1. 33
  2. 17

    The best way to catch the cheaters is to watch how they play, not what they run on their computers. Valve has been doing this for quite a while on CS:GO with Overwatch (players analyzing reported games, not the Blizzard game) and their machine learning solution for simple hacks (video).

    1. 13

      A “negative” point I can think about regarding that method is that it doesn’t provide an excuse to install a rootkit in the player’s computer.

      1. 3

        I don’t think what they described requires running kernel code on a player’s computer. The player behavior is monitored on the server.

        1. 8

          I’m pretty sure @ethoh was making a tongue-in-cheek joke that installing the kernel driver was the real goal.

      2. 5

        This also works great for Old School RuneScape.

        Almost all of it is statistical analysis performed server side. It’s usually quite effective and players can’t cry and complain about malware running on their computer.

      3. 31

        Do note the title has been edited by a moderator.

        My original submission used the original title, which calls it for what it is: A rootkit.

        Similarly, the tag “privacy” has been removed. I will not edit the article back, but I ought to point out this does not feel right.

        1. 16

          The article is inflammatory in tone, the title is clickbait, and it is a news submission without technical content beyond “Don’t install this game if you don’t want kernel-level unaudited anticheat” and a throwaway eyebrow waggle that your computer might end up as some part of the CCP botnet.

          A title change to make it less clickbaity is probably the best outcome.

          1. 14

            People should be inflamed about video games including sneaky rootkits.

            1. 16

              The article is inflammatory in tone

              I do not see it.

              the title is clickbait

              It is actually accurate. I do not see the clickbait, honest.

              and it is a news submission without technical content beyond “Don’t install this game if you don’t want kernel-level unaudited anticheat”

              It raises legitimate concerns, as this code can be updated at any time once installed, for any purpose.

              your computer might end up as some part of the CCP botnet.

              A legitimate concern, as the company is under Chinese jurisdiction.

              A title change to make it less clickbaity is probably the best outcome.

              If it was a story about a person, I would agree with you as I do most of the time. However, I do find the goodwill is wasted on a company.

              1. 8

                It is actually accurate.

                Right.

                It raises legitimate concerns, as this code can be updated at any time once installed, for any purpose.

                Which is true for most of the software running on consumer devices. Calling everything you disagree with a rootkit, whether you are right or wrong, won’t convince anyone not already convinced and only makes you look to others like someone who doesn’t come to discuss.

                You can get much further by discussing the implications of running kernel code to support anti-cheat features developed by a foreign company from an area well known for its government practices than by phrasing it as “Rootkit made by Chinese company”.

                your computer might end up as some part of the CCP botnet.

                A legitimate concern, as the company is under Chinese jurisdiction.

                That’s complete FUD. Are we going to post an article about every software component that comes from China and runs as admin?

                I’m writing all this while being convinced that installing kernel drivers to run DRM and anti-cheat is totally unnecessary and plainly a bad idea. But seeing those claims being made gets just as tiring, especially when there are so many fact-based arguments already available (and especially after working in an industry where “rootkit” has a clear definition and implication).

              2. 7

                Not only is it all of the things you stated, but it’s also just bad threat modelling. There seems to be this funny “well the attackers want kernel access” mentality, when in reality, if you can maintain persistence and access to the data you are trying to get, why would you need a rootkit? They already have their closed source userspace application that could already be harvesting the data. Why unnecessarily add a layer? I personally don’t understand that thinking either, but shouldn’t the article be focused on the application itself too, since it’s closed source and from China?

                What about the fact that this has been commonplace for… idk, ever? I’d much, much rather see some actual analysis of the kernel module itself, because as it stands there is no technical merit in this article and I really don’t think it belongs here.

            2. 8

              Am I the only one who thinks of this as a technical challenge?

              A driver is a piece of code that runs in ring 0 where usermode can ask it to do things, and it can reply with data. It doesn’t have to actually do the things, and the data it replies with doesn’t have to be accurate. If usermode trusted the driver implicitly, it should be possible to build a very simple driver that just responds with acceptable answers. This removes the rootkit potential, allows the game to run, and also happens to allow cheating.

