Slashdot Mirror
Game Developers Cracking Down on Cheating
Hector73 writes "ZDNet has an article discussing a growing concern for the makers of on-line video games. Cheaters and trolls are making it harder for casual users and newbies to get hooked on the on-line versions of games. Considering that on-line gaming may become the major revenue source for game makers over the few years, maybe they will actually do something about it."
This is precisely why Microsoft announced that all of the Xbox's online games will be run off of Microsoft controller servers. They've seen how cheating can rapidly cause a subscriber base to shrink. By controlling everything themselves they hope to limit the damage done by those looking for ways to cheat. I imagine that just in case anything should go wrong, this means frequent backups that can be restored upon a users requests.
"Chances of RHIC-induced Armageddon are exceedingly rare, but... you never know." - MIT Physicist Bob Jaffe
How long would Tiger Woods put up with the PGA if people took a mulligan any time they wanted?
When I buy a game, I'm purchasing the entertainment. If you're on there with autoaimers or speed-up cheats, you're taking my entertainment away.
I'm all for people having the right to cheat as long as they're clearly labeled as such. Heck, that might be interesting to have an all-cheaters league. Let the best cheater win. Keep them out of the other normal games.
Designers should write in the ability for users to vote off other people they think are cheating. Usually it's obvious that certain people are cheating and so some mod writers for games like Counter Strike have already written this in. If enough people vote that someone is cheating, they will get booted.
This should be taken a step further though. If a cheater has been booted off a server a certain number of times, their cd key should be revoked or temporarily disabled from the master database. Then they won't be able to play online anywhere instead of simply moving to another one of the 1000's of servers.
The problem is this could be abused. People could vote against a player that just happens to be really good, but from all the games I have played the really good players almost never get booted off. It's always the real obvious cheaters that get voted off.
Outdoor digital photography, mostly in New Engl
The fact is that games can not simply act as a glorified frame buffer and transmit keystrokes and mouse movements to a centralized server and then display the results with minimal computation on the client side.
To get around the limits of network connectivity available to vast majority of people developers have to allow the client to render the graphics and interpret the input and then send back the minimum that is needed.
While we all know that open source generally increases security, when you're dealing with people who are trying to abuse features you can't let them know all your secrets. Open source security assumes that the people working together want access to each other, but want to keep others out. The game security model assumes you want to let anyone in, but keep them from doing bad things.
Thus unless you move all potentially abusable functionality to the server side, open source gaming will be limited except for games which tolerate low bandwidth and slow ping times.
Nascantur in Admiratione. (Let them be born in Wonder)
Well, we have seen valve put in code with Counterstrike 1.4 that checks to see if your opengl.dll is correct, to stop people with cheats like OGC. However, this sucks for all those using wine, becuase wine uses a hacked version of opengl to run windows games in linux. I've been cs free for about a month now, as a result.
The real irony is, wine will not load cheats (as far as I can tell), so people using wine cannot cheat. I had a similar issue with Cheating-Death.
=================
Unix is very user friendly, it's just picky about who its friends are.
The bottom line is that there are cheaters in every aspect of life, whether it be real or virtual. Game companies, much like governments, can only do so much. The rest of the problems people just have to live with. Virtual worlds will never be perfect and people will always try and ruin someone else's day.
=-=-=-=-=-=-=-=-=
Oh bother.
The main problem is that there is actually a rather strong, organised group of people out ther ewho distrubite exploits and hacks for online games, considering it their 'right' to cheat because they purchased a copy of the game. The problem is that when they do this they fail to take into consideringation the position of the other people who's gaming experiences they're wrecking.
Of course.. the difference between Man and Beast, when you get down to it, is being able to think about things frm someone else's point of view, so when you think about it, this shows you something about the mental state of the organised online cheater.
Even a Chimp can think about something from someone else's perspective...
The fundemental problem is that the game itself lies on the clients computer.... It is completly unfeasable to secure that program once it has been taken out of the shrink wrap...
