by advael 735 days ago
Jokes

I think there are three fundamental categories of cheating threat models that actually matter: State poisoning, Information leakage, and Input automation

State poisoning means your game was poorly written, period. Either that's a vuln within the code itself or badly implemented netcode. A 2-player game can have total asynchronous client separation and still be peer-to-peer. A more-than-two-player game is almost always run on a server that serves as the single source of truth. In either case, a game that doesn't make the fundamental guarantee that the inputs available to a player and maybe some initial random seeds are the sole determinant of the gamestate has no hope, and rootkitting your computer because they wrote their game's state machine or interfaces like shit is not the correct solution. If your answer to this is that big game studios shouldn't have to learn how to write more solid code, this means that the sanctity of their game isn't that important to them, not that they should get to root your computer

Information leakage may be somewhat harder. Often you want the simulation to be running client-side, so a naive model of netplay would have the full state available to all clients from a technical perspective... but this doesn't have to be true. In most cases, you can do partial state with rollbacks to make it much harder to cheat from a technical perspective, even making no guarantees about the clients themselves. I think even when this is hard, the correct path here isn't rootkits, it's approaches that start to approximate zero-knowledge proofs. This also means there's a rich literature of zero-knowledge proofs to draw on

Input automation, to be honest, is basically hopeless to prevent upfront regardless of what you do. If you can plug external hardware into your device at all, you can rig up something that automates your inputs. This can be hard to even verify in person, let alone through even a rootkit. I don't personally think it's worth worrying about that much, but if you care about macros and the like, it's really difficult to prevent. However, if there's money on the line or something, there are good analytic forensic techniques to detect this kind of cheating after the fact. Maybe this is where "AI" could actually help, as some kind of sequence-based anomaly detection that can run in real time might be able to detect unusual input clusters, but I worry that the false positive rate is going to be super high. Honestly seems like a lost cause. But crucially, not a lost cause that you get around via compromising the OS at a kernel level

Anti-cheat that "needs to own your kernel" is more user-hostile corporate bullshit. Most games work fine on Linux, but frankly no game is worth a rootkit, and no game needs one. The fact that some companies demand it should be viewed as those companies trying to scam you. That's not how the security of anything on the internet works. It's only how security of a bunch of mobile stuff works because Microsoft has trained generations of otherwise smart people to believe their total lies about security, and Google and Apple have taken advantage of this to secure a massive amount of control and surveillance over everyone who owns a smartphone (Which is increasingly required because they've also convinced people that fake 2FA that's just your phone as a single source of identity that can in fact often effectively be 1FA because it can override other authentication methods in most cases is somehow secure. The fact that everyone has a device with a bunch of proprietary backdoors that they don't have root on and that serves as a single lynchpin through which their life can be ruined is the most fundamental destruction of personal computer and identity security that's ever been realized - to say nothing of privacy, and that's a huge accomplishment given all that Microsoft, Facebook, and Amazon have done and still do to compete for the title)

Giving a corp a backdoor to your computer doesn't secure anything except that corp's ability to fuck with you. Don't believe Microsoft, Apple, Epic Games, The NSA, or anyone else who tells you that the best way to secure something is to give them a backdoor. Fuck all those people. They have not only gotten their slimy tendrils in a ton of people's stuff through these lies, but have propagated bad information about how to do security to a ton of organizations. If someone who works at one of these scummy companies or agencies responds to this with some condescending corp-speak at me, I've got a bunch of work to do so I'll probably not get to you immediately, but I pre-emptively say that making this argument at all fundamentally undermines your credibility, and also I hate you on a personal level. You've been a spook too long and it's rotted your brain, hypothetical internet stranger who might not even exist, quit your job and fix your heart

Basically, don't believe any of this "We have to own your computer for your own good" nonsense. That's a scam. Every time. Also, proprietary software should be assumed inherently insecure by default, not the other way around. A better world is possible
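The first two threat models in the post above (state poisoning and information leakage) can be sketched as a server that accepts only bounded inputs and sends each client only what it is entitled to see. This is an added example, not part of the original post; `AuthoritativeServer`, `MAX_STEP`, `VIEW_RADIUS` and the message fields `dx`/`dy` are hypothetical names chosen for illustration.

```python
import math
import random
from dataclasses import dataclass

MAX_STEP = 1.0      # assumed: largest legal move per tick
VIEW_RADIUS = 5.0   # assumed: how far a player can legitimately see


@dataclass
class Player:
    x: float
    y: float


class AuthoritativeServer:
    """Single source of truth: state depends only on the seed and accepted inputs."""

    def __init__(self, seed, player_ids):
        rng = random.Random(seed)
        self.players = {pid: Player(rng.uniform(0, 20), rng.uniform(0, 20))
                        for pid in sorted(player_ids)}
        self.rejected = []  # (player_id, reason), kept for after-the-fact review

    def apply_input(self, pid, msg):
        """Accept only a bounded movement intent, never a client-supplied position."""
        if pid not in self.players:
            self.rejected.append((pid, "unknown player"))
            return False
        if set(msg) != {"dx", "dy"}:
            self.rejected.append((pid, "unexpected fields"))
            return False
        dx, dy = msg["dx"], msg["dy"]
        if not all(isinstance(v, (int, float)) and math.isfinite(v) for v in (dx, dy)):
            self.rejected.append((pid, "non-finite move"))
            return False
        if math.hypot(dx, dy) > MAX_STEP + 1e-9:
            self.rejected.append((pid, "move exceeds MAX_STEP"))
            return False
        p = self.players[pid]
        p.x, p.y = p.x + dx, p.y + dy
        return True

    def view_for(self, pid):
        """Partial state: only entities inside the viewer's radius are ever sent."""
        me = self.players[pid]
        return {other: (p.x, p.y) for other, p in self.players.items()
                if math.hypot(p.x - me.x, p.y - me.y) <= VIEW_RADIUS}
```

A modified client can still send any bytes it likes, but a teleport or a forged position is rejected and logged, and a wallhack has nothing to render for players the server never included in `view_for`.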

3 comments

The reason companies seem to bother at this point is that, by implementing increasingly intrusive anti-cheat, they force cheaters to be increasingly subtle. With sufficiently intrusive anti-cheat you end up with gamers believing that the game they're playing has no cheaters.

This currently happens in at least some of the games which utilise kernel level anti cheat, as demonstrated by numerous videos on the topic which also shed light on massive communities of cheaters who just end up buying or making their own hardware based cheats.

Gamers will believe anything a company they like tells them. The fact that these companies can attract arguably the most insufferably delusional audience of frothing bootlickers to ever walk the earth to defend them doesn't justify their decisions on a technical or an ethical level

If the explanation for why a company needs a rootkit is "they don't want to spend effort on a better solution" that means that solving cheating isn't a priority for them, and if we care about that we shouldn't buy their game. It especially doesn't mean you should accept a rootkit to buy their game

I agree, but I am not the kind of person you need to persuade not to buy spyware.

I am just explaining the kinds of reasoning I've heard first hand coming from "gamers".

I view self-identified "gamers" as a cult at this point. If my goal were to persuade them of anything, I'd probably fail. I'm not in marketing for a reason. But the fact that a bunch of fools believe in something doesn't make it true

A bit of anger or at least disappointment in your post. However, "The fact that everyone has a device with a bunch of proprietary backdoors that they don't have root on and that serves as a single lynchpin through which their life can be ruined is the most fundamental destruction of personal computer and identity security that's ever been realized" is completely true.

Biggest scam ever!!!

You should be angry at people who try to hack your computer with the express intent of spying on you or controlling your behavior. I am angry that people will waste my time trying to defend this behavior to me, whether it's about phones, smarthomes, or video games

Also, the thing where people think being angry makes you automatically wrong has gotta be a holdover from lead paint. I truly can't believe people are that stupid naturally

> Basically, don't believe any of this "We have to own your computer for your own good" nonsense. That's a scam. Every time.

Not really. It's all they can do to stop PC gamers cheating without having control of the hardware.

I just gave an in-depth breakdown of why that's not true. Your reply amounts to saying "nuh uh!" with no justification. There is nothing to engage with in this reply. It doesn't even attempt to have any substance

Your in-depth breakdown doesn't address the substance of the argument at all, it's mostly a distraction.

Servers can not bear the entire weight of guarding against cheat, it's impossible. If you don't understand that then you are not in a position to be writing any sort of breakdown.

Several games and game protocols require security on the client side to be able to stop cheats. You can't have security on the client side if the client has full access to the hardware and OS.

It's not more complicated than that, and your 'breakdown' doesn't adequately address that. You can dismiss this point if you like as you did when I made it in my previous reply, but it doesn't make it any less a fact.

That's ridiculous. A server only needs to be capable of running a single authoritative copy of the game and handling dead simple network requests to prevent every kind of cheating that matters except input automations, which you can't prevent reliably with a rootkit anyway. If you have a case where this isn't true, feel free to expand on it instead of just blindly believing it must exist. You don't need client-side control to make very powerful guarantees of systemic security in much more serious contexts than a game. You're not only doing special pleading, but you're doing it for a scenario that, as far as I can tell, has no theoretical reasoning and no examples, because you haven't provided any. I have to conclude it's imaginary. I gave you a good breakdown of what threat models I think exist and some sketches of technical solutions, like client separation and authoritative servers. I speak from both sound theory and experience implementing netcode here. Maybe you are too, but I can't tell from what you're saying, because again all I'm hearing is "nuh uh, sometimes you need it!" I see no why, how, or when in that argument. Is the problem you can only fix by having total control over the whole platform of every client in the room with us right now?

> every kind of cheating that matters except input automations

So basically, except the most common types of cheating.

> which you can't prevent reliably with a rootkit anyway

Yes, this is basically what I was saying when I said you can't stop cheating so long as the consumer has control of the hardware.

> instead of just blindly believing it must exist

Well, with respect, I think it is you who is blindly believing all cheating can be stopped server-side. I find that claim to be patently ridiculous.

> no examples, because you haven't provided any.

> all I'm hearing is "nuh uh, sometimes you need it!"

You're right, I haven't provided examples because this is common knowledge in the industry or to anyone that knows anything about trying to prevent cheating. I wasn't prepared to have to give a lecture to defend my point. But really, if what you are saying was correct, then all these companies must just be incredibly incompetent for not preventing cheating server-side, right? Because it's just so easy?

More than that, it's a very basic principle in security that if someone controls that hardware, most security can be defeated. The exception is stuff with DRM and things like a TPM where the consumer doesn't have full control, and that is the only way to truly prevent cheating. That's just a fact.

So you're saying that the sole concern in anticheat software is macroing? Alright, do you need to control every peripheral connected to the computer as well? How can you guarantee there isn't a SoC on someone's keyboard that sends a bunch of signals that they didn't have to type? Maybe we gotta put a little spy chip in every copper wire sold in every country, just to be sure it's not connecting anything to anything else. You know, in case someone is trying to cheat

Anyway, the fact that industry giants want to be in the very lucrative business of controlling the computers people use and have made up all manner of silly justifications for it is not news to me, but I have no reason to believe them, and saying "well lots of people who I consider to have enough authority that you should take their word for it also believe this, take my word for it" isn't particularly compelling. If you don't expect to need to justify your position why even bother making the claim? I don't assign automatic unquestioned epistemic authority to you just because you claim to be espousing the consensus view of an industry, and it's an industry full of crooks built on an industry full of crooks in the first place

what a nonce.

If you can't keep up with or follow the discussion, that's fine, but please don't insult those of us engaging in good faith discussion.

There is nothing about your posts that is good faith.