f13.net

SiX-Steam (http://www.hyper-host.net/sixsteam/). The inevitable end to a cute idea. Basically this guy made a program that hacks through the Steam Encryption, let's you use their bandwidth to download games, no need for authentication, and you can play them all online. It's the complete and total destruction of Steam as a clever idea.

Does it have custom trojans? Don't know. I bought Half-Life Silver. But this program is just too big to not talk about. What do you all see as the long-term effects this hack could have on the online distribution of gaming? Also, in a numerical amount, how much do you think Valve will sue this guy for if they ever find him?

.tk for the win.

Using Valve's own bandwidth to pirate their stuff is so unwholesome it's almost arousing.

Assuming this thing works (some of my friends are using it and say that it works, online play too), there will be a fix eventually and maybe some litigation or mass account bannings.

More proof that you just can't do this sort of thing without so-called trusted computing.  I just hope the cure is not worse than the disease.

Whoever he was, his site's dead already. Not 404 dead, 403 dead. Whoops.

This will be inevitable if online distribution is the 'next big thing.'  Call it cyber-shoplifting.  It's much more traceable, though, as our 'friend' here is about to find out

Damn. I wonder if this thing would have come had Valve not made the stupid fucking decision to require online authentication for even those clients who bought the game in the store.

You don't buy it as a tactic to eliminate the need for publishers?

You don't think eliminating publishers is a Good Thing?

I don't think it is good to eliminate all publishers.  Publishers have the capital to get the games out to the masses, and despite my appreciation for being able to bypass the frogs at Sierra and Vivendi Universal through Steam for my future Valve purchases, very few developers will have such a method to deliver games to hundreds of thousands of people.  Yes, most publishers are the absolute definition of corruption and villainy(I'm looking at YOU Electronic Arts), but they are a necessary evil for now.  There are, however, some pretty outstanding publishers, but I think a redname would probably have a better finger on who would fall into that category.

Oh, and Fuck you EA.

Not if the alternative doesn't fucking work.

And taking 3 minutes to load a game from the first double click will never count as 'working'.

Nor will having to download a new steam patch every sodding day.

Oh, and it won't eliminate publishers anyway, someone always has to fund development. It will just let a few big software houses self-publish.

And just to add insult to injury, the only way Steam will work in offline mode is if you physically disconnect your computer from the network. You can't, as far as I've been able to figure out, set it to offline mode and still be connected to the Internet. And just to be really fricking annoying sometime after the HL2 release they patched Steam to no longer work with NetLimiter. If NetLimiter is running Steam won't run.

^_^

Is there an alternative that fucking works?



Ever hear of Combat Mission?

My "may they burn in Hell" award goes to Psygnosis.

Problem with a Steam delivery system with no publishers....I'm not installing a Steam equivalent for every friggin' game I own.

I, too, am slow and cannot make it work in offline mode without unplugging my ethernet. And I kinda know what I'm doing and whatnot.

Screw steam, I bought HL2 at walmart just to make it extra evil.

A bonus F-U to Valve for the main menu screen when you boot the game up. Thanks for making me load that entire level so I can see it for 1 second before I wait for my save game to load in.

Nice concept, looks great. Takes forever. If there's a way to toggle it off, I missed it.

Go into Steam, right click on HL2 in the "play games" menu and click on properties.

In that window click on the "launch options" button. Type this line in:

-console

Done, no more level background when you load the game.

Nice tip, thanks.

Bollocks. Trusted computing ius about the restriction of consumer choice and making life easy for litigious intellectual property slumlords. There is next to nothing of merit in anything termed "trusted computing" when it comes to security. It is in fact the antithesis of "secure computing" and makes as much sense from a security perspective as any other method of trusting the client. It's a bad idea by bad people, and we don't need folks spreading FUD in order to help sell it.

There is no way to keep a secret on an open hardware platform.  No matter how clever you are, someone is going to find a way around your best crypto.