Sure you can require frequent patches to fill the holes after release. Or maybe require a check-sum of critical files to play. Etc, Etc... But, there will always be people that are willing to figure out ways to by-pass it.
Just like computer security in general. You trade amount of security to functionality.
Heck. I remember when I had snake on Qbasic. I was 6 and had no clue about programming. But, I realized that Player1_Lives = 5 means something and I wanted to change it.. I understand that this is an oversimplified analogy that is completely missing the multiplayer side but, people will always want something for nothing and this is a way they can do it.
Probably the only way to completly secure a game from cheating is to make the client side as thin as possible but, of course the trade off is the server would have to work extremely hard (already a problem now, with server's designed as the thin ware)....
As solution will work itself out eventually.
I've played my share of online games, from the simple telnets to the varied mmorpgs. Technological and admin based solutions never seems to adequately solve any real poroblem.
You can boot players, ban IPs, reprimand, close servers, but the miscreants always find a way back in, because its an enjoyable game to them... annoying others.
The only viable solution I've ever come across is the social stigma. This method of self-regulations fails if the game doesn't implement a system of reliance on other players though. As long as several players are needed to band together to achieve certain goals, social stigma works.
Picture a mmorpg where you need 3 other players to help you defeat a certain barrier. There's no other way, its part of the game structure. If you're a cheater, others won't help and you're limited in your game play. Where's the fun now?
Game builders have to be aware that cheaters exist and really strive to construct game play in such a manner where players can self-regulate like that. Admins and code-limitations never seem to solve the real problem.
I can see you you can crack down on cheating, most people don't like it, and would support that kind of action, but Trolls? How could you ever crack down on that without censureing(sp?)? I personaly like the /. method of moderation, because all the posts still show up, but we can choose how much crap we want to see. But how can you implement that in a real-time senerio? I don't see how without using server-side filters which people will object to, or client-side filters which has already been done before.
Sigs are out of style, so I'm not going to use one...oh wait..
Games with huge numbers of people like EverQuest will suffer from a certain number of bad apples, just like the real world. They're ultimately going to need to rely on policing, technology can't solve everything.
Fortunately, many games don't have huge numbers of players. Quake games peak at a few dozen. Even as small scale games grow, there are practical limits that will keep size down.
There is a partial solution I haven't seen implemented yet: trust networks. To play, you generate a public key and share it with all of the other players. As you play, you mark other players as being friends. (You can also blacklist them, but it's easy for the other person to create a new identity, so it's only a very small part of the solution.) When you mark another player as a friend, your client provides them with a signature proving that you marked them as such. Then based on these networks of trust you can make judgements about who to play with. When you create a game, you might limit it to "my friends, my friends' friends, and 3rd generation friends if they have at least three references from 2nd generation friends." Maybe you leave a spot or two open for anyone to hop in on as a way to make new friends (and if they're a punk, you and your friends can blacklist him quickly).
This will make it harder for truely new people to make initial friends. Many gamers will know at least a few real-life friends who can give them a hand up. For the rest, they'll regrettably have to spend some time learning who they can trust. It's a shame, but it's just like real-life.
There are few details I'm admittedly handwaving (key revokation, special case exceptions), but they're all solvable problems. I'd really like to see a system like them when I play Quake, Half-Life, Diablo II, or Dungeon Siege online.
Dongles, in the historic sense have been cracked/emulated a long time ago.
A great sound editing software for the Mac was Power Tools. Originally package with a dongle to prevent piracy. The dongle was emulated about 24 hours after the release of the product.
Now though with the cheap USB storage devices hitting the market the concept of dongles might come back. Although the only way to truely secure it would be with a strong cryptographic code to secure both the device itself and the traffic between the device and the software. Althogh you still come down to the fundemental problem that the information is still passing through the users computer and is open to sniffing and cracking.
Securing end client software has always been an extremely difficult problem to solve....
