
I'll chime in here as a game developer: my upcoming release will be an NES cartridge[0] and probably a Steam app. I'll be adding no DRM, because I generally trust that folks that weren't going to pay aren't going to be converted by its presence, and that honest folks want to support my work. Whether the storefronts I release on add their own is up to them, and frankly I don't care.

Separately though, anti-cheat is another ball of wax entirely, and I have extremely mixed feelings in this field. Generally I favor "cheat detection should be serverside, don't trust the client" from a general security perspective, but... I can totally see a valid case in there, somewhere, for more rigorous clientside checks. Somewhere along that line though are rootkits and malware, and... well, no, please tell me up front that you loaded your game engine with these things so I can save my money and purchase something else, thanks.

[0] Using a custom mapper, which will help initially to discourage low-effort bootlegs at the very least. It's open source though, and will not be too difficult to add to emulators, at which point the dumped ROM should play fine on them.



> Generally I favor "cheat detection should be serverside, don't trust the client" from a general security perspective, but... I can totally see a valid case in there, somewhere, for more rigorous clientside checks.

Yeah...

The simple fact is, it's simply not possible to have completely server-side cheat detection simply because you'll be relying purely on heuristics which could very well be wrong. It's just not going to be possible to tell the difference between a cheater and a really good player.

For any cheat detection to work, it has to be client-side.


And the counter is fairly straightforward: any client-side cheat detection has been broken. You can't trust the client. It doesn't work, your server just thinks it works because it's lying to you now.

Client-side cheat detection can work for tournaments, but it's way simpler there: the tournament provides the hardware, and the players aren't permitted to install anything. This doesn't irritate me quite as much from a security perspective of course, because I am not about to log into my banking site on the presumably insecure tournament device. It's also imperfect: a sufficiently motivated pro player might bypass whatever locks you installed on the thing, especially if they get to spend any time with that device unmonitored.

Even better than that, tournaments have a way better cheat detection method anyway: point a camera at the player's hands. It's suddenly really, really obvious if they're cheating!


I think an overlooked approach is the Snapchat model. Absolutely littered with client-side integrity checks coupled with an automated obfuscation solution so that the checks in each binary end up being wildly different. Then you frequently push an updated binary and refuse to operate with out-of-date ones.

At least for competitive AAA titles I don't see why there couldn't be a daily update of the core binary. None of the assets would change so it wouldn't be a large update by any means. In effect it would prevent cheating by imposing impossible work and latency requirements on the tool authors.

The cost of doing this is employing at least one person with deep compiler knowledge who is capable of maintaining the automated system. Obviously that's far too much to ask of indie devs and is probably also out of reach for older titles in most cases.

This is of course all aside from the obvious and common-sense but more expensive solution of player flagging, human review, and a binning algorithm (such as trust factor). It avoids needing to ban anyone in the first place and has the added benefit of being at least mildly effective against computer-vision-based botting solutions (for which there is fundamentally no solution).

Or just private servers and let the individual admins sort it out, but god forbid players be permitted to run their own communities; corporate might lose out on profit if that were a thing (can't risk another DotA after all).