This realization is what has driven the movie and music industries to push DRM technologies to protect their content on a PC.  The centerpiece of the strategy is keeping part of your hardware secret from you.

I guess what I meant was not DRM in the sense of "Digital Rights Management" i.e., remove your fair use rights, but ratther  DRM in the sense of having hardware keep secrets from its owner.

One solution is completely closed hardware, like the XBox and other consoles.  Feel free to come up with a solution for the PC platform.

I wouldn't exactly put the Xbox up as the poster boy for DRM. It's quite possibly the most hacked console ever created.

Freakin' Microsoft.  I stand corrected.  Looks like Sony didn't do much better:

http://www.0xd6.org/ps2-independence.html

I still maintain it's easier to secure closed hardware, however.  For years, the only known expoits of the XBox required hacking the hardware.

Please stop reposting FUD. Security through obscurity is what you are advocating. Closed hardware does not make better security. Trust is not a one-way street. Read work by security researchers, not that of corporate marketing offices. A good place to start for a lucid explanation of the issues is the writings of Ross Anderson (http://www.cl.cam.ac.uk/users/rja14/).

No.  I'm saying there's no way to keep a secret key secret on an open hardware platform.  Recover the secret key and your crypto falls over.  Feel free to provide counter examples.



There's a lot on site.  What specifically are you proposing?

Sure, I'd love to argue this all night and into next year if we need to. I'm here to serve. Your flaw is not that open hardware can be compromised, it is in thinking that closed hardware cannot. It most certainly can, even if you move Fritz into the same die as the processor and implement Nexus in firmware. Perhaps you will increase the cost and complexity of breaking  into the system, and remove the bulk of the script kiddies from playing. However, the real criminals, spies and terrorists will not be deterred. Your security is in fact no better.



I'm proposing that you read some, specifically those documents regarding trusted computing. Perhaps start with the FAQ.

The key is that the trust here is for the vendor, not the computer owner. For the owner, trusted computing models actually reduce the ability to effectively manage security. Giving another company the keys to affect or subvert your security policy is a stupid, stupid idea. Preventing people from tampering with your open hardware by putting it under physical control is simpler, cheaper and more effective.

But removing the bulk of the script kiddies is exactly what I want to do.



Again, I'm not interested in stopping real criminals, terrorists or whatever the boogeyman du jour is.  I want game developers to get their due without having to rely on suits and other leeches, and I want to play online games that aren't awash in cheaters.




I did read the FAQ, and it convinced me so-called Trusted Computing is the only way around the potentially untrustworthy client.



Not necessarily.  I suggest you do some more reading on that site yourself, maybe starting with a post by John Gilmore that he links:





Not if I can choose who to trust and when.



What do you mean by "physical control"?

That's DRM, IP control. It isn't security. Saying that the client will be more secure is disingeneous. That's my point. Sure, the publisher can better trust the client, but that IS NOT security from the perspective of the client.

Just come out and say it - you are not concerned with making the computer owner more secure. You are interested in making the IP slumlord wealthier.



Don't. Just don't. I've read everything there, and most everything linked, Gilmore's post included.

Not only can an enlightened consumer choose between shite and crap, they can also choose between on and off. If the US companies want to push the enlightened consumer (and every non-US government, research institute, corporation and military) to Japanese chips by mandating TC, they're heading in the right direction.

TC belongs in DRM appropriate set-top boxes, not in general purpose computers. Trying to prevent a crime by removing the tools is unworkable. I can kill you with a piece of paper as well as I can with a gun. Don't sell your IP on a computer if BORA concerns you.

I'm not concerned with either.  You seem to have a reading comprehension problem.  Here it is again:






1) I'll do as I please.

2) Everything?  Why didn't you bring up his paper on key establishment in ad-hoc networks?  It deals with the problem of secure key distribution in potentially insecure networks.  Or perhaps his paper on The Cocaine Auction Protocol?  It describes a protocol for communications between parties that mistrust each other.




