141 comments

[ 2.9 ms ] story [ 205 ms ] thread
No matter how low-level they get in the OS, this is ultimately a losing battle.

Aimbots have gone analog (src: https://hackaday.com/2022/04/30/aimbot-does-it-in-hardware/)

What can they do next? Demand webcam access with your mouse visible, I guess?

(comment deleted)
I could see a webcam pointed at your hand/keyboard to verify input being something legit players would happily opt into.
This is already the standard for speedruns and high-score records for certain games. Partly just because it makes the recording more interesting to watch, but increasingly it's for evidence of not-cheating.
Okay, but you couldn't just have a linux computer procedurally generating that video, then exposing itself to the host computer as a webcam over usb gadget driver?

Not to mention that you would have to comb through all this footage to detect cheaters... It is honestly a laughable solution.

Yes, but writing a program to synthetically generate correct images will take a while to come out in which players can play without cheaters ruining games.
Creating a system to automatically verify correct videos will take a while to come out, not to mention that it is extremely invasive for the end user and requires that they own all this extra equipment and bandwidth.

The cheater does not even really need to generate fake video like I've described. Aimbots can be as subtle as the cheater wants them to be, offering <5% precision adjustments which won't be visible on a webcam. Not to mention that half of cheating is just information assistance like wallhacks which this doesn't even cover.

What do you think is a better way to validate the input is legitimate?
The point is that the cheating problem is unsolvable at scale against sufficiently motivated attackers.

It would be possible to solve if the incentives are not that strong to cheat, but the status game associated with multiplayer games takes care of the "sufficiently motivated part".

It would be possible to solve at a small scale (e.g. at a tournament) by manually vetting hardware and manually reviewing footage.

But preventing cheating at scale against motivated attackers is so expensive as to be uneconomical. The devs will probably try to install whatever malware they can get away with in order to demonstrate to their shareholders that they care about it, but I'm guessing even the devs will be relieved when Microsoft just blocks their kernel-level malware because they know the risks it entails.

(comment deleted)
So many problems with this idea..

Can you imagine your child saying “Mom / Dad I need to buy a webcam to play this game”. Alarm bells will be going off immediately.

Financially speaking, every player needs to buy a webcam to play even a free to play game ?

Do you need a camera of a specific quality ? What if the light in your room is off and the object detection can’t work out where your hand is ?

Do you get kicked from the game because the sun went down and you didn’t turn on the light ?

Can’t imagine the compute resources required to pull this off. The skins in the game will probably have to cost 10x more.

This is just what comes to mind after thinking about this for 2 mins.

I imagine it would start with competitive leagues first and then slowly expand into mainstream if the technology proved itself.
Can’t imagine a significant number of users ever accepting this solution, there’s too much hassle involved.

Users who are not attempting world record attempts or playing tournaments where money or fame is on the line.. in other words.. 99.99% of the user base will have no incentive to bother with webcam hand recording anti-cheat systems.

They will just move onto another less bothersome game that doesn’t require it, and that game will eat the webcam-required always recording game's market share.

There will always be servers for the players that don’t care about hackers to play on.

For the ones that are sick of having their games ruined by hackers they’ll angle their webcam down at their hands (or use the app on their smartphone) and join the server that supports it.

The difference in effort, for a cheater, between installing a cheat as a user process and a kernel driver is about one button click.

I can decide to cheat, stick my CC info into a website and download a program in less than 5 minutes. To get hardware I need to provide my shipping info and wait a couple of days. If the hardware is banned, I need to wait a few days before my replacement hardware is there, or with software I just update and restart.

It's not an all or nothing thing, it's a game of cat and mouse. The aim isn't to completely stamp out cheaters at any cost, it's to raise the bar sufficiently high to make it so that enough games aren't destroyed by cheaters.

> If the hardware is banned, I need to wait a few days before my replacement hardware is there, or with software I just update and restart.

Except perhaps the first few iterations, the hardware won’t be banned. You’ll just have to load a software update for your DMA hardware.

Great, so for the first few iterations hardware bans are effevtive!
Those first few iterations are already happening.
How could the cheating hardware be banned? it is general-purpose, there is no change in the programming of the host computer that couldn't be combated by reprogramming the cheating device.

Security-by-obscurity is a game of cat-and-mouse where the cat is blind and the mouse is invulnerable.

The hardware isn't banned, the player is banned if the anticheat detects the hardware being used. The hardware might be reprogrammable and self modifying at some point in the future, but until it is and it's widely available a root level anticheat is adequate protection.
The player is not banned. The player's account is banned. It is a free game- they can make as many accounts as they like.

The hardware will become widely available once kernel-level anticheat becomes widely used.

>if the anticheat detects the hardware being used.

