Security Issues

SECURITY ISSUES: ANTI-HACK MEASURES

INTRODUCTION:
Hi, I want to start a thread about security issues related to hacking - And are seeking a constructive debate both about security issues and possible fixes in regards to a central point stated in the Focus forum rules. I also recommend reading up on the subject, to make sure we all try to contribute with information with as high quality as possible.

I will also state a security issue with this type of thread that both moderators and all contributors must keep in mind. Hacking developers read these types of threads as a means to learn how to circumvent them, therefore it is important to send direct e-mails to the developers if you find sensitive information that may be exploited. Don't mail moderators as stated in forum rules.

From The Focus forum rules:
"No game is perfectly secure, but it is accepted that we, as the player base, want it to be as secure as possible. Therefore, should you discover a cheat, exploit, hack or other security issues then you are at liberty to post the existence of said issue on the boards. You are, however, requested to NOT post how to recreate the issue for other posters to emulate, or to link to such instructions. Instead please send details to members of the Focus Home Interactive or developer teams (NOT the moderators - they're players just like you!) so that they can recreate and resolve the issues."

A feedback from a moderator or developer would also be helpful in specifying rules or behaviours not specified clearly enough in forum rules, if this is the case, on the type of content a thread like this could contain, or even if a thread like this is even wanted or should be removed, as I can understand if it is better to send e-mails directly to the developers in all cases, though I believe in open discussions to get higher quality on the information and expose this to the public.

Personally I have researched and spent many hours on the subject, as I really would enjoy playing a hacking free game one day. In my opinion the technology to create that today is very difficult, but making games with a lot of focus on this kind of problems might minimize the problems to an extent where it is bearable - In competitions on public LANs it is probably possible with current technology if the involved parties takes the necessary steps - This would also expose cheaters who would play considerably worse with no access to hacks.

I have never used cheats myself, but seen remarkable improvements in my own skills when playing intensively earlier in my life - So I know you can "git gud" as well.
I have also played Ins2 for a ridiculous amount of hours, also cs:go for quite some time. For a long time I believed in the hollow statements provided in most comment sections regarding this problem, and it is difficult to expose these kind of people without first playing a game 100s of hours to be able to really understand the difference between "u need 2 git gud" and "something does not add up here", because it takes a lot of time to get skilled in pvp, which is a helpful skill to separate apples and oranges in this regard. I have also spectated players until they left the game, because they knew they were being watched and did not want to get exposed, even if I said or texted nothing negative when spectating.

It is not helping at all to use this thread to try framing any players in any game, and really skilled players exist, just look at something like a Dark Souls speedrun to see that the dedication some people invest can lead to unbelievable skills. Hackusations/defaming is not constructive and is very easy to do wrong, but it is interesting what you learn if you open your eyes about the reality of esports.

Many examples from a lot of different games which demonstrates the problem exist, but all you need is an internet connection to find proof of the existence of said problem yourself if you are not aware already, which may be a better and more effective way to understand the situation. Also many gamers don't understand the complexity of the problem (I have more to learn myself), but I will link to one video that can be a helping step in that direction if wanted.

CONCERNS:

  • In this video it is shown a document between the poster who is fishing/luring a hacker to expose what they want, also it shows that the Easy Anticheat [EAC] is already (2017) being tampered with by hacking developers on top of the other anti cheat programs (of course it is). The video is almost 1 hour long, but is the most pedagogic introduction summary I have seen so far on the topic. It is also some obvious and less obvious solutions shown at least regarding LANs, so I hope at least one developer finds the time to look at it if not familiar with the content.

THOUGHTS ON SOLUTIONS IN SANDSTORM:

  • Introduce spray patterns that makes it easy to expose bullet accuracy manipulations, but don't go public with it.
  • Keep RNG sway even if people complains about it, it can help to expose hackers by identifying impossible sway control.
  • Make other mechanics with similar goals and don't go public with it.
  • It has become such a huge problem that corruption can occur within even the most well-intended companies. Don't rely on too few programmers, and don't outsource security tasks without some healthy paranoia.
  • Don't cheat and be part of the problem obviously.
    VIDEO:
    I will take no legal responsibility for the content of this video. The examples seen in the video should not be regarded as proof of defaming of any players involved who has not been proven to be cheating by other legitimate means.

