Steam spyware

I really enjoyed the Half-Life and Counter-Strike games, especially the original Half-Life and Half-Life 2 single player episodes which were revolutionary for their time. Whether you're a fan of the game or not, Unforeseen Consequences: A Half-Life Documentary is well worth a watch. I spent a huge amount of time tweaking, scripting and creating content for HL and CS and i miss those days, but i will no longer install Steam on my computer.
As many others, i held Valve in very high regard when they released Half-Life, however my appreciation for the company took a sharp nosedive when Steam was introduced. On one hand the idea of Valve cutting out the middleman -- the game publishers -- and releasing content directly to consumers was attractive, but on the other i hated that you had to have Steam running to just to play an off-line single player game or even to build a map, so much so that i emailed Gabe about how i and some of the other long-time Valve and HL fans felt about it. His one-line reply was "Steam is a set of non-trivial problems".
I would very much like to revisit the HL single player episodes but i would need to figure out how to best isolate Steam and any installed games from the rest of my system. Proprietary software cannot be trusted, plain and simple. For those of you using Steam on your daily-driver box, i would strongly recommend figuring out a way to isolate it because it is, in effect, malware. From the article, Steam over at Spyware Watchdog:
This program is spyware because it collects huge amounts of user information, including but not limited to your Home Address, Telephone Number, Credit Card Number, and Internet Search History. Steam also profiles your hardware, communications through Steam's social networking features, and contains a mandatory self-updater. Steam will not work without an internet connection.
[...]
Steam also confirms that it shares this information with third parties. The implications of this are as follows: Steam knows your name, age, where you live, your banking information, and what your e-mail is. Steam shares this information with other companies (at least, to the extent allowed by law). Steam can use your IP Address to track where you are to the nearest county and can use your Device Unique ID provided by the fingerprinting spyware features inside Steam to track your usage habits across devices that you use. Steam also records all of your communications with others through its social networking and instant messaging services, such as all chat logs, voice conversations, and forum posts, and can share all of this information with third parties as well.
And from the article If You Use Steam, Valve Might Be Tracking Every Website You Visit on Gizmodo:
Here's a fun fact: If you use Steam for your games -- let's face it, you do -- there's a chance Valve's Anti-Cheat System been taking a look at all the websites you visit and sending a list back to home base. Why? No one knows for sure.
The discovery comes by way of SHG_Nackt who claims to have found a suspicious little piece of code that appears to mine your DNS cache for a list of domains, hash them and send them back to Valve for perusal.
And from another article, Steamed: Valve Software Battles Video-game Cheaters, on IEEE Spectrum
The company combats this with its own Valve Anti-Cheat System, which a user consents to install in the Steam subscriber agreement. Cook says the software gets around antivirus programs by handling all the operations that require administrator access to the user's machine. Periodically, the company transmits "client challenges" to a player's machine, running software that scans for cheat codes. The Anti-Cheat software might, for example, trigger a dormant code on the player's machine. If the machine doesn't send back the appropriate response, the code alerts Valve to a possible violation.
Valve also looks for changes within the player's computer processor's memory, which might indicate that a cheat code is running. Finding anomalies is not difficult. The company knows what series of operating code is required to run the game and can spot suspicious activity. Once code is suspected, it's turned into an incident report, which is analyzed by Cook's team of 16 engineers. Sometimes code is determined to be a standard privacy or security measure.
"We can see it and say, 'Oh, that's just antivirus software running the background,' and flag it as okay," says Cook. Valve keeps a directory of cheat codes and can compare new incident reports to others in its database. The team then tests out the code using copies of their own game. Once designated as a true cheat, it's added to the database for future reference.
Valve's Anti-Cheat software raises privacy concerns. "Any time you, as a user, allow someone to run software or a process on your system, then you're not in control," says Lee Tien, senior staff attorney for the Electronic Frontier Foundation, a San Francisco-based nonprofit advocacy group.
And from another article, NSA's Hacker-in-Chief: We Don't Need Zero-Days To Get Inside Your Network, on Motherboard:
Joyce may work for an infamously-deceptive state intelligence apparatus, but his advice here is spot on. While zero-days are powerful, the vast majority of networks likely get compromised by government hackers in much less dramatic ways. Among them: not keeping software updated, failing to restrict administrative privileges to a small number of users, and Bring Your Own Device policies that create havoc by allowing employees to introduce unknown and vulnerable personal devices to their company's network.
Even a laptop running Valve's Steam gaming service can make a nice point of entry for Joyce's NSA buddies, he says.
"Why go after the professionally administered enterprise network when people are bringing their home laptops, where their kids were going out and downloading Steam games the night before?"
Another wildly embarrassing and very stupid mistake that Valve took a beating for was when they tried to delete all the files in the root directory of the file system. This may have only affected Linux users (i don't recall) and it obviously was not intentional, but what made the catastrophic blunder all the more embarrassing is the fact that whoever wrote the code apparently never bothered to test it.
As i recall, a new Steam update was pushed out the door and some files needed to be deleted on the client side. The problem was that some ding-dong added a space after a forward slash which meant the code would attempt to dump everything on the root partition.
If you also refuse to use Steam, but miss the old Half-Life and Counter-Strike games, check out the FreeHL and FreeCS projects by 'eukara'. Rather than being clones, these ambitious projects are scratch-built from the ground up. While neither is ready for prime time, they are (sort of) playable and development is active.