Home
_______ __ _______
| | |.---.-..----.| |--..-----..----. | | |.-----..--.--.--..-----.
| || _ || __|| < | -__|| _| | || -__|| | | ||__ --|
|___|___||___._||____||__|__||_____||__| |__|____||_____||________||_____|
on Gopher (inofficial)
HTML Visit Hacker News on the Web
COMMENT PAGE FOR:
HTML We outsmarted CSGO cheaters with IdentityLogger
xyst wrote 8 min ago:
So adtech tracking techniques also work for fingerprinting ban evaders.
Go figure.
Charon77 wrote 52 min ago:
I got 404
Omni5cience wrote 2 hours 49 min ago:
HTML [1]: https://archive.ph/xcad7
kjkjadksj wrote 5 hours 52 min ago:
Couldnât you stop cheaters by just looking at how their telemetry
metrics are different from the baseline? If you get to a point where
the cheater has to cheat to only be as good as a median player in the
lobby in order to evade detection, youâve effectively neutered it.
grayhatter wrote 4 hours 4 min ago:
How would something like that work?
codefined wrote 7 hours 33 min ago:
> I only shared the solution and technique with one other server
operator I fully trusted based in the UK
I think that was us! We ended up combining it with other
fingerprinting indicators, but the whole 'use VGUI' was a surprisingly
effective way at handling this. I believe they removed the web browser
in ~2018, which was disappointing. Being able to have custom skill
trees / fun integrations with servers was really powerful!
mobeigi wrote 7 hours 38 min ago:
If the website is down or slow and you want to read the article, here
is a full page screenshot of the post: [1] Sorry :'( I didn't expect
the post to get this much traffic.
HTML [1]: https://i.imgur.com/SPp6IHX.jpeg
avree wrote 7 hours 56 min ago:
This link is 404ing for me. Anyone else?
notwhereyouare wrote 7 hours 43 min ago:
seems like the whole site is 404'ing
ultimafan wrote 7 hours 58 min ago:
Cheating in online games is a scourge and I really don't understand why
people do it. It's one person selfishly getting a "win" at the expense
of ~60 other people in that match having their time, pleasure,
potentially money absolutely wasted.
I think even more infuriating than blatant hacking is this epidemic of
"micro cheating" for lack of a better way to put it that I've seen
prevalent in some games that just boost some stats or reactions by
amounts large enough to help the cheater but low enough where new or
inexperienced players have absolutely no way of telling if someone is
cheating or genuinely good especially in games with high skill
ceilings. At least when it's blatant you can leave without time wasted
but when they're doing it subtly you end up getting tilted and spending
the whole match with a bad taste in your mouth second guessing if
someone is actually playing fair or not. Chivalry 2 is a really bad
offender for this, once you notice it you can't unnotice it anymore,
almost every match will have at least one guy with his swing/move speed
adjusted by ~10% and in a game where swing manipulation is a legitimate
mechanic it can be borderline impossible to catch someone out on it
unless you're really paying attention.
daghamm wrote 7 hours 15 min ago:
Cheating is also big business. Players can pay big bucks to rent (!)
a cheat.
IIRC there is an episode on darkness diaries podcast about this.
ultimafan wrote 5 hours 5 min ago:
Yeah I get that, I understand why cheat developers do what they do.
It seems like there's a huge market and I find it hard to blame
them trying to make a living- morality wise they're probably more
worried about rent, bills, family than whether or not someone's
game time is ruined. But it's only this way because so many people
are willing enough to cheat that dropping money on it is fine for
them. It's their psychology I don't really get. Even if they're
doing it because they want the satisfaction of a "win", doesn't
that victory feel hollow because it's something they paid money
for? It's like the difference between a community valuing you
enough to give you an award vs going down to the trophy shop and
paying someone a make you your own trophy that doesn't really mean
anything.
wnevets wrote 8 hours 16 min ago:
I wonder what kind of theories these cheaters invented to explain how
they were getting caught.
Joel_Mckay wrote 8 hours 22 min ago:
In general, hardware/GPU/MAC signature hash checks are the only
consistent way to bind player account histories, and even then cheats
will change their identity with new hardware on fake postal addresses.
Best to add a few weeks delay with "reviewing" ban status to prevent
them returning hardware to retailers. Each day randomly permute which
hardware signature trips the auto-re-ban after a random number of
minutes.
Cheaters ruin the fun for everyone including themselves. Admins need to
provide a personal cost deterrent for problem users, and randomly hang
the game for people using code mods.
Let the ban hammer fall =3
johnisgood wrote 4 hours 58 min ago:
Unless I misunderstood, I do not see how this would actually work in
practice considering the client can be modified and I can send
whatever I want to the server, i.e. spoofing.
Joel_Mckay wrote 3 hours 7 min ago:
Even the Webgl signature check is resilient, and is the new
tracking cookie on many sites like YT etc. It is a robust unique
property of a specific system, and GPU. Not just the serial
number...
Indeed, duplicate salted-hash signatures on multiple active users
mean shills, and immediate bans issued for both accounts tainted by
the black list.
The trick is to randomize a mix of easy and difficult signature
checks daily.
i.e. the exploit writers will have to spend time cleaning up bugs,
redistributing the patches, and dealing with angry people that have
a GPU that is on the blacklist for a game. The more hardware
details collected, the more difficult it is to prevent tripping the
admin alert.
This is already done by some studios... "Play Stupid Games, Win
Stupid Prizes" as they say... =3
Retr0id wrote 8 hours 35 min ago:
> Wonderful, we have found a way to silently persist a cookie for each
player as they join the server.
This violates GDPR, no?
Edit: It sounds like this took place before GDPR was being enforced.
kemitche wrote 8 hours 24 min ago:
GDPR isn't a blanket ban on cookies. You don't require a cookie
notice for strictly necessary cookies, which you have a "grounds of
legitimate interest" for: [1] Fraud prevention is listed as an
example of a "legitimate interest."
So no, by my layman's interpretation, they would not have been bound
by GDPR to notify the user of cookies or other fingerprinting used
solely for anti-cheat. They'd run into trouble if they use that same
ID for marketing/advertising without consent, though.
HTML [1]: https://commission.europa.eu/law/law-topic/data-protection/r...
newZWhoDis wrote 7 hours 37 min ago:
GDPR is toothless eurotrash.
I saw a consent form that had 72 optional, 21 âlegitimate
interestâ cookies.
GFB
Ylpertnodi wrote 5 hours 50 min ago:
That means gdpr is working.
Retr0id wrote 8 hours 6 min ago:
They're perhaps not required to gather explicit opt-in consent, but
my understanding is that they'd be required to disclose what
information they collect/store.
phire wrote 5 hours 51 min ago:
The same rules apply to the steam ID and IP address.
As far as I'm aware, you can get away with disclosing the fact
that you are tracking "unique identifiers for the purpose of
anti-cheating" in the terms and conditions, without explicitly
explaining the technical details that it's a cookie.
Also, this is a server covering the Australia/New Zealand region,
so it doesn't have to worry about GDPR compliance.
lwansbrough wrote 8 hours 36 min ago:
I suppose different people are entitled to different opinions about
fingerprinting, but I reckon it only takes working on a single project
where this is a real issue for you to change your mind.
We do behavioural analysis on top of various fingerprinting for bot
detection - some people are trying really hard to ruin the internet!
I suspect a sufficiently advanced server side behaviour analysis could
do a pretty good job discovering cheaters.
ghxst wrote 7 hours 25 min ago:
Not at the expense of false positives, though. Sophisticated cheat
developers and bot creators are skilled at exploiting that narrow
margin of error where companies can't push detection further without
compromising the experience for legitimate users and destroying their
game or service.
leetbulb wrote 8 hours 44 min ago:
This isn't about stopping cheaters (cheat detection). This is about
stopping repeat cheaters trying to ban evade. Detecting cheats,
especially nowadays with hardware cheats (DMA, etc), is an entirely
different ballgame.
IMHO, one of the most effective way to stop ban evaders is to actually
charge money for the game.
