Client running code should always be considered compromisable, that’s security 101. Relying on kernel module checks is a terrible practice, and not a fundamental guarantee of safety either.
Good, secure anti-cheat happens serverside. But that’s harder and less broadly applicable, so Epic doesn’t want to bother with it.
Client code isn’t trusted but no matter what the is one set of data you most trust that comes from the client. Input data. So with input data it can be manipulated that another application calculate out a headshot and sends that input. So even only trusting the client where you have to, you’ve failed to secure the game fully because you need to trust input data.
The first rule of network programming: Never trust the client. How does anti-cheat software work? It trusts the client.
All clientside anti-cheat is fundamentally flawed and broken by design. It doesn’t actually prevent cheating it just creates an illusion that it’s preventing cheating. The fewer people that believe in that illusion the better off we’ll all be.
Besides, you can train AI to play any game via MITM in USB (plug the mouse and keyboard into the Raspberry Pi or similar which then pretends to be a mouse and keyboard to the computer playing the game). The simplest method is to just point a camera at the monitor but there’s much lower latency ways where you use some cheap Chinese HDMI decoder/encoders to feed the raw video signal right into the AI.
With methods like that becoming cheaper and easier every day the whole client-side anti-cheat bullshit kinda seems pointless, yeah?
Most people put security cameras in their homes despite them being able to be remotely hacked. Lots of people have an Alexa which could also be seen as letting a stranger in. A lot of people use tools that could be used to compromise their direct use but trust they don’t as for things like anti-cheat being malware. That’s all FUD. There has not been a single large anti-cheat company known to be sending unneeded or personalized user data.
Client running code should always be considered compromisable, that’s security 101. Relying on kernel module checks is a terrible practice, and not a fundamental guarantee of safety either.
Good, secure anti-cheat happens serverside. But that’s harder and less broadly applicable, so Epic doesn’t want to bother with it.
Client code isn’t trusted but no matter what the is one set of data you most trust that comes from the client. Input data. So with input data it can be manipulated that another application calculate out a headshot and sends that input. So even only trusting the client where you have to, you’ve failed to secure the game fully because you need to trust input data.
The first rule of network programming: Never trust the client. How does anti-cheat software work? It trusts the client.
All clientside anti-cheat is fundamentally flawed and broken by design. It doesn’t actually prevent cheating it just creates an illusion that it’s preventing cheating. The fewer people that believe in that illusion the better off we’ll all be.
Besides, you can train AI to play any game via MITM in USB (plug the mouse and keyboard into the Raspberry Pi or similar which then pretends to be a mouse and keyboard to the computer playing the game). The simplest method is to just point a camera at the monitor but there’s much lower latency ways where you use some cheap Chinese HDMI decoder/encoders to feed the raw video signal right into the AI.
With methods like that becoming cheaper and easier every day the whole client-side anti-cheat bullshit kinda seems pointless, yeah?
We’ve already established you have to trust the client to some extent in a typical game.
Also do you lock your front door despite people being able to lockpick it? Most people do because it raises the barrier to entry.
Do I lock my door? Absolutely.
Do I let strangers into my home? As little as possible.
Most people put security cameras in their homes despite them being able to be remotely hacked. Lots of people have an Alexa which could also be seen as letting a stranger in. A lot of people use tools that could be used to compromise their direct use but trust they don’t as for things like anti-cheat being malware. That’s all FUD. There has not been a single large anti-cheat company known to be sending unneeded or personalized user data.