It's been a long time coming. I wonder if the overhead of user space interacting with the kernel api is gonna be noticeable.
>Another big area of Windows that uses kernel-level drivers is anti-cheating engines for games. Microsoft has been speaking with game developers about how to reduce the amount of kernel usage, but it’s a more complicated use case as cheaters often have to purposefully tamper with their machine to disable protections and get cheating engines running.
>“A lot of [game developers] would love to not have to maintain kernel stuff, and they are very interested in how they do that,” Weston says. “We’ve been talking about the requirements there, and I think we’ll have more to say on that in the near future.” Riot Games told me last year that it’s willing to follow potential Windows security changes and “recede from the kernel space.”
I hope it spreads to anti cheats as well.
With anti-cheat the obvious (lazy, stupid) future is remote attestation. It's another way to kick the can down the road of actually going to "real" approaches to anti-cheat like less client trust, behavioral analysis, and statistics that you would have to do if you had no choice, like for online Chess games or something like that. Of course even for fast-paced games like FPS games, you can now cheat using a capture card, ML models and a fake HID keyboard/mouse device so I'm sure the arms race will evolve to include forced HDCP and signed, encrypted HID devices and other dumb bullshit before there is finally some realization that there is no longer any possible, reasonable way to shortcut anti-cheat anymore. The shortcuts are just too much cheaper and easier. (I'm sure we'll keep remote attestation anyways afterwards, because it's impossible to have nice things.)
I think a lot of these problems are exacerbated by the developers themselves. Dedicated servers were removed (so that games could be sunset-ed to avoid competing with sequels) erasing community and human moderation leaving players entirely dependent upon algorithms and spotty reporting. F2P games are pushed to get people on the micro-transaction treadmill which makes the cost of being cause nothing but also can create a financial incentive to cheat for items. Now everyone has to jump through a bunch of extra hoops because the control they demanded isn't enough to solve the problem they made worse with it. The answer is always to add more hoops.
Dedicated servers were mainly removed to balance matches with matchmaking IMO.
How do you do proper matchmaking with user-hosted dedicated servers?
Like what would an end-user dedicated server system look like for call of duty warzone, or Fortnite, battle royale games. A round lasts about 20 minutes and you want 150 players filled in right at the start and you don't want to wait more than a couple minutes to fill the server for each round.
The other popular types of FPS games are mostly like 5v5 modes, and you want really balanced teams based on an MMR system. I don't really see how you do that with dedicated servers.
> forced HDCP
Fly-by, but HDCP is already cracked. There's no shortage of HDCP strippers from AliExpress; although they use clever marketing terms to avoid spelling out the fact (presumably to avoid legal troubles)
Oh, I know. It's perfect for anti-cheat though: it doesn't fix the problem, it slightly increases the cost/entry barrier, and it's a pain in the ass for consumers. It's just like all of the other current anti-cheat technology!
Why do you think cheating is a fixable problem? Or am I misinterpreting your words?
Oh no, it's definitely not "fixable", it's hard enough to define cheating precisely, much less fix it.
Like there's obvious cheating. Playing online chess games using an engine to tell you every move is cheating, and thankfully if you really don't know what you are doing, you are likely to get caught.
Then there's less obvious cheating. It's pretty easy to cheat in speedrunning by passing off a carefully constructed "TAS" run as a regular speedrun; though just like with chess it's going to be obvious if you don't know what you are doing, but it's pretty hard to inspect in detail so you might get away with it as long as nobody pays too much attention.
Then there's things that may or may not be cheating in the first place. A good example is key binds in Source Engine games, like null-cancelling movement configurations. The game allows it and keybinds are not traditionally treated as cheating, so is it? (I think they may have changed this in newer games/updates but I'm behind on the times.) Or custom controllers for Super Smash Bros Melee. Merely emulating degraded analog sticks in a way that is advantageous is generally not considered to be cheating, but e.g. warping the stick movement depending on an internal state machine to make certain things easier to do is usually considered too far. I can think of many examples. "Calcing" and charting in PangYa is a nice obscure one.
But I do say this: If you took one aspect of cheating, like aimbots, you could attack it surgically. You could detect the current state-of-the-art, do your best to make it hard for aimbot developers to figure out how you're detecting them, ban players and make it hard for them to get new accounts. The problem is that this is not easy or cheap. People just want to throw some money at the problem and have it go away, they want something like Easy Anti-Cheat.
I think though that eventually, it might all just be futile. It depends. If machine learning continues to progress, eventually it will be pretty hard to distinguish human and machine inputs no matter how hard you try to. It's already not very easy looking at "state of the art" technology from 2022. I linked this elsewhere but it has a nice chart of people mostly failing to detect their ML-based aimbot:
https://arxiv.org/abs/2205.07060
I guess I'm just disappointed in these lazy approaches because they wind up being so vapidly anti-consumer. I know that they accept the temporary nature of these fixes since they don't really intend on these games running forever (which is also a sort of problem, though not related since obviously they really can't worry about and invest in anti-cheat forever) so they just need something that works for now. But it seems like no bridge is too far, and now we're nearly all the way to "you need to install this rootkit and enable secure boot and use Windows 11 and have TPM2" or whatever else.
edit: I really wish Hacker News pushed downvoters to leave a reply... If whoever did that comes across this post again I'm actually genuinely interested in hearing about whatever you disagreed with strongly enough in this post. Unfortunately I said so much that I can only guess what and that's a bummer because I bet it would be interesting.
> HDCP is already cracked
It's been 15 years already
Less client trust means some game designs are impossible. The latency caused by the speed of light leads to unacceptably bad player experiences if you don't trust the client, at least for shots from their p.o.v.
Personally I don't mind if fast-paced adversarial multiplayer FPS games stop existing, but that's a minority opinion.
To clarify I don't really mean "no client trust", I just mean less. There's a lot of ways to skin a cat when it comes to multiplayer architecture. (I realize you probably know this, but it's always worth repeating. I'm routinely surprised by what people manage to come up with.)
For something like a 2D fighting game it seems like they've landed on determinism + rollback most of the time. That basically only trusts inputs from any given client and nothing else is trusted. Totally possible for the server to "verify" a client's claims by running the replay if needed, though obviously that can be rather expensive. Either way, that eliminates a huge avenue of cheating; as long as the developers did it right, you're basically just left with cheating by botting and using macros.
For something like an FPS game life is hard. The client has to react "as if" there is no latency even though there is. If an arena "twitch" shooter (does... anybody still make these?) ever had a situation where the cross-hair lined up but it didn't count, that would basically break the game. Still, there are many more things that are typically client-controlled, and there should be ways to not give the client as much control without adding too much latency. Any situation where the client and the server or peers can both track something and the server or peers can verify the correctness of the state of the client after the fact, it's probably possible to make some improvements. Basically, make an effort to ensure as little of the information received from any given client is inherently "trusted".
I won't lie, the approach of using heuristics in an otherwise client-trusted environment is definitely "fraught with peril" to some degree; bad heuristics can be pretty damaging. Blizzard ran into a problem where they were accidentally banning Wine users at one point, and it took them a really long time to actually admit the bans were incorrect, and as far as I know they never bothered reversing any of them. Don't get me wrong, they can say "Wine is not supported" and call it a day, but even ignoring that you'll always have some false positives, due to bugs or even weirder issues like clients with bad DRAM.
FPS games are definitely in for a world of hurt though. It's one thing to combat rudimentary aim bots that read internal game data and move the mouse with exact precision, totally different ball game when you have vision models controlling HID mice and keyboards. A Raspberry Pi Pico and a second computer with a capture card isn't a non-zero expense... but, a lot of people already have these things lying around. No amount of not trusting the client can do anything for you with this. You would definitely have to get deeper into behavioral analysis.
Anti-cheat does not need to run real-time to be effective
So you put in the effort to share some nuanced opinion on a subject on a forum, and then you say you'd prefer if the whole subject did not exist.
I’ve worked in the games industry for long enough to understand why anti-cheat exists in the form that it does.
I also understand that there are many players that like adversarial FPS games and many companies that make money from that.
Just because I personally don’t think the trade-off is worth it doesn’t mean I expect the world to comply to my preference.
Game clients need to have zero trust. There has never been a truly working anticheat that doesn't punish the user in some way.
Be it you can't game on Linux (steam deck) or if you have some specific software installed you're flagged as a cheater (autohotkey) or other dumb things.
That said even in some AAA games it feels like the game cheats anyway either intentionally or unintentionally (read about how modern warfare basically decides the outcome of an encounter before it happens to keep your k/d ratio close to 1)
"Game clients need to have zero trust"
Good luck implementing anything fast this way.
Have you thought a bit about what this means?
Only ever give the client what it can see?
With common real world ping times around 60 ms?
It would result in very slow shooters. Where you have to wait a bit to see what is around the corner after going there. Not that practical.
In my opinion most anti cheat is BS anyway and even if some get banned, the main problem is, game companies seem happy with the solution of just selling new accounts to cheaters.
> It would result in very slow shooters. Where you have to wait a bit to see what is around the corner after going there. Not that practical.
I think ideally you'd send players only what they could possibly see before the next packet comes in. If their ping is 60ms and the game's tickrate is 128Hz, each tick they'd be receiving everything visible from within 68ms walking/running/jumping/etc. of their position 60ms ago.
Could be combined with server-side behavior analysis to detect players seemingly using information their client was sent but they shouldn't have seen. Packets from the client of what they actually did in that 60ms should be half received by the server and half in flight to the server by that point, so the client can't retroactively lie.
Wouldn't eliminate the advantage of this kind of cheating entirely, but might make it small enough that for many current cheaters it no longer justifies the risk.
"I think ideally you'd send players only what they could possibly see before the next packet comes in."
That still makes wallhacks possible if standing close to a corner.
And otherwise what you describe makes netcode way more complicated, than it already is. Resulting in a worse game experience.
I am annoyed by any lag or stuttering and find it immersion breaking.
> That still makes wallhacks possible if standing close to a corner.
That's what I'm thinking with the server-side behavior analysis to detect players seemingly using information their client was sent (in case they made a certain movement) but they shouldn't have actually seen (because they didn't make that movement). Though even without that, restricting wallhacks to corners that you could already almost immediately see around would already be a significant improvement.
> And otherwise what you describe makes netcode way more complicated, than it already is. Resulting in a worse game experience.
It's what I think is the ideal and would definitely take some work to implement in practice, but if implemented well I'd argue the measures would be invisible to players in almost all scenarios, and game experience would be superior to solutions that have rampant wallhackers and/or don't work on many machines due to invasive client-side anti-cheat.
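The visibility-window idea debated in the comments above (send a client only what it could see within ping plus one tick of movement), as an added example that is not from any commenter or any game's code. The 2D map, the single wall, the movement speed and all function names are assumptions, and reachability is approximated by sampling straight-line moves.

```python
import math

# Constructed sample map: one wall running from (0,-10) up to a corner at (0,0).
WALLS = [((0.0, -10.0), (0.0, 0.0))]
ENTITIES = {"enemy": (3.0, 0.5)}   # constructed position, just past the corner
SPEED = 5.0                        # assumed max movement speed, units per second

def window_seconds(ping_ms, tick_hz):
    """Time a client can move before the next server packet reaches it."""
    return ping_ms / 1000.0 + 1.0 / tick_hz

def _orient(a, b, c):
    # Sign tells which side of line a->b the point c lies on.
    return (b[0] - a[0]) * (c[1] - a[1]) - (b[1] - a[1]) * (c[0] - a[0])

def segments_cross(p1, p2, q1, q2):
    """True if segment p1-p2 properly crosses segment q1-q2."""
    return (_orient(q1, q2, p1) * _orient(q1, q2, p2) < 0 and
            _orient(p1, p2, q1) * _orient(p1, p2, q2) < 0)

def clear_path(a, b, walls):
    """No wall blocks the straight line a-b (used for movement and sight)."""
    return not any(segments_cross(a, b, w0, w1) for w0, w1 in walls)

def reachable_points(pos, radius, walls, rings=3, spokes=16):
    """Sample positions the player could walk to within the window."""
    pts = [pos]
    for r in range(1, rings + 1):
        for s in range(spokes):
            ang = 2 * math.pi * s / spokes
            p = (pos[0] + radius * r / rings * math.cos(ang),
                 pos[1] + radius * r / rings * math.sin(ang))
            if clear_path(pos, p, walls):   # cannot walk through a wall
                pts.append(p)
    return pts

def entities_to_send(pos, speed, ping_ms, tick_hz, entities, walls):
    """Ids the server includes in this client's next update."""
    radius = speed * window_seconds(ping_ms, tick_hz)
    pts = reachable_points(pos, radius, walls)
    return sorted(eid for eid, epos in entities.items()
                  if any(clear_path(p, epos, walls) for p in pts))

if __name__ == "__main__":
    print(round(window_seconds(60, 128) * 1000, 1), "ms window")
    print("mid-wall:", entities_to_send((-0.2, -5.0), SPEED, 60, 128, ENTITIES, WALLS))
    print("at corner:", entities_to_send((-0.2, -0.1), SPEED, 60, 128, ENTITIES, WALLS))
```

The mid-wall player is sent nothing, while the player at the corner is sent the enemy before having line of sight, which is the residual exposure raised in the reply and the case the proposed server-side behavior analysis would have to cover.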
Your last paragraph is spot on. From a player's perspective, more than one MMO I played clearly had bot/script problems that the devs always addressed publicly but never took the easiest and obvious solutions.
Hard to not see it - esp in smaller games - as the bots and cheaters providing too much revenue to cut out completely.
Wait how does using a capture card let you cheat? Not disputing, very curious. Like a bot sits in between and makes the correct moves?
I don't play fps anymore not trying to cheat lol
In the future, you no longer need to spy on internal game data to make an aimbot.
Thanks, that's wild. I chuckled when I read that it was using deep neural network "YOLO".
I guess the ultimate "anticheat" would be to have a camera pointed at the user and their screen, and have some kind of super AI watch it.
And the ultimate "cheat" would be an android hooked up to the computer and indistinguishable from a meat-based person :)
Even that can be cheated by mimicking the device and feeding it a generated video stream.
How about sending a company droid to the user's premises? To monitor them in person
That's why the device is locked down like a payment card reader. Comes with a key already loaded; if the device is ever opened or the battery runs out, the key is erased.
Meanwhile my retirement account is with a financial services company that pushes voice match authentication, an authentication mechanism that was a joke in the 1980s.
> I wonder if the overhead of user space interacting with the kernel api is gonna be noticeable.
‘Luckily’, the overhead of antivirus software already can be quite high at times [1]. So, if this API can keep the number of kernel-userspace transitions down, I think the relative impact could be barely noticeable.
[1] https://www.tomsguide.com/us/av-software-least-system-impact...:
“For example, McAfee Total Protection had a relatively light background impact, slowing down the Lenovo laptop by only 9% after installation”
Anecdotally, for some gaming friends of mine, the only reason they maintain a Windows install is for games that don't run on linux/proton due to anti-cheat kernel integration. So for that portion of the population, it seems in Microsoft's interests to keep it going.
It's really the last thing that keeps any trustworthy source from recommending switching to linux for gaming without reservation. As soon as you want to play any competitive online multiplayer games, which to my understanding is the vast majority of people, you're going to have problems with some anti-cheat not working on Linux sooner or later.
I'm not saying it's the only thing that stops mass adoption of Linux for gaming, but I think we'd see a massive uptick very quickly, if this problem went away.
I’ve mostly just stopped playing online games with the public as anti-social sociopath cheaters have ruined the fun.
There’s one “solution” to cheating that publishers seem loath to offer these days: server executables so people can host their own servers.
When I played BF1942, we just banned anyone we thought was cheating. Having a reputation for being actively moderated and typically cheater-free meant the server was popular and often full. When I ran a Minecraft server, I used a whitelist so it was a complete non-issue.
The only online game I still occasionally play is WoW where cheating is mostly non-existent and what cheating that does exist doesn’t typically affect the gameplay experience of normal players.
I wonder how long until those anti-cheats start fighting and false?-positiving each other due to how they operate.
Excited for this and the anti-cheat systems moving out of the kernel. This should/would make it easier to emulate them on systems like Proton on Linux and thus push the world one step closer to having cross-platform (Windows, Linux, macOS?) multiplayer gaming. But maybe I'm too optimistic :)
Many of the more sophisticated video game cheats (not anti-cheats) run at the kernel level or lower (hypervisor, or even external hardware). So yes, I would say you are being too optimistic.
Following this with cautious but sizeable optimism. Great progress has been made in the printer and WiFi driver departments before, if they could actually deliver on this, that'd be ecstatic.
I remember old setup wizards on Windows 9x that would commonly advise disabling any antivirus software before proceeding with an installation. Even back then, we knew those programs could break basic functionality like app installations, yet the platform owner never truly intervened.
This whole situation now feels like too little, too late. We currently have a vast market of "security" software built on top of their platform, and everyone is compelled to use it, often due to compliance requirements. Now, Microsoft has to walk on thin ice by restricting these "snake oil" vendors without getting into trouble for anticompetitive behavior by restricting a market on top of their platform that should have never existed in the first place.
Given my experience with the scammy, spammy, parasitic mess that have been the vast majority of antivirus software providers I've tried here and there, good riddance. Good to see this. Now what to do about the spammy, scammy, parasitic mess that is called Windows 11?
Crowdstrike deserved to go bankrupt for this nonsense, they weren't testing properly, and they rolled their crap update out to the whole world without a staged rollout or canary system: https://x.com/cyb3rops/status/1821096079372251203
Just googled their share price and they are 34% higher than they were before the shitstorm they caused.
Just like other security software that's big right now, I'm sure the news that it took down most of the IT systems on earth was great news to shareholders that the software had solid market penetration and most of all that even perhaps one of the biggest outages didn't cause people to leave.
The same with Zscaler - people about as far from tech I'm friends with complain to me about how much they hate it so you know /it's everywhere/
If all software engineering businesses and engineers that do not test properly went bankrupt then this website wouldn't exist.
Oh come on, we all know and expect bugs, but this was something spectacularly bad. They caused the very thing people were paying them to try and defend from. This incident had very real and serious consequences. https://en.wikipedia.org/wiki/2024_CrowdStrike-related_IT_ou...
So let the market sort it out. Turns out their clients don’t think the consequences were that serious.
> Turns out their clients don’t think the consequences were that serious.
Yeah, that's an interesting point. I'd be interested to read analysis on that. Maybe being seen to pay for something that claims to make things more secure is more important than actually being more secure.
Delta Airlines thinks it's serious.
https://www.theregister.com/2025/05/07/delta_crowdstrike_cla...
The lawsuit appears to be about the lack of refunds, and even mentions Delta explicitly declined help from Microsoft and CrowdStrike. So how does that indicate Delta thinks "it's" serious? And what is "it"?
They want compliance not security. Maybe if it's enough for compliance but not enough really then whoever makes compliance standards should be fired
More like let the market litigate it out.
They didn't really argue otherwise, just remarked that they think it was.
What's your point?
My point is that the first post says that Crowdstrike deserved to go bankrupt, but that is up to their clients to decide. Standards for software are very low, and we all profit from that, so better not rock the boat.
and that would be a bad thing?
Not only them, unfortunately proper liability is yet to become as regular as in other industries.
You have to, because attackers aren't using canary systems. What good is it, if someone finds a new unauthenticated RCE in Windows, and you have to wait a week to make sure your detection method works correctly? By the time the week is over, every computer in the world already has the virus. And then you have to wait another week to test your removal tool.
I installed Avira Free Antivirus for a day around three months ago, just to check something. When I uninstalled it, it left three browser extensions hidden somewhere on my system. I have several browser profiles, several user-data-dirs, and every time I create a new profile or install a new browser like Vivaldi, I get a popup pressuring me to grant permission to those extensions.
Fuck these AntiVirus software vendors, they are just as much scum as the baddies are. What once was just Norton, today is everyone.
I'm glad that they're getting less access to the system, even if it's for another reason.
Thirty years too late, but welcome nevertheless
They tried doing this before but ran into anti-trust issues over it.