The ultimate thread about Arma 3 anti-cheat discussion

[EvenLease 11]

Yawn... this is a boring thread, shame on the OP. Raging over an alpha.

[nodunit 397]

Unfortunately it's not that easy. Your "tighten the system" would actually mean "remove 70% of scripting functions", and nobody wants that, because the modding and scripting is what makes ArmA the game we want.

Using your example, the "teleporting":

A "setPos" command can be used to instantly move a unit from one place to another. You can't remove this command, because it's needed, it is used in almost every mission.

Would a standard 3D editor function be able to remove the reliance on setpos (if the script capability went poof with the introduction)? If you were able to pull a unit above or below ground to set up the mission rather than relying on the script itself or? I honestly don't know hence the asking.

[dnk 13]

Basically, the entire OFP/ArmA series is one in which active admins, whitelists, and passwords are absolutely necessary. You CAN fix hacking for the most part (see many DayZ servers - I play on servers that regularly see over 40 players at a time with very, very minimal hacking by any MP standard) even when hackers have a much larger incentive to hack (see DayZ) than in run-of-the-mill MP/COOP. Servers shouldn't be treated like "set it up as a totally open, public server and leave it alone". You need to build communities around good servers, and part of that is building a website and creating a whitelist. I think it's better this way as it does create a sense of community, especially when said websites have forums and plenty of communication between admins and players. And that's what sets ArmA apart from other FPSes, the far more active community.

This is somewhat of an excuse/apology for poor hacking controls, but most every MP game I've played has hacking issues. They are worse in ArmA due to the power the hackers can bring to bear through scripts, but since this is a game that has historically been geared towards COOPERATIVE play, giving power to mission makers and mod makers has trumped protecting PvP players (and they DO have the tools to protect their servers, but most choose to eschew them for weak reasoning). Generally, Domination, Insurgency, and single missions are the norm for MP servers (currently, A2 has a lot heavier PvP than normal over the last few years due to the influx of DayZ players), with Warfare and others traditionally taking a back seat - perhaps this is changing now with ArmA's higher status in the FPS community, but a lot of that PvP play is going to be channeled into the DayZ standalone likely, for which players would have much more cause for complaint over hacking.

A 3D editor would have no bearing. setpos and other commands are NEEDED for proper scripting. How can you dynamically create and move objects without such scripts? A 3D editor only would help in the original placement, and that can already be done in the 2D without scripting (usually).

[hellfire257 3]

You do realise that if it wasn't for the scripting, Wastelands wouldn't even exist for people to hack in the first place?

[Planetside 1]

How about admins are too ignorant to add VerifySignatures = 2 to their config?

[eddieck 10]

Some of the comments in this thread are ridiculous.

Basically, the problem with the engine is that it provides clients too much power. Clients can spawn vehicles/weapons, teleport anyone, attach things to people, execute arbitrary SQF scripts on all clients, etc. This has been the case with all RV games.

BIS can't simply remove these capabilities as basically all missions and mods rely on them. They would be breaking compatibility with over 10 years of user-generated content.

The solution for OA was BattlEye's server-side event filters. Although this isn't an ideal solution (more on that below), it's an effective one - and it doesn't break backwards compatibility at all. The filters can be configured to only block certain calls of such functions (for example, block any calls to createVehicle for vehicles not in the mission) or to block all calls. Obviously, without BattlEye this functionality isn't available in Arma 3 yet, but given its effectiveness in OA I see no reason it won't be ported.

With those BE filters, it's possible to make missions that don't call those functions from the client at all, which basically eliminates the whole issue as server admins could then filter all of them. Then, the only issues you'd have are client-side cheats - aimbots, wallhacks, self-teleport (not teleport of other players), etc. It brings the cheating issue more in line with what other games have experienced. (I should also add that BattlEye is extremely effective, despite what certain people who don't have the slightest clue what they're talking about will tell you.)

The ideal solution would be for BIS to, with the introduction of Java, remove the ability to call those functions from the client which would force mission makers to develop with these considerations in mind. (They would also need to automatically block calls of those functions when a Java mission is running; this could also pose complications with mods, so that will need to be resolved.) This is really the perfect solution - it doesn't break backwards compatibility with the huge amount of content already created, and it will improve the situation in the future. I've written about this before.

