72 comments

[ 1.5 ms ] story [ 140 ms ] thread
And that is why a person should always run steam-likes in sandboxie or similar software.
I'm not sure if that would work. Steam installs a sudo-like system service, so it can update games in Program Files without nagging the user to elevate to admin. Depending how it's launched it might sneak past the scope of Sandboxie.
It will, most anti-cheat software operate as a device driver so they have access to the WDK libraries.

Valve isn't even the worst offender, some other anti-cheat will not allow you to run ANY virtualization software while the anti-cheat is active.

Nope. Sandboxie protects you from write operations, not from read or scanning.
Nope. Sandboxie protects you from write operations, not from read or scanning.
Way to make a mountain out of a molehill.

Oh, wait, it's Peter Bright, nothing to see here. Move along.

(comment deleted)
The funny thing about this whole ordeal is that never was it mentioned that the code sends these data anywhere.
In the original reddit post linked to it was alleged that VAC sent the entries to Valve.
Gabe Newell himself gave a nice explanation in a related Reddit thread: http://www.reddit.com/r/gaming/comments/1y70ej/valve_vac_and...
"This specific VAC test for this specific round of cheats was effective for 13 days, which is fairly typical. It is now no longer active as the cheat providers have worked around it by manipulating the DNS cache of their customers' client machines."

Spooky

Wow, not because you know, privacy is important. Becase it is no longer effective
It's tested locally, Vavle doesn't get the DNS queries.
Right. Gabe isn't admitting to wrongdoing here, since Valve feels that the particular check was limited enough to be a reasonable countermeasure.

According to Gabe, this module was not aimed at scraping anyone's web usage or browsing history (not even for game cheat sites), but just to detect whether a machine was likely to be automatically dialing a hack's DRM server, and then sending hashed copies of those, and only those, entries to Valve to flag as a potential cheat. I can imagine that a lot of the gaming community would consider that reasonable behaviour, if it was effective at cutting down on cheats.

Whether Valve is telling the truth, I don't know. I suspect so (Gabe seems smart enough not to try lying to the internet, though, so any deception is likely to be that of omission). Whether this is right or wrong is a matter between you and your shaman/vicar/rabbi/mullah/conscience/etc.

> dialing a hack's DRM server

Huh, I didn't realize that nowadays cheat mods charged money and protected themselves with DRM. When I used to dabble in such online games, the cheats/trainers/etc. typically came from the same groups that cracked games' DRM, rather than themselves having DRM.

Are there cracking groups that strip DRM from DRM-using cheats?

Corporate interest ruin everything, even cheats.
VAC checked for the presence of these cheats. If they were detected VAC then checked to see which cheat DRM server was being contacted. This second check was done by looking for a partial match to those (non-web) cheat DRM servers in the DNS cache. If found, then hashes of the matching DNS entries were sent to the VAC servers.

Sounds like first the cheat process needed to be detected on your system, then the DNS cache would be checked.

On the surface it sounded like a privacy issue but with these extra details I am having trouble seeing an issue.

the problem is that their behaviour is not transparent, it's really similar to the censorship some country used against 'bad websites' which in the end was used for a lot of other purposes.
It's non transparent for the same reason that not all security features in cash are public.

If they would tell everything they do it would be way easier to circumvent them. Sure everything will be reverse-engineered eventually but it's a continuous process. They add new ways to detect the cheats and the bad guys try to circumvent them faster than Valve is able to add new features.

Anti-cheat systems are something I feel are a necessary evil. They're opaque, proprietary black boxes, but I'll accept them for the sake of myself and others having a more enjoyable gaming experience.

> Cheat versus trust is an ongoing cat-and- mouse game. New cheats are created all the time, detected, banned, and tweaked. This specific VAC test for this specific round of cheats was effective for 13 days, which is fairly typical. It is now no longer active as the cheat providers have worked around it by manipulating the DNS cache of their customers' client machines.

Damn.

I get news of hacks irregularly from Reddit's CounterStrike community and I have to say, its a losing fight for systems like VAC that try their best to adhere to user rights of privacy. Certain hacks essentially hook themselves into your PC at the kernel level and are nigh indistinguishable through scans of any type. Anti-cheat are left with a set of heuristics that try to identify a hack based on behaviors that are easily manipulated and faked. VAC in particular is pretty rigorous in that they attempt for 0 false positives and have done pretty well overall.

Some of the more recent anti-hack work involves recognizing pattern of commands sent from the client to detect when inhumane actions occur such as impossibly fast reactions or aim adjustments. The way I see it, hopefully this style of anti-cheat, although reactive, will prevent any hack from being useful as the advantage of using it is immediately taken away. Things like trigger hacks and wall hacks are still not yet detectable through these means but its a step in the right direction.

