What an interesting day when you see a site you've worked on for the past 2 (3?) years get posted to HN! Except I tried submitting this site years ago when I had just finished it, but it did not seem like HN was that interested at the time, and I don't blame them. It was very niche and video game related, and the site also looked a lot worse. It's come a long way to the point where there where I collaborated with someone else to do a redesign, which I think has done great for the project at large.
I originally created the site as a way to track which games would be supported on Linux, since at the time the Steam Deck was releasing, and some games were turning to support it. And it has since blossomed into a larger project, which some other tools even pull from! I would have never even imagined that when I first started making this.
I do want to address something I see being talked about in the comments, which is the fact people say that anti-cheats are snake oil, or useless. This is a big misunderstanding, and I feel like those more technically inclined should understand that anti-cheat is a "defense-in-depth" type of approach. Where it is just one of many lines of defense. Some anti-cheats are pretty useless, and don't do much, but some actually do try and protect the game you're playing. But, just like DRM, it can be cracked, and that's why it's more of a constant arms race, rather than a one and done thing.
I'm writing out a longer post about this for the future, but just know that without anti-cheat clientside, it would be far too easy for an attacker to cheat in these games. We're still ways out from letting AI (see VACnet [1] and and Anybrain [2]) determine if someone is cheating server-side, so for now we have to rely on heavier client-side techniques and server-side decision making.
Also if anyone has questions about the site (or for me), I'll try to answer them here when I see them. If not, have a nice day!
I disagree with the onclient kernel stuff. Just like with any website, any checking MUST be server side. Kernel stuff not only makes clients inherently less secure and stable, but also for cheat coders it's only a matter of finding vulnerable driver they can use to avoid being caught.
Empirically, it works. Look at Vanguard as an example. There's obviously a privacy tradeoff, but a lot of people would rather avoid cheaters than maintain tight control of their computers. It would be great if anticheat could all be serverside, but I'd love to hear a proposal for how to prevent aimhacking with serverside anticheat alone.
> There's obviously a privacy tradeoff, but a lot of people would rather avoid cheaters than maintain tight control of their computers.
I don’t agree. Instead, a lot of people allow the install because they have no say in the matter if they wish to continue playing the game. Even if it weren’t effective, I’m pretty sure most people would allow the installation of some form of not-yet-proven-to-be-dangerous malware if the alternative is cutting ties and accepting the sunk cost (be it in terms of in-game purchases, proprietary file format, etc).
Vanguard is good example of blocking even honest customers from playing. You basically need clean install of windows, clean drivers, no third party apps and modern hardware to even launch the game.
>This is a big misunderstanding, and I feel like those more technically inclined should understand that anti-cheat is a "defense-in-depth" type of approach. Where it is just one of many lines of defense. Some anti-cheats are pretty useless, and don't do much, but some actually do try and protect the game you're playing.
As a serious player of many multiplayer games I disagree. All it takes is one cheat to circumvent the protections and soon enough every cheater will use that circumvention.
Meanwhile, I, the legitimate player suffer from degraded performance, disconnections (looking at you Amazon Games - you've not been able to fix your (most likely) Easy Anticheat disconnection issue in 2 years!), or outright inability to play.
Perhaps the cheating situation would be worse without anticheats, but considering how rampant it seems to be in fast-paced or grindy games I play, I kind of doubt it.
Anti cheat is DRM. It's added specifically to make it so modifications are DRM circumvention and therefore copyright infringement. This isnt to protect the player, but forced by big suit investors to "protect their investment".
The best anti cheat is proper net code. Games rarely do this because it's expensive and difficult. Consumers will buy it anyways.
Anti cheat overtop is like calling an open window with a loud Weiner dog guarding it "defense in depth".
I don't think the point is to argue anti-cheat isn't effective, the point is to draw a line in the sand and say, this is where it stops.
Take the analogy of enabling better police work by granting unlimited access to our private communications. No one doubts it would be effective, but the cost and the threat is too much.
This is the line we draw in the sand: get out of the kernel, anti-cheat has no business being there. The cost and threat are too great.
This acceptance is the same situation that brought us the Crowdstrike incident. It's unacceptable.
We fail as an industry and as a society when we accept these compromises.
Putting a government monitored streaming video camera in every bedroom and bathroom in the country to detect sexual assault would also be "defense in depth". But it would be a terrible thing to do, both because it's easily evaded (do your rape someplace else) and because of the intrusion. Any kind of defense in depth argument has to consider how easily bypassed the defense is and the cost it comes at.
