Forgot your password?
typodupeerror
Games Entertainment

Game Developers Cracking Down on Cheating 510

Posted by michael
from the attack-troll-with-rusty-knife dept.
Hector73 writes "ZDNet has an article discussing a growing concern for the makers of on-line video games. Cheaters and trolls are making it harder for casual users and newbies to get hooked on the on-line versions of games. Considering that on-line gaming may become the major revenue source for game makers over the few years, maybe they will actually do something about it."
This discussion has been archived. No new comments can be posted.

Game Developers Cracking Down on Cheating

Comments Filter:
  • One method (Score:2, Insightful)

    I suppose it's not an optimal solution, but you can always lock down the server and only play with people you know. The drawback is, of course, that you won't always have a full server, but then, locking down the server is a good way to manage how much time you spend playing online =)
    • PKI? (Score:5, Interesting)

      by eddy (18759) on Friday June 07, 2002 @04:55PM (#3662144) Homepage Journal

      I agree. Playing with people you know is probably much more fun too.

      The only other solution I see is a -- and you've heard me say this before -- a web of trust. Integrate game-matching / chat and a PKI. Players will sign the keys (this can be abstracted in the GUI of course to make it simple) of players they trust and enjoy playing with.

      Then it is up to the players, some may risk it and play with anyone, others might only play with close friends, and the majority might opt for the middle ground and play with any player within some distance of the web of trust.

      You could do a lot of things with this. A client could chose to play any other client based on the number of signatures and their age (trusting it even if there is no path to it), etc.

      • Re:PKI? (Score:3, Insightful)

        With a solution like this, I see a lot of the "good" players being quite some distance from most webs. I've been accused of cheating quite a few times online, just from being able to aim well and having a few games in a row "in the groove."
    • The trolls take the fun away. I used to have an Unreal Tournament server offered up to anyone who wanted to play. I called it Uncoveror's UT. The cheaters made it no fun. When one of them put a remote access trojan on my server, and I found it, I closed it down. Do these kids think they're funny?
  • Counterstrike (Score:2, Interesting)

    by AKAJack (31058)
    I don't know about you guys, but CSGuard and HLGuard have just about killed Counterstrike for me. If I go into servers without them there's no problem, with them and it's constant crashing.

    I don't mind products to even the playing field (a 12 year old with OGC can ruin a whole game you've been in for hours), but when they interfere with game play, what's the point?
    • I don't know about you guys, but CSGuard and HLGuard have just about killed Counterstrike for me. If I go into servers without them there's no problem, with them and it's constant crashing.

      I dont know what servers you are playing on but I run my own CS server and admin/manage 3 others and I havent had csguard or HLGuard crash my server even once. Agreed There were issues the day 1.4 was released but that was due to needing a metamod update for Adminmod to work.

      Also you have to realise that many server admins dont know or dont follow the hlds server mailing lists so they may be unaware of necessary updates for the different mods they run on the server.

      As for cheating, any form of cheating takes away all the fun in the game. 90% of the people who cheat, dont cheat to get a good score, they cheat to piss off the players who are on the server. HLG and CSG arent *that* accurate , the best anti cheat for CS was Cheating Death and even if the person had cheats it didnt really matter since C-D would disable most of them. But no anti-cheat is as good as an experienced Admin who is playing and who can tell the difference from a cheater and a good player.

      dvNuLL
    • Re:Counterstrike (Score:3, Interesting)

      by rockwall (213803)
      Valve's new anti-cheat seems to be working pretty well. System (the maker of OGC) was saying that it was completely useless, but so far since VAC has been out it has stopped every version of OGC within days. At this rate the cheaters can't possibly keep up, I think that it's only a matter of time before they give up.

      With regard to HLGuard and CSGuard, I have found that they are buggy. For example, when attempting to change your name on a server and using a % in order to have spaces (e.g. Counter%Strike%Player), CSGuard will automatically cause your Half Life to quit. And one of the latest revisions of VAC kicks people off with no cheats installed -- this has happened to me. But eventually these bugs will be fixed, and pretty soon admins will find that they no longer need to run HL/CSGuard to reliably catch cheaters.
  • by magicsquid (85985) on Friday June 07, 2002 @04:22PM (#3661868) Homepage
    This is precisely why Microsoft announced that all of the Xbox's online games will be run off of Microsoft controller servers. They've seen how cheating can rapidly cause a subscriber base to shrink. By controlling everything themselves they hope to limit the damage done by those looking for ways to cheat. I imagine that just in case anything should go wrong, this means frequent backups that can be restored upon a users requests.
    • Backups? It's not like you can just stop an online game and restore a backup because a single character feels the got ripped off by another player. The online games are fairly integrated and you can't typically just restore one user.

      And in MS's case, I thought they already had something like 500,000 game servers setup. Aren't they running a beta of "crash the server by sending too much data at once v0.5"?
      • It is not for "a single character feels the got ripped off by another player" that one goes to back ups. One goes to backups when a player hacks in a mighty wand of smiting and kills everyone within reach till caught.If you have good enough records you can at the least remove those deaths caused by the renegade player.
    • By controlling everything themselves they hope to limit the damage done by those looking for ways to cheat.

      Isn't that the exact same approach Microsoft takes to Windows security? They think that if they control the code, no-one with be able to find the holes. Security through obscurity...

    • by EXTomar (78739) on Friday June 07, 2002 @04:38PM (#3662031)
      Because nothing guarentees the data getting to their carefully guarded servers is valid if their communication protocol is weak.

      Aim cheats have nothing to do with server stored data. It all has to do with the fact the classic protocols requires all players in the field to tell all other players in the field their positions in the field. If you can snoop the positions of people then you can calculate an accurate "from the hip" shot with merciless robotic accuracy. If an aim cheat isn't possible, then you can just snoop the data and realize where the other players are hiding and their positing.

