
Anti-Cheat Kernel Driver - haunter
https://eune.leagueoflegends.com/en-pl/news/dev/dev-null-anti-cheat-kernel-driver/
======
dang
[https://news.ycombinator.com/item?id=22855600](https://news.ycombinator.com/item?id=22855600)

[https://news.ycombinator.com/item?id=22230168](https://news.ycombinator.com/item?id=22230168)

------
TheCraiggers
I find it interesting that in their "Should I panic" section, they miss one of
the biggest panic-inducing points for me: That a program running in ring 0 has
some form of internet access.

They don't go into detail here about how far this goes, but I wouldn't be at
all surprised to hear that it is directly sending and receiving data from the
internet. That is such a bad idea for obvious reasons.

~~~
united893
Why would they do that? They don't need to send the data through the kernel,
they can just IPC it to the process and use the existing telemetry stack.

Also, what gives you panic here? What more damage can they do than running in
user mode? They can already access all your files, steal all your cookies etc.

~~~
zeusk
Well, because if an attack vector is found in their anti-cheat driver,
attackers could use it to access the memory space of other processes and not just
user-accessible files, or launch a privileged process for keeping tabs on your
system.

------
verall
Wow, that's a shite article. It starts with "This post is kinda tech-heavy" and
then never gets tech-heavy.

The "I think I'm going to panic" section is super condescending. It obviously
does give surveillance capabilities it didn't previously have: I could
previously disallowed the user that was running a game from viewing a file,
and Windows would respect that. The game might crash, but it would not have
accessed the file.

They are being directly misleading in the article and trying to use technical
terms to confuse people. Ick.

~~~
anonymousab
Yeah. I'd question the motivation of any explanation that obscures the "yes,
it does enable all of those BadThings but we promise to do our best not to
exploit them and here's why we can be trusted" truth of the matter.

That said, they're writing for multiple gun-jumpy audiences so I don't think
they lose all of the benefit of the doubt here. Just that this isn't good
enough at the moment/yet.

------
jimbob45
I was more okay when Valve did it years ago because Valve isn’t majority-owned
by a scummy Chinese company.

~~~
SCdF
What concern do you have because the ethnicity and location of the company is
in China?

How does that compare to American or five eyes countries, given what we know
about those situations?

What makes, to you, one a higher threat than the other?

Edit: to be clear, I'm trying to work out, as someone who is clearly OK
contributing and participating in the Chinese economy (gotta get dat new
iPhone), why my concern for the morality of the Chinese government in this
exact instance is higher than, say, the government I actually live under (UK) or
their allies (US and the rest of Five Eyes).

~~~
mey
The amount of autonomy and legal recourse of a private corporate entity in
China compared to the United States. While the US does not have a great track
record (Room 641A, National Security Letters, V-chip, putting export controls
on strong encryption, etc.), entities like the EFF and ACLU, plus corporate
entities, have successfully and repeatedly pushed back. I am not an expert on
Chinese corporate entities, but my anecdotal observations from working in
companies with arms in China have been that it's always a very careful process to
not annoy the government, as it means losing everything with little recourse.

Edit: The implication is that, if the government of China was exceptionally
interested in placing a backdoor in the software of a Tencent system, they may
not be able to reasonably object. Whereas if the FBI came to Apple (and we know
they have), they can say no. [1]

[1]
[https://en.wikipedia.org/wiki/FBI%E2%80%93Apple_encryption_d...](https://en.wikipedia.org/wiki/FBI%E2%80%93Apple_encryption_dispute)

~~~
SCdF
> Where if the FBI came to Apple, (and we know they have) they can say no

I thought the point was they couldn't say no? Hence the warrant canaries and
things like that. And the NSA hooking directly into Google's internal fibre
etc etc.

