KSP 1.8 - No analytics, no game?

[Snark]

12 minutes ago, swjr-swis said:

yours is missing data-optout-service.uca.cloud.unity3d.com

Ah okay, thanks.  Fixed.  It didn't contact that address while I was running KSP just now.

12 minutes ago, swjr-swis said:

Redshell also wanted to contact the following two addresses:

127.0.0.1 treasuredata.com
127.0.0.1 api.treasuredata.com

 

Thanks, I've updated my post above.  I saw the treasuredata entries sitting there in my host file-- obviously I must have added those back-in-the-day, I just didn't sufficiently comment them to keep track.

[R-T-B]

Has anyone actually fired up wireshark to see what analytics send?  I understand being upset on principle, but it's a.) supposedly opt-outable, and b.) I'd like to know if the opt-out is obeyed.

[Snark]

13 minutes ago, R-T-B said:

Has anyone actually fired up wireshark to see what analytics send?  I understand being upset on principle, but it's a.) supposedly opt-outable, and b.) I'd like to know if the opt-out is obeyed.

I fired up wireshark to see what DNS entries it tries to resolve, which is where my above list came from.

I haven't bothered to check what the actual contents are, because 1. it's almost certainly exactly what they say it is, and 2. trying to track anything more than DNS entries would be tedious for me to do, and 3. even if I did it, there's a good chance that the contents would be some binary thing anyway that would be meaningless without excruciatingly time-consuming spelunking to try to reverse engineer what they're doing.

If someone wants to take that on, more power to 'em, but that's more time than I'm willing to invest, myself. 

As far as inferring whether their "opt out" really works or not, their design unfortunately makes that hard to verify first-hand (see notes in spoiler).

Spoiler

I tried the following:

1. Turn off the hosts filter that I describe above, so I can see what the game does
2. Start up KSP
3. Go to the settings to find the "show Unity Analytics opt-out on next startup", turn that on
4. Exit KSP
5. Restart
6. Follow the Unity-opt-out prompt that pops up
7. Get the Unity website's assurance that I've opted out of everything
8. Exit KSP
9. Start up KSP, supposedly opted out of Unity analytics, while observing with Wireshark
10. Result:  It does DNS resolution of those same sites, anyway.

So however Unity has chosen to implement their "opt-out" design, it's pretty clear that they haven't implemented it in terms of "well then just don't contact any websites when it's opted out".  As folks have observed earlier in this thread, the fact that they choose to store the opt-out setting on their website instead of as a local setting on the machine makes it really hard to observe first-hand what they're actually doing (or, more to the point, not doing).

 

[R-T-B]

2 minutes ago, Snark said:

it's almost certainly exactly what they say it is

I wouldn't count on it.  Companies push boundaries a lot these days.

That being said, I'm not losing sleep on it nor am I asking you to investigate further.  Just sayin'...  wouldn't be surprised if "off" really means "we only talk a little bit."

I mean though, I use Windows 10, so I'm already a dead duck.

Edited October 22, 2019 by R-T-B

[J.Random]

I could probably find and link all or most of the threads regarding similar stuff where users voiced their concerns and these concerns were universally met with "you're paranoid": the whole takeover by T2, EULA, redshell spyware, probably starting with whatsitsname, the Netherland company which somehow was an actual IP owner...

But I'm lazy. So just imagine I did all that and added a "surprised Pikachu" meme at the end.

[k00b]

18 hours ago, steve_v said:

Egads. Whut?

So if I don't want the owner of the noodle shop on the corner pickpocketing me for a bit of extra cash every time I eat there, I should just stop going outside?
Seriously? The answer to companies grabbing a bit extra on the side at your expense and against your wishes is to disconnect from the internet? Why didn't I think of that.
 

you stop buying noodles if they taste bad, and report pickpockets to the police.

(clue: you don't own the noodleshop, like you don't own the software (that you have paid for the privelege to use (IN IT'S ENTIRETY) OR yes; you don't use it (on the basis you have no grounds for argument) and do something more productive with your time...