Frotag wrote 2 hours 51 min ago:
Banning by TPM also makes ban evasion pretty expensive. At which
point the cheater has to either buy a new mobo or solder a new TPM
chip onto their mobo (not always possible). Though I guess at some
point a sloppy vendor will leak TPM keys and it'll be spoof-able.
kemitche wrote 8 hours 28 min ago:
At the time of the events in the blog, CS:GO was NOT free, and yet
there were still cheaters that apparently had access to 80+ accounts.
bob1029 wrote 7 hours 56 min ago:
Charging money and banning at the payment provider level can be
quite effective. It isn't a perfect answer but it cuts out gigantic
chunks of the problem space.
I'll take a ~99% cheat-free experience over not having any
improvement at all.
kemitche wrote 7 hours 45 min ago:
Agreed, but in this particular case the blog writer was running
private servers, rather than being Valve. They had no control
over payment processing etc.
leetbulb wrote 8 hours 1 min ago:
That's fair. There will always be cheaters like this. However,
anecdotally, after CS or any other game I've played that went
free-to-play, cheaters became a much much larger problem: from
seeing one every now and again, to at least one in nearly every
match.
connicpu wrote 8 hours 5 min ago:
Why pay for the game when you can go to an onion site that will
sell you hundreds of compromised accounts that own the game for a
fraction of the price?
snarfy wrote 8 hours 44 min ago:
For UT2004, you can ban by player GUID (a hash of the CD key) or IP.
With the game abandoned by Epic, a number of key generators have
cropped up, which makes GUID bans useless. IP bans only go so far with
VPNs costing $2 these days.
The main solutions we have today are IP ban + VPN blocking using a
database of known VPN subnets and adding them all to the firewall, and
a similar fingerprinting technique which scans their folder structure
of certain system folders.
TechDebtDevin wrote 2 hours 0 min ago:
Who is gaming in a competitive game behind a VPN.. I suppose if its
your only option, but I don't think this would be a great playing
experience.
dietr1ch wrote 11 min ago:
There's a bunch of services that can moderately reduce latency by
using better paths. Specially worth it if you want to play with
friends in servers farther than 1000km away.
hnick wrote 38 min ago:
Can help routing induced latency as the other comment says (or
force a new route if having downstream issues with your ISP
peering), and some games in the past could leak IPs especially if
using a p2p model and a VPN can mitigate that (especially one that
only routes traffic for the game).
IIRC you also need one when playing from some countries, whether
due to legal reasons or server restrictions.
takoid wrote 1 hour 3 min ago:
Using a VPN with WireGuard can actually reduce latency if your ISP
has poor routing to the game server, as a VPN with better peering
or routing paths can improve your connection. Itâs not always the
case, but with a decent provider, you might see lower ping in
certain situations.
afavour wrote 1 hour 50 min ago:
> Who is gaming in a competitive game behind a VPN..
Cheaters, which is why theyâre getting banned in the first place
CSMastermind wrote 2 hours 51 min ago:
Wait, can you help maintain UT2004? Because I love that game.
I don't play online anymore because I get destroyed but it's still
fun to pop in for a quick match against AI when I have 30 minutes to
kill.
johnisgood wrote 5 hours 27 min ago:
> IP bans only go so far with VPNs costing $2 these days. [1] was
made specifically against people using VPNs.
It was made for Tremulous (ioquake3 fork) where people kept evading
IP bans, but it can be used for any other games.
It is not my project, but I know the author, and I could personally
fork it and make it suitable for specific (or any) games if there is
demand for it.
You may also use heuristics, too, in schachtmeister2:
whois -10 "Hosting"
whois -10 "hosting"
whois -7 "Server"
whois -4 "server"
whois -10 "VPS"
whois -13 "VPN"
whois -3 "Private Network"
whois +7 "residential"
whois +7 "Residential"
whois -20 "Dedicated Server"
Edit: I noticed that the git repository returns 502, contacted the
maintainer.
HTML [1]: https://redman.xyz/doku.php/schachtmeister2
project2501a wrote 5 hours 55 min ago:
sorry for the not-so-smart question.
the cheats are software, software has certain quirks, like the way it
aims or the way it tracks. And I'm willing to bet it has enough
distinctiveness from human aiming to be classified. Couldn't a
classifier work on the behavior of the cheating software itself,
rather than use IP bans?
cwillu wrote 2 hours 2 min ago:
Some âaimbotsâ don't actually assist with the aiming, they just
fire the trigger any time the user gets on target.
derefr wrote 5 hours 33 min ago:
In order to actually catch a cheater mid-match rather than long
after the match is already over, you'd need the servers that
players are interacting through to have enough CPU grunt-force to
do that kind of analysis "faster than realtime" â i.e. for the
server's CPU to be able to run the game's physics faster than any
client can, so it can run the physics with extra math in the same
time it takes the clients to just run the physics.
Which might be something you could guarantee, if the game were
locked to wimpy console hardware; or if the game had minimal CPU
physics such that it was effectively never running CPU-bottlenecked
and there were massive gaps in frame-time where even the client
CPUs are sitting idle, that a server running in lockstep could cram
that kind of analysis into.
But gaming is a race-to-the-top, hardware-wise. The CPU in a gaming
rig might not have as many cores as your average server CPU, but
it's almost certainly going to have higher single-core perf.
And part of the reason for that, is that games really do try to use
your whole CPU (and GPU), with AAA studios especially being
factories for constant innovation in new ways to make even the
minimum requirements just to run a game's physics, higher and
higher every year.
And if the server can't do "faster than realtime" analysis of the
streams of inputs of the players, then by queuing theory, it'll
inevitably get infinitely backlogged â the server will keep
receiving new analysis work to do every timestep, and will fall
further and further behind, never catching up until new work stops
being generated â i.e. until the match is over. And then it'll
have to probably sit there for five more minutes thinking really
hard before spitting out a "hey, wait just a minute..." about any
given match.
Which is fine if there's a big central lobby server that the game
is forced to connect to, and your goal is to ensure that some
central statistic that that central server relies upon (e.g.
match-rank ELO) gets calculated correctly, such that cheaters are
prevented from climbing the leaderboards / winning their way into
high-ranked play. (And that's exactly the situation the big eSports
games companies are in.)
But in the context of older games that use arbitrary hosted servers
and random-pairing (or manual lobby-based match selection) â or
in modern, but "dead", games, that only persist due to being modded
to accept private servers â this "after-the-fact" punishment is
useless, as most servers have no incentive to do this analysis,
especially when cheaters can just hop around between servers. So
there's nothing preventing people from being matched with cheaters,
sometimes over and over again, if the cheaters can just tell their
clients to roll up with a new key+IP for every match.
...and that's assuming there even are servers. You can forget about
any of this working in a p2p context. (Think about what a Sybil
attack means in the context of a federated set of individual tiny
disconnected p2p networks.)
Arch-TK wrote 4 hours 9 min ago:
CSGO doesn't do P2P matchmaking and Valve _are_ working on
real-time heuristics based cheat detection to kick cheaters
mid-match
IPTN wrote 4 hours 25 min ago:
You should be able to limit analysis for this type of detection
to only the input leading up to a kill/hit and ignoring
everything else. The majority of the time players are not
shooting could be used to do the analysis with plenty of time to
boot midway in a round let alone a full game.
Also simple analysis of only the input streams as you stated
really doesn't have to do with the phys rate of the game server
and should be alot cheaper computationally. It can be offloaded
to another process even if it was found to be too impactful to
run alongside the game server directly. Something all those extra
cores might be good for.
Xss3 wrote 2 hours 32 min ago:
Cheats nowadays can and do
a) run on 2nd pc passively capturing the screen and commands
to a fake mouse device plugged into both machines,
b) "humanise" the aim with ai models trained on professional
players
c) add random variances within the limits of human reaction
times
So it doesn't solve things, really it'd still be playing
catchup.
blangk wrote 5 hours 1 min ago:
Not to mention the most sophisticated cheats are now running on
second computers
treyd wrote 5 hours 41 min ago:
This is part of what Valve does in CS. It works pretty well but it
does have false positives so it requires user intervention for
confirmation of bans.
snarfy wrote 5 hours 49 min ago:
It's more effort than it's worth. There are server aimbot scanners
which do something like this. There are also aimbots written to
thwart this type of detection, adding delays, random drift, etc.
