I'll simplify for everyone: They don't. Although I do appreciate the author delving into this beyond surface level analysis.
Modern cheats use hypervisors or just compromise hyper-v and because hyper-v protects itself so it automatically protects your cheat.
Another option that is becoming super popular is bios patching, most motherboards will never support boot guard and direct bios flashing will always be an option since the chipset fuse only protects against flashing from the chipset.
DMA is probably the most popular by far with fusers. However, the cost of good ones has been increasing due to vanguard fighting the common methods which is bleeding into other anticheats (some EAC versions and ricochet).
These are not assumptions, every time anticheats go up a level so do the cheats. In the end the weakest link will be exploited and it doesn't matter how sophisticated your anticheat is.
What does make cheat developers afraid is AI, primarily in overwatch. It's quite literally impossible to cheat anymore (in a way that disturbs normal players for more than a few games) and they only have a usermode anticheat! They heavily rely on spoofing detection and gameplay analysis including community reports. Instead of detecting cheats, they detect cheaters themselves and then clamp down on them by capturing as much information about their system as possible (all from usermode!!!).
Of course you could argue that you could just take advantage that they have to go through usermode to capture all this information and just sit in the kernel, but hardware attestation is making this increasily more difficult.
The future is usermode anticheats and gameplay analysis, drop kernel mode anticheats.
No secure boot doesn't work if you patch SMM in bios, you run before TPM attestation happens.
> Another option that is becoming super popular is bios patching
I wouldn’t call BIOS patching “super popular”. That sounds like an admission that anti-cheat is working because running cheats now requires a lot of effort. Now that cheats are becoming more involved to run, it’s becoming less common to cheat.
When cheats were as simple as downloading a program and you were off to cheating, the barrier to entry was a lot lower. It didn’t require reboots or jumping through hoops. Anyone could do it and didn’t even have to invest much time into it.
Now that cheats are no longer an easy thing to do, a lot of would-be cheaters are getting turned off of the idea before they get far enough to cheat in a real game.
> Of course you could argue that you could just take advantage that they have to go through usermode to capture all this information and just sit in the kernel, but hardware attestation is making this increasily more difficult.
Didn’t the first half of your post just argue that these measures can be defeated and therefore you can’t rely on them?
Having gamed on and off over the years, I don’t think the average cheater is actually a highly motivated super genius who derives reward from patching their BIOS or installing PCIe DMA cards to an entire second computer built for the purpose of cheating.
The average cheater is (or was) basically a troll. They delighted in the act of ruining other people’s games, not installing the cheat. The harder you make it for them to get to that point, the less enjoyment they get.
The people you describe who are in it for the thrill of breaking through are not the ones playing 6 hours every night because the game itself is not the thrill. It’s the exploration of the hardware and software. They might get cheats set up, but once it’s working they get bored with the game and move on to another technical challenge.
I wish this was the case, but cheating addiction is real and there's people with PCs from 2016 spending $100+ on cheats a month. If they're spending that money they're also dedicated enough to jump through some hoops.
Can you tell me more? I'm curious about motivations.
* I use easy cheats for single player games - for example, infinite jumps in cyberpunk 2077 are just huge amounts of fun :)
* I have zero desire for cheating in multilayer games. Not some high morality righteous horse, just, what's the point? I have fun even when I lose, and having something else play for you takes away from visceral fun that I get.
* I could understand, even if not agree, people who cheat for profit. That's the basis of all crime everywhere.
* I do not understand people who cheat in multilayer games not-for-profit. It feel you need to have both a) some sort of anti social / non social tendency, and b) dopamine rushes along pathways I don't.
I'd be genuinely curious to hear about your acquaintances who cheat in multilayer for no profit and why they do it :-)
Some are just addicted, they really love the game, but playing without cheats doesn't make them feel anything so they pick the easiest solution: continue to cheat... forever.
Some are just delusional, they do not want to deal with the reality that they're not good at the game without cheats.
Some are just trolling and want to spinbot piss people off, make people angry. It's what makes them happy.
Some don't have a choice, they started their competitive career with cheats.
Some justify it that "I made the cheat, I deserve to use it"
If you want more I got a whole book of reasons. I am in a unique situation since I happen to be friends from back when I was cheating a lot my self, in that time I established relationships with a lot of developers and personally for me it was curiosity that got me not only into cheating, but the whole process and development. I ended up just making roblox games though.
I'm playing WoW and I've heard lots of compains about Blizzard banning innocent players. Just recently there was a wave of complains that they banned players who spent a lot of time farming one dungeon (like 10+ hours per day).
I, myself, got two accounts banned and I was innocent. I managed to make it through support and got them unbanned but I'm fairly certain that many players didn't, because they seem to employ AI in their support.
So I'm a bit skeptical about that kind of behavioural bans. You risk banning a lot of dedicated players who happened to play differently from the majority and that tend to bring bad reputation. For example I no longer purchase yearly subscription, because I'm afraid of sudden ban and losing lots of unspent subscription time.
I think you are right on every point, but I think it's worth noting that WoW is kind of a different beast.
You don't play a "match", you don't play "against" other players most of the time, in this context "botting" and "cheating" overlap because having your character do stuff 24/7 unattended is an evident advantage over the rest of the population, but it's not like you are hindering anyone's progress directly the vast majority of the time doing so.
How often does actual cheating happen in WoW, anywhere it matters? M+? Raiding? PvP?
Most of cheating is botting. When bots farm dungeons or other activities, earn gold and then that gold is being sold at black markets for dollars to other players.
That's indirectly hindering other players progression, because it causes deflation (so you can't earn as much gold selling your ores); because it causes inflation (more circulating gold, yes, these are contradictory); because it denies other player farm (if bot gathered ore, other player have to search for another vein) and so on; also illegal gold selling increases expectations (other players bought super good gear, why don't you do that) and causes burn-out (because farming gold fairly is much more hard, than just buying it).
But mainly it just makes players angry, because they can see these bots moving in a predetermined route and stealing resources from their noses. I'm not really sure if bots are that bad in the grand scheme of things, but living players certainly don't like to compete with automatons.
There were also cheaters who used instant cast interruptions at arenas, but it seems that competitive PvP is not that popular nowadays so I'm not sure how it's wide spread.
Everything you described increases the cost of attack (creating a cheat), and as a result, not everyone can afford it, which means anti-cheats work. They don't have to be a panacea. Gameplay analysis will only help against blatant cheaters, but will miss players with simple ESP.
It's almost the same as saying "you don't need a password on your phone" or something like that.
Economics work out, harder to make means that it's more profitable to do so. DMA crackdown has actually lead into innovation which has drove the prices down for "normal" DMA hardware what used to be thousands is now $120, excessive spoofing detection has driven down the cost of bios level spoofing and as a result the creation of bios level DMA backdoors - no additional hardware required.
ESP is a lot more obvious to a machine than one might think, the subtle behavior differences are obvious to a human and even more so for a model. Of course none of that can be proven, but it can increase the scrutiny of such players from player reports.
The number of people willing to spend $120 and hook up a hardware device compared to downloading and running an executable is significantly less. That’s kind of the point of it!
You can achieve the same with usermode anticheats, once you have bare minimum obfuscations the level of entry is roughly the same as kernel mode anticheats in terms of price. Cheats cost more than $100 a month (rest are scams or don't put any effort into being undetected).
A DMA cheat requires a hardware change (and a second device). That is a much higher barrier than a download plus reboot.
> you can achieve the same with user mode anticheats
A user mode anti cheat is immediately defeated by a kernel mode cheat, and cheaters have already moved past this in practice.
A user mode anti cheat (on windows) with admin privileges has pretty much full system access anyway, so presumably if you have a problem with kernel AC you also have a problem with user mode.
Lastly, cheating is an arms race. While in theory, the cheaters will always win, the only thing that actually matters is what the cheaters are doing in practice. Kernel mode is default even for free cheats you download, so the defaults have to cover that.
this is a common misconception, just because you're in kernel-mode doesn't mean you are immediately undetected and things are not as easy people initinally think.
First, point of ingress: registry, file caches, dns, vulnerable driver logs.
Detection: usermode exposes a lot of kernel internals: raw access to window and process handles, 'undocumented' syscalls, win32, user32, kiucd, apcs.
Loss of functionality: no hooks, limited point of ingress, hardened obfuscation, encrypted pages, tamper protection.
I could go on, but generally "lol go kernelmode" is sometimes way more difficult than just hiding yourself among the legitimate functionality of 3rd party applications.
This is everything used by anticheats today, from usermode. The kernel module is more often than not used for integrity checks, vm detection and walking physical memory.
It's too bad we have to play this semantics game of "most vs all" every. Single. Time. On. This Damn Site.
So let me summarize the above thread:
Yes, there will always be workarounds for ANY level of anti-cheat.
Yes, kernel-mode anti-cheat detects a higher number of cheats in practice, and that superiority seems durable going forward.
There, I think we can all agree on those. No need to reiterate what has already been posted.
I think it misses the fact that kernel anticheats generally do not reduce overall cheating compared to a good user-mode anticheat + good obfuscation and binary protection + strong report system and behavior analysis. If you add a kernel-mode anticheat to that I'd estimate that it helps only around 5% more while being way more invasive and causing widespread issues (as the original blog describes).
source: observation of games implying stronger anti-cheat measures over time and customer count staying exactly the same or growing. league of legends is a prime example, although it did create a crater for awhile. this all comes from people who actively sell cheats.
Sorry, what's wild about it? It's a pretty standard observation that defense in depth beats "here's a silver bullet to solve X". Is there something about gaming (or preventing cheating in gaming) that makes that not true?
>It's quite literally impossible to cheat anymore (in a way that disturbs normal players for more than a few games)
AKA the way that is easiest to detect, and the easiest way to claim that the game doesn't have cheaters. Behavioral analysis doesn't work with closet cheaters, and they corrupt the community and damage the game in much subtler ways. There's nothing worse than to know that the player you've competed with all this time had a slight advantage from the start.
In CS2, the game renders your enemies even though you can't see them (within some close range). The draw calls are theoretically interceptable (either on the software/firmware or other hardware level). Detecting this is essentially impossible because the game trusts that the GPU will render correctly.
if you cheated with wallhacks, post-game analysis can detect it.
And it is possible to silently put you into a cheating game match maker, so that you only ever match with other cheaters. This, to me, is prob. the better outcome than outright banning (which means the cheater just comes back with a new account). Silently moving them to a cheater queue is a good way to slow them down, as well as isolate them.
Not with 100% accuracy. This means some legitimate players would be qualified as potentially cheating.
You don't have to play with wallhacks constantly on, you can toggle. And it doesn't detect cases where you're camping with an AWP and have 150ms response time instead of 200ms. Sometimes people are just having a good day.
> cheating game match maker
This is already a thing. In CS2, you have a Trust Factor. The lower your trust factor is, the bigger the chance you will be queued with/against cheaters.
Overwatch has made the decision that closest cheaters are not a problem and have actually protected a cheater in contenders, although they were forced to leave the competitive scene. None of it ever became public.
Word of mouth, but if you looked at their twitter and proof presented it was undeniable. If you want to go digging check a french contenders player that there are videos of with an instance of where the aimbot bugged out and started aiming directly at the center of a player with perfect reaction time and movements.
I saw engine owning lawsuit verdict as the biggest loss for the companies. They proved that you can continue running a cheat provider service out in the open.
They won way more than they lost, people who left got given a free pass for ratting the remaining people out.
Kernel AC is currently the best way to protect against cheats by far, the game with the strongest protection is Valorant and it works very well. OW2 is lightyears behind Valorant.
Not sure what your point is. Most of your post is inaccurate, DMA cheats represent the minority of cheats because they're very expensive and you need a second computer.
elitepvpers - it's public. DMA cheats have grown and are the primary way people cheat in games these days it makes around 5m/month [retail] just from one of the providers that I know in the scene this includes selling the hardware, the bypass and the cheats (not under the same umbrella for obvious reasons).
The scene has shifted immensely in the last few years, everyone and their grandmother has DMA now, I mean you can buy these off amazon now. Korean's are a bit stuck since most of them use gaming cafes so they've been slow adopters, but cafe shops have the benefit of using an old version of hyper-v which allows you to just use the method described above. Hyper-V cheats are the most popular for valorant.
I would argue that valorant and overwatch are pretty much on the same level based on what it feels to play. I've seen just as many visible cheaters in valorant as in overwatch. Although I will admit that I am pretty outdated myself since around mid 2025. Valorant allows you to ** around so that might be related, overwatch bans rage hackers way faster than valorant does as well.
OW2 is very different from CS and Valorant, OW does not suffer from cheat the same way because it's not a pure aim based game game with hitscan as the main thing. The vast majority of classes don't benefits from cheat like other fps do.
I did main support and tank at master level in OW and beside esp there is 0 benefit of cheating.
Asked a guy I know since 2021 said that ability helpers are the most important features for an overwatch cheat and that ESP is basically unusable in gm since you get almost immediately called out for it, they are quite just sus you out and report. Trust score of high rated players eventually gets you banned (assumption).
Mucking about in the kernel basically bypasses the entire security and stability model of the OS. And this is not theoretical, people have been rooted through buggy anticheats software, where the game sent malicious calls to the kernel, and hijacked to anti cheat to gain root access.
Even in a more benign case, people often get 'gremlins', weird failures and BSOD due to some kernel apis being intercepted and overridden incorrectly.
The solution here is to establish root of trust from boot, and use the OSes sandboxing features (like Job Objects on NT and other stuff). Providing a secure execution environment is the OS developers' job.
Every sane approach to security relies on keeping the bad guys out, not mitigating the damage they can do once they're in.
Unfortunately (or fortunately depending on what side of the fence you live), boot chain security is not taken as seriously in the PC ecosystem as it is on phones. As as a result, even if you relying on os features, you cannot trust them. This is doubly the case in situations where the user owns the kernel (eg Linux) or hypervisor. Attestation would work, but the number of users that you could probably successfully attest are on on a trustworthy setup is fairly small, so it's not really a realistic option. And that is why they must reach for other options. Keep in mind that even if it's not foolproof, if it reduces the number of cheaters by a statistically significant amount, it's worthwhile.
I really thought this might change over time given strong desire for useful attestation by major actors like banks and media companies, but apparently they cannot exert the same level of influence on the PC industry as they have on the mobile industry.
