by sthomas1618 2898 days ago
I feel like the industry would be better off being transparent about anti-cheat strategies and maybe even embracing open-source. Protecting "secret sauce" is basically admitting their anti-cheat is largely through obfuscation and can be defeated by knowing any details.

You obviously shouldn't rely entirely on security through obscurity, but obfuscation can absolutely be an important component of defense in depth.

Especially when your attackers own the hardware.

Agreed. Definitely not trying to say encryption is a poor strategy. But it does seem obfuscation is most of their anti-cheat techniques.

But the larger point I was trying to make is that all these studios are very secret about anti-cheat but they all seem to be fighting the same battle. Makes me wonder if the industry would be better off with cross-studio collaboration and open-sourcing anti-cheat libraries (that won't be defeated by knowing the details).

> open-sourcing anti-cheat libraries (that won't be defeated by knowing the details).

This doesn't make any sense. Anti-cheat relies on the fact that it's not known. There is no such thing as open source in the anti-cheat world. It's all very secret for a good reason.

I'd be curious to know what strategies make secrecy a necessity. I come from a WebDev background and open-source libraries are almost always secure and safer than your own (due to the sheer amount of developers and ingenuity working on one repo). Admittedly, game development is a different beast and has to deal with far more client-code so I'm admitting my ignorance here.
The attack surface is not only on the game but on the operating system that the client controls. I mean the game is just a process, the process runs on your computer, you control the computer so you can do anything.
The attackers are literally already able to run arbitrary code on the same machine, which is normally game over from a security perspective. Your secure webdev libraries also break under the same constraints.
> Your secure webdev libraries also break under the same constraints.

No argument there. Different design goals. But I still stand by the quality of engineering that open source allows.

Or you could design the game mechanics so that client-side cheating offers little advantage... but that would probably require doing more than ripping off a popular mod of another game.
That's literally impossible. The entire point of the game is to have client-side input and for that input to be generated by a human and not a computer. There's no way to move that to a server.
I’m pretty sure their comment only really existed to dismiss LoL as a “copy of a popular mod”.
I'm merely saying that they could have avoided some of the issues if they designed a new game from scratch.
These problems are inherent to the nature of being in the real-time PvP genre.

And AFAIK LoL was designed from scratch, it's Dota that is actually based on the code of the WoW mod. Not that it matters today, that code is long gone.

> Or you could design the game mechanics so that client-side cheating offers little advantage

Not possible in any sort of real-time game that involves reacting quickly to what your opponent does, or a game where user input precision is paramount.

I mean, that idea basically eliminates all first-person shooters, where aimbots run rampant.

> I mean, that idea basically eliminates all first-person shooters, where aimbots run rampant.

Indeed, mechanics that reward mechanical skill are more susceptible to abuse.

From the article:

> For example, some common techniques we see include helping players dodge skillshots, zoom out farther than they normally could, or perform perfectly executed combos to smash their opponents’ faces.

Scripting perfect combos can be mitigated by introducing more delay (i.e. backswing after using abilities/attacking), zooming out by giving the client less information about the game state. I can't think of anything that helps with dodging and skillshots.

Aside from strategy/RTS games, I'm not sure if that's even possible? How is ripping off a popular mod relevant here?
And even in strategy/RTS games, I can imagine a client side rendering hack that removes the fog of war for instance.
That would assume the server is sharing the knowledge of other players through the fog of war.
You'd probably need at least some so that you don't lag every time the fog changes.
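
The server-side fog-of-war filtering discussed in the comments above, as an added example (not from the thread or from any game's code): the server sends a client only the enemy units inside allied sight, plus a small pre-reveal margin to hide latency, so a modified client can reveal at most what falls inside that margin. The `Unit` fields, the ranges and the `PRELOAD_MARGIN` value are assumptions made for illustration.

```python
import math
from dataclasses import dataclass

@dataclass(frozen=True)
class Unit:
    uid: int
    team: str
    x: float
    y: float
    sight: float  # vision radius in world units (constructed value)

PRELOAD_MARGIN = 2.0  # assumed: extra distance sent early to hide reveal latency

def visible_to(team, units, margin=PRELOAD_MARGIN):
    """Return the snapshot the server would send to `team`.

    Own units are always included. An enemy unit is "visible" inside some
    allied sight radius, "preloaded" within sight + margin (sent, but the
    client is expected not to render it), and omitted otherwise.
    """
    allies = [u for u in units if u.team == team]
    snapshot = {}
    for u in units:
        if u.team == team:
            snapshot[u.uid] = "own"
            continue
        # Smallest distance beyond the edge of any ally's sight circle.
        gap = min((math.hypot(u.x - a.x, u.y - a.y) - a.sight for a in allies),
                  default=math.inf)
        if gap <= 0:
            snapshot[u.uid] = "visible"
        elif gap <= margin:
            snapshot[u.uid] = "preloaded"
        # Otherwise the unit is withheld: the client never receives it.
    return snapshot

def leak_exposure(team, units, margin=PRELOAD_MARGIN):
    """Enemy unit ids a modified client could reveal early (the preloaded set)."""
    snap = visible_to(team, units, margin)
    return sorted(uid for uid, state in snap.items() if state == "preloaded")

# Constructed sample state, not taken from any real game.
SAMPLE = [
    Unit(1, "blue", 0.0, 0.0, 10.0),
    Unit(2, "blue", 30.0, 0.0, 10.0),
    Unit(10, "red", 6.0, 8.0, 10.0),    # exactly at unit 1's sight edge
    Unit(11, "red", 0.0, 11.5, 10.0),   # 1.5 beyond unit 1's sight
    Unit(12, "red", 15.0, 20.0, 10.0),  # far from both blue units
]
```

Setting `margin=0` removes the early-reveal exposure entirely, at the cost of the reveal latency the last comment describes.
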
But anti-cheat is largely obfuscation. Unless the host system is locked down (i.e. game consoles, systems with TPM-based verified boot), any state the game has access to is also going to be accessible to attackers.

You can limit what state the game itself has access to, but that's just one class of attack. It won't prevent aimbots, for instance.

It's the same reason why secure DRM is so hard. If the user has root, it's not a level playing field for developers.

Given the state of toolkits like OpenCV one might even imagine an aimbot which scans the HDMI output or a webcam picture taken from your screen and does aiming or grinding!
I mean, all HDCP is broken AFAIK.
That's a good point and their random debuggers are definitely a clever obfuscation technique. And also not trying to say encryption is a poor strategy. The larger point I'm trying to make is that it's possible being so secret about anti-cheat is to the industry's disadvantage. Feels like there is an opportunity for many studios to collaborate on anti-cheat tools and techniques (perhaps with open-source). For example, is Riot Games' packer/unpacker a specific solution to their codebase or could it be abstracted and open-sourced? This is an industry-wide problem and studios should be competing for the most creative and fun games, not the best anti-cheat.