The fact that companies think client side anti cheat is a good idea is so insane. Maybe try designing your server better instead of blaming the operating system for not letting you control your users
Genuinely curious, because this isn’t my area of expertise, but how do you design a server to be “better” if it has to trust data from a remote client?
Example, if the client is compromised - because as they’ve said, they have no way to “attest” that the kernel is not compromised - how would the server know any better?
If my Apex client tells the server I got a perfect headshot, how would the server know I didn’t fake the data? Is there a real answer to this problem or are we just wishing they come up with an impossible solution?
My general understanding is that EA is 100% correct. Now, on the other hand, maybe the should just limit plays between Linux <-> Linux so people can at least still enjoy the game (I’m moving to Linux soon so I’ll basically no longer be able to play the game, which is, as my primary gaming addiction, a huge loss I’m willing to take).
There’s compromises EA could take, but I think the Linux market share is just too small for them to care to spend any resources - even though they’re raking in billions (~$3.4 Billion) and could spare a few resources to find a good middle ground. Capitalism at it’s finest.
Right, but the server is still receiving data from the client. If the client sends a plausible head shot, even though it was actually a miss, how would the server know? You still need client-side “police”, AKA anti-cheat software to mitigate a significant type of software-based hacks.
Now that I’ve typed it out, cops are actually a great analogy to anti-cheat software. Cops play the exact same role. Nobody wants them around until a crime has been committed. Cops/anti-cheat software don’t catch everyone, but the threat of being caught mitigates some crime/hacks, and for the cases where criminals/hackers are caught, society/gamers are better off for it.
In closing ACAB - I completely understand why we don’t want anti-cheat software on our computers, but there really is no better way; or if there is, I still haven’t heard it.
If my Apex client tells the server I got a perfect headshot, how would the server know I didn’t fake the data?
Any game that works like that is fundamentally flawed and AC is nothing but an attempt at a cheap bandaid at best.
The client should be doing nothing but rendering and sending player actions to the server and the server should be managing the game state as well as running its checks on those actions. And when one client sends actuons that are weird and doesn’t line up with it’s internal game state it should kick the client immediately always deferring to what ITS game state is telling it, not the client.
And when one client sends actuons that are weird and doesn’t line up with it’s internal game state
What if my hacked client sends actions that are not weird, completely plausible, but didn’t happen and instead were faked? E.g. I take a headshot and would have missed, but my client sends data that I actually shot them dead center, because I wasn’t completely off? How would the server know it wasn’t me?
It is exactly that simple. You already have to account for latency because everyone but one player (who you also can’t trust no matter how many rootkits you install) is not the server. Having a proper server doesn’t change that in any way.
Client side validation cannot possibly provide any actual security, but even if that wasn’t the case and it was actually flawless, it would still be unconditionally unacceptable for a game to ever have kernel level access.
Client side validation cannot possibly provide any actual security
Except it already does.
but even if that wasn’t the case and it was actually flawless
Nobody is claiming its flawless. This is the same anti-seat belt, anti-air bag, anti-mask, anti-vax argument. It “DoEsn’T WoRk iN eVeRy CaSe!” - that was never the intent. It’s about harm reduction.
it would still be unconditionally unacceptable for a game to ever have kernel level access.
Anyone with a technical background would agree with you, as do I, but the reality is anti-cheat software with kernel level access already exists and it works specifically because it has kernel level access.
No, it doesn’t. Cheating is still incredibly common on games that install malware. If people care enough to cheat, they will cheat whether you have kernel access or not. It doesn’t make a dent. They use it for the exact same reason they use DRM. Because they can.
It also can’t possibly theoretically “reduce harm” when every single installation on every individual computer is many orders of magnitude more harm than all cheating in every game ever made.
No, it doesn’t. Cheating is still incredibly common on games that install malware
I never claimed it’s flawless or that it works in all cases. Think of it like antivirus software. Does it catch every and any malware that has and will ever exist? No. Does it still work to minimize all kinds of “bad shit” for normal end users? Yes.
If people care enough to cheat, they will cheat whether you have kernel access or not.
Lets rephrase that: If people care enough to commit crimes, they will commit crimes whether you have cops in your city or not - Your statements logical conclusion would be to get rid of police and crime investigators. Does that sound reasonable? It shouldn’t, and it doesn’t make sense against anti-cheat software for the exact same reason.
They use it for the exact same reason they use DRM. Because they can.