To do real time analysis and interception probably not. But for after the fact analysis, if a player is moving on knowledge he couldn’t have had because it shouldn’t have been rendered yet or something, then you can assume cheating.
I’m not a particularly skilled overwatch player, but I know the cooldowns of probably half the characters to muscle memory. I can hit an ability pretty much perfectly on cooldown 90+% of the time.
The vast, vast majority of skilled FPS players will predict their shots and shoot where they think the enemy player will be relative to the known hit detection of the game. In high level play for something like r6 siege, I’d say it’s 99% shooting before you can possibly know where they are by “feeling”
Doesn’t matter. There’s no world where a multiplayer action game is worth it, and anyway this is a classic example of trying to solve a social problem with technology.
The reason cheating is a problem at all is that instead of playing with friends, you use online matchmaking to play with equally alienated online strangers. This causes issues well in excess of cheating, including paranoia over cheating.
> There’s no world where a multiplayer action game is worth it
To you. I’m perfectly happy to run a kernel level anticheay - I’m already running their code on my machine, and it can delete my files, upload them as encrypted game traffic, steal my crypto keys, screenshot my bank details and private photos all without running at a kernel level.
> trying to solve a social problem with technology
I disagree. I’m normally on the side of not doing that but increasing the player pool and giving players access to more people at the their own skill level is a good thing
This. Also the client knows more than its allowed to show the user, like the positions of enemy players. You can make aimbots and wallhacks without needing to tamper with the game state.
I'm still not seeing how that would solve it. These are all multiplayer games. You could intercept the network traffic before it reaches the machine and then use a separate device to give you audio or visual cues. In StarCraft, reading the network traffic with a pi and hearing "spawning 5 mutalisk" is gonna completely change the game.
That’s what I want as a gamer. I want a PC that works as a console. Whether I want that for other use cases or this
machine doesn’t matter. I’m happy to sandbox _everything else_, boot into a specific OS to game etc.
The thing about gaming is that it’s not acceptable to leave 5% performance on the table whereas for other uses it usually is.
Just know that it will still get cracked and cheats will exist. I suspect this is Microsoft's next "console" as they have been developing "anti-cheat" for quite some time.
_most_ games now do KBM on console and matchmake separately for it. It's still not perfect, but it's gotten much better.
> And I do want a high end PC for other use cases.,
Right, you don't want two devices (that's fair). How can you _possibly_ trust the locked down device won't interfere with the other open software it's installed side by side with?
I don’t think a sandbox like a VM would work even if it could be done with only 5% perf hit? Wouldnt any game run in a VM be possible to introspect from the hypervisor in a way that is hard to see from inside the VM? And that’s why these anticheats disallow virtualization?
That would mean those who are concerned about the integrity would want to sandbox everything else instead.
And even if people are ok with giving up a small bit of perf when gaming, I’m sure they’re even more happy to give up perf when doing online banking.
Or we just boot into some console-esque gaming OS or mode to game. I’m not sure why this would be so controversial. The alternative is the one we see here.
That’s not really incompatible with this? That’s just how secure boot works. You can re-enlist keys for a different root of trust, or disable it and accept the trade-off there.
The idea is that it would require a verified hypervisor, and verified operating system for the game, but you could still at the same time be running an unverified operating system with unverified software. The trusted and untrusted software has to be properly sandboxed from one another. The computer does not need to be locked down so you can't run other hypervisors, it just would require that the anticheat can't prove that it's running on a trusted one when it isn't.
The security of PCs is still poor. Even if you had every available security feature right now it's not enough for the game to be safe. We still need to wait for PCs to catch up with the state of the art, then we have to wait 5+ years for devices to make it into the wild to have a big enough market share to make targeting them to be commercially viable.
But if you can get in before the OS, you can change what it does. You'd need attestation in the hardware itself so the server can know that what's running isn't signed by Microsoft's key, for example.
> Every sane approach to security relies on keeping the bad guys out, not mitigating the damage they can do once they're in.
That’s not true at all in the field of cybersecurity in general, and I have doubts that it’s true in the subset of the field that has to do with anticheat.
>Mucking about in the kernel basically bypasses the entire security and stability model of the OS. And this is not theoretical, people have been rooted through buggy anticheats software, where the game sent malicious calls to the kernel, and hijacked to anti cheat to gain root access.
If you got RCE in the game itself, it's effectively game over for any data you have on the computer.
Hot take: It's also totally unnecessary. The entire arms race is stupid.
Proper anti-cheat needs to be 0% invasive to be effective; server-side analysis plus client-side with no special privileges.
The problem is laziness, lack of creativity and greed. Most publishers want to push games out the door as fast as possible, so they treat anti-cheat as a low-budget afterthought. That usually means reaching for generic solutions that are relatively easy to implement because they try to be as turn-key as possible.
This reductionist "Oh no! We have to lock down their access to video output and raw input! Therefore, no VMs or Linux for anyone!" is idiotic. Especially when it flies in the face of Valve's prevailing trend towards Linux as a proper gaming platform.
There's so many local-only, privacy-preserving anti-cheat approaches that can be done with both software and dirt cheap hardware peripherals. Of course, if anyone ever figures that out, publishers will probably twist it towards invasive harvesting of data.
I'd love to be playing Marathon right now, but Bungie just wholesale doesn't support Linux nor VMs. Cool. That's $40 they won't get from me, multiply by about 5-10x for my friends. Add in the negative reviews that are preventing the game's Steam rating from reaching Overwhelmingly Positive and the damage to sales is significant.
I don't understand why do you think that having the option to have secure boot and a good, trustworthy sandbox for processes implies you cant run Linux on a VM or Linux beside Windows etc.
People always freak out when I mention secure boot, and the funniest response usually are the ones who threaten to abandon Windows for macOS (which has had secure boot for more than a decade by default)
I'm not super technically knowledgeable about secure boot, but as far as I understand, you need to have a kernel signed by a trusted CA, which sucks if you want to compile your own, but is a hurdle generally managed by your distro, if you're willing to use their kernel.
But if all else fails you can always disable secure boot.
I would love to see a modern competitive game with optional anticheat that, when enabled, allows you to queue for a separate matchmaking pool that is exclusive to other anticheat users. For players in the no-anticheat pool, there could be "community moderation" that anti-anticheat players advocate for.
It'd be really interesting to see what would happen - for instance, what fraction of players would pick each pool during the first few weeks after launch, and then how many of them would switch after? What about players who joined a few months or a year after launch?
Unfortunately, pretty much the only company that could make this work is Valve, because they're the only one who actually cares for players and is big enough that they could gather meaningful data. And I don't think that even Valve will see enough value in this to dedicate the substantial resources it'd take to try to implement.
> I would love to see a modern competitive game with optional anticheat that, when enabled, allows you to queue for a separate matchmaking pool that is exclusive to other anticheat users. For players in the no-anticheat pool, there could be "community moderation" that anti-anticheat players advocate for.
This is roughly what Valve does for CS2. But, as far as I understand, it's not very effective and unfortunately still results in higher cheating rates than e.g. Valorant.
Huh. When you say that "it's not very effective" do you mean the segmentation between the pools, or the actual anticheat isn't very good? (I'm assuming the latter - I've heard that VAC is pretty bad as far as anticheat goes)
Oh sorry - I misread your suggestion! I thought you were talking about separate matchmaking logic for known cheaters, but you're asking about opt-in matchmaking for those willing to use invasive anticheat.
The example still kind of applies. In the CS world, serious players use Faceit for matchmaking, which requires you to install a kernel-level anticheat. This is basically what you're suggesting, but operated by a 3rd party.
Hmm, I guess that since VAC is not a kernel-level anticheat, the comparison between it and Faceit for CS is pretty close to my idea. Thanks for pointing that out.
VAC is actually an AI based anticheat. I guess IF (a big if) it ever gets good enough it will be better than any kernel level AC, because it analyzes the gameplay, not the inputs, meaning a DMA cheat would also be caught.
"VAC" is a catch-all term for all of Valve's anti-cheating mechanisms.
The primary one is a standard user-mode software module, that does traditional scanning.
The AI mechanism you're referring to is these days referred to as "VAC Live" (previously, VACNet). The primary game it is deployed on is Counter-Strike 2. From what we understand, it is a very game-dependent stack, so it is not universally deploy-able.
I don't think that's what VAC is. I think VAC just looks for known cheat patterns in memory and such, and if it finds indisputable proof of cheating it marks a player for banning in the next wave. Maybe there is some ML involved in finding these patterns but I think it's very strictly controlled by humans to prevent fase positives. That's why VAC bans are irreversible, false positives are supposed to be impossible.
Valve has some AI detection stuff for CS2, but it’s remarkably ineffective. VAC itself delivers small DLLs that get manual mapped by Steam service, do some analysis and send that to Valve (at least to the best of my knowledge, there may be more logic implemented in Valve’s games or in Steam/Steam service).
Wait, so the "community alternative" is also kernel-level anticheat? I think that's different from what I'm proposing - I'm suggesting a comparison between an anticheat and no anticheat (with community policing of lobbies and handing out of penalties).
It was terrible as it required the community to conclude beyond reasonable doubt the suspect was cheating, and cheats today are sophisticated enough to make that conclusion very difficult to make
Because their (or their friend's) computer can't run the anticheat, but they're interested in playing with friends? My sister and mom wanted me to play Valorant with them a free years back, but apparently it needs kernel anticheat, so I just can't run it. I'm not going to buy a new computer for a game.
And the way community policing worked in the past is that the "police" (refs) could just kick or ban you. They don't need a trial system if the community doesn't want that.
> Why would a player knowingly choose to play on matchmaking that is advertising no anti-cheat?
I guess I didn't exactly make that clear...
A few of the arguments advanced by the "anti-anticheat" crowd that inevitably pops up in these threads are "anticheat is ineffective so there's no point to using it" and "anticheat is immoral because players aren't given a choice to use it or not and most of them would choose to not use it".
I don't believe that either of these are true (and given the choice I would almost never pick the no-anticheat queue), but there's not a lot of good high-quality data to back that up. Hence, the proposal for a dual-queue system to try to gather that data.
Putting in the community review of the no-anticheat pool is just to head off the inevitable goalpost-moving of "well of course no system would be worse than a crappy system (anticheat), you need to compare the best available alternative (community moderation)".
> Why would a player knowingly choose to play on matchmaking that is advertising no anti-cheat?
My understanding of the proposal is that it advertises no invasive anticheat (meaning mostly rootkit/kernel anticheat). So, the value proposition is anyone who doesn't want a rootkit on their computer. This could be due to anything from security concerns to desiring (more) meaningful ownership of one's devices.
It exists, it's called FACEIT (for CS, specifically). Anyone who seriously cares about the game at a high level is pretty much exclusively playing there.
Community moderation simply doesn't work at scale for anticheat - in level of effort required, root cause detection, and accuracy/reliability.
I support this idea. Personally, I do not really care about cheating in video games. If some is cheating in a video game, I can just turn it off, go outside, and take deep breath of fresh air and touch some grass.
I rather play with cheaters here and there than install some kernel level malware on machine just to make sure EA, Activision, et al can keep raking in money hand over fist.
Or better yet, I can just play on console where there is no cheating that I have ever seen.
It's a whole lot of effort to go through just so corporations can get gamers playing with strangers instead of friends, while taking the whole thing way too seriously. You need anticheat when you want competitive rankings and esports leagues, but is any of that actually any better than just playing casual games with people you know and trust to play fair?
Yes it can be? This is a very strange statement to me. Many genuinely like testing themselves against other people, improving over time, and seeing how they stack up. Competition is a pretty basic human thing, e.g. sports, chess, card games, and therefore video games. And competing with the world is a far grander challenge than those you explicitly know.
Not everyone enjoys that, and that’s fine, but acting like it’s somehow unnatural or pointless feels way off.
I know gamers are drawn to it, that's why the game corps like it so much. But is this actually good? So very often with these hyper competitive games played between strangers competing for global ranking, the whole thing turns very toxic, with gamers often seeming to not even enjoy the moment to moment process, often raging at their incompetent team mates or raging at their opponents for supposedly cheating, or whathaveyou. All the while, not developing relationships as they could be if they were playing something with friends. Elevated cortisol levels, when they could be chilling out. Obviously it's profitable, but is it good?
This is why I keep asking myself if I should continue playing Marathon or just exclusively play ARC Raiders. The latter can be far more relaxing yet still challenging. The former encourages that hyper-competitiveness that often stresses me out.
> So very often with these hyper competitive games played between strangers competing for global ranking, the whole thing turns very toxic, with gamers often seeming to not even enjoy the moment to moment process, often raging at their incompetent team mates or raging at their opponents for supposedly cheating, or whathaveyou.
This is very true! I'll further grant that many competitive video games have pain points that fester this. Competition, facing failure, and recognizing that what they perceived to be a fair challenge wasn't so (e.g. cheating) does sometimes out the worst in people.
However, my point is that competition, and enjoying it, is something that's been fundamentally human for all our recorded history. The sensation of straining against the edge of your capabilities, to overcome a wall, and then succeeding even just barely is supreme. Competitive video games are just a subset of activities that appeal to this. And I think just as much as they are infuriating, they are also good!
Moreover, competitive video games can also be fairly social. Playing a chiller game with friends is one way to socialize, that I have nothing against. But there's also special bonds that are forged through shared struggle, even minor. For example, the fighting game community has a very strong local scene. If you can play fighting games, in most major cities in NA you can attend your local and make friends. With team competitive games, invite your homies.
Once again, I definitely do not dispute that competitive video games can be toxic. Especially in today's online culture. Taking fighting games as an example again, the online, anonymous, communities can be quite toxic. Ah, now that I've written this far, I'm realizing that maybe I've missed your point? Are you saying that it's specifically the strangers, that you never get to know and therefore trust, that makes this worse off?
There is a solution to cheating, but it's not clear how hard it would be to implement.
Cheaters are by definition anomalies, they operate with information regular players do not have. And when they use aimbots they have skills other players don't have.
If you log every single action a player takes server-side and apply machine learning methods it should be possible to identify these anomalies. Anomaly detection is a subfield of machine learning.
It will ultimately prove to be the solution, because only the most clever of cheaters will be able to blend in while still looking like great players. And only the most competently made aimbots will be able to appear like great player skills. In either of those cases the cheating isn't a problem because the victims themselves will never be sure.
