We outsmarted CSGO cheaters with IdentityLogger

(mobeigi.com)

337 points | by mobeigi a day ago

311 comments

  • DanielHB 3 hours ago

    I want to share a story in a somewhat related topic:

    anti web-scraping techniques

    The most devious version I have ever seen of this, I was baffled, astonished and completely helpless:

    This website I was trying to scrape generated a new font (as in a .woff file) on every request, the font had the position of the letters randomly moved around (for example, the 'J' would be in place of the 'F' character in the .woff and so on) and the text produced by the website would be encoded to match that specific font.

    So every time you loaded the website you got a completely different font with a completely different text, but for the user the text would look fine because the font mapped it to the original characters. If you tried to copy-and-paste the text from the website you would get some random garbled text.

    The only way I could think of to scrape that would have been to OCR the .woff font files, but OCR could easily prevent mass-scraping due to sheer processing costs.

    • wildpeaks 2 hours ago

      A downside is it makes the site unusable for screen readers and SEO, plus it adds backend costs (compared to a plain backend that serves static files) if it's generated dynamically, although one can pre-generate a bunch of variants and randomly pick one at runtime (which could be handled by the load balancer) to minimize the costs.

      • ksp-atlas 31 minutes ago

        Yeah, my immediate thought was this would be bad for screen readers, plus OCR could easily defeat this

    • flerchin 2 hours ago

      LOL the replies are hilarious. You've sniped several nerds today. Neat story.

      • DanielHB 2 hours ago

        I know right? I just scraped another website instead.

        I am actually surprised no one went: "actually that technique is called 'chicken ostrich sandwich' and was first employed in Babylon in 2000BC"

        • viciousvoxel 7 minutes ago

          Actually that technique is called a "Caesar cipher" and it has been employed since at least the 1st c. BCE.

    • sebstefan 2 hours ago

      If it's just swapping letters then rather than trying to dive into the WOFF you could just get the garbled data and treat it as a Caesar cipher, I guess. A few dozen rotations and you're through.

      It's kind of annoying and prone to break but I'd rather have that than whatever Facebook is doing where every class name, ID & identifiable tags in the markup gets randomly generated every once in a while

      • wbl an hour ago

        Could be an arbitrary permutation or worse have multiple equivalent characters. Fonts can do a lot.

    • teraflop 3 hours ago

      That seems like it ought to be straightforward to defeat without OCR. If you know that a particular glyph looks like the letter J, then you just need to parse the WOFF file, find that glyph's data, and find the character that maps to it. It's definitely annoying enough to deter a casual scraper, but there's nothing conceptually difficult about it.

      You do need to determine the "correct" character code for each glyph, but there are lots of ways to do that, on a spectrum from manual to automated. And you only need to do it once.

    • DaiPlusPlus 3 hours ago

      > easily prevent mass-scraping due to sheer processing costs.

      my 2018 iPad Pro does OCR on images in Safari instantly. People only think OCR is slow because Adobe Acrobat still uses the same single-threaded OCR algo it’s had for decades now; then consider how blazing a GPU-based impl would be…

      • DanielHB 2 hours ago

        I dunno, I never measured it. If you are scraping billions of small social media posts I would expect it to add up and make it unviable.

      • jakjak123 an hour ago

        It pre processes your photo library while charging

        • ChadNauseam an hour ago

          The GP mentioned it working for pictures viewed in safari

    • voldacar an hour ago

      So it's a Caesar cipher, which is trivial to break. You don't need OCR or any computationally intensive solution.

      • NoMoreNicksLeft an hour ago

        You need OCR unless you're going to personally sit there and break it by hand so you can feed the tr/// translation yourself every time you need to scrape. And it's a bit more tedious than the puzzles we did as kids, likely the punctuation and lowercase/uppercase were mixed into the slop.

        • connicpu an hour ago

          If there's a part that doesn't change, eg a footer or something, you can get a head start and have it figure out the rest by deduction with a spellchecker

          • NoMoreNicksLeft an hour ago

            You might manage to cobble together frequency analysis too, but that would be challenging. If the ciphertext is very small, or is marketspeak without any sense to its message, then that's going to fall flat. And all this assumes just ascii rather than say a (even limited) unicode font. These assholes could be doing that just to have curly quotes or whatever.

  • snarfy 21 hours ago

    For UT2004, you can ban by player GUID (a hash of the CD key) or IP. With the game abandoned by Epic, a number of key generators have cropped up, which makes GUID bans useless. IP bans only go so far with VPNs costing $2 these days.

    The main solutions we have today are IP ban + VPN blocking using a database of known VPN subnets and adding them all to the firewall, and a similar fingerprinting technique which scans their folder structure of certain system folders.

    • johnisgood 18 hours ago

      > IP bans only go so far with VPNs costing $2 these days.

      https://redman.xyz/doku.php/schachtmeister2 was made specifically against people using VPNs.

      It was made for Tremulous (ioquake3 fork) where people kept evading IP bans, but it can be used for any other games.

      It is not my project, but I know the author, and I could personally fork it and make it suitable for specific (or any) games if there is demand for it.

      You may also use heuristics, too, in schachtmeister2:

        whois   -10     "Hosting"
        whois   -10     "hosting"
        whois   -7      "Server"
        whois   -4      "server"
        whois   -10     "VPS"
        whois   -13     "VPN"
        whois   -3      "Private Network"
        whois   +7      "residential"
        whois   +7      "Residential"
        whois   -20     "Dedicated Server"
      
      Edit: I noticed that the git repository returns 502, contacted the maintainer.
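
How weighted WHOIS keyword rules like the ones quoted in this comment can be evaluated, as an added example that is not schachtmeister2's code: summing the weight of every matching case-sensitive substring and treating a negative total as "hosting" are assumptions, and the two WHOIS records are constructed.

```python
import shlex

# Rule lines copied from the comment above: whois <weight> "<keyword>"
RULES_TEXT = '''
whois   -10     "Hosting"
whois   -10     "hosting"
whois   -7      "Server"
whois   -4      "server"
whois   -10     "VPS"
whois   -13     "VPN"
whois   -3      "Private Network"
whois   +7      "residential"
whois   +7      "Residential"
whois   -20     "Dedicated Server"
'''


def parse_rules(text):
    """Parse rule lines into (weight, keyword) pairs; quoted keywords may contain spaces."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = shlex.split(line)
        if len(fields) != 3 or fields[0] != "whois":
            raise ValueError(f'line {lineno}: expected: whois <weight> "<keyword>"')
        rules.append((int(fields[1]), fields[2]))
    return rules


def score_whois(whois_text, rules):
    """Return (total, hits). Assumption: each rule counts once per record and
    matching is a case-sensitive substring test, which is why the rule list
    carries both "Hosting" and "hosting"."""
    total = 0
    hits = []
    for weight, keyword in rules:
        if keyword in whois_text:
            total += weight
            hits.append((keyword, weight))
    return total, hits


def looks_like_hosting(whois_text, rules, threshold=0):
    """Assumed decision rule: a total below the threshold means datacenter/VPN space."""
    total, _ = score_whois(whois_text, rules)
    return total < threshold


RULES = parse_rules(RULES_TEXT)

# Constructed WHOIS records (not real allocations).
DATACENTER_WHOIS = """
NetName:  EXAMPLE-DC-NET
OrgName:  Example Hosting Ltd
descr:    Dedicated Server and VPS range
remarks:  abuse reports to abuse@example.net
"""

RESIDENTIAL_WHOIS = """
NetName:  EXAMPLE-DSL-POOL
OrgName:  Example Telecom
descr:    Dynamic residential broadband pool
"""

if __name__ == "__main__":
    for name, record in (("datacenter", DATACENTER_WHOIS),
                         ("residential", RESIDENTIAL_WHOIS)):
        total, hits = score_whois(record, RULES)
        # "Dedicated Server" also contains "Server", so both rules fire.
        print(name, total, hits, "block" if total < 0 else "allow")
```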

      • lloeki 10 hours ago

        > IP bans only go so far with VPNs

        Even without this IP bans only go so far as they're both easily swapped (VPN offers, or rent a VPS to forward traffic, or even by design with an ISP handing out dynamic IPs on router reboot) AND overreaching:

        - NAT: ban household / campus

        - CGNAT: ban whole neighbourhood

        - IPv6: ban whole /64 => whole household (because of SLAAC + random privacy addresses)
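
The trade-off listed in this comment, as an added example that is not from the thread: a ban list that keeps IPv4 bans per address, widens IPv6 bans to the /64, checks a list of known VPN subnets, and reports who else a ban would catch. The class and method names are hypothetical, and all addresses and sessions are constructed from documentation ranges.

```python
import ipaddress


class BanList:
    def __init__(self, vpn_subnets=(), v6_prefix=64):
        self.v6_prefix = v6_prefix
        self.banned = set()
        self.vpn_subnets = [ipaddress.ip_network(s) for s in vpn_subnets]

    @staticmethod
    def _normalize(addr):
        """Parse an address; unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) to plain IPv4."""
        ip = ipaddress.ip_address(addr)
        if ip.version == 6 and ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped
        return ip

    def _key(self, ip):
        """Ban key: the single address for IPv4, the enclosing prefix for IPv6."""
        prefix = 32 if ip.version == 4 else self.v6_prefix
        return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)

    def ban(self, addr):
        key = self._key(self._normalize(addr))
        self.banned.add(key)
        return key

    def check(self, addr):
        ip = self._normalize(addr)
        if self._key(ip) in self.banned:
            return "banned"
        if any(ip in net for net in self.vpn_subnets if net.version == ip.version):
            return "vpn"
        return "ok"

    def collateral(self, sessions, target):
        """Other players whose address shares a ban key with any address of
        `target`: the household/campus/CGNAT over-reach described above."""
        keys = {self._key(self._normalize(a)) for p, a in sessions if p == target}
        return sorted({p for p, a in sessions
                       if p != target and self._key(self._normalize(a)) in keys})


# Constructed connection log: (player, source address).
SESSIONS = [
    ("cheater",  "192.0.2.10"),                           # shared NAT address
    ("roommate", "192.0.2.10"),
    ("cheater",  "2001:db8:aa:1:a1b2:c3d4:e5f6:1"),       # SLAAC privacy address
    ("sibling",  "2001:db8:aa:1:1111:2222:3333:4444"),    # same /64, other device
    ("stranger", "2001:db8:bb:2::9"),
]

if __name__ == "__main__":
    wide = BanList(vpn_subnets=["203.0.113.0/24"])
    print(wide.ban("2001:db8:aa:1:a1b2:c3d4:e5f6:1"))
    # A fresh privacy address in the same /64 is still caught ...
    print(wide.check("2001:db8:aa:1:ffee:1234:5678:9abc"))
    # ... but not when bans are stored per /128.
    narrow = BanList(v6_prefix=128)
    narrow.ban("2001:db8:aa:1:a1b2:c3d4:e5f6:1")
    print(narrow.check("2001:db8:aa:1:ffee:1234:5678:9abc"))
    print(wide.check("203.0.113.50"))
    print(wide.collateral(SESSIONS, "cheater"))
```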

      • Rohansi an hour ago

        Residential VPNs are more common now with cheaters to bypass VPN blocks.

      • johnisgood 7 hours ago

        OK, https://redman.xyz/git/schachtmeister2 now works (cgit), and it can be cloned, too.

    • CSMastermind 15 hours ago

      Wait, can you help maintain UT2004? Because I love that game.

      I don't play online anymore because I get destroyed but it's still fun to pop in for a quick match against AI when I have 30 minutes to kill.

    • tomooot 9 hours ago

      On a counter-strike 1.6 server I help with moderating, we have the occasional cheater roll by, surprisingly often "ragehacking" with no attempt at subtlety (e.g. making noscope sniper headshots in mid air).

      Since the server owner insists on allowing non-steam accounts (pirated copies) to connect we can't rely on SteamID bans, similarly to GUID in Unreal. It's a bit trickier to change the spoofed ID as I assume it's buried deep in the game install somewhere obscure, but still possible. It's actually a very popular game in northern Africa, the former Baltic states and surrounding areas as well as north and west Asia: without these players the server would be a ghost town.

      Anyway, our approach is twofold carrot and stick style: Steam players get near instant reloads and immunity to some of the more "enthusiastic" automodding/kick features: so for the price of a handful of VPN keys you can get a legitimate, allowed advantage over most of the server population as well as reserved username and "VIP" tag, plus you now own the game. Seems a great way to do it, as it's available to anyone instantly for that one time fee (which goes direct to the game dev), or for free by playing at least 1 game a week for 5 weeks, then contacting the mod team on social media.

      The other side to that (the stick), is that rather than simply kick/ban the player we usually take some time to have fun annoying them, to show them they're really not welcome, and make them actively not want to come back.

      Disarming them then giving F tier weapons, a few random teleports out of bounds or stuck in the floor, repeat amx_rocket to turn them into a firework, amx_drug to max out FOV and add "drunk" effect, and ofc a bit of teasing about what a lowskill loser you must be to have fun while AI plays the game for you.

      There's also "illegal" amx plugins and commands, which are generally frowned upon and extremely abusable, but quite useful in these situations. My favorite (which most of the "illegal plugins" are based around) is amx_exec which essentially gives admins direct access to any client's in-game console, to run any command or set any setting!

      It's actually kind of terrifying that exists. For example this set of commands sets network baudrate to 1000 (that'll be fun for the cheater until they notice), changes name, wipes all keybinds, then binds the default chat key to close the game, while setting max FPS low enough to be bothersome without being obvious! There are pre-built macros that do far worse to your settings too: although easily fixable by deleting to restore defaults, would be very frustrating if you hadn't backed up your config files.

        amx_exec cheatername "rate 1000"
        amx_exec cheatername "name iCaNtAiM"
        amx_exec cheatername "unbind all"
        amx_exec cheatername "bind y quit"
        amx_exec cheatername "fps_max 50"

      On an intriguing side note: Many servers charge for VIP advantages, to the tune of up to $20/month! At first I thought this pretty shocking, until I found out that there's some kinda shady clique where to be listed in a reasonable spot on 3rd party server browsers, a hefty fee is required, and a significant proportion of this income gets spent on "boosts".

      When our server owner stopped paying for "boost" for two months, mean player count dropped from 14/32 to 3/32, and max players from a regular 28/32 on weekends, to 12/32 on a Friday night if lucky. The player count rocketed as soon as the owner started paying again... but the crazy thing is it's $180/month!

      Before getting involved with moderating, I thought running a fun, deathmatch, well moderated, low ping, high performance server dedicated to remakes/remixes of the 2nd most popular map in the game would be enough to be popular/busy. But no, apparently you have to pay extortionate fees to incumbent gatekeepers, if you want your server to be visible to the majority of the playerbase!

      • snarfy 2 hours ago

        > There's also "illegal" amx plugins and commands, which are generally frowned upon and extremely abusable, but quite useful in these situations. My favorite (which most of the "illegal plugins" are based around) is amx_exec which essentially gives admins direct access to any client's in-game console, to run any command or set any setting!

        Yes, we have something similar for UT2004, but only a handful of people are even aware it exists. It's too powerful and too easily abused. I have yet to share it, even with other admins.

        • voldacar an hour ago

          Isn't this a huge security vulnerability for the client?

          • Rohansi an hour ago

            It can be. There have been in-game commands with code execution vulnerabilities that turn into RCE because the game server can make clients run commands.

      • Skoddd 6 hours ago

        Changing steamid is easily doable on most nosteam cs 1.6 copies through a cfg file.

        I used to administrate CS 1.6 until a few years ago. I've got a question concerning amx_exec. I thought cl_filterstuffcmd basically killed any usage of admin slowhacking?

        Or is it that most nosteam CS 1.6 clients have it set to 0?

    • anticrymactic 10 hours ago

      > The main solutions we have today are IP ban + VPN blocking using a database of known VPN subnets and adding them all to the firewall, and a similar fingerprinting technique which scans their folder structure of certain system folders.

      No. VPN blocking is useless to stop malicious actors as most residential connections have DHCP and VPN subnets are added and removed somewhat frequently, it's not that hard to find an "undocumented" one. It also completely excludes anyone using a VPN for non-malicious purposes.

      Scanning files and folders is just ridiculous, not only an incredible invasion of privacy, but also trivial to work around.

      • hansvm 10 hours ago

        VPN blocking is a cheap mitigation that stops 95% of the problematic traffic without removing a meaningful number of legitimate users.

        Yes it doesn't "solve" the problem, and yes it removes some legitimate users, but it's by no means useless. Given the tradeoffs involved I'm not at all surprised it's so common.

        If you have a solution that's less invasive (e.g., some businesses can get away with not providing anything expensive till after a payment has cleared the normal fraud window, and many businesses don't have obscene levels of malicious traffic; in those cases you can just let bad traffic run rampant and ignore it till it's a problem) then that's probably better, but blocking VPNs or whole countries or whatever can be the difference between a successful business and bankruptcy.

      • jamespo 6 hours ago

        Excluding someone on VPN from playing UT2004 on a specific server is not an abuse of their human rights

        • fazeirony 5 hours ago

          where was the parent mentioning this is a violation of one's human rights exactly?

    • ghxst 21 hours ago

      This still leaves you wide open to cheaters using mobile data tethering and proxies. Have you considered more advanced network analysis? It's one of the areas I have an interest in (professionally and personally) so if you want any suggestions let me know.

      • kelnos 20 hours ago

        > This still leaves you wide open to cheaters using mobile data tethering and proxies

        Is latency going to be good enough on mobile data (especially if they're also using proxies) for a FPS, though? Sure, they're using cheating software, but I wouldn't be surprised if the software gets the information it needs to cheat too late often enough for it to be useful.

        • ghxst 20 hours ago

          Yes the latency is not nearly as bad as you might think, it's comparable to a VPN in my experience, though the quality will depend on your location and the available connections.

          Sophisticated cheats in games like CSGO (and other competitive shooters) are usually very subtle, such as displaying enemies on the mini-map when they shouldn't be visible which provides a major advantage without requiring superhuman input, and the added latency is often negligible—especially when the info can be relayed to teammates and now you essentially have the entire team cheating with only 1 player suffering from a bit of increased latency.

          And I wouldn't say this is an edge case either as in my experience the majority of cheaters I encountered are individuals that play on an alt account and offer a service to guarantee wins in ranked games.

        • eertami 6 hours ago

          It's not ideal but I lived half a year with unreliable internet and frequently played over a tethered 4G mobile connection (in Europe). Latency was around 40-50ms, which was still lower than the people playing from Eastern Europe who would play in EU West matchmaking. I imagine with 5G it could be even lower.

        • Sayrus 20 hours ago

          Assuming obvious cheat, even 100ms or 200ms latency is unbeatable by a human. Especially since the cheat doesn't need time to aim.

          Even for non-obvious use-cases, it's hard to beat the advantage provided by knowing the position of players.

          On my own hotspot, I have less than 30ms of latency.

        • jjmarr 18 hours ago

          I regularly played CSGO in Europe because the North American ranking system was screwed up.

          I got to Supreme (2nd highest rank) with 150 ms ping. The people I queued with hit Global.

          It's possible to play legitimately with very high ping. The higher ping put us at a disadvantage, but the skill gap between regions made it worth it to arbitrage.

          • Systemmanic 18 hours ago

            What was screwed up about the NA ranks?

            • xnyan 18 hours ago

              NA is (or at least was when I played) the most populated and visible regional zone, and attracts a lot of players attempting various kinds of rank manipulation. On the one hand you have smurfing, which is the practice of a relatively high skill player using an account with relatively low rank so that they can dominate lower ranked players. On the other side you have boosting, which is a relatively high skill player ranking up new accounts for later sale.

              In practice this means at lower ranks, it was not at all uncommon to be matched with players with similar rank but vastly better skills.

              • ultimafan 17 hours ago

                This was my experience too years ago when I played CSGO. The difficulty at higher ranks (up to a certain point) felt significantly easier than the lower ranks. Getting out of the silver and gold ranks (can't remember the exact names) was a hellish grind with lots of matches that ended in one sided stomps with one or two guys on the other team racking up some insane k/d. Past that was smooth sailing for a long long way.

            • jjmarr 12 hours ago

              At the time, there were no people of very high ranks. I also queued office only which didn't help.

              It's basically impossible to keep one's rank at Supreme if you only play against Gold Nova or so due to the way the rating system works.

              • runsfromfire 4 hours ago

                Yep - same story here with Nuke (the old one, but then it happened again on the new one too). Got to global and it was a ghost town save for the same 5 man we ran into every night.

      • mouse_ 20 hours ago

        The tactic 4chan uses:

        Regular IPs can post freely

        VPN or mobile IPs (blacklisted) must pay for a key ($20/year) that allows posting from blacklisted IPs. Key is good for posting from one blacklisted IP, locked for 30 minutes, so users cannot share keys. That way, you can ban the user by their key, if their IP is public.

        It's not a perfect solution but it seems to be the best they've found for such a situation so far.

        • ryandrake 18 hours ago

          I mean, in this case it's 4chan so who cares, but I hope we are not very slowly moving towards a troubling world with lower classes of IPs and upper class IPs. IPs should be IPs should be IPs, it shouldn't matter whether it comes from an ISP, a mobile network, a VPN, or anything else, and we shouldn't attach some kind of IP caste to providers or countries. I think we really need Internet-wide IP randomization, where you can't just block a /24 or a /16 because they're in some icky ghetto. Yes, I know there is abuse, but if this is the alternative, it doesn't seem worth the cost in terms of innocent people losing access.

          EDIT: Well, I guess the tribe has spoken. Pretty surprising. I think y'all are just assuming you'll always be the ones with the "good" IPs...

          • koito17 13 hours ago

            Reputation matters.

            On some Japanese BBSes, spammers tend to use non-Japanese IPs or data center IPs. A good chunk of the spam goes away by blocking non-Japan IPs (easy to do with BGP data) and disallowing data center IPs (these often host VPNs, scrapers, etc.) from posting.

            Posting from overseas thus costs money or is not possible. The trade-off is 1-100 extra users or significantly reduced spam for little effort. It's not surprising that most website operators choose the latter.

            I also know of a file uploader that recently had to block overseas IPs due to such IPs repeatedly uploading illegal content. This is an example of a few bad actors ruining things for everyone.

          • kbolino 18 hours ago

            We are already there and have been for a long time. Geoblocking is very common for low-effort DRM and abuse mitigation, common VPN providers are easy to detect by IP but generally frustrate and/or ignore abuse reporting (until serious illegal activity is committed), college and other institutional networks are often no better than VPNs in this regard, etc. The Internet hasn't been able to operate as a network of peers at least since it was opened up to the public.

            • miki123211 13 hours ago

              > until serious illegal activity is committed

              What do they do in such cases?

              Assuming they get the report after the fact and assuming their "no logging" promises are true, can they even do anything? They're not even supposed to know which customer did it, after all.

              If their promises are false, wouldn't they reveal their hand if they handed logs over willy nilly?

          • autoexec 10 hours ago

            I understand how you feel but IP blacklisting is really the only tool we have. I'd much rather deal with that than some kind of forced state level verification/ID system where even pseudonymous browsing becomes impossible.

            Blocking IP ranges by country or ISP is pretty much always going to have to exist as long as certain countries and ISPs turn a blind eye to abuse.

            Even with as poor a solution as IP blocks are, it's the best we have and alternatives seem worse.

          • throwaway2037 10 hours ago

            About your edit: I think you are overlooking the Realpolitik behind running a public forum. Admins are fighting a constant war against spammers and trolls. It doesn't sound fun to me. Yes, you are right, we now live in the era of "upper class" IPs now. A bit sad, but is there a reasonable alternative?

          • fireflash38 5 hours ago

            Ever read Pirate Cinema?

            Anyway, it's a tradeoff between dealing with bad actors effectively and not impacting common users. There's a lot more bad actors than common users running into those sorts of IP bans though.

      • ec109685 13 hours ago

        Why does mobile data tethering make it harder to ban an IP address?

        • kmeisthax 13 hours ago

          Mobile networks are all IPv6. IPv4 traffic is behind CGNAT. As a result, you can't ban individual cheaters, you have to ban the whole network.

          • ec109685 2 hours ago

            I don’t think CGNAT is particularly limited to mobile networks. If you don’t serve traffic on IPv6, more and more of it will be proxied.

    • TechDebtDevin 14 hours ago

      Who is gaming in a competitive game behind a VPN.. I suppose if it's your only option, but I don't think this would be a great playing experience.

      • takoid 13 hours ago

        Using a VPN with WireGuard can actually reduce latency if your ISP has poor routing to the game server, as a VPN with better peering or routing paths can improve your connection. It’s not always the case, but with a decent provider, you might see lower ping in certain situations.

      • afavour 14 hours ago

        > Who is gaming in a competitive game behind a VPN..

        Cheaters, which is why they’re getting banned in the first place

      • eptcyka 12 hours ago

        Lots of competitive players pay for a VPN to protect against DoS attacks.

      • plx211 7 hours ago

        When I was in the dormitory (~6-8 years ago), I used VPN (OpenVPN on my private VPS) over UDP port 53 to omit the firewall which was configured to block big parts of ports.

        • sidewndr46 3 hours ago

          Oh wow that takes me back. I remember complaining to the university that I couldn't download files via FTP. A few months later they answered me explaining file sharing protocols had no legitimate uses at a university. I was working in a research lab and needed to download standardized datasets to validate that the software worked as intended. At the time, only FTP was used.

      • hnick 13 hours ago

        Can help routing induced latency as the other comment says (or force a new route if having downstream issues with your ISP peering), and some games in the past could leak IPs especially if using a p2p model and a VPN can mitigate that (especially one that only routes traffic for the game).

        IIRC you also need one when playing from some countries, whether due to legal reasons or server restrictions.

      • dietr1ch 13 hours ago

        There's a bunch of services that can moderately reduce latency by using better paths. Specially worth it if you want to play with friends in servers farther than 1000km away.

      • OsrsNeedsf2P 11 hours ago

        My VPN is always enabled, including when I game

    • IncreasePosts 18 hours ago

      How about just a whitelist? I can't imagine there are a ton of legit ut2k4 players left?

      • snarfy 18 hours ago

        Yes, we have a whitelist ability also, but it is definitely a last resort. The game is mostly dead and difficult to discover for new players. We don't want that roadblock if we can avoid it.

        • Syntonicles 18 hours ago

          TIL people still play UT2004.

          I was going to mention how much I loved that game, until I realized I played UT99. Time sure does fly...

          • hypercube33 6 hours ago

            I still play Quake 1 and 2 online, randomly pop into Tribes 2, Counter Strike 1.5....usually the community is cliquey and toxic to outsiders but sometimes you bump into really neat people.

          • ghffjgff 17 hours ago

            Ut99 with the matrix mod was where it was at for LAN parties...

          • dylan604 16 hours ago

            Is this game online/multiplayer only? I mean, people still play Galaga and PacMan and other older classic games so why would you think someone wouldn't still play this one too?

            • Ekaros 11 hours ago

              It is not online only as we would now understand. But it is certainly only multiplayer game. Well you can play against bots, but even then it is multiplayer.

        • VTimofeenko 16 hours ago

          Do you happen to have a link for a good manual on "how does one get into the modern UT2k4 multiplayer"? I.e. must-have modlist, servers, etc.

        • matheusmoreira 10 hours ago

          Small number of players works in favor of a whitelist. People shouldn't be playing with randoms, they should be playing with friends.

          Game companies invade our privacy and destroy our computer freedom with ineffective malware tier rootkit solutions only to fail to solve the problem in the end. Their business model depends on enabling people to play with any random from anywhere in the world. They are forced to trust untrustworthy clients. The truth is people should not allow their computers to talk to strangers.

          • klausa 10 hours ago

            >People shouldn't be playing with randoms, they should be playing with trusted friends.

            People should be able to play with whomever they wish.

            • matheusmoreira 10 hours ago

              I presume "whomever they wish" means anyone who is not a cheater. In that case they need a whitelist. Because without one, every player is a potential cheater. Non-whitelist solutions don't match what I presume they want. They asked for NotCheater, server returned MaybeCheater.

              Without a whitelist, it's only a matter of time before an actual cheater joins their server and ruins their fun.

              Enumerating badness just doesn't work.

        • catlikesshrimp 15 hours ago

          Suggestion: Anybody can play against bot(s). Whitelist can interact with real players.

    • project2501a 18 hours ago

      sorry for the not-so-smart question.

      the cheats are software, software has certain quirks, like the way it aims or the way it tracks. And I'm willing to bet it has enough distinctiveness from human aiming to be classified. Couldn't a classifier work on the behavior of the cheating software itself, rather than use IP bans?

      • snarfy 18 hours ago

        It's more effort than it's worth. There are server aimbot scanners which do something like this. There are also aimbots written to thwart this type of detection, adding delays, random drift, etc. It's a cat and mouse game. We don't have a lot of players left so it's not that much of an issue.

      • cwillu 14 hours ago

        Some “aimbots” don't actually assist with the aiming, they just fire the trigger any time the user gets on target.

      • treyd 18 hours ago

        This is part of what Valve does in CS. It works pretty well but it does have false positives so it requires user intervention for confirmation of bans.

      • derefr 18 hours ago

        In order to actually catch a cheater mid-match rather than long after the match is already over, you'd need the servers that players are interacting through to have enough CPU grunt-force to do that kind of analysis "faster than realtime" — i.e. for the server's CPU to be able to run the game's physics faster than any client can, so it can run the physics with extra math in the same time it takes the clients to just run the physics.

        Which might be something you could guarantee, if the game were locked to wimpy console hardware; or if the game had minimal CPU physics such that it was effectively never running CPU-bottlenecked and there were massive gaps in frame-time where even the client CPUs are sitting idle, that a server running in lockstep could cram that kind of analysis into.

        But gaming is a race-to-the-top, hardware-wise. The CPU in a gaming rig might not have as many cores as your average server CPU, but it's almost certainly going to have higher single-core perf.

        And part of the reason for that, is that games really do try to use your whole CPU (and GPU), with AAA studios especially being factories for constant innovation in new ways to make even the minimum requirements just to run a game's physics, higher and higher every year.

        And if the server can't do "faster than realtime" analysis of the streams of inputs of the players, then by queuing theory, it'll inevitably get infinitely backlogged — the server will keep receiving new analysis work to do every timestep, and will fall further and further behind, never catching up until new work stops being generated — i.e. until the match is over. And then it'll have to probably sit there for five more minutes thinking really hard before spitting out a "hey, wait just a minute..." about any given match.

        Which is fine if there's a big central lobby server that the game is forced to connect to, and your goal is to ensure that some central statistic that that central server relies upon (e.g. match-rank ELO) gets calculated correctly, such that cheaters are prevented from climbing the leaderboards / winning their way into high-ranked play. (And that's exactly the situation the big eSports games companies are in.)

        But in the context of older games that use arbitrary hosted servers and random-pairing (or manual lobby-based match selection) — or in modern, but "dead", games, that only persist due to being modded to accept private servers — this "after-the-fact" punishment is useless, as most servers have no incentive to do this analysis, especially when cheaters can just hop around between servers. So there's nothing preventing people from being matched with cheaters, sometimes over and over again, if the cheaters can just tell their clients to roll up with a new key+IP for every match.

        ...and that's assuming there even are servers. You can forget about any of this working in a p2p context. (Think about what a Sybil attack means in the context of a federated set of individual tiny disconnected p2p networks.)

        • IPTN 17 hours ago

          You should be able to limit analysis for this type of detection to only the input leading up to a kill/hit and ignoring everything else. The majority of the time players are not shooting could be used to do the analysis with plenty of time to boot midway in a round let alone a full game.

          Also simple analysis of only the input streams as you stated really doesn't have to do with the phys rate of the game server and should be a lot cheaper computationally. It can be offloaded to another process even if it was found to be too impactful to run alongside the game server directly. Something all those extra cores might be good for.

          • Xss3 15 hours ago

            Cheats nowadays can and do

            a) run on 2nd pc passively capturing the screen and commands to a fake mouse device plugged into both machines,

            b) "humanise" the aim with ai models trained on professional players

            c) add random variances within the limits of human reaction times

            So it doesn't solve things, really it'd still be playing catchup.

            • IPTN 10 hours ago

              And I'm not refuting that. I was just pointing out a solution to a problem the GP proposed as intractable when trying to analyze player input data streams for cheating. The points you made are valid as far as the evolution of this cat and mouse game is progressing (probably still closer to the end end of can then do for now).

              That being said, the vast majority of cheats are not that sophisticated. "Simple" analysis of player input should still be used to make low effort cheats less or ineffective. Especially if used to compare consistency of mechanical play by a player. I doubt most cheaters want to just turn on a full bot that plays by itself for the whole game. You can build a model of play customized for an individual player to look for changes in mechanical skill during critical plays. Then even if that was incorporated into the cheat client so that its 'actions' can't be definitively detected against the player's baseline, it would at least be limited to cheating as that player always playing like it's their best day. Either that or the cheater would have to go fully hands off for that account which I imagine is not as appealing for most cheaters.

              Input analysis, even much simpler approaches, can still be a valuable tool to make cheating more difficult and less opportunistic. The goal would be to raise the barrier of entry to cheating without immediately getting banned beyond downloading and running a client. If people who consider cheating in a game have to: order, wait for, and set up additional hardware then acquire models trained for the latest version of the game that are also trained on pro play in a way that lets the cheating be humanly plausible to remain undetected; it will reduce the total number of people who cheat in that title. Will needing to acquire additional hardware stop all cheating? No, I had a friend as a kid that owned a GameShark that I used and ended up corrupting the save on one of my Pokemon games. But if all of that is what is required to be able to successfully and consistently cheat, it will raise both the cost of development of cheats as well as their price to cheaters.

              For top level professional play, in person tournaments on managed setups will remain the gold standard for the foreseeable future (and besides they are attractive as events for their own sake). And for the rest of us, we will continue to be trapped in the labyrinth with both the cat and the mice.
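The two ideas in IPTN's comments above (look only at the input leading up to a kill, and compare it with that player's own baseline), as an added example that is not code from the thread or from any game. The tick/view-angle layout, the 16-tick window, the threshold and all sample data are assumptions constructed for illustration.

```python
import math
from statistics import median


def ang_delta(a, b):
    """Smallest signed change from angle a to angle b, in degrees."""
    return (b - a + 180.0) % 360.0 - 180.0


def peak_turn_before(views, kill_tick, window=16):
    """Largest per-tick view change in the `window` ticks ending at a kill.

    views maps tick -> (yaw, pitch). Returns (peak, set of ticks examined).
    """
    peak, examined = 0.0, set()
    for t in range(kill_tick - window + 1, kill_tick + 1):
        if t in views and t - 1 in views:
            examined.add(t)
            dyaw = ang_delta(views[t - 1][0], views[t][0])  # survives +/-180 wrap
            dpitch = views[t][1] - views[t - 1][1]
            peak = max(peak, math.hypot(dyaw, dpitch))
    return peak, examined


def robust_z(value, history, mad_floor=0.25):
    """Distance from the player's own median, in MAD units scaled to sigma."""
    med = median(history)
    mad = max(median(abs(h - med) for h in history), mad_floor)
    return 0.6745 * (value - med) / mad


def review_match(views, kill_ticks, history, window=16, z_limit=6.0):
    """Return (flagged kills as (tick, z), fraction of the match examined)."""
    flagged, examined = [], set()
    for k in kill_ticks:
        peak, ticks = peak_turn_before(views, k, window)
        examined |= ticks
        z = robust_z(peak, history)
        if z > z_limit:
            flagged.append((k, round(z, 1)))
    return flagged, len(examined) / len(views)


# Constructed baseline: this player's peak pre-kill turn (deg/tick) in
# earlier matches.
HISTORY = [9.0, 11.5, 10.2, 12.8, 8.7, 10.9, 11.1, 9.6]


def constructed_match():
    """1000 ticks of slow drift, two ordinary flicks and one single-tick snap."""
    step = {t: 0.5 for t in range(1, 1000)}
    step.update({198: 12.0, 199: 12.0, 200: 12.0,
                 598: 10.0, 599: 10.0, 600: 10.0,
                 899: 95.0})
    yaw = 170.0
    views = {0: (yaw, 0.0)}
    for t in range(1, 1000):
        yaw = ang_delta(0.0, yaw + step[t])  # keep yaw in [-180, 180)
        views[t] = (yaw, 0.0)
    return views, [200, 600, 900]


if __name__ == "__main__":
    views, kills = constructed_match()
    print(review_match(views, kills, HISTORY))
```

Only 48 of the 1000 constructed ticks are examined, which is the cost argument made in the comment; the per-kill work could run in a separate process from the game server.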

        • viraptor 12 hours ago

          The CPU being overwhelmed with physics sounds sus to me. CS has a few mechanics more than Q1, but not that many. It's a few collisions and should be possible to check in a tiny fraction of today's CPUs' capabilities. Even with some advanced movement physics, it's just a handful of entities - Marbles does hundreds more per frame. Am I completely missing something significant here?

        • Arch-TK 17 hours ago

          CSGO doesn't do P2P matchmaking and Valve _are_ working on real-time heuristics based cheat detection to kick cheaters mid-match

        • blangk 17 hours ago

          Not to mention the most sophisticated cheats are now running on second computers

    • dietr1ch 18 hours ago

      What about banning VPNs?

    • gosub100 20 hours ago

      Just curious if IP bans work with IPv6 or if they are fundamentally incompatible?

      • ghxst 19 hours ago

        IP bans are fundamentally flawed since you can't assume a static IP in the vast majority of cases anymore, if you rely on an IP blocklist then it's inevitable that you will end up hurting the experience of a small amount of unlucky but innocent players. I suppose this might be more of an issue on ipv4 than it could be on ipv6, but really you should always expire IP bans to avoid issues like these, or you want to combine another data point with the IP such as a hardware ID (or a hash of a combination of hardware IDs). Cheaters do know this so even if we could assign everyone a static ipv6 they would likely just disable ipv6 support on their NIC and rely on their ipv4 exit ip.

        Edit: If you don't think this is an issue I urge you to Google "pokemon go belgium ip ban" for a fun rabbit hole.

      • toast0 10 hours ago

        Sort of. Doesn't make sense to ban a single v6, you'd start by banning at the /64 level and move on to banning shorter prefixes from there.

        You quickly run into the same kinds of problems you do in v4 though; most users have access to a shared pool of addresses, and you may need to ban the whole pool to ban an abuser, but then you also ban everyone else in that pool, and the abuser is more likely to have ability and motivation to use other pools.

        It's better if you have multiple factors... if you don't like the IP, don't ban it, but be stricter on other measures, etc. So a well behaved client from a 'bad ip' can still play, but enough suspicious things and you can't play anymore.
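The points made in this sub-thread (track IPv6 by /64 or a shorter prefix, expire IP entries, combine the IP with a second factor such as a hardware-ID hash, and let a "bad" IP tighten other checks instead of banning outright), as an added example that is not code from the thread or the article. The class and function names, the one-week expiry, the thresholds and the 0..1 suspicion score are assumptions; addresses are from the documentation ranges.

```python
import ipaddress
from dataclasses import dataclass, field


def normalize(addr):
    """Parse an address; treat IPv4-mapped IPv6 (::ffff:a.b.c.d) as IPv4."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def ban_key(addr, v6_prefix=64):
    """Network an address is tracked under: /32 for v4, a prefix for v6."""
    ip = normalize(addr)
    if ip.version == 4:
        return f"{ip}/32"
    return str(ipaddress.ip_network(f"{ip}/{v6_prefix}", strict=False))


@dataclass
class Reputation:
    ttl: float = 7 * 24 * 3600                    # assumed expiry: one week
    ip_flags: dict = field(default_factory=dict)  # network -> expiry time
    hw_flags: set = field(default_factory=set)    # hashed hardware IDs

    def flag_ip(self, addr, now, v6_prefix=64):
        """Record a network as suspicious until now + ttl."""
        self.ip_flags[ban_key(addr, v6_prefix)] = now + self.ttl

    def ip_flagged(self, addr, now):
        ip = normalize(addr)
        # Drop expired entries so a recycled address stops being penalised.
        self.ip_flags = {n: t for n, t in self.ip_flags.items() if t > now}
        return any(ip in ipaddress.ip_network(n) for n in self.ip_flags)

    def allowed(self, addr, hw_hash, suspicion, now):
        """suspicion: 0..1 score from other signals (assumed to exist)."""
        limit = 0.8                # tolerance for a client with no history
        if self.ip_flagged(addr, now):
            limit = 0.5            # shared pool with an abuser: stricter only
        if hw_hash in self.hw_flags:
            limit = 0.2            # second factor matches too: stricter still
        return suspicion < limit


if __name__ == "__main__":
    rep = Reputation()
    rep.flag_ip("2001:db8:1:2::10", now=0)
    # A well-behaved neighbour in the same /64 can still play.
    print(rep.allowed("2001:db8:1:2:ffff::1", "hw-clean", 0.3, now=10))
```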

  • retentionissue 7 minutes ago

    Catching/stopping people who want to cheat for profit is something I personally think is never going to happen.

    For a time, I would buy keys for CS:GO and different Steam accounts and use a subscription based cheat provider to provide me with ESP/chams on screen. I knew that overwatch/admins would be seeing the demos as the accounts were new. Starting from unranked meant you would be under scrutiny already so I adjusted my playstyle.

    I learned not to linger around looking at walls. People's movement patterns and decision making eventually became predictable as I reviewed demos or learned in the middle of a match how players have habits and abused that information. I was able to determine when to throw a round away to avoid suspicion and deliberately ensured I had a string of 2/3 bad games every so often so my K/D wasn't insane. I never used any aim assists, spinbots etc., and I always, always communicated with my team through ingame VOIP (not giving cheat calls) and maintained a legit facade.

    I went undetected for nearly 2 years and sold hundreds of CS accounts successfully and made a tidy profit doing it. It's another string of the gaming industry that brings in money and it will never go away.

    I like to think of it as an online drug war, however insensitive that may seem.

    • lovethevoid a minute ago

      At that point, you're putting more effort into cheating than regular players do at playing the game lol

  • animal531 5 hours ago

    Players from big countries often miss out on the sense of community that exists in smaller ones. When there are only 3-4 servers worth of people playing a game every day you quickly come to know them all, which really adds to the banter and sense of enjoyment.

    • ozarker 2 hours ago

      I’ve gotten a taste of that experience playing older multiplayer games that have a small player base. I much prefer it to games with millions of players where you’ll never see the people you play a match with again

      I also love games with community-run servers for the same reason

    • Glide 3 hours ago

      If you’re old enough you remember favoriting servers in Gamespy. You’d end up on the same servers depending on who is there and mainly how good your connection was.

  • voytec 21 hours ago

    Kudos to the author for using RFC5737[0] TEST-NET-2 address for:

    > An example of an IPv4 IP address is 198.51.100.1.

    [0] https://www.rfc-editor.org/rfc/rfc5737

    • mobeigi 21 hours ago

      I'm a big fan of using identifiers reserved for examples. I use TEST-NET-2 IP's and example.com all the time in my documentation!

    • o11c 18 hours ago

      Where it gets interesting is when documentation uses a typoed reserved address (e.g. 189.51.100.1 or 198.15.100.1). There are actually several RFCs that do this.

  • kurtoid 39 minutes ago

    I know there's a steam client setting now to clear the data of the overlay browser (either on exit, or manually? Can't remember) - does that affect the VGUI browser?

    I don't know about CS, but TF2 has the ability to disable server MOTDs - how does that affect this?

  • ZeroCool2u 21 hours ago

    Server side only anti-cheat is one of the problem domains that I'd really love to work on at some point in my career. This is the type of adversarial arms race that just seems really fun to think long and hard about.

    • Night_Thastus 21 hours ago

      Only problem is, a lot of companies do NOT want to pay for it. It's 'treadmill work'. No matter how many people and how much money you throw at the problem, it still ends up just coming back. It's a losing battle because there are many, many more players than there are developers.

      • J_Shelby_J 18 hours ago

        > Only problem is, a lot of companies do NOT want to pay for it.

        Because they're 10 years behind the curve and don't understand that a game's lifespan is contingent on anti-cheat. Once it becomes clear to the casual player that a hacker is going to affect every gaming session, the game dies quickly. Many games have gone so far as to obfuscate the presence of hackers so that players are less likely to notice them (CoD)! Other games build from the ground up with anti-cheat in mind (Valorant). Other games have an ID verified 3rd party system for competitive play (CSGO).

        Personally, I think there is a middle ground between root level hardware access, and treating cheating as an afterthought. I'd lean more heavily on humans in the process... Use ML models to detect potential cheaters, and build a team of former play testers to investigate these accounts. There is zero reason a cheater should be in the top 100 accounts; An intern could investigate them in a single day! More low hanging fruit would be investigating new accounts that are over-performing. I'd also change the ToS so legal action could be pursued for repeat offenders. Cheaters do real economic damage to a company, and forcing them to show up in small claims court would heavily de-incentivize ban evaders. This probably sounds expensive and overkill, but in the grand scheme of things it's cheap; it could be done on the headcount budget of 2-3 engineers. It'd also be a huge PR win for the game.

        • Unit327 13 hours ago

          > don't understand that a game's lifespan is contingent on anti-cheat

          Or you could spend a huge effort on cheatproofing only to find that no-one plays your game in the first place, e.g. Concord. I imagine getting cheaters in your game often falls into the "nice problem to have" category and it is easy to kick the can down the road.

          • paulryanrogers 2 hours ago

            Arguably it's table stakes because bad first impressions can kill a game at any point, perhaps especially at launch.

        • TechDebtDevin 14 hours ago

          > Many games have gone so far as to obfuscate the presence of hackers so that players are less likely to notice them (CoD)!

          How does CoD accomplish this, or other games that use similar strategies. I can't wrap my mind around how you could do this effectively while also not identifying hackers for the purpose of banning. Banning = Cheater buying another license to the game, I thought they like banning people for that reason :/

          • J_Shelby_J 13 hours ago

            One example I remember from CoD warzone is they've increased the number of in game 'wallhacks' available to players like UAVs and heartbeat sensors. So if you get killed by someone with wallhacks, it's easy to tell yourself they were using the plethora of legitimate ways to be detected. It could just be a coincidence that these new features obscure a hacker's visibility, but given the behavioral psychologist they have on team, I won't write off any coincidence as chance.

        • doctorpangloss 13 hours ago

          > Other games have an ID verified 3rd party system for competitive play (CSGO).

          Ha ha, you mean paying for the game and holding your Steam account as collateral?

          • sfn42 6 hours ago

            Your steam account is unaffected by anti-cheat measures. Being banned (vac or otherwise) from CSGO does not prevent you from playing other games, nor from playing CSGO alone.

            The only trace of it is that your account profile will show that you have vac bans on record, but you don't have to show your profile.

            • Rohansi 40 minutes ago

              Pretty sure the ban records show even if your profile is private.

        • globalnode 16 hours ago

          even though im not a cheater in games, i wouldnt play a game that threatened to take me to court if they deemed me to be one. interesting thought though.

      • anamexis 21 hours ago

        Are there more sophisticated cheat developers though?

        • Night_Thastus 21 hours ago

          Cheat development these days is incredibly sophisticated. There are swathes of tutorials, old and recent examples to research, advanced inspection tools, etc.

          It's so much easier to make cheats today than it was, say, 10 years ago.

          It's also easier because more and more games are sharing common infrastructure like game engines, as compared to the past. What works in one Unreal game may save you a lot of time developing a cheat for another Unreal game.

          These days, many online games encounter serious cheats within the first couple of days of release - if not the day OF release.

          • xpuente 27 minutes ago

            Secure enclaves can solve the problem once and for all. I don't understand why it is not applied (given the support in current hardware).

          • oneplane 21 hours ago

            Some of the sophistication is not really in the technical breaking of the game or protocol anymore, figuring out if something is plausible might yield detections that you cannot "cheat" because it no longer matters if your cursor clicked on a head at the right time or not, it matters if your posture/reputation/experience makes your behaviour plausible.

            Cheating and anti-cheat used to rely a lot on the pure technical parts (like "is something sneaking some reads from the memory the game engine uses to clip models?"), which is ultimately not something you will win as a game developer (DMA/Hardware attacks or even just frame grabbing the eDP or LVDS signal and intercepting the USB HID traffic has been on the market for quite a while).

            But implausible actions and results for a player can only be attributed to luck so many times. Do 30 360noscope flick headshots in a row on a brand new account and you can be pretty sure something is wrong.

            If we can get plausibility vs. luck sorted out to a degree where the method of cheating no longer matters, that's when the tide turns. Works for pure bots as well. But it's difficult to do, and probably not something every developer is able/willing to develop or invest in.
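The "plausibility vs. luck" argument in the comment above, worked through as an added example (not code from the thread or from any anti-cheat product): how many hits in a 30-shot window can still be luck once the size of the player base is taken into account. The hit rates, the one-million-player population, the false-flag budget and the shot sequences are constructed assumptions.

```python
from math import comb


def tail(n, k, p):
    """P(X >= k) for X ~ Binomial(n, p): k or more hits in n shots by luck."""
    return sum(comb(n, i) * p**i * (1 - p) ** (n - i) for i in range(k, n + 1))


def hits_needed_to_flag(n, p, players, budget):
    """Smallest hit count in n shots that fewer than `budget` honest accounts
    out of `players` are expected to reach, or None if even n/n is too
    likely to be luck at this population size."""
    for k in range(n + 1):
        if players * tail(n, k, p) < budget:
            return k
    return None


def first_implausible_window(outcomes, p, window=30,
                             players=1_000_000, budget=0.01):
    """Slide a window over a 0/1 hit sequence; return the start index of the
    first window whose hit count is implausible for hit rate p, else None.
    The budget applies per window, so reviewing many windows per account
    needs a correspondingly smaller budget."""
    limit = hits_needed_to_flag(window, p, players, budget)
    if limit is None or len(outcomes) < window:
        return None
    hits = sum(outcomes[:window])
    for end in range(window, len(outcomes) + 1):
        if end > window:
            hits += outcomes[end - 1] - outcomes[end - 1 - window]
        if hits >= limit:
            return end - window
    return None


# Constructed sequences (1 = headshot, 0 = anything else).
HONEST = [1, 0, 0, 0, 0] * 20               # steady 20 % over 100 shots
TOGGLER = [1, 0, 0, 0, 0] * 12 + [1] * 30   # 20 % baseline, then 30 in a row
NEW_ACCOUNT = [1] * 30                      # no history at all

if __name__ == "__main__":
    # Against the account's own 20 % baseline the sudden change stands out
    # before the streak is even complete.
    print(first_implausible_window(TOGGLER, p=0.2))      # 49
    print(first_implausible_window(HONEST, p=0.2))       # None
    # A new account is judged against a generous assumed 50 % prior; 30/30 is
    # still below the budget for a million players.
    print(first_implausible_window(NEW_ACCOUNT, p=0.5))  # 0
```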

            • Night_Thastus 21 hours ago

              It's hard to balance around those sorts of things. For example, imagine a cheat that gives the player additional info about where enemies are and their state (ie: health). Even if they are of totally normal skill level in terms of movement and aim, that info will allow them to be substantially better than others. How are you going to detect that, and differentiate it from players who simply have a great sense of map awareness and a good ability to keep track of enemies and when to punish them?

              Anything that makes assumptions about player's skills runs into problems too. For any online PvP game, the skill ceiling will rise with time. What once may have been considered improbable may soon become what's consistent for the top 1% or even 0.1% of the playerbase given a few years.

              As well, it can run into problems as rebalancing occurs and new abilities are released.

              • oneplane 20 hours ago

                Even the base example would make that specific scenario trivial: an account that is new has no business "being better" than everyone else.

                The only group you'd punish with that is skilled players that lose their account (and create a new one), but if you use a moving skill window they can grow back into their plausibility pretty quickly, and it's a small cost compared to everything else. And you could even mitigate that by making things like the first 10 matches require a different plausibility score than the matches after that.

                And with different I don't mean "no scoring at all" or something like that. But a cheater tends to not cheat "a little bit". You might have togglers, but that sticks out like a sore thumb (people don't suddenly lose or gain skill like that). And even if that fails (lots of "cheating a little bit" for example), you've still managed to boot out the obvious persistent cheating.

                And that's just with 1 example and 1 scenario. Granted, that bypasses the fact that it is still difficult and doing it broader than one example/scenario is even more difficult, but that's why I ended the previous comment pointing out the difficulty and associated cost, which goes hand in hand with the balancing difficulty you pointed out. Even tribunal-assisted methods (not sure if Riot games still does that) have the same problem.

                • Night_Thastus 19 hours ago

                  What about new players who are competitive in other, similar titles, and thus start off with a strong advantage?

                  And - what about experienced players who cheat?

                  In some scenes, it's actually more often that cheaters are some of the best, most experienced players who have a strong competitive lean and feel they 'deserve' to win, so use cheats to get an edge. It's far more common than you'd think.

                  That's the problem with any anti-cheat system. It's all the what-ifs. Every single 'clever idea' that has been theorized under the sun has been tried and most have failed.

                  • oneplane 17 hours ago

                    Those players would be initially quarantined either way and a sliding experience window would put a limit on what is plausible. Same goes for transferrable skills.

                    Experienced players who cheat will still be subject to plausibility. Say there is a normal amount of variance in humans but suddenly some player no longer has variance in their action. That's not plausible at all. Or a player looking at things they cannot see, that might sometimes be a coincidence, but that level of coincidence is not plausible to suddenly change a drastic amount.

                    Again, this sort of thing doesn't catch all subtle cheaters, but those are also not the biggest issue. It's the generic "runs into a room, beats everyone within 10ms", and "cannot see, but hits anyway all the time" type of cheat you'd want to capture automatically.

                    A what-if in a tournament or the top 1% of players is such a small set of players, you'd be able to do human observation. Even then someone could cheat, but you're so far outside of the realm of general cheating, I wonder if that's worth including in a system that's mostly beneficial inside the mass market gaming players.

                    Either way, this sort of detection is usually done in the financial and retail world, and results in highly acceptable rates and results. It's not perfect with a 100% success rate or something like that, but it's pretty successful. Just not something studios or publishers seem to want to invest in. It's much simpler to just buy or licence something (like Easy Anti-Cheat). Broad internal expertise isn't something the markets are rewarding at this point.

                • johnisgood 17 hours ago

                  > Even the base example would make that specific scenario trivial: an account that is new has no business "being better" than everyone else.

                  You cannot and should not rely on that, depending on what account really means, e.g. in ioquake3 games, having a new GUID (you delete a specific file to get a new one) makes you a new player.

                  • oneplane 17 hours ago

                    Sure, it would only work on games where the client and server both authenticate, otherwise none of this will work as there would be no reputation to be relied on.

                    • johnisgood 17 hours ago

                      I agree, just thought I would mention. :)

                      > A smurf is a player who creates another account to play against lower-ranked opponents in online games.

                      Happens in many games, including League of Legends on which people typically spend a lot of money.

                      • oneplane 5 hours ago

                        I've even seen the weird combination of the client and server both authenticating, but the account owner being given a choice if they want to 'level up'. It essentially means your public reputation and match history (and actual experience) no longer align.

                        I suppose that matters less if we're doing checks on the actual data, but for the player base, you cannot rely on what the game reports about the experience of your opponent, which makes for very confusing matchups (and the accusations that go with it).

                        • johnisgood 5 hours ago

                          > account owner being given a choice if they want to 'level up'

                          Like level up without getting XP by playing? That renders it pretty useless.

                          Speaking of, I hate games that are "pay to win".

          • berbec 21 hours ago
          • BlueTemplar 17 hours ago

            It's funny, with "sophisticated", I would have expected "so much harder".

            But I guess the documentation and standardization are even more advanced ?

      • willcipriano 21 hours ago

        My idea:

        1. Determine minimum human reaction times and limit movement to within those parameters on the client side. (For example a human can't swing their view around [in a fps] in a microsecond so make that impossible on the client) this will require a lot of user testing to get right, get pro players and push their limits.

        2. Build a 'unified field theory' for your game world that is aware of the client side constraints as well as limits on character movement, reload times, bullet velocities, etc. Run this [much smaller than the real game] simulation on server.

        3. Ban any user who sends input that violates physics.

        Now cheating has to at look like high level play instead of someone flying around spinbotting everyone from across the map. Players hopefully don't get as frustrated when playing against cheaters as they assume they are just great players. Great players should be competitive against cheaters as well.
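Steps 2 and 3 of the idea above (a much smaller server-side model that knows the limits on view movement, character speed, fire rate and reloads, and rejects input that violates them), as an added example that is not code from the thread or from any game server. The command layout, every limit value and the sample commands are assumptions constructed for illustration.

```python
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Limits:                    # all values are assumptions
    max_turn_deg: float = 60.0   # view change allowed per tick
    max_speed: float = 4.0       # world units per tick
    fire_interval: int = 6       # ticks between shots
    magazine: int = 5
    reload_ticks: int = 40


@dataclass(frozen=True)
class Cmd:                       # one client command as the server receives it
    tick: int
    yaw: float
    x: float
    y: float
    fire: bool = False
    reload: bool = False


def validate(cmds, limits=Limits()):
    """Replay commands against the limits; return [(tick, violation), ...]."""
    violations = []
    prev = None
    ammo = limits.magazine
    next_shot = 0                        # earliest tick a shot is legal
    for c in cmds:
        if prev is not None:
            dt = c.tick - prev.tick      # > 1 when commands were dropped
            if dt <= 0:
                violations.append((c.tick, "non-monotonic tick"))
                continue
            turn = abs((c.yaw - prev.yaw + 180.0) % 360.0 - 180.0)
            if turn > limits.max_turn_deg * dt:
                violations.append((c.tick, "turn rate"))
            dist = math.hypot(c.x - prev.x, c.y - prev.y)
            if dist > limits.max_speed * dt + 1e-9:
                violations.append((c.tick, "speed"))
        if c.reload:
            # Simplification: the magazine is refilled when the reload starts,
            # but no shot is legal until the reload time has elapsed.
            ammo = limits.magazine
            next_shot = max(next_shot, c.tick + limits.reload_ticks)
        elif c.fire:
            if c.tick < next_shot:
                violations.append((c.tick, "fired too early"))
            elif ammo == 0:
                violations.append((c.tick, "empty magazine"))
            else:
                ammo -= 1
                next_shot = c.tick + limits.fire_interval
        # Continue from the reported state so that one bad command yields one
        # finding instead of a cascade.
        prev = c
    return violations


# Constructed command stream.
SAMPLE = [
    Cmd(0, 0.0, 0.0, 0.0),
    Cmd(1, 10.0, 3.0, 0.0),
    Cmd(2, 175.0, 6.0, 0.0, fire=True),   # 165 degrees in one tick
    Cmd(3, -175.0, 9.0, 0.0),             # 10 degrees across the +/-180 wrap
    Cmd(5, -170.0, 17.0, 0.0),            # one tick dropped, 8 units in 2 ticks
    Cmd(6, -170.0, 17.0, 0.0, fire=True), # 4 ticks after the previous shot
    Cmd(7, -170.0, 40.0, 0.0),            # 23 units in one tick
    Cmd(8, -170.0, 40.0, 0.0, reload=True),
    Cmd(20, -170.0, 40.0, 0.0, fire=True),  # fired mid-reload
]

if __name__ == "__main__":
    for finding in validate(SAMPLE):
        print(finding)
```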

        • Workaccount2 18 hours ago

          The vast majority of cheaters are not "rage hacking", but instead using cheats as a skill assist.

          Take a moment and think about how you would design cheats that would be undetectable. Hot keys, real time adjustments, all the options and parameters you could provide cheater to dial in their choice experience while also keeping them looking legit.

          Then realize cheat developers thought of all that decades ago and it is waaayyyy beyond what you can dream up in a few minutes. Hell cheats nowadays even stop cheaters from inadvertently doing actions that would out them as cheaters.

          • willcipriano 15 hours ago

            You misidentify the core problem, or at least why it is a problem from a business perspective.

            The problem isn't cheating itself, the problem is players feeling like they have been cheated (and thus not buying micro transactions in the future).

            If you can limit player action to things that look plausibly human, less players will feel cheated and will be less likely to drop out.

            This system would be put in place on top of existing systems and if implemented as I have described could be done so fairly cheaply from an operational perspective (getting it off the ground will require a good bit of dev time).

            If you had ELO based matchmaking (that dropped matches where the player performed far below what they had previously done to prevent sandbagging) a cheater with "perfect play" would end up only playing against other cheaters after a time.

            • autoexec 9 hours ago

              > The problem isn't cheating itself, the problem is players feeling like they have been cheated (and thus not buying micro transactions in the future).

              Any game I pay for that pressures me to pay with micro transactions already makes me feel like I've been cheated. "Free" to play games might be motivated that way though.

              Although I doubt it would stop cheating, making sure that players can't do impossible things is absolutely a good idea and something that should have been done ages ago.

              The best solution to avoid cheating is to play with people you know. Expecting a good time when playing with internet randos from all over the globe is maybe too optimistic.

          • johnisgood 18 hours ago

            > skill assist

            Yeah, most games have builtin aimbot, called "aim assist". I do not like it, in fact, I find it annoying as a player, too (I come from Quake 3).

        • ultimafan 17 hours ago

          Playing against subtle cheaters is imo more rage inducing once you realize it's actually happening. New or poor players won't notice and won't call them out on it or participate in a votekick because they genuinely can't tell the player is cheating. Average to good players get tilted because they might have enough game knowledge to know something is off but not notice it every time or be able to call out exactly what's happening. They end up second guessing too much. And you can't improve and get better playing against subtle cheaters because they're going to be doing things you just can't. Great players can probably tell more often than not but they're going to quit in droves when they realize the playing field isn't fair. Subtle cheating is much more destructive to a game's longevity because trust in public matches is heavily eroded over time. Rage hackers you can just kick/ban/leave the match yourself because it's obvious.

        • jorvi 18 hours ago

          > Now cheating has to at look like high level play instead of someone flying around spinbotting everyone from across the map. Players hopefully don't get as frustrated when playing against cheaters as they assume they are just great players. Great players should be competitive against cheaters as well.

          No, those are still just as vehemently hated as “closet cheaters”, for example the whole XIM / Cronus infestation on any game that has controller AA.

          It’s still possible to, on average, spot if it’s a closet cheater or an actual good player due to things like movement and gamesense, but for the average player it will be much less obvious, leading to a huge amount of rage towards good players because they are by default suspected as “just another closet cheater.”

          • johnisgood 17 hours ago

            What are you referring to by "gamesense"? FWIW you can implement all sorts of movement hacks, from dodging bullet particles to appearing laggy enough to seem to be teleporting.

            • jdietrich 17 hours ago

              Gamesense: a mental model of the game by which players can anticipate and pre-empt the actions of other players.

              A CS:GO player with good gamesense will habitually keep their crosshairs at head height and aim at corners where an enemy is likely to emerge. They'll have an intuitive sense of how long it takes to run from one point on the map to another. They'll listen through walls for footsteps to try and decode where the enemy are, where they're headed to and what strategy they might be about to attempt.

              To the uninitiated, it looks a lot like cheating - you peek through a window and instantly get headshotted before you've had any chance to react. To the guy who hit you, it's just basic gamesense - you did a predictable thing and he punished you for it.

              • ultimafan 17 hours ago

                Yeah, it feels like a dead giveaway when someone at higher ranks has near perfect but within the realm of believable gameplay from a mechanical standpoint (great aim control/accuracy, hitting lots of flick shots) but then they're running all over like a headless chicken, getting lost on the map, have no regard for positioning and angles when pushing or defending, just purely leveraging "skill" alone.

              • johnisgood 17 hours ago

                Thank you, that makes sense.

        • berbec 21 hours ago

          This is a slippery slope which we can view in real-time looking at the speedrunning community. Many current real person runs are using strategies once thought to be computer-only. A Mario run from 2024 would be viewed as totally impossible in 2004.

          • jwagenet 18 hours ago

            This isn’t really a relevant concern for online games since speed running is mostly rehearsed play with predictable game mechanics, not inhuman response to novel stimulus.

            • orbital-decay 11 hours ago

              > rehearsed play with predictable game mechanics, not inhuman response to novel stimulus

              You just described most competitive games (even vaguely so), and 100% of esports.

          • burnte 18 hours ago

            No one does multiplayer speedruns.

        • TechDebtDevin 14 hours ago

          Cheaters who spin don't care if they get caught. It's the closet cheaters you can't catch like this whose aim bot only locks on the head of someone when the cross hair is a certain amount of pixels from the head, or they set it to never lock on the head.

          • guappa 7 hours ago

            Or to autotrigger. That's how they do for backstabs in team fortress 2. Just go around and have it trigger immediately when it'd be an instant kill.

            Demomen on the other hand use an aimbot so they can hit you with those parabolic projectiles in the face, even if you're behind a wall and they can't see you at all.

        • bob1029 21 hours ago

          This is kind of getting into my idea - Statistical methods & maybe a sprinkle of old-school machine learning.

          What I would try is to hire a red team & blue team and put them in a sandbox environment. The red team cheats on purpose. The blue team is guaranteed to be playing legitimately. Both teams label their session data accurately. I then use this as training & eval set for a model that will be used on actual player inputs.

          The only downside is that you will get a certain % of false positives, but the tradeoff is that there is literally nothing the cheaters can do to prevent detection unless they infiltrate your internal operations and obtain access to the data and/or methods.

        • guappa 8 hours ago

          Even worse, now people will not automatically immediately kick them from the server.

    • arminiusreturns 18 hours ago

      Something I'm working on now. The real issue is that you get more perf hits trying to do all the important stuff server side, so devs have become lazy and offloaded more to the client than they should have, and then that became the standard. Moving all important actions server side isn't easy or cheap but it's how you prevent cheating much more holistically.

      Now add in that I'm running a physics-heavy game with 120 tickrate, (considering higher after more tests), with fine motor control action combat, aimed to scale to mmorpg size, and it really becomes a challenge!

    • andrewmcwatters 18 hours ago

      The state of the art is pretty boring and you can learn about user command payloads in an afternoon.

      The world is much more complex now that YOLO-based aimbots exist, and I think the real answer is that anti-cheats are now defeatable, period.

      You can craft a private binary that has no hash registered to any major anti-cheat service on the client-side, and on the server-side you’re limited to what is allowed by game rules.

      Since there’s no mechanisms for preventing super human reflexes, and there probably shouldn’t be, it’s an issue that cannot be solved anymore.

      So you need community judgement, and that too is boring. Good players being accused of cheating in Counter Strike is a years old and entertaining problem.

      • BlueTemplar 17 hours ago

        > now that YOLO-based aimbots exist

        the what ?!?

        • mardifoufs 16 hours ago

          Probably refers to the YOLO family of object detection/classification models. Though I wasn't aware that they could be used for something like cheating in csgo. They are really fast compared to most AI models but I thought that it still wouldn't be fast enough to give you a real advantage (especially for pros), as cheats usually depend on "wall hacks" or similar, and being able to see more than what you could see on your screen.

        • genpfault 3 hours ago
  • mobeigi 20 hours ago

    If the website is down or slow and you want to read the article, here is a full page screenshot of the post: https://i.imgur.com/SPp6IHX.jpeg

    Sorry :'( I didn't expect the post to get this much traffic.

  • precommunicator 9 hours ago

    > but the traffic itself was encrypted over HTTPS. This meant that even if one were to use a packet sniffing tool like Wireshark, you would not be able to find the raw token.

    It's trivial to decrypt HTTPS with tools like Fiddler or Burp Suite, assuming this built-in browser used system proxy and system certificates list.

    • fiskfiskfisk 6 hours ago

      It's all about how apparent the issue is if you're running Wireshark - it does not stand out, so you have to do a lot more work to discover what is actually happening. The request is also hidden in plain sight along other requests, and those requests are what you'd expect (you'd normally expect a motd request, so this isn't out of place).

      Given that the way of circumventing the issue at hand is to delete a single local file, which is far simpler than finding the actual request and setting up Fiddler or Burp Suite, this worked well enough.

      No need to overengineer.

    • ricardo81 8 hours ago

      I think the author has the average script kiddie in mind, rather than the HN crowd.

    • wobfan 9 hours ago

      It's also pretty easy to export the secret keys from Firefox and import them into Wireshark. Like, it's some clicks, and (depending on which TLS it uses) you gotta do it for every connection, but it's not too hard.

  • rldjbpin 7 hours ago

    respect the ingenuity of the solution and how well it did.

    although it has to be said that we are better off without having vgui in the first place.

    this kind of sneaky tracking is so widespread today on the Web that it is nearly impossible to be bothered with evading it. whether it is the "wideport" or what extensions you use, you might as well use tails to surf the internet at that rate.

    but using a logical fallacy, to exploit for the better good does seem appealing.

  • leetbulb 21 hours ago

    This isn't about stopping cheaters (cheat detection). This is about stopping repeat cheaters trying to ban evade. Detecting cheats, especially nowadays with hardware cheats (DMA, etc), is an entirely different ballgame.

    IMHO, one of the most effective ways to stop ban evaders is to actually charge money for the game.

    • kemitche 21 hours ago

      At the time of the events in the blog, CS:GO was NOT free, and yet there were still cheaters that apparently had access to 80+ accounts.

      • connicpu 20 hours ago

        Why pay for the game when you can go to an onion site that will sell you hundreds of compromised accounts that own the game for a fraction of the price?

        • ManlyBread 2 hours ago

          At that time CS:GO would cost around $3 during various Steam sales and it was possible to buy a huge amount of gift copies that could be stored in your Steam inventory. So one "legit" account would buy lots of copies and then "gift" them to new accounts that would go on a cheating spree.

      • bob1029 20 hours ago

        Charging money and banning at the payment provider level can be quite effective. It isn't a perfect answer but it cuts out gigantic chunks of the problem space.

        I'll take a ~99% cheat-free experience over not having any improvement at all.

        • kemitche 20 hours ago

          Agreed, but in this particular case the blog writer was running private servers, rather than being Valve. They had no control over payment processing etc.

      • leetbulb 20 hours ago

        That's fair. There will always be cheaters like this. However, anecdotally, after CS or any other game I've played that went free-to-play, cheaters became a much much larger problem: from seeing one every now and again, to at least one in nearly every match.

    • Frotag 15 hours ago

      Banning by TPM also makes ban evasion pretty expensive. At which point the cheater has to either buy a new mobo or solder a new TPM chip onto their mobo (not always possible). Though I guess at some point a sloppy vendor will leak TPM keys and it'll be spoof-able.

      • 0dayz 9 hours ago

        I could be wrong but couldn't you just get a pcie card that is effectively a tpm card?

        • Frotag 8 hours ago

          Ah you're right, I didn't know external TPM modules were a thing. Looks like they're only ~10ish usd too.

  • santialbo 9 hours ago

    Banning new Steam IDs on banned IPs seems too strict to me. Some ISPs use CG-NAT or rotate IPs, meaning a single bad actor could harm many innocent players.

    • tomooot 9 hours ago

      They actually cover these concerns, acknowledge it was a problem with examples of siblings or students behind a shared IP, and then developed a parallel cookie based tracking system, using the "server welcome message" which is served as a web page in the in-game browser.

      It's also worth noting this is a 3rd party dedicated server provider, who manages and leases community run game servers. Getting a ban here would prevent you from playing on that provider's servers, but not any of the official matchmaking ones or servers from another hosting provider.

    • Cthulhu_ 9 hours ago

      This is mentioned in the article, hence why they added a third method.

      • emaro 9 hours ago

        They added the third identifier to detect ban evasion by changing the Steam ID and the IP address.

        They implemented some specific exceptions but generally recommended to not play on untrusted networks to avoid getting banned along cheaters in the same network.

        That's my take from the article.

    • wobfan 9 hours ago

      Yeah that sounded like a very bad idea. It was already a bad idea years ago when there were enough IPv4 addresses, because still people were using NAT behind routers. So, it could happen that you just ban a whole family or people that are living together in the same flat, although only one of them cheated. But now, with this whole carrier grade NATting, it seems like not only a bad, but a dysfunctional idea.

    • jeroenhd 7 hours ago

      NAT is a problem, but in this case I think it's a valid consideration regardless. Banning innocent players behind shitty ISPs sucks, but cheaters suck more.

    • cedws 8 hours ago

      Yeah. IPs are NOT identifiers. At best they are a session ID. Using IPs to ban players on the basis that they've been used by a cheater before seems extremely unfair and probably even an opportunity for denial-of-service.

      • connicpu an hour ago

        I'd agree if it was being used to ban players across many servers, but a single community server is not that big a deal to be banned from. And they seem to have had an appeals process.
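The trade-off argued in this sub-thread (IP bans versus shared or CG-NAT addresses, with the in-game-browser cookie as a third identifier) can be written down as a small decision policy. This is an added example, not the article's or IdentityLogger's code: the class names, the policy itself, and every Steam ID, token and address in it are constructed assumptions.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Connection:
    steam_id: str
    ip: str
    token: Optional[str]  # cookie read back via the MOTD page; None if the file was deleted


@dataclass
class BanStore:
    steam_ids: set = field(default_factory=set)
    ips: set = field(default_factory=set)
    tokens: set = field(default_factory=set)
    # Operator-maintained exemptions (assumption): networks known to be shared,
    # e.g. a campus or a CG-NAT egress range, where an IP match proves nothing.
    shared_networks: list = field(default_factory=list)

    def ban(self, conn: Connection) -> None:
        self.steam_ids.add(conn.steam_id)
        self.ips.add(conn.ip)
        if conn.token is not None:
            self.tokens.add(conn.token)

    def is_shared(self, ip: str) -> bool:
        addr = ip_address(ip)
        return any(addr in net for net in self.shared_networks)

    def evaluate(self, conn: Connection):
        """Return (decision, reasons) for a connecting player."""
        reasons = []
        if conn.steam_id in self.steam_ids:
            reasons.append("steam_id")
        if conn.token is not None and conn.token in self.tokens:
            reasons.append("token")
        if conn.ip in self.ips:
            reasons.append("ip-exempt" if self.is_shared(conn.ip) else "ip")

        if "steam_id" in reasons or "token" in reasons:
            # Strong match: same account or same browser cookie. Propagate the
            # ban so the new Steam ID and IP become known identifiers too.
            self.ban(conn)
            return "deny", reasons
        if "ip" in reasons:
            # Weak match: deny, but do not propagate. A neighbour behind the
            # same address must not have their Steam ID or cookie poisoned.
            return "deny", reasons
        return "allow", reasons


def demo():
    """Run constructed connections through the policy and return the decisions."""
    store = BanStore(shared_networks=[ip_network("198.51.100.0/24")])
    store.ban(Connection("STEAM_1:0:1001", "203.0.113.7", "tok-A"))   # caught cheating
    store.ban(Connection("STEAM_1:0:2001", "198.51.100.10", "tok-B"))  # cheater on a campus net
    attempts = [
        Connection("STEAM_1:0:1002", "203.0.113.7", None),       # new account, cookie deleted
        Connection("STEAM_1:0:1003", "192.0.2.50", "tok-A"),     # new account, new IP, old cookie
        Connection("STEAM_1:0:1004", "192.0.2.50", None),        # IP learned from previous line
        Connection("STEAM_1:0:2002", "198.51.100.10", "tok-C"),  # innocent on the shared net
        Connection("STEAM_1:0:2003", "198.51.100.10", "tok-B"),  # evader on the shared net
        Connection("STEAM_1:0:3001", "192.0.2.99", "tok-Z"),     # unrelated player
    ]
    return [store.evaluate(c) for c in attempts], store


if __name__ == "__main__":
    results, _ = demo()
    for decision, reasons in results:
        print(decision, reasons)
```

Deleting the cookie file defeats the token check, as noted elsewhere in the thread, which is why the IP check still matters outside exempted networks.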

  • codefined 20 hours ago

    > I only shared the solution and technique with one other server operator I fully trusted based in the UK

    I think that was us! We ended up combining it with other fingerprinting indicators, but the whole 'use VGUI' was a surprisingly effective way at handling this. I believe they removed the web browser in ~2018, which was disappointing. Being able to have custom skill trees / fun integrations with servers was really powerful!

  • stevefan1999 an hour ago

    > I'm not being funny and I mean no disrespect.

    > But cheaters are cunts. They're cunts now, they've always been cunts.

    > And the only thing that's going to change is they're going to become bigger cunts.

    > Maybe have some more cunt kids.

    That statement really shows how big of a dick you are, like come on man, it's just a game. Without learning game cheats and writing trojans and botnets since 14, although I'm kind of clean now, I wouldn't have mastered C++, C# and Java together and later get deep into computer science (and cybersecurity to some extent).

    • RedCurrent an hour ago

      I disagree. Cheating in singleplayer games is fine, but you're ruining the experience of others when hacking in multiplayer games.

      • stevefan1999 an hour ago

        > but you're ruining the experience of others when hacking in multiplayer games

        What I meant was, cheating can be a good learning experience to programming for a lot of kids, because they get immediate feedback and rewards. At least that's what I see it as.

        • lightbulbish 43 minutes ago

          By breaking the agreed-upon rules you gain resources and others lose resources (energy, morale, money, w/e). That the activity impacts the cheater in other ways is beside the point if it's a dick move or not.

          • stevefan1999 24 minutes ago

            > By breaking the agreed-upon rules you gain resources and others lose resources (energy, morale, money, w/e).

            Ah, isn't that something politicians and countries around the world always do? And you think game cheating is a bigger problem?

        • RedCurrent an hour ago

          I'm with you, but the environment they cheat in matters. Learning to hack with CTFs is great, but against real targets? Of course, I'm overplaying the severity of cheating a bit, but the point still stands.

  • latexr 21 hours ago

    > The best part was that no one knew how we were able to do this and our admin team kept the implementation a top secret. We should have filed a patent!

    I know you’re joking, but if you had filed a patent you would have had to reveal the trick, thus rendering it immediately useless.

    Doesn’t detract at all from your post. Fun read.

  • LinuxAmbulance 21 hours ago

    Excellent write up and solution. Cheating in video games makes for a wretched experience for those who don't cheat.

    It's crazy how rampant cheating in multiplayer games, especially competitive ones has gotten. Ten years ago, I thought it was at an extreme, but it's only gone up since then.

    Part of the problem is that for some software developers, writing cheats brings in a massive amount of money.

    So instead of some teenager messing around making unsophisticated cheats, you have some devs that are far better at writing cheats than game developers are at preventing them.

    It doesn't help that game devs have to secure everything, everywhere, but cheat devs only have to find a single flaw.

    • BlueTemplar 16 hours ago

      Some competitive multiplayer games.

      Which seem to be exclusively FPS games with ~10+M players ?

      I don't even remember the last time when I've heard of a game outside that very narrow (albeit decently popular) category to have complaints about cheaters. Meanwhile for these games, I hear about it like every month, and all this despite this genre being amongst the ones that I play the least !

      • RALaBarge 5 hours ago

        No, that figure is way off. Check out a website that sells digital goods or cheats and you will see that even far smaller games have cheats available.

        Escape from Tarkov comes to mind. An extremely hard and niche first person shooter with RPG elements. It is a private Russian company so we don't know exact player numbers, but it is estimated to be ~200k by some hits in a google search.

        There are people who will provide carry services and guns and gear for plenty of people who will pay for it, as well as other providers selling the cheats that the carriers use for a weekly fee. The people who are providing these services are getting paid in USD when their local currency has a far lower value. It isn't a moral thing, it is a money thing.

        You know that you sometimes don't know a bug exists before someone exploits it or uses your software in a way that you did not think of. There are experts who stand to make tons of cash if they can create or use an exploit that people will pay money to advance with.

        The only way to prevent this is something that no one wants to hear, but it needs to be a unique citizenship identifier of some sort, since HWIDs and other means of tracking are mostly useless.

      • Cthulhu_ 9 hours ago

        One thing to note is that CSGO can be considered a play-to-earn type game; you play the game, get lootboxes, get lucky, sell the item for... idk, hundreds? thousands? So it's an incentive to cheat and buy new copies of the game if found out. A single item can be a month's income easily.

        Mind you I don't know if that's the case on privately hosted servers as well, since those could be manipulated to give players the points needed to get the lootboxes.

        • Ekaros 9 hours ago

          That system incentivizes against it. Your inventory becomes locked meaning worthless if you get the proper ban. So for farming stuff, it is much better not to cheat.

          Not that there isn't options of making money that do benefit from cheating. Like creating high ranking accounts to sell. Which some people buy for the status of the rank...

      • dandanua 7 hours ago

        Maphack that gives vision of other players and resources is a common cheat in many games, including very popular moba games.

      • ClassyJacket 14 hours ago

        Well, it's just a genre that's immensely popular and easy to cheat in.

        If you have access to the game's memory etc, it's pretty easy to create an aimbot or thing that lets you see thru walls et cetera.

        How you gonna cheat in a moba? It's a strategy game, you need, like, cutting edge AI to beat the best humans at it. In fact OpenAI specifically worked on an AI to play Dota 2, it was that hard.

        • jeemusu 6 hours ago

          You don't need to improve your individual performance to cheat, anything that improves game-sense works just as well. A common one for moba (and other genres) is a radar style hack, which can show an overlay of the map with the player locations in real time. Knowing where your enemies are at all times is a HUGE advantage in a moba.

      • mvdtnz 16 hours ago

        Cheating is commonplace in lots of games much smaller than that. Company of Heroes 2 (an RTS released in 2013) for example is pretty much ruined by map hackers.

    • DJBunnies 21 hours ago

      I think a better question here is: why is game code so exploitable?

      A: laziness and cost. It just doesn’t matter the same way that banking code matters, I guess.

      So they toss on some cheap anti cheat instead of architecting it safely (expensively.)

      • andrewia 21 hours ago

        I think that's a very naïve way of looking at game development. There are many reasons why games are exploitable besides lack of reasonable dev effort.

        - Almost all games are going to use a licensed or shared game engine. That means the software architecture is already known to skilled cheat developers with reverse engineering skills.

        - Obfuscating the game will only go so far, as demonstrated by the mixed success of Denuvo DRM.

        - The game will not be the most privileged process on the machine, while cheaters are glad to allow root/kernel access to cheats. More advanced cheaters can use PCIe devices to read game memory, defeating that mitigation.

        - TPMs cannot be trusted to secure games, as they are exploitable.

        - Implementing any of these mitigations will break the game on certain devices, leading to user frustration, reputation damage, and lost revenue base.

        - And most damning, AI enabled cheats no longer need any internal access at all. They can simply monitor display output and automate user input to automate certain actions like perfect aim and perfect movement.

        • maccard 20 hours ago

          A couple of thoughts, but I largely agree with you.

          > Obfuscating the game will only go so far, as demonstrated by the mixed success of Denuvo DRM.

          Denuvo is for the most part DRM, rather than anticheat. Its goal is to stop people pirating the game during the launch window.

          > The game will not be the most privileged process on the machine, while cheaters are glad to allow root/kernel access to cheats.

          This ship has sailed. Modern Anticheat platforms are kernel level.

          > TPMs cannot be trusted to secure games, as they are exploitable.

          Disagree here - for the most part (XIM's being the notable exception) cheating is not a problem on console platforms.

          > AI enabled cheats no longer need any internal access at all. They can simply monitor display output and automate user input to automate certain actions like perfect aim and perfect movement.

          I don't think these are rampant, or even widespread yet. People joyfully claim that because cheats can be installed in hardware devices that there's no point in cheating, but the reality is the barrier to entry of these hyper advanced cheats _right now_ means that the mitigations that are currently in place are necessary and (somewhat) sufficient.

          • ghxst 19 hours ago

            It's not AI enabled cheats that are the issue, it's DMA through things like PCIe devices disguised as regular hardware. Sophisticated cheats no longer run on the same computer as you're playing on. Google "pcie dma cheat" for a fun rabbit hole.

            • maccard 18 hours ago

              Right, but the barrier for entry for those cheats is huge - the sp605 board is $700, for example. There are cheaper ones, but you’re not going to have rampant cheating testing through games when you add hundreds in hardware to the requirements.

              Anticheats work in layers and are a game of cat and mouse. They can detect these things sometimes, and will ban them (and do hardware bans). The cheaters will rotate and move on, and the cycle continues. The goal of an effective anti cheat isn’t stop cheating, it’s be enough of a burden that your game isn’t ruined by cheaters, and not enough of a target to be fun for the cheat writers.

          • heavenlyblue 19 hours ago

            > This ship has sailed. Modern Anticheat platforms are kernel level.

            so you use a kernel level anti-anti-cheat

      • lagadu 21 hours ago

        Because at the end of the day the game is running on the user's machine, a machine in which the user has full access to every part of the execution and the software developer does not. You can only get around that by streaming the game instead of running it on the client side and even then an aimbot or some type of automation would be possible nowadays.

      • doctorpangloss 21 hours ago

        > I think a better question here is: why is game code so exploitable?

        The nature of FPS games means only environment integrity can stop cheating. It's not exploitable per se. Just the game skill can be done by a computer perfectly.

        Conversely who knows how long it will take for AIs to play Hearthstone with never-before-seen-cards well.

        • wbl 20 hours ago

          Probably three years

      • numpad0 19 hours ago

        Oh, that's an easy one.

        - GOOD software are simple and easy to understand, which makes it EASY to cheat.

        - BAD software are needlessly complex and finicky, so it's HARD to rig it for a cheat.

        - Anti-cheats intentionally make software BAD and over-complicated, so cheaters would have hard time modifying it. But computers are brittle and also aren't smarter than humans so cheaters will eventually find a way.

        - Security is completely irrelevant topic since game clients are "bought" and run on your hardware; Digital Restrictions Management built to work against you as user is anti-consumer, anti-right-to-repair, anti-human, super bad thing, and lots of efforts are made to keep PC away from it as much as practical.

        It has nothing to do with laziness or cost. If anything it'll be the best programmed game that gets hacked fastest. And PS2 that gets emulated last.

      • jsheard 21 hours ago

        Architecture can help up to a point but it can't stop everything - the usefulness of ESP can be reduced by not sending the client information it doesn't need to know, but that gets computationally expensive on the server, and culling information too aggressively can interfere with lag compensation. Perfect recoil compensation can be prevented by not replicating the server's RNG state on the client so it can't predict where the next bullet will go, which CS:GO started doing at some point. Aimbots though? Those are just automating an input the user could theoretically make legitimately, so you're pretty much stuck with statistical heuristics or client-side detection.
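The server-side culling described in the comment above, and why a safety margin makes it more expensive, can be shown on a toy map. This is an added example, not code from the thread or from any game: the 2D grid, the Bresenham line-of-sight test, the margin rule and all names and coordinates are simplifying assumptions.

```python
# Constructed map: '#' is a wall, '.' is open floor. Indexed as GRID[y][x].
GRID = [
    "#######",
    "#..#..#",
    "#..#..#",
    "#.....#",
    "#######",
]
VIEWER = (1, 1)
ENEMIES = {"A": (5, 1), "B": (2, 2), "C": (4, 3)}


def walkable(grid, cell):
    x, y = cell
    return 0 <= y < len(grid) and 0 <= x < len(grid[y]) and grid[y][x] != "#"


def line_of_sight(grid, a, b):
    """Bresenham walk from a to b; False if a wall cell lies strictly between them."""
    (x, y), (x1, y1) = a, b
    dx, dy = abs(x1 - x), -abs(y1 - y)
    sx = 1 if x < x1 else -1
    sy = 1 if y < y1 else -1
    err = dx + dy
    while (x, y) != (x1, y1):
        e2 = 2 * err
        if e2 >= dy:
            err += dy
            x += sx
        if e2 <= dx:
            err += dx
            y += sy
        if (x, y) != (x1, y1) and grid[y][x] == "#":
            return False
    return True


def candidate_origins(grid, viewer, margin):
    """Cells the viewer might occupy by the time the snapshot arrives.

    margin is in cells (Chebyshev distance). Reachability is not checked,
    so the set errs on the side of sending slightly too much.
    """
    vx, vy = viewer
    cells = [
        (vx + ox, vy + oy)
        for oy in range(-margin, margin + 1)
        for ox in range(-margin, margin + 1)
    ]
    cells = [c for c in cells if walkable(grid, c)]
    # Try the viewer's real position first, then cells further out.
    return sorted(cells, key=lambda c: max(abs(c[0] - vx), abs(c[1] - vy)))


def snapshot_for(grid, viewer, enemies, margin=0):
    """Return (enemies to replicate to this client, number of ray casts spent)."""
    origins = candidate_origins(grid, viewer, margin)
    visible, casts = {}, 0
    for name, pos in enemies.items():
        for origin in origins:
            casts += 1
            if line_of_sight(grid, origin, pos):
                visible[name] = pos
                break
    return visible, casts


if __name__ == "__main__":
    for m in (0, 1, 2):
        seen, casts = snapshot_for(GRID, VIEWER, ENEMIES, margin=m)
        print(f"margin={m} replicate={sorted(seen)} ray_casts={casts}")
```

With no margin the client never learns about enemies behind the wall, so a wallhack has nothing to draw; each step of margin sends more positions and costs more ray casts per player per tick.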

      • tedunangst 21 hours ago

        No kidding, implementing multiplayer as a VNC session on a controlled server is very expensive.

      • GuB-42 21 hours ago

        Priorities. Games need content and performance. Give game developers more budget, and they will work on making the game faster, fix game breaking bugs, and add content rather than make the game less exploitable.

        And cheats do not always rely on exploitable bugs. A bot using screen capture and input device emulation works at the OS level and in other contexts (ex: accessibility), it would be a legitimate thing to do.

      • ghxst 19 hours ago

        A very large amount of games that are released nowadays all use well known and well documented engines, that's what makes it a lot easier, there's an interview on YouTube with a company that develops cheats for multiple games that mention this here: https://youtu.be/zwruk-tLIOU?si=3O2jBKQneur-n3iS

      • Matheus28 21 hours ago

        It’s not that simple.

        Some games aren’t able to prevent cheating. The client has the data on where the enemies on their screen are. The cheat only needs to move the mouse and click on the enemies' heads. Other games like MMORPGs involve the cheat just playing the game and farming on behalf of the player.

        It just becomes a cat and mouse game where the anti cheat is trying to detect something hooking into the game process while the cheat tries to hide itself.

        • drdaeman 20 hours ago

          > MMORPGs involve the cheat just playing the game and farming on behalf of the player

          From a player perspective that's not cheating, that's running a bot. It's automation of a routine grind - which is typically designed to make players hate it and spend money instead. Automating boring stuff is simply natural.

          For pay-to-win games it's effectively a balancing system, a pushback against player-hostile mechanics. Not unlike an adblocker on the web.

          That's strictly in context of MMORPG genre, of course.

      • kelnos 20 hours ago

        I think GP's last line covers it. It's the same reason why DRM is ultimately ineffective, and why even companies that work hard and spend time and money to secure their infra still sometimes get popped: the game devs have to be perfect 100% of the time, but the cheaters only have to get lucky and find a flaw once.

      • colechristensen 21 hours ago

        This isn't the better question.

        When you have software running locally, you can arbitrarily modify how it runs.

        Like an aimbot is a powerful cheat, and there's no amount of security that can prevent one from being used outside of an anticheat being able to look deep into what your system is doing, what it contains. The only way to prevent that kind of thing is to remove your control of your own computer.

        • Ekaros 21 hours ago

          And even then you could do aimbot with camera pointed on the screen and either faking a mouse or providing sensor sufficient data somehow to simulate movement... That is reach super human reaction times and accuracy...

          • drdaeman 20 hours ago

            I wish I'd live to see the time of true cyborgs who will exceed ordinary human capabilities in some regard.

            • colechristensen 17 hours ago

              How attached and how technical does it have to be to be "cyborg".

              Me with a pen and paper exceeds many human capabilities.

              Likewise with wearables like a smartwatch.

              Does it have to be direct neural integration to be a cyborg? Definitely people with profound brain injuries have been enhanced to the ability to interact again.

              • drdaeman 15 hours ago

                Good question! IMHO, it's a spectrum, of course, not a binary concept.

                But if we have to define a criteria... I guess, integrated just enough so it can't be trivially removed, making it more of a "body part" rather than a "tool".

                Point is, it'll certainly spark a discussion and re-evaluation of what's "fair", potentially shifting the consensus from somewhere around the current "glasses are fair game, but a programmable mouse is not" to somewhere more accepting of differently-abled individuals.

        • jsheard 21 hours ago

          > When you have software running locally, you can arbitrarily modify how it runs.

          Well, you can on PC at least. Xbox and Playstation security has matured to the point that code modification in online games isn't really a thing anymore, the worst they have to deal with is controller macros most of the time.

          • lagadu 21 hours ago

            Until they get jailbroken that is. There is no such thing as a perfectly secure platform in which the user has complete physical control over it.

            • jsheard 21 hours ago

              The PS4 and PS5 have been jailbroken numerous times, but...

              1) Their secure boot implementation has never been broken, which means you can't upgrade from an exploitable version N firmware to a non-exploitable version N+1 while persisting a backdoor like you could on older systems like the PS3. You're stuck at version N until another exploit is found.

              2) They rotate the crypto keys used for online play with every new firmware so they can easily lock those old exploitable firmwares out of online play for good, even if they try to spoof their version number. There's no getting around not having the new keys.

              Meanwhile the Xbox One took a decade to get even a limited jailbreak that allows arbitrary code execution inside the game sandbox, but can't escape the game sandbox to take over the kernel, and the Xbox Series systems have yet to be jailbroken at all on any firmware.

              Hypothetically being able to break anything with physical access doesn't count for much in practice if the thing you want to physically attack is buried inside a <7nm silicon die, doesn't trust anything outside of itself, and has countermeasures against fault injection attacks. The Switch may well be the last big victory for console hackers, the writing has been on the wall for years now.

  • lesuorac 4 hours ago

    Perhaps not applicable to a hidden web browser in counter strike but for public webpages you can apply the same fingerprint technique and only include the payload on _some_ page loads for non-fingerprinted users.

    Has a very nice advantage of if they go looking for fingerprinting they may or may not find it by random chance. It is security through obscurity but by making the bar higher for ban evasion you did actually remove a lot of people.

  • jeemusu 6 hours ago

    It feels like cheating has become endemic, every game I've played online in the last 2-3 years seems to be rampant with cheating. I don't remember it being this big of an issue 5-10 years ago, or maybe I was just ignorant to it? It's at the point now where I run into cheaters frequently enough that I find it hard to justify investing time into multiplayer games anymore.

    I can only assume the recent uptick is due to games adding tradable cosmetic items which has made it financially viable to cheat as most cheaters seem happy to drop a lot of money on cheats as well as $80 to re-buy a game once they eventually get banned.

    • tm-guimaraes 4 hours ago

      Don’t most games with expensive cosmetics lock them behind paywalls?

      I assume there is lots of cheating because of every game having matchmaking system for fair with rankings. And there’s a huge amount of people that feel locked into low ranking because of bad teammates (which makes no sense statistically speaking), and if they just bump something they would do well.

      There’s others who just want to show off a high ranking.

      And the guys that just want a cheap win, at the expense of ruining everyone else game.

      And then there’s the business of this. Cheat tool makers making money off these kind of people. High ranking players selling boosting services or high ranking accounts (smurfing and cheating feels very similar on the losing side). And even the high ranking players selling player providing boosting can cheat to perform the service in less time.

      Skill based matchmaking with any form of public ranking (showing a number or tier) will always be full of people trying to game the system instead of trying to get better at the game. Especially in team games.

  • mlok 7 hours ago

    What about some sort of shadowbanning ? Or "shadowsegregating" : I mean if you detect and group cheaters so that they play with other cheaters ? Leaving normal players alone ? (I am not a player, I don't know how these multiplayer games work, I'm just wondering)

    • thrdbndndn 7 hours ago

      No idea about CSGO but Dota 2 already does this (another Valve game).

  • pingec 12 hours ago

    The idea of client-side "cookies" existed even before CS:GO. I remember in CS:S the server was able to change game variables set on the client. I wrote a script for a CS:S server that would fingerprint a cheater by setting an obscure game variable to a unique value and so being able to identify the player through that even if they had a different steam id and ip. It seemed to work well for a long time for getting rid of the most common cheaters but of course the most committed and capable ones with RE skills will always be ahead of the game.

  • xyst 13 hours ago

    So adtech tracking techniques also work for fingerprinting ban evaders. Go figure.

  • Omni5cience 15 hours ago
  • avree 20 hours ago

    This link is 404ing for me. Anyone else?

  • robertlagrant 6 hours ago

    Would it be worth charging for CSGO? Or Counter-Strike 2, whatever the latest is? Because being banned by Steam ID might mean something if you have to pay $10 each time for the privilege.

    • hypercube33 6 hours ago

      I used to believe this, but in Call of Duty you burn $40-60 a ban plus it was or is tied to a phone number at one point and that didn't slow cheating down one bit. It's ultimately why my group quit playing.

      • robertlagrant 3 hours ago

        But in that case I suppose you could pass around a disk, at least for physical. For digital-only I imagine it would be more expensive.

    • jeemusu 6 hours ago

      While the game is free, they do charge $14.99 if you want access to the ranked matchmaking called Premier. Sadly, the cost of entry is not enough to dissuade most cheaters it would seem.

      • robertlagrant 43 minutes ago

        Well that's annoying. Perhaps they just aren't being detected?

    • trowflahbung 6 hours ago

      They semi-charge, i.e. the new “Premier” league is gate-kept by a $15 charge and an XP gate that requires extensive playtime in their other game modes.

      However, one can pretty easily buy a wholesale account if and when that happens and skip the time-money sink.

    • schmorptron 6 hours ago

      You do have to pay to play the ("prime") competitive mode. Sadly that doesn't seem to be much of a deterrence.

  • spyder 11 hours ago

    At the part where he writes about the human analysis of game data, I thought the article would end up with training an AI or just statistical analysis on that data to identify players. That would have been a little more interesting (but harder to do) than exploiting the game.

    • Mashimo 8 hours ago

      That is actually how current CS cheat detection works. I think valve had a talk about it. I think it's called valve overwatch.

  • beeboobaa3 21 hours ago

    > If a player joins with a different Steam ID but with an IP address that is already banned, the system now re-bans them

    This works great until you realize you're punishing innocent players because of CGNAT and IP addresses getting rotated. Cheaters usually know how to get their router to request a new IP address. That IP address then gets assigned to someone else later.

    • mobeigi 21 hours ago

      This scenario definitely did pop up and we would review it on a case by case basis to unban users or make exceptions. However, it was quite rare. Only a handful of reported instances over several months. If our servers were more popular we definitely would have run into it a lot more.

      • Alupis 21 hours ago

        I would wager most people just move onto a different server - leaving you with useless/suppressed data on how many people this may have impacted.

      • LudwigNagasena 21 hours ago

        You would need to ban random people and see how many of them report it to estimate the real amount of such errors.

    • cwmma 21 hours ago

      They addressed this in the section entitled "Problematic cases of IP address fingerprinting"

      • onli 21 hours ago

        No, not specifically. That section is still written under the misconception that IPs are bound to households, or static networks like university networks. Instead they can swap at the very least country wide (or rather, however the provider manages the IP addresses it controls). Their mental model is just not how the internet works.

        By using IP as the ban id they created a system that constantly and regularly banned completely innocent steam IDs, thinking they are somehow linked when a new steam id uses a banned IP, which is nonsense. They just did not notice because the banned gamers did not complain.

        • Ekaros 21 hours ago

          Being from a country with a lot of IPs for operators, I did some packet sniffing on DHCP broadcast traffic seen by my router (ISP should filter that...) and I saw at least 3 non-continuous public IP blocks... And that was just a day or less of monitoring this traffic...

          So if the same connection (plug in wall) can end up with IPs from different blocks, well, trying to do anything sensible with this is too complicated.

      • lagadu 20 hours ago

        I always found it funny how ip bans seemed to be so popular despite being apparently completely ineffective until I realized this was mostly a US thing. In my country (2 of them that I've lived in, in fact) ISPs always assign the client a dynamic address from their very large pools every time I reconnect. This was as true back in the 28.8kb dial up days as it is in the 10gbit FTTH days we live in. Having a static IP address here has always been a service you have to pay for.

        I remember this being hilarious when idiots would ip ban me back in the IRC days: "oh no, I have to press the reconnect button!"

    • Vvector 21 hours ago

      That was addressed in the article.

    • therein 21 hours ago

      Yeah, you would think they would rely on their secret cookie in that situation instead, to minimize false positives like that.
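
Added example, not from the article or from IdentityLogger: a join-time check for the trade-off argued in this subthread, where a cookie or Steam ID match re-bans automatically while an IP-only match (CGNAT, rotated addresses) is only queued for human review. All names, the 7-day IP window and the sample identifiers are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Assumption: an IP sighting older than this is stale evidence, because
# dynamic pools and CGNAT hand the same address to unrelated households.
IP_EVIDENCE_MAX_AGE = timedelta(days=7)


@dataclass
class BannedIdentity:
    """One banned person, with every identifier linked to them so far."""
    steam_ids: set = field(default_factory=set)
    cookies: set = field(default_factory=set)
    ip_last_seen: dict = field(default_factory=dict)  # ip -> datetime


def _link(ident, steam_id, ip, cookie, now):
    """After a strong match, remember the evader's new identifiers."""
    ident.steam_ids.add(steam_id)
    ident.ip_last_seen[ip] = now
    if cookie is not None:
        ident.cookies.add(cookie)


def evaluate_join(steam_id, ip, cookie, banned, now):
    """Return (action, reason); action is 'reban', 'review' or 'allow'."""
    # Strong signals first: account-bound or client-bound identifiers.
    for ident in banned:
        if steam_id in ident.steam_ids:
            _link(ident, steam_id, ip, cookie, now)
            return "reban", "steam_id"
    for ident in banned:
        if cookie is not None and cookie in ident.cookies:
            _link(ident, steam_id, ip, cookie, now)
            return "reban", "cookie"
    # Weak signal: a shared or recycled address. Never auto-ban on it,
    # and never link identifiers from it, so one false match cannot
    # spread a ban to an unrelated player.
    for ident in banned:
        seen = ident.ip_last_seen.get(ip)
        if seen is not None and now - seen <= IP_EVIDENCE_MAX_AGE:
            return "review", "ip"
    return "allow", "no_match"


def demo():
    """Run four constructed joins against one constructed ban record."""
    t0 = datetime(2017, 6, 1, 12, 0)
    banned = [BannedIdentity(
        steam_ids={"STEAM_0:1:1001"},
        cookies={"c-7f3a"},
        ip_last_seen={"203.0.113.10": t0},
    )]
    joins = [
        # Evader: new account and new address, cookie still present.
        ("STEAM_0:1:2002", "198.51.100.7", "c-7f3a", t0 + timedelta(days=1)),
        # Bystander behind the same CGNAT address, different cookie.
        ("STEAM_0:0:3003", "203.0.113.10", "c-0001", t0 + timedelta(days=2)),
        # Same address a month later: evidence has aged out.
        ("STEAM_0:0:4004", "203.0.113.10", None, t0 + timedelta(days=30)),
        # Evader cleared the cookie, but the account was linked in join 1.
        ("STEAM_0:1:2002", "192.0.2.55", None, t0 + timedelta(days=30)),
    ]
    results = [evaluate_join(s, ip, c, banned, now) for s, ip, c, now in joins]
    return results, banned[0]


if __name__ == "__main__":
    for outcome in demo()[0]:
        print(outcome)
```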

  • ultimafan 20 hours ago

    Cheating in online games is a scourge and I really don't understand why people do it. It's one person selfishly getting a "win" at the expense of ~60 other people in that match having their time, pleasure, potentially money absolutely wasted.

    I think even more infuriating than blatant hacking is this epidemic of "micro cheating" for lack of a better way to put it that I've seen prevalent in some games that just boost some stats or reactions by amounts large enough to help the cheater but low enough where new or inexperienced players have absolutely no way of telling if someone is cheating or genuinely good especially in games with high skill ceilings. At least when it's blatant you can leave without time wasted but when they're doing it subtly you end up getting tilted and spending the whole match with a bad taste in your mouth second guessing if someone is actually playing fair or not. Chivalry 2 is a really bad offender for this, once you notice it you can't unnotice it anymore, almost every match will have at least one guy with his swing/move speed adjusted by ~10% and in a game where swing manipulation is a legitimate mechanic it can be borderline impossible to catch someone out on it unless you're really paying attention.

    • Cthulhu_ 9 hours ago

      In the case of CSGO, playing means earning lootboxes, and the items contained therein can be resold / auctioned off. It's the same problem as in Diablo 3 when it first launched, you could sell items found (randomly) in-game for real money. I read one guy's project, I'm sure it was posted on HN, who had 25 bots / copies of the game running to monitor the in-game currency market for deals, then resell those for real money.

      Every once in a while there would be a ban wave - implying bot detection and handling was a manual / batch job process - but he'd just get 25 new copies / accounts, the income he made was more than enough to make up for it.

      Of course, that assumes he was able to funnel the money out quick enough. And also, both Valve and Blizzard have their own incentive to not be too hard on bots, as they get a cut for every transaction. As long as people don't stop playing / paying because of bots.

    • lll-o-lll 10 hours ago

      > Cheating in online games is a scourge and I really don't understand why people do it. It's one person selfishly getting a "win" at the expense of ~60 other people in that match having their time, pleasure, potentially money absolutely wasted.

      The article addresses this specifically and concisely. It starts with “I'm not being funny and I mean no disrespect.” and then becomes very Australian.

    • wdroz 8 hours ago

      Some "micro cheating" are really easy to develop. When I was younger and a bit bored, I wrote my own "micro-cheat" in AutoIt[0] with less than 10 lines of code.

      This was for the game counter-strike (I don't remember which version, either Source or early CSGO). The logic of the cheat was:

        - I manually aim, with the sniper, close to the wall of an intersection
        - I press a special key, then when the pixel at the center of the screen change, simulate input mouse click to "fire"
      
      This was fun for maybe 1-2h, but the fun was more about the success of the project (from an idea to a working cheat) than getting some free kills while playing.

      [0] -- https://www.autoitscript.com/site/

    • daghamm 20 hours ago

      Cheating is also big business. Players can pay big bucks to rent (!) a cheat.

      IIRC there is an episode on darkness diaries podcast about this.

      • smolder 11 hours ago

        What a bunch of absolute losers. If it's taught me anything though, it's that you can't underestimate the pathologies of people you encounter 'in the real world'.

      • ultimafan 17 hours ago

        Yeah I get that, I understand why cheat developers do what they do. It seems like there's a huge market and I find it hard to blame them trying to make a living- morality wise they're probably more worried about rent, bills, family than whether or not someone's game time is ruined. But it's only this way because so many people are willing enough to cheat that dropping money on it is fine for them. It's their psychology I don't really get. Even if they're doing it because they want the satisfaction of a "win", doesn't that victory feel hollow because it's something they paid money for? It's like the difference between a community valuing you enough to give you an award vs going down to the trophy shop and paying someone to make you your own trophy that doesn't really mean anything.

  • rampajar 5 hours ago

    I always felt that valve didn't go far enough to prosecute cheaters (back in the day). I wonder if there are metrics out there for how effective methods like Overwatch actually were.

  • ycombinatrix 21 hours ago

    >We Outsmarted CSGO Cheaters by Exploiting the Client

    Fixed

    • mobeigi 21 hours ago

      The game's the game.

  • suborange 11 hours ago

    a bit late to the party, but recently watched this video: https://www.youtube.com/watch?v=x-EbjGSRyKA

    Interested to hear thoughts on this level of both cheating and detecting cheats

  • aftbit 21 hours ago

    >Now, in order for a player to appear to us as a "fresh player" they would need to change their Steam ID, IP address and Steam installation folder. As you can imagine, no one is going to do the latter.

    Really? I would expect that a dedicated cheater would reinstall Windows (or reload from a snapshot) every time they are caught.

    • Ekaros 21 hours ago

      Seems like they were private servers. So they really need only hurdle enough to have cheaters go somewhere else. Not totally kill their ability to play. And well most people will move on. Only those who take it most personally start to spend a lot of time.

  • rashidae 8 hours ago

    I loved the idea!! How clever. Congrats on your accomplishment, I learned a lot from your approach. Thanks for sharing.

  • lwansbrough 21 hours ago

    I suppose different people are entitled to different opinions about fingerprinting, but I reckon it only takes working on a single project where this is a real issue for you to change your mind.

    We do behavioural analysis on top of various fingerprinting for bot detection - some people are trying really hard to ruin the internet!

    I suspect a sufficiently advanced server side behaviour analysis could do a pretty good job discovering cheaters.

    • ghxst 20 hours ago

      Not at the expense of false positives, though. Sophisticated cheat developers and bot creators are skilled at exploiting that narrow margin of error where companies can't push detection further without compromising the experience for legitimate users and destroying their game or service.

  • wnevets 21 hours ago

    I wonder what kind of theories these cheaters invented to explain how they were getting caught.

  • therein 21 hours ago

    I am surprised VGUI browser shares cookies across Steam accounts. When I log out of my Steam account, switch to another one, launch the same game, I would have expected an entirely different datastore to be used for the VGUI browser.

    • mobeigi 21 hours ago

      It was a security nightmare. Basically a half baked browser with a subset of the security considerations you'd expect from a browser.

      Valve worked on it for a little while patching bugs as they popped up (notoriously slowly I might add). Then in August 2017, an exploit in which server operators could execute JavaScript on players that joined their servers started to spread and was maliciously abused by bad actors. For example, some server operators using their player base's residential IP addresses to sign up to gambling websites so they got kickbacks. Others simply tried to hijack Steam accounts or sell rare Steam virtual items on the Steam marketplace to themselves.

      After Valve patched the above exploit, some smaller bugs popped up in the following weeks and 2 months later in October, Valve completely binned the VGUI browser in CSGO. They had enough! This broke a lot of plugins like IdentityLogger and music players that would play music in the background as you played the game. But at least the attack vector was removed.

    • awestroke 21 hours ago

      The VGUI browser also allowed servers to steal the steam session cookies. So not a very hardened implementation at all.

    • jandrese 21 hours ago

      The VGUI browser was a security nightmare, which is why Valve eventually deleted it from Steam.

  • Retr0id 21 hours ago

    > Wonderful, we have found a way to silently persist a cookie for each player as they join the server.

    This violates GDPR, no?

    Edit: It sounds like this took place before GDPR was being enforced.

    • kemitche 21 hours ago

      GDPR isn't a blanket ban on cookies. You don't require a cookie notice for strictly necessary cookies, which you have a "grounds of legitimate interest" for: https://commission.europa.eu/law/law-topic/data-protection/r...

      Fraud prevention is listed as an example of a "legitimate interest."

      So no, by my layman's interpretation, they would not have been bound by GDPR to notify the user of cookies or other fingerprinting used solely for anti-cheat. They'd run into trouble if they use that same ID for marketing/advertising without consent, though.

      • Retr0id 20 hours ago

        They're perhaps not required to gather explicit opt-in consent, but my understanding is that they'd be required to disclose what information they collect/store.

        • phire 18 hours ago

          The same rules apply to the steam ID and IP address.

          As far as I'm aware, you can get away with disclosing the fact that you are tracking "unique identifiers for the purpose of anti-cheating" in the terms and conditions, without explicitly explaining the technical details that it's a cookie.

          Also, this is a server covering the Australia/New Zealand region, so it doesn't have to worry about GDPR compliance.

          • xxs 9 hours ago

            >the fact that you are tracking "unique identifiers for the purpose of anti-cheating"

            A person can request to delete their data at any time, and also can request to provide all the personal data collected.

            • consp 7 hours ago

              This does not apply to fraud. You can store the data if it is relevant to an illegal act, and since cheating voids the ToS of the server ...

      • newZWhoDis 20 hours ago

        GDPR is toothless eurotrash.

        I saw a consent form that had 72 optional, 21 “legitimate interest” cookies.

        GFB

        • tmtvl 7 hours ago

          If GDPR were entirely toothless then they wouldn't have shown you the consent form but they would've just served the cookies regardless. The GDPR is not about reducing the cookies served, it's about letting people opt out.

          Unfortunately it is lacking some teeth because normally opting out of all cookies should be as easy and straightforward as opting in to all cookies, but I've seen quite a few forms that hide 'reject all' behind a 'more info' button type of thing. Maybe I could file a complaint about that, I should look into it.

        • Ylpertnodi 18 hours ago

          That means gdpr is working.

    • red_admiral 7 hours ago

      IANAL, but there is a "Legitimate Interest" exception, which gets abused a lot when a consent popup has about 50 of those pre-checked on a hidden tab, but this looks like a valid case to me.

      The UK DPA (basically a fork of GDPR) has this to say [1]: "the following purposes do constitute a legitimate interest [...] fraud prevention; ensuring network and information security; indicating possible criminal acts".

      Under the Computer Misuse Act 1990 [2], there's a possible reading under which "hacking" to cheat (even if someone else does the hacking and you just install the program) could actually be a crime.

      [1] https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-re...

      [2] https://www.legislation.gov.uk/ukpga/1990/18/section/3

  • Giorgi 21 hours ago

    Thinking about it, steam should force this on every game developer that has cheating problem (I am assuming mainly shooters), maybe implemented better fingerprinting way, giving developers options to hide cookies somewhere in folders of their choosing.

    • jandrese 21 hours ago

      The problem is that once a technique like this becomes standardized the cheat software will know how to automatically disable it. Even in the article it points out that had the cheaters put in the work they could have edited a single text file to break the system, but they did not. If this solution had been implemented for all CS:GO players then it would have been defeated fairly quickly, but since it was just one set of servers those were easy enough for the cheaters to avoid.

      That said, eyeballing the chart in the article you can see an enormous ban wave that happens when the system is turned on, but afterwards the total level of cheating quickly returns to roughly where it started. If there were long term impacts it was only in the reduction of staff hours needed to review game footage to determine if a player is cheating.

    • Ekaros 21 hours ago

      Risk there is that whatever ID is generated tends to leak. So a lot of cheaters will either tamper with it or circumvent it. So the game will continue and not actually be effective for very long.

      • Giorgi 10 hours ago

        Sure but that can be completely randomized, no? like keep changing folder where cookie gets hidden, or the ID generated.

        • Ekaros 10 hours ago

          Problem is that you do not want random. You want it to be generated. It should be the same, say, after you reinstall OS and the drivers and the game.

          Idea really is that you can identify single device time after time. So even if there is slight change in anything like software that can be easily changed that is not good enough.

          Not that fingerprints should lead straight to bans, but maybe at least heightened awareness.

  • Charon77 13 hours ago

    I got 404

  • Broge 21 hours ago

    Feels disgusting with the hidden fingerprinting but very technically impressive!

  • kjkjadksj 18 hours ago

    Couldn’t you stop cheaters by just looking at how their telemetry metrics are different from the baseline? If you get to a point where the cheater has to cheat to only be as good as a median player in the lobby in order to evade detection, you’ve effectively neutered it.

    • grayhatter 16 hours ago

      How would something like that work?

  • runxel 7 hours ago

    Still doing IP bans in the year 2024? Lmao.

    • consp 7 hours ago

      Why not? It's effective and easy to do and while it can be circumvented it will stop some players with very little effort. Also, the article is about 2017/2018.

      • runxel a few seconds ago

        [delayed]

  • Joel_Mckay 21 hours ago

    In general, hardware/GPU/MAC signature hash checks are the only consistent way to bind player account histories, and even then cheats will change their identity with new hardware on fake postal addresses. Best to add a few weeks delay with "reviewing" ban status to prevent them returning hardware to retailers. Each day randomly permute which hardware signature trips the auto-re-ban after a random number of minutes.

    Cheaters ruin the fun for everyone including themselves. Admins need to provide a personal cost deterrent for problem users, and randomly hang the game for people using code mods.

    Let the ban hammer fall =3

    • johnisgood 17 hours ago

      Unless I misunderstood, I do not see how this would actually work in practice considering the client can be modified and I can send whatever I want to the server, i.e. spoofing.

      • Joel_Mckay 16 hours ago

        Even the Webgl signature check is resilient, and is the new tracking cookie on many sites like YT etc. It is a robust unique property of a specific system, and GPU. Not just the serial number...

        Indeed, duplicate salted-hash signatures on multiple active users mean shills, and immediate bans issued for both accounts tainted by the black list.

        The trick is to randomize a mix of easy and difficult signature checks daily.

        i.e. the exploit writers will have to spend time cleaning up bugs, redistributing the patches, and dealing with angry people that have a GPU that is on the blacklist for a game. The more hardware details collected, the more difficult it is to prevent tripping the admin alert.

        This is already done by some studios... "Play Stupid Games, Win Stupid Prizes" as they say... =3

  • baruchthescribe 12 hours ago

    > M̶a̶y̶b̶e̶ ̶h̶a̶v̶e̶ ̶s̶o̶m̶e̶ ̶m̶o̶r̶e̶ ̶c̶u̶n̶t̶ ̶k̶i̶d̶s̶.̶

    He took that back. A very clever nod to In Bruges. Well played sir.

  • beeboobaa3 21 hours ago

    I hope they asked permissions for storing those cookies. Otherwise they're violating various EU laws.

    • latexr 21 hours ago

      Not every cookie requires consent.

      https://commission.europa.eu/resources-partners/europa-web-g...

      In this case, this one might fit:

      > User centric security cookies, used to detect authentication abuses and linked to the functionality explicitly requested by the user, for a limited persistent duration

      • beeboobaa3 19 hours ago

        It's clearly a tracking cookie.

        > for a limited persistent duration

        FTA:

        > However, the VGUI browser had no issues saving cookies with expiry dates exceeding 10+ years!

        So no, it doesn't even qualify.

    • ketkev 21 hours ago

      I'm not a lawyer, but I think this actually has some interesting things to think about. Not all cookies require consent under the ePrivacy directive, there is an exception for cookies that are "strictly necessary for the delivery of a service requested by the user". I think that'd fit in this case, since providing a cheater free experience is part of the "service" the players are looking for. At the same time, the ePrivacy directive also mentions that the user should be provided with "clear and comprehensive information" about what is stored. Providing that would render the cookies useless.

      I don't know how these would balance each other out legally, but it's fun to think about

      • beeboobaa3 19 hours ago

        No, that doesn't count. Companies have tried arguing that their ads' tracking cookies are strictly necessary otherwise they wouldn't be able to offer their services (ads pay the bills). And yet, they require consent.

        Preventing cheaters is similar. And this is blatantly a tracking cookie.

        • eqvinox 18 hours ago

          You aren't considering that ad cookies/tracking are used to enable a service to someone else (ad buyers), while this anti-cheat tracking cookie is used to enable a service to the user themselves (a cheat-free gaming experience.) I think that may make the difference.

          Also, all of this was in 2017. Anyone doing it in 2024 should indeed run it past a lawyer.

    • mobeigi 21 hours ago

      Great point!

      This community is Australian & New Zealand based, we had 0 European players or visitors. And as @unsnap_biceps this predated GDPR compliance.

      You are right though that you wouldn't be able to do this in Europe today because asking for fingerprinting consent defeats the purpose because the hacker would likely quickly figure out what is happening and circumvent it.

    • unsnap_biceps 21 hours ago

      GDPR didn't take effect until May 2018, this only worked until October 2017.

      • ketkev 21 hours ago

        GDPR is about the processing of personal data. Cookies (and such) are subject to 2002's ePrivacy directive

    • leoff 21 hours ago

      LOL

  • SirMaster 3 hours ago

    Seems trivially easy to hit their evade scenario though.

    If I merely change the mac address in the device connected to my cable modem, I get a new IP, every time. Combined with the fact that the game is free, so you can easily make new steam accounts.

    • kurtoid 20 minutes ago

      The whole point of the article is that they set an identifier in the in-game browser, which will survive MAC address, IP resets, and new steam accounts.

      • SirMaster 7 minutes ago

        They said if a user changes their IP and SteamID then it would be considered a new user and they wouldn't know.

        What did I miss?