Anticheat - Alternate Accounts

Hello, and welcome to the sandbox™

Today I’d like to touch on a topic I feel is worthy of a serious discussion.

Sandbox has the potential to be the biggest game of this generation; in my opinion, if executed correctly, massive untapped, unrivaled potential, were talking “Ready Player One” type shit.

Listen, I could write for days about how good this game could be, but I’d like to get to the meat of this topic.

Over the course of history in Garry’s Mod, I have seen and heard just about everything you can imagine; I’ve seen countless communities succumb to the overwhelming unpleasantry’s of others, whether that be from cheaters using third party scripts for an advantage or malicious users consistently bypassing bans issued out by individual servers using nothing more than a new steam account.

And for whatever reason, these types of people don’t seem to get the picture that they are not welcome around the community.

From a historical standpoint, it has been left up to content creators to create systems of their own; however, the methods available for cheat detection, for example, haven’t been ideal. The same applies to detecting alt accounts of banned users, and sure we have simple family share checks, but nothing concrete. Outside of that, we really have to start digging to get an ideal way of detecting previously banned users. IP detection is virtually useless in most cases, especially with applications such as VPN’S or Gforce-now becoming more mainstream.

I don’t want to sound pessimistic but the fight against cheaters is a lost cause just like the war on drugs, especially in a sandbox game.
As far as banning people goes, I think Discord has a pretty good system that requires phone numbers, but there are many services that work as a workaround and I don’t think many people would be willing to give this information to server owners.
Best thing you can do is triple proof your networking as a content creator/server owner and making sure everything important goes through the server first.

EDIT: Holy crap, @Corvezeo you have about 30,000 hours of gameplay on your 5 year old account, that is an average of 16 hours every day, do you leave your PC on?

1 Like

Okay you definitely need to dial back your expectations a little because good lord.

As for whether sandbox is shipping with an anti-cheat or not: Garry’s mentioned on the discord that they’re not bothering with anything at first, though it shouldn’t be a burden server owners are expected to carry.

4 Likes

Nothing stops you from implementing mobile-phone 2FA in Garry’s Mod, even today.

3 Likes

Why would he have to dial his expectations back? I completely agree with him. From a VR perspective there’s nothing quite like this. It has the potential to push people into getting VR to fuck around with their friends in a physics synced world. Add complete addon support to that and you have the next Minecraft but way way way better.

4 Likes

image
seeing as he has all of the achievements and more hours of play than there are in 2 weeks (there are 336 hours in 2 weeks), cheats are definitely not out of the question, kind of hypocritical considering the topic of this thread.
image
:thinking: hmm, unlocked all at the same time?

Even then I think that’s a bit overkill, I can’t think of a reason on top of my head where you’d want to be 100% sure a user shouldn’t be able to join a server, and the things that do come to mind are ridiculous and bordering paranoid, a cheater joining and using an exploit to do some wacky stuff is the very least, and that would be exceedingly rare.

5 Likes

I understand him. There are sick, malicious people that I know and even was associated with. Simple bans won’t stop them, a mobile 2FA would make it much harder for them, either requiring money, or each alt would require much more effort to set up.

You say that with the assumption that everybody is well-minded. But I’ve personally had to deal with some sick fucks, their only source of joy is fucking with their target, and they’re really consistent at it.

1 Like

I guess it’s different between gamemodes, I haven’t experienced a real hacker that ruined the experience for everyone. The worst I’ve seen wasn’t even from cheaters, either someone was clipping the dome props causing extreme lag or some people would just DDos the server.
The gamemodes having it the easiest would be paid ones (If they exist in the future) where you pay to join the server and every time you get banned the server just makes more money if you rejoin, this is obviously not a good solution for anything else.

1 Like

Not just hackers. Just straight up people that harass you. Some people make it a point to alt and put it in your face “ha, your bans do nothing to me”. They keep showing up, doxxing you, harassing other users - getting banned and then coming back. I’d love for more fingerprint possibilities - ways to identify the user, but this is getting into the whole privacy grey-area.

The payment gate isn’t ideal, but could work - I think serious RP servers will have it mitigated if they operate behind a whitelist - Whitelist process is usually lengthy, but many servers allow to either skip it or be pushed up in the queue if someone pays for doing so.

1 Like

Damn those are some bad hombres, 2FA would mitigate some but from what I’m hearing it sounds like they’d just find ways to go around that.

Unfortunately, it seems that the best way to deal with these people is to hope you never meet them and at this point 2FA would be more of an annoyance for everyone else.