There is also another method that the server can employ: Players can be actively probed with game world entities designed for them to react to only if they have cheats. Every such event would add probability weight onto the cheaters. Ultimately, the game world isn't delivered to the client in full so if done well the cheats will not be able to filter. For example: as a potential cheater enters entity broadcast range of a fake entity camping in an invisible corner that only appears to them, their reaction to it is evaluated (mouse movements, strategy shift, etc). Then when it disappears another evaluation can take place (cheats would likely offer mitigations for this part). Over time, cheaters will stand out from the noise, most will likely out themselves very quickly.
So are very good players, very bad players, players with weird hardware issues, players who just got one in a million lucky…
When you have enough randomly distributed variables, by the law of big numbers some of them will be anomalous by pure chance. You can't just look at any statistical anomaly and declare it must mean something without investigating further.
In science, looking at a huge number of variables and trying to find one or two statistically significant variables so you can publish a paper is called p hacking. This is why there are so many dubious and often even contradictory "health condition linked to X" articles.
> So are very good players, very bad players, players with weird hardware issues, players who just got one in a million lucky…
They will all cluster in very different latent spaces.
You don't automatically ban anomalies, you classify them. Once you have the data and a set of known cheaters you ask the model who else looks like the known cheaters.
Online games are in a position to collect a lot of data and to also actively probe players for more specific data such as their reactions to stimuli only cheaters should see.
But a good way of solving this in community managed multiplayer games is this: if a player is extremely good to the point where it’s destroying the fun of every other player: just kick them out.
Unfair if they weren’t cheating? Sure. But they can go play against better players elsewhere. Dominating 63 other players and ruining their day isn’t a right. You don’t need to prove beyond reasonable doubt they’re cheating if you treat this as community moderation.
Why do you feel someone has a right to play anywhere?
If a community manages a server, it’s basically private property. And community managed servers are always superior to official publisher-managed servers. Anticheat - or just crowd management - is done hands on in the server rather than automated, async, centralized.
Buying the game might mean you have a ”right” to play it, but not on my server you don’t.
It's like if Nikola Jokic showed up to your local court every day and consistent beat you day after day. You'd eventually give up because it's not fun anymore.
People who engage in competitive sports all agree to it. Most people want to play for fun. They have a natural right to do so.
”Your game”? It’s a publisher making a game. If I’m kicking someone off my server I’m not asking EA/Ubisoft etc.
I’m talking about normal old fashioned server administration now, I.e people hosting/renting their game infra and doing the administration: making rules, enforcing the rules by kicking and banning, charging fees either for vip status meaning no queuing etc, or even to play at all.
I've been advocating for a statistical honeypot model for a while now. This is a much more robust anti cheat measure than even streaming/LAN gaming provides. If someone figures out a way to obtain access to information they shouldn't have on a regular basis, they will be eventually be found with these techniques. It doesn't matter the exact mechanism of cheating. This even catches the "undetectable" screen scraping mouse robot AI wizard stuff. Any amount of signal integrated over enough time can provide damning evidence.
> With that goal in mind, we released a patch as soon as we understood the method these cheats were using. This patch created a honeypot: a section of data inside the game client that would never be read during normal gameplay, but that could be read by these exploits. Each of the accounts banned today read from this "secret" area in the client, giving us extremely high confidence that every ban was well-deserved.
This is said very often, but doesn't seem to be working out in practice.
Valve has spent a lot of time and money on machine learning models which analyze demo files (all inputs). Yet Counter-Strike is still infested with cheaters. I guess we can speculate that it's just a faulty implementation, but clearly the problem isn't just "throw a ML model at the problem".
Honeypots are used pretty often, sure. They're not enough, though useful.
Behavioral analysis is way harder in practice than it sounds, because most closet cheaters do not give enough signal to stand out, and the clusters are moving pretty fast. The way people play the game always changes. It's not the problem of metric selection as it might appear to an engineer, you need to watch the community dynamics. Currently only humans are able to do that.
In CS2, a huge portion of cheaters can be identified just by the single stat 'time-to-damage'. Cheaters will often be 100ms faster to react than even the fastest pros. Not all cheaters use their advantage in this way, but simply always make perfect choices because they have more information than their opponents.
I disagree with the premise that it doesn't matter as long as users can't tell. Say you're running a Counterstrike tournament with a 10k purse... Integrity matters there. And a smart cheater is running 'stealth' in that situation. Think a basic radar or a verrrrrry light aimbot, etc.
The problem is that traditional cheats (aimbot, wallhack, etc.) give users such a huge edge that they are multiple standard deviations from the norm on key metrics. I agree with you on that and there are anticheats that look for that exact thing.
I've also seen anticheats where flagged users have a session reviewed. EG you review a session with "cheats enabled" and try to determine whether you think the user is cheating. This works decently well in a game like CS where you can be reasonably confident over a larger sample size whether a user is playing corners correctly, etc.
The issue with probing for game world entities is that at some point, you have to resolve it in the client. EG "this is a fake player, store it in memory next to the other player entities but don't render this one on screen." This exact thing has happened in multiple games, and has worked as a temporary solution. End of the day, it ends up being a cat and mouse game. Cheat developers detect this and use the same resolution logic as the game client does. Memory addresses change, etc. and the users are blocked from using it for a few hours or a few days, but the developer patches and boom, off to the races.
These days game hacks are a huge business. Cheats often are offered as a subscription and can rank from anywhere from 10-hundreds of dollars a month. It's big money and some of the larger hack manufacturers are full blown companies which can have tens of thousands of customers. It's a huge business.
I think you're realistically left with two options. Require in-person LAN matches with hardware provided by the tournament which is tamper-resistant. Or run on a system so locked down that cheats don't exist.
Both have their own problems... In-person eliminates most of that risk but it's always possible to exploit. Running on a system which is super locked down (say, the most recent playstation) probably works, until someone has a 0day tucked away that they hoard specifically for their advantage. An unlikely scenario but with the money involved in some esports... Anything is possible.
> End of the day, it ends up being a cat and mouse game. Cheat developers detect this and use the same resolution logic as the game client does.
This is not well done. Only the server should be able to tell what the honeypot is. The point is to spawn an entity for one or more clients which will be 100% real for them but would not matter because without cheats it has no impact on them whatsoever. When the world evolves such that an impact becomes more likely then you de-spawn it.
This will only be possible if the server makes an effort to send incomplete entity information (I believe this is common), this way the cheats cannot filter out the honeypots. The cheats will need to become very sophisticated to try and anticipate the logic the server may use in its honeypots, but the honeypot method is able to theoretically approach parity with real behavior while the cheat mitigations cannot do that with their discrimination methods (false positives will degrade cheater performance and may even leak signal as well).
For example you can use a player entity that the client hasn't seen yet (or one that exited entity broadcast/logic range for some time) as a fake player that's camping an invisible corner, then as the player approaches it you de-spawn it. A regular player will never even know it was there.
Another vector to push is netcode optimizations for anti-cheating measures. To send as little information as possible to the client, decouple the audio system from the entity information - this will allow the honeypot methods to provide alternative interpretations for the audio such as a firefights between ghosts only cheaters will react to. This will of course be very complex to implement.
The greatest complexity in the honeypot methods will no doubt be how to ensure no impact on regular players.
Kernel level anti cheat is really the maximum effort of locking down a client from doing something suspicious. But today we still see cheaters in those games running these system. Which proofs that a game server just cannot trust a random client out there. I know it's about costs, what to compute on client and what to compute in server side. But as long as a game trusts computation and 'inputs' of clients we will see those cheating issues.
It’s not about costs, it’s about tradeoffs. In an online shooter game (for example) there is latency, and both clients are going to have slightly different viewpoints of the world when they take an action.
No amount of netcode can solve the fact that if I see you on my screen and you didn’t see me, it’s going to feel unfair.
While I’m not really a gamer, I do think the conundrum of online games cheating is an interesting technical problem because I honestly can’t think of a “good” solution. The general simplistic answer from those who never had to design such a game or a system of “do everything on the server” is laughably bad.
Anyway, this isn’t the Olympics, a professional sport, or Chess. It’s more like pickup league. Preserving competitive purity should be a non-goal. Rather, aim for fun matches. Matchmaking usually tries to find similar skill level opponents anyway, so let cheaters cheat their way out of the wider population and they’ll stop being a problem.
Or, let players watch their killcams and tag their deaths. Camper, aimbot, etc etc. Then (for players that have a good sample size of matches) cluster players to use the same tactics together.
Treating games like serious business has sucked all the fun out of it.
Matching based on skill works only as long as you have an abundance of players you can do that based on. When you have to account for geography, time of day, momentary availability, and skill level, you realize that you have fractured certain players far too much that it’s not fun for them anymore. Keep in mint that “cheaters” are also looking for matches that would maximize their cheats. Maybe it’s 8PM Pacific Time with tons of players there, but it’s 3 AM somewhere else with much limited number of players. Spoof your ping and location to be there and have fun sniping every player in the map. Sign up for new accounts on every play, who cares. Your fun as a cheater is to watch others lose their shit. You’re not building a character with history and reputation. You are heat sniping others while they are not realizing it. It may sound limited in scope and not worth the effort for you, but it’s millions of people out there tht ruin the game for everyone.
Almost every game I know of lets players “watch their kill cam”, and cheaters have adapted. The snipped people have a bias to vote the sniper was cheating, and the snipers have a bias to vote otherwise. Lean one way or the other, and it’s another post on /r/gaming of how your game sucks.
Well it is a professional sport -- there's tournaments worth tens of millions of dollars. But honestly it is probably easier to catch cheaters in that environment. The real issue is that cheaters suck the fun out of the game, and matchmaking doesn't fix this because cheaters just cheat the matchmaking (smurf accounts, etc) until they're stomping regular players again. I don't think throwing our hands up and letting the cheaters go on is a real solution.
Smurf accounts are a real problem, but they are a real problem whether the person stomping beginners is using cheats or is just experienced. The target should be preventing smurfing in the first place.
> The real issue is that cheaters suck the fun out of the game
Unpopular opinion: cheaters don’t, griefers do.
“Cheater” is a pejorative for someone who sidesteps the rules and uses technology instead of, uh, pardon a potentially word choice, innate skills. They don’t inherently want to see others suffer as they stomp - it’s a matchmaking bug they’re put where they don’t belong. They just want to do things they cannot do on their own, but what are technically possible. A more positive term for that is a “hacker”.
Griefers are a different breed, they don’t just enjoy own success but get entertained by others’ suffering. Not a cheating issue TBH (cheats merely enable more opportunities), more like “don’t match us anymore, we don’t share the same ideas of fun” thing. “Black hat” is close enough term I guess.
YMMV, but if someone performs adequately for my skill levels (that is, they also don’t play well) then they don’t deprive me of any fun irrespective of how they’re playing.
Yeah thats a really unpopular opinion. Cheaters dont want to play the game. There is no matchmaking for them that makes sense.
They have inhuman skills usually paired with terrible game IQ and generally awful toxicity. They get boosted up to play with intelligent players purely because they can hold a button to outplay. It gets to the point where you have a player on your team who has no idea how to play but is mechanically good and it breaks the entire competitiveness of the game.
> They don’t inherently want to see others suffer as they stomp
Cheaters want to dominate other players, feel like they deserve to dominate other players and are perfectly happy for other players to suffer as long as they feel good.
That’s provably not universally true, although I have no idea about the exact demographics.
Best I’ve ever seen was some online discussions about motives, but I never compiled any statistics out of random anecdotes (that must be biased and probably not representative).
That's a gross exaggeration. Some people just want to play the game, but lack motor skills commensurate with their other abilities.
Are players who take advantage of developer-supplied aim assist and other assistive technologies "motivated by a toxic sense of self regard and a desire to humiliate others"?
> let cheaters cheat their way out of the wider population
In a 5v5 shooter this ruins 9 people’s game along the way, times however many games this takes. Enough people do this and the game is ruined
> or let players watch their killams and tag their deaths
Players are notoriously bad at this stuff. Valve tried it with “overwatch” and it didn’t work at all.
Forgetting about anti cheat for a minute though, may hamming for different behaviours is a super interesting topic in itself. It’s very topical right now [0] and a fairly divisive topic. Most games with a ranked mode already do this - there’s a hidden MMR for unranked modes that is match made on, and players self select into “serious” or “non serious” queues. It works remarkably well - if you ever read people saying that Quick Play is unplayable it proves that the separate queues are doing a good job of keeping the two groups separate!
Did Valve really do that for Overwatch? It is on their store, so maybe, but I’d expect Blizzard to implement that sort of thing.
I agree that killcam tagging is not great for, like, actual “you are breaking the rules” type enforcement (because, yeah, players will generate a ton of false-positives). But if players had a list of traits and match-making tried to minimize some distance in the trait space (admitting it could’ve be perfect), it might result in more fun matches.
I’m sure there’s a game out there that has a prize pool for matchmaking mode, because any silly thing has happened somewhere, but I’d expect that sort of thing to mostly be handled in proper tournaments.
It's not so much tournaments but viewership. People watch others play on Twitch, that gets you money directly as well as sponsorships. This incentives people to cheat so they're good on stream.
I think from a purely technical viewpoint, cheaters will always have the advantage since they control the machine the game and anti-cheat is running on. Anti-cheat just has to keep the barrier high enough so regular players don't think the game is infested with cheaters.
I agree, but that’s precisely the interesting ‘technical’ problem. Like bitcoins “proof of work” in 2011 (it took me few years to comprehend) was an eye opening moment for me. While I do believe that it firmly failed to achieve its lofty goals, the idea of “proof of work” was a really captivating and interring technical idea. Can a video game client have a similar zero-trust proof of their authenticity? I personally can’t think of one. I can’t think of a way to have remote random agents (authenticates or not) to proof they are not cheating in a “game”, and like you, I suspect it’s not really possible. But what does that mean?
I grew up with star trek and star wars wondering what a “I’ll transfer 20 units to you” meant. Bitcoin was an eye opener in the idea of “maybe this is possible” to me. But it shortly became true to me that it’s not the case. There is no way still for random agents to prove they are not malicious. It’s easier in a network within the confines of Bitcoin network. But maybe I’m not smart enough to come up with a more generalized concept. After all, I was one of the people who read the initial bitcoin white paper on HN and didn’t understand it back then and dismissed it.
You could have replays where all player inputs are signed by the individual players. This replay file could be used as proof to report a cheater. Analysis tools can be developed later to identify what packets are only possible from cheaters. For example you could prove that a player was sending packets that they were flying around.