      The way to beat cheaters is to apply tried and true security practices. Don't trust that the machine on the other end of the connection is really a client(so don't feed it any extra data beyond what it should need to know to function). Don't blindly accept any data coming back from supposed clients(does the client really have "permission" do what it is telling the server to do?).

      Protecting the data is a good thing but just like server farms just locking the machines behind a door isn't enough. You have to secure the lines of transmition as well.
      • I would think, if Microsoft is truly serious about the level of cheating on XBox Live, they'd use an even more basic and time-tested security measure - people. If all the games take place on their servers, this is easy to do (and I'm sure they've already planned for it).

        Imagine how hard it would be for someone to use an aiming cheat or bot in UT if there was a small program that monitored all the scores on a group of servers for cheating. If this program detected someone scoring way out of the norm, an employee of the network could observe the game, see if the guy was really cheating, and then boot him and suspend or cancel his account.

        That's just one example, of course, and other cheats may be harder to track (like the one you mentioned about simply knowing where the other players are). I imagine, however, that MS intends to throw a lot of money (and therefore manpower) into this newest of markets. And if they can make cheaters have to deal with a very serious chance of getting their accounts cancelled through good use of human monitoring, I think they'll win the battle.
      • The way to beat cheaters is to apply tried and true security practices. Don't trust that the machine on the other end of the connection is really a client(so don't feed it any extra data beyond what it should need to know to function). Don't blindly accept any data coming back from supposed clients(does the client really have "permission" do what it is telling the server to do?).

        This isn't always possible, depending on what type of game it is. The other systems need to know certain information, especially if there is any kind of synchronization going on.

        Synchronization is in many ways a good thing, because since each computer does its own calculations individually it really limits what kinds of cheats can be run. You can't make a cheat that boosts your stats becuase your stats will remain normal on my machine, and a desynch will occur the next time your stats effect gameplay.

        However in order for synchronization to work just about all data needs to be shared, which makes the data hacks mentioned above possible.

        On an RTS i was working on recently it was my job to eliminate the map cheat, whereby the user made the entire map visible, giving them a huge advantage. I did this by having each system report the state of its map to the other players and synchornizing that value. It was still possible to cheat and clear the map, but doing so imemdiatly caused you to be booted from the game.

        Although peer to peer is more computationally expensive than client-server models, it does make it easier to control many kinds of cheating.

        And on a side note, given some of the other discusions i've seen on this topic, i thought i would mention that both the producers and i agreed that no cheat detection should be used in single player mode. What do we care what you do with the game on your own time? If cheating is the way you enjoy it most, fine with us. When it becomes our problem is when you try to cheat against others online, and ruin _their_ experience, which they have a right to.

    • by Anonymous Coward
      How can Microsoft turn its back on cheating? I mean, cheating, lying and stealing, that's how they got where they are today!

      Please, Microsoft, give us the freedom to innova... I mean, cheat!

      Monty Burns put it best, "Cheating is a gift Man gives himself!"
    • Since the capability of using one's cable modem with the XBox is there, it's just a matter of attaching the XBox to a hub along with a packet sniffing system, then either alter the packets as they go in/out or just view them. Encryption is poor, since you're sacrificing performance if it's too effective. People already do this with Dark Age of Camelot [darkageofcamelot.com], sniffing the packets and displaying maps on a Linux system, including where enemies are.
    • Precisely...yeah right. You think Microsoft's going to be any better at making cheat-proof servers than the company who wrote the game?

      More than likely, Microsoft just wants to extract more cash for the games.

      As far as frequent backups go, they will NOT be listening to user's requests. No game with a HUGE amount of data is going to listen to ONE customer who gets a "cheater" and needs to restore his data from the previous day, week, whatever. Blizzard runs backups, and the only time they use them is once they've done something and horribly screwed the game up.

      There isn't any real way to stop all cheating. I don't think cheating stops people from playing as much as they think. Cheating pisses people off yes, but what about all the flaws that are in the games as they are designed? People camping out spots where monsters respawn and what-not? That's no fun. Less cheating isn't going to make that aspect of the game any better.

      Cheaters make games suck...but people will still play a good game with cheaters on it. I played Counter-Strike well after all the cheats starting coming out. Eventually, we'd find a place where there weren't cheaters and have a good time. I didn't bother trying to do that with Tribes 2, even though there weren't any cheaters there. If the game's GOOD people will find a community of other players they can play with and they'll have an enjoyable time. If it isn't, they won't, cheating or no cheating.
  • by imta11 (129979)
    Gamers should take power into their own hands. Some people will write cheats, so others have to write anti-cheats, and they don't have to be the fluffy "detect and block" kind either. Some jackasses at my school were cheating at CounterStrike, the only game worth playing, so I took it into my hands to write a little java app that crashes their server whenever they do it. Legal, maybe not, effective hell yes.
    They stoped cheating, we started playing.
    • I used to run a cs server and we had very strict policies towards cheaters - i.e. ip banned, logged, etc. Invariably this would piss them off and they would try to hack into the server. Since we where on a campus network we would promptly report them to the IS guys who would then deactivate their ports. Problem Solved. The problem is lazy admins who don't do anything OR the difficulty in proving somebody is cheating.

      Also, I don't think game developers have taken security into account enough in their games. In the past cheating wasn't a real big deal - you could ruin the game for yourself but not for others. Now, you can ruin a perfectly good 20+ or 1 million+ (diablo 2) game by cheating. Simply put game programmers need to incorporate some type of security systems into their games to prevent this kind of thing.
  • Black ice.
  • Great, now if only we can get rid of the plethora of bots and campers in Quake!
  • Question. (Score:2, Interesting)

    by 3-State Bit (225583)
    Remember dongles of a by-gone era? (They were hardware that would "activate" your game by returning the proper answer to challenges given through the serial/parallel/etc. port).
    Well, why don't gaming industries today make dongles that have /lots/ of the game logic in the hardware? Besides fancy graphics, etc, I bet you could basically /cripple/ a game by having the basic maps/character stats/whatever be controlled by secure hardware attached on a USB slot. Since this solution would cost far less than the $49.95 for which a next-generation game retails today, why don't we see more "cheating isn't possible" solutions based on having lots of the "easy" (low-computing power) solutions based on a dongle attached via USB?
    • Actually, you're on to something here. Most comptuers come standard with MORE than enough USB ports.