It's a cat and mouse game. We don't have a lot of players left so
it's not that much of an issue.
dietr1ch wrote 6 hours 0 min ago:
What about banning VPNs?
IncreasePosts wrote 6 hours 2 min ago:
How about just a whitelist? I can't imagine there are a ton of legit
ut2k4 players left?
snarfy wrote 5 hours 53 min ago:
Yes, we have a whitelist ability also, but it is definitely a last
resort. The game is mostly dead and difficult to discover for new
players. We don't want that roadblock if we can avoid it.
catlikesshrimp wrote 2 hours 54 min ago:
Suggestion: Anybody can play against bot(s). Whitelist can
interact with real players.
VTimofeenko wrote 3 hours 20 min ago:
Do you happen to have a link for a good manual on "how does one
get into the modern UT2k4 multiplayer"? I.e. must-have modlist,
servers, etc.
Syntonicles wrote 5 hours 39 min ago:
TIL people still play UT2004.
I was going to mention how much I loved that game, until I
realized I played UT99. Time sure does fly...
dylan604 wrote 3 hours 11 min ago:
Is this game online/multiplayer only? I mean, people still play
Galaga and PacMan and other older classic games so why would
you think someone wouldn't still play this one too?
ghffjgff wrote 4 hours 17 min ago:
Ut99 with the matrix mod was where it was at for LAN parties...
gosub100 wrote 7 hours 51 min ago:
Just curious if IP bans work with IPv6 or if they are fundamentally
incompatible?
ghxst wrote 7 hours 3 min ago:
IP bans are fundementally flawed since you can't assume a static IP
in the vast majority of cases anymore, if you rely on an IP
blocklist then it's inevitable that you will end up hurting the
experience of small amount of unlucky but innocent players. I
suppose this might be more of an issue on ipv4 than it could be on
ipv6, but really you should always expire IP bans to avoid issues
like these, or you want to combine another data point with the IP
such as a hardware ID (or a hash of a combination of hardware IDs).
Cheaters do know this so even if we could assign everyone a static
ipv6 they would likely just disable ipv6 support on their NIC and
rely on their ipv4 exit ip.
Edit: If you don't think this is an issue I urge you to Google
"pokemon go belgium ip ban" for a fun rabbit hole.
ghxst wrote 8 hours 14 min ago:
This still leaves you wide open to cheaters using mobile data
tethering and proxies. Have you considered more advanced network
analysis? It's one of the areas I have an interest in (professionally
and personally) so if you want any suggestions let me know.
ec109685 wrote 47 min ago:
Want does mobile data tethering make it harder to ban an IP
address?
kmeisthax wrote 20 min ago:
Mobile networks are all IPv6. IPv4 traffic is behind CGNAT. As a
result, you can't ban individual cheaters, you have to ban the
whole network.
mouse_ wrote 7 hours 57 min ago:
The tactic 4chan uses:
Regular IPs can post freely
VPN or mobile IPs (blacklisted) must pay for a key ($20/year) that
allows posting from blacklisted IPs. Key is good for posting from
one blacklisted IP, locked for 30 minutes, so users cannot share
keys. That way, you can ban the user by their key, if their IP is
public.
It's not a perfect solution but it seems to be the best they've
found for such a situation so far.
ryandrake wrote 5 hours 47 min ago:
I mean, in this case it's 4chan so who cares, but I hope we are
not very slowly moving towards a troubling world with lower
classes of IPs and upper class IPs. IPs should be IPs should be
IPs, it shouldn't matter whether it comes from an ISP, a mobile
network, a VPN, or anything else, and we shouldn't attach some
kind of IP caste to providers or countries. I think we really
need Internet-wide IP randomization, where you can't just block a
/24 or a /16 because they're in some icky ghetto. Yes, I know
there is abuse, but if this is the alternative, it doesn't seem
worth the cost in terms of innocent people losing access.
EDIT: Well, I guess the tribe has spoken. Pretty surprising. I
think y'all are just assuming you'll always be the ones with the
"good" IPs...
koito17 wrote 22 min ago:
Reputation matters.
On some Japanese BBSes, spammers tend to use non-Japanese IPs
or data center IPs. A good chunk of the spam goes away by
blocking non-Japan IPs (easy to do with BGP data) and
disallowing data center IPs (these often host VPNs, scrapers,
etc.) from posting.
Posting from overseas thus costs money or is not possible. The
trade-off is 1-100 extra users or significantly reduced spam
for little effort. It's not surprising that most website
operators choose the latter.
I also know of a file uploader that recently had to block
overseas IPs due to such IPs repeatedly uploading illegal
content. This is an example of a few bad actors ruining things
for everyone.
kbolino wrote 5 hours 18 min ago:
We are already there and have been for a long time. Geoblocking
is very common for low-effort DRM and abuse mitigation, common
VPN providers are easy to detect by IP but generally frustrate
and/or ignore abuse reporting (until serious illegal activity
is committed), college and other institutional networks are
often no better than VPNs in this regard, etc. The Internet
hasn't been able to operate as a network of peers at least
since it was opened up to the public.
miki123211 wrote 1 hour 3 min ago:
> until serious illegal activity is committed
What do they do in such cases?
Assuming they get the report after the fact and assuming
their "no logging" promises are true, can they even do
anything? They're not even supposed to know which customer
did it, after all.
If their promises are false, wouldn't they reveal their hand
if they handed logs over willy nilly?
kelnos wrote 8 hours 5 min ago:
> This still leaves you wide open to cheaters using mobile data
tethering and proxies
Is latency going to be good enough on mobile data (especially if
they're also using proxies) for a FPS, though? Sure, they're using
cheating software, but I wouldn't be surprised if the software gets
the information it needs to cheat too late often enough for it to
be useful.
jjmarr wrote 5 hours 57 min ago:
I regularly played CSGO in Europe because the North American
ranking system were screwed up.
I got to Supreme (2nd highest rank) with 150 ms ping. The people
I queued with hit Global.
It's possible to play legitimately with very high ping. The
higher ping put us at a disadvantage, but the skill gap between
regions made it worth it to arbitrage.
Systemmanic wrote 5 hours 47 min ago:
What was screwed up about the NA ranks?
xnyan wrote 5 hours 8 min ago:
NA is (or at least was when I played) the most populated and
visible regional zone, and attracts a lot of players
attempting various kinds of rank manipulation. On the one
hand you have smurfing, which is the practice of a relatively
high skill player using a an account with relatively low rank
so that they can dominate lower ranked players. On the other
side you have boosting, which is a relatively high skill
player ranking up new accounts for later sale.
In practice this means at lower ranks, it was not at all
uncommon to be matched with players with similar rank but
vastly better skills.
ultimafan wrote 4 hours 49 min ago:
This was my experience too years ago when I played CSGO.
The difficulty at higher ranks (up to a certain point) felt
significantly easier than the lower ranks. Getting out of
the silver and gold ranks (can't remember the exact names)
was a hellish grind with lots of matches that ended in one
sided stomps with one or two guys on the other team racking
up some insane k/d. Past that was smooth sailing for a long
long way.
ghxst wrote 7 hours 11 min ago:
Yes the latency is not nearly as bad as you might think, it's
comparable to a VPN in my experience, though the quality will
depend on your location and the available connections.
Sophisticated cheats in games like CSGO (and other competitive
shooters) are usually very subtle, such as displaying enemies on
the mini-map when they shouldn't be visible which provides a
major advantage without requiring superhuman input, and the added
latency is often negligibleâespecially when the info can be
relayed to teammates and now you essentially have the entire team
cheating with only 1 player suffering from a bit of increased
latency.
And I wouldn't say this is an edge case either as in my
experience the majority of cheaters I encountered are individuals
that play on an alt account and offer a service to guarantee wins
in ranked games.
Sayrus wrote 7 hours 58 min ago:
Assuming obvious cheat, even 100ms or 200ms latency is unbeatable
by a human. Especially since the cheat doesn't need time to aim.
