In Team Fortress 2, there is a group of people who host multiple cheat-controlled aimbotting bots, which run around on servers, destroying everyone playing in the other team. These are called cat-bots.
To host these bots, you need to set up a Linux environment. Then you can use a script, which automatically prepares your system for hosting the bots. One of the things it does is it creates multiple users in Linux (to run multiple Steam instances), all of them starting with "catbot".
Precision is the ratio between correctly-identified cheaters and the total number of people matched by the signature.
Recall is the ratio between correctly-identified cheaters and the total number of cheaters in the system.
In this case, the signature had good recall but poor precision, as those threads describe cases that make it plausible to have a "catbot*" username without cheating.
(I said "had" because the recall rate is going to drop when the string gets changed by the cheat authors. So long-term, the signature is poor on both recall and precision.)
The most problematic issue I see for Valve is not the lack of measurement of precision and recall for their VAC ban signatures, but rather the inability to obsess over their customer experience and react properly when relevant issues in their products are reported.
How so? Of Steam's users that are running linux and have 'catbot' as part of a username on their system, what proportion do you think are running a cheat bot? 99%? 99.9%?
What level of precision would you say it not 'poor precision'? 99.999%?
That changes nothing. Every single anti-cheat mechanism will eventually be identified and worked around, it's a continuous game of cat and mouse. This is why bans are delayed and specific reasons are rarely given, to prevent identification of the specific mechanisms used.
It's like treating a disease with antibiotics, eventually the disease builds a tolerance and you need to find a new drug. By using multiple drugs you can hopefully kill it before it can resist any given drug, but in practice tolerance builds regardless of your best efforts.
These cheats are actually big business nowadays, people have a financial incentive to work around them as quickly as possible.
I don't know any other anti-cheat that has used a blacklisted username as a mechanism. Valve did not bother to obscure any part of this mechanism, they publicly confirmed that this mechanism was banning people due to their name. This is an open source cheat that has not generated any revenue, and it was worked around as soon as it was identified. Regardless, saying that this changes nothing is ridiculous, this mechanism was aimed mostly at cheaters, with some innocent in the crosshairs. Now, all cheaters have worked around this and only innocent are left in the crosshairs.
I was responding to a comment made when "the signature had good recall".
So whilst you have a reasonable point, it's not relevant to the point I was making, which is that the precision of the rule (after implementation, and before discovery) probably exceeded 4 nines, which doesn't seem like 'poor precision' to me, without further detail on the requirements.
And BTW I have no opinion about whether this was a good or bad move by Valve. I don't have sufficient context for that, and my comment was intentionally focused to try and understand what the person to whom I replied thought would be acceptable precision.
> those threads describe cases that make it plausible to have a "catbot" username without cheating.*
Plausible or possible? All heuristics have potential false positives (e.g. maybe someone puts the actual catbot binary in the blockchain, and now all Bitcoin users get banned??). I don't see any evidence in the GitHub thread of someone accidentally hit by this. And I see evidence of one person legitimately being hit by this (someone claiming that they are running the bot, just not with the same Steam account).
So I think this heuristic is working properly. (Whether to allow any theoretical risk of a false positive is another discussion, but, Valve is a business, it seems totally reasonable to me for them to risk it.)
The problem is that everything is wrong here. Username is not a signature of malware by itself. There could be a ton of reasons why someone could have an account like that on the machine - be it someone's name, maybe some AI project, perhaps a robotic feline, who knows.
Unfortunately, it seems that Valve's software doesn't bother to actually check whether the machine has any malware installed, it bans anyone who has any account on the machine that matches a regexp. Innocent or not, who cares, right?
How "effective" this approach is is very much documented by the fact that as soon as the botters caught wind of this they have changed the username they use and Valve can play a game of cat & mouse with them now.
It is not the first time Valve got caught by doing dumb/lazy stuff like this. E.g. Steam was known to erase your entire machine (or at least what your current user had access to - so most likely all you data) because of lazy programming and hardwired assumptions (see here: https://www.theregister.co.uk/2015/01/17/scary_code_of_the_w... ). Their response has been pretty similar too - "Works as intended, go away, we don't care".
> Username is not a signature of malware by itself
Devoid of all context, no it's not. When a malware is known to exclusively use a particular and uncommon pattern, yes it is.
If you remove all context then nothing is ever a signature of malware. Maybe there is a legitimate reason for a third-party program to be writing your memory or injecting DLLs, you never know! But in practice those are red-alert triggers for any anti-cheat.
