My frustration with PC gaming
Recently, I've grown frustrated with PC gaming as a whole. I think the status quo is very concerning and it's become WAY too reliant on a select few services and distribution methods.
Ownership
First of all, you don't actually own any digital games. If your account is compromised or revoked, you're fucked. Nothing has any resale value either and they can't be used as gifts.
The death of truly offline gaming
Why the cartridge and disc-memcard era worked
There's an inherent simplicity to a plug-and-play console experience, where you can buy a game, a nice fat memory card, and just be able to go nuts. Simplicity in user experience encourages the consumer to spend more time using whatever tool they're working with.
Older consoles are inherently more secure simply because there's less moving parts and less to take advantage of. If you "hack" a PS2, there's really nothing of value to obtain outside of memory card data. It doesn't store any payment information, tokens, keys, or anything potentially risky. You can give away your PS2 to a friend and just pop out the memory card and be pretty confident it's safe. They were largely single-purpose devices designed for video games. Being able to compartmentalize a device to a single purpose like this means it's not wasting resources on delivering a subpar Netflix app or maintaining a vulnerable web browser that hackers have been able to inject code into since day one. At most, your PlayStation could play CDs and DVDs.
When internet connections were ungodly slow (or, nonexistent), there's a necessity for publishers to ship a product that consumers will be satisfied with at release rather than months down the line. This, of course, wasn't always the norm back in the day as a ton of games just released unfinished and never received any updates.
How modern consoles try to address the flaws of the older era
Modern consoles offer a handful of advantages over this approach. There are some pragmatic trade-offs that I agree with, but others that are a step back in terms of the sheer simplicity of the past.
Consoles can receive online updates for games as a compromise. This can be in the form of DLC, bug fixes, and feature updates. While there's the obvious risk of games shipping incomplete, in the best of cases it turns already really good games into better ones and gives games more longevity over time. DLC and feature updates vs. complete unchanging experiences are a trade-off in terms of priorities and one makes sense for some games more than the other. A lot of competitive games benefit from consistent balance or adding features like rollback down the road.
A great example of an eternally-buggy older game is Soul Calibur 3, a pretty decent fighter that will have its save data corrupted if you decide to remove any save data older than the SC3 data itself. It's a really nasty bug that's kind of difficult to fix when the game has already shipped out to players.
Modern consoles install their data to SSD storage. This improves speed tenfold and allows people to quickly launch their games and switch between them on a whim. There's a concern with running out of disk space, sure, but I think most people are fine with buying some extra storage if it means they don't have to wait a good 30 seconds between loading screens.
- Granted, cartridge-based systems like the Switch have decently fast read access too and make storage less of a concern.
The Xbox Series X is a HUGE positive step forward for backwards compatibility. You can throw literally any Xbox game in that thing and 95% of the time, it'll run. Backwards compatibility in general is a lot more achievable as hardware has advanced tenfold and certain aspects of past consoles can be emulated. The PS2 thoroughly emulated the PSX by having a ton of very similar hardware, but it still struggles on a handful of games. Late-gen PS3s on the other hand emulate pretty much everything to do with PSX games and it does it beautifully. As console hardware becomes more PC-like, standardized on x86, and easier to work with, emulation becomes a no-brainer with very few disadvantages.
This PC-like nature has its downsides, too. Xbox in recent memory has been really pushing to be used like one, with an app store of sorts, Game Pass expecting you to constantly cycle through and never own any of your content but just briefly access subscription-alloted games online, and mediocre "media center" functionality that's outclassed by a cheap Android stick or Chromecast or something.
PlayStation Plus is even worse in terms of game ownership than Game Pass, and Sony is very, very iffy on preserving their old catalogue of games and backwards compatibility. I get that the PS3 is ungodly difficult to emulate, but the reality still stands that there's a big gap of inaccessible PS3 games you just can't enjoy. PS3s themselves are incredibly fragile and not everyone wants to go out and buy one.
You could argue that PC gaming addresses backwards compatibility concerns by Windows having very thorough functionality built-in. Sure, yeah, absolutely. However, we're now getting into the weeds of PC game distribution.
