
A Message About Vanguard From Our Security and Privacy Teams - houzi
https://www.riotgames.com/en/news/a-message-about-vanguard-from-our-security-privacy-teams
======
smoyer
Explaining your rationale doesn't change the fact that gamers (many
unwittingly) are potentially giving the keys to their computer kingdom to
Riot. This behavior on a console would be completely acceptable but unless
you're running a dedicated PC for gaming, I wouldn't install this software.

As a thought experiment, I wonder what happens when the FISA court orders Riot
to install a modified version on a suspected terrorist's computer. No need for
privilege escalation when you can just ask the user to install it at ring-0.

~~~
devit
All software that you install on the main desktop operating systems is given
the "keys to their computer kingdom": there is no privilege separation or
sandboxing, except for the "user vs root" division, which can be trivially
bypassed in countless ways (and anyway, most installers require root
privileges).

And yes, obviously you need to have a dedicated gaming PC and certainly not
install any games or any software that isn't strictly necessary on the
systems/VMs with important data.

~~~
smoyer
To some degree that's true. I keep an eye out for programs that insist on
running as root. And if someone breaches my account, they've still got to put
the work in to escalate their privilege through one of these programs.

I've also been installing more and more software into ~/bin rather than the
more traditional /opt and /usr/local/bin. I think that the trend towards
usermode software will take over in the next five years.

~~~
enitihas
Usermode software might be far more dangerous though. Any software you run on
your machine can change the files in ~/bin, and you won't know the difference.
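
One way to notice the kind of tampering enitihas describes is to keep a hash manifest of the user-writable bin directory and diff it later. The block below is an added example, not code from this thread or from Riot; the directory, the two scripts and the later changes are all constructed inside a temporary directory so it runs offline.

```python
"""Hash-manifest check for a user-writable bin directory (added example).

Anything running as the user can rewrite ~/bin without root, so the only way
to notice is to compare against a record made earlier. The directory, the
scripts in it and the later changes are all constructed inside a temp dir.
"""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List


def hash_file(path: Path) -> str:
    """SHA-256 of a file's bytes, read in chunks."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(bin_dir: Path) -> Dict[str, str]:
    """Map each regular file (relative path) under bin_dir to its digest."""
    return {
        str(p.relative_to(bin_dir)): hash_file(p)
        for p in sorted(bin_dir.rglob("*"))
        if p.is_file()
    }


def verify(bin_dir: Path, manifest: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare the directory's current state against a stored manifest."""
    current = build_manifest(bin_dir)
    return {
        "modified": sorted(f for f in manifest if f in current and current[f] != manifest[f]),
        "added": sorted(f for f in current if f not in manifest),
        "removed": sorted(f for f in manifest if f not in current),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: record a manifest, change the directory, verify."""
    with tempfile.TemporaryDirectory() as tmp:
        bin_dir = Path(tmp) / "bin"
        bin_dir.mkdir()
        (bin_dir / "deploy").write_text("#!/bin/sh\necho deploying\n")
        (bin_dir / "backup").write_text("#!/bin/sh\ntar czf backup.tgz ~/docs\n")
        manifest = build_manifest(bin_dir)

        # Later: an unprivileged process edits one script, drops a new file and
        # deletes another. No root needed, the user owns the directory.
        (bin_dir / "backup").write_text("#!/bin/sh\ntar czf backup.tgz ~/docs\n# extra line\n")
        (bin_dir / "new-tool").write_text("#!/bin/sh\necho hello\n")
        (bin_dir / "deploy").unlink()

        return verify(bin_dir, manifest)


if __name__ == "__main__":
    print(demo())
```

The check is only as good as where the manifest lives: if it sits in the same user-writable tree, the same software that edits ~/bin can rewrite the manifest too, so store it somewhere that user-level code cannot write (a root-owned path or offline media).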

------
haunter
>we wouldn’t work here if we didn’t deeply care about player trust and privacy

Bold message from a Chinese company. People freak out about Huawei but Tencent
is 1000% worse. And here they are installing a kernel driver on your PC.

~~~
hellcow
This is being downvoted, but this is an important point. The Chinese
government has repeatedly shown they'll work with Chinese companies to carry
out the government's agenda.

Do you really think that after 100M people install this kernel driver that the
Chinese government won't lean on Tencent to gain access, or use it beyond its
original purpose?

~~~
sbarre
So let me ask you a question then..

Do you feel the same way about Microsoft and Apple, and every other company
that provides a hardware driver for a modern computer, and whether state
governments (USA included) put pressure on them to let them advance their
agenda by using back doors in their drivers or software?

Why is Riot special in all this? What, in your view, makes them more likely to
be so secretly and so deeply corrupted in the manner you suggest?

Note I'm not asking you if you run MacOS or Windows.

~~~
hellcow
Your argument boils down to, "If one country has access, then every country
should have access."

I don't agree with that.

It's clear the US has backdoors. That doesn't mean it's wise to invite China
to add backdoors as well.

~~~
sbarre
I am not arguing anything, and would never say anything that ridiculous.

I just find it tedious and irrational to see people up in arms about this
contrived and unlikely scenario (a video game company is going to spy on you -
a random nobody - for a big bad foreign power), while _not_ being up in arms
about the much bigger and more likely vectors of compromise they are exposed
to constantly (like your operating system or cell phone).

But of course protecting yourself from those possibilities would require real
sacrifice and inconvenience, so let's not talk about it.

~~~
hellcow
You've thrown out two new arguments:

1. "Nobody playing this game is important enough to be spied upon."

It might surprise you to learn that some people in the military, congress, the
DoD, and even important individuals in significant companies play video games.

2. "Some vulnerabilities exist, therefore any new vulnerabilities should be
ignored or not discussed."

All vulnerabilities should be considered, especially new ones that will affect
10s or 100s of millions of people. That's why we're discussing it. Since you
find it tedious, you're free not to participate.

~~~
sbarre
I'm not sure if you lack comprehension, or if you are just really paranoid and
can only see things in absolutes, or if I'm writing poorly. But yet again
you've taken what I've written and somehow twisted it into something
ridiculous.

> It might surprise you to learn that some people in the military, congress,
> the DoD, and even important individuals in significant companies play video
> games.

Anyone in this scenario who is using the same computer to run _any_ untrusted
software (like all games) as they are using for their national security work
is already compromising themselves.

> "Some vulnerabilities exist, therefore any new vulnerabilities should be
> ignored or not discussed."

This would be a more productive conversation if you addressed my points at
face value, and made your own without twisting my words into whatever
convenient position you want to argue against. That's the part I find tedious.

Everything is degrees.. you seem to only be willing to consider extremes.

Of course if you work in a sensitive position or are a likely target of
foreign spying, you should take many more precautions. But that's not most
people, in fact that's _almost no one_, statistically speaking. So if we're
going to discuss _likely_ compromise scenarios, the risk-reward on using a
high-profile video game company as a vehicle for APT state-level actions
starts to fall into "movie plot" territory, in my opinion.

And I never said that new vulnerabilities should be ignored or not discussed.
Again, possible <> plausible.

In fact, you are basically contradicting yourself at this point because I
first brought up _way more plausible_ vulnerability scenarios (your underlying
operating system being compromised) and you dismissed that in favour of some
narrow and much more implausible scenario (a US-based video game company as a
deep-state plant for a foreign government).

Keep moving those goal posts..

------
TrueDuality
> ...some of you want to know more about the tech behind Vanguard. We can’t
> get too deep into the technical specifics without potentially compromising
> Vanguard...

That in itself tells me enough about the efficacy of the system. Security
through obscurity is only a hand wave of security. Making the trade off of all
the security architecture put in place over the past decades for something
that needs to be hidden to remain secure is a really poor value statement.

I understand why they want this in place, it does raise the level of effort on
cheating but there are other ways this can be accomplished without
compromising a user's security.

------
ds
The inherent issue with anti-cheats as compared to anti-virus software is user
intention.

A user who installs an anti-virus program wants that program to do its job and
find bad actors. The virus on the other hand is completely unwanted by both
the user and the software; its existence is threatened on all fronts.

However, an anti-cheat lives in an extremely adversarial environment. The
cheater (and the cheat) wants the cheat on their computer. As such, the user
will be willing to take extra steps to assist the cheat. This makes the
anti-cheat software in this case the 'unwanted' virus, so it has to exist in
the most hostile of environments and somehow detect programs which have higher
privileges than itself.

That said, cheating is something that will not go away. Years and years ago, I
developed with a friend of mine a completely undetectable cheat for all games
on the HL2 platform. It involved a second computer, which man-in-the-middled
all network data to the client computer. This second computer then would
display a 'radar' of where enemies were. As the anti-cheat would have no
possible way of knowing of the existence of this second computer, there was not
much they could do.

If you wanted to get more aggressive with the system above, you could have
that second computer modify outbound requests as well. So if you shoot your
gun and it would have hit the ground, it will now instead shoot an enemy in the
head. As such, even something like an aimbot is entirely possible with this
setup.

However, there is indeed an anti-cheat which can detect all known cheats and
it's basically what Valve did/does for CS:GO: allow users to report suspected
cheaters and then have the community analyze the reports. This catches all
blatant cheats, but unfortunately will never get rid of radar/ESP cheaters,
only aimbots and the like.

Honestly, it sounds to me like there is a business model in the above. Years
ago we had companies like evenbalance/punkbuster, easy anticheat, etc. which
provided software based anti-cheat systems. As you would expect, most would be
bypassed and a daily cat and mouse game would ensue. The solution imo is to
create a SaaS where you essentially provide a reporting + monitoring tool.
Users of your game can report suspected cheaters (which includes the demo file
/ vod / replay / whatever) and your trained wet-ware staff would review all
reports and take action where necessary. No invasive software necessary.
Actually, no software on the end user's computer at all would be necessary; it
is all done on another user's PC.

In fact, if someone is interested in doing the above, hit me up. Sounds like an
easy win.

~~~
lol768
> Years and years ago, I developed with a friend of mine a completely
> undetectable cheat for all games on the HL2 platform.

> It involved a second computer, which man-in-the-middled all network data to
> the client computer.

Out of interest, was there no transport level encryption to deal with here? Or
did you need to do something special to capture keys on the client?

~~~
ruialmeida
In order for your game to render other players you have to know their
position, so the game server has to send them to all players.

As an example, for CSGO in the past, the server always sent all player
positions from anywhere, so it was possible to create cheats to draw players
anywhere in the map. They changed the way it's done, coordinates are only sent
when other players are nearly visible, although distant, or close by. This
limited the way that wallhacks work, it's not possible to see where players
are from far away :)

What needs to be done is reverse engineer the communication protocol. If
encryption is made, some kind of key to decrypt has to be somewhere in your
game client. Then you can convert 3D coordinates to 2D and even draw a radar
on your smartphone if you make an app.

~~~
gpderetta
> In order for your game to render other players you have to know their
> position, so the game server has to send them to all players

I know nothing about game engines, but I have always wondered why that is the
case. The server could compute visibility and only send the opponent position
if there is a chance the player might see it. Computing visibility server side
is not cheap, but it would still be significantly cheaper than fully rendering
a scene, right?

~~~
belltaco
Riot's Fog of War for Valorant does exactly what you describe.

[https://technology.riotgames.com/news/demolishing-wallhacks-valorants-fog-war](https://technology.riotgames.com/news/demolishing-wallhacks-valorants-fog-war)
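
What gpderetta asks for and belltaco's link describes is a server-side visibility filter: the server only releases an opponent's position to a client when that client could plausibly see it. The block below is an added example of that idea, not Riot's implementation; the grid map, the Bresenham line-of-sight walk and the `margin` parameter (release a position when an open cell next to the opponent is visible, so a peek is not delayed by latency) are all constructed for this illustration.

```python
"""Server-side visibility culling (fog of war), as an added example.

The server decides which opponent positions a client may receive: an opponent
is sent only when the viewer has line of sight to the opponent's cell or to an
open cell within `margin` cells of it. Map and functions are constructed here.
"""
from typing import Dict, List, Tuple

Cell = Tuple[int, int]

# Constructed map: '#' is a wall, '.' is open floor. Two corridors joined at
# the right-hand end, so (1,1) and (5,2) are separated by one wall corner.
MAP = [
    "#######",
    "#.....#",
    "#####.#",
    "#.....#",
    "#######",
]


def in_bounds(c: Cell) -> bool:
    x, y = c
    return 0 <= y < len(MAP) and 0 <= x < len(MAP[y])


def is_open(c: Cell) -> bool:
    return in_bounds(c) and MAP[c[1]][c[0]] == "."


def line_of_sight(a: Cell, b: Cell) -> bool:
    """Bresenham walk from a to b on the grid; sight is blocked if any cell
    strictly between the endpoints is a wall."""
    (x0, y0), (x1, y1) = a, b
    dx, dy = abs(x1 - x0), -abs(y1 - y0)
    sx, sy = (1 if x0 < x1 else -1), (1 if y0 < y1 else -1)
    err = dx + dy
    x, y = x0, y0
    while (x, y) != (x1, y1):
        e2 = 2 * err
        if e2 >= dy:
            err += dy
            x += sx
        if e2 <= dx:
            err += dx
            y += sy
        if (x, y) != (x1, y1) and not is_open((x, y)):
            return False
    return True


def positions_to_send(viewer: Cell, opponents: List[Cell], margin: int = 1) -> List[Cell]:
    """Server-side filter: an opponent position is released to the viewer's
    client only if the viewer has line of sight to the opponent's cell or to an
    open cell within `margin` cells of it. Everything else stays on the server,
    so a modified client has nothing hidden to draw."""
    sent = []
    for ox, oy in opponents:
        nearby = [(ox + i, oy + j)
                  for i in range(-margin, margin + 1)
                  for j in range(-margin, margin + 1)]
        if any(is_open(c) and line_of_sight(viewer, c) for c in nearby):
            sent.append((ox, oy))
    return sent


def snapshot_for(viewer: Cell, opponents: List[Cell]) -> Dict[str, object]:
    """What a game-state update sent to this client would contain."""
    return {"you": viewer, "enemies": positions_to_send(viewer, opponents)}


if __name__ == "__main__":
    me = (1, 1)
    enemies = [(3, 1), (5, 2), (1, 3)]  # constructed positions
    print(snapshot_for(me, enemies))
```

With `margin=0` the opponent at (5,2), just around the corner, is withheld; with `margin=1` it is released because the open cell (4,1) next to it is visible, which is the trade-off between wallhack resistance and a peek that arrives a round-trip late.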

------
SpaceManNabs
I skimmed, but it seems none of this addressed why the service (edit) runs at
boot time? Also, expecting a service to not look at your data if they have
access is not security.

If Valve can mitigate hacking in CSGO without such an intrusive service, I am
sure Riot can. I, myself, did a very, very, very poor job with an autoencoder
to detect anomalous matches in Dota and caught a large amount of players
abusing the system. As far as I know, CSGO anti-cheat does involve an ML
component.

My point is that a non-intrusive anti-cheat, advanced analytics, and tracking
of user feedback go a long way.

Ofc, none of this matters. If the playerbase actually cared, they'd boycott or
stay away. And I cannot remember the last time gamers ran a successful boycott
campaign.

edit: Also read that uninstalling the game will not always uninstall the ring
0 anti-cheat. I can't verify since I would never install this on my system,
but for what it is worth: that is terrible IF true.

~~~
houzi
Hackers in standard CSGO games are rampant from what I understand.

Serious players pay extra to queue up in a dedicated service for high tickrate
servers and anti-cheats which I believe are rootkits as well.. not sure about
any of this though.

~~~
SpaceManNabs
Rampant years ago. It took a long time to get where it is now. There are still
cheaters here and there, but that is to be expected, and relatively rare in my
experience.

~~~
Draiken
It is absolutely still rampant. I could count at least 5 cheater encounters in
the last 30 days (blatant cheaters, btw).

They try their best to isolate cheaters with a "trust factor" system but the
reality is, unless you pay an external service with their own anti-cheat
software (that's probably as bad as Valorant's) you will get a high amount of
cheaters.

Given they have zero transparency on the trust factor system, I could have a
lower factor than you (I definitely rage too much), so because of it I see
them more often. But there's no way to know if I'm in the cheater bubble, or
you're in the no-cheater bubble.

~~~
SpaceManNabs
I agree that it could be more transparent. I haven't faced a single suspicious
player in quite some time (and similar with my friends that I talked to about
this since this came up). Sorry that your experience is worse. Player
"toxicity" should not be involved in this since it might be used as a proxy.

------
swiley
League of legends is a real pain in the ass to play even when you’re doing
everything right. Personally I don’t even like the game, it’s just popular so
I played it to hang out with friends. The way their launcher handles updates
is crazy inefficient and so it always takes _hours_ to launch if it launches
at all. It also runs terribly in wine.

~~~
danaris
...Hours? The longest update I've ever had for League of Legends (in the ~6
years I've been playing casually) is about 20 minutes. And I'm on Mac—not
exactly the high-priority platform for them.

Since they changed their launcher system a few months ago, it's been unusual
to have to wait more than ~2 minutes for a new patch.

~~~
swiley
That's true if you update often.

If you're like me and only played occasionally the updates would build up and
take very long.

------
quezzle
Whenever I hear/read lots of words about how secure something is and how
strong their commitment to security is, I think “they don’t know what they
don’t know”.

~~~
smoyer
We should all admit that we don't know what we don't know. But the default
behavior afterwards should be to assume that the software/system is insecure,
fixing the defects we can find and surrounding it by rings of moats
(defense-in-depth). When you don't know what you don't know and then declare
it to be secure, there's an extra layer of indirection and perhaps a bit of
hubris.

------
davidw
I was concerned about the index funds for a moment...

------
ruialmeida
This will always be a cat and mouse game. Some anti-cheat software is more
intrusive than others. Even Valve Anti-Cheat (VAC), which is considered by
many to not be very intrusive, used to intercept DNS queries to detect
communication with paid cheats' DRM.

Most anti-cheats also scan all processes' memory and even files to detect
known cheat signatures. They tend to run with high privileges and some take in-
game screenshots for analysis. Basically they have permissions to do anything
and receive silent updates.

I wonder if statistical methods to detect cheaters result in too many false
positives.

~~~
blattimwind
> Even Valve Anti-Cheat (VAC) which is considered by many to not be very
> intrusive, used to intercept DNS queries to detect communication with paid
> cheats DRM.

I was surprised hearing this. It seems like what they actually did was if VAC
already found something, it checked the hashes of the contents of the DNS
cache against a list as a second check. That's quite a bit different from
"intercepting DNS queries".

Overall VAC always made a reasonable impression on me as far as privacy and
security are concerned (no SYSTEM services, no kernel driver, no screenshots,
no scanning and uploading random files etc.), although this non-intrusive
approach naturally limits the kinds of cheats it is able to discover. I feel
like the approach taken by Valve is, on the whole, well balanced.

Source: [https://www.pcgameshardware.de/Steam-Software-69900/Specials/Steam-VAC-soll-DNS-Cache-ausspionieren-1109977/](https://www.pcgameshardware.de/Steam-Software-69900/Specials/Steam-VAC-soll-DNS-Cache-ausspionieren-1109977/)

~~~
ruialmeida
Yes, thanks for clearing up the intercept part, I didn't remember how they did
it exactly. They do make the right decisions in my opinion to balance
security/privacy issues at the cost of less ability to detect cheats. I think
they also have a pretty good record of not banning innocent people.

------
dsr_
If people want to play games in anti-cheat environments, the only sensible
solution I can see involves the reinvention of the cartridge.

In this case, make the cartridge a bootable SSD which entirely avoids touching
any other disk in the system (perhaps with the exception of an SD card or USB
storage stick for saves.)

The downsides include:

- the game company now has to ship a complete OS and do hardware support.
They nearly have to do that anyway, so whatever.

- you'll need to reboot your computer for each game.

The upsides, I think, are obvious.

~~~
sbarre
The other option that is touted a lot is cloud gaming, with services like
Stadia.

There are outstanding issues to resolve there, like input lag and visual
fidelity, but it certainly removes the ability to cheat at the system level by
hooking into game processes and memory.

Aimbots would still be theoretically possible through MITM video feed
analysis (as has been speculated) but that would also work in your cartridge
scenario.

------
maallooc
yeah, a Chinese company will gain root on your PC to stop you from tampering
with memory but it's totally fine guys don't worry

------
emagdnim2100
Potentially dumb question: how do cheats even work in a game like LOL? I
understand aimbots in a FPS and how they can give a pure mechanical advantage,
but the LOL equivalent isn’t obvious to me. Does the client have access to
data that’s not supposed to be exposed to the player?

~~~
kleinsch
Aimbots work in LoL too, there are champs that are balanced around lots of
skill shots (Xerath) who you’d see hitting every single shot all game. There’s
also a lot of scripting, both for account leveling or just to automate boring
parts of the game. You’d see people afk playing their lane for 20 mins and not
responding to anything happening in the game, then suddenly running into the
other team for a big fight.

------
Youden
As someone who mainly deals with web services, this all seems really weird to
me. I was told from very early on "never trust the client". There was a lot of
emphasis on server-side validation; client-side validation was only ever for
UX, e.g. highlighting the field in red instead of making the user submit the
form first.

Reading through this, it seems the game development world is doing the exact
opposite and pushing all the "security" measures to the client. Is that
incorrect? If it's correct, does anybody have any idea why?

~~~
banachtarski
You’re a bit out of your depth. Of course “trust the server” is preferred but
many forms of cheats are purely client side. For example an aimbot that
steadies your cursor on someone’s head or dodges automatically when a
projectile is inbound. Maybe the client hijacks the UI to hide terrain and
walls.

I’m not saying what valorant has done here is right, there are other things
you can do. But you’re oversimplifying the problem.

~~~
Youden
I understand that but it feels like there's a lot of focus on client-side
anti-cheat while cheats that should be trivially detected server-side still
exist (like flying through the air in a game where that shouldn't be
possible).

Plus, there seems to be a lot of focus on client-side anti-cheat when a lot of
it could be addressed server-side:

> For example an aimbot that steadies your cursor on someone’s head or dodges
> automatically when a projectile is inbound.

This sounds like a similar problem to "like" fraud and things like that.
Couldn't it be addressed by measuring the number of incidents? If someone is
able to headshot or dodge at an abnormal/superhuman level, that can be
detected server-side and the user banned (or flagged for human review).

> Maybe the client hijacks the UI to hide terrain and walls.

Someone mentioned a solution for this elsewhere in the thread: don't send
positions of important resources to the client if it doesn't need them. Keep
the client about as blind as the player.

And again, you should be able to detect this server-side. If somebody has an
abnormally high kill-rate for enemies coming around a corner, flag them for
review.

~~~
banachtarski
Humans can and do in fact do all the things you suggest. False positives are
generally to be avoided, and mitigations for reverse engineering are still
required (anti debuggers, anti dll injection measures).

All the stuff mentioned like not sending positions of people who aren’t
visible are typically already done, but sometimes the position is needed for
reasons you don’t understand. Like some gameplay ability to suddenly see
through walls, etc.

This thread just has a lot of backseat programming.

I think I would find your post a little less irksome if you approached it from
a neutral questioning tone as opposed to “what about these obvious things
every junior engineer learns” :/

~~~
Youden
I'm not trying to condescend or be a backseat programmer, I apologize if my
tone suggested otherwise. I know that I have no idea what I'm talking about
and I know that there are plenty of competent game developers in the industry.

The problem is that I don't know what I don't know, so I can't directly ask
it. The best thing I can do is to present the flawed results of my current
understanding so that somebody more knowledgeable (such as yourself) can tear
them apart and show me what it is that I'm missing.

> False positives are generally to be avoided

This sounds like the biggest difference to me. Generally in my limited
experience in handling abuse on web platforms, the value of a single user is
so low that a false positive doesn't really matter too much.

I suppose when it comes to games, each user represents a ~$60 investment and
potentially a lot of time and emotional investment, so a false positive can't
be so easily tolerated and there's an incentive to go to extreme ends (like
intense client-side validation) that wouldn't make sense for say Twitter
likes.

------
kerng
Also worth highlighting, Riot Games belongs to Tencent.

------
butz
Considering that the client will always find a way to cheat, isn't it more
logical to do all anti-cheat detection on the server side? Gather data from
trusted players during the closed beta test and after launch just look for
abnormalities in the data coming from clients.
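
Youden's suggestion of measuring superhuman headshot or dodge rates server-side, banachtarski's point that false positives must be avoided, and butz's idea of a baseline gathered from trusted players fit together into one scorer. The block below is an added example of that combination and is not Riot's or Valve's code: the trusted cohort, the candidate players, `MIN_SHOTS` and `ALPHA` are all constructed for the illustration, and the outcome is a flag for human review rather than a ban.

```python
"""Server-side anomaly scoring of per-player headshot rates (added example).

Baseline: pooled headshot rate of a trusted cohort. Each candidate's count is
compared to it with an exact binomial tail test; a minimum sample size and a
multiple-comparison correction keep false positives rare; the result is a
review flag, not a ban. All players, counts and thresholds are constructed.
"""
import math
from typing import Dict, List, Tuple

Record = Tuple[int, int]  # (headshots, shots)

MIN_SHOTS = 200   # assumption: below this the sample is too small to judge
ALPHA = 1e-4      # assumption: family-wise false-positive budget per run

# Constructed trusted cohort (e.g. closed-beta players): pooled rate ~0.201.
TRUSTED: List[Record] = [(180, 1000), (210, 1000), (195, 900), (160, 800), (220, 1100)]

# Constructed candidates: a normal player, a superhuman one, and a tiny sample.
CANDIDATES: Dict[str, Record] = {
    "alice": (205, 1000),
    "bob": (600, 1000),
    "carol": (9, 10),
}


def baseline_rate(trusted: List[Record]) -> float:
    """Pooled headshot probability of the players we have reason to trust."""
    hs = sum(h for h, _ in trusted)
    shots = sum(s for _, s in trusted)
    return hs / shots


def binom_tail(k: int, n: int, p: float) -> float:
    """P(X >= k) for X ~ Binomial(n, p), each term computed in log space so
    large n does not overflow math.comb or underflow p**k."""
    total = 0.0
    log_p, log_q = math.log(p), math.log1p(-p)
    for i in range(k, n + 1):
        log_pmf = (math.lgamma(n + 1) - math.lgamma(i + 1) - math.lgamma(n - i + 1)
                   + i * log_p + (n - i) * log_q)
        total += math.exp(log_pmf)
    return min(total, 1.0)


def score_players(trusted: List[Record], candidates: Dict[str, Record]) -> Dict[str, str]:
    """Return 'clear', 'review' or 'insufficient_data' per candidate. Carol's
    90% on ten shots is extreme but never reaches the test: a small sample is
    exactly where a rare lucky streak would produce a false positive."""
    p0 = baseline_rate(trusted)
    threshold = ALPHA / max(len(candidates), 1)  # Bonferroni correction
    verdicts = {}
    for name, (hs, shots) in candidates.items():
        if shots < MIN_SHOTS:
            verdicts[name] = "insufficient_data"
            continue
        p_value = binom_tail(hs, shots, p0)
        verdicts[name] = "review" if p_value < threshold else "clear"
    return verdicts


if __name__ == "__main__":
    print(f"baseline headshot rate: {baseline_rate(TRUSTED):.3f}")
    print(score_players(TRUSTED, CANDIDATES))
```

The same shape works for any per-action rate the server already observes (dodges, corner kills): keep the baseline from players you trust, test against it with a sample-size gate and a corrected threshold, and route hits to a human reviewer so a single unlucky streak never costs someone their account.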

------
lidHanteyk
Folks should build alternative clients for Riot's games. Riot has demonstrated
that they should not be trusted to write clients.

~~~
sk0g
That is a lot more effort than re-building the game, isn't it?

At that point, just make your own game, or easier yet, play another one.

~~~
learc83
I don't think it's a feasible plan, but there's probably some demand for that
specific solution--people have friends who play Riot games, so they want the
ability to play those specific games without the invasive anti-cheating
software.