I have never worked on AAA games, but I have developed software for 35 years and play many competitive online games regularly.
I have always wondered why more companies don't do trust based anti cheat management. Many cheats are obvious from anyone in the game, you see people jumping around like crazy, or a character will be able to shoot through walls, or something else that impossible for a non-cheater to do.
Each opponent in the game is getting the information from the cheating player's game that has it doing something impossible. I know it isn't as simple as having the game report another player automatically, because cheaters could report legitimate players... but what if each game reported cheaters, and then you wait for a pattern... if the same player is reported in every game, including against brand new players, then we would know the were a cheater.
Unless cheaters got to be a large percentage of the player population, they shouldn't be able to rig it.
Less skilled players can't distinguish better players from cheaters, and reports are usually abused and used in bad faith. Even a good-faith report really just means "I don't want to see this player for whatever reason". It's used as a signal of something in most systems but never followed outright in good games because players get a ton of useless reports.
Players in some games with custom servers run webs of trust (or rather distrust, shared banlists). They are typically abused to some degree and good players are banned across multiple servers by admins acting in bad faith or just straight up not caring. This rarely ends well.
I used to run popular servers for PvP sandbox games and big communities, and we used votebans/reports to evict good players from casual servers to anarchy ones, where they could compete, but a mod always had to approve the eviction using a pretty non-trivial process. This system was useless for catching cheaters, we got them in other ways. That's for PvP sandboxes - in e-sports grade games reports are useless for anything.
A couple of years ago the bot situation in casual Team Fortress 2 was so bad that it wasn't uncommon to land in a game where the majority of at least one of the teams was a group of cooperating bots. In those matches you have the possibility to start a kick-vote on your team mates, and those bots would immediately vote “no” if you tried to vote on any of them and because they were the majority of the team these votes always failed. And if these batch were in your enemy team all you could do was to ask the remaining, hopefully real, players on the enemy team to try to kick them.
It was especially annoying when you tried to play certain game modes these bots weren't programmed to handle, they had no idea of the objective and the match would stall indefinitely, forcing you to queue for a different match.
And if I remember correctly these bots were pretty much headshotting everything they got in sight. Something the server can easily detect.
But VAC for example acts intentionally slow, so cheaters don't get immediate feedback.
Out of curiosity I did a quick internet search and a couple of months ago a new wave of bots has emerged. Those bots also join as majority group but never fully join the game, they simply take up slots in a team, preventing others from joining. Makes you wonder why the server isn't timing them out.
Counter-Strike has been doing this for years. It's called "Overwatch" (even before Blizzards Overwatch came out). And believe it or not it failed to reliably catch actual cheaters AND got non-cheaters in trouble (both repeatedly). A very good player is indistinguishable from a cheater with a good cheat. Sometimes people just get super lucky for a few rounds and you might get judged based on that.
> A very good player is indistinguishable from a cheater with a good cheat.
I played COD4 a lot, though not competitively. I used to say that I had a bad day if I didn't get called a cheater once.
I didn't cheat, never have, but some people are just not aware of where the ceiling is.
The cheaters that annoyed us back then were laughably obvious. They'd just hold the button with a machine gun and get headshots after headshots, or something blatant like that.
> some people are just not aware of where the ceiling is
True of everything. Getting good just lets you see the skill gaps. I've sunk a serious chunk of time into both pool and chess. In both I'd be willing to take a bet that I can beat the median player with my eyes closed (in pool, closing them after walking the table but before getting down on the shot).
And in both of those activities, there are still like 10-20 levels of "person at skill level A should always win against person at skill level B" between me and someone who is ACTUALLY good at pool or chess. Being charitable, in the grand scheme of things I might be an intermediate player.
> Anti-cheat just has to keep the barrier high enough so regular players don't think the game is infested with cheaters.
And even that's the (relatively) straightforward part. The hard part is doing this without injuring the kernel enough that the only sensible solution for the security conscious is a separate PC for gaming.
The only solution that seems to work well that I've seen is having very active and good server admins who watch the gameplay and permaban cheaters. Requires a lot of man hours and good UI and info for them to look at, as well as (ideally) the ability to see replays.
That solution only works on servers hosted by players - I've never seen huge game companies that run their own servers (like GTA) have dedicated server admins. I guess they think they can just code cheaters out of their games, but they never can.
It's interesting how often accuracy problems fall back to requiring humans in the loop, and in the case of big consumer systems that means employing people in low wage parts of the world. For playing a match of a video game I don't think there's that much money involved balanced against the amount of playtime to pay for enough monitoring or to ensure a timely response to reports. Gamers always wheel out community run servers and admins because it's pushing the cost onto someone else (I don't think I've ever seen someone volunteer themselves for it), and they'd mostly refuse pay to play if that meant employing a staff that scaled as their online games are popular.
By and large we do. Unfortunately, the losers don't care unless you identify them personally. For them, the thrill of cheating and griefing others easily overcomes some generalized cultural zeitgeist.
This has happened in online chess, with some people admitting to using engines (ie cheating) to "confirm their suspicion that the other guy is cheating".
Remember you're living in a world where people idolize Elon Musk, a person who employed someone to play path of exile and diabolo to boost his account (ie a cheater). Also a lot of people don't care (or claim not to care) whether people see them as losers as long as they wreck other folks day.
I don't know a single person who doesn't think that the PoE thing was super cringe. To the extent that people idolize Elon, it's because they think his accomplishments outweigh him making a massive fool of himself in that instance.
Most people ignore that "do everything on the server" kills any game that needs fast interactions or decent local prediction, latency goes through the roof and you might as well play chess by email. There isn't a clean answer.
Kernel anti-cheat isn't an elegant solution either. It's another landmine, security holes, false positives, broken dev tools, and custody battles with Windows updates while pushing more logic server-side still means weeks of netcode tuning and a cascade of race conditions every time player ping spikes, so the idea that this folds to "better code disipline" is fantasy.
I don't install games that require kernel level anticheat. I wish those games would stop using them because without that I'd play a few of them.
Kernel level anticheat isn't a silver bullet, either. It just simplifies the work of the anticheat programmers. I personally think that the silver bullet is behavioral anticheat and information throttling (don't send the player information about other players that he can't see/hear)
Do what Netflix did and run servers at ISPs (or at their providers or Cloudflare points).
It's kind of weird that we still don't have distributed computing infrastructure. Maybe that will be another thing where agents can run near the data their crunching on generic compute nodes.
If me and my roommate are both playing against each other on a server less than 10ms away, in the normal scenario at 60fps there is still ~60ms between me clicking and it appearing on your screen - and another 60ms before I get confirmation. Now add real world conditions like “user is running YouTube in the background” or “wife opens instagram” and that latency becomes unpredictable. You still are left with the same problems. Now multiply it by 10 people who are not the same distance from the ISP and the problems multiply.
Sorry to day this, but I don’t think you understand how any of this works. Whenever someone’s proposed “edge computing” as a way to solve trust problems, I know they are just stringing together fancy sounding words they don’t understand.
What “Netflix did” was having dead-simple static file serving appliance for ISPs to host with their Netflix auth on top. In their early days, Netflix had one of the simplest “auth” stories because they didn’t care.
There's different levels of cheating. We can avoid the worst cases by not putting the game state/Netcode in the users computer which basically makes it like an X Server.
It would add some latency but could be opt-in for those that care enough for all players in a match to take the hit.
All the games that use kernel anti cheat have the simulation running on the server.
You can't make a competitive fps game with a dumb terminal, it can't work because the latency is too high so that's why you have to run local predictive simulation.
You don't want to wait the server to ack your inputs.
> All the games that use kernel anti cheat have the simulation running on the server.
There's an exception with fighting games. Fighting games generally don't have server simulations (or servers at all), but every single client does their own full simulation. And 2XKO and Dragon Ball FighterZ have kernel anti cheat.
Well I'm just nitpicking and it's different because it's one of the few competitive genres where the clients do full game state simulations. Another being RTS games.
> Modern kernel anti-cheat systems are, without exaggeration, among the most sophisticated pieces of software running on consumer Windows machines. They operate at the highest privilege level available to software, they intercept kernel callbacks that were designed for legitimate security products, they scan memory structures that most programmers never touch in their entire careers, and they do all of this transparently while a game is running.
Okay, chill. I'm willing to believe that anti-cheat software is "sophisticated", but intercepting system calls doesn't make it so. There is plenty of software that operates at elevated privilege and runs transparently while other software is running, while intentionally being unsophisticated. It's called a kernel subsystem.
I think I'll just stick to simple games on iOS/iPadOS or just use my Nintendo Switch. These anti-cheat systems are far too invasive for my liking. I also worry about those things being hacked! The last time i built a gaming pc was 20 years ago, and i was playing Doom, FEAR, and Half Life Two.. Then i did some simple gaming on macOS
The amount of people in this thread who very clearly don't play competitive video games, let alone at a remotely high level, is astounding. The comment "it's your god given right to cheat in multiplayer games" might legitimately be one of the most insane takes I've ever read.
Kernel anticheat does work. It takes 5 seconds to look at Valve's record of both VAC (client based, signature analysis) and VACNet (machine learning) to know the cheating problem with those technologies is far more prevalent than platforms that use kernel level anticheat (e.g. FACEIT, vanguard). Of course, KLAC is not infallible - this is known. Yes, cheats do (and will continue to) exist. However, it greatly raises the bar to entry. Kernel cheats that are undetected by FACEIT or vanguard are expensive, and often recurring subscriptions (some even going down to intervals as low as per day or week). Cheat developers will 99% of the time not release these publicly because it would be picked up and detected instantly where they could be making serious money selling privately.
As mentioned in the article, with DMA devices you're looking at a minimum of a couple hundred dollars just for hardware, not including the cheat itself.
These are video games. No one is forcing you to play them. If you are morally opposed to KLAC, simply don't play the game. If you don't want KLAC, prepare to have your experience consistently and repeatedly ruined.
It’s crazy to me how hard people work to effectively ruin a game for themselves…
Imagine putting in this much effort to play Minecraft survival but on creative mode. It just doesn’t sound fun
They're getting some actual reward from having a big win/loss ratio. I don't know if that's monetary or just the feeling of being the best but I'd expect the latter group to realise this is all nonsense before spending money on hardware.
Kernel anti-cheats are a fascinating example of security trade-offs.
They solve a real problem (cheats running at higher privilege levels), but at the same time they introduce a massive trusted component into the OS. You're basically asking users to install something that behaves very much like a rootkit, just with a defensive purpose.
>TPM-based measured boot, combined with UEFI Secure Boot, can generate a cryptographically signed attestation ... This is not a complete solution (a sufficiently sophisticated attacker can potentially manipulate attestation)
I was not aware that attackers could potentially manipulate attestation! How could that be done? That would seemingly defeat the point of remote attestation.
Defeating remote attestation will be a key capability in the future. We should be able to fully own our computers without others being able to discriminate against us for it.
Sure, but the exploit presented doesn't really look practical for the everyman. And I'm not sure if it can be patched in HW/SW, and in any case this is just the first step to a fully fake secure boot.
Thank you for that link, that's super interesting! It looks like it's actually an architectural vulnerability in modern fTPMs, and considered out of scope by both Intel and AMD. So that's a reliable way to break attestation on even the most modern systems!
That doesn't sound accurate. The T in TPM stands for trust, the whole standard is about verifying and establishing trust between entities. The standard is designed with the assumption that anyone can bring in their scope and probe the ports. This is one of several reasons why the standard defines endorsement keys(EK).
Actually, it is completely true. The TPM threat model has historically focused on software-based threats and physical attacks against the TPM chip itself - crucially NOT the communications between the chip and the CPU. In the over 20 year history of discrete TPMs, they are largely completely vulnerable to interposer (MITM) attacks and only within the last few years is it being addressed by vendors. Endorsement keys don’t matter because the TPM still has to trust the PCR commands sent to it by the CPU. An interposer can replace tampered PCR values with trusted values and the TPM would have no idea.
It is correct, the measurement command to the TPM is not encrypted. So with MITM you can record the boot measurements, then reset and replay to any step of the boot process. Secrets locked to particular stages of boot are then exposed.
There is guidance on "Active" attacks [1], which is to set up your TPM secrets so they additionally require a signature from a secret stored securely on the CPU. But that only addresses secret storage, and does nothing about the compromised measurements. I also don't know what would be capable of providing the CPU secret for x86 processors besides... an embedded/firmware TPM.
I remember there's a PCI device that's meant to be snooping and manipulating RAM directly by using DMA. Pretty much one computer runs the game and one computer runs the cheat. I think kernel anti cheats are just raising the bar while pretty much being too intrusive
Technically yes, but it would produce an untrusted remote attestation signature (quote). This is roughly equivalent to using TLS with a self-signed certificate — it’s not trusted by anyone else. TPMs have a signing key that’s endorsed by the TPM vendor’s CA.
The real “competitive” game is not players playing against other players, but hackers playing against anti-cheat.
“Billiards is not as good a game as Physics”
It is, of course, only a matter of time - just like kernel-level copy protection and Sony's XCP - before something like Vanguard in particular is exploited and abused by malware.
Himata is correct, too. After DMA-based stuff, it'll be CPU debugging mode exploits like DCI-OOB, some of which can be made detectable in kernel mode; or, stealthier hypervisors.
A lot of the techniques that both sides use would be much harder on macOS. Of course, Hackintoshes have always existed and where there’s a will, there’s a way. But it makes me wonder how this would evolve if Apple eventually gets its act together and makes a real push into gaming.
There is hardware that you can simply plug into your PC, which can read and write arbitrary kernel memory. I have a feeling that kernel level anticheat isn't stopping someone who really wants to cheat.
Yes, a literal privilege escalation as a service "anticheat" driver.
Trusting these companies is insane.
Every video game you install is untrusted proprietary software that assumes you are a potential cheater and criminal. They are pretty much guaranteed to act adversarially to you. Video games should be sandboxed and virtualized to the fullest possible extent so that they can access nothing on the real system and ideally not even be able to touch each other. We really don't need kernel level anticheat complaining about virtualization.
The privacy points in general are valid, but what irritates me is using this rationale against kernel mode anti cheats specifically.
You do not need kernel access to make spyware that takes screenshots. You do not need a privileged service to read the user’s browser history.
You can do all of this, completely unprivileged on Windows. People always seem to conflate kernel access with privacy which is completely false. It would in fact be much harder to do any of these things from kernel mode.
