by doctorpangloss 502 days ago
The engineering culture behind AAA video games is rotten to the core with regards to security. Everyone thinks they're making Doom 3 and they're really making Windows 2000 Service Pack 1.
8 comments

The problem in big part stems from the business culture upstream. They're trying to produce a game, but what they're really after is e-sports money. They design multiplayer to be about organized pro play, which brings in all the cheating problems of professional sports, so they end up subjecting every player to e-sports-grade security like those anti-cheat systems, despite 99.9% of the player base not caring about pro play in the first place.

This is the worst possible combination: players are forced to accept first-party invasive rootkits that are disruptive and ineffective, while cheaters still cheat.

IMHO the only sensible solution is to separate out e-sports angle from the game itself. People who want to "go pro" would be free to subject themselves to anti-cheats and drinking verification cans and past some point might as well buy company-authorized computers to play on. Everyone else should just be allowed to play casually and enjoy the game without the anti-cheat nuisance (and a looming threat of false positive).

With main incentive for serious cheating separated out, non-pro players would only have to worry about griefers. Those are a problem too, but they can be dealt with by simpler and less invasive measures than a kernel-level rootkit.

As it is, AAA multiplayer games are basically like if FIFA was to micromanage Town Recreational Leagues and hold them to the World Cup standard, because cheating is a Big Deal so every kid needs to take regular blood tests before the match.

Nobody wants to play multiplayer (only) games with cheaters. It is that simple.

Esports money...? Micro transactions is the money. Publisher driven esports is advertising.

Microtransactions are a self-inflicted fuckup. They're like a zombie bite - once you add them in, your game will start to transform into a slot machine wearing the skin of a dead game, and there's fuck all anyone can do to stop it.

> Publisher driven esports is advertising.

Yes, of course. E-sports is advertising. All professional sports are advertising. That's what makes money. Sales of tickets, merch, guides, coverage, etc. A successful sport is a self-sustaining money printing machine. Now, traditional sports are "frozen in time" relative to business timescales; meanwhile, in e-sports, it's entirely possible for a company to introduce a new game and turn it into a worldwide phenomenon over a couple of years, and then keep getting a cut from aforementioned money printer for many more years still, all while trying to introduce a new game to keep the money running.

And it's okay, I honestly don't mind. As far as the advertising-driven economy goes, sports (traditional or otherwise) is one of the more benign fields. The problem I see is the relentless focus on building a game optimized for professional play ruins it for vast majority of players, and I fail to see why companies keep doing it instead of bifurcating the multiplayer aspect into "casual play" and "pro play", allowing for the latter while also letting the former have their fun.

> Nobody wants to play multiplayer (only) games with cheaters.

My point is that most of the cheating comes from structuring the game around pro-play. You get a global ladder, which establishes an ordinal ranking that invites cheaters who just want to score higher for less effort. All those cheaters end up ruining the game for regular people, who don't care that much about the ranking. Most of those cheaters would go away if the ladder was removed - but that ladder is critical to the company and wannabe progamers precisely because the top levels of that ladder are a gateway to pro-level play.

You can't eliminate all cheating - there's always some people who, for whatever reason, enjoy ruining the game for others. Fortunately, such people are a very small fraction of the playerbase, and most of them don't enjoy it enough to bother if you throw some small obstacles their way. It's manageable. Competitive rankings, on the other hand, are something cheaters love much more than regular players, so by adding it, you're basically creating the problem.

This is true for all competitive endeavors - the bigger the reward, the more it attracts competitive players, some of which are going to resort to cheating, and attempts at fighting cheating further ruin things for those who don't care about competing in the first place. And yes, it applies to the market economy too.

> My point is that most of the cheating comes from structuring the game around pro-play

I wanted to address the same point txpl did. As someone who's made multiplayer games, I'm stunned that so many players cheat, even when the stakes are low. It's not just the pro-players; it's at every level.