      Maybe if they made it so you could plug in your USB dongle into another computer and bring your saved settings and stats too....on the computer there's the game engine and graphics, but the data and networking code (and CD-Key) are encrypted onto a USB dongle with a few megs of flash memory. This would not only make it extremely easy to transfer the game between PCs, without actually copying it. As long as you made the host software not care *what* dongle was attached, it'd be a lot easier. Just check the CRC of certain files on it.

      I bet we'll see something like this in the future.
    • Re:Question. (Score:2, Insightful)

      by BigZaphod (12942)
      There is a reason why dongles aren't used much anymore--they are easy to crack.
    • Dongle? Huh? (Score:2, Insightful)

      by Sendy (31825)
      And what about cracking the dongle? Like that hasn't happened before? Just store the maps on your computer.

      You can't stop someone with tampering software on his own (or her own) computer.

      Just, basically, dongles suck.
    • Re:Question. (Score:4, Informative)

      by Peridriga (308995) on Friday June 07, 2002 @04:37PM (#3662007)
      Dongles, in the historic sense have been cracked/emulated a long time ago.

      A great sound editing software for the Mac was Power Tools. Originally package with a dongle to prevent piracy. The dongle was emulated about 24 hours after the release of the product.

      Now though with the cheap USB storage devices hitting the market the concept of dongles might come back. Although the only way to truely secure it would be with a strong cryptographic code to secure both the device itself and the traffic between the device and the software. Althogh you still come down to the fundemental problem that the information is still passing through the users computer and is open to sniffing and cracking.

      Securing end client software has always been an extremely difficult problem to solve....
    • Still doesn't solve the problem. Even if you have a dongle, then you write some code that sits inbetween the dongle and the network that injects cheated packets and info to the server or lets you see more, etc...
      (as a side note, all usb devices use more cpu then they should)
      You will always be able to reverse engineer the protocol, it will just take more and more effort to do so..
      Could encrypt the network packets as you send them, but someone can still patch the binary of the game to inject bad data into them.
      Could encrypt the instruction code for the network play, until a valid key is obtained from a server, but then it has to be decrypted sometime, probably ahead of time to be good. Maybe if they implemented a hardware feature where you could give the processor an encryption key, and sent it an encrypted instruction stream, it would decrypt it on the fly. That would be hard to decrypt, unless the attacker were to get ahold of the key, then they could decrypt it.

      Any way you look at it, someone, somewhere will be able to figure out a way around it. Social solutions are a much better way to solve the problems of cheating.
    • Yeah, but it's the same like WIndowsXP activation. The software makes a request to some psudo-foreign hardware for authentication, a dongle, an isp.. just about anything. In the past, people have broken this security scheme by just either modifying the binaries/programs to not do this call and continue processing.

      It's a nice idea, but problem is, once someone's program is on your machine, youi can make it do just about whatever you want, supplying you have either the know-how or the tools written by someone else with the know-how.

      Autocad used dongles.. and you know how much autocad gets.. 'shared'.
  • There have been many attempts to do things about this. Plenty of bot detectors for the fps's. Between diablo 1 and 2 there were many changes made for anti-cheating concerns. If you look at the top of the changelog here. [counter-strike.net] You'll see that anti-cheat protection is right on top. I believe its goin to be the same battle as OS security, and game console copy protection. There is always going to be something that somebody can do to cheat the system, and there will always be somebody willing to do it just to make themselves feel a little more powerfull.

    edge

    "It's all fun and games untill somebody looses a harddrive."
    • >I believe its goin to be the same battle as OS security, and game console copy protection.

      Console protection is hard, because it's a static target. Cheating prevention is easier, as you have a network connection, and thus can patch the executable in response to cheat attacks.
  • Public voting (Score:3, Insightful)

    by MongooseCN (139203) on Friday June 07, 2002 @04:26PM (#3661898) Homepage
    Designers should write in the ability for users to vote off other people they think are cheating. Usually it's obvious that certain people are cheating and so some mod writers for games like Counter Strike have already written this in. If enough people vote that someone is cheating, they will get booted.

    This should be taken a step further though. If a cheater has been booted off a server a certain number of times, their cd key should be revoked or temporarily disabled from the master database. Then they won't be able to play online anywhere instead of simply moving to another one of the 1000's of servers.

    The problem is this could be abused. People could vote against a player that just happens to be really good, but from all the games I have played the really good players almost never get booted off. It's always the real obvious cheaters that get voted off.
    • Re:Public voting (Score:4, Interesting)

      by LowneWulf (210110) on Friday June 07, 2002 @04:36PM (#3661994)
      I know lots of Counterstrike players who are constantly banned from servers for winning too much: unless the other players are at the same level, they assume the better players must be cheating.

      (of course, this never happens to me; nobody could cheat and still suck so badly)

      Perhaps a ranking system. Players of approximately equal skill are pooled together by the server automatically after a certain minimum number of games. Cheaters can then play to their heart's content, but will end up with other cheaters and those who are so good that they can take on cheaters and still live.
      • Player Respect (Score:2, Interesting)

        by 23_Elders (147014)
        Most of the servers I play on generally give a lot of respect to the good players. I think one thing that helps are programs that display player statistics, like Psychostats for C-S. This program collects 2 weeks of playing info on certain players which you can access via the web... it is an awesome system. Not only can you check out how you rank, but you get a sense of how other players perform. If I see someone on there with a 37:1 k:d record, obviously I am going to watch that person for cheating. You can also see the patterns that makes a player good vs. a cheater. Frankly I am surprised no one writes a statistics analysis program for these sorts of things... there must be certain player stats that spike or behave differently for certain kinds of cheating.
    • won't work in MMORPG.
      Take EQ as an example. Pretty much, who ever has the largest guild would wield all the power.
      • well, they want EQ to reflect real communities, right?
      • Re:Public voting (Score:3, Interesting)

        by cwebster (100824)
        the topic of this article is cheating, not who is most powerful.

