Now that Stop Killing Games is actually being taken seriously - maybe we need to take a look at Stop Fucking Around In Our Kernels
I haven’t really been personally affected by it before - I don’t play any competitive multiplayer games at all. But my wife had her brother over, and he’s significantly younger than us. So he wanted to play Fortnite and GTA V, knowing I have a gaming PC. Fortnite is immediately out of the question, it’ll never work on my computer. Okay, so I got GTA V running and it was fun for a while, but it turns out all of those really cool cars only exist in Online. But oh look, now they’ve added BattlEye and I can no longer get online.
While this seems like a trivial issue (Just buy a third SSD for Windows and dual boot), it’s really not. Even if I wanted to install Windows ever again, I do NOT want random 3rd party kernel modules in there. Anyone remember the whole CrowdStrike fiasco? I do NOT want to wake up to my computer not booting up because some idiot decided to push a shitty update to their kernel module that makes the kernel itself shit the bed. And while Microsoft fucks up plenty, at least they’re a corporation with a reputation to uphold, and I believe they even have a QA team or 2. CrowdStrike was unheard of outside of the corporate world before the ordeal and tbh nobody has ever heard of it afterwards again.
So I think this would be a good angle to push. That we should be careful about what code runs in our OS kernels, for security and stability reasons. Obviously it’d be impossible to just blanket ban 3rd party kernel modules to any OS. However, maybe here in the EU at least we could get them to consider a rule that any software that includes a component running in the OS kernel, MUST justify how that part is necessary for the software to function in the best possible way for the user of the computer the software is running on. E.g. I expect a hardware driver to have a kernel module, and I can see how security software needs to have a kernel module, but I do NOT see how a video game needs to have an anti cheat with a kernel module. How does that benefit me, the customer paying to be able to play said video game?
I usually solve this issue by… just playing something else.
It sounds hard, but I assure you, nothing is impossible.
There is no need. CrowdStrike was such a disaster for Microsoft that they are already on the path to locking down the kernel. Nobody but MS will have kernel access eventually. Give it a few years (and 1-2 Windows versions).
Apple has already done the same with macOS 10.15 Catalina in 2019. No more kernel extensions = much better kernel-level security
This will become the industry standard
It should be said that I’m not against games detecting cheaters and banning them from online play. It’s very specifically kernel-level anticheats that I can’t stand on principle.
I’m against them being able to ban you from playing online in its entirety, which is something they can do because most online games don’t let you run the servers yourself anymore. Sure, if someone cheats on official servers, ban them from the official servers. They should still be able to play, cheating or not, on the server they run themselves, but that’s not an option we even have most of the time.
This one is such an overlooked part of this whole dilemma. The problem is NOT THAT the official servers are not allowing clients without kernel level anti cheat. It’s just we don’t have an option to host our own servers anymore and we’re confined to following the rules.
It is “overlooked” because it is a non-answer.
Nobody wants to play with all the cheaters and the people who got banned because they couldn’t stop talking about how much they love CSAM in the lobbies.
I mean, look at twitter. After the recent mass exodus to bluesky there is anger because they are realizing their quarantine zone is REAL shitty.
I do wish more games would provide player run servers as an option. But I am under no illusion that that is going to be good for anything other than “Hey, remember when we all played Chivalry 2 for a few years? What say we play that on Friday night and then ignore it for another decade?”
That’s a strawman argument. First of all, plenty of people would be happy to self-host a game for their friends, if they were still allowed the option. Second, even people who want to run a public server would still be free to ban people (for whatever reason they wanted). We’re not talking about being forced to tolerate antisocial fuckwads.
As something nice to have? I fully agree (and said as much)
As an alternative to anti-cheat solutions/“solutions” as was being presented?
No, it is not an answer. Because it would indeed be forcing people to tolerate “antisocial fuckwads” or forcing people to find private servers to play with each other like in the good old days.
In my experience with TF2, many popular community servers have common-sense rules like no slurs, cheats, etc. The great thing about a player-run server is that, if you want, it can be stricter than official guidelines, as Valve for example is pretty hands-off beyond the obvious in-game cheats. It allows pockets of the community to shape the experience they want to have more adeptly than official servers ever could.
Yes, that’s part of the StopKillingGames agenda as well. Allow us to control our own servers! For fuck’s sake, it’s CHEAPER for them, because WE’RE paying for hosting. A dedicated server costs money! And it keeps people buying into the ecosystem after the initial sales high because you form communities and then tell people IRL how awesome the game is. Assuming you have time for real life friends of course.
