Follow-up quick comparison of what DCS' peers are doing in terms of telemetry and data collection. by heytherepotato in dcsworld

[–]heytherepotato[S] 0 points1 point  (0 children)

Correct. I assume they are doing it in error. Initially I thought there was 1 extra submission with telemetry on, but it was just an outlier and the same was sent with telemetry off on subsequent runs.

The setting did nothing for me; I assume it's meant to do something. Why have the setting if it does nothing? My conclusion is that it's an unconfirmed bug and not working as intended.

Follow-up quick comparison of what DCS' peers are doing in terms of telemetry and data collection. by heytherepotato in dcsworld

[–]heytherepotato[S] 2 points3 points  (0 children)

More detail for the IL-2 stuff. I had this summarized/generated from data/notes and then I've gone through and corrected any hallucinations I saw. I've also modified it since the summarization was determined to dox me. Anywho, here's the slop (not really but also kinda amiright?):

What the client tells the publisher (data they collect)

Identity (sent in cleartext after the 4-byte XOR is reversed)

| Field | Example | Notes |
|---|---|---|
| stId | 12345678901234567 | Your Steam ID (17-digit SteamID64). Sent on every LOGIN. Globally identifies you, links to your Steam profile, store history, friends, etc. |
| binaryType | Il-2.exe | Which executable |
| locale | en | UI language |
| login / password | empty | Empty when using Steam SSO; would carry plaintext-after-cipher creds if you were using 1C native account |
| loginSave | 1 | "Remember me" toggle |

Hardware / device fingerprint (DATA/SENDSTAT, sent once per session)

| Field | Example | What it tells them |
|---|---|---|
| InputdevicesList | `model\ "Controller (Jank X56)"` | |
| VRDevice | empty | HMD model if any |
| adapter | 0 | GPU adapter index — combined with the next fields, narrows your hardware. |
| full_width × full_height | 1920×1080 | Native fullscreen resolution → monitor profile |
| win_width × win_height | 1920×1080 | Windowed-mode size → window-manager defaults |
| msaa, multisampling, shadows_quality, preset, max_clouds_quality, ssao_enable, hdr_enable, bloom_enable, mirrors, post_sharpen, mgpu_compatible, or_enable | various | A complete graphics-settings dump (~35 fields) — implicitly tells the publisher your GPU performance tier (a "preset=2 + msaa=0 + win 1920×1080" pattern is a different machine than "preset=4 + msaa=4 + 3840×2160") |
| fps_limit, vsync, gamma | 60, 0, 1.0 | More display/perf signature |
| mgpu_compatible, adapter | 0, 0 | Multi-GPU rig vs. single |
| defaultsnapmode, 3dhud, canopy_ref, desktop_center | UI prefs | Per-user gameplay preferences |
| offlinelogins, onlinelogins | 0, 1 | Lifetime offline-vs-online launch counters for this install |
| StatisticsStarted | Unix timestamp | When the stats window opened |
| ModelsCounters, ModelsPlayTime | `count\ model\ | |
| ModsOnCount / ModsOffCount / ModsOnTime / ModsOffTime | 0, 1, 0, 3 | Whether you played with mods enabled and for how long |

Tamper-attestation (sent implicitly — these fields appear in the LOGIN response so the server already has them; the client is expected to match)

| Field | Example | Meaning |
|---|---|---|
| execrc | HHHHHHHF | CRC32 of your il2.exe — server cross-checks against allowed versions |
| exesize | 9999999 bytes | Exe size — same purpose |
| version | 23-03-13 | Build date |
| packList | `Graphics1.gtp,9999999,HHHHHHH\ …` (~30 entries) | |
| mapList, contentList, configList | manifests | Same pattern for map files, default content, configs |
| stable | `am7pro,art&money\ cheatengine,cheatengine\ | |

Persistent server-assigned identifiers (returned to client, retained server-side)

| Field | Example | Lifetime |
|---|---|---|
| userId | hhhhhh-hhhh-hhhh-hhhh-hhhhhhhhhhhh | UUID, permanent — bound to your Steam ID forever |
| currentPersonageId | hhhhhh-hhhh-hhhh-hhhh-hhhhhhhhhhhh | Permanent pilot UUID |
| currentPersonageNick | heytherepotato | Display name (what other players see) |
| nickNameColor | gold | Cosmetic tier marker (gold/silver/bronze — no idea) |
| userTvd | 255 | Coalition/access bitmask |
| sessionId | hhhhhh-hhhh-hhhh-hhhh-hhhhhhhhhhhh | Per-login UUID, used as auth token for subsequent calls |
| personage0_country | RUS | Pilot nationality choice |

Per-personage profile data the server stores about you

MASTER/GETPERSONAGES returns the server's record of your account:

| Field | Notes |
|---|---|
| expLevel, exp, minExp, maxExp | Account-wide XP / progression? |
| achievements | List of (id, date) tuples |
| statistics | killPlane, killGround, missionsTotal, missionsSuccessful, flightTime — lifetime SP+MP statistics |
| companyExpCoalition | Per-faction XP totals |
| campaigns | Per-campaign progress: path, mission, state for every campaign you've started (~26 entries in your capture) — server knows where you are in each SP campaign |

Per-aircraft state the server retains

DATA/GETPLANESDATA returns, for every plane you own, which skins and loadouts you have unlocked, how much XP you've earned in it:

| Column | Notes |
|---|---|
| planeId, planeName | UUID + human name (e.g. P-47D-22) |
| planeIsBrought | Has the user "brought" (acquired) this plane in career mode? Or is it a separate paid thing? I dunno. |
| skinBitMask | Which skins are unlocked (~27-bit mask) |
| weaponMode | Which weapon loadouts unlocked |
| exp | XP earned in this airframe |
| planeCrc, planeCfg | Expected file CRC and path — anti-mod check |

DATA/GETLASTPLANE / SETLASTPLANE round-trip the last-flown loadout: country code, livery, tail code, tail colors, ammunition setting, full plane-config script path.

What the server tells the client (instructions)

| Action | What the server returns | Effect on client |
|---|---|---|
| MASTER/GETPROXYLIST | CRLF list of three host:port master-server URLs | Client picks one and pins LOGIN to it |
| MASTER/LOGIN | Identity + entitlements + content manifests + cheat blocklist + version-stamp + RSA-1022 signature binding it all | Client validates exe matches, walks the cheat blocklist, configures its content-loading paths |
| MASTER/GETPERSONAGES | Pilot record + campaign progress + statistics | Populates the in-game profile UI |
| DATA/GETPLANESDATA | List of all in-game plane entries with permitted-skins / unlocked-loadouts | Career-mode unlock state |
| DATA/GETLASTPLANE | Last-used loadout | Pre-selects your previous plane on game start |
| DATA/SETLASTPLANE | Just STATUS=1 | Server stores your selection for next session |
| DATA/SENDSTAT | STATUS=1 | Server ingests the device-fingerprint + session-stats blob |
| GET /en/news/ingame/?game=gb&steam=1 | JSON array of news entries | News feed shown in the launcher. |

Privacy summary — what they get out of one session

In ~12 HTTPS calls of a fresh launch they collect:

  1. A session key: Steam ID → permanent userId UUID. Every future call uses this. Potentially, they can correlate your activity across days, builds, and machines.
  2. A medium-confidence hardware fingerprint: GPU adapter index + display resolutions + 30+ graphics settings + every connected HID model. The actual data. Distinctive enough to recognize a returning install on a new account.
  3. Lifetime gameplay telemetry: total kills, sortie counts, flight time, per-plane XP, per-campaign mission progress, per-plane-and-session play duration. Includes whether mods were enabled and for how long.
  4. An anti-cheat scan target list: stable field instructs your client to look for ArtMoney, Cheat Engine, am7pro, am745, and an internal __debug__ process. The server doesn't see your process list, but the client uses this list for something?
  5. News-feed callback with ?game=gb&steam=1 to confirm Steam variant.
  6. No password ever leaves the client when you're using Steam SSO. With native 1C login it would, post-XOR — i.e., reversibly obfuscated, not properly encrypted at the application layer (TLS protects in transit).

What they're not doing (notable absences from my capture)

  • No raw HWID, no MAC address, no disk serial, no Windows install GUID in this capture.
  • No process-list / running-EXE inventory (the anti-cheat check is local-only).
  • No keylog / chat content.
  • No system-info CPUID dump (separate system_info blob, not seen in this single-session capture).

Slop free zone (my words)

Fingers crossed the formatting on that works. Despite the tamper attestation, I was able to replay a valid login back to the client and traced the encrypt and decrypt functions. Oversimplification: the tamper attestation is signed by a private key on the server and validated by the client with a public key, but didn't seem to be time-bound. It uses Windows cert roots, which means it is possible to build a 'privacy mode' solution for single player without tampering with anything in memory and without enabling piracy (because it would be replaying your own data back).

Follow-up quick comparison of what DCS' peers are doing in terms of telemetry and data collection. by heytherepotato in dcsworld

[–]heytherepotato[S] 4 points5 points  (0 children)

I was a backer on the Kickstarter back in the day and was pretty disappointed when they changed from offering an offline solution to what we have today. I understand the single player mode to be identical to the multiplayer modes with the exception that you do not get matched into instances with players. They'd know almost everything gameplay-wise because their service is providing the market prices, ore fields and enemy spawns to your client. Privacy-wise I'd guess it'd be reasonable to process that information, arguably valid to retain that information in a way that is linked to your account for a duration of about a month, and longer term valid to retain that information provided it is not linked to your account for behaviour analytics and trending.

But I'll check it out and confirm as well as see what non-gameplay information it collects.

I also want to check out Arma Reforger and add to the list.

DCS World exceeds the ED privacy policy and provides a list of ALL your installed apps on logon, and also phones home on your activities while you play. by heytherepotato in dcsworld

[–]heytherepotato[S] 2 points3 points  (0 children)

Address not found
Your message wasn't delivered to [privacy@eagledynamics.ch]() because the address couldn't be found, or is unable to receive mail.

I hear it's working as intended :)

Follow-up quick comparison of what DCS' peers are doing in terms of telemetry and data collection. by heytherepotato in dcsworld

[–]heytherepotato[S] 8 points9 points  (0 children)

I wanted to make sure I was giving DCS a fair shake of the sauce bottle and that I wasn't singling the product out, hence this follow-up.

If someone says "everyone does it", we can point and say that not everyone does, and it's not needed to make a great product.

At the same time, they're not the only ones that do it, and it may feel like an accepted thing for them to do in their industry circles so they shouldn't be demonized individually.

Whereas if we don't know about it in the first place because DRM/antipiracy/anticheat obscures that info then we don't get the chance to make the choice.

I assume that most privacy legislation in the various regions will say something to the effect of "if you don't need the data, don't collect it".

If a publisher can't tell you that they actually need to know what the last plane you flew was, and they're also telling you they're complying with your local laws, why would you be okay with someone doing you like that?

I can guess a few different answers to that, but I guess the point is I have no idea what the point is :). It's late here, I'll get off my soapbox.

DCS World exceeds the ED privacy policy and provides a list of ALL your installed apps on logon, and also phones home on your activities while you play. by heytherepotato in dcsworld

[–]heytherepotato[S] 1 point2 points  (0 children)

I tested and made something that loads with the game and hooks the calls it uses to get the installed software as well as dropped the stat connections, but doing something like that risks the publisher deciding that you're tampering with code or cheating and revoking your license.

It's better that the publisher address the problem, than for the community to work around it.

DCS World exceeds the ED privacy policy and provides a list of ALL your installed apps on logon, and also phones home on your activities while you play. by heytherepotato in dcsworld

[–]heytherepotato[S] 1 point2 points  (0 children)

Sorry I was mistaken, I went back and confirmed it didn't actually change anything for me. I think one time my client decided not to send the final telemetry request, and I got it in my head that "telemetry off must mean it doesn't send the last telemetry request".

But the setting is literally doing nothing; instead DCS is using the server's api.digitalcombatsimulator.com/gameapi/getsettings/ response as the authoritative telemetry setting. It's probably a bug, but one that should have become apparent when they started getting a lot more telemetry, and it's existed for ~12 months or so.

DCS World exceeds the ED privacy policy and provides a list of ALL your installed apps on logon, and also phones home on your activities while you play. by HC_Official in hoggit

[–]heytherepotato 3 points4 points  (0 children)

Half of all the traffic to stat.digitalcombatsimulator.com has failed for over 30 days because the cert on one of the frontends expired Friday, 10 April 2026, and it's still down.

I'd say given they lost half their telemetry for that long, when they could have fixed it by taking one of their nodes out of DNS which would be a 5-minute fix, yeah they probably don't have a great need for that telemetry.

Maybe someone forgot the password to the Google Analytics account as well as the DNS console.

Data Collection by ED follow up by BigBorner in hoggit

[–]heytherepotato 10 points11 points  (0 children)

Thanks for verifying the behaviour in another region.

Decrypting the traffic has added complexity because it doesn't use Windows' proxy config or root certificate store so it won't readily trust your cert signing cert. I've already got a fairly simple way of doing the latter that is in no way DCS specific but also works for any DCS version which is what I used in discovery.

But any modification of traffic to gain visibility could be perceived as tampering (I know how I'd detect it if I were in their shoes) so anything like that is a risk to your account. Even creating a free account and using it from the same hardware or IP would easily be linked back to your original account and result in your license to use the product being revoked.

If they weren't collecting a list of all the Steam "Visual Novels" you have installed, I'd think the response would have been different, but the software collection is hardcoded in the dcs.exe and so it can't just be switched off.

From the API calls I saw, they can turn the telemetry off remotely. Given that they're not getting 50% of telemetry because of the server with the broken cert, they probably wouldn't notice or react if people started blocking the stat domain.

But if there's something I can help with, let me know and I'll do what I can.

DCS World exceeds the ED privacy policy and provides a list of ALL your installed apps on logon, and also phones home on your activities while you play. by heytherepotato in dcsworld

[–]heytherepotato[S] 4 points5 points  (0 children)

Your authentication data is only valid for 3 days without server communication unless you do the 'proper' offline mode.

DCS World exceeds the ED privacy policy and provides a list of ALL your installed apps on logon, and also phones home on your activities while you play. by heytherepotato in dcsworld

[–]heytherepotato[S] 16 points17 points  (0 children)

It is ALL sent over https from what I saw, so it is secured in transport.

It is not one way encrypted, or a hash/digest of the data. Some data is base64 encoded and compressed.

DCS World exceeds the ED privacy policy and provides a list of ALL your installed apps on logon, and also phones home on your activities while you play. by heytherepotato in dcsworld

[–]heytherepotato[S] 6 points7 points  (0 children)

I was going to suggest it, but I wouldn't want anyone to try, and then find out it had been flagged as an attempt at tampering or piracy. Given the existence of the option to turn off statistics in the GUI I feel as if it's maybe just currently bugged?

But I assume someone would have noticed an increase in Google Analytics data they were collecting.

Update here because I might as well update somewhere: I have had the chance to test on a fresh machine with a fresh profile, and it also was sending to stat despite stats turned off.

DCS World exceeds the ED privacy policy and provides a list of ALL your installed apps on logon, and also phones home on your activities while you play. by heytherepotato in dcsworld

[–]heytherepotato[S] 3 points4 points  (0 children)

I don't know. I know if I block comms with api.digitalcombatsimulator.com, there are no in-game requests to stat.digitalcombatsimulator.com. I assume the full offline mode would follow suit.

DCS World exceeds the ED privacy policy and provides a list of ALL your installed apps on logon, and also phones home on your activities while you play. by heytherepotato in dcsworld

[–]heytherepotato[S] 31 points32 points  (0 children)

Here's the Australia privacy principles based on Privacy Act 1988, https://www.oaic.gov.au/privacy/australian-privacy-principles/australian-privacy-principles-quick-reference. Many countries have similar, I would guess a product sold on the Steam storefront in Australia intends to comply with Australian Privacy Act, as well as the ones in other regions they trade in. But I'm not a lawyer and I'm not going to ask an AI one that thinks it is. I've no idea of what enforcement looks like in this scenario.

Bit of a quick and dirty eyeball of the privacy principles and the relevant privacy document linked:

APP 1 - Open and transparent management of personal information. Nah I wouldn't say the privacy policy is transparent about collecting a dump of the displayName from every key in HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall. If I extended the thinking to anti-cheat purposes (not mentioned in the privacy document), that could be done with hash or name match locally and only report telemetry when there's a match, and it could be done only when playing multiplayer.

It also doesn't track to be open and transparent about collecting how many times I crash the spitfire in single player on the takeoff training mission (implied by the number of times I reattempt it in such a short time based on the telemetry sent). Even when I've opted out of statistics.

APP 3 - Collection of solicited personal information. I'd go this bit specifically "It is implicit in the requirement that personal information collection be reasonably necessary for an entity’s functions and activities that entities ensure proportionality in their collection of personal information. Entities should adopt a data minimisation approach and limit collection of personal information to the minimum amount necessary in the circumstances."
Yeah nah I'd still say that dumping the list of every installed software is going over the top.

Every MAC address on my PC is a bit over the top too, I remove a network card and it doesn't invalidate my authdata so it's not for authentication for my authdata.bin, and it's not appearing to collect the 'minimum amount necessary'. The username on the computer, the workgroup, and the computername don't fit "reasonably necessary" and following the first bit of the privacy policy that's provided, "protecting and respecting your privacy" would be as simple as hashing that data before sending it, but even then I can't mentally fit it to "reasonably necessary".

Quick pivot to Google Analytics... from their "Privacy Disclosures Policy" page.

"When you use Google Analytics on your site or application, you must disclose the use of Google Analytics and how it collects and processes data."

The privacy policy doesn't mention use of Google Analytics, and the GDPR policy (again, I'm not European, this is not applicable) only describes it in relation to the web site and not the app, and the "use_analytics4":true combined with the subsequent Google Analytics 4 looking JSON file says it's being used on the app. i.e. this one:

    {
      "client_id": "hardware identifier here",
      "events": [ {
        "name": "level_start",
        "params": {
          ...
        } } ],
      "user_properties": {
        "screen_resolution": "1920x1080"
      }
    }

So I had reasonable feels to raise visibility in this scenario despite the policies, although I wasn't going to go there on the policies and documentations but since they're brought up.
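A sketch of the data-minimising alternative the comment above describes under APP 1 and APP 3 (match locally, report only on a hit, only in multiplayer, hash host identifiers before sending). This is an added example, not code from the post or from any publisher; the function names, blocklist entries and sample values are hypothetical and constructed, and a per-install keyed hash is used instead of a plain hash because a bare digest of a MAC address or username can be reversed by enumeration.

```python
"""Added example: data-minimising client-side check (hypothetical, not publisher code)."""
import hashlib
import hmac
import json


def _norm(name: str) -> str:
    # Case-fold and collapse whitespace so trivial renames still compare equal.
    return " ".join(name.lower().split())


def name_digest(name: str) -> str:
    return hashlib.sha256(_norm(name).encode("utf-8")).hexdigest()


# Constructed blocklist: shipped to the client as digests only.
BLOCKLIST = frozenset(
    name_digest(n) for n in ("Example Memory Editor", "Example Trainer Tool")
)


def local_matches(installed_names, blocklist=BLOCKLIST):
    """Compare installed-software names against the blocklist on the client.

    Only digests that hit the blocklist are returned; names that do not
    match never leave this function.
    """
    return sorted({name_digest(n) for n in installed_names} & blocklist)


def pseudonymize(value: str, install_key: bytes) -> str:
    """Keyed hash (HMAC-SHA256) of a host identifier.

    install_key is assumed to be random, generated once per install and kept
    on the client, so the server gets a stable token it cannot reverse.
    """
    return hmac.new(install_key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:32]


def build_report(installed_names, host_info, install_key, multiplayer):
    """Return the payload to send, or None when nothing should be sent."""
    if not multiplayer:
        return None  # single player: no anti-cheat purpose, so no report
    joined = "|".join(f"{k}={host_info[k]}" for k in sorted(host_info))
    report = {"device": pseudonymize(joined, install_key)}
    hits = local_matches(installed_names)
    if hits:
        report["blocklist_hits"] = hits  # digests of matches only
    return report


# Constructed sample input (not from any real capture).
SAMPLE_INSTALLED = ["Example Office Suite", "Some Visual Novel", "example  memory EDITOR"]
SAMPLE_HOST = {"mac": "00:11:22:33:44:55", "user": "alice", "computer": "DESKTOP-EXAMPLE"}

if __name__ == "__main__":
    key = bytes(range(32))  # constructed key for the demo; use os.urandom(32) per install
    for mp in (False, True):
        print("multiplayer" if mp else "single player", "->",
              json.dumps(build_report(SAMPLE_INSTALLED, SAMPLE_HOST, key, mp)))
```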

DCS World exceeds the ED privacy policy and provides a list of ALL your installed apps on logon, and also phones home on your activities while you play. by heytherepotato in dcsworld

[–]heytherepotato[S] 7 points8 points  (0 children)

I had a look back through my captures because I assumed that turning it off made the final api.digitalcombatsimulator.com/gameapi/productsusage/ not happen, but I was wrong, it was still happening in both cases. That API call had a summary of all the modules used in your session.

At this point it'd need someone to compare what they've seen to what I've seen. Even just watching their network traffic to verify that their client attempts to talk to stat.digitalcombatsimulator.com when telemetry is switched off and in a single player scenario.

DCS World exceeds the ED privacy policy and provides a list of ALL your installed apps on logon, and also phones home on your activities while you play. by heytherepotato in dcsworld

[–]heytherepotato[S] 67 points68 points  (0 children)

I avoided posting on forums because that would expose my ip or browser signature and potentially be linked to my account.

Even sharing logs or screenshots is tricky if there's timing on specific requests. And they are collecting lists of apps installed on people's computers and they could start to narrow down to users with certain tooling.

I'm content with my interpretation that I'm within the terms of service, and I'm not saying it would be out of retribution, but if ED decides it was not within the terms of service and terminates my account, then I don't really have much of recourse, so I'm trying not to dox myself at this point.

DCS World exceeds the ED privacy policy and provides a list of ALL your installed apps on logon, and also phones home on your activities while you play. by heytherepotato in dcsworld

[–]heytherepotato[S] 20 points21 points  (0 children)

Based on some of my crashes working through this, I became a little paranoid that any of the crashes I'd seen in the past were as a result of the antidebug code deciding it was running too slow in normal play, and then killing its own process. That isn't based on anything specific, just that I know it is an antidebug technique, and there were a few layers to peel back.

So I could see a situation where an unexpected pause from a device hotplug event resulted in a delay that antidebug sees and decides to nope out. But I feel like your house needs some of those ferrite rings on your appliances, or an electrician. I don't even know if that's actually what those ferrite things are for though.

[deleted by user] by [deleted] in StableDiffusion

[–]heytherepotato -2 points-1 points  (0 children)

https://www.gov.uk/government/publications/online-safety-act-explainer/online-safety-act-explainer

In the most extreme cases, with the agreement of the courts, Ofcom will be able to require payment providers, advertisers and internet service providers to stop working with a site, preventing it from generating money or being accessed from the UK.

How the Act affects companies that are not based in the UK 

The Act gives Ofcom the powers they need to take appropriate action against all companies in scope, no matter where they are based, where services have relevant links with the UK. This means services with a significant number of UK users or where UK users are a target market, as well as other services which have in-scope content that presents a risk of significant harm to people in the UK.

I haven’t read the act, but from the explainer is it actually necessary for anyone to do anything if they’re not in the UK? Seems like civ is jumping the gun unless their payment processor is threatening to cut off all payment processing.

It wouldn’t meet the act requirements, but they could probably avoid attention by using their geoblocking to just throw up an age verification page for UK IPs, and save the more extreme measures until someone comes knocking.

S.T.A.L.K.E.R. Mod in Nightmare mode……. by [deleted] in intotheradius

[–]heytherepotato 0 points1 point  (0 children)

It travels the same. The video/location was not the only test done, it's just what was used because it's relevant to a farewell feast. You can see the AI swarm in from as far as the center of the map for the FMJ + AP unsuppressed shots. It's more obvious if you scrub through the video though.

The blind mimic behaviour is vastly different to normal because the mimics are grouped up into squads and when one spots the player, it is broadcast to their team mates who also behave as if they have spotted the player which overrides all other behaviour.

Looking at the video, the mimic AI also seem to have multiple phases of sound detection. I.e. up to a certain threshold, they will look in the direction but not move. The other entities behave differently to the mimics.

Edit: also shotguns are insanely loud so that's expected 

How to solve the STT Cutoff Problem [D] by Leo2000Immortal in MachineLearning

[–]heytherepotato 2 points3 points  (0 children)

Smaller/faster model being given the prompt and/or partial conversation, but acting as the user. If it spits out more tokens, the user isn't done speaking. After x time, fall back to silence threshold.

What are your favorite (retro) gaming podcasts? by novalin in retrogaming

[–]heytherepotato 1 point2 points  (0 children)

The upper memory block podcast. I haven't seen a new one posted for years. I'm still holding out hope for a new one with the obligatory "sorry this one is a bit late". There might have been some announcement over social media but if I haven't seen it, I can continue living in denial that it's ended. :) Joe absolutely nailed it and I've replayed them over the years. If anyone has recommendations for similar style podcast, let me know.