        I'll take EQ as an example too, but tell you it does work to some extent. I've got some basis to go on here since i am a dev on showeq and host the irc server that #showeq and #eqemu live on.

        Currently one can cheat in EQ via playing with memory. The effects you can cause are limited to things like turning off fall damage, no lava damage, unlimited underwater breathing, etc. nothing of too much consequence. With a little extra work, one can teleport to an arbitrary location in zone, and move around quite a bit faster than normal (not the generic speedhack, that will get you banned.)

        Previous cheats that were out and semi-widespread among a certain crowd allowed you to do things like using arbitrary skills (even accessing those not available to your class), zoning from anywhere in zone to any zone adjecent to it, permanant sow, removing spells like root, making any number you want show up for /random, etc.

        There were more, to varying degrees of impact, but as each was made public, VI was pretty quick to fix it (one member of thier dev team alluding to the site promoting the exploits as a fix-it list).

        So i would say in this respect, developers can restrict cheating in mmorpgs.

        As for showeq, they change up packets and opcodes quite often, but you always run into the basic problem with trying to hide your data: you have to get it to the client somehow. But even here they have made attempts to curb its usefulness. Over time they've reduced what they send, Hit points are now a % rather than absolute numbers, experience likewise is expresses in 1/330th units, rather than absolute numbers. Faction values are now just an index value so the client knows what to print rather than you actual faction. They are a bit more limited in movement update packets.

        They can stop it, but they do a decent job at limiting it.

        So while the most powerful guild in a server, does run things, that has absolutly nothing to do with cheating in game.
    • What if instead of being banned, they were ranked, and if they're a certain rank they can only get in to certain games. The ranking being stored on the master servers of course.

      Then the people with the cheats would be ranked "Best" and would only get to play with others that cheat or superhuman players. Maybe the superhuman players (there would be very few of these at this level) would then be able to appeal.
  • by limpdawg (77844) on Friday June 07, 2002 @04:26PM (#3661899) Homepage Journal
    The fact is that games can not simply act as a glorified frame buffer and transmit keystrokes and mouse movements to a centralized server and then display the results with minimal computation on the client side.
    To get around the limits of network connectivity available to vast majority of people developers have to allow the client to render the graphics and interpret the input and then send back the minimum that is needed.
    While we all know that open source generally increases security, when you're dealing with people who are trying to abuse features you can't let them know all your secrets. Open source security assumes that the people working together want access to each other, but want to keep others out. The game security model assumes you want to let anyone in, but keep them from doing bad things.
    Thus unless you move all potentially abusable functionality to the server side, open source gaming will be limited except for games which tolerate low bandwidth and slow ping times.
    • by alriddoch (197022) on Friday June 07, 2002 @04:37PM (#3662009) Homepage

      At WorldForge [worldforge.org] we have obviously been considering this point since soon after we started, and we believe that this is not the case. It is true that to achieve the twitch responce of a first person shooter it is extremely difficult to detect client side cheating, but the more moderate pace of online RPGs can be different. If a model is chosen where the client is totally untrusted, the players ability to cheat by modifying the source of the client is minimised. An additional benefit is that this security model means it is far more difficult to cheat using add-on programs like those available for many current online RPGs.

      • FreeCiv takes the approach of not trusting the clients (all verification is performed in the server; nothing is sent to the client that the user should not know; etc.), and it has excellently playable performance. Of course, it's not a FPS or real-time system. Players do all take their turns simultaneously, though, and it seems to scale up well (max 30 players per game, I think).

        Plus, it's a great game!

    • Thus unless you move all potentially abusable functionality to the server side, open source gaming will be limited except for games which tolerate low bandwidth and slow ping times.

      Another solution is to limit your games to small networks of players that you trust (the solution in the article's second to last paragraph.)

      I'm afraid it may come to this, as cheats can always be made, closed source or not, and with all the virus/trojan/spyware nonsense we see even in legal, commercial products, closed source programs outside video game consoles are going to be trusted less and less.

  • CS 1.4 (Score:4, Interesting)

    by wbav (223901) <Guardian.Bob+Slashdot@gmail.com> on Friday June 07, 2002 @04:26PM (#3661902) Homepage Journal
    Well, we have seen valve put in code with Counterstrike 1.4 that checks to see if your opengl.dll is correct, to stop people with cheats like OGC. However, this sucks for all those using wine, becuase wine uses a hacked version of opengl to run windows games in linux. I've been cs free for about a month now, as a result.

    The real irony is, wine will not load cheats (as far as I can tell), so people using wine cannot cheat. I had a similar issue with Cheating-Death.
    • Re:CS 1.4 (Score:5, Insightful)

      by Dimensio (311070) <darkstar AT iglou DOT com> on Friday June 07, 2002 @04:32PM (#3661966)
      Why not inform Valve of this and give them the hacked opengl files so they can add it to their checksums?
      • Re:CS 1.4 (Score:2, Informative)

        by wbav (223901)
        Actually valve is aware of the problem, they have a fix if you pay for winex. But if you're a poor college student like me, you're up the creek.
      • Yes, and CS1.4 hack detection wont let you play CS1.4 in linux with winex. This really pisses me off, as I was using Linux full time, and had to boot back into WinXP. CS1.4 didnt stop the wall hack, Wallhack still works, seen it in action at a lan party on a Patched server!

        BTW, CS1.5 should be out shortly, im hoping I can play CS under linux again.
  • A perfect world? (Score:5, Insightful)

    by bahtama (252146) on Friday June 07, 2002 @04:27PM (#3661911) Homepage
    Let's see. We have a world where most people behave themselves, except for a small minority that run around stealing and causing problems. Yeah, that sounds so strange and alien!