The only thing the anticheat will be able to detect is ordinary hardware. My cheating device will capture input from HDMI or PCI, the software sees it as a graphics card or a display. My cheating device lets me inspect memory directly, the motherboard just sees a normal stick of RAM. My cheating device lets me bhop and aimbot- the OS just sees an ordinary USB keyboard and mouse

> The player is not banned. The player's account is banned. It is a free game- they can make as many accounts as they like.

You're right and my wording was sloppy. Often account bans come with "hardware" bans which are an attempt at stopping this from happening but like any other form of anticheat they're not 100% effective (and nor do they need to be to be worth having).

> The hardware will become widely available once kernel-level anticheat becomes widely used.

Sure, and then the barrier for entry has been raised to buying the correct hardware, having it and keeping it up to date.

> The only thing the anticheat will be able to detect is ordinary hardware.

That's a very bold claim. There's no reason to assume that the hardware will match exactly - I expect that as the cheaters pick devices to spoof the cheat detectors will look for (and find) discrepancies.

Regarding the hardware detection - there's always way to up the game and make the system totally airgapped.

It is not impossible to have mechanical actuators pressing keys and moving a mouse, and a webcam watching a real monitor. While that's an awful lot of work compared to just reading data off a bus and simulating a HUD device, consider that some decades ago (when the fight was entirely about API hooking and ReadProcessMemory) DMA snooping was considered merely an unrealistic, theoretical possibility.

Games have been using fake memory addresses to catch cheats for decades, there’s no reason to assume games won’t try and find memory inspectors by having multiple stores of value and catching the one being processed or modified.
> The hardware isn't banned, the player is banned if the anticheat detects the hardware being used.

how? it can report itself as any pci device

The cheat software can report itself as any software, so that is the secret sauce. Can't say I'm privy to how exactly that is. The difference between "reports itself as X" and "reports itself as Y" are the same problem space.
the software actually has to interface with the operating system, which is how it's detected

the PCI card doesn't

it can be a regular perfectly functioning NIC with a different ROM chip

That's why I have to qualify it with ultimately

Right now, the analog option is out of reach except to those with the right skills. But the hardware isn't that expensive even now, and will only get cheaper. All it takes is someone to commodify it.

> Right now, the analog option is out of reach except to those with the right skills.

What skills? Buying something online, then plugging it in once it shows up on your doorstep?

If there are out-of-the-box options now, then yeah, it could be as you describe.

If you're assuming everyone knows how to wire up motors to a microcontroller and get the software set up and calibrated, that's not accurate. If you want to minimize that to a term besides "skills," that's your prerogative.

I don't think there are any commercial-grade hardware gaming aids on the market right now. If we don't count gaming keyboards and mouses with macro functionality (some folks consider those "cheats")

All the devices I've seen were hobbyist DIY proof-of-concept hardware. And if we're talking about real hardware assist (a machine that sees a screen and helps human operator with their inputs), it needs a machine vision trained for a specific game/setup and that's also quite an effort.

One dream is that I'll live long enough to see humans actually getting cybernetic enhancements and how much of a fuss that's gonna make on the gaming industry.

In the same tune, I genuinely do want to see what Olympic Games could become if anything they consider "cheating" would be allowed - I honestly want to see what humans are actually capable of (though, of course, I won't be happy if people would ruin themselves over merely a silly goal of "winning"). I believe that - unlike most arms races in history (except the Space Race, I guess) - this kind of stuff is going to be actually beneficial for humanity.

I'm not a smart guy, and probably there are some issues that I entirely miss (or maybe even not register as they don't match my beliefs), but that's a honest opinion. And yeah, I'm a sucker for science fiction.

No, but the higher the moat the less cheaters you have. No anti-cheat is perfect or even blocks all cheaters, hell even console has aimbots thanks to console modding. It’s about reducing the amount, making it harder and preemptively banning people who go at it wrong, i.e.: using a known cheat.

Better to have few cheaters than a million of them running baby’s-first-Python-script that just sends plain old WM_MOUSE.

Of course, this is just a blog post by a gaming company for their gamer audience, but lots of this stuff is downright dishonest. For example:

> Now, while most players might find the idea of a corrupted Windows installation objectionable, a disturbing number of cheaters have shown themselves to be downright enthusiastic about the opportunity to jump onto some guy’s botnet in exchange for the ability to orbwalk

Kernel mode cheats do not require joining some guy’s botnet or installing a rootkit, even if they use similar techniques. If this claim was true, Riot would have every incentive to publish more detailed analysis in order to deter people from cheating. However, popular cheats aren’t malware, so they can’t do that. Instead, they’ll just stick to vague insinuations.

It’s a lost battle anyway, DMA cheats keep getting better every day. They will inevitably render clientside anticheat obsolete.

Is there somewhere with aggregate information from analysis of cheats and what they contain?
>DMA cheats keep getting better every day

These require buying physical harder instead of someone being able to just download a cheat for free. Also if you are writing memory to cheat / sending weird packets you can detect that and ban them.

