> banning having reverse engineering tools open, or having used them recently on game files
Seems like a smart way to catch inexperienced/up and coming cheat devs. How many non-cheat devs really have IDA on their gaming PC? I did and it was for developing cheats
I'm sorry, but that's a really narrow minded take. There are a lot of good reasons to have IDA or Ghidra installed on your computer, if only for fun and learning reverse-engineering. This should NOT prevent you to play others games.
( To everybody reading this : if you like computer and puzzles, you should absolutly try to reverse-engineer a simple binary at least once. It's fun !)
I assume this is a joke, but still... I have had Ghidra open in the background for a while (weeks), as I worked on some IoT projects for my cats. While I'm biased and I hold some unpopular opinions... I think not just me, but most people definitely would get offended if suddenly some game would refuse to start and/or ban online account.
Honestly, banning players because they have RE tools feels like a generally counter-productive idea. Best-case scenario is that it'll require an engineer who was actually going to RE game files to get another account, stalling them very briefly. Worst-case scenario is getting someone with technical skills and free time pissed off enough to actually start messing with the game (potentially, in a less respectful way than your average cheat developer might - looking for game-breaking exploits than just automating things or providing extra information to the player), even if they didn't mean to.
I recently saw that Roblox kids are trolling each other by putting "x64dbg" in their display names, because the game checks the window title of every running app and refuses to run if it sees that string anywhere :^)
Not literally IDA, but I once had OllyDbg on my "gaming PC" (really my "everything PC") because I was trying to help a game developer debug a problem that apparently only happened on my PC.
It's not so uncommon for homelab / cyber security researchers. I have an older licensed copy of Ida and Ghidra on my main gaming pc. Mostly to keep dumb research of workstations I use for legit work.
As someone who has lost a fair bit of my hand eye coordination as I've aged, I wanted to say thank you to you and your community for developing some cheats.
Specifically those for single player games, I've used them to finish games so I can view the story/endings.
The screenshot function pointed in the article out will only be able to take screenshots on older versions of Windows with no compositor, i.e. the ones that draw directly to the scan-out framebuffer. That's why he found it's not used anywhere--it's obsolete.
Specifically, it can access screen content, but not window content. As in, passing in the desktop hwnd gets you a picture, passing in a different hwnd gets you a bunch of black. At least as of when I tried it a few months ago on Windows 10.
All of the windows visible on screen. For my use case, I was taking a screenshot of my app (for automated testing), so I ended up taking a full desktop screenshot and cropping it to the window.
Thats what I was thinking. Some of the higher end EFT cheats I've used were drawing to the screen but were not picked up by any sort of screenshot tools or even streaming on Discord. It would appear that the whole "take a screenshot of the screen" anti-cheat is no longer effective.
As a connoisseur of online game hacks, I'm utterly stunned at the level of sophistication that both parties partake in with respect to the cat-and-mouse game of cheat/anti-cheat.
Some are technically very interesting, like the hardware DMA device I previously used. The firmware was customized specifically for a subset of users specifically to avoid detection (it eventually failed). Others are very clever, like the hack that was dynamically compiled as an Xbox Game Bar module.
No, this works fine even on current versions of Windows that can only run with the compositor, as the DWM special-cases blits from a display DC or GetDC(0). It will even switch windows out of independent flip if necessary to do this, which can be seen with PresentMon.
Well, it's more basic functionality than backwards compatibility. There was no other API to capture the screen from Vista to Windows 8, and not being able to programmatically take screenshots wouldn't have been viable. The newer DXGI Output Duplication API wasn't added until 8.1 and that still requires the DWM to change its composition strategy when active.
A perk of gamimg on Linux is that none of these invasive anti-cheats work. I consider that a plus since I never care enough about a video game to surrender my privacy or my kernel over to it.
The really invasive kernel level ones don't and probably will never work, but there's a chunk of them that do. One of the big ones, Easy Anti Cheat, mostly works[1].
totally agree, but there are some things we just cant do.
I bought Marauders to play with my son, and had maybe 4 months of excellent fun play with him. Then the dev's enabled EAC... now I cant play it anymore :-(
I cant blame the mods, they never wrote the game to work on linux it was just a happy happenstance that i could use proton to play it before the EAC transition.
Every game i have in my steam catalogue is at risk of this (except for the native ones obviously)
Why wouldn't you blame them? They should at least provide an option to turn it off like games used to. It looks like it's a co-op game; if you're playing with your friends/family why do you need anti-cheat?
Why do you need self hosted servers? Most looter shooters are p2p in game, right? Either way, you just need a filter to allow matching with other people that have anti cheat off. Or at least allow private groups in that mode.
Right, that's the criticism. Games used to make it optional. Why'd they stop (I suppose so they can sell you things like skins that you could otherwise just mod in like people used to)?
They used to be about having fun. If you wanted to put gravity at 10% and make everyone use only rocket launchers with unlimited ammo, that fell within the parameters of having fun:
I am not a fan of anti cheats, but I do like to play video games online and I want to be able to play fair games without cheaters. I am not sure what other options there are.
A locked down system, possibly including remote attestation if things get real bad, is the only realistic solution aside from game streaming which removes the hardware from the user's control altogether.
The freedom afforded in personal computing by Windows and Linux is fundamentally mutually exclusive to the security that multiplayer game operators and proper players legitimately need.
It's why game consoles and mobile gaming are the core gaming platforms. Note how Sony and Microsoft blacklist consoles suspected to be used by cheaters, and how games (and also banking) absolutely hate rooted smartphones because it breaks the assumption of a locked down and secured system.
Unironically, Cloud gaming. Stadia had a terrible business model, but the tech worked. Microsoft's XCloud together with GamePass could be a winning ticket for that. (I think there's also GeForce Now)
Of course, that wouldn't prevent anyone from capturing the screen, running image recognition software on the screen and sending USB Controller inputs to create an Aim Bot, but then again, that's not something anti-cheat software can stop these days anyway.
Cloud gaming will never be good enough for competitive FPS or racing, the latency will never be overcome, it's just physics. And if you want to do 300-400FPS, like most high-level players in CS2 do, local hardware is the only solution.
Ironically, cloud gaming is the perfect solution for single-player game, where input lag and high FPS doesn't matter much.
That aimbot would be significantly harder to implement than current ones though, the good aimbots are not generally scanning the framebuffer for heads to click, they are using the game data directly. If they do use frame scanning, it's usually with the aid of a texture swap, which also wouldn't be possible here.
I remember playing online games in the 90s and early 2000s without lots of cheaters. It was easy: if we thought they were cheating we banned them from our server.
Rust players (the game, not the language) have discovered what CS players knew back in the day - the best anti cheat is an active admin. Although Rust has much better tools than CS server admins had back in the day - we essentially had to guess, and deal with the blowback if we were wrong.
At some point, admins started to ban me pretty often, accusing me that I use wall hack (I don't), so I stopped to play online years ago. I started to play online again two weeks ago, I cap my system (I hide my cursor, I cap my framerate at 60fps, I use a submachine gun) to have more fun, but other players are trying to ban me anyway when I kill 4 enemies in 2 seconds.
