I think from a purely technical viewpoint, cheaters will always have the advantage since they control the machine the game and anti-cheat is running on. Anti-cheat just has to keep the barrier high enough so regular players don't think the game is infested with cheaters.
I have never worked on AAA games, but I have developed software for 35 years and play many competitive online games regularly.
I have always wondered why more companies don't do trust based anti cheat management. Many cheats are obvious from anyone in the game, you see people jumping around like crazy, or a character will be able to shoot through walls, or something else that impossible for a non-cheater to do.
Each opponent in the game is getting the information from the cheating player's game that has it doing something impossible. I know it isn't as simple as having the game report another player automatically, because cheaters could report legitimate players... but what if each game reported cheaters, and then you wait for a pattern... if the same player is reported in every game, including against brand new players, then we would know the were a cheater.
Unless cheaters got to be a large percentage of the player population, they shouldn't be able to rig it.
Less skilled players can't distinguish better players from cheaters, and reports are usually abused and used in bad faith. Even a good-faith report really just means "I don't want to see this player for whatever reason". It's used as a signal of something in most systems but never followed outright in good games because players get a ton of useless reports.
Players in some games with custom servers run webs of trust (or rather distrust, shared banlists). They are typically abused to some degree and good players are banned across multiple servers by admins acting in bad faith or just straight up not caring. This rarely ends well.
I used to run popular servers for PvP sandbox games and big communities, and we used votebans/reports to evict good players from casual servers to anarchy ones, where they could compete, but a mod always had to approve the eviction using a pretty non-trivial process. This system was useless for catching cheaters, we got them in other ways. That's for PvP sandboxes - in e-sports grade games reports are useless for anything.
No, I wasn’t saying the human player would report them, I am saying the game itself would. If the game receives an update from another player showing them in a location that is too far away from their previous spot, for example, the client would know the other client is cheating, and would report it automatically.
That's pretty redundant then, and also subject to abuse. Server state is already an authoritative source of truth, and the server itself should be doing behavioral analysis (which many do, it's not enough). In real-life conditions of most games, what you see, what server sees, and what each other client sees are entirely different and unrelated things.
Yeah, that is why the reputation factor matters. If these games are relying on peer-to-peer connections for gameplay, then a client could lie and send different data to the server and to the other players. I acknowledge you can't trust the clients to report a cheater, because cheaters could report innocent users. My idea is that if you see the same player being reported by many clients across many games with random pairings, it becomes less and less likely that those reports are from other cheaters trying to get innocent players in trouble.
A couple of years ago the bot situation in casual Team Fortress 2 was so bad that it wasn't uncommon to land in a game where the majority of at least one of the teams was a group of cooperating bots. In those matches you have the possibility to start a kick-vote on your team mates, and those bots would immediately vote “no” if you tried to vote on any of them and because they were the majority of the team these votes always failed. And if these batch were in your enemy team all you could do was to ask the remaining, hopefully real, players on the enemy team to try to kick them.
It was especially annoying when you tried to play certain game modes these bots weren't programmed to handle, they had no idea of the objective and the match would stall indefinitely, forcing you to queue for a different match.
And if I remember correctly these bots were pretty much headshotting everything they got in sight. Something the server can easily detect.
But VAC for example acts intentionally slow, so cheaters don't get immediate feedback.
Out of curiosity I did a quick internet search and a couple of months ago a new wave of bots has emerged. Those bots also join as majority group but never fully join the game, they simply take up slots in a team, preventing others from joining. Makes you wonder why the server isn't timing them out.
Counter-Strike has been doing this for years. It's called "Overwatch" (even before Blizzards Overwatch came out). And believe it or not it failed to reliably catch actual cheaters AND got non-cheaters in trouble (both repeatedly). A very good player is indistinguishable from a cheater with a good cheat. Sometimes people just get super lucky for a few rounds and you might get judged based on that.
> A very good player is indistinguishable from a cheater with a good cheat.
I played COD4 a lot, though not competitively. I used to say that I had a bad day if I didn't get called a cheater once.
