This is easier and cheaper. Just take replays and audit them for cheats at a later date should people complain or due to obvious triggers. Again easier and cheaper. Make the response to cheats more of a social slap on the wrist.
It never makes any sense to even take away their account unless you plan to sell them a new one. Turning it more into a central audit system that solidifies when necessary the otherwise shared hallucination.
Much of the auditing can even be done client side, with clients flagging other clients as suspicious. For me, after playing the game as intended for a while, the meta-game of hacking and automating it is far more interesting than the original gameplay.
Programmers, by definition, are keen on automating boring, repetitious and dumb tasks. The one who endures the boredom longer and spends the most time in the game gets the biggest rewards. So how do you prevent cheating? Reward actual skill over forbearance, make the core gameplay interesting enough so players will feel they are missing out if they are cheating.
No one sends a bot to see a movie for him… Also, make the interface of the game as streamlined as possible.
A small note: FPS games have performed a lot of culling, starting with Quake. ID used a concept called a vismap, or a visibility map. Basically, the map designer calculated in advance which parts of the map are visible from each location. However, the main reason for calculating vismaps was not to deter cheaters, but to speed up rendering. All the server needed to do was to put the vismap to a new use and check whether players were in areas that could not be seen by the other players.
As Raph says, people move very fast in FPS games. What may be invisible in one frame may become visible in the next, and in the high-stakes Quake 3 Arena world, frames matter.
Also, you have to consider the worst-case scenario. Static items can be filtered properly, however. For example, all the weapon and ammo pick-ups. It may have been during the beta, though. We were at Origin then, and someone on the UO2 team was analyzing the packet stream? The way to think about it is this — you have a static dataset (the map) and a dynamic, quickly moving dataset (objects like players, pickups, bullets).
The map is pre-cached, which means that the client knows ALL of it — it can make automaps if it wants, it can tell you the best paths, it can hack the art. But it can also optimize what to render. The dynamic stuff has the potential to move very fast, so the server tells you where all of it is at any time. After all, it might round a corner, or you might round a corner. The renderer then does render culling, which is to decide which items to draw. Or autoaim at them, lining up the shot before they come out from behind the wall.
So the map gets chopped up into network update areas. The only total solution is to do line of sight network culling, but that is both CPU-intensive, and also would require a round-trip to the server, which makes it impossibly slow.
Most MMOs settle for radial network culling. I suspect that even a single UDP exchange with the server may introduce too much lag.
Using something similar for precached client-side material ought to be viable, though. But yes, a token exchange of hashes or keys in classic key exchange style could be done. That decryption-keys-sent-on-demand sounds interesting. While you may not be able to decode the contents, the act of transmitting encrypted data can be telling in itself.
These are serious problems now, but will they not eventually go away as bandwidth and server hardware get better? Do you think that the demands of things we want to do are growing faster or slower than the abilities of the physical infrastructure? They can, but most of these improvements are being put to use in driving bigger and better features, rather than locking down security. It just keeps you from losing too much.
The other option is to pre-load multiple data sets or assets and then simply point to the right one when needed. In many cases you can stop tampering by using a keyed hash function or MAC instead of encryption. My personal maxim when writing business software for internal use over a LAN or Intranet: You can try to monkey-proof your software but a monkey is still a monkey.
It saved a lot of time in testing and customizing. Later, someone got the bright idea that certain outside clients and vendors should have access. What a nightmare. Security in general does require a specific mindset. With respect to sending encrypted data to the client speculatively, to be decrypted only when it becomes appropriate, it seems to me that it can be useful to cache potentially relevant data on the client.
For example, the stealther problem in Dark Age of Camelot. Pre-sending unencrypted data could give a compromised client some information you would not like to present to an unmodified client — the appearance, allegiance and perhaps the name and Realm Rank of the would-be assailant. Sending it early but encrypted sounds like an effective compromise technique. You can disguise it by filling otherwise unused bandwidth with nonsense that you never ask the client to decrypt.
The missing data, position, speed and animation, should hopefully form a small enough packet it will not introduce any significant latency by itself. In Metaplace, the packet stream is completely open, and the client is completely stupid.
So you are forced to verify everything on the server and do everything on the server. Raph was correct about EQ. Then Verant got smart and made mobs only spawn loot when killed. Another wonderful aspect of the way they used to do it was that rogues could pickpocket loot off of mobs leaving them empty when actually killed!
