Game Developers Cracking Down on Cheating

Hector73 writes "ZDNet has an article discussing a growing concern for the makers of on-line video games. Cheaters and trolls are making it harder for casual users and newbies to get hooked on the on-line versions of games. Considering that on-line gaming may become the major revenue source for game makers over the few years, maybe they will actually do something about it."

Xbox live to combat cheating

[magicsquid]

This is precisely why Microsoft announced that all of the Xbox's online games will be run off of Microsoft controller servers. They've seen how cheating can rapidly cause a subscriber base to shrink. By controlling everything themselves they hope to limit the damage done by those looking for ways to cheat. I imagine that just in case anything should go wrong, this means frequent backups that can be restored upon a users requests.

Re:Question.

[Peridriga]

Dongles, in the historic sense have been cracked/emulated a long time ago.

A great sound editing software for the Mac was Power Tools. Originally package with a dongle to prevent piracy. The dongle was emulated about 24 hours after the release of the product.

Now though with the cheap USB storage devices hitting the market the concept of dongles might come back. Although the only way to truely secure it would be with a strong cryptographic code to secure both the device itself and the traffic between the device and the software. Althogh you still come down to the fundemental problem that the information is still passing through the users computer and is open to sniffing and cracking.

Securing end client software has always been an extremely difficult problem to solve....

Re:CS 1.4

[wbav]

Actually valve is aware of the problem, they have a fix if you pay for winex. But if you're a poor college student like me, you're up the creek.

Excellent article from gamasutra about this

[ajm]

Best introduction to the subject [gamasutra.com] I've seen. Has things for everyone to think about and this was two years ago. I think games coming out now will have at least all these cheat prevention measures in them.

The author needs to check their facts

[Corby911]

In multi-player action games such as "Quake III" and "Half-Life," hackers will try to tap into the servers running online games to execute cheats that let them see through walls or automatically aim weapons.

Most, if not all of the cheats for Half-life and Quake III are client-side or proxy cheats.

Proxy cheats require 2 computers: the one you game on and a proxy that you connect to the server through. The proxy keeps track of what's going on in the game by analyzing the packets that get sent through it. It then makes adjustments (ie aiming corrections) to the packets as they are sent out to the server. This in no way involves breaking into the server.

The common transparency cheats are to a) replace the textures used on the walls with translucent/transparent ones or b) hack your video card's drivers. Neither of those affects the server in any way.

There's a multitude more of these types of cheats. I know because I used to run a decent Half-life and Counterstrike server. I got so depressed at the prevalence of cheating (and cheating accusations), I shut down the server and very rarely play any online games.

Re:What about open source and cheating?

[Stonehand]

A little cryptography plus a net of trusted compilers (as in people, not gcc) who produce signed binaries goes a long way. See Netrek, for instance -- most servers will boot you if you're not using a 'blessed' binary as determined via an RSA-based challenge. You can create modded clients all you want and unleash them on anything-goes servers; but while it's almost certainly possible to play on a blessed-only server, it'd be a hassle and isn't often done (e.g. rig a program to monitor the socket and redirect the authentication challenges to the 'blessed' binary, and otherwise send the data to the modded client).

HSX Cheaters

[jamesmartinluther]

This article is right on, especially with regard to tapping your game players for help in regulating and busting cheaters.

At the Hollywood Stock Exchange [hsx.com] simulated stock market, there have been problems with cheaters for many years. HSX cheaters - called "manipulators" and "shills" - use information tactics and coordinated buying and selling patterns to dishonestly make HSX dollars.

Internally we have an "SEC", which consists of individuals who seek out cheating patterns in the trading data. We also get suggestions from players as to who may be cheating and how they are able to cheat. HSX Traders that are "guilty" of manipulation are fined according to set procedures [hsx.com].

One of the most interesting cases of cheating was when we received an AIM transcript of real-time cheating behavior. It read like someting out of "Wall Street", except with lots of net slang. We busted them and fined their accounts (after an investigation and due process, of course).

Despite the "threat" that cheating poses to the "civility" of a game community, cheaters and the interesting tactics that they use no doubt make online games more interesting. I often ponder about how to better design game play which can harness the criminal instincts of simulated market manipulators (for the betterment of the game).

As cool as this sounds, I do not think that unleashing 1980's style "media raiders" onto the trading community will ever happen at HSX. HSX trades are transformed into marketing data used by movie production studios, hence requiring us to ensure that game play is fair, and, generally, that trades reflect the real media preferences of HSX traders.

- James

Re:Which Is Only Half Of It

[Daetrin]

The way to beat cheaters is to apply tried and true security practices. Don't trust that the machine on the other end of the connection is really a client(so don't feed it any extra data beyond what it should need to know to function). Don't blindly accept any data coming back from supposed clients(does the client really have "permission" do what it is telling the server to do?).

This isn't always possible, depending on what type of game it is. The other systems need to know certain information, especially if there is any kind of synchronization going on.

Synchronization is in many ways a good thing, because since each computer does its own calculations individually it really limits what kinds of cheats can be run. You can't make a cheat that boosts your stats becuase your stats will remain normal on my machine, and a desynch will occur the next time your stats effect gameplay.

However in order for synchronization to work just about all data needs to be shared, which makes the data hacks mentioned above possible.

On an RTS i was working on recently it was my job to eliminate the map cheat, whereby the user made the entire map visible, giving them a huge advantage. I did this by having each system report the state of its map to the other players and synchornizing that value. It was still possible to cheat and clear the map, but doing so imemdiatly caused you to be booted from the game.

Although peer to peer is more computationally expensive than client-server models, it does make it easier to control many kinds of cheating.

And on a side note, given some of the other discusions i've seen on this topic, i thought i would mention that both the producers and i agreed that no cheat detection should be used in single player mode. What do we care what you do with the game on your own time? If cheating is the way you enjoy it most, fine with us. When it becomes our problem is when you try to cheat against others online, and ruin _their_ experience, which they have a right to.

Supplemental reading

[defile]

The ZDNet article is missing the link to my original article [bacarella.com] which is what lead the news.com writer to interview me.

I can see why they left it out though, it calls a lot of the people they interviewed in addition to me names. ;)

Re:Question.

[stonecypher]

Now though with the cheap USB storage devices hitting the market the concept of dongles might come back. Although the only way to truely secure it would be with a strong cryptographic code to secure both the device itself and the traffic between the device and the software. Althogh you still come down to the fundemental problem that the information is still passing through the users computer and is open to sniffing and cracking.

Steps to crack:

Find function which checks for dongle

Find successful response datagram

Alter binary to change dongle-check function's caller pointer to that of new function

Cause new function to always return success datagram

Include 3l33t installer, text ph1lz, and greetz to various 14-year-olds

they should have thought of this a long time ago..

[edrugtrader]

i built and run edrugtrader.com (now moving to better colo facility so don't try to hit it, its down)

i built the game from day 1 with "how could someone use this to cheat" in mind. if MMORPG developers don't have that mindset their game WILL fail. redundant and flamebait, mod as you wish.