Game Developers Cracking Down on Cheating 510
Hector73 writes "ZDNet has an article discussing a growing concern for the makers of on-line video games. Cheaters and trolls are making it harder for casual users and newbies to get hooked on the on-line versions of games. Considering that on-line gaming may become the major revenue source for game makers over the few years, maybe they will actually do something about it."
One method (Score:2, Insightful)
Re: Bots and Campers... (Score:2, Insightful)
Public voting (Score:3, Insightful)
This should be taken a step further though. If a cheater has been booted off a server a certain number of times, their cd key should be revoked or temporarily disabled from the master database. Then they won't be able to play online anywhere instead of simply moving to another one of the 1000's of servers.
The problem is this could be abused. People could vote against a player that just happens to be really good, but from all the games I have played the really good players almost never get booted off. It's always the real obvious cheaters that get voted off.
A perfect world? (Score:5, Insightful)
The bottom line is that there are cheaters in every aspect of life, whether it be real or virtual. Game companies, much like governments, can only do so much. The rest of the problems people just have to live with. Virtual worlds will never be perfect and people will always try and ruin someone else's day.
Tao Te Cheating Llama (Score:3, Insightful)
Of course.. the difference between Man and Beast, when you get down to it, is being able to think about things frm someone else's point of view, so when you think about it, this shows you something about the mental state of the organised online cheater.
Even a Chimp can think about something from someone else's perspective...
Basics? (Score:3, Insightful)
Sure you can require frequent patches to fill the holes after release. Or maybe require a check-sum of critical files to play. Etc, Etc... But, there will always be people that are willing to figure out ways to by-pass it.
Just like computer security in general. You trade amount of security to functionality.
Heck. I remember when I had snake on Qbasic. I was 6 and had no clue about programming. But, I realized that Player1_Lives = 5 means something and I wanted to change it.. I understand that this is an oversimplified analogy that is completely missing the multiplayer side but, people will always want something for nothing and this is a way they can do it.
Probably the only way to completly secure a game from cheating is to make the client side as thin as possible but, of course the trade off is the server would have to work extremely hard (already a problem now, with server's designed as the thin ware)....
As solution will work itself out eventually.
Re:Xbox live to combat cheating (Score:1, Insightful)
Re:Social stigma (Score:2, Insightful)
Are you kidding? The cheater will just simulate the two other people via a cheat. But I like the concept.
Re:CS 1.4 (Score:5, Insightful)
Re:Question. (Score:2, Insightful)
Dongle? Huh? (Score:2, Insightful)
You can't stop someone with tampering software on his own (or her own) computer.
Just, basically, dongles suck.
Re:Xbox live to combat cheating (Score:3, Insightful)
By controlling everything themselves they hope to limit the damage done by those looking for ways to cheat.
Isn't that the exact same approach Microsoft takes to Windows security? They think that if they control the code, no-one with be able to find the holes. Security through obscurity...
The tables are turned (Score:3, Insightful)
What pisses us all off isn't so much cheaters, as it is deceptive cheaters that try to take advantage or ruin other peoples' fun. Ceating is easy in almost all games where there is any client software at all. I would oppose any game that tried to prevent my use of my computer just like I oppose any os or application that tries to monkey with my computer.
This problem is very difficult to solve because all a player needs to do is outsmart dumb software. That's pretty easy. Everybody knows when someone is using a headshot bot in counterstrike, but it's a little tougher to notice cheaters who pay attention to who is watching and how obvious they are being. I quit playing CS because of cheaters.
Blizzard beat most of the maphack/exploits on StarCraft just by continually patching the software. I think CS and Half-Life should take a hint. Modify the code so that people can't exploit it... often. It's tedious to stack traces for exploitable code, and if the code changes frequently then it becomes very very tedious.
Which Is Only Half Of It (Score:5, Insightful)
Aim cheats have nothing to do with server stored data. It all has to do with the fact the classic protocols requires all players in the field to tell all other players in the field their positions in the field. If you can snoop the positions of people then you can calculate an accurate "from the hip" shot with merciless robotic accuracy. If an aim cheat isn't possible, then you can just snoop the data and realize where the other players are hiding and their positing.