[k00b]

1 hour ago, R-T-B said:

I mean though, I use Windows 10, so I'm already a dead duck.

windows 10 is great put your tinfoil hat away.

look - it's boring metadata; yes they collect everything and then some, and people get "profiled" - but how many fishes are there in the net ? you need to understand how completely insignificant it actually is.

WHAT I WILL TELL YOU THOUGH:

think about how interesting the juicy metadata behind the IP and DNS block secret more appealling metadata is; that's going to be some real juicy metadata though!.

[klesh]

Thanks fellas. Gonna block all that nonsense straight away.  

[steve_v]

1 hour ago, Snark said:

makes it really hard to observe first-hand what they're actually doing

And herein lies the problem. Unity, Squad, T2 et al. are assuring us that the data they collect is harmeless, yet nobody has any reproducable way of proving this besides pointing at DNS queries. DNS queries mean very little in this context.

Trust, but verify.

Since we can't verify due to the intentionaly opaque implementation, I'm disinclined to trust. This impasse could easily be solved by not contacting the analytics servers when the user has opted out, so why has this simple change not been made?

[DoctorDavinci]

8 minutes ago, steve_v said:

And herein lies the problem. Unity, Squad, T2 et al. are assuring us that the data they collect is harmeless, yet nobody has any reproducable way of proving this besides pointing at DNS queries. DNS queries mean very little in this context.

Trust, but verify.

Since we can't verify due to the intentionaly opaque implementation, I'm disinclined to trust. This impasse could easily be solved by not contacting the analytics servers when the user has opted out, so why has this simple change not been made?

I personally think the bigger question here is why did they try to sneak this crap in again?

I don't recall if anything about Unity analytics and such has been discussed by Squad since the redshell fiasco ... Not sure what to think about that

[steve_v]

2 hours ago, k00b said:

report pickpockets to the police.

Here I am reporting KSP pickpocketing my data. Since this behaviour is immoral rather than illegal, there are no police to report it to.
The best I can do at this point is protect myself and continue to publicly call out T2 on their underhanded and intrusive data collection. If that makes a potential customer think twice about agreeing to the ridiculous EULA, so much the better.

 

2 hours ago, k00b said:

you don't own the software

This is not a rental, and once I have bought a piece of software it is mine to do with as I will. You can argue this point until you are blue in the face, but it's my computer and I will control what it does, without exception. People who obstruct me in this are adversaries to be fought.
When I go to someone else's noodle shop, the proprietor has every right to refuse me service, change the recipe or simply evict me. My trouser pocket however, that's mine and they have no right whatsoever to put their hand in it, no matter how much impenetrable legaleese they try to get me to agree to.
Strangely enough, they don't have a right to inspect my stomach contents either, why should this be any different for software?

Take Two may well have a case for maintaining control over their software after purchase (good luck with that once I get my grubby talons on it btw), but that doesn't entitle them to anything else - including my PC specifications, hardware configuration, usage patterns, other software I may have installed, or the use of my network adapter for their own ends. It's none of their business, and it's an invasion of my privacy.

If companies continue to subvert my equipment for their gain, I will refuse to buy their products. For those that sneak this crap in after I have already paid them, I will take whatever action I can to protect my data and hurt their profits, on principle.

 

3 hours ago, k00b said:

windows 10 is great

You're entitled to your opinion of course, but I disagree. Vociferously.

3 hours ago, k00b said:

put your tinfoil hat away

Descending into the ugly realm of personal attacks is probably unwise...
 

1 hour ago, k00b said:

look - it's boring metadata

So prove it, I'm all ears. Show me exactly what they are collecting and a reliable method for verifying it, and I'll gladly revise my viewpoint in light of the evidence.

2 hours ago, k00b said:

how many fishes are there in the net ?

I don't see why it matters. Modern analysis software is very good at extracting patters from vast quantities of noisy data, to the point that several prominent companies use it as their primary businesses model.
If everybody else was jumping in front of buses, would you follow? If you're fine with getting screwed over because everyone else is too, that's your call. I am not.

