Cheating & open source, revisited

by Aardappel_ on 04/27/2005 07:54, 218 messages, last message: 06/16/2006 17:23, 172924 views, last view: 05/18/2024 20:29

As you all know, cheating is a problem for Cube being Open Source. Noone likes the current solution of the incompatible binaries, and I am getting to the point where I see the usefulness of having other people continue to work on Cube whenever I don't have the time.. currently that is problematic and would be much easier if the source to the official game could be truely open.

Multiplayer continues to be an important aspect of Cube, so we can't ignore cheating and simply hope that people won't change 1 line of code to enable god mode or permanent octa-damage, because they will (tell me something about human nature and the people on the interweb).

The solution can't come in the form of "cheat protection", this simply isn't possible with the current cube, and even if the entire gameplay code was moved serverside, is still fragile. Don't even suggest it... make sure you understand the nature of the client/server gameplay code before commenting.

The solution for Cube I feel has to be a social one. As you may remember, I designed a solution before:
http://wouter.fov120.com/rants/trusted_communities.html
The problem with this particular design is that it is too complex to set up, and too centralized. I would like to come up with a solution that is simpler, less implementation work, and can work with any group of people, centralized or not.

This is the idea I came up with sofar:

Every player that wants to play in a cheat free environment, can use a command in Cube to generate a set of key files. A key file is simply a file of, say, 10000 random bytes. The player then hands out these files to players he trusts... or rather, players he wants to trust him. (why there are multiple files will become clear later).

A server can either be in untrusted mode (default, works as before), or trusted mode. It can be set to trusted mode by the server admin, or voted by the players until the server empties. It will show up in the server browser as trusted.

If a player A & B connect to a trusted server, A looks up B's nickname in his folder of key files. If he finds a corresponding key file, he chooses a few random file offsets and reads the bytes there. It now sends a packet to B asking it for the bytes at those offsets. If B really is B, it can simply read its own keyfile and return the values. A now compares the values, and if they match, it sends a "I trust B" packet to the server. The hud shows which clients you trust, and for each client how many clients trust him in total. You are now sure that B really is who he says he is.

On a trusted server, people that after exchange of trust packets have gained no trust, can be booted from the server automatically. This allows you to play games with trusted people in your community, and have external people unable to be join the game.

asking for random offsets guarantees that untrustworthy clients or even servers never get to sniff keys. "Trust" is evaluated locally and for you only, so can't be spoofed.

The one problem would be handing your key file to someone who later turns out to be untrustworthy. This person could now impersonate you and appear to be you to all your trusted friends. Hence the multiple key files, so you can give a different key file to different people (or groups of people). That way, if the person "goes bad", he can't impersonate you towards your friends, as he doesn't have the keyfile your friends have.

The system is not perfect of course. You can still have 2 cheaters join together and trust eachother. Luckily cheaters hardly ever come in groups, and there are more complicated ways to protect even against this.

The biggest issue is the inconvenience of having to exchange key files, and especially to require new players to find existing players on forums/irc before they can sensibly play. I think it is bearable though, as you only need to do it once, and Cube multiplayer is a fairly closed community. And if servers are by default untrusted, you can give newcomers the benefit of the doubt until they behave suspicious.

What do you all think? Please think it through thoroughly before commenting (I am talking to you, Jean Pierre! :). I am especially interested in "holes" in this system, i.e. ways that cheaters could abuse it if they really wanted to.

   Board Index   

#116: Re: What might work...

by tentus on 06/17/2005 23:26, refers to #115

mehhhh, can't type today.
>i've never used quad for multiplayer.

sorry about that.

reply to this message

#117: ..

by hungerburg on 06/17/2005 23:31

hello,

your simple solution fails in contact with reality/me: I want to stuff the machinegun as full as I can, from all available ammo (there may be more than one box in a map ;) I too see, there is an arms race to avoid! the cube way as of now, works quite well; on the servers I generally dont feel to be haunted by cheating lamers. there is some obscure algo in the network code and obviously nobody yet took the effort to crack it. map cheats seem to be rarer than engine bugs;)

aard opened this thread with suggesting that only people play each other, that trust each other. One problematic point in his implementation I think can easily be fixed by using public key cryptography - the one of impersonation by use of a "public secret") - altered suggestion:

At first, players create a public and private key pair using standard tools (think openssl, available for all platforms and bsd license - so can be embedded in cube/sauer!). to not make this depend on the nick, the public key is the global identifier of a specific, single player; lets call any two of them Alice and Bob (A and B, like in the original example.)

