One thing that may surprise HN readers is the widespread support some of these tactics have among the gaming community. I distinctly remember Shroud (a popular Twitch streamer and former CS:GO professional) asking for this (for PUBG) in 2018. I remember Chocotaco (another popular Twitch streamer) voicing support for South Korean laws[1] that criminalize cheating in video games.
It's harder to quantify support among typical players, but I imagine it's much higher than we might expect. People really hate cheating in videogames.
Criminalizing cheating in a game is insanity and I am shocked and appalled that this idea has so many supportive comments here. Here in the civilized world we should only be criminalizing conduct that causes actual harm. Not conduct that causes occasional frustration. What’s next? Shall we send the slippery fingered Monopoly Banker to actual jail, too? We’re talking about a game FFS.
Cheating in professional sports sometimes gets addressed by Congress, and that, too, is cheating in a game.
While I don’t think we should be putting cheaters in jail, I wish bans could stick harder, even across games. VAC does this to a certain extent, but only for some games. A shared database of cheaters that companies could use would be nice, but of course the sticking point is identity.
The current setup is a bit like if getting DUI’s only suspended your driver’s license in the particular town or stretch of highway where you got the DUI, and you were free to continue driving anywhere else.
And are there going to be any limits to this? If you cheat on a game when you're 13 by downloading some aimbot and get caught should you still be banned from all gaming when you turn 50? And will there be any kind of halfway transparent appeals process or is this going to work like all the other corporate run Kafkaesque bans we see every other day on HN?
I may be wrong, but I believe South Korea has a centralized identity system that game companies use so this kind of thing can be tracked and enforced. I wouldn't be against a similar system being used in the USA.
Yes - all players in SK essentially require identity verification. Using other's is a crime. Cheating is generally not directly prosecuted, but in other part of fraud/gang activity such as illegal match fixing, betting, fraudulent gains (tournaments), etc.
At least in the US I cannot think of any cheats that don't violate the CFAA/DMCA.
I wouldn’t be either, except that IIRC in South Korea you use your social security number, and I don’t imagine Americans (or other Westerners) will be comfortable with handing that over to gaming companies.
At the highest level of play, players who cheat to gain and advantage could be causing actual financial harm to others. The professional scenes of these games involve non-trivial amounts of money.
The sad thing is that in the professional scene you have a lot of players who are legitimately very good, but who still use the cheats to gain an edge.
The solutions to these problems are mercurial and at some point unless you get the players in one physical space with controlled/organizer supplied hardware it’s impossible to keep things clean but it is a real problem and it has real consequences for players who compete at that level.
But imagine if someone built purpose-built software for causing traffic jams, and a large community of regular users make traffic jams 5 times more common than they used to be. I don't say this out of any personal animus, I don't drive very often myself, but I think it would be reasonable to start talking about criminal penalties. At some point you have to be able to defend the commons, no?
>But imagine if someone built purpose-built software for causing traffic jams, and a large community of regular users make traffic jams 5 times more common than they used to be.
What's the difference between that and someone who simply drives bad/slow? Do they get a pass because it doesn't have "purpose-built software"? Or is it because they're not acting as a group? If cheaters are not acting in a coordinated way, do they get a free pass as well?
I haven't seen excessive coupon use banned, but I actually have seen a store make that person wait until the rest of the shoppers cleared the line. Very satisfying.
I’m a gamer. I value my time a lot. I hate cheaters. But I don’t think anyone’s civil liberties should be curtailed because they cheat in a game. And if we’re all going to be so outraged by people wasting gamers’ time then 95% of mobile games would be criminal.
Do you want to fine people for cheating? Whatever. But branding someone a criminal (for life!) over a game is ridiculous.
If wasting people's time is a crime, pretty much every advertiser and marketer in existence is commiting a crime.... Actually I might be able to get behind this idea.
In the federal US courts it's usually defined like this:
(A) General Rule.—Subject to the exclusions in subdivision (D), loss is the greater of actual loss or intended loss.
(i) Actual Loss.—“Actual loss” means the reasonably foreseeable pecuniary harm that resulted from the offense.
(ii) Intended Loss.—“Intended loss” (I) means the pecuniary harm that the defendant purposely sought to inflict; and (II) includes intended pecuniary harm that would have been impossible or unlikely to occur (e.g., as in a government sting operation, or an insurance fraud in which the claim exceeded the insured value).
I was thinking about this too, given recent events like Titanfall being pulled from sale due to the rampant cheating (which also led to many players abandoning the game before, leading to very low sales).
People cheating (and especially people making and selling cheats) cause actual harm to the publisher of the game for starters, by making the game worse for all legitimate players.
World of warcraft at some point reached a required level of farming where it was assumed that you needed a bot to just participate in endgame content (lot of material to gather and side quests), or devote your entire life (16 hours) to repetitive actions.
How you manage that?
What about cheating in single player in games that do have also a multiplayer components?
How about monster hunter, many people cheated in that game because the end game farming is unsustainable, however once the equipment is cheated, it's possible to play and really enjoy the endgame content.
It would be so detrimental to ban cheating.
There are games that are made with cheating presumed (e. g. Ultima online)
I'm not advocating criminalizing it, but it is essentially fraud in some contexts, especially where there's direct or indirect compensation for the players.
I don't know. I think disturbing the peace laws are generally reasonable, which essentially boils down to the same thing. You don't have a right to annoy others for your own entertainment.
Criminalizing (i.e. permanent record, can't ever take certain jobs) is probably to far i 99.99% of the cases.
Fining people who keeps on annoying others in a public context for no good reason (e.g. only for their own amusement) should be fine either they cheat in games, keep people awake at night by playing loud music in streets where this isn't common, harass kids playing on the playground etc etc.
Cheating in a video game does cause actual harm. And there are plenty of analogous actions that would be criminal in real life. For example if some dude came and interfered with your tennis game every week, that would be harassment and probably trespassing, even if the only thing that person did was to interfere with your tennis game.
You only cheat because you suck and that's the only way you enjoy the game. It takes time to get into the gaming flow, and enjoy the pastime, and cheating ruins this investment.
When I pay $100 for a game, and cheaters make me stop playing, I have been harmed with a wasted $100 plus hours of frustration. If you're too shallow and emotionally unintelligent to pick this arithmetic up, it's on you I guess.
I think most people don't fully understand the implications of things like this - it's not obvious in normal usage, so how would they? Cheating in online games is salient, but if you told the average person they had a program running on their computer, I imagine their answer would be "so?"
But if it was clearly pointed out in the OS, and the OS said something along the lines of:
"Riot anti-cheat is running in the background. This program may monitor all of your activity on this computer and track your physical location while you use your computer."
> This program may monitor all of your activity on this computer and track your physical location while you use your computer.
This is just disingenuous.
If you are talking about what could technically be done, then sure, they could do that. But if they wanted to own your machine then they technically could do it the moment you installed any software that they provided regardless of what it says in the EULA.
So then you must be talking about what they are legally allowed to do. And guess what, they also have a privacy policy that limits what information they are allowed to collect and for what purpose they may collect it. Them carving out the legal ability to run programs on your machine for anti-cheat purposes doesn't change any of that.
Now I'm not saying you might not have other reasons for not wanting to run their crap on your machine (I certainly don't want it either) but this here is just FUD and not a good argument.
>If you are talking about what could technically be done, then sure, they could do that. But if they wanted to own your machine then they technically could do it the moment you installed any software that they provided regardless of what it says in the EULA.
Yes, I am talking about what could technically be done, not what could legally be done. That's the only thing the OS is in a position to know about.
Yes, they technically could do all of this the moment you install any software, on current desktop OSes. Don't you think that's a problem? Is that the best we can do for OS security?