Youtube Video

last edited by Pacalis

SECURITY ISSUES: ANTI-HACK MEASURES

Found this gem in a comment section from a guy named Darren, it seems like an idea to consider that would actually make a difference. He is announcing it in a public comment section with 4500 views, so would believe he has no problem with it being repeated here:

A PROMISING TECHNIQUE TO MAKE AIMBOTS USELESS:

Darren
5 months ago (edited)
QUOTE
"I had an idea that the map designers could cover the map in entities that are processed in the exact same fashion as a player. For example, the map could be littered with corpses that look like a player to any code so that an aimbot would lock onto them if used. Aimbots could be rendered useless like this because only a human could tell the difference. The walls could be covered in player entities etc.

Offline bot play could use the normal unadulterated maps of course.

Maybe the cheat code could use movement to tell them apart, it depends on how the game is coded. The game could fool the aimbot code into thinking that the false entities are moving for example. I would do this by embedding player entities into walls and floor; the player would not see them but to the aimbot code they look like they are visible player entities. The player entities embedded into the wall would also be tagged randomly with the name of the players in the game. The game could also use ghost player entities that are randomly rendered to confuse the aimbot.

What we would have then is an impossible situation for the aimbot but would be normal for a human player. At the very least it would take a great deal more processing time to tell a player from a fake player entity. "

BY LAW:
Another idea that could be mentioned is for the different developers to cooperate in making cheating illegal by bringing it to government attention like in South Korea, so that at least blatant cheaters would think twice before cheating.
A point against this would probably be that "it is just computer games, who cares?" But the millions of young gamers out there are actually victims of fraud, which should be enough reason to not ignore this problem.

last edited by Pacalis

SECURITY ISSUES: ANTI-HACK MEASURES

EXPOSING A WHOLE TEAM CHEATING AT LAN TOURNAMENT
Hellberg is a great example for the gaming community to follow, play along to get them to open up, then expose them all if you encounter cheaters. He exposed a top tier team where all used hacking. This video also exposes security holes in LAN events, and the mentality of these hackers.

Youtube Video

last edited by Pacalis

SECURITY ISSUES: ANTI-HACK MEASURES

TOURNAMENTS FREE FROM HACKING, CLOSE TO BULLET PROOF ANTI CHEAT

-> quote from Far bound towards the concept "You run two key loggers (mouse loggers), one in the game engine and one in the kernel of the OS."

VIDEO CONCERNING THE HACKING PROBLEM:

It discusses the integrity of "The Consept" which in my opinion is unrefutable - But you will need to understand and learn about the methods used in his videos and watch them closely to see this yourself. He is probably not always right, as all humans makes mistakes, and I feel unsure about the accuracy in the less obvious ones as I haven't spent as much time learning about it. But he exposes a lot of blatant hacks that are obvious when you learn how they work. I recommend all his videos and also his introduction videos to start with like the one I posted above, as a tool to learn what measures is needed to prevent hacking, and on the bright side shows that hacks are impossible to hide if you invest time and use the correct approach when looking for them. Remember that many of his videos are shown at 20% speed, and he shows "pros" flicking their aim on and of targets up to seven times in a second on the most extreme example - This is humanly impossible, and a solid proof of using 3rd party software - The beautiful part is that these kind of hacks will probably always be distinguishable from legitimate playing, as the 3rd party software loses its function if it would "blend in" much more.

It will also be useful for NWI to understand what kind of video quality, video speed options and other feature toogling will be needed for themselves and the users who wants to help them to keep the game clean if NWI wants to tap into the pvp competition scene that is. As an easy anti cheat spokesman declares early in this video, the hacking business is extremely profitable.

So in my own opinion (EAC spokesman don't speak about NWI) NWI should decide early to implement the best measures available against hacks, that will show hackers that even if they unfortunately sometimes finds ways to hack without being caught when gaming from home, they stand absolutely no chance of passing at LAN events - Because the market share of the legitimate PVP scene open for grabs is huge in my opinion.

I know there is a lot of players who would love a legitimate competitive platform, anyone with any decency who is a gamer would. This does not exist today in first person shooters (I will not throw out a percentage number of legit vs criminal top tier players in different games, as the blatant hacks speaks for themselves), that is obvious. It also does not take much effort to understand that this problem extends far beyond csgo. In first person shooters it is a cancer, though I would argue that the problem seems smaller in games with a less competitive orientation.

