About a day ago, a new thread popped up on Reddit that claims Valve is reading your computer's DNS cache, encrypting it using MD5 hashes, and then sending that information to Valve's VAC servers.

Here is a copy and paste of the user's post, made without comment.
VAC now reads all the domains you have visited and sends it back to their servers hashed

Decompiled module: http://i.imgur.com/z9dppCk.png

What it does:
  • Goes through all your DNS Cache entries (ipconfig /displaydns)
  • Hashes each one with md5
  • Reports back to VAC Servers
  • So the domain reddit.com would be 1fd7de7da0fce4963f775a5fdb894db5 or organner.pl would be 107cad71e7442611aa633818de5f2930 (Although this might not be fully correct because it seems to be doing something to characters between A-Z, possible making them lowercase)
  • Hashing with md5 is not full proof, they can be reversed easily nowadays using rainbowtables. So they are relying on a weak hashing function

You dont have to visit the site, any query to the site (an image, a redirect link, a file on the server) will be added to the dns cache. And only the domain will be in your cache, no full urls. Entries in the cache remains till they expire or at most 1 day (might not be 100% accurate), but they dont last forever.

We don't know how long this information is kept on their servers, maybe forever, maybe a few days. It's probably done everytime you join a vac server. It seems they are moving from detecting the cheats themselves to computer forensics. Relying on leftover data from using the cheats. This has been done by other anticheats, like punkbuster and resulted in false bans. Although im not saying they will ban people from simply visiting the site, just that it can be easily exploited

Original thread removed, reposted as self text (eNzyy: Hey, please could you present the information in a self post rather than linking to a hacking site. Thanks)

EDIT1: To replicate this yourself, you will have to dump the vac modules from the game. Vac modules are streamed from vac servers and attach themselves to either steamservice.exe or steam.exe (not sure which one). Once you dump it, you can load the dll into ida and decompile it yourself, then reverse it to find the winapi calls it is using and come to the conclusion yourself. There might be software/code out there to dump vac modules. But its not an easy task. And on a final note, you shouldn't trust anyone with your data, even if its valve. At the very least they should have a clear privacy policy for vac.

EDIT2:Here is that vac3 module: http://www.speedyshare.com/ys635/VAC...LE-bypoink.rar It's a dll file, you will have to do some work to reverse it yourself (probably by using ida). Vac does a lot of work to hide/obfuscate their modules.

The problem here is that it's not true. Well, it's not all true. The OP of the thread makes some wildly unsubstantiated claims in his post. My privacy is being invaded! This is abhorrent! Valve is casting suspicion on the innocent! This is good to stop private hacks! Fuck Valve! Fuck cheaters!

You get the idea.

Even his proof (linked above, embedded below) shows no indication that any of that information is being sent back to Valve. All of the hash work is done client-side meaning that Valve would also have no way to determine what the source was originally. Though this is assuming the information was sent to Valve for analysis, which so far, nobody has been able to prove from the code in the decompiled VAC module to be happening.

This is really just absurd.

That thread on Reddit and many others like it on the site have blown up by people just reading the headline and pulling out the pitchforks without having any idea of what is really happening here.

Reddit user S1CKLY makes a good point in his post:
The point is that if Valve wanted that data they either wouldn't hash it, or they'd use an easily reversable algorithm. Using MD5 shows that they're making a best-effort to keep that info private while still keeping the data useful for targeting trends among hackers.

On the same side of the coin, user Dire from NeoGAF provides a better explanation of what is happening based on the actual evidence provided.
I don't think many people in this thread understand the implications of the method they're using. MD5 is a one-way hash. You put in some data, you get out a hash. Going directly from that hash to the original data is impossible. Surprisingly enough it's not a magical compression method that can change anything to a lossless 128bit chunk! What is possible is generating a list of precomputed hashes of "interesting" data and comparing retrieved data to that. The ONLY reason valve would be doing it this way is specifically to protect user privacy.

MD5 has collision issues that make it inappropriate for stuff like secure communication verification, but it rocks for stuff like this when you don't care at all (or don't want to know) what the original data was and just want to see if, with a high probability, it matches something you're specifically looking for. It's fast cheap and easy. Or, for instance, if you download a program from a site mirror and want to ensure that it's identical (again - with a very high probability) to the program from the original site then md5 is just the tool.

Valve is, at most, using VAC to locally scan (again, the DNS cache, hashed or otherwise, is never actually sent to Valve) the DNS cache and perhaps send up a warning flag for certain users. Their use of MD5 hashing is also a benefit to protecting users' privacy in that they are never working directly with anyone's DNS cache information.

And it's for precisely these reasons why this isn't even news worthy. It also reaffirms how I've long felt that most people don't bother reading beyond the headline for many news stories or posts. It's honestly sad just how many up votes that original topic has on Reddit.

And it's not like I'm singling out Reddit, because this same thing initially happened on NeoGAF and Shacknews. People saw the headline without seeing the facts or examining them for themselves and suddenly everyone was picking up their pitchforks and bitching up a storm, all because of something one guy incorrectly said in a post on Reddit. These kind of knee-jerk reactions need to stop. But I know they won't. Most people know they won't. These are the times I feel like merely tossing up a sensationalist headline with zero substance just to see how many more hits it would get when compared to one that is the boring truth.

That actually gives me a good idea for a different title for this entry than what I originally planned.