Obvious cheats like spinbots spinning like crazy aren’t the only form of cheating, many cheats are more subtle and you may not realize as a player in the game, or an admin. Just look at the occasional streamer caught cheating — it’s not even obvious with tons of people watching their first person POV streams.
If we couldn’t tell they were cheating, than they weren’t ruining the experience. They didn’t gain anything from cheating on our server. There was no ranking or prize for being good.
Except lots of people like rankings and matchmaking with similarly skilled players, and people like winning too, so completely removing the incentive to cheat is throwing the baby out with the bathwater.
I really enjoy matchmaking games, though... being able to immediately find a game against someone of similar skill as you is a huge factor in enjoyment. I don't want to give that up.
Plenty of server admins even back then thought that wouldn't scale, and it hasn't. Anti-cheats like BattlEye and Easy Anti Cheat started as community developed anti-cheats. Even Starcraft 1 ICCUP (3rd party Battle.net clone) had additional "anti-hack". Counter-Strike still has 3rd party servers with ESEA/FaceIT. They have additional anti-cheat, not less.
Especially with gaming becoming mainstream compared to early 2000s. The majority of players are now casual gamers who are not interested in a job as a server admin/hoster.
On the flip side, I am really annoyed about games that require anti-cheat, especially if I would just play them single player, because it makes it harder or impossible to play them on Linux.
I got VACd on Linux the other day. Not cos I was cheating, just blocking VAC from network access. And not because I was blocking VAC deliberately, just blocking arbitrary code running from random /tmp steam binaries.
It is a pretty fucked situation that in order to allow anti cheat, you have to abandon securing your machine.
Your kernel might be private, but all your files can be accessed by the game, if it's run by the same user, which I imagine is the setup for most gamers. And since games are proprietary and auto-updated, the potential to do damage or compromise privacy is very high. Adding the kernel to the mix basically changes nothing.
Please don't post nationalistic flamebait. Even a decade ago, screenshots were long outdated as an anti-cheat measure. The code posted in the article is extremely tame, it's amateur hour compared to what modern anticheats like EAC/BattlEye/Vanguard do, especially in competitive leagues.
Nothing ruins the fun faster than lag-switching lamers. Accordingly, one can never trust client side security enforcement, or you just create a tit-for-tat economy with cheat-code authors.
The better solution is often live admins with a cheat-report button, server-side physics reconciliation trip-wires/audits (no time-travelers), and using clipped areas for character buffering (x-ray vision attempts floods buffers and crashes the client.)
The only information an online game-engine should be pulling is the hashed GPU chip serial-number for account ban enforcement.
The worst part about cheats is they ruin the fun for themselves too, as a game becomes pointless and boring.
Installing a RAT has no justification on hardware people didn't pay for...
Some chunk of the problem comes from companies trying to avoid spending money on dedicated+good servers, and choosing business models that are hostile to the idea of players banding together to subsidize their own little institutions.
1. Submitting an already active card signature is an instant ban
2. Spoofing a signature will still force you to re-register, lose your current rankings, and zero your nontransferable e-store account balance.
3. Most people don't account for the other system signatures that will also get randomly audited over several months
4. Remember part of offline audits is comparing each clients game-log to look for suspicious glitches like inhuman aim behind occluded objects, and "weird" physics. Hope they find it is a QA issue on replay... =)
Are you saying that accounts should match one-to-one to GPUs, and that two instances of the game can't run on the same machine at once? These assumptions are unrealistic: what if I upgrade my graphics card? What if my friend wants to play too, and remotes into my machine to do so?
And I don't understand which cheating behaviours this restriction is supposed to prevent.
No, there should only be 1 GPU with a specific signature active at any given time.
If multiple user accounts are tainted by the same flagged signatures, than you risk getting everyone on that hardware banned. It is usually clearly stated in the EULA expected fair play section, and it is at the admins discretion... Buy that used cheap rtx3090 at your own risk... ;)
"two instances of the game can't run on the same machine at once?"
In general, most performance heavy platforms are not going to support multi-account mode anyways.
"what if I upgrade my graphics card?"
Your associated hardware signature would simply be updated upon login. However, accounts associated with flagged signatures often remain inactive to block logins/new-account-registration/store-access.
"What if my friend wants to play too, and remotes into my machine to do so?"
Depends how the admins enforce the signature collision events. In most cases, all users will get a 1 week ban, and a warning a 1 year ban will follow. Again, the admins usually have discretion about believing users stories...
"And I don't understand which cheating behaviours this restriction is supposed to prevent"
It helps prevent persistent cheats returning their hardware purchases, re-registering, and continuing to annoy other players.
This is a very common practice on Desktops, but rare on console games for obvious reasons. =3
The admin process differs between companies. Usually if you can verify you are a different person living at a different address, than IT support might remove the flagged signature with proof of sale. I wouldn't count on the admins mercy though, as cheats will often set up shilling-circles or cloud-instances to try to get around bans.
I think 2 strikes is quite reasonable to remove people breaking the game for other users. And I only know of 1 company that bans the hardware signatures on all of their game titles at once.
The probability one will experience problems before a legitimate purchase return window period expires is very low.
Have a wonderful day, and maybe try a card game like MTG. =3
> The admin process differs between companies. Usually if you can verify you are a different person living at a different address, than IT support might remove the flagged signature with proof of sale. I wouldn't count on the admins mercy though, as cheats will often set up shilling-circles or cloud-instances to try to get around bans.
I'm glad we agree that this is unreliable and therefore not a defense of the approach.
> The probability one will experience problems before a legitimate purchase return window period expires is very low.
Okay, so I buy a card I can actually afford on eBay, put it in my machine, buy a game, and get my account permabanned. What refund am I asking for that makes this okay?
> Have a wonderful day, and maybe try a card game like MTG. =3
This reads as condescending. If you don't mean it that way, then you should consider a different way to try and be friendly lest it undermine your argument. If you do mean it that way, please stop being rude.
"Okay, so I buy a card I can actually afford on eBay, put it in my machine, buy a game, and get my account permabanned."
One would have to prove they are a different person/account-location to IT admin support. It is rare, but some companies will simply watch your game-play for a bit to see what you are up to compared to the prior ban details. Note one will likely have to gamble on the compassion of each firms IT admins.
"What refund am I asking for that makes this okay?"
These sellers are almost always knowingly trying to evade the consequences of their behavior, and trying to recoup their money to buy un-flagged hardware. This is pointless, as there are several anti-cheat queries companies can run, and like any antisocial behavior they usually just make the situation worse for themselves by contaminating the market with more flagged hardware. Eventually their sellers reputation score will warn buyers what they are doing.
Getting a refund for the "broken" equipment is a standard ebay RMA process, and Craigslist/meta-Marketplace returns can be a bit more complex.
Keep in mind a ban may eventually lift after 12 months, but IT admins may be less convinced of your intent if a user keeps popping up as a problem.
