Easy Anti-Cheat: We have investigated recent reports of a potential RCE issue within EAC. At this time - we are confident that there is no RCE vulnerability within EAC being exploited.

nanoUFO@sh.itjust.worksmod to Games@sh.itjust.works – 93 points –
twitter.com

13

"We have investigated ourselves and have found we have done nothing wrong."

That's exactly how i read that. It's so bizzare that they get kernel access to so many computers, and don't even do the thing that they are supposed to do.

It's really disturbing how popular the notion that rootkit-based anti-cheat is a good thing is on the internet at large.

I love it when a thread like this comes up on Lemmy every single comment condemns EAC's whole anti-cheat model.

Y'all are all right.

While I am sceptical of rootkit based anti-cheat as well, I am also not a fan of how quickly everyone has jumped to assuming this is EAC's problem and not a problem with Apex Legends, is there some solid evidence for that that I'm just unaware of?

Kernel level and root kit are two different things. Please don't confuse them.

Says the company that took three years to implement a shopping cart for their shitty store.

So if it isn't a RCE vulnerability, what vulnerability is it?

Their wording is actually quite deliberate. They say there isn't one being exploited, but they do not explicitly say that there isn't a RCE vulnerability.

It kinda stinks of ass coverage.

"I did not have sexual relations with that woman"

It stinks of lawyers checking the press release. They can't say "there is none" in the offchance that someone, sometime finds one. Then clients could point to this press release saying "SEE, YOU TOLD US THERE WAS NONE AND 25 YEARS LATER WE FOUND ONE". I bet they are telling the truth, just ran through a lawyer and PR team.

Yeah, it stood out to me.

It's always in what they don't say.

If they say it's not a RCE vulnerability, it could still be a privilege escalation vulnerability etc. They avoided saying their software isn't being exploited or "we have seen no evidence our software has been compromised", or "there is no clear signs...".

Which gives a little wriggle room.

I don't know much about anti-cheat development, but it can't possibly be that hard to at least implement something that checks whether a player even could have done something in a certain amount of time which would eliminate a lot of speed related cheats, and for the rest, why not look at data averages to try to weed out cheaters?

I know combing through the data is probably complicated, but so is installing kernel level anti cheat software that has to monitor every single process running on a person's computer.

It's cheaper to install malware.

That's all there is to it: cost.

Not how it works, and it is a huge science behind it all. First of all, you don't want false positives. People would ruin your game for it. The reviews would be awful and it would breed more cheaters (angry at a game that banned you for no reason? Make it ban you for a reason, ruining people's fun in the process and costing them money). Second, most of what you are talking about is already done on server side. Third, the concept of banwaves is a thing. You want to catch as many cheaters at once with a single detected cheat. If you ban someone at first sight, the cheatmaker will refund that first person and think up something worse immediately. If you ban 30k people, all of them flock to the cheatmaker asking for refunds. Which he can't obviously provide, since they already spent that money over the course of the time the cheat was active, etc. Fourth, lots of cheats are subtle enough to be "invisible" to any sort of detection. Guy has an overlay that shows people through walls. You can't ban overlays and the client needs to know where people are on the server, it just hides them. All you can see is what a human would see - a guy looking at people through walls, but trying to hide it. A guy with "incredible gamesense" basing their tactics on info he couldn't have gotten. A moderator that knows what to look for would see it. An admin that abuses power and bans everyone that's too highly skilled would also ban the cheater. But try writing anything that checks for the "averages" and you ban actually good players that use sound, etc. Same thing with aimbot - it's very obvious to someone looking at gameplay. But going off of statistics you ban everyone who "has a good day".

The way to do it, was how Valve handled it in CSGO. No idea if the system is still in. They basically tasked their community with being the judge and executioner. They would send you a replay in client, showing you 10 mins of the match. Sometimes they would send you a replay that they already know has a blatant cheater in it, to test if you actually say "ban" if you see one. They scored the judges, valuing better ones more and providing feedback saying "your case has banned a cheater". It was a slow process, but effective, or at least it would be if the game wasn't so incredibly popular and free. Obviously a live moderator would help a lot, but it's the next best thing.

1 more...