this post was submitted on 31 Oct 2024
414 points (99.8% liked)

Linux Gaming

15516 readers
133 users here now

Discussions and news about gaming on the GNU/Linux family of operating systems (including the Steam Deck). Potentially a $HOME away from home for disgruntled /r/linux_gaming denizens of the redditarian demesne.

This page can be subscribed to via RSS.

Original /r/linux_gaming pengwing by uoou.

Resources

WWW:

Discord:

IRC:

Matrix:

Telegram:

founded 2 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 31 points 1 month ago* (last edited 1 month ago) (11 children)

Genuinely curious, because this isn't my area of expertise, but how do you design a server to be "better" if it has to trust data from a remote client?

Example, if the client is compromised - because as they've said, they have no way to "attest" that the kernel is not compromised - how would the server know any better?

If my Apex client tells the server I got a perfect headshot, how would the server know I didn't fake the data? Is there a real answer to this problem or are we just wishing they come up with an impossible solution?

My general understanding is that EA is 100% correct. Now, on the other hand, maybe the should just limit plays between Linux <-> Linux so people can at least still enjoy the game (I'm moving to Linux soon so I'll basically no longer be able to play the game, which is, as my primary gaming addiction, a huge loss I'm willing to take).

There's compromises EA could take, but I think the Linux market share is just too small for them to care to spend any resources - even though they're raking in billions (~$3.4 Billion) and could spare a few resources to find a good middle ground. Capitalism at it's finest.

[–] [email protected] 59 points 1 month ago (5 children)

How do they know you haven't trained an AI to get headshots? The cheats often break the bounds of what is realistic in games, whether it is allowing you to see through walls (server shouldn't be sending enemy positions that aren't in view), going too fast (server should speed check pplayer positions), getting items they shouldn't have (server should do inventory sanity checks), etc. Other than that, look for signs of automated movement/things unrealistically precise for a human to do. Eventually the cheating will just be moved to a separate air gapped computer running AI on the video feed. Client side is an invasive, broken, and malicious concept.

[–] [email protected] 28 points 1 month ago (2 children)

Just tracking trended data in general would be sufficient to defeat a LARGE number of common cheats. One of the very few use cases "AI" might actually work for in a positive way. But that puts the burden on the developers and server hosters, and it's much easier to just burden the players directly instead.

[–] [email protected] 10 points 1 month ago (1 children)

I'm fairly confident that developers already do this. When the "ban hammer" comes down it is probably after analysing data trends for players.

[–] [email protected] 2 points 1 month ago

Yeah, they don't ban immediately. They collate a huge amount of data and then do it in waves.

That way cheaters know what software got them banned, but not the exact behaviour that gave it away.

[–] [email protected] 3 points 1 month ago

do you expect them to use data to fix their problems?

[–] [email protected] 9 points 1 month ago (1 children)

Servers often don't send player data that is outside of the immediate area of the player, but they have to for enemies that are nearby. If they walk around the corner and your client didn't know about it, then you'll be waiting for your ping time to even render the enemy. I.e. they walk around the corner and already shot you, then you see them suddenly appear a full players width away from the corner, and you die. Aka peekers advantage amplified.

Same deal with footstep sounds, bullet tracers, a player's shadow, etc. Your client needs to know where all this is coming from and it can't do that if it doesn't know the enemy exists and where. And that is a buffer zone for hackers to derive wall hacks from.

So basically, the overwhelming majority of servers do do all those things, since the late 90's. Hacks tend to work within those bounds. The most common, impactful and hard to detect cheats are based on providing perfect mechanical inputs. Aka aim hacks. Nothing about limiting info from the server can prevent that unless you also want the legitimate player to be unable to see their enemies.

[–] [email protected] 4 points 1 month ago (1 children)

The obvious solution is to make wall hacks an intended game mechanic.

[–] [email protected] 1 points 1 month ago

You joke but blops 6 is out rn and did this on tiny maps

Its horrible and amazing at the same time

[–] [email protected] 4 points 1 month ago

Eventually the cheating will just be moved to a separate air gapped computer running AI on the video feed.

At that point it isn't cheating anymore; the AI would be legitimately playing the game!