Valve is messy
Valve has made some decent games that I don't really care that much for. However, as an actual company, I think they're incredibly fucking lazy. One of their most notable characteristics is their alleged flat organizational structure. The legend goes that Valve employees are all on the same playing field, and just decide to work on whatever projects they want without somebody looking over their shoulder. This sounds cool at least theoretically, but in reality Valve's situation is closer to an unspoken and more thorough hierarchy. Ex-Valve employees have been notorious for highlighting some of the frustrations faced within the company. While at the end of the day Valve is secretive enough that complete transparency on how they operate isn't possible, I choose to take former employees' testimonies seriously.
https://www.pcgamer.com/ex-valve-employee-describes-ruthless-industry-politics/
https://www.wired.co.uk/article/valve-management-jeri-ellsworth
I'm not only not opposed to alternative organizational structures, I'm very, very much so in favor of them. There's nothing conceptually wrong with what Valve is doing, there's something wrong with unstated power dynamics within the company and prevalent blind spots that aren't being addressed. A lot of the "old guard" of Valve ends up making certain decisions, even if they don't have an official title of sorts.
Track record of not giving a shit about your security
I want to make clear that I am NOT a security researcher. Security is not my specialty, and most of what I'm saying are just common sense infosec conclusions. There's obviously nuance to any kind of online security, and your personal threat model may be different from mine.
Valve has a history of apathy towards various software they're associated with, including frustrating vulnerabilities regarding their client.
Here, they completely disregard a severe local privilege escalation bug in the client, simply because it doesn't fit in their very limited scope of vulnerabilities they're willing to fix. There's a clear lack of care that Valve takes with these issues, and they shut down issues way too quickly on their HackerOne platform.
Here's them demanding all developers submit a phone number and utilize SMS verification, in 2023. You know, 2023. Last year, a time where TOTP has been the norm for ages. This isn't as big of a deal as while SMS 2FA is incredibly easy to exploit, it's better than nothing. However, not everyone feels comfortable just casually sharing a phone number to Valve like this. It's also not particularly scalable among multiple developers working on a game.
https://www.pcgamer.com/steam-malware-attack-new-security/#comment-jump
Here's one CVE with the Source Engine. There's a long history of Valve neglecting to patch vulnerabilities with the engine out, even when it's severe stuff that can allow for remote execution of code on a target system. Considering how many script kiddies play games like CS:GO, this is a real concern. There are other similar issues that you can search for and skim through.
https://nvd.nist.gov/vuln/detail/CVE-2021-30481
https://nitter.net/floesen_/status/1337107178096881666?s=20
Steam Deck vulnerabilities and outdated browsers
Valve's web client is a mix of their own (shitty) in-house GUI toolkit, VGUI, and a tool for in-app web browsers called Chromium Embedded Frameworks. You'll find this in a ton of applications, and it's used for really simple shit like signing into a select handful of websites and the like. I'm... not the biggest fan. I think CEF finds itself in a weird space where from an end-user's perspective it's too limited to offer much of value even browsing intended sites (like, in Valve's case, their online store page and shopping cart), and from the perspective of Valve or any other company utilizing it, they're better off not stressing about maintenance of the backend. Everyone in this situation's better off just opening shit in a normal web browser. CEF has a slow update cadence and is limited in terms of extensions and functionality in order to mitigate problems that could stem out of that slow cycle, but I for one would avoid inputting any personal info (ESPECIALLY payment information) directly into Steam's client.
https://bitbucket.org/chromiumembedded/cef/src/master/
SteamOS (3) is the operating system that the Steam Deck runs. It's based on a snapshot of Arch Linux with the KDE Plasma desktop. It's got an immutable root filesystem in order to provide image-based updates -- leading to easier maintenance and making the machine more battle-ready for tinkerers and tweakers.
The problem, is that SteamOS 3 seems to be frustratingly poorly designed in a lot of ways. The OS itself doesn't really get any updates -- not even basic security patches. While I partially blame Arch Linux for not allowing the user to separate security and feature updates, with their approach being just shipping everything together from upstream, it's ultimately up to Valve to continuously deploy updates to their OS image. There are a million tools to handle this, and I highly doubt they don't have some form of CI/CD system to help speed the process up. Most of the time, SteamOS updates are just updates to the Steam client itself and minor tweaks like fan curve defaults improving.