> instead of someone being able to just download a cheat for free

Decent hacks are already rather expensive, it’s not unusual for people to pay above $100/mo.

> Also if you are writing memory to cheat […] you can detect that and ban them.

There is no generic way to detect this.

Many are around $50/mo too so people are spending $600/year on a subscription to keep the cheats up to date and patched.
>There is no generic way to detect this.

You have the anticheat hook the game to monitor the game setting the memory and then the anticheat waits for the cheat to modify a location in memory.

It's a cat and mouse game, but that's the nature of anticheats.

they paying a monthly subscription for "undetectable" cheats these days anyway

and they're not cheap, $59.99/month would be pretty middle of the road

a cheap $30 card is nothing

The video mentions people being willing to pay up to 2k for such devices. With the DMA device itself costing a couple of hundred, plus cheat development time, plus extra hardware, I don't expect these setups become very affordable any time soon.
at the moment they're being assembled by people in their garages

once economies of scale take off they'll be $19.99

People are willing to pay up to $2k for regular software-based hacks.
From this video demo'ing a real DMA cheating device -- https://www.youtube.com/watch?v=AIbkt6Rl8FA -- the DMA is read, but the input to the computer is automated "movements" from a device masquerading as a USB mouse i.e. no DMA/memory writing.
Not all cheats can be done via a mouse or keyboard. Take for example a name changer where you steal the name of a teammate to confess people. Or for changing your movement speed or setting your client to think it's actually alive when dead.
...and those kinds of cheats are best avoided with a bit of server-side validation.
> DMA cheats

Oh, thanks for mentioning those! I wasn't keeping track of what's going on with "cheats/anti-cheats" and I've just learned those are finally a thing. The concept was obvious since forever, of course, but I've searched for the phrase and realized it had actually materialized and seem to became fairly mainstream (mass production PCI Express cards, neat!) rather than just a theoretical idea or proof-of-concept hardware.

Check out pcileech. Private hackers are using the FPGA module now. Some anti cheats are proctored these days, they see what you see to eliminate ESP/visual indicators. They’ve only just added mouse/hand aim proctoring (some DMA devices made automatic adjustments to the mouse direction with the help of hacked and custom mice - so you see an enemy left, your hand moves right, the mouse movement is overridden and moves left).

It’s very cool.

Non proctored hacking is totally defeated, the last available bastion is audio hacking (just continuously play beeps where enemies are so even if they’re hiding and not moving, even a proctored session would be able to make use of it).

> Some anti cheats are proctored these days, they see what you see to eliminate ESP/visual indicators

Meh, https://github.com/EngineOwningSoftware/pcileech-webradar

Proctoring means someone watching over your shoulder and surrounding environment. That is, setting up cameras for a side-on view, and behind you - with visibility of your screen(s). Only relevant for tournaments.
That’s what I would’ve taken it to mean, but I’m rather confused with regards to where you might actually run into that?
Every pro-league is going to end up doing this. Either through publicly visible time-delayed streams of the user's room, desk, front-of-user - or through a private entity dedicating a resource to manually review reports from proctored games who will only view suspicious or manually reported encounters/events.

Obviously this doesn't scale, so it'll be limited to paid leagues and tournaments.

> However, popular cheats aren’t malware, so they can’t do that

It is a rather popular practice to bundle things like discord token stealers amongst cheat developers to find people acting against them. While more uncommon, it isn't unheard of shipping a whole RAT alongside with the cheat.

> It’s a lost battle anyway, DMA cheats keep getting better every day. They will inevitably render clientside anticheat obsolete.

If an anti-cheat manages to stop all client-side cheating - it has already won. Requiring a hardware device to be shipped / being unable to start cheating right after a quick online purchase will deter most of the people that are considering purchasing cheats.

> If an anti-cheat manages to stop all client-side cheating - it has already won. Requiring a hardware device to be shipped / being unable to start cheating right after a quick online purchase will deter most of the people that are considering purchasing cheats

No anticheat, kernel mode or not, has come even close to that. The situation has remained mostly unchanged for at least a decade now.

It’s the cheat developers who have an opportunity to seriously demoralize anticheat developers, not the other way around. The proliferation of DMA cheats will make any time spent fighting software based cheating significantly less valuable.

> No anticheat, kernel mode or not, has come even close to that. The situation has remained mostly unchanged for at least a decade now.

While the situation has mostly "unchanged" from the perspective of the end-user, the barrier of entry to start making cheats has been raised quite a bit.

I'd say making a commercially viable cheat (assuming you actually care about your customers not getting hit by every ban wave) isn't exactly a trivial matter nowadays.

> The proliferation of DMA cheats will make any time spent fighting software based cheating significantly less valuable.

The future you talk about is not yet here. External device based cheats are a miniscule part of the current cheating market.

> They will inevitably render clientside anticheat obsolete.

Doubt it. There is no alternative on open platforms. Serverside anticheats are dead on arrival, they are and will always be easy to fool.