Unfortunately, considering the delays so far, I don't see that as a likely solution at this point. :(

lol another one of those people who's comeback has something to do with the alpha. Enabling BattlEye has nothing to do with alpha. At any time can Bohemia enable it.

I doubt the BE integration is even completed yet. It's not a matter of BIS flipping a switch.

Unfortunately it's not that easy. Your "tighten the system" would actually mean "remove 70% of scripting functions", and nobody wants that, because the modding and scripting is what makes ArmA the game we want.

Using your example, the "teleporting":

A "setPos" command can be used to instantly move a unit from one place to another. You can't remove this command, because it's needed, it is used in almost every mission.

The only way would be to somehow restrict usage of this command, but there is no way without sacrificing scripting flexibility - sometimes you might need to run this command on server, sometimes on the client, and in both cases you may need to use it on various units, including other players.

Also, there is no way to tell whether any possible "teleporting" would be a legal part of the mission scenario, or a result of cheating - you could put together some decision making for a certain mission, where you know when is teleporting possible/desired, who can be teleported and where, and then you could check these constraints and possibly decide whether it is result of cheating or not, but it wouldnt work in other missions in general.

It isn't difficult to only use it on the server.

A very basic example (the same principle would apply in other situations): if you have an anti-teamkill script that teleports a player away after teamkilling X units, perform that TK check on the server, and have the server call setPos if necessary.

Another example for something like fast travel: instead of setPos on the client, PV an array with the player and the position it wants to fast travel to, and then the server, in a PVEH, can validate this (verify the player can fast travel, verify the location is one that can be traveled to, etc.) and perform it. This is still exploitable actually as a malicious script could send any player with that (DH ticket on that from a few months ago), but with publicVariableClient there are other ways to validate the sender of a PV.

Would a standard 3D editor function be able to remove the reliance on setpos (if the script capability went poof with the introduction)? If you were able to pull a unit above or below ground to set up the mission rather than relying on the script itself or? I honestly don't know hence the asking.

No need for the 3D editor (although it'd be nice!). It's possible to set NPC height on the server with setPos.

If setPos was blocked with the BE filters (which requires a mission developed with that in mind), clients could only call it on their own units (i.e. the player himself or local AI).

How about admins are too ignorant to add VerifySignatures = 2 to their config?

If it were that simple, don't you think everyone would have done it already? Signature checks (yes, even v2) have been broken for awhile. Also, nobody uses script cheats anymore.

[Planetside 1]

Some of the comments in this thread are ridiculous.

Basically, the problem with the engine is that it provides clients too much power. Clients can spawn vehicles/weapons, teleport anyone, attach things to people, execute arbitrary SQF scripts on all clients, etc. This has been the case with all RV games.

BIS can't simply remove these capabilities as basically all missions and mods rely on them. They would be breaking compatibility with over 10 years of user-generated content.

The solution for OA was BattlEye's server-side event filters. Although this isn't an ideal solution (more on that below), it's an effective one - and it doesn't break backwards compatibility at all. The filters can be configured to only block certain calls of such functions (for example, block any calls to createVehicle for vehicles not in the mission) or to block all calls. Obviously, without BattlEye this functionality isn't available in Arma 3 yet, but given its effectiveness in OA I see no reason it won't be ported.

With those BE filters, it's possible to make missions that don't call those functions from the client at all, which basically eliminates the whole issue as server admins could then filter all of them. Then, the only issues you'd have are client-side cheats - aimbots, wallhacks, self-teleport (not teleport of other players), etc. It brings the cheating issue more in line with what other games have experienced. (I should also add that BattlEye is extremely effective, despite what certain people who don't have the slightest clue what they're talking about will tell you.)

The ideal solution would be for BIS to, with the introduction of Java, remove the ability to call those functions from the client which would force mission makers to develop with these considerations in mind. (They would also need to automatically block calls of those functions when a Java mission is running; this could also pose complications with mods, so that will need to be resolved.) This is really the perfect solution - it doesn't break backwards compatibility with the huge amount of content already created, and it will improve the situation in the future. I've written about this before.

