It really is as simple as “don’t trust the client.” Just assume that everyone is trying to cheat and go from there.
Servers should know what valid inputs from clients look like, and aggressively validate and profile those inputs for cheating. Meanwhile, the server should only send data to the client that is needed to render a display. Everything else stays server-side.
The key is to build a profile of invalid activity, like inhumanly fast mouse velocity coupled with accurate kills. There’s an art to this, but for things like FPS games, the general envelope of valid user activity should be straightforward to define. The finer points get caught during QA, and then further refined post-release. Someone might even come up with a library for this if there isn’t one already.
As a bonus, this also catches situations where people are using kernel circumvention like external hardware, in order to cheat. The behavior as seen by the server is what ultimately gets flagged.
You are imagining cheats must be superhuman, rather than merely better than the player making use of them. It’s perfectly possible to create a cheat which doesn’t move the mouse impossibly-fast or impossibly-accurately; it just moves it as quickly and accurately as a top-1% player. The bottom-10% player doesn’t care that he can’t beat the world champion, because he can still pwn some noobs.
You are ignoring cheats which display extra information on the screen, which the server can never tell. Did the player shoot someone too soon as they came around the corner, or did they just react quickly? Or did someone on their team warn them? The server doesn’t know.
But that doesn’t matter, if they have to play so carefully, they will be placed into an ELO where their “skill” matches, so they won’t be any more effective than a real player at that level, then they will be forced to be more suspicious and better players sniff out cheaters a lot better than others. So they wouldn’t even last long. This is basically what happens in CS now.
Smurfs can “pwn some noobs” just the same and get called cheaters all the time. Like I said in the other comment chain, we dont need to prevent people from cheating (endless game of cat and mouse), just make it ineffective.
There are “good” cheaters today, that are less skilled players and rely on cheats to be better. They fly under the radar, not making their cheating obvious. The end experience to others is that could have been a good skilled player and not a cheater.
If someone has any sort of cheat that makes it obvious, then that would be dealt with. If cheaters have to disguise themselves as real players, then it severely limits what they can do. And to other players, it makes no difference at that point.
It really is as simple as “don’t trust the client.” Just assume that everyone is trying to cheat and go from there.
Servers should know what valid inputs from clients look like, and aggressively validate and profile those inputs for cheating. Meanwhile, the server should only send data to the client that is needed to render a display. Everything else stays server-side.
The key is to build a profile of invalid activity, like inhumanly fast mouse velocity coupled with accurate kills. There’s an art to this, but for things like FPS games, the general envelope of valid user activity should be straightforward to define. The finer points get caught during QA, and then further refined post-release. Someone might even come up with a library for this if there isn’t one already.
As a bonus, this also catches situations where people are using kernel circumvention like external hardware, in order to cheat. The behavior as seen by the server is what ultimately gets flagged.
It really isn’t.
You are imagining cheats must be superhuman, rather than merely better than the player making use of them. It’s perfectly possible to create a cheat which doesn’t move the mouse impossibly-fast or impossibly-accurately; it just moves it as quickly and accurately as a top-1% player. The bottom-10% player doesn’t care that he can’t beat the world champion, because he can still pwn some noobs.
You are ignoring cheats which display extra information on the screen, which the server can never tell. Did the player shoot someone too soon as they came around the corner, or did they just react quickly? Or did someone on their team warn them? The server doesn’t know.
But that doesn’t matter, if they have to play so carefully, they will be placed into an ELO where their “skill” matches, so they won’t be any more effective than a real player at that level, then they will be forced to be more suspicious and better players sniff out cheaters a lot better than others. So they wouldn’t even last long. This is basically what happens in CS now.
Smurfs can “pwn some noobs” just the same and get called cheaters all the time. Like I said in the other comment chain, we dont need to prevent people from cheating (endless game of cat and mouse), just make it ineffective.
Doesn’t the same logic apply to any sort of cheating that isn’t literally granting immunity or unlimited ammo?
Blatant cheaters are what cause the problems.
There are “good” cheaters today, that are less skilled players and rely on cheats to be better. They fly under the radar, not making their cheating obvious. The end experience to others is that could have been a good skilled player and not a cheater.
If someone has any sort of cheat that makes it obvious, then that would be dealt with. If cheaters have to disguise themselves as real players, then it severely limits what they can do. And to other players, it makes no difference at that point.