To be clear, I think your points are interesting from the perspective of "the
Chinese government is morally worse and I'm worried about those implications";
I'm just trying to work out, as someone who doesn't live there (but is clearly
OK participating in their economy, I buy endless Chinese goods), how that
affects me concretely.

~~~
mey
I'm going to sidestep the morality of the respective governments. I am a US
citizen; I have opinions, bias and an incomplete picture.

My point is, I think it is harder to detangle a Chinese corporation's
objectives from China's (the government's) objectives than, say, a corporation in
the US or EU. There are stronger laws and separation of controls (on the books
and in practice) in those regions.

Do I trust the US government? Not terribly. Do I trust the US government more
than China as a US Citizen? Yes. Should you? I don't know.

Defending against nation state targeting as an individual may be an impossible
task unless you follow in Richard Stallman's footsteps, in which case, the
conversation about LoL installing a kernel driver in Windows is very much
outside your concerns :)

------
Pfhreak
> This isn’t giving us any surveillance capability we didn’t already have.

Wait, really? What surveillance capabilities does LoL already have without a
kernel driver?

~~~
freeone3000
The update process runs as admin, so basically anything.

------
volak
New Counter-Strike-ish game Valorant also just confirmed a similar anti-cheat
system driver:
[https://old.reddit.com/r/VALORANT/comments/fzxdl7/anticheat_...](https://old.reddit.com/r/VALORANT/comments/fzxdl7/anticheat_starts_upon_computer_boot/fn6yqbe/)

~~~
Operyl
It’s not similar, it’s the same in the end. They’re both Riot games and they
plan to be moved under the same umbrella.

------
Analemma_
I'd really rather this sort of thing came directly from Microsoft. They're not
perfect, but I definitely trust them more than Riot to not create a bunch of
security vulnerabilities or spy on all my active processes. Plus, if people
are signing kernel extensions who shouldn't be, isn't that a concern for
Microsoft in and of itself?

~~~
SlowRobotAhead
Microsoft has a locked down kernel for gaming already. It’s called Xbox.

~~~
kllrnohj
Microsoft also releases games on Windows, though, and also has the cheater
problem in them.

It is still odd that in all their gaming pushes on Windows with things like
the Windows 10 Game Mode ( [https://support.microsoft.com/en-us/help/4028293/windows-usi...](https://support.microsoft.com/en-us/help/4028293/windows-using-game-mode-on-your-pc) ) they haven't just
made this a "thing" yet. Have a flag or some way for an application to signal
that they want their memory actually restricted. You'd at least stop all user-
mode cheats overnight, and can also attempt to impose restrictions on kernel-
mode drivers. Or let a game know if there are unsigned drivers installed, and
let the game segment off that user population.

But I guess they won't do anything about this until someone's kernel-level
anti-cheat driver becomes a PR disaster for Microsoft. The same way they
didn't do anything about anti-virus protection out of the box until McAfee &
Norton went off the deep end and contributed to the constant perception of
Windows' horrible slowness.

------
VWWHFSfQ
Riot's games will start shipping with a rootkit or you can't play.

------
icarus_camp
I wonder how this will play out on the OS X version of LoL. Apple straight
killed that Zoom webserver a while back with an OS update. I wonder if they
make a similar move here against kernel-level anti-cheat? Assuming you can even
pull it off on OS X.

~~~
duskwuff
> Assuming you even pull it off on OS X.

Doubtful. Apple has generally been ratcheting up restrictions on kernel
extensions [1] -- currently, kernel extensions must be signed with a developer
certificate that has explicit entitlements for kernel extensions, and must be
explicitly approved by the user in security settings. [2] A normal Apple
developer certificate is _not_ sufficient to sign a kernel extension, and
Apple has signalled that they intend to end all support for loadable kernel
extensions in the future.