Some are optimizing their experience because they don't have as much time to play as they'd like. Some feel they deserve the enjoyment of winning without the effort. Some justify it with the belief that everyone else is doing it. And the really difficult ones to deal with feel rewarded by behaving badly (anonymously, of course).

So every design decision comes with an evaluation of how players will abuse the system, and there are no easy answers. And that's why you see companies adding (invasive and ineffective) anti-cheat solutions to band-aid the problem that developers were unable to anticipate or solve.

> My point is that most of the cheating comes from structuring the game around pro-play

This is incorrect. Both selling cheats and cheating are big businesses.

In Escape from Tarkov, cheaters bought the game (50€), cheated to get in-game items, sold in-game items for money, got banned, and bought the game again. It's literally profitable to keep buying a 50€ game after getting banned.

Same happened with Diablo 3 when it had the real money auction house. A mate of mine earned around 10k in 3 months and went through a dozen accounts a week.

Team Fortress 2 basically has no competitive scene, but the casual games are full of cheaters anyway. And you can't even make money through it, unlike the previous two examples.

The bottom line about cheating is, it's relatively easy to prevent with manual moderation. But humans doing stuff dOeSn'T sCaLe, even though banning cheaters that will re-buy the game has a positive RoI.

> In Escape from Tarkov, cheaters bought the game (50€), cheated to get in-game items, sold in-game items for money, got banned, and bought the game again. It's literally profitable to keep buying a 50€ game after getting banned.

You can blame in-game microtransactions and the idea that in-game inventory is worth money on that one.

I don’t work in gaming, I know a few people who do, every one of them does it for the love of the game. Certainly not for the job security or even the money. This idea that they’re also to handle security is too much. It’s not their fault, they’re writing “art” not secure microservices for multinational companies.

Publishers will pay to have 0level kernel ring on your system but not for software securing their game.

> the game runs with admin privileges for the sake of anti-cheat

Nobody higher than the devs thought “this might be risky?”

Because I can assure you, the devs felt it stupid and risky.

Your “Everyone thinks they’re making Doom 3”. As I see it, this is not the developers’ fault.

I've done IT support for a number of devs across multiple companies and they all expect local admin and admin access to everything. So no, I don't believe they feel it is risky. I believe they don't get it/don't care. It's just not their wheelhouse.

No, it's because the average IT infrastructure is abysmal and getting things done without admin is its own full-time job filing and following up on tickets and trying to plead your case for the ten thousandth time to the exalted security deities that you just want to do your job gets old.

Am I bitter? Nah

Totally get it dude.

This is a different case, if I don’t have permission to talk to the graphics card, sound card, even ram, I’m a restricted engineer.

> I believe they don’t get it/don’t care.

You’re right, anything that’s not obstructive is never worried about.

To me that says you’re doing a good job giving permissions, it’s also your job to manage those permissions, not the developers.

> It's just not their wheelhouse.

You’re absolutely bang on. And I can say from experience, it’s good you guys are there.

Right and that's the thing, you don't need local admin for that. It can be done granularly or set up a dev env vm etc. It's a pain for everyone to be sure and some routes are easier than others.

I use a company managed machine. If my machine is compromised even in user space, my AWS credentials (which AWS stores in %UserProfile%/.aws) are hosed. Source code? Gone. Cookies from Chrome? Gone. Files on the network share that everyone has mounted? Compromised.

If someone can run a python script on your machine, it’s game over whether it’s running as admin or not.

Yeah, that's why you don't do it that way. You're making my point.

In your original comment you said:

> they all expect local admin and admin access to everything

It practically doesn't matter on a single user system. You're screwed whether you're running as an admin or not. My machine has credentials in AppData stored to basically every internal service of my company. On a linux machine, they're all in my home dir - even my ssh keys are compromised.

>>> I've done IT support for a number of devs across multiple companies and they all expect local admin and admin access to everything.

>> If someone can run a python script on your machine, it’s game over whether it’s running as admin or not.

> Yeah, that's why you don't do it that way. You're making my point.

