I don’t know if this makes me “a redditor” somehow or what, but…
As a dev, I am deeply troubled by the gaming industry so calmly walking into kernel anti cheats. It’s insane and being tossed around like it’s nothing.
Helldivers especially, since they picked one of the sketchiest ones and it’s a game that entirely doesn’t need it.
I have no idea if Reddit has suddenly picked up on this, but I’ve been pissed since at least Valorants release, but have seen more YT videos talking about it recently.
I really do not understand how server anti cheat is not way easier. I feel like devs are caught up on realtime anti cheat and not willing to do anything asynchronous. Or they really like paying licensing fees for client-side anticheat. I just don’t understand how any competent software engineer or systems admin or architect trusts the client so fervently.
Game servers are incredibly expensive, and server side anticheat is more costs.
Whether or not the studios can afford it (they can.) is irrelevant, it’s simply cheaper to go for flawed client side because the client will do most of the processing.
Any software developer worth their salt simply does not trust the client, but management is gonna manage and the engineers have to come up with a solution to “we must have anticheat because we said so, and you must keep server costs per user below x”. It’s easy to forget that most implementation choices in video games aren’t made by developers who like games, they’re made by middle managers who view games as a money-generaring industry.
I really do not understand how server anti cheat is not way easier.
In a clean slate, it is. It’s also way more effective (except for things like wall hacks, aim bots, recoil suppressors, etc, but most of those things are only really important and popular in competitive FPS). It’s also much simpler to understand and to leave no “holes” behind. It also lives in the developers domain so it can’t be “compromised” or circumvented.
The thing is that client side “anti cheat” can be commoditized. Every game with server authority/anti cheat needs specific server software to run their game logic. Client anti cheat is basically “look at everything else running on the system and see if any of it seems suspicious”. As such, there’s not really anything “game specific” to these - they basically are just a watch dog looking for bad actors - so as such, one company can come along, make one, and sell it to other devs.
This being “off the shelf” and not something the dev team has to think about besides a price tag means that management is just going to buy a third party solution and check off the “anti cheat” box on their task list.
I feel like devs are caught up on realtime anti cheat and not willing to do anything asynchronous.
First, this is a management problem and not the devs. Any dev worth their salt knows this isn’t really a good solution.
But I’d say the more relevant and prominent thing here is that game companies just don’t want to have to run servers anymore. It’s a cost, requires dev time, and requires maintenance, and they don’t want to do that. If these games had servers running the game world like games used to, they’d inherently have their own “anti cheat” built in for free that wouldn’t necessarily catch everything but would do a better job than some of these. And it could be enhanced to cover more bases.
But studios don’t want to do this anymore. It’s easier to make the game p2p and slap an off the shelf anti cheat and call it a day.
Some games still require matchmaking servers etc, but the overhead there is way lower.
Or they really like paying licensing fees for client-side anticheat.
Not that I agree with the decision, but it is definitely cheaper and faster than the alternative. But picking something like nprotect totally fucking baffles me. There are better options.
I just don’t understand how any competent software engineer or systems admin or architect trusts the client so fervently.
In some ways, same. Every project I’ve been on that has gotten anywhere near client side trust I’ve fought adamantly about avoiding it. I’ve won most arguments on it, but there are some places where they just utterly refuse.
But then there are things like New World… I don’t know how the fuck that shit released like it did. The number of things trusted to the client were absolutely baffling. I expected Amazon’s first foray into gaming to be a fucking joke, but I was totally appalled at how bad it turned out. They even touted hiring ex blizzard talent to get my hopes up first.
I imagine what makes it more of a grumble-fest for developers is that these days, a high majority of players will be coming from consoles. While cheaters do exist on consoles, they’re far less common, meaning that a majority of your playerbase is using game clients they can’t plausibly modify - meaning MOST of the clients can be trusted. So, signing on with something like EAC is really only resolving a cheating gap for a smaller percent of players.
There have even been situations with cheat-heavy games when console players will request the option to disable crossplay in order to assure they aren’t matched with cheaters, who are often on PC. Sea of Thieves may have been one such instance.
It was something I was aware of and against when I was on Reddit ever since I first heard of them.
And they don’t even make cheating impossible. Cheats don’t need to be running on the OS that is running the game. It could be running in a VM. I believe many VM implementations will let the guest OS know that they are running on a VM, but that isn’t mandatory. Other hardware in the system can have full access to the memory space and do reads/writes without the OS knowing (though caches complicate this). Some cheats just act as a display and mouse, processing the display as it passes through the device to the monitor, and modifying the mouse input to correct aim based on what it sees. If it spoofs a monitor and mouse, nothing in the kernel will necessarily see any difference.