You said earlier:
> I think most people don't fully understand the implications of things like this
The "things like this" of which you speak were presumably to do with the topic at hand, which is a legal text.
You didn't provide any reason to suspect that your complaint was generally about OS security. But sure. It would be great if desktop OSes were capability based.
It just doesn't seem relevant to the issue at hand.
It's relevant insofar as granting a program that level of access in a capability based OS would be the exception, not the norm.
Today's OSes aren't in a position to make such a statement at all as they don't keep such tight control over a program's authority. But in a capability based OS, it would be - so a program that's in a position to monitor all your activity on your computer can be easily called out as such.
In other words, the notifications I mentioned that I'd like to see are only really practical in a capability-style system.
Caveat emptor allows me to assume the worst. Plus nobody is actually reading the EULAs every month to find the legalese clause that allows them to collect and sell even more of your data.
Yeah, although wrongly. The "may" there is a bit of a weasel word. Literally, it only indicates possibility, but lay-people read "may" as indicating probability. To a nerd, whether something is technically possible is interesting, but what ordinary folks want to know is whether Riot is likely to be acting against their interests (i.e. selling location or activity information to third parties, vs. simply conducting whatever monitoring they deem necessary to ensure cheats are not being deployed).
That type of language is up front and center every time you get a UAC prompt in Windows. Doesn't seem to do much. You'd really need to put the message forward, far more so than is warranted by any probability of actual harm, to get 99% of users to feel anything about it one way or another.
> This program may monitor all of your activity on this computer and track your physical location while you use your computer.
What incentive would they have to do that? They currently are making ridiculous amounts of money and you think they're going to risk all of that to know trivial details about you? Most people aren't that interesting and the information that could be obtained is worth far, far less than the money they make by keeping their player base happy.
A remote exploit in Vanguard is a much more reasonable concern.
"They currently are making ridiculous amounts of money and you think they're going to risk all of that to know trivial details about you?"
I hear this argument for the unlikelihood of corporate malfeasance all the time.
But look all throughout history and you'll see countless examples of very rich and powerful people and corporations taking extreme risks, including doing massively illegal things or risking consumer outrage and loss of good will.
It doesn't help that the real-world consequences of such acts are often just slaps on the wrist, no matter how illegal/immoral/reputation-trashing the acts might be. Very rarely do the rich and powerful suffer severe personal consequences... usually they can buy their way out or exit with a big bonus and just get hired somewhere else that's happy to turn a blind eye to their past (or might even prefer to work with sleazy/corrupt types)... and the public's memory is short.
I don’t think anyone is suggesting Riot would do anything underhanded.
Ironically, the idea that only Riot will ever be able to leverage the capabilities of this software service is probably why many don’t mind running it.
Unfortunately, that idea is flawed for the much the same reason the idea of backdooring encryption algorithms is flawed.
> Ironically, the idea that only Riot will ever be able to leverage the capabilities of this software service is probably why many don’t mind running it.
Just wait until someone finds a vulnerability in Riot's anti-cheat software and abuses it for more sinister purposes. No software is ever completely bug-free.
Some of the most profitable companies in the world today are in the business of collecting seemingly menial metadata about you, creating a profile, and leveraging/selling it.
I actually have no problem with criminalizing cheating to some extent, I’m not actually sure you need new laws for that since it should fall under existing computer misuse legislation and arguably you can also make a case for harassment and public nuisance.
Even without it being a full on felony in jurisdictions that have that distinction it should expose you to civil suits because you are degrading a service and costing the company money.
If you break into a paintball arena for example and start running around shooting everyone with your own gun you probably will get the cops called on you and they’ll drag you out and charge you with something.
And heck even without breaking in if you simply disregard the rules and don’t leave when asked the cops will be called.
That said you can support all of this without supporting being forced to install root kits and handing over the control of your devices to the game developer or publisher. The same goes for DRM, I honestly don’t see a problem if someone goes to jail for piracy I do care when companies use terrible DRM to protect their products.
> On the other hand I would welcome hazard game regulations for all games with lottery ticket like products for sale, like "loot boxes".
...especially with all the YouTube advertising. I see advertisements for these (what is essentially) gambling games quite frequently on YouTube. "One free spin if you use code XXXXX, guys! Go download it now!" type of stuff. They obviously get a kickback from these ads.
The audience for these types of channels are mostly going to be young / teenage boys. They know exactly what they're doing, and personally I find it despicable and harrowing that YouTube entertain this.
Try Googling "gachapon" to get an idea of how bad the epidemic is globally. These games have existed for a good while in Japan and China, and their sole purpose is to extract value out of people with obvious impulse problems (in both the real-life and digital incarnations). It's really just the abuse of capitalism driven to it's extremes; game companies will go "whale hunting" to try and create situations where limited-time assets can only be acquired through insane spending, and repeat it until their users either quit or run out of money. Seeing all this talk of incorporating Web3 into everything only makes me afraid of our gacha-ized future.
>If it is criminal to cheat it is not a game anymore.
It never has been a game in the sense you're implying here, that's to say as an informal arrangement, you're literally signing a TOS for a piece of software you're going to use abiding by some rules, it just happens to be a 'videogame'.
And I don't just mean it it in a pedantic sense, but a lot of these games involve money, either by paying for the game or by paying for content, not just gambling, and if someone ruins a product you paid for that's pretty bad.
I'm not sure concerning the details in regards to minors, but terms of service are legally binding contracts, although enforcement depends on the details of any given contract. Terms of service lawsuits absolutely do exist, both by companies as well as by customers. You may remember the George Hotz / Sony lawsuit over jailbreaking the playstation.
> But it is in no way worse to cheat in eg. Fortnite than in a board game like Monopoly.
If you cheat in Monopoly, I can simply not play with you anymore. This is not true of Fortnite. You also have the potential to impact a much higher number of people cheating in Fortnite.
I’m pretty sure it’s already criminal to use “hacks” to cheat. Abuse of game mechanics shouldn’t fall under that, tho I have no issue with banning people who do it knowingly and repeatedly after it’s been made clear it’s not an intended mechanic.
We do (try) prevent cheating in sports and other games and ban players and in fact whole countries for cheating.
Try cheating in a casino for example, card counting may get you thrown out, hacking a slot machine would land you in jail.
Loot boxes are another issue they should be regulated as gambling I have no issue with thst.
>I’m pretty sure it’s already criminal to use “hacks” to cheat
Server-side yes...client-side NO. You can do with you computer and the software running on it ~whatever you want...and you can throw TOS is the bin...TOS are not laws, more like unsigned contracts.
I'm okay with criminal laws that punish people for cheating in games that have cash prizes but I really don't want to see that applied to everyday games.
Let's so for old times sake I organize a lanparty with my friends from HS and during this event someone decides to turn on no clip to surprise their friends. Should this be criminal?
> But then if you cheat in a tournament where there are hundreds of thousands of $$$ at stake, jail time might be appropriate.
Please no. I mean athletes are not thrown in jail for doping in most places. If cheating are to be illegal, it needs gambling regulation and supervision, even if just for pros. And I don't think that would end well.
If you paid to attend an event and someone was disrupting it are you happy with the venue calling the police to come and deal with them so the event can resume?
>If you break into a paintball arena for example and start running around shooting everyone with your own gun you probably will get the cops called on you and they’ll drag you out and charge you with something.
"your own gun" meaning a gun that fires bullets, or a paintball gun that's more powerful than that's allowed by regulations? If it's the former the police would be dragging you away because you're literally putting holes in people, but the latter case I'm skeptical they'll do anything. Are they going to arrest a competition bicyclist when they find out that they had a hidden motor in their bike?
One could warn them to stop using their own equipment and then tell them to leave. If they don't, then you might start thinking about calling it Trespassing.