I have to admit, I don't get your point here. If I am correct (and, if I am not, I welcome a correction):

1. Your original point was "Devs want local admin or admin access to everything."

2. GP's response was that even without any admin access of any type, he's hosed if his machine is compromised.

How does #2 above support or prove #1 above?

IT does things that piss off devs like not allow python to be installed on the laptop because, yes, having python installed can be exploited. So we lock down the laptops and have isolated dev envs that you use instead.

It's not more rotten than your regular backend shop. How many API issues / auth problems / open S3 buckets are there out there exactly?

S3 open bucket syndrome is basically cured at this point. (Aside from legacy buckets, which should all be exploited by now)

The "yes I really want to do this" confirmations you need to go through when opening up a bucket these days are about 4 deep...

Authn/z issues are real though, they'll never be fixed

Why would there be a strong engineering culture behind AAA video games at all? Game developers are underpaid, overworked and constantly told they can be replaced at a moment's notice.

I wouldn't expect anything but code that "ships" out of them, and it's understandable why.

There needs to be at least 1 person to figure out why the game isn’t hitting the performance target. That is real engineering.

In modern gaming you just make every texture max size even though it only covers a tiny surface and will only fill 6 pixels on a large monitor.

Also, half of their shaders are broken on some configurations. Also they used a function call wrong so their game tries to render something a bunch of times instead of once.

A huge portion of NVidia and AMD GPU drivers is literally hacks to make games actually run well. Both Nvidia and AMD patch game shaders at runtime to keep things from being unusable, and hack around broken behavior or wrong usage of APIs. It's exactly reminiscent of the situation Windows 95 had when all sorts of popular programs couldn't even save interrupt flags properly because they straight up did not read the manual which had many sentences and code fragments demonstrating that what they wrote would not work.

Also, Titanfall 1 shipped with like 30gb of uncompressed audio. They did this to "reduce CPU load". In 2014.

Hi, I’m a game developer.

> in modern gaming you just make every texture max size even though it only covers a tiny surface

This is completely false. Not even hyperbole, just plain false. We have budgets, we have tools. You need higher res textures for things that are smaller because you can get close to them. Is there waste? Sure, but no more so than in any other field. My local newspaper takes 15 seconds to load on gigabit WiFi, and hangs on scroll. Reddit can’t handle more than one tab open. Slack uses more ram than the game I’m developing sometimes. Even HN still falls flat on its face with a “moderately” popular link, and can’t handle it if you perform too many operations.

> A huge portion of NVidia and AMD GPU drivers is literally hacks to make games actually run well.

This is because nvidia and AMD offer this as a service but without access to your codebase. The days of them being required to function are long behind us.

> Titanfall 1 shipped with like 30gb of uncompressed audio. They did this to "reduce CPU load". In 2014.

As I’ve said many times, you might disagree but it was intentional. The Xbox one was an 8x1. 75GHz CPU, and some of that was reserved for system use

All software is shit, and held together by duct tape. All industries have products that we can point at and call a disgrace - it’s not games that are the problem.

> Slack uses more ram than the game I’m developing sometimes.

I think this should be said more often: the ratio of content to non-content is absurd in some electron-based apps.

Look at it this way: the average video game probably has about 30GB (uncompressed) of content and uses about 10GB-12GB of RAM.

In a busy slack, with hundreds of messages, we're still only looking at maybe <5MB of content while the app chews up 800MB - 100MB of RAM.

I think the video game devs are doing a much better job at writing desktop software than the Slack/Postman/etc guys.

Additionally, security in video games (its poorest metric) has, over the last 10 years or so, improved considerably, while efficiency in desktop software (its poorest metric) has gotten worse!

It's unfair to single out video game developers for poor software considering that they are making gains in their weakest measurement while those doing the criticising are happily using software that is losing points in its weakest metric.

>As I’ve said many times, you might disagree but it was intentional. The Xbox one was an 8x1. 75GHz CPU, and some of that was reserved for system use

I'm sorry, the Xbox One was a what CPU?

