Game Developers Cracking Down on Cheating

Hector73 writes "ZDNet has an article discussing a growing concern for the makers of on-line video games. Cheaters and trolls are making it harder for casual users and newbies to get hooked on the on-line versions of games. Considering that on-line gaming may become the major revenue source for game makers over the few years, maybe they will actually do something about it."

A perfect world?

[bahtama]

Let's see. We have a world where most people behave themselves, except for a small minority that run around stealing and causing problems. Yeah, that sounds so strange and alien!

The bottom line is that there are cheaters in every aspect of life, whether it be real or virtual. Game companies, much like governments, can only do so much. The rest of the problems people just have to live with. Virtual worlds will never be perfect and people will always try and ruin someone else's day.

Re:CS 1.4

[Dimensio]

Why not inform Valve of this and give them the hacked opengl files so they can add it to their checksums?

Which Is Only Half Of It

[EXTomar]

Because nothing guarentees the data getting to their carefully guarded servers is valid if their communication protocol is weak.

Aim cheats have nothing to do with server stored data. It all has to do with the fact the classic protocols requires all players in the field to tell all other players in the field their positions in the field. If you can snoop the positions of people then you can calculate an accurate "from the hip" shot with merciless robotic accuracy. If an aim cheat isn't possible, then you can just snoop the data and realize where the other players are hiding and their positing.

The way to beat cheaters is to apply tried and true security practices. Don't trust that the machine on the other end of the connection is really a client(so don't feed it any extra data beyond what it should need to know to function). Don't blindly accept any data coming back from supposed clients(does the client really have "permission" do what it is telling the server to do?).

Protecting the data is a good thing but just like server farms just locking the machines behind a door isn't enough. You have to secure the lines of transmition as well.

Re:They need to

[Bonker]

They need to take cheats out of the game all together.

That works real well until you realized that many players cheat by unfairly reading information with a different application or proxy.

A good example of this is the 'aiming' proxy, which is a proxy application that sits between your FPS client and the server. The proxy parses the packets sent beteen client and server. Since the client is responsible for telling the server what actions you make and the server is responsible for telling the client what all the other players are doing, the proxy applies a little bit of math to the two pieces of information and 'corrects' your shot so that it hits another player despite where you really aimed.

Unless your game can somehow telepathically guess where the players are, there's no real way to hide this information from the client. Encryption strong enough to prevent a reasonable crack is too math intensive to run at the same time, meaning that hard encryption just isn't the answer.

There are apps out there for all the FPS servers that attempt to detect this sort of thing, but most of them work by checking ratios. If you happen to get luck and exceed the ratio of possible good shots to bad shots, you're tagged as a cheater.

If you can read the client-server data stream, you can cheat.

That's why the answer to cheaters lies not only in designing applications to prevent cheating, but allowing players to flag cheaters and bump them from the game.

In MMOG's, this means that GM's should respond quickly, intelligently, and decisively to player complaints. In smaller scale actions, players should always have a 'cheater' button that allows them to collectively police the game by booting and banning malicious players.

There's only one solution

[Rogerborg]

And it's the one that the designers of the open source multiplayer action game Netrek figured out from day 1. You accept that the clients will be compromised, and you design your server and your network model appropriately.

It's only very recently that commercial games developers are even beginning to understand this, and they're still not getting it right. For example, Counterstrike now attempts to check that your opengl.dll is correct. Fine, but that still relies on the client being uncompromised and reporting the correct number. That's a small barrier for a crackers with a hex editor.

They really need to get it through their heads: you can't trust the client. Every packet that comes in has to be assumed to come from a borg or robot client, and dealt with accordingly. What this means in practice is:

• The server has the final word on the world state. It accepts only requests for actions from the client, not state data, and it verifies that the client is in a state that it should be requesting this action. If that means that it rejects valid actions from a human player experiencing lag, tough, that's the cost of trust.
• The server sends only the information that each client needs to know. The Netrek server sends position, heading and speed information to clients, but only if there's a friendly unit close enough to scan them, less frequently for distant units, and when it sends information about cloaked units it lies, so that even if you hack the client to display cloaked units, you end up displaying an infrequently updating image of where they might be, which can sometimes be more of a hinderance than a help. All this requires extra processing on the server. Tough. Hardware gets cheaper by the day. Sometimes it means that clients miss out on information, and see things appearing and disappearing. Again, you have to accept that as a necessary price to pay.
• You design your game so that perfect execution doesn't guarantee you perfect results. Unlike the rail gun in quake, for example, in Netrek if you fire perfect vector torpedoes aimed precisely where your target is going, a decent human player will dodge them nearly every time. Instead, you have to use your (human) skill and judgement to decide where your (human) target will dodge once you fire, and fire where he's going to go, not where he was going. Or you fire where you don't want him to go, for strategic purposes. A netrek client firing perfect vector torpedoes is actually a liability against clued players!

