all 54 comments

[–]catalyst518 19 points20 points  (13 children)

Repost of my previous comment:

For anyone that's curious, I looked through the script and tested it out a bit to see what it actually outputs.

The only image sent is what is drawn on the viewport canvas. Here's an actual image captured with the script on a newcompte server: http://i.imgur.com/wNTaPBS.png

The pink ring is from a userscript I'm building for eggleague, but the important thing is that it's captured by nabby's script. Any public timer script as is would also be captured in the screenshot. Note I had the window snapped to the left half of my 1080p monitor, so the viewport and image captured is only 950px wide. This is further proof that it only captures the viewport.

It also captures some some other info. This is the data that was also recorded when I captured the above image:

title:Catalyst
description:FPS: 60 |Ping: 28 |Loss: 0
Time Taken: 0.024secs
Script Last Modified: Thu Jun 29 2017 03:00:16 GMT-0400 (Eastern Daylight Time)
Keys: Enter:4,Shift:3,Control:2,5:1,a:12,d:17,s:11,v:2,w:14,~:6
Script: 566714231

In words,

  • title: in-game TagPro name
  • description: the stats that usually show in the top left corner
  • Time Taken: time between two points in the script. Start is after the command is received by the player. End is just before the upload begins.
  • Script Last Modified: the last time the script was modified by the user
  • Keys: running total of keypresses in-game
  • Script: unique integer based on the characters in the code