Unfortunately, considering the delays so far, I don't see that as a likely solution at this point. :(

I doubt the BE integration is even completed yet. It's not a matter of BIS flipping a switch.

It isn't difficult to only use it on the server.

A very basic example (the same principle would apply in other situations): if you have an anti-teamkill script that teleports a player away after teamkilling X units, perform that TK check on the server, and have the server call setPos if necessary.

Another example for something like fast travel: instead of setPos on the client, PV an array with the player and the position it wants to fast travel to, and then the server, in a PVEH, can validate this (verify the player can fast travel, verify the location is one that can be traveled to, etc.) and perform it. This is still exploitable actually as a malicious script could send any player with that (DH ticket on that from a few months ago), but with publicVariableClient there are other ways to validate the sender of a PV.

No need for the 3D editor (although it'd be nice!). It's possible to set NPC height on the server with setPos.

If setPos was blocked with the BE filters (which requires a mission developed with that in mind), clients could only call it on their own units (i.e. the player himself or local AI).

If it were that simple, don't you think everyone would have done it already? Signature checks (yes, even v2) have been broken for awhile. Also, nobody uses script cheats anymore.

As for 'nobody uses addon cheats', go onto public cheat sites and you will be amazed how many are exploiting the lack of this single line in server configs right now.

[eddieck 10]

Then how come I am not able to join servers with sig checks in ArmA3? Surely it must work. As for 'nobody uses script cheats', go onto public cheat sites and you will be amazed how many are exploiting the lack of this single line in server configs right now.

Because they work as intended if all you're doing is changing the PBO. There are methods (that is, additional steps someone can take) to circumvent them. I'm not going to go into detail, for obvious reasons.

Also, you must be looking at something completely different as 99% of what gets released these days are external programs, which is BE's job to protect against (and it does, on games that have it enabled).

[Planetside 1]

Because they work as intended if all you're doing is changing the PBO. There are methods (that is, additional steps someone can take) to circumvent them. I'm not going to go into detail, for obvious reasons.

Also, you must be looking at something completely different as 99% of what gets released these days are external programs, which is BE's job to protect against (and it does, on games that have it enabled).

Oh I know, but might aswell kill the majority.

[eddieck 10]

Oh I know, but might aswell kill the majority.

I agree with that, and any server I host has had and will continue to have signature checks on the highest level possible/practical ("practical" being defined as doesn't interfere with BIS's own DLCs, as was the case when the v2 sigs came out).

Some of the most popular servers right now (on http://arma3.swec.se) have them disabled for some retarded reason, but besides those most I looked at had them enabled.

[nodunit 397]

No need for the 3D editor (although it'd be nice!). It's possible to set NPC height on the server with setPos.

If setPos was blocked with the BE filters (which requires a mission developed with that in mind), clients could only call it on their own units (i.e. the player himself or local AI).

Oh okay, thank you for clarifying that.

[qbert 10]

I know it's heresy to even mention DayZ next to the glorious Arma, but why don't they do what they did with DayZ hackers? Mass banning of detected hackers once BattleEye goes in. Let them feel safe for now, strike when the time is right :coop:

[Frankdatank1218 39]

Restrict CLIENT scripting, there ar no legitimate reason for CLIENTS to have SOO much scripting power. Servers and Admins fine, give them all the power they can get.

[tortuosit 485]

Do you understand what an Alpha means.

You're way off. The basic client-server concept will not be changed (not at this stage any more) and Arma is vulnerable to that kind of attacks because simply you can do things on a client which is the executed on a server. Remove all objects and shoot people, make an artificial lag and have players frozen and kill them while drinking a glass of wine. All possible with that basic concept...

Serious players prefer their own servers and clans, anyway.

