Hacker News new | past | comments | ask | show | jobs | submit login

Lets call them what they really are, rootkits.



That's exactly what I tell my friends.

I can't play certain games, because they don't run on Linux and even if they did, I am not gonna install a rootkit to run them.


Getting a Steam Deck has done wonders for my piece of mind. I don't need to worry if whatever games I'm installing are malicious, because the machine is airgapped from anything critical.


Same, but I am only using it for couch gaming


piece of mind? or peace of mind?

/nitpick ;-)


OP shares with others


Ultimately, this is why we have consoles. We can have rootkits, or we can have cheating. Nobody has solved cheat prevention without rootkits. If you can, you’d make millions, if not billions. It’s not like the game creators want to have software on your system that has the potential to brick your system.


The real solution is games designed for playing with friends and treat all non-friend players as potentially malicious.

Early first-person shooter games had this figured out (small servers with 20-30 regular players, the server admin could choose to ban you), RTS games have this figured out, many MMOs have this figured out (interact with non-friends sometimes, but they have to 'join your party', etc.)

Playing with random strangers on the internet who may want to grief/destroy your game, be incredibly toxic, or cheat against you in general.. that's the cost of playing with random people in a completely public forum.


But people largely want matchmaking. They don't want to deal with having to find a server of like-minded players, they want to hop in a lobby with maybe a few friends, pick a map pool, and go.


> Ultimately, this is why we have consoles.

Nah. Consoles were a decade late to the online gaming party, and online gaming on consoles (counting Xbox Live as the first concerted attempt) has only been around half as long as consoles as a product segment have existed.


Running games in a VM appliance or an immutable container type of environment could be neat. Or some kind of hardware device. Like a console on an expansion card that could enable a secure environment while still letting you use your hardware.


This is a false dichotomy. Genshin is single player. Some people play multiplayer only with friends. The only legit use for anti-cheat is competitive multiplayer with strangers.


By this logic wouldn't chess and go need to be played after cavity searches? Cheating is enabled by tech but based on what people decide to do.


Not sure if you're referencing it but there was a recent scandal where it was suspected someone playing against Magnus might have had a wireless butt plug to enable some cheating...

The sibling comment makes a point about anonymity, I find these discussions interesting in comparison with the only online competitive game I play these days. It's Tekken, and neither the current rendition nor the previous one had any real form of anti-cheat. For the current Tekken 8, supposedly some players have been banned after manual review from the company of replay data, which of course doesn't scale. But at the same time it doesn't really matter. Cheaters don't seem to be that prevalent, their ability to spoil the experience of a match is limited by the fact that matches are short, and people can spoil the experience in non-cheating ways like plugging, lag switching, using a weak computer, and for some sensitive players they'll get unreasonably upset by ki charging/teabagging/taunting/continuing an attack after KO. The status of the highest rank is also not that much -- the most status comes from performing well at the big in-person tournaments, where it's going to be harder to cheat and players are somewhat de-anonymized. If the positive incentives to cheat are minimized in the first place, you don't need so many negative incentives like rootkits.

(It always amazes me how custom controllers and even keyboards are allowed in fighting game tournaments, officially certain macros are banned and at least for Street Fighter certain modes of leverless controllers got banned, but it'd be hard to perfectly enforce. And it's been hilarious to see the increasing use of fake buttons or controller-hiding covers/jackets because it was assumed some players were able to see inputs out of their peripheral vision before they were registered in-game and adjust.)


Chess and go aren't anonymous at levels people care about, and they don't have game publishers and creators expecting a return on investment.


Hmm, here’s a thought I’ve never had (but might be obvious to others).

Could I run windows as a VM guest under Linux and play Fortnite in that (with good GPU performance)? I don’t mind their rootkit running on some dedicated VM - I’ll just consider it my Fortnite unikernel.

(I’m also ok with the host OS being Windows or MacOS).


The anti-cheat will be very unhappy when it performs a bunch of arcane heuristics and determines it’s running in a VM.


Why would that matter? Pretty sure running in a VM doesn't facilitate cheating.


