Against anti-cheat

2023-07-09

Firstly I'll say I'm not against all types of anti-cheat, this post is specifically talking about invasive client-side anti-cheat that is common in games at the time of this post.

Anti-cheat is often a client-side kernel rootkit (i.e. malware) running at very high privileges and compromising the security of the player's computer, sometimes running even when they're not playing the game. Usually the game can't even be launched without it, and the anti-cheat almost never works on Linux. It is a very similar technology to DRM. I wouldn't recommend people to support such invasive measures.

Certainly if the client-side anti-cheat running at high privilege levels was open-source it would be easier to trust, but this still doesn't change it's invasive nature or the security implications of running it at such privileges and exposing yourself to risk. And I am sure many people would insist that open-sourcing it would make it useless because cheaters would read the code and learn how to circumvent the measures, but this is not necessarily the case. This so-called "security though obscurity" is generally inferior to "security by design", though it has some merit as a layer on top of it.

I acknowledge that the topic of anti-cheat and anti-cheating measures in multiplayer games is a complex topic that doesn't always have a simple solution. Sometimes the anti-cheat can be done server-side which saves players from invasive measures on their computer, but this is not always a possible solution. Another option (depending on the type of game) that is simple but effective and has been used often in games (older ones especially) is kicking/banning cheaters through votes by the players interacting with them. This doesn't require any invasive (or complex) technologies, so it is cheap and easy to implement by developers.

Back