Wait how is a race having positive traits, but no negatives one "cheating"? A race has enough points to easily get positives and not need any negatives. Unless you mean people are changing point values to give their race EVERY positive trait.

The thing is, lots of other games try to prevent this type of cheat. You do it by having every client process the moves of every other client, so just editing values in memory on one client doesn't accomplish anything (the others won't get that edit and will know something's up). When they check state with each other and the states don't line up, you get a desync.



The problem of course is that for people who played Sins or any other game with desync problems is that they can be caused by totally innocuous things like using the wrong RNG* for a certain value in a certain state, causing two clients that aren't cheating at all to come up with different results for the same operation. Those problems are notoriously difficult to track down. I ran into deysncs with Civ 4, and that was playing coop with my best friend who I know wasn't cheating.



You can fix the issue of people manipulating save games by having both players require the same copy of the save to load the game. Shogun 2's MP coop campaign did this. Trouble is that if something happens to mess up the game, you may need to send the save from one player to another and put it in the right place to get the game to start back up (I've had that problem too).



The gold standard is to have an external server host the game. At that point players can only cheat by taking advantage of flaws in the input validation by the server, to pass in commands that the server thinks are allowed when they really shouldn't be (or aren't validated at all, such as movement in World of Warcraft). That is significantly more expensive to operate however, as Amplitude would have to create the server code and then pay to operate it. That can also go wrong really quickly and cripple the game, which is what happened to Simcity 5.



It's pick your poison, really.





(*Sins and a lot of other games use two RNGs: a deterministic one for when things need to come up with the same value every time for a given state, and a non-deterministic one for stuff like debris explosion patterns. If you use the non-deterministic one in a deterministic operation you get the wrong answer, obviously. But you also get the wrong answer if you use the deterministic one for non-deterministic things like showing explosion graphics, because now the deterministic one isn't in the same state on every client and the next time you intend to use it, bad things will happen.)

Preventing any and all types of cheats is in general, impossible. However, the game can coded in a way that makes it so difficult to cheat that it wouldn't be worth it.



Hashing is a beautiful technology in the world of computer security, and having all peers verify hashes of the save games on reloads is a potentially effective and simple measure that will make save game editing a very difficult avenue of cheating. There is no network used outside of transferring the saved game file because the hash is calculated on the local machine. In fact, I'm not quite sure as to why this isn't already done.



Memory editing is a little bit more difficult to defend against. For Windows clients, the developers can code the exe to request Windows turn on Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) to make memory editing more difficult. Mac clients should have Apple's own version of ASLR forced on by the OS. Although this would require quite a bit of regression testing on the developer's part, as DEP and ASLR are responsible for incompatibilities in older software that weren't coded with those security measures in mind. DEP and ASLR won't prevent all memory editing, but it will make it more difficult.



In reality though, this is more of a operating system security concern. Windows and Mac OS should be responsible for protecting running exes, not just for the protection from memory editing, but also for protection from viruses and other forms of malware. It is my own belief that the OS should not allow any exterior modifications to a running program, and if it does, then the OS has a serious security hole that should be addressed.

Best article I have seen on coding multiplayer for about anything that could go wrong, and this was for a RTS - not something simpler like a TBS



http://www.gamasutra.com/view/feature/3094/1500_archers_on_a_288_network_.php

The network bandwidth is low enough that each client can retry until the host ACKs back too. UDP is fine.

Agreed, some sort of verification/matching process on our own side, receiving inputs from other player attributes would be interesting and ideal.

There is a way to design games to avoid this problem. For example, instead of messaging the other clients "I have a race with attributes x, y z" (when the combination x, y, and z are really illegal), the client messages "the user selected attributes a, b, and c" and the other clients build up the race from selected attributes (which are legitimate, because you're just replicating the user interface over the network connection). Instead of communicating location of pieces (again which can be violated) message with which pieces were moved and where to. Was it an illegal move? The UI doesn't let me move my ship after all my movement points are empty, and neither will the clients replicating my move command for that ship. So messages between clients are simply the UI events that took place.



I don't see any way someone could cheat with such a design.

This is another reason why I dont play multiplayer. I dont understand why people cheat at games.

FallenSeraph wrote:
That is exactly what is being discussed. People are either changing point values in the config or just only selecting positive traits without the game really paying attention to it's own +/- system.

