Steam fall down. Go BOOM.

[schild]

SiX-Steam. The inevitable end to a cute idea. Basically this guy made a program that hacks through the Steam Encryption, let's you use their bandwidth to download games, no need for authentication, and you can play them all online. It's the complete and total destruction of Steam as a clever idea.

Does it have custom trojans? Don't know. I bought Half-Life Silver. But this program is just too big to not talk about. What do you all see as the long-term effects this hack could have on the online distribution of gaming? Also, in a numerical amount, how much do you think Valve will sue this guy for if they ever find him?

.tk for the win.

[Fabricated]

Using Valve's own bandwidth to pirate their stuff is so unwholesome it's almost arousing.

Assuming this thing works (some of my friends are using it and say that it works, online play too), there will be a fix eventually and maybe some litigation or mass account bannings.

[JMQ]

More proof that you just can't do this sort of thing without so-called trusted computing.  I just hope the cure is not worse than the disease.

[Merusk]

Whoever he was, his site's dead already. Not 404 dead, 403 dead. Whoops.

This will be inevitable if online distribution is the 'next big thing.'  Call it cyber-shoplifting.  It's much more traceable, though, as our 'friend' here is about to find out

[HaemishM]

Damn. I wonder if this thing would have come had Valve not made the stupid fucking decision to require online authentication for even those clients who bought the game in the store.

[JMQ]

You don't buy it as a tactic to eliminate the need for publishers?

You don't think eliminating publishers is a Good Thing?

[ahoythematey]

I don't think it is good to eliminate all publishers.  Publishers have the capital to get the games out to the masses, and despite my appreciation for being able to bypass the frogs at Sierra and Vivendi Universal through Steam for my future Valve purchases, very few developers will have such a method to deliver games to hundreds of thousands of people.  Yes, most publishers are the absolute definition of corruption and villainy(I'm looking at YOU Electronic Arts), but they are a necessary evil for now.  There are, however, some pretty outstanding publishers, but I think a redname would probably have a better finger on who would fall into that category.

Oh, and Fuck you EA.

[eldaec]

You don't think eliminating publishers is a Good Thing?

Not if the alternative doesn't fucking work.

And taking 3 minutes to load a game from the first double click will never count as 'working'.

Nor will having to download a new steam patch every sodding day.

Oh, and it won't eliminate publishers anyway, someone always has to fund development. It will just let a few big software houses self-publish.

[Trippy]

You don't think eliminating publishers is a Good Thing?

Not if the alternative doesn't fucking work.

And taking 3 minutes to load a game from the first double click will never count as 'working'.

Nor will having to download a new steam patch every sodding day.

And just to add insult to injury, the only way Steam will work in offline mode is if you physically disconnect your computer from the network. You can't, as far as I've been able to figure out, set it to offline mode and still be connected to the Internet. And just to be really fricking annoying sometime after the HL2 release they patched Steam to no longer work with NetLimiter. If NetLimiter is running Steam won't run.

[Calantus]

^_^

[JMQ]

Not if the alternative doesn't fucking work.

Is there an alternative that fucking works?

Oh, and it won't eliminate publishers anyway, someone always has to fund development. It will just let a few big software houses self-publish.

Ever hear of Combat Mission?

My "may they burn in Hell" award goes to Psygnosis.

[Sky]

Problem with a Steam delivery system with no publishers....I'm not installing a Steam equivalent for every friggin' game I own.

I, too, am slow and cannot make it work in offline mode without unplugging my ethernet. And I kinda know what I'm doing and whatnot.

Screw steam, I bought HL2 at walmart just to make it extra evil.

And taking 3 minutes to load a game from the first double click will never count as 'working'.

A bonus F-U to Valve for the main menu screen when you boot the game up. Thanks for making me load that entire level so I can see it for 1 second before I wait for my save game to load in.

Nice concept, looks great. Takes forever. If there's a way to toggle it off, I missed it.

[Zetleft]

Go into Steam, right click on HL2 in the "play games" menu and click on properties.

In that window click on the "launch options" button. Type this line in:

-console

Done, no more level background when you load the game.

[Trippy]

Done, no more level background when you load the game.

Nice tip, thanks.

[Righ]

More proof that you just can't do this sort of thing without so-called trusted computing.  I just hope the cure is not worse than the disease.

