Being prepared for the future - cheating

Jabra

Concerns about failing to the documentation requirements of the future.

The preppers of speedrunning.

This is not my field, but I have some valid concerns. Many of you probably heard of the Trackmania Cheat Scandal.
The thing is. Speedrunning is "deterministic" - the track that you have to speedrun is static.
So you can create a sequence of inputs that always fit a track because the track is static, and then just play them automatically and cheat anything undetectable. And as far as these inputs are "too perfect",
you can just artificially put imperfection into the inputs.
I can't see how ANY anti-software is going to detect this. Does it seem like live-streaming can be the only way to target this? I don't know exactly know,
and I don't want to delve into what I don't know so much about, but ...

As we head into the future, as gaming becomes larger and larger, especially in the third world,
as the population of psychopaths and evil people increase (in absolute numbers), and as more and more time goes (so more and more time goes for the psychopaths to fulfill and carry out their devil wishes),
then the probability of people using the most insane strats to cheat will increase and practically become 100 %. And this input or macro cheating or w/e you will call it will definitely become a thing.
(we also have that issue regarding strafing with mouse only. btw, the Trackmania player Trabadia used macro)

And you developers will continuously take new means in use to combat the cheaters, as far as you are taking this game seriously at least.

As you do, you might increase the documentation requirements.
What will happen to all the runs that were submitted before the new documentation requirements?
Will they get cancelled?

Even if they won't get removed because you are believers, doubt will exist.
The legitimacy of those records that were submitted before the increased documentation requirements will maybe not "formally" fall (e.g. if you let them stand there officially, "official is official"),
but in actuality or socially, the legitimacy will fall. Especially if some of the runs belong to some person with a shady background. Often the psychopaths are charming people though.

So my question is now.

How can we prepare ourselves for the future? How can we catch the future? How can we beat the future?

I'm not necessarily asking the developers to make a solution that is decades ahead of our time because solutions will maybe better be developed in a gradual way through reforms.

But I'M ASKING

Can you give us some suggestions for documentation techniques that increase the legitimacy of our runs so we at least individually can beat the future?
I'm not asking for any of these suggestions (documentation techniques) to become official because maybe they will be very primitive and annoying to set up for the majority of people,
and decentivize players to play the game. So the perfect solutions are maybe found gradually? I don't know.

But can you give us some suggestions so that we at least individually can be prepared for the future?

You could call us preppers, the preppers of speedrunning. But I would say very realistic preppers.

hex

run validation will be (sometime before 1.0.0) expanded greatly. it's been touched on in the first qna stream but yes we will have ways to detect cheated runs besides a pov demo or livestream or whatever. being a standalone game lets us do a lot more than what a game server in css/tf2/etc would be able to do. i don't think that the people who are going to actually design those things want to talk about them publicly for obvious reasons

also, no legitimate runs are ever going to be removed after 1.0.0. people also aren't going to be required to record a demo or anything like that, the game will automatically take care of whatever has to happen behind the scenes for anticheat

Jabra But can you give us some suggestions so that we at least individually can be prepared for the future?

tl;dr no. just don't cheat and your runs will be ok regardless of whatever may happen

Superchuck

What an incredibly lengthy way of asking what safeguards could be implemented now/later to prevent TAS-like cheating.

Jabra

Superchuck

It's not what I'm saying even, or yes, partly, but more than that. I want to "prep" (https://www.google.dk/search?q=prepping+meaning&sxsrf=ALeKk03saBtNwRkib1wKOdb6K3PB4LGvPA%3A1622414179927&ei=YxO0YKOFOOfjrgTjg7PwAw&oq=prepping+meaning&gs_lcp=Cgdnd3Mtd2l6EAMyBwgAEEYQ-QEyAggAMgIIADICCAAyAggAMgIIADICCAAyAggAMgIIADICCAA6BAgjECc6BQgAEJECOgIILjoFCC4QkQI6BAgAEEM6BAguEEM6CAguEMcBEK8BOgUIABDLAToFCC4QywE6BwgAEAoQywFQ2PEKWPyIC2DTiQtoAHACeACAAaABiAGCDJIBBDEzLjOYAQCgAQGqAQdnd3Mtd2l6wAEB&sclient=gws-wiz&ved=0ahUKEwjjwv3mu_LwAhXnsYsKHePBDD4Q4dUDCA4&uact=5) for higher standards in the future, so I can be guaranteed that the validity of my runs will stay intact "eternally".

I'm asking Momentum or people for prepping techniques.

