|Posted by wtburnette | on Friday, June 07, 2002 - 06:05 AM EST|
|An article from over at Cnet about cheating in online games.|
Cheaters = Lamers !
"Rick Cortese knew he
was in a dicey neighborhood, so he played by the rules and made sure he
locked his doors before he went to sleep. But crooks still managed to loot
his home, sucking valuable possessions right through the walls.
Although online worlds such as "Ultima Online" and "EverQuest" account for only a small chunk of the game industry today, it's a profitable chunk, accounting for $210 million in revenue last year. Game publishers and analysts expect the segment to grow significantly in the next few years--to as much as $1.8 billion in 2005 by some estimates. That's because online games based on popular franchises such as "The Sims" and "Star Wars" will start cropping up to lure mainstream consumers into the arena.
Game companies are looking to subscription fees from online players as a major source of recurring revenue in the near future, with leading games publisher Electronic Arts predicting 400,000 subscribers paying about $15 a month for "The Sims Online" by the end of its current fiscal year.
But those subscribers may not stay around long if the new virtual worlds are full of the cheating and hacking that has marred previous online games. A small but fractious minority in online gaming circles, cheaters can suck the fun out of a game by introducing homemade characters with unauthorized powers and making it impossible for opponents to win or even survive. They can also quickly pollute the social atmosphere critical to many games.
"The cheaters are real fiction breakers, to say the least," said Cortese, a Los Gatos, Calif., chemist. "Nothing like fighting a guy that has a cheated character with twice your stats to put you off of a game. A lot of the third-party cheat programs gave people such a huge advantage it pretty much killed the (player vs. player) experience in the game for most people."
Matt Pritchard, a game developer at Ensemble Studios, best known for its "Age of Empires" series of strategy games, said cheating will become a particularly important issue as players without much online gaming experience enter the market.
"Cheaters get their kicks out of ruining the experience for other people," Pritchard said. "The people who are going to be most turned off by that are the newcomers. The hardcore gamers kind of know the lay of the land; they know if they have a problem, they can just find a server. But if you've got a 12-year-old girl going online to play 'The Sims,' and somebody figures out a way to destroy the character she's spent a lot of time developing--she's not coming back."
"If the average person goes out there and they have a bad entertainment experience, why are they going to continue to pay $9.95 to experience this crappy world?" Pritchard said.
Game publishers are obviously listening. At the recent E3 trade show in Los Angeles, one of the gaming industry's major shindigs, the issue made itself felt. A presentation for Xbox Live, Microsoft's online service for its game console, stressed hack-proof servers. And announcements surrounding upcoming PC games such as "Star Wars Galaxies" and "The Sims Online" discussed security measures that are being built into the games.
Michael Gartenberg, research director for research firm Jupiter Media Metrix, said security will be an important selling point in convincing consumers to invest the time and money such games will require.
"We're going to see a lot of investment in systems with military-grade security," Gartenberg said. "Protecting the integrity of players who invested significant time and money in these games is going to be very important. Nobody wants to pay a certain amount of money each month just to be killed off by a troll the minute they log in."
More than one way to break the rules
But thwarting cheaters won't be a simple matter, owing to the varied ways in which miscreants can bend or break the rules of online games. Common cheats in massively multiplayer online games such as "Ultima Online" and "EverQuest" include "trade hacks" that let players illicitly acquire in-game goods.
Another tactic is to employ automated programs that keep a character in play, allowing the character to quickly acquire new skills. "You're using a bot to play the character 24 hours a day, so you can go up from one level to the next without doing anything," said Erica MacGilp, co-founder of the Eternal Circle Association, a group formed last year to promote cheat-free gaming.
In multi-player action games such as "Quake III" and "Half-Life," hackers will try to tap into the servers running online games to execute cheats that let them see through walls or automatically aim weapons.
Then there are the troublemakers who tamper with the social interaction essential to many online games. "A lot of these games are as much about the social experience as the game play," Pritchard said. "If someone's running a bot that puts a constant string of profanity across the chat screen, that pretty much destroys that aspect of the game."
