I disagree with the premise that it doesn't matter as long as users can't tell. Say you're running a Counterstrike tournament with a 10k purse... Integrity matters there. And a smart cheater is running 'stealth' in that situation. Think a basic radar or a verrrrrry light aimbot, etc.
The problem is that traditional cheats (aimbot, wallhack, etc.) give users such a huge edge that they are multiple standard deviations from the norm on key metrics. I agree with you on that and there are anticheats that look for that exact thing.
I've also seen anticheats where flagged users have a session reviewed. E.g., you review a session with "cheats enabled" and try to determine whether you think the user is cheating. This works decently well in a game like CS where you can be reasonably confident over a larger sample size whether a user is playing corners correctly, etc.
The issue with probing for game world entities is that at some point, you have to resolve it in the client. E.g., "this is a fake player, store it in memory next to the other player entities but don't render this one on screen." This exact thing has happened in multiple games, and has worked as a temporary solution. End of the day, it ends up being a cat and mouse game. Cheat developers detect this and use the same resolution logic as the game client does. Memory addresses change, etc. and the users are blocked from using it for a few hours or a few days, but the developer patches and boom, off to the races.
These days game hacks are a huge business. Cheats often are offered as a subscription and can range anywhere from 10 to hundreds of dollars a month. It's big money and some of the larger hack manufacturers are full-blown companies which can have tens of thousands of customers. It's a huge business.
I think you're realistically left with two options. Require in-person LAN matches with hardware provided by the tournament which is tamper-resistant. Or run on a system so locked down that cheats don't exist.
Both have their own problems... In-person eliminates most of that risk but it's always possible to exploit. Running on a system which is super locked down (say, the most recent PlayStation) probably works, until someone has a 0day tucked away that they hoard specifically for their advantage. An unlikely scenario but with the money involved in some esports... Anything is possible.
> End of the day, it ends up being a cat and mouse game. Cheat developers detect this and use the same resolution logic as the game client does.
This is not well done. Only the server should be able to tell what the honeypot is. The point is to spawn an entity for one or more clients which will be 100% real for them but would not matter because without cheats it has no impact on them whatsoever. When the world evolves such that an impact becomes more likely then you de-spawn it.
This will only be possible if the server makes an effort to send incomplete entity information (I believe this is common), this way the cheats cannot filter out the honeypots. The cheats will need to become very sophisticated to try and anticipate the logic the server may use in its honeypots, but the honeypot method is able to theoretically approach parity with real behavior while the cheat mitigations cannot do that with their discrimination methods (false positives will degrade cheater performance and may even leak signal as well).
For example you can use a player entity that the client hasn't seen yet (or one that exited entity broadcast/logic range for some time) as a fake player that's camping an invisible corner, then as the player approaches it you de-spawn it. A regular player will never even know it was there.
Another vector to push is netcode optimizations for anti-cheating measures. To send as little information as possible to the client, decouple the audio system from the entity information - this will allow the honeypot methods to provide alternative interpretations for the audio such as firefights between ghosts only cheaters will react to. This will of course be very complex to implement.
The greatest complexity in the honeypot methods will no doubt be how to ensure no impact on regular players.
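A server-side sketch of the honeypot idea in the comment above, added here as an example and not code from any commenter or game. The names, the thresholds, the 2D positions and the premise that each decoy is occluded from the client are all assumptions; the decoy list exists only on the server, and a flag only queues the session for human review.

```python
import math
from dataclasses import dataclass, field

# All thresholds are assumptions for illustration, not values from the thread.
DESPAWN_RADIUS = 15.0     # closer than this, a legitimate player could be affected
AIM_TOLERANCE_DEG = 3.0   # crosshair this close to the decoy bearing counts as "on it"
MIN_BEARING_SHIFT = 2.0   # bearing must have moved, so a fixed view direction scores nothing
REVIEW_THRESHOLD = 3      # tracked ticks before the session is queued for review

@dataclass
class ClientState:
    decoys: dict = field(default_factory=dict)        # server-only: entity_id -> (x, y)
    last_bearing: dict = field(default_factory=dict)  # entity_id -> bearing on previous tick
    tracked_ticks: int = 0

def bearing_deg(src, dst):
    return math.degrees(math.atan2(dst[1] - src[1], dst[0] - src[0])) % 360

def angle_diff(a, b):
    return abs((a - b + 180) % 360 - 180)

def on_tick(state, player_pos, view_yaw_deg):
    """Update one client for one server tick; True means queue the session for review."""
    for eid, pos in list(state.decoys.items()):
        if math.dist(player_pos, pos) <= DESPAWN_RADIUS:
            # De-spawn before the decoy can matter to an honest player.
            del state.decoys[eid]
            state.last_bearing.pop(eid, None)
            continue
        bearing = bearing_deg(player_pos, pos)
        prev = state.last_bearing.get(eid)
        state.last_bearing[eid] = bearing
        moved = prev is not None and angle_diff(bearing, prev) >= MIN_BEARING_SHIFT
        if moved and angle_diff(view_yaw_deg, bearing) <= AIM_TOLERANCE_DEG:
            state.tracked_ticks += 1   # view followed an occluded decoy as geometry changed
    return state.tracked_ticks >= REVIEW_THRESHOLD

def replay(trace, decoy_pos):
    """Run a list of (player_pos, view_yaw_deg) ticks against one decoy (constructed input)."""
    state = ClientState(decoys={1: decoy_pos})
    flagged = any([on_tick(state, p, yaw) for p, yaw in trace])
    return flagged, state

# Constructed traces: decoy at (100, 0), assumed occluded for the whole trace.
DECOY = (100.0, 0.0)
HONEST = [((x, 0.0), 0.0) for x in (0, 20, 40, 60, 80, 90)]  # walks straight at the corner
TRACKER = [((0.0, y), bearing_deg((0.0, y), DECOY)) for y in (0, 10, 20, 30, 40)]  # strafes, view locked on
```

The honest trace never scores because the bearing to the decoy does not change while the player walks toward it, and the decoy is removed once the player is within the de-spawn radius.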
For my classical music use case, listening to new releases, Spotify works very well, particularly with the help of 3rd-party services.
I follow several thousand composers and musicians. I then get daily playlist creation by crabhands.com of any new releases by those I follow. I then export the crabhand playlist into my own local database via exportify.net. I then create Spotify playlists of music I haven't heard that I may like as well as the released works I like best. Then I score the works I've listened to and feed that back into the system. So I get a deluge of new releases but play it in an organized fashion.
Bought it as an intern dirt cheap off of some dude at my company who posted it in an email group. He upgraded to the latest and greatest and just wanted it hauled out. Picture quality (for the time) was incredible!
It also doubled as the world's best space heater. My god it was power hungry.
If it has no access to your filesystem or network services that's better, but you're still giving input from an unknown party to an interpreter, with the extra bonus of that interpreter being non-deterministic by design.
But then again people today will also pipe curl to bash, so I may have lost this battle a while ago...
> "Hey Claude, summarize this document I downloaded from the Internet"
I think you've created confusion with this example due to its ambiguity. Let's be clear about the difference between a chatbot and an agent: Asking a chatbot (e.g. vanilla Claude) to summarize an unknown document is not risky, since all it can do is generate text. Asking an agent (e.g. Claude Code) to summarize an unknown document could indeed be risky for the reason you state.
> I’d agree for a home computer Linux or macOS are the only sane choices now.
Unless you care about gaming at all. Sure you have the Linux evangelists who talk about how much better support has gotten (it has!) but there are still huge glaring holes.
I run macOS for everything except gaming. I'm not even that big of a gamer but it's the only sane option there.
For quite a few years, it has gone from "unless you care about gaming at all" to "unless you care about an extremely specific type of game". You don't have to be an evangelist to see the value Linux has for gaming now.
> There would also be a requirement for all playback to actually properly check the private keys
I don't think that's true. Only for someone who wanted to prove authenticity to grab the signature. No private keys would be exposed (except those which were hacked.)
If Netflix and Amazon can't keep their 4k HDR webrips from being leaked (supposedly via extracted licenses from Nvidia Shields), I have no idea how we'd expect all camera manufacturers to do it. Maybe iPhones and flagship Apple devices, but even then we'd find vulns in older devices over time.
I was thinking more about the spread of disinformation at large - but yea, that playback requirement would only be necessary for anything that wanted to be considered a potential source and trying to protect against disinformation platforms is a much larger problem than technology can solve on its own.
https://www.documentcloud.org/documents/24698335-la22cv00051...