[HN Gopher] We outsmarted CSGO cheaters with IdentityLogger
___________________________________________________________________
We outsmarted CSGO cheaters with IdentityLogger
Author : mobeigi
Score : 109 points
Date : 2024-10-16 18:18 UTC (4 hours ago)
(HTM) web link (mobeigi.com)
(TXT) w3m dump (mobeigi.com)
| Broge wrote:
| Feels disgusting with the hidden fingerprinting but very
| technically impressive!
| Giorgi wrote:
| Thinking about it, Steam should force this on every game
| developer that has a cheating problem (I am assuming mainly
| shooters), maybe implemented in a better fingerprinting way, giving
| developers options to hide cookies somewhere in folders of their
| choosing.
| Ekaros wrote:
| Risk there is that whatever ID is generated tends to leak. So a
| lot of cheaters will either tamper with it or circumvent it. So
| the game will continue and not actually be effective for very
| long.
| jandrese wrote:
| The problem is that once a technique like this becomes
| standardized the cheat software will know how to automatically
| disable it. Even in the article it points out that had the
| cheaters put in the work they could have edited a single text
| file to break the system, but they did not. If this solution
| had been implemented for all CS:GO players then it would have
| been defeated fairly quickly, but since it was just one set of
| servers those were easy enough for the cheaters to avoid.
|
| That said, eyeballing the chart in the article you can see an
| enormous ban wave that happens when the system is turned on,
| but afterwards the total level of cheating quickly returns to
| roughly where it started. If there were long term impacts it
| was only in the reduction of staff hours needed to review game
| footage to determine if a player is cheating.
| therein wrote:
| I am surprised VGUI browser shares cookies across Steam accounts.
| When I log out of my Steam account, switch to another one, launch
| the same game, I would have expected an entirely different
| datastore to be used for the VGUI browser.
| awestroke wrote:
| The VGUI browser also allowed servers to steal the steam
| session cookies. So not a very hardened implementation at all.
| jandrese wrote:
| The VGUI browser was a security nightmare, which is why Valve
| eventually deleted it from Steam.
| mobeigi wrote:
| It was a security nightmare. Basically a half baked browser
| with a subset of the security considerations you'd expect from
| a browser.
|
| Valve worked on it for a little while patching bugs as they
| popped up (notoriously slowly I might add). Then in August
| 2017, an exploit in which server operators could execute
| JavaScript on players that joined their servers started to
| spread and was maliciously abused by bad actors. For example,
| some server operators using their player base's residential IP
| addresses to sign up to gambling websites so they got
| kickbacks. Others simply tried to hijack Steam accounts or sell
| rare Steam virtual items on the Steam marketplace to
| themselves.
|
| After Valve patched the above exploit, some smaller bugs popped
| up in the following weeks and 2 months later in October, Valve
| completely binned the VGUI browser in CSGO. They had enough!
| This broke a lot of plugins like IdentityLogger and music
| players that would play music in the background as you played
| the game. But at least the attack vector was removed.
| ZeroCool2u wrote:
| Server side only anti-cheat is one of the problem domains that
| I'd really love to work on at some point in my career. This is
| the type of adversarial arms race that just seems really fun to
| think long and hard about.
| Night_Thastus wrote:
| Only problem is, a lot of companies do NOT want to pay for it.
| It's 'treadmill work'. No matter how many people and how much
| money you throw at the problem, it still ends up just coming
| back. It's a losing battle because there are many, many more
| players than there are developers.
| anamexis wrote:
| Are there more sophisticated cheat developers though?
| Night_Thastus wrote:
| Cheat development these days is incredibly sophisticated.
| There are swathes of tutorials, old and recent examples to
| research, advanced inspection tools, etc.
|
| It's _so_ much easier to make cheats today than it was,
| say, 10 years ago.
|
| It's also easier because more and more games are sharing
| common infrastructure like game engines, as compared to the
| past. What works in one Unreal game may save you a lot of
| time developing a cheat for another Unreal game.
|
| These days, many online games encounter serious cheats
| within the first couple of days of release - if not the day
| OF release.
| oneplane wrote:
| Some of the sophistication is not really in the technical
| breaking of the game or protocol anymore, figuring out if
| something is plausible might yield detections that you
| cannot "cheat" because it no longer matters if your
| cursor clicked on a head at the right time or not, it
| matters if your posture/reputation/experience makes your
| behaviour plausible.
|
| Cheating and anti-cheat used to rely a lot on the pure
| technical parts (like "is something sneaking some reads
| from the memory the game engine uses to clip models?"),
| which is ultimately not something you will win as a game
| developer (DMA/Hardware attacks or even just frame
| grabbing the eDP or LVDS signal and intercepting the USB
| HID traffic has been on the market for quite a while).
|
| But implausible actions and results for a player can only
| be attributed to luck so many times. Do 30 360noscope
| flick headshots in a row on a brand new account and you
| can be pretty sure something is wrong.
|
| If we can get plausibility vs. luck sorted out to a
| degree where the method of cheating no longer matters,
| that's when the tide turns. Works for pure bots as well.
| But it's difficult to do, and probably not something
| every developer is able/willing to develop or invest in.
| Night_Thastus wrote:
| It's hard to balance around those sorts of things. For
| example, imagine a cheat that gives the player additional
| info about where enemies are and their state (ie:
| health). Even if they are of totally normal skill level
| in terms of movement and aim, that info will allow them
| to be substantially better than others. How are you going
| to detect that, and differentiate it from players who
| simply have a great sense of map awareness and a good
| ability to keep track of enemies and when to punish them?
|
| Anything that makes assumptions about player's skills
| runs into problems too. For any online PvP game, the
| skill ceiling will rise with time. What once may have
| been considered improbable may soon become what's
| consistent for the top 1% or even 0.1% of the playerbase
| given a few years.
|
| As well, it can run into problems as rebalancing occurs
| and new abilities are released.
| oneplane wrote:
| Even the base example would make that specific scenario
| trivial: an account that is new has no business "being
| better" than everyone else.
|
| The only group you'd punish with that is skilled players
| that lose their account (and create a new one), but if
| you use a moving skill window they can grow back into
| their plausibility pretty quickly, and it's a small cost
| compared to everything else. And you could even mitigate
| that by making things like the first 10 matches require a
| different plausibility score than the matches after that.
|
| And with different I don't mean "no scoring at all" or
| something like that. But a cheater tends to not cheat "a
| little bit". You might have togglers, but that sticks out
| like a sore thumb (people don't suddenly lose or gain
| skill like that). And even if that fails (lots of
| "cheating a little bit" for example), you've still
| managed to boot out the obvious persistent cheating.
|
| And that's just with 1 example and 1 scenario. Granted,
| that bypasses the fact that it is still difficult and
| doing it broader than one example/scenario is even more
| difficult, but that's why I ended the previous comment
| pointing out the difficulty and associated cost, which
| goes hand in hand with the balancing difficulty you
| pointed out. Even tribunal-assisted methods (not sure if
| Riot games still does that) have the same problem.
| Night_Thastus wrote:
| What about new players who are competitive in other,
| similar titles, and thus start off with a strong
| advantage?
|
| And - what about experienced players who cheat?
|
| In some scenes, it's actually more often that cheaters
| are some of the best, most experienced players who have a
| strong competitive lean and feel they 'deserve' to win,
| so use cheats to get an edge. It's far more common than
| you'd think.
|
| That's the problem with any anti-cheat system. It's all
| the what-ifs. Every single 'clever idea' that has been
| theorized under the sun has been tried and most have
| failed.
| berbec wrote:
| It can happen in days sometimes.
|
| 0: https://www.ign.com/articles/final-fantasy-14s-latest-
| raid-s...
| willcipriano wrote:
| My idea:
|
| 1. Determine minimum human reaction times and limit movement
| to within those parameters on the client side. (For example a
| human can't swing their view around [in a fps] in a
| microsecond so make that impossible on the client) this will
| require a lot of user testing to get right, get pro players
| and push their limits.
|
| 2. Build a 'unified field theory' for your game world that is
| aware of the client side constraints as well as limits on
| character movement, reload times, bullet velocities, etc. Run
| this [much smaller than the real game] simulation on server.
|
| 3. Ban any user who sends input that violates physics.
|
| Now cheating has to at least look like high-level play instead of
| someone flying around spinbotting everyone from across the
| map. Players hopefully don't get as frustrated when playing
| against cheaters as they assume they are just great players.
| Great players should be competitive against cheaters as well.
| bob1029 wrote:
| This is kind of getting into my idea - Statistical methods
| & maybe a sprinkle of old-school machine learning.
|
| What I would try is to hire a red team & blue team and put
| them in a sandbox environment. The red team cheats on
| purpose. The blue team is guaranteed to be playing
| legitimately. Both teams label their session data
| accurately. I then use this as training & eval set for a
| model that will be used on actual player inputs.
|
| The only downside is that you will get a certain % of false
| positives, but the tradeoff is that there is literally
| nothing the cheaters can do to prevent detection unless
| they infiltrate your internal operations and obtain access
| to the data and/or methods.
| berbec wrote:
| This is a slippery slope which we can view in real-time
| looking at the speedrunning community. Many current real
| person runs are using strategies once thought to be
| computer-only. A Mario run from 2024 would be viewed as
| totally impossible in 2004.
| jwagenet wrote:
| This isn't really a relevant concern for online games
| since speed running is mostly rehearsed play with
| predictable game mechanics, not inhuman response to novel
| stimulus.
| burnte wrote:
| No one does multiplayer speedruns.
| jorvi wrote:
| > Now cheating has to at least look like high-level play instead
| of someone flying around spinbotting everyone from across
| the map. Players hopefully don't get as frustrated when
| playing against cheaters as they assume they are just great
| players. Great players should be competitive against
| cheaters as well.
|
| No, those are still just as vehemently hated as "closet
| cheaters", for example the whole XIM / Cronus infestation
| on any game that has controller AA.
|
| It's still possible to, on average, spot if it's a closet
| cheater or an actual good player due to things like
| movement and gamesense, but for the average player it will
| be much less obvious, leading to a huge amount of rage
| towards good players because they are by default suspected
| as "just another closet cheater."
| Workaccount2 wrote:
| The vast majority of cheaters are not "rage hacking", but
| instead using cheats as a skill assist.
|
| Take a moment and think about how you would design cheats
| that would be undetectable. Hot keys, real time
| adjustments, all the options and parameters you could
| provide cheater to dial in their choice experience while
| also keeping them looking legit.
|
| Then realize cheat developers thought of all that decades
| ago and it is _waaayyyy_ beyond what you can dream up in a
| few minutes. Hell cheats nowadays even stop cheaters from
| inadvertently doing actions that would out them as
| cheaters.
| J_Shelby_J wrote:
| > Only problem is, a lot of companies do NOT want to pay for
| it.
|
| Because they're 10 years behind the curve and don't
| understand that a game's lifespan is contingent on anti-
| cheat. Once it becomes clear to the casual player that a
| hacker is going to affect every gaming session, the game dies
| quickly. Many games have gone so far as to obfuscate the
| presence of hackers so that players are less likely to notice
| them (CoD)! Other games build from the ground up with anti-
| cheat in mind (Valorant). Other games have an ID verified 3rd
| party system for competitive play (CSGO).
|
| Personally, I think there is a middle ground between root
| level hardware access, and treating cheating as an
| afterthought. I'd lean more heavily on humans in the
| process... Use ML models to detect potential cheaters, and
| build a team of former play testers to investigate these
| accounts. There is zero reason a cheater should be in the top
| 100 accounts; an intern could investigate them in a single
| day! More low hanging fruit would be investigating new
| accounts that are over-performing. I'd also change the ToS so
| legal action could be pursued for repeat offenders. Cheaters
| do real economic damage to a company, and forcing them to
| show up in small claims court would heavily de-incentivize
| ban evaders. This probably sounds expensive and overkill, but
| in the grand scheme of things it's cheap; it could be done on
| the headcount budget of 2-3 engineers. It'd also be a huge PR
| win for the game.
| andrewmcwatters wrote:
| The state of the art is pretty boring and you can learn about
| user command payloads in an afternoon.
|
| The world is much more complex now that YOLO-based aimbots
| exist, and I think the real answer is that anti-cheats are now
| defeatable, period.
|
| You can craft a private binary that has no hash registered to
| any major anti-cheat service on the client-side, and on the
| server-side you're limited to what is allowed by game rules.
|
| Since there's no mechanisms for preventing super human
| reflexes, and there probably shouldn't be, it's an issue that
| cannot be solved anymore.
|
| So you need community judgement, and that too is boring. Good
| players being accused of cheating in Counter Strike is a years
| old and entertaining problem.
| arminiusreturns wrote:
| Something I'm working on now. The real issue is that you get
| more perf hits trying to do all the important stuff server
| side, so devs have become lazy and offloaded more to the client
| than they should have, and then that became the standard.
| Moving all important actions server side isn't easy or cheap
| but it's how you prevent cheating much more holistically.
|
| Now add in that I'm running a physics-heavy game with 120
| tickrate (considering higher after more tests), with fine
| motor control action combat, aimed to scale to mmorpg size, and
| it really becomes a challenge!
| beeboobaa3 wrote:
| > If a player joins with a different Steam ID but with an IP
| address that is already banned, the system now re-bans them
|
| This works great until you realize you're punishing innocent
| players because of CGNAT and IP addresses getting rotated.
| Cheaters usually know how to get their router to request a new IP
| address. That IP address then gets assigned to someone else
| later.
| therein wrote:
| Yeah, you would think they would rely on their secret cookie in
| that situation instead, to minimize false positives like that.
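The cookie-first check therein suggests, contrasted with the bare IP re-ban the comments above criticise, as an added example by the editor (not code from IdentityLogger or the post): bans are linked by the hidden install cookie first, while an IP match only flags for admin review, and only while the ban is fresh and the address has not been seen carrying many different identities. `BanStore`, `JoinEvent`, the thresholds, the Steam IDs, cookies and TEST-NET addresses are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple

# An IP address on its own links a newcomer to a ban only this long after the ban.
IP_MATCH_TTL = timedelta(hours=24)
# An IP seen with more than this many distinct Steam IDs is treated as shared
# (CGNAT, rotating ISP pool, campus NAT) and no longer counts as identity evidence.
SHARED_IP_THRESHOLD = 3


@dataclass(frozen=True)
class BanRecord:
    steam_id: str
    cookie_id: Optional[str]  # hidden per-install cookie, if the client presented one
    ip: str
    banned_at: datetime
    reason: str


@dataclass(frozen=True)
class JoinEvent:
    steam_id: str
    cookie_id: Optional[str]
    ip: str
    at: datetime


class BanStore:
    def __init__(self) -> None:
        self.by_steam: Dict[str, BanRecord] = {}
        self.by_cookie: Dict[str, BanRecord] = {}
        self.by_ip: Dict[str, List[BanRecord]] = {}
        self.identities_per_ip: Dict[str, Set[str]] = {}

    def ban(self, rec: BanRecord) -> None:
        self.by_steam[rec.steam_id] = rec
        if rec.cookie_id:
            self.by_cookie[rec.cookie_id] = rec
        self.by_ip.setdefault(rec.ip, []).append(rec)

    def naive_ip_reban(self, ev: JoinEvent) -> Tuple[str, str]:
        """The policy the comments criticise: any previously banned IP re-bans the newcomer."""
        if ev.steam_id in self.by_steam:
            return "banned", "steam id already banned"
        if ev.ip in self.by_ip:
            self.ban(BanRecord(ev.steam_id, ev.cookie_id, ev.ip, ev.at, "ip match"))
            return "rebanned", "naive policy: ip previously banned"
        return "allowed", "no match"

    def cookie_first(self, ev: JoinEvent) -> Tuple[str, str]:
        """Cookie match re-bans automatically; an IP match only flags for review,
        and only while the ban is fresh and the address is not visibly shared."""
        self.identities_per_ip.setdefault(ev.ip, set()).add(ev.steam_id)
        if ev.steam_id in self.by_steam:
            return "banned", "steam id already banned"
        if ev.cookie_id and ev.cookie_id in self.by_cookie:
            prior = self.by_cookie[ev.cookie_id]
            reason = f"evading ban on {prior.steam_id}: same install cookie"
            self.ban(BanRecord(ev.steam_id, ev.cookie_id, ev.ip, ev.at, reason))
            return "rebanned", reason
        prior_bans = self.by_ip.get(ev.ip, [])
        if not prior_bans:
            return "allowed", "no match"
        if len(self.identities_per_ip[ev.ip]) > SHARED_IP_THRESHOLD:
            return "allowed", "ip match ignored: address shared by many identities"
        newest = max(prior_bans, key=lambda r: r.banned_at)
        if ev.at - newest.banned_at > IP_MATCH_TTL:
            return "allowed", "ip match ignored: ban older than IP_MATCH_TTL"
        return "flagged", f"recent ban on this ip ({newest.steam_id}); queue for admin review"


def run_demo() -> Dict[str, Tuple[str, str]]:
    """Constructed scenario: TEST-NET addresses, made-up Steam IDs and cookies."""
    t0 = datetime(2017, 6, 1, 20, 0)
    caught = BanRecord("76561190000000001", "c0ffee", "198.51.100.7", t0, "aimbot")
    store = BanStore()
    store.ban(caught)
    store.ban(BanRecord("76561190000000010", None, "203.0.113.5", t0, "wallhack"))
    joins = {
        # Same install cookie, new Steam ID and new IP: the real evader.
        "evader": JoinEvent("76561190000000002", "c0ffee", "198.51.100.9", t0 + timedelta(hours=1)),
        # Different install, banned IP two hours later: worth a look, not an auto-ban.
        "same_ip_soon": JoinEvent("76561190000000003", "deadbeef", "198.51.100.7", t0 + timedelta(hours=2)),
        # Same address three days later: the ISP has likely handed it to someone else.
        "same_ip_later": JoinEvent("76561190000000004", "f00d", "198.51.100.7", t0 + timedelta(days=3)),
    }
    # Four strangers arriving from a pool address within the hour: a shared IP.
    for n in range(4):
        joins[f"pool_{n + 1}"] = JoinEvent(f"7656119000000002{n}", f"pool{n}", "203.0.113.5", t0 + timedelta(minutes=10 * n))
    results = {name: store.cookie_first(ev) for name, ev in joins.items()}
    # The naive policy, run on a fresh copy of the ban list, re-bans the stale IP case.
    naive = BanStore()
    naive.ban(caught)
    results["naive_same_ip_later"] = naive.naive_ip_reban(joins["same_ip_later"])
    return results
```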
| cwmma wrote:
| They addressed this in the section entitled "Problematic cases
| of IP address fingerprinting"
| onli wrote:
| No, not specifically. That section is still written under the
| misconception that IPs are bound to households, or static
| networks like university networks. Instead they can swap at
| the very least country wide (or rather, however the provider
| manages the IP addresses it controls). Their mental model is
| just not how the internet works.
|
| By using IP as the ban id they created a system that
| constantly and regularly banned completely innocent steam
| IDs, thinking they are somehow linked when a new steam id
| uses a banned IP, which is nonsense. They just did not notice
| because the banned gamers did not complain.
| Ekaros wrote:
| Being from a country with a lot of IPs for operators, I did
| some packet sniffing on DHCP broadcast traffic seen by my
| router (ISP should filter that...) and I saw at least 3 non-
| continuous public IP blocks... And that was just a day or
| less of monitoring this traffic...
|
| So if the same connection (plug in the wall) can end up with IPs
| from different blocks, well, trying to do anything sensible
| with this is too complicated.
| lagadu wrote:
| I always found it funny how ip bans seemed to be so popular
| despite being apparently completely ineffective until I
| realized this was mostly a US thing. In my country (2 of them
| that I've lived in, in fact) ISPs always assign the client a
| dynamic address from their very large pools every time I
| reconnect. This was as true back in the 28.8kb dial up days
| as it is in the 10gbit FTTH days we live in. Having a static
| IP address here has always been a service you have to pay
| for.
|
| I remember this being hilarious when idiots would ip ban me
| back on the IRC days: "oh no, I have to press the reconnect
| button!"
| Vvector wrote:
| That was addressed in the article.
| mobeigi wrote:
| This scenario definitely did pop up and we would review it on a
| case by case basis to unban users or make exceptions. However,
| it was quite rare. Only a handful of reported instances over
| several months. If our servers were more popular we definitely
| would have run into it a lot more.
| Alupis wrote:
| I would wager most people just move onto a different server -
| leaving you with useless/suppressed data on how many people
| this may have impacted.
| LudwigNagasena wrote:
| You would need to ban random people and see how many of them
| report it to estimate the real amount of such errors.
| voytec wrote:
| Kudos to the author for using RFC5737[0] TEST-NET-2 address for:
|
| > An example of an IPv4 IP address is 198.51.100.1.
|
| [0] https://www.rfc-editor.org/rfc/rfc5737
| mobeigi wrote:
| I'm a big fan of using identifiers reserved for examples. I use
| TEST-NET-2 IPs and example.com all the time in my
| documentation!
| o11c wrote:
| Where it gets interesting is when documentation uses a _typoed_
| reserved address (e.g. 189.51.100.1 or 198.15.100.1). There are
| actually several RFCs that do this.
| beeboobaa3 wrote:
| I hope they asked permissions for storing those cookies.
| Otherwise they're violating various EU laws.
| latexr wrote:
| Not every cookie requires consent.
|
| https://commission.europa.eu/resources-partners/europa-web-g...
|
| In this case, this one might fit:
|
| > User centric security cookies, used to detect authentication
| abuses and linked to the functionality explicitly requested by
| the user, for a limited persistent duration
| beeboobaa3 wrote:
| It's _clearly_ a tracking cookie.
|
| > for a limited persistent duration
|
| FTA:
|
| > However, the VGUI browser had no issues saving cookies with
| expiry dates exceeding 10+ years!
|
| So no, it doesn't even qualify.
| unsnap_biceps wrote:
| GDPR didn't take effect until May 2018, this only worked until
| October 2017.
| ketkev wrote:
| GDPR is about the processing of personal data. Cookies (and
| such) are subject to 2002's ePrivacy directive
| mobeigi wrote:
| Great point!
|
| This community is Australian & New Zealand based; we had 0
| European players or visitors. And as @unsnap_biceps said, this
| predated GDPR compliance.
|
| You are right though that you wouldn't be able to do this in
| Europe today because asking for fingerprinting consent defeats
| the purpose because the hacker would likely quickly figure out
| what is happening and circumvent it.
| leoff wrote:
| LOL
| ketkev wrote:
| I'm not a lawyer, but I think this actually has some
| interesting things to think about. Not all cookies require
| consent under the ePrivacy directive, there is an exception for
| cookies that are "strictly necessary for the delivery of a
| service requested by the user". I think that'd fit in this
| case, since providing a cheater free experience is part of the
| "service" the players are looking for. At the same time, the
| ePrivacy directive also mentions that the user should be
| provided with "clear and comprehensive information" about what
| is stored. Providing that would render the cookies useless.
|
| I don't know how these would balance each other out legally,
| but it's fun to think about
| beeboobaa3 wrote:
| No, that doesn't count. Companies have tried arguing that
| their ads' tracking cookies are strictly necessary otherwise
| they wouldn't be able to offer their services (ads pay the
| bills). And yet, they require consent.
|
| Preventing cheaters is similar. And this is blatantly a
| tracking cookie.
| eqvinox wrote:
| You aren't considering that ad cookies/tracking are used to
| enable a service to _someone else_ (ad buyers), while this
| anti-cheat tracking cookie is used to enable a service to
| _the user themselves_ (a cheat-free gaming experience.) I
| think that _may_ make the difference.
|
| Also, all of this was in 2017. Anyone doing it in 2024
| should indeed run it past a lawyer.
| aftbit wrote:
| >Now, in order for a player to appear to us as a "fresh player"
| they would need to change their Steam ID, IP address and Steam
| installation folder. As you can imagine, no one is going to do
| the latter.
|
| Really? I would expect that a dedicated cheater would reinstall
| Windows (or reload from a snapshot) every time they are caught.
| Ekaros wrote:
| Seems like they were private servers. So they really need only
| hurdle enough to have cheaters go somewhere else. Not totally
| kill their ability to play. And well most people will move on.
| Only those who take it most personally start to spend lot of
| time.
| latexr wrote:
| > The best part was that no one knew how we were able to do this
| and our admin team kept the implementation a top secret. We
| should have filed a patent!
|
| I know you're joking, but if you had filed a patent you would
| have had to reveal the trick, thus rendering it immediately
| useless.
|
| Doesn't detract at all from your post. Fun read.
| LinuxAmbulance wrote:
| Excellent write up and solution. Cheating in video games makes
| for a wretched experience for those who don't cheat.
|
| It's crazy how rampant cheating in multiplayer games, especially
| competitive ones has gotten. Ten years ago, I thought it was at
| an extreme, but it's only gone up since then.
|
| Part of the problem is that for some software developers, writing
| cheats brings in a massive amount of money.
|
| So instead of some teenager messing around making unsophisticated
| cheats, you have some devs that are far better at writing cheats
| than game developers are at preventing them.
|
| It doesn't help that game devs have to secure everything,
| everywhere, but cheat devs only have to find a single flaw.
| DJBunnies wrote:
| I think a better question here is: why is game code so
| exploitable?
|
| A: laziness and cost. It just doesn't matter the same way that
| baking code matters, I guess.
|
| So they toss on some cheap anti cheat instead of architecting
| it safely (expensively.)
| tedunangst wrote:
| No kidding, implementing multiplayer as a VNC session on a
| controlled server is very expensive.
| doctorpangloss wrote:
| > I think a better question here is: why is game code so
| exploitable?
|
| The nature of FPS games means only environment integrity can
| stop cheating. It's not exploitable per se. Just the game
| skill can be done by a computer perfectly.
|
| Conversely who knows how long it will take for AIs to play
| Hearthstone with never-before-seen-cards well.
| wbl wrote:
| Probably three years
| jsheard wrote:
| Architecture can help up to a point but it can't stop
| everything - the usefulness of ESP can be reduced by not
| sending the client information it doesn't need to know, but
| that gets computationally expensive on the server, and
| culling information too aggressively can interfere with lag
| compensation. Perfect recoil compensation can be prevented by
| not replicating the servers RNG state on the client so it
| can't predict where the next bullet will go, which CS:GO
| started doing at some point. Aimbots though? Those are just
| automating an input the user _could_ theoretically make
| legitimately, so you're pretty much stuck with statistical
| heuristics or client-side detection.
| andrewia wrote:
| I think that's a very naive way of looking at game
| development. There are many reasons why games are exploitable
| besides lack of reasonable dev effort.
|
| - Almost all games are going to use a licensed or shared game
| engine. That means the software architecture is already known
| to skilled cheat developers with reverse engineering skills.
|
| - Obfuscating the game will only go so far, as demonstrated
| by the mixed success of Denuvo DRM.
|
| - The game will not be the most privileged process on the
| machine, while cheaters are glad to allow root/kernel access
| to cheats. More advanced cheaters can use PCIe devices to
| read game memory, defeating that mitigation.
|
| - TPMs cannot be trusted to secure games, as they are
| exploitable.
|
| - Implementing any of these mitigations will break the game
| on certain devices, leading to user frustration, reputation
| damage, and lost revenue base.
|
| - And most damning, AI enabled cheats no longer need any
| internal access at all. They can simply monitor display
| output and automate user input to automate certain actions
| like perfect aim and perfect movement.
| maccard wrote:
| A couple of thoughts, but I largely agree with you.
|
| > Obfuscating the game will only go so far, as demonstrated
| by the mixed success of Denuvo DRM.
|
| Denuvo is for the most part DRM, rather than anticheat.
| Its goal is to stop people pirating the game during the
| launch window.
|
| > The game will not be the most privileged process on the
| machine, while cheaters are glad to allow root/kernel
| access to cheats.
|
| This ship has sailed. Modern Anticheat platforms are kernel
| level.
|
| > TPMs cannot be trusted to secure games, as they are
| exploitable.
|
| Disagree here - for the most part (XIM's being the notable
| exception) cheating is not a problem on console platforms.
|
| > AI enabled cheats no longer need any internal access at
| all. They can simply monitor display output and automate
| user input to automate certain actions like perfect aim and
| perfect movement.
|
| I don't think these are rampant, or even widespread yet.
| People joyfully claim that because cheats can be installed
| in hardware devices that there's no point in cheating, but
| the reality is the barrier to entry of these hyper advanced
| cheats _right now_ means that the mitigations that are
| currently in place are necessary and (somewhat) sufficient.
| ghxst wrote:
| It's not AI enabled cheats that are the issue, it's DMA
| through things like PCIe devices disguised as regular
| hardware. Sophisticated cheats no longer run on the same
| computer as you're playing on. Google "pcie dma cheat"
| for a fun rabbit hole.
| maccard wrote:
| Right, but the barrier for entry for those cheats is huge
| - the sp605 board is $700, for example. There are cheaper
| ones, but you're not going to have rampant cheating
| testing through games when you add hundreds in hardware
| to the requirements.
|
| Anti-cheats work in layers and are a game of cat and
| mouse. They can detect these things some times, and will
| ban them (and do hardware bans). The cheaters will rotate
| and move on, and the cycle continues. The goal of an
| effective anti cheat isn't stop cheating, it's be enough
| of a burden that your game isn't ruined by cheaters, and
| not enough of a target to be fun for the cheat writers.
| heavenlyblue wrote:
| > This ship has sailed. Modern Anticheat platforms are
| kernel level.
|
| so you use a kernel level anti-anti-cheat
| colechristensen wrote:
| This isn't the better question.
|
| When you have software running locally, you can arbitrarily
| modify how it runs.
|
| Like an aimbot is a powerful cheat, and there's no amount of
| security that can prevent one from being used outside of an
| anticheat being able to look deep into what your system is
| doing, what it contains. The only way to prevent that kind of
| thing is to remove your control of your own computer.
| Ekaros wrote:
| And even then you could do an aimbot with a camera pointed at
| the screen and either faking a mouse or providing the sensor
| sufficient data somehow to simulate movement... That is,
| reach super human reaction times and accuracy...
| drdaeman wrote:
| I wish I'd live to see the time of true cyborgs who will
| exceed ordinary human capabilities in some regard.
| jsheard wrote:
| > When you have software running locally, you can
| arbitrarily modify how it runs.
|
| Well, you can on PC at least. Xbox and Playstation security
| has matured to the point that code modification in online
| games isn't really a thing anymore, the worst they have to
| deal with is controller macros most of the time.
| lagadu wrote:
| Until they get jailbroken, that is. There is no such thing as a
| perfectly secure platform in which the user has complete
| physical control over it.
| jsheard wrote:
| The PS4 and PS5 have been jailbroken numerous times,
| _but..._
|
| 1) Their secure boot implementation has never been
| broken, which means you can't upgrade from an exploitable
| version N firmware to a non-exploitable version N+1 while
| persisting a backdoor like you could on older systems
| like the PS3. You're stuck at version N until another
| exploit is found.
|
| 2) They rotate the crypto keys used for online play with
| every new firmware so they can easily lock those old
| exploitable firmwares out of online play for good, even
| if they try to spoof their version number. There's no
| getting around not having the new keys.
|
| Meanwhile the Xbox One took a decade to get even a
| limited jailbreak that allows arbitrary code execution
| inside the game sandbox, but can't escape the game
| sandbox to take over the kernel, and the Xbox Series
| systems have yet to be jailbroken at all on any firmware.
|
| Hypothetically being able to break anything with physical
| access doesn't count for much in practice if the thing
| you want to physically attack is buried inside a <7nm
| silicon die, doesn't trust anything outside of itself,
| and has countermeasures against fault injection attacks.
| The Switch may well be the last big victory for console
| hackers, the writing has been on the wall for years now.
| Matheus28 wrote:
| It's not that simple.
|
| Some games aren't able to prevent cheating. The client has
| the data on where the enemies on their screen are. The cheat
| only needs to move the mouse and click on the enemies heads.
| Other games like MMORPGs involve the cheat just playing the
| game and farming on behalf of the player.
|
| It just becomes a cat and mouse game where the anti cheat is
| trying to detect something hooking into the game process
| while the cheat tries to hide itself.
| drdaeman wrote:
| > MMORPGs involve the cheat just playing the game and
| farming on behalf of the player
|
| From a player perspective that's not cheating, that's
| running a bot. It's automation of a routine grind - which
| is typically designed to make players hate it and spend
| money instead. Automating boring stuff is simply natural.
|
| For pay-to-win games it's effectively a balancing system, a
| pushback against player-hostile mechanics. Not unlike an
| adblocker on the web.
|
| That's strictly in context of MMORPG genre, of course.
| lagadu wrote:
| Because at the end of the day the game is running on the
| user's machine, a machine in which the user has full access
| to every part of the execution and the software developer
| does not. You can only get around that by streaming the game
| instead of running it on the client side and even then an
| aimbot or some type of automation would be possible nowadays.
| GuB-42 wrote:
| Priorities. Games need content and performance. Give game
| developers more budget, and they will work on making the game
| faster, fix game breaking bugs, and add content rather than
| make the game less exploitable.
|
| And cheats do not always rely on exploitable bugs. A bot
| using screen capture and input device emulation works at the
| OS level and in other contexts (ex: accessibility), it would
| be a legitimate thing to do.
| kelnos wrote:
| I think GP's last line covers it. It's the same reason why
| DRM is ultimately ineffective, and why even companies that
| work hard and spend time and money to secure their infra
| still sometimes get popped: the game devs have to be perfect
| 100% of the time, but the cheaters only have to get lucky and
| find a flaw once.
| numpad0 wrote:
| Oh, that's an easy one.
|
| - GOOD software is simple and easy to understand, which
| makes it EASY to cheat.
|
| - BAD software is needlessly complex and finicky, so it's
| HARD to rig it for a cheat.
|
| - Anti-cheats intentionally make software BAD and over-
| complicated, so cheaters would have a hard time modifying it.
| But computers are brittle and also aren't smarter than humans
| so cheaters will eventually find a way.
|
| - Security is a completely irrelevant topic since game clients
| are "bought" and run on your hardware; Digital Restrictions
| Management built to work against you as user is anti-
| consumer, anti-right-to-repair, anti-human, super bad thing,
| and lots of efforts are made to keep PC away from it as much
| as practical.
|
| It has nothing to do with laziness or cost. If anything it'll
| be the best programmed game that gets hacked fastest. And PS2
| that gets emulated last.
| ghxst wrote:
| A very large number of games released nowadays all use
| well-known and well-documented engines; that's what makes it
| a lot easier. There's an interview on YouTube with a company
| that develops cheats for multiple games that mentions this
| here: https://youtu.be/zwruk-tLIOU?si=3O2jBKQneur-n3iS
| ycombinatrix wrote:
| >We Outsmarted CSGO Cheaters by Exploiting the Client
|
| Fixed
| mobeigi wrote:
| The game's the game.
| snarfy wrote:
| For UT2004, you can ban by player GUID (a hash of the CD key) or
| IP. With the game abandoned by Epic, a number of key generators
| have cropped up, which makes GUID bans useless. IP bans only go
| so far with VPNs costing $2 these days.
|
| The main solutions we have today are IP ban + VPN blocking using
| a database of known VPN subnets and adding them all to the
| firewall, and a similar fingerprinting technique which scans
| their folder structure of certain system folders.
| ghxst wrote:
| This still leaves you wide open to cheaters using mobile data
| tethering and proxies. Have you considered more advanced
| network analysis? It's one of the areas I have an interest in
| (professionally and personally) so if you want any suggestions
| let me know.
| kelnos wrote:
| > _This still leaves you wide open to cheaters using mobile
| data tethering and proxies_
|
| Is latency going to be good enough on mobile data (especially
| if they're also using proxies) for a FPS, though? Sure,
| they're using cheating software, but I wouldn't be surprised
| if the software gets the information it needs to cheat too
| late often enough for it to be useful.
| Sayrus wrote:
| Assuming an obvious cheat, even 100ms or 200ms latency is
| unbeatable by a human. Especially since the cheat doesn't
| need time to aim.
|
| Even for non-obvious use-cases, it's hard to beat the
| advantage provided by knowing the position of players.
|
| On my own hotspot, I have less than 30ms of latency.
| ghxst wrote:
| Yes the latency is not nearly as bad as you might think,
| it's comparable to a VPN in my experience, though the
| quality will depend on your location and the available
| connections.
|
| Sophisticated cheats in games like CSGO (and other
| competitive shooters) are usually very subtle, such as
| displaying enemies on the mini-map when they shouldn't be
| visible which provides a major advantage without requiring
| superhuman input, and the added latency is often negligible
| --especially when the info can be relayed to teammates and
| now you essentially have the entire team cheating with only
| 1 player suffering from a bit of increased latency.
|
| And I wouldn't say this is an edge case either as in my
| experience the majority of cheaters I encountered are
| individuals that play on an alt account and offer a service
| to guarantee wins in ranked games.
| jjmarr wrote:
| I regularly played CSGO in Europe because the North
| American ranking system was screwed up.
|
| I got to Supreme (2nd highest rank) with 150 ms ping. The
| people I queued with hit Global.
|
| It's possible to play legitimately with very high ping. The
| higher ping put us at a disadvantage, but the skill gap
| between regions made it worth it to arbitrage.
| Systemmanic wrote:
| What was screwed up about the NA ranks?
| xnyan wrote:
| NA is (or at least was when I played) the most populated
| and visible play zone and attracts a lot of players
| attempting various kinds of rank manipulation. On the one
| hand you have smurfing, which is the practice of a
| relatively high skill player using an account with
| relatively low rank so that they can dominate lower
| ranked players. On the other side you have boosting,
| which is a relatively high skill player ranking up new
| accounts for later sale.
| mouse_ wrote:
| The tactic 4chan uses:
|
| Regular IPs can post freely
|
| VPN or mobile IPs (blacklisted) must pay for a key ($20/year)
| that allows posting from blacklisted IPs. Key is good for
| posting from one blacklisted IP, locked for 30 minutes, so
| users cannot share keys. That way, you can ban the user by
| their key, if their IP is public.
|
| It's not a perfect solution but it seems to be the best
| they've found for such a situation so far.
| ryandrake wrote:
| I mean, in this case it's 4chan so who cares, but I hope we
| are not very slowly moving towards a troubling world with
| lower classes of IPs and upper class IPs. IPs should be IPs
| should be IPs, it shouldn't matter whether it comes from an
| ISP, a mobile network, a VPN, or anything else, and we
| shouldn't attach some kind of IP caste to providers or
| countries. I think we really need Internet-wide IP
| randomization, where you can't just block a /24 or a /16
| because they're in some icky ghetto. Yes, I know there is
| abuse, but if this is the alternative, it doesn't seem
| worth the cost in terms of innocent people losing access.
| kbolino wrote:
| We are already there and have been for a long time.
| Geoblocking is very common for low-effort DRM and abuse
| mitigation, common VPN providers are easy to detect by IP
| but generally frustrate and/or ignore abuse reporting
| (until serious illegal activity is committed), college
| and other institutional networks are often no better than
| VPNs in this regard, etc. The Internet hasn't been able
| to operate as a network of peers at least since it was
| opened up to the public.
| gosub100 wrote:
| Just curious if IP bans work with IPv6 or if they are
| fundamentally incompatible?
| ghxst wrote:
| IP bans are fundamentally flawed since you can't assume a
| static IP in the vast majority of cases anymore, if you rely
| on an IP blocklist then it's inevitable that you will end up
| hurting the experience of a small amount of unlucky but
| innocent players. I suppose this might be more of an issue on
| ipv4 than it could be on ipv6, but really you should always
| expire IP bans to avoid issues like these, or you want to
| combine another data point with the IP such as a hardware ID
| (or a hash of a combination of hardware IDs). Cheaters do
| know this so even if we could assign everyone a static ipv6
| they would likely just disable ipv6 support on their NIC and
| rely on their ipv4 exit ip.
|
| Edit: If you don't think this is an issue I urge you to
| Google "pokemon go belgium ip ban" for a fun rabbit hole.
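As an added example (not code from the thread or from any game server), the combination ghxst describes: an IP ban that expires, paired with a hash over several hardware identifiers that persists, so a reassigned address stops blocking innocent players while the same machine is still caught. The one-week TTL, the identifier names and all sample values are assumptions.

```python
"""Ban store combining an expiring IP ban with a persistent hardware-ID hash.

Added example, not code from the thread or any game server. The IP part of a
ban expires so a later, innocent holder of a reassigned address is not
blocked, while the hash of the hardware identifiers keeps matching the
original cheater. Identifiers and timestamps below are constructed data.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field

IP_BAN_TTL_SECONDS = 7 * 24 * 3600  # assumption: IP bans expire after a week


def hardware_id_hash(components: dict[str, str]) -> str:
    """Hash a set of hardware identifiers into one opaque fingerprint.

    Component names are sorted so the result is stable regardless of the
    order the client reports them in. Only the hash is stored, so a leaked
    ban list does not expose raw serial numbers or MAC addresses.
    """
    canonical = "\n".join(f"{k}={v}" for k, v in sorted(components.items()))
    return hashlib.sha256(canonical.encode()).hexdigest()


@dataclass
class BanStore:
    ip_bans: dict[str, float] = field(default_factory=dict)  # ip -> expiry
    hwid_bans: set[str] = field(default_factory=set)         # no expiry

    def ban(self, ip: str, components: dict[str, str], now: float) -> None:
        """Record both data points for a confirmed cheater."""
        self.ip_bans[ip] = now + IP_BAN_TTL_SECONDS
        self.hwid_bans.add(hardware_id_hash(components))

    def check(self, ip: str, components: dict[str, str], now: float) -> str:
        """Return why a connecting player is rejected, or 'allow'."""
        if hardware_id_hash(components) in self.hwid_bans:
            return "deny:hwid"  # same machine, regardless of current IP
        expiry = self.ip_bans.get(ip)
        if expiry is not None:
            if now < expiry:
                return "deny:ip"  # still inside the ban window
            del self.ip_bans[ip]  # lazy expiry: drop the stale entry
        return "allow"


if __name__ == "__main__":
    store = BanStore()
    cheater_hw = {"disk": "SN-CONSTRUCTED-1", "mac": "00:11:22:33:44:55"}
    store.ban("203.0.113.10", cheater_hw, now=1000.0)
    # Same hardware behind a new IP is still denied
    print(store.check("198.51.100.7", cheater_hw, 1001.0))
    # Innocent player who inherits the address after the TTL is allowed
    innocent_hw = {"disk": "SN-CONSTRUCTED-2", "mac": "66:77:88:99:aa:bb"}
    print(store.check("203.0.113.10", innocent_hw, 1000.0 + IP_BAN_TTL_SECONDS + 1))
```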
| IncreasePosts wrote:
| How about just a whitelist? I can't imagine there are a ton of
| legit ut2k4 players left?
| snarfy wrote:
| Yes, we have a whitelist ability also, but it is definitely a
| last resort. The game is mostly dead and difficult to
| discover for new players. We don't want that roadblock if we
| can avoid it.
| Syntonicles wrote:
| TIL people still play UT2004.
|
| I was going to mention how much I loved that game, until I
| realized I played UT99. Time sure does fly...
| dietr1ch wrote:
| What about banning VPNs?
| project2501a wrote:
| sorry for the not-so-smart question.
|
| the cheats are software, software has certain quirks, like the
| way it aims or the way it tracks. And I'm willing to bet it has
| enough distinctiveness from human aiming to be classified.
| Couldn't a classifier work on the behavior of the cheating
| software itself, rather than use IP bans?
| snarfy wrote:
| It's more effort than it's worth. There are server aimbot
| scanners which do something like this. There are also aimbots
| written to thwart this type of detection, adding delays,
| random drift, etc. It's a cat and mouse game. We don't have a
| lot of players left so it's not that much of an issue.
| treyd wrote:
| This is part of what Valve does in CS. It works pretty well
| but it does have false positives so it requires user
| intervention for confirmation of bans.
| derefr wrote:
| In order to actually catch a cheater mid-match rather than
| long after the match is already over, you'd need the servers
| that players are interacting through to have enough CPU
| grunt-force to do that kind of analysis "faster than
| realtime" -- i.e. for the server's CPU to be able to run the
| game's physics faster than any client can, so it can run the
| physics _with extra math_ in the same time it takes the
| clients to just run the physics.
|
| Which _might_ be something you could guarantee, _if_ the game
| were locked to wimpy console hardware; or if the game had
| minimal CPU physics such that it was effectively never
| running CPU-bottlenecked and there were massive gaps in
| frame-time where even the client CPUs are sitting idle, that
| a server running in lockstep could cram that kind of analysis
| into.
|
| But gaming is a race-to-the-top, hardware-wise. The CPU in a
| gaming rig might not have as many cores as your average
| server CPU, but it's almost certainly going to have higher
| single-core perf.
|
| And part of the reason for that, is that games really _do_
| try to use your whole CPU (and GPU), with AAA studios
| especially being factories for constant innovation in new
| ways to make even the minimum requirements just to run a
| game's physics higher and higher every year.
|
| And if the server _can't_ do "faster than realtime" analysis
| of the streams of inputs of the players, then by queuing
| theory, it'll inevitably get infinitely backlogged -- the
| server keeps receiving new analysis work to do every frame,
| and will fall further and further behind, never catching up
| until new work stops being generated -- i.e. until the match
| is over. And then it'll have to probably sit there for five
| more minutes thinking really hard before spitting out a "hey,
| wait just a minute..." about any given match.
|
| Which is fine if your goal is to ensure that a central
| statistic like match-ranking ELO is calculated correctly, and
| cheaters are banned from the leaderboards. But it does
| nothing to prevent cheaters being _matched with a cheater_ in
| a non-centralized (and therefore non-ELO-based) lobby, if the
| cheaters can just roll up with a new key+IP each match.
|
| ...and that's assuming there even _are_ servers. You can
| forget about any of this working in a p2p context. (Think
| about what a Sybil attack means in the context of a federated
| set of individual tiny disconnected p2p networks.)
| johnisgood wrote:
| > IP bans only go so far with VPNs costing $2 these days.
|
| https://redman.xyz/doku.php/schachtmeister2 was made
| specifically against people using VPNs.
|
| It was made for Tremulous (ioquake3 fork) where people kept
| evading IP bans, but it can be used for any other games.
|
| It is not my project, but I know the author, and I could
| personally fork it and make it suitable for specific (or any)
| games if there is demand for it.
| leetbulb wrote:
| This isn't about stopping cheaters (cheat detection). This is
| about stopping repeat cheaters trying to ban evade. Detecting
| cheats, especially nowadays with hardware cheats (DMA, etc), is
| an entirely different ballgame.
|
| IMHO, one of the most effective ways to stop ban evaders is to
| actually charge money for the game.
| kemitche wrote:
| At the time of the events in the blog, CS:GO was NOT free, and
| yet there were still cheaters that apparently had access to 80+
| accounts.
| connicpu wrote:
| Why pay for the game when you can go to an onion site that
| will sell you hundreds of compromised accounts that own the
| game for a fraction of the price?
| leetbulb wrote:
| That's fair. There will always be cheaters like this.
| However, anecdotally, after CS or any other game I've played
| that went free-to-play, cheaters became a much much larger
| problem: from seeing one every now and again, to at least one
| in nearly every match.
| bob1029 wrote:
| Charging money and banning at the payment provider level can
| be quite effective. It isn't a perfect answer but it cuts out
| gigantic chunks of the problem space.
|
| I'll take a ~99% cheat-free experience over not having any
| improvement at all.
| kemitche wrote:
| Agreed, but in this particular case the blog writer was
| running private servers, rather than being Valve. They had
| no control over payment processing etc.
| lwansbrough wrote:
| I suppose different people are entitled to different opinions
| about fingerprinting, but I reckon it only takes working on a
| single project where this is a real issue for you to change your
| mind.
|
| We do behavioural analysis on top of various fingerprinting for
| bot detection - some people are trying really hard to ruin the
| internet!
|
| I suspect a sufficiently advanced server side behaviour analysis
| could do a pretty good job discovering cheaters.
| ghxst wrote:
| Not at the expense of false positives, though. Sophisticated
| cheat developers and bot creators are skilled at exploiting
| that narrow margin of error where companies can't push
| detection further without compromising the experience for
| legitimate users and destroying their game or service.
| Retr0id wrote:
| > Wonderful, we have found a way to silently persist a cookie for
| each player as they join the server.
|
| This violates GDPR, no?
|
| Edit: It sounds like this took place before GDPR was being
| enforced.
| kemitche wrote:
| GDPR isn't a blanket ban on cookies. You don't require a cookie
| notice for strictly necessary cookies, which you have a
| "grounds of legitimate interest" for:
| https://commission.europa.eu/law/law-topic/data-protection/r...
|
| Fraud prevention is listed as an example of a "legitimate
| interest."
|
| So no, by my layman's interpretation, they would not have been
| bound by GDPR to notify the user of cookies or other
| fingerprinting used solely for anti-cheat. They'd run into
| trouble if they use that same ID for marketing/advertising
| without consent, though.
| Retr0id wrote:
| They're perhaps not required to gather explicit opt-in
| consent, but my understanding is that they'd be required to
| disclose what information they collect/store.
| phire wrote:
| The same rules apply to the steam ID and IP address.
|
| As far as I'm aware, you can get away with disclosing the
| fact that you are tracking "unique identifiers for the
| purpose of anti-cheating" in the terms and conditions,
| without explicitly explaining the technical details that
| it's a cookie.
|
| Also, this is a server covering the Australia/New Zealand
| region, so it doesn't have to worry about GDPR compliance.
| newZWhoDis wrote:
| GDPR is toothless eurotrash.
|
| I saw a consent form that had 72 optional, 21 "legitimate
| interest" cookies.
|
| GFB
| Ylpertnodi wrote:
| That means gdpr is working.
| Joel_Mckay wrote:
| In general, hardware/GPU/MAC signature hash checks are the only
| consistent way to bind player account histories, and even then
| cheats will change their identity with new hardware on fake
| postal addresses. Best to add a few weeks delay with "reviewing"
| ban status to prevent them returning hardware to retailers. Each
| day randomly permute which hardware signature trips the auto-re-
| ban after a random number of minutes.
|
| Cheaters ruin the fun for everyone including themselves. Admins
| need to provide a personal cost deterrent for problem users, and
| randomly hang the game for people using code mods.
|
| Let the ban hammer fall =3
| wnevets wrote:
| I wonder what kind of theories these cheaters invented to explain
| how they were getting caught.
| ultimafan wrote:
| Cheating in online games is a scourge and I really don't
| understand why people do it. It's one person selfishly getting a
| "win" at the expense of ~60 other people in that match having
| their time, pleasure, potentially money absolutely wasted.
|
| I think even more infuriating than blatant hacking is this
| epidemic of "micro cheating" for lack of a better way to put it
| that I've seen prevalent in some games that just boost some stats
| or reactions by amounts large enough to help the cheater but low
| enough where new or inexperienced players have absolutely no way
| of telling if someone is cheating or genuinely good especially in
| games with high skill ceilings. At least when it's blatant you
| can leave without time wasted but when they're doing it subtly
| you end up getting tilted and spending the whole match with a bad
| taste in your mouth second guessing if someone is actually
| playing fair or not. Chivalry 2 is a really bad offender for
| this, once you notice it you can't unnotice it anymore, almost
| every match will have at least one guy with his swing/move speed
| adjusted by ~10% and in a game where swing manipulation is a
| legitimate mechanic it can be borderline impossible to catch
| someone out on it unless you're really paying attention.
| daghamm wrote:
| Cheating is also big business. Players can pay big bucks to
| rent (!) a cheat.
|
| IIRC there is an episode on darkness diaries podcast about
| this.
| avree wrote:
| This link is 404ing for me. Anyone else?
| notwhereyouare wrote:
| seems like the whole site is 404'ing
| mobeigi wrote:
| If the website is down or slow and you want to read the article,
| here is a full page screenshot of the post:
| https://i.imgur.com/SPp6IHX.jpeg
|
| Sorry :'( I didn't expect the post to get this much traffic.
| codefined wrote:
| > I only shared the solution and technique with one other server
| operator I fully trusted based in the UK
|
| I think that was us! We ended up combining it with other
| fingerprinting indicators, but the whole 'use VGUI' was a
| surprisingly effective way at handling this. I believe they
| removed the web browser in ~2018, which was disappointing. Being
| able to have custom skill trees / fun integrations with servers
| was really powerful!
| kjkjadksj wrote:
| Couldn't you stop cheaters by just looking at how their telemetry
| metrics are different from the baseline? If you get to a point
| where the cheater has to cheat to only be as good as a median
| player in the lobby in order to evade detection, you've
| effectively neutered it.
___________________________________________________________________
(page generated 2024-10-16 23:00 UTC)