Tito Shivan の投稿を引用：

Anmheda の投稿を引用：

Are you saying all concerns gamers and devs/tech people have against kernel anticheat is FUD? That's ♥♥♥♥♥♥♥♥. Everything can be misused, and security and privacy is essential for consumers.

All? No.
But every anticheat controversy is generously sprinkled with FUD by interested parties to try smear the software instead of having to beat it at the coding field.

Maybe, but I disagree. And my starting point of this thread was that kernel anticheats are not needed in co op / pve games. Well, thats my view on it.

Tito Shivan の投稿を引用：

Anmheda の投稿を引用：

Tell me, why is Valve's Dota 2 doing so great without the need of any kernel anticheat installed on your system?

Depending on who you ask the situation seems to be the opposite.
https://steamcommunity.com/app/570/discussions/0/4418677198499184556/
https://steamcommunity.com/app/570/discussions/0/4418676821639671357/
https://steamcommunity.com/app/570/discussions/0/4418676236157024491/

Of course there will always be cheaters, there are even cheaters in games using kernel level anticheats, so whats the point then?

Crashed の投稿を引用：

Garbage の投稿を引用：

Better question: are you going to address the concern that the OP has?

OP's concern is speculation, and even Steam's VAC runs at a privilege level that can access the data of the entire drive and every process running on the system. The idea behind going kernel mode is to be able to get past possible rootkits that could be hiding cheat drivers and to reveal them.

But cheaters are still spotted in games also using kernel anticheats, so whats the point with kernel mode then? I rather install a game using normal privilege levels instead of kernel level anticheat.

BlackBloodRum の投稿を引用：

Crashed の投稿を引用：

OP's concern is speculation, and even Steam's VAC runs at a privilege level that can access the data of the entire drive and every process running on the system.

Not always, for example: On Linux Steam VAC works, however you can run Steam and all child processes (games) within a sandbox (such as Flatpak, being the easiest.) where it is only able to see the data and processes running within its sandbox. It cannot see/control processes outside the sandbox, nor files you revoke access to in that case.

EAC also can work in this environment if the developers configure it to allow this. (This is how I run my steam client. Steam cannot see any files outside of ones I permit it to.)

If it were kernel level, which would require me to allow it to load a module into my kernel (not happening) it could theoretically see the entire system and what it is doing, at any time.

Good points! This is a good example why kernel level anticheats are bad, imo.
Im thinking about going over to Linux in the near future. Or maybe buy a new PC where I install Linux and keep all my personal files and projects, and on my other PC I just install Windows and games only, without any personal stuff.

Crazy Tiger の投稿を引用：

Vote with your wallet, OP. Just don't be surprised that other people vote differently.

That doesn't work as well retroactively, unfortunately.

Lystent の投稿を引用：

Crazy Tiger の投稿を引用：

Vote with your wallet, OP. Just don't be surprised that other people vote differently.

That doesn't work as well retroactively, unfortunately.

You do realize not everyone falls for disinformation?

Crashed の投稿を引用：

Garbage の投稿を引用：

Better question: are you going to address the concern that the OP has?

OP's concern is speculation, and even Steam's VAC runs at a privilege level that can access the data of the entire drive and every process running on the system.

The privacy concern is a lesser concern wrt kernel modules.
There are greater problems with kernel modules, esp. poorly maintained ones.

Firstly, any programming error in kernel space can corrupt kernel memory and cause a kernel panic - the typical "Blue Screen of Death" (BSoD) on Windows. Over the years many anti-cheat and DRM kernel modules have been identified or indicted as causing such system crashes.

On top of that, the things anti-cheats are doing in kernel space: hooking into all kinds of other things to monitor, cloaking themselves from other software, etc. are all using very precarious techniques - none of which follow any kind of best practice or any kind of guarantee that they'll work correctly when paired with any other kernel modules present on the system, and often they'll be intentionally over-complicated by attempts to obfuscate what the anti-cheat is doing. All of this is brittle as all heck. And the tiniest of slip-ups can readily snowball into a full-on hard crash or system hang, along with causing data corruption on any live storage drives.

And of course the odds of such problems being patched out of older versions of an anti-cheat delivered with a certain older game, are basically zero - unless you're dealing with a centralized installation of an anti-cheat that keeps itself up-to-date. (In which case, you also have to ask yourself how it does that securely...)