Believe it or not, most people don't play video games against strangers. Anti-cheat is not of any value to them. Even for people who do play video games against strangers even uncompromised anti-cheat doesn't stop many forms of cheating like macro-mouses. Especially now with all the success being shown at machine learning playing video games with nothing more than a video feed and the button inputs, the amount that anti-cheat can help is clearly quite bounded and getting worse over time.
And the cost? Anti-cheat comes at the cost of general purpose computing, at the cost of being able to control the computers with which you trust your most intimate secrets. It's a civil liberties nightmare, or at least a per-requisite technology for many such nightmares. Opposition to anti-cheat is opposition to RMS's Right to read dystopia (https://www.gnu.org/philosophy/right-to-read.en.html).
I don't think it's too far a leap that saying that anti-cheat or DRM technology that comes at the expense of the availability of general purpose computing is more of a problem for human rights than the farcical bedroom cameras I started with.
So when you advocate anti-cheating technology that locks users out of controlling their own computers, you're favoring an at-best incremental improvement which can still be evaded for a narrow application that most people don't care about... and this comes at the expense of imperiling the human rights of others.
Like with many things there is an asymmetry to the costs: Anti-cheat and DRM substantially fail if even a moderate amount of dedicated people still have a way to cheat. Yet the damage to people's freedom from the loss of general purpose computing is still substantial even when the lockdowns can be evaded.
If anti-cheat came at no meaningful cost the fact that it could be evaded wouldn't be a meaningful argument against it. But it's expensive to develop, intrusive, disruptive, and the more successful it is the more effective it'll be at being abused to deny people control of their computers in anti-social ways.
Could I persuade you to reconsider going over them? I'm not expecting an essay or anything but it would be interesting.
One thing that comes to mind for me is that most cheaters probably don't code the cheats themselves but buy them off telegram channels or whatever (just a guess), and probably wouldn't want to install a whole operating system for them
Cheating is a market, and most cheaters are not programmers themselves. But it goes deeper than that. Most players, and players who intend to cheat are already using Windows. Any portion of a game's player base that intends to cheat is usually small, any the portion of a game's player base that is also running Linux at the same time, is even smaller. So programming cheats for Linux (however easy it may be), is a nil-some game. Though I'm not going to claim it's never happen, there are cheats for CS2 on Linux for example, but this is an outlier and exception to the rule.
> Could I persuade you to reconsider going over them? I'm not expecting an essay or anything but it would be interesting.
Sorry, I didn't say that because I was trying to withhold this information, I just didn't want to spoil my future blog post. If you don't want to wait for the post and just want to hear it, I'm down to just giving a overview of the reasonings.
As Starz0r said, one of the main reasons is that the market is just very small. I think it was CSGO that had basically no protection on Linux for years, and the developers just ignored it because the small number of players didn't make much of an impact.
Another point I would bring up with the "community server" argument is that the argument is almost always volunteering others to be the admins because no one wants a 2nd job of moderating games. It's like any other internet forum moderator position, not usually taken because someone wants to, but because it's a necessity (or someone wants power).
That's why even community server owners want additional anti-cheat rather than spending their own time doing it. All those CS ones are examples too, running on community servers. I also remember back in the day community server ICCUP for Starcraft Brood War had their own anti-hack.
There's also the shift of games to the mainstream; more casual players who do not want to be mods. As well as the shift from 16v16 matches to smaller 5v5 matches, making more outliers to check.
There are DMA (direct memory access) cheats, and that's discussed in the article (under the section "Hardware cheats make this all moot, no?").
Not sure about KVM-like hardware cheats, specifically. You could obviously use an AI to simulate mouse movements, but I don't think that's particularly common.
DMA cheats are not detected. What happened is thousands of cheaters all bought firmware from the same guy, and Riot was able to determine via stats that this group of people with the same obscure "network card" had outlier stats, and they banned them all. DMA is by definition not detectable, but human idiocy is.
I imagine that having to buy special hardware means fewer people will do it, the types of dongles used for this are likely detectable in some way by kernel-level anticheat, and computer vision based cheats probably work better when you can inject contrasting color textures into the game.
I don’t think any system will stop someone truly dedicated, but the general idea is that each thing that adds a little more friction to cheating makes it less likely that the average player will encounter a cheater.