Serverside anticheats can at least ensure that cheaters won’t be able to perform vastly better than real humans at the highest levels.
So what? Real humans at the professional level are so much better than any casual player, it makes no difference in experience for the latter. You'll hopelessly lose every single time.
>2 years ago

So (2020)?

Also kinda funny a Unix-y element is referenced (/dev/null) whereas the target is only Windows.

> Now, while most players might find the idea of a corrupted Windows installation objectionable, a disturbing number of cheaters have shown themselves to be downright enthusiastic about the opportunity to jump onto some guy’s botnet in exchange for the ability to orbwalk.

So they acknowledge that running third-party stuff in kernel mode increases the likelihood your machine gets owned by malware, in the very same blog post where they tell you that from now on, they demand the ability to run their own third-party stuff in kernel mode on your machine.

> So they acknowledge that running third-party stuff in kernel mode increases the likelihood your machine gets owned by malware

Which is utter nonsense. Nothing will touch this kernel mode stuff unless they’ve already owned your machine. All the data you care about is accessible from usermode anyway.

The risks of kernel mode anticheat have been wildly overstated, Riot is engaging in the same to spread silly FUD regarding cheats.

At least on Linux, a bug on the kernel module could lead to injection of other kernel modules, packages being installed, core binaries being tampered with, which are not impossible to do in userland but require deceiving the user in entering its credentials.

I think on Windows, such actions lead to an overlay that ask for authorization and can't be auto-clicked ? If so, I think having such a prompt when not expected will rise attention from the tech-savy users which may report the culprit binary. A bug in the driver being exploited would lead to the absence of the symptom, potentially increasing the time before a first user notices it.

> At least on Linux, a bug on the kernel module could lead to injection of other kernel modules, packages being installed, core binaries being tampered with, which are not impossible to do in userland but require deceiving the user in entering its credentials

None of this matters, because all the files you care about live in your homedir anyway. In a desktop environment, the malware can tamper with your .profile to replace e.g. the sudo binary and gain root access without any exploits.

> The risks of kernel mode anticheat have been wildly overstated

How many things like https://github.com/Luohuayu/evil-mhyprot-cli and https://mobile.twitter.com/TheWack0lian/status/7793978407622... have to happen before you'll believe that there really is a significant amount of risk here?

In both of those cases someone has already hacked your machine and can run arbitrary binaries. They’ve already stolen all of your credentials from browser databases, all of your secret files from your homedir and so on.

Besides, Windows LPEs are a dime a dozen anyway.

(comment deleted)
And if I do banking from one user account and gaming from a different (limited) user account?
Literally nobody does that. That riots anticheat driver might interfere with your incredibly niche use case is fundamentally not a very compelling argument.

Besides, Windows LPEs are a dime a dozen anyway.

Accounts are not a good separation of context already, let alone privilege escalation exploits.

If you’re concerned about one use affecting the other you’re much better off dual-booting two Windows installations, both using BitLocker. They’d use separate keys and AES-XTS means there’s tamper protection as well. One partition could, at worst, destroy the other.

Not to mention them saying "if you use AAA games, you may already have such a thing running already so one more won't kill you." whereas, in real life, it increases the odds that a system will get hacked due to it since the attack surface increases (The number of bugs in "EA+Riot" could not be less than "EA", but could be higher, and the other way around)
> whereas, in real life, it increases the odds that a system will get hacked due to it since the attack surface increases

Bullshit. In real life nobody will hack you with a videogame anticheat kernel driver exploit.

They will hack you with a browser exploit, a ms office exploit, or just because you downloaded a malicious executable and decided to run it.

I agree that getting hacked through a browser is a far higher risk. However, the said browser is hopefully running with admin privileges, and if it is needed by the malware, it will need something else to exploit. If it was some small editor, it would serve no purpose for this. But we're talking about Riot Games, whose software is installed on hundreds of millions of machines and thus have a non-neglictible odd of being on the target's computer.
Admin privileges don’t matter, all the stuff you care about lives in your homedir.

Have you ever seen a real world example of super common and super insecure AV drivers being exploited for LPE? Probably not, it’s not worth the trouble.

I don't know if it has been exploited on the wild, but the subject seemingly interested some enough to find escalations bugs in https://en.m.wikipedia.org/wiki/SafeDisc.
Yes, there are tons of these bugs and tons of PoCs. However, in real life, nobody bothers to exploit them because there’s very little to gain by doing so.
> In real life nobody will hack you with a videogame anticheat kernel driver exploit.