A legitimate signature would be a sequence of actions the client sends the server that are clearly not possible to have been performed by an actual user playing the game.
Like an incredibly improbable statistic or too fast actions or something else.
This is a poor solution: it's the equivalent of blocking spammers by IP address. It works but will also lock out legitimate users.
That's not the way this kind of thing works, not even in commercial AV. What you are asking for is for Valve to solve the halting problem before addressing ongoing actual cheating in it's games. That's ridiculous.
You take what clues you can get and you push the fix. This is what all their users not named catbot want.
Which is why commercial AV routinely throws up entirely bogus reports. Not a good example.
Comparing statistics (accuracy, reaction time, chat messages, what have you) server-side to a not cheating player population seems like a very promising solution, given it doesn't involve the game client (which is assumed compromised). I don't see how that has anything to do with the halting problem.
This particular detection seems very unlikely to ever have a false positive. The noise about false positives appears to be coming from the authors of the cheat software themselves.
all anti-cheat is fundamentally cat an mouse, when you can control the kernel (applies to both linux and windows) you can lie about anything anticheat tries to detect.
You're right but some statistics analysis on the gameplay by players would do a lot more to reveal bots than analyzing usernames, especially once the bots start using random diceware names
I'm guessing this is how they determined this was a valid metric, everybody with a catbot user statistically looked like a hacker, and nobody didn't look like a hacker.
catbot is exactly the sort of strange names I assign to hosts or projects.
...and also doesn't look too out-of-place as a gamer handle --- in other games I've seen players with variants of 'cat' and 'bot' in their names (catman, botman, catfish, fishbottom, etc.), which didn't seem to be cheating either.
If it was a name with more "entropy", like jH3bzKflAC5, then the case for it being a signature might be far clearer.
It's about the local Linux account name (which frankly Steam has no business touching or inspecting the contents of past pasting it into a path IMO), not the in chosen steam name (which can be anything) nor the unique steam name in profile link (which I think comes from the login, I'm not sure now).
In any case - both are all over the place and in online games there are often crazy names that look like the came from /dev/random. It'll also be easily circumvented now that it has been discovered and it was dumb in the first place.
Valve really dropped a ball, it's not like they don't know how crazy, meme fulled or troll-y usernames get on their platform.
Outright VAC ban (that's a big deal) for something like that is absolutely idiotic (extra inspection that doesn't affect anything for legitimate users - sure).
Valve can easily query who has the usernames catbot, and then correlate it with hack like activity, and draw the conclusion that false positives aren't an issue in the real world.
The interesting thing is that this "legitimate signature" will just change. Maybe to another basic name, maybe a random string, maybe diceware. No one is trolled.
I wouldn't be surprised if it starts using real names to avoid this particular detection - gather a few thousand real Steam usernames, and create variants of them at runtime.
Aimbots ruined TF2 for me a couple years ago. One of the things they used to do to make them harder to kick/ban was change their name to the name of a different real player on the server every second.
The mentality that drives the use of aimbots is a disgusting scourge on humanity.
One of the mechanisms to avoid a server ban (different from a VAC ban) is to rapidly switch between names of other players on the server (but with unprintable/non-breaking characters added). You need to use 'status' to tell them apart.
Their chat filters did not allow the string "cock" in chat...and then they put a bunch of nasty cockatrices in the Dreadlands and in the Overthere, along with quests that asked you to seek out their eggs, feathers, and beaks, thus giving you a reason to use the string "cock" when talking with others.
Who the heck is valve to say what usernames I can and cannot have on my system? I don't even play TF2.
What happens if the cheaters decide the change the 'triggering' username to something far more common? Guest, admin, local, user, etc. Now valve is allowed to ban everyone who has that username on their system?
No, the hack authors who filed the pull request are actually posting here in this thread.
eg this guy: https://github.com/Kr4ken-9/cathook is kr4ken on HN, there's probably others here who are smart enough not to link their black-hat identity with HN.
This is literally blackhats bitching that they got VAC-banned, 100% legitimately, and then concern-trolling us about what-if scenarios about some hypothetical innocent user who might have been swept up with their script-kiddie customers.
Can't say that such opinions really have any place here, IMO, considering that they are the ones who created the problem in the first place. Maybe it's not worth shutting them down, but they certainly shouldn't be celebrated or legitimized in any fashion.
