Money is power, you often hear, and yet for years Valve Corporation and all its billions was powerless to stop a $20 cheat called LMAOBOX from ruining the fun of Team Fortress 2 for thousands of players. Sometimes players would send in proof of cheats with video evidence, but careful players (often snipers) could use the cheat to show all enemy players on the map, force melee criticals, enable auto-aims and a host of other unsporting tactics with impunity.
When deliverance came in April 2016, it came not from the type of tech one might suppose Valve's billions could buy, but rather from a chance posting of LMAOBOX's source code on an obscure forum. A good Samaritan passed it on to Valve itself, which quickly incorporated it into its Valve Anti-Cheat System and soon after slapped hordes of players with bans. The sweep made some prime catches, including almost 200 players from Team Fortress 2's UGC esports league.
It was hardly an isolated incident, particularly in PC gaming. Cheating so thoroughly plagues gaming that it's long been common to type out "VAC" on Twitch in reference to Valve's cheat sniffer in jest or seriousness when a player scores a beautiful headshot in a game like Counter-Strike: Global Offensive. It made Tom Clancy's The Division near unplayable after launch. Aimbotters overran Star Wars Battlefront.
So what's the deal? Why's it so hard to stop all this with the piles of money big developers and publishers often have at their disposal? It's such a thorny issue that almost no one wants to talk about it. I'd always expected evasive answers when tackling this topic, but I was surprised by the number of blunt refusals I heard from virtually every developer I spoke with about cheating. Some, like Blizzard, hit me with a simple reply about how "it’s hard to get into detail." Others, like Valve, ignored my emails. I almost scored an interview with one of the publishers most affected by cheating, only to be told at the last minute that their intended spokesman was going on a long vacation. And then, naturally, he'd be busy after that.
But Eugen Harton, lead producer at Bohemia Interactive, bucked the trend and chose to talk. Bohemia Interactive makes for a good case study, as DayZ and Arma 3 have long been plagued by cheats, some of which Harton says go for as much as $500. Yet he and his comparatively small team continually crusade against them despite being confronted with death threats, the harassment of relatives, and the sharing of the team's personal information. At GDC earlier this year, Harton related how one angry player had started trying to amass $10,000 to physically confront Harton at the previous year's event, but had only managed to pull together around $300.
One of the main problems, he says, is that the openness we PC gamers love to celebrate makes it hard to control what's going on in PC games. Since most files required to run a game are on the player's PC and out of reach of the developer, that player can work with the game files to exploit bugs or flaws, automate systems that would normally require human input, or any number of other offensive actions.
"Because games are applications running in open and uncontrolled environments [ie, a customer's PC], we can only put barriers around them that are becoming harder and harder to solve, basically raising the skill ceiling needed to create such cheats."
For Harton, those barriers include what he calls "sanity checks," which monitor actions that always perform a certain way, such as bullet trajectory, and flag violations of those physics. Many cheat coders also use the same code variants in their works, and recognizing those patterns can help find the actual cheat. He says he and Bohemia Interactive operate under two rules in regards to cheating, that "anything on the client can be and will be hacked" and that "server side code is only as secure as the server."
"The best solution would be to run everything server side, which we cannot do for the most part," he says.
Having all the files for a game on the developer's server would prevent most cheats, although Harton cautions that this method still leaves open the "possibility of packet injection and manipulation." If there's nothing to detect the manipulation of the encrypted packet data moving between server and client in place, cheaters could trick the server into thinking the character on the client has more health than it actually does. Moving everything server-side also brings us into the thorny bounds of heavy Digital Rights Management, of course, but Harton seems to believe that players have a while before they have to worry about that, owing to the current limitations of internet latency and speed.
"Depending on the genre and speed of the game, it becomes a harder and harder issue to solve in general," he says.
The struggle to bridge the gap between client and server can lead developers down other controversial paths, as well. Harton only mentions Bohemia Interactive's preferred anticheat client, BattlEye, in passing, but earlier this year it raised an alarm in the ARK: Survival Evolved community after players reported that it was digging through their personal files. A BattlEye rep at the time didn't shy from admitting it was "very invasive" and that "it has to be so that it's able to fully do its job."