That's just not true - for example, the infamous capcom.sys

The implication is that Riot only stands to gain a small amount of money if they decide to actually start a botnet using their customers' machines, with a lot of risk of lawsuit/bad PR if they do so; and that cheap cheat makers, due to their already-shady business and anonymity, are more likely to start selling botnet access on the side to make extra cash.
The risk isn't that Riot uses the module maliciously. The risk is that the module contains a security vulnerability, and that someone else then uses it maliciously.
Good cheats are expensive (like, often more than $100 per month) Cheat makers have way higher per-user revenues than Riot.
No they acknowledge that cheat Trojans exist.
> your machine gets owned by malware

That's the whole point, is it not? Anticheat is malicious software burning up CPU cycles and reducing security whether you're cheating or not...

> This isn’t giving us any surveillance capability we didn’t already have.

I think this is an important line. Regardless of how people feel about anti-cheating efforts, I don't believe many people realize how much access games already have to their system to the point where it's kind of a miracle there aren't more malicious games out in the wild.

Why limit your argument to games? All softwares that are ran without sandbox sadly have this issue. Any software could be malicious, not only games.
Games? You mean literally every piece of software on (most) computers? Most default Windows, Linux, Mac single user setups are vulnerable to having everything be intercepted/exfiltrated by every program installed. Why would games be of concern specifically?
Unless someone is 'that friend' that always tries to download shady programs and has tons of malicious extensions (previously toolbars) installed, I imagine most people are naive to the amount of potential harm desktop software can do; using common sense when browsing and sticking to typical programs (for games, Steam/third party big-name publishers' launchers) is very low-risk, so eventually you forget that any program could be stealing your browser cookies in an instant.

Discord currently has this problem[0] where people send DMs stating 'will you playtest my game' and that exe just steals the user's stored Discord login token and uses it to proliferate the scam to more people, and/or uses the token to buy tons of gifted nitro.

0: https://www.reddit.com/r/discordapp/comments/s1f1vs/the_rece...

Because games are generally thought of as harmless. Most people aware a rogue piece of productivity software or something can cause them issues. Games, for whatever reason, don't get that same consideration.
You basically can't have a PC game in 2022 without a kernel rootkit to detect cheating.
Small caveat - multiplayer PC game.
They’ve never actually rolled this out for League. I’ve played hundreds if not thousands of hours of competitive matches over a decade and never seen a blatant cheater (maybe 1-2 cass botters, but couldn’t be sure).

Given that it’s one of the biggest online PvP games around, I don’t think you or Riot are really making a strong case here.

I believe this is referring to Vanguard, the anti-cheat Valorant uses that at some point is supposed to come to League.
To understand why it's a strong argument, you have to understand the difference between 2D games like League and 3D games like Valorant. In a 2D game, the game is slow enough that you can keep most of the state server-side. The potential to cheat in League is very low. Things you might want to do include (1) macros to do combos (2) automatically run away when low health (3) bigger alerts when an enemy is charging your lane (4) skillshot aiming. None of those are going to really push you up in rank. You'd be better off just getting good at them yourself, as you'll have more flexibility than relying on a tool to do them for you (and then having to fight the tool when you don't want them).

A 3D game like Valorant or Call of Duty is much more fast-paced and also introduces a third dimension. This means that transferring the visible game state to the player every frame is much more difficult, both for the server to keep track of, and for the network bandwidth available to the players. This means that in 3D games, there is often client-side data that the user is not supposed to see (such as the exact position of an enemy who has ducked behind a wall, but the server hasn't stopped sending you position data for yet). This poses a huge advantage to whoever can get access to that data and display it somehow. These are called cheats... And they can run in kernel space. This is why they need their own kernel rootkit to detect them.

This article seems to be a bit unclear, but it seems like their point is to justify kernel-mode anti-cheat in broad strokes. I don't think they're just talking about League here. Adding anti-cheat to League is probably not a priority, for reasons I've outlined above.

Having started my technical career long ago as an angsty teen looking to develop cheats, I'm aware of the architectural issues. This is probably a hot take, but for FPS and the like, I view wallhack-type cheats as fully inevitable, and more of a game design challenge than a technical one.

Compared to old school FPS like COD and CSGO, I'll throw out Overwatch as a good example of a game that de-emphasizes the relative importance of knowing an enemy's position by dramatically raising TTK and placing importance on team coordination, mechanics, and character selection. A cheating sniper in OW can easily get shut down by the coordinated actions of two enemy tank players. Designing the game in a way that limits the ability of a single wall-hacking sniper to ruin the experience is IMO much more effective than getting into a kernel-level AC arms race. Valorant still has cheats available for it, after all.

Okay but all of that is irrelevant to the point I'm arguing, which is that you need user-side kernel-mode anti-cheat or the cheaters are much more numerous and pass some point where the game is not fun to play for most non-cheaters. And redesigning the game to be cheater-unfriendly by adding vehicles and stuff is just limiting the game experiences you can have, because someone doesn't like rootkits (luckily, most players don't care).
What definition of “rootkit” are you using here? I’d consider myself fairly well-versed with rootkits, but don’t understand how game anticheats could reasonably be described as such.
Does Microsoft have to approve these drivers? I would argue Microsoft should not allow this kind of thing if they really want to provide security.