This question also entails another question. Can earlier runs be invalidated due to increased documentation standards in the future? E.g., maybe you could imagine that all offline runs get removed in the future because maybe you figure out that they just can't be trusted.

A very relevant question here as well goes into: to which extent can we expect to have a right to keep our records eternally?

I can see Hex says that we (us who did not cheat) can expect to keep our records forever because they will with certainty know who cheated.

Well. I can see it is ofc. important to act like you have the cheaters under control, so recommending prepping techniques can send the wrong signals, so it's tough to talk about xD

Superchuck

Jabra Hex has already said that there will be anti-cheating measures in place, so I'm going to go out on a limb and say the only "prep" you need to do is to not cheat any runs. I'm also going to guess that if ever the dev team adds additional standards, all previous times will be kept unless they can be proven to have been cheated.

hex

superchuck is correct. if we change anything (which we do not want to, we will try to have everything 110% covered before 1.0.0 is even public) then we will try to make it as seamless as possible for current users. no prep is going to be necessary

Jabra

So you are innocent until otherwise is proved.
Okay, so that's the way you go.
But I'm almost certain that you cannot defend competitive integrity like that.
Are you really that confident that the current documentation standard (1.0.0 standards) will eternally be sufficient to reveal us enough information about every run?
It seems to me very naive (especially due to speedrunning's deterministic nature), and if you think so, then there will never be a reason to update the documentation standards I guess.

My point is also.
If you update the documentation standards, then you will send a signal.
Those records before the update will receive validity b, those records after the update will receive validity a.
It will work like that in the social world.
Especially those records that get very old from pre-update will become doubtful.
I just want you to be aware of that and how that can affect other people's reputations.
This is also a problem with courts, they don't prove you innocent but just prove that you couldn't be proved guilty ish.
So they don't fix your reputation.

But I can understand if you don't think that is any of your business to help us protect our reputation.

It's a weird topic to talk about. Maybe not possible to discuss publicly xD
So I don't think I will comment on it further.

I guess there is not really anything to do other than us preppers privately seeking information.
Just livestream our lives 24/7 xD until anti-cheat software is embedded into keyboards so they can confirm the inputs or w/e the future will do ...

The Riolu case frightened me. It is clear that he would have gotten away if he just had played with 95 % slow-motion. It is clear that those who have already done that have slipped away.

And I heard that the guy Mev making a living out of bypassing was not satisfied with Momentum's anti-cheat.

So yeah, I'm worried man. I guess we just have to hope that there were not clever enough cheaters around pre documentation requirement update - or that those cheaters will get beaten by players so that their times will not be significant enough to care about anyway.

hex

Jabra And I heard that the guy Mev making a living out of bypassing was not satisfied with Momentum's anti-cheat.

right now momentum has very bare-bones anticheat because it's not a current priority so yeah, i can guarantee there are currently exploits that exist and let you cheat times lol. but by the time 1.0.0 is public run security will be increased dramatically. we currently do but will not trust the client, have server-side anticheat, etc.

plus, one benefit we have over almost any server is active developers. if we find a new exploit someone is using we can actually patch it, which most server owners cant because of sourcemod limitations or being inactive

Enjoy

Scripting inputs would work on a server just as well so how is it such a massive problem now and was never before?

Ark_

Enjoy as valid as this argument sounds, its only not a problem till someone comes along and proves that it is. Only defending against attacks that have been proven to be used before is a terrible policy, it's like if a white hat hacker comes to you with a zero-day, and you choose to not patch it because 'its never been an issue before'.

You actually have to sit down and think if what is being presented presents a real risk or not, especially because as more effective cheats get guarded against people will move to less and less effective tools for advantage play as the better ones become unusable. You never need to ask if its being actively used, just if it provides an unfair advantage or not.

Jabra

Well, I didn't say a server was a solution either. Never brought server up actually in this conversation. I don't know anything about that. But, yeah, I heard about that subject. I heard experts criticizing Momentum because they believe in client-sided anti-cheat software.

It really set the situation in a perspective. Speedrunning is more than any game vulnerable for cheating, and then the impression is that you are NOT even combating cheating more efficiently than the server-sided cheats???
I mean speedrunning anti-cheat software has to take a step that is like FURTHER than that, but you are ironically a level that is more rudimentary than that? Are you taking this seriously enough? The deterministic nature of speedrunning is so dangerous :S

Gocnak

I urge those unfamiliar with our QnA stream to watch the first one, starting at the 1:12:38 mark. It goes over some of what I'll talk about.

