Linked GUID's: Article by: !AR!BlackHawk

07-24-2009, 01:22 PM
When Anti-Cheat enters the Unknown (Linked GUID's):
Article by: !AR!BlackHawk - SEO Admin Request Networks (http://www.adminrequest.com)

While the anti-cheat community was formed back in the old gaming days, nobody ever thought that the system itself could turn into a self-destructing program, something that might damage the reputation of many respected anti-cheat organizations currently available on the internet.

To understand the situation we need to completely understand how the anti-cheat system has developed throughout time. Let us take the example of the well developed program "PunkBuster" produced by EvenBalance Inc. back in the year 2000.

PunkBuster was one of the first tools actually able to counter the growing amount of multiplayer cheats. It gave game server administrators and game developers a large amount of tools which enabled them to catch cheaters and set custom game rules.

The anti-cheat software itself automatically checks all the client side settings & files and compares them against a blacklist with known client side cheats. If a cheat is detected, it automatically prevents the player from playing on the server and places them on a ban list managed by EvenBalance Inc.

While this worked for a long time (and still does), there have always been some technical issues which couldn't be solved. As the system was developed to detect cheats through a blacklist, the system first requires the cheats to be processed by PunkBuster. This has one major drawback, because unknown (private) cheats do not get detected until the PunkBuster software is able to recognize the signature of the cheat file. Because of this, many people have felt let down by the software because new cheats don't get detected until EvenBalance decides to target the cheat that gets used. The frustration of this issue caused small groups to create their own system, using PunkBuster to spread a custom ban list to the game servers that have signed up.

This very clever idea functioned very well but had one issue. Many cheaters use more than 1 GUID to cheat on a game, or have different games. To satisfy the community some "smart" people came up with the idea to link all IP's to the GUID used by the players that enter the server protected by their ban list. This way if a user performs a GUID search on a user's GUID, a list of all GUID's used on the client's IP will be displayed, including the ones that have been banned by the community.

In itself this is a very harmless tool, but if misused it could turn itself into a very dangerous snake. Because having a "linked GUID" to a GUID that has been banned doesn't prove that the person also cheated on the other GUID's, and doesn't even prove if it was the same person. Many (if not nearly all) internet service providers (ISP) assign dynamic IP addresses to their clients. This means that their IP address can change every hour/day/week/month/year (depending on the ISP's wishes). This means that I could end up with the IP address of a user that cheated on a multiplayer game.

This would result in my VALID GUID being linked with the GUID of the cheater. Still, this doesn't say much yet, but if I change IP again and someone else was so unfortunate as to end up with the IP of the old cheater, his GUID would end up linked to him too.

Repeating this process would end up with hundreds of IP's linked to GUID's of cheaters and non-cheaters, destroying the accuracy of the whole system. And all of this, just because we want to know if a person has already been cheating before so we can "preban" or deny a user without valid proof.

So do we really want to go that far with the risk of destroying the accuracy of & trust in the system?

(edit GB, typo and message:)
To learn more about Admin Request, go here: http://www.hackhunters.com/forum/index.php?topic=17.msg6448#msg6448

07-24-2009, 04:26 PM
Nice article BlackHawk. Hope you don't mind but I split it so people could discuss this issue.

I don't think any Anti Cheat Organization bans based on Linked GUIDs, that is, GUIDs that are linked based on an IP address. The real danger is if individual Clan Administrators use available Linked GUID data to do a Pre-Ban, like you mention, as one couldn't really warrant the accuracy of the research done on such a ban. But even in this case if an individual clan did pre-ban that is their prerogative as is banning for other offenses like glitching, language, etc. Still I think it's safe to say that everyone in the Anti Cheat community wouldn't want a clan to share that type of information with other clans without them doing their own research.

As you may be aware gCOP is working on a ban list that is directed to the administrator regarding common rule sets clans might employ like no foul language, that other clans can adopt or become part of a particular rule set and be alerted when one clan bans someone for an infraction, but even they say the clan who receives the info of a banned individual should only 'keep an eye on them' and not necessarily ban them immediately.

Still, regarding clean GUIDs that are linked via IP addresses to GUIDs that are banned, there is a way to increase the probability that the GUIDs linked are linked to the same person or different people. I discuss this concept somewhere around here :-\ but really haven't carried the topic further. To take only the GUID and IP and assume guilt is certainly not enough 'evidence' to go on to pre-ban anyone, just as it really isn't enough to use someone's alias. But if you look at all of the data that is currently available, including IP, GUID, Aliases, Servers, Dates, etc., etc., etc., one can increase the probability that you are looking at either the same person or a completely different person. In court, one weighs the evidence to see which way the balance tips. In some cases there needs to be an overwhelming amount of tilt while in other cases there only needs to be a probability. I know in our Gaming world that up to now the expectation is that a ban must be based on Black & White evidence, either innocent or guilty period. I find it odd that in the real world the standard isn't as strict, but understandable when considering credibility of the ACO to begin with. I do feel though that if we increase the sophistication of what is searched one can begin to consider probabilities as a factor to weigh the evidence, but only with an app that can analyze the data in a black & white way.

Ultimately such a system would be verifiable when inevitably the 'so called clean GUIDs' of individuals with a high probability of being a cheater eventually get those GUIDs banned too, once PB updates their stream with info on new cheats.

This whole discussion points out another flaw with PunkBuster (and this is an assumption), that older games are forgotten or less scrutinized leaving them even more flooded with cheaters who are able to run amok for years without detection.

BTW, thanks for the article, great discussion and points to many of the issues and hurdles we'll have to overcome.
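
The two posts above describe IP-only GUID linking and the idea of weighing IP, alias, server and date together. The following is an added example, not part of either post and not any anti-cheat organization's code; the sightings, GUID names, the three equally weighted signals and the 7-day window are all constructed assumptions for illustration.

```python
from collections import defaultdict
from datetime import date

# Constructed sightings (guid, ip, alias, server, day); documentation-range IPs.
SIGHTINGS = [
    ("guid-banned",   "203.0.113.7",   "aimking", "srv-1", date(2009, 1, 3)),
    ("guid-alt",      "203.0.113.7",   "aimking", "srv-1", date(2009, 1, 5)),
    ("guid-innocent", "203.0.113.7",   "hawk",    "srv-9", date(2009, 6, 20)),
    ("guid-innocent", "198.51.100.20", "hawk",    "srv-9", date(2009, 7, 2)),
]
BANNED = {"guid-banned"}


def ip_links(sightings):
    """IP-only linking: every GUID ever seen on an IP is linked to the others."""
    by_ip = defaultdict(set)
    for guid, ip, *_ in sightings:
        by_ip[ip].add(guid)
    links = defaultdict(set)
    for guids in by_ip.values():
        for g in guids:
            links[g] |= guids - {g}
    return links


def corroboration(a, b, sightings, max_gap_days=7):
    """Count independent signals (0-3) that GUIDs a and b are one player."""
    rows_a = [s for s in sightings if s[0] == a]
    rows_b = [s for s in sightings if s[0] == b]
    pairs = [(x, y) for x in rows_a for y in rows_b]
    # A shared IP only counts if both GUIDs used it within the same short window,
    # since a dynamic address may belong to someone else months later.
    same_ip_close = any(x[1] == y[1] and abs((x[4] - y[4]).days) <= max_gap_days
                        for x, y in pairs)
    same_alias = any(x[2] == y[2] for x, y in pairs)
    same_server = any(x[3] == y[3] for x, y in pairs)
    return int(same_ip_close) + int(same_alias) + int(same_server)


def review(guid, sightings=SIGHTINGS, banned=BANNED):
    """Score each banned GUID that IP-only linking attaches to `guid`."""
    return {b: corroboration(guid, b, sightings)
            for b in sorted(ip_links(sightings)[guid] & banned)}


if __name__ == "__main__":
    for g in ("guid-alt", "guid-innocent"):
        print(g, review(g))
```

Both `guid-alt` and `guid-innocent` show up as linked to the banned GUID under IP-only linking, but only the first has any corroborating signal; the second inherited the address five months later.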

07-24-2009, 09:01 PM
No worries, wasn't sure where to post it as it fits both places hehe.

There are indeed nearly no AC(O)'s using linked guid's to ban clients (apart from Respected Admins, but they do a fine job on checking the info).

The main issue is that people see Linked GUID's as valid proof... and tbh, we at Admin Request also received staff applications with people linked to a ban, which at the end also puts you on "alert mode" without 100% proof that it's the same person.

The question really is: "Do we want these kinds of tools" because these tools make innocent players look like cheaters without any 100% proof.

07-25-2009, 11:02 PM
Well, this is like when someone has the same name as someone on a terrorist watch list... I've heard of cases where a 7-year-old has the same name as a terrorist and was detained at airports. It's kind of funny that a mistake like that could be made and at the same time sad. People who behave in criminal ways create conditions in life that put constraints on all of us, but it is something that civilized society accepts for the good of the whole society, like having security cameras in public places. Essentially the general public accepts almost whatever tools are available to keep those who would abuse others away from our lives. The criminal, who is generally self-absorbed, doesn't care about the ramifications on all of us due to their activities and perhaps that in itself only adds fuel to people's determination to put them away, in order to keep them from harming others.

Like terrorist watch lists, linked GUIDs are only a starting point in an investigation. With a little investigation it becomes very obvious who is a cheater and who is not, like identifying that a potential terrorist is actually only a 7-year-old with the same name.

At the same time I understand your apprehension of having an old IP that is linked to your good name. Why would anyone who lives in a good way want to be associated with someone who has no common sense or at the very least no consideration of others?

This brings up a notion I have been considering, that is, for those who will never cheat ever, having them accept only one GUID for their entire gaming history for all games that they buy in the future. That is, one would somehow register on a Universal GUID Registration Site recognized by game manufacturers, and when you buy a game, before you play it, you somehow register its GUID and substitute your own individual Universal GUID. This would limit any question of linked GUIDs or confusion with other players, I believe. The problem as you point out with the current system is in another 10 years the system will be flooded with identities, IP's, GUIDs, etc., making research very difficult and perhaps impossible.

As far as having the existing tools, I say yes personally, keep them all and add additional cross-checks, but there is more work to be done to help separate one identity from another. I've noticed PBBans has added GameTracker and I think GameMonitor links to their database.

As far as IP's changing, I know some do it for security reasons, but do IP service providers do it for the same reason, to protect their customers? My own IP hasn't changed except only once when I bought a router, do people really feel that vulnerable? Considering I live in NYC using TimeWarner one would think they'd do the same... so what's the deal here with IP's anyway?