Perhaps you will get lost in the crowd, after all, fish use this tactic to confuse predators. Me, I'd rather kick that predator in the balls whenever I can, until such time as they cease preying on me.

1 hour ago, k00b said:

you need to understand how completely insignificant it actually is.

There have been several fairly high-profile incidents that show how even "insignificant" profiling can invade a persons privacy.
While it's not applicable to this game, things like this happen semi-regularly and have been for a long time. Boring metadata is quite capable of making someone's life a living hell if misused.

Consider the fictitious case of Mr. X, who skives off work to play KSP. Their employer discovers this through analytic data shared with a third-party, and T2 has just cost Mr. X his job for the sake of a few cents worth of "insignificant" metadata.
A stretch to be sure, but by no means impossible.

 

2 hours ago, k00b said:

think about how interesting the juicy metadata behind the IP and DNS block secret more appealling metadata is; that's going to be some real juicy metadata though!.

I'm not at all sure what this sentence is supposed to mean, but I'll guess: When I block all of KSP's network traffic, T2 and co. get nothing besides "This person bought the game, but we're getting no analytics from their install. Are they even playing it?"
It's a data point to be sure, but at least they're not getting anything else.

 

1 hour ago, DoctorDavinci said:

the bigger question here is why did they try to sneak this crap in again?

'Cause they knew we wouldn't like it, but they want to include it anyway. So they sneak it back in hoping to avoid a fuss.
At least that seems like the obvious explanation to me.
 

1 hour ago, DoctorDavinci said:

Not sure what to think about that

I think it's disingenuous and underhanded, and I think I will redact any trust I may have had in the company or the people working for it.

[DoctorDavinci]

20 minutes ago, steve_v said:

Cause they knew we wouldn't like it, but they want to include it anyway. So they sneak it back in hoping to avoid a fuss.

At least that seems like the obvious explanation to me.

The only reason I could see any possibility of the analytics being of any actual use that would benefit the community is if the analytics implementation is the beginning of a multiplayer implementation as the analytics must be active for any form of Unity multiplayer since they are heavily entwined

Let's be clear, I'm not trying to suggest this is what is happening ... Only pointing out the only real quasi legitimate reason to have Unity analytics incorporated into a single player game since in Unity multiplayer functionality and the analytics are just different thorns on the rosebush

Lets also be clear that I am not defending Squad, just providing facts for consideration when thinking about this issue

Whatever the reason it is still an underhanded deal ... there is no other purpose for it other than to provide feedback from online games of which KSP is not (without mods)

At least that is the conclusion I come to ... but what do I know, I'm just a hack

Edited October 22, 2019 by DoctorDavinci

[Syrius]

I get behind the whole I don't want to line your pockets at my expense, and I hate that companies monetize my data.

Has anyone thought or is there a way to write a program that can be configured to look at this type of DNS info and then send randomized, factitious, data that is 100% incorrect. Even to the point that it gives data not even relevant to the pull. ie;

Sex: plant

Age: 1,200

Time played: -927 hours

CPU: Abacus

RAM: 1kb

Internet Connection: 1kb

OS: Crayons

You all get the idea. If they want to collect data, just give them a bunch of BS they can't use. I am not a programmer so I have no clue if this is even possible. Also, it does not decrease the use of your bandwidth and would likely eat up computing cycles as the program would be the middle man between the program and the reporting so it could feed false data.

[Superfluous J]

1 hour ago, Syrius said:

I get behind the whole I don't want to line your pockets at my expense, and I hate that companies monetize my data.

Has anyone thought or is there a way to write a program that can be configured to look at this type of DNS info and then send randomized, factitious, data that is 100% incorrect. Even to the point that it gives data not even relevant to the pull. ie;

Sex: plant

Age: 1,200

Time played: -927 hours

CPU: Abacus

RAM: 1kb

Internet Connection: 1kb

OS: Crayons

You all get the idea. If they want to collect data, just give them a bunch of BS they can't use. I am not a programmer so I have no clue if this is even possible. Also, it does not decrease the use of your bandwidth and would likely eat up computing cycles as the program would be the middle man between the program and the reporting so it could feed false data.