Kernel access is related to privacy though, and its the most well documented abuse of such things. Kernel level access can help obfuscate the fact that it'a happening. However, it is also useful for significantly worse, and given track records, must be assumed to be true. The problem is kernel level AC hasnt even solved the problem, so the entire thing is risky, uneccesary and unfit for purpose making an entierly unneccesary risk to force onto unsuspecting users. The average user does not understand the risks and is not made aware of them either.
There are far better ways to detect cheating, such as calculating statistics on performance and behaviour and simply binning players with those of similar competency. This way, if cheating gives god-like behaviour, you play with other godlike folks. No banning required. Detecting the thing cheating allows is much easier than detecting ways in which people gain that thing, it creates a single point of detection that is hard to avoid and can be done entierly server side, with multiple teirs how mucb server side calculation a given player consumes. Milling around in bronze levels? Why check? If you aren't performing so well that yoh can leave low ranks, perhaps we need cheats as a handicap, unless co sistently performing well out of distribution, at which point you catch smurfing as well.
point is focusing on detecting the thing people care about rather than one of the myriad of ways people may gain that unfair edge, is going to be easier and more robust while asking for less ergregious things of users.
Counter Strike is a pretty good example that the statistical analysis alone doesn't work at all...at least not now. Valve has been collecting data since at least 2017 for their VAC Live system and it still doesn't work well enough to prevent or decrease the amount of cheating. The model only gives a cooldown of 20 hours if it flags your gameplay as irregular, and that cooldown resets over time.
It usually takes months, if not years for cheaters to get banned, but it takes a couple of dollars for a cheater to get a new account and start cheating again. Every time Valve fine tunes their models, they end up accidentally banning more innocent players in the process, so nobody has trust in that system anyways. There's too many datapoints to handle in competitive games, and there is no way to set a threshold that doesn't end up hurting innocent people in the process.
>This way, if cheating gives god-like behaviour, you play with other godlike folks.
Anti-cheat is not used to "protect" bronze level games. FACEIT uses a kernel level anti cheat, and FACEIT is primarily used by the top 1% of CS2 players.
A lot of the "just do something else" crowd neglects to realize that anticheat is designed to protect the integrity of the game at the highest levels of play. If the methods you described were adequate, the best players wouldn't willingly install FACEIT - they would just stick with VAC which is user-level.
> There are far better ways to detect cheating, such as calculating statistics on performance
Ask any CS player how VAC’s statistical approach compares to Valorant’s Vanguard and you will stop asserting such foolishness
The problem with what you are saying is that cheaters are extremely determined and skilled, and so the cheating itself falls on a spectrum, as do the success of various anticheat approaches. There is absolutely no doubt that cheating still occurs with kernel level anticheats, so you’re right it didn’t “solve” the problem in the strictest sense. But as a skilled player in both games, only one of them is meaningfully playable while trusting your opponents aren’t cheating - it’s well over an order of magnitude in difference of frequency.
There is no need for irritation. I condemn all sorts of anticheating software. As far as I'm concerned, if the player wants to cheat he's just exercising his god given rights as the owner of the machine. The computer is ours, we can damn well edit any of its memory if we really want to. Attempts to stop it from happening are unacceptable affronts to our freedom as users.
Simply put, the game companies want to own our machines and tell us what we can or can't do. That's offensive. The machine is ours and we make the rules.
I single out kernel level anticheats because they are trying to defeat the very mitigations we're putting in place to deal with the exact problems you mentioned. Can't isolate games inside a fancy VFIO setup if you have kernel anticheat taking issue with your hypervisor.
> As far as I'm concerned, if the player wants to cheat he's just exercising his god given rights as the owner of the machine.
By this same logic: As far as I'm concerned, if the game developer only wants to allow players running anticheat to use their servers then they're just exercising their god given rights as the owner of the server.
This is just yet another example of the remote attestation nonsense where your computer is only "trusted" if it's corporate owned. If you own your machine, you "tampered" with it and as a result you get banned from everything. You get ostracized from digital society.
My position is this is unfair discrimination that should be punished with the same rigor as literal racism. Video games are the least of our worries here. We have vital services like banks doing this. Should be illegal.
This take sucks. The anticheat software in this context is for competitive games. No one cares about people cheating in isolation in single player games. The anticheat is to stop 1 guy from ruining it for the 9 others he's playing with online.
You can argue about the methods used for anticheat, but your comment here is trying to defend the right to cheat in online games with other people. Just no.
PvE shouldn't need it either, and yet games routinely ship with anti-cheat applied to everything (including single player).
I rather suspect that the reason for this is the current gaming economy of unlockable cosmetics that you can either grind for, or pay for. If people can cheat in single player or PvE, they can unlock the cosmetics without paying. And so...
That is not the solution if you want to play competitively of whenever you feel like it.
Kernel level AC is a compromise for sure and it's the gamers job to assess if the game is worth the privacy risk but I'd say it's much more their right to take that risk than the cheaters right to ruin 9 other people's time for their own selfish amusement
Cheating may not be moral but it's better to put up with it than to cede control of our computers to the corporations that want to own it.
If it kills online gaming, then so be it. I accept that sacrifice. The alternative leads to the destruction of everything the word hacker ever stood for.
I'm sorry but you are fighting a crusade you can not win by definition. If I am free to use my computer for anything I want then I am also free to lock it down to enjoy my favorite game. If I care about my freedom I will have a dedicated machine for this game that I accept I will not have control over.
You are hijacking this thread about VOLUNTARY ceasing of freedom as if the small community even willing to install these is a slippery slope to something worse. You have a point when it comes to banking apps on rooted phones and I'm with you on that but this is not the thread for it
Valve drives significant development of compatibility layers for Linux for the sake of gaming. Their customer base is anything but small. There is potential for this kernel stuff to spill into the entire Linux ecosystem. It was bad enough having to deal with nvidia. I really don't want other companies screwing up the kernel.
Realistically I don't see how Valve can avoid this. They want all those games on Steam Deck and the new console. Game devs want KAC. Therefore Valve can either provide them with some way to implement KAC - which effectively requires a "signed kernel / drivers only", same as on Windows - or tell them to go away. Why would they do the latter?
Mind you, it doesn't mean that the Linux kernel will be "infected for everyone". It means that we'll see the desktop Linux ecosystem forking into the "secure" Linux which you don't actually have full control of but which you need to run any app that demands a "secure" environment (it'll start with KAC but inevitably progress to other kinds of DRM such as video streaming etc). Or you can run Linux that you actually control, but then you're missing on all those things. Similar to the current situation with mainline Android and its user-empowering forks.
> we'll see the desktop Linux ecosystem forking into the "secure" Linux
> Or you can run Linux that you actually control, but then you're missing on all those things
We cannot allow this stuff to be normalized. We can't just sit by and allow ourselves to be discriminated against for the crime of owning our own devices. We should be able to have control and have all of those nice things.
Everything is gonna demand "secure" Linux. Banks want it because fraud. Copyright monopolists want it because copyright infringement. Messaging services want it because bots. Government wants it because encryption. At some point they might start demanding attestation to connect to the fucking internet.
If this stuff becomes normal it's over. They win. I can't be the only person who cares about this.
I wish that is an option. Nowadays many non competitives games that you play with friends you trust still use EAC (yet accept non-kernel mode operation on Linux). I suppose other than VAC you can't buy a usermode anticheat middleware now.
This is the most asinine take I've seen on the subject in a while.
You may think it's your "god-given right" to cheat in multiplayer games, but the overwhelming majority of rational people simply aren't going to play a game where every lobby is ruined by cheaters.
I don't like cheaters either. I just respect their power over their machine and wouldn't see that power usurped by corporations just to put a stop it.
The computers are supposed to be ours. What we say, goes. Cheating may not be moral but attempts to rob us of the power that enables cheating are even less so.
Game compagny have to have those kernel anti cheat because MS never implemented proper isolation in the first place, if Windows was secured like an apple phone or a console there wouldn't be a need for it.
Anti cheat don't run on modern console, game dev knoes that the latest firmware on a console is secure enough so that the console can't be tempered.
Consoles and phones are "secure" because you don't own them. They aren't yours. They belong to the corporations. They're just generously allowing you to use the devices. And only in the ways they prescribe.
This is the exact sort of nonsense situation I want to prevent. We should own the computers, and the corporations should be forced to simply suck it up and deal with it. Cheating? It doesn't matter. Literal non-issue compared to the loss of our power and freedom.
It's just sad watching people sacrifice it all for video games. We were the owners of the machine but we gave it all up to play games. This is just hilarious, in a sad way.
And if we embraced instead of feared remote attestation and secure enclaves, the days of game companies having this level of access would come to an end.
That's arguably even worse. Remote attestation means you get banned from everything if you "tamper" with "your" computer.
Remote attestation is the ultimate surrender. It's not really your machine anymore. You don't have the keys to the machine. Even if you did, nobody would trust attestations made by those keys anyway. They would only trust Google's keys, Apple's keys. You? You need not apply.
I feel like this whole problem is just made up. Back in the day, when I played lots of Counter Strike, we had community servers. If a cheater joined, some admin was already online and kicked them right away. I'm sure we hit some people that were not actually cheaters, but they would just go to another server. And since there was no rank, no league, no rewards (like skins, drops, etc.), there was no external reward for cheating. It annoys me that cheating in competitive video games seems like a bigger problem than it has been in the past for no good reason.
Uh, isn’t the IDT one of these things that PatchGuard explicitly checks? Mind you, anticheats keep PatchGuard corralled these days because they want their own KiPageFault hooks assuming HVCI is not in place.
The article doesn’t go too in depth on the actually interesting things modern anticheats do.
In addition:
- you can’t really expect .text section of game/any modules except maybe your own to be 100% matching one on disk, because overlays will hook stuff like render crap (fun fact for you: Steam will also aggressively hook various WinAPI stuff presumably for VAC, at least on CS2)
I still don't understand why people don't cheat in FPSes by looking at the video stream and having a USB mouse that emits the right mouse movements. (The simplest thing is to just click when someone's head is under your crosshair, in games with hitscan weapons.)
The problem with these bots is that they are indiscriminate which makes them vulnerable to active detection methods. They can also introduce an amount of latency that begins to defeat the purpose for sufficiently skilled players. 100ms is an eternity when you are playing with shotguns in close quarters.
i've said it before, but is anti-cheat mechanisms needed on consoles? If not, (presumambly due to their locked down nature), what's the problem with having a locked down mode (trusted secure boot path that doesn't allow other programs to run, ala "the xbox mode" that microsoft has started to implement), that is similar to a console.
This seems much more doable today than in the past as machines boot in moments. Switching from secure "xbox mode" to free form PC mode, would be barely a bump.
Now, I see one major difference, heterogenous vs homogenous hardware (and the associated drivers that come with that). In the xbox world, one is dealing with a very specific hardware platform and a single set of drivers. In the PC world (even in a trusted secure boot path), one is dealing with lots of different hardware and drivers that can all have their exploits. If users are more easily able to modify their PCs and set of drivers one, I'd imagine serious cheaters would gravitate to combinations they know they can exploit to break the secure/trusted boot boundary.
Not sure if they are considered anti-cheats, but there are some measures to detect usage of input devices like XIM that allow keyboard and mouse inputs which allow for superior aim over controllers.
Well it's definitely not game developer written kernel anti-cheat on consoles.
Kernel anti-cheats are weaponized by hackers. It is all over HN.
Play games which are beyond that: dota2, cs2 for instance.
On linux, there is a new syscall which allows a process to mmap into itself the pages of another process (I guess ~same effective UID and GID). That is more than enough to give hell to cheats...
But any of that can work only with a permanent and hard working "security" team. If some game devs do not want to do that, they should keep their game offline.
How about this: Instead of third-party companies installing their custom code to fuck with my operating system,
How about just having the OS offer an API that a game can request to reboot the OS into "console mode": A single-user, single-application mode that just runs that game only.
Similar to how consoles work.
That mode could be reserved for competitive ranked multiplayer only.
I could have sworn online gambling people fixed this years ago with just wifi. I thought I remembered reading a comment on here about the online gambling for kids no cheating people not talking to the online gambling for adults no cheating people.
The "just wifi" is about getting your true geolocation so regulated gaming platforms can operate legally. Ironically, I bet whatever API they use can be intercepted by a kernel level process.
They also have VM checks. I "accidentally" logged into MGM from a virtual machine. They put my account on hold and requested I write a "liability statement" stating I would delete all "location altering software" and not use it again. (Really!)
looking at cards is a way easier problem than rendering a 3d world with other players bouncing around. I imagine you could just send the card player basially a screenshot of what you want them to see and give them no other data to work with and that would mostly solve cheating.
But gambling can be way more complicated than just looking at cards so maybe there's a lot more to it.
Modern cheats use hypervisors or just compromise hyper-v and because hyper-v protects itself so it automatically protects your cheat.
Another option that is becoming super popular is bios patching, most motherboards will never support boot guard and direct bios flashing will always be an option since the chipset fuse only protects against flashing from the chipset.
DMA is probably the most popular by far with fusers. However, the cost of good ones has been increasing due to vanguard fighting the common methods which is bleeding into other anticheats (some EAC versions and ricochet).
These are not assumptions, every time anticheats go up a level so do the cheats. In the end the weakest link will be exploited and it doesn't matter how sophisticated your anticheat is.
What does make cheat developers afraid is AI, primarily in overwatch. It's quite literally impossible to cheat anymore (in a way that disturbs normal players for more than a few games) and they only have a usermode anticheat! They heavily rely on spoofing detection and gameplay analysis including community reports. Instead of detecting cheats, they detect cheaters themselves and then clamp down on them by capturing as much information about their system as possible (all from usermode!!!).
Of course you could argue that you could just take advantage that they have to go through usermode to capture all this information and just sit in the kernel, but hardware attestation is making this increasily more difficult.
The future is usermode anticheats and gameplay analysis, drop kernel mode anticheats.
No secure boot doesn't work if you patch SMM in bios, you run before TPM attestation happens.
I wouldn’t call BIOS patching “super popular”. That sounds like an admission that anti-cheat is working because running cheats now requires a lot of effort. Now that cheats are becoming more involved to run, it’s becoming less common to cheat.
When cheats were as simple as downloading a program and you were off to cheating, the barrier to entry was a lot lower. It didn’t require reboots or jumping through hoops. Anyone could do it and didn’t even have to invest much time into it.