In minecraft some servers send fake blocks to the client until they are close enough and visible. That prevents hacker for looking for specific types of valuable blocks like chests and diamonds using x-rays. The drawback is that if the server doesn't send the updates fast enough you might think you've hit a diamond block until you get the update.
I still play CS:S online on and off. The last resort is the server admin. If you play on a server with active admins they can take care of obvious cases. The game is cheap but it isn't free so even if someone has multiple account you'll get them all eventually.
in case anyone is interested, one of the dominant cheat providers seems to be this:

http://www.deadc0deshop.net/

a cat and mouse game, but interesting nonetheless

One of the most robust cheats is Organner[1], which is notable for running entirely in ring0 instead of using a ring0 protector for a ring3 hack.

It costs $40 a month, and people seem to be happy to pay that.

[1] http://www.organner.pl

No wonder the "free to play" market is growing so quickly, if people are genuinely that willing to pay to win (or in most cases I suspect, just to lose a bit less).
maybe? i know in starcraft 2 there were several very good players who used cheats to claw their way to the very top of the ladder. but it's true that the vast majority of cheaters aren't very good. it just creates grief for most people who have to deal with it.
note that visiting this website will just add your steam account to the vac watch list ;)
valve isn't the FBI
What will we do when hackers set up a camera and a robot with rubber fingers to cheat in games? Reminds me of the story of Thomas Peterffy the 'father of high speed trading':

"It wasn't until 1987 that Peterffy was able to take people out of the loop entirely. With the world's first electronic stock exchange, the NASDAQ terminal, traders could type in orders directly into a computer.

Peterffy didn't want to type in the orders. He and his engineers hacked into the NASDAQ terminal and wired it up to their own computer, which traded automatically based on algorithms.

A senior NASDAQ official saw Peterffy's setup and said Peterffy was breaking the rules: All orders had to be entered through the keyboard. He gave Petterfy's group one week to fix the problem.

Peterffy and his engineers came up with a solution. They built a robot with rubber fingers that typed entries into the keyboard. It satisfied the NASDAQ rules. And on active trading days, the robot typed so fast it sounded like a machine gun."

That's an interesting story, but not how these cheats operate. Most cheats either allow access to abilities that cannot be performed via normal keyboard input (flying, moving through walls, item duplication, instant LOS kills) or grant the cheater information not available to a normal player (wallhacks, maphacks).

That said, it's fun to try to think of ways in which a robot reaching over your shoulder could somehow give you an unfair advantage... perfectly-timed bunny jumps, perhaps.

I think you're missing the big way - aimbots. You'd have to do some nice low latency computer vision to detect enemies, but it could theoretically be just as effective as a regular aimbot.
Regular aimbots use nonvisible information.
System like this are walking a very thin line.

> cheat software has its own DRM systems so that the developers can ensure that people pay for their cheats. If the VAC module detects certain cheats, it then checks to see if the system has performed lookups for the relevant cheat DRM servers.

The program could also hijacked the users bank session in order to check if any payment has been made. This would have the same result on a technical basis as digging through users DNS history to see if the client has contacted a cheating tools DRM server.

Is there any technical line that anti-cheat systems can't cross? I do like the gaming experience anti-cheat systems create, but at the same time, I would like that the OS prevented any program from accessing the DNS cache without my expressed and informed consent.

> I would like that the OS prevented any program from accessing the DNS cache without my expressed and informed consent

Not technically feasible. Even if the OS didn't allow direct access to the DNS cache, a program could very easily infer if a result was cached based on the query response speed.

Plus anti-cheat typically runs as an administrator or root.

> Is there any technical line that anti-cheat systems can't cross?

Illegality for one. Stealing someone's banking session and monitoring their payments is almost certainly illegal, pulling up the DNS cache and seeing if they requested the IP for a choice domain is not.

Is pulling up ones bank history and see if they include a choice transaction different from pulling up ones DNS history?

If the intention is the same (preventing cheating), I don't know if a judge would rule different based on the technology used. Both techniques steals computer resources (CPU, memory and disk usages), and both steals private information in order to achieve their goal. Would you be sure that knowingly use a computer service (the dns cache) without authorization is legal? Or for that matter, is computer trespass illegal in general if done for the explicit purpose of anti-cheating? The law as described require "intent to commit or attempt to commit or further the commission of any felony".

https://en.wikipedia.org/wiki/Computer_trespass

> steals computer resources (CPU, memory and disk usages)

No.

Cheating in MMO games is always a battle. I actually worked on a system for a game company I worked for. It had only a single cheat provider and I found a way to detect people using the cheat without being detected in turn. This is probably one of the hardest type of coding to do, you are blind as to what the cheat provider might do in the future, and they have to be really clever to hide what they are doing. This isn't DRM, this is making a game fair to all the players. Some players don't want to play the game fair and want to cheat, which never made sense to me as how is that fun. It's like robbing banks for money, why work like all the suckers who put their money in the bank? But if you work you want your money safe.