"This reads as condescending"
It is not my call what companies do with problematic users. And MTG events also bans cheats for marked decks, and pulling unfair tricks that violate the rules. The difference is people will be upset with such antics at the same table. Personally I prefer the Royal Game of Ur over tea, and am always keen to share a good laugh with folks interested in such classics.
if one chooses to be miserable/upset, than that is their right too... But it doesn't sound like much fun. =3
> Getting a refund for the "broken" equipment is a standard ebay RMA process, and Craigslist/meta-Marketplace returns can be a bit more complex.
But the equipment isn't broken: it's perfectly-functional. Some third-party putting the GPU's serial number on a naughty list is no reason to demand (nor approve) a return. Even assuming that spoofing is impossible (it's not) and the GPU was involved in illegal behaviour, why assume the seller knows that? Not everyone plays your video game.
> This is pointless, as there are several anti-cheat queries companies can run,
I'd say it's pointless because you can just instruct your computer to report a different GPU serial number. There's no reason for a cheater to replace the hardware: the only reason to replace a GPU is if it's faulty, or you want a different GPU.
> > This reads as condescending
> It is not my call what companies do with problematic users.
That too, but: what you've written reads as condescending.
> And MTG events also bans cheats for marked decks, and pulling unfair tricks that violate the rules.
Every time someone writes a criticism of the ban methods, you start defending the bans. There's some kind of miscommunication going on here.
GPU serial numbers are not a good proxy for people you want to ban. The burden of this fact should fall on the decision-makers, not everybody else. "Guilty until proven innocent" is not usually considered just.
If one seriously violates traffic laws, than a municipality will often impound the car too. The GPU signature bans are no different in terms of community standards enforcement.
"GPU serial numbers are not a good proxy for people you want to ban"
In your opinion, and that is fine for your use-case needs. Note most habitual cheats usually lie or get aggressive when they are repeatedly busted for attempting to sneak back on the servers while under a ban. The 30% that immediately fess up at least have some integrity.
We will have to agree to disagree on whether it is morally justified. Yet it is _very_ effective at dealing with that 0.05% problem user, and is already active in many ecosystems. It would be nice seeing a better solution in action... that obviously wouldn't require DRM/rooting a users computer.
>The better solution is often live admins with a cheat-report button, server-side physics reconciliation trip-wires/audits (no time-travelers), and using clipped areas for character buffering (x-ray vision attempts floods buffers and crashes the client.)
A lot of these mitigations are table stakes, even cs1.6 had server-side physics reconciliation. Aimbots are a type of cheat that cannot be detected by the above and completely ruin games. If cheaters proliferate in your game, you end up with a dead game.
Isn't a solution to this to frame the game around communities of some sort, teams, parties, squads, bands or whatever. Basically a group you can trust. You can then play with them without worry of cheating. This works best for co-op games but some competitive games could be modeled in a way to make this work.
I assure you aim-bots are easily detectable, as many simply use client log-replay comparisons. People will often get bounced to a cheaters server at some point while the admins laugh at their antics while trying to QA the issue.
I know there's nothing that can or will happen about it (for various reasons) but the whole model around multiplayer games is flawed. You're giving someone code to run on their PC and hoping your anti-cheat code can catch their code doing bad things.
I believe there are AI anti-cheats being developed and used in China so maybe we'll end up with a Recall-esque anti-cheat everywhere in the future :)
I wonder if game streaming will become one way of kicking off cheaters if this arms race gets really bad. All of the code is stored and executed on trusted systems, you would only need to sanitize control inputs which is a significantly easier task.
It would definitely stop most cheating but at a huge cost: performance. You're not running on bare metal anymore and that would be a non-starter for competitive games.
For an FPS? Completely unplayable. Wouldn't be surprised if nausea became a widespread issue - vsync is enough to get me there, let alone network lag on mouse input.
Imagine all Olympic athletes were to start competing with an AR headset on, which added 5ms of lag to their vision. Would it be a problem if they were all forced to use it?
Not sure I understand your point. There are a lots of rules and regulations on what Olympic athletes are allowed to do. What they eat, what they inject, what they wear. All of that is to make the competition as fair as possible and to have a level playing field so as to make for an interesting competition, to draw viewers, which is what the sponsors care about.
For people watching esports, they need to believe that the game isn't rigged and people aren't cheating. A couple more scandals and the sponsors are going to require cloud-gaming just to keep viewers.
My point is that it would change the game into a different one, with a different skill-set, and forcing everyone through the same restriction wouldn't make it any better.
And even if I disregard all this, cloud gaming wouldn't solve the problem, as hardware cheats that don't run on the gaming machine would still be usable.
No, I don't think it would be a problem, which is why I'm asking the question. Human eye has a 13ms latency according to google and yet it doesn't stop Olympic athletes from existing. I don't see what making the latency 18ms instead of 13ms changes if everybody has the same.
I'm pretty far from the multiplayer game dev scene, but isn't this close to how a lot of multi player sync works anyway? Just* distribute everyone's control inputs and have them all run a deterministic simulation. And then I guess you would run the same input cheat detection on all the honest clients, which are hopefully the majority... Is this impossible or did I just reinvent something that already exists?
* Yes, I know. But at least I know determinism is possible.
A common cheat in FPS games watches the rendered frame and sends mouse input to aim+fire. The server being authoritative doesn’t help in this situation.
These sort of cheats are often entirely out of band, running on a mirror of the video stream on a second machine, and transmitting user input back via USB. Clientside snooping won’t catch it either.
That seems like it ought to be detectable statistically, unless the cheater adds jitter to the inputs to mimic human hands on a controller. And if not, it seems literally impossible to prevent so you may as well give up.
(As an aside, hearing about this kind of setup really makes me wonder what the point is of cheating. Prestige? Among what set of peers?)
> And if not, it seems literally impossible to prevent so you may as well give up.
But if you give up, and your game's competitors don't, players will switch games. The way I see it, a game developer anti-cheat goals isn't necessarily to have no cheaters, but definitely to have less cheaters than your competitor.
Determinism as a networking model is rare now a days(Still used though!) client/server is a better solution most of the time. And having determinism means the cheater could see everything. But having a deterministic sim means you must insert the cheating in the distributed to everyone inputs... So -if- you could detect cheated input reliably this could be useful.. This route probably isn't worth pursing for just cheating deterrence alone though.
Something I was thinking about just today is using a distributed message bus for networking for competitive games (I had NATS in mind, since I've been playing around with that a lot lately), and having non-players running validation and cheat detection on the messages in real time. I think some incentivization could be added to essentially reward "proof of work" for validating games do or do not have cheaters.
Not only in China, Valve for example develops VACnet. For now it's not really that useful, which kinda gets amplified by banning in waves, to make it harder for cheat developers to adapt early, but keeps cheaters playing for longer.
Gonna keep an eye on it, but I'm not to sure if it'll be the solution to this issue...
Anti cheat software because one needs to play with people one does not trust and so attempts to get good behavior from strangers by force.