              Things get harder if usermode is asking other drivers for services and is asking its own driver for things and is trying to cross-check. But I’m very doubtful that something like this can be super well engineered, because the target market is comprised of a huge variety of systems that differ in OS version, hardware, and configuration. The set of things that can be reliably cross checked can’t be huge.

              From an anti-cheat point of view, it sounds like the “security” aspect of it is just making it harder for would-be cheaters who now need to contend with driver signing. It’s not the functionality that prevents cheating, it’s the signature that provides a roadblock. But even there, can the game be run under detours such that it thinks it’s asking the driver for services but the answers are coming back from another usermode component?

              This game sounds like it will provide hours of entertainment while we’re in lockdown, one way or another.

              1. 6

                what’s up with the first sentence in this article? really not a good way to start off a post

                1. 12

                  How so? Honest question. Riot is wholly owned by Tencent, so it’s not inaccurate. It’s similar to the Huawei / 5G situation, in my view.

                  1. 12

                    Riot’s engineering is headquartered in Los Angeles.

                    Allegations made against Riot prior to being bought by Tencent include bro culture, glass ceilings, and sexual harassment. In addition, I’ve heard anecdotes that they routinely ask design interviewees to show them ideas for champions, which are then gently copied into the game, regardless of whether the interviewee gets the job.

                    Riot already did not sound like a good kernel-driver vendor, regardless of whether any particular governments have undue influence over them.

                    1. 6

                      I spent a very short time working from their office as a contractor to another company that had a project with them.

                      It’s hard to quite explain it - particularly as I’m not American, and it was only my second time in the country - but the whole time we were there, the place seemed weird.

                      1. 3

                        Please elaborate

                        1. 2

                          As I said, some of what I experienced could be cultural.

                          The mentality seemed a bit like you sometimes see in futuristic movies where “corporations” are the new nation states, and people are loyal to a company, even more than most would currently be loyal to a country.

                          The company itself had expectations of all employees playing their game for a significant amount of time on a daily basis. There’s eating your own dog food, and then there’s force-feeding your dog food to your staff through a tube. Our work was related to a web-rendered “store” - no more related to gameplay than an online shopping site for groceries is related to cooking - but they still insisted we all play their game at least once while there.

                          The experience left me with the feeling that they’re convinced of their own self-importance, and can’t fathom how a computer game is less interesting than washing dishes to some people.

                    2. 2

                      then why doesn’t it say “would you allow a Tencent application [etc etc]”? it’s not inaccurate, but saying it’s accurate is even more of a stretch, and regardless of what the author intended, it only furthers the image of China that’s also used for yellow peril rhetoric

                      1. 2

                        It’s similar to how Donald Trump called coronavirus the “Chinese virus”. It’s completely accurate that the pandemic started in China, but to call it that feels like a dog whistle for other racial prejudices, i.e. that Chinese people are foreign or anti-freedom. I get the impression that the author tried to find the adjective that would have the most impact, and that “Chinese” was the scariest word they could come up with.

                      2. 6

                        Yet it is quite appropriate.

                        Would you? I wouldn’t. Hell no.

                        1. 7

                          I would remove the word “Chinese”. Sony, the classic running example of a rude DRM manufacturer, is Japanese; Xperi, the shambling pile of holding companies and patents that once produced such fine product lines as Macrovision, is in the USA. Moreover, we ought to be careful when describing multinational corporate entities as loyal to any one particular government; we know from history that corporations will gladly ally themselves locally with any government willing to give them tax breaks.

                          For consideration, here’s that first line with my change:

                          If an application from a company installed a kernel driver onto your system with complete access to your computer, but they pinky-promised not to abuse this access and power, would you install the application?

                          Isn’t that so much conceptually cleaner?

                          1. 4

                            I would remove the word “Chinese”.

                            There are valid concerns about the actions of the government of China. This takes into consideration actions that are still recent.