Secondly, any programming error in kernel space opens up the possibility of exploitation. If communication from user space to the kernel module is not properly secured and authenticated, and if input from user space is not properly sanitized, it can give rise to all manner of scenarios where attackers can use specially crafted input to get the kernel module to execute arbitrary code in kernel space. This would bypass all protections including token split administrator rights offered by Windows' User Access Control (UAC) and basically gives them direct access to hook in a system-wide rootkit. Worse, already running in kernel space means they can use system calls to directly access UEFI and flash modified infected firmware, that's made capable of reinfecting an installed operating system with the same rootkit in perpetuum.

As anyone can tell you:
to prevent becoming a target for this kind of thing, you want to keep your software up-to-date and patched up against any discovered exploits. And as mentioned before, this is exactly what tends to not happen with anti-cheats and games - in particular older games.

Crashed の投稿を引用：

The idea behind going kernel mode is to be able to get past possible rootkits that could be hiding cheat drivers and to reveal them.

Which is worthless, because cheats can also reside one level further up in a hypervisor OS that is loading the real OS with a transparent passthrough.
Friendly reminder: Black Lotus exists and SecureBoot, which is supposed to provide a guarantee that the bootloader chain hasn't been tampered with, is already compromised and will never be fixed because doing so involves rotating cryptographic keys which would break SecureBoot and prevent booting up of any existing system already out there in the wild.

Anmheda の投稿を引用：

Crashed の投稿を引用：

OP's concern is speculation, and even Steam's VAC runs at a privilege level that can access the data of the entire drive and every process running on the system. The idea behind going kernel mode is to be able to get past possible rootkits that could be hiding cheat drivers and to reveal them.

But cheaters are still spotted in games also using kernel anticheats, so whats the point with kernel mode then?

It's security theater and selling snake-oil to big-wigs in suits-&-ties that don't understand technology for big money. It's basically a small step-up in how tough it is to work around, that's being sold as if it's the golden hammer to end all problems.

RiO の投稿を引用：

(wall of text)

Do you have any evidence that kernel-mode anticheats are cloaking themselves? Wouldn't that be grounds for their signatures to be revoked?

Or perhaps you use cheats that do rootkit behavior like that?

Crashed の投稿を引用：

RiO の投稿を引用：

(wall of text)

Do you have any evidence that kernel-mode anticheats are cloaking themselves? Wouldn't that be grounds for their signatures to be revoked?

Some will attempt to hide themselves and what they're doing on a system to frustrate and prevent reverse-engineering efforts. Others take a more ... pro-active stance, such as killing kernel-level debuggers outright if they spot any. Mostly though, nowadays they just refuse to start if the Windows options for unsigned drivers or kernel level debugging are enabled; or if SecureBoot is disabled on Windows 11. (Since Windows 11 formally is only supported on machines that support SecureBoot, they can take it as a requirement to have it enabled.)

Crashed の投稿を引用：

Or perhaps you use cheats that do rootkit behavior like that?

Classy. Can't bother to formulate a proper counter-argument in response, so let's resort to ad hominem and character assassination. Even using the classic "if you're not with us; you're against us" binary rhetoric.
Kindly keep your baseless slander to yourself.

Crashed の投稿を引用：

Do you use Linux for technical, usability, or political purposes?

From what I've seen, "political" has a rather broad coverage of potential reasons.

Crashed の投稿を引用：

Lystent の投稿を引用：

That doesn't work as well retroactively, unfortunately.

You do realize not everyone falls for disinformation?

It's not disinformation, even if it's overblown.

A program that runs in user-space has less access to your computer than a program that runs in kernel-space.

That doesn't matter for the anticheat itself. People are not worried (or at least should not be worried) about the anticheat destroying their computer.

What people should be worried about is that a piece of malware could use the anticheat kernel driver as a means to get more access to the system it normally wouldn't be able to get on its own.

It's the same reason that running some antivirus programs actually makes your system less secure. Now instead of the virus trying to infiltrate your system, they can try to infiltrate the antivirus software itself, which already has a very wide range of permissions to access things on your system.

There's also been documented cases where antivirus software introduced vulnerabilities or bugs into other software made by other companies. For example, Chromium wanted to give the browser's render processes less access to the computer to increase its safety. Certain antivirus software caused this reduced permission set to crash the browser because it was injecting code into the browser.

The reason you should be worried about giving a program you might partially trust increased access to your computer isn't that that program is going to try to hurt you. It's that some program that gets in through a vulnerability in some software will have more routes towards getting access it wouldn't normally have to mess with your stuff.