The occasional quest mob would drop his head when you killed him — rogues could pickpocket those too. Pretty funny. There is no reason to not use heavy-duty encryption on the client side, but I suppose it could be heavy for the server for real time data. However, you might get away with just encrypting the most vital information. Separating information into their own streams tends to give better compression ratios, so it makes sense to do it for two reasons. Cool topic.
Raph, you need to push a lot of data for that to be a problem. Here is a random page which suggests that cryptos takes less than cycles per byte. A modern CPU can do billions of cycles per second…. You might be thinking of public key encryption? Authentication rather than pure symmetric encryption?
Like SSL? I still think the server is on the losing end, but I could be wrong. Solok — the cryptographic system would have a unique key for each client (SSL does this as a default). Therefore, unless the client willingly shares its key with another, the server can tell them apart and it is cryptographically hard for a client to spoof another.
Raph — It would seem surprising to have the computation problem for encryption on the client side. After all, they only have to encrypt one data stream while the server has to encrypt N times the data streams (one for each client) with whatever computational overhead is associated with each.
Also, it is distressing as to how willing people are to work at attacking these systems. There have been several online games that have been brought to their knees by security problems. This is Guild Wars, created by ArenaNet with 3 guys from the battle.
The client only has the static files (textures, maps, etc.). The next wave will be, like in real-life, more social engineering approaches, exploiting the game mechanics and the virtual economies. For those interested in more about this, Raph Koster recently posted an elaborate examination of hacking and cheating in MMOGs.
I fully agree. Security is not a feature. Servers are part of the game experience, too: without them, you have no game. A couple extra spares? A little extra security? But a game is not a bank. Well… not yet. Any kind of community wide comparative measures that can be exploited for gain raises the bar of the standard. Ladder PvP systems like the early WoW rank system.
I disagree with the premise of an open-source client having any bearing on what people do with the software that the developer does not like. Finding something to exploit in the client is extremely hard work without the source. Any benefit derived from more eyes on the source will be handily wiped out by… more eyes on the source.
By turning off gibs in the original Team Fortress, the only corpses you would see were actually spies lying on the ground. Or people would use skins they thought were hard to see, but locally I would have that file name assigned to a fluorescent Bozo the Clown skin instead. That would be approximately 10, hackers to be caught every day. Also, aside from anti-cheat, is there a virtual surveillance that lets the admin and spy program teams monitor each game server of an MMO game for some weird actions?
When an admin sees a user doing flying-hacks, for example, via virtual surveillance, it will automatically give a probation or else permanently ban the user? How effective is this one? That will guarantee that players can't cheat by using hacked clients; the only changes they will be able to make will be cosmetic changes that only they themselves can see.
- Don't send information to the client the user isn't supposed to know (like enemies behind walls).
- Don't trust the client when it reports its location or any other game state information - only receive input commands and then tell the client the results.
- Do any collision- and hit detection on the server.
- Save, maintain and persist the game state on the server, not the client.
When a game allows the client to increase its cash shop credits without a server confirmation, the developers seriously don't know what they are doing.
When you use binary space partition and portals, you can already rule out most trivial cases of obstructed sightlines. Unfortunately, all victims have been kicked everyday considering them as cheaters even though they're not using hack tools.
Sad but true. Also, Philipp, you're saying that less info on the MMO program project will be less chance to let hackers cheat for the win, aren't you? Most of all, most users never stop complaining because of hackers still alive even after server maintenance. Or maybe, is it some of the company's servers having a hard time getting rid of the hacks? A cheat can only expose and manipulate the information which is available on the client computer. So the best way to prevent cheating is to not give the client any information which must not be exposed to the player and to not store any information on the client when manipulating it could give the player an advantage.
When you design a network protocol, never assume that the client does only what it's supposed to be doing. Cheat Engine will allow you to make scripts that do the hacking for you, just like game trainers.
You cannot hack any server based game with any cheating software. Originally Answered: Can I hack online games? Yes, basically any game can be hacked if you are able to get into the source code which is what aim bots do. So if you were looking for Cheat Engine that runs on Android, it is not the right article for you although there is a version for Android, but it requires the root and at the moment is not as powerful as the PC version, however I wrote an article on it, you can find here: Use the Cheat Engine app on an Android device ….