It would be far better to send plausible yet incorrect data.

"Lie about your income, your age, gender, and race.
Spell your name incorrectly, so it's harder to trace."

"Lie about your favorite drink, your viewing habits and the color of your sink.
Make up a phone number, make up a postal code, if we all lie together the computer might explode!"

[PT]

13 hours ago, Snark said:

Well, here's what I'm using.  This is from running Wireshark on a KSP 1.8 install, and filtering for all DNS requests.  I just added a block for anything at all that KSP tried to talk to when I started it up:

127.0.0.1 cdp.cloud.unity3d.com
127.0.0.1 config.uca.cloud.unity3d.com
127.0.0.1 perf-events.cloud.unity3d.com
127.0.0.1 prd-lender.cdp.internal.unity3d.com
127.0.0.1 thind-gke-usc.prd.data.corp.unity3d.com
127.0.0.1 thind-prd-knob.data.ie.unity3d.com
127.0.0.1 remote-config-proxy-prd.uca.cloud.unity3d.com
127.0.0.1 data-optout-service.uca.cloud.unity3d.com

AFAICT, this is the full list of everything that KSP tries to talk to, at least when I start the game up, open a game, return to main menu, and exit.

 

Important caveats to bear in mind for the above:

• It's not a guaranteed complete list of sites (though I suspect it probably is).
  • Why it's not guaranteed:  Because there's nothing in principle preventing KSP from perhaps trying to access some other site at some other time.  These are just the sites that it accessed while I was watching it.
  • Why I'm not super concerned:  Because I ran through a few cycles of startup / shutdown of KSP, and it hit these same sites every single time.  So I'm guessing this is probably about it.
• There's no guarantee it couldn't change with another update sometime.
  • Of course, it's easy to just run Wireshark again at that time, too. 
• These are just the DNS calls.
  • Why that's a potential concern:  In principle they could be making direct calls to specific IP addresses and I wouldn't see it here, since I'm only tracking DNS requests (because trying to read the full Wireshark output for all network traffic on my computer, including all the other programs that are chattering all the time, would take more of my time than I'm willing to sink into this.)
  • Why I'm not super worried about it:  Because nobody uses direct IP addresses, that's a noob move.  Almost certainly any configured attempts to talk to them will need DNS resolution at least to start with, so blocking all their DNS traffic ought to do the trick, seems to me.

Incidentally, the last time this concern erupted over RedShell stuff a year or two ago, I added the following entries, based on stuff I was reading in the forums at the time:

127.0.0.1 redshell.io
127.0.0.1 api.redshell.io
127.0.0.1 treasuredata.com
127.0.0.1 api.treasuredata.com

...Based on my current Wireshark observations, I'm not seeing any attempts to contact redshell.io; all I see are various *.unity3d.com addresses.  I've left the redshell.io entries in place anyway (because it's not hurting anything, I have no legitimate need to ever go to redshell.io, and why not).  But they may not be actually accomplishing anything anymore.

 

[EDIT] Updated list of sites, thanks @swjr-swis

Hmnh. Sounds like using whitelist instead of blacklist might be more future proof solution. 

I guess we could make some short ps script to put wildcard ban and few selected exclusions (ckan, github or whatever else is used for autoupdate in mods nowdays). 

If I am not mistaken, good antivir/firewalls respect windows firewall rules so it should work for most setups. 

 

[kerbiloid]

Spoiler

If two programs collect statistics about each other's work (like all of them are trying these days), and send to their developers, isn't it a violation of both EULA?...

 

[R-T-B]

14 hours ago, k00b said:

windows 10 is great put your tinfoil hat away.

It was a casual joke.

I have zero personal concerns.  Some privacy ethics concerns, yes, but that comes from a different side of me (I work in my retirement occasionally as a freelance security consultant, see my extended post on this below).

My point was Windows 10 telemetry is more intrusive than Unity Analytics, which it is.  Neither one should concern 99% of home users, beyond industry ethical concerns that is.  More on that below.