                            The company is Chinese, so it is expected to comply with the requests of that government.

                            1. 10

                              ‘Chinese’ describes a set of ethnic identities, a set of languages, and a set of authorities.

                              When I want to talk about their government specifically, I find it clearer to say “CCP” or “PRC” because it avoids dragging in the rest of those concepts.

                              1. 3

                                I have flirted with this as well. I dunno. I tried “Chicom” but 1) no one knows what the hell that means 2) bc it’s from a bygone era.

                                Anyhoo, during the Cold War wasn’t “Russian” synonymous with “Soviet/USSR” in many contexts? Seems like something similar might be happening nowadays.

                                1. 3

                                  I understood “Chinese” as being about the company (the subject) being Chinese (the country the company is based in, with the associated legal framework), not about any person being Chinese.

                        2. 3

                          I’d really love it if there was even a teensy bit of technical detail on what this ‘rootkit’ actually does.

                          Because I’m ignorant, what does a binary blob need to be considered a ‘rootkit’?

                          1. 7

                            It runs at ring 0. Starts at boot time. Modules in the Windows kernel have access to kernel memory, which crosses processes. This isn’t just a video driver. Anti-cheating software, by definition, has to be able to monitor mouse and keyboard actions.

                            1. 5

                              (anticheat) also needs to be difficult to observe (antidebug tricks, obfuscation), and easy to update at any time to do new checks (to catch new cheating methods). This is pretty bad when it’s running in ring 0. And for some reason, this driver runs as soon as the computer boots.

                              1. 5

                                This is exactly how I would design an anticheat if I were ignoring all considerations other than “does this detect cheats pretty well”.

                                I wish they’d make this mandatory only for the highest echelon of players; as a low-skilled player I’m not getting matched with cheaters anyways, so there’s no advantage (and substantial disadvantages) to it.

                                I’m moving on from the game instead.

                          2. 3

                            I’m pretty sure this won’t do anything to prevent cheating at high levels. Now people will just have to run a hypervisor and run their cheats in ring “-1” so to speak.

                            1. 2

                              When did we start upvoting security theater? There are plenty of articles with technical content about game integrity assurance. Flagged.

                              1. 1

                                I see this article as off-topic for this site, for the following reasons:

                                • it’s about a closed-source application
                                • which is a game
                                • not only a game, a specific genre of game (MOBA)
                                • that only runs on Windows

                                (Edit to clarify that Valorant is not a MOBA game)

                                This submission would be on-topic at a gaming forum, and hopefully there’d be more discussion about why Riot is implementing this (anti-cheating) rather than innuendo and thinly-veiled racism.

                                1. 5

                                  I see the four points you list as irrelevant to the actual relevance of this article.

                                  It is relevant because a company that makes games is asking players to give them full access to their computers just so that they can play. And is doing so in a manner where most players won’t understand the severity of the situation.

                                  I don’t understand what innuendo you see in there, nor see any racism.

                                  1. 0

                                    How many members of this community are MOBA players?

                                    1. 4

                                      How many members of this community are MOBA players?

                                      Why would this matter?

                                      1. -1

                                        Can you give a recent example of a mainstream application vendor doing this sort of stuff?

                                        This is PC gaming specific, therefore off-topic.

                                        1. 5

                                          Can you give a recent example of a mainstream application vendor doing this sort of stuff?

                                          Riot’s games are extremely popular.

                                          Riot does very much fit into the “a mainstream application vendor” box.

                                          1. 5

                                            Pretty much all modern games use ring 0 anti-cheat. Here are two common ones:

                                    2. 4

                                      I agree with you, but minor nitpick: VALORANT is not a MOBA, it’s a tac shooter that’s basically cargo culted from CSGO.

                                      1. 1

                                        Thanks for the correction!

                                        1. 1

                                          In what way is it “cargo culted”?

                                          1. 3

                                            Bad use of “cargo culted”. I really should have said “CSGO Clone w/ Heroes”.