The way to beat cheaters is to apply tried and true security practices. Don't trust that the machine on the other end of the connection is really a client(so don't feed it any extra data beyond what it should need to know to function). Don't blindly accept any data coming back from supposed clients(does the client really have "permission" do what it is telling the server to do?).
Protecting the data is a good thing but just like server farms just locking the machines behind a door isn't enough. You have to secure the lines of transmition as well.
Re:Solving cheating requires closed source! (Score:1, Insightful)
The logic that open source is more secure isn't limited to productivity apps or server apps. Widespread ability to see the source code and find problems in order to fix them is a key benefit to using open source. Cheats are vulnerabilities just like any root vulnerability, they just destroy entertainment instead of another form of service.
Doesn't solve the problem. (Score:3, Insightful)
(as a side note, all usb devices use more cpu then they should)
You will always be able to reverse engineer the protocol, it will just take more and more effort to do so..
Could encrypt the network packets as you send them, but someone can still patch the binary of the game to inject bad data into them.
Could encrypt the instruction code for the network play, until a valid key is obtained from a server, but then it has to be decrypted sometime, probably ahead of time to be good. Maybe if they implemented a hardware feature where you could give the processor an encryption key, and sent it an encrypted instruction stream, it would decrypt it on the fly. That would be hard to decrypt, unless the attacker were to get ahold of the key, then they could decrypt it.
Any way you look at it, someone, somewhere will be able to figure out a way around it. Social solutions are a much better way to solve the problems of cheating.
Re:Slashdot hypocrisy (Score:3, Insightful)
TV Network cracking down on Tivo commercial skipping: bad
Microsoft cracking down on security hole advertisers: bad
AT&T cracking down on cable theft: bad
Game developers cracking down on cheating: good
To summarize:
Minority restricting a majority: bad
Majority protecting itself from minority: good.
Never Trust the Client (Score:3, Insightful)
Don't store any information (encripted or not) on a user's HD or RAM that, if the user were to alter it, would give him an edge. The server should send only what information the client needs to handle the user interaction, and nothing more!
Ask yourself, can an "unofficial" client cheat? If the answer is yes, you have some server-side code to fix.
Re:Xbox live to combat cheating (Score:3, Insightful)
More than likely, Microsoft just wants to extract more cash for the games.
As far as frequent backups go, they will NOT be listening to user's requests. No game with a HUGE amount of data is going to listen to ONE customer who gets a "cheater" and needs to restore his data from the previous day, week, whatever. Blizzard runs backups, and the only time they use them is once they've done something and horribly screwed the game up.
There isn't any real way to stop all cheating. I don't think cheating stops people from playing as much as they think. Cheating pisses people off yes, but what about all the flaws that are in the games as they are designed? People camping out spots where monsters respawn and what-not? That's no fun. Less cheating isn't going to make that aspect of the game any better.
Cheaters make games suck...but people will still play a good game with cheaters on it. I played Counter-Strike well after all the cheats starting coming out. Eventually, we'd find a place where there weren't cheaters and have a good time. I didn't bother trying to do that with Tribes 2, even though there weren't any cheaters there. If the game's GOOD people will find a community of other players they can play with and they'll have an enjoyable time. If it isn't, they won't, cheating or no cheating.
Re:They need to (Score:5, Insightful)
That works real well until you realized that many players cheat by unfairly reading information with a different application or proxy.
A good example of this is the 'aiming' proxy, which is a proxy application that sits between your FPS client and the server. The proxy parses the packets sent beteen client and server. Since the client is responsible for telling the server what actions you make and the server is responsible for telling the client what all the other players are doing, the proxy applies a little bit of math to the two pieces of information and 'corrects' your shot so that it hits another player despite where you really aimed.
Unless your game can somehow telepathically guess where the players are, there's no real way to hide this information from the client. Encryption strong enough to prevent a reasonable crack is too math intensive to run at the same time, meaning that hard encryption just isn't the answer.
There are apps out there for all the FPS servers that attempt to detect this sort of thing, but most of them work by checking ratios. If you happen to get luck and exceed the ratio of possible good shots to bad shots, you're tagged as a cheater.