Scorn is an entirely appropriate community reaction here, and a mod tipping the scale in favor of black-hats is not really appropriate IMO.
I wasn't talking about that and am not taking any kind of side. If you think there's abuse going on, emailing hn@ycombinator.com is the thing to do, and then we can take a closer look.
My point is the orthogonal one that it's incongruent to snarkily diss HN when you're as much a part of the community as anyone else is. It makes no more sense to say "HN got trolled" than "HN debunked getting trolled". People don't do this to be informative, but rather to superciliously position themselves above others. That degrades the spirit of the community here, which is already so fragile. That's why I reply to such comments the way I did.
We may each be a part of HN but that doesn't mean we can't criticize what we perceive to be the gestalt of HN.
It's like saying "<Insert Community / Country / Organization Name>, goddammit!"
I personally don't mean that I'm better than everyone in said community, but that I'm disappointed with the prevailing sentiment, and so feel the need to signal my separation on the issue.
It's shorthand "I don't identify with <Community> on <Issue X>".
People do indeed abuse this rhetoric to feel superior to others, e.g., "Reddit is a hivemind!". But on issues where the community clearly falls prey to its biases, a little snark now should remind us to avoid those collective pitfalls in the future.
I agree. Implying that HN users aren't generally susceptible to blackhat trolling is naive.
Our community has its strengths but some subjects like politics provoke a suspension of critical thinking. In this case, small time hackers being punished by a big company in a seemingly overkill way for a seemingly innocuous slight.
Ideally, a moderator should be aware of the biases of the community and adjust the discussion accordingly. Or at least when the lies being perpetrated are as obvious as it is in this thread.
Anecdotally, the people who screech about and around VAC bans are the same people who will ruin online games with botting, scripting or just general douchebaggery.
Basically, no one notices VAC if they aren't trying to screw over other gamers.
Those who do so so repeatedly, often resort to comment threads like this one, venting vitriol on the off-chance the more-gullible will confuse it as signals of a larger problem.
Steam has many issues: poor customer service, a wash of bad content, a lack of focus on making games.
But being too hard on those poor, upstanding cheaters? Not an issue.
Then perhaps I should make a fork that uses your username to get you banned and then proceed spit in your face when it happens and tell you it's your fault.
Or reinstall my TF2 and get banned so then I can tell you to stick it.
It's VAC that's doing the trolling here. Person's OS (not even Steam) username is not a cheat (and Steam frankly has 0 reason to examine its name in any way for any purpose, for installing games just pasting will do and for everything else there is a Steam username).
This is bullshit, will be defeated now instantly that it came out and on the level of dumb antiviruses that delete exes (i.e. my compiled Pascal and C++ programs) and claim the reason was "unknown low spread program" (yes, that happened, because clearly, unknown program = virus).
VAC has sainthood status now, Valve social media staff often tells people it's 100% foolproof and bans are never appealed, people who claim they were unfairly banned are shitted on by the community and it's undisputable (although there were overturns i.e. when CoD players got banned by Steam's mistake[0]) but they do crap like that?
It's like Destiny 2 bans last year, they were all "hand made by staff and 100% confirmed cheaters" and then a couple hundred got overturned and claimed to be "software error".
What next? Banning everyone who has a GitHub account or knows git because the aimbot code is hosted on GitHub? Banning people from sites for having HN accounts because it's a "hackers" site?
> Good day, I've received word from the VAC team that this is intentional and not open for discussion on Github.
> In general VAC issues are not handled on Github in any capacity and further issue reports on this may result in being banned from the Valve Software issue trackers.
This is just incomprehensible from a PR standpoint, even for a company like Valve, especially since people on the thread have brought up legitimate concerns for users that might be caught in the flak.
Innocent users are the only ones that will get caught up by this anymore, the cheaters already worked around this(https://github.com/nullifiedcat/catbot-setup/commit/c2d22ee9...). Yes, cheaters were the first to report it because they were the first to experience it.
He/she didn't deem them hypothetical. They are hypothetical until a legitimate user that doesn't use bots makes the claim that they were banned for this. According to updates made to this, the username wasn't even the source of the ban so these "innocents" are definitely hypothetical.
Enough people will say that it's fine because of cheaters.
The gaming or software equivalent of justifying bad legislation because of criminals.
Based off of the previous DNS false banning debacle, they'll ignore any negativity about this unless it reaches critical mass, at which point they'll say that combatting cheating is hard so give them carte blanche.
