One of the main tenants of the open source philosophy is that security by obscurity (i.e thinking that something is secure because the source code for that thing isn't available) is a flawed concept. If you code something "openly" to be secure then you can't leave security holes in there- they will be spotted and patched out by the open source community. If your source code is closed security holes can go unspotted for years until some whiley cracked figures them out and exploits them.

This is all well and good, but think about this from an online gaming point of view. When the source code for QuakeWorld was open-sourced by ID Software the QW community was devastated by a huge influx in cheaters, using hacks derived from the now-available source code. The very nature of online games (where lag prediction needs to be taken into account) means that it is essential for the PC to "know" more about the game world than it passes on to the player. Unfortunately this means that a code modification can make this information available as a cheat. Take for example the infamous "see through walls" hacks. The computer needs to know the position of other players within the gameworld without the player knowing about them in order to keep the screen updated should a network problem temporarily break the stream of information. Unforunately this means that security by obscurity is a necesity in order to prevent the player from illegally acessing this information.

Another example: The Asus cheat drivers. The discussion on slashdot about these brought up a great deal of support from the open source community for the drivers - anything that gives you more control over your underlying hardware is a good thing. One person even pointed out that the fact that the drivers can show you tstuff "through walls" is an indication that the graphics engine code is flawed, in that it is rendering polygons and then covering them up with other polygons to make them invisible.

My point? I'm not sure that I've got one. I suppose the big question is "Is it possible to create an open source multiplayer FPS game engine without making it incredibly easy for cheaters to 'hack' the engine and give themselves an unfair advantage?"

References:
Slashdot Topic (http://slashdot.org/article.pl?sid=01/05/16/2125257&mode=thread)
Eric Raymond spiel on open source Quake (http://www.tuxedo.org/~esr/writings/quake-cheats.html)

Some random thoughts:

If you are building a server-based multi-player
game, you can choose to trust the client, of you
can choose to not trust the client. If you are
giving the client any information that you would
not give the user, or if you are trusting the
client to give you information that you would
not accept from the user, then you are trusting
the client. This trust can be of differing
extents: you could be trusting the client to
tell you when the user has killed another
player (high level of trust) or you could
simply be telling the client that a certain set
of polygons are all part of the same object
(a much smaller level of trust).

Most FPS/action games trust the client to some
extent, for technical reasons. Doing all of the
rendering on the server and sending every frame
over the network is technically unfeasible at
the moment.

If you are trusting the client at all, then that
trust can be broken. Technical measures can make
it difficult, but not impossible. At the most
extreme end, the user's hardware could be
secure. This would be non-trivial to achieve.
Movements are being made in this direction
(Windows XP), but more with the aim of
controlling digital content (hey, now you can
pay every time you play a music track, not just
once!), and is a Very Bad Thing. And to
reiterate, it would only make things more
difficult (and possibly illegal under DMCA-like
legislation). People will still cheat.

Even if you are not trusting the client, there
is no information-theoretical way to tell if
you're talking to a player at a computer, or
a player using a computer to help them control
their character, or just a computer. Reducing
trust of the client can help (aiming proxies
know where another player is because the server
tells them) but even that only makes cheating
more difficult (even if all rendering is done
server-side, image recognition technology will
advance and aiming proxies will use that
instead).

Solutions? Gaming tournaments for real money
will have to take place in carefully controlled
environments. Computers will aid players in on-
line games. You can either try to make that as
hard as possible, or you can allow it in the
same way that F1 teams can build their cars as
well as the can to help the driver get around
the track (I'm not saying that this would
necessarily work in gaming). Perhaps Internet
cafes will povide controlled gaming
environments, so that if you can be
(cryptographically) sure that another player is
playing from a McInternet Cafe (or whatever),
then you can know they're not cheating.

"Making it difficult" might be enough to reduce
instances of cheating to tolerable levels, but I
wouldn't want to bet too much on it.

On a personal note, I find the ability to cheat
reduces my enjoyment of a game even if no-one is
cheating. The engineer in me sees that there is a
more efficient/effective way of playing and not
using it leave me feeling somehow unsatisfied :(

AEF

ROFL @ "The engineer in me sees that there is a more efficient/effective way of playing and not using it leave me feeling somehow unsatisfied :(" :D - Thank goodness my fledgling hacker instincts haven't nearly got that far yet...

You make some excellent points about trusting the client. I suppose that's really the focal point of the whole issue - you have to trust the client, but trusting the client is in itself an inherent security flaw.

The Cyberathletes Professional League has taken off in such a big way based solidly on the fact that their tournaments are all in controlled LAN environments where cheating is just not a possibility. The idea of the ccomputer being able to control information to the point where the client can be trusted (as in your Windows XP example) is truly horrifying, but with the rise of the Open Source movement I honestly don't see it happening - at least not to intelligent computer users ;)

On a completely off-topic note - do you post on usenet a lot? You add a line break at the end of every line which is something I've never managed to do without thinking about, so I presume this comes from habitual posting on newsgroups and the like?