This is so funny because Rust has one of the worst cheating situations and the majority of their players are Windows users, and there’s lots of games that have anticheat that allows Linux and have notably less significant cheating problems like Marvel Rivals. In reality Rust doesn’t take cheating very seriously because if they did they would have more server side software that detects illegitimate behaviour like tons of other games do successfully… even most popular Minecraft servers have better functioning anti cheat that is completely server side than Rust has while getting kernel access to your PC. It’s pathetic and lazy development tbh and this entire post from them reads like such extreme cope…

  • Eager Eagle@lemmy.world
    ↑182 ↓1 · 3 days ago

    “never trust the client” is pretty much a motto of infosec, idk what the hell game devs expect

    • sp3ctr4l@lemmy.dbzer0.com
      ↑56 ↓3 · 3 days ago

      See, the wild thing is that I used to run with some actual hackers in GMod… and… I learned from the exploits that they did, how you actually design at least a game mode script that can’t be fucked, can’t be poked, prodded or queried directly.

      Of course, if the actual exploit is lower level than what I’m writing at, well then I’m still fucked…

      I can remember at least one GMod originated, lower level exploit, caused by Garry leaving some direct, unsanitized interface to Steam itself directly exposed via Lua… which caused Steam/Valve themselves to step in and rewrite a part of all of Steam, because Garry is a fucking moron, and more or less allowed a virus/malware to propagate through Steam itself, independent of Garry’s Mod…

      Never did figure out if any of the goobers I knew had any direct ties to that or not.

      But anyway, fucking yes, literally never trust the client with anything beyond their own GUI, and barely trust them with that, don’t just let them click on anything in their screen space to see if it’s an item they can put in their inventory, do an actual server side vector ray trace, from the item to the player, make sure the thing they clicked on is actually near them, put that all into a buffer that locks up if they’re calling it at inhuman rates…

      It was so easy to item dupe and stat boost and even hijack other players accounts in so many gamemodes I saw.

      Fucking one of them had the user set and enter a login password to ‘access’ their various characters, pick one to spawn as.

      Problem?

      … That gamemode was actually doing the id check via SteamID, duh.

      The username/password thing was a fucking phishing scam, that game mode had a forum, everyone used the same user names, a bunch of people got their hotmails or whatever fucked, by the dev of that gamemode.

      … Anyway… yeah, I learned all this infosec type shit first hand, in an earlier ‘FacePunch Studios’ production.

      Fuck Garry, fuck FacePunch, these people are idiot clowns.

      Roblox exists now, the GMod roleplay communities independently invented their own ways of monetizing their gamemodes via syncing to their sites and forums with PayPal widgets, y’all missed the boat on that one, no one is going to play S&ndbox in anything close to GMod in its heyday numbers.
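
The server-side pickup check described in the comment above (ray from item to player, distance check, a buffer that locks at inhuman call rates), as an added example that is not part of the original thread or any game's code. The reach, rate and lockout values and all names are assumptions, and walls are simplified to axis-aligned boxes.

```python
import math
from collections import deque

MAX_REACH = 3.0   # assumed pickup reach, world units
MAX_CALLS = 5     # assumed: requests allowed per WINDOW
WINDOW = 1.0      # seconds
LOCKOUT = 10.0    # seconds a player stays locked after exceeding the rate

def segment_hits_box(p, q, box):
    """Slab test: does the segment p->q pass through the box (min, max)?"""
    t0, t1 = 0.0, 1.0
    for a, b, lo, hi in zip(p, q, box[0], box[1]):
        d = b - a
        if abs(d) < 1e-9:              # segment parallel to this axis
            if a < lo or a > hi:
                return False
            continue
        near, far = sorted(((lo - a) / d, (hi - a) / d))
        t0, t1 = max(t0, near), min(t1, far)
        if t0 > t1:
            return False
    return True

class PickupValidator:
    def __init__(self, walls):
        self.walls = walls   # list of (min_corner, max_corner) boxes
        self.calls = {}      # player_id -> deque of recent request times
        self.locked = {}     # player_id -> time the lock expires

    def request_pickup(self, player_id, player_pos, item_pos, now):
        # Positions come from server state, never from the client's packet.
        if self.locked.get(player_id, 0.0) > now:
            return "locked"
        recent = self.calls.setdefault(player_id, deque())
        while recent and now - recent[0] > WINDOW:
            recent.popleft()
        recent.append(now)
        if len(recent) > MAX_CALLS:    # inhuman request rate
            self.locked[player_id] = now + LOCKOUT
            return "locked"
        if math.dist(player_pos, item_pos) > MAX_REACH:
            return "too_far"
        if any(segment_hits_box(item_pos, player_pos, w) for w in self.walls):
            return "blocked"           # a wall sits between item and player
        return "ok"
```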

      • AwesomeLowlander@sh.itjust.works
        ↑38 · 3 days ago

        Garry leaving some direct, unsanitized interface to Steam itself directly exposed via Lua… which caused Steam/Valve themselves to step in and rewrite a part of all of Steam, because Garry is a fucking moron, and more or less allowed a virus/malware to propagate through Steam itself, independent of Garry’s Mod…

        That sounds entirely on Steam. The game is the client in this context, and Steam as the server shouldn’t be trusting anything from the client.

        • sp3ctr4l@lemmy.dbzer0.com
          ↑21 ↓1 · edited · 3 days ago

          This was like, over a decade back, I don’t remember it in accurate detail, and also, Garry deleted all the old Facepunch forums, which I do remember having a lot of discussion about this…

          But, best I can recall, it was something like a buffer overflow/memory space exploit, because Garry exposed a core Steam function, that normally is only called by other Steam functions, in C++…

          Well, Garry decided to give basically a Lua API / reference method of accessing it directly, allowing doing arbitrary code injection into it, from anyone running a GMod server or networked client.

          So I mean yeah, you can say Valve should not have trusted Garry with low level access to Source and Steam, that that’s their bad, they should have expected he would create a serious security exploit out of naïveté/hubris, like the proverbial junior SQL DB admin who just does ‘DROP ALL’ on prod, as an ‘experiment’.

          Uh yep, I would agree with that.

          … I think this may have had something to do with Steam’s, fairly new at the time, achievements system roll out, but I’m not sure if that’s correct.

          EDIT:

          For those that don’t know, the vast, vast majority of what GMod is, is basically just opening up core Steam/Source calls done in C++, opening those up to Lua, by mapping them with reference methods, and then allowing Lua scripting via those methods.

          Then on top of that, you draw like, the item spawning menu, tool menus, make a standardized template for making a new tool or weapon (SWEPs) or entities, or players or NPCs, etc.

          So uh, yeah, if you’re not careful with that, if you don’t know what you’re doing at the lowest level, that can be very dangerous and easily lead to uh, unforeseen consequences.

          • JackbyDev@programming.dev
            ↑2 · 2 days ago

            I’m still confused why any game having a way to upload a worm into Steam is good and why it was uniquely a GMod problem. It sounds like a case of a problem waiting to happen and the first place it happened to happen was GMod.

        • sp3ctr4l@lemmy.dbzer0.com
          ↑18 ↓4 · 3 days ago

          Fuck you, take my order, stupid hallucinating AI drive thru working off an 18 year old microphone!

          Oh Wait!

          You’re closing half your locations after trying to push realtime adjusting prices.

          Nah I’m good, I’m gonna be posted up at the abandoned Wendy’s, screaming at it all day long.

          Get those pigtails in a hairnet, and my fries in a bag, thanks very much.

    • Bronzebeard@lemmy.zip
      ↑1 · 2 days ago

      The issue with pure client side is latency. At some point, you need some kind of predictive client side to smooth out the gaps to feel playable, but that also can lead to rubber banding and jumping around.

    • FlowerFan@piefed.blahaj.zone
      ↑3 · 2 days ago

      The problem is that that would increase the load on the server as well as make latency-mitigation much harder.

      As with everything, it’s always a tradeoff.

    • FishFace@piefed.social
      ↑9 · 3 days ago

      And this naïve understanding of infosec somehow makes people forget that this is not infosec, and there is more to anti-cheats than ignoring a client which says it’s travelling at warp speed.

    • 0_o7@lemmy.dbzer0.com
      ↑9 ↓13 · 3 days ago

      They’re totally different scenarios. How is the server supposed to know if a player has (e.g.) walls disabled and knows where the enemies are?

      Because the client has to know where the enemies are while still hiding it from the player.

      People who have no idea how things work and go off on quotes they see online is why these discussions are useless.

      • JackbyDev@programming.dev
        ↑2 · 2 days ago

        Because the client has to know where the enemies are while still hiding it from the player.

        Why? :3 If a player shouldn’t be able to see someone, just don’t send their location.

        • EldritchFemininity@lemmy.blahaj.zone
          ↑1 · 1 day ago

          But if they’re not rendered, what about their sound effects like walking, or something like their bullets?

          This is actually an issue in War Thunder, where if the server thinks you shouldn’t be able to see a tank, it won’t render it, but this also causes it fairly frequently to not play noises from the tank like the engine or shots, and to not render projectiles from them either. So a teammate can die right next to you and you won’t know how because the shot wasn’t rendered on your screen even though you were looking in the direction of the enemy when they fired it. Or a tank with an engine louder than a semi truck will sneak up and kill you because the game simply decided that you shouldn’t be able to hear them.

      • Eager Eagle@lemmy.world
        ↑23 ↓2 · 3 days ago

        That’s the neat part: you don’t. If their idea of anti cheat means taking over my machine to scan everything that runs on it, it’s a lost battle. Either find a way to do it server side based on behavioral heuristics, or don’t bother.

        • FishFace@piefed.social
          ↑3 ↓4 · 3 days ago

          Oh, so the only options are rootkits and server-side. Weird, I didn’t know the calculator app was one of those.

      • xep@discuss.online
        ↑1 · 2 days ago

        I love how in every anticheat discussion someone who actually knows something about how games work gets downvoted into oblivion.

      • 4am@lemmy.zip
        ↑11 ↓3 · 3 days ago

        Depends on the game but largely enemies don’t need to appear in the client until they’re becoming visible to the player

        • FishFace@piefed.social
          ↑7 ↓1 · 3 days ago

          So the server has to compute whether a single pixel of the enemy’s body or shadow is visible to every client? How does the client play spatialised audio for enemy footsteps if it doesn’t know where they are - does the server calculate that as well?

          I mean, if the client is thin, with everything computed server-side, this works, but that’s not what games are.

        • CptBread@lemmy.world
          ↑4 · 3 days ago

          Easy to say but if you use Unreal Engine it’s very hard to do that. Unreal doesn’t have a built in way to not replicate something not seen and the inbuilt networking is built on any action a player makes is tied to the player. So if you want to hear that player walking or shooting that player will exist on the client.

      • CptBread@lemmy.world
        ↑4 · 3 days ago

        Finally someone who seems to have some sense of how things actually work and of course they get down voted…

        Sure I get why people don’t like kernel anti cheat but they should at least understand the difficulties from not having it.

      • Cethin@lemmy.zip
        ↑3 ↓1 · 3 days ago

        There’s been an increase in games that don’t give the client full knowledge of enemies. That data doesn’t actually need to be sent to the client if you can do checks on the server to know if they’re visible. Yeah, it needs to be simplified from a full raytraced solution from the camera, but it can be good enough that it isn’t much of an issue, depending on the game.

        IIRC, some game (it may be Counter Strike, but idk) only gives your client player data for the “room” you’re in, and adjacent ones, or something like that. You can still see through walls near you, but you can’t see people on the other side of the map.

        Yes, there’s always going to be a point where there’s nothing more you can do and you just have to hope for the best, and mitigate what you can on the client. Still, the naive “the client has to know where the enemies are” isn’t accurate. A well designed anti-cheat solution will try to come up with a solution for this. Sometimes it isn’t possible, but often there’s some amount of information that doesn’t need to be sent to players that can be hidden.
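
The room-based filtering described in the comment above, as an added example that is not from the thread or from any game's code: the server sends a client only the players in its own room and adjacent rooms. The map, the player names and the always-send-teammates rule are assumptions.

```python
from dataclasses import dataclass

# Constructed map: room -> rooms joined to it by a door or opening.
ADJACENT = {
    "a_site": {"a_long", "mid"},
    "a_long": {"a_site", "t_spawn"},
    "mid": {"a_site", "b_site", "t_spawn"},
    "b_site": {"mid"},
    "t_spawn": {"a_long", "mid"},
}

@dataclass
class Player:
    name: str
    team: str
    room: str
    pos: tuple

def relevant_rooms(room):
    """The viewer's own room plus every room directly connected to it."""
    return {room} | ADJACENT[room]

def snapshot_for(viewer, players):
    """Build the state update for one client, filtered on the server."""
    rooms = relevant_rooms(viewer.room)
    out = {}
    for p in players:
        if p is viewer:
            continue
        # Assumed design choice: teammates are always sent (team radar).
        if p.team == viewer.team or p.room in rooms:
            out[p.name] = p.pos
    return out

def hidden_from(viewer, players):
    """Names withheld from this client; its memory never holds their positions."""
    sent = snapshot_for(viewer, players)
    return sorted(p.name for p in players if p is not viewer and p.name not in sent)

# Constructed sample state.
PLAYERS = [
    Player("alice", "ct", "a_site", (10, 4)),
    Player("bob", "t", "b_site", (90, 60)),
    Player("carol", "t", "mid", (40, 30)),
    Player("dave", "ct", "b_site", (88, 62)),
]
```

In the sample, carol is sent to alice because mid is adjacent to a_site even if a wall separates them, which is the nearby exposure the comment says remains.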