If you can read the client-server data stream, you can cheat.
That's why the answer to cheaters lies not only in designing applications to prevent cheating, but allowing players to flag cheaters and bump them from the game.
In MMOG's, this means that GM's should respond quickly, intelligently, and decisively to player complaints. In smaller scale actions, players should always have a 'cheater' button that allows them to collectively police the game by booting and banning malicious players.
Bullshit (Score:2, Insightful)
Two words: Cheating Clans.
Many cheaters just don't care about the 'stigmas', but rather relish their negative reputations.
There is only one way to beat them (Score:3, Insightful)
Yes, it's hard, that's why there are so many cheaters and trolls.
If everyone collectively stopped playing when they see a cheater or troll they would go away.
But unfortunately most players cannot tell good players from cheaters, trolls from newbies, and will keep giving the attention the cheaters/trolls want so bad.
Shoddy code? (Score:3, Insightful)
That, or me standing behind you with a baseball bat at the ready while you play.
Valve left the Half-Life code more "open" for a reason. Counter-Strike is the biggest. Mods don't show up often if you try to lock down your client code too much.
There's only one solution (Score:5, Insightful)
And it's the one that the designers of the open source multiplayer action game Netrek [netrek.org] figured out from day 1. You accept that the clients will be compromised, and you design your server and your network model appropriately.
It's only very recently that commercial games developers are even beginning to understand this, and they're still not getting it right. For example, Counterstrike now attempts to check that your opengl.dll is correct. Fine, but that still relies on the client being uncompromised and reporting the correct number. That's a small barrier for a crackers with a hex editor.
They really need to get it through their heads: you can't trust the client. Every packet that comes in has to be assumed to come from a borg or robot client, and dealt with accordingly. What this means in practice is:
This isn't theoretical. I wrote a 'borg client for Netrek (bypassing the pretty darn good RSA binary check that still surpasses that in many commercial games), and found that it gave me at most a marginal advantage. It hardly effected my combat ability at all, and it made only a slight improvement to my strategic ability (by recording the limited information it received and making best guesses about what was actually going on in the game state). It certainly didn't spoil play balance like many FPS hacks do, and it didn't require any server fixes, because I simply could not exploit it very far to start with.
The reason why the Netrek developers understood all this was that it was open source (so it was trivial to hack up a client), and also that servers developers were somewhat separate from the client developers. The server developers could dictate the architecture and packets and the client developers had to work with what they were given. Contrast that with the way that commercial games development tends to get done, with the same people writing both server and client, with a mandate to get it working as quickly and easily as possible.
If I was back in commercial games development, this is the first change I'd make: separate the server developers and client developers, and only let them communicate through the code - and with the server guys calling all the shots. That sounds inefficient, but if you don't make the effort early on, you'll damn well have to do it later, once the problems are out there in the field. We need to fix the attitude endemic in commercial games development that there's never time to do it right, but always time to do it twice.
Re:Which Is Only Half Of It (Score:3, Insightful)
Imagine how hard it would be for someone to use an aiming cheat or bot in UT if there was a small program that monitored all the scores on a group of servers for cheating. If this program detected someone scoring way out of the norm, an employee of the network could observe the game, see if the guy was really cheating, and then boot him and suspend or cancel his account.
That's just one example, of course, and other cheats may be harder to track (like the one you mentioned about simply knowing where the other players are). I imagine, however, that MS intends to throw a lot of money (and therefore manpower) into this newest of markets. And if they can make cheaters have to deal with a very serious chance of getting their accounts cancelled through good use of human monitoring, I think they'll win the battle.
BNETD, anyone? (Score:3, Insightful)
The point of the oh-so-disputed Bnetd project was
to counter cheats and trolls.
Set up your own server - invite your friends, and
kick out whoever you don't like.
So what M$, Blizzard and the others should do is turn the situation to their advantage,
stop selling server time - sell server software.
The more trolls out there, the more people will want to run their own server.
Re:PKI? (Score:3, Insightful)
Distinguishing trolls from bona fide newbies? (Score:3, Insightful)
Another way is if you kill more than X teammates, you get kicked, or kbanned for a period of time.
