Screw client side anti-cheat, fix your goddamn server code.
I’m reminded of a case in Apex Legends where cheaters started dual wielding pistols, despite dual wielding not actually being a game mechanic. That should be something you can easily detect on your server and block.
Client side anticheat is just smoke and mirrors and lets developers think they can get away with not doing their job of writing secure code.
I’m honestly surprised that with all this concern about privacy against Google, Microsoft, Epic, and so on, gamers are willing to just let these games have unrestricted and unchecked access to all your internet, microphone and camera data.
Likewise, despite how much gamers call games “broken glitchy messes”, they are perfectly willing to give them enough hardware access to literally destroy your computer.
Server side anti cheat can’t distinguish good players from aimbots.
I’ve been thinking about this, and I wonder how accurate this is. I think overuse of all this modern AI nonsense is a problem, but wonder if this might be a good use case for it.
A big game will probably have huge amounts of training data for both cheaters and non cheaters. An AI could probably pick up on small things like favouring the exact centre of the head or tracking through walls.
If a user has a few reports of aimbotting, just have this AI follow them for a bit and make a judgement.
It’ll get it wrong sometimes, but that’s why you also implement a whole appeals process with actual humans. Besides, client side anticheat systems also have a nasty habit of mistakenly banning people for having specific hardware/software configs.
However, I would like games to come with servers again so you can play games on your own terms
Please! Not just for anticheat reasons, but also for mods and keeping the game playable when the publishers decide it isn’t profitable.
However, I would like games to come with servers again so you can play games on your own terms
Please! Not just for anticheat reasons, but also for mods and keeping the game playable when the publishers decide it isn’t profitable.
The problem is that having an essential component of the game run on servers that only the publisher has access to is also a pretty effective way to do DRM, so they’ve got a pretty strong incentive not to do that. It’s a lot easier to ensure that someone paid for an account on publisher-run servers than that someone paid for a copy of the server and client binaries that they are in possession of.
I’m a Linux gamer, every few weeks there’s a story in the news about how some random update to anti-cheat ending up banning Linux/Steam Deck users, it’s not a problem unique to AI. AI finding false positives will happen, but that’s where the “human in the loop” appeals process happens.
Some games do employ new tactics. For example, when the game suspects you’re cheating, it’ll spawn fake opponents only you can see and check if you try to interact with them. This will defeat most wallhacks and maybe even a few aimbots.
This is the kind of cool things that they should be doing! Try new and interesting things instead of trying to brute force anti-cheat by putting restrictions on what people can do with their computers and forcing a narrative where cheaters only exist because you weren’t strict enough.
In case of CS2, it doesn’t even ban people who teleport behind you at the first second of the round. Or killing everyone through the whole map like here (Reddit): link
Server side anti cheat can’t distinguish good players from aimbots.
Neither can a rootkit, which should be unconditionally illegal and send CEOs to jail for putting in their product. There are no exceptions and no scenarios where it can possibly be acceptable for a video game to access any operating system anywhere near that level. Every individual case should constitute felony hacking, with no possibility of "user consent" being a defense even if they do actually clearly and explicitly ask for "permission".
If you want that, I kind of feel like the obligation should be placed on the OS (or maybe Steam or similar distribution platforms) to do sandboxing. Generally-speaking, in the computer security world, you’re better off just not letting software do something objectionable than trying to track down everyone who does it and have the judicial side handle things.
Mobile OSes and game console OSes already sandbox games that way.
PCs could have the ability to do that, but they don’t do that today.
I do think that they’re heading in that direction, though, at least relative to where they were, say, 30 years ago; at that point in time, permission tended to be really at a user level, and if you ran software on your computer, it pretty much had access to anything that the user did. Web browser are generally available and act as a sandbox for some lightweight sandbox. On Linux, Wayland’s a move towards handling isolation of apps at the desktop level – for a long time, desktop APIs really didn’t permit for isolation of one graphical program from another. Also on Linux, Flatpak and the like are aimed at distributing isolated graphical applications.
If you don't physically control the hardware, it is not secure.
The only valid approach to preventing cheating that matters is to have authoritative servers. Nothing else works, nothing else theoretically can work, and nothing else can possibly be described as anything but malware. There is literally no possible scenario where any entertainment company knowing anything about what else is happening on your computer can be justified.