Bollocks. Trusted computing ius about the restriction of consumer choice and making life easy for litigious intellectual property slumlords. There is next to nothing of merit in anything termed "trusted computing" when it comes to security. It is in fact the antithesis of "secure computing" and makes as much sense from a security perspective as any other method of trusting the client. It's a bad idea by bad people, and we don't need folks spreading FUD in order to help sell it.

[JMQ]

There is no way to keep a secret on an open hardware platform.  No matter how clever you are, someone is going to find a way around your best crypto.

This realization is what has driven the movie and music industries to push DRM technologies to protect their content on a PC.  The centerpiece of the strategy is keeping part of your hardware secret from you.

I guess what I meant was not DRM in the sense of "Digital Rights Management" i.e., remove your fair use rights, but ratther  DRM in the sense of having hardware keep secrets from its owner.

One solution is completely closed hardware, like the XBox and other consoles.  Feel free to come up with a solution for the PC platform.

[toma levine]

I wouldn't exactly put the Xbox up as the poster boy for DRM. It's quite possibly the most hacked console ever created.

[sidereal]

One solution is completely closed hardware, like the XBox and other consoles.

http://forums.xbox-scene.com/index.php?showtopic=320590">tee-hee

[JMQ]

Freakin' Microsoft.  I stand corrected.  Looks like Sony didn't do much better:

http://www.0xd6.org/ps2-independence.html

I still maintain it's easier to secure closed hardware, however.  For years, the only known expoits of the XBox required hacking the hardware.

[Righ]

There is no way to keep a secret on an open hardware platform.  No matter how clever you are, someone is going to find a way around your best crypto.

Please stop reposting FUD. Security through obscurity is what you are advocating. Closed hardware does not make better security. Trust is not a one-way street. Read work by security researchers, not that of corporate marketing offices. A good place to start for a lucid explanation of the issues is the writings of Ross Anderson.

[JMQ]

Please stop reposting FUD. Security through obscurity is what you are advocating.

No.  I'm saying there's no way to keep a secret key secret on an open hardware platform.  Recover the secret key and your crypto falls over.  Feel free to provide counter examples.

Closed hardware does not make better security. Trust is not a one-way street. Read work by security researchers, not that of corporate marketing offices. A good place to start for a lucid explanation of the issues is the writings of Ross Anderson.

There's a lot on site.  What specifically are you proposing?

[Righ]

Please stop reposting FUD. Security through obscurity is what you are advocating.

No.  I'm saying there's no way to keep a secret key secret on an open hardware platform.  Recover the secret key and your crypto falls over.  Feel free to provide counter examples.

Sure, I'd love to argue this all night and into next year if we need to. I'm here to serve. Your flaw is not that open hardware can be compromised, it is in thinking that closed hardware cannot. It most certainly can, even if you move Fritz into the same die as the processor and implement Nexus in firmware. Perhaps you will increase the cost and complexity of breaking  into the system, and remove the bulk of the script kiddies from playing. However, the real criminals, spies and terrorists will not be deterred. Your security is in fact no better.

Closed hardware does not make better security. Trust is not a one-way street. Read work by security researchers, not that of corporate marketing offices. A good place to start for a lucid explanation of the issues is the writings of Ross Anderson.

There's a lot on site.  What specifically are you proposing?

I'm proposing that you read some, specifically those documents regarding trusted computing. Perhaps start with the FAQ.

The key is that the trust here is for the vendor, not the computer owner. For the owner, trusted computing models actually reduce the ability to effectively manage security. Giving another company the keys to affect or subvert your security policy is a stupid, stupid idea. Preventing people from tampering with your open hardware by putting it under physical control is simpler, cheaper and more effective.

[JMQ]

Sure, I'd love to argue this all night and into next year if we need to. I'm here to serve. Your flaw is not that open hardware can be compromised, it is in thinking that closed hardware cannot. It most certainly can, even if you move Fritz into the same die as the processor and implement Nexus in firmware.

However, in a few years, the Fritz chip may disappear inside the main processor - let's call it the `Hexium' - and things will get a lot harder. Really serious, well funded opponents will still be able to crack it. But it's likely to go on getting more difficult and expensive.

Perhaps you will increase the cost and complexity of breaking  into the system, and remove the bulk of the script kiddies from playing.