Doesn't matter, it's possible that loading in uncompressed audio takes more CPU and RAM resources than just decompressing good MP3 audio. Nobody else ships uncompressed audio, and Titanfall 2 did not release with uncompressed audio.

Mind you, this was like 30gb of uncompressed audio, including several different audio languages. No matter how you played the game, most of that 30gb was unused.

You could decode a 320kbps mp3 on an 83mhz Pentium I.

> You could decode a 320kbps mp3 on an 83mhz Pentium I.

Only if doing nothing else at the same time!

I was there; I had a 486 that could decode 96kbps mp3.

But, like the P1, if you tried to do anything else while decoding mp3s, the entire computer, including the sound output, would stutter.

I'm not defending 30GB of uncompressed audio (obviously they could have compressed it a little, at least), but to claim that a P1@80MHz could indeed decode mp3s@320kbps is a bit of a stretch.

It could do so only if you weren't doing anything else at the time.

How about 30-40 of them at the same time, while sending off video to be rendered by the GPU, tracking as many entities positions 60x per second and more?

With DLSS nobody bothers anymore. Just force the punters to buy an overpriced video card and then poor-shame them if they don't.

It’s definitely games that are the problem. There’s no way that websites are still embedding third party code that is just slopped together shit and wildly vulnerable [0]. Or that domain registrars, one of the core points of trust of the internet would lie about their security practices and be sued by the FTC almost a decade after it [1]. Or that an endpoint management system would take down multiple airports due to basic bounds checks missing [2]. How about a massive software company used by huge enterprises for storing their knowledge bases having an RCE [3]. A global CDN definitely wouldn’t break DNS and take down half the internet [4].

Now you might say, those companies are irresponsible and that well maintained open source software doesn’t have this issue. That would mean no 0 days for linux [5], and that the most battle tested libraries in the world are immune from basic issues [6][7].

Software engineering is broken, it’s not just games. (Although, if you think physical construction is any better I suggest you stick a T square in the corners of your house and figure out how many of your walls aren’t square). You

[0] https://mrbruh.com/chattr/

[1] https://news.ycombinator.com/item?id=42849632

[2] https://en.m.wikipedia.org/wiki/2024_CrowdStrike-related_IT_...

[3] https://www.csoonline.com/article/2138177/atlassians-conflue...

[4] https://techcrunch.com/2021/07/22/a-dns-outage-just-took-dow...

[5] https://www.indusface.com/blog/rce-zero-day-vulnerabilities-...

[6] https://en.m.wikipedia.org/wiki/Log4Shell

[7] https://heartbleed.com/

> The engineering culture behind AAA video games is rotten to the core with regards to security.

But it is way ahead with regards to efficient hardware utilization!

And usually with an eye towards good user interface design. Not some white space heavy “clean” look where everything is hidden behind hamburger menus.

Preach. I often point towards games for examples of good balance of density, as well as elements of modern-looking skeuomorphism in UI.

Of course I get all the usual garbage non-arguments in response from designers who don't want to take up a challenge and actually design, and instead fall back on a "tried and true" (except it is shit) fashion.

Some games, sure, most games, no. There are tons of games out there with dialog options that don't support choosing with numbers, a ton of games where you can't quickloot/drop with shift-click, comparing equipment is a chore, confirmation screens don't have y/enter to confirm or n/esc to cancel, missing/useless tooltips, custom fonts that are unreadable...

These things are _trivial_ to implement, it's just nobody thinks about the UI as long as it 'works'.

I dunno, lately they're more interested in pointing you to the store page for skins and loot boxes.

True, but even the most vile loot box filled triple A slop game has better UI than the atrocities the OP refers to. At least there you can see some decent density of information and a hint of three-dimensionality, which is more than you can say about the "clean UI" desert landscape.

Is it particularly surprising though?

These are game developers. Not backend developers. Not web guys. Not remotely trained in infosec. They make games. Not security software. And for the longest time this was acceptable.