I’m not smart enough to see a world where Linux and effective client side anti-cheat can cohabitate. Nothing can ever stop someone running a custom linux kernel that hides any nefarious code from the games they’re targeting. PC gaming can only head that direction to the degree that they take kernel-level control away from the user.
When it comes to windows, the devs working on kernel-level anti-cheat systems are working closely with microsoft on the implementation. To the point that, if you were to try to reverse engineer it on your own machine, in all likelihood msft could convince a court that you are hacking their system, not the other way around.
I made an anti-cheat for vanilla minecraft once, it’s REALLY easy to tell if someone is cheating it’s just developers are grotesquely incompetent when it comes to detecting that sort of thing or (more often) just don’t give a shit. They’ll just create a naïve solution then never test it. For example: minecraft’s god awful anti-fly and anti-speedhack which is just “is the player in the air for 5 seconds” or “did the player go too fast” which is notorious for false positives and doesn’t even stop people trying to cheat, just punishes players for its own fuck-ups.
It really is as simple as creating a model of what the player should be able to do, and then nudging clients towards that expected play. Normal players will not even notice (or will be pleased when it fixs a desync) but cheaters will get ENRAGED and try to cheat harder before eventually giving up. The point of a good anticheat is not to punish players for cheating, but to make it easier and more fun to play within the rules.
It’s like piracy: We had years of systems built on punishment and all they do is create resentment and people trying to break your system, but you build a system on rehabilitation and you become one of the biggest platforms for PC gaming with people willingly downloading it.
Yeah, I agree with that. Installing freaking rootkits on people’s personal device, with the express purpose of identifying them and knowing what their machine contains, is not OK. A multiplayer client should be as lightweight as possible and shouldn’t be able to fuck with a game.
Even if they agree not using your data for anything else, the next security breach on their servers will make that promise useless.
And I am not sure why one would trust big publishers to have any kind of ethics anyway. Do you remember Activision’s patent to manipulate matchmaking? That would specifically match players to reward those who buy microtransactions and create pressure on those who don’t?
Yeah, totally trusting those manipulative snakes with my private data with a big “do not watch” sticker on it.
Installing freaking rootkits on people’s personal devices
If Valve is gonna do anything, I’d rather have them sandbox games from screwing with the environment, not the opposite. I’d like to be able to install random mods from Steam Workshop without worrying about whether some random modder might have malware attached to their mod that can compromise the whole system. I don’t care if a malicious mod dicks up the save games for a particular game, but I’d rather know that it cannot go beyond that.
That doesn’t solve the cheating problem, of course, but it’s a case where anti-cheating efforts and security concerns are kind of at odds.
I mean AI sounds like a legit idea. In the past e.g. battle.net from Blizzard was also just looking for “patterns”. And AI could be much better at that. The question is, how do you get the required information without having any clientside info? To distinguish between a good player and a bot would be very very time consuming to train an AI on that level.
All you really need is where the character is looking, their location and the terrain map, all of which are things the server has authority over or can check easily.
Distinguishing between a good player and a bot probably won’t be that hard. A simple aimbot would probably fire exactly at a target’s (0, 0) coordinate, while a good player may be a frame or two early or late. Someone with wallhacks will behave differently if they know someone is around a corner. There’s almost certainly going to be small “tricks” like that that an AI can pick up on.
We went through this in RuneScape with auto miners. You just randomise locations and times slightly and it’s almost impossible to tell the difference.
Depends on whether people working on cheats can see the anti-cheat detection code. It’s hard to ensure that one data set is statistically-identical to another data set.
Recently, Russia had a vote in which there was vote fraud, where some statisticians highlighted it in a really clear way – you had visible lines in the data in voting districts at 5% increments, because voting districts had been required to have a certain level of votes for a given party, and had stuffed ballot boxes to that level.
If I can see the cheat-detection code, then, yeah, it’s not going to be hard to come up with some mechanism that defeats it. But if I can’t – and especially if that cheat-detection code delays or randomly doesn’t fire – it may be very hard for me to come up with data that passes its tests.
Distinguishing between a good player and a bot probably won’t be that hard. A simple aimbot would probably fire exactly at a target’s (0, 0) coordinate,
bots are way more elaborate than that, even 20 years ago there were randomization patterns.
Unless the aimbot is using its own AI learning system, it’ll not behave as a human would. For example, it might fire at a random point in a circle, where a human might have better aim along the horizontal axis or something.