But removing the bulk of the script kiddies is exactly what I want to do.

However, the real criminals, spies and terrorists will not be deterred. Your security is in fact no better.

Again, I'm not interested in stopping real criminals, terrorists or whatever the boogeyman du jour is.  I want game developers to get their due without having to rely on suits and other leeches, and I want to play online games that aren't awash in cheaters.

I'm proposing that you read some, specifically those documents regarding trusted computing. Perhaps start with the FAQ.

I did read the FAQ, and it convinced me so-called Trusted Computing is the only way around the potentially untrustworthy client.

The key is that the trust here is for the vendor, not the computer owner.

Not necessarily.  I suggest you do some more reading on that site yourself, maybe starting with a http://www.cl.cam.ac.uk/~rja14/gilmore.txt">post by John Gilmore that he links:

One of the things I told them years ago was that they should draw clean lines between things that are designed to protect YOU, the computer owner, from third parties; versus things that are designed to protect THIRD PARTIES from you, the computer owner.  This is so consumers can accept the first category and reject the second, which, if well-informed, they will do.

For the owner, trusted computing models actually reduce the ability to effectively manage security. Giving another company the keys to affect or subvert your security policy is a stupid, stupid idea.

Not if I can choose who to trust and when.

Preventing people from tampering with your open hardware by putting it under physical control is simpler, cheaper and more effective.

What do you mean by "physical control"?

[Righ]

But removing the bulk of the script kiddies is exactly what I want to do.

However, the real criminals, spies and terrorists will not be deterred. Your security is in fact no better.

Again, I'm not interested in stopping real criminals, terrorists or whatever the boogeyman du jour is.  I want game developers to get their due without having to rely on suits and other leeches, and I want to play online games that aren't awash in cheaters.

That's DRM, IP control. It isn't security. Saying that the client will be more secure is disingeneous. That's my point. Sure, the publisher can better trust the client, but that IS NOT security from the perspective of the client.

Just come out and say it - you are not concerned with making the computer owner more secure. You are interested in making the IP slumlord wealthier.

Not necessarily.  I suggest you do some more reading on that site yourself

Don't. Just don't. I've read everything there, and most everything linked, Gilmore's post included.

Not only can an enlightened consumer choose between shite and crap, they can also choose between on and off. If the US companies want to push the enlightened consumer (and every non-US government, research institute, corporation and military) to Japanese chips by mandating TC, they're heading in the right direction.

TC belongs in DRM appropriate set-top boxes, not in general purpose computers. Trying to prevent a crime by removing the tools is unworkable. I can kill you with a piece of paper as well as I can with a gun. Don't sell your IP on a computer if BORA concerns you.

[JMQ]

Just come out and say it - you are not concerned with making the computer owner more secure. You are interested in making the IP slumlord wealthier.

I'm not concerned with either.  You seem to have a reading comprehension problem.  Here it is again:

But removing the bulk of the script kiddies is exactly what I want to do...I'm not interested in stopping real criminals, terrorists or whatever the boogeyman du jour is.  I want game developers to get their due without having to rely on suits and other leeches, and I want to play online games that aren't awash in cheaters.

Don't. Just don't. I've read everything there, and most everything linked, Gilmore's post included.

1) I'll do as I please.

2) Everything?  Why didn't you bring up his paper on http://www.cl.cam.ac.uk/users/rja14/Papers/key-infection.pdf">key establishment in ad-hoc networks?  It deals with the problem of secure key distribution in potentially insecure networks.  Or perhaps his paper on http://www.cl.cam.ac.uk/~rja14/cocaine.pdf">The Cocaine Auction Protocol?  It describes a protocol for communications between parties that mistrust each other.

Not only can an enlightened consumer choose between shite and crap, they can also choose between on and off.

Right now the enlightened consumer can choose jack shit and jack left town.  This will not change as long as there are knee-jerk negative reactions to all things "Trusted."

If the US companies want to push the enlightened consumer (and every non-US government, research institute, corporation and military) to Japanese chips by mandating TC, they're heading in the right direction.

I'm not talking about mandating anything to anyone.  I want the ability to purchase an anti-cheat system that actually works.

TC belongs in DRM appropriate set-top boxes, not in general purpose computers.