This isn't theoretical. I wrote a 'borg client for Netrek (bypassing the pretty darn good RSA binary check that still surpasses that in many commercial games), and found that it gave me at most a marginal advantage. It hardly effected my combat ability at all, and it made only a slight improvement to my strategic ability (by recording the limited information it received and making best guesses about what was actually going on in the game state). It certainly didn't spoil play balance like many FPS hacks do, and it didn't require any server fixes, because I simply could not exploit it very far to start with.

The reason why the Netrek developers understood all this was that it was open source (so it was trivial to hack up a client), and also that servers developers were somewhat separate from the client developers. The server developers could dictate the architecture and packets and the client developers had to work with what they were given. Contrast that with the way that commercial games development tends to get done, with the same people writing both server and client, with a mandate to get it working as quickly and easily as possible.

If I was back in commercial games development, this is the first change I'd make: separate the server developers and client developers, and only let them communicate through the code - and with the server guys calling all the shots. That sounds inefficient, but if you don't make the effort early on, you'll damn well have to do it later, once the problems are out there in the field. We need to fix the attitude endemic in commercial games development that there's never time to do it right, but always time to do it twice.

My cheating experiences

[icey5000]

First off, I'll start by saying that I AM a casual online gamer and have had a number of bad experiences with cheating. In fact, I ONLY play with direct connections to friends because of these problems. Quite frankly, I have been burned badly enough and often enough that I WILL NOT go online to play in a public game -- whether it is free or not. I've tried many times and have given up -- this really sucks since it seemed to have great potential. Here is why...

My first online game experinces was on Yahoo Games. It looked interesting: meet new people, have some fun. I was a newbie, and so, went to the newbie area. I a game of cards seemed like fun but was dropped out of the game (lag). When I returned to the server I was chased and verbally harassed (with swears) through 3 other card games. I've never been back... and will never go back.

Sometime later I regained my curiosity and thought I'd try Diablo online. Foolishly I took a high level character (can't remember how high, but had made it to hell difficulty) online and was killed instantly (twice! once in town!). I didn't know anything about 'hacks' then and persisted thinking this was due to server lag (or bugs). Then all of my equipment was stolen after a healing spell was cast on me. No backups, so goodbye all the effort. That was my last Diablo I game online.

The pattern seems to repeat itself with frightening regularity: Quake II: dead, dead, dead and dead again), Unreal Tournament: similar to Quake, Starcraft: rushed (after making no rushing agreements) and had defences repelled by infinite numbers of enemies and attacks that failed even with overwhelming technical and numerical superiority, AOE 2: faced impossible tech advances and armies, Diablo 2: PK'd in no-pk mode. The list goes on.

I make no claims to be an expert player in these games and would have no problem being beaten by a better player -- I find that's often the best way to improve! But, I have taken efforts to use the newbie areas to find other newbies to play with. Unfortunately, cheaters look at these areas as their playground too!

I give up. Too bad, it could have been fun.

Re:Taking it too serious...

[JohnCub]

Online, the "newbie" or "novice" channels seem to be full of experts getting their jollys off by fragging inexperienced players. Tell me, how is *that* not cheating?

I understand what you are saying here and I call this "dirty playing" but not cheating. Cheating is running a program / plugin / etc that specifically allows you an advantage. I've never become very good at any online games, though I have tried from time to time, specifically in the Half Life (and mods) areas. When I suspect someone to be cheating I go into spectator mode to see if they are just hella good or if they are walking through walls. When they are walking through walls or making shots that are simply unbelievable (through the wall, through the post behind the wall, straight between the center of the eyes), I give up. I can accept being owned by a better player. I cannot play if I am being owned by a cheater.

And in that case, the odds of me using my personal purchasing power to get another online game? Not gonna happen. Who is left to suffer from this? Well, the cheaters have one less PLAYER to kill and the game companies won't be getting their part of the purchase price from my wallet.