Then how will people who just bought a copy of the game yesterday and don't yet have full control of their input devices be able to play? How do we distinguish trolls from legitimate newbies?
My cheating experiences (Score:5, Insightful)
My first online game experinces was on Yahoo Games. It looked interesting: meet new people, have some fun. I was a newbie, and so, went to the newbie area. I a game of cards seemed like fun but was dropped out of the game (lag). When I returned to the server I was chased and verbally harassed (with swears) through 3 other card games. I've never been back... and will never go back.
Sometime later I regained my curiosity and thought I'd try Diablo online. Foolishly I took a high level character (can't remember how high, but had made it to hell difficulty) online and was killed instantly (twice! once in town!). I didn't know anything about 'hacks' then and persisted thinking this was due to server lag (or bugs). Then all of my equipment was stolen after a healing spell was cast on me. No backups, so goodbye all the effort. That was my last Diablo I game online.
The pattern seems to repeat itself with frightening regularity: Quake II: dead, dead, dead and dead again), Unreal Tournament: similar to Quake, Starcraft: rushed (after making no rushing agreements) and had defences repelled by infinite numbers of enemies and attacks that failed even with overwhelming technical and numerical superiority, AOE 2: faced impossible tech advances and armies, Diablo 2: PK'd in no-pk mode. The list goes on.
I make no claims to be an expert player in these games and would have no problem being beaten by a better player -- I find that's often the best way to improve! But, I have taken efforts to use the newbie areas to find other newbies to play with. Unfortunately, cheaters look at these areas as their playground too!
I give up. Too bad, it could have been fun.
Possible technical cheat solution? Critique away.. (Score:2, Insightful)
How to stop it?
The usual problem is that the client software is untrusted, so you can't do anything unless you take a netrek like approach and design the game with non-instant weapons and then clamp down data transfer so bots can't see more than humans and perfect aim doesn't help.
That sucks because it doesn't reward good aim, and we're limiting weapon design due to some technological limitation instead of a legitimate game play problem.
What if you changed the equation and made the client software trustable?
My proposal would be to have the game engine take a dynamically loadable module for the networking and security checks.
Have the module by crypto-summed and verifiable, have it verify the client, and have it control the network interaction (all encrypted itself).
Now set the server up to generate these modules on the fly for each map, and force the player to download it on each map cycle, thus getting a new encryption seed/key to protect the network tunnel (no more proxy bots!), and constantly verifying the client (no client side hacks!)
I think this is a lot of hand-waving, and may not be possible, but OTOH, it might be. What would be left to do to plant a seed of trusted code on the client and then leverage it to trust the whole client?
Re:CS 1.4 (Score:1, Insightful)
1) Find out what the hash/CRC/checksum/whatever of the opengl file is BEFORE the value gets encrypted and sent out. Patch in the expected value at that point, who cares about the encryption? You don't even have to touch it.
2) Intercept/misdirect the check to another file. You have a hacked opengl file that's used in-game, but when the game goes to CRC it, it will wind up looking at the original file instead, thinking all is good. Again, no need to attack the encryption.
Re:A perfect world? (Score:2, Insightful)
A thief IRL may get away with robbing a couple 7-11's before they get caught. A thief in a virtual world can write a script to automatically rob every person they com into contact with. And they probably won't ever get caught, they'll keep doing it until the exploit is fixed. Then they'll just switch to a new exploit.
--Jeremy
Re:Taking it too serious... (Score:4, Insightful)
I understand what you are saying here and I call this "dirty playing" but not cheating. Cheating is running a program / plugin / etc that specifically allows you an advantage. I've never become very good at any online games, though I have tried from time to time, specifically in the Half Life (and mods) areas. When I suspect someone to be cheating I go into spectator mode to see if they are just hella good or if they are walking through walls. When they are walking through walls or making shots that are simply unbelievable (through the wall, through the post behind the wall, straight between the center of the eyes), I give up. I can accept being owned by a better player. I cannot play if I am being owned by a cheater.
And in that case, the odds of me using my personal purchasing power to get another online game? Not gonna happen. Who is left to suffer from this? Well, the cheaters have one less PLAYER to kill and the game companies won't be getting their part of the purchase price from my wallet.