Running a VM gives the parent the ability to read/write arbitrary memory without [even rootkit] anticheat being able to detect, which can facilitate cheating, and therefore can earn you bans. The whole point of the rootkit is that the game can confirm that you don’t have any way to read/write arbitrary memory.


Isn't Windows running under a hyper-v hypervisor these days anyway?

In practice, I'd settle for a peer Windows OS, like the WSL2 kernel, with the rootkit seperate from my main work one. Can I run two copies of Windows simultaneously as peers?


Yes. https://wiki.archlinux.org/title/PCI_passthrough_via_OVMF

You basically let your guest OS use your GPU instead of the host.


And yet you install driver on Linux without knowing it, I mean Linux has 0 security for drivers.


When was the last time you had to install a Linux driver from out of tree?


Most people do install Nvidia’s out‐of‐tree graphics driver. It is definitely a risk.


If you've already put a piece of hardware into your computer made by nvidia, installing a kernel driver also made by nvidia does not increase your risk at all.

Installing some random anti-cheat kernel driver is not the same thing, at all.


But you are not installing a random anti-cheat kernel driver, you're installing anti-cheat kernel driver provided by a game you've already put on your computer. It's very much the same thing.


User space is not the same as kernel space.

User space applications can't access hardware or physical memory. They can't bypass permissions enforced by the OS. None of that applies to hardware or kernel drivers.


I've always appreciated the forthrightness League of Legends deployed here (talking about introducing a kernel driver for anti-cheat: https://www.leagueoflegends.com/en-au/news/dev/dev-null-anti...):

> This isn’t giving us any surveillance capability we didn’t already have. If we cared about grandma’s secret recipe for the perfect Christmas casserole, we’d find no issue in obtaining it strictly from user-mode and then selling it to The Food Network. The purpose of this upgrade is to monitor system state for integrity (so we can trust our data) and to make it harder for cheaters to tamper with our games (so you can’t blame aimbots for personal failure).


Where did I say they are the same? We have a kernel-space thing (anti-cheat or gpu driver) and a user-space thing ((a game actually talks to both) that talks to a kernel-space thing.


I understood that you were making an analogy between installing a piece of hardware and its associated kernel driver with installing a game and its associated kernel anticheat.

When you install a hardware device you are trusting the manufacturer with full access to your machine, so installing a driver does not give them any more powers. You have already "unlocked the door".

When you install a game that runs on user space you are not trusting the vendor nearly as much as you are trusting a hardware manufacturer. Installing a kernel anti cheat is granting them a level of trust and access to your machine that they didn't have before.


> When you install a game that runs on user space you are not trusting the vendor nearly as much as you are trusting a hardware manufacturer.

I'm not sure where this trust comes from. I absolutely do not trust any hardware vendor. I just have no choice here.


> Most people do install Nvidia’s out‐of‐tree graphics driver

Most people that use Nvidia. I specifically don't buy Nvidia graphics cards or laptops that use them in my Linux computers because they're not in-tree.


I am not using Nvidia since 2011. Last nvidia device was bought in 2007.

Back then I migrated to Archlinux and in all these years I only had problems with nvidia. Since then they are dead to me :)


A few things to consider here:

- This is an abnormal case. Most hardware will work with in-tree drivers. Indeed, few vendors provide out-of-tree drivers for Linux.

- Nvidia is an established and reputable source. We aren't talking about some small hardware developer who doesn't have the resources to create secure drivers.

- Most Nvidia cards have in-tree drivers. There is a loss in performance, but the option usually exists.


Those who do, choose to do so and generally take responsibility for their actions. It's not the same as tainting a kernel and just winging it.


It's a risk, but a very minor additional one - if you trust their hardware with direct access to your PCIe bus, you have already given them the metaphorical keys to the vault.


Approximately no one with a Steam Deck installs Nvidia's out of tree graphics driver (because the Steam Deck is built on AMD).


You gotta think about surface area and risk when comparing apples to oranges here.


This, so much this. Also often spyware.


First party malware.


And in the case of Vanguard, a bootkit.