Apple would never approve such a mechanism, for sure.

For Microsoft you need a code signing certificate [0], shell out about $500 and to follow some instructions.

Apple do allow this through kernel extensions, but its very much opt in from users.

[0] https://docs.microsoft.com/en-us/windows-hardware/drivers/de...

While i'm not sure if it works for device drivers, Microsoft is working on Azure Code Signing, which moves it from third-party vendors to MS directly.

For Apple, kexts have been deprecated for a while, with more modern APIs available for ensuring privacy and security in device drivers[1].

1: https://developer.apple.com/support/kernel-extensions/

But kexts are only deprecated and not removed. Someone having enabled kexts is just as likely to be cheating as they are using an old audio interface device with their DAW.

Edit: good to know about MS, I didn't actually know that!

(comment deleted)
This is very concerning. Installers on Windows in 2022 should not even require admin permission (only elevating if a user wants to install for all users). What if Riot had a supply chain attack and someone attached something far more malicious to the kernel?
What damage do you expect they will do with kernel access that they won't do with admin access?
Due to cheaters, anti-cheats, and a general trend towards invasiveness... I've been thinking that individuals compartmentalizing gaming to dedicated machines (e.g., gaming consoles, dedicated PC gaming rigs) is a good idea.

Separating out the requirement to run games, from the general-purpose computing requirements, opens up more options. It also pushes fewer people towards buying into Windows way of life for everything desktop/laptop.

It's a fantastic idea, and the reason I own a console. The extra advantage of consoles is that both I and the developers know that the other players on my platform are all on locked down hardware so measures like this are unnecessary for everyone.
After spending enough years fighting spammers and fraudsters, short of having an aggressive anti-cheating operations team (which can work great, but is of course expensive to operate), our spam strategies pointing to really one solution: making it more expensive to lose an account. This is why I think consoles are winning (too expensive to get banned) and why I thought VAC secure made a lot of sense (as long as the game isn't free - precisely why TF2 is now a bot haven). There needs to be some skin in the game that the cheater will lose if they get banned. Even the chance that they'll get detected deters them (which is absolutely fantastic when you consider the battle from an OODA loops perspective).
What a load of baloney. It's an open secret that client side cheat detection is a losing battle, and yet many games still persist with these unacceptably hacky half measures. The correct approach has always been to perform the cheat detection on the server side and use statistical analysis to detect and ban cheaters. No brittle assumptions about client environment resulting in potential breakages or false bans. No invasive rootkits that could compromise your users' machines. No opportunity for the client to reverse engineer or instrument the binary to patch out the cheat detection methods.
> yet many games still persist with these unacceptably hacky half measures.

Unfortunately what you're suggesting is a hacky half measure.

From a servers perspective there is no difference between a client with a shitty connection and a client who is pretending they have a shitty connection to cheat. The reality is that servers trust clients for some cases (and verifies that those things are possible) because it provides a better experience for a large number of players.

> No brittle assumptions about client environment resulting in potential breakages or false bans.

Let's be honest, server side anticheat is no less susceptible to this than client side. If you're banning on heuristics there's going to be false bans at some point, and you are making assumptions about a perfect client environment with this approach.

> No opportunity for the client to reverse engineer or instrument the binary to patch out the cheat detection methods.

Except you can analyse the ban rates based on how "aggressive" your cheat is across all your players and adjust the effectiveness to keep it under that threshold. If we're going to make the claim that cheaters can always adapt to client side cheats, we can make the same claim for server side cheats.

> From a servers perspective there is no difference between a client with a shitty connection and a client who is pretending they have a shitty connection to cheat. The reality is that servers trust clients for some cases (and verifies that those things are possible) because it provides a better experience for a large number of players.

Lag switching is only one kind of cheat that applies mainly to multiplayer FPS games, and as I said, it can be mitigated through statistical analysis. A simple method would be to kick players (but not ban) from a match if they have too many latency spikes. A better method would be to analyze how often a player's latency spikes coincide with their kills, and ban them if there is excessive correlation.

You are right that preventing any and all forms of cheating is impossible, especially where such methods would negatively impact the player experience. But a perfect solution isn't necessary. Issuing bans after the fact is still effective, as long as the cheaters don't make too much progress or otherwise cause too much impact within that time frame.

> Let's be honest, server side anticheat is no less susceptible to this than client side. If you're banning on heuristics there's going to be false bans at some point, and you are making assumptions about a perfect client environment with this approach.