Should Magnus Carlsen have required Niemman to get a cavity search? When tons of kids have neuralink implants, should they be polygraphed before taking a spelling test?
Cheating is not a technical problem, it's a people problem.
That's a good point. Though I feel there's a significant difference between defenfing comms from external and intermediary parties as opposed to forcing the behavior of the parties one chooses to interact with.
I think this underestimates the problem. Yes it's a people problem, but a game doesn't have the people-means to solve it, it only has technology.
>Anti cheat software because one needs to play with people one does not trust and so attempts to get good behavior from strangers by force.
Same could be said about laws. Goes to show that we don't have it solved it, at all. Every single system that we have has active bad actors in it, with no chance for us to catch them, by any means that we have, technological or not.
To add to this even more, it's not even a people problem, it's an animal problem - some of them also give out fake signals, in order to gain something.
I see your parallel with laws. My point is that laws force behavior in a society that we are obligated to share, whereas online games are a choice to share with certain people. The level of intrusion applied to protect a game seems over the top. Especially given many ways to enforce laws are often considered over the top, despite protecting more importent matters.
If the match includes cheaters, it's a bad match.
>The level of intrusion applied to protect a game seems over the top
I agree on a theoretical level, like, if it's my general purpose computer, then everything that runs on it should also answer to me, not other parties. This applies to anti-cheat, and also to DRM and other concepts like Trusted Computing and Secure Boot even, to a degree.
I don't see how one could prevent cheating, if one allows a software abstraction layer between the game, and the user. If a software is allowed to manipulate another software, then that other software cannot have proof that it's not being manipulated. On one hand, this is the beauty of computing, but on a practical level, this makes cheating in online games very easy and undetectable. So, because I like playing online, I made the compromise that somehow this level of intrusion is okay.
>ACE overall is a treasure trove of privacy violations: checking recently used files, uploading files to their servers, banning having reverse engineering tools open, or having used them recently on game files—the list goes on.
Microsoft should blacklist these binaries, and revoke developer certificate.
Cheaters are bad, but it's not worth unreasonably harming everyone else to stop them. I wouldn't advocate for surveillance cameras in everyone's homes to reduce crime.
Valorant took a massive amount of market share from CS:GO, in large part because of a very intrusive but highly effective anti-cheat system. Cheating in online games is a hard problem to solve and can make games completely unplayable. Gamers are generally much more bothered about cheating than about the privacy risks of anti-cheat, whether you agree with them or not.
For the paranoid, dual-booting to a games-only OS image would be a reasonable choice.
In my experience game engines just suck. How can cheats exist in a server authoritative game engine architecture? But alas, most programmers have apparently no idea what they're doing when it comes to "netcode".
I can't fix skill issues in others on a massive scale. I can not remove "crunch time" in the industry. I can not remove lack of care in others. Frankly, I was venting. Because sometimes all you can do is yell the wish for a better world into the void.
It can be hard to differentiate between insane aim and clever aim assistance
Wallhacks can be mitigated but can't be shut down completely. Valorant for example limits the information provided to clients based on pre-generated tile maps (for example, players in a tile won't have information about enemies on the other side of the map but will have information on the enemies on the adjacent tile within reasonable LoS) but wallhacks still exist because the LoS check has to be overly generous to account for ping and such
It doesn't. But it does allow preventing stuff like like seeing through walls. Although it would have to fail around corners for a short distance so players don't pop into view. Server authoritative solves less and less cheating problems the more sensitive to latency the game is. Non twichy RTS games could not send everything in the fog of war for example, and after checking for super human input, you'd have solved a good chunk of cheats.
> In my experience game engines just suck. How can cheats exist in a server authoritative game engine architecture? But alas, most programmers have apparently no idea what they're doing when it comes to "netcode".
This comment screams: I lack understanding and am overconfident because of it.
Ignoring games where all state is known to all parties (e.g. chess, racing, etc...), the fact of the matter is that servers are basically always authoritative... where they can be.
MOBAs, MMOs, RTSs, FPSs, Casino, etc... will all hide information not required to run the game on each client on the server to prevent cheaters from getting an advantage.
Turn based games or games with low tick rates (MMOs, MOBAs, RTSs) will run all player commands on the server with things that require immediate feedback (UI actions, current player position, animation triggers) smeared out to sync with the server's state and tweened to match the server state.
Fast paced games like racing sims will do client side determination with server side validation (to ensure that a player's speed never exceeds a certain value, turn speed/friction is inside a certain range, etc...).
FPS games are the trickiest:
- They can't do server side kill determination because the game requires a certain level of responsiveness that is faster than internet signals over fiber can allow for. So they use client-side kill determination that runs in real time with server side validation that runs when a server receives events from clients before passing those events to other players. For example: checking that a player didn't shoot another player through a wall, checking that another player wasn't moving too fast / through a wall / flying through the sky / etc...
- Components that require randomness are split into what requires syncing between client/server and what doesn't. Things like particle systems, ragdolls, etc... are handled entirely on the client. Things like random rolls in stores are handled entirely on the server. Things like physics systems, and recoil are handled by seeded PRNGs that are run on the client for instant feedback and validated on the server side using that seed.
- Depending on the type of FPS game, a client may need to see the positions of all (or a substantial amount) of the other player's characters. This is because a player may suddenly whip around the corner of a door and the client now seeing a new large area needs to be able to display the other characters in that area accurately without the characters only rendering by the time the server can inform the client of their position. This is mitigated by level design that can split a level into multiple chunks and the server only relaying the required info for the visible chunks. With extremely large levels where the groups of players are too far away to interact, the server can be sharded across multiple threads or offloaded to other servers. For types of FPS games that are built in a way that requires the server to not hold as much information hidden (e.g. an open arena level where everyone can see each-other anyway), the clients include replay systems where the players can report suspicious behavior.
- Really tricky things like vehicle physics are usually done with a mix of client side determination, server side validation + redetermination, and careful client side state tweening.
The fact of the matter is that cheaters are only a problem in:
1. A handful of games where the developers didn't do the right thing
2. Games where the only way they could ever be completely cheat-free would be on a physically impossible 0 latency network and instead they have to rely on mitigation instead of prevention where certain information can't be prevented from being available to clients.
----------------------------------------
Addendum: There is the possibility of hosting and processing hidden information client-side while keeping it hidden where needed by using homomorphic encryption but that requ...
I'd recommend watching some general game networking architecture videos.
Any tutorials with a tool that lets you simulate latency and packet loss will help you a lot.
Starting off with turn based games is going to help you a ton.
After you've got a handle on that it's worth looking into videos that are more specific to what you need, like fps, rts, etc... and the techniques that each kind of game uses. You'll also get an idea of how online cheating works because you'll be able to see what information each machine can read and set.
The problem is that games often install rootkits and the hackers are good enough to exploit those for RCE - just look at Apex Legends, they recently had active tournaments canceled because someone took over streamers boxes during live play - absolutely bonkers.