I didn't cheat, never have, but some people are just not aware of where the ceiling is.
The cheaters that annoyed us back then were laughably obvious. They'd just hold the button with a machine gun and get headshots after headshots, or something blatant like that.
> some people are just not aware of where the ceiling is
True of everything. Getting good just lets you see the skill gaps. I've sunk a serious chunk of time into both pool and chess. In both I'd be willing to take a bet that I can beat the median player with my eyes closed (in pool, closing them after walking the table but before getting down on the shot).
And in both of those activities, there are still like 10-20 levels of "person at skill level A should always win against person at skill level B" between me and someone who is ACTUALLY good at pool or chess. Being charitable, in the grand scheme of things I might be an intermediate player.
I was imagining specific things that are impossible, not just things that would be unlikely.
For example, in NBA2k there are a lot of players running around who are like 12 feet tall. The client has to render that, and the client could have a “if another client tells us their player is more than 8 feet tall, it is a cheater”
I agree, but that’s precisely the interesting ‘technical’ problem. Like bitcoins “proof of work” in 2011 (it took me few years to comprehend) was an eye opening moment for me. While I do believe that it firmly failed to achieve its lofty goals, the idea of “proof of work” was a really captivating and interring technical idea. Can a video game client have a similar zero-trust proof of their authenticity? I personally can’t think of one. I can’t think of a way to have remote random agents (authenticates or not) to proof they are not cheating in a “game”, and like you, I suspect it’s not really possible. But what does that mean?
I grew up with star trek and star wars wondering what a “I’ll transfer 20 units to you” meant. Bitcoin was an eye opener in the idea of “maybe this is possible” to me. But it shortly became true to me that it’s not the case. There is no way still for random agents to prove they are not malicious. It’s easier in a network within the confines of Bitcoin network. But maybe I’m not smart enough to come up with a more generalized concept. After all, I was one of the people who read the initial bitcoin white paper on HN and didn’t understand it back then and dismissed it.
You could have replays where all player inputs are signed by the individual players. This replay file could be used as proof to report a cheater. Analysis tools can be developed later to identify what packets are only possible from cheaters. For example you could prove that a player was sending packets that they were flying around.
> Anti-cheat just has to keep the barrier high enough so regular players don't think the game is infested with cheaters.
And even that's the (relatively) straightforward part. The hard part is doing this without injuring the kernel enough that the only sensible solution for the security conscious is a separate PC for gaming.
I actually went to get away from some friends, whom were presenting that year (they needed prep time — and I needed escape). Top 10 memories made by myself out at Hoover Dam, watching as the bypass got completed (that is another incredible feat of engineering).
Definitely a cool experience, and I'm glad I did. My last year attending DEF CON me and a Hadoop buddy (nobodies) just walked up onto a stage [during a terrible presentation] and started drinking whiskey with the ESL speaker (again: nobodies) — predicting we'd get banned from attending (but didn't — nobody cared... audience appreciated the break from hard-to-understandings).
I've got a CalDigit TS4 that I connect to my Macbook Pro. Connects to a 4K 120Hz monitor, mouse, keyboard, wired ethernet, hard drive reader (not always connected), external blu-ray drive, and DAC. Works perfectly.
I used to post on a forum that did this, as well as showing the OS and browser you were posting from. Some users would be funny and modified their user agent so that it said they posted from a Wii.
Heh, in 2014 I remember taking a taxi that only accepted card using an imprinter, which was unfortunate because I had just gotten a new card and the numbers weren't embossed. He had to drive me to a gas station to get cash from an ATM.
I've never experienced it but I've been told that if an emergency responder needs to enter an area where classified information is stored you let them in, escort them, and security will debrief them and have them sign an NDA after the fact if they saw any classified information.
My understanding is that the fire department has pretty broad legal authority to tell you where to shove your policies your if your building is on fire. They can legally smash down your doors, haul you out kicking and screaming, and detain you outside of the building while they put the fire out.
This is largely correct. However, staff also need to be trained and drilled on security policies and procedures. That's often lacking, especially if security is outsourced to third party contractors.
reply