this post was submitted on 22 Jul 2024
13 points (93.3% liked)

Asklemmy

43742 readers
1425 users here now

A loosely moderated place to ask open-ended questions

Search asklemmy πŸ”

If your post meets the following criteria, it's welcome here!

  1. Open-ended question
  2. Not offensive: at this point, we do not have the bandwidth to moderate overtly political discussions. Assume best intent and be excellent to each other.
  3. Not regarding using or support for Lemmy: context, see the list of support communities and tools for finding communities below
  4. Not ad nauseam inducing: please make sure it is a question that would be new to most members
  5. An actual topic of discussion

Looking for support?

Looking for a community?

~Icon~ ~by~ ~@Double_[email protected]~

founded 5 years ago
MODERATORS
all 48 comments
sorted by: hot top controversial new old
[–] [email protected] 19 points 3 months ago (1 children)

Yup, kernel level "anti-cheat" is a rootkit spyware that "pinky swears" it's only spying for a good reason.

[–] [email protected] 7 points 3 months ago (1 children)
[–] [email protected] 10 points 3 months ago

I'm far from an expert, but Vanguard is a kernel-level program. If a kernel-level program crashed, the whole system crashes. So yes, any kernel-level program could do the same thing CrowdStrike did, intentionally or not.

Kernel-level programs can do whatever the hell they want.

[–] [email protected] 9 points 3 months ago (2 children)

It is a bit complicated. Any kernel level program that crashes will cause the entire operating system to crash. But it won't cause the system to continuously blue screen because it isn't a required program in the way that crowdstrike was.

Crowdstrike is basically an antivirus program so it has to run when the operating system starts up and if it isn't running then the operating system should not boot for safety reasons. The problem is that if it must be loaded, and it has a crash, then it loads and kills the system. So you get an infinite loop you cannot get out of.

Vanguard only has to run when you're playing online though, so it's not loaded when the system runs, or at least it doesn't have to be. So it won't cause a recurring boot loop. It might fail to load and you wouldn't be able to play online games that require it until they fix it, but it isn't going to prevent the computer from running.

[–] [email protected] 12 points 3 months ago (1 children)

I could be wrong but I think it runs on boot. So it would loop into bsod.

[–] [email protected] 2 points 3 months ago (1 children)

Wait, wasn’t Vanguard coming in form of a driver? I don’t use Windows and don’t play games with intrusive software requirements, but I believe I saw someone installing it and showing how it works on YouTube, and if I don’t misremember it, it was in fact a virtual device driver, not just a fully privileged process.

[–] [email protected] 1 points 3 months ago

Yup, I seem to remember the same thing and I also seem to remember it being loaded at boot. Iirc you can stop it when the system has started and you've logged in but then you have to reboot in order for it to load again so you can plain. But same, I also don't use windows and haven't played leaugh for many many years.

[–] [email protected] 7 points 3 months ago (2 children)

Yes, and I've seen it happening. Usually it doesn't instantly brick every PC, but it can sometimes brick certain PCs with specific configurations. Then it will be silently patched without acknowledgement for the bug.

I've seen it mess with (and crash) graphics and network drivers, rendering PCs useless until forced reboot. It can also mess up other games, processes, and even updates.

People have been warning gamers about kernel level anticheats since they were introduced, because no userland code should run with that level of privileges, period. However, people still installed those games not really understanding the threat, and that's why we have so many games with a kernel anticheat.

[–] [email protected] 3 points 3 months ago* (last edited 3 months ago)

Helldivers 2 fucked my PC up after one of their updates in May. Game literally became unplayable and corrupted my Steam database twice (causing me to have to reinstall Steam both times).

In PVP games, I can sort of understand the players' desire to have a cheat free experience, but in purely PvE coop games, it really feels so pointless and is such overkill. Regardless, there are better ways to accomplish anticheat that don't involve gaining kernel level access. The risk isn't worth it.