Now that cheats are no longer an easy thing to do, a lot of would-be cheaters are getting turned off of the idea before they get far enough to cheat in a real game.
> Of course you could argue that you could just take advantage that they have to go through usermode to capture all this information and just sit in the kernel, but hardware attestation is making this increasily more difficult.
Didn’t the first half of your post just argue that these measures can be defeated and therefore you can’t rely on them?
Anticheats, especially kernel-mode ones does not make the problem smaller. All they do is make it more rewarding for capable people.
The average cheater is (or was) basically a troll. They delighted in the act of ruining other people’s games, not installing the cheat. The harder you make it for them to get to that point, the less enjoyment they get.
The people you describe who are in it for the thrill of breaking through are not the ones playing 6 hours every night because the game itself is not the thrill. It’s the exploration of the hardware and software. They might get cheats set up, but once it’s working they get bored with the game and move on to another technical challenge.
* I use easy cheats for single player games - for example, infinite jumps in cyberpunk 2077 are just huge amounts of fun :)
* I have zero desire for cheating in multilayer games. Not some high morality righteous horse, just, what's the point? I have fun even when I lose, and having something else play for you takes away from visceral fun that I get.
* I could understand, even if not agree, people who cheat for profit. That's the basis of all crime everywhere.
* I do not understand people who cheat in multilayer games not-for-profit. It feel you need to have both a) some sort of anti social / non social tendency, and b) dopamine rushes along pathways I don't.
I'd be genuinely curious to hear about your acquaintances who cheat in multilayer for no profit and why they do it :-)
Some are just addicted, they really love the game, but playing without cheats doesn't make them feel anything so they pick the easiest solution: continue to cheat... forever.
Some are just delusional, they do not want to deal with the reality that they're not good at the game without cheats.
Some are just trolling and want to spinbot piss people off, make people angry. It's what makes them happy.
Some don't have a choice, they started their competitive career with cheats.
Some justify it that "I made the cheat, I deserve to use it"
If you want more I got a whole book of reasons. I am in a unique situation since I happen to be friends from back when I was cheating a lot my self, in that time I established relationships with a lot of developers and personally for me it was curiosity that got me not only into cheating, but the whole process and development. I ended up just making roblox games though.
I, myself, got two accounts banned and I was innocent. I managed to make it through support and got them unbanned but I'm fairly certain that many players didn't, because they seem to employ AI in their support.
So I'm a bit skeptical about that kind of behavioural bans. You risk banning a lot of dedicated players who happened to play differently from the majority and that tend to bring bad reputation. For example I no longer purchase yearly subscription, because I'm afraid of sudden ban and losing lots of unspent subscription time.
You don't play a "match", you don't play "against" other players most of the time, in this context "botting" and "cheating" overlap because having your character do stuff 24/7 unattended is an evident advantage over the rest of the population, but it's not like you are hindering anyone's progress directly the vast majority of the time doing so.
How often does actual cheating happen in WoW, anywhere it matters? M+? Raiding? PvP?
That's indirectly hindering other players progression, because it causes deflation (so you can't earn as much gold selling your ores); because it causes inflation (more circulating gold, yes, these are contradictory); because it denies other player farm (if bot gathered ore, other player have to search for another vein) and so on; also illegal gold selling increases expectations (other players bought super good gear, why don't you do that) and causes burn-out (because farming gold fairly is much more hard, than just buying it).
But mainly it just makes players angry, because they can see these bots moving in a predetermined route and stealing resources from their noses. I'm not really sure if bots are that bad in the grand scheme of things, but living players certainly don't like to compete with automatons.
There were also cheaters who used instant cast interruptions at arenas, but it seems that competitive PvP is not that popular nowadays so I'm not sure how it's wide spread.
It's almost the same as saying "you don't need a password on your phone" or something like that.
False, people that have information they shouldn't have will act in detectable ways, even if they try their hardest not to.
ESP is a lot more obvious to a machine than one might think, the subtle behavior differences are obvious to a human and even more so for a model. Of course none of that can be proven, but it can increase the scrutiny of such players from player reports.
> you can achieve the same with user mode anticheats
A user mode anti cheat is immediately defeated by a kernel mode cheat, and cheaters have already moved past this in practice.
A user mode anti cheat (on windows) with admin privileges has pretty much full system access anyway, so presumably if you have a problem with kernel AC you also have a problem with user mode.
Lastly, cheating is an arms race. While in theory, the cheaters will always win, the only thing that actually matters is what the cheaters are doing in practice. Kernel mode is default even for free cheats you download, so the defaults have to cover that.
First, point of ingress: registry, file caches, dns, vulnerable driver logs.
Memory probe detection: workingsets, page guards, non trivial obfuscation, atoms, fibers.
Detection: usermode exposes a lot of kernel internals: raw access to window and process handles, 'undocumented' syscalls, win32, user32, kiucd, apcs.
Loss of functionality: no hooks, limited point of ingress, hardened obfuscation, encrypted pages, tamper protection.
I could go on, but generally "lol go kernelmode" is sometimes way more difficult than just hiding yourself among the legitimate functionality of 3rd party applications.
This is everything used by anticheats today, from usermode. The kernel module is more often than not used for integrity checks, vm detection and walking physical memory.
So let me summarize the above thread:
Yes, there will always be workarounds for ANY level of anti-cheat. Yes, kernel-mode anti-cheat detects a higher number of cheats in practice, and that superiority seems durable going forward.
There, I think we can all agree on those. No need to reiterate what has already been posted.
source: observation of games implying stronger anti-cheat measures over time and customer count staying exactly the same or growing. league of legends is a prime example, although it did create a crater for awhile. this all comes from people who actively sell cheats.
AKA the way that is easiest to detect, and the easiest way to claim that the game doesn't have cheaters. Behavioral analysis doesn't work with closet cheaters, and they corrupt the community and damage the game in much subtler ways. There's nothing worse than to know that the player you've competed with all this time had a slight advantage from the start.
And it is possible to silently put you into a cheating game match maker, so that you only ever match with other cheaters. This, to me, is prob. the better outcome than outright banning (which means the cheater just comes back with a new account). Silently moving them to a cheater queue is a good way to slow them down, as well as isolate them.
Not with 100% accuracy. This means some legitimate players would be qualified as potentially cheating.
You don't have to play with wallhacks constantly on, you can toggle. And it doesn't detect cases where you're camping with an AWP and have 150ms response time instead of 200ms. Sometimes people are just having a good day.
> cheating game match maker
This is already a thing. In CS2, you have a Trust Factor. The lower your trust factor is, the bigger the chance you will be queued with/against cheaters.
They won way more than they lost, people who left got given a free pass for ratting the remaining people out.
Not sure what your point is. Most of your post is inaccurate, DMA cheats represent the minority of cheats because they're very expensive and you need a second computer.
The scene has shifted immensely in the last few years, everyone and their grandmother has DMA now, I mean you can buy these off amazon now. Korean's are a bit stuck since most of them use gaming cafes so they've been slow adopters, but cafe shops have the benefit of using an old version of hyper-v which allows you to just use the method described above. Hyper-V cheats are the most popular for valorant.
I would argue that valorant and overwatch are pretty much on the same level based on what it feels to play. I've seen just as many visible cheaters in valorant as in overwatch. Although I will admit that I am pretty outdated myself since around mid 2025. Valorant allows you to ** around so that might be related, overwatch bans rage hackers way faster than valorant does as well.
So no, my post is pretty accurate.
I did main support and tank at master level in OW and beside esp there is 0 benefit of cheating.
Mucking about in the kernel basically bypasses the entire security and stability model of the OS. And this is not theoretical, people have been rooted through buggy anticheats software, where the game sent malicious calls to the kernel, and hijacked to anti cheat to gain root access.
Even in a more benign case, people often get 'gremlins', weird failures and BSOD due to some kernel apis being intercepted and overridden incorrectly.
The solution here is to establish root of trust from boot, and use the OSes sandboxing features (like Job Objects on NT and other stuff). Providing a secure execution environment is the OS developers' job.
Every sane approach to security relies on keeping the bad guys out, not mitigating the damage they can do once they're in.
I really thought this might change over time given strong desire for useful attestation by major actors like banks and media companies, but apparently they cannot exert the same level of influence on the PC industry as they have on the mobile industry.
Secure boot with software attestation could also be used for good.
There should be a physical button inside the case labeled "set up secure boot"
The vast, vast majority of skilled FPS players will predict their shots and shoot where they think the enemy player will be relative to the known hit detection of the game. In high level play for something like r6 siege, I’d say it’s 99% shooting before you can possibly know where they are by “feeling”
The reason cheating is a problem at all is that instead of playing with friends, you use online matchmaking to play with equally alienated online strangers. This causes issues well in excess of cheating, including paranoia over cheating.
To you. I’m perfectly happy to run a kernel level anticheay - I’m already running their code on my machine, and it can delete my files, upload them as encrypted game traffic, steal my crypto keys, screenshot my bank details and private photos all without running at a kernel level.
> trying to solve a social problem with technology
I disagree. I’m normally on the side of not doing that but increasing the player pool and giving players access to more people at the their own skill level is a good thing
The thing about gaming is that it’s not acceptable to leave 5% performance on the table whereas for other uses it usually is.
> And I do want a high end PC for other use cases.,
Right, you don't want two devices (that's fair). How can you _possibly_ trust the locked down device won't interfere with the other open software it's installed side by side with?
Also you can plug a mouse in a console… that's a weird excuse.
I think that’s an incredibly rare stance not held by the vast majority of gamers, including competitive ones.
That would mean those who are concerned about the integrity would want to sandbox everything else instead. And even if people are ok with giving up a small bit of perf when gaming, I’m sure they’re even more happy to give up perf when doing online banking.
The security of PCs is still poor. Even if you had every available security feature right now it's not enough for the game to be safe. We still need to wait for PCs to catch up with the state of the art, then we have to wait 5+ years for devices to make it into the wild to have a big enough market share to make targeting them to be commercially viable.
That’s not true at all in the field of cybersecurity in general, and I have doubts that it’s true in the subset of the field that has to do with anticheat.
If you got RCE in the game itself, it's effectively game over for any data you have on the computer.
https://xkcd.com/1200/
Hot take: It's also totally unnecessary. The entire arms race is stupid.
Proper anti-cheat needs to be 0% invasive to be effective; server-side analysis plus client-side with no special privileges.
The problem is laziness, lack of creativity and greed. Most publishers want to push games out the door as fast as possible, so they treat anti-cheat as a low-budget afterthought. That usually means reaching for generic solutions that are relatively easy to implement because they try to be as turn-key as possible.
This reductionist "Oh no! We have to lock down their access to video output and raw input! Therefore, no VMs or Linux for anyone!" is idiotic. Especially when it flies in the face of Valve's prevailing trend towards Linux as a proper gaming platform.
There's so many local-only, privacy-preserving anti-cheat approaches that can be done with both software and dirt cheap hardware peripherals. Of course, if anyone ever figures that out, publishers will probably twist it towards invasive harvesting of data.
I'd love to be playing Marathon right now, but Bungie just wholesale doesn't support Linux nor VMs. Cool. That's $40 they won't get from me, multiply by about 5-10x for my friends. Add in the negative reviews that are preventing the game's Steam rating from reaching Overwhelmingly Positive and the damage to sales is significant.
People always freak out when I mention secure boot, and the funniest response usually are the ones who threaten to abandon Windows for macOS (which has had secure boot for more than a decade by default)
I'm not super technically knowledgeable about secure boot, but as far as I understand, you need to have a kernel signed by a trusted CA, which sucks if you want to compile your own, but is a hurdle generally managed by your distro, if you're willing to use their kernel.
But if all else fails you can always disable secure boot.
It'd be really interesting to see what would happen - for instance, what fraction of players would pick each pool during the first few weeks after launch, and then how many of them would switch after? What about players who joined a few months or a year after launch?
Unfortunately, pretty much the only company that could make this work is Valve, because they're the only one who actually cares for players and is big enough that they could gather meaningful data. And I don't think that even Valve will see enough value in this to dedicate the substantial resources it'd take to try to implement.
This is roughly what Valve does for CS2. But, as far as I understand, it's not very effective and unfortunately still results in higher cheating rates than e.g. Valorant.
The example still kind of applies. In the CS world, serious players use Faceit for matchmaking, which requires you to install a kernel-level anticheat. This is basically what you're suggesting, but operated by a 3rd party.
But so far that still seems to be miles away.
The primary one is a standard user-mode software module, that does traditional scanning.
The AI mechanism you're referring to is these days referred to as "VAC Live" (previously, VACNet). The primary game it is deployed on is Counter-Strike 2. From what we understand, it is a very game-dependent stack, so it is not universally deploy-able.
But anyway counterstrike did have community policing of lobbies called overwatch - https://counterstrike.fandom.com/wiki/Overwatch
It was terrible as it required the community to conclude beyond reasonable doubt the suspect was cheating, and cheats today are sophisticated enough to make that conclusion very difficult to make
And the way community policing worked in the past is that the "police" (refs) could just kick or ban you. They don't need a trial system if the community doesn't want that.
I guess I didn't exactly make that clear...
A few of the arguments advanced by the "anti-anticheat" crowd that inevitably pops up in these threads are "anticheat is ineffective so there's no point to using it" and "anticheat is immoral because players aren't given a choice to use it or not and most of them would choose to not use it".
I don't believe that either of these are true (and given the choice I would almost never pick the no-anticheat queue), but there's not a lot of good high-quality data to back that up. Hence, the proposal for a dual-queue system to try to gather that data.
Putting in the community review of the no-anticheat pool is just to head off the inevitable goalpost-moving of "well of course no system would be worse than a crappy system (anticheat), you need to compare the best available alternative (community moderation)".
My understanding of the proposal is that it advertises no invasive anticheat (meaning mostly rootkit/kernel anticheat). So, the value proposition is anyone who doesn't want a rootkit on their computer. This could be due to anything from security concerns to desiring (more) meaningful ownership of one's devices.
Community moderation simply doesn't work at scale for anticheat - in level of effort required, root cause detection, and accuracy/reliability.
I rather play with cheaters here and there than install some kernel level malware on machine just to make sure EA, Activision, et al can keep raking in money hand over fist.
Or better yet, I can just play on console where there is no cheating that I have ever seen.
