I think there was a place where Za-Chary* said something like:
“Sometimes we encourage people to report multiple times if the moderators haven't seen the report”
Actually I'm not that sure

ioton wrote:

I think there was a place where Za-Chary* said something like:
“Sometimes we encourage people to report multiple times if the moderators haven't seen the report”
Actually I'm not that sure

Please read the entire OP. You can report 2 times every 24 hours with one IP.

support

squarepoint wrote:

support

Be constructive and say why you support.

To the OP, i think this is a great idea! There will be less false reporting, and false reporting is bad for everyone (except for trolls). Sure, the guys who use a VPN and an email generator will always be there, but at least. There's. Less. False reporting. It would be very annoying if i got banned for an hour and have one of my projects taken down, this would definitly help!

Firstly, this is great.

Secondly, you can also track which computer is which even more reliably than IP addresses. Try https://amiunique.org/fp and you can see how much info about your computer is served to websites. They could use similar device fingerprinting to get bans working, and it is not at all easy to reset your device fingerprint, short of moving to a new laptop

Experienced web coders will know about HTTP headers, you can ask them in advanced topics.

woudln't that mean storing the ip of scratchers on their servers?

i dont know but that might be a bit iffy when it comes to GDPR

HTML-Fan wrote:

IP banning is also stupid. I was banned after I made those joke accounts - a quick router reset and the problem was solved.

That isn't true for all people. Whilst some have a Dynamic IP that changes with each reset, others have a Dynamic IP that only changes if they get a new router with a different MAC address. Whilst it won't stop all, it will stop some.

thr565ono wrote:

Firstly, this is great.

Secondly, you can also track which computer is which even more reliably than IP addresses. Try https://amiunique.org/fp and you can see how much info about your computer is served to websites. They could use similar device fingerprinting to get bans working, and it is not at all easy to reset your device fingerprint, short of moving to a new laptop

Experienced web coders will know about HTTP headers, you can ask them in advanced topics.

This will solve the reset the router issue.

Jeffalo wrote:

woudln't that mean storing the ip of scratchers on their servers?

i dont know but that might be a bit iffy when it comes to GDPR

That is fine according to GDPR, as it’s in their Privacy policy

DarthVader4Life wrote:

Basic88 wrote:

We all hate it when we get mass reported. Well, here is a solution: IP Checking! When reporting, it checks if that person has already reported the project with that IP address. If so, that person gets an alert saying “please don't mass report”. I think this will save the ST time from meaningless reports. As usual, please leave constructive feedback

what if there are multiple reasons that you need to report it for?

Just use contact-us

thr565ono wrote:

Firstly, this is great.

Secondly, you can also track which computer is which even more reliably than IP addresses. Try https://amiunique.org/fp and you can see how much info about your computer is served to websites. They could use similar device fingerprinting to get bans working, and it is not at all easy to reset your device fingerprint, short of moving to a new laptop

Experienced web coders will know about HTTP headers, you can ask them in advanced topics.

Browser's like Brave have anti-fingerprinting measures, while it still says “Unique”, Brave performs randomization to make it so the fingerprint is different (albeit Unique) every time. This would defeat the idea of using fingerprinting to identify users.

Additionally, it definitely isn't hard to bypass fingerprinting. I could change a few parameters for my Windows 10 VM and use a different browser and I'd appear to be completely unique.

Thirdly, bypassing fingerprinting doesn't require buying a new machine. Moving to a different browser - or even changing settings inside your normal browser, is sometimes enough to change your fingerprint. People who want to bypass it can, fingerprinting is usually only used for tracking users who don't know that it's a thing.

ElsieBreeze wrote:

thr565ono wrote:

Firstly, this is great.

Secondly, you can also track which computer is which even more reliably than IP addresses. Try https://amiunique.org/fp and you can see how much info about your computer is served to websites. They could use similar device fingerprinting to get bans working, and it is not at all easy to reset your device fingerprint, short of moving to a new laptop

Experienced web coders will know about HTTP headers, you can ask them in advanced topics.

(…)
Thirdly, bypassing fingerprinting doesn't require buying a new machine. Moving to a different browser - or even changing settings inside your normal browser, is sometimes enough to change your fingerprint. People who want to bypass it can, fingerprinting is usually only used for tracking users who don't know that it's a thing.

