
thr565ono
Scratcher
100+ posts

Method for bans you can't workaround

IP bans are easy to work around (just google “change my public IP”).
Why not use a device fingerprint as well as the IP?

Non-Technical version:
Use a unique code to identify devices that get banned, and also ban the IP, so it is almost impossible to work around without getting a new device and router.

Technical version (you have to be a web developer to understand this):
Fingerprinting: Work out a unique ID for the device
Use the HTTP headers and other data served via various browser APIs to work out as much information as possible about the accessing machine (exclude time, battery and other things like that).

Store this data, and if a visitor is similar to this, you can presume they are exactly the same device, and this is device fingerprinting.
You can see if your device fingerprint is unique here: https://amiunique.org/

See https://en.wikipedia.org/wiki/Device_fingerprint for more info.

Evercookie: Ensure they can't just delete the cookie, and recreate it on their device after deletion

Also, use a cookie or two (with a bit of the device fingerprint) and make an evercookie, making getting around the bans even harder. Also evercookie the IP.
See https://en.wikipedia.org/wiki/Evercookie for more info.

If you create an evercookie with the ban info, it will be almost impossible to get around.

IP Ban
Well, Scratch uses this already.

Use all of these techniques for an almost impossible to work around device ban.

Summary
Apart from the extra time this would take to implement, this would prevent people getting around bans.

NOTE: In the US, it is illegal to get around an IP ban on purpose.
Please don't comment saying I don't understand; please read the Non-Technical version, and then ask questions about it.


I am the creator of Code Snippets, a Scratch studio. You can see lots of useful things to add to your project to make it even better.
herohamp
Scratcher
1000+ posts

Method for bans you can't workaround

thr565ono wrote:

IP bans are easy to work around (just google “change my public IP”).
Why not use a device fingerprint as well as the IP?

Non-Technical version:
Use a unique code to identify devices that get banned, and also ban the IP, so it is almost impossible to work around without getting a new device and router.

Technical version (you have to be a web developer to understand this):
Fingerprinting: Work out a unique ID for the device
Use the HTTP headers and other data served via various browser APIs to work out as much information as possible about the accessing machine (exclude time, battery and other things like that).

Store this data, and if a visitor is similar to this, you can presume they are exactly the same device, and this is device fingerprinting.
You can see if your device fingerprint is unique here: https://amiunique.org/

See https://en.wikipedia.org/wiki/Device_fingerprint for more info.

Evercookie: Ensure they can't just delete the cookie, and recreate it on their device after deletion

Also, use a cookie or two (with a bit of the device fingerprint) and make an evercookie, making getting around the bans even harder. Also evercookie the IP.
See https://en.wikipedia.org/wiki/Evercookie for more info.

If you create an evercookie with the ban info, it will be almost impossible to get around.

IP Ban
Well, Scratch uses this already.

Use all of these techniques for an almost impossible to work around device ban.

Summary
Apart from the extra time this would take to implement, this would prevent people getting around bans.

NOTE: In the US, it is illegal to get around an IP ban on purpose.
Please don't comment saying I don't understand; please read the Non-Technical version, and then ask questions about it.

Sure, fingerprinting works in theory, but I can just go into a private tab with a User-Agent changer or in another browser. I remember reading about Evercookie in the past. From my understanding, most of its methods no longer work and are simply avoided either by entering a private tab or clearing all browsing data. The thing is, there really is no way to identify a computer in a way that you could ban it. These next ideas are not possible with normal HTTP requests and would require Scratch to forcibly install software on our computers. If you decide to use MAC addresses, then I will just run the MAC changer that I use every time I switch networks; if you look at the hardware IDs, then I could just spin up a VM or use a container.
thr565ono
Scratcher
100+ posts

Method for bans you can't workaround

herohamp wrote:

thr565ono wrote:

IP bans are easy to work around (just google “change my public IP”).
Why not use a device fingerprint as well as the IP?

Non-Technical version:
Use a unique code to identify devices that get banned, and also ban the IP, so it is almost impossible to work around without getting a new device and router.

Technical version (you have to be a web developer to understand this):
Fingerprinting: Work out a unique ID for the device
Use the HTTP headers and other data served via various browser APIs to work out as much information as possible about the accessing machine (exclude time, battery and other things like that).

Store this data, and if a visitor is similar to this, you can presume they are exactly the same device, and this is device fingerprinting.
You can see if your device fingerprint is unique here: https://amiunique.org/

See https://en.wikipedia.org/wiki/Device_fingerprint for more info.

Evercookie: Ensure they can't just delete the cookie, and recreate it on their device after deletion

Also, use a cookie or two (with a bit of the device fingerprint) and make an evercookie, making getting around the bans even harder. Also evercookie the IP.
See https://en.wikipedia.org/wiki/Evercookie for more info.

If you create an evercookie with the ban info, it will be almost impossible to get around.

IP Ban
Well, Scratch uses this already.

Use all of these techniques for an almost impossible to work around device ban.

Summary
Apart from the extra time this would take to implement, this would prevent people getting around bans.

NOTE: In the US, it is illegal to get around an IP ban on purpose.
Please don't comment saying I don't understand; please read the Non-Technical version, and then ask questions about it.

Sure, fingerprinting works in theory, but I can just go into a private tab with a User-Agent changer or in another browser. I remember reading about Evercookie in the past. From my understanding, most of its methods no longer work and are simply avoided either by entering a private tab or clearing all browsing data. The thing is, there really is no way to identify a computer in a way that you could ban it. These next ideas are not possible with normal HTTP requests and would require Scratch to forcibly install software on our computers. If you decide to use MAC addresses, then I will just run the MAC changer that I use every time I switch networks; if you look at the hardware IDs, then I could just spin up a VM or use a container.

Yes, but it is much harder to work around than IP bans.

ElsieBreeze
Scratcher
100+ posts

Method for bans you can't workaround

Via https://scratch.mit.edu/discuss/post/4279993/

ElsieBreeze wrote:

thr565ono wrote:

Firstly, this is great.

Secondly, you can also track which computer is which even more reliably than IP addresses. Try https://amiunique.org/fp and you can see how much info about your computer is served to websites. They could use similar device fingerprinting to get bans working, and it is not at all easy to reset your device fingerprint, short of moving to a new laptop.

Experienced web coders will know about HTTP headers, you can ask them in advanced topics.
Browsers like Brave have anti-fingerprinting measures; while it still says “Unique”, Brave performs randomization to make it so the fingerprint is different (albeit unique) every time. This would defeat the idea of using fingerprinting to identify users.

Additionally, it definitely isn't hard to bypass fingerprinting. I could change a few parameters for my Windows 10 VM and use a different browser and I'd appear to be completely unique.

Thirdly, bypassing fingerprinting doesn't require buying a new machine. Moving to a different browser, or even changing settings inside your normal browser, is sometimes enough to change your fingerprint. People who want to bypass it can; fingerprinting is usually only used for tracking users who don't know that it's a thing.

These are not impossible to get around. Never have been, never will be. If someone really wants to bypass a ban, they will. You won't stop them.

The only thing implementing heavy device fingerprinting and utilizing EverCookies does is put another level of tracking on users. Due to Scratch being targeted at those under 13, it has to be COPPA compliant, as it is operated in the US. Are these methods you suggest allowed under COPPA?

Bypassing these means will not require buying a new device, nor a new router. You likely wouldn't even need to use a VPN. Just a generic open HTTP proxy and a second browser. Voila, you've bypassed an IP ban and an evercookie, and likely many layers of fingerprinting.

It also might be worth noting that Incognito mode in some browsers may also be able to bypass evercookies.
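The scheme the opening post describes (collect stable header and browser-API attributes, store them at ban time, treat a later visitor that is "similar" as the same device, and combine that with the IP ban) and the objection raised in the replies (a user-agent switch or a different browser changes the fingerprint) can both be seen in one small model. The code below is an added example and not code from the thread or from Scratch; the attribute set, the similarity threshold, and all sample visitors and IP addresses are constructed for illustration.

```python
import hashlib
import json

# Attributes a server can read from request headers (user_agent,
# accept_language) plus values a page script reports back (screen,
# timezone, fonts, ...). This attribute set is an assumption chosen for
# the example; a real deployment picks its own.
STABLE_ATTRIBUTES = (
    "user_agent", "accept_language", "screen", "timezone",
    "platform", "fonts", "webgl_renderer", "hardware_concurrency",
)


def fingerprint_hash(attrs):
    """Exact-match identifier: SHA-256 over the stable attributes in a fixed order."""
    canonical = json.dumps({k: attrs.get(k) for k in STABLE_ATTRIBUTES}, sort_keys=True)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def similarity(a, b):
    """Fraction of stable attributes on which two visitors agree, from 0.0 to 1.0."""
    matches = sum(1 for k in STABLE_ATTRIBUTES if a.get(k) == b.get(k))
    return matches / len(STABLE_ATTRIBUTES)


class BanList:
    """IP ban plus fuzzy fingerprint ban, modelled on the opening post's proposal."""

    def __init__(self, threshold=0.75):
        self.threshold = threshold        # similarity at or above this counts as the same device
        self.banned_ips = set()
        self.banned_fingerprints = []     # attribute dicts captured at ban time

    def ban(self, ip, attrs):
        self.banned_ips.add(ip)
        self.banned_fingerprints.append(dict(attrs))

    def check(self, ip, attrs):
        """Return (blocked, best_similarity) for an incoming visitor."""
        best = max((similarity(attrs, f) for f in self.banned_fingerprints), default=0.0)
        if ip in self.banned_ips or best >= self.threshold:
            return True, best
        return False, best


# Constructed sample visitors (not real data).
BANNED_DEVICE = {
    "user_agent": "Mozilla/5.0 (Windows NT 10.0) Chrome/84.0",
    "accept_language": "en-US,en;q=0.9",
    "screen": "1920x1080x24",
    "timezone": "America/New_York",
    "platform": "Win32",
    "fonts": "Arial,Calibri,Segoe UI",
    "webgl_renderer": "ANGLE (Intel HD Graphics 620)",
    "hardware_concurrency": 4,
}
# Same machine, user-agent switcher in a private tab: exactly one attribute differs.
UA_CHANGED = dict(BANNED_DEVICE, user_agent="Mozilla/5.0 (X11; Linux x86_64) Firefox/79.0")
# Same machine, different browser: several attributes change at once.
OTHER_BROWSER = dict(
    BANNED_DEVICE,
    user_agent="Mozilla/5.0 (Windows NT 10.0) Firefox/79.0",
    accept_language="en-GB,en;q=0.8",
    fonts="Arial,Calibri,Segoe UI,Verdana",
    webgl_renderer="Intel(R) HD Graphics 620",
)


def run_scenarios():
    """Ban one device, then check the visitors the thread argues about."""
    bans = BanList(threshold=0.75)
    bans.ban("203.0.113.10", BANNED_DEVICE)
    return {
        "same_device_same_ip": bans.check("203.0.113.10", BANNED_DEVICE),
        "ua_changed_same_ip": bans.check("203.0.113.10", UA_CHANGED),
        "ua_changed_new_ip": bans.check("198.51.100.7", UA_CHANGED),
        "other_browser_new_ip": bans.check("198.51.100.7", OTHER_BROWSER),
    }


if __name__ == "__main__":
    for name, (blocked, score) in run_scenarios().items():
        print(f"{name:22s} blocked={blocked} similarity={score:.3f}")
```

With these constructed inputs, a user-agent change alone leaves 7 of 8 attributes matching (0.875), so the fuzzy match still blocks the visitor even from a new IP, which is the opening post's argument; switching browsers changes four attributes (0.5) and falls below the threshold, which is the replies' argument. The threshold is the only knob, and lowering it to catch the browser switch raises the false-positive rate for unrelated users on identical hardware and software images (a school computer lab, for instance), which is a real cost on a site whose audience is children.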
fdreerf
Scratcher
1000+ posts

Method for bans you can't workaround

herohamp wrote:

Sure, fingerprinting works in theory, but I can just go into a private tab with a User-Agent changer or in another browser. I remember reading about Evercookie in the past. From my understanding, most of its methods no longer work and are simply avoided either by entering a private tab or clearing all browsing data. The thing is, there really is no way to identify a computer in a way that you could ban it. These next ideas are not possible with normal HTTP requests and would require Scratch to forcibly install software on our computers. If you decide to use MAC addresses, then I will just run the MAC changer that I use every time I switch networks; if you look at the hardware IDs, then I could just spin up a VM or use a container.
But would anyone really do that just to evade a ban?

Hyped for MS-DOS 11.0
thr565ono
Scratcher
100+ posts

Method for bans you can't workaround

You can also use usage patterns to monitor it, and even certain things like emails and the city that they live in.

ElsieBreeze
Scratcher
100+ posts

Method for bans you can't workaround

herohamp wrote:

Sure, fingerprinting works in theory, but I can just go into a private tab with a User-Agent changer or in another browser. I remember reading about Evercookie in the past. From my understanding, most of its methods no longer work and are simply avoided either by entering a private tab or clearing all browsing data. The thing is, there really is no way to identify a computer in a way that you could ban it. These next ideas are not possible with normal HTTP requests and would require Scratch to forcibly install software on our computers. If you decide to use MAC addresses, then I will just run the MAC changer that I use every time I switch networks; if you look at the hardware IDs, then I could just spin up a VM or use a container.
From my understanding, EverCookie exploited Adobe Flash Player / Microsoft SilverLight / Java Applets to store cookies in a way that the browser had no control over, and no way to isolate between sites.

Since all 3 of those things are dead, EverCookies rely on much easier to bypass means. They're essentially normal cookies now.
thr565ono
Scratcher
100+ posts

Method for bans you can't workaround

Also, I forgot to mention, but look at HTTP cookies for info on cookies that are stored at Scratch, and therefore you can't delete.

thr565ono
Scratcher
100+ posts

Method for bans you can't workaround

I think this is allowed by COPPA, as this will be to prevent people from abusing Scratch and being unkind to other children via scratch.

So, it is to protect the Scratch users, not to track them across the Scratch website.

They use similar technologies to keep you logged into Scratch.

herohamp
Scratcher
1000+ posts

Method for bans you can't workaround

fdreerf wrote:

herohamp wrote:

Sure, fingerprinting works in theory, but I can just go into a private tab with a User-Agent changer or in another browser. I remember reading about Evercookie in the past. From my understanding, most of its methods no longer work and are simply avoided either by entering a private tab or clearing all browsing data. The thing is, there really is no way to identify a computer in a way that you could ban it. These next ideas are not possible with normal HTTP requests and would require Scratch to forcibly install software on our computers. If you decide to use MAC addresses, then I will just run the MAC changer that I use every time I switch networks; if you look at the hardware IDs, then I could just spin up a VM or use a container.
But would anyone really do that just to evade a ban?
Yes, I would definitely open a private tab to evade a ban… or install another browser, or just make another Chrome profile with a different user-agent.
ElsieBreeze
Scratcher
100+ posts

Method for bans you can't workaround

fdreerf wrote:

herohamp wrote:

Sure, fingerprinting works in theory, but I can just go into a private tab with a User-Agent changer or in another browser. I remember reading about Evercookie in the past. From my understanding, most of its methods no longer work and are simply avoided either by entering a private tab or clearing all browsing data. The thing is, there really is no way to identify a computer in a way that you could ban it. These next ideas are not possible with normal HTTP requests and would require Scratch to forcibly install software on our computers. If you decide to use MAC addresses, then I will just run the MAC changer that I use every time I switch networks; if you look at the hardware IDs, then I could just spin up a VM or use a container.
But would anyone really do that just to evade a ban?
For the most part, EverCookies / some amounts of fingerprinting can be easily bypassed with a private tab or incognito tab, and IP bans can be bypassed with an HTTP proxy or free VPN app. They aren't hard to get around.

There's a reason that the vast majority of sites don't use fingerprinting to ban users, they aren't the perfect method of identification that OP seems to think.

thr565ono wrote:

You can also use usage patterns to monitor it, and even certain things like emails and the city that they live in.
Yes, you can get the rough geographic location of a user from their IP address, but that is also quite easy to hide.
And I'm pretty certain that Scratch does not allow you to use the email of a banned account to make a new one (and if they do, that's another issue), so tracking what emails are used probably won't help much.

thr565ono wrote:

herohamp wrote:

-snip-
Yes, but it is much harder to work around than IP bans.
Not necessarily.
Bypassing an IP ban requires getting a new IP. Or masking your IP with a VPN or proxy.
Bypassing an evercookie requires opening an incognito tab or clearing your cookies.
Bypassing fingerprinting is achievable by installing a new browser.

None of these are very hard to bypass.
fdreerf
Scratcher
1000+ posts

Method for bans you can't workaround

ElsieBreeze wrote:

fdreerf wrote:

But would anyone really do that just to evade a ban?
For the most part, EverCookies / some amounts of fingerprinting can be easily bypassed with a private tab or incognito tab, and IP bans can be bypassed with an HTTP proxy or free VPN app. They aren't hard to get around.
That doesn't answer my question. Would someone actually do this in the first place?

Last edited by fdreerf (Aug. 1, 2020 14:20:56)


herohamp
Scratcher
1000+ posts

Method for bans you can't workaround

fdreerf wrote:

ElsieBreeze wrote:

fdreerf wrote:

But would anyone really do that just to evade a ban?
For the most part, EverCookies / some amounts of fingerprinting can be easily bypassed with a private tab or incognito tab, and IP bans can be bypassed with an HTTP proxy or free VPN app. They aren't hard to get around.
That doesn't answer my question. Would someone actually do this in the first place?
Yes, I know someone who went through much further lengths to evade a ban. Not to mention opening a private tab is literally 2 clicks in Chrome!
thr565ono
Scratcher
100+ posts

Method for bans you can't workaround

fdreerf wrote:

ElsieBreeze wrote:

fdreerf wrote:

But would anyone really do that just to evade a ban?
For the most part, EverCookies / some amounts of fingerprinting can be easily bypassed with a private tab or incognito tab, and IP bans can be bypassed with an HTTP proxy or free VPN app. They aren't hard to get around.
That doesn't answer my question. Would someone actually do this in the first place?

I don't think they would, unless they saw this and used it to help. I think only another experienced web developer would be able to remove this banning mechanism.

thr565ono
Scratcher
100+ posts

Method for bans you can't workaround

herohamp wrote:

fdreerf wrote:

ElsieBreeze wrote:

fdreerf wrote:

But would anyone really do that just to evade a ban?
For the most part, EverCookies / some amounts of fingerprinting can be easily bypassed with a private tab or incognito tab, and IP bans can be bypassed with an HTTP proxy or free VPN app. They aren't hard to get around.
That doesn't answer my question. Would someone actually do this in the first place?
Yes, I know someone who went through much further lengths to evade a ban. Not to mention opening a private tab is literally 2 clicks in Chrome!

It would be combined with IP bans. Also, you can track someone by mouse movements without javascript. See https://www.zdnet.com/article/how-your-mouse-movements-can-be-used-to-track-you-on-the-tor-network/ for info

herohamp
Scratcher
1000+ posts

Method for bans you can't workaround

thr565ono wrote:

fdreerf wrote:

ElsieBreeze wrote:

fdreerf wrote:

But would anyone really do that just to evade a ban?
For the most part, EverCookies / some amounts of fingerprinting can be easily bypassed with a private tab or incognito tab, and IP bans can be bypassed with an HTTP proxy or free VPN app. They aren't hard to get around.
That doesn't answer my question. Would someone actually do this in the first place?

I don't think they would, unless they saw this and used it to help. I think only another experienced web developer would be able to remove this banning mechanism.
No, anyone who has ever used a private tab.
herohamp
Scratcher
1000+ posts

Method for bans you can't workaround

thr565ono wrote:

herohamp wrote:

fdreerf wrote:

ElsieBreeze wrote:

fdreerf wrote:

But would anyone really do that just to evade a ban?
For the most part, EverCookies / some amounts of fingerprinting can be easily bypassed with a private tab or incognito tab, and IP bans can be bypassed with an HTTP proxy or free VPN app. They aren't hard to get around.
That doesn't answer my question. Would someone actually do this in the first place?
Yes, I know someone who went through much further lengths to evade a ban. Not to mention opening a private tab is literally 2 clicks in Chrome!

It would be combined with IP bans. Also, you can track someone by mouse movements without javascript. See https://www.zdnet.com/article/how-your-mouse-movements-can-be-used-to-track-you-on-the-tor-network/ for info
Without Javascript: kek
“As most browsers, including the Tor browser, enable JavaScript by default, the code is able to begin tracking mouse wheel movements.”
And as previously discussed, IP bans are just a reboot of the router, or even just waiting a couple of days for your home IP to change. Even better if you're behind a CGNAT, where it might change every couple of hours as you cycle between the IP pool.
thr565ono
Scratcher
100+ posts

Method for bans you can't workaround

herohamp wrote:

thr565ono wrote:

fdreerf wrote:

ElsieBreeze wrote:

fdreerf wrote:

But would anyone really do that just to evade a ban?
For the most part, EverCookies / some amounts of fingerprinting can be easily bypassed with a private tab or incognito tab, and IP bans can be bypassed with an HTTP proxy or free VPN app. They aren't hard to get around.
That doesn't answer my question. Would someone actually do this in the first place?

I don't think they would, unless they saw this and used it to help. I think only another experienced web developer would be able to remove this banning mechanism.
No, anyone who has ever used a private tab.

The IP and HTTP cookies work, even in private tabs.

ElsieBreeze
Scratcher
100+ posts

Method for bans you can't workaround

fdreerf wrote:

ElsieBreeze wrote:

fdreerf wrote:

But would anyone really do that just to evade a ban?
For the most part, EverCookies / some amounts of fingerprinting can be easily bypassed with a private tab or incognito tab, and IP bans can be bypassed with an HTTP proxy or free VPN app. They aren't hard to get around.
That doesn't answer my question. Would someone actually do this in the first place?
The vast majority of people wouldn't bypass a normal IP ban in the first place; those I know who have bypassed Scratch bans and Scratch network bans multiple times would absolutely go through more lengths to bypass a ban even with more measures in place to try to stop it.

I imagine the vast majority of people don't get permanently IP banned from Scratch in the first place.
ElsieBreeze
Scratcher
100+ posts

Method for bans you can't workaround

thr565ono wrote:

herohamp wrote:

-snip-

The IP and HTTP cookies work, even in private tabs.
What do you mean by “HTTP cookies”? I assume you mean cookies that are set via HTTP headers, like the ones responsible for CSRF and login sessions, but those are still verified against what's stored client side. If there is no data client side, they have no data to check against what's stored on the server.

Last edited by ElsieBreeze (Aug. 1, 2020 14:32:56)