"Yes, BattlEye has to be able to scan all memory (RAM) and all game- and system-related files on disk," a BattlEye dev wrote in a Steam forum post . "However, this does not mean that BE is looking through your personal files, credit card details or other such information and sends them to our servers."
Harton won't give me specifics on how much Bohemia Interactive spends on anti-cheat efforts, but he does tell me they involve "legal helping us, dedicated staff buying cheats, programmers fixing vulnerabilities, community members," and more.
Some cheats, like LMAOBOX, trumpet their availability with shameless websites, but Harton says it's the little, off-the-radar ones that Bohemia Interactive now finds the most troublesome.
"For now, [our troubles are] mostly limited to private communities making their own cheats and not releasing them to the public," he says. And most of the time, Bohemia Interactive's methods of getting rid of them involve figuring out how to use the cheats themselves, even to the point of hiring people to buy the cheats for them.
"Ninety-nine percent of the issues we encounter are usually solved by getting our hands on the cheat, and reverse engineering it to find what vulnerability is used and finding a way to put a sanity check on it, or moving it server side," he says.
Often Bohemia Interactive relies on the community to report offenders, but "most of the time" these are false flags in which the players weren't actually cheating, or it was effectively impossible to prove they were.
Cheating in video games wasn't always so scandalous: I'm old enough to have fond memories of swapping codes for Contra and Mike Tyson's Punch Out!! across '80s lunchroom tables, and there was even some sense then that cheats were the ‘right’ way to play some games. But that was an age when cheating was typically a private thing, often done before glowing screens in darkened rooms. It wasn't hurting anybody.
How strange and distant those days seem now, in this age where professional Dota 2 players battle in crowded arenas for and traditional sports teams like the NBA’s Philadelphia 76ers enlist official esports players to represent them. Modern cheating can be a low-stakes annoyance, such as when an army of botters camps dungeons in Elder Scrolls Online, but it becomes much more serious when you have popping up in games like Rainbow Six: Siege, where players compete for money. It's more important than ever top stamp out cheating, as the legitimacy of esports depends on it.
As Harton says, it's a "complex topic" and many of the offenders are "really hard to track down." That's lead some developers to try to intimidate players into playing by the rules, as Blizzard Entertainment did 10 days before Overwatch's launch when it announced, "full stop," that players who cheated would be slapped with permanent bans. And they've stayed true to their promise, leading to of digital teeth over the past few months. Ubisoft quickly followed suit not long after, announcing permabans for cheaters in both and for first-time offenses.
For those games, at least, it seems to be working. For all his dedicated battles, though, Harton seems willing to consider alternatives other than just banning everyone. He tells me he's had many discussions with other people in the field about designing around cheating (which includes the addition of implementing items that somewhat resemble cheats, much like the experience boosts you find in free-to-play games), so as to rehabilitate a game's social environment rather than "fester" it with permanent bans.
"It's much more effective to make a cheater a customer than fester the toxic behavior through permabans," he says.
Based on my chat with Harton, at least, such plans are still in the drafting phase. But it's a cause worth championing. Should developers get too cranky about cheating, it could lead to far more authoritarian approaches to stopping the issue than permabans and anti-tampering solutions like Denuvo, thus risking the very ‘openness’ we PC gamers so love.
Consider the news from South Korea, when the parliament there stepped into the cheating debate by passing an amendment to an existing law promoting the games industry. It's now strictly against the law to make or distribute programs there that aren't allowed by a game publisher's Terms of Service. That means that if you make or sell a program that enables aimbotting or other hacks in a game like Overwatch, you could be facing five years in jail and $43,000 in fines.
The law sets a worrisome precedent. The intention is noble, but too broad an interpretation could put modders and other parties who manipulate a game's files at risk, as it's sometimes tough to tell where one line ends and the other begins. Should other countries adopt similar stances, it could change the nature of PC gaming as we know it.
For more, read our 2014 investigation into the buyers and sellers of hacks.