
Johnny Freedomseed
12.1K posts

Johnny Freedomseed
@FiredForEffect
Recovering fed. Full spectrum adversary emulation @ F50 Intentionally Left Blank. Your m̴̗̕a̶͎̿l̶̩̊w̷̥̕â̶͎r̶͈̿e̵̱͋ ̸͔̚ is my inspiration. #YoloSec



@DavidSacks Are people that review code but never write any still software engineers or simply quality control?








@FiredForEffect What's it like being a welfare case that joined the military solely for a disability cheque? I wonder if that same attitude is what transfers to people like you who cheat?




Anti-cheats and the related detection research concepts aren't new. Predating your 2026 research, we've got notables such as DARPA, and droves of other researchers. We're going all the way back to anomaly detection research starting with 1987's "An Intrusion Detection Model". This laid the foundation for successors, and eventually "Detecting insider threats in a real corporate database of computer usage activity" in 2013. dl.acm.org/doi/10.1145/24…

This is where we see modern techniques such as UEBA (User and Entity Behavior Analytics) take shape. From one such solution Exabeam's explanation verbatim, it typically includes:

- Behavioral analysis: UEBA systems analyze user and entity behavior, including actions like login attempts, file access, network traffic, and application usage.
- Anomaly detection: It establishes a baseline of normal behavior for each user and entity and then flags deviations from that baseline as potential threats.
- Machine learning: UEBA leverages machine learning algorithms to identify subtle patterns and anomalies that might be missed by traditional security methods.

For insider threats, this means that you're being observed for activity outside the norm, and importantly, outside your norm. Deviating is a signal, and subsequent signals can often indicate exactly what type of threat is taking shape. In many corporate organizations triggering this beast is a great way to land yourself an immediate emergency termination. We do them both immediately, and in bulk for a little less... full panic emergency worthy candidates. No access, at all. Badge? Done. AD? Locked and modified. Everything you have access to is immediately stripped, and you get a call bridged into HR. All of it is based on valid signals, and just like current anti-cheat, the only thing the end user knows is they're out. They don't know what, when, or why specifically. Some of it is fed by client data points, but a lot of it comes from other systems the user doesn't have direct access to.

So what does this have to do with anti-cheat? It's the exact same sets of problems, systems, and failure conditions. The biggest difference here is that a player isn't an employee, and you cannot rely on them or their machine in the least. So, if we're applying a zero trust model, what do we examine? The data on the servers, which contains nearly everything to start modelling behavior.

Here's the thing. The truth is what you have running on a client doesn't matter so long as it doesn't take them outside of a very specific set of rules. That specificity means you can observe, measure, evaluate, and train on it. In fact, the largest identified failure model here is that a cheating player very incrementally increases their low skill actions. Not that they're suddenly super human. No, they have to always act human, and ignore metagaming. If they have ESP, they cannot act on it. If they take 10 seconds to line up a shot, they can't use an aimbot to speed up to 9 seconds, much less 0.5s. If we're evaluating the scenario honestly, the difference is night and day. There are no people operating cheats at machine level skills. They may, over time, push them well beyond their complete lack of skill - but in doing so they're also introducing ever increased likelihood that their behavior becomes completely transparent.

On the opposite side of the equation, you have an identical race to anti-virus and EDR. "We'll bypass your hooks by unhooking" "Oh, well how about we just use syscalls directly?" "Let's get a trampoline in there" "Let's work out the call stack." "Let me run this as shader code." Meanwhile vendors clamor for deeper and deeper access. It doesn't matter that bigger names than any anti-cheat dev, such as CrowdStrike, have accidentally crashed a not so insignificant part of the internet due to code issues. Anti-cheat developers still need you to give up more access. Which is ironic, because unlike CrowdStrike, the hardware and software configurations they need to test against to avoid hardware issues, BSODs, and CVEs is functionally infinite. They CANNOT test all possible combinations, so they don't. It's a small sample. They don't recognize a hardware controller you've got installed, or maybe just this one particular update for it? That sucks. A good AC client will self-terminate. A bad one will kill your hardware controller instead and you may or may not get to experience what happens when that hardware starts operating outside expected bounds.

The point of that is to say, there's more for the game industry's EDR wannabes to mess up... but they don't care because people agree that they aren't liable for it. Funny sidenote, if they actually cause damages, they probably will be. Whether you run into a hardware failure, or a foreign crime syndicate exploiting your game client and AC to drain your account or add you to a bot net doesn't really matter in the grand scheme of things. Your client is a singular data point that generated them a meagre amount of cash. $50 if they're lucky and you bought it outright. Most players are generating $0 if you're on a F2P title.

Let's also level set here. If you're on a F2P title, the only people that matter are the ones who are really spending. Cheaters, genuine detection, and ban waves (especially being announced) are for their benefit. So long as you keep people happy - not secure - everything is fine. A claim to be addressing the problem is often just as good, or even better, than actually doing it.

So where does that leave us? Kernel AC will never work. There are two valid paths. Cloud only - you own nothing and get to be happy, and server-side UEBA - where cheats can technically function, but actually benefiting from them lands you a ban. The methodology is solid, and it goes back nearly FORTY years. It hasn't been implemented because the game industry isn't a trend setter. They follow behind Hollywood's trends, and explicitly do the minimum safe bet because it's about extracting value, not doing it right. Games are bastard children, designed explicitly for kids - or at least that's how a lot of executives are looking at them. Good enough is good enough. When the model fails in a year, you're already buying next year's edition. If it's F2P, you're either being milked or you don't matter.

So sure, do some research. Write papers. Do some dev work. But people are building out exploits to target games, game engines, and anti-cheats. So while they get system level access to your machine, so do those of us who live on the more lawless side of security. The best part though, is you'll have the extra benefit of being able to play games with hackers on both sides of the application. If you hate them in the game, just wait until they're sitting in your network too.

Again though, it's kind of moot. We've got going on half a century's worth of research. We've got data. We've got methodology. We've got models. The only thing we don't have is buy-in because people care more about their escapism fix itself than fixing the problems they actually have with it. I'd say "now what," but honestly I'm just disappointed. If you don't understand what has come before you, or what is happening in parallel, you're really missing everything of consequence.
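The server-side behavioural baselining the thread argues for, worked through as an added example that is not part of the original post and not any vendor's product. Everything in it is assumed for illustration: the telemetry field (a hypothetical server-measured time from a target becoming visible to the first hit), the thresholds, and the constructed match series (an honest player, a hot streak, a sudden aimbot, and the incremental cheater the thread calls the largest failure model). It shows why the incremental case needs its own detector: a player's own running baseline absorbs a slow decline, so the z-score against it never fires, while a norm frozen from the player's early matches plus a sustained-fall check does.

```python
"""UEBA-style anti-cheat baselining over server-side telemetry.
Added example, not the thread author's code. Field names, thresholds and
the sample series below are all assumed/constructed for illustration."""
from dataclasses import dataclass
from statistics import mean, pstdev

MIN_SAMPLES = 5          # matches needed before a player has a usable baseline
SELF_Z_THRESHOLD = -3.0  # this many std devs faster than the player's own running norm
DRIFT_RATIO = 0.6        # below 60% of the norm frozen from the early matches ...
DRIFT_WINDOW = 6         # ... and still falling for this many matches in a row
HUMAN_FLOOR_S = 0.2      # assumed: no hand-aimed match averages below this


@dataclass(frozen=True)
class Event:
    player: str
    match_no: int
    aim_time_s: float    # assumed server-side measurement, never trusted from the client


def per_match_means(events):
    """Aggregate raw events into one number per match, in match order."""
    by_match = {}
    for e in events:
        by_match.setdefault(e.match_no, []).append(e.aim_time_s)
    return [mean(by_match[m]) for m in sorted(by_match)]


def zscore(history, x):
    """How far x sits from the running history, in standard deviations."""
    if len(history) < MIN_SAMPLES:
        return 0.0
    sd = pstdev(history) or 1e-9
    return (x - mean(history)) / sd


def evaluate(events):
    """Return (signal, match_index, value) tuples raised for one player."""
    means = per_match_means(events)
    signals = []
    for i, m in enumerate(means):
        history = means[:i]
        # 1. sudden break from the player's own running norm (aimbot switched on)
        z = zscore(history, m)
        if z < SELF_Z_THRESHOLD:
            signals.append(("self_deviation", i, round(z, 2)))
        # 2. slow creep: a linear decline keeps its running z-score around -2
        #    because the drifting values drag the running mean down with them,
        #    so compare against the norm frozen from the first matches and
        #    require the fall to be sustained rather than a single outlier
        if i >= MIN_SAMPLES and i + 1 >= DRIFT_WINDOW:
            frozen = mean(means[:MIN_SAMPLES])
            window = means[i - DRIFT_WINDOW + 1:i + 1]
            falling = all(b < a for a, b in zip(window, window[1:]))
            if m < DRIFT_RATIO * frozen and falling:
                signals.append(("incremental_drift", i, round(m / frozen, 2)))
        # 3. absolute floor: needs no baseline, nobody aims this fast by hand
        if m < HUMAN_FLOOR_S:
            signals.append(("below_human_floor", i, m))
    return signals


def verdict(signals):
    """Deviation alone is a signal; the follow-on signals decide the action."""
    kinds = {s[0] for s in signals}
    if kinds & {"incremental_drift", "below_human_floor"}:
        return "escalate"   # strong signals: hand to enforcement
    if "self_deviation" in kinds:
        return "watch"      # one outlier match can be a genuine hot streak
    return "clear"


def events_from_series(player, series):
    """Constructed telemetry: one event per match carrying that match's aim time."""
    return [Event(player, n, t) for n, t in enumerate(series)]


# Constructed match series (seconds to first hit, per match).
HONEST = events_from_series("honest", [10.0, 9.5, 10.4, 9.8, 10.1, 9.9, 10.3, 9.7])
STREAK = events_from_series("streak", [10.0, 9.5, 10.4, 9.8, 10.1, 5.0])
SUDDEN = events_from_series("sudden", [10.0, 9.5, 10.4, 9.8, 10.1, 0.1])
CREEP = events_from_series("creep", [10.0 - 0.4 * n for n in range(14)])

if __name__ == "__main__":
    for name, ev in (("honest", HONEST), ("streak", STREAK),
                     ("sudden", SUDDEN), ("creep", CREEP)):
        sig = evaluate(ev)
        print(f"{name}: {verdict(sig)} {sig}")
```

The creep series drops 0.4s per match; its running z-score bottoms out near -2.1 and never crosses the -3 threshold, which is the evasion the thread describes, yet by match 12 it sits below 60% of the frozen early norm with six straight falling matches and is escalated. The sudden series trips both the self-deviation and the absolute floor in one match.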