To elaborate on this, and hopefully not give "too much" away of current plans, while satisfying the original concerns here & elsewhere about Momentum's Anticheat approach will be difficult, but I will try my best.

First and foremost: Momentum is not going to have Client-sided anticheat. In other words, Momentum will have Server-sided anticheat, and will heavily rely on it along with a multitude of other (server-sided) systems to determine run and player validity. This unfortunate rumor has been making its rounds in other communities for quite some time. While the current run submission does not have proper anticheat hooked up yet, it's coming, and will be battle tested before 1.0.0. We're not naive, and the first rule of all anticheat is to not trust the client. We will not be trusting the client.

All runs are going to require an internet connection to submit. Keep in mind our branding is that we don't require a multiplayer server connection to play. This is still 100% true. The data we will be collecting can be queued up for sending (within reasonable bounds), as the gameplay is not a multiplayer server simulating the gameplay and networking it back to you. The benefit of not requiring the player to be on a multiplayer server, however, is that if they do happen to drop internet, Momentum doesn't crash and kick them out of playing it. We just don't submit the time. Likewise, we will never be able to support submitting "offline runs" or runs where you lost a significant chunk of connectivity to our server.

Talked about in the QnA stream linked above, the overall system will have primarily 3 "pillars", each with varied subsections.

Validation / "Barrier to Entry"
Verification
Punishment

Two things from Validation that I can talk about (and did in that stream) were that we're going to require:

Players to have an unlimited Steam account, which entails spending at least ~$5 of their own money on anything on Steam to be able to even submit runs to the leaderboards. Those that have a limited account will be properly notified of that in various UI (upon boot, playing an official map, etc). This is considered the harsh "barrier to entry" where the game runs in a limited state (can only download maps and runs, no XP/rank/progress due to no submission) until you overcome that. As a free to play game, we have to do something like this, otherwise it'd just be pure chaos.
Players will need to obtain a specific cosmetic level (actual level yet to be determined) to have submitted runs show up on the leaderboards. We will still keep track of the runs, just they'll have a "pending" status until that level is met, allowing us to do more analysis if need be. This is considered a softer barrier to entry, but if you're serious about Momentum, you'll hit this no problem.

This would probably be your "prep" you're concerned about. You'll need to grind a bit on your account before it matters -- hopefully further entrenching you in just one account you care about and not alts. But there's always going to be black market systems prepping accounts that we can look out for, as best as we can, but still. For people serious about the game, Validation will be absolutely no problem.

As for Verification, this is where you can't really get the details, sorry. This is where we analyze all the (GDPR-compliant) details and information about players and determine whether or not they cheated a run. All of the info we collect will be relevant to the game. "Prep" work here is: just play the game normally and you'll have no problems. 🙂

As for Punishment, can't give too many details of what we have planned but I can divulge a thought process behind it: you really have to think, really hard, about "why would someone want to cheat in Momentum?" Like, really consider what they'd get out of it, and what we could do to minimize the outcome of cheating. Something to keep in mind: TAS will be allowed and have its own leaderboard, which will significantly help in this thought process if you decide to take it.

And I heard that the guy Mev making a living out of bypassing was not satisfied with Momentum's anti-cheat.

Yeah, he left the team while the version was still 0.7.X something. Doesn't surprise me, but the direction he was assured on was dedicated multiplayer servers were the only way to properly do anticheat, and never stuck around to find out what we have in store now. Unfortunate, but it is what it is. It's a gamble we're both making on it. We also have SlidyBat on the team, who is also making a great amount of money off of Valve from RCE-related activity, and he thinks the direction we're going with the anticheat can work. ¯\(ツ)/¯

Are you taking this seriously enough?

Absolutely. As seriously as a bunch of volunteers working to create a great platform can. Keep in mind we also don't have the budget to bug bounty out thousands of dollars for exploits, we're a free to play game (as we have to be) which means it's as easy as meeting the Validation requirements to be able to cause problems, and there can be hundreds of cheaters and cheat developers vs the limited effort of the Momentum dev team. Anticheat is always a depressing uphill cat-and-mouse-style battle, and we will do everything we can, but in the end of the day, it's just a game. We will fight as long as we can, which in most cases will be until the cheaters are demotivated enough to try anymore, or until the dev team moves on from the platform. Either way, it's a real concern that we're taking extremely seriously, because it's a core part of our platform.

While conversation around anticheat is good, discussing inner working of it and speculating how the game will function 7+ months from now is pretty moot. I will be locking the thread, if there's more concern around what I described in my previous message we can reopen and discuss, otherwise, it's just "wait and see".