People buy dma cards and displayport/hdmi mergers to avoid hack detection. Another pc reads memory of your gaming machine through the dma card that creates your ESP overlay and then dp/hdmi is merged through a box. The dma card runs custom firmware that pretends to be some benign peripheral like an usb or soundcard.
There's also hardware aimbot/triggerbot that reads your video output then sends input to a device connected to your mouse.
Its not what your everyday cheater has in free to play games like cs or cod but there are games where it matters more if you're banned, and when cheat subscriptions can be $100-200 a month the hardware cost isn't much.
DMA cheats are not detected. What happened is thousands of cheaters all bought firmware from the same guy, and Riot was able to determine via stats that this group of people with the same obscure "network card" had outlier stats, and they banned them all. DMA is by definition not detectable, but human idiocy is.
If you just go and buy a card and use the normal firmware you're gonna get banned. Cheat creators make custom firmware to avoid that. It might be that Faceit is small enough to investigate cheaters thoroughly to get most of them, and with their reputation it might discourage most to even try. But I don't think that scales enough for big games unless you have Riot money.
Trying to force ever more restrictive and intrusive controls upon players won't solve cheating. The only way to "solve" cheating is with https://xkcd.com/810/. Use statistical analysis and server-side controls (fog of war, lockstep calculations) to force cheaters to play indistinguishable from top human players. If you can't tell the difference, does it even matter?
> the types of dongles used for this are likely detectable in some way by kernel-level anticheat, and computer vision based cheats probably work better when you can inject contrasting color textures into the game
If you've ever worked in broadcast or volunteered for conference, lecture or house of worship broadcasting, you'll know there's an entire industry of cheap undetectable HDCP-removing HDMI splitters and capture cards. It's an open secret that conference AV relies on shitty $10 chinese HDMI splitters to make HDCP "work".
Similarly, there's a countless number of devices that can present themselves as any other USB device. You can MitM e.g. a keyboard or controller and inject packets that are impossible to distinguish from the users' own inputs.
Some consoles only allow wireless controllers with encrypted protocols, but that can be circumvented too. Replacing the joysticks in controllers with hall-effect ones is a common mod. It's possible to attach another chip inbetween at this point to inject custom inputs.
You can use these injected inputs to e.g. compensate for recoil. But you can also run a simple classifier on the HDMI video to identify objects and players.
Now sure, an anti-cheat could use statistical analysis to measure how quickly a player reacts, which would allow detecting such cheats. At this point it won't matter whether you're using kernel, userland or server-side anticheat though, as they've all got the same information available to them.
> Trying to force ever more restrictive and intrusive controls upon players won't solve cheating.
I think it's not about "solving" cheating, so much as making it sufficiently annoying to maintain working cheats that fewer people try. Just as in cybersecurity, no individual security measure will "solve" hacking, but in concert they reduce the impact by making it more difficult: the "Swiss Cheese Method" / defense-in-depth.
Reading through game cheating boards, it seems many hardware devices have been detected over time. It's an arms race. Here's a discussion of how anticheat started to detect people using HID-emulating devices by forcing a disconnection event: https://www.unknowncheats.me/forum/valorant/615373-vanguard-...
> Reading through game cheating boards, it seems many hardware devices have been detected over time. It's an arms race. Here's a discussion of how anticheat started to detect people using HID-emulating devices by forcing a disconnection event
That's a hack which only works for some devices in some specific state. At that point you're playing whack-a-mole, and you'll always lose.
> I think it's not about "solving" cheating, so much as making it sufficiently annoying to maintain working cheats that fewer people try
Annoying? I don't think you understand the hacker mentality. Breaking anticheat or DRM tickles the same nerv as CTFs or puzzle games. What you consider "annoying" is an activity others do for fun.
It's fun to break a system that's intentionally trying to keep you out. That's why I reverse engineer proprietary, obfuscated file formats and protocols. Whether that's brother plotters, blackmagic's input devices (which also function as license dongles), apple video codecs (actually still WIP) or my landlord's wireless water meter so I can add homeassistant support for it.
When kernel-level anticheat became a thing, I actually built a custom hardware aimbot out of an HDMI capture card and a custom Sandisk wireless clone that I was working on at the time. I've only used it once or twice, as I'm not a competitive gamer and don't actually have any use for it. The entire fun was in breaking the system.
> At that point you're playing whack-a-mole, and you'll always lose.