Right now the enlightened consumer can choose jack shit and jack left town.  This will not change as long as there are knee-jerk negative reactions to all things "Trusted."



I'm not talking about mandating anything to anyone.  I want the ability to purchase an anti-cheat system that actually works.



So now I'm tied to some mega-corporation's crappy hardware, inflated price, and long upgrade cycle?  I want to be able to play games that use today's latest technology.  I don't want to have to wait for Microsoft or whomever to upgrade their shitty set-top box.




This is exactly what's going to happen.  Game companies are going to release console-only at least initially, and we'll all lose.

In what way has this got anything to do with improving the security for the client system owner? You've said that you aren't interested in that.

There is a world of difference between securing a computer and making intellectual property management easier and more robust for the publisher.

You say that you don't want to wait for MS to upgrade their crappy box. You are prepared to trade off flexibility in general purpose computers to get your DRM/integrity gains. Other people than you are not prepared to wait for MS to upgrade their crappy OS and apps. Today I can compile up a Windows utility to address a shortcoming in the system, and I can use free tools to do so. Under TC, I'll need thousands of dollars of MS development tools, and when I have finished coding my masterwork, I'll have to get it TC registered through an extremely expensive process. Kiss shareware goodbye, you'll get what the mega-corps allow you to have.

Moving content like games to set-top boxes makes sense. We lose less.

I never said that TC would improve security for the owner. I did link John Gilmore who said that TC could do that.  Take it up with him.



I don't see why the trade off is necessary.



So don't  purchase any trusted technology then.  Like you said, the Japanese and others will be happy to oblige .



So it's OK to force DRM-encrusted set-top boxes on people who want to play games, but it's not OK to allow people who want play games on their PCs to buy DRM technologies?

True enough. You said:





Which is at the VERY LEAST implying that security for the client can be improved by the adoption of hardware that the client cannot trust.



It is a sine qua non requirement of trusted computing environments that the user relinquish control over their system in order to provide attestation of the code, root of trust and endorsement.







Yes. It's great - WE LOSE LESS if we cripple set-top boxes and not general purpose computers. Sure, I'll even join you in being brassed off at such a state of affairs, but I'll take it over wasting my computer systems. I don't know about you, but games are pretty low on my priority list of things I have to do on a computer.

It seems to me that you want to invite a dangerous and restrictive set of controls on mainstream computers just so that you can believe that the person that thrashes you in an online game is better at it than you. Despite the Xbox being the pinnacle of available TC systems, 99% of the people on Xbox Live that use a TVR Cerbera Speed 12 in PGR2 did not complete the game.

It implies no such thing.  The only way to prevent cracking and cheating is to solve the problem of the untrustworthy client.  I maintain that cannot be done in a completely open hardware platform, because it requires keeping something secret from the client.

There is nothing preventing an open specification of secret-keeping hardware from being effective.  Would it ease your mind if the spec was open and there were multiple vendors?



Yes, but there is no requirement that control be relinquished permanently nor on to whom it is relinquished.  Would it ease your mind if there were multiple competing providers of root trust and endorsement, and you were free to choose among them? Would it ease your mind further if you could disable the hardware when you didn't want to use it?  What about if the TC implementation lived in an add-on board that you could remove at your pleasure or just plain not install in all your systems?  If the owner can choose how much TC tech they buy and from whom, the flexibility and usefulness of general-purpose computers need not be compromised at all.

I guess we're very different.  There are lots of things I have to do with computers.  The only thing I want to do with computers is play games. (OK, and maybe post on this board, too.)

So you want us all to suffer because you want an xbox with a monitor, mouse, and keyboard?

You cannot have your cake and eat it here I'm sorry to say. The second it becomes viable to only sell on closed systems everyone will adopt. The user then has no option but to go with closed systems because they wont be able to run anything on an open system. You cannot have both. It's either closed or open. Frankly I'd rather have an open system and let the companies charge me extra for their software to compensate for losses due to piracy. I'd also rather try my chances with cheaters online.