[–] [email protected] 1 points 3 months ago (2 children)

Because without the software, we can't play online. Full stop. Valve has tried to find another way without it and VAC2, but they keep winning and Valve gave up (seriously, play CS2, they're everywhere)

[–] [email protected] 1 points 3 months ago

Valve must be doing something right behind the scenes. I haven't encountered a hacker since May and play regularly. To be fair, back then the game was unplayable.

[–] [email protected] 0 points 3 months ago

You don't give your house keys to your home security system provider. Giving kernel access to anything, even if it's for your own good, is dumb. People don't understand the risks that come with it. People just think what the companies tell them to think. As a matter of fact, there are still cheaters in valorant. Vanguard isn't perfect, it can still be bypassed. VAC works fine for what it is, and it could still be refined. It bans more people monthly than Vanguard.

The biggest reason for kernel level anticheats is your sweet sweet data and more control of your computer. You don't need them. We have been playing online games since the 90s, and none used kernel anticheats. It was never necessary to sell your computer to Tencent in order to play a game which, again, still has cheaters.

[–] [email protected] 5 points 3 months ago (1 children)

Pro tip: don't install rootkits.

[–] [email protected] 1 points 3 months ago (1 children)

That unfortunately means, you can't play a lot of games. And for most people it's practically unknowable what the installer is doing, they don't expect a game to nuke their computer.

There needs to be accountability and a certain level of trust. Microsoft shouldn't allow kernel drivers for crap like anti cheat.

[–] [email protected] 1 points 3 months ago (1 children)

Yet another reason to use Linux. You don't have to know weather the installer comes with a root kit, the installer will just fail 😎

[–] [email protected] 1 points 3 months ago

That's... not remotely true? Linux can absolutely install kernel drivers. If you mean running windows games under wine then sure, but then we're no longer talking apples:apples. You could do the same thing on windows by running a game in a VM.

[–] [email protected] 5 points 3 months ago

Yes, works on the same layer.

[–] [email protected] 3 points 3 months ago* (last edited 3 months ago) (1 children)

It's also potentially a infiltration vector for malicious activity.

Genshin impacts anti-cheat has been used to enable ransomware taking over windows computers, and you don't even need to have Genshin installed.

It was a danger to all windows users just by existing, because the ransomware just came with the genshin anti-cheat, which it would install on its own. Because it was a "verified" piece of software windows would just go "oh ok seems cool, go right ahead" and the ransomware would gain complete control of the system through the anti-cheat.

[–] [email protected] 0 points 3 months ago (1 children)

I'm confused. If you don't install the game, how do you end up with the game specific anti cheat software on your system?

[–] [email protected] 1 points 3 months ago

The anti cheat software's code is in a separate file from the game files, which malware can ship themselves.

[–] [email protected] 2 points 3 months ago (1 children)
[–] [email protected] 2 points 3 months ago (1 children)

Yeah really not much else needed to be said here. What happened with Crowdstrike is exactly the sort of exploit Kernel Level Anti-Cheat in general has been critized for enabling on consumer hardware.

[–] [email protected] 2 points 3 months ago

And why most Linux users would rather not play these games than allow that garbage on our PCs.

[–] [email protected] 2 points 3 months ago (1 children)

I'm less worried about bugs causing boot loops with these kernel anti cheats and more worried about security holes.

I'm sure they test these things thoroughly though and take security extremely seriously.... right?

[–] [email protected] 1 points 3 months ago

Look up that one genshin fuck up on the internet. Their kernel anticheat was used by ransomware to completely take control of people's PCs. Best part? You didn't even need to have genshin installed, because the AC was bundled with the ransomware, and Windows would install it as it was "trusted software"

[–] [email protected] 2 points 3 months ago

Yes, the key difference being that nobody’s playing Valorant on airport displays. Just yesterday I installed a new early access game for two accounts at home and discovered that it just wouldn’t work with the non-admin account because of anti-cheat. All of this is making me consider going back to running games under flatpak.

