• Client running code should always be considered compromisable, that’s security 101. Relying on kernel module checks is a terrible practice, and not a fundamental guarantee of safety either.

    Good, secure anti-cheat happens serverside. But that’s harder and less broadly applicable, so Epic doesn’t want to bother with it.

    • MJBrune@beehaw.org
      link
      fedilink
      English
      arrow-up
      1
      arrow-down
      2
      ·
      1 year ago

      Client code isn’t trusted but no matter what the is one set of data you most trust that comes from the client. Input data. So with input data it can be manipulated that another application calculate out a headshot and sends that input. So even only trusting the client where you have to, you’ve failed to secure the game fully because you need to trust input data.

      • Riskable@programming.dev
        link
        fedilink
        English
        arrow-up
        14
        ·
        1 year ago

        The first rule of network programming: Never trust the client. How does anti-cheat software work? It trusts the client.

        All clientside anti-cheat is fundamentally flawed and broken by design. It doesn’t actually prevent cheating it just creates an illusion that it’s preventing cheating. The fewer people that believe in that illusion the better off we’ll all be.

        Besides, you can train AI to play any game via MITM in USB (plug the mouse and keyboard into the Raspberry Pi or similar which then pretends to be a mouse and keyboard to the computer playing the game). The simplest method is to just point a camera at the monitor but there’s much lower latency ways where you use some cheap Chinese HDMI decoder/encoders to feed the raw video signal right into the AI.

        With methods like that becoming cheaper and easier every day the whole client-side anti-cheat bullshit kinda seems pointless, yeah?

        • MJBrune@beehaw.org
          link
          fedilink
          English
          arrow-up
          3
          arrow-down
          1
          ·
          1 year ago

          We’ve already established you have to trust the client to some extent in a typical game.

          Also do you lock your front door despite people being able to lockpick it? Most people do because it raises the barrier to entry.

            • MJBrune@beehaw.org
              link
              fedilink
              English
              arrow-up
              1
              arrow-down
              1
              ·
              1 year ago

              Most people put security cameras in their homes despite them being able to be remotely hacked. Lots of people have an Alexa which could also be seen as letting a stranger in. A lot of people use tools that could be used to compromise their direct use but trust they don’t as for things like anti-cheat being malware. That’s all FUD. There has not been a single large anti-cheat company known to be sending unneeded or personalized user data.