
The other day I mentioned that it's not OK for games to be proprietary software and/or use unethical software like DRM (which tbh anti-cheats are as well). I got accused that I wanted game developers to starve to death.


I'll chime in here as a game developer: my upcoming release will be an NES cartridge[0] and probably a Steam app. I'll be adding no DRM, because I generally trust that folks that weren't going to pay aren't going to be converted by its presence, and that honest folks want to support my work. Whether the storefronts I release on add their own is up to them, and frankly I don't care.

Separately though, anti-cheat is another ball of wax entirely, and I have extremely mixed feelings in this field. Generally I favor "cheat detection should be serverside, don't trust the client" from a general security perspective, but... I can totally see a valid case in there, somewhere, for more rigorous clientside checks. Somewhere along that line though is rootkits and malware, and... well, no, please tell me up front that you loaded your game engine with these things so I can save my money and purchase something else, thanks.

[0] Using a custom mapper, which will help initially to discourage low-effort bootlegs at the very least. It's open source though, and will not be too difficult to add to emulators, at which point the dumped ROM should play fine on them.


> Generally I favor "cheat detection should be serverside, don't trust the client" from a general security perspective, but... I can totally see a valid case in there, somewhere, for more rigorous clientside checks.

Yeah...

The simple fact is, it's simply not possible to have completely server-side cheat detection simply because you'll be relying purely on heuristics which could very well be wrong. It's just not going to be possible to tell the difference between a cheater and a really good player.

For any cheat detection to work, it has to be client-side.


And the counter is fairly straightforward: any client-side cheat detection has been broken. You can't trust the client. It doesn't work, your server just thinks it works because it's lying to you now.

Client-side cheat detection can work for tournaments, but it's way simpler there: the tournament provides the hardware, and the players aren't permitted to install anything. This doesn't irritate me quite as much from a security perspective of course, because I am not about to log into my banking site on the presumably insecure tournament device. It's also imperfect: a sufficiently motivated pro player might bypass whatever locks you installed on the thing, especially if they get to spend any time with that device unmonitored.

Even better than that, tournaments have a way better cheat detection method anyway: point a camera at the player's hands. It's suddenly really, really obvious if they're cheating!


I think an overlooked approach is the Snapchat model. Absolutely littered with client-side integrity checks coupled with an automated obfuscation solution so that the checks in each binary end up being wildly different. Then you frequently push an updated binary and refuse to operate with out-of-date ones.

At least for competitive AAA titles I don't see why there couldn't be a daily update of the core binary. None of the assets would change so it wouldn't be a large update by any means. In effect it would prevent cheating by imposing impossible work and latency requirements on the tool authors.

The cost of doing this is employing at least one person with deep compiler knowledge who is capable of maintaining the automated system. Obviously that's far too much to ask of indie devs and is probably also out of reach for older titles in most cases.

This is of course all aside from the obvious and common sense but more expensive solution of player flagging, human review, and a binning algorithm (such as trust factor). Avoids needing to ban anyone in the first place and has the added benefit of being at least mildly effective against computer vision based botting solutions (for which there is fundamentally no solution).

Or just private servers and let the individual admins sort it out, but god forbid players be permitted to run their own communities; corporate might lose out on profit if that were a thing (can't risk another DotA after all).
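A sketch of the flag, review and binning loop mentioned in the comment above, as an added example that is not part of the thread and not any real game's system. The 0-100 score, the weights, the pool thresholds and all names are assumptions chosen for illustration.

```python
from dataclasses import dataclass

@dataclass
class Player:
    name: str
    trust: int = 50  # 0..100; the scale and starting value are assumptions

def apply_report(target: Player, reporter: Player) -> None:
    # A flag costs the target in proportion to the reporter's own trust,
    # so low-trust accounts cannot report-bomb someone out of the main pool.
    target.trust = max(0, target.trust - reporter.trust // 10)

def apply_review(target: Player, reporters: list[Player], cheating: bool) -> None:
    # Human review is authoritative: it overrides accumulated flags and
    # feeds back into how much each reporter's future flags count.
    if cheating:
        target.trust = 0
        for r in reporters:
            r.trust = min(100, r.trust + 10)
    else:
        target.trust = max(target.trust, 50)
        for r in reporters:
            r.trust = max(0, r.trust - 20)

def pool_for(player: Player) -> str:
    # Binning instead of banning: every player still gets matches,
    # but only against others with a similar score.
    if player.trust < 20:
        return "low"
    return "standard" if player.trust < 60 else "high"

def demo() -> dict[str, str]:
    # Constructed sample data, not real match telemetry.
    p = {n: Player(n) for n in ("alice", "bob", "carol", "dave", "mallory", "troll")}
    for name in ("alice", "bob", "carol"):
        apply_report(p["mallory"], p[name])
    apply_review(p["mallory"], [p["alice"], p["bob"], p["carol"]], cheating=True)
    for _ in range(2):  # troll repeatedly flags a legitimate player
        apply_report(p["dave"], p["troll"])
        apply_review(p["dave"], [p["troll"]], cheating=False)
    apply_report(p["dave"], p["troll"])  # third flag now barely registers
    return {n: pool_for(pl) for n, pl in p.items()}

if __name__ == "__main__":
    print(demo())
```

In this run the confirmed cheater and the serial false reporter end up in the same low pool, while the falsely flagged player stays in the standard one.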


That's where you turn and say: well, the game developer executives however...

In all seriousness, DRM/anti-cheats => rootkits/rats. Don't fall for it. Demand better.


Can't say for DRM, but there's much bigger demand to play a multiplayer action game without experiencing cheating than demand for a similar game that's not a rootkit. Cheaters are nasty. Devs make rootkit anti-cheats simply because there's no better alternative, not because they're evil.


We need to define nebulous terms like 'better'... to a company that's synonymous with what is 'cheapest' to their bottom line. To a player, that's a more effective anti-cheat.

To my understanding, the latter is much more effectively solved server-side, but is more costly for the company to run.

I'd rather play a game with server-side anti-cheat than player-side-anti-cheat.


All games are different, and for some games, this may be true, but what I, personally, have in my mind in a discussion about intrusive anti-cheats is a fast shooter with lag compensation like CS or CoD, and for them, this problem is not solvable only server-side.

CS:GO actually has heuristics and ML to flag cheaters server-side, but that's only another line of defense - the majority of defense is on the client-side anti-cheat. It's called VACnet, and its bans are temporary - most likely because of false positives.

It's unfortunate, but it is how it is.


There are countries that believed farming should not be profit oriented and curiously they happen to be the ones to have breadlines.

It is no coincidence that America and Japan, the two countries with the most draconian copyright protections, continue to be the dominant players in the game industry.

Profit motive and the ability to reinvest previous profits into future products is the greatest force multiplier in our planet’s history bar none. You can either suck it up like China did in the 90s and convert to a capitalist economy, or stay in the breadline forever. Oh, in this case, I mean play tux racer forever :P


Oh, I've heard this one before! Steve Ballmer, is that you? I thought we were past the 'open-source is communism' and 'cancer on intellectual property' times...