I do admit it was a lot of fun and incredibly difficult coding to do, the cheat provider programmer was very clever. No clue if it still works today since I left a while ago. It was like military defense vs offense; each side keeps upping the ante and you have to respond.

Oh and it was for Windows and custom code but not this.

>Cheating in MMO games is always a battle

Cheating in MMOGs isn't much of a battle. Do everything on the server: problem solved. Consider UO did this correctly in 1997 and yet games like WoW came out much later and still did it wrong (let the client choose its x,y,z position and tell the server, rather than asking the server "is it legal for me to move to x,y,z?").

It is faster paced games where you can't do everything server side that are the problem, first person shooters being the prime example.

WoW has a demanding enough latency requirement. Same with DotA 2. Not to mention the server resources used.
>WoW has a demanding enough latency requirement

And yet ultima online proved that excuse was bogus before WoW ever existed.

> It is faster paced games where you can't do everything server side that are the problem, first person shooters being the prime example.

First person shooters can be (and I believe usually are) done server side. Official movement, firing, health, and overall physics is handled 100% on the server. To smooth things out though, the client interpolates its view of the world.

For example lets say you fire your gun at a person right in front of you. The server would have final say of whether you actually hit the target. Rather than waiting for a round trip to the server, your client may choose to immediately show some blood/shrapnel effects to give you the illusion that you hit them. If you actually did, the server will handle the health deduction. If not, you probably wouldn't even notice.

Right and wrong.

Movement and such can be done server-side, mainly.

But visibility pretty much has to be done client-side. Which means that people can hack the client to see through walls. You can do culling server-side to an extent, but not entirely - because otherwise someone with a high latency coming around a corner will have no chance against someone with low latency on the other side.

Also, servers pretty much have to (well, not really. But otherwise games become unplayable to those with higher latencies, as where you see other players is not where you need to fire to hit them) allow you to hit someone that was, according to your client game tick, in target when you fired. Which means that the client has to tell the server what game "tick" the client fired on. Which allows for cheating if the client deliberately tells the server that it fired/started to move on an earlier tick than it actually did.

First person shooters are split, part server and part client. For example, an enemy comes in range of you, your cheat automatically triggers a "shoot at the precise direction of their head" command to be send to the server. The server does not check if you were actually facing that direction, it does not check if you actually turned to face them in a manner that a human could. So things like aimbots are common where you literally click "next target" and it cycles through all the enemies heads. There is really no way to prevent this kind of cheating. Slower paced RPG style games where you just send "attack target with ability X" can be handled entirely server side. As we start seeing more fast paced action style MMOGs and fewer "computer reproduction of pen+paper+dice" style MMOGs the line gets blurred and more impossible to deal with cheats become problems.
But, but, you just said how to prevent it! "Check if you actually turned to face them..." would work just fine?
If you just check that they did face the right way, then cheating is still trivial. Just instantly turn and fire instead of just firing (this is what aimbots actually do anyways). The problem is you can't have the client send all 1000 "the mouse position changed" events to the server and have it approve them to ensure that you actually moved the mouse rather than just instantly changing to pointing straight at the enemy's head.
Maybe stats on the behavior would work. You can tell who's typing on a keyboard by running stats on the inter-key delays etc. Probably stats on commands to the server (turn, fire delay etc) would identify bots pretty well.
You can't validate each mouse click before updating the client's view, but you can do the same aim validation as you do movement validation to prevent teleportation or excessive movement. Basicly, validating 1,000 motions a second is no problem it's latency that's the issue. So now you can still cheat but your limited to human reaction times or the server can detect and boot you.
The F2P game "Path of Exile" (similar to Diablo) does everything on the server and it causes so many problems that you need to avoid certain character skills that are more prone to causing desync issues between server and client. They even include a chat command that will sync you with the server which most people have macro'd to a key on their keyboard or mouse it's so prevalent.
>The F2P game

You've already explained a big chunk of the issue right there. There are many poorly written games. PoE is one of them. That doesn't mean you can't write a similar game well.

> asking the server "is it legal for me to move to x,y,z?"

These questions are not always straightforward. Why can't you do this in a shooter? Because any mouse position on the screen is valid. How do you know if the user physically moved the mouse or it was some other software that moved the mouse cursor?

How do you know the user genuinely decided to aim at a random enemy, instead of relying on an on-screen display of player information that is not normally available?

You can't do everything on the server side. If you could, it wouldn't be an interactive game.

You might want to re-read my post. I specifically pointed out that shooters are the standard example of where you can't do everything server side, where as traditional MMOGs you can.
I know, I was just building on your example of why it's difficult for shooters. And it's also difficult for many other games for similar reasons.