Pritchard said the first line of defense against cheaters has to be technological, with developers looking for ways to break the game and building in appropriate defenses from the start.
"If the online component of the game is significant, you need someone thinking like a hacker up front," Pritchard said. "With 'Age of Empires,' we didn't design the game thinking about all the things people could do to muck with it. We found later there were ways to re-architect it so that a person who was cheating became incompatible with all the people he was playing with, and then they'd kick him out. It was a lot of meticulous detail work, but I think it really contributed to the success of the game."
Pritchard added that game developers could to do more to educate one another.
"There's not been a good sharing of information within the industry as far as dealing with cheating," Pritchard said. "The developers are happy for us to hang out in chat rooms and talk about C++ programming, but talking about cheats makes them nervous. If they admit to their games being hacked, they feel like they're being opened up to liability."
Software developer Tony Ray said that while it's impossible to prevent every type of cheat, good anti-cheat technology can shut cheaters down almost as soon as they emerge. PunkBuster, software Ray originally developed for the action game "Half-Life" and its offshoots, resides on the player's PC, checking for known exploits and shutting down a game if it finds any.
"It's sort of like a virus scanner in that it scans the PC for any kind of exploit," Ray said. "The user basically trades some privacy for the ability to play on a level playing field, which is what the vast majority of players wants."
Ray is working on building a version of PunkBuster into the popular action game "Return to Castle Wolfenstein" and is in contact with other developers building similar anti-cheat mechanisms into their games. He's confident such features will become mandatory as online gaming spreads.
"I think within the next few years, if your online multiplayer game can't promote being cheat-free, you're not going to be able survive," Ray said. "It's so frustrating to start a game and get killed off right away because some guy is using an exploit. People will just leave and go someplace that can ensure them that they'll have a fair game."
But technology alone isn't likely to do the job. Scott McDaniel, vice president of marketing for "EverQuest" publisher Sony Online Entertainment, said Sony has worked hard to block cheats in the "EverQuest" PC software and server technology. But much of the credit for keeping the game clean goes to the 120-person customer support staff that Sony employs for the game and fellow players who quickly report suspicious activity.
"Most of our notification of people breaking the rules come from other players," McDaniel said. "They want to keep the game fair, so they're very good at letting us know when they think something's wrong.
"We try to treat everybody as a reasonable adult," McDaniel added, "but if push comes to shove, we will ban characters and accounts. We do our best to ensure that all our players have an equitable, fair gaming experience."
Mythic Entertainment's "Dark Age of Camelot" has become one of the fastest growing paid online games partly because it has reacted seriously and promptly to any reports of cheating, said Mythic President Mark Jacobs.
"We have a very straightforward attitude to cheating: We see it; you're gone," Jacobs said. "I will happily sacrifice a small portion of my paying customers to ensure the rest of them have a quality experience."
Such monitoring accounts for a significant part of the expense of running an online game, said David Cole, president of research firm DFC Intelligence.
"It becomes a major challenge to have a customer service network monitoring everything on an ongoing basis, but you have to do it," Cole said. "The big risk is that you start getting real high churn if you don't. New players get fed up and just say, 'Forget it.'"
ECA co-founder Cory Nott said technology can go only so far in stopping cheaters. "It's really important to shut down the exploits as soon as possible, but I think there has to be a social aspect to any anti-cheating measure. Honest players basically have the same goals, and if they have the right tools, they can police themselves very well."
ECA's approach is to form a sort of neighborhood watch for online games. Players who join the group pledge to play cheat-free. Anyone found violating that pledge is publicly removed from the group. "We're promoting trust, playing with people you know and respect," MacGilp said.
Michael Bacarella, a New York software developer and aficionado of online action games such as "Doom" and "Half-Life," envisions a system similar to eBay's feedback ratings, with game companies maintaining a central repository where players could rate each other for honesty. The result would be a "network of trust," with honest players given reliable tools to find each other.