From the article (ya know, that thing you should read before commenting on its contents):
Kick. Ass. I know nothing about this company or their games, but I like them already.
You cannot apply a technological solution to a sociological problem. (Edwards' Law)
Cheaters do have a right to ceat, on their own servers.
What pisses us all off isn't so much cheaters, as it is deceptive cheaters that try to take advantage or ruin other peoples' fun. Ceating is easy in almost all games where there is any client software at all. I would oppose any game that tried to prevent my use of my computer just like I oppose any os or application that tries to monkey with my computer.
This problem is very difficult to solve because all a player needs to do is outsmart dumb software. That's pretty easy. Everybody knows when someone is using a headshot bot in counterstrike, but it's a little tougher to notice cheaters who pay attention to who is watching and how obvious they are being. I quit playing CS because of cheaters.
Blizzard beat most of the maphack/exploits on StarCraft just by continually patching the software. I think CS and Half-Life should take a hint. Modify the code so that people can't exploit it... often. It's tedious to stack traces for exploitable code, and if the code changes frequently then it becomes very very tedious.
My $0.02 will always be worth more than your â0.02, so
Because nothing guarentees the data getting to their carefully guarded servers is valid if their communication protocol is weak.
Aim cheats have nothing to do with server stored data. It all has to do with the fact the classic protocols requires all players in the field to tell all other players in the field their positions in the field. If you can snoop the positions of people then you can calculate an accurate "from the hip" shot with merciless robotic accuracy. If an aim cheat isn't possible, then you can just snoop the data and realize where the other players are hiding and their positing.
The way to beat cheaters is to apply tried and true security practices. Don't trust that the machine on the other end of the connection is really a client(so don't feed it any extra data beyond what it should need to know to function). Don't blindly accept any data coming back from supposed clients(does the client really have "permission" do what it is telling the server to do?).
Protecting the data is a good thing but just like server farms just locking the machines behind a door isn't enough. You have to secure the lines of transmition as well.
Still doesn't solve the problem. Even if you have a dongle, then you write some code that sits inbetween the dongle and the network that injects cheated packets and info to the server or lets you see more, etc...
(as a side note, all usb devices use more cpu then they should)
You will always be able to reverse engineer the protocol, it will just take more and more effort to do so..
Could encrypt the network packets as you send them, but someone can still patch the binary of the game to inject bad data into them.
Could encrypt the instruction code for the network play, until a valid key is obtained from a server, but then it has to be decrypted sometime, probably ahead of time to be good. Maybe if they implemented a hardware feature where you could give the processor an encryption key, and sent it an encrypted instruction stream, it would decrypt it on the fly. That would be hard to decrypt, unless the attacker were to get ahold of the key, then they could decrypt it.
Any way you look at it, someone, somewhere will be able to figure out a way around it. Social solutions are a much better way to solve the problems of cheating.
I play a lot of online MOHAA and trolls are as much of a problem as cheaters.
One of the most realistic ways to play MOHAA is with friendly fire on -- you have to know where you're chucking grenades and so on. However, it's nearly impossible because trolls will kill most of the team right at the spawn point. Some trolls block tight passageways or just play obnoxiously. In a full 8-user server, two trolls on one team can shift the balance of power so far its just not any fun.
Then there are cheat trolls that combine cheats with trolling behavior (noclipping under the road and killing people, for example) to be seriously obnoxious.
I don't know how you combat this, really. I think the best way would be enabling a kickban command that would kick a user from the server and then ban their IP, username, or both for a specified period of time. Banning IP blocks might be an option as well.
I know, I know, NAT, DHCP pools, etc etc will lessen the effectiveness of such techniques, but if you make it just annoying enough to troll people might stop and go back to making prank phonecalls or whatever they did before they messed with games.
TV Network cracking down on Tivo commercial skipping: bad
Microsoft cracking down on security hole advertisers: bad
AT&T cracking down on cable theft: bad
Game developers cracking down on cheating: good
To summarize:
Minority restricting a majority: bad
Majority protecting itself from minority: good.
Best introduction to the subject I've seen. Has things for everyone to think about and this was two years ago. I think games coming out now will have at least all these cheat prevention measures in them.
development.lombardi.com
Proxy cheats require 2 computers: the one you game on and a proxy that you connect to the server through. The proxy keeps track of what's going on in the game by analyzing the packets that get sent through it. It then makes adjustments (ie aiming corrections) to the packets as they are sent out to the server. This in no way involves breaking into the server.
The common transparency cheats are to a) replace the textures used on the walls with translucent/transparent ones or b) hack your video card's drivers. Neither of those affects the server in any way.
There's a multitude more of these types of cheats. I know because I used to run a decent Half-life and Counterstrike server. I got so depressed at the prevalence of cheating (and cheating accusations), I shut down the server and very rarely play any online games.
Monday is a horrible way to spend 1/7 of your life.
A little cryptography plus a net of trusted compilers (as in people, not gcc) who produce signed binaries goes a long way. See Netrek, for instance -- most servers will boot you if you're not using a 'blessed' binary as determined via an RSA-based challenge. You can create modded clients all you want and unleash them on anything-goes servers; but while it's almost certainly possible to play on a blessed-only server, it'd be a hassle and isn't often done (e.g. rig a program to monitor the socket and redirect the authentication challenges to the 'blessed' binary, and otherwise send the data to the modded client).
Only the dead have seen the end of war.
The moral of the story? Cheating not only hurts the newbies who want to get into some online games, but also hurts those of us who play often and occasionally show a glimmer of skill.
"I'm a leaf on the wind. Watch how I soar."
-Hoban Washburn
How can Microsoft turn its back on cheating? I mean, cheating, lying and stealing, that's how they got where they are today!
Please, Microsoft, give us the freedom to innova... I mean, cheat!
Monty Burns put it best, "Cheating is a gift Man gives himself!"
I agree. Playing with people you know is probably much more fun too.
The only other solution I see is a -- and you've heard me say this before -- a web of trust. Integrate game-matching / chat and a PKI. Players will sign the keys (this can be abstracted in the GUI of course to make it simple) of players they trust and enjoy playing with.
Then it is up to the players, some may risk it and play with anyone, others might only play with close friends, and the majority might opt for the middle ground and play with any player within some distance of the web of trust.
You could do a lot of things with this. A client could chose to play any other client based on the number of signatures and their age (trusting it even if there is no path to it), etc.
Belief is the currency of delusion.
At the Hollywood Stock Exchange simulated stock market, there have been problems with cheaters for many years. HSX cheaters - called "manipulators" and "shills" - use information tactics and coordinated buying and selling patterns to dishonestly make HSX dollars.
Internally we have an "SEC", which consists of individuals who seek out cheating patterns in the trading data. We also get suggestions from players as to who may be cheating and how they are able to cheat. HSX Traders that are "guilty" of manipulation are fined according to set procedures.
One of the most interesting cases of cheating was when we received an AIM transcript of real-time cheating behavior. It read like someting out of "Wall Street", except with lots of net slang. We busted them and fined their accounts (after an investigation and due process, of course).
Despite the "threat" that cheating poses to the "civility" of a game community, cheaters and the interesting tactics that they use no doubt make online games more interesting. I often ponder about how to better design game play which can harness the criminal instincts of simulated market manipulators (for the betterment of the game).
As cool as this sounds, I do not think that unleashing 1980's style "media raiders" onto the trading community will ever happen at HSX. HSX trades are transformed into marketing data used by movie production studios, hence requiring us to ensure that game play is fair, and, generally, that trades reflect the real media preferences of HSX traders.
- James
They need to take cheats out of the game all together.
That works real well until you realized that many players cheat by unfairly reading information with a different application or proxy.
A good example of this is the 'aiming' proxy, which is a proxy application that sits between your FPS client and the server. The proxy parses the packets sent beteen client and server. Since the client is responsible for telling the server what actions you make and the server is responsible for telling the client what all the other players are doing, the proxy applies a little bit of math to the two pieces of information and 'corrects' your shot so that it hits another player despite where you really aimed.
Unless your game can somehow telepathically guess where the players are, there's no real way to hide this information from the client. Encryption strong enough to prevent a reasonable crack is too math intensive to run at the same time, meaning that hard encryption just isn't the answer.
There are apps out there for all the FPS servers that attempt to detect this sort of thing, but most of them work by checking ratios. If you happen to get luck and exceed the ratio of possible good shots to bad shots, you're tagged as a cheater.
If you can read the client-server data stream, you can cheat.
That's why the answer to cheaters lies not only in designing applications to prevent cheating, but allowing players to flag cheaters and bump them from the game.
In MMOG's, this means that GM's should respond quickly, intelligently, and decisively to player complaints. In smaller scale actions, players should always have a 'cheater' button that allows them to collectively police the game by booting and banning malicious players.
The next Slashdot story will be ready soon, but subscribers can beat the rush and slashdot the links early!
If you can identify cheaters from the server side, don't kick them off, just dump them into a dungeon. One where they can frag NPCs all day without affecting the other customers. That way, the cheaters keep playing, theyr're happy, and they're diverted from getting a new account and making more trouble.
Ignore them.
Yes, it's hard, that's why there are so many cheaters and trolls.
If everyone collectively stopped playing when they see a cheater or troll they would go away.
But unfortunately most players cannot tell good players from cheaters, trolls from newbies, and will keep giving the attention the cheaters/trolls want so bad.
Shoddy code is the reason OGC works? Hardly. You can NOT trust anything on the client, and yet if the client can perform all the aiming and shooting for the player, how can you tell who's doing what? That's the real problem, and reactive detection is the only practical way to deal with it at this point... ;P
That, or me standing behind you with a baseball bat at the ready while you play.
Valve left the Half-Life code more "open" for a reason. Counter-Strike is the biggest. Mods don't show up often if you try to lock down your client code too much.
And it's the one that the designers of the open source multiplayer action game Netrek figured out from day 1. You accept that the clients will be compromised, and you design your server and your network model appropriately.
It's only very recently that commercial games developers are even beginning to understand this, and they're still not getting it right. For example, Counterstrike now attempts to check that your opengl.dll is correct. Fine, but that still relies on the client being uncompromised and reporting the correct number. That's a small barrier for a crackers with a hex editor.
They really need to get it through their heads: you can't trust the client. Every packet that comes in has to be assumed to come from a borg or robot client, and dealt with accordingly. What this means in practice is:
This isn't theoretical. I wrote a 'borg client for Netrek (bypassing the pretty darn good RSA binary check that still surpasses that in many commercial games), and found that it gave me at most a marginal advantage. It hardly effected my combat ability at all, and it made only a slight improvement to my strategic ability (by recording the limited information it received and making best guesses about what was actually going on in the game state). It certainly didn't spoil play balance like many FPS hacks do, and it didn't require any server fixes, because I simply could not exploit it very far to start with.
The reason why the Netrek developers understood all this was that it was open source (so it was trivial to hack up a client), and also that servers developers were somewhat separate from the client developers. The server developers could dictate the architecture and packets and the client developers had to work with what they were given. Contrast that with the way that commercial games development tends to get done, with the same people writing both server and client, with a mandate to get it working as quickly and easily as possible.
If I was back in commercial games development, this is the first change I'd make: separate the server developers and client developers, and only let them communicate through the code - and with the server guys calling all the shots. That sounds inefficient, but if you don't make the effort early on, you'll damn well have to do it later, once the problems are out there in the field. We need to fix the attitude endemic in commercial games development that there's never time to do it right, but always time to do it twice.
If you were blocking sigs, you wouldn't have to read this.
Why hasn't anyone pointed out the obvoius?
The point of the oh-so-disputed Bnetd project was
to counter cheats and trolls.
Set up your own server - invite your friends, and
kick out whoever you don't like.
So what M$, Blizzard and the others should do is turn the situation to their advantage,
stop selling server time - sell server software.
The more trolls out there, the more people will want to run their own server.
Valve's new anti-cheat seems to be working pretty well. System (the maker of OGC) was saying that it was completely useless, but so far since VAC has been out it has stopped every version of OGC within days. At this rate the cheaters can't possibly keep up, I think that it's only a matter of time before they give up.
With regard to HLGuard and CSGuard, I have found that they are buggy. For example, when attempting to change your name on a server and using a % in order to have spaces (e.g. Counter%Strike%Player), CSGuard will automatically cause your Half Life to quit. And one of the latest revisions of VAC kicks people off with no cheats installed -- this has happened to me. But eventually these bugs will be fixed, and pretty soon admins will find that they no longer need to run HL/CSGuard to reliably catch cheaters.
Another way is if you kill more than X teammates, you get kicked, or kbanned for a period of time.
Then how will people who just bought a copy of the game yesterday and don't yet have full control of their input devices be able to play? How do we distinguish trolls from legitimate newbies?
Will I retire or break 10K?
The ZDNet article is missing the link to my original article which is what lead the news.com writer to interview me.
I can see why they left it out though, it calls a lot of the people they interviewed in addition to me names. ;)
First off, I'll start by saying that I AM a casual online gamer and have had a number of bad experiences with cheating. In fact, I ONLY play with direct connections to friends because of these problems. Quite frankly, I have been burned badly enough and often enough that I WILL NOT go online to play in a public game -- whether it is free or not. I've tried many times and have given up -- this really sucks since it seemed to have great potential. Here is why...
My first online game experinces was on Yahoo Games. It looked interesting: meet new people, have some fun. I was a newbie, and so, went to the newbie area. I a game of cards seemed like fun but was dropped out of the game (lag). When I returned to the server I was chased and verbally harassed (with swears) through 3 other card games. I've never been back... and will never go back.
Sometime later I regained my curiosity and thought I'd try Diablo online. Foolishly I took a high level character (can't remember how high, but had made it to hell difficulty) online and was killed instantly (twice! once in town!). I didn't know anything about 'hacks' then and persisted thinking this was due to server lag (or bugs). Then all of my equipment was stolen after a healing spell was cast on me. No backups, so goodbye all the effort. That was my last Diablo I game online.
The pattern seems to repeat itself with frightening regularity: Quake II: dead, dead, dead and dead again), Unreal Tournament: similar to Quake, Starcraft: rushed (after making no rushing agreements) and had defences repelled by infinite numbers of enemies and attacks that failed even with overwhelming technical and numerical superiority, AOE 2: faced impossible tech advances and armies, Diablo 2: PK'd in no-pk mode. The list goes on.
I make no claims to be an expert player in these games and would have no problem being beaten by a better player -- I find that's often the best way to improve! But, I have taken efforts to use the newbie areas to find other newbies to play with. Unfortunately, cheaters look at these areas as their playground too!
I give up. Too bad, it could have been fun.
i built and run edrugtrader.com (now moving to better colo facility so don't try to hit it, its down)
i built the game from day 1 with "how could someone use this to cheat" in mind. if MMORPG developers don't have that mindset their game WILL fail. redundant and flamebait, mod as you wish.
MARIJUANA, SHROOMS, X: ONLINE?! - E
And the anti-cheating organization? Come on. Don't these people have lives'? Its just a game. Lets not bring this to the level where we destroy the game because we take it so seriously, which sucks the fun out of it (prime example, chess). Also, many non-cheating players have no problem playing with players who use cheats.
When I played Descent 2 on Kali, I used to play against some of the people who had hacks so they could fire two EarthShaker missles at a rate as fast as Gauss cannons. It made me better, and was fun.
social sciences can never use experience to verify their statemen