I’m not against the existence of a matchmaking system, or even against it being the default. Just give us a tiny menu item “Dedicated Servers” somewhere and keep that one around forever, even when the publisher is long bankrupt because the CEO blew all their profit on sculptures of oddly shaped penises or something.
“Butbutbutbut server side anticheat is haaaaaaard and requires us to actually think about what values are actually valid and understand our own internal game states. Kernel level anticheat ~~lets us be lazy~~ costs us less and requires less development time!”
Unless they deviate substantially from how they build games in genres like shooters, server side anti-cheat isn’t going to catch everything that kernel level anti cheat does. However, kernel level anti cheat doesn’t catch hardware cheating anyway, so if cheating is always going to be imperfect, we ought to stop short of the kernel.
Was it Delta Force that made everyone lose their shit because it “accidentally” warned people would be banned for usb thumb drives?
Because… that is coming. No, not the thumbdrive. But scanning your various devices to detect hardware based cheats. Which… is likely also going to be pushed by logitech and razer to get ahead of the crowd that are sick and tired of needing their bullshit software to properly use mice and are looking toward alternatives.
This will take a rogue agent to send malware or otherwise brick all machines by kernel injection. The crowd strike event poked a hole in the dam. This needs a full exploit to get major traction beyond game studios moving to the next kernel level drm/exploit engine.
Now that Stop Killing Games is actually being taken seriously
600k signatures to go. Link for EU citizens.
Arguing that buying something means you own it is much more digestible for the general public. Arguing that the video game codes run slightly different on your machine than you would like is esoteric and a non-starter. This is not a matter for the government, just don’t buy shitty games. Literally no game is required to be bought.
This is not a matter for the government, just don’t buy shitty games.
This IS a matter for the government. “just don’t buy shitty X” is a “just use magic” argument.
The point is not enough people understand it to gain any momentum
It’s been time. Game companies have no right to access that level of any system I paid for. If they want to use kernel level anti-cheat on their consoles, that’s on them. But my computer? Absolutely not. They don’t have a right to that, when I bought the computer I didn’t agree to that in a EULA or TOS, and they do not make it apparent that their games carry this level of anti-cheat at sale.
You agree to that in the EULA/TOS of the game you want to play (and how legally binding that is is anyone’s guess). You just never read it (because nobody does).
The reality is that it is just another layer of risk. You are or are not choosing to install software on your personal computer that may or may not increase your risk level. It is no different than going to that website that makes your GPU spin up real hard or grabbing something from itch that is actually malware and so forth. It’s why people increasingly suggest having a dedicated device for taxes and anything else private.
Personally? I understand the benefits to kernel level anti-cheat and, while we have no data as consumers, it is clearly effective considering the state of games today versus games in the 00s and publishers are willing to allocate funds for it. I still firmly believe that there are better methods that involve analysis of player behavior but I also understand the compute costs of that will be insane.
But also? I don’t want that shit on my computer (not that it would work because… Linux). So I choose not to play the games that require it. It means I miss out on some games but the good news is that there are way more games out there than I can ever play.
All that said: I increasingly think the end state is going to be competitive multiplayer games being console exclusive due to a mix of exclusivity rights and having a walled garden ecosystem that actually CAN be controlled.
We literally have a CrowdStrike report giving direct examples of how bad it is potentially as a vector for malware. Additionally it doesn’t solve the problem it aims to solve, as reported by several outlets because it doesn’t stop hardware level cheating, just potentially stops scripts. So you could absolutely enable cheats through a device like a keyboard and mouse or controller and the Anti-cheat does nothing.
Additionally though, I am not buying products with kernel level Anti-cheat and that is intentional, so I am not agreeing to the TOS or EULA of those games. If you add to this the fact that some games retroactively added kernel level anti-cheat, it’s bogus to assume that people are in the know or that they agreed to such things in the original TOS or EULA. Steam only recently made developers list kernel level anti-cheat on store pages for their game.
Also, kernel level anti-cheat in single player games is just ridiculous and invasive.
There are a few layers to that
First: The crowdstrike issue had little to nothing to do with any kernel level hooks. The issue was one of software engineering and deployment. It could just as easily have… taken out an entire country by triggering false positives that prevent systems from connecting to the network.
Second: You’ll ALSO note that even after… taking out an entire country businesses still use crowdstrike. Because it is that damned good at its job.
Third: Yes, current anti-cheat solutions are less than effective at hardware based hacks. It is almost like there is a reason that the Delta Force (?) game made a big deal about banning people for thumb drives. That kind of scanning and testing is coming.