VIDEO:
Skip to 43 minutes to see anti cheat measures that would be useful in tournaments.

Youtube Video

last edited by Pacalis

Hi @Iyagovos and/or @Arc
I have some questions for the developers at NWI. Could you be so kind as to forward my questions to NWI at some point when you find the time so I could get a reply here if possible on these questions? That would be greatly appreciated=)

SECURITY ISSUES: ANTI-CHEAT MEASURES

WHAT IS THE PERSPECTIVE FROM NWI? QUESTIONS TO NWI:

First of all you are doing a fantastic job and Sandstorm looks and feels beautiful. Excited for the final release, and hope you will continue to flourish as a company and pursue both growth and success.

I have some concern as I like pvp the most in fps games, but really see no personal incentive or a future for a competitive fps scene in general being honest and fair, if cheaters is not reduced and future competitions in games like Insurgency Sandstorm will introduce hack proof LANs when organizing these events. The entertainment value goes down when competitions are held from home computers, as it seems most developers either are unaware or careless about cheaters. I mean a lot of people like staged wrestling, I prefer the real deal. I have this general feeling that most game companies does not care too much about anti cheat measures as the hacker bans that leads to players buying new copies on new accounts generates profit, and sales of hacking software with the help of insiders and the money involved creates a lower incentive to use proper counter measures also to avoid drawing negative attention. I would like to hear your thoughts on this matter and made up some questions that are more meant as an idea to what you could talk about in an answer, much more than a formula to what your reply would be.
I understand that this matter may be sensitive, and would reflect the answer to some degree. I do not pass any judgement on NWI in particular, and choose to believe that you have the best of intentions.

Questions for NWI:

  1. What are NWIs thoughts on the current competitive FPS scene in being fair and honest (considering unbalanced games due to hacking)?
  2. Are you mainly interested in creating a non-competitive game with casual competitive?
  3. If you want to make a competitive game, do you have any official growth/market share targets?
  4. Do NWI believe that the current percentage of cheaters in competitive FPS games is low enough to create a fair competitive environment to such an extent that the top players can be mostly legitimate?
  5. Would you consider having competitions and LANs in the future, and if so would they genuinely do whatever they could to prevent cheating?
  6. Would NWI agree or disagree that more should be done to give cheating in-game multiplayer legal consequences?
  7. Do NWI agree or disagree that LAN competitions could be made hacker free?
  8. Is this type of threads considered useful from the perspective of NWI as constructive feedback regarding safety concerns, or more of a thread that can be interesting for players but nothing else as these are all well known issues and solutions for developers already?
  9. From my point of view, games like pubg has failed in its current state in regards to making a honest and fair competitive game (but highly successful financially). NWI have talked about the possibility of introducing a similar gamemode down the road, would you consider it to be possible within reasonable measures to make it more honest and fair as well?

I know many thousand players have these same questions, but I have no idea if this is a significant concern for the customer segments playing your games in particular or for you as a game developer in matter of having a high priority.

last edited by Pacalis

SECURITY ISSUES: ANTI-CHEAT MEASURES

MORE BACKGROUND FOR MAKING THIS THREAD:

Players of all multiplayer games online should know this, especially if they are young because young people are often scammed (giving their money to streamers who cheat as an example), or you are uninformed (no matter your age) and play a game because you want to be a top player based on a false premise. The premise that it is fair and possible when playing fair. - Understand me correctly, if you play Insurgency 2014 or also Insurgency Sandstorm you can legitimately get a high rank on the scoreboard of most casual pvp games only because of skills (this is what I have done). You can also play competitive and win matches only with skill.
Just don't expect to win consistently when playing fair in competitive popular fps games, unless on secure LANs.

The chance of winning competitions with several matches on the other hand, is a completely different ballpark, but will vary from game to game and years after release etc, but mathematically decrease being possible the more people play the game if the developers are not making sure the LANs are completely hack proof. That is why I also want the attention of the developers of NWI in regards to those questions- Because I want them to succeed in this if they choose to make competitions. If the apple first starts to rot it is so difficult to get out unharmed, and seeing grown-up men defending views they are way too smart to believe in themselves is cringy to watch, so developers need to take a clear stand early to avoid being consumed in a cycle of self-preservation. NWI has avoided this because they have been a small developer with a motivated team from what I can see (not gonna give examples, this is easy to find on many different people in other games). This information is not directed as a critique of any individual game or developer.

