The Reading Room
What we read, in plain words
Vera is built on the public record: security research, vendor advisories, incident write-ups, and the standards bodies. We read them so you don't have to, and we write what we find in language a player can actually use. Here is what we study, the words to read it by, and how it shapes the product.
Field noteEverything here was true before you looked. The light only makes it visible.
We translate the experts into plain words, and we never claim more than the record shows.
Lines of inquiry
The questions Vera is built on. Some are technical, some are about people. Each is grounded in the public record, never in our own assertion.
Why is an accusation so cheap, and proof so expensive?
A suspicion costs a sentence. Disproving it asks a person to demonstrate the absence of something, in public, after the fact, in front of a crowd that already treats doubt as the smart default. We study how that asymmetry forms, and what actually closes it.
What does a code signature really certify?
That a publisher paid for a certificate and proved their identity once. Not that the software is safe. We study the gap between those two facts, and why a signed driver keeps loading on every machine long after the world learns what it can do.
A signature is a receipt, not a verdictHow does unsigned code get into the kernel anyway?
Bring-your-own-vulnerable-driver: an attacker drops an older, still-signed driver the system already trusts, and rides its flaw down to the kernel. It is the dominant technique in recent years, documented across the major security research shops and catalogued on a public list.
Every BYOVD driver, in the Field GuideHow deep does software reach, and who decided?
System integrity posture: Secure Boot, HVCI, test-signing, and the kernel access an anti-cheat asks for. We study what each layer actually protects, and what it costs the player whose machine it runs on.
What each game asks of your systemCan detection win the arms race on its own?
Cheats are getting harder to see: hardware-assisted, AI-shaped, run from a second machine no scanner can reach. Meanwhile detection leans harder on behaviour and statistics, which quietly turns being too good into evidence against you. We study why escalation alone never settles trust.
Why do people accept an outcome as fair?
Procedural justice is an established field finding that people accept decisions, even ones they lose, when the process is transparent, applied consistently, and lets them be heard. It is the reason Vera shows the record and refuses to hand down a verdict.
Can a record prove when it was made?
Provenance and contemporaneity: emerging standards like C2PA for attaching verifiable origin and time to a digital artifact. We study where they genuinely help at the edges, and where they cannot honestly be the whole foundation.
The lexicon
The words the experts use, in plain ones. Where a term has its own plate in the Field Guide, the entry links to it.
Software that runs at the deepest, most-trusted level of Windows, with full access to the machine. The thing that reads your GPU temperature and the thing an attacker abuses live at the same depth.
See it in the Field Guide →The privilege level the kernel runs at. Code here can see and change anything. "Ring 3" is normal user space, where your apps live.
Bring-your-own-vulnerable-driver. Loading unsigned kernel code by dropping an older, still-signed driver that has a known flaw, rather than writing a fresh exploit.
See it in the Field Guide →A paid credential that lets a publisher cryptographically stamp their software so Windows stops warning about it. It proves who signed the bytes, not that the bytes are safe.
Cancelling a signature after the fact. In practice Windows still loads many revoked or vulnerable drivers at boot, because checking revocation there is fragile and would break too much.
A UEFI feature that lets only signed bootloaders start the operating system, so nothing unsigned slips in before Windows even loads.
Hypervisor-protected Code Integrity. Uses virtualization to keep unsigned code from running in the kernel, even if something already got onto the machine.
A Windows mode that allows unsigned or self-signed drivers to load. Legitimate for developers, and a common prerequisite for loading cheats.
Software a game runs to detect cheating. Some sits in normal user space; some loads a kernel driver while you play; some keeps one running at boot. The Field Guide shows how deep each one reaches.
See it in the Field Guide →You cannot prove a negative. But you can show that during the time you were playing, the specific categories of software that would indicate cheating were not present. That is a record, not a claim.
The finding that people accept an outcome as legitimate based on how fair the process was, not only whether they won. Transparency, consistency, and being heard are what earn that acceptance.
A verifiable trail of where a digital artifact came from and when. Standards like C2PA attach it at the edges; it helps establish origin, but it cannot by itself prove a record is complete or honest.
A stretch of time where Vera observed gameplay or streaming activity on a device. The unit a record is built from.
How the homework shapes the product
Research is upstream of everything Vera ships. It sets which drivers the Field Guide curates and how plainly a plate is written. It decides which integrity signals the collector reads, and which it deliberately leaves alone. And it is the reason Vera shows evidence instead of issuing a verdict, because the research on legitimacy says the process is what earns trust.
None of it is private. Every claim on a Field Guide plate points at something already on the public record, and where we cannot vouch for something, we say so. Ground truth or silence.
Where this comes from
We do not run our own studies and ask you to take our word for it. We read the public record and point you back at it.
- The public driver record
LOLDrivers, the open catalogue of living-off-the-land drivers the Field Guide is built from.
www.loldrivers.io ↗ - Vendor and platform security
Microsoft's driver-security and code-integrity documentation, and vendor advisories for specific drivers.
learn.microsoft.com/windows-hardware/drivers ↗ - Independent security research
The named write-ups from the major research shops (Cisco Talos, Mandiant, Trend Micro, SentinelOne and others), cited on the relevant Field Guide plates.
- Provenance standards
The C2PA coalition's open specification for content provenance and authenticity.
c2pa.org ↗ - Legitimacy and procedural justice
The established academic field on why people accept outcomes as fair, including Tom R. Tyler's foundational work.