Even for non-obvious use-cases, it's hard to beat the advantage
provided by knowing the position of players.
On my own hotspot, I have less than 30ms of latency.
ycombinatrix wrote 8 hours 47 min ago:
>We Outsmarted CSGO Cheaters by Exploiting the Client
Fixed
mobeigi wrote 8 hours 40 min ago:
The game's the game.
LinuxAmbulance wrote 8 hours 49 min ago:
Excellent write up and solution. Cheating in video games makes for a
wretched experience for those who don't cheat.
It's crazy how rampant cheating in multiplayer games, especially
competitive ones has gotten. Ten years ago, I thought it was at an
extreme, but it's only gone up since then.
Part of the problem is that for some software developers, writing
cheats brings in a massive amount of money.
So instead of some teenager messing around making unsophisticated
cheats, you have some devs that are far better at writing cheats than
game developers are at preventing them.
It doesn't help that game devs have to secure everything, everywhere,
but cheat devs only have to find a single flaw.
BlueTemplar wrote 4 hours 2 min ago:
Some competitive multiplayer games.
Which seem to be exclusively FPS games with ~10+M players ?
I don't even remember the last time when I've heard of a game outside
that very narrow (albeit decently popular) category to have
complaints about cheaters. Meanwhile for these games, I hear about it
like every month, and all this despite this genre being amongst the
ones that I play the least !
ClassyJacket wrote 1 hour 47 min ago:
Well, it's just a genre that's immensely popular and easy to cheat
in.
If you have access to the game's memory etc, it's pretty easy to
create an aimbot or thing that lets you see thru walls et cetera.
How you gonna cheat in a moba? It's a strategy game, you need,
like, cutting edge AI to beat the best humans at it. In fact OpenAI
specifically worked on an AI to play Dota 2, it was that hard.
mvdtnz wrote 3 hours 53 min ago:
Cheating is commonplace in lots of games much smaller than that.
Company of Heroes 2 (an RTS released in 2013) for example is pretty
much ruined by map hackers.
DJBunnies wrote 8 hours 39 min ago:
I think a better question here is: why is game code so exploitable?
A: laziness and cost. It just doesnât matter the same way that
baking code matters, I guess.
So they toss on some cheap anti cheat instead of architecting it
safely (expensively.)
ghxst wrote 6 hours 37 min ago:
A very large amount of games that are released nowadays all use
well known and well documented engines, that's what makes it a lot
easier, there's an interview on YouTube with a company that
develops cheats for multiple games that mention this here:
HTML [1]: https://youtu.be/zwruk-tLIOU?si=3O2jBKQneur-n3iS
numpad0 wrote 6 hours 52 min ago:
Oh, that's an easy one.
- GOOD software are simple and easy to understand, which makes it
EASY to cheat.
- BAD software are needlessly complex and finicky, so it's HARD to
rig it for a cheat.
- Anti-cheats intentionally make software BAD and over-complicated,
so cheaters would have hard time modifying it. But computers are
brittle and also aren't smarter than humans so cheaters will
eventually find a way.
- Security is completely irrelevant topic since game clients are
"bought" and run on your hardware; Digital Restrictions Management
built to work against you as user is anti-consumer,
anti-right-to-repair, anti-human, super bad thing, and lots of
efforts are made to keep PC away from it as much as practical.
It has nothing to do with laziness or cost. If anything it'll be
the best programmed game that gets hacked fastest. And PS2 that
gets emulated last.
kelnos wrote 8 hours 3 min ago:
I think GP's last line covers it. It's the same reason why DRM is
ultimately ineffective, and why even companies that work hard and
spend time and money to secure their infra still sometimes get
popped: the game devs have to be perfect 100% of the time, but the
cheaters only have to get lucky and find a flaw once.
GuB-42 wrote 8 hours 10 min ago:
Priorities. Games need content and performance. Give game
developers more budget, and they will work on making the game
faster, fix game breaking bugs, and add content rather than make
the game less exploitable.
And cheats do not always rely on exploitable bugs. A bot using
screen capture and input device emulation works at the OS level and
in other contexts (ex: accessibility), it would be a legitimate
thing to do.
lagadu wrote 8 hours 16 min ago:
Because at the end of the day the game is running on the user's
machine, a machine in which the user has full access to every part
of the execution and the software developer does not. You can only
get around that by streaming the game instead of running it on the
client side and even then an aimbot or some type of automation
would be possible nowadays.
Matheus28 wrote 8 hours 24 min ago:
Itâs not that simple.
Some games arenât able to prevent cheating. The client has the
data on where the enemies on their screen are. The cheat only needs
to move the mouse and click on the enemies heads. Other games like
MMORPGs involve the cheat just playing the game and farming on
behalf of the player.
It just becomes a cat and mouse game where the anti cheat is trying
to detect something hooking into the game process while the cheat
tries to hide itself.
drdaeman wrote 7 hours 58 min ago:
> MMORPGs involve the cheat just playing the game and farming on
behalf of the player
From a player perspective that's not cheating, that's running a
bot. It's automation of a routine grind - which is typically
designed to make players hate it and spend money instead.
Automating boring stuff is simply natural.
For pay-to-win games it's effectively a balancing system, a
pushback against player-hostile mechanics. Not unlike an
adblocker on the web.
That's strictly in context of MMORPG genre, of course.
colechristensen wrote 8 hours 29 min ago:
This isn't the better question.
When you have software running locally, you can arbitrarily modify
how it runs.
Like an aimbot is a powerful cheat, and there's no amount of
security that can prevent one from being used outside of an
anticheat being able to look deep into what your system is doing,
what it contains. The only way to prevent that kind of thing is to
remove your control of your own computer.
jsheard wrote 8 hours 18 min ago:
> When you have software running locally, you can arbitrarily
modify how it runs.
Well, you can on PC at least. Xbox and Playstation security has
matured to the point that code modification in online games isn't
really a thing anymore, the worst they have to deal with is
controller macros most of the time.
lagadu wrote 8 hours 12 min ago:
Until they get jailbroken that is. There is no such as a
perfectly secure platform in which the user has complete
physical control over it.
jsheard wrote 8 hours 9 min ago:
The PS4 and PS5 have been jailbroken numerous times, but...
1) Their secure boot implementation has never been broken,
which means you can't upgrade from an exploitable version N
firmware to a non-exploitable version N+1 while persisting a
backdoor like you could on older systems like the PS3. You're
stuck at version N until another exploit is found.
2) They rotate the crypto keys used for online play with
every new firmware so they can easily lock those old
exploitable firmwares out of online play for good, even if
they try to spoof their version number. There's no getting
around not having the new keys.
Meanwhile the Xbox One took a decade to get even a limited
jailbreak that allows arbitrary code execution inside the
game sandbox, but can't escape the game sandbox to take over
the kernel, and the Xbox Series systems have yet to be
jailbroken at all on any firmware.
Hypothetically being able to break anything with physical
access doesn't count for much in practice if the thing you
want to physically attack is buried inside a <7nm silicon
die, doesn't trust anything outside of itself, and has
countermeasures against fault injection attacks. The Switch
may well be the last big victory for console hackers, the
writing has been on the wall for years now.
Ekaros wrote 8 hours 26 min ago:
And even then you could do aimbot with camera pointed on the
screen and either faking a mouse or providing sensor sufficient
data somehow to simulate movement... That is reach super human
reaction times and accuracy...
drdaeman wrote 7 hours 47 min ago:
I wish I'd live to see the time of true cyborgs who will exceed
ordinary human capabilities in some regard.
colechristensen wrote 5 hours 6 min ago:
How attached and how technical does it have to be to be
"cyborg".
Me with a pen and paper exceeds many human capabilites.
Likewise with wearables like a smartwatch.
Does it have to be direct neural integration to be a cyborg?
Definitely people with profound brain injuries have been
enhanced to the ability to interact again.
drdaeman wrote 3 hours 4 min ago:
Good question! IMHO, it's a spectrum, of course, not a
binary concept.