Right, but even in that circumstance I doubt the police (or any part of the justice system) is going to punish you for it. At worst you'll be asked to leave and the police will only show up if you refuse to do so. You're not allowed to bring your own snacks/beverages at a movie theater either, but the police isn't going to arrest you for it unless you refuse to leave.
Do you know how many unintended consequences that criminalizing cheating in video games are going to have? Many, many things can be defined as though it is a "game" or even a "video game".
This is such a terrible policy decision, that I very much hope that no old fart in the US house or Senate ever has this idea. I worry every time that AOC plays league because she may run into the xearth scripter who causes here to have this very same "insight".
Again I stated that I don’t think new legislation is required computer misuse acts and civil litigation is more than adequate currently, ban cheaters find a way to issue a restraining order to prevent them from using your service and if they disobey it they are facing contempt which is a criminal offense.
For the people that make money off selling cheats and or are disrupting the service at scale current laws that cover computer misuse should be sufficient.
I am perfectly happy to have the book thrown at someone who hacks say a Minecraft server to fuck with someone just as I’m happy to see someone who breaks into someones property and ransacks it.
Computer misuse, trespassing, public nuisance and property damage are already criminal offenses.
Cheating in an online video game can easily fall into one or more of those categories.
I'm a game developer; the demand from players for these measures is loud and persistent.
The thing is that they're reasonably effective tools, and the harm, pain and misery caused by griefers and cheaters is real and widespread.
And there's not really much of a technical alternative; the only other response to something like an aimbot is to design such that good aim isn't an advantage, and now you have a totally different game.
Another thing that may surprise HN readers is people are willing to pay for a stronger os level anti-cheat. When I used to play CS:GO a lot of higher level players would play on ESEA [1] or FACEIT [2] specifically because they had better cheat detection. Essentially an anti cheat, ladder, and matchmaking service provided by a 3rd party for a subscription.
"I distinctly remember Shroud (a popular Twitch streamer and former CS:GO professional) asking for this (for PUBG) in 2018. I remember Chocotaco (another popular Twitch streamer) voicing support for South Korean laws[1] that criminalize cheating in video games."
And what are the 99.9999% other players' opinion on this approach? Surely their collective voices weigh heavier than those of a handful celebrities.
It's hard to overemphasize how weird the gamer threat model is compared to the average HN user's threat model. Another example: Peer to peer chat is considered less secure than something mediated by a server regardless of other features, because the threat model is "my opponent finds my IP and DDOSes me" rather than "the chat provider does something like publish my messages".
Too many people have a thought process that is along the lines of "[Bad thing] happens? They should make a law against that." That's the end of it, to them. They're not necessarily thinking about the Nth order effects that that their approach would have on society.
It's really the middle school teacher approach to cheating. It's also fascinating to see the sentiment difference between online gaming and remote education. Not that proctor malware isn't worse, it is, but that the arguments in this thread would have been aggressively downvoted in those other threads.
True, no one wants that. It's an entirely unsurprising sentiment, really. But it's in no way whatsoever mutually exclusive with disliking this specific approach.
Most people in the gaming communnity don't think about the implications of software like this. They just see it as more effective anti-cheat and don't consider the security and privacy concerns that come with something like this
They think about the implications, and have accurately judged the risk to be worth it. Riot games isn't going to steal your banking info, your nudes, or your super-secret startup idea. It's not going to post pictures of MAGA hats on your facebook, and it's not going to take over your web browser. It's not going to drone strike your location, or kidnap you into a concentration camp because you're ______. It doesn't have the power of pit and gallows over you.
If you're being repressed, what you have is a political problem, not a technological one. If you're being robbed, you should probably only install binary blobs that come from
legitimate enterprises.
The implication of this software isn't that Riot is going to steal your banking info. What would they possibly do with it? They're a legit business. They can't just starting selling bank credentials or billing people randomly. There's potentially lots of less sensitive information that most people would consider "not Riot's business" that they can get at with this software. Will they? probably not. It's how much do you trust Riot.
And none of that even begins to address the security concerns of having software running with elevated privileges.
I'm not saying it isn't worth it to some people or that it's unreasonable to decide that it is worth it. I'm saying most people don't understand or consider the implications.
> And none of that even begins to address the security concerns of having software running with elevated privileges.
Laymen are even more paranoid about it than techies. Most people incorrectly assume that a malicious program can do just as much damage to your system as a rootkit. They are already willing to accept the maximum possible risk, just from installing a binary blob.
But unlike techies, they spend less time wargaming all the ways in which vendors of these programs seek to wrong them.
This doesn't make them ignorant - at least, it doesn't make them ignorant in the way that you imply.
I was intrigued by this, because I always wonder if people who are calling for death or life imprisonments in the heat of the moment will think better when they are considering an issue in a relative state of calm.
I did a quick survey of Reddit threads that had to do with cheating criminalization itself, rather than people commenting on instances of people being caught cheating. Fortunately the vast majority of upvoted comments (besides jokey commentary) are anti criminalization. Representative highly upvoted comments: "Cheating is shit and shows no integrity but making it a crime in online gaming?... Idk man..." Or: "This is asinine, I have NEVER been in a game with a hacker and thought that they deserved to be in the same place as a rapist or murderer." I think you'll find a lot of in-the-moment raging over hackers, but when people are considering it as an issue they are more cautious.
But it could also be that different populations are interacting with different types of topics.
Caution: extremely unscientific five minute study above :)
> The point is that the celebrities' opinions are to an extent representative of the communities within which they are famous.
I think there's no particular reason to assume that the loudest and best-known voices in a community reflect the view of the broader community. (That's not to say anything about whether it's true here, just that I think it's far from a given, and, if true, is an additional data point rather than a consequence.)
If you are a professional gamer then of course you’re going to hate cheats. It’s no different to professional athletes hating peers who take performance enhancing drugs.
If your money and reputation comes from you being good at something, you’re going to dislike people who cheat.
Edit (for clarity): the more senior you are in a sport, the more likely you are to support invasive countermeasures compared to hobbyists.
You say that like amateur athletes think more highly of cheaters. I'd say almost anyone would be unhappy about competing against opponents who don't play fairly
I mean, players' standard advice for modding and such is: download this executable mentioned in a forum post off some janky site or a filesharing service, disable the antivirus, run the thing with administrator privileges. Older people tend to see those who grew up in 2000-10s as proficient in computing, but I'm now sure that gamers' understanding of security is on the level of the famed “where's the ‘any’ key” secretary.
Checksums for the linked files on our site dedicated to mod sharing? Dunno what you're talking about.
I would definitely support criminalizing cheating in video games. I also do not view Riot's running programs at times other than when I am playing in a negative light. What is the threat model? I've already let them own my computer via their rootkit, and their incentives are largely aligned with mine. Why should it matter when exactly their programs run?
It is apparent that many modern anticheat mechanisms are almost indistinguishable from root kits, which may pose additional security risks of their own.
Realistically, as potential consumers of those products, is there anything we can do to make a meaningful change for the positive? Education and raising awareness can only do so much...
not really, the vast majority of players care far more about having less cheaters than they do giving Riot/Activision etc higher levels of access. Personally I play on consoles for the most part to avoid having to install things like Riot Vanguard and whatever the new Call of Duty anti cheat is called.
I hope so. The Ubisoft terms of service lets them read your browsing history and the doom tos lets them search for medical records and sell what they find
Unfortunately, this only applies to single player games/indies/etc.
Almost every major game installs a rootkit of some sort. The only one I can think of that doesn't is FFXIV, but they do fingerprint your devices somewhat aggressively.