13 hours ago, DoctorDavinci said:

redshell fiasco

What was that?

3 hours ago, PT said:

Because nobody uses direct IP addresses, that's a noob move.

Oops.  Bad assumption.  A lot of telemetry clients I have seen do.  To avoid precisely what you are trying.  Static ips are cheap for a big company.

I will check my router later, but I bet my butt it's doing exactly that.

 

Edited October 22, 2019 by R-T-B

[R-T-B]

13 hours ago, DoctorDavinci said:

I personally think the bigger question here is why did they try to sneak this crap in again?

This is a good question, but you should be asking the whole industry this, not Squad.  It's a rapidly growing trend.

Windows?  Got telemetry, introduced with Windows 10.  It was backported to 8/7 with the most recent patches too.

Why was that?  Dunno, but the best answer to this one if you care, is O&O ShutUp 10.  Google it.

Got an NVIDIA Card?  Congratulations, their driver (no geforce experience required) also loads a telemetry component.  Yep.  The display driver.

Why do they need that?  They really don't.  The best answer to rejecting this nonsense is produced by my old employer, look up Techpowerup NVCleanStall to remove the telemetry prior to installing.  Made by my old boss, the almighty w1zzard of techpowerup.com

 

Got an Intel CPU?  You are probably running their driver update solution that includes telemetry.  No solution except to uninstall.

If you really want to get tinfoil hat, look into your Intel based machines Intel Management Engine, or AMDs heavily integrated "PSP" Security Processor.  All these are processors in your computer that see all, and can do anything at rights ABOVE admin, and feature remote access functionality at some level.  As of yet there is no evidence of abuse of this, but why do we need these platforms at all?

Short answer is we don't.  It's a really good question.

My security consulting firm, GlacialSoftware, has been trying to answer that question for a few years now, I and my partners have focused particularly on the Intel Management Engine, which I have succesfully disabled on some motherboards here:

https://www.techpowerup.com/forums/threads/asrock-z370-z390-taichi-and-some-others-actively-modding-firmware-with-intel-management-engine-disabled-new-method.259319/

Once upon a time, it was possible to completely remove Management Engine code using tools I and several others worked on.  Now that results in board bricks.  The most you can do is instruct the engine to shutdown using an undocumented bios-based command intended for government targets, and trust that Intel would not cross the government, right?

That command only works until next boot, btw.  My bioses above address this by issuing the command repeatedly every boot.

But again, why?  And how this all doesn't violate EU privacy laws is beyond me, my guess is they simply claim they discard data from the EU.  But I'd be a skeptic that that always happens.

Unity Analytics is nothing, and no, I am not a tinfoil hat.  I know way more about this than average joe.

My honest advice to the average consumer?

At this point in time, privacy is dead for you and you have already lost.  Fixing it is either beyond you, or too inconvienient too consider.  If this bothers you, vote accordingly.

Edited October 22, 2019 by R-T-B

[R-T-B]

1 hour ago, kerbiloid said:

  Hide contents

If two programs collect statistics about each other's work (like all of them are trying these days), and send to their developers, isn't it a violation of both EULA?...

 

 

No, not if they never agreed to it, why?  Corperate espionage might be a good theory for the above happenings though.

[Starhawk]

Some content has been removed.

Do not allow the discussion to descend into personal attacks and insults.

There is plenty of room for respectful disagreement here.

Thank you for you understanding
KSP Moderation Team

[R-T-B]

11 hours ago, steve_v said:

So prove it, I'm all ears. Show me exactly what they are collecting and a reliable method for verifying it, and I'll gladly revise my viewpoint in light of the evidence.

The latest Windows 10 builds include a tool option to view your metadata if you want (guides on how to use it would take us wat offtopic).  It's not really that bad but it isn't that great either.  It tracks what you click, open, and how long it's open/used primarily.  Why?  Really good question.

Edited October 22, 2019 by R-T-B

[PT]

1 hour ago, R-T-B said:

Oops.  Bad assumption.  A lot of telemetry clients I have seen do.  To avoid precisely what you are trying.  Static ips are cheap for a big company.