[1]: [https://developer.apple.com/support/kernel-extensions/](https://developer.apple.com/support/kernel-extensions/)

[2]:
[https://developer.apple.com/library/archive/technotes/tn2459...](https://developer.apple.com/library/archive/technotes/tn2459/_index.html)

------
ewired
They named this blog post after a component of Unix/Linux (/dev/null);
ironically, it doesn't look like their games will ever be available for macOS
or Linux, especially when they're doing something like this.

~~~
kalium_xyz
The NT kernel of Windows is a very real component of the OS, which is what
they are talking about. Microsoft keeps their low level well hidden, though.

~~~
kroltan
GP was referring to /dev/null in the actual article title (not the HN title)

------
ungzd
Linked article about DMA-based cheats is even more interesting:
[https://blog.esea.net/esea-hardware-cheats/](https://blog.esea.net/esea-hardware-cheats/)

------
vbezhenar
Huh, time to uninstall LoL I guess.

------
madjam002
When SR-IOV becomes mainstream, do you think it would be a good idea to start
virtualising every game in its own sandbox? So each game runs in its own VM and
doesn't have access to the host?

------
peter_d_sherman
Can't the cheaters just get their own server, and the people who want to play
fairly just get their own server?

~~~
breischl
If everyone is cheating, then you don't have an advantage, so what's the
point?

I guess you could look at it as another level of metagame, though.

~~~
peter_d_sherman
Why not simply group gamers on different servers depending on how well they're
doing or not doing?

You win a lot, you get grouped on a server with other winners, you lose a lot,
you get grouped on a server with others that lose a lot.

This keeps skill levels (and challenge) consistent.

Or, is that too much of an algorithmic challenge for the game designers?

If they can write the game in the first place, it shouldn't be...

------
GoOnThenDoTell
I’m surprised Microsoft allows this

~~~
icarus_camp
Microsoft tried to put a stop to this in Vista by having a very proactive
UAC permissions popup. Folks hated it.

~~~
lostmsu
Microsoft can still revoke the driver signing certificate, and disallow this
purpose in the future. I think that would be a good move.

------
trasz
And they can do it without using any GPL-only symbols?

~~~
duskwuff
What GPL symbols? They don't support Linux.

Their most popular game (League of Legends) used to be somewhat playable on
Linux through WINE, but that was never officially supported. They've banned
Linux users on multiple occasions due to false positives in bot/cheat
detection (e.g. [1], [2]), and rolling out this anti-cheat driver is likely to
make Linux play completely impossible.

[1]: [https://dotesports.com/league-of-legends/news/riot-games-ant...](https://dotesports.com/league-of-legends/news/riot-games-anti-cheat-lol-single-case-exception-players-linux-25056)

[2]:
[https://www.reddit.com/r/leagueoflinux/comments/8pag4y/banne...](https://www.reddit.com/r/leagueoflinux/comments/8pag4y/banned_for_scriptingrunning_game_through_wine_on/)

------
kalium_xyz
The real question is, where does rito hire from?

~~~
bmn__
I'm under the impression they have lots of hires from the fanbase.
[https://tvtropes.org/pmwiki/pmwiki.php/Main/PromotedFanboy](https://tvtropes.org/pmwiki/pmwiki.php/Main/PromotedFanboy)

------
droobles
I really like the writing style of this, drives the point to non-techies.

~~~
Pfhreak
Does it? I think it comes off as extremely patronizing. To each their own, I
suppose.

~~~
duskwuff
I came to the same conclusion. The tone is incredibly condescending, and
there's very little technical substance to the article. (As mjg59 pointed out
[1], the Wikipedia infographic they used -- without attribution! -- even
implies that drivers run in Ring 1 or 2, which is only true if you're running
OS/2.)

[1]:
[https://twitter.com/mjg59/status/1249962092850900992](https://twitter.com/mjg59/status/1249962092850900992)

------
diebeforei485
Sigh...

As annoying as MacOS is, I find myself reassured every now and then that
Windows is worse.

------
SlowRobotAhead
Under why you shouldn't panic:

> This isn't even news. Several third party anti-cheat systems— [install
> kernel drivers]

Is there a difference between a rootkit and a kernel driver? I think so.

