That’s a false dichotomy though. There are ways to prevent cheating that don’t rely on the security of the client against the owner of the device on which the client runs (which is what both of what your ‘ways’ are).
For one thing, it has long been a principle of good security to validate things on the server in a client-server application (which most multi-player games are). If they followed the principle of not sending data to a client that the user is not allowed to see, and not trusting the client (for example, by doing server-side validation, even after the fact, for things which are not allowed according to the rules of the game), they could make it so it is impossible to cheat by modifying the client, even if the client was F/L/OSS.
If they really can’t do that (because their game design relies on low latency revelation of information, and their content distribution strategy doesn’t cut it), they can also use statistical server-side cheat detection. For example, suppose that a player shoots within less than the realistic human reaction time of turning the corner when an enemy is present X out of Y times, but only A out of B times when no enemy is present. It is possible to calculate a p-value for X/Y - A/B (i.e. the probability of such an extreme difference given the player is not cheating). After correcting for multiple comparisons (due to multiple tests over time), it is possible to block cheaters without an unacceptable chance of false positives.
Effectively doing that server-side would substantially increase the bandwidth requirements though.
If we take wallhacks as an example, that takes place entirely in the local rendering pipeline. In a game like Battlefield or Counter Strike, smoke and foliage are used for tactical purposes.
Aimbots read player location data sent from the server and send input commands to the OS to automate headshots.
Preventing local memory from being read and modified outright prevents (well, substantially raises the skill ceiling) for performing these kinds of hacks.
I have a hard time envisioning a server-side solution to those.
That’s a false dichotomy though. There are ways to prevent cheating that don’t rely on the security of the client against the owner of the device on which the client runs (which is what both of what your ‘ways’ are).
For one thing, it has long been a principle of good security to validate things on the server in a client-server application (which most multi-player games are). If they followed the principle of not sending data to a client that the user is not allowed to see, and not trusting the client (for example, by doing server-side validation, even after the fact, for things which are not allowed according to the rules of the game), they could make it so it is impossible to cheat by modifying the client, even if the client was F/L/OSS.
If they really can’t do that (because their game design relies on low latency revelation of information, and their content distribution strategy doesn’t cut it), they can also use statistical server-side cheat detection. For example, suppose that a player shoots within less than the realistic human reaction time of turning the corner when an enemy is present X out of Y times, but only A out of B times when no enemy is present. It is possible to calculate a p-value for
X/Y - A/B(i.e. the probability of such an extreme difference given the player is not cheating). After correcting for multiple comparisons (due to multiple tests over time), it is possible to block cheaters without an unacceptable chance of false positives.Effectively doing that server-side would substantially increase the bandwidth requirements though.
If we take wallhacks as an example, that takes place entirely in the local rendering pipeline. In a game like Battlefield or Counter Strike, smoke and foliage are used for tactical purposes.
Aimbots read player location data sent from the server and send input commands to the OS to automate headshots.
Preventing local memory from being read and modified outright prevents (well, substantially raises the skill ceiling) for performing these kinds of hacks. I have a hard time envisioning a server-side solution to those.