Ah I see. However in the second point, a race by no means needs any negative traits. I don't think Amoeba has any - or -- traits at all. Of course, someone memory editing to get every single positive trait is an entirely different problem then just picking a race that doesn't need negatives.

adder wrote:
at the start of a multiplayer game, the custom factions traits should be send to all players their pc and the game should the check if all custom races are within the points limit.

This would be better then constantly checking if the faction is within the limits, as only once is this check needed.

much too complicated. just make the cancel button working as intended

at the start of a multiplayer game, the custom factions traits should be send to all players their pc and the game should the check if all custom races are within the points limit.

This would be better then constantly checking if the faction is within the limits, as only once is this check needed.

Trait exploit should be an easy fix, memory editing as with most games requires constant reference checking with some kind of server stored values.

Is there an ETA on the patch that will fix this...? Just played a game where two players were doing this, and noone noticed until turn 100. One of them had left about 70 turns earlier, and so was a bot. It was monstrous and terrible. A hard bot (FIDS Bonus) with EVERY POSITIVE TRAIT?

FML.



When we noticed, everyone quit, because none of us wanted to play anymore on such an unfair field. =\

krisslanza wrote:
Wait how is a race having positive traits, but no negatives one "cheating"? A race has enough points to easily get positives and not need any negatives. Unless you mean people are changing point values to give their race EVERY positive trait.

"Have all and only positive traits"

krisslanza wrote:
Wait how is a race having positive traits, but no negatives one "cheating"? A race has enough points to easily get positives and not need any negatives. Unless you mean people are changing point values to give their race EVERY positive trait.

That is exactly what is being discussed. People are either changing point values in the config or just only selecting positive traits without the game really paying attention to it's own +/- system.

Leonoux wrote:
Though all solutions are possible, none of them seem particularly practical. Having to reach out and touch the server every time a turn is ended sounds like a great way to eat up more time in between turns. Also, the most powerful of "cheats" is done through modification of a save file which would bypass any of the CE or UCE checks because the file its self is vulnerable. A review board could be set up like LoL and cases could be examined and then reported. But a fed faction could look abusive to someone. We aren't league play so I don't see people really pushing a constricting system.

My question to that would be as to why multiplayer save files would be able to be modified while they are in use by the program as is. If they merely unload and then load in, then you would be correct as to there being no real defense to it other than desynchronization in the stream. Otherwise, a CE or UCE would have to 'hook' into the client as the client launches, which makes it detectable to a degree.



Cheating will occur no matter what in multiplayer because there is no universal defense to an exploit or other 'cheat', but the biggest concern is that the multiplayer in this game could have ANYONE just download a file, modify data with a little 'cheat-sheet' beside them, and destroy any competition. As far as I know, there is also no way to prevent someone from changing their name and basically preying upon legitimate players.



As I mentioned earlier, you could have a server take over some of it, and it wouldn't necessarily lag as much as you might think. Consider Sins of a Solar Empire. It has a basic authentication server, and a checksum server that merely makes sure that the 'stream' of data is being hosted partly by all players while the client itself discreetly pings an encrypted and assembly coded message to the other clients to make sure that each of the clients is not only synched, but that there is no anomaly in data (i.e. suddenly enemy starbases/dreadnaught at your home world, or going from broke to rolling in all minerals.) With it being turn-based, it would actually lag LESS than Sins, which is a RTS that must calculate AI movement constantly rather than in bursts.

Actually i know 2 ways to cheat in multiplayer:



1. Custom races with all positiv traits



2. Instant Research / Building by Memory editing



both works in MULTIPLAYER !



Fix this ASAP pls.

FallenSeraph wrote:
There are a couple possible ways to prevent this from occuring actually. Set up a 'cloud' based server or two that would basically do the same thing as a steam file verification. It would check and see if all file types and sizes are correct for the process, and that nothing had 'hooked in' to the client such as a CE or UCE. This would limit modding significantly and that would be bad for the community, but would be a temporary fix until they release their own mod tools that could bypass this.



You could also use this type of server as a 'quicksave verification' type server. In this fashion, it would record a text sheet of the current economy and research values of the human players and compare them on a turn by turn basis. It should easily show discrepancies in gameplay and can both report it in-game and to administrators so they can take further notice. The down side would be that this could cause a very small latency increase because it's uploading a stat sheet, and that Amplitude would have to actually develop the system, AND host an additional server to do this... Unless they manage to do it through an internal server that runs through the initial verification server?

