Coders: Hacking, does locality of data matter?

[Hellop]

This is a Request for Information, a Brainstorm, an Informative Analysis of hack prevention useful to mission makers:


When coding an Arma mission, should we think about where we store game data in order to reduce hacking?

For example, your players have an attribute called "Money". You could:

1. Have a Money variable on the client only
2. Have a Money variable server that keeps track of all clients' money. Then when the player earns/transfers/uses money, his client must get or set the Money variable on the server.

Assume the hacker client has a "console" where they can run any scripting command. So, they can change any local variable, but can't directly change anything on another client or server. They can also publish Public Variables with any value. If the mission is designed in such a way that allows the clients to set data on other computers or the sever, then the hacker could alter other people's games. So, a good practice would be to only allow clients to run a limited number of scripts, or change a limited number of Public Variables. IOW, have a subset of your scripts that are only used for network communication. "PV functions".

Then as a mission designer, your could more easily monitor the communication and potentially detect cheating.

For Example: The hacker could run the script that deposits money in his Bank. The server keeps track of the players cash on hand, and the bank balance. So, if the player sends a command that deposits more money then he has on hand, you have detected a hacker.

Now, the createVehicle or setVehicleInit commands are able to bypass any such checks, so the whole idea of trying to stop hackers at all is pointless.

Unless, the Init eventhandler is executed before any type of object executes it's initline. Then the server could just monitor spawned vehicles checking for anomalies. It says it only fires on createVehicle, so we're probably SOL.

Now, assuming we could guarantee the clients can't improperly alter data on other computers. They could still run local commands that had global affect. Like, setPos, setVelocity, setDammage on any unit or object.

Well, after thinking about it, it seems hopeless to have a scripting defense from hackers.

Is there anything we can do to prevent or detect hackers?

[MattXR]

Use DooACS anticheat and it stops people with script consoles etc etc, then use BE to stop those running outside of the game cheat programs.

Happy GaMeInG

[brit~XR]

Doo acs is outdated man. It wont stop cheaters. Theres cheats that can bypass it but i wont name them ofcourse. Signed files is the best way to go vs pbo hacks. Battleye is best way to go vs memory hacks

[Hellop]

Doo acs is outdated man. It wont stop cheaters. Theres cheats that can bypass it but i wont name them ofcourse. Signed files is the best way to go vs pbo hacks. Battleye is best way to go vs memory hacks

Brit, I hope you will send those new cheats to Doolittle so he can update DooAcs.

[brit~XR]

He already knows about them. There listed on a well known cheat site. Doo acs which used to be called dacs was kept private and only released to centain people.

they got hold of the scripts from that cheat by captureing the packets server sent to clients from that dacs so he made it pubic. It wont stop cheaters. Maybe some noob cheaters but thats it. It was good anticheat tool for its time but not much use vs cheaters now.

Me and squadserver have our own way of detecting and dealing with cheaters.

[Dwarden]

only correct way is to validate all server side, if someone stores money into bank, counter check against what should he got in wallet etc.

in short never ever trust anything from client
ofc You need to trust his position, movement, speeds, fire etc.
but even that could be validated to some degree (e.g. if moved between locations faster than possible etc)

[Hellop]

Maybe a good way to stop cheaters would be to have some flags like you guys suggested... Some checks that determine that a client is doing something weird. That combined with player reporting, then:

-Have a script that allows an admin to camera/watch players for cheating....

[MadDogX]

Ideally, addon signatures + BattlEye should suffice to stop cheats like this, but it definitely won't do any harm to make sure such important variables are kept local to the server. Also make sure the server handles them as local ("_money" for example) instead of global. Otherwise it would be possible for clients to overwrite them using the publicVariable command.

[MattXR]

Doo acs is outdated man. It wont stop cheaters. Theres cheats that can bypass it but i wont name them ofcourse. Signed files is the best way to go vs pbo hacks. Battleye is best way to go vs memory hacks

We use DooACS and it hasnt once let a cheater into our server. Only the outside game hacks but they dont disrupt our games.

[Max Power]

If there are cheats that bypass dooacs, there are many more that don't. To say that an outdated cheat prevention software will not stop cheaters is overstating the point by a large margin. It's like saying there is no point to use outdated antivirus definitions. I think that some protection, say, 90% protection is better than 0%. Even 1% is better than 0, but there's a risk vs reward judgement you must make. If I had 1% virus protection, I wouldn't be on the internet. In terms of games, though, I think that if cheaters comprise 10% of arma gamers, and you stop 90% of those, then you're left with only 1% troublemakers- all but the most serious cheaters. These numbers I just pulled out of thin air, but in a situation like this, I don't think that even outdated anti cheat protection is not worth while.