Edited March 16, 2013 by tortuosit

[boriscat1 10]

Oh well another potentially great PC game screwed by hacking... the question I ask is why buy a PC to play games on when you cant even get a decent round in.! And yes we will get the "there will be anti hack in the full game etc" but I feel this wont even come near to addressing the problem. Is PC gaming dead in the water due to the prevalent "kiddie scripting" that is rife on our platform of choice and the inability of devs to address the problem. I must add that its not just this game but every online multi. Devs on every production team must up their game as this is a platform killer.

[Dwarden 1124]

we know about it and as I posted already several times, there is no protection in Alpha yet, you need to be patient ... it's work in progress

[almanzo 144]

Understandable but they could try to tighten the system up so people can't do the things they can do with a simple script, no one should be able to teleport everyone and kill everyone I don't see why they dont just take those scripting commands out or something.

I have played ARMA in a community since 2009, and we use a mod called mission control center (MCC). That mod requires a login, and only one player is able to be logged in at any given time. That player is assigned as a mission maker, and are able to move whoever he likes, set a start location, spawn units, gear, enemies, vehicles, artillery and so forth and at the same time be able to play along with the rest of us. MCC along with ACRE and ACE are one of the key mods that have kept ARMA alive for me and so many others. MCC offers diversity, new missions and mission adjustments on the fly, and we as a group and many others are 100% dependent on the mod to operate as we do. Because of it, we have better missions, more variety, more control and a good overview of every mission.

It's totaly dependant on the fact that clients are able to spawn stuff, move stuff and kill stuff. If you limit the scripting possibilites in ARMA, you limit alot of game play. The arma community have never been plagued by hacking before DayZ came along. And again, remember, Wasteland, the current most popular custom mission in ARMA is also dependant on how scripting works in the engine.

There will be tools to enable good PvP in ARMA III, and from my experience with Wasteland in ARMA II, it's not a big problem either. The only place I've experienced hacking is in DayZ. The standalone will fix this, because the stand alone is focused on PvP. ARMA isn't, but allows for it. It's totally out of the question to limit the possibilities mod makers and mission makers have, as it will take away ARMA's best feature, it's openness to tweaking and moding.

To make it very, very clear... DayZ would never have come to life if it wasn't for how the engine works. People need to understand this. By limiting scripting in the future, we are possibly killing the next big thing after DayZ. I wouldn't like that to happen, now would you? ARMA III might be the one game that saves PC gaming how it's meant to be. Be patient, and you'll have your anti-hack tools, just don't expect to be able to put up a server and forget about maintanence. White lists is a great idea.

[Ethnod 1]

Poll options explained

1) Implement Battlenet, regardless of things not being exactly ready

This could mean that people who do not deserve to get a ban get one and also that while the teething problems are being resolved you might be locked out of your game as Battlenet is kicking you. This could mean that you would not be able to play until issues are resolved, however it will most likely mean that hackers and people who have pirated the game wont be able to play.

2) Focus on getting Battlenet at the cost of slowing other progress

This could mean Battlenet is tested as a priority by Bohemia and that other projects they are working on (projects within Arma 3 that is) are not worked on as fast. So they might pull programmers from net code optimisation which would mean that net code is not optimised for another month or maybe even two. However it would mean that Battlenet is implemented much quicker and without all the issues possibly created by just turning it on now without testing properly.

3) I'm happy to see Bohemia stay on their timetable

Yes, its frustrating when I am playing on line and a hacker comes in, kills everyone and ruins the server to the point where I log out or are forced to move server but I'm happy to let Bohemia do their thing on their own time table. I'll just have to live with them for the moment.

4) Leave things as they are, I'm not being affected

I have no idea what you are talking about, I have yet to come across any hackers at all. No issues, I'm fine. Oh, and no I am have not just being playing on passworded and white listed servers. I'm gaming just like you, on random servers.

================================================

So yea, I wanted to explain what I meant by the poll options first so people knew what they were voting for.

So I'm getting tired of this, I log on to play (but also test) and within 10-15 mins a hacker logs on and starts killing everyone off, taking over the server and making the server impossible to play on.

I am frustrated so I log off of that server, change to another one and again, same issue but this time I might get 45 mins without issues.