Fourth: Crowdstrike is not something you install on your personal device (unless your job’s IT department are idiots). It is something you install on company owned devices.
Additionally though, I am not buying products with kernel level Anti-cheat and that is intentional, so I am not agreeing to the TOS or EULA of those games.
Cool. I am also not. So no “rights” are being violated.
AMD had a graphics driver blocked because kernel level Anti-cheat flagged it as a cheat program. Genshin Impact’s anti-cheat was literally used to stop anti-virus programs running on people’s computers and mass deploy ransomware, and the gaming industry as a whole is extremely lax about the security of their users. Several companies’ anti-cheat have been flagged by anti-virus software as malicious.
There are layers to the kernel level anti-cheat business too and people still do buy games with kernel level anti-cheat. The fact that that kind of scanning is coming isn’t acceptable which is the point. I choose not to spend my money at companies that enable this kind of crap in their games. That’s not enough. It should be facing opposition from every quarter specifically because it is not only invasive, but also only raises the barrier to entry to the detriment of users’ security, and which is likely to cause the same boom that things like the campaign against piracy did in the 80’s/90’s. People didn’t know they could cheat so easily and now they do. Congratulations this has done the opposite of what is intended.
https://www.xda-developers.com/kernel-level-anti-cheat-tech-disaster/
Anti-viruses flag a lot of things. It is called a False Positive (or sometimes a “Someone didn’t pay us for an exception” Positive but…). It has nothing to do with something hooking into a kernel or just being a program you run in userspace.
Genshin Impact’s anti-cheat was literally used to stop anti-virus programs running on people’s computers and mass deploy ransomware,
I assume you are referring to https://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html
Which… I’ll just raise you https://www.polygon.com/22898895/dark-souls-pvp-exploit-multiplayer-servers-remote-code-execution which allows for ridiculously dangerous RCEs without needing any kernel level hooks at all. So…
and the gaming industry as a whole is extremely lax about the security of their users.
THAT I do not disagree with in the slightest. Which is why I am glad that most studios outsource anti-cheat because they are not at all qualified to handle it themselves.
I choose not to spend my money at companies that enable this kind of crap in their games.
I mean this in the most inflammatory and blunt way imaginable:
Nobody gives a shit about you. Nobody gives a shit about me either.
We are two people. We don’t fucking matter. What matters is the people who play every single Riot game ever made for thousands of hours each. THEY spend money.
Like I said before: it is about accepting risk. Knowingly or unknowingly, it doesn’t matter any more than telling your parents that you must have gotten a virus from that pokemon cheat code rather than the hardcore pornography that came in exe form for some reason.
You don’t want to compromise your security more than you already do. Cool. Most people playing these games are fine with that if it reduces the odds that they have their free time ruined for them by aimbots and wallhacks. And… clearly there is merit to this approach if studios are willing to pay for it.
Because, at the end of the day? We’ve been through this. Back then it was DRM. DRM was bad and DRM was horrible and EVERYONE had a super obscure russian (?) cd rom drive that Starforce would brick. And the same arguments of “ideologically this is bad and it could ruin things for a very small percentage of people” came up. And the answer was always “I refuse to buy anything”
And… everyone else DID buy things. The genuinely bad shit like starforce went away in favor of activation model DRMs (which continues to this day) but also… alternatives were actually presented. Steam is basically a variation of GOO (which is also basically what GoG does) but Steam has the added benefit of people being scared shitless of getting caught by Uncle Gabe and having their account taken away.
And that is what we need here. Not asinine requests for politicians who understand nothing to solve this for us. We need actual alternatives that work better AND are less invasive.
As an aside: I increasingly notice that you say very inflammatory things based on a misunderstanding or misconception of the thing you are criticizing. That is a bad habit in general but it is a REALLY bad thing when it comes to cybersecurity (which this basically is). Because it gives you a false sense of security when you think you are following best practices but are actually spewing nonsense and ignoring all your other risk vectors.
Money talks.
Don’t buy the game.
This doesn’t work. It will never work. You can’t shame conscious consumers into voting with their wallets while the other 99% keeps buying the bad practices.
Thing is, if nobody on Lemmy, and literally nobody in general who cares about anticheat, buys GTA 6, you know what effect that would have on the company’s bottom line? None, they’ll make record profits.
So now you try to convince the 99% of players that are buying the bad practices, that a magic (to them) program that prevents cheaters is bad (since “has too much access” doesn’t really explain anything). They don’t care and won’t care.
They applaud it even.
…still not buying it, tho.