Sending one or multiple encrypted files with the same secret key and providing the secret key for decrypting the said files to millions of people over the globe for money is just asking for someone to break that secret key in someway and all your system falls flat.

This is so 1980.

d

Yeah, what he said. I'm all for digital distribution; I think it would help game development tremendously. However, it's got to fucking work, plain and simple. Not working, especially when not working means screwing customers who legitimately bought your product, is not acceptable. The same goes for CD-copy protection schemes. I don't give a shit about them, until they actually cause legit copies to stop working.

Valve had lots of Sierra money and Half-Life success to fund Steam; like SOE and EQ2, they have no excuses for bringing out a fucked up product.

But lucky for them, it would probably take a while (http://stats.distributed.net/projects.php?project_id=8).

Ah, no, you missed the point. The secret key has to be stored unencrypted in RAM to be used by the client to decrypt things. Somebody with a debugger and enough time and patience will be able to pull that secret key out of memory. There's no need to try to guess the key through a "brute force" method like in the above project. This was the whole point about the Trusted Computing debate that went on above. Right now there's no way for software vendors to "hide" things from a determined cracker on today's PCs. The Trusted Computing initiative is an attempt to solve this problem.

Edit: Actually that wasn't the whole point of the TC debate above

No, I emphatically do not want an XBox, keyboard or not.  I see closed consoles as one extreme and completely open PCs as the other.  I say there's enough room for something else in between without compromising either.

The open PC is nowhere near as fragile as you think.  Recent history is littered with examples of lock-in gone wrong.  Intel tried to sneak in cpuid and promptly had to backtrack because of the shit storm that ensued.  Intel tried to lock everyone into using RDRAM, and the market showed them where to stick their Rambus.  Intel tried to lock in the 64-bit platform of the future, and along came AMD.  IBM tried to foist Microchannel on people, and so on and so forth.  The open PC is unkillable.

Yes. (http://www.coh.com) Entirely downloadable, no fucking around with steamesque crap, patches that download on log out way ahead of their launch date rather than on log in every fricking day, no complaints about legitimate purchasers not being able to get in (even on launch day), and despite having to connect to servers to play it still gets you going in less than half the time that steam takes.

Another example here. (http://www.atitd.com)

In single player games? Not that I'm aware of.

Stardock has an all-access pass to all their games - Totalgaming.net (http://totalgaming.stardock.com/).

Lately, they've been doing everything right and no one notices because their games AREN'T SHINY ENOUGH FOR THEM. Arrogant Gamespot/IGN fed pricks.

Stardock is doing a great job at safely entering the game genre, imo. Growing a nice little community core to support them despite the fickle gaming public, and a heck of a game in GalCiv.

A lot of the stuff in this thread is highly technical, and I won't claim to know much about it. But I can say this with a good degree of certainty:


As hard as one may work to put highly advanced security systems on open/closed hardware, and software, there is someone out there working just as hard (if not harder) to find a way to crack that security. They will almost always succeed, as well.

There isn't really a such thing as an "unsinkable ship", as they say.

For each brilliant mind trying to make movies harder to copy and music harder to rip, there are 200 brilliant minds making it easier than ever to copy movies and rip music.

Security for IT isn't really that different than military security.  No fortress is unbreakable, but nor is it the goal of the builder to make it such - the goal is to make the cost of entry in excess of the cost of success.  Worried about security, some of the most secure networks aren't connected to any outside network at all.  That is, there is no physical connection between network X and anything else, but even this isn't proof of security.  How can you break into a box that isn't plugged into the internet?  Two ways are physical break-in (walk up to the box, or one it is connected to), or get someone else to inadvertantly plant a trojan.  But because both are difficult, and with good policies even more difficult, the cost of break-in is high.

A closed system raises the cost of entry.  Open systems gain the ability to receive reports of vulnerabilities - but you're still in the rut of having to push fixes to people, which is hard.