• wolo
    link
    fedilink
    arrow-up
    12
    ·
    edit-2
    1 year ago

    There’s a concept I call “rule zero of cybersecurity”: “the user can and will exploit trust you place in them or anything they can touch.”

    You can make it more difficult to exploit the trust you put in the user by hiding it behind obfuscation, but ultimately the user can desolder your secure enclave, reverse engineer your anti-tampering measures, and falsify any check your program wants to do, if it happens on their computer.

    Client-side anticheat on Windows doesn’t “work” in the pure sense either, it’s just enough of a pain to bypass that most people don’t because you can’t recompile the kernel to change how it behaves. On Linux, it’s easier to take advantage of the fact that perfect client-side anticheat is fundamentally impossible.

    Same with device attestation, DRM, and other client-side verification measures: they’re doomed to be in an endless back-and-forth because what they’re trying to do is fundamentally incompatible with reality.

    The correct choice for anti-cheat is to detect cheaters like humans do: watch a player’s actions as they are received by the server, and use your knowledge of typical player patterns to detect if the player is cheating. Your server’s knowledge of the network messages coming from the user’s computer is the only thing you can trust (because it exists on hardware you control), so you should make your decision by analyzing that.

    • jackpot@lemmy.mlOP
      link
      fedilink
      arrow-up
      1
      ·
      1 year ago

      alternative solution, one user account for every game that has a ‘cheating credit score’. just food for thought

      • TootSweet@lemmy.world
        link
        fedilink
        English
        arrow-up
        2
        ·
        1 year ago

        How do you enforce “one user account for every game?” Require copies of state-issued picture ID’s to register accounts? That sounds like an episode of Black Mirror. No thank you.

        Not to mention that would really expand the black market for counterfeit IDs.

      • wolo
        link
        fedilink
        arrow-up
        1
        ·
        edit-2
        1 year ago

        Some games use a “trust” system based on human reviews of your gameplay that affects how you are matched with other players, but there isn’t a respectful way to force people to use just one account so that the trust score can follow the person. The best way I can think is to tie the purchase of the game to that account, which many services do, but that breaks the used games market…