So now I'm tied to some mega-corporation's crappy hardware, inflated price, and long upgrade cycle?  I want to be able to play games that use today's latest technology.  I don't want to have to wait for Microsoft or whomever to upgrade their shitty set-top box.

Trying to prevent a crime by removing the tools is unworkable. Don't sell your IP on a computer if BORA concerns you.

This is exactly what's going to happen.  Game companies are going to release console-only at least initially, and we'll all lose.

[Righ]

I want game developers to get their due without having to rely on suits and other leeches, and I want to play online games that aren't awash in cheaters.

In what way has this got anything to do with improving the security for the client system owner? You've said that you aren't interested in that.

There is a world of difference between securing a computer and making intellectual property management easier and more robust for the publisher.

You say that you don't want to wait for MS to upgrade their crappy box. You are prepared to trade off flexibility in general purpose computers to get your DRM/integrity gains. Other people than you are not prepared to wait for MS to upgrade their crappy OS and apps. Today I can compile up a Windows utility to address a shortcoming in the system, and I can use free tools to do so. Under TC, I'll need thousands of dollars of MS development tools, and when I have finished coding my masterwork, I'll have to get it TC registered through an extremely expensive process. Kiss shareware goodbye, you'll get what the mega-corps allow you to have.

Moving content like games to set-top boxes makes sense. We lose less.

[JMQ]

In what way has this got anything to do with improving the security for the client system owner?

I never said that TC would improve security for the owner. I did link John Gilmore who said that TC could do that.  Take it up with him.

You are prepared to trade off flexibility in general purpose computers to get your DRM/integrity gains.

I don't see why the trade off is necessary.

Under TC, I'll need thousands of dollars of MS development tools, and when I have finished coding my masterwork, I'll have to get it TC registered through an extremely expensive process. Kiss shareware goodbye, you'll get what the mega-corps allow you to have..

So don't  purchase any trusted technology then.  Like you said, the Japanese and others will be happy to oblige .

Moving content like games to set-top boxes makes sense. We lose less.

So it's OK to force DRM-encrusted set-top boxes on people who want to play games, but it's not OK to allow people who want play games on their PCs to buy DRM technologies?

[Righ]

In what way has this got anything to do with improving the security for the client system owner?

I never said that TC would improve security for the owner. I did link John Gilmore who said that TC could do that.  Take it up with him.

True enough. You said:

There is no way to keep a secret on an open hardware platform. No matter how clever you are, someone is going to find a way around your best crypto.

One solution is completely closed hardware, like the XBox and other consoles. Feel free to come up with a solution for the PC platform.

Which is at the VERY LEAST implying that security for the client can be improved by the adoption of hardware that the client cannot trust.

You are prepared to trade off flexibility in general purpose computers to get your DRM/integrity gains.

I don't see why the trade off is necessary.

It is a sine qua non requirement of trusted computing environments that the user relinquish control over their system in order to provide attestation of the code, root of trust and endorsement.

So don't  purchase any trusted technology then.  Like you said, the Japanese and others will be happy to oblige.

Moving content like games to set-top boxes makes sense. We lose less.

So it's OK to force DRM-encrusted set-top boxes on people who want to play games, but it's not OK to allow people who want play games on their PCs to buy DRM technologies?

Yes. It's great - WE LOSE LESS if we cripple set-top boxes and not general purpose computers. Sure, I'll even join you in being brassed off at such a state of affairs, but I'll take it over wasting my computer systems. I don't know about you, but games are pretty low on my priority list of things I have to do on a computer.

It seems to me that you want to invite a dangerous and restrictive set of controls on mainstream computers just so that you can believe that the person that thrashes you in an online game is better at it than you. Despite the Xbox being the pinnacle of available TC systems, 99% of the people on Xbox Live that use a TVR Cerbera Speed 12 in PGR2 did not complete the game.

[JMQ]

There is no way to keep a secret on an open hardware platform. No matter how clever you are, someone is going to find a way around your best crypto.

One solution is completely closed hardware, like the XBox and other consoles. Feel free to come up with a solution for the PC platform.

Which is at the VERY LEAST implying that security for the client can be improved by the adoption of hardware that the client cannot trust.