"I think if game communities started using tools to help players regulate themselves, it would be much more effective than chasing another software fix," Bacarella said. "You never see these anti-cheat tools get anywhere. They're successful for a few weeks, but then somebody figures out how to break them."
Source: David Becker, Cnet
Limited Trust in Online Gaming Communities
Cheating in online gaming has become a huge problem. Anti-cheat clients promise to deliver us all from evil, with some companies even seeing cheat prevention as a fledgling new industry. This paper will show why anti-cheat clients have no chance of success as well as suggesting an alternative plan.
This document is targeted at anyone involved in games. Players, developers, and the pointy haired bosses at game publishers.
A Matter Of Trust
When you play online games, you're usually playing client/server, with the client running on your computer and the server running the game world and servicing your client, among a host of other clients.
In many respects the server must place some trust in the client. It must be trusted to display the proper game environment, respond the same way to game controls, usually have the same concept of time that the server does, and many other pieces of game state. The server even trusts that the client is actually a playing client and not a robot or a proxy which is altering game state between the client and server.
Some servers go even further, allowing the client to manage all state related to the player, such as items the player may possess and the player's current position in the world.
The obvious problem with this kind of trust is that it can be easily abused for cheating. There are two areas of trust relevant for the discussion in this paper.
People. People can be untrustworthy. They tend to favor situations where they have something to gain. Many enjoy manipulating trust to their advantage, even when it comes to seemingly worthless scenarios like cheating at games. The fact that the consequences of cheating at games are little to none makes cheating all the more intruiging.
Computers. The game client runs on a computer, but usually a computer that the untrustworthy player owns. Because the computer is untrusted, and the player is untrusted, the client must be untrusted no matter what protocol or cryptographic mechanisms are utilized.
Anti-cheat clients are ``trusted'' applications that run on or with the participation of the client's computer that will both authenticate the player and verify that they are not in fact cheating. Typically they check for popular modifications, compromised system libraries, or resident cheat programs.
The problem with trusting anti-cheat clients is exactly the same as trusting the game client. They run on untrusted computers controlled by untrusted players. Everything they do can be blocked, manipulated, and otherwise foiled so that they can convince the anti-cheat server and/or game server that all is well.
There is no way around this through software. Period. Every method of frustrating anti-anti-cheat clients can be countered and every encrypted binary, secret code or checksum can be broken, every piece of inspected data can be spoofed. Even hardware tokens (as seen in some copy control schemes) are susceptible to this kind of attack.
The more effective an anti-cheat client is, the more people that will use it. If more people use it, the target becomes all that much more worthy of attack. Typically, people that break anti-cheat mechanisms are not themselves cheaters, but rather technically inclined individuals who enjoy the challenge. To prove that they can be broken, to gain notoriety, the adoration of their peers, and so on. They live to prove that software anti-cheat systems must fail by definition.
And fail it must. Developing an anti-cheat client isn't simply an uphill battle. More depressingly, it is a losing battle. Period. They cannot win. As clever as a few developers can be, the battle is not fought on their turf. The combined technical community proper is also far more clever, dedicated, and resourceful.
Attempting to control software on an untrusted computer system is not a new struggle. Even the multi-billion dollar music/movie industries have to deal with this.
For example: A 16 year old managed to crack DeCSS, the copy control system used on DVDs. All of that trouble they went to to sell DVDs that only work in specific regions went out the window. People could also release unauthorized software players which allow you to skip the coming attractions. Currently, this software is illegal under the Digital Millenium Copyright Act. Without discussing the serious constitutional issues in such a law, as we all know, making something illegal doesn't simply make it go away.
Another example: A small research group managed to crack every copy control mechanism in SDMI (a cadre of protocols for controlling digital music). This wasn't a bored teenager, but in fact a professor with the aid of his students. Under the DMCA, this research too is illegal to publish. The case is currently unfolding as this article is being written.
Don't forget about the warez community. To date there is still no copy control mechanism that has gone unbroken. People have too much control over their PCs. There are various moral issues to consider in software piracy, but all but the most naive of publishers know that there is little they can do to stop it.