But that tradeoff is entirely under your control. With server side heuristics, you are in a better position to understand how it works and document it so that others on your team understand it as well. You can tweak its parameters and specialize it with assumptions specific to your game mechanics, and minimize false positives to some probability interval. You can identify specific cheating patterns (e.g. perfectly tracking an enemy behind walls long since the enemy is last seen) and tailor your heuristic to detect such cases. You can feed it more sample data to increase its accuracy. You can set up processes to verify ambiguous cases with human moderators in the loop. None of this requires any assumptions about the client environment, it only requires analyzing the player inputs received by the server over the network. Client side heuristics, on the other hand, tend to be based on things that serve as rather poor proxies for cheating. Running the game in a virtual machine? Banned. Running the client in WINE on Linux? Banned. Driver signature enforcement disabled? Flagged. User running AutoHotKey or WinDbg or Ghidra? Flagged. New Windows update that breaks some internal NT kernel ABI that my anti-cheat rootkit was relying on? Uh oh. These detection methods are better than nothing, but heavy reliance on them has made it easy for cheaters to circumvent anti-cheats while still causing issues for legitimate players whose setup might deviate slightly from the norm.

> Except you can analyse the ban rates based on how "aggressive" your cheat is across all your players and adjust the effectiveness to keep it under that threshold. If we're going to make the claim that cheaters can always adapt to client side cheats, we can make the same claim for server side cheats.

While true, this sort of signal carries much less information than what you can gain from reverse engineering client side cheat detection. You can make it more difficult by issuing ban waves at fixed intervals, and slightly varying the thresholds by some small random amount each time. Larger ban wave intervals mean that it takes longer for cheaters to infer the behavior of your server side anti-cheat, at the cost of taking longer to ban cheaters. But again, that tradeoff is under your control.

Every now and again I read things on HN about the area that I work in that reminds me that HN despite being confident doesn't always know what it's talking about. If it's so easy, can you share a prototype of someone doing it? Surely, if you can solve the entire problem of anticheat in one HN post there must be some proof to back it up.

> Lag switching is only one kind of cheat that applies mainly to multiplayer FPS games, and as I said, it can be mitigated through statistical analysis <...>

These methods are already in use with client side cheat detection. The thing about latency spikes is that there are many things that cause them. To use your example of checking when spikes appear near a kill in an FPs, presumably a kill is associated with a spike in traffic (multiple users shooting, extra movement, etc). So it's far more likely that you see spikes at the point of extra network traffic. Lag spikes wee also only one example.

> With server side heuristics, you are in a better position to understand how it works and document it so that others on your team understand it as well

You have control over all of these things with client side heuristics and cheat detection too don't forget.

> Running the game in a virtual machine? Banned. Running the client in WINE on Linux? Banned. Driver signature enforcement disabled? Flagged. User running AutoHotKey or WinDbg or Ghidra? Flagged. New Windows update that breaks some internal NT kernel ABI that my anti-cheat rootkit was relying on?

Firstly, the NT interface is probably the most stable of any software im aware of. I don't personally keep up with kernel breakages but my understanding of them is they're incredibly incredibly rare. They're also very well documented and published on a mostly expected cadence. If an anticheat isn't being kept up to date, it's ineffective, whether or not that's in relation to it's heuristics or its support for OS features. Secondly, there's a reason all of those things are suspicious. (And as an aside many games don't actually ban you for running them, they pop up and tell you to turn them off before killing the game . They _do_ ban if you bypass that check though).

> causing issues for legitimate players whose setup might deviate slightly from the norm.

Having ghidra or windgb running, or running via wine isn't "slightly" out of the norm, it's a statistical anomaly that would be flagged as "massive outlier" if heuristics were applied. Also, why is it ok for players whose software setup deviates from the norm, but not ok for players with outlying network setups?

> You can make it more difficult by issuing ban waves at fixed intervals, and slightly varying the thresholds by some small random amount each time.

So exactly the same methods in use right now?

Doesn't every machine with thunderbolt have the ability to have its memory edited undetectably?
Don't IOMMU's prevent that these days?
That's not much protection, as it pertains to "trusted computing," if it can be silently turned on or off as a bios setting.
Seeing how many cheaters there still is are on Valorant (where they already employ such techniques), I really doubt this is helping much. But yay, let's keep pushing more and more intrusive software on user's computers.
Simply disgusting to see someone trying to find excuses for usage of outright malware with arguments like "users shouldn't care anyway".
This is a pattern I see very often and that I think all of us can see all the time. The developers of software try to control how the users use the software.

This is not just a regular customer or user relationship between the user and the developer. This is something else, some kind of controlling behavior that we need to get rid of.

You can't force someone to stop doing something as long as they do it on their own computer. You have to choose; either people use your computer with your rules or they use their own computer with their rules.

If players want to cheat, that's the player's problem, not the developer's problem.

…and on that same note, the developers have total say over what someone does on their computer — the server.
No player runs code on the developer's server. They just send packets to it, just like my web browser sends packets to web servers. Nobody is trying to put anti-cheat software in my web browser.
So? You’re still using their server. They can choose to require you to follow certain rules to do so.
They can choose the server rules but I choose what code runs on my computer.
My point is that they can stipulate to run their code on your computer if you wish to connect to their server — which is the current situation. If you uninstall/disable anticheats, the server declines your connection.
That's what I meant in my first post that we need to get rid of. There is too much of this behavior that companies try to get into people's computers and control what they can do with their own computer.
But, again, why can’t they stipulate requirements for using their services? If you don’t want to run their anti cheat then you can’t play on their servers, simple.