One thing to remember, is just like AV's, it's the norm for them to literally upload random archives, documents and whatever else to "Scan". There's a reason pretty much every Anglo country doesn't recommend Kaspersky for this reason. It makes you wonder the risk of China owning 100 % of Riot and the data gathering potentials. And since it's the standard industry practice, the American engineers won't even blink an eye when designing it. It's truly a national security and IP risk that alot of people don't realize.
Now I will say as someone who makes tools for and reverses their products(All in fairy land in the kingdom of tacobell in my dreams). They have pretty unobtrusive anticheat in League of Legends and mainly only hammer a whitelist. For example if you install Itunes, they will get really obtrusive with anything related to Bonjour. As well as with anything that injects into the module list.
With Vanguard, they get EXTREMELY intrusive and scan network drives, and I found VM memory pages being scanned, but i'm unsure if it's intentional or not as I didn't go to deep into it, since I don't really play shooters and mainly did it as a quick audit, unlike League of Legends. They do shut it off when you say shut it off though.
EDIT:
One thing to keep in mind. Is if they make a kernel driver which subverts the OS's control schemes(For example making a CreateFile, ReadFile, Memory write primitive, Memory read primitive. If you see this, REPORT IT. Microsoft bans these types of implementation and you can do that here. https://www.microsoft.com/en-us/wdsi/driversubmission . It's a MASSIVE security risk and they will REVOKE the driver certification and deny loading it on Windows! Do not let them rootkit your system, know what Microsoft allows and doesn't. They do care, they've fucked over AV products before, and they will do it again. The OS Security team at Microsoft is extremely good and genuinely cares about you as a user.
So it’s been a long, long while since I’ve explicitly run AV software but doesn’t signature, heuristic, and behavior based detection all run locally on the machine?
I suppose the exception might be sandbox but from what I understand this is usually in a corporate environment where connections are MitM’d any way and potentially harmful files are run in a sandbox.
Am I missing something?
That being said I’m not sure very many would even notice files being exfilled by an AV especially if it were user targeted.
It depends, but most consumer AV's upload. And alot of EDR's are implimenting cloud based detections, with the option for companies with IP risks to run an on prem version of their cloud server.
A good example is this hackernews post from not long ago detailing how Windows Defender uploaded a beacon he made from a VM with no internet access (But connected to a LAN with his main computer) and exfiltrated it from there to Redmond and ran it, most likely in some automated scanner. https://news.ycombinator.com/item?id=21180019
Wow that’s kind of alarming; I wouldn’t have expected that behavior from an OS provided AV (I would have assumed it would be more conservative) but maybe I shouldn’t be too surprised given the trends these days (and microsoft’s decisions with their recent OS’s too).
If that's what is needed to fight against cheating, then it will only escalate.
The bottom line then is don't do anything else with your gaming machine: no work related stuff, no banking, no email, no social networking, no personal data or any access to the home NAS, no projects, nothing but games. Connect it to a low latency firewalled network plug on the router that would let it see only the outside and that's it. Use then a lower power machine for everything else, and treat the gaming machine as already compromised out of the box.
They already have locked down special purpose gaming machines. They're called gaming consoles.
Really, if keyboards and mice were more accepted components of those that developers always accounted for, I would just buy a console for gaming (except all my old games, but really, that wouldn't be hard to handle on a console either).
It's already a little concerning to me that I play games on my main PC for the same reasons you most likely are worried about it. As it is, I try to keep it to things on Steam and the occasional old dosbox game from GOG, so at least I don't have to be hyper aware of all the different individual launcher capabilities.
It's not. Binary protection is easy and you won't be able to stop high level attackers. It's similar to the EDR field where it's monitoring heuristics and trying to correlate those to attacks. And it's also similar in that normally it functions off of a whitelist, but they get a bit more coverage since they only care about a singular program which they control.
Companies get most of it from either filter drivers or ETW. Which effectively give a callback and notification for every handle or handle operation (So Networking, File, Registry, InterProcess, etc...). The good way to do this is ETW which gives you events and doesn't allow changing of these events, unlike a filter driver that can modify these requests. And this stops 99 % of people. ETW even runs in usermode as opposed to a driver.
They also do malware techniques such as loading shellcode over the wire so it's difficult to audit the actual malicious stuff they're doing.
There's zero reason for them to need anything like what Riot does with Vanguard and it's a joke that consumers allow this. It's them trying to jump to the top of the stack and abuse Kernel. But they're engineers are to stupid to realize this opens up complexity in the architecture and makes it easier to break and bypass.
How much random open source code do you compile and execute? How many programs do you run?
At the end of the day it’s about trust. If you don’t trust Riot to run lol.exe then you definitely shouldn’t run their service! But if you trust Riot enough to run lol.exe it can do anything to your computer. The difference between lol.exe running in the foreground and something else running in the background is negligible from a security standpoint.
Foreground or background I can agree with, but there's definitely a different level of trust involved if Riot wants to run something in the kernel instead of just userland.
I somewhat agree. Realistically I’m not sure it actually matters. In user mode they can do anything to my computer and steal any data they want. In kernel mode they can do it slightly more sneakily? Feels like one those things that sounds scarier than it actually is.
Regular user mode software can be sandboxed by running the games in their their own user/graphical session dedicated to that specific game. Kernel mode software can by pass all security features implemented in the OS however.
If you run everything in a single account what you say is true, but at least some people do use basic sandboxing methods like described above, which makes kernel-mode anti-cheat much more invasive.
The shortcut to implementing this technique is buy a gaming console. Gaming companies seem very committed to their desire to root your box, so might as well just get one pre-rooted and use it for nothing else.
There's lots of cheap indie games and game pass services on the consoles too, from what I understand. I'm not sure games on PC are much cheaper. Do you have examples of what you're talking about? Are big titles like $10 more on consoles for licensing fees or something?
I think there are three arguments to be made for PC being overall cheaper
1) XBox Gamepass offers a huge library of often new games for a cheap rate. That service is also available on Xbox consoles but those are much less popular than their competition.
2) Epic Games offers a bunch of games for free to entice people into switching over from steam, not sure about the current situation though.
3) Steam often offers very deep discounts on games and due to the relative ease you can buy keys from resellers you can get games for super cheap.
As an annectode I was able to get my girlfriend 250€ worth of expansions for sims for less than 40€, discounts this deep are hard to get on console.
Not at all. With sites like isthereanydeal.com and random and seasonal sales, I very rarely pay more than $25 for a game. My typical price for a game is $10 and one that I can play with all my friends inline would run about $15.
Grandparent wasn't talking about the games, they were talking about the systems. If you can find one, a PS5 or XSX cost about $500. You can't buy very much gaming computer for $500.
This is exactly what I have been planning on setting up when I can save enough money for a new system, and when hardware is available again.
It would be very unwise to entrust your main system to any of these companies, which is exactly what you are doing when installing modern anti-cheat software.
Another option I have considered is setting up a gaming VM with GPU pass through. A totally separate system would be more secure, but the latency may be better with a VM, and working with VMs might be a bit more convenient I think.
I have been curious about the security of hardware (or just GPU) pass through with VMs though, I am not sure how safe or dangerous giving direct hardware access could be in the worst case. There is the issue of some anti-cheat software detecting when it's being ran inside of a VM also.
This is precisely why I own several game consoles. If I really want to play a game from known shady publishers (Ubisoft especially), it goes on the PS4 which has nothing on it that I actually care about. Go ahead, mess with Sony's OS, I don't care. But that nonsense does not touch my workstation.
That is just telling me that Windows Defender should start flagging Riot executables used as part of this malware injector. This does not, and cannot lead, to an improved user experience.
Are you being glib, or do you genuinely believe the OS should subvert its user to appease a different group of people?
For many artists, not having their art copied would be an improved user experience, so should the OS prevent you from copying files tagged as copyrighted? Windows Defender already removes torrent software and gives scary warnings for LibreOffice [1] so it's not a big step.
