
Ring 0 of fire: Does Riot Games’ new anti-cheat measure go too far? - kingsleyvn
https://arstechnica.com/gaming/2020/04/ring-0-of-fire-does-riot-games-new-anti-cheat-measure-go-too-far/
======
dannyw
It’s important to know that Riot Games is 100% owned by Tencent, making it a
Chinese company.

This doesn’t even mean a grand conspiracy is required. They have an office in
Shanghai, so it’s trivial for the CCP to persuade a couple employees and
leverage this as a kernel level backdoor into hundreds of millions of western
PCs.

If you think this is unfounded speculation, remember US intelligence was
accusing Kaspersky of distributing malware for Russian state backed cyber
operations just a number of years ago...

Or the recent BGP hijackings on US ranges that are transparently obvious by
China Telecom.

------
Nursie
> "This isn’t giving us any surveillance capability we didn’t already have,"
> Riot noted in its blog post (using language that isn't exactly comforting on
> its own). "If we cared about grandma’s secret recipe for the perfect
> Christmas casserole, we’d find no issue in obtaining it strictly from user-
> mode and then selling it to The Food Network."

So not only are they injecting kernel level code and running it from boot, but
they're being flippant about the level of control this gives them and
downplaying the security implications here.

This gives me serious pause, because I have work on my gaming machine too,
some of which is confidential client information, and confidential personal
information as well. It's getting to the stage that games, a distraction,
can't be trusted to be on the same machine as anything else.

~~~
Razengan
> _It's getting to the stage that games, a distraction, can't be trusted to
> be on the same machine as anything else._

The iOS/macOS sandbox, for games purchased through the App Store/Apple Arcade,
provides some degree of reassurance.

~~~
Nursie
Unfortunately the continuing spat between Apple and Nvidia, and the lack of
games available, make the Mac a path less travelled for gamers.

Which is a shame, I'd love to use it for more, but it's poorly supported.

~~~
Razengan
I've been gaming on a Mac for years. There are many Windows-only games, but I
don't really miss that operating system. Between native Mac ports and the
Nintendo Switch/3DS, my gaming needs are well covered. When there's something
I really badly want to try on Windows, I fire up CrossOver, Parallels, or Boot
Camp, in that order.

Right now the GPU in my 2019 16" MBP (5300M) seems to be good enough for
everything I want to play, and the 5500M is said to be even better. Of course
the problem remains optimization for macOS which most ported games don't have.

Apple Arcade is actually a ray of hope, even for core gamers. There's some
good stuff on it, give it a try.

Right now I'm going to remove anything Riot-related I find on my macOS
installation.

------
dfgdghdf
For those who don't know, Riot Games recently released a closed beta of
Valorant, their new game with this anti-cheat. Valorant is a direct competitor
to Valve's CS:GO, borrowing its core loop and even some of its weapons.

It's interesting to compare the two approaches to anti-cheat that the two
companies are taking here:

* Valve use VAC, an unobtrusive memory scanner in user-space with an emphasis on never having false positives.

* Valve use machine learning on game replays to detect obvious aim-bots and spin-bots

* Valve enlists the community via the "Overwatch" program to review game recordings and spot cheaters.

* Valve supports CS:GO on Linux.

* Leveraging your Steam history, Valve creates a "Trust Factor" score for every player and keeps trusted players together.

* Riot uses ring-0 scanners.

* Riot will not allow you to run Valorant in a VM.

* Riot will ban specific hardware if a cheat is detected. Beware when buying 2nd hand motherboards!

* Riot does not allow you to host your own Valorant servers (this makes hack-vs-hack servers, which some people enjoy, impossible)

I think that in the long run Valve's approach, particularly with Trust Factor,
will be proven the better of the two.

[https://www.youtube.com/watch?v=ObhK8lUfIlc](https://www.youtube.com/watch?v=ObhK8lUfIlc)

------
dang
[https://news.ycombinator.com/item?id=22855600](https://news.ycombinator.com/item?id=22855600)

[https://news.ycombinator.com/item?id=22230168](https://news.ycombinator.com/item?id=22230168)

[https://news.ycombinator.com/item?id=22870975](https://news.ycombinator.com/item?id=22870975)

------
mikkelam
Apparently, the anti-cheat system is also blocking VMs from running the game
[https://twitter.com/RiotSupport/status/1248402073269309441](https://twitter.com/RiotSupport/status/1248402073269309441)

~~~
sebazzz
I wonder if this also prevents running the game if you have Hyper-V or Hyper-V
based technologies (Windows Defender protection, Container support, WSL2)
installed. That would be a real bummer - because you can't game on your dev-
computer then.

------
wilt
It's a rootkit. Hopefully Microsoft pushes an update to remove it like they
have done for other malware like this in the past.

------
jdjrirkfkfk
Some cheats are using PCIe FPGA boards to get access to game memory totally
outside of the OS. The boards are controlled from a separate computer.

~~~
dang
Could you please stop creating accounts for every few comments you post? We
ban accounts that do that. This is in the site guidelines:
[https://news.ycombinator.com/newsguidelines.html](https://news.ycombinator.com/newsguidelines.html).

You needn't use your real name, of course, but for HN to be a community, users
need some identity for others to relate to. Otherwise we may as well have no
usernames and no community, and that would be a different kind of forum.
[https://hn.algolia.com/?query=by:dang%20community%20identity...](https://hn.algolia.com/?query=by:dang%20community%20identity&sort=byDate&dateRange=all&type=comment&storyText=false&prefix&page=0)

------
ttalle
The wonderful world of games running on your PC.

Recently I tried to get Dirt Rally 2.0 to run on my Linux gaming machine.
Apparently, according to ProtonDB [0], the solution to get it to work is
installing a fully trusted root-certificate from Codemasters on your system
(not only in the Wine/Proton environment) [1].

In case you don't know, this means Codemasters can now man-in-the-middle every
https connection from your computer. This is insane imho.

I tried to comment on that thread but they need full system information before
you can post anything on ProtonDB.

[0]:
[https://www.protondb.com/app/690790](https://www.protondb.com/app/690790)

[1]:
[https://gist.github.com/PeXArtZ/020931f0182cafe84c623b5584da...](https://gist.github.com/PeXArtZ/020931f0182cafe84c623b5584da6f9a)
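
A way to see which roots a machine trusts beyond what the distribution shipped, relevant to the system-wide root certificate described in the comment above. This is an added example, not part of the original post or the linked gist; the certificate bytes are constructed placeholders, and the Debian/Ubuntu paths in the `__main__` section are an assumption about the host.

```python
import hashlib
import re
import ssl
from pathlib import Path

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.DOTALL
)

def fingerprints(pem_text):
    """SHA-256 fingerprints (hex) of every certificate in a PEM bundle."""
    return {
        hashlib.sha256(ssl.PEM_cert_to_DER_cert(block)).hexdigest()
        for block in PEM_BLOCK.findall(pem_text)
    }

def added_roots(baseline_pem, current_pem):
    """Fingerprints trusted now that are absent from the baseline."""
    return sorted(fingerprints(current_pem) - fingerprints(baseline_pem))

# Constructed sample data: placeholder bytes stand in for real DER
# certificates, which is enough to exercise the fingerprint diff.
DISTRO_A = b"constructed placeholder: distro root A"
DISTRO_B = b"constructed placeholder: distro root B"
LOCAL_ADD = b"constructed placeholder: root installed for a game"
BASELINE = ssl.DER_cert_to_PEM_cert(DISTRO_A) + ssl.DER_cert_to_PEM_cert(DISTRO_B)
CURRENT = BASELINE + ssl.DER_cert_to_PEM_cert(LOCAL_ADD)

if __name__ == "__main__":
    print("sample diff:", added_roots(BASELINE, CURRENT))
    # Assumption: Debian/Ubuntu layout, where packaged roots live under
    # /usr/share/ca-certificates and the merged bundle that TLS clients
    # load is /etc/ssl/certs/ca-certificates.crt.
    shipped = Path("/usr/share/ca-certificates")
    merged = Path("/etc/ssl/certs/ca-certificates.crt")
    if shipped.is_dir() and merged.is_file():
        base = "\n".join(
            p.read_text(errors="ignore") for p in shipped.rglob("*.crt")
        )
        for fp in added_roots(base, merged.read_text(errors="ignore")):
            print("locally added root:", fp)
```

Any fingerprint reported on a real host is a root that was added locally and can vouch for any HTTPS site to clients using the system store.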

------
animal531
I have a problem with it, even ignoring the Chinese influence or any direct
spyware/vulnerability issues.

If it's seen as a good idea then soon everyone will want to do it and our
computers will suddenly be back in the hellscape of 00's browsers. I don't
want to know what my computer will be doing when 10 companies' kits are
actively competing with each other, the OS, anti-virus etc.

------
zaro
You know what they say about the cloud.

There is no cloud, it's simply somebody else's computer.

Welcome to the next level where even your personal computer is somebody
else's.

------
0x8BADF00D
Isn’t it trivial to defeat this type of AC? Grant your program
SeDebugPrivilege and open a handle to the AC process. Inject away. NOOP any
memory scanning routines.

~~~
akx
The... ring0 process?

~~~
0x8BADF00D
That's a good point. It will be a bit harder, but not entirely impossible.
Position independent code/memory layout will complicate any attempts to modify
the AC.

------
lollerk1
How does that work with having say 2 copies of the same OS (Win) on the same
computer? On 2 separate drives? If I have the game on one does the kernel
access affect both or just one? Obviously I'm not an expert but I actually
want to give a game a try but I'd not install just on its own as is. Apart
from buying another PC or waiting for an eventual console release I wonder what
else can be done.

~~~
pjc50
You can only have one running at once, so presumably the game simply won't run
if its kernel-level countermeasures aren't in place.