That's just sort of fundamental to society at some level though, we play whack a mole with all sorts of misbehavior until we reach some sort of acceptable equilibrium.
I totally get the hacker mentality, I have a fully disassembled HP printer under my desk with some bullshit DRM that I've been desperate to break for some time, but I think your last line is really the key: breaking the system is fun for a small portion of people who are able to do it, but it's their users/customers who will be annoyed when their accounts keep getting banned and they need to buy new hardware.
> fully disassembled HP printer under my desk with some bullshit DRM that I've been desperate to break for some time
With my brother printers it turned out I could just remove the chips from the genuine toner cartridges, reset the counters, and hot glue them to the refurbished toner. Maybe that works for HP ink as well?
This printer will simply refuse to print without an always-on connection to their cloud, it's diabolical. Thought I might be able to get root via its crappy web interface but no luck, and it seems to use properly implemented TLS when talking with the verification server, so I've taken it apart to poke at some interesting looking points on the PCB.
People buy all kinds of stuff online, why not this device? Unless the game uses HDCP the hdmi rip is not possible to detect. And the usb controller could even forward the properties of the connected device. These devices exist as we speak
I think just purely off of the additional effort—a cheat that requires a second PC and specialized hardware is simply going to have fewer users than something you can download and run. Some portion of people won't care enough or will have some sort of other issue with the hardware setup. I think generally these things aren't about making it impossible so much as reducing the frequency.
Glad that method works out for you. Fortunately for the rest of the world, technology has progressed far enough that Password Storage is a solved problem.
I think it's very typical to think of HN users to think of the average person as tech-savvy enough to do what you're doing, but they aren't. People are fallible, people forget things, people lose things. Some people would rather entrust a reputable service to handle the very menial task of managing their passwords for them, rather than go through the hassle of doing it themselves.
Not only do these services provide better convenience, they make you more secure! Many people reuse the same password, so when a site gets "owned", any site using that same password is now compromised as well. Some of these services will even automatically tell you when a site gets "owned" and offer to change that password for you retroactively.
Now, if you want to go ahead and use a local only method, be my guest. But please, don't ever suggest to anyone else that they should do the same, that's just bad security advice! By the way, getting hacked in the password manager does not mean all your passwords leaked. It just means some extra metadata about you may get discovered, which I'd argue is a reasonable trade-off.
There is no universe in which having a local encrypted key vault that is not online and not synced to the cloud is less secure than having a cloud synched version of the same thing.
There is literally no way that can possibly be less secure.
So if your argument is that the convenience of it makes it more secure … I dont know to say except:
you’re wrong.
> Not only do these services provide better convenience, they make you more secure!
Nope.
> By the way, getting hacked in the password manager does not mean all your passwords leaked.
Nope. That’s not what it means. It means your encrypted vault was leaked, which includes your passwords, if they bother to crack it.
> which I'd argue is a reasonable trade-off.
Well, at least it’s fair to say you saved that as an opinion; fair. Other people probably agree that the security risk of using an online password vault is worth the convenience of using it.
Fair.
…but, fundamentally less secure.
Anyone who chooses to manage their own passwords, offline, is choosing a more secure, less convenient alternative.
I think that’s fair too; and, given number of hacks to lastpass, okta, etc… not, perhaps, terrible advice.
You could get robbed of your physical key. simpler than an actual burglar. however they could not even do an autopsy of your brain to recover your cloud keys.
I don't feel too strongly about this, just replying since you were being an absolutist.
If they can rob you they can also use the 5$ wrench attack to force you to give up your cloud password manager master password. So even in that case having a local vault is at least as secure as a cloud vault.
>I think it's very typical to think of HN users to think of the average person as tech-savvy enough to do what you're doing, but they aren't. People are fallible, people forget things, people lose things.
this should be taught in schools if that is your concern. what i am doing with the "manual sync" for files is because i have 2 machines i want to get my passwords. there is a HUGE population who only have a phone. for them, keepassdroid or some other keepass app is the only thing that they should ever need or use. i know because i have set up the files for my family members, they only have their phones at hand and the file has served them well for years without any problem.
now they "whatsapp or email" the file to themselves or to me if they have to change their phone and get it back in a matter of minutes. this is not as big of a deal that you need to have online tied system and be a techie otherwise
If I only had a phone, I would definitely want live sync, so I had a chance of recovery if my phone was gone. Keepass isn't even something I'd consider.