When joining a game, along with her nick, Alice also hands out her public key. peers AND server use this one to encrypt some random string and send it to her; if she then can return the original, she has to have the private key, so it must be her! vice versa, alice also tests the other peers the same way. eg. this way she might get to know that the other player really is the person she used to know as "Bob" - because Alice, like any player, keeps a list of other keys (indicated by nicks, though that is just a convenience, as they might change). there has to be an interface in game to flag some of these as un/trusted (and to prune ones, that have not been seen for a year or so, etc...). if she knows that she trusts Bob, she can tell the server so.

PROS:
- a web forum was not at all necessary, as public key exchange between peers can be handled in game
- if keys were exchanged between each game, the server would not have to keep a log of keys seen, only client would
- there are no two equal public keys

CONS:
- the server still has to be trusted
- bummer! clients behind nat cannot be queried this way! (also in aards suggestion)


peter

reply to this message

#118: Re: Alternatives

by Gilt on 06/18/2005 01:41, refers to #112

re: ignore-world

godamn I really like this idea! I mean... it's just so... deadpaned crazy! A true five-bagger!

the more I think about it, the more I can't help but applaud with awe. The complete lateral thinking used here is incredibly inspired. I mean, it's essentially taking what attempts to be an objective reality and totally turning into a subjective experience. it'd be like playing in a completely disassociated-ostrich version of a world. I cannot even begin to fathom the inter-connected dark matter effects that would occur at the nexus of the storm of collapsing dimensionality that is this multi-verse. imagine a game where you can be intensely playing one-on-one with an opponent who is SIMULTANEOUSLY playing in a free for all with 3 other people who are each playing a game of CTF, 3v3 and lastman-standing respectively!!!!

I want to watch the movie based on this idea, written by philip k dick.

this is honestly one of the only truely innovative ideas I've read here. this is what life is all about. sometimes you've just got to bust out with a giant mutant rainbow ostrich and see what happens. Ofcourse, aard being the ruthless mother nature that he is ( :p ), would never let it live too long... but at least you get to see it strut it's stuff for a little while...

reply to this message

#119: Re: Alternatives

by Aardappel_ on 06/18/2005 10:56, refers to #118

I thought about it for a second, as it has many good properties. It is of course dead simple, no central administration, for one. The fact that people are playing potentially different games to me is not problematic, and would fit nicely with cube's thick client model.

One problem with it is that this costs the players more effort to combat cheaters than for the cheater to keep on annoying people. Cheater cheats, people recognise it, and slowly everyone on the server puts him on "ignore". He sees this, quits, reconnects with his isp, and rejoins the game with a different nick and ip. Players would have to give someone joining the game benefit of the doubt before they can ignore hims again. Repeat.

The problem is worse because of the kinds of cheat someone with full sourcecode can make. First of all you can make really annoying cheats, for example instantly kill everyone on a keypress. Second, you can make cheats that give you a huge advantage, but is almost indistinguishable from just a good player (such as radar, see through walls, stats showing enemy health, second countdown till next quad/armour, minor ammo/health cheat etc).

One way to make it harder to rejoin after being detected is to move to a "round" based system, where you have to spectate until the next round if you join a server. That way the penalty for being ignored maybe offset its cost.

reply to this message

#120: ..

by remouk= on 06/18/2005 12:13

/ignore ? What a pretty good idea ! Imagine, if you think a player is cheating, you just have to /ignore him ! Then you won't see him, and he won't see you anymore. In another case, it could be a way to cheat, so let's think about it. :)

reply to this message

#121: ..

by hungerburg on 06/18/2005 13:29

cheaters are just a nuisance - why are they so special? because everyone agrees on that they annoy! now how to kick all the cheaters?

if the goal was instead, to only play a select number of friends, whom I trust, a password on joining the server was just as useful as a trust scoring system! this of course depends on another channel to share the password - while the trust meter depends on a third party, to tabulate the score. there is always a third party to any game of cube - its the server. in my post 132 I tried to improve upon aards suggestion how to reliably tell who's who.

the "ignore" idea is indeed totally different: it works like in a chat - its one step before the "kick", ie. no consensus/vote needed. in a chat, there are no cheaters - though there may be nuisances. this is no longer about a closed group with external ties or a referee.

what remains: 1. also a very good player may annoy other players, 2. how to trust strangers (if not per default?)

reply to this message

#122: Re: General long-term strategy

by jean pierre on 06/18/2005 14:47, refers to #122

I am better skilled then mostly anyone in playing Cube mutliplayer and most say i have a hack that the aiming target automatically on the person thats not true im just Advanced in Cube/Sauer.

reply to this message

#123: Re: General long-term strategy

by makkE on 06/18/2005 14:57, refers to #122

Lol

reply to this message

#124: Re: Alternatives

by Gilt on 06/18/2005 15:22, refers to #119

Each client can have their own ban lists. Better yet, each client can assume that they don't want to play with most people, and have buddy/trust lists that function exactly like most IM services do.