2 Likes

Anyways it’s all futile if someone is really dedicated.
Keep track of IP, email, phone number, physical location, MAC address, sim card number, payment options, hardware, software configurations, all of that can be spoofed if you have enough time in your hands.
Hell, you could even just use a virtual machine every time and I doubt Facepunch or the server owners have the means to ban every single phone number that is on sale online, even Discord isn’t able to do that (Although it is slowly working its way).

That’s why I said it’s like the war on drugs, at this point you just gotta stay vigilant and ban as soon as you recognize the banned user to make it less worth it to come back. If you spend 2 hours making new accounts, restarting router, opening a new instance of virtual machine, firing up the vpn, getting your account verified etc… only to get banned within 5 seconds of joining, it’s just not worth it to go through that again.

1 Like

My point exactly, I’m not lost to the concept that anything you do is almost bypassable; I’m merely talking about creating a simple toolset that would help content creators identify users using applications such as this on their servers.

Think like how CSGO has its watchdog system. That’s all I am implying here, nothing intrusive.

And in terms of the alt detection systems, I’m merely suggesting giving us the tools to either make detection methods through premade functions or hooks. As it stands, in my opening statement, the current methods are less than favorable.

3 Likes

Any support from Facepunch on this front would be welcome in my opinion. We need to have safeguards to deter malicious users from cheating outside of user authentication. I’m all for extra steps to validate an account to a specific users to prevent alts, but we need some ways to thoroughly root out the inevitable cheaters via detection methods.

4 Likes

This is a very complicated topic. The thing is, as long as you have some fuckers around who are passionate about fucking up a particular server/community, there is no way to stop them without harming the ease of use of the game/your server.

The harder it gets for the hacker to set up an alt, the harder it is for a regular player as well, the more steps you have to accomplish just to start playing, the more users will not even bother and will quit.

I have seen overprotected servers and to me it looked like it made more bad to the server than good. Not that there weren’t any threats to take it seriously, it just got far away from easy and enjoyable for regular players.

As for more fingerprint data to collect, I don’t see much of a point in that either, it leads to privacy issues for regular users but a hacker can still spoof ANY of that data using cheats or other software.

I have no solution to the problem though, buy a beefy host that sustains ddos attacks just in case, try to avoid the community drama, ban annoying pricks by traditional means and hope for the best.

4 Likes

Because excessive hype is not a good thing.

In terms of VR support we only know at the moment that it’s going to exist, that’s it. We don’t know anything about performance, how difficult it’ll be to add support for VR or how feasible it’ll even be (Balancing VR for something like a simple shooter gamemode for example could be a nightmare in and of itself because of how much slower playing in VR is)

The same thing applies to the base game, while there’s nothing wrong with being excited (I’m probably just as excited as you are) there have been a lot of people that have been setting unreasonable expectations for the game and spreading it around. If you keep hyping yourself up or let other people hype you up like that you’re just going to be disappointed when the game comes out and it isn’t the best thing since sliced bread. I mean shit, look at Cyberpunk. I’m sure at least part of the issues surfacing with that have to do with people’s expectations being set way too high.

1 Like

Try banning people, just do it over and over again. They’ll realize that they won’t get the fun that they want and if they comeback under a new name then ban them again. I am highly against permanent bans as people will just bypass them. This is a sandbox game that will allow people to do whatever they want. Just get some moderators or something. It isn’t Facepunch’s problem to deal with your server issues with another player or community. There are simple solutions that work. Moderators/Admins/whatever you call them is one. Something that detects hours on an account and will prevent them from joining if they have less than a certain amount of hours. Or even make your server whitelist only.

But I’m guessing in this scenario you have a public server the best solution you can do is make an anti-cheat or have your staff or yourself ban this person over and over again until he gets bored. Humans are adaptable, they will change. Not much you can do other than to adapt yourself.

1 Like

We’ve had this discussion on the Discord once.
I had the idea to implement HWID bans.
But a lot of people were very angry about this.

It’s one of the most efficient ways to ban cheaters.
IP banning is stupid since most people have a dynamic IP or a VPN.

1 Like

The problem if developers allow some ways to “track” players on servers (e.g. HWID, IP, MAC address, etc.) this can open the way for abuse or malicious use. However, by removing almost all means of detecting them, makes server owners frustrated because it’s almost impossible to properly filter the players on their server. I think developers have to make a choice but restricting as much as Garry’s Mod is clearly not a good idea.

2 Likes

HWID Bans are bypassable too.
See Rust cheat providers are shipping hwid spoofer with thier cheats.
Reading all hw components id’s of players pc would be a useful function, dont understand me wrong.

1 Like

That might be the case but it’s not as easy as bypassing IP bans.

1 Like