I'm choosing to install anti-cheat software into MY OS, on MY hardware, to improve MY gaming experience. The OS isn't subverting anything by allowing me to do that. I can't see how that's anything like your hypothetical. The anti-cheat software isn't being rolled into Windows for everyone in the globe, it's part of a voluntary, user-directed game installation on a specific computer.
If it's voluntary, then obviously cheaters are not going to install it. You choosing to install the anti-cheat software on your own computer will not magically stop people you play with from cheating. Therefore your whole argument goes out of the window.
It’s voluntary as installing the game is voluntary. You can’t opt out of the anti cheat tech yet opt into playing the online game. One might disagree with a part of the product (the anticheat part) but then one has to choose not to buy or use the product at all. It’s voluntary.
This is not a case of the OS subverting it's user, the user is installing Riot's anticheat of their own will. If you'd like Windows Defender to stop that, then you should be fine with the warnings it gives with those other apps too.
But that's just it - Riot's anti-cheat gets far fewer warnings than FOSS software, because MS has tilted the system to favor corporate entities willing to pay MS for certificates.
If a "trusted developer" is one of the heuristics, then any kind of honest anti-virus should trust major free software developers/apps to at least the same degree as someone like Adobe or Riot.
What about communities of gamers and hackers who get their fun in environments where everyone spends their time hacking away at game code to use against each other? This is pretty common in many Minecraft servers, for example- hundreds of people developing the best cheats to use against opposing factions in said communities.
I'm sure you don't want Apple allowing people to have illegal images on their phones, are you willing to have all your photos constantly scanned to improve that?
I don't see how this is related. I'm installing a game with anti cheat software on my computer to improve my experience. This is my choice, my hardware, and is for my own benefit.
It really isn't when you're forced to install the anticheat software to play the game. The corresponding phone analogy would be saying that it's "your choice" to have your pictures scanned for CSAM, because you made the choice to buy apple instead of a pinephone or whatever.
The anti-cheat code is an integral part of an online game. I can choose not to install and play that game if I don't want the anti-cheat code on my computer. I can't choose not to run iOS on an Apple phone. These are not analogous situations.
Malware is subjective, as everyone who's made any new executable and sent it to a friend knows as Defender immediately destroys the program and quarantines it.
Surely many, many people are willing to pay the price of running this anti-cheat that 'runs in the background' (not consuming many resources, mind you - the vgc executable isn't constantly running, only vgtray which is the tray icon and it's sitting at 640K), so this obviously isn't malware to them.
Torrent programs get silently deleted, LibreOffice and other FOSS installers get big scary warnings [1], installing an open-source audio package pops up no less than seven warning screens [2], but Riot can install a literal rootkit to only a single "this program will make changes to your computer" notification, in a friendly blue color.
It's painfully obvious Microsoft is looking out for its own interests, and those of its corporate partners, instead of their users, when they subjectively determine what is malware.
It's not a rootkit, it's a kernel-level driver. The same goes for any other driver that can be installed via just UAC - for example, Corsair installs their kernel driver[0] and cpu-z as well[1].
Somewhere at the end of last century, start of this one. I personally gave up on playing games on non dedicated hardware. One of the main reason I did that, was that it was becoming clear that games, was shipped with something that looked a lot like a root kit or a virus, and if you didn't want that on you computer, you couldn't play games on it.
So for me, I went with a console for games, but a dedicated PC works as well. But from my point of view, a PC with games on it, that is security hazard, and should never run anything you want to keep private.
I made the exact same choice about 10 years ago. For security and privacy reasons. Also every couple of years I get the need for a new rig when obviously I didn’t really need one. It’s definitely better over here in the dedicated hardware world
For anyone looking to jump to the part about background programs:
> 9.2. Does Riot run programs on my device while I’m not using the Riot Services?
> (We may, for limited anti-cheat purposes.)
> In order to prevent cheating and hacking, we may require you to install anti-cheat software. This software may run in the background of your device.
The language here implies you will be notified and consent to install the anti-cheat software - it doesn't seem like these programs will install and run without your approval but that's just based on the very brief summary here which might not be accurate.
For valorant (FPS), Vanguard starts at boot, and you can disable it from userland/tray icon. Disabling it blocks your ability to play the game until the next reboot.
For lol, Packman/stub is not kernel mode and starts with the game and exits with the game.
The operating system should not allow Riot to do stuff like this. Sandboxing on the desktop is badly needed. Flatpak may have its problems but it's probably the best effort so far.
I think the operating system should allow users to do whatever they want with it, as long as they consent to it.
I'm honestly a little bit baffled how the discussion swings the other end when it comes to software like this, compared to say the Google Manifest V3 debate. If people value having fewer cheaters in their video games and they're willing to accept the trade-off of having software run at a low-level to be effective at detection that's their choice.
Flatpak's are a great choice to have but I don't want to have the operating system force them on me.
I agree. I want sandboxing technology that increases user control, not the other way around. I don't accept the trade-off you described and I don't think anyone else really wants to either, they're just forced to if they want to play the game. We shouldn't let this invasive kernel-level anti-cheat technology become normalized.
Now when you say want to play the game, do you mean getting instantly killed on spawn by cheaters?
More specifically, given that you want the game to be playable without anti-cheat, do you imagine that the cheaters will just agree not to cheat?
I think it's pretty clear that the choice in popular games is between a strong anti-cheat vs a strong cheat. For some types of games a lot can be enforced by the server (think chess), but for other types of games it is just inevitable that there is an arms race at the point of input. Nevermind rootkits, soon enough we'll have mandatory webcams monitoring that you're actually physically moving your mouse in a way that matches the signal coming out of your mouse.
What people want are to only play games with other people running this anti-cheat software, and are more than willing to run it themselves to achieve that. Seems really like missing the point to argue that running or not running anti-cheat is a personal choice that doesn't impact anyone else. It totally impacts other people. In fact, that's precisely why folks want it!
This is the exact opposite of consent. People are being forced to install the anti-cheat software. While you may personally find it acceptable, you do not have the authority to consent on behalf of all other players, therefore it is not consent but simply an opinion.
Installing the anti-cheat software on your own computer will provide you absolutely no benefits. It needs to be installed on the cheaters' computers for it to be effective. Obviously if there was actual consent involved and people were allowed to not install the anti-cheat software, then cheaters would simply not install it.
There are plenty of valid reasons to be concerned about this, even for people who have no intention of cheating at all. While you may trust Riot, others may not. Even if Riot won't do anything nefarious with it, all software has bugs. It's only a matter of time until someone finds a vulnerability in Riot's anti-cheat software and actual malicious actors start to exploit it.
I hate cheaters as much as anyone else, but an anti-cheat program running with kernel-level privileges is simply a ticking time bomb and should never have been approved by Microsoft. But of course, it's easy for gaming companies to brainwash the masses who have no awareness of security and privacy risks with "you don't want cheaters in your games, do you?" These are the same people who get brainwashed by arguments like "if you're not doing anything illegal you have nothing to hide, therefore you should have no issue with your communications being surveilled 24/7 because it will help reduce terrorism".
> you do not have the authority to consent on behalf of all other players,
I don't, I'm not forcing anyone to play League of Legends at gunpoint and I don't force them to install anything on their machines. If you don't trust Riot there's a simple solution, don't install their software on your computer.
The basis of consent isn't that Microsoft gets to dictate security standards to both users and third parties, it's you getting to decide what you run on your own machine.
