could historically get people banned by just doing stupid things, like having an IRC title that shows up in mIRC's window name that's detected or sending someone a message via any chatting medium that has a detected substring.
Imagine you just send a tinyurl link to your opponents in an upcoming tournament. Or just embed a simple <img> tag in an otherwise harmless webpage (display: none, for example) so everyone who visits your website has that domain fresh in their cache. This kind of "evidence" quickly becomes useless because it can be used for nefarious purposes, which is why it should never be used at all.
This is not only ineffective, it's dangerous. And it's an invasion of privacy since you can simply create a rainbow table of domain names, as other people have pointed out.
Come on, Valve.
Adding 0x20 to any uppercase ASCII character will get you its lowercase equivalent.
A similar thing was done with PunkBuster: https://en.wikipedia.org/wiki/Punkbuster#Attacks_on_PunkBust... - since it was scanning all of your computer's memory for cheat signatures, you could just paste a fragment on IRC in order to get people banned.
I guess it's a way for them to pretend they're not actually invading the user's privacy, just looking for certain websites. That's pretty weak though.
It's trivial to MD5 a list of common domains, or any other ones of interest, and compare that to the user's list.
This absolutely represents a privacy invasion.
Yes, this would also include sites opened while using private browsing, since the DNS cache doesn't get flushed afterwards (at least a Mozilla bug report said so.)
Can't say in which cases VAC will do all of that.
Maybe that's just my optimism speaking though. Every good company turns bad at some point.
As I understand that's unlawful in USA and UK at least.
So far there seems to be zero evidence that this is used to send data to valve.
Is this a reasonable way of detecting cheats? In my opinion, yes. They can't send the hostnames to the client (even in hashed format), because then the cheat authors could see if their hostname(s) are listed and subsequently change them, even if the list sent to the client is hashed (they'd just have to run their own hostnames through the same hashing function). Having my DNS cache sent to VALVe and used (likely ephemerally) is a small price to pay for multiplayer games that I enjoy to continue to be fun.
No, we can safely assume this is done to compare your DNS cache to a list of hosts known for their involvement in some kind cheating (be it a website distributing cheats or some kind of cheat connecting to a certain host.)
Even if Valve doesn't intend to use this for any other purpose (and I honestly don't think they are) doesn't mean that a) they won't change their mind later on and b) their infrastructure is perfect, meaning someone could steal this information.
The above will manually clear out the windows DNS cache. Note this doesn't block it, but rather simply limits what it can find out. I'm not sure it would be possible to block this functionality entirely without also breaking DNS, or otherwise causing the Anti-cheat tool to detect something odd.
By default, the Windows DNS cache doesn't flush itself, with entries lasting for 24 hours or so. As stated in the post, you can view currently cached domain names by entering
ipconfig /displaydns
Strangely, this doesn't seem to list some of the sites I've visited this morning within firefox
I'm not convinced I like other peoples suggestions of constantly flushing your DNS because you're having to hope that VAC doesn't recheck your cache before your automated job flushes it.
Especially at an API level.
Yes, Steam spying is a problem, so don't get angry with someone suggesting a workaround.
Apparently caching isn't enabled though[1].
[1]: http://www.stgraber.org/2012/02/24/dns-in-ubuntu-12-04/
OS X does use a local DNS cache AFAIK, so it's possible. The decompiled code is Win-specific, so I can't really answer that without the decompiled code for their OS X VAC port.
In fact, after reading the code and the rest of the thread I'm starting to believe it might be for obfuscation rather than protecting the user's "privacy".
When I think about how much work I do on home machines with Steam installed, I can't even begin to imagine how much of a security breach this could be at larger companies.
http://pastebin.com/PTG57bXb is the .deb and the online "Steam Agreement" - section 2A of the later is probably most relevant from a brief look through (unless they've hidden things under non-relevant headings). That requires you to give them rights to run "the software".
There are parts about their rights to your UGC, but that doesn't seem pertinent really.
Nothing seems to be a warranty from you as user to Valve giving them rights to snoop around your system and upload data they find.
I came across this a lot back working as a mac support engineer. It used to be a common issue with older routers that too many DNS requests would kill the inbuilt DNS server, effectively preventing people from using their internet connection. This was typically isolated to someone running a torrent, with their torrent client doing reverse lookups to the hundreds of connections that occurred. This crashed the router's DNS service forcing a reboot.
Workaround was to set the DHCP server on the router to give out the ISPs (or google's) DNS servers.
Here is what I've tried:
ipconfig /displaydns | grep foobar.com
#empty
#open foobar.com in Firefox
ipconfig /displaydns | grep foobar.com
foobar.com
Record Name . . . . . : foobar.com
#delete firefox cache
ipconfig /displaydns | grep foobar.com
foobar.com
Record Name . . . . . : foobar.comBesides, the question was how to prevent VAC from uploading your (hashed) DNS cache, and clearing Firefox cache doesn't flush those entries from your OS DNS cache.
More importantly, Windows will cache DNS records for no longer than the TTL. Firefox will keep entries in its cache for hours if not days. That's how sites you have been visiting will not show up in the OS cache.
blueskin_ mentions that Firefox uses its own DNS cache, and deleting the browser cache also deletes the DNS entries.
However Firefox still uses the Windows API for DNS resolution, and deleting the browser cache doesn't result in those entries being flushed from the OS DNS cache (which is demonstrated by my experiment.) In other words, simply deleting your browser cache in Firefox will not prevent VAC from uploading your OS DNS cache. As long as the entries aren't expired or flushed manually, they will remain in your OS cache and VAC has no problem getting them.
mdisraeli answers how, and remarks that many of the sites they're visiting are not in the cache
blueskin_ explains why those sites are not in the cache
pfg challenges blueskin_
Yes, 'some' of the sites will be cached by windows, this was explicitly stated in the original comment by mdisraeli. I don't know why you're acting like anyone is wrong. Did you skip midisraeli's comment accidentally, which lead you to think blueskin_ was offering a flawed solution to kamakazizuru? Blueskin_ was not offering any kind of VAC-related advice or information, just explaining Firefox's weirdness.
So I'm not sure why we're even talking about the DNS cache Firefox uses internally.
blueskin_'s response implies that because Firefox uses its own DNS cache and clearing the browser cache will clear those entries too that either a) opening a page in firefox will not put the corresponding hostname in the OS DNS cache or that b) clearing the browser cache will flush the entries from the OS cache as well. (His reply wouldn't make sense in any other way in this context.)
I'm not trying to prove anyone wrong, but the comment as it was implied you're safe if you use Firefox and clear your DNS cache, when in fact you're not.
Not true. Because Firefox has its own cache, news.ycombinator.com is not in my OS cache even though I'm actively opening and closing connections to it.
>blueskin_'s response implies that because Firefox uses its own DNS cache and clearing the browser cache will clear those entries too that either a) opening a page in firefox will not put the corresponding hostname in the OS DNS cache or that b) clearing the browser cache will flush the entries from the OS cache as well. (His reply wouldn't make sense in any other way in this context.)
Option a is the correct interpretation, more or less. Opening a page that is still in the Firefox DNS cache, which lasts hours to days, will not put the hostname into the OS cache.
>I'm not trying to prove anyone wrong, but the comment as it was implied you're safe if you use Firefox and clear your DNS cache, when in fact you're not.
I don't think it implied that, but it's okay if we disagree on this as long as the factual points are clarified.
Of course if Firefox actually ignores TTLs, forget everything I said.
I'll now set my hair on fire while pondering why they would do that.