People with wallhacks will deliberately move their crosshairs over people that they see through walls. Or, if they know the server is watching for that, they’ll make a subconscious effort to never have their crosshairs over someone through walls.
Inexhaustive of things that kernel mode code can do that unprivileged (without “root”) user mode cannot:
Update and install drivers.
Run programs (like cryptominers) without them appearing in the task list.
Make network requests ignoring all firewalls and monitoring tools, even when seemingly in airplane mode.
Monitor your webcam and microphone, possibly without turning on that little light next to it.
Escape any sandbox you put it in.
Replace the OS with one containing malicious code.
Replace the efi firmware with one that replaces any future OS install with the aforementioned malicious OS.
Permanently brick your graphics card.
Take advantage of buggy hardware to burn your house down.
And so on. The question you should be asking isn’t “are they going to do this?” but instead “why are they even asking for this permission in the first place?”.
A game where you run around pretending to be a space marine doesn’t need low level access to your hardware.
I’d argue that any software that is adversarial towards the user/computer owner, and takes actions specifically to hinder an action by them, on their own machine, is malicious.
We’d be absolutely apoplectic if the government demanded we install a surveillance tool on our laptops in order to e.g. access the DMV website or file our taxes, but when someone tells us to in order to play a game, it’s okay? Nah.
I don’t. Anything on the client can be tampered with. It’s the server’s job to make sure anything they receive is both valid and consistent with how a human would act.
how do you stop it on client side? I’m not sure if it has been deployed into the wild but these days computer vision is good enough to just work off the images. Capture image signal, fake usb mouse outputting movements calculated from image data. If this isn’t already available it’s only held back by the need for extra hardware.
I just started apex two month ago and i think i haven't encountered more than one cheater, but i wasn't really sure. I watched a video on cheaters on apex yesterday and ooof, it's really bad. In other games i played they would use aimbot and or walls. But not speedhacking, dual wielding, aimbot and quickshielding and what not. And apparently nothing really ever happens to them.
Quick disclaimer, I’ve been involved with FOSS shooters for something like 20 years now. I mention that to establish where I come from: in a FOSS game anybody can modify the game client all they want, so all the bullshit is out of the way from the start. You can’t hide behind make-believe notions such as “they can’t modify the client” – which is one of the major lies and fallacies of commercial close-source games. If there’s something you don’t want the client to know or do, you make it so on the server.
There is a lot of things that the server can do that can severely limit cheater shenanigans. If you don’t want them to see through walls then don’t tell them what’s behind walls. If you don’t want them to know what’s behind them then don’t tell them what’s outside their cone of view. If you don’t want them to teleport look where they were a moment ago and where they claim to be now and figure out if it should be possible. You get the idea.
Aimbots can be detected because at the core it’s a simple issue of the client’s aim snapping from one place to the target too fast. What’s “too fast” and the pattern of the movement can be up for debate but it can definitely be detected and analysed and reviewed in many ways – regular code, AI, and human replay.
If this kind of analysis is too much for your server to perform in real time (it was too much, 20 years ago) then you can store it and analyse it offline or replay it for human reviewers. You can fast-parse game data for telltale signs, analyse specific episodes in detail, and decide to ban players. Yes it happens after the game was ruined but at least it happens.
There are a couple of types of cheating that you can’t detect server side:
Modifications to the client HUD that help the player grok information faster and better. This is a large category that can include things like colorblindness overlays, font changes, UI changes, movement tracking on display etc. As far as I’m concerned that falls under HUD modding and should be welcome in any healthy game. Again, if you don’t want clients to have a piece of information don’t give it to them, and design your game in a way that such mods are mostly irrelevant.
Automating input. Again a large category that includes macros that speed up complex chains of operations. Can be slowed down by imposing server-side delays but you can hurt legit fast players this way too. Same as above, if this is what makes or breaks your shooter then perhaps you should rethink it.
Some of the most fun games I’ve seen did not care about HUD mods and macros and on the contrary embraced them. You want to write a macro that will auto-purchase the best gear based on your available coin after respawn? Knock yourself out, because what constitutes “best” gear changes depending of the circumstances, and a veteran with a pistol can smoke your ass anyway if you don’t know how to properly use that fancy plasma gun.
