
PC games are fighting a new surge of cheaters and hackers - aspenmayer
https://www.theverge.com/2020/5/6/21246229/pc-gaming-cheating-aimbots-wallhacks-hacking-tools-developer-response-problem
======
rasz
New surge of bad programmers is a more apt title, or "We gave game clients
absolute control and you won't believe what happened next!!1". Pretty much all
the games listed have ZERO server side validation. As I commented under
previous Valorant anti cheat backdoor story:

'what is actually crazy are modern game servers lacking even the most basic
server side assertion logic(1) letting players FLY around the map, teleport,
summon items, kill other players on the server at the press of a button, etc.
Seen in all massive FPS games, for example Apex Legends, PUBG, Escape from
Tarkov.'

~~~
dijit
> New surge of bad programmers is a more apt title, or "We gave game clients
> absolute control and you won't believe what happened next!!1". Pretty much
> all the games listed have ZERO server side validation.

I feel like I should share an inside opinion, but you will not like it. So
please take it as an opinion and don't crucify me.

The Industry itself is mired in complexity, year on year we have to build
bigger games, better and more complex games and we have diminishing amounts of
budget (both in time and money) to do so. Failing to make something truly
great will cause the next iteration to have even less budget and then you're
dead.

When it comes to gameservers, which is actually something I understand very
well[0] there are additional budgetary constraints. The cost of a player,
playing the game is an eternal one. If you keep playing we only get the
upfront game sale from you, so there's an incentive to keep the costs as low
as possible.

NDA prohibits me from saying an exact number, but let's assume (and it's mostly
true) that if you play a game for 3 months then we've lost money on you from
server time alone, and we well optimise our servers. The more you put in for
verification and detection, the more cost there is.

This is why when we originally talked about releasing the game we were
intending to forego a PC release entirely, as consoles are barely affected by
this, and when they are it's quite easy to detect comparatively.

[0]: you can see me talking about it here:
[https://youtu.be/d29tHMRJIU8?t=2060](https://youtu.be/d29tHMRJIU8?t=2060)

~~~
cwhiz
Game companies invented this “problem” so they could extract more money from
gamers. Go back 10-12 years ago and most PC games had server software and the
community hosted most of the matches. The community handled the cheaters.

Game companies took this away so that they could sell season passes, hats,
shirts, and other cosmetic garbage.

This is a problem your industry created. So please spare us all the woe is me
charade.

~~~
dijit
I did warn you that you wouldn't like it.

But go back 10-12 years; let's see what's available;

2008:

Battlefield: bad company. - no self-host option

GTA IV. - no self host option

Fallout 3 - no self host option.

Left 4 Dead 2 - downloadable server option, no official servers

--

I think your interpretation is very uncharitable.

The cost of making games has increased in a near exponential rate, regardless
of if there's servers or not.

On a more personal note: I don't understand why everyone wants to eat the
fancy cake but hate the baker for telling you what it took to make it.

~~~
cwhiz
That is a supremely cherry picked list. GTA4 was a single player game with
some thrown in "community" features. Fallout 3 was a single player game.

You see... we didn't ask for you all to ban dedicated servers and take on the
cost of official servers. You did that to us against our objections so that
you could extract more money from us. PC gamers would be perfectly happy
playing Modern Warfare on dedicated servers. We don't have that option. We are
forced to play on official servers and then you whine about the cost of doing
that. That was YOUR decision!

You can't force players to play on official servers and also whine about the
cost of official servers. You have created this problem! If it is too
expensive to host official servers then let the community host them like we
used to.

> I did warn you that you wouldn't like it.

We don't like being patronized. It is peak irony for game developers to lament
the cost of official servers when official servers were something they forced
on the community so that they could sell more hats.

~~~
dijit
I know you hate me, frankly I don't really care at this point. I've been in
the industry 6 years and I'm so utterly and completely burned out by being "a
patronising and evil" presence when I make the mistake of trying to actually
confer real information to people.

Everyone complains that the game companies are ivory towers and that their
voices aren't heard: we hear you. But you don't want what you think you want
and I'm not trying to patronise you by saying that.

Additionally, I didn't cherry pick the list I intentionally grabbed the first
ones that had networking, almost no cross platform games from 2008 were
heavily networked. (Fallout 3 was an oversight, I meant Far Cry 3).

As I've stated repeatedly in this thread: Self-hosting servers only works for
session based games.

Even then, those sessions can leave players with a very mixed experience
(weird rules, mods, someone might have made themselves "god", it opens up the
client to be exploited by the server). Weird latency issues and connection
drops notwithstanding.

If it's dedicated servers that you rent from us as a company then: it can be
expensive for you, if it's too expensive, less people do it, less people do
it, the more expensive it becomes to maintain the provisioning/admin tools and
it's amortised across much less players so the price goes _even higher_.

Then there's the server list fiasco. Where do you connect?

* XxXxBubBas-BayxxXx--freelootlvl25OnlY!?1

* 174.255.121.2:5543

* bit.ly/free-nudes

We listened to the community before, many times, sometimes people are so
outspoken that we really believe we'll have competitive edge if we're the ones
to "listen" and every fucking time we get burned by it. So I don't blame
anyone in the industry for listening to their CMK department more than the
hardcore PC Master Race.

The Hardcore PC Master Race do not represent all gamers.

~~~
MaxikCZ
I was indifferent about you until this post. While I appreciated the
information you are giving "from the other side", I also understand why simply
telling us this won't make you look any better.

But then you present us that the reason for only official servers is because
community servers might have mods/weird rules, or, dear god, funny names? How
exactly is that a problem? Currently I spend some time in Rust. It has
official servers as well as community ones. And let me tell you, the community
servers are what's keeping the game afloat. Funny names in server list
virtually don't exist. It's like people in general have a certain level of
taste and it just so happens that servers with cringe names are left empty.
Mods are great. Different people enjoy different mechanics, and thank god for
different rules on some server, like "solo only", because it's actively sought
out by people that don't want to combat 20 men teams on official servers.

Your statement that community servers are only working for session based games
couldn't be more diverged from reality. Some of those servers are hosted for
years continuously, only restarted to apply updates. And for many other games
this is the case.

You say that we don't want what we want and Hardcore PC Master Race ain't
representing all gamers, but frankly, if anyone knows what they want, wouldn't
you agree Hardcore PC gave it more thought than your "average gamer"?

The issues you described ain't problem of community, which you heroically
solve by taking our toys away, but are exaggerated, misunderstood, almost
nonexistent issues that mainly come from skewed views of you as game
developers and yours personally.

Maybe you are burned out of people hating while proclaiming "I'm only the
messenger" because it touches you personally, correctly, because you also
believe the wrong message we Hardcore PC Master Race gamers so hate to hear.

EDIT: And the fact that multiplayer game becomes unprofitable once player
spends more time in it is horrifying. So you telling me the studios are
actually incentivized to make games we stop playing almost immediately after
purchase? And you use this to defend your point why servers can't afford basic
anti-cheat?

~~~
SebastianKra
Just as a small side note:

I still play some Battlefield 4 from time to time. Custom servers are awful.

You'll randomly get kicked because you didn't pay for a VIP slot, randomly
killed because only 5 snipers per team are allowed and randomly kicked because
the admin didn't like the particular gun you're using.

I can see why game developers would (and should) prevent that.

~~~
magahacka
If I remember correctly BF4 follows the same logic of BF3, meaning that
"Custom" servers are actually running only on hostings that EA has given
license to, so at best the administrator has the ability to manage the players
and not the game itself.

The only thing that may dissuade game creators from creating openly available
dedicated server software is that they will need to let everyone access the
list of servers (like Valve), so they would get traffic without any kind of
ROI.

------
ashtonkem
It’s probably an artifact of aging, but one of the more beneficial things I’ve
done in the past half decade is switch from online games to single player or
coop.

The peaks of online games are very high; when you get a team that’s
cooperative and communicative it can be great. But the expected outcome is
much much lower, especially when trolls and cheaters show up.

Single player games let me enjoy the experience without it being ruined by
anything other than my relatively low skill level at the game in question.
Also, I can buy games that are older and play them on weaker hardware to
significantly reduce my cost of ownership, since there’s no penalty for
playing single player games later.

------
nyxxie
I built my initial programming/security skills by making PC game cheats, and
now that I'm actually working in the software industry on other stuff I
decided at the beginning of quarantine to see if I could still do it.
Specifically, I targeted PUBG.

They've added obfuscation, that's about it. Even one of the guys the author
interviews admits it:

> “Last year, we spent time working on various measures to block cheat
> programs,” explains Taeseok Jang, executive producer of PUBG PC. “Most of
> these actions focused on blocking cheat program developers to make it more
> difficult for them to create these highly lucrative cheats.”

That obfuscation was probably a huge problem when PUBG initially started
adding it, but so long as some bored high school kid has a pirated copy of IDA
and a desire to prove themselves, that info is going to end up online. Each
new obfuscation feature or anticheat detection becomes a challenge, and the
results of that challenge being inevitably solved are inevitably posted in a
public and high-visibility place for others to learn from and use.

All of this public information meant that creating a cheat for the game
probably added around a month or two of work to adapt to the cheat prevention
efforts, on top of the month or so that I spent looking for the actual in-game
structures necessary to implement the radar I was going for. I already
expected every hindrance I encountered when reversing the game and writing the
tooling to interact with the game's process. It was still daunting, especially
since I had never touched the Windows kernel until this project, but
ultimately when I ended up getting everything working it felt like I was just
using the same techniques I used to use back in the day only with extra steps.

My takeaways for anyone interested in preventing videogames from being cheated
in:

    
    
      - Cheaters will eventually find a way, but you can always reduce the quantity and quality of them.
      - All information on how to write a cheat for your game eventually ends up in public forums. Keep an eye on those and learn how most people are writing cheats and target those methods specifically.
      - Obfuscation (new detections, new anti-reversing measures, new countermeasures to cheating methods) buys you time in the immediate term and invalidates existing online information in the long term. They're like antibiotics--they increase the barrier to entry and pain factor of cheating only if you continue adding/changing it.
      - Obfuscation will never be adequate to prevent cheating entirely. Human monitoring, ML, skill-based pairing, and full visibility & control over hardware the game is executing on are probably the next generation in terms of cheat prevention.

~~~
lucb1e
Without horizontal scrolling (annoying on desktop, let alone mobile view:
[https://snipboard.io/yJ8Lfo.jpg](https://snipboard.io/yJ8Lfo.jpg)):

> - Cheaters will eventually find a way, but you can always reduce the
> quantity and quality of them.

> - All information on how to write a cheat for your game eventually ends up
> in public forums. Keep an eye on those and learn how most people are writing
> cheats and target those methods specifically.

> - Obfuscation (new detections, new anti-reversing measures, new
> countermeasures to cheating methods) buys you time in the immediate term and
> invalidates existing online information in the long term. They're like
> antibiotics--they increase the barrier to entry and pain factor of cheating
> only if you continue adding/changing it.

> - Obfuscation will never be adequate to prevent cheating entirely. Human
> monitoring, skill-based pairing, and full visibility & control over hardware
> the game is executing on are probably the next generation in terms of cheat
> prevention.

------
Jonnax
Cheating in online gaming is prevalent. I think there's a lot of people that
find the enjoyment of it so there's a captive market for people to sell
cheats.

But I also wonder about competitiveness when it comes to people playing with
others with better than average hardware.

Like someone who has a 240hz monitor and the performance to back it up versus
someone with a low power slim laptop.

Then consoles could be considered a level playing field. Except for Pro
variants of the console. And also there seems to be fancier controllers with
extra buttons on the rear side.

Of course adding cheating to the mix. Personally I have no interest in playing
online multiplayer games.

But that's just me.

~~~
kroltan
Not really, just like a beginner painter using the finest unicorn-hair brushes
or whatever would not be able to paint the Mona Lisa, "gaming" hardware gives
a very marginal benefit, that is better taken advantage of when you actually
have the game skill.

For all but the highest ranks, it does not make much of an actual difference.

Most games have some sort of skill ceiling, or at least narrow bands of
clustered players. Hardware will put you slightly above competitors of the
same cluster, but will not by itself enable you to climb to the next cluster.

This is evident in cross-platform games, where in casual or non-professional
competitive play, a good console player can still beat a slightly less good
fully-geared PC player, despite the 30fps and controller "handicaps".

------
cwhiz
It just seems trivially easy to me to just look at game stats and catch 80% of
cheaters. I assume they are gathering all sorts of information to balance the
game... so just use that data to catch cheaters and ban them after the game.

When you watch these cheaters play it is obvious. They laser everyone in the
head. Number of kills, type of guns used, distance of kills, hit rate, head
shot rate, distance traveled, etc, etc. Just look for consistent extreme
outliers.
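
Added example, not part of the comment above: one way to look for "consistent extreme outliers" in per-match stats, using a median/MAD baseline so that cheaters in the sample do not shift it. The player names, numbers, cutoff and thresholds are constructed assumptions, and the output is a review queue rather than a ban list.

```python
from statistics import median

# Constructed sample: per-match (headshot_rate, hit_rate) for five players.
MATCHES = {
    "alice": [(0.18, 0.30), (0.22, 0.32), (0.20, 0.28), (0.25, 0.35)],
    "bob":   [(0.15, 0.25), (0.17, 0.27), (0.21, 0.31), (0.19, 0.29)],
    "carol": [(0.30, 0.40), (0.28, 0.38), (0.33, 0.41), (0.27, 0.37)],  # strong but human
    "dave":  [(0.24, 0.33), (0.92, 0.36), (0.20, 0.30), (0.23, 0.34)],  # one freak match
    "eve":   [(0.88, 0.85), (0.91, 0.90), (0.95, 0.93), (0.90, 0.88)],  # extreme every match
}
METRICS = ("headshot_rate", "hit_rate")


def robust_baseline(values):
    """Median and MAD; unlike mean/stddev, a few extreme samples barely move them."""
    med = median(values)
    mad = median(abs(v - med) for v in values)
    return med, mad


def modified_z(value, med, mad):
    # 0.6745 rescales MAD so the score is comparable to a standard z-score.
    return 0.0 if mad == 0 else 0.6745 * (value - med) / mad


def anomalous_fraction(matches, cutoff=3.5):
    """Per player: share of matches in which any metric is an extreme high outlier."""
    baselines = [
        robust_baseline([m[i] for ms in matches.values() for m in ms])
        for i in range(len(METRICS))
    ]
    result = {}
    for player, ms in matches.items():
        hits = sum(
            any(modified_z(m[i], *baselines[i]) > cutoff for i in range(len(METRICS)))
            for m in ms
        )
        result[player] = hits / len(ms)
    return result


def review_queue(matches, min_fraction=0.75, min_matches=3):
    """Only consistent outliers: a single lucky match must not queue a player."""
    frac = anomalous_fraction(matches)
    return sorted(
        p for p, f in frac.items()
        if len(matches[p]) >= min_matches and f >= min_fraction
    )


if __name__ == "__main__":
    print(anomalous_fraction(MATCHES))
    print(review_queue(MATCHES))
```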

~~~
midnightclubbed
There is a push towards this and some companies offering 3rd party systems to
do ML based detection of cheaters.

The basic checks are trivially easy to put into place (kills past weapon
range, warping, impossible movements etc) although someone has to do the grunt
work (and make sure the checks are not invalidated by certain gameplay
features).

Once you get into things like head-shot rates it gets trickier to
differentiate players with amazing hand-eye co-ordination and cheaters. The
line is really really thin. Add in internet latency spikes and it gets even
harder.

Some cheaters will use things like aim-bots to nudge their mouse inputs and
give an advantage that is difficult to see even when watching them live on
stream. Others will blatantly cheat, get detected and kicked within a few
minutes (after ruining some people's experience), create a new account and
repeat, multiple times an hour.
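
Added example, not part of the comment above: a sketch of the basic server-side checks it lists (warping or impossible movement, kills past weapon range), including a server-issued respawn as one gameplay feature that must not trip the movement check. The event format, speed limit, tolerance and weapon ranges are assumptions for a hypothetical game, and the event log is constructed.

```python
import math

MAX_SPEED = 7.5   # m/s, assumed top movement speed
TOLERANCE = 1.25  # assumed slack for jitter and latency spikes
WEAPON_RANGE = {"shotgun": 40.0, "rifle": 600.0}  # metres, assumed

# Constructed event log in server receive order.
EVENTS = [
    ("pos", 0.0, "p1", (0.0, 0.0, 0.0)),
    ("pos", 0.0, "p2", (30.0, 0.0, 0.0)),
    ("pos", 0.0, "p3", (300.0, 0.0, 0.0)),
    ("pos", 1.0, "p1", (7.0, 0.0, 0.0)),         # 7 m in 1 s: plausible
    ("pos", 1.0, "p2", (30.0, 250.0, 0.0)),      # 250 m in 1 s: warp
    ("respawn", 1.5, "p3", (0.0, 500.0, 0.0)),   # server-initiated move
    ("pos", 2.0, "p3", (0.0, 503.0, 0.0)),       # 3 m in 0.5 s after respawn
    ("kill", 2.0, "p1", "p3", "shotgun"),        # about 503 m with a 40 m weapon
    ("kill", 2.0, "p3", "p1", "rifle"),          # about 503 m, inside 600 m
    ("kill", 2.1, "p2", "p3", "shotgun"),        # relies on the rejected warp
]


def validate(events):
    """Return (time, player, kind) for every event the server should refuse."""
    last = {}        # player -> (time, position) last accepted by the server
    violations = []
    for ev in events:
        kind, t = ev[0], ev[1]
        if kind == "respawn":
            # Legitimate teleport: reset the baseline instead of measuring speed.
            last[ev[2]] = (t, ev[3])
        elif kind == "pos":
            player, pos = ev[2], ev[3]
            if player in last:
                t0, p0 = last[player]
                allowed = MAX_SPEED * TOLERANCE * max(t - t0, 0.0)
                if math.dist(p0, pos) > allowed:
                    violations.append((t, player, "warp"))
                    continue  # reject the update, keep the last accepted state
            last[player] = (t, pos)
        elif kind == "kill":
            shooter, victim, weapon = ev[2], ev[3], ev[4]
            # Distance comes from server-held positions, not client claims.
            d = math.dist(last[shooter][1], last[victim][1])
            if d > WEAPON_RANGE[weapon]:
                violations.append((t, shooter, "range"))
    return violations


if __name__ == "__main__":
    for v in validate(EVENTS):
        print(v)
```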

~~~
rland
I play a game that has hacks publicly available with no real enforcement. 95%
of people go the obvious route. If you got rid of the obvious hackers I would
see a couple cheaters per year instead of multiple per day.

~~~
midnightclubbed
No excuses for that! Assuming the game publisher wants to pay for developer
time to do the fixes, generally that doesn't happen until the hackers are
obviously affecting the bottom-line.

------
iforgotpassword
For a long time, this was sold as a plus for gaming consoles, but afaik even
there a bunch of cheating tools are available now. So right now game streaming
is being sold as the next savior of online gaming since everything runs in the
cloud.

But being the pessimist I usually am, and reading about how the cheating
business is apparently a multi million dollar market, I expect this to also
not hold up forever. There's already AIs that can play Doom and StarCraft just
by scraping the screen, so if people are willing to pay for cheating tools,
they'd probably also be willing to attach stuff to their Google Stadia that
captures the screen and simulates input.

~~~
dijit
> For a long time, this was sold as a plus for gaming consoles

And it will be again when the next generation comes out this year. This
happens every console generation, in the last year cheating tools finally
catch up.

------
namelosw
Cheating is so common nowadays simply because game companies are not willing
to pay to make dedicated online games.

A lot of so-called online games are basically just client-side modified
versions; how they are doing it would simply shock web devs.

~~~
midnightclubbed
BS. There are thousands of games developed as dedicated online games without
any intention of having a client only version.

The difficulty is balancing how much of the game runs on the client, how much
on the server and how state is synchronized between clients and server. Oh and
it needs to render a photorealistic world with 2 km draw distances at a
constant 144Hz with no more than 50ms latency between a button press and the
other players seeing the result of that press. The servers will be receiving
hundreds of packets per second for each game instance, will potentially be
hosting thousands of game instances and must cost at most a few cents per
player hour.

Web devs shocked, really?

~~~
namelosw
I understand how difficult it is to build an online game, especially real-time
MMOs with seamless maps.

> The difficulty is balancing how much of the game runs on the client

However, it's important to have the mentality to build on the server by
default. And try other optimizations before giving up to the client.

The reason that games are fighting this cheating surge is mostly that the
mindset is more "security bolt-on" in the game industry, instead of "security
built-in" which you could see more in Web development.

------
whatever1
Would distributing PC games in their own Virtual Machine mitigate any of the
cheating risks?

Now we do have enough RAM, CPU cores and the capability of passing through the
GPU to a VM.

~~~
pjc50
How does that help? The host can see inside the VM.

There have been a few games whose obfuscation was effectively a different
instruction set being run in a VM, and it does slow down hacking by a few
months while people reverse engineer and retool. Can't remember names though.

------
jameslk
Why not offer a bounty program for reporting "game vulnerabilities" that lead
to hacks? Or report hacks in the wild? Or is this already done?

~~~
throwaway2048
Because some hacks, like aimbots are always going to be possible no matter
what, even if all the client does is display a video stream.

------
slightwinder
I wonder whether some day the industry will discover cloud-gaming as a
"solution" for cheating. After all, if the gamer has no access to the system,
many ways for cheating are impossible. And if you design a game around the
additional lag, it might work well enough to feed it to the masses.

~~~
SeanBoocock
I doubt anyone will pursue game streaming purely as a solution for cheating,
but it is a nice second order effect. Hosted servers are already an expensive
ongoing cost to supporting a live game and cloud streaming would magnify that
cost several times.

~~~
slightwinder
What costs? I'm talking about Google Stadia or Nvidia Now(?), which is paid by
the users, not the gaming-company. If anything, the gaming-company might even
get paid from the cloud-provider for enforcing usage of the cloud.

------
elorant
Same story two days ago:
[https://news.ycombinator.com/item?id=23102375](https://news.ycombinator.com/item?id=23102375)

How is it possible the same link can be submitted twice?

~~~
jsnell
Submitting duplicates is not impossible indefinitely, just for something like
12 hours.

(And yes, it's quite random whether even a good submission ends up on the
front page or not. But there's no point in complaining about it in the
comments. Linking to earlier submissions mostly makes sense if there's
interesting discussion there.)

~~~
elorant
I'm not complaining, just asking an honest question.