Instead of attempting to control the uncontrollable through software agents or bought laws (hopefully it won't come down to that), the game industry would do far better to focus on non-software anti-cheat systems. But if anti-cheat clients are so flawed, you may be wondering why the industry continues to develop them. A couple of reasons:
- Information security is rarely taught in schools, and most professionals simply haven't had to deal with these issues in their careers. Perhaps they simply don't grok the futility in what they're trying to do yet.
- A game publisher has a significant investment in an online gaming system and management is screaming at developers to just do something about cheaters who are driving away business. Throwing money at their programmers might be the only thing they can think of.
- Assholes who want to capitalize on the disgust of the gaming community proper by offering false hope in the anti-cheat client of the week, preferably in exchange for money.
Anti-cheat systems should instead leverage the fact that game communities are in fact real communities. Players tend to interact, socialize, get to know one another, and form groups and trust relationships. Just like in real society, evildoers are dealt with through a variety of means. The activities of evildoers are dealt with or at least curbed through community trust models. You see it everywhere. Creditors will often consult a trusted third party (a credit reporting agency) when determining if it's safe to loan someone money, employers ask for references, etc.
The Blacklist Model
This one is simple enough and can be remarkably effective if all players require a unique identity which is tied to their real life identity in some way. It's useless if new player identities can be created arbitrarily.
Players that are determined without a doubt to be cheating are added to a server's blacklist. These server admins then share their blacklists with other admins. Some kind of verification can take place to determine if this player shows evidence of cheating on other servers.
Server admins can even organize to set up a system to publish their blacklists to a central repository which participating admins subscribe to. Players can choose to avoid servers with blacklisted players or admins can more aggressively reject blacklisted players from connecting.
Such an approach takes a lot of initial effort to start seeing results, but can prove remarkably effective with the assistance of the game developers. The author has seen evidence of this in certain gaming communities, but nothing very widespread.
Network of Trust Model
Some player groups often refuse to play with people that they don't trust. An example being passworded game servers where only a close circle of friends have the password. Another method is by playing in environments where the computers are owned by a trusted third-party, such as LAN gaming cafes.
The network of trust model aims to augment the small community trust model so that it may encompass an entire gaming community. Here's how it works.
Alice hereby takes a vow to never ever cheat. Trent, Alice's friend, can vouch that Alice is a person of integrity, that he trusts Alice, and that he can verify that she's not cheating. In turn, Alice does the same for Trent. They have developed a trust relationship and publish this fact to a well known location.
Bob also takes such a vow, and asks his friend Eve to do the same for him as Trent did for Alice, and vice versa. They too publish their newly formed trust relationship.
Trent and Eve just happened to know each other, and already had a trust relationship, and therefore Alice and Bob, who have never met, if they ever check the trust database can determine that since they trust people that trust one another, that it would be safe for them to trust one another. In an online game, the server would handle this automatically and tell each player how trusted the other players are. The players can make a judgement call whether or not to continue playing on the trusted server.
But the true beauty of such a system is that it is self-regulating. If a user with a high trust rating starts cheating and is caught, this would damage the trust rating of everyone who trusts him, reducing everyone's trustworthiness. Like in real life, when a member of a group comes under scandal, the remainder of the group will move to distance themselves from the member in question. In our model, the players would disassociate themselves from the cheater if they want to keep their standing.
This is more powerful than one may realize. If every player establishes a trust relationship with about 15 other players, most people will only be about 4-people-removed from one another in the trust network (which is enough to encompass about 50,000 players--a number typical of large gaming communities). Eight person displacement averaging 15 people each is enough to cover the population of the United States.
Servers can resolve all of the trust relationships and display customized trust levels for each user. To free admins from the burden of dealing with cheat complaints, the admins could set a minimum required trust level to play on the server. Other admins may choose to simply advise players that they're playing with untrusted players and leave it to the player to decide whether to keep playing on the server.