You sort of can't. No idea about video games but it's a big issue for chess. Really top games (world championship) are played person to person in a sealed environment with moves relayed out of the room after a 15 or 30 minute time delay. Online games of any importance require you to set up TV cameras in your playing room, etc.
Fundamentally, like with any defense in depth/security system, you need to accept you can't build a solution that stops all cheating, it's all about making the cost sufficiently high that it's so rare people have an acceptable online gameplay experience most of the time.
So at each step, you weigh how much the cost is for the mitigation (in terms of upfront and ongoing dev costs, and player problems), and the benefit (in terms of how much higher you make the barrier).
For example, conceptually, you could sell a dedicated machine that requires gov't ID and credit card linked to your account to purchase and melts down if you ever are detected tampering with it, requires a mic and camera on 24/7 to make sure you're not tampering with it once purchased, dies if it loses internet ever once turned on, etc etc, but then nobody is going to buy it because you have made the cost in terms of disruption to players too high for anyone to bother.
I'm not sure you can usefully solve it other than trying to keep the barrier for entry higher than a lot of people will bother, and possibly making the barrier much higher for something like ranked play, b/c otherwise, if you do things like if you ever close their DRM after boot, you need to reboot to play the game, you're going to cannibalize your player base, because it's too much of a pain in the ass, and they will (correctly) blame you for this.
I’m not much of a gamer, but my kids are growing up and will soon want to play the real stuff. Is there any easy way to see whether a game requires anti-cheat to run? I’d hate to spend top dollar on a game only to find it’ll take over their entire computer and I’ll want to make a hard rule “no games with kernel level anti cheat in this house” or something like that.
Rule of thumb - if it runs well on steam deck / steamos it probably doesn't have anything too extreme... most multiplayer games won't run on the windows compatibility layer as it allows the client a possible level of control that would look similar to a low level cheat.
Nearly every competitive game game is going to be utilizing some form of anticheat like this, so single player games tend to not have this issue (drm is a separate conversation)
Steam sometimes lets you know with a banner in the store page about a required 3rd party software, but there's also https://areweanticheatyet.com/ maintained by Linux gamers.
What's frustrating to me is that games will run the hyper invasive kernel level version of an anti cheat on Windows but will allow Linux plays, which has no such level of access. If we're trusting Linux players with no kernel level monitoring, why not windows players? Have cheater really not caught on that there's a lower bar on that platform? I hope they don't because I like being able to play competitive games with friends without having to reboot first.
I think it really is just that some cheaters don't wanna install a different OS, and my understanding is that there are still plenty of hacks on Windows so not much reason to change. Overwatch 2 for example has had a free undetected source-released cheat on Windows for months now (according to what I've heard on Reddit).
I believe Valorant and Roblox have had devs/employees state that supporting Linux isn't worth it for the small proportion of the player base vs the increased cheat risk as well, although feel free to take that with a grain of salt
Multiplayer games all have some kind of anti-cheat, or they have cheater dominated servers. Unfortunately I don't know any easy data source to find out the kind of anti-cheat games use. Sometimes the Steam page has details on it.
I suggest compartmentalization for games, for example a dedicated gaming machine. That way, anti-cheat doesn't have much to take over. You can connect it to guest wifi, so that it doesn't see the LAN either.
SteamDB has a "technologies used" field taken from the Steam API. Not all are bad, EAC and Battleye are the most common, and are both reputable. Those run with the game and close with the game, and they minimize data collection.
"BUT DAAaaaAAAaaaAAD! Tommy's parents let _him_ install invasive software on _his_ computer, and they're a doctor and a lawyer, so they seem really smart!"
Anti cheat engines are effectively spyware, except accepted spyware.
How can you reliably ensure someone's machine is not running a cheat without having access to what it's running?
Anti cheat is not easy and just the perception of cheaters will nuke pvp games. But personally I want better anti cheat, the only question is at what cost?
Im not sure if this is somthing we will ever be able to solve to a satisfactory degree with these top down/automated approaches.
I have been gaming my whole life and I miss the "old" days of having community run server as being the default.
You would go online one day pick a server and play on it in the mode you want (For context: I am talking about Counter Strike:Source). Over time you would get into talking with the regulars on the server and you form some bonds.
And if someone does something the majority does not like the can be vote kicked/banned. We took care of cheaters/flamers/grievers that way. An admin on the server can still revoke the ban if the banned person explains why it was unjustified.
No it wasnt streamlined, and it was sometimes unfair, and establishing global leaderboards were difficult (see ESL company).
But you had community involvment and soooooo much content (game mods and skins; all for free btw.) and it felt good to be part of it.
The lack of communities is why it seems unlikely. I remember several times successfully making my case and being unbanned!
Usually some friend of the admins was given power, they abused it, then you could go on a forum they hosted/make your case. People would chime in and so on
Children managed to "work from home" decades before the industry did
It wasn't a hassle, it was the point. Curate a community worth spending time in/with
Being denied served a function too. You learned about a community you don't want to be part of!
Modern AAA games are meant to be disposable, with a killswitch for when the next consumable is released. This isn't possible with community servers. They don't want longevity. Cheating is an entirely self-inflicted problem caused by this. Self-policing communities with moderation tools are far more effective.
These companies are so greed driven, that they lobby to make cheating a federal offence and for private police raids and private house searches, instead of making a healthy community based on previous experience. As has, disturbingly, already happened in Australia (https://torrentfreak.com/images/gtaorders-1.pdf)
In this day and age, I think that compartmentalization is the way to go. Gaming, and especially online gaming is basically public by default, so I decided that I don't fight the zeitgeist, rather I search for a place for it. I personally solved this for myself by having a dedicated gaming OS, and by not connecting that OS to my private network. So, there they have it - some control over my machine, but not much of my personal life.
I think you nail it right here. Gaming is a specialist activity poorly suited to general purpose computing. The only reason we ever used one machine for both was that home computers were expensive. Not having to support games in your daily driver means you can optimise it for real tasks, and also optimise your gaming platform for games. It's a win/win.
> Gaming is a specialist activity poorly suited to general purpose computing.
I think this is terribly myopic. Gaming and game modding/development resulted from it hugely contributed to general purpose computing in general, possibly more than any other activity. And it was only possible with games running on a general-purpose platform, not a gaming appliance.
I know, I lived through it, and it was great at the time. Note that I was responding to OP who said he he'd set aside a Windows PC just for gaming. That would qualify as a gaming appliance in this context.
This might be true for competitive games with an intrusive anti-cheat, but not for gaming in general. I also keep an isolated PC specifically for these games, for my kids and myself - only because of the anticheat. But games like KSP always go to the main PC full of tools and possibilities to mod and tinker.
Yes, in reality I do both as well. I dual-boot my PC, I have two 1 terabyte SSDs in it, one for Linux, and one for Windows. The online multiplayer stuff I do on the Windows partition, it has the launchers, discord, and a bunch of things like that - and none of my personal data, just what's very strictly necessary for gaming, and even then, I'm often 100 years old, and live at "Screwyou Avenue 1" and things like that. And on my Linux partition I live my real life, but even that has the Steam launcher with some games, which I play not particularly isolated from anything else.