Can't wait to find out what China hid in Riot's Vanguard rootkit for all their games. It's 100% a conspiracy theory, but nobody can convince me it's perfectly clean, or if it is, that there isn't an easy way to add some power to it quietly.


China's national security assistance law came up in the TikTok hearings. There's no reason to believe that the CCP doesn't have the legal authority to compel Riot to push an update with a backdoor to a few select high value targets.


Companies rule the United States. Companies that do business in China are ruled by China. Therefore, the United States is ruled by China.


The same line of thinking leads me to conclude that the world is ruled by the United States.

Can we stop with the nationalistic hyperbole already, and discuss acute issues, instead of vague fingerwaving at the foreign boogieman?


I wasn't being serious.

Sorry to offend your motherland. You deserve all the social credit coming to you.


If it is written in C you can always introduce a buffer overflow or something similar by just adding a little bit of line noise here or there and nobody can prove it was deliberate.


It's closed source and the assembly is obfuscated. You don't even need to bother with plausible debiability.


Surely the NSA has tools, people, resources etc to figure that out?


Dedicated to reverse engineering every update to vanguard? Huge waste of effort. They would probably just steal the source code.


The NSA just needs a call to Riot headquarters to ensure their rootkit is also included.


The vanguard drivers are signed by Microsoft, the procedure for which includes a safety audit by Microsoft.

The driver is just what the developers say it is (as with all other anti-cheat). It provides an untempered interface for the userland anti-cheat to use to get info from the kernel. Because modern cheats tend to alter the output of kernel syscalls by running in the kernel themselves.

I really don't see why anyone needs to think it's anything more than that.

If Tencent needed to spy on you so badly there's no reason kernel anti-cheats need anything to do with it...


It says something about Microsoft when they OK a known harmful bootkit that expects your computer to act like an XBox with a fancy keyboard (but not too fancy), requests invasive changes to UEFI that have broken systems, and have an overall opacity that rivals an Arthur C. Clarke Monolith.


Drivers are generally not audited by Microsoft to be signed, you only need to register your EV cert to get it signed. Cheat developers have registered their own/gotten their hands on EV certificates to create a kernel driver cheats. Anti cheat like Battleeye also download anti cheat modules at runtime to obfuscate what they do.


MS usually don't bother with driver audit... They mostly rely on EV certificate to check driver dev is a proper legal entity.

If they audit properly, they should not let the Asus AuraSync driver certified at the first time. (basically opens PORT instruction to every userland app, unristricted)


>The vanguard drivers are signed by Microsoft, the procedure for which includes a safety audit by Microsoft.

Did the crowdstrike driver get the same audit?


The level of sophistication that can go into a hack when sponsored by a nation-state is incredible. Just remember Stuxnet all the way back in '06 or whatever it was. Tech was a lot less advanced nearly two decades ago. It's not right, imo, to leave your safety up to this process.


EAC and other kernel-level anticheat software will dynamically load and execute signed payloads at runtime. Does Vanguard do this? If so, does Microsoft check these payloads?


> EAC and other kernel-level anticheat software will dynamically load and execute signed payloads at runtime

Are you sure about that?


100%


If I wanted to deploy a trojan horse then the last place I would try to hide it is in an anti-cheat driver that will without any doubt be exhaustively analysed by people attempting to bypass it.


Gamers are great targets. They'll disable security for higher polling rates. Not discerning, gladly walk to the slaughterhouse.


There's a ton of gamers that like to figure out how the game itself works. There's a ton of them trying to figure out how anti cheats work, sometimes to cheat, but more often because they're curious, resourceful teenagers taking it as a challenge.


Oh, I know. That's how my career was started. I made invitational in CS: Source (CAL) and then sold cheats to pay for college. My first Real Job was through a teammate.

Far more would have accepted a RAT and been deprived money than expressed genuine interest. Some did... not many. Most wanted the acclaim without the effort.


But also there's parties there with a big interest in circumventing these securities, and have done so for decades. The new release of RDR for PC (shamefully asking $50 for a 14 year old game) was cracked within days, if not earlier, of its releae.