Being able to directly set your position in an MMO is not the only way to cheat. Some MMOs have rules against plugins and helper tools. Those are also cheats. You can hack the client and display more in the minimap, or show you exactly how much HP some monster has, run a bot to control your character, etc.

Doing everything on the server only prevents god-mode types of cheats. You can also cheat with extra information, computer assistance, etc.

UO was horribly broken in 1997. There was a program "UO Extreme" which let you fast walk, because the server didn't check. You could dye items glitched out colors, because the server didn't check that you chose a valid color from the dialog. You could reveal hidden people, because the server just tagged them with a "hidden" flag, instead of not sending their location at all.
>There was a program "UO Extreme"

Yeah, I know the guy who wrote it.

>which let you fast walk

No, it let you work around having a high latency dialup connection. All it did was watch for outgoing movement request packets and respond to them with OKs. The server was still checking though. So if you tried to move somewhere you couldn't, your client would see the OK from UOE, then later see the "nope" from the server and you would rebound back to where you were, and you would often get your client's idea of your position desynced from the servers, which was the one that actually mattered.

>You could dye items glitched out colors, because the server didn't check that you chose a valid color from the dialog

Yes, there were many bugs. Large and complex software has bugs. That bug was fixed. Which demonstrates exactly my point, that you can in fact do everything server side.

>You could reveal hidden people, because the server just tagged them with a "hidden" flag, instead of not sending their location at all.

Which packet sets the "hidden" flag again? http://necrotoolz.sourceforge.net/kairpacketguide/

They fixed the hidden flag problem by just not sending the character; you used to be able to talk while hidden, and later talking would reveal you, because there wasn't a hidden mob to tie the text to.

If I remember right there were actually two stages of the run hack in UO; in the first it was an advantage when the server itself was laggy and not just the client, later it was only an advantage for working around laggy connections and had severe rubberbanding and desyncing.

And no, this can never be worked around solely on the server without resorting to something like OnLive. Another thing I didn't mention about UOE was it could make it always be daytime--how are you going to work around that on the server?

As for which packet: http://necrotoolz.sourceforge.net/kairpacketguide/packet78.h...

which links to: http://necrotoolz.sourceforge.net/kairpacketguide/CS/mobiles...

Which has the status "hidden"

Am I the only one OK with "cheating"?

The line between what is "tool assisted", "bot" etc. is entirely artificial, just like "no drugs" is artificial and awkward to deal with in sports. If you're spending $1000 on a fancy computer mouse with special buttons, I don't see why that's much different than if I code myself a smarter mouse driver that autosnaps to enemy faces.

The intellectual exercise of botting is fantastic anyway, and I'd rather see my gamer friends doing that than playing the games vanilla ;)

Online games require a gentleman's agreement about what is OK behaviour. Individual communities should be hosting their own game server instance and allowing people in that follow their friendly rules.

The idea that I'm "not allowed" to "bot" a game is offensive to me in the way that "no reverse engineering" clauses in license agreements are offensive. I do love playing games, and don't normally bot anything (except netcraft this one time.. o_O), I concede there's a conflict here, but I err on the side of my personal liberty rather than convenience of playing games. I wish others would do the same...

I don't have a problem with "cheating" in the sense you described it, but I want to know if I'm playing against people who are using it, and I appreciate the option to not play with those folks. When I sit down to TF2, I'm not looking to compete with the best reverse engineers, or the folks who throw the most money at their games (in the case of Valve mentioning buying hacks) - in fact, I'm not looking to compete at all. I just want to relax and have fun playing the game, and I can't if I'm being hacked to death.
You have always been able to host Valve game servers with VAC disabled. If you want to play a game of "who has the variables on their hack set higher" without getting banned then knock yourself out.
I'm not sure how many games have done this, but the concept of the "cheater's island" came up somewhat recently -- I want to say Max Payne 3 did this first, but I'm not sure.

Basically, players who have been detected as cheaters only end up with other players who cheat. The problem is once you're on the island, you're probably not getting out.

I personally favor this solution over the outright banning of players.

This is similar to the practice of "hellbanning" but I think it is a more friendly solution. Valve's VAC system is similar because VAC-banned players are still able to play on non-VAC servers (with other cheaters and pirates.)
You're crazy. Fancy mice don't improve your performance in any notable way. And the 'agreement about what is OK' is how it already works. Nobody says you're 'not allowed' to cheat, you just won't be allowed on certain servers while doing so.
My reddit reply to GabeN got hellbanned... I want to see more data from more sources on where the check is done.

Comment:"So you are saying that the tests people had done by bloating DNS and watching traffic that noticed a correlation are wrong, and only hashes that meet a list sent to the client are checked and sent back to Valve? Why would the data sent back to Valve increase on systems without cheats when nothing other than loading many DNS entries is different? Where is the check done?..."

Does it happen on the Linux version as well? Would running it in a LXC container mitigate that problem?