Though all solutions are possible, none of them seem particularly practical. Having to reach out and touch the server every time a turn is ended sounds like a great way to eat up more time in between turns. Also, the most powerful of "cheats" is done through modification of a save file which would bypass any of the CE or UCE checks because the file its self is vulnerable. A review board could be set up like LoL and cases could be examined and then reported. But a fed faction could look abusive to someone. We aren't league play so I don't see people really pushing a constricting system.

There are a couple possible ways to prevent this from occuring actually. Set up a 'cloud' based server or two that would basically do the same thing as a steam file verification. It would check and see if all file types and sizes are correct for the process, and that nothing had 'hooked in' to the client such as a CE or UCE. This would limit modding significantly and that would be bad for the community, but would be a temporary fix until they release their own mod tools that could bypass this.



You could also use this type of server as a 'quicksave verification' type server. In this fashion, it would record a text sheet of the current economy and research values of the human players and compare them on a turn by turn basis. It should easily show discrepancies in gameplay and can both report it in-game and to administrators so they can take further notice. The down side would be that this could cause a very small latency increase because it's uploading a stat sheet, and that Amplitude would have to actually develop the system, AND host an additional server to do this... Unless they manage to do it through an internal server that runs through the initial verification server?

Currently, modifying the game's dust and research time can all be handled through save or modifying the in game values...but in the long run it isn't exactly practical. FIDS are constant updates so if you have 100k dust yay, but if your economy is shit you won't have it for long. The true king would be unlock all research and that would be pretty obvious to see if the person is an idiot. Also Tech victory in under...idk 130 turns would be pretty damn suspicious hehe.

I was sadly expecting this as people seem to cheat in just about every game when given the chance. Hopefullyto be u those find using cheats will be banned and those cheats were be removed.

Mansen wrote:
You reversed what I wrote - the game has the players hosting the game themselves - it doesn't host a game for them on a company server.

Sorry misunderstood that

Think this goes to the Core network mechanics.



Maybe there is a way to See the Data as legit that the majority of Players has...



At least implement some Kind of Text popup that says something about the async value. So Players could Tell by simply Looking wether its a Hack to get an advantage or its anything Else.

DanteOne wrote:
Yeah u can manipulate a Running Game that u havent hosted.



BTW: if there isnt a Host, why does the game end if the "Host" leaves??



My iPhone makes a Lot of Capital letters...

You reversed what I wrote - the game has the players hosting the game themselves - it doesn't host a game for them on a company server.

Mansen wrote:
Basically you change values in the game while it is running, Strig. Depending on the value, it might just carry over to the other clients - they depend on the information being fed from the other players to be true. After all, why wouldn't they.



Player A changes his dust to 12000, (data gets sent to all other players), Player B's game only handles his own economy so it doesn't see any problems with the sudden change - it doesn't care.

This I didn't know. Okay, never mind then. I withdraw now ^^;;

Yeah u can manipulate a Running Game that u havent hosted.



BTW: if there isnt a Host, why does the game end if the "Host" leaves??



My iPhone makes a Lot of Capital letters...

Basically you change values in the game while it is running, Strig. Depending on the value, it might just carry over to the other clients - they depend on the information being fed from the other players to be true. After all, why wouldn't they.



Player A changes his dust to 12000, (data gets sent to all other players), Player B's game only handles his own economy so it doesn't see any problems with the sudden change - it doesn't care.

DanteOne wrote:
well but as long as memory editing works in multiplayer its an serious issue cause i dont know how to proof wether someone is cheating with that way. is there any possible fix?

I don't know about a fix (I don't know much about computers in general), but if you are concerned about people editing their multiplayer saves, try to make sure you're the one hosting the games. They wouldn't have any bonuses that they edited into their own save files, as the game would be picking up off of your own.

DanteOne wrote:
well but as long as memory editing works in multiplayer its an serious issue cause i dont know how to proof wether someone is cheating with that way. is there any possible fix?

Like I said (albeit not in detail), the game operates on a peer to peer basis. That means one of the players hosts the game - there is no "server" involved as you'd expect from MMOs and such games. This inherently allows for a lot of possible cheating that you wouldn't have with dedicated remote servers.



But - the game clients can try and keep check of each other. If one person suddenly gets a 8000 point production boost and the others don't see this happen naturally, they can inform the players of it. But this is all theory - I have no idea how/if the devs are going to handle all this.

well but as long as memory editing works in multiplayer its an serious issue cause i dont know how to proof wether someone is cheating with that way. is there any possible fix?

The first one should be fixed in the current/next patch.



As for the second one - memory editing is an all to familiar issue in Peer to Peer games. You can't really protect against it completely. But some consistency checking could probably fix most of it.