    The bottom line is that there are cheaters in every aspect of life, whether it be real or virtual. Game companies, much like governments, can only do so much. The rest of the problems people just have to live with. Virtual worlds will never be perfect and people will always try and ruin someone else's day.

    • The problem lies in that when people are anonymous they tend to cheat more because they know they can get away with it without any consequences.
  • by GearheadX (414240) on Friday June 07, 2002 @04:27PM (#3661912)
    The main problem is that there is actually a rather strong, organised group of people out ther ewho distrubite exploits and hacks for online games, considering it their 'right' to cheat because they purchased a copy of the game. The problem is that when they do this they fail to take into consideringation the position of the other people who's gaming experiences they're wrecking.

    Of course.. the difference between Man and Beast, when you get down to it, is being able to think about things frm someone else's point of view, so when you think about it, this shows you something about the mental state of the organised online cheater.

    Even a Chimp can think about something from someone else's perspective...

    • America's Army (Score:2, Interesting)

      by TonyZahn (534930)
      From what I've read about the Army's promotional game, it's probably got one of the strictist anti-cheating things I've herd of. If you shoot too many civillians or ANY of your teammates, you're given a time-out, and if you do it a few times in a row, you're banned. Automatically.

      As an aside, and I really hate to ask this, I still haven't figured out how to post a root-level comment. I mean, even the First Post-ers and gotse lamers can figure it out, but I'm stumped. Where's the "post comment" button?

    • The cheaters in this case do think about the game from someone else's point of view. They just don't care if anyone gets upset about what they're doing.
  • Basics? (Score:3, Insightful)

    by Peridriga (308995) on Friday June 07, 2002 @04:27PM (#3661914)
    The fundemental problem is that the game itself lies on the clients computer.... It is completly unfeasable to secure that program once it has been taken out of the shrink wrap...

    Sure you can require frequent patches to fill the holes after release. Or maybe require a check-sum of critical files to play. Etc, Etc... But, there will always be people that are willing to figure out ways to by-pass it.

    Just like computer security in general. You trade amount of security to functionality.

    Heck. I remember when I had snake on Qbasic. I was 6 and had no clue about programming. But, I realized that Player1_Lives = 5 means something and I wanted to change it.. I understand that this is an oversimplified analogy that is completely missing the multiplayer side but, people will always want something for nothing and this is a way they can do it.

    Probably the only way to completly secure a game from cheating is to make the client side as thin as possible but, of course the trade off is the server would have to work extremely hard (already a problem now, with server's designed as the thin ware)....

    As solution will work itself out eventually.
  • Social stigma (Score:5, Interesting)

    by LBrothers (583483) on Friday June 07, 2002 @04:28PM (#3661921) Homepage
    I've played my share of online games, from the simple telnets [ibgames.net] to the varied mmorpgs. Technological and admin based solutions never seems to adequately solve any real poroblem.

    You can boot players, ban IPs, reprimand, close servers, but the miscreants always find a way back in, because its an enjoyable game to them... annoying others.

    The only viable solution I've ever come across is the social stigma. This method of self-regulations fails if the game doesn't implement a system of reliance on other players though. As long as several players are needed to band together to achieve certain goals, social stigma works.

    Picture a mmorpg where you need 3 other players to help you defeat a certain barrier. There's no other way, its part of the game structure. If you're a cheater, others won't help and you're limited in your game play. Where's the fun now?

    Game builders have to be aware that cheaters exist and really strive to construct game play in such a manner where players can self-regulate like that. Admins and code-limitations never seem to solve the real problem.
    • Re:Social stigma (Score:2, Insightful)

      by Pvt_Waldo (459439)

      Picture a mmorpg where you need 3 other players to help you defeat a certain barrier. There's no other way, its part of the game structure. If you're a cheater, others won't help and you're limited in your game play. Where's the fun now?


      Are you kidding? The cheater will just simulate the two other people via a cheat. But I like the concept.
    • Bullshit (Score:2, Insightful)

      by Anonymous Coward
      Picture a mmorpg where you need 3 other players to help you defeat a certain barrier. There's no other way, its part of the game structure. If you're a cheater, others won't help and you're limited in your game play. Where's the fun now?
      You assume that cheaters are completely antisocial and incapable of gaining allies and friends to help them along.

      Two words: Cheating Clans.

      Many cheaters just don't care about the 'stigmas', but rather relish their negative reputations.
  • I understand that having a GM be the final arbiter can be both fair and unfair, so are there any/many instances where a non-cheater was expelled as a cheater?

    I understand the example in the article (fighting a guy with twice your stats) perfectly-
    I went to a live action role playing event (LAIRE for those who know) and it SUCKED. In the first round of combat, in one hit, the "npc" character completely decimated me. Yes, they were given orders by the GM's not to actually kill anyone.

    NOTE: this message is free from any comments regarding Microsoft servers as military grade.
    • No fault of the NPC.

      In theory, your average revenant (I play NERO from time to time) doesn't know a low level guy from a high level guy. They just pick a target and swing 4's. If you have 3 body, you fall down on the first hit.

      The dedicated players, who have given way more money to the chapter than you, need to have fun too, and that's typiclly done by giving the players something big to fight.

