octgn / OCTGN

Online Card and Tabletop Gaming Network
http://www.octgn.net

Anti-Cheating mechanisms #380

Open db0 opened 12 years ago

db0 commented 12 years ago

Very often a new feature request is making people concerned because they're worried about it being abused for cheating (I had this discussion about peek and different card backs by now).

I think it's time we had a discussion to figure out what mechanism OCTGN should have to prevent a sneaky bastard from modifying their own local .o8g to cheat.

My personal suggestion is this: OCTGN already stores each definition's hash. I'm not sure if that's the hash of the whole file or just the scripts within, but what we could do is compare the hashes of the host and clients to see if there's a mismatch. If there is, the lobby would put up a big ol' notice saying something like "Player so-so is using a different definition than the host. Player is using v.2.0.1", or something to that extent.

This will still allow the host to play with trusted members who, say, are using a translated plugin, while warning in case someone comes in the game with the same version which has somehow a different hash.

This could also be extended to the sets, so that both players know that the sets have not been tampered with.

drilus commented 12 years ago

We've been over this exact conversation many times. In the end it comes down to "cheaters gonna cheat" basically. The developers have a consensus that we aren't going to worry about it. We won't make it extremely easy to cheat, but we aren't going to add any new anti-cheat into octgn.

db0 commented 12 years ago

Yes, but nevertheless "the cheating discussion" comes up with annoying frequency when new features are requested >_>

kellyelton commented 12 years ago

We actually don't hear it much, generally only from new developers. I don't think there are any user submitted feature requests for better cheat prevention.

db0 commented 12 years ago

Hm, perhaps when OCTGN becomes more popular and people start thinking of organizing tournaments, it might become more of a pressing issue.

kellyelton commented 12 years ago

I dunno. What you're asking really wouldn't be too difficult to implement. Simple hash check, since we already have the hashes stored...really the only problem with this is if someone modified their client, they could send the other user any hash they wanted to make it succeed.
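An added illustration of the host/client hash comparison proposed at the top of the thread and of the limitation raised in the comment above; it is not OCTGN code and not part of the original thread. The file layout, field names and the `definition_hash`, `report` and `lobby_notices` helpers are hypothetical, and the sample definitions are constructed:

```python
import hashlib

def definition_hash(files):
    """SHA-256 over a definition's files (dict: name -> bytes), independent of file order."""
    h = hashlib.sha256()
    for name in sorted(files):
        encoded = name.encode("utf-8")
        # Length-prefix each name and body so content cannot slide between files.
        h.update(len(encoded).to_bytes(4, "big") + encoded)
        h.update(len(files[name]).to_bytes(8, "big") + files[name])
    return h.hexdigest()

def lobby_notices(host, clients):
    """Compare what each client *reported* with the host's report; return warning strings."""
    notices = []
    for c in clients:
        if c["hash"] == host["hash"]:
            continue  # matches the host, nothing to show
        if c["version"] != host["version"]:
            reason = f"Player is using v.{c['version']}"
        else:
            reason = f"Same version (v.{c['version']}) but different contents"
        notices.append(f"Player {c['player']} is using a different definition than the host. {reason}")
    return notices

def report(player, version, files, claimed_hash=None):
    """What a client sends. claimed_hash models a modified client that does not hash its own files."""
    return {"player": player, "version": version,
            "hash": claimed_hash or definition_hash(files)}

# Constructed sample definitions (not real OCTGN game files).
OFFICIAL = {"definition.xml": b"<game version='2.0.2'/>", "scripts/actions.py": b"def draw(): pass\n"}
OUTDATED = {"definition.xml": b"<game version='2.0.1'/>", "scripts/actions.py": b"def draw(): pass\n"}
EDITED = dict(OFFICIAL, **{"scripts/actions.py": b"def draw(): peek()\n"})

def demo():
    host = report("host", "2.0.2", OFFICIAL)
    clients = [
        report("alice", "2.0.2", OFFICIAL),   # identical definition
        report("bob", "2.0.1", OUTDATED),     # old version by mistake
        report("carol", "2.0.2", EDITED),     # locally edited script, unmodified client
        # Modified client: the lobby only ever sees the reported value.
        report("dave", "2.0.2", EDITED, claimed_hash=host["hash"]),
    ]
    return lobby_notices(host, clients)

if __name__ == "__main__":
    print("\n".join(demo()))
```

The check flags the outdated and the locally edited definitions, but it can only compare values the clients choose to send, so it works as a consistency warning and not as proof of what a client actually loaded.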

db0 commented 12 years ago

True, and I did think of that, but that requires that they modify the actual source of OCTGN 3 and recompile, and that is an order of difficulty greater than simply changing a .py file. I.e. it would take an extremely dedicated cheater to achieve, and unless we're at the level where people are organizing tournaments with rewards at the end, I doubt anyone would bother that much, as things stand. But even a small check would certainly alleviate some paranoia and also catch people trying to play with old versions by mistake.

Nevertheless, for the sake of discussion, that too can be combatted. One way would be to PGP sign the client's unique hash and refuse connection to the server to any client that does not have the right signature (i.e. the central server would be instrumental in this kind of prevention).

kellyelton commented 12 years ago

But you still need to send that data to the server, so we would have to code in the part where that information is sent to the server, so it would easily be spoofable. Just comment it out and type in whatever the 'normal' client would send.

db0 commented 12 years ago

What if you encrypted that part in the code and decrypted it server side?

kellyelton commented 12 years ago

It would still be trivial to bypass.

db0 commented 12 years ago

Yeah, thinking about it more, you're right. None of my ideas can work given a sufficiently dedicated and untrusted second party.

The only other ideas I'm getting involve just making it more difficult to spoof the hash (by requiring network sniffing and so on) but not impossible. :(

But then again, if it could be made impossible, most online games would do it, and yet cheating is still rampant. Perhaps just making it less trivial to cheat might be enough for most ;)

kellyelton commented 12 years ago

Yeah it's finding the line you want to draw.

brine commented 12 years ago

I personally think that, as long as OCTGN remains detached from the games/sets you can install on it, we won't be able to find an adequate method to solve these sorts of issues. The game defs are sorta running in their own worlds, the best we can do at this point is create new features that aren't completely exploitable.

Gravecorp commented 12 years ago

Only way to effectively combat cheating is by going closed source so no one can see how we did the security and randomize the security with every update we push. Would also bar others from helping on the project due to possible leaks and leaving the current team forced to maintain this forever or until we all decide to go do something else, leaving the project stranded again like with OCTGN 2. So only minor anti-cheating stuff would be implemented as far as my 2 cents on the matter go.

FenMiHuo commented 12 years ago

What if you guys released a simple executable that "locked" the game defs? Basically it could use some rar password that is not public but the OCTGN client knows; it wouldn't stop people with the source from being able to break it but it's an easy start. Or implement a scan that checks if the game defs that each player loaded are identical? In that respect if you let the game designer upload an "official" game def to the server that could be used as a check whenever those games are played. Not on the design team so these may not make sense, just my 2 cents (since I actually am trying to run tournaments with prizes using OCTGN).

db0 commented 12 years ago

The source of OCTGN is open and so are the game defs, so anyone who wanted could remove the code that locks the game defs and then use a game def which is not encrypted.

drilus commented 12 years ago

Locking a game def would simply create a huge "barrier to entry". We don't want that at all. We want it to be open so that anyone can create definitions or help work on OCTGN.

db0 commented 12 years ago

That too ;)

kellyelton commented 12 years ago

What db0 said yeah, you could just modify the code that does the checks.