I’ve mentioned human review above which brings up an interesting feature that I don’t see implemented in enough games: saving and replaying game metadata. It’s stupidly simple to store everything that happened during a match on the server side and it doesn’t take much space. You can offer that recording to seasoned players to replay on their PC which allows them to see the match from any player’s point of view. An experienced veteran can notice all kinds of shenanigans this way – and it’s also an excellent e-sport and machinima feature that enables commentary, editing, tutorials and so on.
Edit: Oh, forgot one thing. You may be wondering, then why don’t the big game companies do all this? Simple, cost. Why should they pay for server juice and staff to review games properly when they can slap a rootkit on your computer and use your resources?
in a FOSS game anybody can modify the game client all they want, so all the bullshit is out of the way from the start. You can’t hide behind make-believe notions such as “they can’t modify the client” – which is one of the major lies and fallacies of commercial close-source games.
Sometimes, just for practical performance reasons, with realtime games, the client is gonna need access to data that would permit one to cheat. You can’t do some game genres very well while keeping things on the server.
Consoles solve this by not letting you modify your computer. I think that if someone is set on playing a competitive game, that’s probably the best route, as unenthusiastic as I am about closed systems. The console is just better-aimed at providing a level playing field. Same hardware, same performance, same input devices, can’t modify the environment.
'Course, with single player games, all that goes out the window. If I want to modify the game however I want, I should be able to do so, as it doesn’t hurt anyone else. I should be able to have macros or run an FPS in wireframe mode or whatever.
For PC competitive multiplayer, in theory, you could have some kind of trusted component for PCs (a “gaming card” or something) that has some memory and compute capability and stores the stuff that the host can’t see. The host could put information that the untrusted code running on the host can’t see on the card. It also lets anti-cheat code run on the card in a trusted environment with high-bandwidth and low-latency access to the host, so you can get, for example, mouse motion data at the host sampling rate for analysis. That’d be a partial solution.
Sure, it’d be a solution for five minutes until someone delids the secure enclave on the gaming card, extracts the keys, and builds their own open source hw alternative.
High-performance FPGAs are actually relatively cheap if you take apart broken elgato/bmd capture cards, just a pain in the butt to reball and solder them. But possibly the cheapest way to be able to emulate any chip you could want.
someone delids the secure enclave on the gaming card, extracts the keys
Not a problem. You can potentially go for an attack on hardware, maybe recover a key, but you have a unique key tied to it. Now the attacker has a key for a single trusted computer. He can’t distribute it with an open-source FPGA design and have other users use that key, or it’ll be obvious to the server that many users have the key. They blacklist the key.
It’s because hardware is a pain to attack that consoles don’t have the cheating issues that PCs do.
Earth 2150 includes the base-building, as well as a very cool “persistent homebase” mechanic for the singleplayer campaigns, where you build bases in the mission sites but also have a home base that you can transport units to/from, for use in future missions.
I would add the 1999 game Warzone 2100 to this list. Much like Earth 2150 you can design your own units and it also has the persistent homebase + mission outposts system. It was open-sourced in 2004 and has received quite a bit of love since then.
If you’ve never played Dune 2 or Dune 2000 or whatever other iterations and remakes of the Dune RTS series, I strongly recommend it. It seems like a lot of Warcraft’s DNA comes from Dune.
Yeah, seems like. Like when I was a kid and I played Dune 2, then played Warcraft a few years later, the one seemed to inherit most of its ideas from the other.
But I didn’t like go look up the dates or exhaustively check that no other game came up with the format first. I know the first Age of Empires is somewhere vaguely in that same time span too, but I’m not certain of the order.
Oh sorry it seemed offensive or negative in any way, I just wanted to clarify that “seems like” i s a vast understatement. Dune 2 predates all of them, and became a template for mechanics and layouts. We’ve gone a long way since, but dune was the first of the models that we build RTS games as today
Kind of in between games at the moment. Been digging through my backlog, looking for something to play, but nothing has really clicked yet. In the meantime I've been doing this little gaming advent calendar thing with Mission in Snowdriftland. It's a platformer that used to be a flash game that was used to promote Nintendo products back in the 2000s. It's set up like an advent calendar, with 24 levels. You could probably beat it in a few hours, but I've been enjoying taking it one level a day,
Since getting a PS5, a good chunk of my time has been spent with my PS4 library I fell off of when loading was too obnoxious. I had a Last of Us Left Behind save on grounded difficulty that I had never beat because, while I enjoy the brutal difficulty of the last encounter, waiting to load every time I died was miserable. The much faster (but slower than PS5 games lol) load time got me over the hump.