      Also, if LAIRE is anything like NERO, the rule is "don't *killing blow* anybody". Taking that one minute of available healing time away is generally considered a no-no, because once you cross from "bleeding out" to "dead", the cost to make you not dead goes from a level 1 spell to a level 9 spell.
  • Trolls? (Score:3, Interesting)

    by RealisticWeb.com (557454) on Friday June 07, 2002 @04:29PM (#3661933) Homepage
    I can see you you can crack down on cheating, most people don't like it, and would support that kind of action, but Trolls? How could you ever crack down on that without censureing(sp?)? I personaly like the /. method of moderation, because all the posts still show up, but we can choose how much crap we want to see. But how can you implement that in a real-time senerio? I don't see how without using server-side filters which people will object to, or client-side filters which has already been done before.
  • It's not just the security of the servers but also the data packets. Authenticating packets as having come from the game itself not some hacking tool for example. Authenticating users is also troublesome, near-positive ID is needed to enforce policies. Relying on IP numbers and cd keys is insufficient. This topic is far more complicated than the article suggests.
  • by ChaosDiscordSimple (41155) on Friday June 07, 2002 @04:37PM (#3662006) Homepage

    Games with huge numbers of people like EverQuest will suffer from a certain number of bad apples, just like the real world. They're ultimately going to need to rely on policing, technology can't solve everything.

    Fortunately, many games don't have huge numbers of players. Quake games peak at a few dozen. Even as small scale games grow, there are practical limits that will keep size down.

    There is a partial solution I haven't seen implemented yet: trust networks. To play, you generate a public key and share it with all of the other players. As you play, you mark other players as being friends. (You can also blacklist them, but it's easy for the other person to create a new identity, so it's only a very small part of the solution.) When you mark another player as a friend, your client provides them with a signature proving that you marked them as such. Then based on these networks of trust you can make judgements about who to play with. When you create a game, you might limit it to "my friends, my friends' friends, and 3rd generation friends if they have at least three references from 2nd generation friends." Maybe you leave a spot or two open for anyone to hop in on as a way to make new friends (and if they're a punk, you and your friends can blacklist him quickly).

    This will make it harder for truely new people to make initial friends. Many gamers will know at least a few real-life friends who can give them a hand up. For the rest, they'll regrettably have to spend some time learning who they can trust. It's a shame, but it's just like real-life.

    There are few details I'm admittedly handwaving (key revokation, special case exceptions), but they're all solvable problems. I'd really like to see a system like them when I play Quake, Half-Life, Diablo II, or Dungeon Siege online.

  • by devphil (51341) on Friday June 07, 2002 @04:38PM (#3662020) Homepage


    From the article (ya know, that thing you should read before commenting on its contents):

    "We have a very straightforward attitude to cheating: We see it; you're gone," Jacobs said. "I will happily sacrifice a small portion of my paying customers to ensure the rest of them have a quality experience."

    Kick. Ass. I know nothing about this company or their games, but I like them already.

  • by SkyLeach (188871) on Friday June 07, 2002 @04:38PM (#3662028) Homepage
    Cheaters do have a right to ceat, on their own servers.

    What pisses us all off isn't so much cheaters, as it is deceptive cheaters that try to take advantage or ruin other peoples' fun. Ceating is easy in almost all games where there is any client software at all. I would oppose any game that tried to prevent my use of my computer just like I oppose any os or application that tries to monkey with my computer.

    This problem is very difficult to solve because all a player needs to do is outsmart dumb software. That's pretty easy. Everybody knows when someone is using a headshot bot in counterstrike, but it's a little tougher to notice cheaters who pay attention to who is watching and how obvious they are being. I quit playing CS because of cheaters.

    Blizzard beat most of the maphack/exploits on StarCraft just by continually patching the software. I think CS and Half-Life should take a hint. Modify the code so that people can't exploit it... often. It's tedious to stack traces for exploitable code, and if the code changes frequently then it becomes very very tedious.
  • by ajm (9538) on Friday June 07, 2002 @04:42PM (#3662055)
    Best introduction to the subject [gamasutra.com] I've seen. Has things for everyone to think about and this was two years ago. I think games coming out now will have at least all these cheat prevention measures in them.
  • by Corby911 (250281) on Friday June 07, 2002 @04:43PM (#3662064) Homepage
    In multi-player action games such as "Quake III" and "Half-Life," hackers will try to tap into the servers running online games to execute cheats that let them see through walls or automatically aim weapons.
    Most, if not all of the cheats for Half-life and Quake III are client-side or proxy cheats.

    Proxy cheats require 2 computers: the one you game on and a proxy that you connect to the server through. The proxy keeps track of what's going on in the game by analyzing the packets that get sent through it. It then makes adjustments (ie aiming corrections) to the packets as they are sent out to the server. This in no way involves breaking into the server.

    The common transparency cheats are to a) replace the textures used on the walls with translucent/transparent ones or b) hack your video card's drivers. Neither of those affects the server in any way.

    There's a multitude more of these types of cheats. I know because I used to run a decent Half-life and Counterstrike server. I got so depressed at the prevalence of cheating (and cheating accusations), I shut down the server and very rarely play any online games.
  • I always appreciated blizzard's solution to this problem. On the realm battle.net servers, the information is kept by blizzards servers, there is no "file" you can manipulate on your machine. (At least for Diablo 2). It is consequently very hard to "hack" in the realms. However, if you desire to cheat or hack the open battle.net servers are there to use in whatever way you want. IMHO, they don't appear to mind people hex-editing their charachter files as long as they are kept away from the people who want to play legit.

    The other option (which I use) is to play on closed TCP-IP sessions. Online play for the most part sucks. If the cheating diminishes, the lag exponentially increases (even on my DSL line). Kind of a nasty catch-22.

    The simple solution is to sell their damn server code and to stop harassing the open bnet project. However, that would screw them when they (inevitibly) move to a subscription system. Which will suck.

    ----rhad

  • From the article:
    Ray is working on building a version of PunkBuster into the popular action game "Return to Castle Wolfenstein" and is in contact with other developers building similar anti-cheat mechanisms into their games. He's confident such features will become mandatory as online gaming spreads.

    As a big fan of RTCW, I know PunkBuster is already integrated into the game. Makes you wonder how old this interview is. :)
  • by Stiletto (12066) on Friday June 07, 2002 @04:52PM (#3662127)
    Never Trust the Client.

    Don't store any information (encripted or not) on a user's HD or RAM that, if the user were to alter it, would give him an edge. The server should send only what information the client needs to handle the user interaction, and nothing more!