Here I will use statistics from pubg as an example of how many cheaters exist. I will also mention that I think pubg is a fun concept game that can be fun to play and know that the developers at Bluehole tries to reduce the amount of hackers, and that they are hopefully nice people who wants to make a cool game.

COLD FACTS:

Let us step back and only look at real numbers from the developers of pubg as an example, then use fairly simple math to get a fact-based picture, free from bias.

If any of the numbers used seems wrong, you can use others or check the sources, and if you find a mistake you are of course free to reply. I do use conservative estimates here, , and are rounding numbers up or down but staying very conservative. So please don't correct the rounding as it is done on purpose. We only need these numbers to make an accurate estimate of the average percentage hackers in a random game.

13 million cheater accounts banned in pubg in 69 weeks. That is approximately 188 000 players on average every week and are conservative numbers as ban waves have increased in time.
Console and PC players was 50 million users online in total June 2018 (only pubg), or an average of 11 667 000 users online each week. (Bans each week) / (Users each week) = 1,6% cheaters only accounting for players detected. Other estimates exist that is taking more factors into consideration, but my simple calculation is both easy to follow and will be a conservative number, meaning the real number must be higher. This calculation also eliminates multiple account bans on each user if we consider bans will logically be done in waves to ensure more users are banned each wave (preventing hackers form warning each other).
Using binomial distribution the chance of at least one cheater in a random game of pubg with 100 players (when cheaters are 1,6% of players) is 80,07%.

You can of course change these numbers to give estimates of cheaters in any given game with different amount of players and different percentage of cheaters. Try yourself with wolframalpha, link below.
I have heard on a conference (youtube) with the developers of pubg putting the number of hackers at about 3%, but I can't find this specific video. a report in on Forbes from april 30th 2018 doing a survey confirms this number, even showing that 3% of gamers are always cheating, but many more cheat sometimes. But surveys are also not hard facts, l will stay conservative to make my point clear:
5v5 , n=10, p=1,6%, chance of at least one hacker = 14,9%.
16v16 , n=32, p=1,6%, chance of at least one hacker = 40,3%

EDIT: EXPLANATION BELOW IN CORRECTION POST: WHEN YOU JOIN BEING PURE!
The chance of at least one cheater in a random game of pubg with 100 players (when cheaters are 1,6% of players) is 79,75% -> n=99, p=1,6%
5v5 , n=9, p=1,6%, chance of at least one hacker = 13,51%.
16v16 , n=31, p=1,6%, chance of at least one hacker = 39,35%

SOME OTHER STUFF TO CONSIDER WHEN FINDING APPROX % HACKERS:
If we would start putting in a more realistic percentage of hackers, the numbers will go up, maybe to about 3% like stated by Forbes, who knows, but I would rather explain what may be realistic with reasoning.

Consider that the only concern a hacker have is getting caught and always try to avoid that, and that hackers who get attention because of tournaments, streaming, spectators or match recordings knows that they are being watched and will actively hide their fraud and protect each other by lying or excusing themselves for self preservation. Darwinism tend to promote those who use all means possible to reach the top of any hierarchy and that financial gains and fame are extremely motivating for many people and must not be underestimated as a drive for ignoring moral, especially when the only consequence is that they have to stop doing it. Even if someone is smart, they don't need to have any high moral values and the human brain often rationalize immoral behaviour for reasons of self-preservation, especially in individuals who constantly push their moral boundaries.

SOURCES:
Source wolframalpha chance of a cheater in a random game of pubg with 100 players [n] and 1,6% cheaters [p]=0,016:
http://www.wolframalpha.com/input/?i=binomial+distribution+with+p%3D.016,+n+%3D100
Source total bans (later confirmed by Kotaku):
https://www.reddit.com/r/PUBATTLEGROUNDS/comments/9kotf0/bluehole_banned_13million_cheaters_so_far/
Source player total pubg june 2018:
https://www.statista.com/statistics/791791/pubg-player-base-world/
Source of another approximation introducing more variables:
https://www.reddit.com/r/PUBATTLEGROUNDS/comments/9nc5kn/approximating_the_percentage_of_cheaters_on_pubg/
Source explaining binominal distribution: Search for example "An Introduction to the Binomial Distribution" on youtube (not providing link to avoid video popup).
Source Forbes about the cheating problem and why developers should care:
https://www.forbes.com/sites/nelsongranados/2018/04/30/report-cheating-is-becoming-a-big-problem-in-online-gaming/

last edited by Pacalis

SECURITY ISSUES: ANTI-CHEAT MEASURES

A fresh example of LAN security being bad, and a reply from the comment section explaining the obvious problems in todays "pro" scene.