Not everyone enjoys that, and that’s fine, but acting like it’s somehow unnatural or pointless feels way off.
> So very often with these hyper competitive games played between strangers competing for global ranking, the whole thing turns very toxic, with gamers often seeming to not even enjoy the moment to moment process, often raging at their incompetent team mates or raging at their opponents for supposedly cheating, or whathaveyou.
This is very true! I'll further grant that many competitive video games have pain points that fester this. Competition, facing failure, and recognizing that what they perceived to be a fair challenge wasn't so (e.g. cheating) does sometimes out the worst in people.
However, my point is that competition, and enjoying it, is something that's been fundamentally human for all our recorded history. The sensation of straining against the edge of your capabilities, to overcome a wall, and then succeeding even just barely is supreme. Competitive video games are just a subset of activities that appeal to this. And I think just as much as they are infuriating, they are also good!
Moreover, competitive video games can also be fairly social. Playing a chiller game with friends is one way to socialize, that I have nothing against. But there's also special bonds that are forged through shared struggle, even minor. For example, the fighting game community has a very strong local scene. If you can play fighting games, in most major cities in NA you can attend your local and make friends. With team competitive games, invite your homies.
Once again, I definitely do not dispute that competitive video games can be toxic. Especially in today's online culture. Taking fighting games as an example again, the online, anonymous, communities can be quite toxic. Ah, now that I've written this far, I'm realizing that maybe I've missed your point? Are you saying that it's specifically the strangers, that you never get to know and therefore trust, that makes this worse off?
Cheaters are by definition anomalies, they operate with information regular players do not have. And when they use aimbots they have skills other players don't have.
If you log every single action a player takes server-side and apply machine learning methods it should be possible to identify these anomalies. Anomaly detection is a subfield of machine learning.
It will ultimately prove to be the solution, because only the most clever of cheaters will be able to blend in while still looking like great players. And only the most competently made aimbots will be able to appear like great player skills. In either of those cases the cheating isn't a problem because the victims themselves will never be sure.
There is also another method that the server can employ: Players can be actively probed with game world entities designed for them to react to only if they have cheats. Every such event would add probability weight onto the cheaters. Ultimately, the game world isn't delivered to the client in full so if done well the cheats will not be able to filter. For example: as a potential cheater enters entity broadcast range of a fake entity camping in an invisible corner that only appears to them, their reaction to it is evaluated (mouse movements, strategy shift, etc). Then when it disappears another evaluation can take place (cheats would likely offer mitigations for this part). Over time, cheaters will stand out from the noise, most will likely out themselves very quickly.
So are very good players, very bad players, players with weird hardware issues, players who just got one in a million lucky…
When you have enough randomly distributed variables, by the law of big numbers some of them will be anomalous by pure chance. You can't just look at any statistical anomaly and declare it must mean something without investigating further.
In science, looking at a huge number of variables and trying to find one or two statistically significant variables so you can publish a paper is called p hacking. This is why there are so many dubious and often even contradictory "health condition linked to X" articles.
They will all cluster in very different latent spaces.
You don't automatically ban anomalies, you classify them. Once you have the data and a set of known cheaters you ask the model who else looks like the known cheaters.
Online games are in a position to collect a lot of data and to also actively probe players for more specific data such as their reactions to stimuli only cheaters should see.
But a good way of solving this in community managed multiplayer games is this: if a player is extremely good to the point where it’s destroying the fun of every other player: just kick them out.
Unfair if they weren’t cheating? Sure. But they can go play against better players elsewhere. Dominating 63 other players and ruining their day isn’t a right. You don’t need to prove beyond reasonable doubt they’re cheating if you treat this as community moderation.
it is, if you're not cheating and is in fact just that good. That's called competitive sports, which participants voluntarily engage in.
If a community manages a server, it’s basically private property. And community managed servers are always superior to official publisher-managed servers. Anticheat - or just crowd management - is done hands on in the server rather than automated, async, centralized.
Buying the game might mean you have a ”right” to play it, but not on my server you don’t.
People who engage in competitive sports all agree to it. Most people want to play for fun. They have a natural right to do so.
I’m talking about normal old fashioned server administration now, I.e people hosting/renting their game infra and doing the administration: making rules, enforcing the rules by kicking and banning, charging fees either for vip status meaning no queuing etc, or even to play at all.
> With that goal in mind, we released a patch as soon as we understood the method these cheats were using. This patch created a honeypot: a section of data inside the game client that would never be read during normal gameplay, but that could be read by these exploits. Each of the accounts banned today read from this "secret" area in the client, giving us extremely high confidence that every ban was well-deserved.
https://www.dota2.com/newsentry/3677788723152833273
Valve has spent a lot of time and money on machine learning models which analyze demo files (all inputs). Yet Counter-Strike is still infested with cheaters. I guess we can speculate that it's just a faulty implementation, but clearly the problem isn't just "throw a ML model at the problem".
Behavioral analysis is way harder in practice than it sounds, because most closet cheaters do not give enough signal to stand out, and the clusters are moving pretty fast. The way people play the game always changes. It's not the problem of metric selection as it might appear to an engineer, you need to watch the community dynamics. Currently only humans are able to do that.
The problem is that traditional cheats (aimbot, wallhack, etc.) give users such a huge edge that they are multiple standard deviations from the norm on key metrics. I agree with you on that and there are anticheats that look for that exact thing.
I've also seen anticheats where flagged users have a session reviewed. EG you review a session with "cheats enabled" and try to determine whether you think the user is cheating. This works decently well in a game like CS where you can be reasonably confident over a larger sample size whether a user is playing corners correctly, etc.
The issue with probing for game world entities is that at some point, you have to resolve it in the client. EG "this is a fake player, store it in memory next to the other player entities but don't render this one on screen." This exact thing has happened in multiple games, and has worked as a temporary solution. End of the day, it ends up being a cat and mouse game. Cheat developers detect this and use the same resolution logic as the game client does. Memory addresses change, etc. and the users are blocked from using it for a few hours or a few days, but the developer patches and boom, off to the races.
These days game hacks are a huge business. Cheats often are offered as a subscription and can rank from anywhere from 10-hundreds of dollars a month. It's big money and some of the larger hack manufacturers are full blown companies which can have tens of thousands of customers. It's a huge business.
I think you're realistically left with two options. Require in-person LAN matches with hardware provided by the tournament which is tamper-resistant. Or run on a system so locked down that cheats don't exist.
Both have their own problems... In-person eliminates most of that risk but it's always possible to exploit. Running on a system which is super locked down (say, the most recent playstation) probably works, until someone has a 0day tucked away that they hoard specifically for their advantage. An unlikely scenario but with the money involved in some esports... Anything is possible.
https://www.documentcloud.org/documents/24698335-la22cv00051...
This is not well done. Only the server should be able to tell what the honeypot is. The point is to spawn an entity for one or more clients which will be 100% real for them but would not matter because without cheats it has no impact on them whatsoever. When the world evolves such that an impact becomes more likely then you de-spawn it.
This will only be possible if the server makes an effort to send incomplete entity information (I believe this is common), this way the cheats cannot filter out the honeypots. The cheats will need to become very sophisticated to try and anticipate the logic the server may use in its honeypots, but the honeypot method is able to theoretically approach parity with real behavior while the cheat mitigations cannot do that with their discrimination methods (false positives will degrade cheater performance and may even leak signal as well).
For example you can use a player entity that the client hasn't seen yet (or one that exited entity broadcast/logic range for some time) as a fake player that's camping an invisible corner, then as the player approaches it you de-spawn it. A regular player will never even know it was there.
Another vector to push is netcode optimizations for anti-cheating measures. To send as little information as possible to the client, decouple the audio system from the entity information - this will allow the honeypot methods to provide alternative interpretations for the audio such as a firefights between ghosts only cheaters will react to. This will of course be very complex to implement.
The greatest complexity in the honeypot methods will no doubt be how to ensure no impact on regular players.
No amount of netcode can solve the fact that if I see you on my screen and you didn’t see me, it’s going to feel unfair.
Anyway, this isn’t the Olympics, a professional sport, or Chess. It’s more like pickup league. Preserving competitive purity should be a non-goal. Rather, aim for fun matches. Matchmaking usually tries to find similar skill level opponents anyway, so let cheaters cheat their way out of the wider population and they’ll stop being a problem.
Or, let players watch their killcams and tag their deaths. Camper, aimbot, etc etc. Then (for players that have a good sample size of matches) cluster players to use the same tactics together.
Treating games like serious business has sucked all the fun out of it.
Matching based on skill works only as long as you have an abundance of players you can do that based on. When you have to account for geography, time of day, momentary availability, and skill level, you realize that you have fractured certain players far too much that it’s not fun for them anymore. Keep in mint that “cheaters” are also looking for matches that would maximize their cheats. Maybe it’s 8PM Pacific Time with tons of players there, but it’s 3 AM somewhere else with much limited number of players. Spoof your ping and location to be there and have fun sniping every player in the map. Sign up for new accounts on every play, who cares. Your fun as a cheater is to watch others lose their shit. You’re not building a character with history and reputation. You are heat sniping others while they are not realizing it. It may sound limited in scope and not worth the effort for you, but it’s millions of people out there tht ruin the game for everyone.
Almost every game I know of lets players “watch their kill cam”, and cheaters have adapted. The snipped people have a bias to vote the sniper was cheating, and the snipers have a bias to vote otherwise. Lean one way or the other, and it’s another post on /r/gaming of how your game sucks.
Unpopular opinion: cheaters don’t, griefers do.
“Cheater” is a pejorative for someone who sidesteps the rules and uses technology instead of, uh, pardon a potentially word choice, innate skills. They don’t inherently want to see others suffer as they stomp - it’s a matchmaking bug they’re put where they don’t belong. They just want to do things they cannot do on their own, but what are technically possible. A more positive term for that is a “hacker”.
Griefers are a different breed, they don’t just enjoy own success but get entertained by others’ suffering. Not a cheating issue TBH (cheats merely enable more opportunities), more like “don’t match us anymore, we don’t share the same ideas of fun” thing. “Black hat” is close enough term I guess.
YMMV, but if someone performs adequately for my skill levels (that is, they also don’t play well) then they don’t deprive me of any fun irrespective of how they’re playing.
They have inhuman skills usually paired with terrible game IQ and generally awful toxicity. They get boosted up to play with intelligent players purely because they can hold a button to outplay. It gets to the point where you have a player on your team who has no idea how to play but is mechanically good and it breaks the entire competitiveness of the game.
Cheaters want to dominate other players, feel like they deserve to dominate other players and are perfectly happy for other players to suffer as long as they feel good.
Best I’ve ever seen was some online discussions about motives, but I never compiled any statistics out of random anecdotes (that must be biased and probably not representative).
Are players who take advantage of developer-supplied aim assist and other assistive technologies "motivated by a toxic sense of self regard and a desire to humiliate others"?
Gonna have to ponder if people who aren't cheating are cheaters.
In a 5v5 shooter this ruins 9 people’s game along the way, times however many games this takes. Enough people do this and the game is ruined
> or let players watch their killams and tag their deaths
Players are notoriously bad at this stuff. Valve tried it with “overwatch” and it didn’t work at all.
Forgetting about anti cheat for a minute though, may hamming for different behaviours is a super interesting topic in itself. It’s very topical right now [0] and a fairly divisive topic. Most games with a ranked mode already do this - there’s a hidden MMR for unranked modes that is match made on, and players self select into “serious” or “non serious” queues. It works remarkably well - if you ever read people saying that Quick Play is unplayable it proves that the separate queues are doing a good job of keeping the two groups separate!
[0] https://www.pcgamer.com/games/third-person-shooter/arc-raide...
I agree that killcam tagging is not great for, like, actual “you are breaking the rules” type enforcement (because, yeah, players will generate a ton of false-positives). But if players had a list of traits and match-making tried to minimize some distance in the trait space (admitting it could’ve be perfect), it might result in more fun matches.
Valve did it for CS, and it was called overwatch, sorry. [0]
[0] https://counterstrike.fandom.com/wiki/Overwatch#Verdict
Yes, its prize pool is order of magnitude higher than either of Olympics sports or Chess.
I grew up with star trek and star wars wondering what a “I’ll transfer 20 units to you” meant. Bitcoin was an eye opener in the idea of “maybe this is possible” to me. But it shortly became true to me that it’s not the case. There is no way still for random agents to prove they are not malicious. It’s easier in a network within the confines of Bitcoin network. But maybe I’m not smart enough to come up with a more generalized concept. After all, I was one of the people who read the initial bitcoin white paper on HN and didn’t understand it back then and dismissed it.
I have always wondered why more companies don't do trust based anti cheat management. Many cheats are obvious from anyone in the game, you see people jumping around like crazy, or a character will be able to shoot through walls, or something else that impossible for a non-cheater to do.
Each opponent in the game is getting the information from the cheating player's game that has it doing something impossible. I know it isn't as simple as having the game report another player automatically, because cheaters could report legitimate players... but what if each game reported cheaters, and then you wait for a pattern... if the same player is reported in every game, including against brand new players, then we would know the were a cheater.
Unless cheaters got to be a large percentage of the player population, they shouldn't be able to rig it.
Players in some games with custom servers run webs of trust (or rather distrust, shared banlists). They are typically abused to some degree and good players are banned across multiple servers by admins acting in bad faith or just straight up not caring. This rarely ends well.
I used to run popular servers for PvP sandbox games and big communities, and we used votebans/reports to evict good players from casual servers to anarchy ones, where they could compete, but a mod always had to approve the eviction using a pretty non-trivial process. This system was useless for catching cheaters, we got them in other ways. That's for PvP sandboxes - in e-sports grade games reports are useless for anything.
Out of curiosity I did a quick internet search and a couple of months ago a new wave of bots has emerged. Those bots also join as majority group but never fully join the game, they simply take up slots in a team, preventing others from joining. Makes you wonder why the server isn't timing them out.
I played COD4 a lot, though not competitively. I used to say that I had a bad day if I didn't get called a cheater once.
I didn't cheat, never have, but some people are just not aware of where the ceiling is.
The cheaters that annoyed us back then were laughably obvious. They'd just hold the button with a machine gun and get headshots after headshots, or something blatant like that.
True of everything. Getting good just lets you see the skill gaps. I've sunk a serious chunk of time into both pool and chess. In both I'd be willing to take a bet that I can beat the median player with my eyes closed (in pool, closing them after walking the table but before getting down on the shot).
