• SavvyWolf@pawb.social
    link
    fedilink
    English
    arrow-up
    8
    arrow-down
    3
    ·
    9 months ago

    each game client will blindly trust each other.

    In my spare time I work on some networked applications, and so have had to look into security and all that. The one thing they tell you is to NEVER FUCKING TRUST ANYTHING AT THE OTHER END OF A NETWORK CONNECTION. No, anticheat rootkits doesn’t allow you to ignore this, and it’s massively irresponsible to rely on anticheat as your main way of ensuring security.

    If someone gets past rootkit anticheat on a “normal” game where it is being used as a replacement for proper server side anticheat, it’s no big deal. Just have a reporting system in place, and ban them. The worst you’ll get is people on Reddit complaining about “rampant cheating” or whatever.

    If someone gets past rootkit anticheat on a game where it is used as a replacement for network security fundamentals, you’re suddenly going to have to find a way to explain to all your customers (and possibly lawyers) that due to your negligence, other people have had full access to their computers.

    • a lil bee 🐝@lemmy.world
      link
      fedilink
      English
      arrow-up
      9
      ·
      9 months ago

      I’m a DevOps engineer by trade, and do a lot of work with network security. “Never trust anything on the other side of a connection” is fine and all as a rule of thumb, but real solutions have more nuance than that. What is “trust”? Should I just never connect to anything? Obviously we have to, so we’re already assuming some level of “trust”. There are always degrees of trust, and a peer to peer game server is a higher degree than browsing a site hosted by a server, is what I think the developer meant.

      Now, I agree with you, this shouldn’t be some full substitute for proper network security or whatever, but I don’t think they’ve given any indication that’s the case. I can also speak from experience that certain choices in tooling are thrust upon dev teams at times, for cost or “political” reasons. It’s also fully possible it’s just a bad call from a techie who worked on a prior project with it or something.