[HN Gopher] Keyhole - Forge own Windows Store licenses
___________________________________________________________________
Keyhole - Forge own Windows Store licenses
Author : tuxuser
Score : 452 points
Date : 2024-09-07 09:13 UTC (13 hours ago)
(HTM) web link (massgrave.dev)
(TXT) w3m dump (massgrave.dev)
| antimemetics wrote:
| For my personal use I found it trivial to activate my Win10
| Professional. I just had to change the server address for the
| license check and boom fully activated. Not gonna share the
| specifics here but you can find it easily.
|
| I guess the method described here does "more" since it's much
| more elaborate. Not super familiar with the different levels of
| win licences
| notpushkin wrote:
| One of Massgrave's most famous "products" is a script that
| performs such server activation, so if anybody wants to find it
| look no further than the OP article. (Although it's not too
| hard to perform such activation manually either!)
| heraldgeezer wrote:
| Massgrave has their script for HWID and KMS and Office
| activations :)
| haunter wrote:
| >Not gonna share the specifics here but you can find it easily.
|
| Did you open the link?
| qilo wrote:
| Massgrave's tools activate your licence with Microsoft's
| servers.
| AshamedCaptain wrote:
| After reading the article, and especially the remarks about this
| engine being copy-pasted from the Xbox DRM engine, does anyone
| still believe that Pluton, also copy-pasted from the Xbox, is
| about end user security? And not totally about MS finally having
| enforceable DRM on PCs?
|
| Oh and by the way Pluton is now on the latest batch of Intel
| laptop chips. And has been on AMDs for a while. How soon until
| Windows requires it?
| dgellow wrote:
| I may be naive, but I still do. Skepticism is warranted, yet
| outright dismissal based on conjecture is its own brand of
| fallacious reasoning. Can Microsoft potentially benefit?
| Certainly. But that doesn't negate the possibility of genuine
| user security motivations and benefits for end users
| exe34 wrote:
| > Can Microsoft potentially benefit? Certainly. But that
| doesn't negate the possibility of genuine user security
| motivations and benefits for end users
|
| it's important to ask which one of the motivations will allow
| them to lock users down and ask for ongoing rent. one of
| these two will, and that's what will always drive the
| decision.
| heraldgeezer wrote:
| >does anyone still believe that Pluton, also copy-pasted from
| the Xbox, is about end user security?
|
| I never did. The worst part is explaining it to people drinking
| the MS Kool-Aid. I'm an MS admin so people at work love Win11,
| Intune etc all that max lockdown shit. To me that's not what
| Windows is about, for me Windows is excellent because of the
| admin tools and backwards compatibility. But hey that's just
| me.
|
| Proton will be another TPM thing, introduce it, wait 5 years,
| then mandate it. They have time.
| criddell wrote:
| Another TPM thing? What problem do you have with the TPM?
| heraldgeezer wrote:
| It being a Win11 requirement. It failing and triggering
| Bitlocker on our machines. It's just shit :) No I don't
| have another solution. Let me complain.
| dangus wrote:
| What garbage hardware are you running where TPM is
| failing?
| kotaKat wrote:
| Every Windows Update that Lenovo kept pushing UEFI
| updates on their shiny new X13s with the Snapdragon and
| the Pluton chip in it kept tripping Bitlocker on every
| update.
|
| So, uh... Lenovo?
| semi-extrinsic wrote:
| FWIW, my old corpo HP would also trigger Bitlocker
| sometimes on random shit, such as upgrading the firmware
| of the docking station. But that was usually fixable
| either by unplugging USB devices while booting, or just
| trying many reboots until Bitlocker suddenly decided
| everything was OK.
| mavhc wrote:
| Had about 25% of our Dell laptops' TPM fail, got to know
| the repair technician well.
| 1oooqooq wrote:
| TPM end game is to have identity tied to a device on pcs,
| just like the monopolies already have on Android and IOS.
|
| you know how google and apple dropped actual totp 2nd
| factor for their own accounts and force you to sign on
| another device to confirm signing on new devices? same
| thing.
| dangus wrote:
| Apple has SMS if you don't own an Apple device. In fact,
| they require SMS to set up 2FA.
|
| They probably dropped totp because non-technical people
| can't figure it out.
| olyjohn wrote:
| SMS is not really great.
| throwaway48476 wrote:
| SMS is trivially exploitable. It has negative security
| value.
| ivewonyoung wrote:
| Trivially? How?
| fragmede wrote:
| I wouldn't call it trivial, but either a SS7 attack or by
| bribing the TMobile/Verizon/att store employee, you can
| get someone's SMS messages.
| dangus wrote:
| SMS is the only 2FA method that the general public
| understands.
|
| It is absolutely better than nothing even if it isn't great.
| Brian_K_White wrote:
| Hell technical people can't figure it out. Everyone
| complains that it's fragile because what if their phone
| breaks, and those that think they know better, think it's
| because of the dozen one-time-use emergency codes.
|
| It's not their fault though. Every web site or service
| that offers totp and the most user-facing apps like
| google authenticator all scrupulously avoid telling you
| to save the seed value in the initial setup qr code.
|
| That short random string is all you need to have working
| totp on as many different devices as you want, set up a
| new one any time you want, and it's nothing but a simple
| static never-changing secret exactly like a password.
|
| You can wake up naked in a foreign country and be all
| back in a few minutes and without having to re-setup any
| sites or anything like that.
|
| That is, IFFFFF you have previously saved all the totp
| initial setup seed values right along with the passwords
| for those same accounts. If not, you can go do it right
| now.
| ddingus wrote:
| Where can I read more about how this is done.
| Brian_K_White wrote:
| Just when you enable 2fa on some site and it shows you a
| qr code (or however it gives you the code, it might be a
| regular url, and sometimes they even display the string
| in plain text) save that string. If it's a qr code, save
| the qr code and read it with a regular qr code reader
| (probably just your camera app these days) and it will
| have a string or a url with the string as the query
| string.
|
| That string is not just one-time use. You can just save
| it and enter it into totp apps all over the place all day
| for the next n years.
|
| keepass apps all support it now for one example, so you
| could save the string in a notes field in keepass, but
| they have a dedicated totp field now too. You paste it
| in, and now that password entry not only stores your name
| & password for that site, it stores the totp seed for
| setting up totp apps, and also displays the current totp
| time code just the same way the totp app like google
| authenticator does.
|
| It's all stored in the keepass db file just like the
| normal passwords, so to set up a new device, all you need
| is access to any copy of the keepass db file. Install any
| keepass app like keepassxc on a laptop, load the db, and
| there's your working current totp codes for all sites.
| You want a more convenient dedicated totp app than having
| to dive in to keepass, just copy the totp seed from
| keepass into gnome authenticator or whatever. The
| different apps have different ways to supply the string
| when not taking a picture directly with the camera. Some
| like google hide it from direct access. Last time I used
| google authenticator I think it had no usable export, but
| it just recently got the ability to store the seeds in
| Google's cloud, but not like in an ordinary google drive
| file that would be useful, just some internal magic that
| all it does is if you can somehow manage to log in to
| your account on a new phone, it will pull the seeds down
| and start working on the new phone. It doesn't let you
| set up any other apps or devices, and Google has a copy
| of your seeds in a form they can read, even though you
| can't!
|
| But the same seeds could be just as cloud-enabled by
| being inside a password manager db, which is still
| sitting on a google cloud server, but this time in a file
| that you own, and in a form that google can't read but
| you can.
| lutoma wrote:
| You can use FIDO2 keys as 2nd factor for Apple accounts
| now
| a1o wrote:
| The TPM thing that got hacked the other day?
| botanical wrote:
| Hundreds of millions of perfectly good PCs are going to be
| end-of-life due to this.
| rolph wrote:
| -no not end of life, end of microsoft.
| rkagerer wrote:
| > _But hey that's just me._
|
| There are more of us out there!
| 4ggr0 wrote:
| There are literally dozens of us!
| dist-epoch wrote:
| People have been saying that for more than 10 years now, since
| the TPM was introduced.
|
| Yet you can still install Linux on PCs sold with Windows, you
| can still install third party software on Windows not from a
| Store, you can still watch pirated movies downloaded from
| torrents.
|
| You can even run an unregistered/unpaid version of Windows if
| you don't mind that it will not let you change the desktop
| background image.
| croes wrote:
| And Windows PCs are still not safe.
|
| So either way it fails its purpose
| dist-epoch wrote:
| Most Windows PCs have Secure Boot enabled and many have the
| drives encrypted with Bitlocker.
| doubled112 wrote:
| What does that do for me to stop malware? Bitlocker is
| only protecting an offline system
|
| Also consider that some keys for Secure Boot have been
| compromised.
| dist-epoch wrote:
| So I guess then your computer does not have a form of
| Secure Boot enabled, and your drives are not encrypted.
| Makes sense, more secure.
| doubled112 wrote:
| I'm using Linux and LUKS but have never been convinced
| Secure Boot adds anything for me. It does sometimes add
| extra steps though, or block a driver from loading.
| dist-epoch wrote:
| > What does that do for me to stop malware? Bitlocker is
| only protecting an offline system
|
| LUKS also only protects an online system. So why are you
| using it?
|
| Oh, I think I know, if you are on Windows it's bad to use
| BitLocker because it's made by Microsoft and it doesn't
| protect against malware, but if you're on Linux of course
| you use LUKS, it's a sensible thing to do. Got it.
| croes wrote:
| The point is Linux doesn't enforce useless hardware that
| on top could be used against the user.
|
| Same with MS's recall feature.
|
| A Windows PC is just C but not P anymore.
| doubled112 wrote:
| Back in my retail computer technician and sales days, it
| wasn't uncommon for somebody to lose their Bitlocker
| keys, and encryption did what it was designed to do -
| make the data unreadable without them. Sometimes they
| didn't even understand what they enabled.
|
| To that customer, Bitlocker itself was a threat.
|
| In my small sample size, I've seen that more often than
| lost laptops. I've also seen many more malware
| infections.
|
| Tying encryption to the TPM, which is the default, makes
| it easier to lose those keys. With LUKS I choose my own
| password.
|
| It's an important implementation difference, especially
| if it is going to do it by default. Warning a person "you
| will lose all data if you don't write this down" in big
| bold red text is sometimes not enough.
|
| Does tying those keys to your MS account fix that failure
| method?
| EvanAnderson wrote:
| > Does tying those keys to your MS account fix that
| failure method?
|
| Yes. Bitlocker recovery keys are escrowed to the
| Microsoft account. I've relied on this to recover data from
| a family member's PC when it failed and they had
| unknowingly opted-in to Bitlocker (a Microsoft Surface
| Laptop running Windows 10 S Mode).
| r2_pilot wrote:
| >> Does tying those keys to your MS account fix that
| failure method?
|
| > Yes. Bitlocker recovery keys are escrowed to the
| Microsoft account.
|
| Which then opens the door to other attack vectors, even
| government.
| doubled112 wrote:
| I'd imagine most people would like some insurance in the
| event of loss or theft, but are not worried about
| government.
|
| I'm vulnerable to the $8 wrench attack, but enjoy knowing
| it is only a VISA problem if I leave a laptop on the bus.
| r2_pilot wrote:
| I mention that only because it's one avenue. I figured
| obviously on a place like Hacker News that malicious
| agents aside from government could also compromise the
| security of 3rd party-held keys; as always security is a
| matter of difficult tradeoffs and anticipated threat
| categories.
| seabass-labrax wrote:
| I'm genuinely curious to know how VISA helps (or doesn't)
| in your analogy - what is a 'VISA problem'?
| doubled112 wrote:
| Mostly a joke, but I swipe a card and the problem goes
| away. No need to worry anymore.
| vel0city wrote:
| VISA as in the credit card not a travel permit
| vel0city wrote:
| As opposed to just not encrypting their data at all and
| letting everyone who ends up with the drive have their
| data.
|
| So one scenario, _everyone_ can access the data if they
| get the drive. The other, the government might get
| Microsoft to release the encryption keys.
| r2_pilot wrote:
| >As opposed to just not encrypting their data at all and
| letting everyone who ends up with the drive have their
| data.
|
| You are presenting a false dilemma where either Bitlocker
| is in use or the drive is entirely unencrypted; there are
| other ways to ensure data integrity in the face of
| physical compromise.
| whyoh wrote:
| 1. It's not a false dilemma, it's more of a question of
| how to handle the "average Joe" user that doesn't know
| how to store encryption keys. I don't like how this
| automatic encryption is implemented, by the way, but
| sending the keys to MS servers is not the worst idea
| ever.
|
| 2. Bitlocker can totally be used without a MS account and
| without sending keys anywhere and without TPM... But
| seeing how most people fail to RTFM we're back to point
| 1.
| titannet wrote:
| Secure Boot makes persisting malware in the kernel fairly
| difficult. Which IMHO made sense coming from Windows 7
| where driver rootkits and boot kits were trivial. With
| today's main threat model being encryption malware I
| would agree that it doesn't add all that much for most
| people.
| AshamedCaptain wrote:
| It really doesn't prevent anything like that, not even
| remotely. First, to do any type of persistence that would
| be detected by Secure Boot, you already require
| unencrypted, block-level access to the disk drive,
| possibly even to partitions outside the system drive.
| There are a gazillion other ways that malware can persist
| if you already have this level of access and none would
| be detected by Secure Boot. If you were able to tamper
| with the kernel enough to do this in the first place, you
| can likely do it on each boot even if launched from a
| "plain old" service.
| heraldgeezer wrote:
| If it's a desktop, who cares?
|
| Secure boot and BitLocker for the enterprise laptops,
| sure.
|
| For gamers/hackers/hobbyists, why?
| layer8 wrote:
| More accurately, unbreakable security as enabled by
| hardware TPMs also enables unbreakable vendor lock-in like
| we have with iOS. Pick your poison.
| heraldgeezer wrote:
| For now. The cogs will turn slowly towards our demise.
| nulld3v wrote:
| Or you can recognize that app/game developers are starting to
| require Secure Boot enforcement if you want to continue to
| use their apps or play their games.
|
| RIOT requires users to enable TPM-enforced Secure Boot
| starting with Windows 11 to play Valorant:
| https://support-valorant.riotgames.com/hc/en-us/articles/100...
| dist-epoch wrote:
| Let me tell you a secret: it's because the gamers are
| demanding that. The game companies couldn't care less if
| there are cheaters in the game, but it's the players which
| put huge pressure on the game companies to detect and ban
| cheaters.
| heraldgeezer wrote:
| But it allows Windows 10 without TPM.
| tpxl wrote:
| Gamers aren't demanding this. There are tons of ways to
| detect cheaters, the most effective one being human
| moderation. But no, companies won't do MaNuAl WoRk because
| it doesn't sCaLe, even though they have more than enough
| cash in the bank.
| dgellow wrote:
| How do you do manual moderation on a massive fast-paced
| game like Valorant? It's correct, that doesn't scale
| scotty79 wrote:
| maybe not manual ... but ... log behavior, find outliers,
| make outliers play with outliers only
| mholm wrote:
| This absolutely happens already. The problem with finding
| statistical outliers is that plenty of legitimate players
| are outliers too. And if you're banning/segregating
| players for being outliers, you get a very angry player
| base.
|
| Riot has a pretty in-depth blogpost about their anti-cheat
| systems, they've had years to mature them on some of the
| most demanding competitive gaming platforms ever made.
| Requiring players install kernel anti-cheat was very far
| down the list of possible solutions, but that's what it
| came to. It was either this or stop being free to play.
| choo-t wrote:
| The server is all-seeing, if there is no way for the
| server to discriminate cheater from other player, then no
| player can possibly know there's a cheater on the server,
| thus cannot complain about cheating is either irrational
| or the server-side detection is severely flawed.
| mjr00 wrote:
| > The server is all-seeing, if there is no way for the
| server to discriminate cheater from other player, then no
| player can possibly know there's a cheater on the server,
| thus cannot complain about cheating is either irrational
| or the server-side detection is severely flawed.
|
| It's impossible to tell in-game if a baseball player is
| using steroids, yet there's a laundry list of banned
| substances and players who got banned for taking them
| because the MLB believes it gives them an unfair
| advantage. It's called competitive integrity.
|
| Since it sounds like you don't play games, at least not
| competitively, I'll clarify that "cheating" in this case
| isn't the obvious stuff like "my gun does 100x damage" or
| "I move around at 100mph" or "I'm using custom player
| models with big spikes so I know everyone's location"
| that you would've seen on public Counter-Strike 1.6
| servers in 2002. Cheating is aim assistance that nudges
| your cursor to compensate for spray patterns in CS, it's
| automatic DPs and throw breaks in Street Fighter 6 that
| are just at the threshold of human reaction timing, it's
| firing off skillshots in League of Legends with an
| overlay that says if it's going to kill the enemy player
| or not. All of this stuff is doable by a sufficiently
| skilled/lucky human, but not with the level of
| consistency you get from cheating.
| choo-t wrote:
| > It's impossible to tell in-game if a baseball player is
| using steroids, yet there's a laundry list of banned
| substances and players who got banned for taking them
| because the MLB believes it gives them an unfair
| advantage. It's called competitive integrity.
|
| This is relative to meat-space, not videogame, but we
| could go there and say caffeine or Adderall use is
| cheating, thus making anti-cheat a little more
| invasive...
|
| And there's another difference, you're referring to
| professional sport. I have no problem with invasive
| anti-cheat for professional gamers, even better if the gaming
| device is provided by tournament organization.
|
| But we're talking about anti-cheat used for all players,
| akin to asking people playing catch in their garden or
| playing baseball for fun at the local park to take a
| blood sample for drug test.
|
| > All of this stuff is doable by a sufficiently
| skilled/lucky human, but not with the level of
| consistency you get from cheating.
|
| That's the point, there's no difference for the other
| players between playing against a cheater and playing
| against a better player. Any ELO-based matchmaking will
| solve this, cheater will end-up playing against each-
| other or against very skilled player.
|
| You could argue that they could create new account or
| purposely cripple their ELO rating, but this is the
| exact same problem as smurfing.
| mjr00 wrote:
| Many games have ranked ladders now which are taken fairly
| seriously. Success at high levels of ladder play often
| translates into career opportunities, especially in
| League of Legends.
|
| > Any ELO-based matchmaking will solve this, cheater will
| end-up playing against each-other or against very skilled
| player.
|
| Well, first, you're wrong, because cheating only makes
| them good at one part of the game, not every part of the
| game. e.g. in League of Legends, a scripting Xerath or
| Karthus who hits every skillshot is going to win laning
| phase hard. However, scripting isn't going to help if
| they have bad macro and end up caught out in the middle
| of the game, causing their team to lose. Most cheaters
| don't end up at the top of the ladder, they end up firmly
| in the upper-middle.
|
| Secondly, you're basically saying "cheating is OK because
| they'll end up at the top of the ladder." You don't
| realize how ridiculous this sounds?
|
| Third, ranked and competition aside, playing against
| someone who's cheating isn't fun, even if you end up
| winning because they make mistakes that their cheats
| can't help them with.
|
| You don't play competitive games, that's fine, but a lot
| of people do and they demand more competitive integrity
| than casual players.
| choo-t wrote:
| > You don't play competitive games, that's fine, but a
| lot of people do and they demand more competitive
| integrity than casual players.
|
| Little difference : I don't play competitive games with
| complete strangers on company run servers.
|
| I've played competitively on community based server, with
| people being screened by other players and the community
| able to regulate itself (ban or unban players).
|
| The problem space is vastly different, you don't need
| intrusive ring 0 anti-cheat for this.
|
| The whole kernel-level anticheat stuff is a poor solution
| to a self-made problem by the developer : they wanted to
| be the one in charge of the game and servers, so they
| needed to slash human moderation need. They also wanted
| to create a unique pool of player and didn't want the
| community to split between itself and play how they want.
| mjr00 wrote:
| > Little difference : I don't play competitive games with
| complete strangers on company run servers.
|
| People don't consider playing around with your friends to
| be competitive. You don't get to choose who else is
| competing in the game or what strategies they use. This
| is just an area that you are clearly not familiar with.
|
| > The whole kernel-level anticheat stuff is a poor
| solution to a self-made problem by the developer : they
| wanted to be the one in charge of the game and servers,
| so they needed to slash human moderation need. They also
| wanted to create a unique pool of player and didn't want
| the community to split between itself and play how they
| want.
|
| This wasn't self-made by the developer, it was demanded
| by the players. Competitive games have almost exclusively
| moved to online, skill-based matchmaking with a ladder
| system because that's what players want.
| choo-t wrote:
| > People don't consider playing around with your friends
| to be competitive.
|
| I didn't say friends. Please don't modify my argument to
| refute it.
|
| > You don't get to choose who else is competing in the
| game or what strategies they use.
|
| I, as a single player, no, but us, as a community, yes,
| and it's the same for any game or sport, different group
| run different tournament with different rules about who
| play and how.
|
| > This is just an area that you are clearly not familiar
| with.
|
| Please refrain from using ad hominem, especially when you
| have no idea who you are talking with.
|
| > This wasn't self-made by the developer, it was demanded
| by the players.
|
| I don't know any players who asked for the disappearance
| of community run server or human moderation, neither that
| wanted to lose agency on the way they play. I don't they
| these players doesn't exist, but I don't make gross
| generality about players.
|
| > Competitive games have almost exclusively moved to
| online, skill-based matchmaking with a ladder system
| because that's what players want.
|
| They're not a hive mind, lots of them didn't or doesn't
| like matchmaking in any form, and even for the ones that
| wanted it, that doesn't mean developers have to remove
| other mean of play, like server browser and private
| server.
| choo-t wrote:
| > Let me tell you a secret: it's because the gamers are
| demanding that.
|
| Citation needed.
|
| Who are these gamers? I surely didn't ask for this neither
| any of the gamers I know, nor seen any demand about that
| in gaming forums.
|
| > The game companies couldn't care less if there are
| cheaters in the game, but it's the players which put huge
| pressure on the game companies to detect and ban
| cheaters.
|
| The jump from this to "requiring TPM" is quite a long
| one.
| eezurr wrote:
| Go on steam and look at the recent reviews for older but
| still popular fps games. Gamers complain about cheaters
| constantly and will negatively review games cause of it
| choo-t wrote:
| They're demanding a way to handle or ban cheater, not
| requiring TPM, that's a non sequitur.
| RHSeeger wrote:
| You're being disingenuous here, or just missing the
| point. The point being made was the gamers are demanding
| game developers stop cheaters... and that secure boot
| (and related ways to lock down the computer) is one of
| the primary tools they know to use to do that.
| choo-t wrote:
| > The point being made was the gamers are demanding game
| developers stop cheaters... and that secure boot (and
| related ways to lock down the computer) is one of the
| primary tools they know to use to do that.
|
| That's akin to saying that, as people want security on
| the street, mandatory strip search as soon as your exit
| your home is fair game.
|
| Asking for a result doesn't give a blank-check for all
| the measures taken toward this result.
| RHSeeger wrote:
| I agree, but it doesn't change the fact that it's one of
| the primary reasons they're doing it. And "strip searches
| on the street" may not happen, but "Stop and Frisk"
| certainly is/was. And it was very much done because
| people were complaining about crime and safety. And it
| was done regardless of whether or not it was right, or
| effective, or even legal.
| brookst wrote:
| There is no technical way to prevent cheating in advance
| without secure boot. Gamers aren't saying they want lots
| of cheaters but they should be banned eventually, they
| are saying they want to play games without cheaters.
| choo-t wrote:
| You cannot "prevent" cheating, you can at best mitigate
| it, it's a balance.
|
| There are plenty of ways to mitigate cheating in game, but the
| game industry is focusing on the ones where they don't
| bear the cost and only the customer will (and this view
| is in part due to the model of F2P games, where banning
| cheater is useless as it doesn't cost them anything to
| create a new account).
|
| Letting game developer having complete control and spying
| on the device playing the game is fine in a physical
| tournament where they provide the device, but it's
| insanity when it's the user's own device in its home.
| user_7832 wrote:
| > There is no technical way to prevent cheating in
| advance without secure boot.
|
| I'm not really sure I buy this. I can't really give a way
| that can guarantee no cheating but I know for example
| games like Genshin Impact run almost all the code (dmg
| calculation etc) server-side. Perhaps something that's an
| extension of Geforce Now might be the best "anti-cheat"
| technically speaking.
| jprete wrote:
| To run anti-cheat in that way, you need _all_ game
| mechanics to be run server-side, _and_ you need to not
| let the client ever know about something the player
| should not know - e.g. in a first-person shooter you need
| to run visibility and occlusion on the server too!
| Otherwise the cheating will take the form of seeing
| through walls and the like. This is going to boost the
| cost of the servers and probably any game subscription,
| and might lead to bandwidth or latency problems for
| players - just to avoid running any calculation that is
| relevant to game balance on player hardware.
| choo-t wrote:
| Well yeah, that's the correct way to run a server, don't
| send information you don't want the user to get.
|
| But as you are pointing out, forcing client-side
| intrusive anti-cheat is cheaper, thus this has nothing to
| do about preventing cheating, but about reducing cost.
| dumbo-octopus wrote:
| The end state of your argument is the game runs entirely
| on hosted hardware and you pay for a license to stream
| the final rendered output to your monitor. This is
| already happening. Soon games won't be able to be
| "bought" at all, you'll just pay the server a number of
| dollars per hour for the privilege of them letting you
| use their hardware.
|
| You will own nothing and like it.
| choo-t wrote:
| Making occlusion calculation server-side during
| multiplayer have nothing to do with "owning" a game or
| not.
|
| You can even do this calculation on community-run private
| server.
| dumbo-octopus wrote:
| If all surfaces are fully opaque, maybe. The second
| particle effects and volumetric effects and all sorts of
| advanced techniques play a role in actual gameplay, no.
| And that's only for this one type of cheating.
| Rohansi wrote:
| It's not just about cost. Theoretically yes, you
| shouldn't send information that you don't want users to
| get and abuse. However, in the context of games, this is
| not always possible because most games are realtime and
| need to tolerate network latency. There is no perfect
| solution - there will always be tradeoffs.
|
| Ideally player A shouldn't be networked player B if there
| is a wall between them but what happens when they're at
| the edge of the wall? You don't want them to pop in so
| you need some tolerance. But having that tolerance would
| also allow cheaters to see players through walls near
| edges. Or your game design might require you to hear
| sounds on the other side of the wall (footsteps,
| gunshots, etc.) which allows cheats to infer what
| may be behind the wall better than a person would.
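
Added example, not code from the thread or from any game: a simplified 2D grid model of the server-side visibility filtering discussed in the two comments above, showing how a latency tolerance margin around the observer makes the server send a position that is not actually in line of sight. The map, player names and `margin` parameter are constructed for illustration.

```python
# Constructed map: '#' is wall, '.' is floor. Cells are (x, y) = (column, row).
GRID = [
    "....#....",
    "....#....",
    "....#....",
    "....#....",
    ".........",
]

OBSERVER = (3, 2)                                  # player receiving the snapshot
OTHERS = {"B": (5, 4), "C": (7, 1), "D": (1, 0)}   # constructed positions


def in_bounds(cell, grid=GRID):
    x, y = cell
    return 0 <= y < len(grid) and 0 <= x < len(grid[0])


def is_wall(cell, grid=GRID):
    x, y = cell
    return grid[y][x] == "#"


def line_cells(a, b):
    """Bresenham's line: every grid cell on the segment from a to b."""
    (x0, y0), (x1, y1) = a, b
    dx, dy = abs(x1 - x0), -abs(y1 - y0)
    sx = 1 if x0 < x1 else -1
    sy = 1 if y0 < y1 else -1
    err = dx + dy
    while True:
        yield (x0, y0)
        if (x0, y0) == (x1, y1):
            return
        e2 = 2 * err
        if e2 >= dy:
            err += dy
            x0 += sx
        if e2 <= dx:
            err += dx
            y0 += sy


def has_los(a, b, grid=GRID):
    """True when no wall cell lies on the line between a and b."""
    return not any(is_wall(c, grid) for c in line_cells(a, b))


def snapshot(observer, others, margin=0, grid=GRID):
    """Positions the server sends to `observer`.

    margin > 0 models the tolerance needed to avoid pop-in: a player is sent
    if visible from ANY floor cell within `margin` cells of the observer,
    i.e. anywhere the observer could be by the time the packet arrives.
    """
    ox, oy = observer
    origins = [
        (x, y)
        for x in range(ox - margin, ox + margin + 1)
        for y in range(oy - margin, oy + margin + 1)
        if in_bounds((x, y), grid) and not is_wall((x, y), grid)
    ]
    return {
        name: pos
        for name, pos in others.items()
        if any(has_los(origin, pos, grid) for origin in origins)
    }


def leaked(observer, others, margin, grid=GRID):
    """Names sent because of the margin although not currently visible."""
    sent = snapshot(observer, others, margin, grid)
    visible_now = snapshot(observer, others, 0, grid)
    return sorted(set(sent) - set(visible_now))


if __name__ == "__main__":
    print("strict culling :", snapshot(OBSERVER, OTHERS, margin=0))
    print("with tolerance :", snapshot(OBSERVER, OTHERS, margin=1))
    print("exposed to a modified client:", leaked(OBSERVER, OTHERS, margin=1))
```

With strict culling only D is sent; with a one-cell margin B, who is just past the wall's edge, is sent as well, while C deep behind the wall stays withheld in both cases.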
| choo-t wrote:
| > Or your game design might require you to hear sounds on
| the other side of the wall (footsteps, gunshots, etc.)
| which allows cheats to infer what may be behind the
| wall better than a person would.
|
| Yes, and you cannot prevent this except in in-person
| tournament.
|
| Any output sent toward the player, even a faint audio
| cue could be analyzed, and used to trigger an action or
| display an overlay to the screen, and no amount of
| kernel-level stuff will prevent that, as you can do this
| outside of the computer running the game.
| beeboobaa3 wrote:
| There's no way secure boot totally prevents cheating,
| either. It just moves the goalpost a little, cheating
| will always be possible.
| _flux wrote:
| The goalpost just needs to be moved further than is
| economically interesting for cheaters _in general_ to
| reach.
|
| Perhaps secure boot by itself isn't enough, but I would
| imagine it would be a relatively large bump, when
| combined with a kernel-level anti-cheat. I presume such
| anti-cheats would e.g. disable the debugger access of
| game memory or otherwise debugging it, accessing the
| screen contents of the game or sending it artificial
| inputs.
|
| What vectors remain? I guess at least finding bugs in the
| game, network traffic analysis, attempting MitM,
| capturing or even modifying actual data in the DRAM
| chips, using USB devices controlled by an external device
| that sees the game via a camera or HDMI capture.. All
| these can be plugged or require big efforts to make use
| of.
| candiddevmike wrote:
| Back in my day we all played on private, community-run
| servers where you could easily vote to kick/ban folks,
| the server owner was your buddy, or you played with
| people you trust.
|
| Now everything is matchmaking, private servers, live
| service and that sense of community is gone.
| card_zero wrote:
| Why isn't it still like that? Don't players want small
| communities?
| choo-t wrote:
| A lot of things happened, 6th gen consoles started a new way
| of using online games (no keyboard, no third party
| chat/vocal, no group chat out of game, no private
| server), then the industry pivoted away from private
| server to have more control on their games, then the
| whole F2P economy then GaaS took any agency out of
| players hands.
| reisse wrote:
| It's very hard to gather full teams (usually 10 persons)
| in small communities. Public matchmaking gives an
| opportunity to start a game in a minute from clicking
| "play", regardless of how many people you have at hand
| right now.
|
| Small communities still exist, it's just that vacant
| places are now filled with strangers.
| dmonitor wrote:
| Cheating in online games (especially ones that are free)
| is so absurdly rampant and disruptive that you can sell
| gamers just about anything if it can meaningfully deter
| cheaters. Every now and then a Youtuber will say "kernel
| level anti-cheat is bad for [reasons]" and gamers will
| pretend to care about it until the video leaves the "For
| You" page.
| throwaway48476 wrote:
| Because a root kit is the _only_ way to do anti cheat?
| CS2 ban wave begs to differ.
| wredue wrote:
| I haven't played Valorant, so I don't know about them,
| but what I can say is that definitely other anti-cheats
| are highly ineffective (VAC being one that is highly
| ineffective), with blatant cheaters going years without
| ever being caught.
|
| Hell, blatant cheaters literally stream themselves
| cheating and their own communities do not recognize the
| cheating till the stream makes a mistake and selects the
| wrong scene. This also means that VAC methods of sending
| footage to random players is ineffective, as some
| streamers who are very obviously actually cheating do so
| in front of tens of thousands of people, and those people
| do not recognize the obvious cheating happening.
|
| We also know game companies don't care about cheating, as
| Activision admitted in their lawsuit that they leave
| cheaters on a safe list so long as the cheaters have any
| semblance of an audience streaming.
| throw10920 wrote:
| > Activision admitted in their lawsuit that they leave
| cheaters on a safe list so long as the cheaters have any
| semblance of an audience streaming
|
| That is absolutely _wild_, and completely characteristic
| of Activision.
|
| Do you have a link that I can share with my CoD-playing
| friends?
| wredue wrote:
| https://www.charlieintel.com/call-of-duty-warzone/activision...
|
| It really doesn't even take that many viewers. Zemie, for
| example, is a straight up cheater that runs a button
| activated aimbot and wall hacks. He only averages a
| couple thousand viewers and is safe listed by a number of
| game companies.
| MSFT_Edging wrote:
| I personally stopped playing CS because my friends
| started using an alt-launcher to avoid cheaters, which
| added a whole layer of complication that made the game
| undesirable. Ban waves aren't perfect but in my limited
| experience, cheaters weren't that rampant, in others'
| experience it became intolerable.
| talldayo wrote:
| That's not the gamers asking, though. In this instance
| they're being taken advantage of because they have
| maligned priorities, and being sold an over-the-top
| solution they don't need. You can still detect process
| injection, memory injection, sketchy inputs, HID fuckery,
| DRM cracking, host emulation and input macros _without_
| ever going kernel-level.
|
| Truth be told, if the exploiter-class of your game would
| even consider a kernel-level exploit, your game is fucked
| from the start. Seriously, go Google "valorant cheating
| tool" and your results page will get flooded with
| options. You cannot pretend like it's entirely the
| audience's fault when there are axiomatically better ways
| to do anticheat that developers actively ignore.
| HideousKojima wrote:
| The real solution is letting players host their own
| servers and build their own communities of players they
| trust, but corps don't like giving that kind of freedom
| to users
| realusername wrote:
| There's cheaters even on consoles which are vastly more
| locked-down than a PC.
|
| Those technical shenanigans clearly aren't working, be
| ready to be disappointed if you thought that a TPM would
| help against cheaters. Cheaters always find a way, what
| those games need is proper moderation.
|
| Yes that does cost money but that's the only known thing
| that works in the long run.
| brookst wrote:
| This seems like the old "any imperfect solution is no
| better than doing nothing" argument. Moderation is
| expensive, hard to scale, and can only address problems
| after other users have bad experiences.
|
| It's like saying seatbelts are useless because some
| people still get hurt, so _instead of_ seatbelts we need
| a lot more ambulances and hospitals.
|
| Like any complex system, games have a funnel. These
| technical measures reduce (but not to zero) the number of
| cheaters. _Then_ moderation can be more effective
| operating against a smaller population with a lower
| percentage of abuse.
| realusername wrote:
| Since the technical measures like TPM are very heavy,
| there's some better evidence needed that it reduces the
| number of cheaters, personally I don't buy it.
|
| On the other hand, all the games / servers I've seen
| which are successful against cheaters have some very good
| moderation.
| vel0city wrote:
| Just see Valorant vs Counterstrike. Similar levels of
| popularity, similar kinds of cheat concepts. One has a
| kernel level anti cheat and has few cheaters, one doesn't
| and is overrun by cheaters.
|
| Look at Counterstrike with regular VAC based matchmaking
| and then with kernel level anti cheat in FACEIT. One is
| overrun with cheaters and one isn't. It's the same game.
| choo-t wrote:
| > This seems like the old "any imperfect solution is no
| better than doing nothing" argument.
|
| Isn't this the argument used against non-kernel-level
| anticheat and server-side anticheat in the first place?
| card_zero wrote:
| > It's like saying seatbelts are useless because some
| people still get hurt
|
| Alternatively, it's like saying poisoning your customers
| is a bad way to reduce complaints, because some of them
| survive. Matter of perspective.
| throwaway48476 wrote:
| TPM security is broken on a lot of motherboards too.
| bogwog wrote:
| Gamers don't want cheaters, but gamers also don't want
| malware. Some people won't care, others will care. The
| real problem is that publishers don't give anybody a
| choice on this. They sneak these invasive anti-piracy
| measures into their games without asking since they don't
| want to fragment their player base.
|
| The reasonable, fair, common-sense pro-consumer thing to
| do is to split the online play in two: a non-anticheat
| server and an anti-cheat server. Players can _opt-in_ to
| installing a rootkit/sharing their SSN/whatever if they
| want to play on the hardened server. This costs nothing,
| and makes all types of gamers happy.
|
| But doing this has less upside for the publisher than
| forcing anti-cheat on everyone. The only risk is that
| they might get dragged through the mud by a handful of
| influencers peddling impotent rage to viewers who are
| just looking for background noise while sleepwalking on
| their Temu dopamine treadmill live service of the month.
| throw10920 wrote:
| > The reasonable, fair, common-sense pro-consumer thing
| to do is to split the online play in two: a non-anticheat
| server and an anti-cheat server. Players can opt-in to
| installing a rootkit/sharing their SSN/whatever if they
| want to play on the hardened server. This costs nothing,
| and makes all types of gamers happy.
|
| This is a very good point! And I'd like to point out that
| there is an analogue to the problem of smurfing in online
| video games, and the corresponding solution, which is to
| require semi-unique ID to play (e.g. a phone number which
| can only be tied to one account at a time with a cool-off
| period when transferring between accounts). Valve does
| this for Dota 2, and smurfing is far, _far_ less common
| than it is in League of Legends.
|
| Some League players complain that they don't want to give
| their phone number to Riot (which is entirely reasonable
| given that it's a subsidiary of Tencent), but if enough
| people don't want that, then Riot could simply split the
| ranked queue into two: one where (soft, ie phone #)
| identity verification is required, and one where it
| isn't.
|
| Riot won't do this, though, not because it wouldn't fix
| the problem (it would, as demonstrated by Valve), but
| because they profit from smurf accounts buying skins.
| lupusreal wrote:
| If it's software your job requires, that's one thing. But
| games? Just play different games, or get a different hobby.
| You have a choice so exercise it.
| AshamedCaptain wrote:
| Software doesn't require it so far because these devices
| are "uncommon" (i.e. for example, not on server hardware,
| not usually virtualized).
|
| But guess what is happening now that MS requires TPM for
| Windows? All virtualizers now have some support for TPM.
| The time will come.
| beeboobaa3 wrote:
| First they came for the socialists, and I did not speak
| out--
|
| Because I was not a socialist.
|
| Then they came for the trade unionists, and I did not
| speak out--
|
| Because I was not a trade unionist.
|
| Then they came for the Jews, and I did not speak out--
|
| Because I was not a Jew.
|
| Then they came for me--and there was no one left to speak
| for me.
| lupusreal wrote:
| Financially supporting games which do a thing you
| disapprove of is so counter productive it defies rational
| explanation. You aren't "speaking out", you're joining
| the party and paying membership dues. How could you get
| so twisted around? Brain damage, that must be it.
| beeboobaa3 wrote:
| Sure and today it's games, and tomorrow it'll be
| something you care about.
| lupusreal wrote:
| Yeah so give money to the companies that do it, that'll
| show them! Boycotting those products is capitulation
| somehow, because brain damage.
| jnwatson wrote:
| And why is that? It isn't for DRM (the game is free). It is
| for anti-cheat, and it is great.
|
| The libertarian maximalist i-can-do-what-i-want-with-my-
| computer ignore the many use cases where I want to trust
| something about someone else's computer, and trusted
| computing enables those use cases.
| Unai wrote:
| > It is for anti-cheat, and it is great.
|
| How is it great? Vanguard is extremely invasive; having
| kernel access, you have to relinquish your PC to this
| Chinese-owned company at all times (whether you're
| playing the game or not), and just trust in their good
| faith.
|
| And for what? Cheaters are more rampant than ever, now
| that they have moved to DMA type cheats, which can't (and
| never will) be detected by Vanguard.
|
| So you give away complete control of your PC to play a
| game with as many cheaters as any other game. I wouldn't
| call that "great".
| notdisliked wrote:
| I don't think you can make the argument that the amount
| of cheaters using DMA is "just as many" as in a game with
| a less restrictive anti cheat, allowing cheaters to
| simply download a program off the internet and run it to
| acquire cheats. The accessibility of DMA cheats is
| meaningfully reduced to the point that I would guess
| (only conjecture here, sorry) the amount of cheaters is
| orders of magnitude less in an otherwise equivalent
| comparison.
|
| Now, the amount of DMA cheaters may still be unacceptably
| high, but that's a different statement than "the same
| amount as".
|
| So, it's not "giving up something for nothing", it's
| giving up something for something, whether that something
| is adequate for the trade offs required will of course be
| subjective.
| Unai wrote:
| Yeah, valid point.
|
| You're right, a game with no anti-cheat or a bad one will
| have more cheaters. But as you said, it's about the
| tradeoff, and that's what isn't "great". It was for a
| period of two years or so, since the tradeoff was "lose
| all control of your PC by installing a rootkit, play a
| game completely free of cheats", which was compelling,
| but now that the game isn't sterile anymore it's hardly
| worth it, at least for me.
| taormina wrote:
| I don't know, the number of cheaters appears to be non-
| zero and present enough in my games. Why give any random
| game studio kernel level access to anything? There are
| absolutely server-side solutions, likely cheaper
| solutions because the licensing fees for the anti-cheat
| software aren't cheap.
|
| We gave up something real. But it has not been proven
| whether we got anything. Maybe we got nothing, maybe we
| stopped a few of the laziest cheaters, but we still see
| tons of cheaters. The number of possible cheaters is
| based off the quality of the software. No amount of
| aftermarket software will magically improve the quality
| of your game in a way that 100% deters cheaters. I'm
| positive that their marketing claims they reduce cheaters
| by an order of magnitude, but I have not observed them
| successfully catching cheaters with these tools.
| __MatrixMan__ wrote:
| Is it so radical to want to be in control of your stuff?
| What are these use cases where we need to have third
| parties in control?
|
| I don't really buy the gaming one, in every other domain
| where a community of people are gathering to do a thing
| they enjoy together it's on the community and not the
| tool maker to figure out how to avoid bad behavior. If
| you don't wanna play with cheaters then just play with
| somebody else.
| Bognar wrote:
| You are in control. You can disable secure boot, you can
| install your own keys, you don't have to boot windows,
| you don't have to play games that demand invasive anti-
| cheat. Vote with your wallet.
|
| Relying on the community to police cheaters is not an
| effective strategy for online skill-based matchmaking
| games. There's a reason game companies spend money and
| effort on anti-cheat and it's not because they're
| ignoring cheaper alternatives.
| __MatrixMan__ wrote:
| If I felt confident that I would always be able to
| disable secure boot, I wouldn't be so worried about it.
| dangus wrote:
| People who are concerned about this should realize:
| Microsoft will never create a situation where alternative
| operating systems can't be installed. They already went
| through the antitrust ringer on that issue. They don't even
| control what hardware vendors do for the most part.
|
| This requirement will only hit multiplayer games where
| cheating and security threats are rampant.
|
| Also, if you have a PC with secure boot enabled, there are
| popular Linux distributions like Ubuntu that have a signed
| key. Or, you can add a signing key to the firmware,
| depending on your hardware. And of course, most
| commercially available PCs will let you disable secure boot
| entirely.
|
| (Most multiplayer games with anti-cheat software don't
| really work on Linux anyway.)
| AshamedCaptain wrote:
| > Microsoft will never create a situation where
| alternative operating systems can't be installed. They
| already went through the antitrust ringer on that issue.
|
| They have shipped ARM Surfaces where alternative
| operating systems could not get installed, enforced with
| Secure Boot permanently on. Have they been through any
| such "antitrust ringer" in the past 10 years?
|
| > Also, if you have a PC with secure boot enabled, there
| are popular Linux distributions like Ubuntu that have a
| signed key
|
| Note that there's one key MS uses for Windows and one key
| they use for everything else. They actually advise OEMs
| not to install this second key by default ("Secured Core"
| PCs), and some vendors have followed the advice, such as
| Lenovo. Resulting in yet another hoop to install non-MS
| OSes.
|
| Even recently, a Windows update added a number of Linux
| distributions to the Secure Boot blacklist, resulting in
| working dual boot systems being suddenly crippled. Of
| course, even _ancient_ MS OSes are never going to be
| blacklisted.
| ZeroWidthJoiner wrote:
| > They actually advise OEMs not to install this second
| key by default ("Secured Core" PCs), and some vendors
| have followed the advice, such as Lenovo. Resulting in
| yet another hoop to install non-MS OSes.
|
| True, 3rd party not trusted by default is a "Secured-Core
| PC" requirement, but so is the BIOS option for enabling
| that trust [0]. On my "Secured-Core" ARM ThinkPad T14s
| it's a simple toggle option.
|
| > Even recently, a Windows update added a number of
| Linux distributions to the Secure Boot blacklist,
| resulting in working dual boot systems being suddenly
| crippled. Of course, _ancient_ MS OSes are never going to
| be blacklisted.
|
| Actually they are in the process of blacklisting their
| currently used 2011 Windows certificate, i.e. the
| Microsoft cert installed on every pre-~2024 machine, also
| invalidating all Windows boot media not explicitly
| created with the new cert. It's a manually initiated
| process for now, with an automatic rollout coming later
| [1].
|
| It'll be very interesting to watch how well that's going
| to work on such a massive scale. :)
|
| [0] https://learn.microsoft.com/en-us/windows-hardware/design/de...
|
| [1] https://support.microsoft.com/en-us/topic/kb5025885-how-to-m...
| AshamedCaptain wrote:
| > True, 3rd party not trusted by default is a "Secured-
| Core PC" requirement, but so is the BIOS option for
| enabling that trust
|
| As I said, yet another increase in the number of hops for
| no reason.
|
| Before you say anything else: until this you could
| install _signed_ Linux distributions without even knowing
| how to enter your computer's firmware setup. Now you
| can't.
|
| The trend is obviously there. First, MS forced Linux
| distributions to go through arbitrary "security" hoops in
| order to be signed. Then, MS arbitrarily altered the deal
| anyway. Even mjg59 ranted about this. And the only
| recourse MS offers to Linux distributions is to pray MS
| doesn't alter the deal any further.
|
| Maybe at no point they will make it impossible on x86
| PCs, but they just have to keep making it scary enough.
| And in the meanwhile keep advertising how WSL fits all
| your Linux-desktop computing needs. While at the same
| time claim they have nothing against opensource.
|
| > Actually they are in the process of blacklisting their
| currently used 2011 Windows certificate
|
| No, they are NOT in the process, and that is precisely
| what I was referring to. They have not even announced
| when they are going to even start doing the process. All
| you quoted is instructions to do it manually. So I'll
| believe it when I see it.
|
| And besides, just clearing the CMOS is likely to get you
| a nice ancient DBX containing only some grub hashes on
| it, and the Windows MS signature on DB. Not so much luck
| for the MS UEFI CA signature, as discussed above. So
| "recovery" will be trivial for Windows, not so much for
| anyone else..
| delfinom wrote:
| You can in fact disable secure boot on the arm surfaces.
|
| The problem is nobody really has put enough effort to
| port Linux to it. Some people started but haven't gotten
| very far
|
| https://github.com/orgs/linux-surface/projects/1
| https://github.com/linux-surface/aarch64-firmware
| https://github.com/linux-surface/aarch64-packages
|
| >, a Windows update added a number of Linux distributions
| to the Secure Boot blacklist
|
| It was due to a bug and/or not being able to detect all
| manners of dual boot correctly.
|
| The goal was not to blacklist old distros, it was to
| blacklist vulnerable boot managers
|
| Microsoft's response and fixes were provided:
| https://learn.microsoft.com/en-us/windows/release-health/sta...
| AshamedCaptain wrote:
| > You can in fact disable secure boot on the arm
| surfaces.
|
| Not all. I know for a fact you could not in the RT/2.
|
| This is despite the fact that people _do put effort_.
| This is how I know, for example, that some Linux
| workarounds for "funny" ACPI interpretations had to be
| also "ported" to the ARM architecture in ACPI ARM Linux
| because Windows is literally making the same "bugs" all
| over again. Except, this time, Windows hardware is in the
| _minority_, and there's plenty of ARM ACPI devices that
| do not require these workarounds...
|
| > It was due to a bug and/or not being able to detect all
| manners of dual boot correctly.
|
| Sure. It is also a bug they just applied these blacklists
| automatically in the first place? It is also a bug that
| the list of blacklisted bootloaders mostly comprises non-
| MS oses, despite the fact there are well-known issues in
| many Windows versions?
| dfox wrote:
| One thing that I do not understand is how an app can
| determine whether secure boot is enabled in any kind of
| secure way. The TPM and Secure boot system is not designed
| for that.
| beeboobaa3 wrote:
| For now. It's not ubiquitous enough yet. Games are already
| starting to require secure boot, the rest will follow in a
| few years.
| ineptech wrote:
| People will keep saying it, because that ratchet only seems
| to go one way. Consumer access to general purpose computing
| is something we take for granted, but every year it seems
| like there's a bit less of it, and once we lose it we will
| never get it back.
| pbhjpbhj wrote:
| Yes, and Microsoft will still have regular "accidents" where
| they wipe out your ability to boot your Linux install, oh
| oopsy.
|
| They should be prosecuted for that shit.
| libertine wrote:
| This sort of thing over decades has been the best distribution
| and communication channel for Windows.
| 23B1 wrote:
| Does not apply to most other software.
| libertine wrote:
| Yes, but I think it works exceptionally for other software,
| like games!
|
| One example that stands out was the hacking/modding scene of
| the GTA Vice City with Multi Theft Auto, and even GTA SA,
| which gained a massive player base that would have never
| experienced the game and created emotional bonds with it. I
| can't prove this of course, but I bet a huge portion of the
| GTA V success was from users who played a modded version of
| the game in the past "for free".
|
| Another example is the Adobe Suite, like Photoshop, and
| Illustrator, which allowed many people to become proficient
| with the Adobe tools and be part of a qualified workforce
| using that same suite of tools. A lot of these professionals
| from low-income countries would never have had access to these
| tools otherwise in their formative years.
|
| Price is a barrier to entry for many users who wouldn't have
| paid for the software.
| 23B1 wrote:
| > Price is a barrier to entry for many users who wouldn't
| have paid for the software.
|
| This is what demos, student licenses, etc. are for. I don't
| care what your justification is, property theft is wrong.
| ChumpGPT wrote:
| 1st world opinion.......
| mdaniel wrote:
| > property theft is wrong.
|
| It sure is, and those people should promptly return their
| stolen Photoshop bits to the front door of any local fire
| station so Adobe can put them back into their bit
| warehouse and ship them to paying customers next day air
| topato wrote:
| Haha, yeah, I'm pretty sure there would be a hell of a
| lot less working professionals using the Adobe suite
| today if we had all used Adobe's generous 14-day trial to
| get to grips with Photoshop or Flash or Dreamweaver when
| we were 12 or 13 years old. Or enrolled in University, I
| guess?
|
| I would expect Adobe would be nothing but a forgotten
| brand name lost to the annals of time at this point,
| considering their Suite has been the most pirated
| application every year since the early days of Windows
| 95... And yet....
| 123pie123 wrote:
| it is NOT 'property theft', since nothing has been
| stolen, just copied
|
| the term you want is Copyright infringement
| ddingus wrote:
| You are correct, however unpopular too.
|
| We have the word infringe for the cases where the word
| theft is inaccurate.
| throw10920 wrote:
| I wouldn't use the term "property theft", as even though
| there's a very clear analogue to IP and digital economics
| for anyone who cares to think about it, pro-piracy
| pedants will gladly jump on the term (which is strongly
| tied to physical property) to avoid addressing the
| problem itself. This problem doesn't happen as much with
| other terms like "theft", "IP theft", and "piracy".
| pbhjpbhj wrote:
| You don't have to be "pro-piracy" to be anti media
| propaganda that tries to equate duplication with denial
| of a person's right to their own property. They're very
| different things.
|
| If you think copyright infringement and theft are
| synonymous then presumably you'd be happy with people
| paying for copyrighted goods with a picture of some
| money, because a copy that doesn't involve a transference
| of control is identical with the actual item, right?!
| gjsman-1000 wrote:
| Very nice utopian ideals, but wrong.
|
| Take _World of Goo_. Very popular game. Released in 2008;
| got a sequel in 2024. Why so long for a sequel? In part,
| because when they experimented with a DRM-free release,
| they had a piracy rate of over 90%. Can you prove that's
| lost sales? No. Would any reasonable person say that is
| lost sales? Absolutely.
|
| https://arstechnica.com/gaming/2008/11/acrying-shame-world-o...
|
| Ever wonder why mobile games failed, and why every mobile
| game is seemingly full of ads? The Android piracy rate is
| enormous (over 60%); and freemium allows money to be earned
| while denting piracy rates. Let's not forget also why
| Nintendo went after Yuzu - over 1 million illegal downloads
| of Tears of the Kingdom before the game even launched. How
| many do you think paid afterwards?
|
| And before anyone quotes the one or two studies showing an
| increase in sales from piracy; that ignores the 30+ studies
| showing a moderate to severe sales impact from piracy, that
| we also have. Nobody talks about those though, because
| that's a rather unpopular conclusion. However, you can't
| pick and choose studies to show it is a good thing.
| pbhjpbhj wrote:
| >that ignores the 30+ studies showing a moderate to
| severe sales impact from piracy
|
| Could you cite a few of the best such stories that are
| not sponsored by media giants please and thank you.
| thrownawaysz wrote:
| MAS (which is also hosted on Github) is the perfect example of
| Microsoft not caring about end user piracy. Just use it.
| diggan wrote:
| Maybe it's beneficial for Microsoft that solutions like that
| are FOSS so they can more easily inspect the code for
| prevention purposes in the future?
| fallingsquirrel wrote:
| I think Microsoft is just purposefully lax about enforcing
| their own trademarks on their own properties. It could be due
| to organizational memory of their antitrust case. It could be
| to avoid bad publicity (like the recent spat where youtube
| took down a video teaching people how to use adblockers).
|
| Another example of this: the leaked Windows source code is
| available straight from GitHub.
| npteljes wrote:
| Instead I think that they let people use it unauthorized, so
| that Windows is even more entrenched. Same with what Adobe
| did with Photoshop. These companies are lucky that their
| product gets home and office use as well, because they can
| let the noncommercial use slide, and just squeeze the office
| users more.
|
| It's more of a business move, than a technical move.
| Microsoft has plenty of capable people, they don't need such
| software to be FOSS to successfully inspect it.
| nicman23 wrote:
| more like the license process is so bad that they don't bother
| to go after them
| sneak wrote:
| There is ultimately no way to get a good license process on
| consumer PCs. The owner and operator of the hardware is also
| the adversary. It's like DRM for video and other content: you
| are giving the ciphertext and the keys to the attacker. It's
| only a matter of time until it is broken.
| SV_BubbleTime wrote:
| >the license process is so bad that they don't bother to go
| after them
|
| For a person, yes go for it they won't bother.
|
| For a company... we have had some annoying MS audits. So now
| everything has to be retail WITH the cards. I have a stack
| ready for our next audit if it ever happens again.
| a1o wrote:
| I have no idea how to get access to LTSC Windows without it. I
| have bought Windows PRO keys in case someone asks one day, but
| as a person, I really don't know how to get the not annoying
| Windows that is available for companies.
| olyjohn wrote:
| The pro keys won't cover you if someone asks. You're not
| licensed for LTSC and you can't have it without an enterprise
| agreement. It's still piracy. You might as well have not even
| paid for the pro keys.
| therein wrote:
| It could still help with a jury of his peers.
| thrownawaysz wrote:
| I once went down this rabbit hole ("I use LTSC for years might
| as well buy a legit copy finally") and... it was almost
| impossible. You need to buy at least 5 licenses through
| volume licensing but you also have to be a business (can't
| buy it as a natural person). Then there were some other things
| about standalone version, upgrade, subscription etc.
|
| So yeah LTSC was never meant to be available for single
| desktop users at home yet it's the best version of Windows
| available.
| miles wrote:
| I did a little writeup[1] back in 2018 about how to acquire
| Windows 10 LTSC as an individual. It was only around $300,
| which included the required four additional CALs.
|
| By way of comparison, Windows 11 Pro is $200[2].
|
| [1] https://tinyapps.org/blog/201811300700_windows_10_ltsc.html
|
| [2] https://www.microsoft.com/en-us/d/windows-11-pro/dg7gmgf0d8h...
| indrora wrote:
| In the long run, pirated copies of Windows are noise level: The
| vast majority of people are going to get a license via an OEM
| (which survives reinstallation), businesses aren't going to
| risk running unlicensed windows machines (especially if they're
| paying for it elsewhere) and have easy means to acquire OEM
| licensed machines that are supported by the OEM for parts &
| service, and people who run an up to date but pirate-licensed
| copy of Windows are at least running an up to date version
| instead of sitting on an EOL copy that is barely getting
| security updates.
|
| Allowing piracy at that level is _actively_ safer in the long
| run.
| hakfoo wrote:
| I suppose the other aspect is the gradual death of the white-
| box PC shop.
|
| The large OEMs have contracts to pay 9 cents per license.
|
| They'll never crack the individual enthusiast building his
| own PC from Newegg parts and installing a hack, but he's
| small potatoes.
|
| But back in the day, there was a fair chance your local
| midsize business, government, university, didn't necessarily
| buy from Dell or HP-- they bid out a few hundred PCs to a
| local shop, which had both the motivation and technical
| knowledge to use the same license key on each one, and the
| scale where it could represent significant lost revenue.
|
| Introducing activation was probably a significant sabotage
| for them. Although I'd suspect the stick on license
| certificate was almost as big a deal in that regard.
| stepupmakeup wrote:
| Last year, a Microsoft support representative even used it on a
| customer's computer.
|
| https://news.ycombinator.com/item?id=38295819
|
| https://www.bleepingcomputer.com/news/security/microsoft-sup...
| Tepix wrote:
| So, just stating the obvious, you can now (¥) download all xbox
| games directly from the microsoft store for free? I.e. the xbox
| is - for now - as completely hacked as the PS Vita?
|
| (¥) you might have to figure out some details
| ryx wrote:
| Yep. This seems to be the most overlooked part of the article,
| although maybe the most interesting.
|
| Unfortunately not for anyone who has activated the auto-update
| feature on his/her Xbox, as the latest system software version
| seems to include a higher kernel version than supported by the
| collateral-damage exploit.
| 38 wrote:
| Exactly why you should never, ever, enable auto update, for
| anything. Too often it ends up breaking something or patching
| something you don't want patched. It allows a profit seeking
| company to enable or disable software functionality on your
| device, regardless if it's in your interest.
| indrora wrote:
| It should be noted that unless you've modified an Xbox One,
| from what I understand you _cannot_ stop it from auto
| updating unless you permanently disconnect it from the
| internet (which will cause your licenses to _eventually_
| expire, in the year timespan or so), new launch games won't
| run (they're tied to a minimum version of the OS).
| __MatrixMan__ wrote:
| Wow, so it's a ticking time bomb, that should be illegal.
| seabass-labrax wrote:
| I agree that the device updating without your consent
| should be illegal, but new games requiring the updates
| seems fair enough: the Xbox can still run all of the
| games it was advertised to be able to do so at launch,
| and if game developers could not rely on the presence of
| system updates, Microsoft would just release an entirely
| new, incompatible Xbox instead. I think that updates are
| fine so long as you can update and roll back whenever you
| want to.
| Zambyte wrote:
| Depending on if you consider "authorization" to require
| consent or informed consent, it already is illegal
| behavior under CFAA.
| klodolph wrote:
| That would require a pretty creative interpretation of
| the CFAA.
| fragmede wrote:
| The CFAA's broad enough so as to allow a lot of creative
| interpretation. A journalist using view source was
| breaking the CFAA was one district attorney's view.
| hedora wrote:
| This is the only carve out I could find for manufacturers
| of computers:
|
| > No action may be brought under this subsection for the
| negligent design or manufacture of computer hardware,
| computer software, or firmware.
|
| I guess Microsoft could argue their entire operating
| system business, app store, and update infrastructure are
| intentionally negligent, and so not covered.
|
| I'd think a reasonable court would say that it's working
| as designed, and therefore not covered by the carve out.
|
| https://www.law.cornell.edu/uscode/text/18/1030
| __MatrixMan__ wrote:
| I don't think there's such a thing as intentionally
| negligent. They'd have to argue that the whole feature
| was actually a bug.
| timenova wrote:
| The same is the case with the Xbox Series X/S. I was
| shown three options for the last update: [Update Now]
| [Continue Offline without Updating] [Shut Down Xbox].
| 38 wrote:
| right, so at this point you don't own the device any more,
| you are renting it.
| Jerrrry wrote:
| Which is exactly what you agreed to in the terms of
| service you evidently did not read
|
| I want to be the only cheater in my lobby.
| thot_experiment wrote:
| Yup, 100%. My golden rule of computers is:
|
| If it's working right now, an update can only cause it to
| break. The best case scenario is that it still works. Why
| would you roll the dice?
| hoffs wrote:
| Golden rule to get exploited
| 38 wrote:
| the "but muh security" argument is absolute horseshit 99%
| of the time. and the 1% that actually need it, are going
| well beyond automatic updates to secure their systems.
| trog wrote:
| If you look at the background radiation of the Internet
| of automated things just hitting services to probe for
| exploits, they are most commonly looking for exploits
| from bugs in older software.
|
| There's a timing argument - that unless you're at risk of
| zero days (like you're the DOD) - that you probably don't
| need to upgrade immediately. But it seems unarguable to
| me that the longer you wait, the greater the risk from a
| security perspective.
|
| As always, security is a trade off. Risk of breaking from
| an update has to be balanced against risk of exploit. I'd
| argue the latter is going up more quickly than the
| former.
| thot_experiment wrote:
| How many actual zerodays are there that don't require you
| to ALSO be doing something dumb per year? It seems
| exceedingly rare. I understand the argument if you're
| talking about like, a server running some CMS or
| whatever, sure that's gonna get pwned because it's a big
| target so it's worth going after. Your natted personal
| machine? You're fine unless you're running executables off
| random russian sites (and even then you're probably fine
| if you're getting your shit from reputable shady sites)
| LorenzoGood wrote:
| No, this is a crazy take, old versions of software are
| usually rife with exploits, where everyone knows about
| the bug.
| thot_experiment wrote:
| It's really not, I never upgrade anything and I haven't
| been pwned in like a decade. (Or maybe I have been pwned
| but not in a way that's affected me at all so you know,
| whatever)
| LorenzoGood wrote:
| On an internet exposed server?
| emeril wrote:
| so true - the few who are at risk of real exploits are
| already aware of this and do more than just system
| updates
|
| I only let my browser autoupdate (somewhat reluctantly)
| since I view that as the most likely security issue on my
| winpc but when I used to let win10 autoupdate (and other
| garbage dell drivers), things would start breaking after
| each update
|
| this also applies to phone app updates - I only update if
| there's a reason to, not just for the sake of updating...
|
| and people wonder why I have the best working phone and
| pc at the office...
| simonjgreen wrote:
| Total tangent, but extremely interested in the use of the
| Yen/Yuan sign as a footnote marker. Is there some history here
| I've overlooked or is this just arbitrary?
| bewaretheirs wrote:
| I've not seen it used this way before but it is similar
| enough to the dagger and double-dagger symbols that the
| intent to use it as a footnote marker is clear.
| Tepix wrote:
| Haha - i was looking for ¹, ² or § but couldn't find them on
| my german ipad onscreen keyboard, so i improvised.
| bratwurst3000 wrote:
| you have to hold a key longer and then there it is. i think
| it was "s"
| isametry wrote:
| Typing this from a German iPad keyboard. It's the
| ampersand key (& - §).
| gcr wrote:
| oh interesting, using "section" as footnote marker is
| more alien to me than using yen
| AStonesThrow wrote:
| I learned BASIC programming on a VIC-20, and I typed in so
| many "A$, B$, C$", for decades thereafter I pronounced "$"
| as "string" ("A-string, B-string", etc); it got weird as I
| discussed Perl scripts with coworkers...
| quectophoton wrote:
| I usually do it like this[1], if that helps.
|
| [1]: Borrowing syntax from Markdown.
| pbhjpbhj wrote:
| Interesting that you'd use "Section", "§", as a reference
| marker. Asterisk (*), and dagger (†) are common reference
| markers in British English, but not the section sign, aka
| "silcrow".
|
| Is that a common usage /auf Deutsch/? Such use is listed on
| the Wikipedia page, but it's a use I don't ever recall
| having seen before.
| c0balt wrote:
| It's common in some contexts, in particular ¹/²/... is
| common for footnotes in handwritten and digital texts.
|
| § is a bit less common but iirc used in some legal
| texts. It's also easy to use on ANSI German keyboards
| with shift+3.
| pferde wrote:
| I'm wary of using the asterisk in internet forums, or
| really in almost any textual exchange online these days,
| because everything tries to parse text as markdown, and I
| am never sure whether or not my asterisks will get eaten.
|
| Especially on sites like this one, which have no
| previews.
| a1o wrote:
| Does anyone know a good way to activate MS Office on macOS?
| Doesn't matter how many times I buy the thing it eventually
| forgets the license and calling Microsoft Support usually doesn't
| result in anything. One day Office starts complaining that it's
| not activated and then it eventually locks me out of it. It would
| be nice if the Office license on macOS actually worked but if
| there's an easy solution for activation I wouldn't look back.
| thrownawaysz wrote:
| https://massgrave.dev/office_for_mac
| a1o wrote:
| Thank you!
| ravetcofx wrote:
| Alternative answer, Use LibreOffice
| bloqs wrote:
| So this is now patched? And this works on xbox store too?
| efilife wrote:
| It is said in the article that it's patched, multiple times
| layer8 wrote:
| If I read this correctly, Microsoft will be able to reduce the
| applicability of the temporary-license signing key, meaning that
| you probably won't be able to generate permanent licenses for
| long.
| loeg wrote:
| > As it turns out, data after the signature block isn't checked at
| all... and it can even override data that came before it.
| Whenever two blocks of the same type are stored together, the
| last one overrides all the others before it. So, if we want to
| change any license data, we can just make a block for it and put
| it after the signature block!
|
| Amazing.
| Dwedit wrote:
| I wonder if this is the worst cryptography blunder since
| Nintendo Wii using 'strncmp' to validate a hash (which stops
| after the first matching 00 byte)
| bri3d wrote:
| This "check the block signature and then read another one"
| bug is incredibly common. I'd say it's one of the top 5 bugs
| I see in Validating Things. Other examples of places I've
| seen this recently include some variants of VW AG
| infotainment systems (mostly MIB2 High, I think), but it's
| kind of everywhere (as was the `strncmp-a-hash` method of
| validating an RSA-PKCS#1.5 signature).
|
| This is probably the most egregious/impactful manifestation
| of it, though, especially if it applies to Xbox.
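The pattern discussed in this subthread (a parser verifies the signed prefix, keeps reading past the signature block, and lets the last block of a type win), shown beside a hardened parser. This is an added example, not code from the article or from any commenter; the TLV layout, block types and key are assumptions, and an HMAC stands in for the real signature scheme.

```python
import hashlib, hmac, struct
KEY = b"constructed-demo-key"   # assumption: HMAC stands in for the real signature
T_POLICY, T_SIG = 0x01, 0xFF    # hypothetical block types

def block(btype, value):        # layout: type(u16) | length(u16) | value
    return struct.pack("<HH", btype, len(value)) + value
def mac(data):
    return hmac.new(KEY, data, hashlib.sha256).digest()
def sign(body):                 # signature block covers every byte before it
    return body + block(T_SIG, mac(body))

def walk(blob):
    """Yield (offset, type, value) for each block; reject truncated input."""
    off = 0
    while off < len(blob):
        if len(blob) - off < 4:
            raise ValueError("truncated header")
        btype, length = struct.unpack_from("<HH", blob, off)
        value = blob[off + 4:off + 4 + length]
        if len(value) != length:
            raise ValueError("truncated value")
        yield off, btype, value
        off += 4 + length

def parse_vulnerable(blob):
    """Checks the signed prefix, then keeps reading; the last block of a type wins."""
    fields, verified = {}, False
    for off, btype, value in walk(blob):
        if btype == T_SIG:
            verified = hmac.compare_digest(value, mac(blob[:off]))
        else:
            fields[btype] = value   # also reached for blocks after the signature
    if not verified:
        raise ValueError("bad signature")
    return fields

def parse_hardened(blob):
    """Signature must be the final block and no block type may repeat."""
    blocks = list(walk(blob))
    types = [t for _, t, _ in blocks]
    if not types or types[-1] != T_SIG or len(set(types)) != len(types):
        raise ValueError("signature must be last and block types must not repeat")
    off, _, sig = blocks[-1]
    if not hmac.compare_digest(sig, mac(blob[:off])):
        raise ValueError("bad signature")
    return {t: v for _, t, v in blocks[:-1]}

SIGNED = sign(block(T_POLICY, b"trial"))        # constructed sample license
TAMPERED = SIGNED + block(T_POLICY, b"full")    # unsigned block appended afterwards
```

The hardened parser fixes the structure before trusting any field: everything it returns lies inside the signed byte range, and an override by repetition is rejected even when the repeated block is itself signed.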
| throwaway48476 wrote:
| Can this be used to enable the HEVC extension without a M$
| account? It's so frustrating they can't license the patents as a
| lump sum.
| e4m2 wrote:
| You don't need this exploit. You could use a media player that
| doesn't need MS codec packs, but assuming this is not an
| option:
|
| 1. Go to https://store.rg-adguard.net.
|
| 2. Paste in https://apps.microsoft.com/detail/9n4wgh0z6vhq.
|
| 3. Change ring to "Retail".
|
| 4. Download the file with an "appxbundle" extension.
|
| 5. Install it (might need to enable developer mode for this
| step; don't remember).
| Stagnant wrote:
| The links to download the official microsoft signed HEVC
| installers can actually also be found at massgrave.dev[0] It
| truly is an awesome resource.
|
| 0:
| https://massgrave.dev/unsupported_products_activation#hevc-v...
| throwaway48476 wrote:
| Awesome
| Rinzler89 wrote:
| Why would you need it? HEVC codec ships with the driver package
| from your GPU vendor.
| dist-epoch wrote:
| You don't need to pay. You just need the direct link
|
| ms-windows-store://pdp?productId=9N4WGH0Z6VHQ
|
| ms-windows-store://pdp?productId=9PMMSR1CGPWG
|
| ms-windows-store://pdp?productid=9MVZQVXJBQ9V
|
| ms-windows-store://pdp?productid=9N4D0MSMP0PT
|
| ms-windows-store://pdp?productid=9N95Q1ZZPMH4
| Alifatisk wrote:
| How do you get the direct link?
| dist-epoch wrote:
| I got them from reddit:
| https://old.reddit.com/r/Windows10/comments/j58y6f/no_longer...
|
| There are many articles with this workaround. Funny how it
| still works, almost 4 years later. This is not an accident,
| MS knows what it's doing.
| Jerrrrrrry wrote:
| ironically, I will be using un-ironically to play Guitar Hero
| games that I have the physical discs to, on retail hardware,
| that has the games installed, but not "licensed" to play without
| physical tethering of the disc in the failed DVD drive.
|
| The double irony is that, even if it works, I may not be able to
| read my own game-saves since the Console's own public key is on
| the revocation list. I could sidestep this by resigning the CON
| files with the default value, 0.
|
| The triple irony may be forthcoming yet. this all looks very
| familiar indeed.
|
| fuckin brilliant
| Jerrrrrrry wrote:
| ecosystem of xml > tlv > null-terminated strings / utf16 for
| user input make an off by one error anywhere or unverified*
| malicious user input in the house of cards of technical debt in
| any MS ecosystem collapse into minefield of privilege
| escalation, RCE, etc horizontal pivots...not trivial, however.
|
| this bug is essentially a retro-active pivoting platform for
| the lucky day you combine unsanitized input and context escape.
|
| seems like just trivial digital sticker-swapping, but MS over-
| leveraging its successes, refusal to break things (to maintain
| backwards compatibility, and its own technical debt..), mean
| that some mistakes, however trivial, yet affecting, are
| immortalized
| thund wrote:
| In case your antivirus is censoring the page:
| https://archive.is/90XGW
| nicolas_t wrote:
| Now I just wish this could give me a license to install the Lego
| Boost for Windows 10 app that used to be on the windows store
| until 2020...
|
| From my understanding, if you have the license, then you can
| still download it but it's not available for new users.
| layer8 wrote:
| Maybe you could use this instead:
| https://en.scratch-wiki.info/wiki/LEGO_BOOST_Extension
| nicolas_t wrote:
| I tried that and it'll be great when my kid is older but the
| Lego Boost app has some kind of gamification built in that's
| honestly pretty sweet and is a good gateway I think.
|
| Right now, I'm using an android emulator to be able to run
| the app on a laptop (we don't have tablets) but it's a janky
| experience compared to a native windows app.
| vednig wrote:
| > which we independently uncovered around the same time it was
| reported to Microsoft
|
| highly suspicious
| nixosbestos wrote:
| Clip has been around longer than the Xbox One though?
| HL33tibCe7 wrote:
| > massgrave.dev
|
| Bit gross to be honest
___________________________________________________________________
(page generated 2024-09-07 23:00 UTC)