This system will not be perfect. It is vulnerable to betrayal, fraud, conspiracies, etc. Just like the rest of society. It will certainly not be easy. However, unlike software anti-cheat systems, this actually has a chance of succeeding.
All of these relationships can be established and maintained through cryptography and user authentication. Game developers are often very unique and talented people, and if they got into the right line of thinking, there's no doubt in my mind that they could implement a highly effective trust-network system that becomes as easy as second nature to players.
Anti-cheat clients are a red herring. While it's satisfying to see them work sometimes, they're largely an inconvenience to legitimate users and will only work for a limited amount of time before they're broken.
A solution that leverages the relationships that humans already build naturally is probably our only hope. At the very least, it's not doomed to fail without failure like anti-cheat clients are. Isn't someone going to give it a chance?
A Web of Trust system is proposed and supported by both PGP and GPG.
Advogato.org is an experiment in group trust metrics, and seems to be quite successful, although I make no claims to actually understand the math they use. See http://www.advogato.org/trust-metric.html
If you care at all about information technology, privacy, or security, run, don't walk to your nearest bookstore or e-tailer and pick up Secrets & Lies by Bruce Schneir.
While I myself am I no-name nobody, John Carmack (of id Software) expresses similar views in his .plan file:
I'm sure I will catch some flack about increased cheating after the source release, but there are plenty of Q2 cheats already out there, so you are already in the position of having to trust the other players to a degree. The problem is really only solvable by relying on the community to police itself, because it is a fundamentally unwinnable technical battle to make a completely cheat proof game of this type. Play with your friends.
About The Author
Michael Bacarella runs a legal fiction titled Netgraft Corporation which he uses to provide goods and services. He considers himself a wandering security analyst and masterful programmer.
Electronic mail address is mbac aaat netgraft daawwwt com. (Excuse the spambot armor)
Actual Impacts / Repercusions
DisillusionFound on 'Kiliad of Oz's RF Map site was the obvious annoyance at the inability / unwillingness inwhich 'Volition' is handleing the situation.
"The loss of the VBB has pretty much killed the RF community so I can't see the point of continuing. This page will remain up until I find a new game with a map editor. I feel very sorry for anyone who has just bought the game. With the huge number of cheaters and no support from Volition you've been royally ripped off."
When Pigs FlySo I emailed him for further comment and he responded . . .
Well where to begin... in the beginning I guess.
When RF first came out there was an official forum, the Volition Bulletin Board (VBB). It was a great because it was a central meeting place for RF players and new maps could be advertised there. The RF community was fairly big and growing fast.
Red Faction is a brilliant game but it has some major bugs in it, namely the ease with which people can cheat.
The game was designed so that you could use MODS (or modifications) which can be used to make new weapons and other fancy stuff.
Mods were supposed to only work when you were in a multiplayer game with everyone else using the same mod. They were and still are very popular but many people prefer not to use them because they like the game as it is without modifications. However, the bug allows people to enter a multiplayer game where nobody else has the mod giving them a huge advantage. This is just one of the cheats they use.
They fly through the sky, they can walk through walls and they make their weapons far more powerful than they normally are.
When the cheating first started there was an immediate call for Volition (the game maker) to come up with a solution. After a VERY long time they eventually produced a patch to overcome it but this was successful for only about 1 week after which the cheaters were back. They'd found a way to get around the patch and cheating became even worse. More and more people called for Volition to provide a better patch to stop the cheating but nothing came of it. Eventually they just announced that the VBB was to be closed down. This really made people angry because not only was it obvious that Volition would no longer support RF, there was no place for people to meet. One of the great things about the VBB was that you could go there for assistance. Even if Volition wouldn't help, other players provided trouble-shooting info from solving hardware problems to designing your own maps. After the VBB was closed many people just gave up and moved to other games like Return to Castle Wolfenstein and Medal of Honor. Other forums were started and still operate but they just don't have the number of people visiting them. If you are going to buy the game then you can still play games online and make your own maps but you've missed out on the best of it and you WILL encounter cheaters, and believe me they are incredibly annoying!