But if we have to define a criteria... I guess, integrated
just enough so it can't be trivially removed, making it
more of a "body part" rather than a "tool".
Point is, it'll certainly spark a discussion and
re-evaluation of what's "fair", potentially shifting the
consensus from somewhere around the current "glasses are
fair game, but a programmable mouse is not" to somewhere
more accepting of differently-abed individuals.
andrewia wrote 8 hours 31 min ago:
I think that's a very naïve way of looking at game development.
There are many reasons why games are exploitable besides lack of
reasonable dev effort.
- Almost all games are going to use a licensed or shared game
engine. That means the softwsre architecture is already known to
skilled cheat developers with reverse engineering skills.
- Obfuscating the game will only go so far, as demonstrated by the
mixed success of Denuvo DRM.
- The game will not be the most privileged process on the machine,
while cheaters are glad to allow root/kernel access to cheats.
More advanced cheaters can use PCIe devices to read game memory,
defeating that mitigation.
- TPMs cannot be trusted to secure games, as they are exploitable.
- Implementing any of these mitigations will break the game on
certain devices, leading to user frustration, reputation damage,
and lost revenue base.
- And most damning, AI enabled cheats no longer need any internal
access at all. They can simply monitor display output and automate
user input to automate certain actions like perfect aim and perfect
movement.
maccard wrote 7 hours 43 min ago:
A couple of thoughts, but I largely agree with you.
> Obfuscating the game will only go so far, as demonstrated by
the mixed success of Denuvo DRM.
Denuvo is for the most part DRM, rather than anticheat. It's goal
is to stop people pirating the game during the launch window.
> The game will not be the most privileged process on the
machine, while cheaters are glad to allow root/kernel access to
cheats.
This ship has sailed. Modern Anticheat platforms are kernel
level.
> TPMs cannot be trusted to secure games, as they are
exploitable.
Disagree here - for the most part (XIM's being the notable
exception) cheating is not a problem on console platforms.
> AI enabled cheats no longer need any internal access at all.
They can simply monitor display output and automate user input to
automate certain actions like perfect aim and perfect movement.
I don't think these are rampant, or even widespread yet. People
joyfully claim that because cheats can be installed in hardware
devices that there's no point in cheating, but the reality is the
barrier to entry of these hyper advanced cheats _right now_ means
that the mitigations that are currently in place are necessary
and (somewhat) sufficient.
heavenlyblue wrote 6 hours 29 min ago:
> This ship has sailed. Modern Anticheat platforms are kernel
level.
so you use a kernel level anti-anti-cheat
ghxst wrote 6 hours 42 min ago:
It's not AI enabled cheats that are the issue, it's DMA through
things like PCIe devices disguised as regular hardware.
Sophisticated cheats no longer run on the same computer as
you're playing on. Google "pcie dma cheat" for a fun rabbit
hole.
maccard wrote 5 hours 16 min ago:
Right, but the barrier for entry for those cheats is huge -
the sp605 board is $700, for example. There are cheaper ones,
but youâre not going to have rampant cheating testing
through games when you add hundreds in hardware to the
requirements.
Antiecheats work in layers and are a game of cat and mouse.
They can detect these things some times, and will ban them
(and do hardware bans). The cheaters will rotate and move on,
and the cycle continues. The goal of an effective anti cheat
isnât stop cheating, itâs be enough of a burden that your
game isnât ruined by cheaters, and not enough of a target
to be fun for the cheat writers.
jsheard wrote 8 hours 33 min ago:
Architecture can help up to a point but it can't stop everything -
the usefulness of ESP can be reduced by not sending the client
information it doesn't need to know, but that gets computationally
expensive on the server, and culling information too aggressively
can interfere with lag compensation. Perfect recoil compensation
can be prevented by not replicating the servers RNG state on the
client so it can't predict where the next bullet will go, which
CS:GO started doing at some point. Aimbots though? Those are just
automating an input the user could theoretically make legitimately,
so you're pretty much stuck with statistical heuristics or
client-side detection.
doctorpangloss wrote 8 hours 33 min ago:
> I think a better question here is: why is game code so
exploitable?
The nature of FPS games means only environment integrity can stop
cheating. It's not exploitable per se. Just the game skill can be
done by a computer perfectly.
Conversely who knows how long it will take for AIs to play
Hearthstone with never-before-seen-cards well.
wbl wrote 7 hours 8 min ago:
Probably three years
tedunangst wrote 8 hours 35 min ago:
No kidding, implementing multiplayer as a VNC session on a
controlled server is very expensive.
latexr wrote 8 hours 49 min ago:
> The best part was that no one knew how we were able to do this and
our admin team kept the implementation a top secret. We should have
filed a patent!
I know youâre joking, but if you had filed a patent you would have
had to reveal the trick, thus rendering it immediately useless.
Doesnât detract at all from your post. Fun read.
aftbit wrote 8 hours 50 min ago:
>Now, in order for a player to appear to us as a "fresh player" they
would need to change their Steam ID, IP address and Steam installation
folder. As you can imagine, no one is going to do the latter.
Really? I would expect that a dedicated cheater would reinstall Windows
(or reload from a snapshot) every time they are caught.
Ekaros wrote 8 hours 46 min ago:
Seems like they were private servers. So they really need only hurdle
enough to have cheaters go somewhere else. Not totally kill their
ability to play. And well most people will move on. Only those who
take it most personally start to spend lot of time.
beeboobaa3 wrote 8 hours 52 min ago:
I hope they asked permissions for storing those cookies. Otherwise
they're violating various EU laws.
ketkev wrote 8 hours 23 min ago:
I'm not a lawyer, but I think this actually has some interesting
things to think about. Not all cookies require consent under the
ePrivacy directive, there is an exception for cookies that are
"strictly necessary for the delivery of a service requested by the
user". I think that'd fit in this case, since providing a cheater
free experience is part of the "service" the players are looking for.
At the same time, the ePrivacy directive also mentions that the user
should be provided with "clear and comprehensive information" about
what is stored. Providing that would render the cookies useless.
I don't know how these would balance each other out legally, but it's
fun to think about
beeboobaa3 wrote 6 hours 25 min ago:
No, that doesn't count. Companies have tried arguing that their
ads' tracking cookies are strictly necessary otherwise they
wouldn't be able to offer their services (ads pay the bills). And
yet, they require consent.
Preventing cheaters is similar. And this is blatantly a tracking
cookie.
eqvinox wrote 5 hours 39 min ago:
You aren't considering that ad cookies/tracking are used to
enable a service to someone else (ad buyers), while this
anti-cheat tracking cookie is used to enable a service to the
user themselves (a cheat-free gaming experience.) I think that
may make the difference.
Also, all of this was in 2017. Anyone doing it in 2024 should
indeed run it past a lawyer.
leoff wrote 8 hours 26 min ago:
LOL
mobeigi wrote 8 hours 27 min ago:
Great point!
This community is Australian & New Zealand based, we had 0 European
players or visitors. And as @unsnap_biceps this predated GDPR
compliance.
You are right though that you wouldn't be able to do this in Europe
today because asking for fingerprinting consent defeats the purpose
because the hacker would likely quickly figure out what is happing
and circumvent it.
unsnap_biceps wrote 8 hours 35 min ago:
GDPR didn't take effect until May 2018, this only worked until
October 2017.
ketkev wrote 8 hours 20 min ago:
GDPR is about the processing of personal data. Cookies (and such)
are subject to 2002's ePrivacy directive
latexr wrote 8 hours 45 min ago:
Not every cookie requires consent. [1] In this case, this one might
fit:
> User centric security cookies, used to detect authentication abuses
and linked to the functionality explicitly requested by the user, for
a limited persistent duration
HTML [1]: https://commission.europa.eu/resources-partners/europa-web-g...
beeboobaa3 wrote 6 hours 27 min ago:
It's clearly a tracking cookie.
> for a limited persistent duration
FTA:
> However, the VGUI browser had no issues saving cookies with
expiry dates exceeding 10+ years!