Valve targetted a random kernel release that they've most likely backported their intended fixes onto. While I understand being reluctant to run the latest bleeding-edge kernel, there are better options than just shipping a random snapshot. LTS kernels exist for this specific reason: to allow more conservative Linux distros to still receive security backports and crucial bug fixes. Valve's approach keeps them vulnerable and prevents the Steam Deck from supporting drivers that have come out since that old kernel release. I think it's important that a gaming handheld receives proper kernel updates simply because a lot of controllers may just not work out of the box until a more recent update.
SteamOS has shipped an old version of Firefox for ages. Outside of Firefox being inherently more insecure than its Chromium friends, which may or may not matter depending on your threat model (I personally am a happy Firefox user and it'll take a miracle to get me to switch), shipping an old version of it is probably the worst decision. Web browsers are the most important and most vulnerable part of a desktop computer, and need to be properly secured. You can imagine that a lot of Steam Deck users briefly logged into Firefox in order to make a game purchase or do something similar. Maybe they checked their email. You get the idea.
If you want to learn more about Gecko's issues compared to Chromium, look here. Again, I'm not telling you to just switch to a different browser, but you should be aware of the trade-offs you make with the software you use.
https://madaidans-insecurities.github.io/firefox-chromium.html
I could forgive a lot of this if Valve didn't openly market the Steam Deck as a full PC, showing people doing real work on the thing like any other machine. I'm happy that desktop Linux is in the hands of more people, but it needs to be done better.
Weird maintenance approach?
This is less an immediate security issue, but always concerns me about how Valve is maintaining their service: they have this weird policy of shutting down every Tuesday evening Pacific, without any visual warning within the client itself. There are horror stories of people making purchases on maintenance day and not having it process correctly. It's also just not reasonable to power down your service entirely like this in 2024. Most online services, ESPECIALLY ones that offer social functionality like chats and online gameplay, need to be always-on. We have a million tools to handle stuff like this, and I refuse to believe that Valve can't roll out some kind of high-availability setup to address this issue. Like I mentioned earlier, I think some of these things are just the old guard of Valve that won't really ever move past dated policies like this.
Which leads to my last point:
You're putting all your eggs in their basket
All of the things I've pointed out might seem like nitpicks to you, but as a whole, they hurt my confidence in Valve and willingness to spend money on their platform. I don't feel comfortable that my game library will last and even that my account is safe. I don't think I'm being a tinfoil hatter by saying that out of all the game distribution vendors, I wouldn't be surprised at all to see some kind of Steam data breach.
The DRM present on Steam and the requirement of being online AND have their server accessible deters me from using their platform.
The problem is, on PC,
Everything else sucks in different ways
GOG and Epic Games have atrocious UX and pretty much everything else has a lot of the same concerns and issues that Steam does. It's so fucked up how many launchers and game stores we have, but that they're all problematic in some ways.
GOG does answer a lot of my concerns as you can entirely bypass their services and just use their installers normally. However, controller support and functionality pales in comparison to Steam Input and their Linux support is nonexistent (which is not to say necessarily that games won't run on Linux, just that they won't help you).
Windows as a development target and its risks
DirectX is a very well-documented API and most PC game developers are trained to work with its tooling, if any. It's good, but it's also owned and controlled by Microsoft. API changes and new extensions can fuck over Steam Deck/Linux users relying on the DXVK translation layer and WINE.
Microsoft isn't your friend and they have a history of sometimes enshittifying software. The fact that the PC games industry revolves around their product concerns me as kernel-level anticheat can lock PC gamers into an uncomfortable future that's Windows-only and a Windows that's limited in terms of functionality. A lot of anticheat software will block tools gamers love like GPU overclocking software, and they'll become more and more restrictive as a misguided measure to crack down on cheaters.
Subjective: I'm not interested in PC exclusives
Almost every game I am interested in is a multiplat release nowadays, and PlayStation offers a handful of interesting exclusives. I wouldn't really be missing anything moving to console personally, and I'd argue that most interesting games hit consoles either first or simultaneously with PC. Of course, this is a matter of opinion.
Moving on
I'm not leaving PC gaming entirely. I have a beefy workstation PC, and a Steam Deck. You're crazy if you think I'm giving all that up. However, I've been trying to use my PS5 more and build up my modest collection of PS4/PS5 games. I think that I'm more comfortable on a more focused experience without a lot of the headaches of Valve and other PC gaming concerns.