I don’t know if this makes me “a redditor” somehow or what, but…
As a dev, I am deeply troubled by the gaming industry so calmly walking into kernel anti cheats. It’s insane and being tossed around like it’s nothing.
Helldivers especially, since they picked one of the sketchiest ones and it’s a game that entirely doesn’t need it.
I have no idea if Reddit has suddenly picked up on this, but I’ve been pissed since at least Valorants release, but have seen more YT videos talking about it recently.
I really do not understand how server anti cheat is not way easier. I feel like devs are caught up on realtime anti cheat and not willing to do anything asynchronous. Or they really like paying licensing fees for client-side anticheat. I just don’t understand how any competent software engineer or systems admin or architect trusts the client so fervently.
Game servers are incredibly expensive, and server side anticheat is more costs.
Whether or not the studios can afford it (they can.) is irrelevant, it’s simply cheaper to go for flawed client side because the client will do most of the processing.
Any software developer worth their salt simply does not trust the client, but management is gonna manage and the engineers have to come up with a solution to “we must have anticheat because we said so, and you must keep server costs per user below x”. It’s easy to forget that most implementation choices in video games aren’t made by developers who like games, they’re made by middle managers who view games as a money-generaring industry.
In a clean slate, it is. It’s also way more effective (except for things like wall hacks, aim bots, recoil suppressors, etc, but most of those things are only really important and popular in competitive FPS). It’s also much simpler to understand and to leave no “holes” behind. It also lives in the developers domain so it can’t be “compromised” or circumvented.
The thing is that client side “anti cheat” can be commoditized. Every game with server authority/anti cheat needs specific server software to run their game logic. Client anti cheat is basically “look at everything else running on the system and see if any of it seems suspicious”. As such, there’s not really anything “game specific” to these - they basically are just a watch dog looking for bad actors - so as such, one company can come along, make one, and sell it to other devs.
This being “off the shelf” and not something the dev team has to think about besides a price tag means that management is just going to buy a third party solution and check off the “anti cheat” box on their task list.
First, this is a management problem and not the devs. Any dev worth their salt knows this isn’t really a good solution.
But I’d say the more relevant and prominent thing here is that game companies just don’t want to have to run servers anymore. It’s a cost, requires dev time, and requires maintenance, and they don’t want to do that. If these games had servers running the game world like games used to, they’d inherently have their own “anti cheat” built in for free that wouldn’t necessarily catch everything but would do a better job than some of these. And it could be enhanced to cover more bases.
But studios don’t want to do this anymore. It’s easier to make the game p2p and slap an off the shelf anti cheat and call it a day.
Some games still require matchmaking servers etc, but the overhead there is way lower.
Not that I agree with the decision, but it is definitely cheaper and faster than the alternative. But picking something like nprotect totally fucking baffles me. There are better options.
In some ways, same. Every project I’ve been on that has gotten anywhere near client side trust I’ve fought adamantly about avoiding it. I’ve won most arguments on it, but there are some places where they just utterly refuse.
But then there are things like New World… I don’t know how the fuck that shit released like it did. The number of things trusted to the client were absolutely baffling. I expected Amazon’s first foray into gaming to be a fucking joke, but I was totally appalled at how bad it turned out. They even touted hiring ex blizzard talent to get my hopes up first.
I imagine what makes it more of a grumble-fest for developers is that these days, a high majority of players will be coming from consoles. While cheaters do exist on consoles, they’re far less common, meaning that a majority of your playerbase is using game clients they can’t plausibly modify - meaning MOST of the clients can be trusted. So, signing on with something like EAC is really only resolving a cheating gap for a smaller percent of players.
There have even been situations with cheat-heavy games when console players will request the option to disable crossplay in order to assure they aren’t matched with cheaters, who are often on PC. Sea of Thieves may have been one such instance.
It was something I was aware of and against when I was on Reddit ever since I first heard of them.
And they don’t even make cheating impossible. Cheats don’t need to be running on the OS that is running the game. It could be running in a VM. I believe many VM implementations will let the guest OS know that they are running on a VM, but that isn’t mandatory. Other hardware in the system can have full access to the memory space and do reads/writes without the OS knowing (though caches complicate this). Some cheats just act as a display and mouse, processing the display as it passes through the device to the monitor, and modifying the mouse input to correct aim based on what it sees. If it spoofs a monitor and mouse, nothing in the kernel will necessarily see any difference.