[–] [email protected] 3 points 1 month ago

God I was pissed when riot did it for league. They didn't even have a terrible cheating issue, it was rare and they suuslly caught it and parched it quickly. If blizzard can do it so can they.

load more comments (1 replies)
[–] [email protected] 34 points 1 month ago* (last edited 1 month ago) (2 children)

Your core premise is broken. Relying on trusting anything from a remote client cannot possibly result in a fair game.

[–] [email protected] 6 points 1 month ago (1 children)

It's not that simple. Especially not for real time shooters, latency is a killer.

[–] [email protected] 9 points 1 month ago* (last edited 1 month ago) (7 children)

It is exactly that simple. You already have to account for latency because everyone but one player (who you also can't trust no matter how many rootkits you install) is not the server. Having a proper server doesn't change that in any way.

Client side validation cannot possibly provide any actual security, but even if that wasn't the case and it was actually flawless, it would still be unconditionally unacceptable for a game to ever have kernel level access.

load more comments (7 replies)
[–] [email protected] 4 points 1 month ago (1 children)

Too bad the server at least needs the player input data.

[–] [email protected] 14 points 1 month ago (1 children)

Yes, people can still cheat with a camera and manipulating inputs. There will never be a way around that.

But that's entirely unchanged by adding malware, that, even if it could theoretically work, should be a literal crime with serious jail time attached. Client side validation is never security and cannot resemble security.

[–] [email protected] 2 points 1 month ago (1 children)

There are ways to detect and stop that, but they can and should happen on the server, not on the client.

[–] [email protected] 1 points 1 month ago (1 children)

Only if you're OK banning real people.

[–] [email protected] 2 points 1 month ago (1 children)

There are lots of options such that you can tune your false positive/negative rate. 🤷‍♂️ Tons of ways you can structure this depending on your game's tech.

[–] [email protected] 2 points 1 month ago (1 children)

No options that resemble legitimate or evidence based in any way.

If a computer has the exact same input and output tools as a human, you cannot possibly do better than guessing. It is a literal certainty that you will ban legitimate players doing nothing wrong for being too good if you try, and it's unconditionally not acceptable to do so.

[–] [email protected] 1 points 1 month ago (1 children)

Client side anti-cheat faces similar issues, and there unlike your server you don't control the hardware.

[–] [email protected] 2 points 1 month ago

I'm not sure why you think I'm saying client side is better when I called it malware.

There is no approach that is theoretically capable of doing anything at all to impact a camera and automated inputs, and there is no way of trying to do so that is acceptable. It's simply a reality of online gaming.

[–] [email protected] 22 points 1 month ago (2 children)

If my Apex client tells the server I got a perfect headshot, how would the server know I didn't fake the data?

Any game that works like that is fundamentally flawed and AC is nothing but an attempt at a cheap bandaid at best.

The client should be doing nothing but rendering and sending player actions to the server and the server should be managing the game state as well as running its checks on those actions. And when one client sends actuons that are weird and doesn't line up with it's internal game state it should kick the client immediately always deferring to what ITS game state is telling it, not the client.

[–] [email protected] 10 points 1 month ago

The cheat in this case would send legitimate actions. Like maybe you, the human, would have missed the headshot, but your cheat corrected to the inputs that would have landed one.

[–] [email protected] 1 points 1 month ago

And when one client sends actuons that are weird and doesn’t line up with it’s internal game state

What if my hacked client sends actions that are not weird, completely plausible, but didn't happen and instead were faked? E.g. I take a headshot and would have missed, but my client sends data that I actually shot them dead center, because I wasn't completely off? How would the server know it wasn't me?

[–] [email protected] 13 points 1 month ago (2 children)

Genuinely curious, because this isn't my area of expertise, but how do you design a server to be "better" if it has to trust data from a remote client?

Check the data on the server ("oh no, incredibly expensive"). Don't give any data to the client it doesn't need, like enemies around the corner ("oh no, now my game is so very laggy because caching and future position assumption just became impossible")

Example, if the client is compromised - because as they've said, they have no way to "attest" that the kernel is not compromised - how would the server know any better?

Now the server doesn't need to care. There's input? Validate and use it.

If my Apex client tells the server I got a perfect headshot, how would the server know I didn't fake the data? Is there a real answer to this problem or are we just wishing they come up with an impossible solution?