We're not discussing cookies though - we're discussing IPs, which are linked to your home network or “your computer” if you choose to use a VPN. And, to be frank, why would anyone want to use a VPN for a website used for children? The only need someone would use it for is to bypass the bans which are easily done (and makes me scream at users on my forum who are bypassing bans ).

Ok. Seeing as fingerprinting is a problem, I have shown a few other methods (including the almost impossible to remove evercookie) in my suggestion about changing IP bans: https://scratch.mit.edu/discuss/topic/427804/

No amount of IP rate limiting would work. Just reboot your router, use a VPN public or private, walk to the coffee shop, use a SOCKS proxy, use a HTTP(s) proxy, use TOR, or a whole slew of other things. Its always possible to evade IP restrictions

herohamp wrote:

No amount of IP rate limiting would work. Just reboot your router, use a VPN public or private, walk to the coffee shop, use a SOCKS proxy, use a HTTP(s) proxy, use TOR, or a whole slew of other things. Its always possible to evade IP restrictions

Except attempts to find who is using the computer, using info that is created by the user (accounts they attempt to log into, pages they visit, how fast they move the mouse (possibly), and other information not made by the computer, but by the user.

thr565ono wrote:

herohamp wrote:

No amount of IP rate limiting would work. Just reboot your router, use a VPN public or private, walk to the coffee shop, use a SOCKS proxy, use a HTTP(s) proxy, use TOR, or a whole slew of other things. Its always possible to evade IP restrictions

Except attempts to find who is using the computer, using info that is created by the user (accounts they attempt to log into, pages they visit, how fast they move the mouse (possibly), and other information not made by the computer, but by the user.

If this was not done carefully it would violate COPPA. This by itself is just super creepy and there is no way the ST would implement it.

herohamp wrote:

thr565ono wrote:

herohamp wrote:

No amount of IP rate limiting would work. Just reboot your router, use a VPN public or private, walk to the coffee shop, use a SOCKS proxy, use a HTTP(s) proxy, use TOR, or a whole slew of other things. Its always possible to evade IP restrictions

Except attempts to find who is using the computer, using info that is created by the user (accounts they attempt to log into, pages they visit, how fast they move the mouse (possibly), and other information not made by the computer, but by the user.

If this was not done carefully it would violate COPPA. This by itself is just super creepy and there is no way the ST would implement it.

I understand that this would probably be a bad idea, but if the ST want a fool proof ban method, it will work.
You can also try hashing and salting the data, to make it only be usable to verify which user is which.

Apparently, you can actually track someone by mouse movements, even in the Tor browser: https://www.zdnet.com/article/how-your-mouse-movements-can-be-used-to-track-you-on-the-tor-network/

DownsGameClub wrote:

ElsieBreeze wrote:

thr565ono wrote:

Firstly, this is great.

Secondly, you can also track which computer is which even more reliably than IP addresses. Try https://amiunique.org/fp and you can see how much info about your computer is served to websites. They could use similar device fingerprinting to get bans working, and it is not at all easy to reset your device fingerprint, short of moving to a new laptop

Experienced web coders will know about HTTP headers, you can ask them in advanced topics.

(…)
Thirdly, bypassing fingerprinting doesn't require buying a new machine. Moving to a different browser - or even changing settings inside your normal browser, is sometimes enough to change your fingerprint. People who want to bypass it can, fingerprinting is usually only used for tracking users who don't know that it's a thing.

We're not discussing cookies though - we're discussing IPs, which are linked to your home network or “your computer” if you choose to use a VPN. And, to be frank, why would anyone want to use a VPN for a website used for children? The only need someone would use it for is to bypass the bans which are easily done (and makes me scream at users on my forum who are bypassing bans ).

I wasn't discussing cookies either, I was responding to thr565ono about their suggestion to use fingerprinting to identify users.

thr565ono wrote:

herohamp wrote:

No amount of IP rate limiting would work. Just reboot your router, use a VPN public or private, walk to the coffee shop, use a SOCKS proxy, use a HTTP(s) proxy, use TOR, or a whole slew of other things. Its always possible to evade IP restrictions

Except attempts to find who is using the computer, using info that is created by the user (accounts they attempt to log into, pages they visit, how fast they move the mouse (possibly), and other information not made by the computer, but by the user.

