• 0 Posts
  • 12 Comments
Joined 1 year ago
cake
Cake day: August 3rd, 2023

help-circle

  • Before Steam (esp. right before Steam) it was common for a disc to have nothing but a 100mb installer that attempted to download the game, or an actual game build so buggy that you were forced to download patches that required you to be online.

    Prior to this, games came with serial numbers and needed to be activated online. This made reselling PC games no longer a thing as you needed to trust who you were buying the game from.

    In both cases, the physical disc was yours, but it was pretty useless. It wasn’t the game, but also was required to play the game.

    Before that, we had truly resellable DRM: “Enter the 3rd word on the 20th page of the manual 🤣”.


  • I think the answer was to introduce a law which would force digital market places to clearly describe what users are paying for, for folks who weren’t around during the controversial time when Steam and Xbox Live Arcade came out and can’t grasp the concept; folks who didn’t observe the reality before and after this shift.

    Even though it was abundantly clear already, this is what the California law is all about.

    If, with this clear explanation, you still want to merely get a license to use games via a service, you should be able to do it.

    Valve isn’t doing anything wrong: far from it. Steam is awesome and I understand that one day, it could all go away and with it, all the games I have access to.

    I also understand that, at any time, Valve may decide that they don’t want me to use Steam anymore, or that someone may hack into my account and I won’t have access anymore.

    Finally, I get that even now, things that I could do with physical games; I can’t do with my Steam library (eg. Easily play a game on my Steam Deck while someone also plays another game on my desktop, or sell a game disc that sits on my desk).

    I understood this when I reluctantly signed up to Steam to play Half Life 2 back in the day when it was a complete dumpster fire of a buggy mess of a service. But it has improved so much since then.

    Hey, do you, but I don’t see what the big deal is. We’ve already protested that Steam was a bad idea, and Valve was literally the devil, but it’s actually turned out to be objectively more convenient than any alternative to play games, and it’s no longer Valve forcing us to install Steam to play their games. Practically the entire industry has shifted, plus there are now alternatives (besides piracy) like GoG. Hopefully this law causes more competition in that DRM free space.



  • Don’t get it twisted. We definitely agree.

    This will effectively add any computer it’s installed on to a botnet and create another attack vector (via Vanguard).

    The tradeoff I described, tho, is one on the Riot side. And as much as this form of anticheat is ridiculous, it makes sense given Riot’s business model. A bunch of cheaters can easily waste their money and engineering effort. They made the deliberate choice to narrow their market of potential players to those who are willing to install Vanguard and feel that Vanguard pushes most cheaters out of that narrow market. It makes sense.

    Re: That tradeoff, tho, users aren’t involved. The tradeoff users have is between installing the game or not.

    And again we both agree, installing this to an important computer or on your home network carries a tonne of risk.


  • Not that I’m defending Vanguard, but Riot’s choosing to invest in developer resources for Vanguard (and in finding cheat developers) so they don’t have to invest in server capacity or developer resources to support cheater only lobbies.

    As long as their anticheat is effective, every cheater they can repel is some amount of server capacity that legitimate players can use.

    Also, cheaters in the types of games Riot makes will cause some amount of opponents to simply leave the game in frustration. So part of this is just trying to keep players who are willing to install the game happy.

    They’ve chosen to make free to play games, so this tradeoff actually makes sense for Riot. But again, kernel level hacks aren’t something everyone will or even should install.

    It’s all about tradeoffs.


  • Late reply, but just so you know…

    Before you first launch the game, you must agree to the Riot Games terms of service. The terms very clearly state what is toxic behaviour and are pretty easy to read through. After the tutorial and before you queue for the first time, you must agree to an in game code of conduct, which is a summary of what “[good in game conduct]” (paraphrased) is.

    Although it’s not confirmed, players seem to be punished based on the volume of in-game reports and some sort of review. When you report a player, there are categories you can choose that describe their conduct. There’s also a text box where you can type out what you feel they did.

    For text chat violations, this sometimes happens automatically, and even without reports. For example, if you use a racist term, you will be immediately muted in text chat for a time.

    Although it hasn’t been confirmed, Riot has been trailing a system where they actually record and transcribe in game voice chat. The rumour is that an in game report will trigger an automated and/or manual review of the transcript. For most reports, you’ll get a confirmation in a few hours that the player was punished and a thanks for the feedback that will help the community.

    Punishments range from a competitive queue cooldown (these get progressively longer the more you repeat the behaviour, and reset after a stretch of good behaviour) to hardware ID bans for the worst cases. A hardware ID ban prevents the player from playing on any account on a PC with the same hardware fingerprint for at least 5mo, and, in some cases, permanently closes accounts that are suspected to be theirs.

    If someone bought a bunch of in-game cosmetics, this will very likely cause them to move on to another game. But, of course, the worse offenders will find a way.

    And btw, the terms also make it clear that when you buy in game cosmetics, you’re actually buying a non-transferable, revocable license to use them in-game. This license can be revoked at any time; for example if you violate the terms of service.

    And also, Riot’s support site gives players a way to dispute bans, just in case a player was banned by mistake.

    It’s not perfect (and the game isn’t even perfect in any way… far from it) but they at least make it clear what is toxic behaviour, and have put some thought into this system for trying to handle it. I think the video/article is more about stepping up manual review and scale of punishments for the worst offenders.



  • They’re completely different implementations of systems that steam video/audio/inputs.

    Valve’s is pretty buggy but has deep integration with Steam and allow NAT traversal, while Sunshine/Moonlight are way more reliable, have features that reduce latency but are pretty barebones as far as features: they just do streaming with no tight integration with what’s being streamed.

    And Sunshine is a reverse engineered version of Nvidia’s game stream server, since Nvidia sunset Gamestream a few months ago.



  • I’m not sure if it’s part of a TLS standard yet but I was talking about encrypted SNI (ECH, formerly called ESNI).

    Today, early on in a TLS connection, the client actually tells the server, in plain text, the domain name it’s intending to communicate with. The server then presents a response that only the owner of that domain can produce, then keys are exchanged and the connection progresses, encrypted. This was required to allow a single server to serve traffic on multiple domains. Before this, a server on an IP:Port combo could only serve traffic on a single domain.

    But because of this, a man in the middle can just read the ClientHello and learn the domain you’re intending to connect to. They can’t intercept any encapsulated data (e.g. at the HTTP level, in the case of web traffic) but they can learn the domains you’re accessing.

    ECH promises to make the real ClientHello encrypted by proceeding it with a fake ClientHello. The response will contain enough information to fetch a key that can be used to encrypt the real ClientHello. Only the server will be able to decrypt this.


  • And your ISP can still see which domains you’re going to if you use them as your DNS.

    Just so you know, because TLS SNI is not encrypted and not yet universally obfuscated (adoption of this is pretty slow and one of the largest CDN providers had to pause their rollout last I checked), not-even-barely-deep packet inspection can be used to track the sites you visit regardless of your DNS provider or wherever resolution is encrypted. Just do a packet dump and see.

    Also, if a website isn’t fronted by one of the most popular CDN providers in existence, it can be possible to infer the sites you’re visiting based on their server IP addresses.

    Although this just shifts where tracking can occur, a VPN is the only reliable way to maybe prevent your ISP from tracking the sites you visit, if this is your desire.