And yes that is frustrating but over the last few nights I have been talking to people on line and discovered that there are no checks to play online. So anyone can just torrent the game, log on to any server and there are no consequences. From what we have been figuring out most of the hackers are coming in that way. They are not even paying for the game. This means that even if there are IP logs, CD key logs they will amount to nothing when Battlenet is finally implemented. Personally I feel that there is no point in me putting up with this if there is no long term benefit at all.

Yes I am aware that Battlenet may need to be prepared for the game and that its quite likely that turning it on may mean that I am unable to play for a while even though I have paid for my copy but it would also mean that those who are able to play can do so in peace which in the long run will mean better testing results.

Guys, its getting to the point where I am not able to play and without being able to play I cant test. So far this week I have between 20-30 hours of Arma 3 and I have not had more than 2 hours of game play without coming across a hacker. I am quite sure that personally I am on the low end of the scale of people who are reporting bugs and crashes but I do report and I am quite interested in doing so. I have always loved your work, all the way back to Operation Flashpoint, and I am very happy to spend my time testing your game as the more its tested the better it will be. You guys build amazing games but, probably because you are a small studio, they are never tested enough in my personal opinion. Here we have an opportunity to do that, mass testing for you guys to use the info and perfect the game and its being ruined by hackers who have not even paid for the game.

[k3lt 3]

+1 for Battlenet, i like the idea to be in touch with my friends in SC II / Diablo 3.

:pc:

[TSAndrey 1]

Arma 3 will later on probably use Steamworks, which means that you can't pirate the MP.

As for hacking, you will need to wait until BE is implemented. They obviously can't implement it now, as they need to finish other stuff before adding it.

Don't rush it... It's an Alpha for a reason!

[Ethnod 1]

Arma 3 will later on probably use Steamworks, which means that you can't pirate the MP.

As for hacking, you will need to wait until BE is implemented. They obviously can't implement it now, as they need to finish other stuff before adding it.

Don't rush it... It's an Alpha for a reason!

Oh, dont get me wrong, I am well aware its an Alpha. I actually used to work for Havas Interactive (later to change to Vivendi Universal) as an in-house tester, so I get what an Alpha is and what to expect but if we cant effectively test the game as we are unable to play the game then imo something should be done.

And let me explain what I mean by unable to play for those who are not sure what I am on about or have yet to experience this joy. Most hacking I have come across starts off with someone in God mode killing people for a while, then devolves into team killing for another while (which so far is not an issue really) but later when they get bored (normally less than 30 mins in) everyone gets teleported to a location and then killed. After that happens all vehicles are destroyed and spawn areas are bombarded constantly with 100's on grenades at a time covering large areas so no one can escape. Things then devolve in to some sort of constant killing, teleporting or some combination of that or some of the above. When things get to THAT stage its when it becomes unplayable. I have seen that part of the experience last more than 30 mins. Eventually the server empties and they move to another server and they rinse and repeat.

[heruon 1]

Isn't DayZ standalone supposed to have a new online security system where every client action needs to be approved of by the server? Perhaps this will make it into Arma3? If so, couldn't be up to the server admin to say what's allowed and what is not?

[gossamersolid 155]

Isn't DayZ standalone supposed to have a new online security system where every client action needs to be approved of by the server? Perhaps this will make it into Arma3? If so, couldn't be up to the server admin to say what's allowed and what is not?

This won't make it to ArmA 3 because that would effectively cripple a lot of scripting features.

The reason DayZ can do this is because DayZ won't be open like ArmA is.

[iBroTuber 10]

The game is in alpha so except some hackers till they make a good anti cheat.

[Fight3R 1]

Well i too have come across some stupid lil hackers but ... First off all even those people that torrented the game can contribute by reporting bugs (dont start saying that if u dled the game u dont care cause its not true)(i for example dled the game and after 2 hours of gameplay i went on and bought it cause i loved it) ... Secondly hackers are gonna exist for as long as some anticheat engine gets implanted to the game but dont forget that we are still in Alpha so i dont think that the devs have it as top priority... And last but not least there are clan and group servers that are password protected with healthy communities where u can join and test the game out at its full (plus u can do it localy via lan gameplay).