So no, it doesn't even qualify.
blahyawnblah wrote 5 min ago:
10 years is a limited duration
voytec wrote 8 hours 55 min ago:
Kudos to the author for using RFC5737[0] TEST-NET-2 address for:
> An example of an IPv4 IP address is 198.51.100.1.
[0]
HTML [1]: https://www.rfc-editor.org/rfc/rfc5737
o11c wrote 5 hours 43 min ago:
Where it gets interesting is when documentation uses a typoed
reserved address (e.g. 189.51.100.1 or 198.15.100.1). There are
actually several RFCs that do this.
mobeigi wrote 8 hours 53 min ago:
I'm a big fan of using identifiers reserved for examples. I use
TEST-NET-2 IP's and example.com all the time in my documentation!
beeboobaa3 wrote 8 hours 55 min ago:
> If a player joins with a different Steam ID but with an IP address
that is already banned, the system now re-bans them
This works great until you realize you're punishing innocent players
because of CGNAT and IP addresses getting rotated. Cheaters usually
know how to get their router to request a new IP address. That IP
address then gets assigned to someone else later.
mobeigi wrote 8 hours 50 min ago:
This scenario definitely did pop up and we would review it on a case
by case basis to unban users or make exceptions. However, it was
quite rare. Only a handful of reported instances over several months.
If our servers were more popular we definitely would have run into it
a lot more.
LudwigNagasena wrote 8 hours 9 min ago:
You would need to ban random people and see how many of them report
it to estimate the real amount of such errors.
Alupis wrote 8 hours 47 min ago:
I would wager most people just move onto a different server -
leaving you with useless/suppressed data on how many people this
may have impacted.
Vvector wrote 8 hours 50 min ago:
That was addressed in the article.
cwmma wrote 8 hours 53 min ago:
They addressed this in the section entitled "Problematic cases of IP
address fingerprinting"
lagadu wrote 7 hours 53 min ago:
I always found it funny how ip bans seemed to be so popular despite
being apparently completely ineffective until I realized this was
mostly a US thing. In my country (2 of them that I've lived in, in
fact) ISPs always assign the client a dynamic address from their
very large pools every time I reconnect. This was as true back in
the 28.8kb dial up days as it is in the 10gbit FTTH days we live
in. Having a static IP address here has always been a service you
have to pay for.
I remember this being hilarious when idiots would ip ban me back on
the IRC days: "oh no, I have to press the reconnect button!"
BlueTemplar wrote 3 hours 24 min ago:
Is it ? I'm not in the US and I've always had a fixed IP.
Which seems to have been best practice for IPv4 and is still best
practice with IPv6 :
HTML [1]: https://www.ripe.net/publications/docs/ripe-690/#5--end-...
onli wrote 8 hours 40 min ago:
No, not specifically. That section is still written under the
misconception that IPs are bound to households, or static networks
like university networks. Instead they can swap at the very least
country wide (or rather, however the provider manages the IP
addresses it controls). Their mental model is just not how the
internet works.
By using IP as the ban id they created a system that constantly and
regularly banned completely innocent steam IDs, thinking they are
somehow linked when a new steam id uses a banned IP, which is
nonsense. They just did not notice because the banned gamers did
not complain.
Ekaros wrote 8 hours 34 min ago:
Being from country with lot of IPs for operators. I did some
packet sniffing on DHCP broadcast traffic seen by my router(ISP
should filter that...) and I saw at least 3 non-continuous public
IP blocks... And that was just day or less of monitoring this
traffic...
So if the same connection(plug in wall) can end up with IPs from
different blocks, well, trying to do anything sensible with this
is too complicated.
therein wrote 8 hours 54 min ago:
Yeah, you would think they would rely on their secret cookie in that
situation instead, to minimize false positives like that.
ZeroCool2u wrote 8 hours 57 min ago:
Server side only anti-cheat is one of the problem domains that I'd
really love to work on at some point in my career. This is the type of
adversarial arms race that just seems really fun to think long and hard
about.
arminiusreturns wrote 5 hours 29 min ago:
Something I'm working on now. The real issue is that you get more
perf hits trying to do all the important stuff server side, so devs
have become lazy and offloaded more to the client than they should
have, and then that became the standard. Moving all important actions
server side isn't easy or cheap but it's how you prevent cheating
much more holistically.
Now add in that I'm running a physics-heavy game with 120 tickrate,
(considering higher after more tests), with fine motor control action
combat, aimed to scale to mmorpg size, and it really becomes a
challenge!
andrewmcwatters wrote 5 hours 52 min ago:
The state of the art is pretty boring and you can learn about user
command payloads in an afternoon.
The world is much more complex now that YOLO-based aimbots exist, and
I think the real answer is that anti-cheats are now defeatable,
period.
You can craft a private binary that has no hash registered to any
major anti-cheat service on the client-side, and on the server-side
youâre limited to what is allowed by game rules.
Since thereâs no mechanisms for preventing super human reflexes,
and there probably shouldnât be, itâs an issue that cannot be
solved anymore.
So you need community judgement, and that too is boring. Good players
being accused of cheating in Counter Strike is a years old and
entertaining problem.
BlueTemplar wrote 4 hours 15 min ago:
> now that YOLO-based aimbots exist
the what ?!?
mardifoufs wrote 4 hours 0 min ago:
Probably refers to the YOLO family of object
detection/classification models. Though I wasn't aware that they
could be used for something like cheating in csgo. They are
really fast compared to most AI models but I thought that it
still wouldn't be fast enough to give you a real advantage
(especially for pros), as cheats usually depend on "wall hacks"
or similar, and being able to see more than what you could see on
your screen.
Night_Thastus wrote 8 hours 50 min ago:
Only problem is, a lot of companies do NOT want to pay for it. It's
'treadmill work'. No matter how many people and how much money you
throw at the problem, it still ends up just coming back. It's a
losing battle because there are many, many more players than there
are developers.
J_Shelby_J wrote 5 hours 17 min ago:
> Only problem is, a lot of companies do NOT want to pay for it.
Because they're 10 years behind the curve and don't understand that
a game's lifespan is contingent on anti-cheat. Once it becomes
clear to the casual player that a hacker is going to effect every
gaming session, the game dies quickly. Many games have gone so far
as to obfuscate the presence of hackers so that players are less
likely to notice them (CoD)! Other games build from the ground up
with anti-cheat in mind (Valorant). Other games have an ID verified
3rd party system for competitive play (CSGO).
Personally, I think there is a middle ground between root level
hardware access, and treating cheating as an afterthought. I'd lean
more heavily on humans in the process... Use ML models to detect
potential cheaters, and build a team of former play testers to
investigate these accounts. There is zero reason a cheater should
be in the top 100 accounts; An intern could investigate them in a
single day! More low hanging fruit would be investigating new
accounts that are over-performing. I'd also change the ToS so legal
action could be persued for repeat offenders. Cheaters do real
economic damage to a company, and forcing them to show up in small
claims court would heavily de-incentivize ban evaders. This
probably sounds expensive and overkill, but in the grand scheme of
things it's cheap; it could be done on the headcount budget of 2-3
engineers. It'd also be a huge PR win for the game.
doctorpangloss wrote 34 min ago:
> Other games have an ID verified 3rd party system for
competitive play (CSGO).
Ha ha, you mean paying for the game and holding your Steam
account as collateral?
Unit327 wrote 57 min ago:
> don't understand that a game's lifespan is contingent on
anti-cheat
Or you could spend a huge effort on cheatproofing only to find
that no-one plays your game in the first place, e.g. Concord. I
imagine getting cheaters in your game often falls into the "nice
problem to have" category and it is easy to kick the can down the
road.
TechDebtDevin wrote 1 hour 56 min ago:
> Many games have gone so far as to obfuscate the presence of
hackers so that players are less likely to notice them (CoD)!
