...or why we shouldn't rely on security by obscurity.
The recent events sparked a controversy on whether to use PunkBuster or not. While some say we should keep using PunkBuster because it's better than using nothing or because there are no alternatives, others argue to get rid of PunkBuster due to its "track record" (read as: nuisance). At the moment I'm writing this column, roughly 61% would like to ditch PunkBuster.
This column is somewhat of a follow-up to Cash's column and unlike Tosspot I'm trying to argue against PunkBuster.
It's not a bug, it's a feature!
Some people seem to think that nC exploited a bug in PunkBuster. Let's get this right: this is by no means a bug. They're exploiting PunkBuster's flawed method of detecting cheats. While you're playing, PunkBuster is crawling through your PC's memory trying to find blacklisted strings. (Sounds a lot like antivirus protection; however, an antivirus does it differently / does more.)
Evenbalance relies a lot on the fact that hardly anyone knows how cheats were busted. This is called security by obscurity (or security through obscurity).
What does this imply?
(i) All a cheat coder needs to do in order to make his cheat undetected again is search for the affected string in his code, change one char and possibly any reference to this string, and (re-)compile the cheat. THAT'S IT! He has a working, undetected cheat again with hardly any effort.
(ii) False positives: as we see now, anyone can get banned just for having a blacklisted string in his memory.
Think of these poor Evenbalance employees: after searching for cheats all day long, searching for strings to ban by and after they finally released a PunkBuster update after some days/weeks/months, the cheat is undetected again within a matter of minutes and all that's left are a lot of false positives, because some kid on the internet thinks it's fun to spam these blacklisted strings. Ouch. Sounds a lot like a Sisyphean task to me.
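Points (i) and (ii) above, shown with a naive blacklisted-string scanner run over constructed byte buffers. This is an added example, not PunkBuster's code or anything from the column; the signature, the region names and the module/heap tagging are assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed placeholder signature, not a real blacklist entry.
SIGNATURES = [b"EXAMPLE_CHEAT_MARKER_v1"]

@dataclass(frozen=True)
class Region:
    name: str       # label used in the report
    kind: str       # assumed tagging: "module" = loaded binary, "heap" = runtime data
    data: bytes     # constructed sample bytes
    is_cheat: bool  # ground truth, known only because the sample is constructed

def scan(regions, signatures=SIGNATURES, kinds=None):
    """Return names of regions that contain any blacklisted byte string.

    kinds=None scans everything, which is the behaviour the column describes.
    Passing a set of kinds restricts matching to regions of that provenance.
    """
    hits = []
    for region in regions:
        if kinds is not None and region.kind not in kinds:
            continue
        if any(sig in region.data for sig in signatures):
            hits.append(region.name)
    return hits

def evaluate(regions, hits):
    """Compare scanner hits against ground truth: (false_positives, misses)."""
    flagged = set(hits)
    false_positives = sorted(r.name for r in regions
                             if r.name in flagged and not r.is_cheat)
    misses = sorted(r.name for r in regions
                    if r.is_cheat and r.name not in flagged)
    return false_positives, misses

def sample_regions():
    """Constructed memory snapshot covering both failure modes."""
    return [
        # Original build: contains the blacklisted string.
        Region("cheat_build_1", "module",
               b"\x90\x90init\x00EXAMPLE_CHEAT_MARKER_v1\x00", True),
        # Rebuild with one character of the string changed, as in (i).
        Region("cheat_build_2", "module",
               b"\x90\x90init\x00EXAMPLE_CHEAT_MARKER_v2\x00", True),
        # Innocent player whose chat client received the pasted string, as in (ii).
        Region("chat_client_buffer", "heap",
               b"<someone> paste this: EXAMPLE_CHEAT_MARKER_v1\r\n", False),
        Region("game_heap", "heap", b"map=example;fps=125", False),
    ]

if __name__ == "__main__":
    regions = sample_regions()
    for label, kinds in (("scan everything", None), ("modules only", {"module"})):
        hits = scan(regions, kinds=kinds)
        fp, missed = evaluate(regions, hits)
        print(f"{label}: hits={hits} false_positives={fp} misses={missed}")
```

Restricting matches to loaded-module regions removes the false positive caused by the pasted chat line, but the one-character rebuild is still missed, so scoping the scan does nothing about (i).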
But what can Evenbalance do about this?
(iii) They could always pretend like nothing happened, but I doubt their customers would appreciate such behaviour.
(iv) Remove these strings from the database or respectively replace them with new strings, rendering all work already done void.
(v) Change their method and start analyzing cheats (again), in order to ban the methods used to make cheating possible.
It doesn't take a genius to notice that (v) is the only way to go since it is the most effective; however, it's also the most time-consuming. Evenbalance's method, meanwhile, is best compared to trying to find a needle in a haystack. For now Evenbalance went for (iv).
Correct me if I'm wrong, but I think (v) is basically what ETpro's IAC did back then when it was introduced. ETpro's IAC wasn't perfect either*, but seemingly it managed to get the game clean for a month. And I think that's something PunkBuster will never manage to do.
*some programs, like Xfire or that Teamspeak overlay tool, caused false positives due to the way they interfered with the game.
Efficiency
Let me reiterate my reply to Tosspot's column.
In engineering, and of course in other disciplines as well, efficiency is crucial. One always tries to make a system as efficient as possible... at least within the available resources (blame economists ;).
Efficiency is the comparison of the power you put into a system and the power you get out of the system. It's the USE you have compared to the EFFORT you put in.
Efficiency is always compared against an optimal and usually purely theoretical system. In thermodynamics the most basic and optimum cycle is the Carnot cycle. It is pure theory and not usable in the real world. (You could try to at least get close, but the effort in terms of resources would be too huge. There are always trade-offs.) For different applications different cycles are used for comparison, e.g. the Otto cycle for gasoline engines or the Rankine cycle (Clausius-Rankine in German literature) for steam power plants. Both mark the optimum, something one would like to achieve.
As written in the reply to Tosspot's column, I don't think the currently used method is really efficient. Two reasons why:
(vi) As pointed out in (i) there's not too much use in banning based on strings, while the effort is rather huge.
(vii) This puts a lot of stress on the PC, as some of you might have noticed *wink* (fps drops, lag, etc.). Therefore it isn't viable in an environment where performance is valued very highly.
The optimum would obviously be the perfect anti-cheat program: an anti-cheat which gives us a cheat-free environment. But just like the Carnot cycle, this is theory. There will always be a new method to bypass the anti-cheat program. So don't waste your time waiting for perfect protection, leave that to the music industry.
Spyware
Apparently the main reason why nC acted is the fact that PunkBuster, while doing its job, crawls through all your data. That includes private data.
Let's take a look at PunkBuster's End-User-License-Agreement (EULA):
They can "inspect" any file on your PC and report "information" to other connected computers. Sounds a lot like spyware with the only difference being: they tell you before installation. They even acknowledge that it "may be considered invasive".
But what is the benefit they are talking about for us? /shrug
But it's free!
Yes, it is free for us to use. But that doesn't mean we are not in a position to criticize them. If we were not allowed to criticize any free product, we wouldn't be paying money for any product; instead they would find another way to charge us.
We are Evenbalance's customers; they even force us to accept their EULA. They do business because of us; they need us. So yes, we are in a position to demand.
Wasn't the only reason PunkBuster was introduced in Call of Duty 2 that the gamers wanted it? Would they have demanded it, if they knew it wasn't any good? If the gamers don't want to use PunkBuster anymore, if they stop using it and publishers/developers stop using it, eventually replacing it with something better, Evenbalance's business will be hurt. So yes, they need to listen to us.
Conclusion
We should stop using PunkBuster. In its current state it is useless, meaning we could as well use no protection and have the benefit of better performance. When PunkBuster, or any other anti-cheat for that matter, becomes usable again, we can still reconsider using it.
I'm not trying to say that we shouldn't use an anti-cheat because there will never be an optimal, efficient one, but using one (PunkBuster) that is so flawed isn't really an option either.
Example: What else can we use if we put PB away?
private cheats, well even free ones to my knowledge are getting past PB, the only thing PB is offering atm is fps-lags...
i would rather play knowing there are cheaters, than playing with fps-lags knowing that if there are cheaters they have to be updated with the latest version...
i don't know if it would be mayhem without PB, but atm it's chaos with PB...
Great logic!
get the point... otherwise here is the punchline: PB is hurting us right now!!!
Yes it has full access to your RAM, but so does every other application that you are running as admin (including your antivirus).
PB privacy policy:
http://www.evenbalance.com/index.php?page=privacy.php
Reminds me of personal firewalls and still they are easily circumvented as the CCC proved.
Maybe that's why they always said that ETPro IAC was a complement to PB, not a replacement. ETPro did run with the same privileges as PB back then though (before pbsvc).
okay maybe it's not needed in competitions like EC but 3on3s etc would become unplayable i guess
and i love you for placing the fact, that its not a bug but a feature, because somehow everyone thinks else...
What would stop someone from using the most obvious public aimbot there is, in a random scrim or even in an official? CB doesn't ban people based upon avi's or screens (except for lio and alexl) and the ET community isn't exactly known for its rejection of (ex)-cheaters.
Your conclusion is to ditch PB but you fail to give a decent alternative and without a decent alternative there's no reason to ditch PB.
except the fact that it's PB that is kicking everybody atm, because of ppl posting specific strings yes, but still PB...
well that's a nice thought isn't it ?
and with PBs current detections, we can eliminate all detection done by scanning the memory for a specific string... right ?
if you have a list over detected / undetected cheats, pls post it, i would like to see it :)
off to bed, nice discussion - to be continued
It wouldn't surprise me that by removing PB you'll see a 25% increase of people cheating at least once.
No, I seriously can't see why you want to ditch PB without a decent alternative. What's so difficult about understanding that it would majorly increase cheaters?
I would like to know how many of PBs detections are based on this method, cause they basically have to remove them all now... will there be anything left of PB with this method removed, or is PB totally based on string-detection ?
(i dont know im just firing off questions)
cause then they'll have to go :/
are these detected public cheats also detected by a string?
if that is so PB has to remove the detection anyway...
and is the source for these cheats accessible to the public? cause then people could just compile their own...
i don't see wipeout writing that he wants to ditch PB forever, just until they get their shit together... i would rather see too few kicks (as i'm used to) than too many, as is the case right now...
if they just replace the strings with other signatures from the cheats, nC's "trick" could just be redone...
if they simply remove the strings (the whole method of scanning for signatures), how many cheats will PB then actually detect ?
I guess they started searching for strings because it enabled them to churn out updates faster, thus reacting faster to cheat coders, while analyzing hacks and actually stuffing the holes the hacks use takes a lot more time. And that is most likely the reason why it took EB so much time to release new updates in the past (prior to pnkbstra/b).
Also, he made his point very clear about the ease with which nC can update their cheats to make them undetectable again for PB. So even the most obvious public aimbots take only 5 minutes to be made undetectable, which is why so many people can use them, over and over again. I think, seeing the information given by him here and now, cheaters have already long lost any fear of cheating and being busted.
*whether they removed all isn't really clear, but let's just assume they did.
Yes, no, maybe.
nice read
Do you think any other anticheat company would pick et? no revenues and even the best (AFAIK) anticheat system for FPS games has failed there.
never heard it before (at least not that much like nowadays...)
but if we remove pb.. everyone could hack.. the only way to play 'pracc's is to play against enemies u know.. but still that doesn't mean that someone fakes the irc nick.. and plays with hack. but tbh.. if it's no 90hs per round and überknowledge skills i don't care that much if he hacks or not.. since he just plays like a rly good enemy then.
1 kill the pusher. How? remove pb and everyone will stop giving money to nC to buy private bots cause they will use the free ones. NC will die...
2 get the naabs. After some times, re-enable pb and get all the cheats users.
gg :)
If pb is gone, nc get no more business for et/cod2/cod4, doesn't seem that bright to me!
Keep up the good work. :-)
I think the one thing you are missing in your column is the stupidity of the average internet user. Although punkbuster only kicks for outdated cheats and its protection is lacking in several ways, this is enough to catch most beginning cheaters.
Imho 6v6 with ETTV should disable punkbuster (bb lag) but we should keep punkbuster as for now we don't have any decent alternative. Cheaters are known for their stupidity and one way or the other they get busted eventually. Most noobs usually get busted by not backing up / deleting their etkey leaving traces. Or they play like retards but have perfect gamesense, etc
Imho the best protection versus cheaters is community building. Force people to register their etkey. Don't play with unknown people. Don't play vs cheaters. That's how we do it in #TAG.et (hi kenta, connecting to a random cybergames again? O, sorry wrong ip. What trickjumpserver? I'm sure it's the right ip. What? No, the ip is right. Shit, you are right. Here's the right one. Server pwd wrong? Let's use another server => return to beginning and give cybergames ip :P)
The ET community is making me think about switching to ETQW
PB's attitude of "We think we unbanned most innocent players, for the rest of you UNLUCKY!" is pretty shocking.
There is no easy solution to the problem we have atm though