I think you wanted to quote Snark for that one.

Anyway, both static IP and static DNS are noob moves. Pro advert scum use randomly generated multi-level DNS's on multiple second level domains with changing IP so user can't keep up with blacklisting, in such cases whitelist is a solution. Analytics collectors can learn a lot from shifty advert networks

57 minutes ago, R-T-B said:

At this point in time, privacy is dead for you and you have already lost.  Fixing it is either beyond you, or too inconvienient too consider.  If this bothers you, vote accordingly.

Over my dead body.

This fight is hard because so many people don't care or gave up. But as you can see, some of us still got that fire going. Come, join the resistance. We don't have cookies.

2 minutes ago, R-T-B said:

The latest Windows 10 builds include a tool option to view your metadata if you want.  It's not really that bad but it isn't that great either.  It tracks what you click, open, and how long it's open/used primarily.  Why?  Really good question.

UI optimizations, I'd guess. With some NSA deal as cherry on top

Good example of that is MS Office "ribbon" menu. They collected user interactions and built it so most used options will be now on top. 

Edited October 22, 2019 by PT

[R-T-B]

7 minutes ago, PT said:

 

Over my dead body.

Mine too.  My point was the civilian pop is already mostly dead.  That's ok though, we can educate them to vote, and then maybe they can be like, alive again.  Like zombies.

Who said the dead voting was bad?

Ok, maybe the analogy is breaking down.

5 minutes ago, PT said:

Anyway, both static IP and static DNS are noob moves. Pro advert scum use randomly generated multi-level DNS's on multiple second level domains with changing IP so user can't keep up with blacklisting, in such cases whitelist is a solution. Analytics collectors can learn a lot from shifty advert networks

Yet to see that, but it could be happening I guess.  Just not on any of the above, or anything I have studied.

Advertisers have a multiple decade head start on analytics though, so not surprising.

 

7 minutes ago, PT said:

We don't have cookies.

You must at least have persession cookies or you'd have to login every click!

Edited October 22, 2019 by R-T-B

[k00b]

1 hour ago, R-T-B said:

It was a casual joke.

I have zero personal concerns.  Some privacy ethics concerns, yes, but that comes from a different side of me (I work in my retirement occasionally as a freelance security consultant, see my extended post on this below).

 

oops sorry... makes you wonder what these people do with their computers huh ?

59 minutes ago, R-T-B said:

And how this all doesn't violate EU privacy laws is beyond me, my guess is they simply claim they discard data from the EU.  But I'd be a skeptic that that always happens.

it is not a "privacy violation" because it is not about the person see "metatdata" "data about data" > if was personal it wouldn't be "meta".

("personal information" is freely available by facebook anyway......................................................).

[R-T-B]

41 minutes ago, k00b said:

oops sorry... makes you wonder what these people do with their computers huh ?

it is not a "privacy violation" because it is not about the person see "metatdata" "data about data" > if was personal it wouldn't be "meta".

Good argument, until you add enough data, or more than one source.  In an age of facebook, no metadata is " meta" for very long.

This arguemebt also isn't legally sustainable in the EU anyway, due to the GDPR.  Even metadata needs consent, and it has to be opt-in, not opt-out.

As you may have guessed, if you have an actively used facebook and are concerned about this, my advice would either be to delete facebook right now, or adjust your priorities. 

I have a facebook, from old work days.  It knows my name and that's about it.  It seems to have falsely concluded that I live in Billings, Montana, and sends me stuff from there all the time.  Pretty funny.  Everyone knows I'm an evergreener, but facebook knows nothing but my name because I only told it my name.

Poor poor facebook. 

41 minutes ago, k00b said:

makes you wonder what these people do with their computers huh ?

Illegal computer crime of course...  we are all having so much fun with our fast, botnet powered KSP installs while you all live your boring, monitored, suburban life. 

(/s, obvious I hope.  It's a joke man)

Edited October 22, 2019 by R-T-B