Most active commenters
  • beeboobaa3(4)

←back to thread

We outsmarted CSGO cheaters with IdentityLogger

(mobeigi.com)
379 points mobeigi | 12 comments | 16 Oct 24 18:18 UTC | HN request time: 0.617s | source | bottom
1. beeboobaa3 ◴[16 Oct 24 19:13 UTC] No.41862701[source]
I hope they asked permissions for storing those cookies. Otherwise they're violating various EU laws.
replies(6): >>41862795 #>>41862897 #>>41862983 #>>41862995 #>>41863047 #>>41876533 #
2. latexr ◴[16 Oct 24 19:20 UTC] No.41862795[source]
Not every cookie requires consent.

https://commission.europa.eu/resources-partners/europa-web-g...

In this case, this one might fit:

> User centric security cookies, used to detect authentication abuses and linked to the functionality explicitly requested by the user, for a limited persistent duration

replies(1): >>41864097 #
3. unsnap_biceps ◴[16 Oct 24 19:30 UTC] No.41862897[source]
GDPR didn't take effect until May 2018, this only worked until October 2017.
replies(1): >>41863073 #
4. mobeigi ◴[16 Oct 24 19:38 UTC] No.41862983[source]
Great point!

This community is Australian & New Zealand based, we had 0 European players or visitors. And as @unsnap_biceps this predated GDPR compliance.

You are right though that you wouldn't be able to do this in Europe today because asking for fingerprinting consent defeats the purpose because the hacker would likely quickly figure out what is happing and circumvent it.

5. leoff ◴[16 Oct 24 19:39 UTC] No.41862995[source]
LOL
6. ketkev ◴[16 Oct 24 19:42 UTC] No.41863047[source]
I'm not a lawyer, but I think this actually has some interesting things to think about. Not all cookies require consent under the ePrivacy directive, there is an exception for cookies that are "strictly necessary for the delivery of a service requested by the user". I think that'd fit in this case, since providing a cheater free experience is part of the "service" the players are looking for. At the same time, the ePrivacy directive also mentions that the user should be provided with "clear and comprehensive information" about what is stored. Providing that would render the cookies useless.

I don't know how these would balance each other out legally, but it's fun to think about

replies(1): >>41864110 #
7. ketkev ◴[16 Oct 24 19:45 UTC] No.41863073[source]
GDPR is about the processing of personal data. Cookies (and such) are subject to 2002's ePrivacy directive
8. beeboobaa3 ◴[16 Oct 24 21:38 UTC] No.41864097[source]
It's clearly a tracking cookie.

> for a limited persistent duration

FTA:

> However, the VGUI browser had no issues saving cookies with expiry dates exceeding 10+ years!

So no, it doesn't even qualify.

replies(1): >>41866293 #
9. beeboobaa3 ◴[16 Oct 24 21:40 UTC] No.41864110[source]
No, that doesn't count. Companies have tried arguing that their ads' tracking cookies are strictly necessary otherwise they wouldn't be able to offer their services (ads pay the bills). And yet, they require consent.

Preventing cheaters is similar. And this is blatantly a tracking cookie.

replies(1): >>41864474 #
10. eqvinox ◴[16 Oct 24 22:26 UTC] No.41864474{3}[source]
You aren't considering that ad cookies/tracking are used to enable a service to someone else (ad buyers), while this anti-cheat tracking cookie is used to enable a service to the user themselves (a cheat-free gaming experience.) I think that may make the difference.

Also, all of this was in 2017. Anyone doing it in 2024 should indeed run it past a lawyer.

11. blahyawnblah ◴[17 Oct 24 04:00 UTC] No.41866293{3}[source]
10 years is a limited duration
replies(1): >>41869414 #
12. beeboobaa3 ◴[17 Oct 24 13:19 UTC] No.41869414{4}[source]
So is a million years. Not how it works.