They use it because it solves a real-world problem that’s unsolvable by other means. There’s no real alternative because you have to trust the end-user, who, although may not be very likely to cheat, makes it extremely easy for a bad person to spoil the fun for everyone else.
I would love to live in a fantasy world where we don’t need cops, a government, rules, regulations, and anti-cheat software, but there are bad apples that will spoil the fun for everyone.
It also can’t possibly theoretically “reduce harm” when every single installation on every individual computer is many orders of magnitude more harm than all cheating in every game ever made.
I mean “reduce harm” in the strict sense of spoiling the fun in gaming. vulnerabilities happen with all software, this isn’t unique to anti-cheat.
It doesn’t meaningfully impact the rate of cheating at all. You’re making the deluded assumption that it does something despite a complete absence of evidence to support it. It’s a complete fabrication with no connection in any way to the real world.
It is not security. It does not in any way resemble security. It’s pure theater that catastrophically compromises the actual security of everything it touches.
Yes, people can still cheat with a camera and manipulating inputs. There will never be a way around that.
But that’s entirely unchanged by adding malware, that, even if it could theoretically work, should be a literal crime with serious jail time attached. Client side validation is never security and cannot resemble security.
There are lots of options such that you can tune your false positive/negative rate. 🤷♂️ Tons of ways you can structure this depending on your game’s tech.
No options that resemble legitimate or evidence based in any way.
If a computer has the exact same input and output tools as a human, you cannot possibly do better than guessing. It is a literal certainty that you will ban legitimate players doing nothing wrong for being too good if you try, and it’s unconditionally not acceptable to do so.
How do they know you haven’t trained an AI to get headshots? The cheats often break the bounds of what is realistic in games, whether it is allowing you to see through walls (server shouldn’t be sending enemy positions that aren’t in view), going too fast (server should speed check pplayer positions), getting items they shouldn’t have (server should do inventory sanity checks), etc. Other than that, look for signs of automated movement/things unrealistically precise for a human to do. Eventually the cheating will just be moved to a separate air gapped computer running AI on the video feed. Client side is an invasive, broken, and malicious concept.
Well thank god this computer genius is on the scene. Don’t worry, EA can solve everything as soon as they hear about these great and very original ideas.
Just tracking trended data in general would be sufficient to defeat a LARGE number of common cheats. One of the very few use cases “AI” might actually work for in a positive way. But that puts the burden on the developers and server hosters, and it’s much easier to just burden the players directly instead.
The fact that companies think client side anti cheat is a good idea is so insane. Maybe try designing your server better instead of blaming the operating system for not letting you control your users
Genuinely curious, because this isn’t my area of expertise, but how do you design a server to be “better” if it has to trust data from a remote client?
Example, if the client is compromised - because as they’ve said, they have no way to “attest” that the kernel is not compromised - how would the server know any better?
If my Apex client tells the server I got a perfect headshot, how would the server know I didn’t fake the data? Is there a real answer to this problem or are we just wishing they come up with an impossible solution?
My general understanding is that EA is 100% correct. Now, on the other hand, maybe the should just limit plays between Linux <-> Linux so people can at least still enjoy the game (I’m moving to Linux soon so I’ll basically no longer be able to play the game, which is, as my primary gaming addiction, a huge loss I’m willing to take).
There’s compromises EA could take, but I think the Linux market share is just too small for them to care to spend any resources - even though they’re raking in billions (~$3.4 Billion) and could spare a few resources to find a good middle ground. Capitalism at it’s finest.
Because the actual calculations aren’t done by the client but the server, or they should be
Right, but the server is still receiving data from the client. If the client sends a plausible head shot, even though it was actually a miss, how would the server know? You still need client-side “police”, AKA anti-cheat software to mitigate a significant type of software-based hacks.
Now that I’ve typed it out, cops are actually a great analogy to anti-cheat software. Cops play the exact same role. Nobody wants them around until a crime has been committed. Cops/anti-cheat software don’t catch everyone, but the threat of being caught mitigates some crime/hacks, and for the cases where criminals/hackers are caught, society/gamers are better off for it.
In closing ACAB - I completely understand why we don’t want anti-cheat software on our computers, but there really is no better way; or if there is, I still haven’t heard it.
Any game that works like that is fundamentally flawed and AC is nothing but an attempt at a cheap bandaid at best.
The client should be doing nothing but rendering and sending player actions to the server and the server should be managing the game state as well as running its checks on those actions. And when one client sends actuons that are weird and doesn’t line up with it’s internal game state it should kick the client immediately always deferring to what ITS game state is telling it, not the client.