How does CoD accomplish this, or other games that use similar
strategies. I can't wrap my mind around how you could do this
effectively while also not identifying hackers for the purpose of
banning. Banning = Cheater buying another license to the game, I
thought they like banning people for that reason :/
J_Shelby_J wrote 47 min ago:
One example I remember from CoD warzone is they've increased
the number of in game 'wallhacks' available to players like
UAVs and heartbeat sensors. So if you get killed by someone
with wallhacks, it easy to tell yourself they were using the
plethora of legitimate ways to be detected. It could just be a
coincidence that these new features obscure a hackers
visibility, but given the behavioral psychologist they have on
team, I won't write off any coincidence as chance.
globalnode wrote 3 hours 25 min ago:
even though im not a cheater in games, i wouldnt play a game that
threatened to take me to court if they deemed me to be one.
interesting thought though.
willcipriano wrote 8 hours 30 min ago:
My idea:
1. Determine minimum human reaction times and limit movement to
within those parameters on the client side. (For example a human
can't swing their view around [in a fps] in a microsecond so make
that impossible on the client) this will require a lot of user
testing to get right, get pro players and push their limits.
2. Build a 'unified field theory' for your game world that is aware
of the client side constraints as well as limits on character
movement, reload times, bullet velocities, etc. Run this [much
smaller than the real game] simulation on server.
3. Ban any user who sends input that violates physics.
Now cheating has to at look like high level play instead of someone
flying around spinbotting everyone from across the map. Players
hopefully don't get as frustrated when playing against cheaters as
they assume they are just great players. Great players should be
competitive against cheaters as well.
TechDebtDevin wrote 1 hour 53 min ago:
Cheaters who spin don't care if they get caught. Its the closet
cheaters you can't catch like this who's aim bot only locks on
the head of someone when the cross hair its a certain amount of
pixels from the head, or they set it to never lock on the head.
ultimafan wrote 4 hours 37 min ago:
Playing against subtle cheaters is imo more rage inducing once
you realize it's actually happening. New or poor players won't
notice and won't call them out on it or participate in a votekick
because they genuinely can't tell the player is cheating. Average
to good players get tilted because they might have enough game
knowledge to know something is off but not notice it every time
or be able to call out exactly what's happening. They end up
second guessing too much. And you can't improve and get better
playing against subtle cheaters because they're going to be doing
things you just can't. Great players can probably tell more often
than not but they're going to quit in droves when they realize
the playing field isn't fair. Subtle cheating is much more
destructive to a games longevity because trust in public matches
is heavily eroded over time. Rage hackers you can just
kick/ban/leave the match yourself because it's obvious.
Workaccount2 wrote 5 hours 25 min ago:
The vast majority of cheaters are not "rage hacking", but instead
using cheats as a skill assist.
Take a moment and think about how you would design cheats that
would be undetectable. Hot keys, real time adjustments, all the
options and parameters you could provide cheater to dial in their
choice experience while also keeping them looking legit.
Then realize cheat developers thought of all that decades ago and
it is waaayyyy beyond what you can dream up in a few minutes.
Hell cheats nowadays even stop cheaters from inadvertently doing
actions that would out them as cheaters.
willcipriano wrote 2 hours 24 min ago:
You misidentify the core problem, or at least why it is a
problem from a business perspective.
The problem isn't cheating itself, the problem is players
feeling like they have been cheated (and thus not buying micro
transactions in the future).
If you can limit player action to things that look plausibly
human, less players will feel cheated and will be less likely
to drop out.
This system would be put in place on top of existing systems
and if implemented as I have described could be done so fairly
cheaply from a operational perspective (getting it off the
ground will require a good bit of dev time).
If you had ELO based matchmaking (that dropped matches where
the player performed far below what they had previously done to
prevent sandbagging) a cheater with "perfect play" would end up
only playing against other cheaters after a time.
johnisgood wrote 5 hours 7 min ago:
> skill assist
Yeah, most games have builtin aimbot, called "aim assist". I do
not like it, in fact, I find it annoying as a player, too (I
come from Quake 3).
jorvi wrote 5 hours 46 min ago:
> Now cheating has to at look like high level play instead of
someone flying around spinbotting everyone from across the map.
Players hopefully don't get as frustrated when playing against
cheaters as they assume they are just great players. Great
players should be competitive against cheaters as well.
No, those are still just as vehemently hated as âcloset
cheatersâ, for example the whole XIM / Cronus infestation on
any game that has controller AA.
Itâs still possible to, on average, spot if itâs a closet
cheater or an actual good player due to things like movement and
gamesense, but for the average player it will be much less
obvious, leading to a huge amount of rage towards good players
because they are by default suspected as âjust another closet
cheater.â
johnisgood wrote 5 hours 5 min ago:
What are you referring to by "gamesense"? FWIW you can
implement all sorts of movement hacks, from dodging bullet
particles to appearing laggy enough to seem to be teleporting.
jdietrich wrote 4 hours 32 min ago:
Gamesense: a mental model of the game by which players can
anticipate and pre-empt the actions of other players.
A CS:GO player with good gamesense will habitually keep their
crosshairs at head height and aim at corners where an enemy
is likely to emerge. They'll have an intuitive sense of how
long it takes to run from one point on the map to another.
They'll listen through walls for footsteps to try and decode
where the enemy are, where they're headed to and what
strategy they might be about to attempt.
To the uninitiated, it looks a lot like cheating - you peek
through a window and instantly get headshotted before you've
had any chance to react. To the guy who hit you, it's just
basic gamesense - you did a predictable thing and he punished
you for it.
ultimafan wrote 4 hours 9 min ago:
Yeah, it feels like a dead giveaway when someone at higher
ranks has near perfect but within the realm of believable
gameplay from a mechanical standpoint (great aim
control/accuracy, hitting lots of flick shots) but then
they're running all over like a headless chicken, getting
lost on the map, have no regard for positioning and angles
when pushing or defending, just purely leveraging "skill"
alone.
johnisgood wrote 4 hours 19 min ago:
Thank you, that makes sense.
berbec wrote 8 hours 12 min ago:
This is a slippery slope which we can view in real-time looking
at the speedrunning community. Many current real person runs are
using strategies once thought to be computer-only. A Mario run
from 2024 would be viewed as totally impossible in 2004.
burnte wrote 5 hours 54 min ago:
No one does multiplpayer speedruns.
endgame wrote 3 hours 9 min ago:
Counter example: [1] There's also the multi-world randomiser
community, where people network a bunch of emulators
together, and finding an item in one game can actually unlock
something else in another player's game.
HTML [1]: https://www.youtube.com/watch?v=8g_7Hx42P1Y
BlueTemplar wrote 4 hours 26 min ago:
Of course a lot of people do them. They even do them with
multiple teams in parallel, starting at the same time !
jwagenet wrote 6 hours 1 min ago:
This isnât really a relevant concern for online games since
speed running is mostly rehearsed play with predictable game
mechanics, not inhuman response to novel stimulus.
bob1029 wrote 8 hours 14 min ago:
This is kind of getting into my idea - Statistical methods &
maybe a sprinkle of old-school machine learning.
What I would try is to hire a red team & blue team and put them
in a sandbox environment. The red team cheats on purpose. The
blue team is guaranteed to be playing legitimately. Both teams
label their session data accurately. I then use this as training
& eval set for a model that will be used on actual player inputs.
The only downside is that you will get a certain % of false
positives, but the tradeoff is that there is literally nothing
the cheaters can do to prevent detection unless they infiltrate
your internal operations and obtain access to the data and/or
methods.
anamexis wrote 8 hours 46 min ago:
Are there more sophisticated cheat developers though?
Night_Thastus wrote 8 hours 39 min ago:
Cheat development these days is incredibly sophisticated. There
are swathes of tutorials, old and recent examples to research,
advanced inspection tools, etc.
It's so much easier to make cheats today than it was, say, 10
years ago.
It's also easier because more and more games are sharing common
infrastructure like game engines, as compared to the past. What
works in one Unreal game may save you a lot of time developing a
cheat for another Unreal game.
These days, many online games encounter serious cheats within the
first couple of days of release - if not the day OF release.
BlueTemplar wrote 4 hours 17 min ago:
It's funny, with "sophisticated", I would have expected "so
much harder".
But I guess the documentation and standardization are even more
advanced ?
berbec wrote 8 hours 10 min ago:
It can happen in days sometimes.
