• andyburke@fedia.io
    link
    fedilink
    arrow-up
    3
    ·
    8 months ago

    I think by the end of your message you were starting to arc around a little bit to the right way you need to think about clients: as outside your security envelope. (TPM is a joke in my mind, just like client side anti-cheat.)

    There are many ways to try to identify and stop cheating on the server side that have not been explored because executives have directed use of off-the-shelf anti-cheat because they do not understand why it is snake oil.

    • Dark Arc@social.packetloss.gg
      link
      fedilink
      English
      arrow-up
      1
      ·
      8 months ago

      TPM is a joke in my mind

      I thought this at first as well, but they have an interesting property.

      They have a manufacturer signed private key. If you get the public key from the manufacturer of the TPM, you can actually verify that the TPM as it was designed by the manufacturer performed the work.

      That’s a really interesting property because for the first time there’s a way to verify what hardware is doing over the network via cryptography.

      • andyburke@fedia.io
        link
        fedilink
        arrow-up
        2
        ·
        8 months ago

        Or, if I can extract that key from the hardware, I can pretend to be that hardware whenever I want, right?

        • Dark Arc@social.packetloss.gg
          link
          fedilink
          English
          arrow-up
          1
          ·
          8 months ago

          Hmmm… I was going to say no because it’s asymmetric crypto, but you’re right if you are somehow able to extract the signed private key, you can still lie… Good point

          • yggstyle@lemmy.world
            link
            fedilink
            English
            arrow-up
            2
            ·
            8 months ago

            Got some bad news. They already can do that. It’s a very low effort attack too. Current TPM spits its key out in clear text. Funny right?