I see the point in this. While PC can do everything, we can specialize it ways, and if we separate the concerns, it enables further specialization. In fact I think (and experienced) that such separation enables a healthier lifestyle as well. I can do things like the gaming notifications not entering when I'm focused on administration, and similarly, I don't get the life planner updates while I'm gaming. If one has the resources to compartmentalize, I think it's a worthwhile effort.
I am not sure if there's any public data regarding that.
But it has been estimated that the illegal market of cheats is worth about 100 million.
Many cheaters don't even intend on playing against legitimate players, looking for so called "hack vs hack" games.
At some point CS2 didn't really act on cheaters for a while and it got really ugly.
Anti-Cheats do work, there will always be ways around it but as long as these alternative paths are inconvenient enough to prevent a consumer from buying the cheat then it works.
Without Anti-Cheat modern competitive games are unplayable.
160 comments
[ 3.4 ms ] story [ 227 ms ] threadSeems like a smart way to catch inexperienced/up and coming cheat devs. How many non-cheat devs really have IDA on their gaming PC? I did and it was for developing cheats
( To everybody reading this : if you like computer and puzzles, you should absolutly try to reverse-engineer a simple binary at least once. It's fun !)
Honestly, banning players because they have RE tools feels like a generally counter-productive idea. Best-case scenario is that it'll require an engineer who was actually going to RE game files to get another account, stalling them very briefly. Worst-case scenario is getting someone with technical skills and free time pissed off enough to actually start messing with the game (potentially, in a less respectful way than your average cheat developer might - looking for game-breaking exploits than just automating things or providing extra information to the player), even if they didn't mean to.
You can basically patch the executable to skip the function that locks you out
Specifically those for single player games, I've used them to finish games so I can view the story/endings.
A less permanently-severe but real example: A Windows game which terminates (with no message) if the user opens "git bash" (cygwin).
My only windows box is in an actual physical box right now and I cannot verify.
As a connoisseur of online game hacks, I'm utterly stunned at the level of sophistication that both parties partake in with respect to the cat-and-mouse game of cheat/anti-cheat.
Some are technically very interesting, like the hardware DMA device I previously used. The firmware was customized specifically for a subset of users specifically to avoid detection (it eventually failed). Others are very clever, like the hack that was dynamically compiled as an Xbox Game Bar module.
I, too, consider it a benefit of gaming on Linux.
[1]: https://areweanticheatyet.com/breakdown
I bought Marauders to play with my son, and had maybe 4 months of excellent fun play with him. Then the dev's enabled EAC... now I cant play it anymore :-(
I cant blame the mods, they never wrote the game to work on linux it was just a happy happenstance that i could use proton to play it before the EAC transition.
Every game i have in my steam catalogue is at risk of this (except for the native ones obviously)
They used to be about having fun. If you wanted to put gravity at 10% and make everyone use only rocket launchers with unlimited ammo, that fell within the parameters of having fun:
https://youtube.com/watch?v=uo7-qyfeThU
The freedom afforded in personal computing by Windows and Linux is fundamentally mutually exclusive to the security that multiplayer game operators and proper players legitimately need.
It's why game consoles and mobile gaming are the core gaming platforms. Note how Sony and Microsoft blacklist consoles suspected to be used by cheaters, and how games (and also banking) absolutely hate rooted smartphones because it breaks the assumption of a locked down and secured system.
Unironically, Cloud gaming. Stadia had a terrible business model, but the tech worked. Microsoft's XCloud together with GamePass could be a winning ticket for that. (I think there's also GeForce Now)
Of course, that wouldn't prevent anyone from capturing the screen, running image recognition software on the screen and sending USB Controller inputs to create an Aim Bot, but then again, that's not something anti-cheat software can stop these days anyway.
Ironically, cloud gaming is the perfect solution for single-player game, where input lag and high FPS doesn't matter much.
On the other hand, you have issues like smurfers who cause the same disruption without actually running any cheat software.
Ultimately your problem is uneven matchmaking and the perception of cheating, not cheating itself.
Especially with gaming becoming mainstream compared to early 2000s. The majority of players are now casual gamers who are not interested in a job as a server admin/hoster.
I got VACd on Linux the other day. Not cos I was cheating, just blocking VAC from network access. And not because I was blocking VAC deliberately, just blocking arbitrary code running from random /tmp steam binaries.
It is a pretty fucked situation that in order to allow anti cheat, you have to abandon securing your machine.
It's a cliche, but XKCD shows this really succinctly: https://xkcd.com/1200/
The better solution is often live admins with a cheat-report button, server-side physics reconciliation trip-wires/audits (no time-travelers), and using clipped areas for character buffering (x-ray vision attempts floods buffers and crashes the client.)
The only information an online game-engine should be pulling is the hashed GPU chip serial-number for account ban enforcement.
The worst part about cheats is they ruin the fun for themselves too, as a game becomes pointless and boring.
Installing a RAT has no justification on hardware people didn't pay for...
There are better solutions, but as you stated they are not cheap or easy to monetize. =)
Isn't that literally client-side security enforcement?
2. Spoofing a signature will still force you to re-register, lose your current rankings, and zero your nontransferable e-store account balance.
3. Most people don't account for the other system signatures that will also get randomly audited over several months
4. Remember part of offline audits is comparing each clients game-log to look for suspicious glitches like inhuman aim behind occluded objects, and "weird" physics. Hope they find it is a QA issue on replay... =)
Have a nice day, =)
And I don't understand which cheating behaviours this restriction is supposed to prevent.
If multiple user accounts are tainted by the same flagged signatures, than you risk getting everyone on that hardware banned. It is usually clearly stated in the EULA expected fair play section, and it is at the admins discretion... Buy that used cheap rtx3090 at your own risk... ;)
"two instances of the game can't run on the same machine at once?"
In general, most performance heavy platforms are not going to support multi-account mode anyways.
"what if I upgrade my graphics card?"
Your associated hardware signature would simply be updated upon login. However, accounts associated with flagged signatures often remain inactive to block logins/new-account-registration/store-access.
"What if my friend wants to play too, and remotes into my machine to do so?"
Depends how the admins enforce the signature collision events. In most cases, all users will get a 1 week ban, and a warning a 1 year ban will follow. Again, the admins usually have discretion about believing users stories...
"And I don't understand which cheating behaviours this restriction is supposed to prevent"
It helps prevent persistent cheats returning their hardware purchases, re-registering, and continuing to annoy other players.
This is a very common practice on Desktops, but rare on console games for obvious reasons. =3
Which is why this is completely unreasonable.
I think 2 strikes is quite reasonable to remove people breaking the game for other users. And I only know of 1 company that bans the hardware signatures on all of their game titles at once.
The probability one will experience problems before a legitimate purchase return window period expires is very low.
Have a wonderful day, and maybe try a card game like MTG. =3
I'm glad we agree that this is unreliable and therefore not a defense of the approach.