    Ask yourself, can an "unofficial" client cheat? If the answer is yes, you have some server-side code to fix.
  • Accusations (Score:3, Interesting)

    by Winterblink (575267) on Friday June 07, 2002 @04:52PM (#3662128) Homepage
    One issue I have with the whole cheating thing is the accusations. I play Counter-strike [counter-strike.net] still and I've never used a hack or a cheat at all. Occasionally I get on a streak or something and end up massacring people. All of a sudden the accusations come flying in about me cheating. One server I got banned from when this happened, and I never did a thing.

    The moral of the story? Cheating not only hurts the newbies who want to get into some online games, but also hurts those of us who play often and occasionally show a glimmer of skill.

    • Yes, I too am not the greatest player on earth but have been accused a fair number of times. Once I got a permanent ban from a server just because I got lucky and got a knife kill directly followed by a headshot to a guy across the room.

      I bet that for every accusation I see probably 10% of them are true, and even fewer have concrete proof of it. I wonder if anyone has been wrongly blacklisted? There's quite some large blacklists out there that are maintained and many servers make use of them. This is probably a real problem with hijacked wonids.
  • Cheaters and trolls are making it harder for casual users and newbies to get hooked on the on-line versions of games.

    If they got rid of cheaters, they'd just be losing an excuse. Hell, I've been accused of cheating when I'm having an "on" night, and I suck. In the end, a player that is playing far over the head of the others on the server can suck the fun out of the game as effectively as one that's cheating. If they are really concerned with playability they'll probably need to come up with some sort of skill rating, as well, so that games will be competitive. That and a killfile ability so you can avoid some of the crap that gets posted to chat by some, without missing the say's from other folks. Actually, a filter that translated variations of "ur momma" to "my momma" would at least make it more entertaining...

  • I don't know about the viability of this but allow the central server to snoop in on the data sent to players, if the client isn't responding correctly given the inputs (ie server registers hit but the client doesn't) you know that client is cheating and you can block their IP. The only thing I wonder is how to ensure that only the central server can access the incoming data. Any ideas?
  • by Sludge (1234)
    Here's an interesting one. What if one of the developers nailed a cheater, or the creator of a cheat who distributed it across the net for clearly malicious purposes with a DMCA violation?
  • HSX Cheaters (Score:4, Informative)

    by jamesmartinluther (267743) on Friday June 07, 2002 @05:01PM (#3662192) Homepage
    This article is right on, especially with regard to tapping your game players for help in regulating and busting cheaters.

    At the Hollywood Stock Exchange [hsx.com] simulated stock market, there have been problems with cheaters for many years. HSX cheaters - called "manipulators" and "shills" - use information tactics and coordinated buying and selling patterns to dishonestly make HSX dollars.

    Internally we have an "SEC", which consists of individuals who seek out cheating patterns in the trading data. We also get suggestions from players as to who may be cheating and how they are able to cheat. HSX Traders that are "guilty" of manipulation are fined according to set procedures [hsx.com].

    One of the most interesting cases of cheating was when we received an AIM transcript of real-time cheating behavior. It read like someting out of "Wall Street", except with lots of net slang. We busted them and fined their accounts (after an investigation and due process, of course).

    Despite the "threat" that cheating poses to the "civility" of a game community, cheaters and the interesting tactics that they use no doubt make online games more interesting. I often ponder about how to better design game play which can harness the criminal instincts of simulated market manipulators (for the betterment of the game).

    As cool as this sounds, I do not think that unleashing 1980's style "media raiders" onto the trading community will ever happen at HSX. HSX trades are transformed into marketing data used by movie production studios, hence requiring us to ensure that game play is fair, and, generally, that trades reflect the real media preferences of HSX traders.

    - James

  • by Animats (122034) on Friday June 07, 2002 @05:06PM (#3662220) Homepage
    If you can identify cheaters from the server side, don't kick them off, just dump them into a dungeon. One where they can frag NPCs all day without affecting the other customers. That way, the cheaters keep playing, theyr're happy, and they're diverted from getting a new account and making more trouble.
  • by afidel (530433)
    The problem is if you don't let people cheat or pk they just find other ways to be annoying. They can chat bomb, grief kill. In diablo you just heard up enemies and put em near portals etc, in warcraft3 they can team up and then drop out in a 2X2 and let you get decimated by 2 opponents, there are endless ways to cause people grief in online games without cheating. Basically until there are no areseholes in the world there will be aresholes online, and to get their kicks they will find some way to ruin others experience. In any game more complex than solitaire someone can and will find a way to make in unfun for others. Guess people will have to learn to live with it online just like in the real world.
  • by kraf (450958) on Friday June 07, 2002 @05:09PM (#3662233)
    Ignore them.
    Yes, it's hard, that's why there are so many cheaters and trolls.
    If everyone collectively stopped playing when they see a cheater or troll they would go away.

    But unfortunately most players cannot tell good players from cheaters, trolls from newbies, and will keep giving the attention the cheaters/trolls want so bad.
  • by Rogerborg (306625) on Friday June 07, 2002 @05:21PM (#3662310) Homepage

    And it's the one that the designers of the open source multiplayer action game Netrek [netrek.org] figured out from day 1. You accept that the clients will be compromised, and you design your server and your network model appropriately.

    It's only very recently that commercial games developers are even beginning to understand this, and they're still not getting it right. For example, Counterstrike now attempts to check that your opengl.dll is correct. Fine, but that still relies on the client being uncompromised and reporting the correct number. That's a small barrier for a crackers with a hex editor.

