


Some gamers steamed over alleged Valve anti-cheat DNS spying

Feb 16, 2014 | 5 mins
Data and Information Security, Microsoft, Mobile Security

Reddit rumor control alleges that Valve's anti-cheat system checks the domains you visited and sends them back to VAC servers.

Are you a gamer? Got Steam? How steamed might you be then if Valve was spying on your web browsing via the Steam platform’s anti-cheat solution known as VAC? A post on Reddit alleges that “VAC now reads all the domains you have visited and sends it back to their servers.”

If you’ve ever played with a cheater, someone using speed hacks, aimbots or shooting through walls for example, then you know it can be pretty annoying. There was allegedly so much cheating in Counter Strike: Global Offensive that fans “begged” Valve to fix the VAC anti-cheat system. “Aimbots, walls, no recoil, DoS’ing servers…etc, the abuse cheaters can lay on legitimate players is disgusting,” wrote gamer InkofDeath on the Steam users’ forum. “Regular players have no immediate action of ‘fighting back’, and must wait on more long-term solutions while they are abused by cheaters.” While it is not certain that Valve’s remedy included the VAC domain-spying update alleged on Reddit, apparently the ban hammer has been falling more regularly on gaming cheaters.

According to a Counter Strike Global Offensive Reddit thread, VAC:

  • Goes through all your DNS Cache entries (ipconfig /displaydns)
  • Hashes each one with MD5
  • Reports back to VAC Servers

Valve is not the only company that uses an anti-cheat system, but it is perhaps one of the most highly regarded, as countless millions of gamers have Steam. The Reddit threads discussing the VAC code range from people alleging that Valve is violating gamers’ privacy to people who see nothing in the code to indicate that the DNS cache is being sent back to the VAC servers. However, the pitchfork waving may have started on multiplayer gaming cheat sites after an allegedly “huge” VAC ban wave in the game Rust.

Your PC keeps the domain names of recently accessed websites in a Domain Name System (DNS) cache. Using the “if I’m not cheating then it doesn’t matter” argument is much like using the “nothing to hide” argument in a privacy or surveillance debate. If you read about this, someone has linked directly to a site selling cheats or to another similarly blacklisted site, and you click on that link, then the website visit would temporarily be stored in your DNS cache. If the allegations are true, then you could be banned even without using cheats yourself.

For that reason, I won’t be linking you directly to any site selling gaming cheats in case you are a gamer and then do get banned for visiting that domain. However, a “member of a private hacking site” said the latest VAC update has been bringing down the ban hammer and linked to a post accusing the VAC update of being “more like spyware than an anti-cheat.” Ironically, since the person who posted is accused of being a “cheater,” that might not be a “trusted” source. Another alias screaming bloody murder sells cheats, so we will discount those comments, as anti-cheating systems that work would directly influence the seller’s money flow… but that screaming might also mean VAC is working better now.

Although most folks don’t bother to read it, Steam subscribers have agreed not to cheat and to abide by specific online conduct. Valve’s privacy policy makes it clear that Valve may collect personally identifiable info, but does not share that PII with “other parties except as described in this policy.”

Some of the mix-up regarding exactly what is happening with VAC goes back to VAC allegedly sending an MD5-hashed list of visited domains back to its servers. Some people see nothing in the code to indicate any domain browsing history is being sent back to VAC servers, while others point out that Valve using MD5 was lazy and that cracking an MD5 hash is child’s play thanks to rainbow tables.
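The mechanism described in the Reddit thread and the MD5 objection above, as an added example (not Valve's code and not code from the thread): it parses a constructed sample modelled on `ipconfig /displaydns` output, hashes each name with unsalted MD5, and shows that anyone holding a list of candidate domains can map those hashes back to names. The sample data, function names and candidate list are assumptions made for the illustration.

```python
import hashlib
import re

# Constructed sample modelled on `ipconfig /displaydns` output (not real data).
SAMPLE = """\
Windows IP Configuration

    store.example.com
    ----------------------------------------
    Record Name . . . . . : store.example.com
    Record Type . . . . . : 1
    A (Host) Record . . . : 192.0.2.10

    cheats.example.net
    ----------------------------------------
    Record Name . . . . . : cheats.example.net
    Record Type . . . . . : 1
    A (Host) Record . . . : 198.51.100.7

    intranet.corp.example
    ----------------------------------------
    Record Name . . . . . : intranet.corp.example
    Record Type . . . . . : 1
    A (Host) Record . . . : 203.0.113.5
"""

def cached_names(displaydns_text):
    """Unique, lower-cased record names found in the cache listing."""
    names = re.findall(r"Record Name[ .]*:\s*(\S+)", displaydns_text)
    return sorted({n.lower() for n in names})

def md5_hex(name):
    return hashlib.md5(name.encode("utf-8")).hexdigest()

def hashed_report(names):
    """The thread's first two steps: one unsalted MD5 digest per cached name."""
    return [md5_hex(n) for n in names]

def recover_names(report, candidates):
    """Dictionary lookup: hash each candidate domain and match it against the report."""
    table = {md5_hex(c.lower()): c.lower() for c in candidates}
    return {h: table[h] for h in report if h in table}

if __name__ == "__main__":
    report = hashed_report(cached_names(SAMPLE))
    # Hypothetical candidate list: any enumerable set of domain names will do.
    guesses = ["store.example.com", "cheats.example.net", "news.example.org"]
    recovered = recover_names(report, guesses)
    print(f"{len(recovered)} of {len(report)} hashed names recovered:", sorted(recovered.values()))
```

Because domain names come from a small, guessable space, the hash only hides names that are missing from the candidate list, such as the internal hostname in the sample.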

Haters are gonna hate, but it’s not clear if any of these anti-cheat “spying” allegations are accurate. At this time, Valve has not commented on the accusations. It is not known if the allegations are even true and, if so, how long this info on domains visited by gamers is stored. The DNS cache is not stored permanently on PCs, but whether or not the allegations of VAC “spying” are legit, some people are recommending that gamers flush their DNS cache to protect themselves. Ironically, I’ll link you to EA’s version of how to flush and renew DNS as well as “what’s my DNS.”

If you want to read Valve-related news that is definitely true, then Valve recently implemented a beta trial of Steam Tags, a “feature that lets the Steam userbase collectively assign new tags to games.” Hell supposedly broke loose as Valve miscalculated the number of trolls who jumped on this opportunity; tags like “crap,” “not a game” and other ruder and more abusive labels were among the “popular” tags. Valve therefore had to roll out a beta update for reporting offensive tags.

What do you think? Is Valve invading your privacy with VAC DNS cache checking?

Update: Top dog at Valve, Gabe Newell, responded to the VAC DNS cache checking.


Ms. Smith (not her real name) is a freelance writer and programmer with a special and somewhat personal interest in IT privacy and security issues. She focuses on the unique challenges of maintaining privacy and security, both for individuals and enterprises. She has worked as a journalist and has also penned many technical papers and guides covering various technologies. Smith is herself a self-described privacy and security freak.