VIDEO LATEST LAN BAN
With questionable commentary
Youtube Video

COMMENT SECTION REPLY EXPLAINING THE OBVIOUS

"CelestG
1 day ago (edited)
You’re kinda contradicting yourself there Richard. First you say the cheat is the most amateur cheat you ever seen. Simply disguised as word.exe. Further saying he looked like it was his first time even using it. But then to defend your stance on pros not cheating you turn around and say this is solid proof that pros arent cheating because either these admins were really amazing or that cheating and getting away with it is impossible because this bozo got caught.

It’s pretty fair to say a pro who actually has a career and a real backing behind them in the industry would be using much more sophisticated cheats and would actually know how to use them. Just saying. You cant go both ways to justify the way you see fit. I also find it hilarious because a big tournament like this with a 100 grand prize pool couldn’t even pick up on the fact he was using a blatant exe file. How did he even get it on the pcs? Thats the question you have to ask. If he can get that far in a lan and only be caught cause his cheat is garbage and he doesn’t even know how to use it then it only proves that anything is possible. "

" Richard Lewis
1 day ago
Literally didn't say any of that. Congratulations on imagining what you want to be angry about though."

"CelestG
1 day ago (edited)
Richard Lewis You didn’t straight out say that it was proof but you alluded to it through the use of maybes and hypothesis’s. And I quote “The sensible conclusion is maybe if anything this proves how hard it is to cheat on lan”. Really now? After you just admitted this guy waltzed in and blatantly didn’t even try to hide he was cheating. Certainly a smart man like yourself wouldn’t conclude that this case proves anything of the sort. You even went as far as to say you didn’t personally believe their anti cheat even caught him. So how does this prove that cheating on lan will always result to this outcome? Clearly you realize for every person caught doing something they shouldn’t be. Several more are getting away with it.

Pretty easy to hide behind words and to play the fence though isn’t it? Say anything you want to even if it opposes everything you previously said. As long as you state it in a way that isn’t directly reflected upon yourself. I guess that’s what journalism is. State your initial opinion and then when it reaches something you don’t agree with you disguise your contradictions to promote your agenda. Thus giving you some kind of merit to claim that’s not what I said at all when you get called out on it. "

This is exactly what I mean by being caught in self preservation.

last edited by Pacalis

@pacalis

EDIT: COLD FACTS HAVE TO STAY COLD -> CORRECTION
I did more research and also thought about a detail that makes the odds of meeting a cheater smaller if there is not very large servers. Not by much, but got to make it right: When you join a game being a pure player you have of course eliminated one spot on the team from being a cheater already, so the correct statistics by using binominal distribution (chance of selection to contain at least one cheater in this case), goes down by 1 possible player being a cheater.

The chance of at least one cheater in a random game of pubg with 100 players (when cheaters are 1,6% of players) is 79,75% -> n=99, p=1,6%
5v5 , n=9, p=1,6%, chance of at least one hacker = 13,51%.
16v16 , n=31, p=1,6%, chance of at least one hacker = 39,35%
This also implies that if it is possible to create pure arenas by filtering honest players through completely secure LANs, a pure pro scene could be nurtured.

Now the calculation is solid.
Helped watching a Valve conference with John Mcdonald -> I hope guys like him with the implementation of narrow a.i. can make it right some day.
Also watched some conference about how hard it is to make money in the gaming business nowadays, and hope all these posts are serving my intention: Not to make players stay away from FPS games, but understand that they should not play a bunch of hours in the hope of becoming a pro someday, because it is no pure competitive scene today in any fps games. So just try having fun at random matches like I do. Insurgency Sandstorm is definitely my favourite spot to do so=)

last edited by Pacalis

SECURITY ISSUES: ANTI-CHEAT MEASURES
Again, if moderators pm or contact me on the forum I will of course leave this thread if this types of posts are just noice.