    They really need to get it through their heads: you can't trust the client. Every packet that comes in has to be assumed to come from a borg or robot client, and dealt with accordingly. What this means in practice is:

    • The server has the final word on the world state. It accepts only requests for actions from the client, not state data, and it verifies that the client is in a state that it should be requesting this action. If that means that it rejects valid actions from a human player experiencing lag, tough, that's the cost of trust.
    • The server sends only the information that each client needs to know. The Netrek server sends position, heading and speed information to clients, but only if there's a friendly unit close enough to scan them, less frequently for distant units, and when it sends information about cloaked units it lies, so that even if you hack the client to display cloaked units, you end up displaying an infrequently updating image of where they might be, which can sometimes be more of a hinderance than a help. All this requires extra processing on the server. Tough. Hardware gets cheaper by the day. Sometimes it means that clients miss out on information, and see things appearing and disappearing. Again, you have to accept that as a necessary price to pay.
    • You design your game so that perfect execution doesn't guarantee you perfect results. Unlike the rail gun in quake, for example, in Netrek if you fire perfect vector torpedoes aimed precisely where your target is going, a decent human player will dodge them nearly every time. Instead, you have to use your (human) skill and judgement to decide where your (human) target will dodge once you fire, and fire where he's going to go, not where he was going. Or you fire where you don't want him to go, for strategic purposes. A netrek client firing perfect vector torpedoes is actually a liability against clued players!

    This isn't theoretical. I wrote a 'borg client for Netrek (bypassing the pretty darn good RSA binary check that still surpasses that in many commercial games), and found that it gave me at most a marginal advantage. It hardly effected my combat ability at all, and it made only a slight improvement to my strategic ability (by recording the limited information it received and making best guesses about what was actually going on in the game state). It certainly didn't spoil play balance like many FPS hacks do, and it didn't require any server fixes, because I simply could not exploit it very far to start with.

    The reason why the Netrek developers understood all this was that it was open source (so it was trivial to hack up a client), and also that servers developers were somewhat separate from the client developers. The server developers could dictate the architecture and packets and the client developers had to work with what they were given. Contrast that with the way that commercial games development tends to get done, with the same people writing both server and client, with a mandate to get it working as quickly and easily as possible.

    If I was back in commercial games development, this is the first change I'd make: separate the server developers and client developers, and only let them communicate through the code - and with the server guys calling all the shots. That sounds inefficient, but if you don't make the effort early on, you'll damn well have to do it later, once the problems are out there in the field. We need to fix the attitude endemic in commercial games development that there's never time to do it right, but always time to do it twice.

  • BNETD, anyone? (Score:3, Insightful)

    by k98sven (324383) on Friday June 07, 2002 @05:44PM (#3662437) Journal
    Why hasn't anyone pointed out the obvoius?

    The point of the oh-so-disputed Bnetd project was
    to counter cheats and trolls.

    Set up your own server - invite your friends, and
    kick out whoever you don't like.

    So what M$, Blizzard and the others should do is turn the situation to their advantage,
    stop selling server time - sell server software.

    The more trolls out there, the more people will want to run their own server.
  • Supplemental reading (Score:5, Informative)

    by defile (1059) on Friday June 07, 2002 @06:27PM (#3662627) Homepage Journal

    The ZDNet article is missing the link to my original article [bacarella.com] which is what lead the news.com writer to interview me.

    I can see why they left it out though, it calls a lot of the people they interviewed in addition to me names. ;)

  • by icey5000 (461582) on Friday June 07, 2002 @06:33PM (#3662659) Homepage
    First off, I'll start by saying that I AM a casual online gamer and have had a number of bad experiences with cheating. In fact, I ONLY play with direct connections to friends because of these problems. Quite frankly, I have been burned badly enough and often enough that I WILL NOT go online to play in a public game -- whether it is free or not. I've tried many times and have given up -- this really sucks since it seemed to have great potential. Here is why...

    My first online game experinces was on Yahoo Games. It looked interesting: meet new people, have some fun. I was a newbie, and so, went to the newbie area. I a game of cards seemed like fun but was dropped out of the game (lag). When I returned to the server I was chased and verbally harassed (with swears) through 3 other card games. I've never been back... and will never go back.

    Sometime later I regained my curiosity and thought I'd try Diablo online. Foolishly I took a high level character (can't remember how high, but had made it to hell difficulty) online and was killed instantly (twice! once in town!). I didn't know anything about 'hacks' then and persisted thinking this was due to server lag (or bugs). Then all of my equipment was stolen after a healing spell was cast on me. No backups, so goodbye all the effort. That was my last Diablo I game online.

    The pattern seems to repeat itself with frightening regularity: Quake II: dead, dead, dead and dead again), Unreal Tournament: similar to Quake, Starcraft: rushed (after making no rushing agreements) and had defences repelled by infinite numbers of enemies and attacks that failed even with overwhelming technical and numerical superiority, AOE 2: faced impossible tech advances and armies, Diablo 2: PK'd in no-pk mode. The list goes on.

    I make no claims to be an expert player in these games and would have no problem being beaten by a better player -- I find that's often the best way to improve! But, I have taken efforts to use the newbie areas to find other newbies to play with. Unfortunately, cheaters look at these areas as their playground too!

    I give up. Too bad, it could have been fun.
  • by edrugtrader (442064) on Friday June 07, 2002 @06:56PM (#3662769) Homepage
    i built and run edrugtrader.com (now moving to better colo facility so don't try to hit it, its down)

    i built the game from day 1 with "how could someone use this to cheat" in mind. if MMORPG developers don't have that mindset their game WILL fail. redundant and flamebait, mod as you wish.
  • by dh003i (203189) <dh003i@@@gmail...com> on Friday June 07, 2002 @07:40PM (#3662991) Homepage Journal
    And the anti-cheating organization? Come on. Don't these people have lives'? Its just a game. Lets not bring this to the level where we destroy the game because we take it so seriously, which sucks the fun out of it (prime example, chess). Also, many non-cheating players have no problem playing with players who use cheats.

    When I played Descent 2 on Kali, I used to play against some of the people who had hacks so they could fire two EarthShaker missles at a rate as fast as Gauss cannons. It made me better, and was fun.

The Force is what holds everything together. It has its dark side, and it has its light side. It's sort of like cosmic duct tape.

Working...