> The probability one will experience problems before a legitimate purchase return window period expires is very low.
Okay, so I buy a card I can actually afford on eBay, put it in my machine, buy a game, and get my account permabanned. What refund am I asking for that makes this okay?
> Have a wonderful day, and maybe try a card game like MTG. =3
This reads as condescending. If you don't mean it that way, then you should consider a different way to try and be friendly lest it undermine your argument. If you do mean it that way, please stop being rude.
One would have to prove they are a different person/account-location to IT admin support. It is rare, but some companies will simply watch your game-play for a bit to see what you are up to compared to the prior ban details. Note one will likely have to gamble on the compassion of each firms IT admins.
"What refund am I asking for that makes this okay?"
These sellers are almost always knowingly trying to evade the consequences of their behavior, and trying to recoup their money to buy un-flagged hardware. This is pointless, as there are several anti-cheat queries companies can run, and like any antisocial behavior they usually just make the situation worse for themselves by contaminating the market with more flagged hardware. Eventually their sellers reputation score will warn buyers what they are doing.
Getting a refund for the "broken" equipment is a standard ebay RMA process, and Craigslist/meta-Marketplace returns can be a bit more complex.
Keep in mind a ban may eventually lift after 12 months, but IT admins may be less convinced of your intent if a user keeps popping up as a problem.
"This reads as condescending"
It is not my call what companies do with problematic users. And MTG events also bans cheats for marked decks, and pulling unfair tricks that violate the rules. The difference is people will be upset with such antics at the same table. Personally I prefer the Royal Game of Ur over tea, and am always keen to share a good laugh with folks interested in such classics.
if one chooses to be miserable/upset, than that is their right too... But it doesn't sound like much fun. =3
https://www.youtube.com/watch?v=WZskjLq040I
But the equipment isn't broken: it's perfectly-functional. Some third-party putting the GPU's serial number on a naughty list is no reason to demand (nor approve) a return. Even assuming that spoofing is impossible (it's not) and the GPU was involved in illegal behaviour, why assume the seller knows that? Not everyone plays your video game.
> This is pointless, as there are several anti-cheat queries companies can run,
I'd say it's pointless because you can just instruct your computer to report a different GPU serial number. There's no reason for a cheater to replace the hardware: the only reason to replace a GPU is if it's faulty, or you want a different GPU.
> > This reads as condescending
> It is not my call what companies do with problematic users.
That too, but: what you've written reads as condescending.
> And MTG events also bans cheats for marked decks, and pulling unfair tricks that violate the rules.
Every time someone writes a criticism of the ban methods, you start defending the bans. There's some kind of miscommunication going on here.
GPU serial numbers are not a good proxy for people you want to ban. The burden of this fact should fall on the decision-makers, not everybody else. "Guilty until proven innocent" is not usually considered just.
"GPU serial numbers are not a good proxy for people you want to ban"
In your opinion, and that is fine for your use-case needs. Note most habitual cheats usually lie or get aggressive when they are repeatedly busted for attempting to sneak back on the servers while under a ban. The 30% that immediately fess up at least have some integrity.
We will have to agree to disagree on whether it is morally justified. Yet it is _very_ effective at dealing with that 0.05% problem user, and is already active in many ecosystems. It would be nice seeing a better solution in action... that obviously wouldn't require DRM/rooting a users computer.
In my opinion, it is the lesser of two evils. =3
A lot of these mitigations are table stakes, even cs1.6 had server-side physics reconciliation. Aimbots are a type of cheat that cannot be detected by the above and completely ruin games. If cheaters proliferate in your game, you end up with a dead game.
Have an awesome day, =)
Have a great day, and let the ban-hammer fall =)
“Admin! He’s doing it sideways!”
Now there's gonna be a guy that does this specifically just to prove us wrong... lol =)
I believe there are AI anti-cheats being developed and used in China so maybe we'll end up with a Recall-esque anti-cheat everywhere in the future :)
For people watching esports, they need to believe that the game isn't rigged and people aren't cheating. A couple more scandals and the sponsors are going to require cloud-gaming just to keep viewers.
And even if I disregard all this, cloud gaming wouldn't solve the problem, as hardware cheats that don't run on the gaming machine would still be usable.
I'm pretty far from the multiplayer game dev scene, but isn't this close to how a lot of multi player sync works anyway? Just* distribute everyone's control inputs and have them all run a deterministic simulation. And then I guess you would run the same input cheat detection on all the honest clients, which are hopefully the majority... Is this impossible or did I just reinvent something that already exists?
* Yes, I know. But at least I know determinism is possible.
These sort of cheats are often entirely out of band, running on a mirror of the video stream on a second machine, and transmitting user input back via USB. Clientside snooping won’t catch it either.
The google term is "hardware cheats"
(As an aside, hearing about this kind of setup really makes me wonder what the point is of cheating. Prestige? Among what set of peers?)
But if you give up, and your game's competitors don't, players will switch games. The way I see it, a game developer anti-cheat goals isn't necessarily to have no cheaters, but definitely to have less cheaters than your competitor.
Imagine all the things that would be possible. Truly decentralised servers, where the end user can run server side logic.
Gonna keep an eye on it, but I'm not to sure if it'll be the solution to this issue...
Should Magnus Carlsen have required Niemman to get a cavity search? When tons of kids have neuralink implants, should they be polygraphed before taking a spelling test?
Cheating is not a technical problem, it's a people problem.
Yes, and technical solutions are usually a bad sign. How nice is the neighborhood that locks pharmacy razors vs the one that doesn't?
>Anti cheat software because one needs to play with people one does not trust and so attempts to get good behavior from strangers by force.
Same could be said about laws. Goes to show that we don't have it solved it, at all. Every single system that we have has active bad actors in it, with no chance for us to catch them, by any means that we have, technological or not.
To add to this even more, it's not even a people problem, it's an animal problem - some of them also give out fake signals, in order to gain something.
I agree on a theoretical level, like, if it's my general purpose computer, then everything that runs on it should also answer to me, not other parties. This applies to anti-cheat, and also to DRM and other concepts like Trusted Computing and Secure Boot even, to a degree.
I don't see how one could prevent cheating, if one allows a software abstraction layer between the game, and the user. If a software is allowed to manipulate another software, then that other software cannot have proof that it's not being manipulated. On one hand, this is the beauty of computing, but on a practical level, this makes cheating in online games very easy and undetectable. So, because I like playing online, I made the compromise that somehow this level of intrusion is okay.
Microsoft should blacklist these binaries, and revoke developer certificate.
For the paranoid, dual-booting to a games-only OS image would be a reasonable choice.
Wallhacks can be mitigated but can't be shut down completely. Valorant for example limits the information provided to clients based on pre-generated tile maps (for example, players in a tile won't have information about enemies on the other side of the map but will have information on the enemies on the adjacent tile within reasonable LoS) but wallhacks still exist because the LoS check has to be overly generous to account for ping and such
I don't follow. How does the game being server-authoritative stop clients from running software that automatically aims at people's heads?