Chyba żadna korpo nie przestrzega praw pracowniczych ani nie szanuje ochrony danych, ale przy Xiaomi dochodzi kwestia powiązań z chińskim reżimem i ryzyko, że dodali jakiś szpiegowski dodatek nieujęty w specyfikacji…
Stranded Deep is on Game Pass, so figured I’d give it a shot. Good so far. Kind of a mix of Raft and The Forest. It is a little rough to start since you pretty quickly need to travel to other islands to get materials and the starter raft is not fun to use. Once I built my own it really picked up though
Bought Hogwarts Legacy a week or so on a deep discount and I’m enjoying the hell of it. During december I traditionally watch the Harry Potter movies so now I expanded to the game. So far it might be my game of the year since I didn’t try Baldur’s gate 3 yet, I’ll pick that one up on a sale later on. I’m taking my time and explore every nook and cranny in the game. I was hyped for Diablo 4 as a long time devotee but in it’s current form it’s simply not fun and needs quire a rework for me to pick it up sadly. The atmosphere, visuals, music, even combat is spot on but it lost way too much on other fronts. Starfield is another game which I put on hold as I simply didn’t continue the game at some point, will probably resume it after a few more patches.
Still playing the field since finishing my second BG3 playthrough a few weeks ago:
Sniper Elite 5: I wish I’d known about this series 10 years ago. SE5 is a surprisingly fun stealth action game, with enormous sandbox levels that encourage varied approaches, styles, and paths. Lots of unlockables and customizations (and unlike the new Hitman games, those unlockables can be used across all levels once you get them). Unfortunately I’m just not super into this kind of experience anymore, but I still had a lot of fun for the time I did spend on it before getting worn out. I’m keeping it on my system because I’m sure it will scratch another itch soon.
Bus Simulator 21: I wanted something I could zone out with, just kind of dive into mundanity and focus on little details. The game does meet that criteria conceptually, but the gameplay just doesn’t feel super well-tuned, and you get these little penalties for everything that goes wrong. I didn’t play it long enough to deal with the business management aspect, which I think is a significant part of the appeal, but it really just didn’t click like I wanted it to.
Firewatch: Skipped this when it released and was a huge deal. I didn’t know anything going into it and really liked the format of the game, exploring the woods, pulling up the map and compass to navigate and all that. Characters and performances were exceptional. But ultimately I was kind of disappointed because …
spoilerit makes you think it’s building to some fascinating conspiracy but ultimately reveals it was just one nutjob playing games. I guess I was more invested in the superficial potential of the high-concept narrative than the actual story the game was probably knocking me over the head trying to tell.
Concrete Genie: Really stellar artistic achievement. The quasi-stop-motion style of the in-engine game, the animations of the genies, and the sketchbook style cutscenes all looked phenomenal in their individual styles. The story was touching and I loved the idea of a hero whose value is his artistic drive, but I was a little bothered by what I felt was a fairly reductive approach to bullying. But the biggest problem was that the game feels really incomplete. Exploration is competent, but the drawing mechanics are not nearly robust enough to tap into the creativity it’s trying to celebrate, and the final act of the game introduces a whole new set of mechanics that, again, are really shallow. By the halfway point, the game felt more like a really, really sophisticated proof of concept than a completed game.
Two Point Hospital: This game is doing a much better job with what I was hoping to get out of Bus Simulator 21. Love the art style and UI. No complaints, just something easy to dip into from time to time.
Paradise Killer: I just started this and it is fucking nuts in a very sincere way. Opening lines: “The Syndicate created the first Paradise Island to worship their dead alien gods. Guided by Leader Monserrat, the Syndicate attempt to resurrect the gods by forcing Citizens into psychic worship rituals. However, the worship invites demonic corruption from beyond the stars. The islands always fail. The islands die and a new Paradise Island is born. The cycle repeats.” Really unique art style and game world. Time will tell if the investigative core lives up to the rest.
Currently re-playing Assassin’s Creed 1 and playing Vanilla WoW for the first time on a private server.
Im remembering how much I liked AC1. I know many people say it wasnt that great of a game, but to me its exactly what an Assassin’s Creed game should be - stalk, plan, stealth, assassinate, escape.
WoW is also really fun. I tried getting into retail a few times over the years but there was just too much. It was way too overwhelming. Vanilla seems to be just right for a new player.
bin.pol.social
Najnowsze