[–] [email protected] 1 points 3 months ago (2 children)

Preface: I'm not an expert in this yet but I'm pretty interested in learning about systems-level topics so if I'm wrong please correct me!

Yes, the thing about anticheats and anti viruses is that they are only useful when they have access to the underlying resources that a virus or cheat engine might try to modify. In other words, if cheating software is going to use kernel-level access to modify the game, then an anticheat would also need kernel-level access to find that software. It very quickly became an arms race to the lowest level of your computer. It's the same with anti viruses.

IMO the better strategy would be to do verification on a server level, but that probably wouldn't be able to catch a lot of cheats like wall hacks or player outlines. At some point you just have to accept that some cheaters are going to get through and you'll have to rely on a user-reporting system to get cheaters because there will always be a way to get past the anticheats and installing a separate rootkit for each game isn't exactly a great idea.

[–] [email protected] 2 points 3 months ago (1 children)

They do do a lot of verification on the server side. Since unreal introduced their server-side-lagged-approval networking model, all local movement and most shooting can be retracted by the server.

But what a ring 0 level driver is looking for is other software, like aimbots, modified assets (transparent walls, custom shaders etc) etc. To be able to detect all that it needs to be level 0.

What I would trust more is if Microsoft acquired one of these companies and worked across the industry to root cheating out. Giving some random company ring 0 access feels completely off to me.

[–] [email protected] 1 points 3 months ago (1 children)

Couldn't aimbots be picked up as odd movement and be detectable on a server though? Kind of similar to how those "not a robot" checks can tell if a human is clicking on the box just by looking at the movements of the cursor.

In addition, things like textures and game-modifications could be picked up in part by things like checksum verification to make sure the client is unmodified (assuming the files are modified on the disk and not in memory)

I feel like most client-side changes like see-through walls or player highlighting make themselves pretty obvious when aggregated over multiple games. A good user-reporting system could probably catch most of these.

I definitely agree though, allowing multiple random companies to install ring 0 rootkits should not be the norm. Honestly, even a Windows-level anticheat would be problematic because it would only worsen the monopoly Microsoft has on competitive games as a platform. A new solution would need to be cross-platform or else it would only be marginally better than what already exists.

[–] [email protected] 3 points 3 months ago* (last edited 3 months ago)

Aimbots dont need to do a lot to provide advantage at the highest level. Moving β€œperfect aim” from 1x1 pixel to 3x3 pixels, but with 33% probability would provide a huge advantage and be undetectable.

Modified assets cannot be verified unless you lock the system down, like an Xbox. On a PC? No way. You can combat it by sitting in ring 0 (which is what anti cheat software does) but you couldn’t just check some checksums.

In terms of aggregating data and spotting something like see-through walls, there isn’t the statistical method to discern between great intution built over years of playing the same map and having see through assets.

I used to work in AAA game development, across most of low level (graphics, networking, memory, assets etc) so unfortunately I know this problem is nigh on impossible to solve unless you have a locked platform.

[–] [email protected] 1 points 3 months ago (1 children)

One Minecraft server I played on installed a program for blocking x-ray hackers (a type of hack that lets you see valuable ores through walls so you know exactly where to mine).

The anti-xray mod worked by reporting to the user that the blocks behind a wall are a jumble of completely random blocks, preventing X-ray from revealing anything meaningful.

This mod resulted in massive lag, because when you are mining, every time you break a block, the server now needs to report that the blocks behind it are now something different. It basically made the game unplayable.

The server removed the mod and switched to having moderators use a different type of x-ray mod to look at the paths people mine in the ground. Those using x-ray hacks would have very suspicious looking mines, digging directly from one vein to another, resulting in erratic caves. Normal mining results in more regular patterns, like long straight lines or grids, where the strat is to reveal all blocks in an area while breaking as few as possible.

Once moderators started banning people with suspicious mining patterns, hacking basically stopped.

It’s possible to still hack and avoid the mods in this kind of system by making your mines deliberately look like legitimate patterns, but then the hacker is at best only slightly more efficient than a non-hacker would be.

