• 0 Posts
  • 25 Comments
Joined 1 year ago
Cake day: August 3rd, 2023


  • Before Steam (esp. right before Steam) it was common for a disc to have nothing but a 100mb installer that attempted to download the game, or an actual game build so buggy that you were forced to download patches that required you to be online.

    Prior to this, games came with serial numbers and needed to be activated online. This made reselling PC games no longer a thing as you needed to trust who you were buying the game from.

    In both cases, the physical disc was yours, but it was pretty useless. It wasn’t the game, but also was required to play the game.

    Before that, we had truly resellable DRM: “Enter the 3rd word on the 20th page of the manual 🤣”.


  • I think the answer was to introduce a law which would force digital market places to clearly describe what users are paying for, for folks who weren’t around during the controversial time when Steam and Xbox Live Arcade came out and can’t grasp the concept; folks who didn’t observe the reality before and after this shift.

    Even though it was abundantly clear already, this is what the California law is all about.

    If, with this clear explanation, you still want to merely get a license to use games via a service, you should be able to do it.

    Valve isn’t doing anything wrong: far from it. Steam is awesome and I understand that one day, it could all go away and with it, all the games I have access to.

    I also understand that, at any time, Valve may decide that they don’t want me to use Steam anymore, or that someone may hack into my account and I won’t have access anymore.

    Finally, I get that even now, things that I could do with physical games, I can’t do with my Steam library (e.g. easily play a game on my Steam Deck while someone also plays another game on my desktop, or sell a game disc that sits on my desk).

    I understood this when I reluctantly signed up to Steam to play Half Life 2 back in the day when it was a complete dumpster fire of a buggy mess of a service. But it has improved so much since then.

    Hey, do you, but I don’t see what the big deal is. We’ve already protested that Steam was a bad idea, and Valve was literally the devil, but it’s actually turned out to be objectively more convenient than any alternative to play games, and it’s no longer Valve forcing us to install Steam to play their games. Practically the entire industry has shifted, plus there are now alternatives (besides piracy) like GoG. Hopefully this law causes more competition in that DRM free space.



  • Don’t get it twisted. We definitely agree.

    This will effectively add any computer it’s installed on to a botnet and create another attack vector (via Vanguard).

    The tradeoff I described, tho, is one on the Riot side. And as much as this form of anticheat is ridiculous, it makes sense given Riot’s business model. A bunch of cheaters can easily waste their money and engineering effort. They made the deliberate choice to narrow their market of potential players to those who are willing to install Vanguard and feel that Vanguard pushes most cheaters out of that narrow market. It makes sense.

    Re: That tradeoff, tho, users aren’t involved. The tradeoff users have is between installing the game or not.

    And again we both agree, installing this to an important computer or on your home network carries a tonne of risk.


  • Not that I’m defending Vanguard, but Riot’s choosing to invest in developer resources for Vanguard (and in finding cheat developers) so they don’t have to invest in server capacity or developer resources to support cheater only lobbies.

    As long as their anticheat is effective, every cheater they can repel is some amount of server capacity that legitimate players can use.

    Also, cheaters in the types of games Riot makes will cause some amount of opponents to simply leave the game in frustration. So part of this is just trying to keep players who are willing to install the game happy.

    They’ve chosen to make free to play games, so this tradeoff actually makes sense for Riot. But again, kernel level hacks aren’t something everyone will or even should install.

    It’s all about tradeoffs.


  • Late reply, but just so you know…

    Before you first launch the game, you must agree to the Riot Games terms of service. The terms very clearly state what is toxic behaviour and are pretty easy to read through. After the tutorial and before you queue for the first time, you must agree to an in game code of conduct, which is a summary of what “[good in game conduct]” (paraphrased) is.

    Although it’s not confirmed, players seem to be punished based on the volume of in-game reports and some sort of review. When you report a player, there are categories you can choose that describe their conduct. There’s also a text box where you can type out what you feel they did.

    For text chat violations, this sometimes happens automatically, and even without reports. For example, if you use a racist term, you will be immediately muted in text chat for a time.

    Although it hasn’t been confirmed, Riot has been trialing a system where they actually record and transcribe in game voice chat. The rumour is that an in game report will trigger an automated and/or manual review of the transcript. For most reports, you’ll get a confirmation in a few hours that the player was punished and a thanks for the feedback that will help the community.

    Punishments range from a competitive queue cooldown (these get progressively longer the more you repeat the behaviour, and reset after a stretch of good behaviour) to hardware ID bans for the worst cases. A hardware ID ban prevents the player from playing on any account on a PC with the same hardware fingerprint for at least 5mo, and, in some cases, permanently closes accounts that are suspected to be theirs.

    If someone bought a bunch of in-game cosmetics, this will very likely cause them to move on to another game. But, of course, the worse offenders will find a way.

    And btw, the terms also make it clear that when you buy in game cosmetics, you’re actually buying a non-transferable, revocable license to use them in-game. This license can be revoked at any time; for example if you violate the terms of service.

    And also, Riot’s support site gives players a way to dispute bans, just in case a player was banned by mistake.

    It’s not perfect (and the game isn’t even perfect in any way… far from it) but they at least make it clear what is toxic behaviour, and have put some thought into this system for trying to handle it. I think the video/article is more about stepping up manual review and scale of punishments for the worst offenders.



  • They’re completely different implementations of systems that stream video/audio/inputs.

    Valve’s is pretty buggy but has deep integration with Steam and allows NAT traversal, while Sunshine/Moonlight are way more reliable, have features that reduce latency but are pretty barebones as far as features: they just do streaming with no tight integration with what’s being streamed.