What if my hacked client sends actions that are not weird, completely plausible, but didn’t happen and instead were faked? E.g. I take a headshot and would have missed, but my client sends data that I actually shot them dead center, because I wasn’t completely off? How would the server know it wasn’t me?
Your core premise is broken. Relying on trusting anything from a remote client cannot possibly result in a fair game.
It’s not that simple. Especially not for real time shooters, latency is a killer.
It is exactly that simple. You already have to account for latency because everyone but one player (who you also can’t trust no matter how many rootkits you install) is not the server. Having a proper server doesn’t change that in any way.
Client side validation cannot possibly provide any actual security, but even if that wasn’t the case and it was actually flawless, it would still be unconditionally unacceptable for a game to ever have kernel level access.
Except it already does.
Nobody is claiming its flawless. This is the same anti-seat belt, anti-air bag, anti-mask, anti-vax argument. It “DoEsn’T WoRk iN eVeRy CaSe!” - that was never the intent. It’s about harm reduction.
Anyone with a technical background would agree with you, as do I, but the reality is anti-cheat software with kernel level access already exists and it works specifically because it has kernel level access.
No, it doesn’t. Cheating is still incredibly common on games that install malware. If people care enough to cheat, they will cheat whether you have kernel access or not. It doesn’t make a dent. They use it for the exact same reason they use DRM. Because they can.
It also can’t possibly theoretically “reduce harm” when every single installation on every individual computer is many orders of magnitude more harm than all cheating in every game ever made.
I never claimed it’s flawless or that it works in all cases. Think of it like antivirus software. Does it catch every and any malware that has and will ever exist? No. Does it still work to minimize all kinds of “bad shit” for normal end users? Yes.
Lets rephrase that: If people care enough to commit crimes, they will commit crimes whether you have cops in your city or not - Your statements logical conclusion would be to get rid of police and crime investigators. Does that sound reasonable? It shouldn’t, and it doesn’t make sense against anti-cheat software for the exact same reason.
They use it because it solves a real-world problem that’s unsolvable by other means. There’s no real alternative because you have to trust the end-user, who, although may not be very likely to cheat, makes it extremely easy for a bad person to spoil the fun for everyone else.
I would love to live in a fantasy world where we don’t need cops, a government, rules, regulations, and anti-cheat software, but there are bad apples that will spoil the fun for everyone.
I mean “reduce harm” in the strict sense of spoiling the fun in gaming. vulnerabilities happen with all software, this isn’t unique to anti-cheat.
It doesn’t meaningfully impact the rate of cheating at all. You’re making the deluded assumption that it does something despite a complete absence of evidence to support it. It’s a complete fabrication with no connection in any way to the real world.
It is not security. It does not in any way resemble security. It’s pure theater that catastrophically compromises the actual security of everything it touches.
Too bad the server at least needs the player input data.
Yes, people can still cheat with a camera and manipulating inputs. There will never be a way around that.
But that’s entirely unchanged by adding malware, that, even if it could theoretically work, should be a literal crime with serious jail time attached. Client side validation is never security and cannot resemble security.
There are ways to detect and stop that, but they can and should happen on the server, not on the client.
Only if you’re OK banning real people.
There are lots of options such that you can tune your false positive/negative rate. 🤷♂️ Tons of ways you can structure this depending on your game’s tech.
No options that resemble legitimate or evidence based in any way.
If a computer has the exact same input and output tools as a human, you cannot possibly do better than guessing. It is a literal certainty that you will ban legitimate players doing nothing wrong for being too good if you try, and it’s unconditionally not acceptable to do so.
How do they know you haven’t trained an AI to get headshots? The cheats often break the bounds of what is realistic in games, whether it is allowing you to see through walls (server shouldn’t be sending enemy positions that aren’t in view), going too fast (server should speed check pplayer positions), getting items they shouldn’t have (server should do inventory sanity checks), etc. Other than that, look for signs of automated movement/things unrealistically precise for a human to do. Eventually the cheating will just be moved to a separate air gapped computer running AI on the video feed. Client side is an invasive, broken, and malicious concept.
Well thank god this computer genius is on the scene. Don’t worry, EA can solve everything as soon as they hear about these great and very original ideas.
Just tracking trended data in general would be sufficient to defeat a LARGE number of common cheats. One of the very few use cases “AI” might actually work for in a positive way. But that puts the burden on the developers and server hosters, and it’s much easier to just burden the players directly instead.
do you expect them to use data to fix their problems?