[–] [email protected] 1 points 3 months ago

That's kind of my point with hacks like player highlighting, I feel like a good user-reporting system would get us a lot of the way there. E.g. If someone is using see through wall hacks in an FPS I feel like it would be pretty obvious for other players to tell in a lot of cases. Other times things like erratic movements from aimbots could probably be detected by the server.

[–] [email protected] 1 points 3 months ago (2 children)

Helldivers 2 does the same thing. If this continues it will be extremely advisable to move any non-gaming use-cases to a different computer as you have no idea what the "anti-cheat" is doing with that level of authority over your computer.

[–] [email protected] 1 points 3 months ago (1 children)

Or just dont buy those games.

[–] [email protected] 0 points 3 months ago (1 children)

That works until all* games come with root level anti cheat. It was the same with micro transactions which people still defend despite being utter shit.

  • Realistically this will never be 100% but it will be enough of the mass market AAA games like CoD etc to mean that if you functionally want to play a game made in the last X number of years you will need to accept this or stop playing games altogether. I think most people will continue to play games. Most people will continue to install root level anti cheat, knowingly or otherwise, and all of them will get fucked by an exploit of that software. They may never even know about it.
[–] [email protected] 1 points 3 months ago

That's why piracy must continue, pirates cracking can just extend to pulling those pesky anticheats out of the single player games.

[–] [email protected] 0 points 3 months ago (1 children)

I play HD2 under proton. Even if there is a rootkit, it's sandboxed.

[–] [email protected] 1 points 3 months ago (1 children)

Proton is not actually sandboxed the way an actual container is.

A) if the program running in proton was given root access in some way, say by tricking people into entering their root password for a claimed update, it would have complete normal control of your entire system just like normal.

B)apps running in proton still have access to the regular file system.

Wine isn't an emulator or a vm.

[–] [email protected] 1 points 3 months ago

Wait. WINE is not an emulator?! Why didn't anyone try to tell me? πŸ˜‚

[–] [email protected] 0 points 3 months ago* (last edited 3 months ago) (1 children)

Theoretically it should only be running during gameplay, and that's probably true as I'm sure security researchers would've pointed it out if games installed a persistently running rootkit. So it's different than Crowdstrike which was running immediately from boot.

So there is that, if it caused your PC to crash it should be fine after reboot. The driver has God power though as far as your PC goes so if it was the point of entry for a malicious attack you could be really screwed.

Edit: apparently I'm wrong and it runs all the time what the fuck

[–] [email protected] 1 points 3 months ago

Vanguard is always running at all times.

Honestly no idea why it isn't considered malware.

[–] [email protected] 0 points 3 months ago* (last edited 3 months ago) (1 children)

It has comparable access, yes, ~~but assuming no malicious intentions, it's extremely unlikely that they achieve something as catastrophic.~~

~~If they fucked up in a similar fashion, that would cause your PC to bluescreen, too, but since League does not start up during boot, you could still use your PC, just not League.~~

Nope.

[–] [email protected] 1 points 3 months ago (1 children)

Vanguard doesn't care if LoL or valorant or any other game is running. Vanguard is in your kernel and will be starting regardless.

[–] [email protected] 0 points 3 months ago (1 children)

This is correct, as in windows a driver is the most straightforward method to runlevel0 access. It absolutely could at any time do exactly what crowdstrike did. But also so could Nvidia/amd with GPU drivers, your motherboard manufacturer with chipset and RGB drivers, etc. it's not quite the smoking gun people make it out to be, as there are a lot of legitimate reasons to have this kind of system access.

The egregious part was that crowdstrike users agreed to allow a vendor to bypass canary channels and deploy straight to their endpoints.

[–] [email protected] -1 points 3 months ago

Of course it's not a smoking gun. That's the wrong metaphor. It's an extra stick of dynamite that isn't needed, just waiting to explode at the flip of a coin. That there are other sticks of dynamite doesn't negate the risk posed by this one.