0:
HTML [1]: https://www.ign.com/articles/final-fantasy-14s-latest-...
oneplane wrote 8 hours 24 min ago:
Some of the sophistication is not really in the technical
breaking of the game or protocol anymore, figuring out if
something is plausible might yield detections that you cannot
"cheat" because it no longer matters if your cursor clicked on
a head at the right time or not, it matters if your
posture/reputation/experience makes your behaviour plausible.
Cheating and anti-cheat used to rely a lot on the pure
technical parts (like "is something sneaking some reads from
the memory the game engine uses to clip models?"), which is
ultimately not something you will win as a game developer
(DMA/Hardware attacks or even just frame grabbing the eDP or
LVDS signal and intercepting the USB HID traffic has been on
the market for quite a while).
But implausible actions and results for a player can only be
attributed to luck so many times. Do 30 360noscope flick
headshots in a row on a brand new account and you can be pretty
sure something is wrong.
If we can get plausibility vs. luck sorted out to a degree
where the method of cheating no longer matters, that's when the
tide turns. Works for pure bots as well. But it's difficult to
do, and probably not something every developer is able/willing
to develop or invest in.
Night_Thastus wrote 8 hours 12 min ago:
It's hard to balance around those sorts of things. For
example, imagine a cheat that gives the player additional
info about where enemies are and their state (ie: health).
Even if they are of totally normal skill level in terms of
movement and aim, that info will allow them to be
substantially better than others. How are you going to detect
that, and differentiate it from players who simply have a
great sense of map awareness and a good ability to keep track
of enemies and when to punish them?
Anything that makes assumptions about player's skills runs
into problems too. For any online PvP game, the skill ceiling
will rise with time. What once may have been considered
improbable may soon become what's consistent for the top 1%
or even 0.1% of the playerbase given a few years.
As well, it can run into problems as rebalancing occurs and
new abilities are released.
oneplane wrote 7 hours 53 min ago:
Even the base example would make that specific scenario
trivial: an account that is new has no business "being
better" than everyone else.
The only group you'd punish with that is skilled players
that lose their account (and create a new one), but if you
use a moving skill window they can grow back into their
plausibility pretty quickly, and it's a small cost compared
to everything else. And you could even mitigate that by
making things like the first 10 matches require a different
plausibility score than the matches after that.
And with different I don't mean "no scoring at all" or
something like that. But a cheater tends to not cheat "a
little bit". You might have togglers, but that sticks out
like a sore thumb (people don't suddenly lose or gain skill
like that). And even if that fails (lots of "cheating a
little bit" for example), you've still managed to boot out
the obvious persistent cheating.
And that's just with 1 example and 1 scenario. Granted,
that bypasses the fact that it is still difficult and doing
it broader than one example/scenario is even more
difficult, but that's why I ended the previous comment
pointing out the difficulty and associated cost, which goes
hand in hand with the balancing difficulty you pointed out.
Even tribunal-assisted methods (not sure if Riot games
still does that) have the same problem.
johnisgood wrote 5 hours 2 min ago:
> Even the base example would make that specific scenario
trivial: an account that is new has no business "being
better" than everyone else.
You cannot and should not rely on that, depending on what
account really means, e.g. in ioquake3 games, having a
new GUID (you delete a specific file to get a new one)
makes you a new player.
oneplane wrote 4 hours 50 min ago:
Sure, it would only work on games where the client and
server both authenticate, otherwise none of this will
work as there would be no reputation to be relied on.
johnisgood wrote 4 hours 12 min ago:
I agree, just thought I would mention. :)
> A smurf is a player who creates another account to
play against lower-ranked opponents in online games.
Happens in many games, including League of Legends on
which people typically spend a lot of money.
Night_Thastus wrote 6 hours 43 min ago:
What about new players who are competitive in other,
similar titles, and thus start off with a strong
advantage?
And - what about experienced players who cheat?
In some scenes, it's actually more often that cheaters
are some of the best, most experienced players who have a
strong competitive lean and feel they 'deserve' to win,
so use cheats to get an edge. It's far more common than
you'd think.
That's the problem with any anti-cheat system. It's all
the what-ifs. Every single 'clever idea' that has been
theorized under the sun has been tried and most have
failed.
oneplane wrote 4 hours 43 min ago:
Those players would be initially quarantined either way
and a sliding experience window would put a limit on
what is plausible. Same goes for transferrable skills.
Experienced players who cheat will still be subject to
plausibility. Say there is a normal amount of variance
in humans but suddenly some player no longer has
variance in their action. That's not plausible at all.
Or a player looking at things they cannot see, that
might sometimes be a coincidence, but that level of
coincidence is not plausible to suddenly change a
drastic amount.
Again, this sort of thing doesn't catch all subtle
cheaters, but those are also not the biggest issue.
It's the generic "runs into a room, beats everyone
within 10ms", and "cannot see, but hits anyway all the
time" type of cheat you'd want to capture
automatically.
A what-if in a tournament or the top 1% of players is
such a small set of players, you'd be able to do human
observation. Even then someone could cheat, but you're
so far outside of the realm of general cheating, I
wonder if that's worth including in a system that's
mostly beneficial inside the mass market gaming
players.
Either way, this sort of detection is usually done in
the financial and retail world, and results in highly
acceptable rates and results. It's not perfect with a
100% success rate or something like that, but it's
pretty successful. Just not something studios or
publishers seem to want to invest in. It's much simpler
to just buy or licence something (like Easy
Anti-Cheat). Broad internal expertise isn't something
the markets are rewarding at this point.
therein wrote 8 hours 59 min ago:
I am surprised VGUI browser shares cookies across Steam accounts. When
I log out of my Steam account, switch to another one, launch the same
game, I would have expected an entirely different datastore to be used
for the VGUI browser.
mobeigi wrote 8 hours 31 min ago:
It was a security nightmare. Basically a half baked browser with a
subset of the security considerations you'd expect from a browser.
Valve worked on it for a little while patching bugs as they popped up
(notoriously slowly I might add). Then in August 2017, an exploit in
which server operators could execute JavaScript on players that
joined their servers started to spread and was maliciously abused by
bad actors. For example, some server operators using their player
bases residential IP addresses to sign up to gambling websites so
they got kickbacks. Others simply tried to hijack Steam accounts or
sell rare Steam virtual items on the Steam marketplace to themselves.
After Valve patched the above exploit, some smaller bugs popped up in
the following weeks and 2 months later in October, Valve completely
binned the VGUI browser in CSGO. They had enough! This broke a lot of
plugins like IdentityLogger and music players that would play music
in the background as you played the game. But at least the attack
vector was removed.
jandrese wrote 8 hours 35 min ago:
The VGUI browser was a security nightmare, which is why Valve
eventually deleted it from Steam.
awestroke wrote 8 hours 47 min ago:
The VGUI browser also allowed servers to steal the steam session
cookies. So not a very hardened implementation at all.
Giorgi wrote 9 hours 0 min ago:
Thinking about it, steam should force this on every game developer that
has cheating problem (I am assuming mainly shooters), maybe implemented
better fingerprinting way, giving developers options to hide cookies
somewhere in folders of their choosing.
jandrese wrote 8 hours 30 min ago:
The problem is that once a technique like this becomes standardized
the cheat software will know how to automatically disable it. Even
in the article it points out that had the cheaters put in the work
they could have edited a single text file to break the system, but
they did not. If this solution had been implemented for all CS:GO
players then it would have been defeated fairly quickly, but since it
was just one set of servers those were easy enough for the cheaters
to avoid.
That said, eyeballing the chart in the article you can see an
enormous ban wave that happens when the system is turned on, but
afterwards the total level of cheating quickly returns to roughly
where it started. If there were long term impacts it was only in the
reduction of staff hours needed to review game footage to determine
if a player is cheating.
Ekaros wrote 8 hours 53 min ago:
Risk there is that what ever id is generated tends to leak. So lot of
cheaters will either tamper with it or circumvent it. So the game
will continue and not actually be effective for very long.
Broge wrote 9 hours 5 min ago:
Feels disgusting with the hidden fingerprinting but very technically
impressive!
DIR <- back to front page