I think for a GaaS in 2025 it's unacceptable to not have security minded engineers on staff for the backend stuff. Too much money is involved not to. Especially for studios very familiar with shipping online games.

But I'm also kind of disappointed in how much we're forgetting that these people are not infosec nerds. Last year there was a cute fishing game made by a single dude messing around making things. It got popular and a kid found an RCE bug with the multiplayer. The dude got a TON of shit for the flaw, which feels deeply unfair. I don't expect my mom to configure a router correctly. I don't expect video game developers to understand defensive network programming without training.

Maybe I'm just a little frustrated at the Internet largely unable to understand that defensive programming is something that isn't in a game dev's trained skills. I would expect better of Netease however.

Hey, I feel there's some predisposition in infosec-minded people that insecure software must not exist regardless of its purpose or threat model. And also that people who can't write secure code must not write code...

People who can't write secure code yet can learn how to write secure code.

For some little indie setup, sure. But AAA studios are like any other software companies— the folks putting their network stack together aren’t the same people that are making the gameplay logic, many of whom probably went to art school and learned how to script and write some less-complex C++, and they’re different from the people working with the low-level graphics programming in the game engine, many of whom probably have PhDs in computer science or other related math disciplines. Having a connection low-latency enough and reliable enough to have fighting game tournaments on servers with many thousands of players isn’t a job for a general purpose game developer.

They generally make software that runs with (at least) unrestricted user level access on client devices, as opposed to backend guys who have no client access, and web guys whose code runs in a sandbox.

If anything these devs should be more cautious than the others as the risk to the end user is extreme.

>These are game developers. Not backend developers. Not web guys. Not remotely trained in infosec. They make games. Not security software.

Why do game developers get a pass but not "backend developers" or "web guys"? Don't the latter only "make CRUD apps, not security software"?

I think for web or "backend for network" people, you are always deploying into a hostile environment (the Internet) and so you really should be at least aware of basic security measures. If you consider yourself a professional in that field, it's table stakes.

If you're a game dev, you were taught to write optimized code that runs locally on a computer.

Not everything you do will run on the network, and networking/multiplayer might not be relevant every single time you ship a game. So it's less relevant (if still important)

This isn't really true, game devs have had to deal with client-server authenticity issues since the beginning of multiplayer gaming. There's a lot of lessons learned around and why there's whole sets of middleware designed to alleviate/lessen these issues. For as long as multiplayer games have been around this has been an issue.

The impact ie: RCE vs just ruining the game experience may be different but the concepts are all the same- adversarial clients.

The excuses you listed aren't any different for business apps.

There is nothing special about game development that justifies not knowing/caring about security. It's 2025. Everyone is deploying into a hostile environment (the world). Security is now a horizontal that cuts across all kinds of development: frontend, backend, web, mobile, PC, console. You can't just say "Oh, security is the job of a Security Developer. I am just a Xyz Developer."

Hey I'm with you... I literally have a talk I give at my company about security being every developer's job (it's called "Developers are bad at security" and it's very popular).

I'm not arguing that it's "not their job", I'm saying they are less likely to have been trained in security because of the nature of their job...

There are no triple A games today that don't run in a networked/internet environment, and your code lives on the hostile user; this seems like an even bigger risk than a web app.

AAA games are a small fraction of the whole games market though (and there are still plenty that don't have multiplayer - Cyberpunk 2077 comes to mind, or the Horizon games, lots of mobile games, etc).

Like I said in the other reply, I am not arguing against the need for security, I am saying a lot of game developers don't get, or seek out, security training because single player local games don't have the same network-driven risks.

Great commentary, today the industry is focused on delivering free games with tons of cosmetics (which gives a ton of money) but forgetting about performance and security.

Your average networked game these days is probably a bazillion times more secure than one from 20 years ago. It was super common that there were cheat tools to crash all game clients in a match. It was super annoying, we can just be glad that it was usually not used for anything more nefarious.

Excellent point, how do you see the industry today, security-wise?