If this were possible and accurate, don't you think other sites would be using it?

Scratch doesn't have the footprint to collect enough data to positively identify users.

But do you know who does? Google. Google probably operates the largest data collection operation to exist, for the purpose of targeted advertisements. Yet even with all that uniquely identifying data, they can't automagically detect users who are ban evading with it.

thr565ono wrote:

herohamp wrote:

thr565ono wrote:

herohamp wrote:

No amount of IP rate limiting would work. Just reboot your router, use a VPN public or private, walk to the coffee shop, use a SOCKS proxy, use a HTTP(s) proxy, use TOR, or a whole slew of other things. Its always possible to evade IP restrictions

Except attempts to find who is using the computer, using info that is created by the user (accounts they attempt to log into, pages they visit, how fast they move the mouse (possibly), and other information not made by the computer, but by the user.

If this was not done carefully it would violate COPPA. This by itself is just super creepy and there is no way the ST would implement it.

I understand that this would probably be a bad idea, but if the ST want a fool proof ban method, it will work.
You can also try hashing and salting the data, to make it only be usable to verify which user is which.

Apparently, you can actually track someone by mouse movements, even in the Tor browser: https://www.zdnet.com/article/how-your-mouse-movements-can-be-used-to-track-you-on-the-tor-network/

The article you linked says that even though it's possible to do this, using it effectively is still very challenging.

ZDNet wrote:

The utilized techniques seems to be used in a rather basic form, time and mouse movements analysis are known in the research community to differentiate between devices/users, it still poses a challenge to use them effectively.

ElsieBreeze wrote:

DownsGameClub wrote:

ElsieBreeze wrote:

thr565ono wrote:

Firstly, this is great.

Secondly, you can also track which computer is which even more reliably than IP addresses. Try https://amiunique.org/fp and you can see how much info about your computer is served to websites. They could use similar device fingerprinting to get bans working, and it is not at all easy to reset your device fingerprint, short of moving to a new laptop

Experienced web coders will know about HTTP headers, you can ask them in advanced topics.

(…)
Thirdly, bypassing fingerprinting doesn't require buying a new machine. Moving to a different browser - or even changing settings inside your normal browser, is sometimes enough to change your fingerprint. People who want to bypass it can, fingerprinting is usually only used for tracking users who don't know that it's a thing.

We're not discussing cookies though - we're discussing IPs, which are linked to your home network or “your computer” if you choose to use a VPN. And, to be frank, why would anyone want to use a VPN for a website used for children? The only need someone would use it for is to bypass the bans which are easily done (and makes me scream at users on my forum who are bypassing bans ).

I wasn't discussing cookies either, I was responding to thr565ono about their suggestion to use fingerprinting to identify users.

thr565ono wrote:

herohamp wrote:

No amount of IP rate limiting would work. Just reboot your router, use a VPN public or private, walk to the coffee shop, use a SOCKS proxy, use a HTTP(s) proxy, use TOR, or a whole slew of other things. Its always possible to evade IP restrictions

Except attempts to find who is using the computer, using info that is created by the user (accounts they attempt to log into, pages they visit, how fast they move the mouse (possibly), and other information not made by the computer, but by the user.

If this were possible and accurate, don't you think other sites would be using it?

Scratch doesn't have the footprint to collect enough data to positively identify users.

But do you know who does? Google. Google probably operates the largest data collection operation to exist, for the purpose of targeted advertisements. Yet even with all that uniquely identifying data, they can't automagically detect users who are ban evading with it.

I think that this would help, as almost everyone cannot bypass a fingerprint, HTTP cookie and a IP ban. (see my other topic for more info in Suggestions about Bans https://scratch.mit.edu/discuss/topic/427804

thr565ono wrote:

ElsieBreeze wrote:

-snip-

I think that this would help, as almost everyone cannot bypass a fingerprint, HTTP cookie and a IP ban. (see my other topic for more info in Suggestions about Bans https://scratch.mit.edu/discuss/topic/427804

No. Almost everyone definitely can bypass these things.

Own a phone? Connect with mobile data and make an account with your phone. You've just bypassed a fingerprint, cookie and IP ban. Even better, the IPs assigned to phones using mobile data are very short lived and change extremely often, meaning you cannot identify that user based on IP.