Right, well they are trying to start a campaign to popularize the comment you just made. Or at least that’s my understanding
I think it should also be noted that the games industry is not audited for security to the same degree as a lot of other industries. So vulnerabilities may not be found until years after launch and then go unpatched indefinitely because the company has already moved on to the next thing.
Hell, one of the older CoD games had an RCE vulnerability that as far as I’m aware is still not patched.
Plus, major publishers like EA are now pushing to create their own kernel-level anticheat in-house. Why should anyone trust them to create a secure piece of software that runs with the highest permissions possible when they can’t even be trusted to create stable, functional games?
Someone discovered Dark Souls games had an RCE but they never responded to the person that kept emailing them about it for months. The security guy then started invading streamers and crashing the game while doing fun stuff like showing text on the screen. Only then did Fromsoft take down the servers and patch things up - which took a few months.
Yes, game companies really don’t take security seriously.
I was boycotting it before it was even in the news.
competitive multiplayer
I feel it should be added that this is one use of anti-cheat, but it also gets used on noncompetitive single player games, too.
Usually if a game has micro-transactions, but also to “protect our IP” as has been seen with a number of older non-MTX single player games recently being retrofitted with it.
Guess I’m OOL. What non-competitive games have kernel anti-cheat?
With you on this, regardless of the method used, no app has any business running or snooping outside of the container that it was set up in. And this doesn’t just apply to desktop operating systems, mobile and entertainment consoles too.
I’d even take it a step further, that nonsense shouldn’t be on my machine in the first place.
Want to run anticheat stuff? Run it on your own crappy servers at your own cost and processing power. Live detect it through packets that are sent to you and are being processed, be it voice or input.
Whatever happens on my machine is none of your business.
This issue would be solved / non existent if matchmaking was not the only option for playing online games, which wouldn’t be an issue if publishers stopped being so greedy and predatory when it comes to player retention, which wouldn’t be an issue if the economic system we live in didn’t promote this toxic behaviour.
So yeah, kernel based anticheats are mostly just a symptom of a larger problem, the rotten video games industry.
This issue would be solved / non existent if matchmaking was not the only option for playing online games
This is incredibly false.
Back in the day? Counterstrike 1.6 was SO good that we played through it with rampant hackers everywhere. Finding the rare server where people weren’t using aimbots and wallhacks was a bigger find than a hyper attractive alien asking you to teach it what love is. Same with UT and Quake.
And none of those did “matchmaking”.
Now that Stop Killing Games is actually being taken seriously
It is? They’re still at 39%. Let’s not call victory before reaching the start of the race. Getting to 100% will just be the beginning.
Also, kernel level anti-cheat seems like an easy thing to fix: don’t buy the game. Be a little bit more principled and selective in your purchasing choices.
I don’t live in the EU, and am not sure it’s a good idea to sign the petition for that reason even though I agree with them 100%.
Let me assure you, if you’re not actually an EU citizen, signing would be a decidedly bad idea. All that would accomplish is pumped numbers that will be disregarded in the end, so it can only serve to hurt the campaign.
I’ve seen the Government in America ignore more than one petition they claimed was tampered with and I wouldn’t want that to be the result here (The EU seems to be more on the up and up than the US government, but still).
Drag picked up Helldivers recently, which uses a KLA. Drag’s had no problems with it. But drag’s dragon also downloaded it, and it completely borked its computer. The voltage regulator chip for the CPU failed, and its computer started crashing on completely different games, even after uninstalling Helldivers.
deleted by creator
Drag uses person-independent pronouns, which are conjugated and inflected the same way in all grammatical persons. When drag uses drag’s pronouns, they’re first person. And to answer your question, drag has a pet dragon. We’re engaged to be married. It’s @HonouraryDragon@lemmy.nz
deleted by creator
Thanks. A lot of people lived through the “singular they” controversy, where conjugation was a big issue, yet they never fully understood the conclusion that conjugation in English depends on the pronoun, not on the inflection. Latin has different rules, of course, but we’re not speaking Latin. A lot of people are still upset about that fact after all these centuries. They’re usually the kind of people who think the Romans were the good guys, and the Goths who spoke a precursor to English were evil. Fun fact: Adolf Hitler hated Gothic script. He called it “Jewish letters”. It’s funny how Germany changed sides over the whole issue. One minute Germany is sacking Rome, and the next they’re the home of the Holy Roman Empire. The whole “Third Reich” thing was an attempt at claiming a lineage descended from Rome. And of course England and the US spent a long time establishing themselves as the inheritors of Rome too. That’s probably why there’s so many old people who want English to be Latin.