>But of course, it's easy for gaming companies to brainwash the masses who have no awareness of security and privacy risks
This securocrat mindset is the exact problem. To you every user who makes choices that you don't approve of is part of the mindless and brainwashed masses, and you'd prefer if an operating system owner gets to dictate conditions to everyone else likely because they align with your own. That is the opposite of user freedom and it is paternalistic. It's extremely ironic you don't realize that you want Microsoft to act like a sort of discount nanny state that interfers in every decision between users and third parties because you're afraid of security threats. In this analogy you have chosen, you are the guy who smells sinister plots on every corner and wants to move control from the user to the operating system manufacturer. It is the same walled garden bs that Apple forces on everyone.
Counter argument: The operating system should do this instead. PC gaming would be better off if Windows shipped with “Xbox Anti-cheat” that had similar protections but was baked into Windows instead of relying on a half dozen third party implementations.
Microsoft did ship the Windows 10 "TruePlay" anti-cheat component for sandboxed UWP games. I believe it was removed because game developers largely ignored the UWP format.
I should rephrase: the user should have control over whether or not Riot is able to do stuff like this, and the operating system should enforce the user's decision.
They are. They can choose not to install the game (which obviously has several parts, of which the anti cheat is one).
I’m sure if someone feels tricked into buying it as they disagree with that part and only found out at install time, they can ask for a refund.
Users are free to block the anticheat from running - but obviously the game should then not allow them to enter an online server.
I mean how is this different from say, the users tampering with the game files? Of course no one stops users from manipulating the texture files in the game. It’s their system. They do what they want. But obviously the user that tampered with the textures will be blocked from joining the multiplayer game.
I don't get your point, if you don't want the anti-cheat on your machine then don't install and play the game, it's that simple. You can't have your cake and eat it too.
You can indeed "have your cake and eat it too" if the platform is on your side. Take ad blocking software, for example. A browser that really works for you will let you visit websites that want to force ad views on visitors and will not display those ads. The same should be true of an OS. It should do its best to help you run software the way you want to run it. If that means gratuitously violating the TOS of some online game, then that matter can be settled by a legal team. The OS should just be a tool--your tool--throughout the whole ordeal.
It’s really unfortunate that Apple’s blown gaming so badly. I built a mid-high range gaming PC during the first year of the pandemic. The awful software that PC gamers have to put up with, from the basic stuff like NVidia’s driver software updates that they seem to want to be a social network to the ASUS labyrinth of random apps + UI just to update various bits of motherboard support where it’s not clear what you actually need and what’s actually cosmetic to the MSI daemons to support RGB lights on RAM modules that cause some games to crash at launch Just Because.
Windows gaming is a real shitshow. But that’s where the games are. You can avoid running most of this crap. But you wouldn’t have to put up with it in the first place on the Mac, because there’s an assumed baseline of non-scummy software and vendors would get called out and shunned.
This wasn't near as much an issue when you had actual servers run by actual people. Too bad the technology to implement a server browser has been lost to time. : ( Perhaps one day we will rediscover it.
I don't get the past tense used here. The creators of the biggest game in the market are using the same model right now, making the sever available for free, with people creating their own server modifications etc. There is a whole culture around it.
He is possibly referring to Minecraft? You can self-host your own server and connect to it via Minecraft, although I am unsure as to whether the server-side component is open-source.
IIRC the server isn't technically open source, but has been heavily reverse-engineered and, for customization purposes at least, might as well be. Most/all of the major extension/plugin frameworks are open source as well.
I don't have the energy right now to have yet another big debate about it, but I've long held that we make our cheating problems in the gaming industry significantly worse and harder to solve by focusing on a very narrow and limited view of competition: https://news.ycombinator.com/item?id=28635316
The situation reminds me a lot of piracy. The difference is that it's generally accepted by a large portion of the tech industry that design choices and product offerings can increase piracy, and in contrast there seems to be a lot of denial in the games industry that forcing everything into global ranking systems that teach players to prioritize winning over anything else might exasperate cheating incentives, and make cheating more annoying to normal players, and might make it harder for us to moderate and ban cheaters.
The more subtle point I'm getting at here is not even that global rankings are bad, it's to question: is it good for us to rank people in our games primarily based on whether they win, or does it make more sense to build player-facing mechanics that reward people's ability to create fun matches?
A few other people here commented that the problem with individual servers is that people would get banned for being too good even if they didn't cheat. But why is that a problem? What practically is the difference between getting sniped at spawn by an aimbot and getting sniped by an expert player? Does one feel better than the other? Not really, they both stink for the same reasons. Neither is competitive, neither gives you the opportunity to learn and get better as a player, both feel like you're just getting picked on.
This could be a much, much longer conversation, which I just don't have the time/energy right now to get into in extensive detail, but one very narrow aspect of it is that we optimize for player "legitimacy" when I suspect even many players who love global servers care a lot more about having a competitive game with matches that they win roughly 50% of the time, and with a community that tests their skill and that pushes them to get better at the game.
So why are players cheating just to win random encounters? Well, we optimize for that, we build games that teach players that winning is the primary thing that matters even when there are a lot of other metrics in multiplayer games that are just as valid and just as surfaceable to players. We ignore the fact that our design often creates incentives to cheat. And in contrast, if we stop treating winning as the only primary player motivator, not only can we hopefully reduce a little bit of incentive to cheat, but more importantly we can start to get a lot more direct about combating griefers or players who are spoiling the game in public ways.
I don't expect that literally every game could work this way, but if you can that gives you an advantage while moderating users. If you have an expectation that great players shouldn't be stomping new players just in general, then you don't really need to check if someone is using a cheat to do that, you can monitor for the behavior directly without caring about the method. If you have an expectation that players shouldn't be trolling or griefing each other, you don't need to install a rootkit and check to see if they're using an aimbot to troll, you just ban them for trolling. I would encourage multiplayer developers to think more about optimizing for outcomes rather than methodology.
The issue then was that anyone that was even half decent would get banned off the majority of servers because most admins can't actually distinguish between someone that is cheating and someone that is actually good. I use my Windows computer to play games and I don't really care what level of access Riot needs to provide a good experience. I'd bet the majority of people that play online FPS games don't care either.
The entire point of a ranked matchmaking-based game is to assess your skill, including implementing teamwork with four other players you've never seen before (for solo matchmaking). Server browsers are still a thing if you want to play some rotating game modes in games built for that sort of thing, but way more people want to play ranked CS:GO/FACEIT than CS:GO's custom servers.
Ranked matchmaking is worse at delivering a competitive experience than a community of people who want to have a competitive experience. Don't kid yourself, competitive gaming existed long before ranked matchmaking.
In the days of ‘aim sporadically improved by a slight percentage’ style cheats, I wouldn’t be so sure.
I played on an active Battlefield server with a community constantly ripping itself apart with cheating allegations. This even extended towards well established supporters who donated significant money to the server operation and graphics cards to other players.
Then they’d demand videos and then videos showing mouse movement and pore over them for hours. I know someone who absolutely didn’t cheat (and wasn’t particularly exceptional at playing) but whose movements in game were subject to hours of scrutiny and suspicion.
Yes and also it was the tight nit communities that hung around on the more popular servers that helped monitor and deter cheaters and even have rights to kick users as needed to assist the server operators.
By this logic you couldn't have 2 different anti-cheats on a system because only one could start first. The truth is the OS always starts before the anti-cheat(s) and can't be trusted regardless of how early the anti-cheat loads in.
Thats totally false. Moderns OS have a chain of trust, on windows, the drivers starts and all drivers know the other loaded drivers, and they whitelist the drivers.
Which means the OS loaded what it was configured to load by someone with rights to the OS not that the anti-cheat controls the OS's chain of trust before it has loaded.
> On windows, the drivers starts and all drivers know the other loaded drivers, and they whitelist the drivers.
