I believe that in order to be good at defending your game against exploiters, you need to have good knowledge on how the exploits work also.
The majority of the exploits devs are currently dealing with in Roblox are injector based, and the actual client stealing is done from the client side, i.e., all the stuff the game puts inside the local client.
Therefore, from my experience, by only putting the bare minimum (stuff which the client is ACTUALLY running at the time) into the client, you reduce the amount of stuff stolen. As exploiters cannot steal anything (at least to my knowledge) in the server. With this prerequisite in mind, I’ll evaluate your points.
- You are effectively ruining User Experience at a loss. This does not prevent interception through an injector and neither does it hinder it effectively. Your “RunService:IsStudio()” suggestion does not work either as this would not run during a studio session and if someone were to inspect your game within the game itself it would do no good either. Naming does nothing either as you can simply search for contents; but, what I mentioned earlier would make this useless anyways.
You’re not affecting user experience at all by having a script which checks the owner of the game. Since, if the owner is the right owner, then the script does nothing, meaning the user is not affected at all. “RunService:IsStudio()” is just a way for the script to make sure it doesn’t act up when bug testing during studio sessions, making it an extra hurdle for hackers to go past. This is similar to renaming.
Now, I understand that good scripters will be able to find these immediately if they were to look for them, but it still filters out a chunk of potential hackers. Again, this is a suggestion for how to REDUCE exploiting, not to completely prevent it.
- This also damages User Experience. The less reliance on the server you can have for the client the better. This should never be done and most things if used on the client should be in a container that replicates to the client. The more reliance you have on the server means the more likely that users with higher latencies will be stuck waiting for the assets to load for them.
Again, you miss the point of the post, that you ONLY spawn the models in when the players need them. Not that you keep spawning things in and out to lag the game. I am not saying you should completely ignore client side and have all coding done on the global. I am simply saying to not keep everything inside the client at all times, especially the things which the client does not need. I am suggesting to only put the bare minimum. For example, if a player is in a game, they don’t need to have access to a model 5000 studs away, so that model could be safely stored in ServerStorage, replicated into rep storage when needed, and then cloned to client when the player gets close. This actually REDUCES lag as you reduce parts being rendered, though I have also acknowledged it could cause lag spikes as the player gets close.
- This is terrible for User Experience and here’s the situation in reality: If most exploiters won’t be able to steal the game because of the amount of instances, it’s not because they can’t download it but it’s because they can’t load it in the first place. If the exploiters can’t load the place then neither can your users. This is the best way to look at this point.
I did acknowledge in the original post the implications of lag, but it is a balancing act. I did also say that the instances would be loaded in after the player joins via scripts on the client. If they were put inside the replicated storage, they would not affect the playing of the game much, as they aren’t being rendered anyways. However, the moment that the game is about to be stolen, they would all cause the exploiter to lag trying to download it, increasing the filesize they need to download.
- Exploiters don’t publish the games they steal and when they do they don’t do it to make their own game. Plenty of exploiters steal off popular games because they contain contents that are valuable and that can be repurposed for other instances. Triple A Games also do NOT do this at all. Their security is just as good as Roblox’s. Also what you mentioned about Triple A Games being Open Sourced is for the most part to my knowledge - completely FALSE. They are not Open Sourced and if they were people would be taking valuable technologies from them left and right.
Again, this has been acknowledged in other points. The majority of devs facing this problem is exploiters stealing their models/scripts, and selling them off as their own. If you’re untrusting of companies having open sourced projects, just take a scroll at Unreal where you could literally take any code and edit it as your own.
- This is by far the only valuable and reasonable listing here. You can submit a DMCA to an individual given that there is enough legal evidence that this infringes on some property. Now, I am not a lawyer so I cannot go further than what I am legally educated of - this applies to you as well. You can raise the option and its existence but do not go further as to act as if you are fully aware of the workings and meanings that define this.
I am assuming you’ve never filed a DMCA. DMCAs cause so much hassle, and they cost money that many developers simply don’t have or are unwilling to afford. As well as this, the legal repercussions cause so much strife too. I acknowledge that Roblox does a great job at answering emails and taking these down. And that is why this last point is put last, because it is a last ditch if the exploiter did publish your full game. If they are just selling models, Roblox can’t do anything.
Overall, I thank you for your reply, but such things aren’t as easy sometimes. DMCAs are often advised by lawyers to only be used as a worst case scenario, due to the hassle they cause. Going against exploiters is very useful, and not useless. Just because there will always be that one person who can hack your game, it doesn’t mean you should do absolutely nothing to protect your game from hackers.
Similarly, just because exploiters can leak your game, it doesn’t mean you should make it easier for them to do so. Of course I am against protecting your game at your user’s expense. However it is important to take an objective view to balance out the pros and cons of each method, and doing what suits your game.
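The spawn-when-needed approach described in this post, as an added Luau example that is not part of the original post or the poster's own code. It simplifies the described flow by parenting models straight into Workspace rather than through ReplicatedStorage; the folder names `DistantModels` and `StreamedModels`, the radii and the check interval are assumptions.

```lua
-- Added example: server Script (e.g. in ServerScriptService), not the poster's code.
-- Models sit in ServerStorage, which is never replicated to clients, and are only
-- moved into Workspace while at least one player is close enough to need them.
local Players = game:GetService("Players")
local ServerStorage = game:GetService("ServerStorage")
local Workspace = game:GetService("Workspace")

local LOAD_RADIUS = 500    -- studs; assumed value
local UNLOAD_RADIUS = 600  -- larger than LOAD_RADIUS so models do not flicker at the edge
local CHECK_INTERVAL = 1   -- seconds between sweeps; assumed value

local stored = ServerStorage:WaitForChild("DistantModels") -- hypothetical folder name
local live = Workspace:WaitForChild("StreamedModels")      -- hypothetical folder name

-- Distance from the model's pivot to the nearest spawned player character.
-- Returns math.huge when no character exists, so nothing loads for an empty server.
local function nearestPlayerDistance(model)
	local origin = model:GetPivot().Position
	local nearest = math.huge
	for _, player in ipairs(Players:GetPlayers()) do
		local character = player.Character
		local root = character and character:FindFirstChild("HumanoidRootPart")
		if root then
			nearest = math.min(nearest, (root.Position - origin).Magnitude)
		end
	end
	return nearest
end

while true do
	-- Bring in stored models that a player has come close to.
	for _, model in ipairs(stored:GetChildren()) do
		if model:IsA("Model") and nearestPlayerDistance(model) <= LOAD_RADIUS then
			model.Parent = live
		end
	end
	-- Return live models to server-only storage once everyone has moved away.
	for _, model in ipairs(live:GetChildren()) do
		if model:IsA("Model") and nearestPlayerDistance(model) > UNLOAD_RADIUS then
			model.Parent = stored
		end
	end
	task.wait(CHECK_INTERVAL)
end
```

A model parented under Workspace can be replicated to every connected client, not only the nearby player, so this limits what a client holds at any moment rather than hiding a model from a client that is already connected.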