I’ll post Epic Games' response in the thread here also.
We use a tracking pixel (tracking.js) for our Support-A-Creator program so we can pay creators. We also track page statistics.
The UDP traffic highlighted in this post is a launcher feature for communication with the Unreal Editor. The source of the underlying system is available on github.
The majority of the launcher UI is implemented using web technology that is being rendered by Chromium (which is open source). The root certificate and cookie access mentioned above is a result of normal web browser start up.
The launcher scans your active processes to prevent updating games that are currently running. This information is not sent to Epic.
We only import your Steam friends with your explicit permission. The launcher makes an encrypted local copy of your localconfig.vdf Steam file. However information from this file is only sent to Epic if you choose to import your Steam friends, and then only hashed ids of your friends are sent and no other information from the file.
Epic is controlled by Tim Sweeney. We have lots of external shareholders, none of whom have access to customer data.
Daniel Vogel, VP of Engineering, Epic Games Inc.
>The launcher makes an encrypted local copy of your localconfig.vdf Steam file.
This should not be done preemptively.
Totally agree. It is too difficult for the average consumer to find out what it does with that "local copy." Software shouldn't touch another program's file without user consent.
It's high time we started enforcing that by default at the OS level.
It’s notable that you bring this up in a news story about PC gaming, which is a prime example of why this shouldn’t be enforced. There are huge community efforts around modding games—adding features, updating old titles, improving performance, etc etc. All of this is essential to PC gaming, and all of it becomes impossible if software is sandboxed.
You can look at macOS as an example. Using the command line I start searching through my home directory. I get a pop up saying, "Terminal wants to access your Contacts: yes/no" "Terminal wants to access your Calendar: yes/no." This is the kind of behavior I think most people would like.
An example of the bad side is that Nvidia says they cannot develop drivers for their cards because Apple hasn't allowed them to (Apple develops the drivers). I technically believe they can, but they would have to make the user jump through some very unreasonable steps (reboot into a maintenance mode and disable integrity protection).
> I technically believe they can, but they would have to make the user jump through some very unreasonable steps (reboot into a maintenance mode and disable integrity protection).
Just confirming this is accurate. SIP wouldn't need to be disabled completely, just the blocking of unsigned kexts. (Apple allows you to selectively enable and disable pieces of SIP).
I don't think this would be so wholly unreasonable. The types of users installing third party video cards in their Macs are the types of users who should know how to do this. At the cost of their security, you could argue, but of course you still have normal Unix root restrictions to protect you there, as long as you're savvy enough to not grant such permissions to any random software.
You as the administrator should have the ability to change what you see fit. But a program should be sandboxed in such a way that it cannot willy-nilly obtain a copy of another program's data. I know ultimately there must be a way for it to happen, but it should be explicit. In this case, when the Epic Launcher accesses the Steam "sandbox", an OS dialog should pop up so you can allow or prevent it.
DOSBox is a sandbox and I mod DOS games all the time as a hobby. I can run modded games in Sandboxie, or in containers in Linux. I fail to see how sandboxing is at all incongruent with modding.
Unless of course by enforce you mean taking control of the sandboxing away from the user, in which case I totally agree that should not be done because I'm against that kind of user-hostile bullshit.
> Unless of course by enforce you mean taking control of the sandboxing away from the user, in which case I totally agree that should not be done because I'm against that kind of user-hostile bullshit.
Nearly every effort I've seen by OS makers to implement sandboxing by default also makes the sandbox difficult or impossible to disable. iOS, UWP, the list goes on. I agree they shouldn't be connected, but they nearly always are. And it's always done in the name of protecting users.
macOS is the one bright spot here, and even then, the new dialogs in Mojave that can't be disabled are crippling if you make heavy use of apps that need access to other apps' sandboxes. I'm convinced that if Apple moves to ARM, it will likely come with a massive tightening on user restrictions, in the name of security.
Be that as it may, we both agree that OS developers taking control away from the user is orthogonal to application sandboxing.
Sandboxing should be done, treating users like children who need to have control stripped from them for their own good should not.
If basically every example of by-default application sandboxing also results in a loss of user control, are they really orthogonal?
As soon as you implement the option at an OS level, there are going to be (many!) developers who want it enforced for all users. It's the obvious path to go down.
I'm not sure why this is the case. I don't see why you wouldn't be able to edit things that are in the sandbox (you create it in the first place, after all), whilst making sure things in the sandbox can't access anything outside it. AFAICT, it's basically just running as a different user. User user gets edit access, Epic user only gets access to its own folder.
The problem is that third-party-Dark-Souls-modding-tool.exe needs access to Dark-Souls.exe’s sandbox.
Note, I use Dark Souls as an example here (as opposed to, say, Skyrim) because Dark Souls mods were very much not developer-sanctioned at the outset. If From Software had needed to explicitly allow mods, you can bet they never would have happened.
So then you give it access. Nobody is saying that you, the user, should not have control over these sandboxes.
I think most current examples of sandboxing also imply app signing and whatever restricts users' own control, hence the confusion. Users are sometimes allowed to lift the restriction but it's mostly an all-or-nothing bet.
I am already enjoying this on my Windows Store delivered games.
You can surely think about a model of sandboxing with public and private (even internal for company wide) restrictions.
That's what UWP does on Windows. And it was immediately derided by nearly everyone for being too closed down.
That's because any benefit UWP brought was outweighed by all its drawbacks, at least for me.
UWP was broadly criticized because of how it operated. Every notification I got from UWP was something along the lines of "In order to rename this file, _____ program needs access to LITERALLY EVERY FILE AND PERMISSION AVAILABLE ON YOUR COMPUTER AND/OR HOME NETWORK"
Maybe if these notifications were less vague, they wouldn't be hounded as annoying and useless... Just saying.
Sure, but don't forget about the user consent part. Preferably with an option to give that consent just once. Otherwise, you'd destroy a whole dimension of software interoperability and end-user scripting.
This is kind of a legacy desktop issue these days. The mobile OSs and all the cloud stuff use things like containerization and chroots.
GP says it does have consent. What's the issue?
It copies the info prior to consent, just in case you might consent later.
That behaviour is a little bit gross.
I mean really, what's the difference? They can access that file at any time they want anyhow---as long as they only send it to their server after user consent, I'm really failing to see a problem here. Making a copy of one file they can already access to another place they can also already access isn't really violating anyone's privacy. It's what they DO with the information that matters.
>It's what they DO with the information that matters.
99% of end users will not be able to reverse engineer the binary and find out that copy is never transmitted. The fact it is 'touching' private files at all without any consent degrades trust.
Furthermore, if I want to delete all traces of Steam from my computer how the hell would I know there is a copy of Steam's localconfig in a different program's folder? Or what if I back up or share privately/publicly my EpicLauncher directory without realizing all my Steam contacts are in there?
But is it malevolent or just a little lazy? I can't decide.
If it were malevolent, they'd just load it into RAM and send it to the server without persisting on the drive... (and without asking)
It's probably to keep things working through a change in steam.
This is all great, but I shouldn't have to trust app makers. The OS shouldn't allow an app to read another app's data without permission. The OS also shouldn't allow an app to view what other apps are running.
Epic might be doing the right thing today. Will they tomorrow? Is every library they use trustworthy forever?
"I am altering the deal. Pray I don't alter it any further."
~ Darth Vader
You can read the changes to the ToS at www.palpatine2020.com/toremotetomakeaneffectdemonstration
I'm starting to think something like flatpak or snap is necessary, but in a more sandboxed way, to enforce on the user level that certain apps won't have access to certain files. I would like to see options to fully sandbox an app (has its own separate permissions for certain documents) or not sandbox it at all (for things we trust implicitly that need that access).
flatpak permissions + Wayland are (imo) some of the best things happening on Linux right now. You could always kind of do the same stuff with containers and custom wrappers around each program, but it's really cumbersome.
I want this to be the normal. Right now, it's basically a free for all -- record the screen, send network requests, fingerprint hardware, scan for files, examine other processes. The default, out-of-the-box security settings for most distributions are unacceptable.
I'm really excited to see that sandboxing on native is starting to move in the same direction as the web; I'm hoping that within the next year or two we start to see dramatic improvement here.
I bought Metro Exodus on Epic Games recently. It was my second experience outside of playing Fortnite on PC.
I completely understand why people do not want to pay the Steam tax, but the Epic launcher is a scummy experience. Steam is popular and has a loud following because it does not make unethical choices that annoy users. I have no issue installing multiple launchers, either, but I don't want something running on my system that operates in an unethical manner. And it's tiring how common it is for companies to operate in this way, so we, as users, have to scrutinize their behavior heavily.
1) By default, the Epic launcher appears to advertise "free games" via Windows notification (popups). I never deliberately opted in to this. When I first saw the notification, I was certain I had some sort of spyware on my system. It looked like a spammy advertisement you see in free mobile games. I don't believe even EA/ORIGIN has been gutsy enough to try something like this.
2) Epic launcher defaults to starting when Windows starts. I never explicitly opted in to this. I'm sure I "affirmed" this somehow via some kind of user agreement, but I don't ever remember seeing an explicit option.
>Steam is popular and has a loud following because it does not make unethical choices that annoy users.
I don't think that's true. I think Steam is popular because they were in the right place at the right time. Before Steam, the alternative for most games was driving to the store--that's who they were competing with. Steam has done many things to annoy users--they allow their store to be filled with absolute garbage shovelware for one.
They still thrive because of momentum. The games are there because the user base is there, the user base is there because the games are there.
It's partly first-mover advantage, but also Valve has repeatedly made moves that demonstrate their relative good will towards gamers and developers. Aside from their own (vanishingly few) games, Valve has never enforced any kind of exclusivity. You can even sell Steam keys through other vendors and Valve doesn't even get a cut. They helped launch the indie explosion in the mid oughties with their cross promotional stunts. They have so many sales, with such outrageous discounts, that many of their customers have dozens if not hundreds of games they are unlikely to ever play. Said discounts set a new bar for what a sale even looks like, with '40% off' often eliciting general consensus of 'meh'. They have more tools to try and help users find games they might like than anyone. They worked with HTC to develop new VR tech, again with no exclusivity (unlike their competition). And as every Linux gamer here should recognize: they've done more to make Linux gaming a realistic option than anyone ever, and they never charged a dime for it.
As much flak as Valve gets for not curating games and letting games with questionable content slide until some internets make a fuss, Steam is actually, objectively, really great.
>Valve has never enforced any kind of exclusivity
Because they have no need to. Why deal with the backlash when they own the market?
>They have so many sales, with such outrageous discounts
How does this demonstrate goodwill towards anyone? The developers are the ones lowering the prices for those sales. And pushing down the price of games to app store level prices isn’t something we should be celebrating. There's a very good argument that encouraging deep discounts hurts the industry in the long run.
>They have more tools to try and help users find games they might like than anyone.
What do you mean “than anyone”. Versus itch.io and the brand new Epic store? That’s not really a high bar. They could have 1 tool and that would literally be more than anyone.
>And as every Linux gamer here should recognize: they've done more to make Linux gaming a realistic option than anyone ever, and they never charged a dime for it.
They never charged a dime for it because they were trying to expand their hold over the market. This is like praising Google giving away Android. Their interest in Steam is because they were worried Microsoft was going to use the Windows store to force them off of Windows.
> Steam is actually, objectively, really great
You definitely can’t say it’s objectively great because it could be a lot worse. A single player dominating the market is almost never great for anyone.
> Because they have no need to. Why deal with the backlash when they own the market?
They didn't always own the market. Steam was not embraced by PC gamers when it debuted, yet Valve never asked for exclusivity agreements while it was growing and still doesn't ask for them even as new competitors emerge.
> What do you mean “than anyone”.
I mean precisely that, more than literally anyone else selling games anywhere at all. The fact that no one else even bothers doesn't detract from the fact that they try.
> They never charged a dime for it because they were trying to expand their hold over the market.
Years ago, that was a worthwhile argument. A happy alignment of interests. But now, when it is incredibly unlikely they're going to close the OS and force everyone into a walled garden? Seems wasteful of them to expend as many resources as they do on things like Proton.
> You definitely can’t say it’s objectively great because it could be a lot worse.
Um... what? I can't say it is really great because hypothetically it could be worse?
> A single player dominating the market is almost never great for anyone.
I don't disagree at all with that sentiment, but let's give credit where credit is due here. Valve earned their position at the top for a variety of reasons, and notably they aren't trying to use that position anti-competitively. Isn't that exactly the kind of behavior we want to acknowledge and support?
I'm not going to give Epic a free pass just because they're not Steam, especially when they pull the anti-gamer shit they pull. There's already GOG and itch.io, which I'm much happier to support if I want to support someone for not being Steam.
>They didn't always own the market.
Before they owned the market they were new and trying to win customers. Exclusivity agreements tend to happen when a previously dominant player starts to lose market share, not when a company is still in a growth phase.
>I mean precisely that, more than literally anyone else selling games anywhere at all.
That's like praising Windows PCs for having the best Antivirus software in 1997. I mean yeah you're not wrong but...
Most of Steam's competition are stores from publishers with small catalogs that don't need the kind of discovery mechanisms that Steam does. GOG has a much smaller curated selection so the same thing applies. Itch has a large catalog, but they are so small that they can't even be considered a competitor because of the network effects in Steam's favor.
>Um... what? I can't say it is really great because hypothetically it could be worse?
That sentence should have said "just because". You can't say it's objectively great just because it could be worse.
>I'm not going to give Epic a free pass just because they're not Steam
Who wants to give them a free pass? They'd probably be worse if they had a completely dominant market position the way Steam does. I don't want anyone to be completely dominant. I want competition. Their 30% cut and refusal to filter shovelware harms the industry because for 99% of indie devs, they completely control the market.
Thanks for the nirvana fallacy. The reason why steam is dominating is because they haven't fucked up yet. Competition already exists but it's going nowhere and their biggest competitive advantage is lower fees which will probably go straight into the pocket of the developer rather than result in lower prices. Steam is cornered from multiple sides and Microsoft could even completely destroy them if they wanted. In the end the customers don't benefit from the competition, they prefer their benevolent dictator over profit craving publishers.
>Thanks for the nirvana fallacy.
So a market not completely dominated by 1 player is some kind of pie in the sky utopia?
>lower fees which will probably go straight into the pocket of the developer rather than result in lower prices.
That's not how pricing works for most goods. Some money will go to consumers and some will be captured by devs. Even the money captured by devs is better for the customers than going to Steam in the long run. The vast majority of Indie devs aren't wealthy. More money in developers' pockets means more and better games.
> they prefer their benevolent dictator over profit craving publishers.
Steam is already catering to profit craving publishers. They are lowering their take for large games. The only people left paying 30% are the small indie devs.
> They have so many sales, with such outrageous discounts
That was a long, long time ago. Nowadays Steam sales are pretty mediocre and almost never the cheapest discount you can get. If you want discounts, go to IsThereAnyDeal, if you only want Steam keys, you can check that option.
That is not to say that I don't think Steam is the best launcher and storefront of all the options I've seen and used. Even if I buy a game somewhere else (including GoG), for information about the game I go to steam because it has all the info I want (and that is excluding the reviews which, as the biggest store, are also the most useful)
If you compare steam to the PlayStation Store, or the XBox marketplace, their sales are much bigger, much deeper, and much cheaper still.
Can you though? Console games have always been horrendously expensive and those are actual monopolies (I assume? Haven't had a console since the Nintendo 64) for their respective consoles.
Yes, I think you can, in the PC game market everyone is competing against steam now.
They're still setting the standard, without their deep sales every winter/summer/etc. the market would change.
> Steam has done many things to annoy users
I think people forget how much people hated Steam when it came out. I'm not sure I'd really call it "right place at the right time" either, since that sort of implies wild success pretty easily. My impression is more that Steam was 2-3 years ahead of its time but Valve believed in it and stuck through the hard times.
Here are some quotes from 2004, when Steam & Half-Life 2 were brand new:
"no one I know likes Steam at all."
"Steam is one of the worst programs I've seen in the last few years. Everyone seems to have trouble with it... why would ANYONE use it?"
"Bugs or no bugs, Steam is unacceptable IMHO."
"All hail Valve, our next Microsoft Product Activation-like overlord."
"Glad to see that they have given me an excuse to not purchase the game"
"Some ideas of Steam are nice, but I still don't like the idea of buying a product through it. Skipping the publishers is a bad thing."
"Sorry Valve, but I have no intention of letting Steam ever touch my PC."
>"right place at the right time"
By right place, right time I don't mean they started at exactly the right time, or that they achieved success quickly. I mean they were around when technology (broadband penetration, storage space etc..) finally reached the point where people were willing to buy most of their games online.
Most "instant success" stories aren't really instant.
>Steam has done many things to annoy users--they allow their store to be filled with absolute garbage shovelware for one.
I consider this to be an advantage rather than annoyance.
> Steam is popular and has a loud following because it does not make unethical choices that annoy users.
Not true. Valve fought (and lost) a drawn-out legal battle against the Australian Competition and Consumer Commission over the rights of consumers using Steam, including right to refunds: https://www.accc.gov.au/media-release/full-federal-court-con...
The outcome of this case paved the way for Steam's current refund policy.
Do you opt in to notifications on desktop apps normally? I know Steam pops up notifications when my friends play a game for example, and though I disable this I think it was enabled by default.
I have no problem with Steam's notifications since they appear for a second then piss off. Windows notifications are fucking awful. They stay in your tray with a taunting (1) symbol until you get rid of them, the collective amount of time I've wasted opening that horrible right menu and clicking away notifications must be staggering.
But one is using the system standard format for notifications, and the other one is custom. If you have a problem with how standardized system notifications are handled, that isn't really Epic's fault. Although ideally, you could choose whether to use theirs or the system's and customize the available settings for each.
I generally opt out of any kind of thing that is going to popup on my screen unannounced.
I think there is a grey area on whether those sorts of notifications you mention should be enabled by default. There is an argument to be made that they should be enabled by default, as it's basically a mechanism to train/educate the user that the feature exists. As long as they can easily opt-out.
But I do think it's a very different thing between those and what Epic is doing with advertisements regarding completely unrelated games that they want me to play/buy. It serves me no functional purpose, it only serves Epic, especially because the only reason I have Epic Launcher on my system is because it's the only way to play Metro Exodus right now; it's a means to an end.
Clarification. What is the steam tax you speak of? I understand when people use the term 'Apple tax' (for example), they're referring to a premium price on a premium product and the follow up premier prices that come with it. But as far as Steam's prices go - assuming the term is used in relation to the price of the products - I don't see any particular inflation over the price of games in a brick and mortar store. In fact, even comparing Steam prices to GOG or the Humble store, I don't think I've ever encountered any discrepancy in prices that points to a "steam tax".
I believe they are referring to the amount that the store takes out of each sale from developers and publishers, not what consumers pay.
Perhaps, but the comment is written from the consumer's perspective. Thank you for the insight, though.
note also that the steam tax is mainly fud
steam doesn't take a cut from keys you sell on your homepage or third party stores
And, importantly, their cut is completely in line with pretty much every distribution channel's cut. Notably not itch.io and now Epic.
What is Steam's typical cut?
30%-20% if the sale is through the Steam client, 0% otherwise
Neither of these items are unethical. They are just design decisions that you don’t like.
Funny, for years Steam did this too. In fact it's only recently that I can't recall seeing one of their announce popups
>1) By default, the Epic launcher appears to advertise "free games" via Windows notification (popups). I never deliberately opted in to this. When I first saw the notification, I was certain I had some sort of spyware on my system. It looked like a spammy advertisement you see in free mobile games. I don't believe even EA/ORIGIN has been gutsy enough to try something like this.
Been using steam since 2011 and I've never seen an OS level notification about ... anything. There's a window that pops up with information about current deals when you open Steam (after it's been completely closed), perhaps that's what you're thinking of?
Those deals popups are even more intrusive than OS notifications.
I'd be minding my own business on my PC, Steam minimized and not being currently used, then suddenly... popup!
I'm sure they've tuned it down since but back in the day I remember being quite offended at the manner that it was shown to me
I'm not sure what you mean by "back in the day" but for as long I can remember, those deals pop-ups have only been shown when I started Steam and opened the main Steam window. And then it isn't shown again until next time I start Steam, so if I have Steam running for 30 days, I only see it once in those 30 days—when I start Steam.
It's never popped up on me while Steam was minimized or even just unfocused.
Anyway, if it was as bad as you say, clearly Valve has learned a thing or two and dialed it back, which I think is a net positive.
In my mind, using OS notifications to advertise deals is much, much worse because we should be able to trust that our OS notifications are relevant and useful, not that they're ads and spam.
In the distant past they would spawn as an unexpected popup out of nowhere
I don't recall steam ever doing this. And I've used it since the HL2 days. Are you confusing it with the popup that shows on steam startup?
And it was/is default on.
I'm referring to the deals popup that appears in the center of the screen announcing sales. Back in the day its appearance pissed me the hell off
What popup are you referring to? If it's the login popup, that is Steam starting up at Windows startup...
He means the huge window that opens after starting steam and logging in. The window usually has multiple pages with current deals.
>I completely understand why people do not want to pay the Steam tax
According to anonymous developer comments, Epic Tax is higher than Epic advertises due to extra "associate" (or "influencer") packages that add extra 5% to 20% on top of the 12%.
> When I first saw the notification, I was certain I had some sort of spyware on my system.
Apparently you were correct, based on this story.
>Steam is popular and has a loud following because it does not make unethical choices that annoy users
VAC now reads all the domains you have visited and sends them back to their servers hashed
- Goes through all your DNS Cache entries (ipconfig /displaydns)
- Hashes each one with md5
- Reports back to VAC Servers
- So the domain reddit.com would be 1fd7de7da0fce4963f775a5fdb894db5 or organner.pl would be 107cad71e7442611aa633818de5f2930 (Although this might not be fully correct because it seems to be doing something to characters between A-Z, possibly making them lowercase)
- Hashing with md5 is not foolproof, they can be reversed easily nowadays using rainbow tables. So they are relying on a weak hashing function.
You don't have to visit the site, any query to the site (an image, a redirect link, a file on the server) will be added to the DNS cache. And only the domain will be in your cache, no full URLs. Entries in the cache remain till they expire or at most 1 day (might not be 100% accurate), but they don't last forever.
We don't know how long this information is kept on their servers, maybe forever, maybe a few days. It's probably done every time you join a VAC server. It seems they are moving from detecting the cheats themselves to computer forensics.
All game launchers will fuck your shit up except for maybe gog.
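Why an unsalted hash of a guessable value (a domain name here, or the "hashed ids" in Epic's statement at the top of the thread) hides little from whoever receives it, shown as an added example that is not part of the thread and is not Valve's or Epic's code. The candidate list, sample cache, key and function names are constructed for illustration; nothing here reflects how either client actually normalises or transmits data.

```python
import hashlib
import hmac


def normalise(domain: str) -> bytes:
    # DNS names are case-insensitive, so fold case before hashing.
    # (Assumption: the comment above only guesses that the client lowercases.)
    return domain.strip().rstrip(".").lower().encode("utf-8")


def md5_hex(domain: str) -> str:
    """Unsalted MD5 of a domain, the scheme the comment describes."""
    return hashlib.md5(normalise(domain)).hexdigest()


def keyed_hex(domain: str, key: bytes) -> str:
    """HMAC-SHA256 of a domain under a secret key (hypothetical alternative)."""
    return hmac.new(key, normalise(domain), hashlib.sha256).hexdigest()


def build_lookup(candidates, hash_fn):
    """Precompute hash -> domain for every name the receiver can guess."""
    return {hash_fn(d): normalise(d).decode("utf-8") for d in candidates}


def reverse_report(report, lookup):
    """Split a list of reported hashes into recovered names and unknown hashes."""
    recovered = [lookup[h] for h in report if h in lookup]
    unknown = [h for h in report if h not in lookup]
    return recovered, unknown


# Constructed sample data: a small guess list and a client's DNS cache.
CANDIDATES = ["reddit.com", "organner.pl", "example.com", "example.org"]
CLIENT_CACHE = ["Reddit.com", "example.org", "build-host.corp.example"]


def demo():
    # 1. Unsalted MD5: anyone with a guess list maps hashes back to names.
    report = [md5_hex(d) for d in CLIENT_CACHE]
    plain = reverse_report(report, build_lookup(CANDIDATES, md5_hex))

    # 2. Keyed hash: an outsider without the key recovers nothing...
    key = b"constructed-client-secret"
    keyed_report = [keyed_hex(d, key) for d in CLIENT_CACHE]
    outsider = reverse_report(
        keyed_report,
        build_lookup(CANDIDATES, lambda d: keyed_hex(d, b"wrong-guess")),
    )

    # 3. ...but the party that knows the key is back to case 1.
    key_holder = reverse_report(
        keyed_report,
        build_lookup(CANDIDATES, lambda d: keyed_hex(d, key)),
    )
    return plain, outsider, key_holder


if __name__ == "__main__":
    plain, outsider, key_holder = demo()
    print("unsalted MD5, recovered:", plain[0], "unknown:", len(plain[1]))
    print("keyed, outsider recovered:", outsider[0])
    print("keyed, key holder recovered:", key_holder[0])
```

A keyed hash stops an outsider who lacks the key, but the party that holds the key can rebuild the same table, so the privacy outcome depends on what is collected rather than on the hash function.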
When they're giving away award-winning games that are currently selling for $20 on Steam, is it really bad that they're letting you know?
This argument is nonsense. Perhaps they should robocall me to tell me as well?
If I want to be notified about anything (except emergencies) I should have to explicitly opt into it.
How can you complain about all these AMAZING DEALS we're offering?
>1) By default, the Epic launcher appears to advertise "free games" via Windows notification (popups). I never deliberately opted in to this.
How's that any different than steam showing popups for newly released games on startup?
>When I first saw the notification, I was certain I had some sort of spyware on my system. It looked like a spammy advertisement you see in free mobile games. I don't believe even EA/ORIGIN has been gutsy enough to try something like this.
So you're upset that the notification made you think your computer was infected? And you expect Epic Games to have foreseen this outcome?
>2) Epic launcher defaults to starting when Windows starts. I never explicitly opted in to this. I'm sure I "affirmed" this somehow via some kind of user agreement, but I don't ever remember seeing an explicit option.
AFAIK steam does the same.
Here are the default settings for a fresh steam install: https://i.imgur.com/2SNpi1O.png. As you can see, steam engages in the same "unethical" behavior as epic.
gp is referring to a Windows system notification, it appears in the bottom right. They don't look like the Epic client.
The notification related setting in your screenshot causes the pop-up window upon launching Steam. But it's a window that belongs to the Steam client. It has the obvious interface styling of Steam and is titled "Steam - News".
I agree with you that the "launch on startup" option would be better as opt-in.
I agree with gp that Windows notifications are a step worse.
edit- changed description of pop-up
>I agree with gp that Windows notifications are a step worse.
Let me get this straight: you think that showing a medium sized banner ad in a window is better than a few lines of text using the OS provided notification API? Why?
If the position was reversed, I could very well imagine the opposite argument. eg. "boo epic shows this massive ad in your face, whereas steam uses a discreet notification"
It's the same reason that nobody likes advertisements in their push notifications on their phone: it takes your attention away from the currently active program/app you're using. Steam's huge box shows up only when you intend to open steam, while Epic's Windows notification might as well pop up while you're doing your taxes.
Not who you were replying to, but I agree with him.
Notifications - whether they were intended to or not, are way more intrusive in my usual workflow, and I would posit the majority of people find it the same.
This is down to the fact that the steam popups advertising games are in the same icon and styling as the rest of steam -> i.e. You alt+tab or click on your steam icon and close or view it as clearly a steam thing. It also pops up during first start only.
A windows notification I find to be much more attention grabbing and not clearly defined as a particular program, and if I find it to be an ad, I'm immediately put out by this as I'm being advertised to by a program in my system tray, where I'm used to that being configuration info and/or notification of something minimising/complete etc.
Any information they give me through the notification tab is now in jeopardy of being ignored because I've been taught that they are ads now.
This isn't unique to steam for me, I'm totally used to programs opening up additional windows upon opening, but any programs that advertise through system notifications have long since bothered me.
It’s not the same thing at all. The advertisements on Steam show when you launch Steam. It’s practically a home screen.
The Epic ads appear to show whenever they want, even if Epic launcher is minimized to the system tray. You can be doing something entirely unrelated to Epic on your OS and it will pop up.
Steam does not do this. Either way, why do you think almost every single web browser has pop up window protection built-in?
> Let me get this straight: you think that showing a medium sized banner ad in a window is better than a few lines of text using the OS provided notification API?
Jesus fuck yes.
The OS notification system is for important stuff that I actually give a damn about, not your company's spammy bullshit. Steam shows me a window that's obviously part of the Steam client and only when I launch it. That's significantly, ridiculously, miles and miles better.
>Let me get this straight: you think that showing a medium sized banner ad in a window is better than a few lines of text using the OS provided notification API? Why?
Because the banner ad does not distract me from something else while the notification does. The banner shows up when Steam starts which means my attention is on Steam and specifically on waiting for it to start. The notifications come up any time which means I'm specifically focused on something else.
I just attempted to sign up with Epic. Only my email address had already been signed up. I used the password reset and took over the account. No games just setup with a strange name and in Thailand. Now I can’t buy games because of the country. I can’t change country. Support wants a photo of my passport, that’s not happening, to change country.
I found an article showing many email addresses had been signed up in the same way. Epic was not validating email addresses.
They’ve lost my business.
Yeah, I had the same issue, with the same name on the account. Somebody I know also had this issue, and after a few rounds of back and forth with support they managed to get the bogus account deleted, and I think their plan was to then create a new account. I was going to try logging in with my Google Account (which is the same email) but who knows if that will work or not. I think it is easier to just wait a year for exclusivity to expire. There's plenty of games out there to play.
I just discovered that I am affected by this. I might have been interested in checking out epic games store. I am utterly disinterested in uploading a passport/id or other personal data to prove I'm not from Thailand.
Seeing as the accounts seem to share the same fake name, Ican Icanaw, I suggest purging all such accounts and making people actually confirm email addresses before using them as identifiers, like adults.
This is a junior high level mistake. So basic and so bad I no longer think anyone should trust Epic to have access to credit card info.
Yeah I like competition in the market and would like to help Epic out but the way they're handling this is so poor.
Satisfactory is the game I wanted to buy but it's not worth it for me to send a photo of my passport to anyone. They fail to validate email addresses then I'm supposed to trust them with data that identifies me and could be used to steal my identity, no thanks.
Can you just delete the fake account and create a new one on your email address?
I had to do that when someone created a samsung account in my name and I couldn't change the country/language of it.
What is the incentive for people to pretend they own those email addresses?
Edit: I am affected by this issue. I am of course not dumb enough to add a credit card to the account.
If they allow you to log in via third-party authentication, like log in via Google account or log in via Facebook etc., I foresee a flow like this.
Create a bunch of fake accounts attached to various emails.
For each account periodically check to see if a new method of payment is attached to the account. When one is, immediately buy a bunch of gifts for other users that will be sold through some side channel like facebook/whatsapp/what have you. Example: make a post on any sort of forum saying "message me to buy a copy of $40 game, only $10 for the first 5 users to message me". For each user that pays, buy a game and send the legit code for the game. This trust will keep you from being taken down immediately or perhaps even at all if the user doesn't notice the losses.
This could work because a user could, say, log in via oauth via another service, link their account to the unknown preexisting account by setting the same email account. Virtually no services allow more than one account with the same email address; it's the unique key that defines the account.
As soon as they create the account the first thing they do is buy a game because most new users installed so they could buy a game from epic. They check whatever box is required to save their method of payment.
You now have an account that can be accessed via oauth via the user's preferred provider and the hacker's chosen password + victim's email address, with a saved payment method the hacker cannot access directly but can spend and monetize via side channel.
> This could work because a user could say log in via oauth via another service, link their account to the unknown preexisting account by setting the same email account.
For that to work the service would have to allow a login with email/password without verification, and then also allow oauth login to the same account.
They obviously allow account creation without verifying that user controls the email address in the first place so the second isn't much of a stretch. They are grossly incompetent.
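The precondition named in the replies above (a password signup on an address nobody proved they control, later joined by an OAuth login for the same address), written out as server-side linking policy with the weak rule beside a hardened one. This is an added example, not code from the thread or from Epic; the account store, field names and function names are all hypothetical.

```javascript
// Hypothetical account store: e-mail address -> account record.
function signupWithPassword(store, email, passwordHash) {
  if (store.has(email)) return { ok: false, reason: "exists" };
  // Nothing here proves the caller controls `email`.
  store.set(email, { email, passwordHash, emailVerified: false,
                     oauthSubjects: [], sessions: ["signup"], paymentMethods: [] });
  return { ok: true };
}

// Stand-in for a real password-hash verification.
function passwordLogin(store, email, passwordHash) {
  const acct = store.get(email);
  return Boolean(acct && acct.passwordHash !== null && acct.passwordHash === passwordHash);
}

// Weak policy: a matching e-mail is enough to attach the OAuth identity to
// whatever account already holds that address; existing credentials stay valid.
function oauthLoginWeak(store, idToken) {
  const acct = store.get(idToken.email);
  if (!acct) return { ok: false, reason: "no-account" };
  acct.oauthSubjects.push(idToken.sub);
  return { ok: true, reclaimed: false };
}

// Hardened policy: only trust an e-mail the identity provider has verified, and
// if the existing account never verified the address, treat it as unclaimed:
// drop the password, sessions and saved payment methods before linking.
function oauthLoginHardened(store, idToken) {
  if (!idToken.emailVerified) return { ok: false, reason: "idp-email-unverified" };
  const acct = store.get(idToken.email);
  if (!acct) return { ok: false, reason: "no-account" };
  let reclaimed = false;
  if (!acct.emailVerified) {
    acct.passwordHash = null;
    acct.sessions = [];
    acct.paymentMethods = [];
    acct.emailVerified = true;
    reclaimed = true;
  }
  if (!acct.oauthSubjects.includes(idToken.sub)) acct.oauthSubjects.push(idToken.sub);
  return { ok: true, reclaimed };
}

// Constructed scenario: someone else registered the address first, then the
// real owner arrives through OAuth. Values are made up for the example.
function demo(oauthLogin) {
  const store = new Map();
  signupWithPassword(store, "user@example.com", "hash-chosen-by-someone-else");
  const result = oauthLogin(store, { sub: "idp|123", email: "user@example.com", emailVerified: true });
  return { result, strangerStillIn: passwordLogin(store, "user@example.com", "hash-chosen-by-someone-else") };
}
```

Under the weak rule the earlier password keeps working after the owner links their identity; under the hardened rule it does not. Requiring a confirmed address before a password signup can log in at all removes the problem one step earlier.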
No idea. The only feasible possibility I've come up with is to damage Epic's customer relations. I don't know, maybe it was just some idiot with a list of emails and a script but no real game plan.
Here is an article discussing others with the same issue https://twinfinite.net/2019/03/psa-epic-store-doesnt-validat...
Here is the last email I got from Epic:
Jan E. March 15, 2019, 11:39 +1300 | Conversation ID: #9950515
Hi (Player's Name),
Thanks for the information!
I know how important it is for you to update and change your country to your Epic account. No worries, I got your back and I'll do my very best to assist you with your request. Additionally, I know how frustrating it can be. Please know that here at Epic Games, we are serious about the player's security and we assure you that your email address is secured as long as you keep the password updated or enable 2FA.
In order to change the country on your account I will need you to reply with an image of one of the following items with your name and address visible:
* Passport
* Personal identification
* Recent rent or mortgage statement
Any other personal information should be blacked out.
I'll be looking forward to hearing from you soon.
"No worries, I got your back - here's a canned response!"
That is by a considerable margin the most patronising, "how are you fellow kids" canned response I've ever seen.
Canned response hell. So helpful it isn't.
Are you required to prove your Country on sign up? I think not. So why all of the rigmarole to change it? I'm guessing for legal reasons.
It's because games can be cheaper in countries where the economy is weaker. $60 in USA is a standard price, but that's outrageous in Thailand, and here Epic might charge the equivalent of $30. They do not want people shopping around for the cheapest country to purchase games from.
A passport is somewhat ridiculous, as is the lack of initial email verification, of course.
Epic can report huge user growth numbers in the hot and growing Asian market to their investors.
Ah, the Twitch model -- where half of its users are spambots and the other half are viewbots.
Probably either Denial of Service or hoping a way to make money off it became available later.
Same here. Some guy in Thailand. Weird!
There are loads of people that got hit by this https://twitter.com/catahstrophic/status/1098657650575732736
This is why I use specific throwaway emails for tasks like this. Has the nice effect to keep spam confined and trackable to the service you registered to.
While it's probably not relevant anymore since you don't want to deal with them, if you are in Europe, you should be able to require that they fix the information due to GDPR. Refusal to fix information must be based on law and while IANAL, I don't think there's a law that would require them to request passport copy to fix the country. https://tietosuoja.fi/en/if-you-want-to-have-your-data-recti...
Interestingly enough I sent a Request For Correction to a company which manages a conference in Berlin.
Their response was, in summary, "thanks for your request, we need a full copy of your passport, driving licence and a recent utility bill to correct your records".
I can open a bank account with less information!
Usually this is abusive, and can be fought. Yet many companies are using this as a roadblock to slow down data requests.
The fact that they even mess with files outside their directory means any answer they give is ingenuous.
Some other steam games have much worse behavior. The EULA you had to accept for Square Enix games was so horrible that I have games purchased on my system that I will not play. I should probably ask steam for a refund.
If you want an interesting book to read, I recommend Dan Ariely's "The honest truth about dishonesty".
In particular, license agreements seem to work like disclosure he mentions. The way it works is that there is a veneer of justification that allows for all sorts of unethical behavior.
Oh dear, I have a bunch bought (mostly due to nostalgia, haven't played them on steam)
Can you give an example and the shenanigans it does?
I remember the last time I tried launching a square enix game I got to the accept dialog and read the terms and conditions.
It said they could collect basically every interaction you ever had with their games, information on your system unrelated to the game, and when agreeing it was binding, irrevocable and forever.
the current policy is here, and it is still amazing:
read the first section - they basically collect everything they can and can share it with everybody.
Note that the original reddit thread is pretty suspect and alarmist. The OP is clearly inexperienced with the process inspection tools they are playing around with. They complain about the launcher using minified JS, opening dlls, and checking root certificates among other things all of which are very normal things for a desktop application to do.
Skip the clickbaity title drama and read Epic's response, which is included a little bit lower down on the top post, before forming an opinion.
The title isn't clickbait and is the most fair phrasing possible for this situation. (the Epic response provides more sensible context for the allegations)
Stop that bikeshedding and apologism please, it's neither constructive nor relevant
I don't see what's wrong with this if they asked for permission first. I gave access to Epic Games to collect info on who my steam friends are so I could play Apex with them.
Confusing Epic launcher for Origin? Or Fortnite for Apex?
Ah I did confuse Origin Launcher for Epic. Thanks for addressing that.
Part of the allegations are that information was collected before permission was given.
I don't know if it was in response to this debacle, but Epic Games have published a public roadmap for the Epic Games launcher on Trello:
On a related note, Steam could (should?) also encrypt that data on disk, using a key derived from your Steam account ID (not your Steam password, because you may need to change the password), so that no other process can snoop on your Steam profile without your explicit consent to begin with.
The simple fact of the matter is, this shouldn't even be necessary.
An application shouldn't be sniffing the user's private data from another app without explicit permission.
This is literally the sort of thing a piece of malware would do, grab your data and upload it to the botnet...
I agree. But it doesn’t hurt to put up preemptive defense. In fact, the OS should also isolate and encrypt per-app profiles. And when one app wants to access data that belongs to another app, it should ask the user’s permission. I don’t know if any of the major desktop OSes (including Linux distros) already provide this kind of mechanism, and that it’s just the app developers not bothering to use the mechanisms.
Your Steam account ID is trivial to figure out and once you know that, you can derive the decryption key, so what's the point? Though I guess TPM could be used here..
I was assuming that your steam account ID isn’t persisted in cleartext on disk either.
Failing that, we could have a key that’s just stored on the Steam cloud and requires login to retrieve.
key wrapping works fine. massively simplified: generate random secret, encrypt data with random secret, encrypt random secret with password, store that. so when your password is updated, you only have to update the encrypted random secret, not all the files.
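The key-wrapping scheme in the comment above, as an added example that is not part of the thread or any Steam or Epic code: a random data key encrypts the files, and only that key is encrypted under a password-derived key, so a password change rewrites one small envelope. AES-256-GCM, scrypt, the blob layout and every function name are choices made for this example.

```javascript
const nodeCrypto = require("crypto");

// AES-256-GCM with a fresh nonce per call. Blob layout (this example's own):
// 12-byte nonce | 16-byte auth tag | ciphertext.
function seal(key, plaintext) {
  const nonce = nodeCrypto.randomBytes(12);
  const c = nodeCrypto.createCipheriv("aes-256-gcm", key, nonce);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([nonce, c.getAuthTag(), ct]);
}

function open(key, blob) {
  const d = nodeCrypto.createDecipheriv("aes-256-gcm", key, blob.subarray(0, 12));
  d.setAuthTag(blob.subarray(12, 28));
  // final() throws if the key is wrong or the blob was modified.
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]);
}

// Key-encryption key derived from the password; a new salt for every wrap.
function wrapKey(password, dataKey) {
  const salt = nodeCrypto.randomBytes(16);
  const kek = nodeCrypto.scryptSync(password, salt, 32);
  return { salt, wrapped: seal(kek, dataKey) };
}

function unwrapKey(password, envelope) {
  const kek = nodeCrypto.scryptSync(password, envelope.salt, 32);
  return open(kek, envelope.wrapped);
}

// "generate random secret, encrypt data with random secret,
//  encrypt random secret with password, store that"
function createProfile(password, documents) {
  const dataKey = nodeCrypto.randomBytes(32);
  return {
    keyEnvelope: wrapKey(password, dataKey),
    files: documents.map((doc) => seal(dataKey, Buffer.from(doc, "utf8"))),
  };
}

// Password change: unwrap with the old password, re-wrap with the new one.
// The encrypted files are carried over byte for byte.
function changePassword(profile, oldPassword, newPassword) {
  const dataKey = unwrapKey(oldPassword, profile.keyEnvelope);
  return { keyEnvelope: wrapKey(newPassword, dataKey), files: profile.files };
}

function readFiles(password, profile) {
  const dataKey = unwrapKey(password, profile.keyEnvelope);
  return profile.files.map((blob) => open(dataKey, blob).toString("utf8"));
}
```

Re-wrapping does not help if the data key itself, or an old envelope together with the old password, has already been copied; that case needs a new data key and re-encryption of the files.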
What happens if you have your Steam profile on multiple machines and you need to change/reset the password?
Why am I not surprised some people are already defending or at least minimizing this?
I certainly don't want one program snooping data from other installed programs without my explicit permission.
And this explains how Galyonkin knew how many of the Fortnite players had Steam installed and, specifically, were using it on a regular basis.
There's also this annoying problem with the launcher multicasting stuff on network constantly.
I mean, they're owned by Tencent and have zero experience with this outside of Fortnite. Pretty much what I expected to happen (not this specific gaffe but in general).
About what I expected. Say what you want about Steam but they made most of their most dumbass mistakes years ago and learned from them.
Any explanation on why the links for the source code on Github are dead, and the repositories are gone?
Even if you didn't install it, one of your steam friends probably did which included you with it :O
Joke's on them, I don't have any friends.
It would be Epic, if it was true.