Unless you tell your trustfully signed (legitimately or via insecure mode and then hiding that with your cheat) anti-anti-cheat driver to load first in which case what the anti-cheat sees is whatever you tell it to see - just make sure it's 100% consistent with what a normal setup would report.
It'll get harder with Windows 11 anti-cheats mandating secureboot and TPM (I think Riot's was the first to announce these plans) but even that generation won't be infallible, just less feasible for something a normal user can realistically install and run to cheat in a game. Until the anti-cheat is loaded before Windows and is the only thing the bootloader trusts to load then the anti-cheat can never trust Windows chain of trust as it didn't see the start of the chain.
"physically moving the mouse/controller".
Yes you can do that.
It cause 2 issues:
In competition, cheating will be impractical (cheating would imply bringing it's own hardware).
Cheating will be harder, because you need to buy physical hardware (and will be far easier to stop).
It will cause the amount of cheater to drop signifiquantly.
RIOT's anti-cheat is one of the strongest I have seen. Even if you close the service and enable it again, it won't let you open the game. Only after a restart.
Counter-intuitively, I wonder what gaming would be like if everyone ran the same cheats/mods? Would it be the same as "if everyone is rich, then nobody is" or would it devolve into such a state where cheating/modding gets so boring that people just go back to casual play ...
On the other hand, gaming is now a big commercial entity, including 'pros' and 'streamers'. With money involved, fraud and cheating ain't far behind.
If you look at what's happened to certain games without anti-cheat you can actually answer that question! It turns out that it mostly devolves into a bunch of AIs playing against each other with the actual humans just passively watching. Perhaps exciting to see your aim bot beat the others, but overall not much of an interactive experience anyone
And a hell of a lot more where that came from. There was one instance where players had exploited a popular no-rules server to spawn in items that dealt 32,000 damage, the administrator attempting to patch it and the players playing the cat-and-mouse game of trying to keep using them for as long as possible. The creativity is really something else. As for their music choice in that video- par for the course when dealing with the 4chan of Minecraft.
I played Valorant for a month until I was banned for no reason. They said it was for running unauthorized software but they wouldn't say which. No recourse.
I understand that this probably isn't popular opinion, but I believe we need hackers/exploiters in games, and we need recognized communities for them in those games.
People cheat in games for almost an endless amount of reasons. But many times, I've seen that it usually comes down to wanting to 'be the best' or just a general interest in understanding how things work. Creating a 'safe space' for people to cheat in games becomes a net plus for everyone because it keeps a lot of the non-malicious cheaters out of legitimate player's games. It also helps developers understand where some flaws are in their systems that they wouldn't ordinarily catch because they'll end up with communities openly discussing their latest exploits, or specific servers where they can look to see what bugs or hacks people are coming up with now. It also means the people who are cheating so they can 'be the best' will get bored of it very fast once they finally have everything and move to the next game. A cheater that's in a designated server is someone that is not interrupting a legitimate game.
There will, of course, always be malicious hackers and trolls that won't want to stick to designated servers or openly discuss exploits so they don't get patched. But this is going to happen regardless of whether or not there's a recognized community, and it doesn't make sense to punish everyone because of this. Popular cheating communities also tend to be self-enforcing. It's not uncommon for people to get blacklisted from these groups or reported in games by other cheaters if they cross a line(ie. Caught cheating in non-designated servers, DOSing servers, etc..).
Disclaimer: I was an admin and regular on a couple popular cheating/exploit communities over 15 years ago at this point. It was my first introduction to how computers actually work but also should put in perspective how this is a never-ending battle
But yeah the sticking point is that cheaters wanna “be the best”, even if that requires cheating, and if they’re surrounded by other cheating users that doesn’t really work anymore, so why would they stick to those servers?
> But yeah the sticking point is that cheaters wanna “be the best”, even if that requires cheating, and if they’re surrounded by other cheating users that doesn’t really work anymore, so why would they stick to those servers?
There's so many different games so there's no single answer. But from my own experience, in FPS games, people love building better aimbots, or augmenting different abilities to get a better edge, or adding overlays to their visuals to better calculate trajectories. Being a better cheater becomes its own competition.
The end-goal of this wouldn't be to move all cheaters to designated servers, that will never happen, it's to make it more obvious and easier to take action when there's a cheater in a legit match.
Yeah, the number of people who go from cheating on games to interested in programming cheats to FAANG engineer is non-trivial and means that cheating ends up as a value add for reality, even if it hurts the enjoyment of the other gamers in the moment.
This is really the endgame of cheating and anti cheat wars. The anti cheat has to basically become root kits. I wonder if they will eventually offer a unprotected server to people who refuse to install the root kits or not.
It's interesting; their anti-cheat already is a root kit that runs as a ring-0 (or lower?) kernel module in Windows, yet they keep having to ban cheaters every month. But this goes beyond root kits. It's now apparently acceptable to operate arbitrary applications on users' PCs even when not playing the game. Utter spyware.
The very dedicated cheaters use special PCIe hardware to alter and monitor memory through DMA, there's always a step up.
The only way to prevent cheaters is to control the hardware. With modern Xbox and PlayStation being basically a PC that you control with a controller, I can imagine a future where you buy special online gaming consoles that you control with mouse and keyboard to play competitive games. Even that can be foiled, of course, because hardware can be manipulated as well, but it's the furthest PC gaming will go.
What I wonder about it why people put so much effort into cheating. I don't see how playing more than a few games with an aimbot is any fun. What are these people even getting out of it? Is it just having their name on a board somewhere?
> What are these people even getting out of it? Is it just having their name on a board somewhere?
Based on my observations (during 20k+ hours of playtime in multiplayer games), I don't think a leaderboard is even necessary. It often seems to be more about asserting dominance. Very simple and very primal. No deep thoughts, just imposing your will over others. It's satisfying. [1]
--
[1] Of course there's a spectrum of reasons one might have to cheat. Some might be temporary cheaters who are just curious about the possibilities, others might be aiming for a specific prize in a contest. With the dominance angle I'm characterizing a certain kind of obsessive regular cheater.
Xbox and PlayStation games can already use keyboard and mouse. Not many developers make use of them. Partially because consoles aren't installed used at a desk, partially because the difference in precision between a controller and a mouse makes it difficult to balance competitive games.
> yet they keep having to ban cheaters every month
It's not perfect but the cheaters generally get banned fairly quickly and it's far better than the alternative. I've played tons of games of Valorant at
Radiant (the highest rank) and it's extremely rare to even run into someone that I suspect is cheating. In comparison, I get extremely blatant cheaters in about 25% of my games of CS and far more than that in CoD: Warzone.
There is, of course, a substantial issue re: privacy with this approach. A ring-0 driver can essentially do everything the system can (it's running in kernel mode). It's a two-sided coin.
Basically everything of interest on the average user's computer can be obtained without a ring-0 driver. Riot's incentive for the driver is extremely clear and it's not in their financial interest to abuse it.
> This is really the endgame of cheating and anti cheat wars.
I'm of the opinion the eventual endgame is game streaming like Google Stadia (though I don't think Google Stadia itself is the final answer). Can't compromise a local client if there is no local client.
> I wonder if they will eventually offer a unprotected server to people who refuse to install the root kits or not.
Absolutely not, for one simple reason: that segment of their audience is insignificant to the bottom line.
Camera pointed at screen with some image recognition and a bit of code to synthesize controller/kbm input. No need for compromising any sort of local client. Wouldn't be terribly hard to make a little rpi-based solution to sell.
As long as there's money to be made, cheating will continue. In fact, making it harder to cheat in games can make it more lucrative to develop cheats for them.
There is still the possibility of computer vision based cheats, but a streamed game would pretty much make current cheats impossible. Even with a hardened OS specifically for running games (I think this has been proposed before) or a locked-down game console it is still possible, albeit difficult, for someone to exploit it.