I'm not sure what you're referring to that should be taught in schools. The problem of forgetting things is often "human error" not "pilot error", a random packet loss of the mind rather than lack of skill.
There's strategies to mitigate it, like always leaving the house with the same set of items and never changing it up, and avoiding situations where you rely on memory, but live sync is going to prevent a lot of mistakes.
The threat model of storing passwords in an encrypted file with live sync is gonna be smaller than only keeping it in one device. Yeah you are at more risk of getting pwnd but at almost no risk of losing your passwords. Your phone dies and you lose everything. And if you send your passfile through a convenient service like whatsapp or telegram you risk your data also getting leaked through them without the benefit of live sync.
But doing password saving and live sync through a third party service it's pretty crazy to me. Why not split the threat? One program to store your passwords and one service to sync them. I use keepass2android and keepassxc with my own file sync server as sync method. If you don't want your own server you can use a multitude of third party ones.
What should be taught in school is to store your passwords in a secure way just like any other important real life skills like doing your taxes, basic eating and physical health, etc.
The trouble is losing a phone is probably just as common or more common than getting hacked, and keepass sync is purely manual.
I suspect the most secure way to store passwords is in your Google account, because they have a far higher budget than almost anyone else. They will spy on you, but they also keep random hackers out.
I use BitWarden (with gmail as the 2FA) instead because I wanted the ability to try different browsers, and I like being able to store other bits of critical info in my vault.
You generally can't get hacked on anything important unless you already lost your phone, even if they have your password, because of 2FA.
You also don't lose your account if you lose your phone if you use SMS 2FA like most people do even though it's not perfectly secure, because your cell carrier can recover your number.
How? I'll debate FSF ethics as much as the next guy, but they clearly state they want end user freedoms such as the freedom to modify the application you use. Apple clearly doesn't want that if you use specific GPL versions.
Love how people are claiming they are going to close down Windows for gaming back in the GFWL days and it never happened.
Now we have the Microsoft Store, whille substantially better, Windows hasn't even attempted to close down the system and yet again everyone is claiming they will. They aren't, and they won't, the Microsoft Store still hasn't urserped Azure or regular Windows keys in sales or profit. So why would any company close off their system potentially losing more sales on Windows keys, it just makes no sense.
It's certainly something they might do. It wouldn't be totally out of character for MS. But there's no evidence that they're "trying to push their own store and close down Windows gaming for themselves".
I get that Electron is undesirable, but what do you mean by unsecure? Also, can you list some alternatives if you don't want them building a desktop app in Electron?
I remember having this same issue trying to do the same thing! Although my setup is different, the base problem was the same. Tried to reimage from Ubuntu to Debian only to realize their hypervisors are not setup to handle this as it came with all the same issues you mentioned.
You are in luck, Valve has SteamCMD[1] for users just like yourself! It is a command line version of the Steam client and can do most of what you need like downloading, updating, even verifying game integrity from the command line! I only wish it was open source, maybe someone can reverse engineer it?
Playnite [1]. Open source, lightning fast, and light on resources. You can even combine different platforms such as Steam + Battle.net. Saves you running each of these. Though you lose things like downloads and social. Heck, it even has support for emulators.
I originally created the site as a way to track which games would be supported on Linux, since at the time the Steam Deck was releasing, and some games were turning to support it. And it has since blossomed into a larger project, which some other tools even pull from! I would have never even imagined that when I first started making this.
I do want to address something I see being talked about in the comments, which is the fact people say that anti-cheats are snake oil, or useless. This is a big misunderstanding, and I feel like those more technically inclined should understand that anti-cheat is a "defense-in-depth" type of approach. Where it is just one of many lines of defense. Some anti-cheats are pretty useless, and don't do much, but some actually do try and protect the game you're playing. But, just like DRM, it can be cracked, and that's why it's more of a constant arms race, rather than a one and done thing.
I'm writing out a longer post about this for the future, but just know that without anti-cheat clientside, it would be far too easy for an attacker to cheat in these games. We're still ways out from letting AI (see VACnet [1] and and Anybrain [2]) determine if someone is cheating server-side, so for now we have to rely on heavier client-side techniques and server-side decision making.
Also if anyone has questions about the site (or for me), I'll try to answer them here when I see them. If not, have a nice day!
[1] https://youtu.be/kTiP0zKF9bc
[2] https://www.anybrain.gg/