Hell at this point, pretty much EVERYTHING can be client side... the only thing that the clients need to agree upon is which map they are playing... and even that is debatable! That means you don't even need servers... you could totally set this up as a kind of peer-to-peer deal. Clients simply send out their actions/position to anyone who wants to listen, and recieving clients can use that info however they want. This opens up the selection of players you can play with to the full network instead of being limited to individual servers, which makes it easier to collect all the people you trust into your game. it also implies an upfront passive ignore, since you choose who you want to listen to, as you can't very well connect to everybody.

reply to this message

#125: Honestly

by enigma_0Z on 06/18/2005 15:39

Honestly, I don't really think that there's any way that we can _really_ trust anyone online...

It would probably be better to have a scheme like Cube where the netcode is known to a specific few, and the opensource version has a different network module...

Then Aard could have people work on the game engine without revealing the netcode to them...

Basically, make the netcode a super-secret black box that only aard and his circle of coders knows about.

reply to this message

#126: Re: p2p

by hungerburg on 06/18/2005 16:30, refers to #124

original doom's network mode had no servers, but instead ports for multiple games.

reply to this message

#127: Re: p2p

by jean pierre on 06/18/2005 16:38, refers to #126

Nah i love server lists better and dont compare Doom with this

Look at Doom 3 it is said it has server lists(well my bro told me)
But i never and probably never wants to play Doom 3*scissor fingers/changes mind when see it*

reply to this message

#128: Re: Alternatives

by Gilt on 06/18/2005 19:11, refers to #125

yes, this is basically what I meant when I wrote:

> it's essentially taking what attempts to be an objective reality and totally turning it into a subjective experience.

The major conceptual point here is the empowerment of the clients to ultimately control their own reality. Ignoring the exisitence of unwanted players is just a manifistation of this.


anyway, p2p is just one off-hand implementation I mentioned, and isn't really important. you could have servers where clients send their current actions/gamemode/map/etc, and then other clients can pick and choose which client-streams to download and how it will be used. This is not too far from the current model... the important difference being that in this "subjective" model there is no objective authority on what the current game situation or score is.

So while clients could support various degraded modes of play like perhaps not acknowledging suspicious actions from players you only half-trust, or temporarily ignoring players you believe to be dead but who refuse to respawn, fully-open-and-shared play would again come down to playing with those you trust.

Iris Murdoch once said, "Love is the extremely difficult realization that something other than oneself is real." Unlike other models that are based on the hate and fear of cheaters, this model is focused on playing in a shared reality with those you love! It's so beautiful... I think I'm going to cry....

reply to this message

#129: Re: General long-term strategy

by kernowyon on 06/18/2005 23:50, refers to #122

Whats your nick on the games jean pierre? - so I can keep an eye out for you?

reply to this message

#130: Re: Alternatives

by Aardappel_ on 06/19/2005 05:03, refers to #124

ban lists can't work without identity. it takes a simple reconnect for a cheater to show up with a new ip and nickname, and bypass your ban list.

buddy lists work because it requires central registration. without, people could impersonate your buddies. If we required registration and/or some other form of identity, and we rely on "trust" as opposed to "banning", then we are getting very close to my orginal idea again. One problem with that which the ignore idea fixes is that its a lot more work to make sure new players get trusted and are able to play.

reply to this message

#131: Re: General long-term strategy

by jean pierre on 06/19/2005 09:29, refers to #129

And what would you do Curse me and offend!
I removed Cube due to its old and boring so i no longer am in there.

reply to this message

#132: jp

by >driAn<. on 06/19/2005 11:46

> I removed Cube due to its old and boring so i no longer am in there.

Great

reply to this message

#133: Re: jp

by jean pierre on 06/19/2005 12:11, refers to #132

Cool isnt it cause i hell dont like participating in competitions with Morons and N00B'S!

reply to this message

#134: ..

by makkE on 06/19/2005 13:21

Yes! Thank you very much, Jean Pierre !!:D
We don´t like it either...

reply to this message

#135: Re: ..

by jean pierre on 06/19/2005 13:36, refers to #134

Bah end this we're getting off-topic!

reply to this message

   Board Index