The GitHub response is merely the "stop pointing out the Emperor's lack of clothes" aspect of the first part.
I'm not exactly fine with it, but my understanding[0] is that it did a local check and only send the "bad" domains remotely. Still a privacy leak, but in a different class as bulk-uploading your entire DNS record.
And my understanding is that Gabe Newell who runs this circus just happens to have claimed so when the milk was already long split.
If he is so concerned that Valve will be associated with spyware then he shouldn't have let VAC team create a literal piece of (definition fitting) spyware. Somehow the examples on VAC page say it looks for third party modifications to game files, not rummages through your entire machine. As if they knew it sounds sketchy to users. Even if they are working in good faith they might screw up during one of these raids against my machine (like they did with rm -rf on Linux in the uninstall script) and leak something or save it to some temporary file that something else might pick up.
This is still very out of line. I buy games via a proprietary platform that doubles as a DRM while pirates have no DRM, open source torrent clients and verified cracker teams and I'm the one having privacy worries here?
False bans is hard to prove - you always have people claiming it, especially the cheaters themselves - but IIRC they came out and said they were scanning user DNS cache entries and using them as a basis for VAC actions.
Gabe's response more or less boiled down to "cheating is a hard problem".
I hope I'm not misremembering or being uncharitable.
EDIT - I called it a false ban debacle because they was one half of the issue; the privacy implications were equally important.
I believe you are misremembering: what Valve said within their statement on /r/games is that the DNS entries were being used after the detection of the cheats.
Here's a quotation from Gabe's post:
>VAC checked for the presence of these cheats. If they were detected VAC then checked to see which cheat DRM server was being contacted. This second check was done by looking for a partial match to those (non-web) cheat DRM servers in the DNS cache. If found, then hashes of the matching DNS entries were sent to the VAC servers. The match was double checked on our servers and then that client was marked for a future ban. Less than a tenth of one percent of clients triggered the second check. 570 cheaters are being banned as a result. [1]
Valve is well known for being immune to the normal repercussions of having awful PR. For some reason, the market forgives them despite having downright hostile interaction with the community on a regular basis.
It's not forgiveness; Valve et al know that if they simply ignore the bad PR, people will forget and protesting becomes repetitive and tiresome. This is the insidious power of silence, and why actual change only happens when people refuse to go away until the problem is actually fixed. Without this continuous push back, silence transforms bad behavior into the new normal.
Jim Sterling has a great video[1] that explains this problem in greater detail.
Maybe because none of this is relevant and everyone in this thread is getting upset over nothing. No real users have been harmed as a result of this measure (most people in the github issues thread have repos where they own or contribute to cheating software) and it seems to have worked to ban a number of cheaters. Seems like good engineering to me on their part when such a simple solution turns out to be so effective.
If they had, they wouldn't know why. That's one of the major parts of the problem - the entire ban system (and appeals process, or rather, the letter memory hole valve deigns to call a process) is opaque, a black box.
You don't know why you're banned beyond "cheating/hacking" or "cheating in game X" in the best case.
There's then the self-fulfilling silliness with the proclamations of perfection of VAC; you need such a high standard to prove the negative, that you did not cheat, and a ton of luck for them to even consider the possibility.
There is no such thing as too far for Valve, as the community for their games knows well. It's become something of a meme at this point. You are familiar with Gabe calling the host of a tournament out publicly on Reddit, yes?
As Nickodell and PlutoIsAPlanet pointed out, this "issue" was raised by a group of banned Team Fortress 2 cheaters, who are developing obfuscated aimbots.
In all likelihood, VAC's detection is premised on other factors in combination with the username. Like, for example, botting in online multiplayer games.
This may come as a surprise to half the users in these comments, but, for the 99% of gamers who are not malware enthusiasts, banning bad actors is a feature, not a bug.
Seemingly heavy handed features wouldn't be so readily despised if:
* Valve didn't shut the discussion down altogether. If the GitHub page wasn't the right place, then suggesting a forum where feedback would be appropriate and actually prompt a response would be the way to go.
* Valve (or rather, their support staff) didn't have a history of extolling the perfection of VAC while dealing with some false bans in private.
* Bans didn't have such large implications, or:
* The support and appeal process wasn't so obtuse, seemingly useless and blackboxed.
I think they'd be encouraged to take more chances with their Anti-cheat ideas if the process for fixing false positives wasn't so genetically corporate and so user-hostile.