And in both of those activities, there are still like 10-20 levels of "person at skill level A should always win against person at skill level B" between me and someone who is ACTUALLY good at pool or chess. Being charitable, in the grand scheme of things I might be an intermediate player.
[0]: https://steamdb.info/patchnotes/14178987/
And even that's the (relatively) straightforward part. The hard part is doing this without injuring the kernel enough that the only sensible solution for the security conscious is a separate PC for gaming.
Problem is that only works if the two OSes are different (Windows vs Linux) or else they can just stomp each other
That solution only works on servers hosted by players - I've never seen huge game companies that run their own servers (like GTA) have dedicated server admins. I guess they think they can just code cheaters out of their games, but they never can.
(Not being sarcastic.)
Sort of like nuclear weapons
https://www.forbes.com/sites/paultassi/2025/01/20/elon-musk-...
Kernel anti-cheat isn't an elegant solution either. It's another landmine, security holes, false positives, broken dev tools, and custody battles with Windows updates while pushing more logic server-side still means weeks of netcode tuning and a cascade of race conditions every time player ping spikes, so the idea that this folds to "better code disipline" is fantasy.
I play fps competitively and valorant is by far the most least cheater fps game on the market
nothing perfect in software world and this is the best tool for its job
if your pc is so important then maybe don't install these particular software
its all about trade off
Kernel level anticheat isn't a silver bullet, either. It just simplifies the work of the anticheat programmers. I personally think that the silver bullet is behavioral anticheat and information throttling (don't send the player information about other players that he can't see/hear)
if you can design a better one without drawback then you could try to release a better one
It's kind of weird that we still don't have distributed computing infrastructure. Maybe that will be another thing where agents can run near the data their crunching on generic compute nodes.
> The general simplistic answer from those who never had to design such a game or a system of “do everything on the server” is laughably bad.
What “Netflix did” was having dead-simple static file serving appliance for ISPs to host with their Netflix auth on top. In their early days, Netflix had one of the simplest “auth” stories because they didn’t care.
It would add some latency but could be opt-in for those that care enough for all players in a match to take the hit.
You can't make a competitive fps game with a dumb terminal, it can't work because the latency is too high so that's why you have to run local predictive simulation.
You don't want to wait the server to ack your inputs.
There's an exception with fighting games. Fighting games generally don't have server simulations (or servers at all), but every single client does their own full simulation. And 2XKO and Dragon Ball FighterZ have kernel anti cheat.
Well I'm just nitpicking and it's different because it's one of the few competitive genres where the clients do full game state simulations. Another being RTS games.
It works fine for LAN but as soon as the connection is further than inside your house, it’s utterly horrible.
Okay, chill. I'm willing to believe that anti-cheat software is "sophisticated", but intercepting system calls doesn't make it so. There is plenty of software that operates at elevated privilege and runs transparently while other software is running, while intentionally being unsophisticated. It's called a kernel subsystem.
Kernel anticheat does work. It takes 5 seconds to look at Valve's record of both VAC (client based, signature analysis) and VACNet (machine learning) to know the cheating problem with those technologies is far more prevalent than platforms that use kernel level anticheat (e.g. FACEIT, vanguard). Of course, KLAC is not infallible - this is known. Yes, cheats do (and will continue to) exist. However, it greatly raises the bar to entry. Kernel cheats that are undetected by FACEIT or vanguard are expensive, and often recurring subscriptions (some even going down to intervals as low as per day or week). Cheat developers will 99% of the time not release these publicly because it would be picked up and detected instantly where they could be making serious money selling privately. As mentioned in the article, with DMA devices you're looking at a minimum of a couple hundred dollars just for hardware, not including the cheat itself.
These are video games. No one is forcing you to play them. If you are morally opposed to KLAC, simply don't play the game. If you don't want KLAC, prepare to have your experience consistently and repeatedly ruined.
They solve a real problem (cheats running at higher privilege levels), but at the same time they introduce a massive trusted component into the OS. You're basically asking users to install something that behaves very much like a rootkit, just with a defensive purpose.
I was not aware that attackers could potentially manipulate attestation! How could that be done? That would seemingly defeat the point of remote attestation.
https://tee.fail/
Defeating remote attestation will be a key capability in the future. We should be able to fully own our computers without others being able to discriminate against us for it.
There is guidance on "Active" attacks [1], which is to set up your TPM secrets so they additionally require a signature from a secret stored securely on the CPU. But that only addresses secret storage, and does nothing about the compromised measurements. I also don't know what would be capable of providing the CPU secret for x86 processors besides... an embedded/firmware TPM.
[1] https://trustedcomputinggroup.org/wp-content/uploads/TCG_-CP...
A more sophisticated attacker could plausibly extract key material from the TPM itself via sidechannels, and sign their own attestations.
But the main point there is that this setup is prohibitively expensive for most cheaters.
It is not "fake", a software TPM is real TPM but not accepted/approved by anticheat due to inability to prove its provenance
(Disclosure: I am not on the team that works on Vanguard, I do not make these decisions, I personally would like to play on my framework laptop)
(https://mag.uchicago.edu/billiards)
Himata is correct, too. After DMA-based stuff, it'll be CPU debugging mode exploits like DCI-OOB, some of which can be made detectable in kernel mode; or, stealthier hypervisors.
Now industry propaganda has gamers installing them voluntarily.
See https://github.com/ufrisk/pcileech
https://www.vice.com/en/article/fs-labs-flight-simulator-pas...
Company decides to "catch pirates" as though it was police. Ships a browser stealer to consumers and exfiltrates data via unencrypted channels.
https://old.reddit.com/r/Asmongold/comments/1cibw9r/valorant...
https://www.unknowncheats.me/forum/anti-cheat-bypass/634974-...
Covertly screenshots your screen and sends the image to their servers.
https://www.theregister.com/2016/09/23/capcom_street_fighter...
https://twitter.com/TheWack0lian/status/779397840762245124
https://fuzzysecurity.com/tutorials/28.html
https://github.com/FuzzySecurity/Capcom-Rootkit
Yes, a literal privilege escalation as a service "anticheat" driver.
Trusting these companies is insane.
Every video game you install is untrusted proprietary software that assumes you are a potential cheater and criminal. They are pretty much guaranteed to act adversarially to you. Video games should be sandboxed and virtualized to the fullest possible extent so that they can access nothing on the real system and ideally not even be able to touch each other. We really don't need kernel level anticheat complaining about virtualization.
You do not need kernel access to make spyware that takes screenshots. You do not need a privileged service to read the user’s browser history.
You can do all of this, completely unprivileged on Windows. People always seem to conflate kernel access with privacy which is completely false. It would in fact be much harder to do any of these things from kernel mode.
There are far better ways to detect cheating, such as calculating statistics on performance and behaviour and simply binning players with those of similar competency. This way, if cheating gives god-like behaviour, you play with other godlike folks. No banning required. Detecting the thing cheating allows is much easier than detecting ways in which people gain that thing, it creates a single point of detection that is hard to avoid and can be done entierly server side, with multiple teirs how mucb server side calculation a given player consumes. Milling around in bronze levels? Why check? If you aren't performing so well that yoh can leave low ranks, perhaps we need cheats as a handicap, unless co sistently performing well out of distribution, at which point you catch smurfing as well.
point is focusing on detecting the thing people care about rather than one of the myriad of ways people may gain that unfair edge, is going to be easier and more robust while asking for less ergregious things of users.
It usually takes months, if not years for cheaters to get banned, but it takes a couple of dollars for a cheater to get a new account and start cheating again. Every time Valve fine tunes their models, they end up accidentally banning more innocent players in the process, so nobody has trust in that system anyways. There's too many datapoints to handle in competitive games, and there is no way to set a threshold that doesn't end up hurting innocent people in the process.
Anti-cheat is not used to "protect" bronze level games. FACEIT uses a kernel level anti cheat, and FACEIT is primarily used by the top 1% of CS2 players.
A lot of the "just do something else" crowd neglects to realize that anticheat is designed to protect the integrity of the game at the highest levels of play. If the methods you described were adequate, the best players wouldn't willingly install FACEIT - they would just stick with VAC which is user-level.
> There are far better ways to detect cheating, such as calculating statistics on performance
Ask any CS player how VAC’s statistical approach compares to Valorant’s Vanguard and you will stop asserting such foolishness
The problem with what you are saying is that cheaters are extremely determined and skilled, and so the cheating itself falls on a spectrum, as do the success of various anticheat approaches. There is absolutely no doubt that cheating still occurs with kernel level anticheats, so you’re right it didn’t “solve” the problem in the strictest sense. But as a skilled player in both games, only one of them is meaningfully playable while trusting your opponents aren’t cheating - it’s well over an order of magnitude in difference of frequency.
Simply put, the game companies want to own our machines and tell us what we can or can't do. That's offensive. The machine is ours and we make the rules.
I single out kernel level anticheats because they are trying to defeat the very mitigations we're putting in place to deal with the exact problems you mentioned. Can't isolate games inside a fancy VFIO setup if you have kernel anticheat taking issue with your hypervisor.
By this same logic: As far as I'm concerned, if the game developer only wants to allow players running anticheat to use their servers then they're just exercising their god given rights as the owner of the server.
My position is this is unfair discrimination that should be punished with the same rigor as literal racism. Video games are the least of our worries here. We have vital services like banks doing this. Should be illegal.
You can argue about the methods used for anticheat, but your comment here is trying to defend the right to cheat in online games with other people. Just no.
I rather suspect that the reason for this is the current gaming economy of unlockable cosmetics that you can either grind for, or pay for. If people can cheat in single player or PvE, they can unlock the cosmetics without paying. And so...
Don't play with untrusted randoms. Play with people you know and trust. That's the true solution.
Kernel level AC is a compromise for sure and it's the gamers job to assess if the game is worth the privacy risk but I'd say it's much more their right to take that risk than the cheaters right to ruin 9 other people's time for their own selfish amusement
If it kills online gaming, then so be it. I accept that sacrifice. The alternative leads to the destruction of everything the word hacker ever stood for.
You are hijacking this thread about VOLUNTARY ceasing of freedom as if the small community even willing to install these is a slippery slope to something worse. You have a point when it comes to banking apps on rooted phones and I'm with you on that but this is not the thread for it
Do you have evidence valve is working to infect the linux kernel for everyone?
Mind you, it doesn't mean that the Linux kernel will be "infected for everyone". It means that we'll see the desktop Linux ecosystem forking into the "secure" Linux which you don't actually have full control of but which you need to run any app that demands a "secure" environment (it'll start with KAC but inevitably progress to other kinds of DRM such as video streaming etc). Or you can run Linux that you actually control, but then you're missing on all those things. Similar to the current situation with mainline Android and its user-empowering forks.
> Or you can run Linux that you actually control, but then you're missing on all those things
We cannot allow this stuff to be normalized. We can't just sit by and allow ourselves to be discriminated against for the crime of owning our own devices. We should be able to have control and have all of those nice things.
Everything is gonna demand "secure" Linux. Banks want it because fraud. Copyright monopolists want it because copyright infringement. Messaging services want it because bots. Government wants it because encryption. At some point they might start demanding attestation to connect to the fucking internet.
If this stuff becomes normal it's over. They win. I can't be the only person who cares about this.
People can dual boot, what's wrong with a special gaming linux distribution?
You may think it's your "god-given right" to cheat in multiplayer games, but the overwhelming majority of rational people simply aren't going to play a game where every lobby is ruined by cheaters.
The computers are supposed to be ours. What we say, goes. Cheating may not be moral but attempts to rob us of the power that enables cheating are even less so.
Anti cheat don't run on modern console, game dev knoes that the latest firmware on a console is secure enough so that the console can't be tempered.
This is the exact sort of nonsense situation I want to prevent. We should own the computers, and the corporations should be forced to simply suck it up and deal with it. Cheating? It doesn't matter. Literal non-issue compared to the loss of our power and freedom.
It's just sad watching people sacrifice it all for video games. We were the owners of the machine but we gave it all up to play games. This is just hilarious, in a sad way.
Remote attestation is the ultimate surrender. It's not really your machine anymore. You don't have the keys to the machine. Even if you did, nobody would trust attestations made by those keys anyway. They would only trust Google's keys, Apple's keys. You? You need not apply.
The harder thing probably is getting a dataset for “all x64/ARM64 Windows drivers that aren’t already considered vulnerable”.
Also it depends what’s considered a vulnerability here.
The article doesn’t go too in depth on the actually interesting things modern anticheats do.
In addition:
- you can’t really expect .text section of game/any modules except maybe your own to be 100% matching one on disk, because overlays will hook stuff like render crap (fun fact for you: Steam will also aggressively hook various WinAPI stuff presumably for VAC, at least on CS2)
This seems much more doable today than in the past as machines boot in moments. Switching from secure "xbox mode" to free form PC mode, would be barely a bump.
Now, I see one major difference, heterogenous vs homogenous hardware (and the associated drivers that come with that). In the xbox world, one is dealing with a very specific hardware platform and a single set of drivers. In the PC world (even in a trusted secure boot path), one is dealing with lots of different hardware and drivers that can all have their exploits. If users are more easily able to modify their PCs and set of drivers one, I'd imagine serious cheaters would gravitate to combinations they know they can exploit to break the secure/trusted boot boundary.
I wonder if there are other problems.
Well it's definitely not game developer written kernel anti-cheat on consoles.
Play games which are beyond that: dota2, cs2 for instance.
On linux, there is a new syscall which allows a process to mmap into itself the pages of another process (I guess ~same effective UID and GID). That is more than enough to give hell to cheats...
But any of that can work only with a permanent and hard working "security" team. If some game devs do not want to do that, they should keep their game offline.
How about this: Instead of third-party companies installing their custom code to fuck with my operating system,
How about just having the OS offer an API that a game can request to reboot the OS into "console mode": A single-user, single-application mode that just runs that game only.
Similar to how consoles work.
That mode could be reserved for competitive ranked multiplayer only.
They also have VM checks. I "accidentally" logged into MGM from a virtual machine. They put my account on hold and requested I write a "liability statement" stating I would delete all "location altering software" and not use it again. (Really!)
looking at cards is a way easier problem than rendering a 3d world with other players bouncing around. I imagine you could just send the card player basially a screenshot of what you want them to see and give them no other data to work with and that would mostly solve cheating.
But gambling can be way more complicated than just looking at cards so maybe there's a lot more to it.