Doom Eternal recently got its first major update, and it brought some awkward baggage along for the ride. Yes, everybody’s favorite privacy popper, Denuvo, is back!
Denuvo Anti-Cheat is different from the usual Denuvo Anti-Tamper that you’re used to hearing about, but in terms of security risks and privacy concerns the two share very common ground.
As a result, fans are furious. They’ve review bombed the game hard as they protest the anti-cheat measures, but neither Bethesda nor id Software look like they’re going to back down. Still, if Denuvo is a deal breaker for you and it suddenly appears in a game weeks later, I can understand the upset.
#DoomEternal #Doom #Bethesda #idSoftware #Denuvo #DRM #AntiCheat #Cheating #Online #Multiplayer #PC #Controversy #JimSterling #IndustryBS #Steam #Reviews
As always, awesome alliteration astounds your audience.
Fun fact, Linux users can’t play the game anymore because of this. Also, this has shades of Starforce all over it.
PIRACY: Where your illegal download is less dangerous to your computer security than the official release!
honestly, this is more like encouraging people to pirate the game LOL
This is why I can’t ever truly condemn pirates.
When sailing the high seas gives you a better experience than the actual bought product you know you are dealing with the games industry.
i came here specifically for that ‘bethesda is naughty’ dance. i was not disappointed.
After I updated doom I immediately started having blue screen crashes and had to do a full system restore. Not saying it was Denuvo… But it was Denuvo .
Remember, Developers don’t think you own their games. They believe you are just enjoying the “experience” so can, and will, do whatever the hell they want to their “product”, damn your concerns…
This is why we need a return to consumer advocacy. If you pay for something you should own it and have a say in how it affects your property, say like a very expensive PC.
Denuvo has more access to your computer than you. That’s how messed up it is.
If a game gets review bombed for adding something to the game that its players don’t like that’s the player-base expressing their opinion. Last I checked reviews were meant for you to express your opinion on the game.
It’s actually illegal to do this in Australia under consumer laws
I’m a cyber security professional, working at a senior level and giving conference talks on security matters to technical and non-technical audiences. I’ve had friends ask me what I think about Valorant and Doom Eternal / Denuvo implementing kernel level drivers for detecting cheaters. There’s a tension between gamers, game developers and security professionals, and I wrote the following over on Twitter, discussing the issue, and what i think can be done going forward.
Firstly, let’s look at the three sides at play here:
Gamers want to be treated fairly, but generally also generally want to be sure that any competitive online play is actually fair for all. The problem is that once a cheat starts to be used, it becomes rapidly adopted as that’s seen as the new fair playing field.
Game developers need a healthy online community around their game in order to be able to promote it and run events and support any further development. They need to be able to detect and securely react to the presence of any cheat engine.
Security professionals, including operating system developers, need all developers to follow best practices. Applications only should have high level system access if they absolutely need it, and as a rule, games don’t.
So what is it that concerns us security professionals about these anti-cheat systems?
There’s three big risks from the kernel level access required by Valorant or games using Denuvo anti-cheat (like Doom Eternal). Firstly, there’s a huge risk to player privacy. By definition, anti-cheat programs have to invade player privacy to try & spot cheat apps.
By going for full kernel level access, they now though can freely access any file they want, without asking for the player’s permission. This potentially includes a user’s passwords if they’re not using any secure means to store them (like a password manager). It also allows full snooping of all network traffic, and arguably needs to in order to detect certain forms of cheating. It also allows reading of other programs’ memory, so even encrypted network traffic could be intercepted. No private discussions over discord any more!
The second issue with a kernel level anti-cheat system is that it can make changes without the user’s permission. If the system believes that an open source application is actually cheater software, it could close the program or delete the files. Or if a developer decided to play dirty, it could corrupt your installation of a competitor’s game. As a developer, this is a big reason why you should be avoiding this level of access – it’s not a good look to ask for permission to potentially do this.
All of these changes or snooping could be made without the user knowing they’ve been performed, so it’s a big risk. The third issue, however, is the one that most concerns me – hijacking of the anti-cheat system. Game developers know about the above issues, and generally go to great lengths to ensure that their anti-cheat system doesn’t do anything improper. But malware developers are actively looking for the next undefended way to gain exactly that sort of access for themselves. The big concern a lot of us in the security community have over Valorant & Doom Eternal’s kernel level anti-cheat protections is that these systems will be used as ways to infect user’s machines. Where ways to gain access exist, the bad guys will do anything to abuse them. Competitive online games have been big business for decades now, and back in 2002 and earlier we were dealing with phishing campaigns and malware associated with them. Now it’s even worse. And even for malware not aimed at gamers, some malware families use a suite of different attacks. Denuvo anti-cheat will be common enough to be a tempting target for home users.
Almost by definition, these anti-cheat programs will be heavily attacked by the bad guys out there. People will want to use cheats or remove the invasive anti-cheat system, so any weaknesses they have will be found, sooner or later. This means when you use a game that has such a system, you are placing huge trust in the developer to be able to write super secure safe code that can’t be abused by an attacker. You’ve played games, right – are they always bug-free?
But as I said above, anti-cheat systems are here to stay. Developers and gamers alike need them. So what can we do about this situation? I have two ideas, both of which I think should be followed. Firstly, game and anti-cheat developers need an industry agreed code of practice. Where possible they should open source, be transparent about the functioning & build chain used, have requirements for security testing, and bug bounties put in place. As a long time follower of Jim, I too have little faith in the industry to have meaningful standards and do the right thing, but it’s better than nothing, and they could ask cyber security bodies to actually write and review the standard.
Secondly, the real solution to this is for game developers to shift the weight of the problem to the people who are best placed to address it – Operating system and Antivirus developers. Rather than stealing kernel level access, they should be given safe windows in. AV vendors could agree a standard API, or Microsoft could implement a DirectX library for cheat detection & a means for the OS to prevent games from working properly if a cheat is detected. Valve & Epic could also offer similar tools for games running from their platforms.
Sidenote: turns out that anti-cheat systems have been cheating the system themselves, reading kernel memory to try and discover undocumented Windows features. This is extremely against proper coding practices for Microsoft systems, and is why anti-cheat systems often cause system crashes.
The worst part is that the online mode is such a small part of the game but you need Denuvo anti-cheat to even play singleplayer. The moment you launch the game it asks you if Denuvo can make changes to your computer, if you say no you can’t play untill you say yes. That feels like hostaging your purchase.
You should be able to request a refund when something like this is dumped on a game after release without any prior warning. What you bought isn’t what you bought anymore. It’s anti-consumer and fraudulent.
Imagine you buy a can of mayonnaise, you put it in your fridge, and then someone breaks into your house, pisses into it, and leaves the door open.
As always the pirates get the superior product.
Jim opened my eyes years ago. My hard earned money is precious, game has to earn my purchase, especially AAA.
Time passed, my approach evolved, due to personal circumstances (“f. That bruv, just wait for GotY”); once sorted, didn’t feel like going back to the old ways; post launch/post review fudgery with games (especially after review period), has proved me right. Time & patience only empowers you 🙂
Thank you Jim and greedy publishers/devs, for making me a smart customer. Have to give credit where it is due
Why does everything have to be “live service” these days? (I know, because money). What annoys me the most isn’t even “live service” games that were designed to be that way. It’s how they shove this bullshit system into single player games that have nothing to do with it, like they’re doing with Doom Eternal. Fuck off with your “events” and your “double xp” bullshits.
They tend to say “Anti-Pirate” or “Anti-Cheater”, yet it always boils down to Anti-Gamer. Always.