That is definitely the endgame for cheating. I know in WoW, they explicitly ban hardware input broadcasting for multiboxers yet actually detecting that can be quite difficult.
At the end of the day, we are trying to find technological solutions for social problems. What I think would really help would be to decrease the ease of duplicate account creation for services which care about cheating. Without that capability, punishing cheaters socially (i.e. bans) is never going to be particularly effective. I think social solutions can work because you don't need to stop 100% of cheaters like some people seem to believe. All you need to do is prevent enough cheating that people believe the game is honest overall. Locks only make sure honest people stay honest, but that actually works pretty well since most people are honest.
Have built computer vision based bots for Diablo III, World of Warcraft, Bookworm (make words from letters), a real-life Scrabble solver on a phone, a real-world jigsaw puzzle solver on a phone, various online poker games, a proctored online test and a match 3 game on an iphone. Computer vision cheating is surprisingly easy and just getting easier.
A computer vision system is still disadvantaged in that it can only see what the player can see, and no more than that. For example a wallhack won't work well as the cheat simply can't get the locations of all the enemies, and can only highlight them when they actually appear on screen. Also most of the games you listed above are relatively simple to work with both in terms of rules and graphics - it would be much harder to have a functional bot for the many variables involved in a 3D FPS game with fog, bullet drop, friendly fire, and so on.
The submitted title was "Riot may run programs in the background on your PC when not using the service". We might have let that pass if it were a quote from the article (even though that is already editorializing and against the site guidelines - see https://news.ycombinator.com/newsguidelines.html and https://hn.algolia.com/?dateRange=all&page=0&prefix=false&so...). But it's not a quote from the article and it's too hard to assess whether it's strictly accurate or not.
If you want to say what you think is important about an article, that's fine, but do it by adding a comment to the thread. Then your view will be on a level playing field with everyone else's.
The reason anti-cheat penalties don't really do anything is because people can just create a new account (on a free-to-play game) or play 20-60 dollars when they get detected. Video game developers usually won't ban cheaters for several weeks because it makes it harder to tell what program caused the ban. But it also gives you basically a guaranteed period of time to ruin other people's games.
I think in the future we might have a shared player registry for competitive video games, where people link their BrightID, basically proving that they are an individual without disclosing any additional personal information about themselves. And when they are banned for cheating, the ban is applied to their BrightID account, so they can't evade by changing IP/game account/etc. And other games by other companies can choose to look at this registry and reciprocate the ban as well. It seems like an effective, but less dystopic solution than throwing people in jail for in-game cheating.
If there is no personal information, what is to stop me from creating a new ID? I personally find this idea at least as worrying. I don't want to be having to put my name on a list for every given community I belong to.
Your friends verify you as a unique human, generating a web of trust and a cryptographic fingerprint you can use to identify yourself as such. This fingerprint doesn't contain any more info about you other than you are a unique human, and you can provide a different fingerprint to each app you use.
I can't bring myself to install their client with these practices in place. Even if I trust Riot not to abuse their root privilege, how long will it take before their anti cheat service running on my machine is hijacked by a third party? I'd love to play their games again, but it's way more risk than I'm willing to take.
A lot of comments are talking about cheating, but there are so many "free" games that have launchers that auto start at boot.
Several of my friends recommended genshin impact. It registered a background service that starts at boot and runs as Administrator. This is a PvE game! Uninstalled quickly.
It's to the point that I will _only_ install games from steam, however that even that is not solid as it used to be with many games installing their launcher service at first run (origin, epic, etc)
Android games also regularly install services well, the games are always running _something_ in the background.
Free games, even those with many in game purchases, seem to not care at all about running their software even when you are not playing their game.
If they really wanted to stop cheating but also preserve privacy, then why not get players to login to a dedicated machine like a game console or a virtual machine service like NVIDIA and Google have?
Riot should also get there players to run a Riot-specific VPN too.
I wonder if console use with a mouse and keyboard will grow in popularity owing to this issue. People hate cheaters, but also don't want to run anticheat on their primary OS. At this point it seems like Sony, MS and Valve machines are pretty locked-down and aren't as easily tampered with.
I just use consoles now, because cheating is annoying and it's harder on a console. I only play games on my PC that are single player or where I only have to play with friends. I don't like anti cheat software like this on my PC.
this will all go away once the client runs in the cloud. we are probably one more generation of consoles away. stadia has not been the moving force it appeared to be. but its only a matter of time
Probably not. Some hacks would not work anymore (eg. wallhacks). Yet, how would you detect, say, an aimbot identifying the pixels on the screen and simulating mouse moves?
How would you detect that, anyway? Behavioural analysis and neural networks?
It's not that hard to point a smartphone at a screen and have it send fake keyboard and mouse commands through USB, the challenge is in interpreting the pixels themselves. This is the analogue loophole all over again, for a different kind of DRM.
Anti-cheat should be on the server... not on the client. Otherwise, it will never work (probably still won't because no one figured out perfect software, but it would be a start).
What's being discussed here is presenting spying on your user base as a good thing because "it stops cheating". They simply want more dirt on the kids who play their games.
Installing spyware on people's computers is not enough for you? I guess I am done here if I am being hyper cynical. Dqmn, we have apologists for everything
I don’t care about playing games online against strangers, I should be able to opt out of this crap. No access to multiplayer servers would not be a problem for me.
> I don’t play this game and I don’t approve of the anti-cheat measures!
This seems to be a common pattern. People who actually play the game hate cheaters and are okay with more extreme measures, while outsiders tut-tut that acceptance. Don’t you know that’s bad for you, gamers?
Riot may not. One more reason to never install anything from them. I understand that cheating is bad but it is pretty easy to create a system that monitors behaviour at Riots infra instead of the gamer's and filter out bad users.
Imagine the two sides of user behaviour, one side you can observe on the client while the other side is observed on the "server" (more like the infra where the servers are running). There are several ways of monitor traffic (that is sent by the client to the server) and identify patterns (good or bad patterns). I have seen machine learning based network intrusion detection projects that quite successfully identified bad user behaviour in HTTP traffic for example.
Riot has 100M+ users, it is probably the most statistically significant user base on Earth. You could start to map out user behaviour parameters that you need to monitor to have them as "features" in your machine learning model. There is also a ton of historical data where they identified bad behaviour somehow (reported by other players, etc.) that you can use to train the ML models.
Let's say you are trying to catch people with aim bot or in Riot's case farm bot (helping the player last hit, if you know LoL you know what I mean, if you don't nor problem, the example is probably understandable anyways).
There is the way to catch this guy by observing what is running on the client and see if there is a last hit bot process or not.
Or, you could come up with a number (or multiple numbers) that represent a typical player behaviour (CS / min adjusted by ELO, I am just making this up though) and you could try to build models around this try to see if the data to have is giving you any meaningful accuracy of predicting cheating.
I know, this is more work, more resources, probably more challenging, but it does not violate the user's privacy and it does not require the good users also having to install rootkits on their devices.
I would be a big surprise for me if it was not possible to achieve ML based user behaviour monitoring when the rest of tech companies implemented this years ago. I know that Amazon done this for sure (probably 10-15 years ago).
I am saying that an effective server side cheat is system is certainly not "easy" to build. Nor do I think all cheats are even detectable server side.
Take a hack that allows you to see enemy positions through fog of war in League or wall hacks in CSGO/Valorant.
While I don't think it's necessarily impossible, detecting that players are making decisions based on information they shouldn't have is going to be a challenging problem even for ML.
In comparison detecting it client side is a much more tractable problem.
It's harder to quantify support among typical players, but I imagine it's much higher than we might expect. People really hate cheating in videogames.
[1] https://www.gamedeveloper.com/console/south-korea-cracks-dow...