It implies no such thing.  The only way to prevent cracking and cheating is to solve the problem of the untrustworthy client.  I maintain that cannot be done in a completely open hardware platform, because it requires keeping something secret from the client.

There is nothing preventing an open specification of secret-keeping hardware from being effective.  Would it ease your mind if the spec was open and there were multiple vendors?

It is a sine qua non requirement of trusted computing environments that the user relinquish control over their system in order to provide attestation of the code, root of trust and endorsement.

Yes, but there is no requirement that control be relinquished permanently nor on to whom it is relinquished.  Would it ease your mind if there were multiple competing providers of root trust and endorsement, and you were free to choose among them? Would it ease your mind further if you could disable the hardware when you didn't want to use it?  What about if the TC implementation lived in an add-on board that you could remove at your pleasure or just plain not install in all your systems?  If the owner can choose how much TC tech they buy and from whom, the flexibility and usefulness of general-purpose computers need not be compromised at all.

I guess we're very different.  There are lots of things I have to do with computers.  The only thing I want to do with computers is play games. (OK, and maybe post on this board, too.)

[Calantus]

I guess we're very different.  There are lots of things I have to do with computers.  The only thing I want to do with computers is play games. (OK, and maybe post on this board, too.)

So you want us all to suffer because you want an xbox with a monitor, mouse, and keyboard?

You cannot have your cake and eat it here I'm sorry to say. The second it becomes viable to only sell on closed systems everyone will adopt. The user then has no option but to go with closed systems because they wont be able to run anything on an open system. You cannot have both. It's either closed or open. Frankly I'd rather have an open system and let the companies charge me extra for their software to compensate for losses due to piracy. I'd also rather try my chances with cheaters online.

[dEOS]

Sending one or multiple encrypted files with the same secret key and providing the secret key for decrypting the said files to millions of people over the globe for money is just asking for someone to break that secret key in someway and all your system falls flat.

This is so 1980.

d

[HaemishM]

You don't think eliminating publishers is a Good Thing?

Not if the alternative doesn't fucking work.

And taking 3 minutes to load a game from the first double click will never count as 'working'.

Nor will having to download a new steam patch every sodding day.

Oh, and it won't eliminate publishers anyway, someone always has to fund development. It will just let a few big software houses self-publish.

Yeah, what he said. I'm all for digital distribution; I think it would help game development tremendously. However, it's got to fucking work, plain and simple. Not working, especially when not working means screwing customers who legitimately bought your product, is not acceptable. The same goes for CD-copy protection schemes. I don't give a shit about them, until they actually cause legit copies to stop working.

Valve had lots of Sierra money and Half-Life success to fund Steam; like SOE and EQ2, they have no excuses for bringing out a fucked up product.

[Azhrarn]

Sending one or multiple encrypted files with the same secret key and providing the secret key for decrypting the said files to millions of people over the globe for money is just asking for someone to break that secret key in someway and all your system falls flat.

But lucky for them, it would probably take a while.

[Trippy]

Sending one or multiple encrypted files with the same secret key and providing the secret key for decrypting the said files to millions of people over the globe for money is just asking for someone to break that secret key in someway and all your system falls flat.

But lucky for them, it would probably take a while.

Ah, no, you missed the point. The secret key has to be stored unencrypted in RAM to be used by the client to decrypt things. Somebody with a debugger and enough time and patience will be able to pull that secret key out of memory. There's no need to try to guess the key through a "brute force" method like in the above project. This was the whole point about the Trusted Computing debate that went on above. Right now there's no way for software vendors to "hide" things from a determined cracker on today's PCs. The Trusted Computing initiative is an attempt to solve this problem.

Edit: Actually that wasn't the whole point of the TC debate above

[JMQ]

No, I emphatically do not want an XBox, keyboard or not.  I see closed consoles as one extreme and completely open PCs as the other.  I say there's enough room for something else in between without compromising either.

The open PC is nowhere near as fragile as you think.  Recent history is littered with examples of lock-in gone wrong.  Intel tried to sneak in cpuid and promptly had to backtrack because of the shit storm that ensued.  Intel tried to lock everyone into using RDRAM, and the market showed them where to stick their Rambus.  Intel tried to lock in the 64-bit platform of the future, and along came AMD.  IBM tried to foist Microchannel on people, and so on and so forth.  The open PC is unkillable.