This comment screams: I lack understanding and am overconfident because of it.
Ignoring games where all state is known to all parties (e.g. chess, racing, etc...), the fact of the matter is that servers are basically always authoritative... where they can be.
MOBAs, MMOs, RTSs, FPSs, Casino, etc... will all hide information not required to run the game on each client on the server to prevent cheaters from getting an advantage.
Turn based games or games with low tick rates (MMOs, MOBAs, RTSs) will run all player commands on the server with things that require immediate feedback (UI actions, current player position, animation triggers) smeared out to sync with the server's state and tweened to match the server state.
Fast paced games like racing sims will do client side determination with server side validation (to ensure that a player's speed never exceeds a certain value, turn speed/friction is inside a certain range, etc...).
FPS games are the trickiest:
- They can't do server side kill determination because the game requires a certain level of responsiveness that is faster than internet signals over fiber can allow for. So they use client-side kill determination that runs in real time with server side validation that runs when a server receives events from clients before passing those events to other players. For example: checking that a player didn't shoot another player through a wall, checking that another player wasn't moving too fast / through a wall / flying through the sky / etc...
- Components that require randomness are split into what requires syncing between client/server and what doesn't. Things like particle systems, ragdolls, etc... are handled entirely on the client. Things like random rolls in stores are handled entirely on the server. Things like physics systems, and recoil are handled by seeded PRNGs that are run on the client for instant feedback and validated on the server side using that seed.
- Depending on the type of FPS game, a client may need to see the positions of all (or a substantial amount) of the other player's characters. This is because a player may suddenly whip around the corner of a door and the client now seeing a new large area needs to be able to display the other characters in that area accurately without the characters only rendering by the time the server can inform the client of their position. This is mitigated by level design that can split a level into multiple chunks and the server only relaying the required info for the visible chunks. With extremely large levels where the groups of players are too far away to interact, the server can be sharded across multiple threads or offloaded to other servers. For types of FPS games that are built in a way that requires the server to not hold as much information hidden (e.g. an open arena level where everyone can see each-other anyway), the clients include replay systems where the players can report suspicious behavior.
- Really tricky things like vehicle physics are usually done with a mix of client side determination, server side validation + redetermination, and careful client side state tweening.
The fact of the matter is that cheaters are only a problem in:
1. A handful of games where the developers didn't do the right thing
2. Games where the only way they could ever be completely cheat-free would be on a physically impossible 0 latency network and instead they have to rely on mitigation instead of prevention where certain information can't be prevented from being available to clients.
----------------------------------------
Addendum: There is the possibility of hosting and processing hidden information client-side while keeping it hidden where needed by using homomorphic encryption but that requ...
Got any recommendations I can read? Watch? Listen to? Self teaching myself at the moment and looking for more info on topics like this.
Any tutorials with a tool that lets you simulate latency and packet loss will help you a lot.
Starting off with turn based games is going to help you a ton.
After you've got a handle on that it's worth looking into videos that are more specific to what you need, like fps, rts, etc... and the techniques that each kind of game uses. You'll also get an idea of how online cheating works because you'll be able to see what information each machine can read and set.
It doesn't appear to have. https://steamcharts.com/app/730#All
2. It doesn't even work!
So at each step, you weigh how much the cost is for the mitigation (in terms of upfront and ongoing dev costs, and player problems), and the benefit (in terms of how much higher you make the barrier).
For example, conceptually, you could sell a dedicated machine that requires gov't ID and credit card linked to your account to purchase and melts down if you ever are detected tampering with it, requires a mic and camera on 24/7 to make sure you're not tampering with it once purchased, dies if it loses internet ever once turned on, etc etc, but then nobody is going to buy it because you have made the cost in terms of disruption to players too high for anyone to bother.
I'm not sure you can usefully solve it other than trying to keep the barrier for entry higher than a lot of people will bother, and possibly making the barrier much higher for something like ranked play, b/c otherwise, if you do things like if you ever close their DRM after boot, you need to reboot to play the game, you're going to cannibalize your player base, because it's too much of a pain in the ass, and they will (correctly) blame you for this.
Nearly every competitive game game is going to be utilizing some form of anticheat like this, so single player games tend to not have this issue (drm is a separate conversation)
What's frustrating to me is that games will run the hyper invasive kernel level version of an anti cheat on Windows but will allow Linux plays, which has no such level of access. If we're trusting Linux players with no kernel level monitoring, why not windows players? Have cheater really not caught on that there's a lower bar on that platform? I hope they don't because I like being able to play competitive games with friends without having to reboot first.
I believe Valorant and Roblox have had devs/employees state that supporting Linux isn't worth it for the small proportion of the player base vs the increased cheat risk as well, although feel free to take that with a grain of salt
I suggest compartmentalization for games, for example a dedicated gaming machine. That way, anti-cheat doesn't have much to take over. You can connect it to guest wifi, so that it doesn't see the LAN either.
How can you reliably ensure someone's machine is not running a cheat without having access to what it's running?
Anti cheat is not easy and just the perception of cheaters will nuke pvp games. But personally I want better anti cheat, the only question is at what cost?
I have been gaming my whole life and I miss the "old" days of having community run server as being the default.
You would go online one day pick a server and play on it in the mode you want (For context: I am talking about Counter Strike:Source). Over time you would get into talking with the regulars on the server and you form some bonds. And if someone does something the majority does not like the can be vote kicked/banned. We took care of cheaters/flamers/grievers that way. An admin on the server can still revoke the ban if the banned person explains why it was unjustified.
No it wasnt streamlined, and it was sometimes unfair, and establishing global leaderboards were difficult (see ESL company).
But you had community involvment and soooooo much content (game mods and skins; all for free btw.) and it felt good to be part of it.
The lack of communities is why it seems unlikely. I remember several times successfully making my case and being unbanned!
Usually some friend of the admins was given power, they abused it, then you could go on a forum they hosted/make your case. People would chime in and so on
Children managed to "work from home" decades before the industry did
It wasn't a hassle, it was the point. Curate a community worth spending time in/with
Being denied served a function too. You learned about a community you don't want to be part of!
These companies are so greed driven, that they lobby to make cheating a federal offence and for private police raids and private house searches, instead of making a healthy community based on previous experience. As has, disturbingly, already happened in Australia (https://torrentfreak.com/images/gtaorders-1.pdf)
I think this is terribly myopic. Gaming and game modding/development resulted from it hugely contributed to general purpose computing in general, possibly more than any other activity. And it was only possible with games running on a general-purpose platform, not a gaming appliance.
But it has been estimated that the illegal market of cheats is worth about 100 million.
Many cheaters don't even intend on playing against legitimate players, looking for so called "hack vs hack" games.
At some point CS2 didn't really act on cheaters for a while and it got really ugly.
Anti-Cheats do work, there will always be ways around it but as long as these alternative paths are inconvenient enough to prevent a consumer from buying the cheat then it works.
Without Anti-Cheat modern competitive games are unplayable.
It's a much higher price than I'm willing to pay.