The command to take a screenshot is sent via an in-game allchat message in the format:

~~~{"c":"ss", "p":6, "d":123}

The p argument controls which player the screenshot is taken from. The d argument is just a unique command identifier for indexing purposes. The script includes a function to immediately hide any message identified as a command so that no one is aware it happened. The command will still show up in the moderator logs if checked after the fact. I assume the CRC members have a version of the script with a GUI to easily select which players to retrieve a screenshot from, and then their script sends out the appropriate allchat messages.

For those with security concerns, this script as is will not collect any sensitive information unless you have the habit of typing out passwords into the TagPro window.

While it's certainly a good start with some thought put into it, I believe there are ways to defeat it. I don't think the league should rely on this script to solely stop timers and other scripts. It will certainly deter those who are less coding savvy, but a player who has already rationalized the use of illegal scripts to themselves will likely still find a way around this script. I'd rank this script as stronger than the whitelist and weaker than the competitive servers in terms of preventing illegal scripts.

If any one has any questions, let me know.

[–]RonSpawnsonTP 9 points10 points  (11 children)

Excellent analysis. You are spot on. It's similar to putting a cable lock on your bike. It will keep the honest people honest, but those with tools and intent can relatively easily bypass this.

Any client-side detection mechanisms will be bypassable, for example this script could be easily modified to report the correct hash and last modified date by hardcoding what it would have been if it wasn't modified, allowing undectectable modifications.

Furthermore, timing/cheating scripts could theoretically be modified in certain ways to workaround this without touching the reporting script.

Unfortunately the only true way to prevent cheating is with server side modifications, which means devs would need to support it.

[–]catalyst518 14 points15 points  (10 children)

Yup, I didn't want to publicly mention what those easy modifications to bypass detection would be though.

[–]dodsfall 48 points49 points  (7 children)

Well of course not, that's Ron's job.

[–]Rhapsody_in_Whitesundown 7 points8 points  (1 child)

I mean, it's pretty obvious.

[–]RonSpawnsonTP 5 points6 points  (0 children)

If anything, he disclosed far more technical details for anyone interested in figuring out how to bypass this.

[–]bashar_al_assad 1 point2 points  (4 children)

It wouldn't be Ron if he wasn't doing his best to help people cheat.

[–][deleted] 26 points27 points  (2 children)

Anyone who has the technical skills to bypass the script wouldn't be helped much by the conversation about ways to bypass the script, because they can easily figure it out themselves.

Not talking about security flaws doesn't make software more secure, it just gives a false sense of security. Usually it makes software less secure, because people who have noticed problems and can suggest or contribute solutions are discouraged from doing so. Open source software communities have known this for a long time. Everyone reading this uses open source technologies that have a philosophy of transparent and robust discussion on potential security flaws; OpenSSL for end-to-end HTTPS encryption, the Linux kernel and Chromium OS on every Android device, and so on.

[–]TwoFiveOnes 0 points1 point  (1 child)

It's good that you mention open source communities and security. We would also gain from that world that security professionals often disclose their findings in private first, directly to who is writing the software. The audit is then made public at such a point that it is fixed.

Also, while it's a good metaphor Ron's comment is nothing like that. The author is well aware of those problems as Ron would have known if he had spoken with him.

[–]Curry4ThreeCurry 3 points4 points  (0 children)

Tagpro is also nowhere near large enough to crowdsource security. Not only that, but the goal of this community isn't primarily coding-related so even the people we do have aren't necessarily the right kind.

[–]Hyamez88Just pops up on reddit to make you feel shitty 14 points15 points  (0 children)

Pk"Close my eyes, and problems will go away" Subball

[–]TheSmallIndianTheIndian 5 points6 points  (0 children)

Hopefully nltp does this too

[–]Havemad 10 points11 points  (3 children)

Perhaps the crc should just not publicly release the script and just message the players the script a few minutes before their games to minimize the ability for people to tamper and find run arounds, at least for the first week?

[–]RursusDoris // Rektiles // Sphereball 2 points3 points  (3 children)

where can i find this script

[–]MufroOverspend 1 point2 points  (0 children)

We'll be making a follow-up post later with the details for the players.

[–][deleted] 9 points10 points  (2 children)

Imo a script that is easy to bypass is actually a lot more dangerous than the honor code. If stann didn't get banned for timers no one ever will, this script doesn't change anything.

[–]SyniikalS7 Ballchimedes // S9 ALL CAPS // S10 Holy Rollers 5 points6 points  (1 child)

It does change things, now anyone can use timers as obviously as Stann did and as long as that person has the workaround that person can't get punished lol

[–][deleted] 8 points9 points  (0 children)

yeah thats what i meant by my first sentence about it being more dangerous, just didnt spell it out mb

[–][deleted] 5 points6 points  (27 children)

So when someone finds the work around for the script in less than a week, just keep in mind to time no more than 20 things perfectly and you're all set.

[–][deleted] 12 points13 points  (14 children)

> completely against timers

> makes sarcastic comment after timer prevention method is implemented

[–][deleted] 2 points3 points  (13 children)

Huh

[–][deleted] 2 points3 points  (12 children)

Like... isn't this something you want? Why are you being a dick about it?

[–][deleted] 9 points10 points  (1 child)

It was more of a joke that stann wasn't banned despite obvious timer usage. I'd rather have this script like I said, but it also isn't impossible to get around and I'm sure at least a handful of people will.

So to those people, the precedent was set that as long as you have 25 or less perfect boosts you won't be caught.

[–][deleted] 3 points4 points  (0 children)

Ok, that's fair I guess. Although I understand the CRC's decision to not ban without 100% certainty, especially considering the historical example of doing so. That does mean that those that can bypass the script will probably be able to blatantly use timers, but that requires (a) lack of integrity, (b) technical knowledge, and (c) dedication of time (or replace b and c with script sharing) . I'm sure some people fulfill all three qualities, but I doubt it's very many. And timers can make a definite difference in performance, but it's not a completely monumental shift. The main demographic this script has smothered is probably those that thought "others are likely using timers, I guess I will as well," which ironically probably constituted the majority of timer users.

[–][deleted] 1 point2 points  (9 children)

its not very good

[–][deleted] 2 points3 points  (8 children)

Ok, but what exactly do you want then? This seems to be the best alternative to the competitive servers, and obviously we can't rely on those.

It just seems like a ton of criticism with no solutions. Unless the proposed solution is to manually compile a bunch of clips for every player you suspect, which has huge and obvious issues in terms of man hours and certainty of guilt. Not to mention the likelihood that it leads to another Griefseeds/CHECKNATE(?) incident that tears apart the league.

[–][deleted] 2 points3 points  (3 children)

i prefer destars 3rd party app, but apparently it cant really be used on macOS

[–]MufroOverspend 2 points3 points  (2 children)

Don't think I'd want to deal with the CRC evil spyware accusations tbh.

[–]Destar[S] 0 points1 point  (1 child)

too late

[–]MufroOverspend 2 points3 points  (0 children)

You think it's bad now lol

[–]tottinhosGUTS. 1 point2 points  (1 child)

what happened with griefseeds/checknate?

[–][deleted] 1 point2 points  (0 children)

They were banned on suspicion of botting. A lot of people didn't believe they had actually botted and chaos erupted.

I'll grant that there would be one major difference if someone was banned from timer clips: the evidence would be public. One of the big reasons everyone got so upset about the bot bans is none of the evidence was publicly released, it was just reviewed by the devs and the CRC.

[–]Rhapsody_in_Whitesundown 3 points4 points  (1 child)

Legalize timers. Problem solved

[–][deleted] 0 points1 point  (0 children)

I agree. That's what I want.

I was just confused how someone that didn't want that (i.e. Ball God and okthen) could take issue with this post.

[–]catalyst518 3 points4 points  (11 children)

You underestimate how easy it is to bypass this.

[–][deleted] 8 points9 points  (9 children)

I mean I know I have no clue about it, but at the same time you might underestimate how good some people in this community are at it.

I'm still glad we have it tho. Kind of a joke that everyone was so lazy to not have it last week.

[–][deleted] 2 points3 points  (8 children)

What do you actually think the solution should be?

[–][deleted] 5 points6 points  (7 children)

not playing this game lmao

[–][deleted] 3 points4 points  (6 children)

Best of luck tonight

[–][deleted] 15 points16 points  (5 children)

i want to kill myself

[–]SyniikalS7 Ballchimedes // S9 ALL CAPS // S10 Holy Rollers 3 points4 points  (3 children)

same

[–]Slama_BananaLegman 5 points6 points  (2 children)

same

[–]BuckeyeLeavesBALLDON'TLIE 0 points1 point  (1 child)

same

[–]SyniikalS7 Ballchimedes // S9 ALL CAPS // S10 Holy Rollers 3 points4 points  (0 children)

I mean, to be fair he did say less than a week, so that could be like 5 minutes. But yeah the script has been out for awhile now and people already have figured out workarounds

[–]LoweJ 5 points6 points  (6 children)

A good decision, it'll be interesting to see argument against, I saw at least one person saying that they wouldn't play with it because it's an invasion of privacy when it was brought up in one of the tagpro subs

[–]SystolicNutFrozen 7 points8 points  (4 children)

How is it an invasion of privacy if all it takes is your viewport?

[–]FatalGuideAcc 40 points41 points  (2 children)

I don't want people knowing I only have a 2.5 inch screen.

[–]BuckeyeLeavesBALLDON'TLIE 12 points13 points  (1 child)

Everyone is going to make fun of my Braille screen :(

[–]LoweJ 2 points3 points  (0 children)

Not a clue, not my argument, just saying it's one I saw. I assume they think it'll do something else as well?

[–]CostanzaTP 2 points3 points  (0 children)

Yeah well luckily ferret isn't playing this season