fhwang.net

Cheatin' Art

Francis Hwang on the everlasting race between hackers and developers

Feed
February 13, 2001

This is the face of video games in the age of near-ubiquitous connectivity: Tens of thousands of players forming guilds and hunting for treasure in Everquest and Ultima Online. Polygon-dense bodies zipping around Quake III and Unreal Tournament arenas, thirsty for one another's blood. Would-be generals pooling resources and massing attacks in Starcraft and Age of Empires. But multiplayer games bring a dark side: Some of those players are quietly rewriting the rules for themselves. Publicly downloadable cheat mods are hard to find. But most hard-core gamers will tell you they've been up against players who were enjoying an unfair advantage: first-person shooter mods that make walls transparent or opponents glow in the dark; real-time strategy hacks to expose the position of an opponent's armies; aiming proxies that intercept packets sent to the server and automatically aim shots fired at the nearest opponent.

Game developers take this problem seriously, for the sake of their reputations, their players, and their bottom line. In a Gamasutra article, developer Matt Pritchard lamented being unable to devote the time to foil the cheats coming out for Age of Empires: "We just had to endure our users turning their anger upon us -- probably the most personally painful thing I've experienced as a developer."

Pritchard's advice to fellow game developers? You can minimize the problem, but you cannot stop it. The dilemma is that since we are not yet at that blissful future of limitless bandwidth and zero latency, online games rely on dependable client software in order to run smoothly. Quake III servers can't send you a lush video feed of you walking down a dark, blood-stained hallway; they send data to your Quake program, which renders that hallway for you. But maybe your program's been hacked to make all the walls transparent. In cryptographic circles, this is known as a trusted client problem: If you send data to a machine that somebody else controls, you can't reliably grant them just partial access to it, since a determined user can use that partial access to gain full access.

As John Carmack pointed out in an often-quoted plan update written after the 1999 release of the Quake source code, "The problem theoretically cannot be solved. A talented hacker with a disassembler can eventually make a program that appears indistinguishable from a Quake client. All we can try to do is make it obnoxiously difficult, but unfortunately there are people that just take that as a challenge." Closed-source code can be reverse-engineered. Network traffic can be audited. Even encryption isn't impervious when used this way: A program that uses encrypted data has to store its keys somewhere where the user could theoretically find them. All these hacks have been performed on online games in the past, and there's little sign they'll abate in the future.

One site, www.zeroping.com, has created a Wall of Shame for Counter-Strike cheaters; players get to check out screen shots and vote on whether or not the accused is, in fact, a cheat. Of course, discussions on guilt or innocence tend to sound like this: "Everyone who is posting these screen shots and accusing people of cheating are just cheating themselves! THEY ARE THE CHEATERS! The only way to see those spiked models and white walls are to be cheating! So go to hell all u damn cheaters ..."

Cheating is one thing in twitch games, where arguably, no one but the cheater and the person in his computer-aided crosshairs gets hurt (although developers who've spent weekends building anti-cheat patches might disagree). But in massively multiplayer games like Diablo II and Ultima Online, it's another matter altogether. Recently, Diablo II made news when it was hit by hackers taking advantage of a server bug to kill most of the top players in the game. Afterwards, forums resounded with cries for vengeance; some even went so far as to ask for legal recourse against the "killers." After all, the reasoning goes, players spent hours building their characters and they have real cash value (Blizzard brought everybody back to life shortly after the "massacre").

From the developers' side, when players cheat, game companies hemorrhage dollars -- not just from time lost to patching, but also from lost sales and subscriptions. As Greg Costikyan pointed out in The Future of Online Games, with "Ultima Online, EA gets maybe ... $25 a copy. The rest goes to retailers and distributors. It gets $120 a year out of a player's monthly fee ... What's more important, $25 or $120? ... [T]hey aren't in the business of selling boxes any more. Selling boxes is a necessary evil; online subscriptions are where the money's at." But if the game experience is compromised by cheaters, consumers will hardly pay a subscription fee for it.

Needless to say, there are millions riding on the race between hackers and developers; in many ways, it's the equivalent of the ongoing contest between dopers and testers in big-time athletics. And as the online worlds grow, as more and more of our lives can be lived online, the stakes are only getting higher.