No, it's clearly not. There are people in the linked issue saying they had no cheats and just the username and got banned and the last comment is a Valve employee stating this is all intentional and forbidding any further discussion of it. This is an incredibly dumb way to catch "cheaters" and now that they know they will easily defeat it.
This is absolute bullshit and like saying "issue of rape in prison was raised by criminals who are evil so it's a feature for society they get raped".
And here's a money quote (guess whose):
> When the truth of one issue goes against a person's political leanings, that person will generally say whatever they can to avoid feeling guilt or shame.
Valve didn't comment. They could have more information, like checking that multiple users are called catbot.
If you look at the history, you will find that there were a handful of ban waves that were reverted or adjusted after they were found to be false positives.
It seems that the discussion was opened and driven by the developers and users of the bot. Not expecting too much for them.
Kisak, a Valve Employee, confirms that VAC bans are being handed out for usernames matching catbot. Yes, it was open and driven by the people that were banned because of a username.
The person you're replying to is attempting to claim that Valve has confirmed a blanket username ban.
Instead, Kisak's exact words were:
> Good day, I've received word from the VAC team that this is intentional and not open for discussion on Github.
In context of the cheaters and their sockpuppets, "this" probably refers to Valve going after the catbot malware makers and not banning based on one username specifically.
What confirmation? I am neither a user or a developer of the bot. I also have not been banned by Valve's decision to ban usernames either. My affiliation is to the extent of creating an issue on their github repository. Why are you making such unfounded accusations?
As someone who plays a lot of games, I can't wait for the day when Steam gets replaced by something better. And given Steam's current state, "something better" is a really low bar to go by. At this point I would prefer individual installers for each game, without any "platform" whatsoever.
I'd love for GOG to be better competition for Steam, and they've made wonderful strides - I actually prefer their Galaxy client over Steam, though I also think UPlay is nicer than Steam since Steam has so much going on that I don't need. But like sibling commenter points out it's a numbers game and GOG's stock just doesn't compare yet. You can't get many AAA releases on GOG even after some time has passed since release - publishers are simply allergic to their strong no-DRM policy and see no reason to be there when people will happily buy it on Steam.
Where GOG is deftly competing is the AA market - games from smaller developers/publishers such as CD Projekt Red (CDPR is owned by the same company as GOG but they are a titan in the AA/AAA field), THQ Nordic, Paradox Interactive, and so on. Many of the games from these companies are released day and date on GOG.
I agree, unfortunately the number of titles is an order of magnitude less on GOG. Still, I have over 50 games from GOG and just over 100 from Steam. Anecdotal I know, but I find the GOG lineup more curated and less filler than Steam.
> Anecdotal I know, but I find the GOG lineup more curated and less filler than Steam.
There's a reason for that: It's harder to get your game on GOG, they are still deciding on a case-by-case basis. While on Steam every game which pays a fee (~$100) gets accepted IIRC.
Standalone installers are the only acceptable solution, any middleman, no matter how many promises they make, will eventually do something you don't like and break your games. Any game, any software, made exclusively for systems that require some sort of activation before allowing access to the software you want to run, even if the software itself is DRM-free, means that software has a gatekeeper you'll eventually have an issue with.
GOG supports this in a limited way. If you link your Steam account in your GOG account, it'll pull in games to your GOG account which are listed on GOG.
I was fortunate enough to have Steam screw me over the first week I signed up for their service. On top of that, it took 2 weeks to resolve the issue which really let it sink in that I should never use them. Since then, I've only bought through GOG, Humble or directly from the creators.
Given that all the accounts claiming to have been banned are somehow linked back to CSGO cheating on their GitHub profiles, gonna say this is just cheaters trying to get unbanned.
The Valve employee only confirmed that the bans were correct and that GitHub was not the correct place to dispute the bans. A different employee on Reddit has already confirmed that the "issue" reported on GitHub is incorrect and that the bans were instituted based on multiple criteria. They can't go into it any further without risking compromising their detection systems.
Do you have evidence to support your accusation of affiliation with the people involved with "catbot"[1]? Or is this libel?
> criminal
Writing unauthorized software modifications for commercial software is not illegal, making your accusation of criminal activity doesn't make sense. Unless the bot also made copies of the software, this is a civil matter and probably at worst a breech of contract.