Ah, yes, for most of us, getting our computer pwned is just like being murdered.


l o l

Fine, they'll gladly eat shit


How much shit, and how does it compare to the risk profile of, say, not wearing a five points seat belt and motorcycling helmet while driving, or a bulletproof vest when going to school, or an N95 mask literally everywhere?

Security theorists are always ready to tell us about the horrifying risks of installing kernel-level code from a vendor, but can they actually quantify the likelihood times damage those billions of installations have inflicted on Joe Random's life?

And contrast them to other risks that we regularly take in the name of comfort and convenience?


Funny that you initially used "Joe Ransom" as your example name (before your edit), as that describes one of the possible situations our friend Joe can end up in: malware that encrypts all his data and asks for a ransom to get it back.


Its possible. Roughly how likely is that to happen to him from installing a game with EAC? Are there a lot of documented cases of this?

Is it more or less likely than them dying from the 'Rona because they didn't wear an N95 24/7?


I'm not really that interested in chasing this, but a point I do want to make: it isn't just risk.

If you want to participate in a lot of these multiplayer games that place cheating far too highly, you can't use a hypervisor. You must have gaming device and computing device. They cannot be the same.

That's fine for most, but I consider it shit. VFIO makes it possible for a big computer to make a smaller gaming one. Ask me how I know.

My greater point is I don't care if I get cheated out of a finals match. I can actually speak from experience. I prefer autonomy over my devices. I kind of want to eat poop with them. A little.


State sponsored actors only target a few people and they only send the backdoored version to their target list.


Ah yes, that’s why stuxnet wasn’t a big deal


What do you mean? They burned several high value 0days on a high value target. Why wouldn't China burn a high value backdoor on a target they deem valuable enough.


I mean, they're not rootkits. Rootkits are either to gain root access (thus the name) or to hide something from a user. Anticheats don't do either of these.

They expose a kernel API to allow games to verify the state of the system, and they're knowingly installed by the user.


> They expose a kernel API to allow games to verify the state of the system

And that API has root access... thus it's a rootkit.


The API doesn't provide root access, it's typically a simple "is this game running in a secure environment" read API.

I really hate "it's a rootkit!" posts like this because it diminishes the severity of actual rootkits.


Can you please clarify how an API which runs in the kernel does not have root access? Because I don't believe that's possible, but perhaps I'm wrong.


The API itself has root access, but does not give user space root access, is what I think the commenter is trying to say.


That's the promise of eBPF.


I'm already counting down the days for eBPF to blow up in our face. But admittedly, it's the cheapest way of gaining more capabilities and privileges than you need, thus it's here to stay.


How do you think it is able to tell if the game is "running in a secure environment" without having root access itself?


The thing is the Kernel does not have that API.

The real solution, and not the hack Riot uses, is for Kernel to provide an API for anticheats, like it does for everything useland.


That's not really possible as long as the kernel allows the loading of arbitrary user-provided modules. Because the cheater will certainly run the cheat that requires kernel mode. If it's run in kernel mode, the API call can be intercepted.

How does the anticheat then work? Corewars. It's a cat and mouse game between the cheat provider and the game developer.

One would need a secure base layer, where also the MS anti-cheat lives, and all drivers can only run in a layer between this base layer and userland. I think that's already done for most of the graphics stack.

On the other hand, I am not convinced I want a system where I cannot load arbitrary kernel mode code if I choose to do so.


Windows only loads arbitrary modules if you enable some debug mode no? If not they need to be signed. But not a big hoop for cheat developers, they can get an EV cert to sign their own cheat kernel module or abuse a vulnerable kernel module.


> They expose a kernel API to allow games to verify the state of the system, and they're knowingly installed by the user.

Can you give examples of games where you do that?


Riot games use theirs (Vanguard) to improve detection of cheating software. basically the idea is by being on from the moment the computer is booted up it can validate the environment better.

Here's a recent blog post by riot detailing their recent deployment of the system for league of legends, the biggest online multiplayer game in the world

https://www.leagueoflegends.com/en-gb/news/dev/dev-vanguard-...

towards the end it talks about how and why it works




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: