Slashdot Mirror
Open Source Quake Causes Cheating?
Stargazer writes "Well, looks like people are having problems with Quake's release under the GPL. It's not a conflict with the license, but rather, mean-spirited people are now creating clients which give them an unfair advantage, to say the least. John Carmack ponders this problem in his .plan file, and offers, unfortunately, a closed-source solution. "
This is a very interesting problem I haven't seen addressed before (I'm sure it has and I've just missed it up to this point)... does "closed" source actually and truly make hacking harder?
Also, is anybody still playing Quake I?
The .plan file talks at length about cheating related to the GPL'ing of the original Quake - and then goes on to talk about a Quake 3 source release. Is this just the virtual machine code? Can cheating be accomplished with a Quake 3 release also (be it the VM code or actual source)?
This is really sad, guys. ID is one of the few companies who have really embraced open-source gaming, and what he says is going to have an effect on all gamers in the future. If he finds that there is no way around massive cheating other than to keep the source closed, then this will have a major effect on all other gaming companies, and he will follow suit. A few can ruin this for everyone. If you know someone who plays QIII under linux and uses a cheat, plead for them to stop, and have them plead for others to stop. This is one of the first attempts at OSS gaming, and it may well be the last if cheaters don't cut the crap.
Surprise surprise... We suddenly have nothing holding us back but our conscience, and a few people abuse that.
It goes back to plausible deniability, and baseline ethics... i.e. I will do it if I can get away with it. People who have no love for the pure game have always tried to find ways to destroy it. Up until the GPL of Quake, at least, it was hard enough that the practice wasn't widespread. JWitt
Anyone got a client i could use? :) mite
I'm not against opensource, in fact, I love it. I was ecstatic when I heard Quake1 was opensourced. However, this does present the challenge for everyone who wants to play the game as it used to be. This is a problem with basically any opensourced game that really, to my knowledge, has yet to be addressed. The question is, how do you know whether that guy who noone can beat is really good at the game, or hacked a version that auto-aims, auto-fires, etc? I think it's good that someone is finally addressing the problem, at least for one game.
Just my 2 cents.
My plan is to pimp before they realize I'm a jackass. Hit 'em hard and fast.
This shows a big problem with the concept of open source games. Back in the days of doom, there was dehacked, and I remember playing my friend in a modem game with my hacked exe loaded (i was using the ol superwep7 mod) so I had 10x firespeed and unlimited ammo, it was good for a laugh, and in an hour, we were both using the hack for a new twist on gameplay. But with quake1 opensource now, its barely a challenge to hack up your client to give you extra health points, more damage, etc. One could make it very subtle and go undetected, which is really a shame. Many people still play qw, its a great game (especialy a weekend game of creeper ctf =])
Looks like Carmacks gift to the Q1 community may be what finaly kills it in the end =[
i think this exposes a large hole if OSS development. not that open source develepment is bad, its just the now that quake is open source it has flaws. although the source release of quake may good for developers trying something new or leaaning opengl development. its opened a whole world of possibilities to them. it has completely destroyed quake1 culture. team fortress players, a segment of quake players that never really moved on to q2 or q3, after a bit of wanning of interest have finally got there death blow.
disadvantages:
-no clear leader [carmack is certainly not gonna continue develepment]
-no standardation of versions
-cheating
"Are you satisfied with fucking?" - Dave Matthews from "Halloween"
Honesty is one of the things needed to make the GPL work for the long term. If the only thing people can think to do once they have access to the source is to cheat, then they have no place whatsoever in the world of the GNU Public License.
ID Software does a Good Thing, and releases the source code to Quake. Then, we have this group of people that change the code to cheat in Quake, making the general public think the Open Source community generally does things like this. Now ID has to play "damage control" and fix the problem, and the community also has to repair the damage done by the cheaters.
Instead of looking for ways to cheat in the game, how about really giving the source a good look and maybe LEARN a couple of things. God knows ID programmers know what they're doing, and that code is bound to have a gem or two in there nobody thought of.
-- Give him Head? Be a Beacon?
-- Give him Head? Be a Beacon? :P)
(If you can't figure out how to E-Mail me, Don't.
I am currently making a client cide interface that will work for all 4 versions of quake. I'm using my own network code on the client and server side of the games. How do you plan to use security by obsurity to block that?
You _can't_ - face it their a *legitamate uses for client side bots. I'm very interested in keeping them alive. Proxy cheat bots are only a small percentage of client side bots - also I've never seen a client side bot that really gave an advandage to the cheater.
John I was very disaapointed when my favorite programmer brought up legal action threats to stop client side bots. John we want to learn more about AI! Your games model real world phyics, so well and have so many variants... please don't do this!
- Mongoose ( from *old planetquake quakeC bot days )
...would a closed source solution...any solution...be bad?
Just a thought...
"Nobody owns the fucking words man." - James Dean
I was actually thinking about this some time ago and I concluded that the only way to have no one be able to cheat is with a closed-source system of checking. A good system would make it possible for the server to add 'known good clients' i.e: clients that they know don't cheat.
Contrary to what some others are saying, this would not stifle open-source gaming as the only closed-source part would be the executable that checks to make sure there's no cheating. If only this were closed-source, the rest could be made open-source. I believe that this method would actually increase the proliferation of open-source games.
Chris Hagar
"The price of freedom is eternal vigilance." - Thomas Jefferson
I really don't think this is such a big deal... It's a game, for pete's sake! When people start earning salaries for their quake performance, then maybe we need to worry about this.
It's been my experience that cheating in these games really isn't much fun (unless your really stuck and about to give up on the whole game), and I don't think that others would want to play with cheaters unless they were cheating too, which would make the game fair again, I suppose.
With the source, it's pretty trivial to undo just about any protection and spoof any values the program expects to find, so why bother?
I fear that by putting in encryption and protection schemes, we'll be hindering potential development of new variations and play modes of quake and quake derivative games. If altered clients could be used to introduce a handicap factor into games, it might encourage gameplay between experienced and less experienced players.
Why not add a HANDIcAP FACTOR to the quake game, and have that be shown for each player when joining a new game? It's probably easier to deal with cheating by making it a defined feature than trying to protect against it ever happening.
Perhaps this is an opportunity to come up with an open source solution to this problem. I'm not sure what that solution is, but if there is one, I feel certain that someone in the Free Software world will find it.
The ability to make "Unlimited technical changes" is what Richard Stallman demanded for Java... Now here in another arena we see what that means. These are just technical changes so you can't deny people the option of doing them under the RMS ethos. Cheating? No no, just creating an advantage. Pity it destroys all the intangibles of the culture like "fair play". Oh, other people could "cheat" too but now we're in a fragmentory arms war. Carmack's solution of, well, nearly certifying games as fair/allowed to play is doubly ironic when mapped on the idea of a GPLing or Open Source (Debian OSD stlyee) Java.
"You know you want me baby!" - Crow T Robot
I'm wondering if anyone has started a project for QW development. I'd like to help in getting fixes and code attentions into a "major" fork. I already know of a dozen people with different trees.
We need a major linux fork, before QW becomes as forked as BSD!
----------
OpenProjects #debian - we love you
There's got to be some way to verify the Quake exe using hashes etc. Maybee not the whole program, but just a small "subprogram" that can be verified directly via the connection, then it verifies that the whole .exe is untampered (for modded games, just compare MD-5's with each other) so that you know when the other guy has tampered with things.
Now, I suppose that this is not really a whole lot better since the verification system can be bypassed, but at least it should provide for some control mechanism which can then be altered, or improved untill it works.
This is instead a problem in game design. The only realistic way to stop this is to design the game
and network protocol so that the server only allows valid events to happen.
Obviously this some glaring drawbacks, like the server suddenly needs more horsepower, and hacked/insecure servers are no use, but that's a problem anyway. Also, it's too late to redesign all of quake so the server prevents any cheating, but this should be kept in mind when designing future open source games.
Another idea to toy with (which obviously haven't thought about) is to use encryption systems to validate every event, but not being a crypto-god, I don't know how exactly this would be done. It should allow for distributed servers however to work together, as there would be much harder for a server to cheat. Obviously this would also require lots of computing power for servers and clients though.
In short, games can be designed so cheating can't happen, but (as far as I can see) this needs more computing power. A quick fix is to make the game closed source so it can't be easily hacked.
- c.f. security through obscurity and security through openess.
Can anyone get this to build on glibc2.1? How about setting up a contrib somewhere so those of use who cant, can play. (the retail release is libc5)
Lars -
Cheating is bad because it destroys the community. Community is based on ideas like fairness and when you cheat you violate that idea. Cheating is good for people who do not want to live in a community, who are not able to use their own abilities and ingenuity. In short a cheater is lazy and care not for the good of others.
... is there more info on this ? I've never heard of this "episode".
Augusto
- sigs are for wimps.
Does anyone remember Netrek? The same problem happened with that game. The solution is to cryptographically bless binaries that don't have cheats, and allow people to configure their servers to reject all "non-blessed" clients.
Good maybe everyone still playing Quake1 will finally have a reason to stop.
So, this is really yet another example, in a long an sordid history, of why building a security model that depends on the client to be honest in a client/server model is a Bad Idea[TM] (can anyone say rexd?). Closing the source would be nothing more than security through obscurity. I guess its time to open that can of worms again and kick that dead horse around. There were cheats before they opened the source, their were cheats for UnReal and I'm sure their are cheats for other games as well. Anytime you rely on the client exclusively to report valid values you shift trust into an untrusted space. The users machine is not trusted, so why does it suprise anyone that someone would cheat? Why is it suprising that its possible? Its possible whether you open or close the source. This bears repeating, trusting an untrusted system (the client) to report trusted values is not possible! Thats the problem. Not the fact that the source is open, its the fact that the client is so implicitly trusted to report valid values.
Hopefully the ID folks will realize that if they want to stop cheating. Preventing cheating in the client alone is never going to work. It will of course take some more work on their part, but its been done correctly before and I'm sure they can do it too. If they're smart they'll embrace this and work with the open source community to get it fixed.
--
Python
Python
I haven't looked into the details of the cheating. Hey, I haven't even read the code in question. However, there are protocols that allow for fair games of chance over a network. Basically, a set of encrypted values are passed from server to client. The client picks and returns on to the server. The server uses it. Using public key encryption each party can verify that the other hasn't cheated. Presumably, the server is trusted in this particular case, but a protocol like this even leaves the option of verifying all of the options against their encrypted counterparts to ensure that the server didn't use a rigged deck.
This requires a significant amount of the control to be in the server. And to some extent for a workable game it requires that the server be trusted. All I can do in this case is point at a good reference, Applied Cryptography by Bruce Schneier, and ask whether such a solution is a viable alternative to locking up part of the source again.
The net will not be what we demand, but what we make it. Build it well.
No matter how "strong" Carmack's "anti-cheat" device is, it will be circumvented. Some joker will build a workalike to this complex proxy system that "tells the server what it wants to hear."
A real solution would be to build an actual community. This word is bantered around quite a bit, so allow me to explain further.
If people were positively identified by the server, they would be accountable to others on their server for their actions. I think that the Slashdot model would work very well in this situation, in fact probably better than it does on Slashdot.
You could, of course, only allow "known" players to login. You could also allow an "unknown" player to login, but allow any "known" player to, say, kick him out and ban his IP for 20 min.
This could be implemented as simply as a username and password, and as complexly as, say, you must send your username (player name) and the date and time signed by PGP.
"Oh, yeah, I know pete-classic. Naw, he doesn't cheat. Watch out when he has the Railgun though!"
-Pete
Unfortunately, this is the price we have pay for open source- you are all right, ID does a great thing for the computer community, but much like the inherent freedom of the Internet, the prize of free speech comes with the price tag of flamers and anonymity. There must be a way for the login to detect altered source; like the new Mod-Chip proof Playstation games which, I am assuming work on the basis of an architecture encoded in the CD that MUST match the system or the process terminates; any ideas, guys?...I imagine this would only affect the game servers, b/c who gives a %$#& if someone cheats on their own?
"There are only two things men want more than money, power, and sex; praise and recognition."
This is probably not a good answer now (slow networks) but maybe a solution, when everybody has faster connection, is to basically have servers that don't trust clients ?
:) code in the server , not the client.
For example, if somebody make a modification that allows unlimitted ammo, a better place would be to move the keep_ammo_count
Another example would be a modification that allowed invalid movement (ex: going through walls, running too fast, flying). This could be countered by the server monitoring movement and enforcing the proper laws of physics in the virtual world.
Anyways, I think there might be other alternatives that keep the whole thing Open Sourced. After all, this (hacked clients) is not a new problem nor one exclusive to online gaming.
Imagine if in your websites you relied on your JavaScript code to do all the data validation and integrity checks and you had none on the server side ! It's like letting a user validate his/her credict card and your server just going "no problem"...
Like I always tell my coworkers here when we do distributed apps, never trust the client (code that is), it can always get hacked or spoofed.
- sigs are for wimps.
Simply put. If I dedicate my time, my effort, my life to making anything, a game, a SETI@home client, a utility, I'm not going to want people to pervert my hard work. That's what it comes down to, really. Why should I, as a potential product designer, want to release my code if the potential exists for misuse? Suppose that they opened up the source to SETI@home. Then you'd most probably be able to figure out the protocol, and how it sends 'alert' messages. And I guarantee you, someone will start sending fake data to SETI, and it'll totally defeat the purpose of the collaboration.
Now. If your argument is that in all of the community, there will be no bad apples who will misuse the source, that's naive, I'm sorry. No group can be completely without its bad element, and I would wager that most developers don't want to open themselves up to that element, however small. There's security in a closed-source model, and companies want security. I know I wouldn't want to risk my userbase, my name, and my job security for something like this, and I would imagine that most people who do this for a living would tend to agree.
Do I think that an open-source model is necessarily always bad? No. It has its place. Is that place in the world of commercial business? I don't believe so, no. Companies make products for money. Cheaters, exploiters, and all of that will always be there, and will always be a danger to any company. By keeping their source private, the chance of this element exploiting their work falls dramatically. It's just a fact of economics.
Well-written, thoughtful replies are, as always, welcomed. Flames are not.
--Tsu
--- Now, go away 'cuz you all up in my Kool-Aid!
is continuing - see quake.sourceforge.net - Also, quakeforge is working closely with the quakeworld people, as well as some people from Loki games, to bring Q1 up to speed.
They have a development roadmap, and the cheating issue is addressed. They have already managed to merge QW/Q1 into a single client, port it to SDL, etc, etc, etc.. It's rocking along, and quickly.
To those of you saying "THIS is the problem with OSS.." - shut up and code. It isn't a problem, just a little bump in the road till things settle out. There are several solutions to it, including ones not mentioned by Carmack.
I am fairly certain that this does not spell Doom (hehe) for OSS id software. Get lives, and get over it, in the face of what's already been accomplished, it's really not that big of a deal.
--
Blue
i browse at -1 because they're funnier than you are.
Why try to deny bots? Just give 'em there own servers...
Like john said in his .plan, there have always been ways to cheat. Transparent maps that are not detected despite server-side mapchecking, proxies that allow (albeit very poorly implemented) auto-aiming, glowskins that let people seen through shadows easily, "spikes" that are built into the player model to let people know you are coming because they go through walls, and even proxies that allow a completely hacked up map.. there are numerous other cheats and hacks that are all possible with the original quake. Many of which are undetectable. The source code release lets people to much more obvious forms of cheating such as floating in the air, or zooming through the level like a cheetah on crack. But cheating has always been around.
what is really different now? The real problem is
that a) more people have been exposed to the possibility of cheating, and b) it is far more fun to cheat.
In my 3 years of playing quake up till now, I haven't used a cheat for more than 2 minutes, and then only to test it out. I believe in keeping the game pure and skilled. But with the release of the sourcecode, coders can play with a game they love. They can add special features, optimize code, and really just mess around. Its fun. It makes cheating a game all to itself, what cool feature can YOU code in? Its not the same type of cheating that plagued competitive and non-competitive gaming in the past. This cheating isn't being used to win at all costs, but to mess around. each successive build of quake becomes 'your' build, full of your customizations and features, not just something you download to get an edge.
The important question, is where will things go from here? In all reality, the ability to cheat has not suddenly appeared, it has always been here. The knowledge required to cheat has become mainstream, and has "come out of the closet" as it were. Will this rash of cheating continue, or is it merely a phase? Will it kill competitive match-play, or will the same people that cheated in competitions still do so, and everyone else will play by the rules.. Only time will tell
Jacob Lehrbaum jacob@linuxdevices.com
I dunno if you could do this with the current "client" versions of quake out there, but what the server could do (for future), is this:
When a client connects, do a checksum of the connecting binary of quake (1/2/3/whatever) and compare that with a database of "known good" binaries. I don't see that there can be *that many* different checksums to support...
If it doesn't match, don't allow the client to connect, until the version of the client they are using to connect with can be verified. It's up to the serveradmin as to what binaries he will allow.
This would still keep the source available, but any modified binaries could be excluded from online competition unless they have been verified as "legal" (ie they dont cheat).
smash
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
You obviously haven't thought hard about this. How can the server identify "know good" clients, considering that all of the information it gets comes from the client. Whatever the "known good" clients do to prove that they are "known good", I have my cheat client do the same thing.
You haven't even described the exact mechanism of this executable, but what I think you mean is fundamentally impossible.
It doesn't matter how sophisticated the anti-cheat technology is; as long as the client software runs on an untrustworthy client's system, there is a possibility of somehow subverting it in ways that make it possible to cheat. The problem of running trusted software on untrusted systems is an active area of theoretical research, and it shouldn't surprise anyone that it's not a problem that looks like it's generally solvable.
This is just like why software copy protection was a poor idea. It didn't matter how sophisticated the copy protection software got; the crackers simply got more sophisticated, too. And meanwhile, the innocent people get caught in the crossfire and really pay for it.
So what to do? How about exactly what's been done with cheaters before? If a player appears to be cheating, make a movie and make a judgement call. If there's good reason to suspect cheating, don't let that player play on your server. Social policing and a community understanding that cheating will not be tolerated seems to me to be a far more practical solution than an arms race.
Strictly speaking, under the GPL, wouldn't the cheaters have to make their code changes publicly available? When we all can "cheat" equally, we are again on a level playing field.
--removes rose-colored glasses--
Of course, any attempt to make the case that this is a drawback inherent in open source software would be just plain wrong. A cheat, in terms of Quake, translates to a technical advantage with other software. While a Quaker might be looking to squeeze off more rockets per second, a software vendor might be looking for faster database access, or better device drivers. The game environment insists that players observe essentially artificial limits, for the sake of sportsmanship. The real world environment has no such limits.
Closed source doesn't make any code less hackable. All it does is make a protocol not designed against a malicous client effective against those not willing to go through any effort in hacking.
The real solution for this is to make the protocol in a way so the client can only make requests to the server. Any time the client describes itself to the server, those things that can be described can not be trusted. In this case a safer protocol is to have the client request motion. The server will then provide updated info back to the client. If you want the client to track objects, then you can cryptologically sign them, so theywould be unique to the game session and non repeatable. The crypto could use very small keys to keep the performance managable, and the game exportable. 32 bits would probably be enough.
If opening the source of the client made multiplayer cheating possible, then it was possible before the source was open, just harder to implement. The obvious solution isn't really a fix for Quake, but care in the design of multiplayer games.
In any multiplayer game, you have a server and at least two clients. Anything critical and cheatable should be on the server, anything computation intensive should be on the client. For example, the client determines the keyboard/mouse/joystick/whatever state, and sends it to the server. The server resolves the action, and sends a schematic of the situation to the client (health, ammo, layout of area, etc.). The client then handles the 3d rendering, sound mixing, and so forth. No amount of cheating on the client end (short of out of game attacks on the other's computers or networks) would affect any other players. Cheating could be done on the server end, but there will always be cheat-free servers available.
----
----
Open mind, insert foot.
http://www.sourceforge.net/project/?form_grp=882
This is a Bad Thing (tm) - because who's going to check and verify them ?
The binaries would have to fulfill a couple of conditions:
- They are known not to cheat
- They have a valid checksum
- They have been entered into the closed source checking system.
As far as i know, only point 2 is manageable, and not bad for things.How do you know a binary is not cheating ? - somebody would have to do a _really_ thorough source analysis (i.e. diffs), and analyzing diffs is not a fun thing to do.
Then there needs to be a trusting party, that allows trustworthy people to enter the trusted checksum into the closed source checking system, wich will be a slow, annoying process that will return on each new binary release. (public key encryption/gpg and stuff might make a difference, but it's _still_ annoying to have to have your source checked (and compiled!) by a trusted party before you can use it on the game servers...)
If anyone has a better idea - i can always miss something...
I think that playing games using cheats is just not fun anymore. I also think that cheating players can be easily identified and booted out by the server administrator; unnoted cheats don't make that much difference, and are not always a Bad Thing.
Using opensource game systems will (as far as i know) always allow cheating, unless there is a _server_ solution that identifies that somebody's cheating - and we will probably not have that until everybody runs around with huge origin2000-ish computers, and the server is 1000fold that.
Just my $.02..
Emphyrio
Ever heard of netrek? http://www.netrek.org might help you if you haven't, or if you've heard the name, but know nothing about it (as I did yesterday).
Here's an open source game, with binary client distribution. Cheating problems get minimized, because they use the awesome power of mathematics to authenticate the clients (the FAQ calls it RSA, so I bet it's based on some public key cryptography).
GPL Quake could do the same thing.
Don't blame open source for the problem; look to open source for the solution!
Correct me if I'm wrong, but didn't this happen with Ultima Online 8? I believe I heard that they had open-sourced it to try and get improvements made to it, and people used the source to find all the secrets and such.... like letting players on a MUD see the code to all the monsters.
Anyway, does anyone have any suggestions other than the depressing don't-open-source-stuff-no-more one?
Devilled Eggs - A disturbing little creation of mine.
nope. closed source is just security by obscurity..it increases the time it takes to crack it.
Here's a simple solution (works with open or closed source):
[a] Take client A, a legitimate Quake client with no cheating. Compute a RIPEMD-160 signature for the client.
[b] Take client B, a hacked client.
[c] When A & B connect to legitimate server C, C passes a predetermined, randomly varying string to both clients which they load into memory. A snapshot is then taken which both clients have to pass back in the form of the computed RIPEMD-160 signature of their entire memory space (should take 1-2 seconds max) - and passing a 160 bit signature is negligible in terms of overhead.
[d] Server C knows what string it passed both clients and also know the signature of a legitimate client + random string. In this case, A will pass while B will fail.
[e] Server C denies B and allows A.
Since the string is set on the server and is varying randomly, it is very difficult for B to calculate the string dynamically at runtime in the length of time allotted. RIPEMD is open source , no patents and is stronger than MD5.
Amen.
I discussed this with John Carmack back in May, the real problem is that it is absolutely impossible to make a completely cheatproof system. This is because it will always be possible for a cheater program to load the original program along side itself, and then use this to reply to things like requests for a MD5 checksum of a random area of the executable. Closed source helps only in making it harder to reverse engineer the protocols used, it is no real solution. Terje
"almost all programming can be viewed as an exercise in caching"
Naturally because we all know that closed central command based systems are more efficient and less corrupt than open democratic ones. Without the high preists of the software industry to protect the average consumer what will stop the complete destruction of personal sovereignty and individualism. MS uber alles!
They should build a small scripting language into the code, and upon connecting to a server, a specialized authentication program could be downloaded off of the server. Ideally this would be a different authentication program, or a set of programs that are rotated. This program then would generate some sort of PGP-type signature of vital files, and return it to the server. The server would then look at the signature and see if it matches the signatures in its database, thus determining whether the client was a valid one or not. The scripting language would be limited on commands, to prevent any sort of abuse. Since the script sent by the server could be pseudo-randomly rotated, the client would never know exactly which response to send, if it were a hacked client with cheats.
I have spent much of the last year developing systems/protocols for hostile client to trusted server connections. There are ways to do this, but it requires that the base protocol be designed with it in mind. I don't know the quake protocol, but I will try to describe a possible method.
The client connects to the server with a request for a unique ID. What comes back is a two part ID, one public, one private. The client then makes universe change requests (movement of client in the universe, firing, etc...) with the pub ID, request, and a hash of the above with the priv ID. The server then can verify it's the same person that requested the ID (PKI can be used to send the intial ID back if snooping is a problem). The server sends back universe updates along with the verification. If you want these can be signed with the priv ID.
If you want to do object tracking then the objects could have seperate signatures so they are unique and verifiable. Ammo could also be tracked with a sub object or something like that.
Basically any rule that you don't want broken need to handled on the server in this model.
Encryption could be cut down to a low level to prevent computaional slowness and export problems. Even a mild algorithm would be acceptable so long as the key secure until the end of the game against a single PC.
If you want to do peer to peer, or move more handling back to the client, then one would have to look into one of the many blind poker algorithms, but it to should be doable.
Don't take my reply as meaning that I think your scheme was even reasonable in the first place - how could the server possible know what the ENTIRE memory space of the client should look like? That would include configuration options, models, player name, etc.
-sam
All this time I thought I just really sucked at Quake and I find out they were cheating.
$selfesteem++;
--
Joshua C. Stein
Superblock Information Systems
I haven't play networked games in a while and never more than a few people in the same real world room, so please flame me (on email, find it) if anything I suggest is too ignorant or stupid.
.plan mentioned trusted servers et al. I immediately thought of trusted peers.
Could a peer-to-peer, instead of server-client, system be useful to stop cheating? I have no idea, but since the
Maybe a new gaming paradigm should be introduced. 'To the best coder go the spoils,' anyone? 5 words: Dual Alpha Beowulf Bot Army.
Is anyone working on a VR client that could turn the gaming environment into a sort of 'holodeck'? With the appropriate hardware and code, we could make our Quake-selves look like us (or otherwise) and mimic our realworld movements. Add to this the peer-to-peer setup and then I'll show you a real home page! (No tactile-feedback fighting, please.)
Didn't everyone else think they would have caught on the manipulating 'The Matrix' while in it?
That's right. We all know that closed source projects like Diablo, Ultima Online, and IIS 4.0 are secure and uncrackable. Thank goodness for software like Windows 98 and Windows 95 which are immune to BackOrifice due to the superior protection of Security through Obscurity.
Can you *imagine* if someone like Alan Cox or Theo De Raadt had access to the source code? I mean, he might spend upwards of two hours fixing the security holes. That is plainly unacceptable.
It is a very good thing that reverse engineering and hex editing and asm disassembly are impossible and illegal, not to mention packet sniffing! Otherwise, our panacea of Ivory Tower software development might show some cracks.
Now if we can just rid the world of Computer Science classes and books, we can all hold hands and dance around. Huzzah!
--
how to invest, a novice's guide
As a non-quake player, I can't say for sure what exactly a client reports to a server. ...If the server doesn't want cheaters, and it detects one, it can boot them off with a message of "Player 1 was cheating, and has been removed from the game"
Exactly how hard would would it be for the server to be a little more intelligent? If a cheating person is shooting someone with a machine gun doing 50 points of damage per shot, I *think* it wouldn't be hard for the server to notice that the gun is doing too much damage. Maybe have the server know what damage each gun does, how much health a person should have, and how quickly a certain gun fires/recharges. In my thinking, I wouldn't assume that would be hard to do, but I'm always ready for corrections.
If this was actually possible, perhaps a flag could be added to the server. Something like AllowPlayerCheat=On/Off
To me, that's a pretty simple solution, but I also assume it would seriously bump up the required bandwidth, and also bump lag up. Again, I'm not sure what info is already passed to the server, but I'm assuming it will pass something about hit/miss fires from a gun, or how much health a user has left to drain.
In a scenerio like this, I assume you would just now have to rely on servers set to not allow cheat, or if they do, let people know. Anyone think of a way around that? I'm up for opinions, as this is pretty interesting.
On a side note, I don't think this actually damagages OSS, but proves at how quickly people can find paths that could damage your hard-worked program, amongst other pos. bugs...
There really is no way at all to prevent hacked clients as long as the server trusts the clients. The only way for the server not to trust the clients would be to offload everything to the server except inputs, which makes the client effectively just a remote viewer. Of course this is obviously impossible because it would render the game absolutely unplayable. Everything is "cheatable" basically, except the inputs. Making a closed source proxy won't work either, since the proxy can just be hacked. It is a stop-gap measure, but I think it won't really work. If the closed source proxy relies simply on a digest, it is trivial for any cracker, not to mention most pedestrian programmers, to hack the proxy to return one of a list of known valid digests, or simply use mechanisms of the os to fool the proxy (point it to a valid copy, but make it run the hacked one). There really isn't any way to stop it at all, except to just rely on the honesty of the Quake gaming community, and give a big fat walloping kick and ban to assholes found cheating.
Jazilla.org - the Java Mozilla
It's 10 PM. Do you know if you're un-American?
Unless the cheater is distributing his modified client to others, the GPL does not require him to release the source code to anyone. The distribute-the-source requirement isn't tied to the act of source modification -- it's tied to the act of distribution.
"If one is really a superior person, the fact is likely to leak out without too much assistance" -- John Andrew Holmes
One potential solution is to have all keyboard/joystick/etc. input be sent to all the other clients before any of it is handled. (This is like the client/server solution mentioned earlier, but treats everyone as servers.) As long as all the user input is applied synchronously at each client, and each client has the same set of deterministic rules, the game will proceed consistently. If anyone cheats (in any way that causes a change in the actions/properties of the objects in the game) then the game will lose consistency. To check this, simply have each client checksum their data every once in a while. If someone has a bad checksum, throw them out of the game (by a vote of the clients). If someone fakes a checksum, then they can continue playing, but they won't be seeing the same game everyone else is. One advantage of this method is that it does allow modification of the game source, as long as everyone uses the same set of modifications.
There is one game that attempts to use this mechanism (here), but it is incomplete (mostly graphics issues currently). I'm not sure that this approach is viable in practice, but I think it works in well in theory.
Strictly speaking, under the GPL, wouldn't the cheaters have to make their code changes publicly available?
what makes you think that someone who hacks up their client to give them an advantage is going to want other people to have that same advantage? exactly how do you think this is going to be enforced?
When we all can "cheat" equally, we are again on a level playing field.
what about those of us who WANT to play the game in its original form? i dont want to have to modify gameplay just to compete fairly with some fscker who doesnt want to play fair.
--Siva
Keyboard not found.
Keyboard not found.
Press F1 to continue.
hehe...if it can be exploited, u can be sure it will be.
It's not cheating if everybody can do it? It's just another way of showing that brains, not brawn wins the battle. Somehow us old (20+) software engineers have to even the score against those 13 year olds with unbelievable reflexes and non-carpul wrists. Some of us didn't go to college for nothing you know.
The solution to this is ludicrously simple: move inventory and damage control to the server. When a client goes over an item, make it so that it can't automatically add that to inventory, but instead the server becomes aware, and informs the client it has more inventory at its disposal. It keeps track of rounds fired, etc. Instead of having the client monitor damage, similarly, the server would inform the client when it was hit. To cut down on bandwith traffic, the server and client could both keep track, and when the client requested items it didn't have, fired a weapon where it had no more rounds, or tried to keep going after it died, the server would not allow it. The client could show others being shot at all it wanted with whatever weapon the person wanted; it just wouldn't have any effect in the arena, because the server would know that it didn't make sense, and not show the cheat. This wouldn't be too difficult to implement, I would think, though it would increase the server's hardware requirements. However, it does have the advantage of being an effective open-source solution.
No, no, no.
;-)
Most, *not all*, but most client side hacks work because the server is trusting the client to provide data that provides state data regarding a separate client not under the same security/permissions context.
For example--I shoot a rocket launcher at you, and the server lets me decide whether or not the rocket hits. It doesn't matter whether the system is open or closed source--this is a flaw. Give a dedicated opponent a day with TCPDump and rockets will be teleporting all over the place.
Any server, whether it is a game server, an IP Telephony Gateway, or a simple web proxy, must be designed to exclude all contexts but those that originate from the client from what content will be accepted from that client.
This is not an impossible endeavor. Starcraft, for instance, has binary modification software that changes unit commands. Even in a peer to peer two player game, the modifications work perfectly until they ask a unit to execute a command that unit cannot do. Then, the other client detects the cheat and the game is immediately cancelled.
The immediate response, of course, is that this peer to peer arrangement prevents information hiding. If your client is always verifying that other clients aren't cheating, then you can always watch the incoming datastream to know what's going on. Therein lies the reason why peer to peer isn't a particularly good topology for competitive gaming--there's no server to restrict the visible dataflow to that which the given client should see.
Interestingly enough, the most inevitable (and least fixable) hack involves changing not the game but the video card drivers. Metabyte, the dementedly gifted hackers that gave gamers the first multi-API stereovision solution(and the single-pixel-resolution-adjustment power for Voodoo 2's), had a single revision of their drivers out for one day that artificially forced transparency on all surfaces. They called it X-Ray--needless to say, it made shooting around corners quite a bit easier. It also got shouted of existence rather quickly
Reminiscent of Crypto, ain't it? Where's your trustable end point?
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
What is needed here seems to be the right authentication protocols. Security is not just encoded communications, without the right protocol, the best cryptographic algorithm is useless.
Recommended bibliography:
1) Bruce Schneier "Applied Cryptography"
2) Menezes, van Oorschot, Vanstone "Handbook of Applied Cryptography"
3) Michael Rosing "Implementing Elliptic Curve Cryptography"
just for fun:
a) Neal Stephenson's "Cryptonomicon"
b) Electronic Frontier Foundation "Cracking DES"
Of course, this is a made-in-USA game, and due to the NSA mandated secrecy around anything related to cryptography in the USA, that country seems to be lagging behind in this respect. Perhaps they should try to hire some consultants in Israel or Russia to teach them the tricks that were originally developed in the USA...
If you wanted to get fancy, you could create a mechanism so that when a client logs in, it recieves a set of variables as the "ruleset" for what everything does. (IE how much damage a specific type of ammo does, how fast bullets move etc.) In that ruleset, if something isn't defined, it just uses the default, taking up less bandwidth.
In my scheme class, we actually just wrote a basic AI game player to play a game that's kind of a cross between 21, and cross-four. It was implemented very similar to above, but on a much simpler scale. I think it would work for something like quake, but I'm still not sure what the overhead on the server would be to check everything that the player is trying to do. It also wouldn't eliminate the problems of nightvision type stuff. Maybe we could implement a system were in the shadows, the server reports a 50% chance of "seeing" a client being there, and it's the job of the client to render that in whatever way it can do best. So if someone always draws a player being there with a 50% chance of him not being there, and that player fires, he tells other people were he is, and they know where to shoot.
Here is the idea in more detail:
You have the source code available so that people can play with it, improve it, check it for bugs etc. But the problem is that people program their own version of the client that cheats. To prevent cheating, people who run a server can choose to only allow clients whose binaries have been digitally signed to connect. This means you'd have a group of people setup to review the source code of the client and if it contains no cheat they would compile the code, digitally sign the binary and people using the "blessed" (digitally signed) binary wouldn't be rejected by servers.
Of course you could still run a server that doens't care if clients are blessed or not. In fact in the netrek days that was kind of fun sometimes.
This gives you the best of both worlds, open-source software that is free to evolve, and community based servers that have a system to prevent cheating.
As others have illustrated, it's not the open-source model but rather this particular client-server model that's at fault. Let's see what we can salvage out of the existing model:
Ideally, the server would check all of the client's requests to see whether they comply with the laws of physics, but that is unfortunately unworkable with today's hardware and bandwidth. It is possible to go half-way on this one, though.
If the server simply audits the client's behavior, that is, verifies the client's requests at random intervals, fair play can be insured. Remember: all it takes is one bad request for the client to be banned as a cheater. If the auditing is done at random intervals, then the client can't adapt by spacing its valid requests with the correct interval.
All that's left is for someone to code a server to do this, and then for people to play on only trusted servers. The need for trust can't be eliminated, but it can be lodged solely in the server, where it belongs.
"If one is really a superior person, the fact is likely to leak out without too much assistance" -- John Andrew Holmes
IMHO Quake I is still the number one realtime multiplaying game.k itchen-sink effect to play it.
Okay, the pure deathmatch is quite stupid, but still it beats Q2, Q3A, Unreal and all the others. Quake I may not be as pretty as the games listed above, but Q1 feel and atmosphere is something that any other game haven't been able to achieve.
And because it's pretty old game, you don't need the latest 3D accelerator that supports transparent-bumbing-flare-with-5th-reality-and-a-
Overall game-play is just something that they don't do anymore, which is a shame. For example no delays when changing weapons - not very realistic but fun, easy and efficient.
And not to mention those great mods like CTF and TeamFortress.
Playing Q2 and Half-Life ports of these mods just don't rise the same feeling as the original ones do.
For example when I first tried TeamFortress Classics for Half-Life, I thought it just was a bad joke by people with sick sense of humour. Playing TFC just felt horrible when compared to the original TF. The great balance between classes was ruined and smaller versions of great TF maps with ugly textures almost made me puke. Never again, thanks.
Apparently quite a many other people thinks this way, too. At least here in Finland playing Q1/QW is still quite popular. To check out the state of Q1/QW scene, just join some major Finnish QW server like Sonera's small.qw.edome.net for deathmatch or tfa.qw.edome.net for TF or some other server.
From 10AM to 10PM GMT+00 you even may encounter some troubles when joining a game on the most popular servers since at that time they often are full. Around 03AM GMT+00 they all are empty, though.
Quake was the first well-working action game with multiplaying using IPv4.
Quake will be the last well-working action game with multiplaying using IPv4.
Since whe have the source, we can add IPv6 support.
You can be an Internet2 user and still you can play Quake I.
Quake One will never die.
This is proven not to work, look a software license managers -- When someone reverse engineers it, and they will, then what?
I don't think the 'mental poker' model adapts well to this situation, because the server and client do not have a 50-50 role here. It's a lot easier to have a server cheat than a client. Someone who has a cheating client will get kicked from the server and they lose the multiplayer experience, but the only choice a client that has detected a rogue server has, is to exit the game.
People can still created unblessed binaries, and people can still run servers that allow any client, blessed or not, to connect. This method just lets the people that are organizing games have a way to ensure cheating won't take place if they want to.
IM JUST CONFUSED AS TO WHY THE PEEPS AT SLASHDOT HAVEN'T MODDED IT YET :-)
1) to study coding, learn how it was done
2) to debug
3) to adapt it to other computers and operating systems
4) to create new user interfaces (e.g. to adapt it for impaired persons, or cripples, if you don't like PC talk))
5) to create new games based on it. For instance, GayQuake, where you throw flowers at your adversaries and suck the dogs' dicks. Or PCquake, where you throw sermons.
No matter what you propose as a possible way to stop the cheating, it won't stop. The availability of the source code (as I have stated above along w/others) hasn't caused the cheating. It was available long before the source was introduced. No matter what the game, no matter how well it was designed to not allow cheating, some asshole will always find a way to cheat. Look at swimming (the sport I am involved in, and the one that has seen the most recent drug problems -- the 84, 88, 92, and 96 Olympics). They have taken drugs that are undetectable, taken other drugs to mask the ones that they took, injected other people's urine, etc... There will forever be ways around pre-existing measures.
.02
I have played against "bots" for years now. I change my alias to BotOwner and even if I don't win, killing the little fuck is more annoying to him (especially when you laugh about it) than he is to me. Just shows that I have more skill than he does if his computer aided shit still can't frag me.
Just get over it. You can spot a cheater the second he joins and everyone just laughs at him. Play until he leaves, he is just trying to annoy you. Just let him cheat, he will get bored of letting the computer play for himself...
Just my worthless
this all sounds fine and dandy....but the cheater problem still exists...the second ID released quake Open-sourced, was the end of quake online as we know it...the only way to stop it is to have a new client..with standards...which defeats the purpose of open-sourceing it in the first place.
so everyone will be cheating! this will destroy the quake 1 culture but if those little brats want to do that, then let them. they now have that right. we then just laugh at them and point at all the losers that cheat. there is no honor in cheating.
the lessons of cuase and effect must be learned by people. if you screw up the game, then the game becomes meaningless. then POOF, you devalued the game and yourself.
once this happens, they'll only be a small group of trusted players, they will do what's needed to check and validate real players.
i don't see this being a big problem. life isn't fair and people will abuse you. you won't stop them, you'll just have to work around them.
"you get hit and your head goes ping" --rocky horror picture show
Why should I, as a potential product designer, want to release my code if the potential exists for misuse?
:-)
You are going to release your code one way or the other, regardless. If you release the source code under a generous, open source license, then everybody will benefit. If you release just the binary, with a restrictive license, then only those willing to ignore your license, break the law, and reverse engineer your program will benefit. (And if you don't release anything, nobody benefits.)
Security through obscurity never works. If your argument is that not releasing the source code is a serious roadblock to the crackers in the world, that is naive, I'm sorry.
dragonhawk@iname.microsoft.com
I do not like Microsoft. Remove them from my email address.
Frankly, I don't see this as a problem of Open/Closed source. Cheats for various games have been around since games have been. I see an interesting fork here: (1) Client registration that is cryptologically secure for "fair" clients. and (2) a "no holds barred" clients section that would allow hackers to build superbots and have them duke it out in the arena against their own type. Cyberwar of man and machine at its finest perhaps?
.02; was really a $1 but after taxes...
my
Re: Does Anyone Play Quake I
Actually, since Quake was GPLed, I just downloaded & installed shareware Quake (to get a map of the level), and am about to browse the source code of it. I'm sure a lot of other people are doing the same.
Since Quake is open-source, how about
having each client download a signed
precompiled client each time they want to
play. The overall source would be open,
but players would deal with encrypted
black box only.
Ok, this might be a stupid question...why does the authentication program have to be closed-source? Wouldn't it be possible to keep all the code for authentication on the server side, and merely create a protocol which any client must implement? It seems to me that since we've gone open-source, any solution that's closed-source ultimately won't be feasible...we have to create code that's open source AND unhackable...perhaps it's impossible, but it's the ultimate goal. Of course, nothing can be totally unhackable... But what if an 'authentication client' was created...a client that connects and watches the logs and other players to make sure that everything tallies up as it should. It'd be separate code from the server, and could be applied when security is needed... Ultimately, however, it's up to the people who play and run servers. Server ops should watch their servers and kick+ban cheaters. And, ultimately...cheating has no point. It's not that fun to win if you do it every time. Cheating isn't a big issue if you play games with people you know and trust no to cheat. And for any kind of serious competition, people's clients can be examined...anyway, I've rambled on enough. I just hope someone will maintain the quake code and create some enhanced clients+servers that deal with this.
The nettrek clients were available as source or 'blessed' binaries that contained a RSA checksum which the server verified. Then the server can confirm the client is one downloaded from ID as binary than a hacked cheat client compiled from source.
Not much harder... But hopefully all the good compilers strip out things like comments prior to actually compiling the code. Yes, you can decompile or disassemble binaries, but those are only 50% useful compared to fully commented code... So, it does make things a slight bit more difficult than otherwise...
My opinion, at least.
I knew it! This is all part of Carmack's evil master plan. He wants people to buy Quake3, so how do you wean players away from Quake1? Release the source code and let the Q1 community be destroyed by cheaters and unscrupulous hackers. Then when they get sick of being toyed around with by hacked servers, they'll come crawling to Quake3. I figured out John Carmack! He's up to something sneaky, that John! Boycott Quake3!
Ut oh.. another anti-security through obscurity ranter. It is absolutely correct in saying that having closed source does not make it secure. But the original question, does it make hacking harder? Yes. Without a doubt! Obscurity is a tool used to discourage less motivated opponents. Now what are the disadvantages of the lack of public viewing? Obvious or not so obvious holes is certainly the big one. This is what we should be looking at. Once a motivated opponent gets passed the obscurity, they have complete knowledge of the system and are able to exploit it in any way possible. Ways that John didn't even imagine.
How will the Quake client work and are we to assume that it won't have a bunch of holes that will certainly be exposed? Shouldn't we have a more elegant open source solution that is much more secure? This certainly is a very difficult problem and must be very seriously thought about.
What the problem is, is the amount of trust given to the clients. Now, with some revamping of the system, all the cheats dealing with the communication between the server and the client could be cleared up (however, the clientside mods would be a little harder).
Using a combination of a "blessed" client model, guest access and random accuracy checking by the server, we might just have a workable system, where there is very little oppurtunity to cheat, while leaving everything open source.
Go through the posts and see what these various solutions are.
Jeff
You're abosultely correct that "game security" should be enforced by the server, and the server API should disallow any request from the client that would violate the rules.
But there's a huge practical problem in implementing that. When rule processing is done on the server, the client must wait for the server to process each rule. Even if you have a lightning fast network connection, eventually relativity limits the speed at which that sort of communication can travel. (Congrats, Al!)
For example: Let's say player A has some sort of invisibility power turned on. (I know very little about Quake, so I'm speaking generically.) Ideally, the server will not report player A's position to any other client, since the other players aren't supposed to know. But what happens when player A steps right in front of player B, turns off his invisibility, and starts shooting? Player B's client now needs to download all of player A's properties from the server. (Maybe even custom textures, sounds, or other bandwidth-intensive data.) And the client needs to do this fast enough to seem instantaneous to player B.
That's generally not possible, and that's why network games often need to place some trust in their clients.
MSK
And the proposed security-by-obscurity strategies.
This would also be an excellent opportunity to head off another rash of dumb patents. If Bruce -- being practiced in the relevant arts -- would comment on what is obvious to him, both re the immediate problem, and re CPU/architectural HW support to bullet proof this general kind of thing.
First, the Quake architecture of (reletively) dumb clients conencted to an authoritative server prevents the egregious cheating possible in some games ("I say you are dead now!", "I say I have infinite ammo!").
For the most part, a cheating client can't make their character do anything that couldn't happen as a result of normal game interaction.
The cheating clients/proxies focus on two main areas -- giving the player more information than they should have, and performing actions more skillfully.
The "more information" part can take a number of forms. A reletively harmless one is adding timers for items and powerups. Good players will track a lot of that in their heads, but a simple program can "remind" players of it.
Media cheating provides more information. Changing all the other player skins to bright white and removing all the shadows from a level give players an advantage not within the spirit of the game. Some would say cranking your screen brightness and gamma way up is one step on that path.
More advanced clients can make available information that is not normally visible at all. The server sends over all of the entities in the potentially visible set, because the client can move around a fair amount between updates. This means that the client is often aware of the locations of players that are around corners. A proxy can display this information in a "scanner window". The server could be changed to only send over clients actually visible, but that would result in lots of players blinking in and out as you move around or turn rapidly.
The worst cheats are the aim bots. In addition to providing more information, they override the player's commands to aim and fire with very high accuracy. The player usually "drives" around the level, and the program aims and shoots for them. This is usually extremely devestating and does ruin the game for most people.
There are many possible countermeasures.
There are server-side countermeasures that look for sequences of moves that are likely to be bot-generated and not human-generated, but that is an arms race that will end with skilled human players eventually getting identified as subtle bots.
Media cheats can be protected by various checksums, as we do in Q3 with the sv_pure option. This is only effective if the network protocol is not compromised, because otherwise a proxy can tell the client that it's hacked media are actually ok.
If the network protocol is not known, then the extra-information cheats generally can't happen unless you can hack the client source.
Q3 performs various bits of encryption on the network protocol, but that is only relying on security through obscurity, and a sufficiently patient person with a disassembler can eventually backtrack what is happening. If only they would find something more usefull to spend their time on...
With an open source client, the network communication protocol is right there in the open, so any encryption would be futile.
Any attempt at having the client verify itself isn't going to work out, because a cheating client can just always tell you what you want to hear. People have mentioned nettreck several times, but I don't see how a completelty open source program can keep someone from just reporting what it is supposed to for a while (perhapse using a "real" copy to generate whatever digests are asked for), then switching to new methods. Anyone care to elaborate?
I think a reasonable plan is to modify QW so that to play in "competition mode", it would have to be launched by a separate closed-source program that does all sorts of encryption and verification of the environment. If it just verifies the client, it would prevent the trivial modified client scanners and aim bots. It could verify the media data to prevent media information cheating. To prevent proxy information cheating and aim bots, it would have to encrypt the entire data stream, not just the connection process. That might have negative consequences on latency unless the encrypter is somehow able to be in the same address space as the verified client or scheduling can be tweaked enough to force task switches right after sends.
In the end, it is just a matter of making it more difficult for the cheaters. If all it takes is editing and recompiling a file, lots of people will cheat. This is indeed a disadvantage of open source games. If they have to grovel over huge network dumps and disassemblies to hack a protocol, a smaller number of cheats will be available.
Even if the programs were completely guaranteed secure (I havem't been convinced that is possible even in theory), an aim bot could be implemented at the device driver level.
It would be a lot more work, but a program could be implemented that intercepts the video driver, the mouse driver, and the keyboard driver, and does bot calculations completely from that.
Kind of sucks, doesn't it?
John Carmack
free systome is imposable. That is with respect to
avalable computing resources. even if you off load
all of the accounting to the server there is still the posibality to hack you GL driver so that it dosent render walles so that you can see who is on the othere side. this hack is even out side the game so you can't fix it with a closed game. the only way to fix this would to have the server to the rendering which is not feasable with todays resourses.
What I think you could do in stead is require users to get a CERT in a way that would make it hardish to get one with a false identity. you could then not wory about trusting the clyent you just have to trust the user if there is suspected cheeting then it can be investagetated and with the positive result being revocation of the CERT. This is of corse just moving the problime else where but I think that there are easer solutions in this relm. No I don't think the useing CERTs will solve the problime compleatly but I do think it will offer more effective sloution then through the use of just software.
And I understand the argument that "anyone who really wants to can hack closed source in a little more time" but I file it under the philosophy the nobody wants my bike. In brief this is the idea that, no, a kryptonite lock won't stop someone who really wants my bike, but it will cause someone who just wants "a" bike to look for an easier target, and add an extra component of time and therefore risk to disuade the casual thief. In the same way, it is unlikely that a casual cracker will suddenly turn into a devoted and more methodical cracker (or thief, mugger, corrupt politician, etc.) when faced with one more secure item.
This theory also applies to evolution, but thats another story.
...will work for Chick tracts...
This is simply more proof that some things are mean't to be kept secret. Lets say the source was never released...first off, boom, no more major cheating problem but then of course boohoohoo, you aspiring script kiddies can't learn how ID made quake. SO WHAT? It is my belief that not having access to the source will simply get kiddies off their lazy asses and figure code out for themselves instead of wasting countless hours attempting to make sense of other peoples work. In short, in 99 % of cases, OSS is totally inappropriate and in fact ruins other innocent consumers software (cheaters/crackers make sure of this).
Go with that application launcher that Carmack wants, that verifies then loads? Well, I give you this: Launcher loads 'virgin' copy of cody Checks it Executes it First DLL call it makes is boobytrapped (check LD_PRELOAD under Linux, similar mechanisms exist under Windows) Modified version is now executing, with all the nifty hacks you have in there
I suspect that the only reason there aren't many cheats for Nettrek is that there is no real incentive -- the mystique of the game is such that the people who play generally don't check. I'd make a bet that given some reasonable incentive (lets say a sum of cash dollars with some guarantee of a payout? ) that NetTrek would be hacked through like butter.
Again with the proxy, ANYTHING YOU RUN ON MY MACHINE WILL BE SURVERTED. If a game programmer wants to keep me from mucking with his pretty little protocol, then he'd damn well better have EVERYTHING useful checked and double checked on the server. Allow me to send a skin? I'll make sure it's nearly invisible.. Allow me to pick a shape? See that one pixel on your screen -- it just capped you.
And that designer had better be SURE that he isn't sending me any information that my client has that I don't? Sending me information that there is another player in the room? I'll flag him and auto-aim at him! Do I have the whole map? I'll make a map window which gives me locations of everything useful if I'm so inclined..
If you want fair network games, then the SERVER has to do the validation of commands and filtering of information.
THERE IS NO OTHER WAY.
MS more uber everything? I guess babelfish doesn't speak nazi german.
(This is not a troll)
Unfortunately, reading the comments, it is painfully clear that most of the posters are not truly familar with the history of cheating in Quake. The problem lies not with the client sending bad information to the server but the client doing things that don't involve the server at all.
I.E., here is what most people seem to think is happening:
client: I have 200 health
server: Okay! Whatever you say!
client: I just got quad
server: Super!
client: I just killed everyone
server: Alright! +7 frags
This isn't close to the truth. Here are how people have really cheated in Quakeworld -
1) Hacked models (aka Pak2)
Models can be editted on client side to be more visible and easier to see. The famous "pak2" example you hear about had player models with BIG bars along each axis. The result being you could see a guy behind a wall, or under your feet, or above you, etc before they could see you.
2) Hacked skins
Make the player skins fullbright textures so you can see everyone without a problem, negating dark areas on maps.
3) Hacked maps
Take the normal quake maps, then cut a bunch of a holes in it. Result - you can see people behind walls, through floors, in the water, etc.
These are not theoretical cheats, there are things that have been used successfully by cheats.
The solution that has been tried is to have the client report checksums of important data files and have the server verify that they're correct.
Now, with open source clients, it is a trivial matter to make your client report the correct values of the CRCs regardless of what the true values on the client are.
The point of the matter is all these cheats take place on the client level and don't effect in play data sent to the server. Therefore, they are undetectable. Now that the client is fully open source, the sky is literally the limit. Your client could tell you where everyone else is, what weapons they have, ammo, how much health, when the powerups respawn, etc. The possibilities are endless.
The point is, cheats of this kind don't taint the datastream. Therefore the only way of protecting against them are validating the client, which, with an open source system, is very difficult, if not impossible.
I *thought* all the ways of cheating in Quake have already been used and abused for years so I'm a little confused here. Exactly what new ways are people able to cheat with now just because the code has been released? I can see cheating being easier but proxy bots and and all that stuff have been around for a long time so I don't see any of this as being new. Someone please enlighten me.
-idealego
Well this raises an interesting point. With OSS how can we trust the security of _any_ program? I mean, we cannot use ssh on anyone's box, because it might be modified. We can only trust our own version on our own box. The closed software (binary only) may have an advantage here... we could compare checksums of the binaries to an accepted distribution.
They were adequate in trusted environment, and were replaced with ssh after the Internet became a bit less "trusted". The same thing will happen to game protocols -- they will be replaced with versions that will keep "world" integrity even if clients are hostile. And since this still allows cheating by giving player more information than he normally would have (for example, by making things transparent), more advanced future servers would have to limit the amount of information, every client receives from the server to only things that player will be able to see -- but this will benefit the game as a whole because it reduces the lag and amount of calculations in the clients' 3d engines.
The kinds of "cheating" that will always remain possible will thus become limited to client-side "automation" (scripts that determine parts of character's behavior, information keepers,...), however those things can be legitimized -- they require skills and creativity to be used, so the advantage won't be "unfair".
Contrary to the popular belief, there indeed is no God.
http://www.netrek.org
As several others have pointed out, Netrek solved this problem a LONG time ago. I'm responding where I am so that this post gets, hopefully, seen by everyone who hasn't read yet, so we don't get any more vague, unclueful debate on this.
The solution is very simple. ID compiles a 'vanilla blessed' server. ID compiles a 'vanilla blessed' client. They create an encrypted binary key for the 'blessed' client, based on the client binary itself. They distribute this key with the vanilla server. They allow server gods to add any additional compiled keys they want - and to turn off or on whether key checking is used.
Now, every single server will be able to be accessed by the vanilla blessed client, no matter what. It all works out of the box. Turn on key checking, and no hacked binaries or recompiled clients will work on your server. Want to make a mod? Compile your modified client binary and distribute a matching encrypted server key for it. Server gods add your key if they like your client. It's that simple. If you want to run a "chaos" server, turn off key checking. Anyone can come in and do what they want - and THAT is often pretty fun.
It works great. People have been trying, and failing, to make 'borg' clients for Netrek for quite a long time now. There are some very good borgs that used to play on the Chaos servers. But they don't and CAN'T get into the vanilla servers.
Well go figure, Quake comes out and tries to do the same thing as Netrek started doing over 10 years ago, and they run into the same problems.
I don't recall if it was Andy McFadden, or Sam Shen who first implemented it, I think they were both involved to some degree. But Netrek uses RSA public key encryption to do a client verification.
Public keys of authorized clients are stored on the server. A client connects, uses it's private key to prove it's identity and away you go.
The only thing closed is the private key. This is held by the client maintainer, and is also embedded into the compiled binary in a obfuscated manner.
If a private key comes into question, it can be yanked off the server immediately, requiring people to obtain new clients for that platform, whatever.
I think the other problem is that Quake allows too much processing to be done at the client side. In Netrek everything is server based, so about the only thing a borg client can do is auto aim for you, etc. No different than a robot playing your position. You can't defy the netrek rules at any rate, by increasing power or controlling whether you got hit or not.
Does anyone know of a gallery/collection of
_ .:*~*:._.
MEEPT[\!]? poems? They are truly moving and amusing.
.:*~*:._.:*~*:._.:*~*:._.:*~*:._.:*~*:._.:*~*:.
_.:*~*:._.:*~*:._.:*~*:._.:*~*:._.:*~*:._
ASCII art?? I thought it was a REGULAR expression
What if the hacked clinet lies about its memory space? The hacked clinet will always send data that the server wants to hear.
Personally I don't see what people get out of cheating like this. Where's the fun? Where's the challenge? If you make it so easy you don't need to work or think at the gamem, what's the point?
It's a Unix system - I know this.
We need a major linux fork, before QW becomes as forked as BSD!
Yes, we need to make sure that the Linux system and userland doesn't 'fork' into dozens of distributions, unlike the Net\Free\Open\BSD userland, which has 'forked' into three.
Carmack probably already wrote the proxy and is just waiting to release it. Seems logical enough, he could keep it closed source, its already probably done.
-HobophobE
Nothing laughs forever.
... to your scheme would be to only audit the "n" top players, because who cares if someone is cheating if they have a crappy score right ?
This would also allow the situation to have multiple servers with different levels of cheater prevention mechanisms. For example, the more bandwith you have the bigger the guarantee is that nobody is cheating (set n to "all"). For low bandwith situations n can be set low (1 , the best player) but you have less "assurance" that others are not cheating on that server.
I'm sure others can come up with many more simple heuristics to overcome the bandwith problem.
- sigs are for wimps.
Defeating proxy cheats are simple. You encrypt your client/server protocol stream. Thus a proxy can't actually rewrite the stream. In fact I'm quite disgusted that more on-line games don't encrypt their streams already. Sure there is a hit to the CPU but it is well worth it. Ultima Online could have saved themselves a lot of hassle by simply encrypting their client/server protocols.
Encryption is the key to preventing cheating:
i don't know if that specifically is the reason they didn't publish the lyrics, for those words specifically. the song is about dave's ex which he asked to marry him 3 times sehe said no everytime. i think its a interesting perspective, a man feeling, a feeling usually assiociated with women, 'the need for commitment'. lots of angst associated with the song too espescially on the BTCS version. please talk to me about it, love the discussion of jam band lyrics. ;)
"Are you satisfied with fucking?" - Dave Matthews from "Halloween"
The problem, Terje, is that Carmack decided to cheat on bandwidth, and tell the client more than they deserved to know. Yes, it makes the game more responsive and faster. However, it also allows cheating by a hacked or proxied client. There may not be any good solution for Q1, but in the long term the server will have to only tell clients things they should know.
-russ
Don't piss off The Angry Economist
Do you call it cheating if you re-write some of your kernel code to be optimised and allow you features other linux users dont hav? Didn't think so. It's winning by intelectual abbility and now who can get to the rocket launcher first. If you aren't smart enough to go in and fix your code then be dumb zombie walking around blasting without a brain, else get busy and fix up that code to make the game more fun for you.
As a few of my other posts on this topic have indicated, I really favour two things:
The community model is compelling, so I'm posting my thought under this thread.
Most people have been writing about the poblem as being cheating, and when the "cheating" is uncalled for it is a problem. But with a community in place, certain kinds of "cheating" could be allowed by certain groups of people. Kind of like the old saw about hackers getting together on a closed system and having a virus war.
The game no longer becomes who can wiggle the joystick the fastest but who can write the snazzier code. In fact, with this code being openned, there is ample opportunity to write some really fantastic AIs and pit them against other player's AIs.
All it needs is the checksums in place that would be put there by a community style system, or what have you.
-- "So far, I have not found the science" -Soul Coughing
Excellent post, and of course it was moderated down. I am so sick and fucking tired of hearing about open source this, open source that, blah blah blah. This situation shows why Linux is such a complete piece of utter dogshit. This will be the final nail in the coffin. I pray each night that God will smite all fucking open source users. Open source is not just anti-business, it's anti-Christian. You fuckers will pay for it in the afterlife, better believe it. He who laughs last ..
But first , let me point out that your example is a bit off. Player B doesn't need to download all of the players properties from the server , because the scheme is that the server knows and manages everybody's health. Also, the problem with skins, custom sounds, etc. is not related at all to the GPL Quake since you can do that with closed source version already. I think the current scheme is to simply ignore custom sounds/skins/etc and just use the standard ones, so that if you look like Barney you still look like a grunt to me :) [this is how it works in half-life]
Anyways, I think the general point you were trying to make (and very valid) is that waiting for the server to "approve" an action might take too long, and you're right. Unless we get really fast network connections, the only other way around this would be to use a hybrid approach hwere the server sortof trusts the clients, but then "audits" some players (randomly, or top players) and even if it let's actions go through (for speed) it might still reserve the right to analyse them and kick you out later. Once a cheater has been detected , his/her actions could be undone or simply ignored and the player is kicked out/banned from the server.
- sigs are for wimps.
Hasn't this been discussed a million times in connection with the SETI@home client (see their FAQ)? I don't think a real solution has been found yet, but it's kind of the same problem as with Quake.
Why is this? I can think of several reasons. First and perhaps most importantly, cheaters generally end up without anyone to play with.
Second, 'cheats' can turn into 'house rules' and 'variants' and become a part of the game, and people playing agree to the variants in play. If someone abuses this, we get back to the first point.
Thinking about it a bit further, it's possible that mail/e-mail games may be a more appropriate parallel. The additonal abilities imparted in gaming clients (e.g. targetting etc) may be more akin to players in a game talking out of band, or additional tools being used to assist play. In this situation, such communication and tools are a hazard that must be borne. It's somewhat mitigated by playing through a single arbiter (server). You're playing by the server's rules -- at least as far as actual gameplay. With the arbiter actually running the game as ordered by the players, cheating is less of a problem.
The applicability of this to computer gaming (specifically Quake) is limited, unfortunately. As a thought, granularity with some margin of error may improve the targetting situation (I'm not much of a computer gamer, so I'm not as versed in it as I might be).
Looking at role playing, I can see some parallels here as well. While there is an arbiter (GM, whatever), it's still possible for players to fudge, lie, use aids they shouldn't be (woe betide any player caught with a DMG in my campaigns). In this situation, the arbiter offers some form of consistency of play (at least within the GM's sessions). If the players or the GM goes outside of agreed bounds too often, the isolationism effect I mentioned near the start comes into play.
I'm not sure there's a need for a closed-source solution to this, just some responsibility and communication among players. However, since I don't see much of a real 'community' of gamers being constructed (other than to sell the next game), the relationships need to build up the needed web of trust aren't there yet. Might be a good time to start.
--
--
The Internet is the Suppository of All Knowledge. You get it in the end.
You think someone is cheating? Look at their source from the repository and see if you like it (and cross-breed it with your own source, and submit the offspring for signing). If you don't like it, vote with your companions to have it rejected from your server. [Some server-communities will like the cheat, and some won't.]
This requires a sane voting system, and multiple servers with moderately attentive and responsive server gods (or good automation). Different servers should have the different policies and accept and reject lists. "Genetic diversity" will be important. Voting acceptance and rejection will promote evolutionary progress. Some forks will die off, and some won't.
This way, cool cheats will make it into publically available source, while various mechanisms for rejecting stupid cheats can be explored by various server gods.
This requires servers that can compile sources for all the supported platforms, in sandboxes that prevent people from exploiting the compile-and-cryptographically-sign-the-binaries server.
What the hell are you reading Slashdot? It seems you might be more interested in non-free software (i.e microsoft.com). Free software is about giving freedom to users, in the case of games, that freedom means the ability to cheat, which is a problem, and as specified, has solutions, and involves bad design of protocol.. If you want to be limited, feel free to be non-free...
Its not foolproof, its not even close to full proof... hacking a game is easy enough without an open source encryption scheme being the only part its made up of.
:) So that adds an extra worry, but if you're already accepting a precompiled binary you probably don't care.
:)
Borging/botting and vision-cheats will always be possible, the only thing you can do is make it as difficult as possible.
IMO the most protection would give a scheme wich can upload verification&connection-encryption code on the fly so you could change it very often. In theory you could build a sandbox around the code wich in all instances pretended to be the correct client but wouldnt be... but thats about as hard to hack as I can think of making it. In an OS with adequate security uploadable code wouldnt even have to be a security risk, but we all know those dont exists
This way you might even get away with keeping the security source open, if you could find somoene mad enough to keep updating it on a daily bases
Now, I'm no crypto genius, but why can't the server submit a challenge phrase to the client and have the client do some mojo and crate a hash using some info from the client? I don't have a clue as to how this would be implemented, but I'm thinking of something like SSL. Am I crazy or what?
--
--
Just lurking, thanks!
AMEN! AAAAAAAAAAAAAAAAAAAAAAAAAAMEN! AMEN!
someone moderate this down? please?
2 quake clients will easily bog down any good system. And anyway, it doesnt have to compute the total memory space, just the binary code + the random server string. if the hacked client lies about its space it wont be able to compute the correct signature..hence it will be rejected.
"predetermined, randomly varying"--this doesn't make much sense.
"Since the string is set on the server and is varying randomly, it is very difficult for B to calculate the string dynamically at runtime in the length of time allotted"--nor does this. The main delay will be network latency, as most hash functions are *very* fast and some special optimizations are possible that can probably compute Hash([modified client binary]|[Random string]) where | denotes concatenation in around 850 cycles (this is a back of the envelope calculation).
If you just use public/secret key encryption to negotiate a key for a normal symmetric key algorithm the cheater can just read the key from host memory. (this doesnt require changing the client)
Just for your information, the cheating that is being talked about is not about giving oneself extra health, ammo, or weapons, but rather the use of such aim proxy bots. These such cheats do all the aiming for the player. These are hard to detect because it looks like the player is exceptionally good, and implementing some sort of proxy bot detector will unfortunately weed out the best of players, calling them cheaters.
Anyways, my two cents Canadian, which is worthless to most of you Americans....
So bascially encrypting the data stream and signing the client should work. Because you can only get a client signed by some "authority" who verifies there are no cheats, if you modify the client then the signature is invalid and the server won't let you play. If you try to use a proxy to cheat, your proxy would have to be able to decrypt the client/server conversation in real-time which would should be sufficiently difficult as to stop people from doing that.
hooray! time to whip some linux butt!
We'll shortly all be seeing the death of open source once the bubble bursts. Everyone will be so glad that there is closed-source stable software out there! John's doing the right thing by closing the source. I had my doubts about even allowing gaming software to be open source. It doesn't make sense. The developers/creative artists put too much time and effort into it to make it available to the non-innovative open source copyists.
'Nuff said.
Creating a closed-source proxy is a quick-and-dirty solution to a not-so-relevant problem. However solving the client-side cheating paradox purely in open source is a challenge and it's solution would surely be a milestone in the advancement secure networking.
Personally I think the development of the Doom/Quake series will prove to have contributed more to modern computing than we yet realize, and releasing the code will be remembered as a Good Thing overall.
What gets authenticated? The client? What authenticates the client? You might say the server... but if you think thats the case you are not thinking it through. The server sees what the client tells it is there, the only way the server could authenticate the client is if it had guarantueed untainted code on the client host... wich was what we wanted to check for in the first place :)
:)
Im sure you can make it difficult with open source (but not without communicating a lot of the internal state all throughout the connection IMO) but not as difficult as it would be if it were closed.
This isnt about security in the classic sense, this is about temporarily patching unrepairable security holes. In theory you could remedy vision tricks by making the client ultra-dumb but that does not work due to latency and bandwith limits, the client needs to have an accurate representation of the game situation on the host to combat latency and to be able to render the view itself.
But the only solution to borging/botting in fact is sitting next to the guy playing, its an unsolvable problem... (they could always construct a real robot for instance
This is a good point. This might be why John Carmack says that their would have to be a closed-source part of the system. You could put a "global" secret key put into "blessed" clients known only to the authority that does the blessing and encrypted in the client itself.
I thought all of these calculations were done server side? Since they aren't... why can't they be? If all the client does is display the info it would be a lot harder to cheat. Maybe see through ways... but even that could be server side... Course this ups the demands on the server.
Of Quake1/world/2/3 the one coming closest to that is Quake1, that should tell you something.... its just not an option. If everyone has a 30 msec ping and high bandwith connection it might, so it doesnt.
And it does not combat the problem of borging/botting, I could always do pattern matching on framebuffer data and provide straight keyboard input... how you gonna fix that without sitting next to me?
I'm not a big quake player, so I don't know if this will work, but...
What about the server having to sign each client with a private key, together with a random string. The cheater will therefore be unable to reproduce this signature, and the server will therefore be able to determine wether to trust a client or not.
Because it lets dorks like you have an even chance at the hand/eye coordination thing that would have killed losers like you off 300 or so years ago. it is technology/modern medicine that lets people like you continue to breath/live/breed... Evolution has stopped for the human race. Any half-brained loser can now reproduce inferior offspring in this day and age.
Lets talk about some of the classic cheats:
eye-model cheat, does that have to do with passing trusted values to the server? No.
Old school concussion grenade disabler, same question same answer.
Concussion was a client side effect because effecting the view point server side has some really jarring effects due to lag, after a lot of cheating they did replace it with a server side effect... and it was horrible.
And of course good oll bot's, same question same answer.
Server doing checks on all client input only solves a minority of FPS cheats, since FPS's are already mostly server authorative.
Bot's are the main problem, Quake is already mostly server authorative.
Then someone would find a way for the AI to not hit the target. The targets would then have to be ligit players. The only way to try and catch this would be to randomly send the client that a player has appeared infront of it, but this could be curcumvented by putting a delay on how soon the bot would shoot and if the fake player exists for too long it might get annoying to the human players.
-- "Well, Hello, Mr. Fancy-pants. I've got news for you pal, you ain't in control but two things right now, Jack and s
This would be more interesting to me than the effect of random attention from appointed moderators, but could be run in parallel with the old system. Just two more columns in the database, and a little perl to implement some new threshholding.
As you say, they still get hacked...
How? All it knows is what the client tells it. What would stop a hacked client from giving the signature of a version of the client that's on disk rather than the one that's running?
In quake, game logic is handled on the server side. It would not be possible to hack up your own executable that makes it so you do 50 points of damage per shotgun pellet and run twice as fast, all of this is determined on the server side. The problem here is not preventing hacked clients, but making sure server operators keep themselves honest enough not to compile something in that says if your name = "Anonymous Coward" then you get 5000 health. Whatever anti hack scheme is created it should be geared towards a client verifying the server is "pure" rather than vice versa.
Just like you're banking account can't be overdrawn, you still have checks in your checkbook. Come on cheaters/open source advocates, get responsible!
Not that I know any of this first hand, but from what I have read in other threads, the cheating does not have to be with trusted values. Mods to the program which dodge and aim for you affect only the client's position -- these are values which only the client can report, and there is no way to check them. It seems to me that it would have been very hard to modify the program to cheat this way before the code was releases, and it will be impossible to check for cheating now.
--Jack
This is nothing new. For almost every game there is some cheaters that exist. The problem with people cheating is not new. Blizzard has this problem with their battlenet servers (for diablo). A closed source or blessed client fix is not always the right option. Either fix can be gotten around if someone has enough time on thier hands. The article does not say cheating at Q.1 is anything new. It just simply states that it is easier for the average gamer to do.
On another note: Will this effect Q.3 - Yes. Diablo II was effected quite a bit by all the lamers that used trainers on battlenet and blizzard has said they added code to stop trainers from being used. When the Q.3 source is released there probably be a patch to prevent hacked clients or clients that are modified.
An ez solution would simply to have a little bit of code in the server that makes sure that the clients have not been edited yet and require people to use non-edited clients - they can always have another on their comp to use if they do not want to always comply with the rule.
Is it progress if a cannibal uses a fork?
First of all the client doing the rendering allows an array of vision cheats, because the turnrate is way too high to not have whats behind you stored client-side at all time you can use that information to have eyes in your back. Same goes for stuff behind walls.
:)
And theres no solution for bots, if worsed came to worse you could just read the framebuffer do some pattern matching and use that to generate keyboard input... although it would take some good AI and a lot of processing to make a good bot like that
What you describe is already what quake and its descendants are mostly like.
In an ideal world the server would send only essential input to the client (e.g. a sequence of 2D images) and request only actual output from it (e.g. key/mouse-strokes). All calculations would take place at the server-end. Hence all interactions would be legal, which would prevent all forms of cheating - except skill, or a client-side bot with human limitations.
Unfortunately, this is clearly impractical wrt bandwidth. So instead one ends up sending more information to clients (e.g. the present universe state) and receiving more back (e.g. a chunk of the future universe state), letting them do all the calculations in between. Malicious clients can use this for 'extra knowledge' such as seeing through walls, and 'extra power' such as rockets that don't miss.
One way of dealing with these is:
1. All information arriving from the client is audited once in a while. That is, the client is required to 'show the working' as it were and send the actual output. Of course, if no actual output would produce the client's chosen future state (or if calculating such an output is impractical) then the client is well and truly buggered.
2. Occasionally, data sent to the client is sent with misleading information. That is, chunks of the present universe state which should have no effect on the desired output (e.g. hidden characters) are replaced with whatever the server feels like. This will not prevent the client from trying to use 'extra-knowledge', but will counteract most of the benefits by providing an inconsistent environment, and will probably piss the cheat off enough for him to give up.
As a sidenote, does anyone know if someone's tried writing a client-side bot that uses just visual input? Would make a darn interesting alternative to handwriting and face recognition...
You could be required to download a trusted binary for every game (even every level). The binary and source would be randomly modified for a unique cheating challenge, and as the source is different each time, cheaters would have to spend all their time d/ling and compiling source and no time playing.
This solution is a little off the wall, but I think the quakeworld client could be as little as a 300k file.
My overall suggestion is this: if the conditions needed for sucessful cheating are randomly changing all the time, to cheat will be very time-consuming.
Still, I believe external personal authentication or secondary checksum programs are the future.
All I know is that this technique is used succesfully for other games. I believe that cryptography is one of the keys to building an effective client/server trust system in software; we do it for Java Applets, SSL transactions, banking transactions, and we should do it for games too.
So an aim bot can shoot behind and front instead of just in the front... big deal. Even if the client only knows as much as it needs to know to render the present frame that doesnt preclude cheating. And on the internet its just not an option.
Cheating has been a problem in multiplayer games since Doom. A closed-source, security-through-obscurity solution isn't going to work in the long run, as observed above. Chances are the problem will simply degenerate into a circular "arms race" between those that are trying to cheat, and those who are trying to stop them.
The most practical solution is already in place. As cheats are released, obviously a number of people, mostly 'script kiddies' and the like, will start to use them. If cheaters start frequenting a game server, leave. Just leave. Eventually, the only people left will be the cheaters, and the servers will shrivel and die.
In this way, the problem effectively solves itself. The novelty of patching the game in order to cheat will, eventually, wear off. Servers that are known to harbor cheaters will dissolve. And, most importantly, the source remains open and free for all to study and learn from.
--jwriney
This is *exactly* why games shouldn't be open sourced!!!!!
Bots to play against in a single player game or to fill out a less than full server are okay. Bots that allow lame players to rack up big frag counts suck... period.
This is the second time I read trends here at /.. This time, it is the set of projects that atempts security by obscurity: First Napster, then DVD, and now John Carmack's ideas. This is never a good solution - someone will dissassemble the closed source program some time and implement a cheat. It's only a matter of time.
The problem with Quake is that the client is smart. It is not just steered by the server, but acting by itself. If it was dumb, it would have been easy - there would be no way to cheat since you don't have access to the server.
I don't have any solution right now, but there surely is one. An open-source one.
--The knowledge that you are an idiot, is what distinguishes you from one.
I was just reading through a comment above, and the following ocurred to me:
If both ends record events and send them as part of the protocol then it should be possible to have your client check that the behavior is consistent with the model. This could cost some significant bandwidth especially in large games.
Since AFAIK the bottleneck is actually network bendwidth, the compute time may not be an issue.
Now, if someone writes a client that produces keystrokes such that the enhanced activites are accounted for, then that client will effectively be a macro box.
This doesn't account for modified clients which allow you to see through walls or such, but it's a beginning. Although if you were concerned, you could watch the movie generated by the other guy's keystrokes and check if it mae sense/ was legal.
That is, Carmack doesn't want to have to maintain the Q1 code. He released the code, and he's nominally interested in whatever happens to it, but to ask him to stick around and bless any modifications that others make is asking too much of him. Maybe you can set up an international standards body to perform that function, but it's an uphill battle.
"If one is really a superior person, the fact is likely to leak out without too much assistance" -- John Andrew Holmes
One of things I've never liked about Quake is how the servers are so independent of each other. You can basically choose any name you like and go anywhere. This isn't all bad, although it isn't exactly good for forming a community.
Subspace uses centralized 'Billing' servers (No one actually charges though) to hold information on users and squadrons. While it does have it's faults, it provides fairly nice stat tracking and cross-arena chat. This is also a good platform for dealing with cheaters and troublemakers on both arena and network wide levels.
Subspace has had serious problems with cheating throughtout it's lifetime, mostly stemming from the fact that most of the game's calculations are performed client-side, allowing a cheater to alter their location, inventory, or life levels at will.
Building a community structure helped stave off quite a bit of the most blatent cheating, at the cost of having to submit to the whims of frequently incompetent SysOps.
Lessons to learn from subspace's mistakes:
Whatever you do, allow users to reset their own playing stats and hold various pseudonyms under a single account. I'm betting that over 70% of subspace's billing database entries are created lamers either trying to go for the coveted 50:0 kill ratio, or using a name like 'SUICIDE BOY' just to screw around with.
Don't over-centralize. If the billing server went down in subspace, things seriously screwed up. A distributed solution similar to IRC may be in order, or something where servers could possibly on several different billing networks at a time.
Look into providing IRC-like communications with name servers that you don't control. Being unable to talk to your squadron while playing was a major issue in Subspace, and one of the reasons why independent zones have such a rough time.
Run a hierarchy where servers may ban independently of each other, but enter everything into the main database so that other servers may implement the ban as well, if they want to. This helps against overzealous Ops and whatnot. 'Oh, so GodOfTheServers has banned SkillzedPlayer again. Whoopee.'
Moof!
The Subspace Moof, not any of the others you've seen before.
QuakeForge is already discussing this problem and is planning to fix it WITHOUT requiring a closed source solution because we believe any closed source solution could at best be considered a stopgap measure. We will be coordinating our efforts to fix the problem with the Quake Standards Group. Any ways we discover in which cheating is possible will be fixed as soon as we discover the nature of the problem and the best course of action to correct it.
In the meantime we'd like to ask everyone to consider that at least half of the reports of people cheating are probably false alarms anyway. There are real problems in how the client and server trust eachother at the moment which are bound to lead to some problems now that it's possible to modify the clients, but they're certainly not fatal to quake as a game or the quake development projects such as QuakeForge.
I think we could save the old good quake I by making servers check the data send back by clients at random. For example, every ten seconds the server check one client at random, it make all the calculation for some action and compares it with the client answer, if it isn't the same, the client gets banned for half an hour (and a rocket emailed him :-). This way it will be harder to cheat, or at least to cheat in a way that you get advantage over the rest. Because as everybody has already pointed out, OSS is not the problem, people with inferior capabilities when playing networked games, with low cost egos and with half the brain necessary for playing *ARE* the problem.
Because of the way the internet works the client has to store a lot more state information than just whats needed for the present frame... wich allows you to do look behind your back/wall kind of tricks. And of course theres the good old model hacks, wich checksums never really solved. (initially the checksum was just send unencrypted over the Quakeworld connection for instance, so changing it to the valid number with a proxy was trivial... but however you implement an integrity check you can get around it)
The encryption you describe sounds like a symmetric one, or diffie/hellman at best. (since you suggest the key could be broken) The first can be easily broken by finding the way the key is stored in memory, and for the second you just use the man in the middle approach. You really need a large public/secret key pair.
And even if you get the integrity checks so good hacked executables/models are not possible, and you use RSA with large keys to make proxies impossible... there will always be ways to use an aim bot.
Maybe someone thought about this already. But this morning soon after I read about the cheating problem in linuxgames.com, I wonder:
One solution would be to opensource everything completely. that is opensource the game (which they did) and have a thorough tutorial of the workings of the client so that any joe schmoe can rewrite the code and cheat/counter-cheat. So in the end the invisible hand of self-interest may produce a balanced gameplay. It is like one of those homemade robots competetion where people bring in their bots who try to knock each other out. So now you have different quake clients competing in accordance to a server side protocol. So for example if someone uses an aimbot, you can rewrite the code so that you can dodge incoming projectiles automatically. The cheating would go as far as the game remains fun to the player... Of course this does not apply to people who really don't care about the fun of the game...
But then again as i always will believe, this is a whacked out idea.
nuff said
Encryption is only part of the solution of authentication... it can be used to authenticate a connection, but not the client. If you can fake the input to the encrypting authentication routine the encryption doesnt do much good.
There are 2 parts to the problem here, the code that allows the cheating, and the cheater who uses that cheat in a game. The hacker who comes up with a cheat will always be around. What needs to be stoped is the deployment of that cheat on a large scale. Interestingly, I think that there is a parallel between this and the gun control debate. There will allways be guns (legal or not) and what needs to be stoped is the people's use of them to make bad things happen. To continue on this parallel, there are some who would seek to place restictions on the advanced 'guns that cause the damage'.
Lets just assume for a moment that it was possible to screen on the server side for the video driver used, the software running on the client, and share that information across servers. How would one implement such a 'big brother' layer of abstraction without touching off a 'your rights-on-line' debate? (see:Another Software Spy - November 28 (/.)
This comes down to a trust model, and the ability of a server op(or designated trusted players) to kick a bot when they see one. It's worked in IRC for decades.
_________________________
>I can think of a number of ways around that one,
>but if the motion (rotation included) is
>controlled by the server then all the client
>could do is implement a control system to track
>the target.
We're not talking about Duke Nukem 3D here. In
Quake/QW the server is actually the only instance
that controls motion and everything else except
the client input. The most important cheat we are
talking about IS tracking of targets (aimbots).
>The better solution for that may be logging and
>fingerprinting.
You won't get far with logging. There are players
out there who have an aiming that might look
inhuman to some people (and some algorithms) and
on the other hand there may be aimbots that don't
aim DIRECTLY at their target or implement some
kind of synthetic jitter.
Fingerprinting is actually implemented in QW as
the client adds a checksum to it's UPDATE-message.
But now as the sources are laid open (and the
sources of new versions have to be laid open too)
it is very easy to write a workaround for ANY
fingerprintinging mechanism I can think of.
I like the idea of random targets. To make it work, you would need to make the clients unaware of which clients are visable. If any client identifying info is added, then an aiming bot could quite easily distinguish between the real ones and the fakes (insert breast joke here). A counter could be maintained on how many times the fake targets were hit. A large hit ratio would indicate that somebody was either very lucky (and should be spending more time at the roulete wheel in Vegas), or else using some sort of aiming bot. This information could be used in addition to a player voting system whereby the players can vote if they think a given player is a bot or not. Different degrees of punishment could then be implemented. The easy solution would be to simply kick players off the server. However, I think that a more lenient policy would be better. Guilty players could be reduced to using only certain weapons, take a health penalty of some kind, lose there frags, be forced to listen to Britany Spears, etc... Bot users would likely move to another server were they can rack up there 50 frags in 2 minutes. So too would those that may have been wrongfuly accused, however, if they really were innocent (and as stubborn as I tend to be while playing), then I think that they would stick around to clear there name.
"The only thing closed is the private key. This is held by the client maintainer, and is also embedded into the compiled binary in a obfuscated manner."
Break the obfuscation and the security is broken. And for a good determined cracker (in the original sense of the world, ie somoene who cracks software protection scheme's) thats not going to be very difficult IMO. I think netrek escapes massive cheating because it isnt popular enough to have an effective spreading of cheats and enough lamers to want them.
>[d] Server C knows what string it passed both
>clients and also know the signature of a
>legitimate client + random string.
If the server knows the valid signature then
this means that the memory dump of the client
(not included the random string) is static. This
is certainly possible if you make a dump of the
code (problem with different platforms!) or
any other data that is included in the valid
client execuable or computed by this executable.
The problem: this data could also be constructed
by a hacked client (especially if the qw-sources
are public).
...people from faking their client keys?
/proc/kmem byte by byte, you can pull out that data somehow.
Maybe I don't understand the scheme you're proposing, so bear with me.
Proving that someone has a "blessed" client sounds theoretically impossible, for many of the same reasons why creating an uncrackable copy protection scheme in software is impossible. You can't have a perfectly hidden private or symmetric key in your "blessed" client, because to use that key the client has to decrypt it sometime, which implies:
A. The algorithm for decrypting it is there, in the client code. Making the client closed source may make it more difficult, but no less possible, to recover/reproduce this algorithm.
B. The decrypted key is in memory sometime. Whether you run the "blessed" client through a debugger, or halt its execution and examine
There are more ingenious techniques, I suppose - someone mentioned running a "blessed" client and using your cheating client as a proxy between it and the server, passing any "key requests" or "checksum requests" to the blessed client while handling most of the gameplay with the cheating program.
Two more points, as long as I'm posting:
There have been near invincible client-side bots on public servers since I started playing Quake over two years ago, with all the aim improving, sight improving, etc. cheats that Carmack outlined. Closed source didn't do anything to stop them. In other words, to the idiot QW player who whined that he was never buying another Id game: shut up; it's not Id's fault.
The best way to prevent cheating from a client-side bot is to have the client-server protocol such that the client is completely untrusted. Unfortunately, this isn't perfect:
Just because it prevents the client from cheating doesn't mean it prevents the client from being a borg or a bot. You can make a Quake game such that borg clients can't see around corners, but you can't make one such that borgs can't have perfect night vision, perfect (aside from dodging projectile weapons) aim, etc.
There are technical complications in realtime games to making the client completely untrusted. Quick example: Not sending the Quake client data on opponents who are around a corner means that the client can't do any local prediction on that player's movement, which means that you're subject to the full 200+ ms modem lag before the opponent becomes visible after he rounds the corner. I've already been too spoiled as a LPB to enjoy modem FPS games; this would just make them near-unplayable.
Having a number of "blessed" clients as you've suggested is the perfect way to prevent cheating, but short of a magic uncrackable piece of hardware to locally verify the "blessed" client status, I don't see any way of preventing people from creating cheating clients. Closed source makes it harder, but no less possible.
I'd hate to start a new thread, so I'll just follow up to this one :-) Hope you don't mind.
I've been working on a multiplayer networked rocket game (see Turboraketti 1/2, turbis and others for a definition of "rocket game") for a while, and I think I've solved the clientserver trust problem pretty well, although the result may not be satisfactory if you're on a slow / laggy link.
I designed the client -> server part of the protocol so that the client only tells the server what changes to the state of the user have just occurred. It is then up to the server to cause that player's ship to turn, fire its engine or something like that. But the point is, the input data packets don't contain anything that could be falsified (like a command "move my ship to some random position and set its velocity to 0,0", to quickly get out of trouble when no such thing can be done without cheating). This also causes the client not to be able to compensate for its lag to the server, but hey - life is tough.
The server also keeps count of shots fired, checks for collisions and other stuff like that. Most of the calculations are also shadowed by the client program, so object movement is pretty smooth with relatively low consumption of bandwidth. This scheme also doesn't require encryption; the server simply performs strict sanity checking of all incoming packets and kicks clients who violate certain constraints right out.
This should make the server side completely cheat-proof, unless I've been smoking crack at some point and just haven't noticed :-)
Unfortunately, as I see it, this method of client-to-server communication can't be easily migrated to Quake, and absolutely not without breaking backward compatibility.
It has been possible to verify documents for years now using public/private key encryption techniques, for example PGP. For example, using PGP you can sign an email message and others can then verify that the message really came from you. Obviously the same thing could be done for an executable file. This doesnt depend on the source that does the checking be hidden. So why not have "signed" versions of all the acceptable quake 1 clients and then use public/private key techniques to check them ? Even if you limit yourself to a key-length which would avoid export problems, it would take considerable effort to break a scheme like this.
Quake 1 was good, nr 2 and 3 sucks
:) And some silenced close-combat weapons too.
Here is a list of GOOD multiplayer games
Teamfortress I&II, Delta Force I&II
Nothing beats a game with a big and good sniper rifle
Would targetting computers and nightscopes be cheating if everyone used them? Of course not. It's only cheating when people don't agree on the rules.
You might think that robot/cyborg players were cheating unless your goal was to see how good you were playing against the AI. Or unless you were competing with other humans to see who could build the best robot.
So making it impossible for the game to have bots and timers and other add-ons isn't necessarily the best approach, since that eliminates the potential for whole new forms of gameplay among consenting participants.
That's why this is and will always be a social problem, not a technical problem. And it's one with a simple solution: don't play with jerks.
It's just like Usenet: it used to be a nice place, but then it got overrun by idiots, and so newer, smaller communities like Slashdot appeared. If you are playing Quake and there are a lot of cheaters and idiots around, chances are your community got too big (and thus lost the elements of it that made it actually be a community) and you need to find or create a more intimate one.
People should be forced to read the QW-Protocol specification before they contribute to this forum! The situation is: the server DOES actually all the damage/movement calculations! All the client does is input and rendering (in QW it with prediction).
That's nice in theory, but when performance
extremes are needed (e.g. quake), you have
to make compromises. To get the kind of
performance you need from a game like this,
you have to put as much work into the client
as possible.
It's a tradeoff. In this case, open sourcing
the software didn't _create_ a security hole,
it just widened it to be big enough to drive
a semi truck through.
Well, it seems to me that this presents the open source community with an excellent chance to prove itself... People have said that open sourceing quake is not the cause of the cheating. That cheating still would have been/was possible, just harder.
:)
/.), what I've proposed might be impossible. It might not interest anyone. But I hope it does. I use to run Linux but stopped when I got into CG and found that the best software was not available for the platform and that I didn't have the disk space to devote to something that was not my primary interest. Since then I've watched Linux and open source software bloom into something that I never though possible. Because the software I use is still not available I remain a windows user, but I have watched and waited for the day that this will change. I put my faith in all of you to help expand the boundaries of what has been the conventional limit of open source software.
The real issue here is this: A software developers time is money. This is amplified by the slimmer profit margin on games and the pressure to innovate. When something like the protocol for a network game is developed closed source it take much more initial effort to hack it. So much so that in many cases people simply don't take the time to do such a thing (after all, it's a game and we are talking about high scores, not a high security server). Additionally it is fairly easy for a manufacturer to make some sort of simple "Band-Aid" type fix that renders all the effort that went into hacking the protocol worthless. Compound this by the fact that with game hacking the only _real_ payoff is the esteem that a person might get for the oh-so-sexy first hack, a repeat attempt is a lot less likely.
Games being games there is also a lot less pressure on manufacturers to make them secure. A game that someone can cheat at will hardly serve to tarnish the reputation of a game company, the only real loss is that of some gamers pride for a little while. All the company must do is simply produce the previously mentioned fix and everyone is happy again.
On the other hand if a game is released as open source and a plethora of hacks start appearing faster then anyone can fix them nobody will want to play the game and the manufacture (and the community) will lose big-time.
Now as a community if we want thing like games to be open sourced then the burden would seem to fall on us to provide a way for game makers to do what we want, yet still live securely in their little profit driven world. Therefor what needs to happen here is the creation of an open and secure framework for game client server communication. Something such at this would have to have the following requirements:
Speed - Speed is paramount, our solution must be extremely fast. The fastest solution available really. I'm sure everyone here has felt the pain of laggin network games.
Ease of implementation - It has to be flexible enough that it can be incorporated into all types of games but really painless to implement. The best way to get a game programmer to make use of something like this is to make it better then what he could accomplish by himself.
Security - Though obviously security is what is most important to "us", it's the last concern for "them"... Game companies have a model right now that works just fine for them. In order for something like this to work (and to have any sort of point) the security would have to be good enough to make cheating as rare on occurrence as it is with existing closed source models but not impact ether of the previous two goals.
As I finish writing this I've almost convinced myself of it's impossibility. Iron clad security with no penalty? Speed comparable to or better then anything that has come before? The goals are numerous the obstacles large and the reward comparatively small, remind anyone of anything?
I'm not a programmer or an organizer (nor do I ordinarily spend an hour writing things to post to
The "opensourceing" of Quake I may very well be the first and last chance the open source community has to prove that their model for software development is good for situations outside it's current scope. I hope that some of you pick up this ball and run with it.
Happy New Year and good luck,
Peter M.
You can't embed "a cryptographically signed secret" into an open sourced program.
In every sort of game there exists the potential for cheating. From thursday night poker games to the World Series.
In Quake gaming and client/server computer games in general I doubt the remedy to this will be in software.
It seems more likely to me that an adjustment in the attitudes/customs of the community will bring swifter, better results. The higher the stakes the participants are playing for, the more severe security measures the community will have to take. Leagues and other "official" organizations will start to assume more importance.
In other words games for money will probably have to be played on league property, on the league's hardware, using the league's clients and servers, with league referrees monitoring the participants at all times. Just like all other games played for money.
There will still be cheating. The World Series has been fixed and people are occassionally caught in the Majors with corked bats, but the frequency will have been reduced to a level that the community can stand.
As for smaller pick-up games for fun, every time you go into a new community (or in this case, server) there is always the chance that you will be cheated. The same holds true for poker, basketball, pool or Quake.
Basically you need to look around for a community that holds values similiar to your own.
With the game being open sourced hopefully there will be a large number of servers out there and you can find one that values your mad fragging skills or insane hax0r ability appropriately.
"Hey... don't be mean." --Buckaroo Banzai
hi,
at first I was very excited that the source code of my favorite online game was finally gpl'ed. Now the several problems and incompatibilities can be adressed.
The remaining problem is cheating. I read several thoughts in this discussion about checksumms, cryptography, etc. but in my opinion nothing like this will work.
To prove this I'll give you an example of a typical clan match in team fortress (a quake mod). 20 people join the server. Their maps are checked with a crc32 checksum (maybe md5, dont remember exactly), their models too. The movement protocol is a bit encrypted too. Then we perform a f_modified check. f_modified is the keyword for qizmo, a qw proxy, to calculate the checksum of the executable, the models, maps, sounds, etc and replies it to the server so that everyone knows that there is nobody cheating.
This system with qizmo is quite safe and trusted by the online community.
Now with the source release several problems come to the surface.
The f_modified check still works, it reports incorrect binaries sucessfully. The problem now is the server. My clan is called "CORE", so it's a five minute hack to implement a function in the server executable like: if (teamname = "CORE") then give health 150%
This cheat is not detectable for the other players and clan matches are useless now.
Everyone here discusses about trust and encryption. With the gpl'ed quake we can not trust the clients and the servers! In my opinion this problem is almost unsolvable. Maybe we need a closed source program like qizmo for the serverside too, any suggestions?
Vario
--
for more infos about qizmo check http://qizmo.sci.fi
People have been cheating in the original Quake for quite a while.. that has made even more annoying and irritation that the game was to begin with. Open Source quake might make it a bit easier, but there has been so much cheating in quake already - big deal.
Juln
Damn straight! You better believe it! When the shit hits the fan this New Year's Eve, all those heathens who do not follow Christ and don't promote closed, proprietary, slash-and-burn capitalism will be taking the Expedia Express straight to *Hell* (rumored to be near Seattle). Thank God for Christians like Trent Lott, Bill Gates, and George W. Bush who will be there to lead us in the *Afterlife*.
There is a difference between the source code and the binary. The only thing that you want to "bless" is the binary. The source lives its open life as it normally would but people could submit copies of their customized versions to be compiled, "blessed", and distributed.
I'm affrde a lot of people are responding with the same old answers.
The fact is on-line games like Quake are VERY sensitive to cheating. The client is trusted with "to much information" it's nessisary becouse the server can not deliver all nessisary information on time. Instead the server delivers information the client MIGHT need.
Time City preposes to solve this problem by building the client/server pacage ground up with an auditing system. All Quake servers and clients were built ground up on a trust system. To change this would require a compleate rewrite.
The problem is Quake expects the client to be 100% reliable and trustworthy. Now that the client is open sourced this is no longer the case. Just as you can close security holes in open source you can open them.
Thies defects have been known for quite some time and could NOT be addressed. Eventually some punk would make a cheat clinet based on the server code (allready open) not the client code and we'd be in the same position. But it would have been sevral years from now and by then Quake would not be that iteresting.
Many open sourced multiplayer games suffer exactly the same problem. They solve it with a closed sorce solution. Trusted clients are compiled by the games develupers and given encryption keys. If your client has a valid key you can play if not you may have compiled it yourself and could be running a cheat client.
So the source is only there to fix the bugs and improve the game but to accually use it you have to return the code to the develupers and let them compile it.
Or you can fork the code and make your own keys.. But then only the servers recognising your keys/code could be used by your fork.
Time citys solution is unqiue and time will tell if the game server will effectively detect cheating or if people will be able to make cheat clients using the open source code.
The way it was explained to me BTW is that if the server detects someone cheating he will be dropped form the server.. It dose this by mesuring to make shure the user really really really could do what he says he's doing and if not.. disconnect...
Some of the cheats in a Quake client rely heavy on the fact that Quake clients MUST have data on ALL players at ALL times. Raidar and transparent walls are the result. The client is trusted to do "the right thing" with the data. A cheat need only take advantage of this...
If Quake did not yeald as much information as it dose it wouldn't be so easy to cheat... but that would take a compleate rewrite of the client server interface....
I don't actually exist.
Carmack is an idiot and should burn in hell for proposing a closed source solution. It shows that he knows little about real coding. Real coders support 100% Pure Open Source. Also, the fact that he released first for Windoze shows that he has no respect for the huge Linux community.
Goto http://www.planetquake.com/botshop then goto to ( Clients ) link.
I'm amazed at everyone acusing me of making a cheat proxy. I've written serverside and clientside bots, but I've never released CS code. I will be releasing CS code ASAP. Client side cheats aren't effective to any degree more than having a low ping or camping. I notice everyone posting otherwise is AC.
It's the same with sports or any game. People who cheat do so in order to clame suppereority. "I'm better than you becouse I won and you lost... loser.."
Compeating is great and when you lose you learn and when you win you learn.. when someone cheats the cheater steals the experence from everyone including himself so he can feel better about himself becouse he won...
It's sad but some people can not see past the win itself... They want to win so badly they'll hurt anyone to do it.
But what is gainned? Hurt feelings... a cheater is not going to notice or care.. he feels the need to be better not to experence or to bond.. he wants to put himself on the pedistal.
The real irony is some people play FPS just to get away form that kind of person... blow off stome steam.. beat up on someone.. if only in a VR type sence.
I personnaly play against bots as a test of skill. So cheaters can not steal the experence from me.. it adds a new dimention to the game for me... but thats me...
It's certenly no fun for newbes... it roaly stinks.. Whats the fun of beating someone up on-line if you had to cheat to do it?
It's more fun when you frag a cheater...
But a cheater is infereor.. he dosn't open himself to the challange.. instead he cheats... So in the end he hasn't proven himself to be better... he proves himself to be worse...
I don't actually exist.
The answer to (A) is client CD Keys, as discussed in my earlier post. Obviously this won't work for pure open-source-only games (since it requires you to "buy" something), but since Q1 is an open-source hybrid (as will be Q3 and others if they get released) this scheme can certainly works. It requires that the game be distributed with CD Keys to begin with, but I think you'll see that more often than not, starting with Q3 (especially future id games).
That also is the solution to (B) -- disputes are settled the same way the company settles the normal "he stole my CD key dispute"
(Darn! Of all the days to be gone visiting relatives, there are ~320 posts already - I'm hoping someone still has moderator points left)
The article for Game Developer discusses not only cheating in fast client/server games like Quake and other shooters, but in strategy games such as Age of Empires and Starcraft, Action-RPG's such as Diablo, Massively multiplayer games such as Ultima Online, and others. It also makes an effort to identify and classify cheating efforts from the blatant hacks to the gray-area issues of a game's design. It discusses the various architectures games use, and the inherent strengths and weaknesses in them. It talks about the specifics of how games get hacked, specific counters for them, and the limits therein. It also examines programming weaknesses that can lend themselves to cheating in non-obvious ways. My goal with this article is to provide to others in the game industry a reference to assist them in their efforts to secure their games. (For those interested in my credentials, I've written significant portions of all three "Age of Empires" games, and worrying about cheating and designing counters for them is something I'm paid to do in my day job.
With that said, there are four rules that apply to Cheating in ALL Multiplayer games:
1) Despite what you think, someone really wants to cheat bad enough to do it.
2) Despite what you think, cheating in game (insert title here) is possible.
3) Despite what you think, someone really wants to cheat bad enough to do it
4) Despite what you think, cheating in game (insert title here) is possible.
I repeat myself because denying the problem (which many game publishers do) does not make it go away.
-----------------------------
In response to various issues raised in the ~320 posts so far, I would like to assert the following regarding online gaming:
Closed Source will not prevent cheating, only slow it down (a little)
Terje Mathisen is correct - it is absolutely impossible to make a completely cheatproof system
This is not a case of "Security Holes" in the game programs, but rather basic aspects of the design of our computers and network communications being used to achieve particular results. To perceive it as such is to promote a fallacy.
You can verify that a game is running a specific and trusted executable. This does not achieve security. You can not verify anything else that is running on that computer or any other computer between you and the other players that passes your communication packets along.
Security through obscurity is not security
John Carmack's post includes pretty much all I was planning on saying about cheating in Quake-engine games and clarifies the misconceptions in many of the other posts. The issues with the Quake Architecture are summed up in his comment: "The cheating clients/proxies focus on two main areas -- giving the player more information than they should have, and performing actions more skillfully. " - What I classify as "Information Exposure" and "Reflex Augmentation".
Information exposure will remain one of the biggest problems for most games. In nearly every game, there is a degree of interpretation in the display of a fixed piece of information. A cheater can alter that interpretation (display something that should not be shown, make bright something dark, make a sound louder, whatever) on his and only his machine without altering that information with respect to the game world it is a part of.
Information exposure does not have to involve modification of game's code, data, or network communications. Passive reading of network packets and key values from another processes' memory space are sufficient to provide a cheater with a significant advantage with some games.
Reflex Augmentation will remain a big problem for games where player's reflexes are an important part. How fast you can move the pips in Backgammon does not matter - it has no bearing on the outcome of the game, or the other player's turn. In Quake or Half-Life, it's all about being fast and accurate; that's why you can never have a fast enough system, video card, or ping. Aim-bots and other proxies will always be capable of passing themselves off as the real thing. The fundamental problem here is the inability to distinguish human inputs into the game from computer generated inputs. Quake server modifications to attempt to distinguish the two have led to the Aim-Bots adding human-style "errors" into their inputs until their accuracy is reduced to just below the statistical threshold that the server will allow. That really good human players may be incorrectly fingered as cheaters only underscores the limits of this option.
Game Design decisions may inadvertently add to the problem and lead to quicker dissatisfaction with a given game. I'll use Half-Life for an example. Let's assume an auto-aim proxy exists for it (I believe it does). Half-Life has a weapon in Deathmatch that has two interesting capabilities (which have a place in normal gameplay): 1) it kills with a single shot no matter how much health or armor the target has. 2) it shoots through walls. I will leave it as an exercise to the reader as to how much less fun the game becomes (became) the day that proxy makes (made) the rounds.
Encryption in communications has some important limitations:
1) Any sort of protocol that involves adding any back-and-forth to complete a single action will raise "ping" times significantly. Games are already struggling to do everything possible to reduce lag. The gaming community would reject adding 250 ms to everyone's ping.
2) Packet loss is accepted for some portion of communications in some action games. Any sort of encryption on those packets has to be able to survive lost packets.
3) CPU bandwidth is limited. Too many cycles devoted to encryption and decryption (especially on the server) will negatively impact game performance.
4) If the end user has access to both the client and server, they can and will be debugged. By very smart people.
Slashdot user 'Pete-classic' touched on one of the anti-cheating efforts that I feel has been under-explored to date: identifying people that cheat at a game and exposing them to the online user community for that game. Being able to record games and play them back from the perspective of other players (as you can in Age of Empires II) brings the ability to audit a game after it is played. While this can't address all possible forms of cheating, it's a good tools for raising suspicion in those cases that it can't outright detect. It's also equally useful for proving that you were beaten by a better opponent.
An opportunity exists for developers to add hooks into future games to assist the user community in policing itself. Imagine if you will, that when your server browser bring up a list of games, next to the net-speed indicator is an indication of the controversy and reputation of the server. Social solutions are going to be complex and take time evolve, but they offer possibilities that programming alone can't.
So much more to say, but I have to sign off now. Thanks for reading and caring.
-Matt Pritchard
Ensemble Studios
Age of Empires, Rise of Rome, Age of Empires 2: Age of Kings
lets say each client uses 10% of its processing time for physics (maybe the rest is for polygons drawing/lighting, etc). lets say you have 35 clients. if u move all that calculation to a server, it will have to do 350% of the processing each frame that a normal client would do just for the physics. Your server would have 2 be pretty fast i think.
This boils down to the server being able to get trusted code executed at the client which is able to exchange secure messages back to the server, and bootstrapping trust from there. The key element of course is the KxSec chip itself. The new vertical gate technology you've heard about (~10 x current density) permits huge on-chip cache, and this chip will have two, one of which will be dedicated to holding trusted code.
The trust comes from the fact that the only way the code can be loaded is through an added on-chip special execution unit which has built-in capability to take an encrypted memory image and decrypt it and store it only in the secure cache.
The encrypted image in our case is encrypted by the server using the KxSec's public key. Each chip is manufactured with a unique key pair, with the private half permanently hidden, even to debuggers etc.
The chip executes the decryption/load operation in parallel with normal chip functions, something like floating point going on in parallel, only a lot lengthier.
It takes a kernel mode special instruction to kick off the load sequence, and similarly to kick off execution starting at a location in secure cache, but the execution is done by the special unit, providing in effect an added CPU mode which is the only execution mode allowing data storage into the secure cache area.
So, if we have loaded the right secure code, it can, e.g., compute checksums etc., and prepare an encrypted message securely in the cache for transmission back to the server.
But what if the poor chip is being used by a hacked OSS OS? Well, the secure code will transfer its encrypted message to insecure memory and call on OS network functions to send it to the server. It will either arrive or not, but if it arrives, it can be trusted if it can be decrypted, (and if it is known that the public key really belonged to a KxSec chip, which can be determined via public data base). Privacy issues similar to the P3 PSN may be relevant. Comments?
The anticipation is that new BIOSs will use this feature starting with the boot block, and that OS loading, and driver loading will all eventually be securely controlled to allow guarantee of what is executing in the system (e.g., so a Quake server can verify that a "blessed" video driver is installed). Secure random audits could be well supported this way too.
Certainly Open Source, compiled and signed, with signatures for all desired modules, will help, not hinder, the goal of security.
Eventually perhaps most significant devices in a system will have on their controller chips a secure execution core of this type, to allow secure aggregation into larger trusted systems, where in truly paranoid cases all links will be treated as untrusted and requiring secure comm protocols.
When is this due to be fabbed and sampled? Suspicion is it is tied up trying to shake patent parasites at the moment. So, it is hoped this little hoax will help fight them off with disclosure of the obvious into the public domain ;-)
Athlon is a trademark of AMD, and AMD has not authorized this post.
How about this: At connect time, the server transmits the authentication code to the client as a Java .class file (or reasonable equivalent)? The authentication code is run (in a sandbox) and checks out the game environment to make sure it's "approved", before generating the correct response code that can then be sent back to the server to allow the game to start.
Of course this is still vulnerable to all the previously mentioned spoofing attacks, but the advantage here is that the server could use a different authentication method every day (or even generate a custom authenticator for each connection), which would hopefully make it a giant pain-in-the-ass to keep your cheat code "compatible" with the server...
I don't care if it's 90,000 hectares. That lake was not my doing.
The open source model lets creative people come up with superior strategies for winning. It's retarded to run around with the mouse and fire if you can use your brains and hack up some code to kick everyone's asses.
Plus isn't it, at least to some extent, the fault of the design of the game protocol in that it facilitates cheating? A well designed protocol would not allow client modifications to give rise to cheats---other than the creation of robot players with superhuman reflexes. Even that could be eliminated; the game server could be equipped with detection heuristics in order to kick suspected robot players off, or handicap them in some way.
I think that people who cry ``cheat'' are just damn whiners lashing out against nerds who are applying ``alternative skills'' to the game.
Why is everybody bitching about people cheating at this old game? There's some killer network code in there! There's an awesome game engine! There's interface, resource management, and multiplayer code! Why, oh why is everyone so hung up on people cheating all of a sudden? The game is how old? How many people have moved on? How easy is it to cheat at any aspect with mods and patches already in existance?! How many actually read his .plan? Shit, use it, modify it, and send it back out.. Am I missing something, or isn't that the point of releasing the thing in the first place?
How can the server verify the HASH key? If the
server is asking the client, then it would be
easy enough to fake the response??? I have never
seen a good idea for client-server gaming where
the server puts *any* trust into the client.
Thanks,
Ben (greearb@candelatech.com)
Were there cheat clients before this? No. Q1 was nice and secure until the source was released and cheat clients showed up. Security through obscurity was working.
C'mon people, let's show some perspective here.
Quake is a game. Yes, it's annoying to enter a game where someone employs one of the various descendents of Stooge-Bot to blast you from here to oblivion. But to claim that this is somehow a big problem with the Open Source methology is just silly.
As far as I know, the first client of this type was the StoogeBot stuff done by some students at Stanford with lots of time on their hand. Note: this was well before the source code for Quake was available. It's a relatively straightforward thing to make a proxy to intercept and log the conversations between the server and client, and since the original protocol was done pretty much without any kind of authentication or security, it apparently wasn't very difficult to reverse engineer the protocol.
I view the whole thing as a rather clever bit of hacking, perhaps not worthy of slashdots top 10 list, but rather good overall. Yes, it does ruin the fun for some people. But you'll find that some people will cheat at pretty much anything. I'd merely advise not to play with such people...
To me, it's pretty damned silly to play a game that you always win.
There is much pleasure to be gained in useless knowledge.
Absolutely nothing. We just make it as difficult as we can. Someone with enough determination can (and has) spoof us.
Let me introduce myself. I am the current netrek client KEYGOD. I am the one who edits and serves the keyring that go to all the servers who wish to validate keys. How does it work? Not by open source. Well, not very open source.
The people who own the RSA patent have given us permission to use a version of their algorithm for authentication purposes only. That source snippet is not included with any server OR client source tarball. Neither gets it, so the source isn't really "out there" or open-source. Who gets it and how are things blessed? Well, here's where trust comes in.
The source for the RSA verification is relatively tightly controlled for US export, and patent and copyright reasons. There's a US version and a non-US version. You get the RSA source by becoming an established client developer or Server God. You ask us, who run the metaservers to give you the key to unlock the source tarball and include it in your source compilation.
For a server, you're done, it will go fetch the keys from the keyring automatically. For the client, the verification source generates a public/private key pair stores it in about 20 different variables in random order and random .o files. Each .o file is randomly linked in to the final binary, and symbols are stripped. No binary CRC checking is done. Multiple binaries can be compiled with the same key, and yes, you read that right, the key IS stored in the client binary. The client maintainer will then offer the client public key to me, and I have a fixed set of criteria for accepting or denying a key.
We, the server gods, client developers, and I, have to trust each other for this system to work. We have to trust that someone didn't compile a borg using the same key as a non-borg. Hell, we have to trust that someone didn't out and out try to bless a borg outright since it is practically impossible for us to check all the clients. Server Gods have to trust me to not slip in my own or my buddy's borg. The players have to trust the Server God to not put in server side cheats for himself. But there are recourses. Someone can cry foul on rec.games.netrek and we can investigate and yank a key. Server Gods can add their own keys of people they trust, and can reject keys from the keyserver.
Maybe I'm overemphasizing this, but at some point, people ARE going to try to cheat. There is nothing anyone can do about that. You have to hope that that number is small and trust that people are generally going to Do The Right Thing. Barring that, we try to make it as difficult as possible for the casual cheater to succeed. Heck, the non-casual cheater doesn't even need to hack the binary. They can twiddle with the IP stack. They can even write something under X to send X events to the client, I'm sure you can do the same under Windows.
Another level of trust is with the client developers. We have always been adding new features and new clients. Every once and a while a feature introduced by a client developer may be deemed borgish. A flame-fest/discussion occurs on rec.games.netrek, and if a feature IS declared borgish, we have to trust that the client developer retracts that feature.
If you want to see how we discuss this, do a Deja search on rec.games.netrek. Keywords like "New Client" and "borg" will hit most of those discussions.
Now to find a moderator to moderate this up...
--Carlos V.
I looked into this a long while back, and this is what I remember of it. It's probably 85% correct.
The 'blessed' netrek clients are clients compiled by a few, trusted people. Netrek's verification scheme uses some sort of RSA or RSA-like encryption scheme which uses private and public keys. When someone is generating a blessed binary, they create a key pair, and compile the private key into the binary.
The normal source code that everyone downloads essentially has the routines which return the secret key stubbed out to do nothing. When you're compiling a blessed binary, you replace the normal routines with a routine which actually returns the secret key. The secret key isn't just compiled in directly (if it were, someone could just open it up with a hex editor and find it if they knew what they were looking for). Instead, a pretty hairy series of function calls and macros are generated which, when evaluated, returns the secret key. This makes it much harder for someone to pull out.
Nothing is going to be perfect, and someone is always going to be able to find a way to cheat. If you're distributing the binaries, then there will be a way to find out the secret key and make a borg (cheat client). It happens with everything... for example, DVD. Quite a few people have defeated the scheme netrek uses. Some may have poked around by running the client under a debugger, or disassembling the binary and finding the code that generates the key. I've heard that someone managed to make borg by writing a customized X server that understood the specific X calls a specific client makes, and sending appropriate input back to the client.
It does keep the majority of people from doing stupid cheats, though. FWIW, quite a number of the major netrek servers would allow any client to connect (borg or not) and didn't really have too much of a problem. I play on servers with people who I know are using borgs, and it doesn't really make it any less fun... even with the borgs, they are usually quite a bit less dangerous than the players who are truly good at the game.
the only way to have no one be able to cheat is with a closed-source system of checking.
:-)
We have GnuPG under the GPL, as well as Quake 1 and OpenSSH. So why not setup a system where first the client and server exchange keys and begin encrypting the session, then they verify the identities (this could allow a global "stats" centre) of the client and server. If the server is a good one, and the client has not been blacklisted, play commences. By encrypting the stream (or just compressing it), you make it harder for others to break in and/or forge identities. This could dovetail quite well with Netrek's blessed binaries, and would allow better "global" rankings
---
--
Internet Explorer (n): Another bug -- that is, a feature that can't be turned off -- in Windows.
Haha. You are from AOL. AOL shift key(s) keep(s) getting stuck, and because of that, AOLers are so easily viewed to be the senseless morons they really are.
If you had left shift off, you might have been able to masquerade as a non AOLer, and perhaps someone else might have read your post.
people can and will always attempt to do stuff
like this but thta does not mean it should not be
open for all.
You could trade Quake Clients like Pokemon cards!! they could gold plate the cd's and have them in happy meals!
I have never looked at the netrek source code, but is there anything stoping you from just changing the protocoll to prevent cheating.. and perhaps changing the game mechanics and ideas about fair play too. After all any cheats that could be accomplished by an external program which monitored the X events is not really a cheat. The ``proper open source''' solution to borg clients is to include a scripting language to incurage them.. giving everyone equal opertunity via sharing these scripts.
Now, an interesting application of your existing blessed clients system would be to make a clients which gave a copy of your scripts to your oponent trivial.. and roge clients which did not give away the script a pain in the ass.
Finally, if people are sharing lots of borg scripts (even via some automatic script sharing system) then there would eventually be no benifit in making a client to keep your scripts secret since your scripts wouldn't really be that much better then anyone else, i.e. the user interface to the game has evolved.. which is what we all want anyway.. especially in those build and send troops games like StarCraft. A script system is exactly what they need.
Jeff
The Christian religion has been and still is the principal enemy of moral progress in the world. -- Bertrand Russell
Yet another reason why giving people the code to your programs. This happends to 99% of all open source games. And almost 4% closed source games
This post should be marked up as informative. I mostly played team fortress not dm so maybe I just don't get it, but I don't agree that the sky is the limit. Or I should say I don't believe it because I don't know. Does the server send the full state of the current level to a client? I thought that in some version of qw, in the interest of saving bandwidth, the server only sent information that was pertinent to the client. basically just what the client could display at that point in the game.
We actually do need 1 borg badly. Something we can run on an empty server that is smart enough to teach newbies how to play. The Netrek learning curve is steep. Any volunteers?
--Carlos V.
It actually works quite well. It's difficult to pull the key out of the binary, because it's been obfuscated into the binary.
As Carlos pointed out in another message if the key is compromised, it's easy to yank the key, create a new one, and recompile the binaries.
And since the code is obfuscated per compilation, to find the key out would require the same amount of work each and every time... i.e. disassembly of the client. Sooner or later someone will give up.
Netrek isn't very popular these days, because of eye-candy games like quake. But at it's height back in the early 90's there were quite a few people who looked at the authentication mechanism and tried to break it... thus strengthening it.
The trick in making sure clients are trustworthy is to have them calculate results that are easily verified. For example, if a client reports that a move gives a particularly favorable position (so favorable that it beats all other client's suggestions), then it can be rechecked by the trusted server for correctness. It's fun, easy, and doesn't even require messing around with trusted hardware (i.e. the AMD post above) or trusted executables embedded with an obfuscated private key (a.k.a the netrek solution outlined by the nettrek keymeister above.)
But how does this work for quake? My chess example is all about hunting for an optimal solution that can be easily checked once found. Quite frankly, I can't think of any way of phrasing Quake 1 client functionality as a similar task. So, lets talk about another, hypothetical game, which we'll call, um, how about "Quake 4."
In Q4, computer assistance (targeting, dodging, whatever) is built in to the client. Even better, multiple computers may team up to collaborate on a superbot. (The "AI" would have to be moved from a bunch of heuristics (I assume) to something more resembling minimax. These superbots could either fight other superbots, or perhaps the Kasparov's of the Quake 4 world running manually.
Now, before you object that this doesn't sound very fun (having the computer do all the work) imagine if serious swordplay was introduced. The AI assisted parrying and blocking could end up similar to the sword fighting scenes in Princess Bride, with far more entertaining results than might be accomplished by humans banging away on their keyboards or mousbuttons trying to control every thrust.
The more sophisticated and subtle player actions can get, the more difficult they will be able to control without AI assistance, and there are some great games to be made in the future. And yes, I'm still pissed that Kasparov lost to Deep Blue, foiling a great opportunity for a collaborative computing rematch.
Id should create two version of Quake: An open-source version, and a binary version. The versions will be almost identical, except one thing: the binary version will use strong cryptography to pass it's messages. When connecting to open-source version of Quake server, or a Quake client, a player with the binary version will get a warning. Then, he/she can decide to play or not.
It is possible to use private-key cryptography (no need for public-key cryptography). However, the binary version will need some kind of anti-debugging code.
Doron.
i'm sick of this "open-source at any cost" shit. if open source has good effects with certain types of software-- hey, awesome. make your os super secure. but if open source is NOT the best for certain types of applications, so what? it doesn't have to be all or nothing. THERE WILL ALWAYS BE CHEATERS. it's true. open source or not. but that's not what's important. the game is fun when fewer people cheat-- and if closed source means fewer people write borgs, and fewer people cheat in fewer ways, then that's what should be done. i already know it can be cracked. but i know with closed source its more of a pain. and that means fewer people cracking.
I believe that server cheats present only a very small problem. In the Quake community, people know the server operators, and server operators spend a large amount of resources to keep their servers running and are generally of good will. A clan who hosted a server for clan matches would have a hard time running a 'cheat' server without getting caught. Most clans, in fact, are not interested in cheating, but playing the game and competing.
The majority of cheaters are those who join public servers for pickup or deathmatch games and just wanna see their name at the top of the scorelist. There's no way to stop cheating, the same problem exists with chess by mail or email. I can't make any illegal moves, but I most certainly can have a computer make my move for me and that might give me an unfair advantage. Qizmo is great, but it's certainly not foolproof.
"Netrek, now there's a name I haven't heard in a long time..." LOL.
OK, as one of the original Paradise coders (yeah, I know, boo-hiss) I spent a lot of time thinking about borgs and prevention and such. Here's the conclusion: there is no way to prevent cheating in a situation where you can't fully control both the client and the server. As long as you have to trust a data stream coming over a network, you are at the mercy of an hacker intelligent enough to reverse engineer your protocol.
The same thing applies to Quake. Even with Carmack's proposed solution, it's impossible to stop a determined wanker. You best bet is to make it as difficult as possible and then change stuff as quickly as is reasonable possible.
Bubbles
ps - does anybody know why that first responder up top has been moderated up to +4? Is it because he used big words or what? I know it's not because he has a clue what the hell he is talking about. Sheesh.
Matt Pritchard said a lot of good things and then said:
I have to disagree with the first part: I don't believe that you can verify that a game is running a specific and trusted executable.
Maybe I'm wrong -- I am not a cryptographer, and don't even play one on TV -- but I just don't understand how this is technically possible. If someone thinks they know how to do this, I'd like to hear how.
Amen.
So, what you're saying it that it's fine to fuck up a perfectly good game, because in doing so you further the glorious Open Source movement? I guess that's a marginally defensible position (and is bound to attract lots of karma), but isn't it at least as reasonable to say "gee, y'know what, maybe there are some things that just shouldn't be Open Source".
Look at it this way: I've not seen any practical solutions proposed that don't ultimately rely on security through obscurity. Perhaps this is because of something fundamental about the problem that only permits such solutions. If this is the case, then you might as well have the most obscure obscurity you can lay your hands on. Which means closed source.
Incidentally, I really hope I'm wrong (I'm working on a network game myself and I'm bashing up against this very problem), and if anyone comes up with a solution that doesn't rely on security through obscurity then I'm sure there would be lots of us that would love to hear about it. Until then, it looks like closed source is the way to go.
How about the server, doing a check to see if the client responds with a appropriate action. Say a user gets hit with a server created rocket at a known percentage loss, then the client has to admit to the right percentage. Plus if the user normally would be killed, but isn't acting as it ought, then a immediate kick/ban?
Apart from a pasty looking dude in Star Trek?
Heh, I was suprised to read a post by someone who actually understood that you need two trusted parties for encryption to work, and who understood the Quake client/server model and it's strengths/limitations... Then I read the name...
The 'unfortunate' truth is that there is nothing which runs on your computer which you can't subvert with some work. As long as the computer is an open platform, which you can debug programs on, and monitor device traffic on, this will be the case. There is NO way around this. Anything the program can run for authentication, the hacker can rip apart to spoof said authentication.
Both game models, peer-to-peer and client-server are vulnerable to this, in their own ways.
The problem is that you can't control what the client does. If it returns the same information, you don't know what program is running.
There is no cryptographic was around this. For crypto to be used to communicate between two parties, you have to trust both. If I send you a private encrypted message, I can make sure it can't be decrypted without the key (or cracking, which we'll assume is impossible in the scope of the problem.) but once you have that message, you can share it with the world and I can't stop you.
Likewise, with digital signatures, I can be sure you sent me the information that appears to be from you, but that doesn't tell me if you're telling the truth or lying.
Anything added onto this is security by obscurity (which, is possible in open source code, simply see the OCCC for proof...) If the source code is available, it's a bit easier, but that doesn't mean binaries are secure. Anything that happens on my computer is ultimately subject to my control.
So, what can be done?
Nothing really. Servers can check for unlikely shots and moves, but as JC notes, this ends up eventually kicking off Threshes as bots, and allowing any bots set to perform well but still below the cutoff.
There are some tricks, such as invisible targets that are labelled players, but that the humans don't see, this will stop bots, until someone analyzes stored network code from before they got detected as a bot, sees this invisible target, and codes the bot to ignore invisible targets. One generation of bots stopped, no net gain.
The only way to stop cheaters is to ship computers as black-boxes, that run a restricted OS, don't allow OS-level code, for debuggers and such, and that have private keys and serial numbers embedded, and are encassed in tamper-resistant materials. But, if we liked that sort of computer, we'd be using an N64...
Half measures, such as dongles, have been suggested, but are simply more obscurity. Any half-measure *will* fail.
So, are we doomed? Are good network games something we'll never have?
Nope.
I downloaded a ZBot, as did most people I know. Certainly any quake-playing programming person I know downloaded one. But I don't play with it. I don't even keep it installed. Why? Because it's not fun. A few wankers find distupting games to be fun, but if we simply vote to kick them and continue, they will eventually go away, simply because bugging people for fun relies on people being bugged.
We have to put up with these people if we want the freedom of open computers, in the same way we have to put up with street mimes in a free society. But, if you just ignore them, they will go away.
I should mention that bots exist in games like Quake because there are some actions that require little mental skill.
Shooting a railgun is trivial. A monkey could be trained to do it, if they had a fast computer and a nice video card. This is why bots are usually used with the railgun. It's a no-brainer. You don't often see bots use weapons like rockets, or grenaes, especially across an open area, because those are least effective when fired at the current player location. To work, they need to be fired either where the player is going to be, or where you don't want the player, to herd them. Bots can't do this.
If we want to get rid of bots, we'd be 90% of the way there if we'd remove the no-brainer weapons.
-Springfield Fragfest
I know it's sort of out of the range of solutions you were considering, but it would be possible with various forms of redundant distributed processing (amoung player machines) to verify that each client is running the correct executable. Still doesn't help, of course, since a client could always cheat with programs that act purely on the inputs and outputs of the game.
>Security through obscurity is not security
Amen.
That aphorism has always bugged me, useful as it is. All security is obscurity, in a sense. The data that will clear up the obscurity can be seen as the "key". The important thing is to isolate the obscurity (to the recognized key), and to be reasonably confident that one can't determine the key without solving a Hard Problem (finding large prime factors, obtaining data from the brain of an unwilling human, getting ahold of the disk I keep in my left breast pocket, etc).
I'll be the first to admit that I don't really have a grasp on this subject, but would it be possible to make it so that the client had to download the server's version of the game code?
I'll try to make this as straight forward as possible...
1) Clients need to dl game code each time they connect.
2) Servers need to compile their own binary, which results in adding a random password to some varible.
3)Server checks for the correct password in the binary.
I have no idea how large the game code would be, so if it's of fair size this would be impractical.
I'm sure there are other problems associated with this, but I figure that I might as well put this "out there"... maybe someone could fill in the holes and make this work. (If it's not horribly flawed to begin with...)
Wiwi
--
"I trust in my abilities,
but I want more then they offer"
Wiwi
"I trust in my abilities,
but I want more then they offer"
The problem ISN'T open source, it's the players themselves. There have been cheaters since there has been Quake. The most popular page on my site (to my dismay) is the single player cheats page, followed by the console command page, followed by the server commands page. The Quake "community" has the same proportion of assholes as the world at large. If you think the preponderance of "first post" posts here is pathetic, you should see the trolls on sCary's messageboard (shugashack.com) It's not a new problem; people have been hacking the source, creating cheatbots, etc. since online gaming started. Besides, if I am on a T1 and you are on a 33.6, am I cheating? And why isn't it counted as a kill if I push you into the lava? The simple answer is- if you don't like the server or the players, get out and use one of the thousands of other ones. This is easy with Q1, open sourced or not. Unfortunately, you can't do that with Q3A, as they make you wait 5 mins to join another server (according to the .plans).
Get off your butts and buy Quake 3. The lightning gun is back, and the rocket launcher doesn't suck anymore. No lamer-friendly bfg anymore either. Gameplay is soso, but it was the same with q1 and q2...wait for the REAL game*PLAY* programmers to make the mods. id makes wonderful clients, but has little clue on truly FUN gameplay.
A disturbing amount of this discussion is simply garbage. What is staggering is not the lack of technical knowledge displayed by some of the people posting, but their arrogance in assuming that they can, with a few seconds' consideration, solve problems that the authors of Quake/QW/Quake2/Quake3 have been fighting for years. Why do you think John Carmack wrote about this problem? Because he's so stupid that he never thought of a) checksums of some form or b) moving game decisions to the server? Or because these suggestions are useless?
Checksums cannot work because they can be faked. Reading Carmack's plan/post would have helped inform some of the people who, despite professing to knowing nothing about Quake, still feel the need to give of their knowledge. Whatever checksum you demand of the client, it can be supplied by a cheating client. This was made significantly easier by the release of the source. Yes, keeping the software closed source only slows down the cheaters, but that is better than nothing. That this conflicts with people's religious feelings about open source's superiority is irrelevant: it is simply a technical fact.
The helpful suggestions to enforce damage levels, physics and ammo counts on the server are as useless as the checksum ideas: all of this has always been done in Quake. Had the posters in question bothered to gather any facts at all before submitting their ramblings they might have realised this. Because the list of entities sent by the server is necessarily imprecise, clients often have more information than they strictly need to construct a given frame. Thus cheats which allow seeing players round corners are possible. Worse, even given a client that uses no more information than a legitimate one, automatic aiming can be used.
The solution used by Netrek is essentially the same as the one proposed in Carmack's plan: a closed source one. There is no completely secure technical solution - maybe the real solution does lie in how the community itself works - but the best attempt at a technical solution relies on closed source, and no amount of platitudinous sermonising about open source will change that.
just to set the record straight, there are source ports of doom with jump and mouselook now :) and now that the quake sources have been released, server/client multiplayer is on the horizion for doom :) i dont care what anyone says, doom is the first and only game in the genre that doesnt require a supercomputer ro run and is still very cool :)
The client/server protocol in Netrek already pretty much prevents cheating.
Everything is calculated at the server side, and only information which the enduser should know about is sent to the client.
This opens up ways to automate tasks for the user, but there's absolutely no way you can become God incarnate within the game with a client.
Wasn't there a rogue source code version available on the net? I know because I actually had it stored on my box for a while. Someone (not mentioning who to protect the guilty) offered it to me almost a year back. Since source code was allready available, why weren't there rogue clients appearing everywhere?
;-)
I don't think GPL'ing will murder the game. It will make it a better game. I downloaded it, am sifting through it now and seeing what makes it tick.
Sure I'll hack around in it, to see what the possibilities are, and I might even fix bugs, introduce new ones, or add new features.
Who cares? I think it's a wonderful thing that's happened. I can finally port quake to my Palm IV!
Gtx,
Me
You people make it sound like you have bouts of depression every time you discover that a project is closed source. There is nothing WRONG with closed source. In addition, you people need to learn that it would be IMPOSSIBLE to secure the Quake client if all code involved were open source. So don't go blabbing about how "unfortunate" a closed source solution is. It's the ONLY solution, and you know it. There isn't an alternative, so DON'T COMPLAIN!
Online cheating in games has become common. Diablo comes to mind. The solution is that there will have to be anti-cheating systems which are strong enough to make OSS. Its not as if closed source makes something safe. To an asm cracker, everything is open source.
And that is why you need to go Closed source. That will keep a game fun and cheater free for the longest possible time. And maybe then you can put out a patch with a different protocol so that all the honest players can stretch play cheater free for a little longer until the next version of the game comes out. Then it doesnt matter any more, cause there will be a better game to play.
-- All that is necessary for the triumph of evil is that good men do nothing. -- Edmund Burke
Forget generation X, now we how the open source cheater's generation. Finally, the lie of open source has been exposed. And, will be exposed even more once the bubble bursts! I can't wait till it does.
I hate to break this to you all.
But we *ARE* talking about a game here. Soemthing people do for entertainment.
And, for some, having the computer do some of the helping (like aming/shooting/scripting) is how they get entertainment.
This "robot problem" is one that has existed for YEARS in the mudding community. And, rather than get an ulcer over a game, its better to just play the game the way YOU enjoy to play it, rather whan worry about how everyone ELSE is playing.
If it was said on slashdot, it MUST be true!
> And anyway, it doesnt have to compute the total
> memory space, just the binary code + the random
> server string. if the hacked client lies about
> its space it wont be able to compute the correct
> signature..hence it will be rejected.
So,....
This code has to be static or else the whole
system doesn't work...as long as they have a copy
of the original correct code (say a binary dump
in a file of some sort) then the hacked
client can computer the signature from the
static dump instead.
How about "man in the middle" style? Hacked client
contains a proxie built in. When you tell it to
connect, it spawns a real Quake that connects to
it...it proxies the connection over to the real
server and listens. The real client then
participates in the protocol, when it finishes,
it is killed and the hacked client takes over
the connection.
Yes...this can be worked around and possibly
stopped. However as long as someone has the
original code, they have the "secret" you want to
authnticate with. Thus they can authenticate.
"I opened my eyes, and everything went dark again"
No. It just makes 'hacking' different. Open Source games allow coders to write their own mods. Closed Source promotes script-kiddie growth, because making those mods is more difficult.
Blizzard's Diablo is the best example of what happens in a closed source game when people want to cheat. Several months after Diablo's release, all manner of cheats and hacks and other ways to take advantage of the game started appearing. When Blizzard tried to combat cheating, hackers found another way. One patch to prevent cheating lasted all of 18 hours before someone found a way around it.
Changing the nature of the source won't change people's desire to cheat. It only changes the means by which they do so.
If you want to play honest games, simply refuse to play games with cheaters.
C'mon - there are *very* few people who play Quake 1 with any frequency who don't already own Q2 or Q3 as well.
Related question to commo overhead... It usually takes much more effort to make/break a connection than to maintain one, correct?
The only real solution I see is centralized control over servers. Not necessarily closed source, but using an untrusted client model with a server in control of someone who has an interest in seeing that the game is played by the rules. This is pretty much the way I'm leaning with an idea that I'm kicking around at the moment... I as a game designer have a vision of how things should run in "my" universe, so I feel that I would need to keep server-side control. Is this unreasonable?
--Fesh
--Fesh
Kill -9 'em all, let root@localhost sort 'em out.
The whole idea of releasing software under the GPL is to allow people to modify the source code. This is not cheating, it's programming. The obvious solution is to setup servers to allow people to run their hacked clients to their hearts content. This would allow the "cheaters" to play against others of their kind. The key competition on this kind of server would not be who has the most frags, but rather who has coded the most stunning "feature" into his/her client. Imagine a game of quake in which players have the abilities to alter reality much like in "The Matrix." Would't it be fun to play against other players who can walk on the ceilings/walls or jump 100 feet if your player were camelion like and could take on the texture map of your surroundings? Sure, these aren't cool cheats in a regular game of quake, but if you dedicate certain servers for nothing but hacked code, you will have one excellent competition running.
Brought to you by Frobozz Magic Penguin Fodder.
and that is that this is the code for Quake *1*. The game itself has been around for years, and Id has long since stopped actively supporting it.
Id released the source to the community so that people could learn from it. They never claimed that the client or protocol was unhackable and should not be expected to take any responsibility for the hacking that's occurring now. If people have a problem with the way the code is implemented, they should take it upon themselves to change it. After all, that is why it's in the public domain now.
Thing is the simplest cheats require no source code mods...like allowing hacking of 2-fort-5 at the local quake server. All walls and floors are invisible, as the map was hacked on the client side. I was doing well, then I started getting my ass kicked. I finally got up to the point I was doing good against them (my walls were there). I then I saw that they were all using the invisible map...we set the server to not allow that...and they could not even play at remedial levels anymore. I now play elsewhere, where I have some opponents that can play.
You can take routines out of the client side, which in essence makes thinks like flares and mines not hurt you...the client side will just say things like "Missing Routine XYZ" on their client console. The client does indeed control things...at least in team fortress and the like. And yes your health is stored on server side, but it is deducted by the client.
fortress on top of quake version 1. I wonder if the guy who stated this knows he don't have a fucking clue.
I really dont understand why ID released the source. Sure it is great that people can help fix it up and maybe make the game better, but over all it will just cause more problems. Already I have seen hacks that crack the admin codes and rcons for all servers, I have seen bots galore, radars, and much more. This is all within the first week or so, I dont even want to think what will happen in a month or two. Id is saying that people will just have to make a client with better cheat protection for everyone to use for tourneys, this will be extreemly dificult, because you will always have people who are unhappy with the way it turned out, or that dont like certain features. I was always taught that if it aint broke why fix it. I dont see why they did not just release it to a few trusted people that could work on it themsleves and keep the security of the game. My thoughts on why id released the q1 source code is because they realised that there is still a huge qw comunity that are not going to q3 and that will not be purchasing their game, and by releasing the source they made it more vulnerable to cheats and hacks, which in turn makes the game no where near as fun. Which they hope will make all us die hard quake players get completely pissed and change to Q3 so that there will be fewer bots. I do know that there will never be a game with no cheats, there is always someone who can hack it. I just dont see why id had to make it so easy for them to do it. I just think they should have waited awhile before releasing it to the general public. that is my two cents... or maybe 20$
I've heard from the people complaining that releasing the source had just killed QW, because it was going to increase cheating.
I'm not sure what these guys are playing. I stopped playing QW because of all the cheaters. People who could run faster, whos weapons did more damage, who would get gibs on every shot they fired. They were rife about two years ago, when I was still playing. I haven't played since one game where a guy started blasting away with the lightning gun on a level that had no lightning gun.
It'll probably make it harder, as you can now modify the server to better recognize when people are violating the base rules.
What I'm thinking is this: A server mod that gives far more detailed information about each player. Things like: Average Speed, % of shots that hit, amount of damage per shot per weapon, rate of fire per weapon, things like that.
I don't really care about some of the more cosmetic cheats. Yes, modifying pak2 so the character models had axis bars sticking out of them so you could see them through walls is a cheat, but it's not one that gives that much of an advantage. I'm more concerned about people with abilities that give them 50% or more kills over the honest players. All of that stuff can be pretty easily checked on the server side.
It's shitty - for the cheaters.
>Client side cheats aren't effective to any >degree more than having a low ping or camping. LOL! Maybe YOUR CS cheats aren't effective. There are proxies out there that you don't even know about, that have features you can't even think about. And you really can't compare cheats to low pings or camping. If you take football that's like comparing a defensive tactic (camping) or a better team budget (ping) to doping (CS cheats).
The other problem is with network latency/round trip time. Calculate everything on the server side, and the playability of the game suffers.
You're certainly living proof of this! (Give my regards to you're parents!)
No, a guaranteed trusted server still doesn't solve problems like auto-aim, auto-dodge, radar, etc.
I have to disagree with the first part: I don't believe that you can verify that a game is running a specific and trusted executable.
Maybe I'm wrong -- I am not a cryptographer, and don't even play one on TV -- but I just don't understand how this is technically possible. If someone thinks they know how to do this, I'd like to hear how.
Jamie,
You are technically correct. A more accurate thing to have said whould have been:
Even if the game executable running is unaltered it doesn't mean damn thing. Someone can still be cheating bigtime.
As a game developer, the underlying issue is that there are more ways to cheat than just hacking up the code. A good game will assume that it is running in a hostile environment and attempt to raise the difficulty and cost of cheating (with an understanding of its vulnerabilities).
Since opening the source of a given program generally makes it free, why not just make it closed source freeware? Might be a little too late now, but leaving it closed and making it free would be have stopped this whole thing from happening. The only thing I personally would like to see, is a REAL OpenGL implementation, rather than this crap 3Dfx OpenGL implementation. It would be nice to see regular Quake the way I see Quake2. Thats my two cents.
Under Linux, you can statically link to libc, and people will just be unhappy, and your program will break under different library schemes.
Under Windows, you *NEED* to do dynamic linking because of the differences between 98, 98SE, and NT if you support it.
It didn't work for copy protection, it won't work for anti-cheating!
I remember getting quake 1 source that was stolen from..stomped.com ? back a couple years ago, i wasn't too into linux then but from what i heard it compiled fine..this was when id gave stomped the source to port it to linux. so at least in this case, having the source GPL'd wouldn't help the people trying to cheat because the good ones would of had theee source years ago and would have 'been there done that'.
Yeah, let's suppose I wrote QW autoaim patch. Also let's suppose that I want to distribute it. I can do it with sources included. What's wrong with it? Does it help other people playing fair?
After talking with Zoid about hypothetical ways to crack Quake 3's CD Key, and me coming up blank other than cracking the Quake server which turned out to be unacceptable ( I had already purchased the game before any of this talk went on in private ), I was quite impressed with the "server's server" verification:
:)
The Quake 3 server sends the CD key verification to the Master server along with it's heartbeat.
Would it not be possible for Quake 3 to also do a CRC check on it's own binary, send that with the CD key info, for requirement of validation?
While this would require a small deviation from cross platformism, a list of valid CRCs would be on ID's server of servers.
In order to stop proxies, the closed source binary would encrypt the data of a port on the localhost being sent to the server. The server would decrypt this, and establish a new connection (or connections for both UDP and TCP) on the localhost.
Essentially, the server would connect to the client.
I'm still only 25 pages into Richard Steven's TCP/IP Illustrated, so if this sounds a bit naive, know that it is the product of my fascination with abstraction and my good will.
Um, after reading over the above, would it be possible with winsock or BSD sockets API implementation to have a program open every socket from 1024 to 32768, and then wait on them all? (All of Quake 3's potential resocket ports.) Also, you'd have to beat the proxy to bind(), which would be just another chapter in the bot cold war.
Note that Quake one users could be prevented from cheating by implementing what I mentioned for Quake 3. At least in my head.
After limiting to threshold 3 (Thank GOD) I came across many great comments. I like open source quake. I learned a mound from the source to QE4 and continue to learn more from Q1. I'm not a 'pro' c or opengl programmer, but now I can see more of how to do it. John C: Keep it up, we love you. I also like this discussion on cheating. Consider carefully the lasting effects of so many intelligent people working twords the objective of secured cheat-free gaming. Don't you think other game companies will pick up on what we learn from Quake today? I like pure gaming, and I think this will only help promote it and make it better.
------------------------ LordLobo - Because I can
A few years back one of the universities in the states (Can't remember which one, can't find a url) had a code war, where people would write short programs that would try to kill the other program to be king of the hill. It'd be amusing if some group of people decided to do the same with deathmatches, two people with extremely hacked clients connect to a standard server and battle, whoever has the better code wins. :P
This is incompatible with the GPL: you can't release binaries in this way without also releasing the network black box code.
Carmack's method won't work in Linux, either: there's no way for a loader to validate a client binary and then run it while guaranteeing the binary won't get changed (ie. via copying a new one in, or just shifting a symlink) between the two steps.
Even accomplishing this, you still have a weak point: IPC. A decent kernel hacker could redirect any form of IPC, so he could start his own client and make it hijaak the connection between the proxy and trusted client.
Er, you're wrong. All damage is controlled server-side ... the network protocol just has things like "your health is X".
Now, I don't see how people could have cheated as he said in Doom: it would have desynchronized the client states. Even if it didn't die with sync lost, the other client would have been playing a completely different game (most likely seeing the other guy bashing around wildly.) Doom's protocol was trivial: it sent button events. (You *could* cheat by changing models and so on, however.)
By the way, where did you pull "missing routine XYZ" from? That's not a Quake message (nor Doom.)
Before I nitpick let me say that I agree with your post in all but the final detail.
;)
IRC hasn't quite been around a decade yet...but still...point granted.
--
Gellor
who is feeling analretentive today...