Valve’s VAC Anti-cheat Program Raises Suspicions of Data Mining Gabe Newell Counters on Reddit

The latest saga of web users and internet privacy revolved around a seemingly unexpected name in the gaming industry. A few days ago, Valve Anti-Cheat, more commonly abbreviated to VAC, was reverse-engineered and discovered to watch the website domains websites users were visiting. The forum thread was originally posted on a Counter-Strike hacking forum and was linked onto Reddit (the link to the forum has since been removed) where the issue gained considerable attention. Redditors were split between the unconfirmed assumption that VAC was mining web browsing data and the typical good faith of Valve, the developer of Steam, a widely used game library and DRM platform, and many well-known games such as the Half-Life series, the Portal series, Left 4 Dead series, Team Fortress 2, and DOTA 2.

Yesterday afternoon, Valve founder and CEO Gabe Newell wrote a post on Reddit called “Valve, VAC, and Trust” giving Valve’s side to the story. The new feature to VAC was an anti-hacking measure that checked ongoing outbound connections to determine if a connection was made to a known hacking DRM server. A match with VAC’s locally stored DNS table of known servers escalated the account to be double checked on the VAC servers.

VAC checked for the presence of these cheats. If they were detected VAC then checked to see which cheat DRM server was being contacted. This second check was done by looking for a partial match to those (non-web) cheat DRM servers in the DNS cache. If found, then hashes of the matching DNS entries were sent to the VAC servers. The match was double checked on our servers and then that client was marked for a future ban. Less than a tenth of one percent of clients triggered the second check. 570 cheaters are being banned as a result.

Newell further went on to state that this new VAC implementation had already been noticed and rendered ineffective by hackers.

This specific VAC test for this specific round of cheats was effective for 13 days, which is fairly typical. It is now no longer active as the cheat providers have worked around it by manipulating the DNS cache of their customers’ client machines.

The rest of Newell’s statement gives more arguments regarding the trustworthiness of Valve and VAC. Further examination of the reverse engineered code confirmed VAC does not send web browsing data to Valve.

“Our response is to make it clear what we were actually doing and why with enough transparency that people can make their own judgements as to whether or not we are trustworthy.

Q&A

1) Do we send your browsing history to Valve? No.

2) Do we care what porn sites you visit? Oh, dear god, no. My brain just melted.

3) Is Valve using its market success to go evil? I don’t think so, but you have to make the call if we are trustworthy. We try really hard to earn and keep your trust.”