It bothers you and (relatively) few others that they need to run a kernel driver to prevent cheats, but it bothers countless players when a game is plagued with cheaters, and yes, there’s some prevention done by anti-cheats. Call of Duty: Warzone has/had a notorious cheating problem and absolutely no anti-cheat system.

> why can’t they stipulate requirements for using their services?

They can and they do, but there is too much of this behavior that companies require too much access and control of people's computers. My computer is my private thing. It's like my home. No company requires to come home to me when I want to do something; they send mail. I want more things to work like the web: everyone has 100% control of their computer and web browser and they can connect to web servers and those web servers can have whatever rules they want but they don't try to get into people's computers.

It becomes the developer's problem when the players are quitting the game because cheaters are ruining it though. And also the player's problem who want to play a game without cheaters.

For example, BattlEye started out as 3rd party anti-cheat for Battlefield Vietnam because the players wanted better anti-cheat. Similarly Face-IT and ESEA run their own anti-cheats that are opt-in and not part of the developer's game.

It becomes the developer's problem because they put themselves in a position where their money and future depends on what random people do in a game. Nobody should expect it to go well when you connect random people on the internet and require them to behave. Just look at Twitter and places like that. We need a different structure.
What do you have in mind for a different structure?
One old and tested solution is that you play with your friends or people you trust. This has worked perfectly for board games and other pre-internet games for many years.

Otherwise if you want to play at a bigger scale, I don't know how you would do that. Maybe that's just the lesson you have to learn, that random people on the internet can't be trusted.

You have the "right" to run cheats on your machine and Riot has the right to stop you from connecting to their servers and ruining the experience for their customers when you do it. The software is still installed and you can use all of its offline features all you want, which in the case of Riot games is stare at a login screen because they are all live service multiplayer games.

Why is your right to disrupt a service for other people more important than their right to enjoy that service?

I'm not interested in any right to disrupt a service; it's just something that can happen because of other rights: to run arbitrary code on your own computer, and trying to remove that right is not going to work. We need a better solution.
Riot's anti cheat is the only one I've found that causes my KVM virtual machine running Windows to BSoD.

Ironic that the post title indicates Linux-awareness but the post content breaks any chance of playing Riot's games on a Linux computer.

Riot Vanguard outright states that virtual machines are not supported (for valid reasons; how do you ensure the guest OS memory isn’t just tampered with by cheats outside?). It doesn’t surprise me that it doesn’t work.
Yes, I know Riot has stated that VMs aren't supported.

I'm no expert on anti-cheat but other popular games (e.g. Apex Legends) run without BSoD and as far as I can see don't have serious issues with cheating.

I don't think this is an issue of technical necessity so much as an issue of there being very few Linux gamers and even fewer using something like VFIO to run games rather than dual-booting.

Apex Legends has its own troubles of cheating but it’s less seen because it’s a battle royale game, you spectate them “once” compared to playing 20-so rounds against a cheater.

And IIRC Vanguard is purposefully strict.

Does this mean you have to disable Hyper-V to run LoL?
No, League doesn’t use Vanguard to begin with, and Hyper-V is excepted because your OS is the root VM, i.e. another VM can’t manage it. Just LSASS and such, and they’re trusted.
dota2: overwatch. With the right data, nice users and probably a bit of ML...
Putting aside the technical aspect, the tone of this post feels familiar to me.

In one of my earlier roles, I was responsible for a system used to filter internet access for about a million school students. The students were absolutely easily able to bypass our filtering in a bunch of ways we could not address, as we had no control over the client devices.

Being a team of professionals in a situation where we were constantly being defeated by a bunch of kids felt humiliating, even as we acknowledged the uneven battleground we were fighting on.

I suspect a similar feeling was behind this blog post. Why else say things like "as much as we might like the idea of an ever-escalating appsec war with teenagers"? This comes off as bitter and insincere to me. As though they're trying to put down their adversary while simultaneously acknowledging they're losing the battle and need to deploy the nuclear option.

Edit: not that "teenager" is necessarily a put down. If there's one thing I learned from that job, it's that teenagers are incredibly resourceful.

I wonder if their anti-cheats will work on Linux and if they will be GPL compliant.
It's infuriating that developers still espouse this secure client method.

It doesn't work.

You just chase the cheats higher and higher up the stack and once they're in the hardware, you're boned. And they're already in the hardware. Between direct memory access and actually external AI devices, people can cheat.

So either audit client actions to make sure they only do what they can do (via peers and server) or do the rendering server-side to stop information leaks. Anything else is dishonest and a waste of everyone's time and safety.