Discuss Scratch

sharkode
Scratcher
1000+ posts

Enable reporting of fraudulent cloud variable activity

I don't really agree with 1
“destroying what real Scratchers have built”
Sometimes it's a part of the gameplay where you destroy each other's bases. Even if that's not allowed, the user shouldn't be banned from Scratch; instead, they can be banned from playing the game.
kriblo
Scratcher
100+ posts

Enable reporting of fraudulent cloud variable activity

sharkode wrote:

I don't really agree with 1
“destroying what real Scratchers have built”
Sometimes it's a part of the gameplay where you destroy each other's bases. Even if that's not allowed, the user shouldn't be banned from Scratch; instead, they can be banned from playing the game.
Gameplay? I really don't think messing up other Scratchers' projects should be a part of mainstream Scratch! If two willing Scratchers want to play this ‘game’, fine. In my suggestion, only the creator of a project can report suspicious cloud activity, so it's not going to be a problem for anyone hacking a willing creator's project.

Either way, this seems like a marginal special interest.
ArnoHu
Scratcher
1000+ posts

Enable reporting of fraudulent cloud variable activity

dhuls wrote:

ArnoHu wrote:

(#15)

dhuls wrote:

ArnoHu wrote:

Za-Chary wrote:

I'm not here to discount your suggestion, I'm just asking a genuine question.

How often does this sort of thing happen?

Much too often. Happened on my Pac Man project for the high scores, and I read about several other cases in project comments and forum postings, without particularly looking for it.

WebSocket authentication tokens / tickets should solve this IMHO.
What's stopping someone using Python from getting those tokens?

Because you only pass them to the projects on-the-fly, and they are for single-usage.
Still doesn't stop a python script from saying that it is a project.

Only solution is to run projects on the servers, but these servers are too weak.

The project comes from the server; that is what I meant by “on-the-fly”: attach the single-usage token to the project dynamically on the server side, before it is downloaded. How should a Python script mimic that?

Last edited by ArnoHu (May 11, 2022 13:04:01)

kriblo
Scratcher
100+ posts

Enable reporting of fraudulent cloud variable activity

Za-Chary wrote:

I'm not here to discount your suggestion, I'm just asking a genuine question.

How often does this sort of thing happen?

In response to your question, and to bump this thread, I will give yet another recent example of the consequences of cloud hacking.

From the Notes & Credit section of his project Appel v1.4: https://scratch.mit.edu/projects/60917032/

griffpatch wrote:

★★★ UPDATES ★★★
18 Aug 2022 - v1.4 - I have taken the sad decision to remove the high score feature because hackers are forcing the project to be reported. Nothing I can do

I previously wrote:

kriblo wrote:

It's happened to me every time I get a project (which uses cloud variables) on the Trending page or the front page. On my latest project, I've had to restore the cloud leaderboard several times every day after it was obviously ‘hacked’ (containing rude references, and names of famous Scratchers).

I know that many other Scratchers experience the same issues, and like me, are becoming reluctant to use cloud variables altogether.

And I gather this is what happened to Appel. The consequence… no more leaderboards. I concur with @griffpatch that this is a sad thing, as I feel leaderboards are community building.
Pigeon138
Scratcher
14 posts

Enable reporting of fraudulent cloud variable activity

I definitely like the idea, but practically, how could it be misuse-proof? A Scratcher could easily get another Scratcher banned by making a project, changing the code to allow players to get impossibly high scores, then asking the target user to play the project. Then, when the target user achieves very high scores, the creator changes the code back to normal, making those high scores impossible, and reports the target user for fraudulent cloud activity, getting them potentially banned. There is no way to fix this by recording project versions when the project was used because that would totally overload the servers and open another abuse point where trolls spam cloud projects to crash Scratch. I'm not sure if I'm reading this wrong or it's already been brought up, but I don't currently see a good way of preventing this…

Last edited by Pigeon138 (Aug. 19, 2022 10:38:46)

dhuls
Scratcher
1000+ posts

Enable reporting of fraudulent cloud variable activity

ArnoHu wrote:

dhuls wrote:

ArnoHu wrote:

(#15)

dhuls wrote:

ArnoHu wrote:

Za-Chary wrote:

I'm not here to discount your suggestion, I'm just asking a genuine question.

How often does this sort of thing happen?

Much too often. Happened on my Pac Man project for the high scores, and I read about several other cases in project comments and forum postings, without particularly looking for it.

WebSocket authentication tokens / tickets should solve this IMHO.
What's stopping someone using Python from getting those tokens?

Because you only pass them to the projects on-the-fly, and they are for single-usage.
Still doesn't stop a python script from saying that it is a project.

Only solution is to run projects on the servers, but these servers are too weak.

The project comes from the server; that is what I meant by “on-the-fly”: attach the single-usage token to the project dynamically on the server side, before it is downloaded. How should a Python script mimic that?
By downloading the project?
kriblo
Scratcher
100+ posts

Enable reporting of fraudulent cloud variable activity

Pigeon138 wrote:

I definitely like the idea, but practically, how could it be misuse-proof? A Scratcher could easily get another Scratcher banned by making a project, changing the code to allow players to get impossibly high scores, then asking the target user to play the project. Then, when the target user achieves very high scores, the creator changes the code back to normal, making those high scores impossible, and reports the target user for fraudulent cloud activity, getting them potentially banned. There is no way to fix this by recording project versions when the project was used because that would totally overload the servers and open another abuse point where trolls spam cloud projects to crash Scratch. I'm not sure if I'm reading this wrong or it's already been brought up, but I don't currently see a good way of preventing this…
What you're describing could just as well be done with the current reporting system. What I hope to achieve with a report button associated with individual cloud updates, is to easily provide the moderators with enough detailed information to quickly be able to identify a pattern, which in turn might allow them to act. For instance, a certain user might make a lot of updates to several projects, and it's likely that they are fraudulent. I think that, even if moderators used this information with caution (to not ban users in error), we might get rid of the most abhorrent cloud hacking, like rude language on leaderboards.

Furthermore, these hackers are attention seekers and tend to target high profile projects, and I believe it to be unlikely that users with projects on the top of Trending would go to the lengths you describe.
ArnoHu
Scratcher
1000+ posts

Enable reporting of fraudulent cloud variable activity

dhuls wrote:

ArnoHu wrote:

dhuls wrote:

ArnoHu wrote:

(#15)

dhuls wrote:

ArnoHu wrote:

Za-Chary wrote:

I'm not here to discount your suggestion, I'm just asking a genuine question.

How often does this sort of thing happen?

Much too often. Happened on my Pac Man project for the high scores, and I read about several other cases in project comments and forum postings, without particularly looking for it.

WebSocket authentication tokens / tickets should solve this IMHO.
What's stopping someone using Python from getting those tokens?

Because you only pass them to the projects on-the-fly, and they are for single-usage.
Still doesn't stop a python script from saying that it is a project.

Only solution is to run projects on the servers, but these servers are too weak.

The project comes from the server; that is what I meant by “on-the-fly”: attach the single-usage token to the project dynamically on the server side, before it is downloaded. How should a Python script mimic that?
By downloading the project?

The token would not necessarily have to be part of the project binary; there are other ways to pass it (or obfuscate how it is embedded in the binary). But in general, while it is true that one cannot control the client 100%, one can make it a lot more difficult for creators of malicious scripts. E.g. bind the websocket connection to the rest of the Scratch website user flow (token creation based on user login / HTTP session and subsequent project invocation, check if token matches on websocket connect, ensure one-time usage, limit token lifetime), obfuscate JavaScript code for receiving and applying the token, etc. One can also detect suspicious websocket traffic patterns on the server side. A malicious script would basically need to simulate (or run) the Scratch web client and inject its own code for manipulation.
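The server-side half of the ticket scheme ArnoHu sketches above (a token created for a logged-in session when a project is served, checked on websocket connect, single-use, short-lived) can be written down concretely. The following is an added illustration and not Scratch's own code; the `WebSocketTicketIssuer` class, the ticket format, the session and project identifiers, and the lifetime are all assumptions made for the example. The ticket carries an HMAC over the session id, project id, nonce and expiry, so a ticket presented from a different session, with a changed project id, or after tampering fails the signature check, and a set of unredeemed nonces enforces one-time use.

```python
import hashlib
import hmac
import secrets


class WebSocketTicketIssuer:
    """Hypothetical issuer of single-use, short-lived websocket tickets.

    A ticket is bound to the HTTP session and the project it was issued for:
    the signature covers both, so the cloud server can refuse a ticket that
    is replayed, presented from another session, or reused for another project.
    """

    def __init__(self, server_secret: bytes, lifetime_seconds: int = 60):
        self._secret = server_secret
        self._lifetime = lifetime_seconds
        # nonce -> expiry; a nonce is removed the first time it is redeemed
        self._unredeemed: dict[str, int] = {}

    def _sign(self, session_id: str, project_id: str, nonce: str, expires_at: int) -> str:
        msg = f"{session_id}|{project_id}|{nonce}|{expires_at}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()

    def issue(self, session_id: str, project_id: str, now: float) -> str:
        """Called when the website serves a project to a logged-in session."""
        nonce = secrets.token_urlsafe(16)  # urlsafe alphabet never contains '.'
        expires_at = int(now) + self._lifetime
        self._unredeemed[nonce] = expires_at
        sig = self._sign(session_id, project_id, nonce, expires_at)
        return f"{nonce}.{expires_at}.{sig}"

    def redeem(self, ticket: str, session_id: str, project_id: str, now: float) -> tuple[bool, str]:
        """Called on websocket connect; session_id comes from the session cookie,
        project_id from the cloud handshake. Returns (accepted, reason)."""
        try:
            nonce, exp_str, sig = ticket.split(".")
            expires_at = int(exp_str)
        except ValueError:
            return False, "malformed"
        expected = self._sign(session_id, project_id, nonce, expires_at)
        if not hmac.compare_digest(expected, sig):
            return False, "bad signature or session/project mismatch"
        if now > expires_at:
            self._unredeemed.pop(nonce, None)
            return False, "expired"
        if self._unredeemed.pop(nonce, None) is None:
            return False, "already used or unknown"
        return True, "ok"

    def purge_expired(self, now: float) -> int:
        """Housekeeping so the nonce store does not grow without bound."""
        stale = [n for n, exp in self._unredeemed.items() if now > exp]
        for n in stale:
            del self._unredeemed[n]
        return len(stale)


if __name__ == "__main__":
    issuer = WebSocketTicketIssuer(b"constructed-demo-secret", lifetime_seconds=60)
    ticket = issuer.issue("sess-A", "123", now=1000)
    print(issuer.redeem(ticket, "sess-A", "123", now=1010))   # accepted
    print(issuer.redeem(ticket, "sess-A", "123", now=1011))   # replay rejected
    print(issuer.redeem(ticket, "sess-B", "123", now=1010))   # other session rejected
```

As the thread itself points out, this does not stop a script that logs in and walks the normal website flow to obtain a ticket; what it does is tie every cloud connection to an identifiable session and a single project load, which is exactly the kind of per-connection record a moderator would need to see who made a suspicious update.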
NanoRook
Scratcher
1000+ posts

Enable reporting of fraudulent cloud variable activity

ThatCoder77471 wrote:

historical_supa wrote:

Za-Chary wrote:

I'm not here to discount your suggestion, I'm just asking a genuine question.

How often does this sort of thing happen?
I've seen it happen numerous times. It's not super often, but it's still a problem
I remember it happening on some sort of game where you had to jump over spikes (it was featured). The hacked score was the funny number but lots of times.

Can confirm I've seen this happen. Griffpatch had to take down one of his cloud game projects because of the amount of variable hacking going on.
banana439monkey
Scratcher
1000+ posts

Enable reporting of fraudulent cloud variable activity

you might need to also enter the correct scripts/blocks for decoding cloud vars for this to work

Banana
kriblo
Scratcher
100+ posts

Enable reporting of fraudulent cloud variable activity

banana439monkey wrote:

you might need to also enter the correct scripts/blocks for decoding cloud vars for this to work

You're right, it's not always obvious. But many of these hacks use accounts with New Scratcher status, which obviously can't update cloud variables without cheating.
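Two of the patterns raised in this thread can be checked mechanically over a log of cloud updates: kriblo's earlier point that one account pushing updates to several projects in a short time is likely fraudulent, and the point just above that an account with New Scratcher status cannot set cloud variables through the normal editor at all. The code below is an added example, not part of the original posts or of Scratch; the log format, field names, account-status labels, thresholds, and the sample lines are all constructed for illustration. Values are kept numeric, as cloud variables on Scratch only hold numbers. It produces findings for a moderator to review rather than any automatic action, in line with kriblo's caution about not banning users in error.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of a cloud-variable update log (not real Scratch data).
# Fields: timestamp, username, account status, project id, variable, new value.
SAMPLE_LOG = """\
2022-08-18T10:00:01Z,alice,scratcher,111,highscore,4200
2022-08-18T10:00:05Z,bob,new_scratcher,111,highscore,999999
2022-08-18T10:00:09Z,carol,scratcher,222,highscore,1800
2022-08-18T10:00:12Z,dave,scratcher,111,highscore,99999999
2022-08-18T10:00:15Z,dave,scratcher,222,highscore,99999999
2022-08-18T10:00:18Z,dave,scratcher,333,highscore,99999999
2022-08-18T10:00:21Z,dave,scratcher,444,highscore,99999999
2022-08-18T10:30:00Z,alice,scratcher,222,highscore,5100
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+),(?P<user>[^,]+),(?P<status>[^,]+),"
    r"(?P<project>\d+),(?P<var>[^,]+),(?P<value>-?\d+(?:\.\d+)?)$"
)


def parse_log(text: str) -> list[dict]:
    """Parse the constructed log format; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def new_scratcher_updates(events: list[dict]) -> list[tuple[str, str]]:
    """Updates from accounts that the editor itself would not let set cloud
    variables; any such update had to come from outside the normal client."""
    return [(e["user"], e["project"]) for e in events if e["status"] == "new_scratcher"]


def multi_project_updaters(events: list[dict], window: timedelta,
                           min_projects: int) -> dict[str, set[str]]:
    """Users who updated at least `min_projects` distinct projects within any
    sliding `window`; returns the set of projects they touched in that window."""
    by_user: dict[str, list[dict]] = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    flagged: dict[str, set[str]] = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            projects = set()
            for later in evs[i:]:
                if later["ts"] - start["ts"] > window:
                    break
                projects.add(later["project"])
            if len(projects) >= min_projects:
                flagged[user] = flagged.get(user, set()) | projects
    return flagged


def analyze(text: str, window: timedelta = timedelta(minutes=5),
            min_projects: int = 3) -> dict:
    """Bundle both heuristics into one report for moderator review."""
    events = parse_log(text)
    return {
        "new_scratcher": new_scratcher_updates(events),
        "multi_project": multi_project_updaters(events, window, min_projects),
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for user, project in report["new_scratcher"]:
        print(f"review: New Scratcher '{user}' updated cloud data in project {project}")
    for user, projects in report["multi_project"].items():
        print(f"review: '{user}' updated {len(projects)} projects within 5 min: {sorted(projects)}")
```

In the sample, `alice` updates two projects half an hour apart and is not flagged, which is the kind of distinction the window and threshold exist to make; the two findings that do surface are only a starting point for a human looking at the cloud log.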
colinmacc
Scratcher
1000+ posts

Enable reporting of fraudulent cloud variable activity

Something has to be done because this cloud vulnerability is getting completely out of order.
Pigeon138
Scratcher
14 posts

Enable reporting of fraudulent cloud variable activity

kriblo wrote:

What you're describing could just as well be done with the current reporting system.
How? I'm not sure I understand…
QuantumScratcher
Scratcher
100+ posts

Enable reporting of fraudulent cloud variable activity

Maybe when you hover over an item in the log a “Report” quote-unquote button (sort of like the one for comments) would appear?
k7e
Scratcher
1000+ posts

Enable reporting of fraudulent cloud variable activity

Most of this would be encoded, and I don't know if the Scratch Team would go figure out how to decode it, decode it, and then take it down (if inappropriate) for every report.
blablablahello
Scratcher
1000+ posts

Enable reporting of fraudulent cloud variable activity

k7e wrote:

Most of this would be encoded, and I don't know if the Scratch Team would go figure out how to decode it, decode it, and then take it down (if inappropriate) for every report.
ST could simply revert the project to the version in which the cloud variable was sent, then run the project. (Since unless the variable shows a clear impact, it wouldn't be a problem anyway, and if it does show an impact, running the project on the correct version with the variable should decode and show the impact.)
Elijah999999
Scratcher
1000+ posts

Enable reporting of fraudulent cloud variable activity

Za-Chary wrote:

I'm not here to discount your suggestion, I'm just asking a genuine question.

How often does this sort of thing happen?
I haven't seen it incredibly often, but I have seen almost impossible high scores in projects, and Griffpatch recently released a new Online game and, being Griffpatch, was an obvious target. Hackers started trapping other people in bedrock, and writing messages with it. However, until this suggestion is implemented, (I hope it is,) I think we'll need to make do with the current reporting system.

Last edited by Elijah999999 (April 18, 2023 23:07:21)

_Draco_Malfoy_1234
Scratcher
15 posts

Enable reporting of fraudulent cloud variable activity

A way to stop this could be by crashing the project when a see inside detector is triggered, but I doubt Scratch supports this.