However, even if someone authored the bot, unsubstantiated accusations have no place in civilized society. If accusations are being made, you need to provide evidence 0of the actual bot, not hearsay based on merely an account name. That evidence needs to be presented with at lest some amount of due process where the accused has the opportunity to face their accuser and rebut the claim.
[1] Or any other unauthorized 3rd-party utility software for games published on Steam.
Yes, I commented on the issue. No, I am not affiliated with the bot. I'm not pretending to be anything, I never claimed anything. If I wanted to hide anything I wouldn't use my main github account. I just thought that Valve banning based on usernames was an interesting subject, so I commented on it. You're commenting on a thread about cheaters, why would you do so? You're a living case of a criminal trying to pretend he's not a criminal after he's caught hands in!
Let's be fair here: It's an easy pivot where they keep paying the DOTA artists already on the payroll with a minimum staff of software and game design devs in order to milk the plump microtransaction teat.
Yes, it's a game. But barring the DOTA IP and existing graphics assets it will not be particularly different from any given other offering in this specific market space.
And that's the unspoken thing in the post you're replying to: "new". Valve hasn't made any truly new game since Left 4 Dead, and i'm sure it could easily be argued that even that wasn't particularly ground-breaking.
Remember when Valve's official stance about VAC was that it will only ever detect cheats, that it doesn't make mistakes, and that if you got a VAC ban, you had it coming?
And then they had a number of false positives over the years where they had to rescind the bans?
And now they're detecting things that aren't cheats. A username on the local machine is not a cheat, end of fucking discussion.
Why would expect users to know the names of all known cheats though? If someone created a bot called, say, "VerseC", I doubt you'd be thrilled if that resulted in you being banned.
I also suspect the crossover between cheat names and gamer user names is high - "catbot" would not look at all out of place in a list of user name.
Anyone who's still playing TF2 at this point has a pretty good idea of the names of the various bots at this point, because they spam them in chat while they're running.
GET GOOD GET LMAOBOX has ruined many a session for me, and I would never think of using 'lmaobox' as a username. Even if you aren't actually hacking, that's a quick route to the other denizens of the server votebanning you. Nor would I ever dream of using it as a system user.
I think the context you and most other people are missing here is that these bots are a fucking plague on what remains of the TF2 community and we're more than willing to have zero tolerance for anything connected to them.
A) The cheat may post-date your choice of username. Even if you're aware of the name (and thus avoid using it in-game), you probably wouldn't change (or even think to change) a long standing system username.
B) Non-TF2 players probably _aren't_ going to be aware of TF2 cheat names. A CS:Source player may not know of them, as it's not their game, but the same VAC ban covers both CS:S and TF2 (FWIW I play CS:S occasionally and have never seen such ads. there).
I understand that it is a major issue (it's one of the reasons I haven't returned to TF2 in a while), but that's not a great reason to accept a poor solution that could effect innocent users.
There's nothing special about the name root, it's just a convention that it maps to uid 0. You can change it to something else and then rename an account with a uid != 0 to root. Whether this breaks anything is largely distribution dependant.
Whether or not that would result in the check being changed to see if "root" is uid 0 is another step in an arms race. Because with containerization or virtualization you can run as root with much more acceptable levels of risk than usual.
You're already running the code locally, unless you're in an incredibly hardened environment it is going to make precisely zero difference whether you run it as root or not.
So if I'm understanding this right, you can get permanently banned from all of these games (http://store.steampowered.com/search/?category2=8) just for having a certain username? That's crazy, no matter what the username is.
You're understanding the way they described it right. The reality, however, is not correct. You cannot get banned from those games just for having a certain username. You would have to have that username and also trigger other detection parameters.
This is by far one of the strangest things I have seen HN get mad about. The commenters on the linked issue seem to be mostly aimbot users. Wouldn't be surprised if they're here too.
> Good day, I've received word from the VAC team that this is intentional and not open for discussion on Github.
> In general VAC issues are not handled on Github in any capacity and further issue reports on this may result in being banned from the Valve Software issue trackers.
This is not the way to address a paying customer. These people truly are a bunch of clowns.
To host these bots, you need to set up a Linux environment. Then you can use a script, which automatically prepares your system for hosting the bots. One of the things it does is it creates multiple users in Linux (to run multiple Steam instances), all of them starting with "catbot".
https://github.com/nullifiedcat/catbot-setup
And the script creators already changed every mention of "catbot" to "kisak" (name of the Github moderator for Valve)
https://github.com/nullifiedcat/catbot-setup/commit/58582f81...