kuschku | 18 days ago

> The client should be treated as untrusted. All the real classification logic belongs server-side where it can’t be tampered with.

That's such a hilarious quote, as it explains exactly why client-side anti-cheat is silly in the first place.

B3L|18 days ago

It's not silly; for many types of games, having access to privileged information on the client is simply a necessity. Any multiplayer FPS client will have to know the positions of other players before they come into view for latency reasons. The client will have to know exact origin points of any sounds other players might make. Player models fully occluded by transparency effects will still have to be rendered and cheaters could just forgo the transparency pass altogether. Same story with things like overlay effects and postprocessing (flash bangs, blurry vision, b&w image, ...). Texture changes can give a visibility advantage. The list goes on and on. Developers rely on client-side AC out of necessity, not out of ignorance.

kuschku|18 days ago

The reason client-side AC is used is not technical, but economical.

It's possible to calculate what information should be available to a client at a given time (and within the motion range of the clients' latency), only send that data, and calculate the time delta between when a player should have been able to know something, and when they reacted to it.

A lot of games used to do that in the past, and some still do.

But it requires powerful servers. Gamers could self-host dedicated servers, but publishers put an end to that as it's not compatible with microtransactions.

Developers could host servers, but that's not as profitable as using p2p gaming where a random client is used as the server.

It's a self-made problem really, none of this was necessary.
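The server-side check described in the comment above, as an added example that is not part of the thread or of any game's code: the server decides when a target first becomes knowable to an observer (line of sight, widened by how far the observer could move in one latency window) and measures how long the observer took to aim at it. The 2D geometry, function names, speed and reaction threshold are all assumptions chosen for illustration.

```python
# Added illustration; names, geometry and thresholds are assumptions, not from the thread.
import math

MAX_SPEED = 0.01        # assumed top player speed, world units per ms
MIN_REACTION_MS = 120   # assumed floor for a plausible human reaction

def _cross(a, b, c):
    return (b[0] - a[0]) * (c[1] - a[1]) - (b[1] - a[1]) * (c[0] - a[0])

def _blocked(p, q, wall):
    a, b = wall  # sight line p-q is blocked when it properly crosses wall a-b
    return _cross(a, b, p) * _cross(a, b, q) < 0 and _cross(p, q, a) * _cross(p, q, b) < 0

def knowable(observer, target, walls, latency_ms):
    """Should the server send target to observer? True if there is line of sight from the
    observer or from any of 8 sampled spots it could reach within one latency window."""
    r = MAX_SPEED * latency_ms
    spots = [observer] + [(observer[0] + r * math.cos(k * math.pi / 4),
                           observer[1] + r * math.sin(k * math.pi / 4)) for k in range(8)]
    return any(not any(_blocked(s, target, w) for w in walls) for s in spots)

def reaction_delta(ticks, walls, latency_ms):
    """ticks: (t_ms, observer_pos, target_pos, aiming_at_target) in time order.
    Returns ms from 'target first knowable' to 'first aimed at', or None if never aimed."""
    known_at = aimed_at = None
    for t, obs, tgt, aiming in ticks:
        if known_at is None and knowable(obs, tgt, walls, latency_ms):
            known_at = t
        if aimed_at is None and aiming:
            aimed_at = t
    if aimed_at is None:
        return None
    return aimed_at - known_at if known_at is not None else float("-inf")

def suspicious(delta):
    return delta is not None and delta < MIN_REACTION_MS

# Constructed sample: a wall at x=5, a stationary observer, a target walking out from behind it.
WALLS = [((5, 0), (5, 10))]
OBS = (0, 5)
PATH = [(0, (10, -3)), (200, (10, -4.8)), (400, (10, -6)), (650, (10, -6))]

def make_ticks(aim_from_ms):
    return [(t, OBS, pos, t >= aim_from_ms) for t, pos in PATH]

if __name__ == "__main__":
    for label, aim in [("plausible", 650), ("pre-aimed through wall", 0)]:
        d = reaction_delta(make_ticks(aim), WALLS, latency_ms=50)
        print(label, d, suspicious(d))
```

A single small delta is weak evidence on its own; a server would aggregate these per player over many encounters before acting.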

charcircuit|18 days ago

If PCs caught up to Mac in terms of hardware security you would be able to use remote attestation to be able to detect tampering.

arcfour|17 days ago

fTPMs and attestation/endorsement, Boot Guard, Secure Boot etc. have existed for years. They are just now beginning to be discussed/used for anti-cheat. I still think the ideal solution is server-side data analysis, however.

Hikikomori|18 days ago

Hard to believe that not a single game developer thought of this.

kuschku|18 days ago

They did, and many games actually used to do that.

But it's a simple issue of economics:

- you can't have cosmetic microtransactions if players can self-host and modify their own servers

- developers hosting servers is costly

- using a p2p architecture with the "server" running on a random gamer's computer is much more profitable

- but that requires trusting the client, which means

- client-side anti-cheat

Without the live-service lootbox gambling microtransaction bullshit that has infested the gaming industry, none of this would have ever been necessary.

You don't need client-side anticheat if your clan/guild is self-hosting your dedicated servers, you can just ban the obvious cheaters.