A Message About Vanguard From Our Security and Privacy Teams (riotgames.com)
As a thought experiment, I wonder what happens when the FISA court orders Riot to install a modified version on a suspected terrorist's computer. No need for privilege escalation when you can just ask the user to install it at ring-0.
That's the approach I've been taking for a long time now.
If you don't, you will always a) have your fun ruined by trying to be security-conscious, or b) in the end, most likely give in and allow things you really shouldn't allow on a trusted machine because otherwise you can't achieve your task (getting a game to run).
So I have a game box, try to make sure that nothing important ever touches it (which is a huge PITA when game clients insist on forcing email-based 2FA on you), but in exchange I don't worry too much about its security.
That also fits nicely with games requiring Windows 10 and Windows 10 being so outright privacy- and user-hostile that I can't imagine running it on my primary machine.
They are tiptoeing quite carefully there.
I wonder if a lot of "collect or process" can be blocked by users, but a kernel module actually prevents opt-out attempts and identifies everyone.
And yes, obviously you need to have a dedicated gaming PC and certainly not install any games or any software that isn't strictly necessary on the systems/VMs with important data.
I've also been installing more and more software into ~/bin rather than the more traditional /opt and /usr/local/bin. I think that the trend towards usermode software will take over in the next five years.
What are realistic security issues with ring0 access on personal computer? I bet most interesting stuff on personal computers is easily accessible with normal user privileges that every game client has.
Which is why the current tendency is towards more sandboxing, not less; things like flatpak on Linux, the app stores on Windows and Mac, the heavy sandboxing on phones, and so on. Running an in-kernel component for an application goes against that.
FISA? Try the CCP.
Bold message from a chinese company. People freak out about Huawei but Tencent is 1000% worse. And here they are installing a kernel driver on your PC.
Do you really think that after 100M people install this kernel driver that the Chinese government won't lean on Tencent to gain access, or use it beyond its original purpose?
Do you feel the same way about Microsoft and Apple, and every other company that provides a hardware driver for a modern computer, and whether state governments (USA included) put pressure on them to let them advance their agenda by using back doors in their drivers or software?
Why is Riot special in all this? What, in your view, makes them more likely to be so secretly and so deeply corrupted in the manner you suggest?
Note I'm not asking you if you run MacOS or Windows.
That in itself tells me enough about the efficacy of the system. Security through obscurity is only a hand wave of security. Making the trade off of all the security architecture put in place over the past decades for something that needs to be hidden to remain secure is a really poor value statement.
I understand why they want this in place, it does raise the level of effort on cheating but there are other ways this can be accomplished without compromising a user's security.
A user who installs an anti-virus program wants that program to do its job and find bad actors. The virus, on the other hand, is completely unwanted by both the user and the software; its existence is threatened on all fronts.
However, an anti-cheat lives in an extremely adversarial environment. The cheater (and the cheat) wants the cheat on their computer. As such, the user will be willing to do extra steps to assist the cheat. This makes the anti-cheat software in this case the 'unwanted' virus, so it has to exist in the most hostile of environments and somehow detect programs which have higher privileges than itself.
That said, cheating is something that will not go away. Years and years ago, I developed with a friend of mine a completely undetectable cheat for all games on the HL2 platform. It involved a second computer, which man-in-the-middled all network data to the client computer. This second computer would then display a 'radar' of where enemies were. As the anti-cheat would have no possible way of knowing of the existence of this second computer, there was not much they could do.
If you wanted to get more aggressive with the system above, you could have that second computer modify outbound requests as well. So if you shoot your gun and it would have hit the ground, it will now instead shoot an enemy in the head; as such, even something like an aimbot is entirely possible with this setup.
However, there is indeed an anti-cheat which can detect all known cheats, and it's basically what Valve did/does for CS:GO: allow users to report suspected cheaters and then have the community analyze the reports. This catches all blatant cheats, but unfortunately will never get rid of radar/ESP cheaters, only aimbots and the like.
Honestly, it sounds to me like there is a business model in the above. Years ago we had companies like Even Balance/PunkBuster, Easy Anti-Cheat, etc., which provided software-based anti-cheat systems. As you would expect, most would be bypassed and a daily cat-and-mouse game would ensue. The solution, IMO, is to create a SaaS where you essentially provide a reporting + monitoring tool. Users of your game can report suspected cheaters (which includes the demo file / VOD / replay / whatever) and your trained wetware staff would review all reports and take action where necessary. No invasive software necessary. Actually, no software on the end user's computer at all would be necessary; it is all done on another user's PC.
In fact, if someone is interested in doing the above, hit me up. Sounds like an easy win.
If Valve can mitigate hacking in CSGO without such an intrusive service, I am sure Riot can. I, myself, did a very, very, very poor job with an autoencoder to detect anomalous matches in Dota and caught a large amount of players abusing the system. As far as I know, CSGO anti cheat does involve an ML component.
My point is that a non-intrusive anti cheat, advanced analytics, and tracking of user feedback goes a long way.
Ofc, none of this matters. If the playerbase actually cared, they'd boycott or stay away. And I cannot remember the last time gamers ran a successful boycott campaign.
edit: Also read that uninstalling the game will not always uninstall the ring 0 anti cheat. I can't verify since I would never install this on my system, but for what it is worth: That is terrible IF true.
Serious players pay extra to queue up in a dedicated service for high tickrate servers and anti-cheats which I believe are rootkits as well.. not sure about any of this though.
Since they changed their launcher system a few months ago, it's been unusual to have to wait more than ~2 minutes for a new patch.
If you're like me and only played occasionally the updates would build up and take very long.
Most anti-cheats also scan all processes' memory and even files to detect known cheat signatures. They tend to run with high privileges and some take in-game screenshots for analysis. Basically they have permissions to do anything and receive silent updates.
I wonder if statistical methods to detect cheaters result in too many false positives.
I was surprised hearing this. It seems like what they actually did was if VAC already found something, it checked the hashes of the contents of the DNS cache against a list as a second check. That's quite a bit different from "intercepting DNS queries".
Overall VAC always made a reasonable impression on me as far as privacy and security are concerned (no SYSTEM services, no kernel driver, no screenshots, no scanning and uploading random files etc.), although this non-intrusive approach naturally limits the kinds of cheats it is able to discover. I feel like the approach taken by Valve is, on the whole, well balanced.
Source: https://www.pcgameshardware.de/Steam-Software-69900/Specials...
In this case, make the cartridge a bootable SSD which entirely avoids touching any other disk in the system (perhaps with the exception of an SD card or USB storage stick for saves.)
The downsides include:
- the game company now has to ship a complete OS and do hardware support. They nearly have to do that anyway, so whatever.
- you'll need to reboot your computer for each game.
The upsides, I think, are obvious.
There are outstanding issues to resolve there, like input lag and visual fidelity, but it certainly removes the ability to cheat at the system level by hooking into game processes and memory.
Aimbots would still be theoretically possible through MITM video feed analysis (as has been speculated) but that would also work in your cartridge scenario.
This anti-cheat software is for their new game Valorant, which is a Counter-Strike-like shooter.
Reading through this, it seems the game development world is doing the exact opposite and pushing all the "security" measures to the client. Is that incorrect? If it's correct, does anybody have any idea why?
I’m not saying what valorant has done here is right, there are other things you can do. But you’re oversimplifying the problem.
Plus, there seems to be a lot of focus on client-side anti-cheat when a lot of it could be addressed server-side:
> For example an aimbot that steadies your cursor on someone’s head or dodges automatically when a projectile is inbound.
This sounds like a similar problem to "like" fraud and things like that. Couldn't it be addressed by measuring the number of incidents? If someone is able to headshot or dodge at an abnormal/superhuman level, that can be detected server-side and the user banned (or flagged for human review).
> Maybe the client hijacks the UI to hide terrain and walls.
Someone mentioned a solution for this elsewhere in the thread: don't send positions of important resources to the client if it doesn't need them. Keep the client about as blind as the player.
And again, you should be able to detect this server-side. If somebody has an abnormally high kill-rate for enemies coming around a corner, flag them for review.
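The server-side statistical flagging described in the comment above, as an added example that is not code from the original thread or from Riot or Valve. It aggregates per-player aim statistics that a server already knows (shots, hits, headshots, and the median time between an enemy entering the player's view and the first shot at them), scores each player against the population with a robust (median/MAD) z-score so that the cheaters themselves do not inflate the baseline, skips players with too few rounds, and only flags for human review rather than banning. All player rows, thresholds and metric names are constructed for illustration.

```python
import statistics
from dataclasses import dataclass

# Constructed sample: one aggregated record per player for a play session.
# reaction_ms is the median server-observed delay between an enemy becoming
# visible to the player and the player's first shot at that enemy.
SAMPLE = [
    # name,     shots, hits, headshots, reaction_ms, rounds
    ("alice",   420,   131,  22,        312,         38),
    ("bob",     510,   148,  19,        287,         41),
    ("carol",   380,   109,  14,        341,         35),
    ("dave",    455,   140,  25,        298,         40),
    ("erin",    470,   136,  21,        305,         39),
    ("frank",   390,   115,  17,        329,         36),
    ("grace",   440,   142,  23,        291,         40),
    ("mallory", 400,   245,  118,       94,          37),   # superhuman numbers
    ("newbie",  25,    19,   12,        80,          2),    # too little data
]

MIN_ROUNDS = 10          # hypothetical: never score a player on a handful of rounds
FLAG_THRESHOLD = 6.0     # hypothetical: summed robust z-score that triggers review


@dataclass
class PlayerStats:
    name: str
    accuracy: float
    headshot_rate: float
    reaction_ms: float
    rounds: int


def build_stats(rows):
    """Turn raw counters into the per-player rates we compare."""
    return [
        PlayerStats(name, hits / shots, hs / max(hits, 1), react, rounds)
        for name, shots, hits, hs, react, rounds in rows
    ]


def robust_z(values, x):
    """z-score using median and MAD; 1.4826 scales MAD to a normal sigma."""
    med = statistics.median(values)
    mad = statistics.median(abs(v - med) for v in values) or 1e-9
    return (x - med) / (1.4826 * mad)


def score_players(stats):
    """Sum the 'too good' direction of each metric; below-median play scores 0."""
    eligible = [s for s in stats if s.rounds >= MIN_ROUNDS]
    acc = [s.accuracy for s in eligible]
    hsr = [s.headshot_rate for s in eligible]
    rt = [s.reaction_ms for s in eligible]
    scores = {}
    for s in eligible:
        scores[s.name] = (
            max(robust_z(acc, s.accuracy), 0.0)
            + max(robust_z(hsr, s.headshot_rate), 0.0)
            + max(-robust_z(rt, s.reaction_ms), 0.0)   # faster than the pack
        )
    return scores


def flag_for_review(rows):
    """Names to hand to a human reviewer; nobody is banned automatically."""
    scores = score_players(build_stats(rows))
    return sorted(name for name, z in scores.items() if z > FLAG_THRESHOLD)


if __name__ == "__main__":
    for name, z in sorted(score_players(build_stats(SAMPLE)).items()):
        print(f"{name:8s} score={z:6.2f}")
    print("flag for review:", flag_for_review(SAMPLE))
```

The minimum-rounds gate and the review-only output are where the false-positive concern raised later in the thread lives: a player with two rounds and a lucky streak is simply not scored, and an outlier still gets a human looking at the replay before anything happens to the account.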
At that point, just make your own game, or easier yet, play another one.
> It involved a second computer, which man-in-the-middled all network data to the client computer.
Out of interest, was there no transport level encryption to deal with here? Or did you need to do something special to capture keys on the client?
Before CSGO moved to Steam Networking, the game itself encrypted the packets. I can't remember exactly when this was introduced, but it's still in place - see https://github.com/alliedmodders/hl2sdk/blob/acf932ae06b64b7...
[0] https://partner.steamgames.com/doc/features/multiplayer/netw...
As an example, for CSGO in the past, the server always sent all player positions from anywhere, so it was possible to create cheats to draw players anywhere in the map. They changed the way it's done, coordinates are only sent when other players are nearly visible, although distant, or close by. This limited the way that wallhacks work, it's not possible to see where players are from far away :)
What needs to be done is to reverse engineer the communication protocol. If encryption is used, some kind of decryption key has to be somewhere in your game client. Then you can convert 3D coordinates to 2D and even draw a radar on your smartphone if you make an app.
I don't think it's a viable model because players are willing to do it for free, as CS:GO's Overwatch shows.
'Not invented here' is a blessing and a curse.
https://www.youtube.com/watch?v=ATkpqYmWt8k&feature=youtu.be
CS:GO has a lot more hackers than games with more intrusive anticheats like Overwatch in my experience. Only solution is an invasive anticheat, machine learning, and trust factor systems.
Now it uses ICE, a 64-bit block cipher from the DES era. The key is obtained from the Steam servers over the normal Steam encrypted channel.
All the stuff mentioned like not sending positions of people who aren’t visible are typically already done, but sometimes the position is needed for reasons you don’t understand. Like some gameplay ability to suddenly see through walls, etc.
This thread just has a lot of backseat programming.
I think I would find your post a little less irksome if you approached it from a neutral questioning tone as opposed to “what about these obvious things every junior engineer learns” :/
The problem is that I don't know what I don't know, so I can't directly ask it. The best thing I can do is to present the flawed results of my current understanding so that somebody more knowledgeable (such as yourself) can tear them apart and show me what it is that I'm missing.
> False positives are generally to be avoided
This sounds like the biggest difference to me. Generally in my limited experience in handling abuse on web platforms, the value of a single user is so low that a false positive doesn't really matter too much.
I suppose when it comes to games, each user represents a ~$60 investment and potentially a lot of time and emotional investment, so a false positive can't be so easily tolerated and there's an incentive to go to extreme ends (like intense client-side validation) that wouldn't make sense for say Twitter likes.
I know nothing about game engines, but I have always wondered why is that the case. The server could compute visibility and only send the opponent position if there is a chance the player might see it. Computing visibility server side is not cheap, but it would still be significantly cheaper than fully rendering a scene, right?
https://technology.riotgames.com/news/demolishing-wallhacks-...
Cheater effort and quantity scales roughly with game revenue and popularity. So the first tier of games, the most popular and long-term ones, like League of Legends, CS:GO, Overwatch, maybe Valorant, Apex Legends, Fortnite, can afford machine learning. The next tier down can afford to implement community review programs, where players earn in-game rewards and the satisfaction of improving game experience.
Also, that's not to say you can't have a second and third tier of support to escalate your case to if you think you were wrongly banned, which wouldn't go to the grunts.
Trying to review a replay to determine if a player is using wallhacks? This would take intimate knowledge of every game the SaaS reviews.
Maybe this can work out and I'll be like the one 2007 HN comment about Dropbox, but it takes an average of maybe 5-10 minutes per case to review if you're not being super thorough. It could be an open platform where players can sign up, but at that point I think game developers would just implement it in-house. The harder part of this technically is the replay functionality in the first place, which they'd have to do anyway.
They try their best to isolate cheaters with a "trust factor" system but the reality is, unless you pay an external service with their own anti-cheat software (that's probably as bad as Valorant's) you will get a high amount of cheaters.
Given they have zero transparency on the trust factor system, I could have a lower factor than you (I definitely rage too much), so because of it I see them more often. But there's no way to know if I'm in the cheater bubble, or you're in the no-cheater bubble.
I don't agree with that.
It's clear the US has backdoors. That doesn't mean it's wise to invite China to add backdoors as well.
I just find it tedious and irrational to see people up in arms about this contrived and unlikely scenario (a video game company is going to spy on you - a random nobody - for a big bad foreign power), while not being up in arms about the much bigger and more likely vectors of compromise they are exposed to constantly (like your operating system or cell phone).
But of course protecting yourself from those possibilities would require real sacrifice and inconvenience, so let's not talk about it.
1. "Nobody playing this game is important enough to be spied upon."
It might surprise you to learn that some people in the military, congress, the DoD, and even important individuals in significant companies play video games.
2. "Some vulnerabilities exist, therefore any new vulnerabilities should be ignored or not discussed."
All vulnerabilities should be considered, especially new ones that will affect 10s or 100s of millions of people. That's why we're discussing it. Since you find it tedious, you're free not to participate.
But if we're talking about plausibility, then it's much more likely that your underlying operating system, regardless of vendor - Microsoft and Apple are the major players - has been compromised in some manner, or contains the hooks for on-demand compromise if compelled by a state actor.
See https://en.pkulaw.cn/display.aspx?cgid=313975&lib=law
A US agency may put pressure on a US company, but the company would be perfectly within its rights to refuse to comply. The only exceptions are well documented and go through the judiciary which is separate from the executive branch of government.
A Chinese company has by law no choice but to comply.
I don't consider myself a tin-foil-hat wearing type, but even I don't believe that our (western/NATO/5-Eyes etc) governments don't have their own secret powers they can use to compel businesses to comply with information gathering requests without divulging that they did so.
Also, I did this around 3-4 years ago. It works, but once you have it set up it's basically the same as if you had two computers on your desk with a KVM switch in software. It also has a tendency to be unstable as all sin, and some IOMMU-isolated hardware may misbehave when assigned to a virtual machine.
It's much simpler to just have a second PC/laptop or dual-boot (less secure).
Maybe a viable option is to hot swap your drives, and use something with firmware you can sign personally and verify on boot.
IOMMU also grants the guest hardware access to the CPU, although it does have to be shared between the host and guests.
There shouldn't be any risks to that if your main OS is encrypted and the keys are sealed by a TPM.
It's a hassle, mostly because you need to detach the GPU from the Linux host before passing it through, which means you need a second GPU to drive the Linux host (an integrated GPU is fine).
Then there's a bunch of config regarding IOMMU groups and other shit to make sure it picks it up fine, and when it finally does you get 90-95% of the performance for average FPS and then 60-70% min-fps (spikes are way worse).
Also, it helps to use a recent AMD card and the in-tree amdgpu driver instead of the out-of-tree nvidia driver.
Overall, you trade software problems for hardware problems (UEFI firmware versions can break the setup), but if you get it working it works great.
> It might surprise you to learn that some people in the military, congress, the DoD, and even important individuals in significant companies play video games.
Anyone in this scenario who is using the same computer to run any untrusted software (like all games) as they are using for their national security work is already compromising themselves.
> "Some vulnerabilities exist, therefore any new vulnerabilities should be ignored or not discussed."
This would be a more productive conversation if you addressed my points at face value, and made your own without twisting my words into whatever convenient position you want to argue against. That's the part I find tedious.
Everything is degrees.. you seem to only be willing to consider extremes.
Of course if you work in a sensitive position or are a likely target of foreign spying, you should take many more precautions. But that's not most people, in fact that's almost no one, statistically speaking. So if we're going to discuss likely compromise scenarios, the risk-reward on using a high-profile video game company as a vehicle for APT state-level actions starts to fall into "movie plot" territory, in my opinion.
And I never said that new vulnerabilities should be ignored or not discussed. Again, possible <> plausible.
In fact, you are basically contradicting yourself at this point because I first brought up way more plausible vulnerability scenarios (your underlying operating system being compromised) and you dismissed that in favour of some narrow and much more implausible scenario (a US-based video game company as a deep-state plant for a foreign government).
Keep moving those goal posts..