Steam's Windows service (that's a much smaller attack space than a driver already) will only respond to commands it knows are really from game developers who uploaded those commands to the game's depots. That's why you need to be online the first time you start a lot of games. It can't verify that the signature is valid without talking to Steam's servers that are provably run by Steam because they have a cryptographic certificate from a globally trusted certificate authority saying so.

There's a lot of very complicated stuff going on and most of it is going on specifically to try to keep you safe. When a program has more access to your computer, that means there's more of a risk of it letting something else have a dangerous amount of access by accident.

This isn't just a problem for people who already have a virus on their computer - you can run Steam commands from a website - for example, accessing steam://run/480 in your browser will start SpaceWar on your computer. If there was some vulnerability in SpaceWar, that could be an entry point for a virus to get into your system.

Crashed の投稿を引用：

Lystent の投稿を引用：

That doesn't work as well retroactively, unfortunately.

You do realize not everyone falls for disinformation?

What is false about a game getting new DRM applied well after it was launched?

Ben Lubar の投稿を引用：

People are not worried (or at least should not be worried) about the anticheat destroying their computer.

What people should be worried about is that a piece of malware could use the anticheat kernel driver as a means to get more access to the system it normally wouldn't be able to get on its own.

Precisely.
Well -- with the added note that while people shouldn't be worried about anti-cheat outright destroying their computer, they should be aware that any time a kernel module fails, it's not like a normal program which fails. A normal program will just crash back to desktop. A kernel module failing might, and more often than desired actually does, result in the entire system hanging, requiring a hard reboot and suffering potential data loss and data corruption on hard drives.

RiO の投稿を引用：

Crashed の投稿を引用：

Do you have any evidence that kernel-mode anticheats are cloaking themselves? Wouldn't that be grounds for their signatures to be revoked?

Some will attempt to hide themselves and what they're doing on a system to frustrate and prevent reverse-engineering efforts. Others take a more ... pro-active stance, such as killing kernel-level debuggers outright if they spot any.

Crashed の投稿を引用：

Or perhaps you use cheats that do rootkit behavior like that?

Classy. Can't bother to formulate a proper counter-argument in response, so let's resort to ad hominem and character assassination. Even using the classic "if you're not with us; you're against us" binary rhetoric.
Kindly keep your baseless slander to yourself.

So no evidence?

Ben Lubar の投稿を引用：

Crashed の投稿を引用：

You do realize not everyone falls for disinformation?

It's not disinformation, even if it's overblown.

A program that runs in user-space has less access to your computer than a program that runs in kernel-space.

That doesn't matter for the anticheat itself. People are not worried (or at least should not be worried) about the anticheat destroying their computer.

What people should be worried about is that a piece of malware could use the anticheat kernel driver as a means to get more access to the system it normally wouldn't be able to get on its own.

It's the same reason that running some antivirus programs actually makes your system less secure. Now instead of the virus trying to infiltrate your system, they can try to infiltrate the antivirus software itself, which already has a very wide range of permissions to access things on your system.

There's also been documented cases where antivirus software introduced vulnerabilities or bugs into other software made by other companies. For example, Chromium wanted to give the browser's render processes less access to the computer to increase its safety. Certain antivirus software caused this reduced permission set to crash the browser because it was injecting code into the browser.

The reason you should be worried about giving a program you might partially trust increased access to your computer isn't that that program is going to try to hurt you. It's that some program that gets in through a vulnerability in some software will have more routes towards getting access it wouldn't normally have to mess with your stuff.

Steam's Windows service (that's a much smaller attack space than a driver already) will only respond to commands it knows are really from game developers who uploaded those commands to the game's depots. That's why you need to be online the first time you start a lot of games. It can't verify that the signature is valid without talking to Steam's servers that are provably run by Steam because they have a cryptographic certificate from a globally trusted certificate authority saying so.

There's a lot of very complicated stuff going on and most of it is going on specifically to try to keep you safe. When a program has more access to your computer, that means there's more of a risk of it letting something else have a dangerous amount of access by accident.

This isn't just a problem for people who already have a virus on their computer - you can run Steam commands from a website - for example, accessing steam://run/480 in your browser will start SpaceWar on your computer. If there was some vulnerability in SpaceWar, that could be an entry point for a virus to get into your system.

Is it worth however pushing for massive, aggressive, and rude boycotts of any and all games that use anti-cheat?