Now the client can go pound sand. Server decides if it's a headshot. Client only sends coordinates of origin and target. Lag? Sucks to be you, with or without cheat.

My general understanding is that EA is 100% correct. Now, on the other hand, maybe the should just limit plays between Linux <-> Linux so people can at least still enjoy the game

That would only create more work for the developers, all for the defacto expulsion of Linux users (Way less players at all times). The best course of action here would be the actual expulsion of Linux users. Also, EA is at most 25% correct. (Not a rational argument, I just very much dislike them)

(I'm moving to Linux soon so I'll basically no longer be able to play the game, which is, as my primary gaming addiction, a huge loss I'm willing to take).

Damn, sorry to hear that. It's always bad to leave something one knows because something's become unbearable. I wish you best of luck on your journey! (I'm assuming a lot, but why else would you switch despite your choice of use of free time?)

There's compromises EA could take, but I think the Linux market share is just too small for them to care to spend any resources - even though they're raking in billions (~$3.4 Billion) and could spare a few resources to find a good middle ground. Capitalism at it's finest.

On the other hand: I quite like it. It forces them to keep their grubby little hands from my kernel.

I do not like anything anti cheat. But I also don't really like cheaters, especially in online games, so anti cheat could be tolerated. The only thing is: nothing trumps my systems integrity. Definitely not online player satisfaction.

[–] [email protected] 9 points 1 month ago (1 children)

The server already determines if a shot's valid or not though. Once a client receives information on where the enemy is at, then the client can send message to the server that they are shooting exactly at that location.

[–] [email protected] 2 points 1 month ago

Well, the server acts mostly as a single source of truth. The clients are the ones registering the shot, the server confirms or denies it.

My approach would be prohibitedly expensive, as I suggested the registration would also happen on the server. It would also result in bigger lags

[–] [email protected] 5 points 1 month ago

Check the data on the server

I believe this already happens to some degree.

Don’t give any data to the client it doesn’t need, like enemies around the corner

Enemies around the corner still make noise/peek/shoot/etc. You can't just hide data of nearby enemies from the client because their actions still have in-game consequences that need to be reproduced across all active/nearby players.

Now the server doesn’t need to care. There’s input? Validate and use it.

How do you validate data that is within the realm of possibilities? if my head shot would have been 1 pixel too far to the left to hit and my hacked client sends it 1 pixel to the right so it makes a hit, how does the server know this isn't fake?

Server decides if it’s a headshot.

If my fake data doesn't look out of the ordinary i'm still hacking the system and tricking the server-side validation.

Client only sends coordinates of origin and target. Lag? Sucks to be you, with or without cheat.

The math to send the perfect headshot isn't difficult if you know where you are, where the enemy is and you can only send origin & target coords, I'm not sure this solves anything.

That would only create more work for the developers, all for the defacto expulsion of Linux users (Way less players at all times). The best course of action here would be the actual expulsion of Linux users. Also, EA is at most 25% correct. (Not a rational argument, I just very much dislike them)

Agree with you 100%.

Damn, sorry to hear that. It’s always bad to leave something one knows because something’s become unbearable. I wish you best of luck on your journey! (I’m assuming a lot, but why else would you switch despite your choice of use of free time?)

Thanks! I'm a huge open source supporter and only ever installed Windows on my desktop to play games, still using Linux on my laptops. Thanks to Valve, Proton, and Wine, I'll be able to go back to Linux and maybe discover some new games.

On the other hand: I quite like it. It forces them to keep their grubby little hands from my kernel.

I do not like anything anti cheat. But I also don’t really like cheaters, especially in online games, so anti cheat could be tolerated. The only thing is: nothing trumps my systems integrity. Definitely not online player satisfaction.

Kinda agree with you on this. Although I have my desktop as a strict "gaming" machine, I wouldn't mine an EA rootkit on my Desktop Linux system if all I did on it was game. But yes, they can keep their hands off my kernel on my "work" devices.

[–] [email protected] 12 points 1 month ago* (last edited 1 month ago) (1 children)

The fact that this thoughtful comment was downvoted, while the computer illiterate reply was upvoted, speaks to the hive mind on this ~~subreddit~~. We all detest EA, but this guy has a legitimate point.

[–] [email protected] 4 points 1 month ago (2 children)

"In this subreddit"

Yeah I have a hell of a time remembering what Lemmy things are called as well.