WHY NOT GIVE THIS ANTI CHEAT MEASURE A TRY:
Seems like something that will be difficult to deal with for cheaters. It will make many of their 3rdparty software useless if done correctly as far as I understand.

Found another post again explaining what I have mentioned previously, this time from a game developer [name below].

QUOTE:
"HeathersZen
86 points ·
9 months ago

Thanks for the post. I’m also a dev of going on 25 Years now.

[MEASURE]:
Another way to combat this type of cheating is to randomly add various noise to the client side structures, like popping in fake/“ghost” players in rooms all around the players, but never anywhere in a player’s view. Players that are not cheating will never see these since they don’t have a wall hack. Cheaters will see all of them and never be able to tell which of them are real and which are ghosts. They won’t trust their hack anymore, especially if the devs employ both of these techniques simultaneously" end quote

EDIT another user ADDED PROBLEMS DOING THIS:
QUOTE:
"1.This will kill performance, loading models/data that serves no purpose. Our FPS is bad enough already and the game eats up RAM.
2 I think it would be pretty easy to adapt the program to detect this." quote end

If statement [2] is solvable this could go. [1] is only about clearing away some eye candy to create a real competitive experience at the moment. I mean if pubg can manage with 100 players and good fps, Insurgency Sandstorm or a game in the future with also max 32 players could have around 70 ghost players on the map at all times and graphics like pubg.
This will make problems for much more than old wallhacks ("pro" players use esps anyway of another kind) conserning different types of esp
shown in previous videos above.

last edited by Pacalis

SECURITY ISSUES: ANTI-CHEAT MEASURES:

Quote from youtuber Matt Smith, according to himself a unity game dev.
[Brackets text] inserted by me to avoid misunderstanding which would be clear if inspecting source. (just to make sure I don't breach forum eula).

ANTI CHEAT MEASURE LAN FROM UNITY GAME DEVELOPER:
QUOTE "My thoughts on cheat prevention:

[Aaginst for example basic external injection cheat] a cheat with slight LAN capabilities. Want to prevent cheating at LAN's? Provide all gear to pros at lans. Ask team managers in advance for a list of hardware the pros use, mice and keyboards, etc, and their config for them. Set the computers and peripherals up for them. Don't let anyone on the team or anyone involved with the team anywhere near the computers or peripherals until game time. They show up, play, and leave. Then the LAN organizers image the machine and wipe the PC using a backup image and compare the the two images, default and Post-Game, for any discrepancies, then switch out the peripherals for the next teams. This almost ensures clean gameplay. The only remaining factor is money and influence breeding corruption in the LAN organizers which may make them pre-install cheats."

RNG sway and recoil don't have a place in this game. The core game design should not be based around stopping hacking; the game should be designed for legitimate players, with anti-hacking measures being a secondary concern. The existence of cheaters is anti-competitive, but not as anti-competitive as RNG.

@cyoce
Yes, I agree that the game should focus on being cool to play without letting measusers against hacking be a problem for that, definitely. There is a lot of ways they can implement that, so my suggestions are more like examples of what I mean.

Thank you for your time in creating your posts on the Focus Forums and for sending your questions in to us. We appreciate your in-depth analysis of the cheating that goes on in multiplayer games.

There is much work to be done to ready Insurgency: Sandstorm for release and we aren't ready to make official statements in response to your questions at this time. However, the prevention of unfair and toxic gameplay is, of course, important to us, especially when it comes to competitive play. We want all players to have a fair and fun experience, and as such have implemented one of the leading anti-cheats (EAC) into to Insurgency: Sandstorm.

Again, your time is appreciated for putting together such a detailed statement on the negative player behavior that can be experienced in multiplayer games. This sort of stuff is helpful to us as developers.

@jonny-higgins

Hi, I appreciate your feedback. I would not need any answers on those questions, you have a lot on your plate as it is. That you as developers have seen them and given them some thought is all that matters in the end. Best of luck with this great game and company.

Spray patterns are a terrible idea.
guns in reality don't have spray patterns, that's a videogamey copout and would ruin the shooting in this.
when you fire a gun, the bullet leaves the barrel in a straight line, I'd like them to keep it that way in Sandstorm.