    And Sunshine is a reverse engineered version of Nvidia’s game stream server, since Nvidia sunset Gamestream a few months ago.



  • I’m not sure if it’s part of a TLS standard yet but I was talking about encrypted SNI (ECH, formerly called ESNI).

    Today, early on in a TLS connection, the client actually tells the server, in plain text, the domain name it’s intending to communicate with. The server then presents a response that only the owner of that domain can produce, then keys are exchanged and the connection progresses, encrypted. This was required to allow a single server to serve traffic on multiple domains. Before this, a server on an IP:Port combo could only serve traffic on a single domain.

    But because of this, a man in the middle can just read the ClientHello and learn the domain you’re intending to connect to. They can’t intercept any encapsulated data (e.g. at the HTTP level, in the case of web traffic) but they can learn the domains you’re accessing.

    ECH promises to make the real ClientHello encrypted by preceding it with a fake ClientHello. The response will contain enough information to fetch a key that can be used to encrypt the real ClientHello. Only the server will be able to decrypt this.


  • And your ISP can still see which domains you’re going to if you use them as your DNS.

    Just so you know, because TLS SNI is not encrypted and not yet universally obfuscated (adoption of this is pretty slow and one of the largest CDN providers had to pause their rollout last I checked), not-even-barely-deep packet inspection can be used to track the sites you visit regardless of your DNS provider or whether resolution is encrypted. Just do a packet dump and see.

    Also, if a website isn’t fronted by one of the most popular CDN providers in existence, it can be possible to infer the sites you’re visiting based on their server IP addresses.

    Although this just shifts where tracking can occur, a VPN is the only reliable way to maybe prevent your ISP from tracking the sites you visit, if this is your desire.


  • When the 3.5-less trend started setting in, I still had a phone with a headphone jack but started looking into wireless Bluetooth digital audio convertors just to prepare myself for the reality that it’ll eventually be hard to find a phone that’s both…good…and that I could plug my IEMs into.

    One I settled on was the Radsone ES100. Besides allowing me to continue to use my headphones, one feature I really liked was its ability to store equalizer settings that could be used with any source, whether it be a Bluetooth device or one I plug the DAC into via USB. I found that there were equalizer apps for Android, but they kept getting killed because of memory limitations I guess. This device externalized the EQ.

    Anyways some of the folks who made that branched off and made an even better version, the Qudelix 5K. It has the same features but does a better job of simultaneously connecting to multiple devices (but sadly it doesn’t mix the sources…it just has a priority 😔😔😔😔). So I grabbed that upgrade and now the headphone side of my audio is locked in.

    I found that getting a Bluetooth DAC helped me feel better about the trend of removing a standard audio connector from devices (which I gotta say, still makes no sense). It still frustrates me that I need to walk around with another device and the limitations of Bluetooth are annoying, but the cool thing is that when my last 3.5mm jack equipped device (OnePlus 5) just stopped turning on, I just grabbed a random replacement phone (Pixel 5) and kept the same audio chain.

    tl;dr - Consider just accepting that this is the trend for phones these days and try a portable Bluetooth (or even USB) DAC. When you find one you like, moving to any source will be less stressful. It won’t matter if it has a headphone jack: you’ll be able to focus on other features or even just get a less costly device that’ll sound identical to what u know.



  • I’ve always found this take on in-product purchases and subscriptions weird.

    You are right that they’re allowed to do whatever they want, but…this is just my personal take…the value proposition for Nitro is pretty low as it is. Trying to get more than a subscription from me is a bit of a turn off and makes me want to reach for the cancel subscription button (actually, my subscription is currently in this state through to the renewal date because of the nags about paid borders and stuff).

    I do this with this and also other services that want to upsell beyond a premium or support the platform experience. If I’m already supporting the platform, the first time I’m asked to support it more is when I cancel the subscription. Then they have the uphill battle of convincing me to resubscribe in the future.

    Stated differently, if they don’t remind me I’m subscribed, I’d just keep paying. If they remind me by asking me to pay for things over and above a subscription, I’m suddenly trying to find the true value of the new thing, and also in the next subscription payment. If I can’t decide within a few minutes, I always just hit cancel.



  • I’m kinda scared that the trailer was knee deep in “from the ____ who did _____ .”

    Granted, it’s a teaser trailer, but it would have been cool to see a little more of what this show has to offer. e.g. The Boyz is great, because the story adapted from its source material was already interesting. I’d love to learn more about the story of this adaptation, esp since there’s a lot they’d have to do to turn the non linear, choose your own adventure source material into a non-interactive story.

    Feels like the showrunners and story writers would have the opposite challenge of, say, The Last of Us. There, it was all about retelling an existing story and resisting the urge to reinvent too much.

    Here they’d need to pick one of many stories and fill in a bunch of gaps.

    Hope it works out 🤞🙏


  • It’s more down to trust and attestation than a technical implementation. Whoever makes an NFC payment system needs to prove to payment processors that the chain of software and hardware from the payment terminal to whatever proves you’re the account holder (a card or a phone) can be identified. And, separately, the implementation needs to be audited.

    This may sound like they’re trying to make this horrible walled garden on the surface, but bank users expect their money to not get stolen. And if it is, they expect the bank to make that problem disappear. The bank can only provide these assurances if they control everything.

    This is why they use hardware attestation and a chain of trust all the way through to the OS to identify the specific implementation of an NFC payment system. They want to know they can go after whoever created the buggy NFC payment implementation to recover the money or to at least stop partnering with them.

    Not a lot of FOSS developers would go through the trouble.