[–] [email protected] 5 points 1 month ago (4 children)
[–] [email protected] 7 points 1 month ago

Communities or "comms". Reddit would be quick to legal action if someone started using their trademarks.

load more comments (3 replies)
[–] [email protected] 4 points 1 month ago (1 children)
[–] [email protected] 1 points 1 month ago
[–] [email protected] 6 points 1 month ago (1 children)

how do you design a server to be “better” if it has to trust data from a remote client?

Because it doesn’t have to.

[–] [email protected] 4 points 1 month ago (1 children)

Because it doesn’t have to.

But according to that article it's still trusting the client. It's just validating that the action was within the realm of possibilities, not that it wasn't faked.

From the article (highlighting from me):

Here’s how it works:

  • When you shoot, client sends this event to the server with full information: the exact timestamp of your shot, and the exact aim of the weapon.

The article continues to state:

The enemy may be the only one not entirely happy. If they were standing still when he got shot, it’s their fault, right? If they were moving… wow, you’re a really awesome sniper.

But what if they were in an open position, got behind a wall, and then got shot, a fraction of a second later, when they thought they were safe?

Well, that can happen. That’s the tradeoff you make. Because you shoot at him in the past, they may still be shot up to a few milliseconds after they took cover.

What's stated above already happens in Apex, telling us that they already do everything this article is talking about. This article mentions nothing new and doesn't solve the problem of clients sending fake data that is within the realm of possibilities - e.g. a headshot when you were actually off by a bit.

[–] [email protected] 1 points 1 month ago

The question was about client trust, which the server doesn’t. If the shot wasn’t possible, it’s not valid and did not happen.

[–] [email protected] 4 points 1 month ago (1 children)

Keeping untrusted clients in their own ecosystem is an interesting idea, and would let people access the game without affecting anyone in the "trusted" chain, but you will all be lumped in with the obvious cheaters with blatant speed/flying/aiming bots.

If you were playing without cheats on Linux, I'd imagine you'd stop soon after.

The best idea would be to let people run their own servers and then allow or IP ban cheaters themselves, but I guess with everything needing to make money from skins and paints or whatever the fuck Apex sells, that's out of the question and has been since about the Xbox 360 era.

load more comments (1 replies)
[–] [email protected] 3 points 1 month ago* (last edited 1 month ago) (1 children)

They should just use the same approach big minecraft servers use, the game itself has no anticheat, but the server makes sure the data it's getting from the client makes sense and kicks clients sending weird data. Doing any checks client side will always be insecure and a nuisance to players

[–] [email protected] 3 points 1 month ago

Yeah there's no Minecraft cheats /s

[–] [email protected] 3 points 1 month ago (1 children)

Because the actual calculations aren’t done by the client but the server, or they should be

load more comments (1 replies)
[–] [email protected] 2 points 1 month ago (1 children)

how do you design a server to be "better" if it has to trust data from a remote client?

By minimising the trusted data exchanged and checking it against server side data.

[–] [email protected] 2 points 1 month ago

They already do this, so this doesn't solve the problem.

[–] [email protected] 2 points 1 month ago* (last edited 1 month ago) (1 children)

I see you all over this thread and I want to share something you might find interesting.

You keep mentioning the server can't handle the anti cheat because it needs to trust client data. Here's an interesting thought: how is client anti cheat supposed to work when it needs to trust input data?

Look up direct memory access cheats. TL;DR Two computers are hooked up such that PC 1 runs the game, PC 2 reads memory from PC 1, and can then output keyboard/mouse inputs, as well as wallhacks/esp. How is the client side anti cheat supposed to know that the keyboard and mouse inputs are legitimate? How is the client side anti cheat to know wallhacks are being used when they are being rendered on an entirely different machine?

[–] [email protected] 1 points 1 month ago

I completely agree with you, there's always ways to bypass the system. But at the end of the day its about raising the barrier to entry for everyone to be hacking. In the example you're giving, someone who wants to hack the system now needs to configure to separate systems to work AND have the technical skills to set it up. Without any local anti-cheat software, all someone needs to do is run software written by one person and run by thousands.

My overall point is that the current anti-cheat systems do work, not in every case, just like spam or antivirus software, but raise the barrier to entry so that you see less hackers while gaming vs without.