Discuss Scratch » Discussion Forums » Suggestions » Enable reporting of fraudulent cloud variable activity
- sharkode (1000+ posts)
I don't really agree with 1.
> “destroying what real Scratchers have built”
Sometimes it's a part of the gameplay where you destroy each other's bases. Even if that's not allowed, the user shouldn't be banned from Scratch; instead, they can be banned from playing the game.
- kriblo (100+ posts)
> I don't really agree with 1.
> “destroying what real Scratchers have built”
> Sometimes it's a part of the gameplay where you destroy each other's bases. Even if that's not allowed, the user shouldn't be banned from Scratch; instead, they can be banned from playing the game.
Gameplay? I really don't think messing up other Scratchers' projects should be a part of mainstream Scratch! If two willing Scratchers want to play this ‘game’, fine. In my suggestion, only the creator of a project can report suspicious cloud activity, so it's not going to be a problem for anyone hacking a willing creator's project.
Either way, this seems like a marginal special interest.
- ArnoHu (1000+ posts)
> (#15)
> I'm not here to discount your suggestion, I'm just asking a genuine question.
> How often does this sort of thing happen?
> Much too often. Happened on my Pac Man project for the high scores, and I read about several other cases in project comments and forum postings, without particularly looking for it.
> WebSocket authentication tokens / tickets should solve this IMHO.
> What's stopping someone using Python from getting those tokens?
> Because you only pass them to the projects on-the-fly, and they are for single-usage.
> Still doesn't stop a python script from saying that it is a project.
> Only solution is to run projects on the servers, but these servers are too weak.
The project comes from the server, that is what I meant with “on-the-fly”: Attach the single-usage-token to the project dynamically on the server-side, before it is downloaded. How should a python script mimic that?
Last edited by ArnoHu (May 11, 2022 13:04:01)
- kriblo (100+ posts)
> I'm not here to discount your suggestion, I'm just asking a genuine question.
> How often does this sort of thing happen?
In response to your question, and to bump this thread, I will give yet another recent example of the consequences of cloud hacking.
From the Notes & Credits section of his project Appel v1.4: https://scratch.mit.edu/projects/60917032/
> ★★★ UPDATES ★★★
> 18 Aug 2022 - v1.4 - I have taken the sad decision to remove the high score feature because hackers are forcing the project to be reported. Nothing I can do
I previously wrote:
> It's happened to me every time I get a project (which uses cloud variables) on the Trending page or the front page. On my latest project, I've had to restore the cloud leaderboard several times every day after it was obviously ‘hacked’ (containing rude references, and names of famous Scratchers).
> I know that many other Scratchers experience the same issues, and like me, are becoming reluctant to use cloud variables altogether.
And I gather this is what happened to Appel. The consequence… no more leaderboards. I concur with @griffpath that this is a sad thing, as I feel leaderboards are community building.
- Pigeon138 (14 posts)
I definitely like the idea, but practically, how could it be misuse-proof? A Scratcher could easily get another Scratcher banned by making a project, changing the code to allow players to get impossibly high scores, then asking the target user to play the project. Then, when the target user achieves very high scores, the creator changes the code back to normal, making those high scores impossible, and reports the target user for fraudulent cloud activity, getting them potentially banned. There is no way to fix this by recording project versions when the project was used because that would totally overload the servers and open another abuse point where trolls spam cloud projects to crash Scratch. I'm not sure if I'm reading this wrong or it's already been brought up, but I don't currently see a good way of preventing this…
Last edited by Pigeon138 (Aug. 19, 2022 10:38:46)
- dhuls (1000+ posts)
> (#15)
> I'm not here to discount your suggestion, I'm just asking a genuine question.
> How often does this sort of thing happen?
> Much too often. Happened on my Pac Man project for the high scores, and I read about several other cases in project comments and forum postings, without particularly looking for it.
> WebSocket authentication tokens / tickets should solve this IMHO.
> What's stopping someone using Python from getting those tokens?
> Because you only pass them to the projects on-the-fly, and they are for single-usage.
> Still doesn't stop a python script from saying that it is a project.
> Only solution is to run projects on the servers, but these servers are too weak.
> The project comes from the server, that is what I meant with “on-the-fly”: Attach the single-usage-token to the project dynamically on the server-side, before it is downloaded. How should a python script mimic that?
By downloading the project?
- kriblo (100+ posts)
> I definitely like the idea, but practically, how could it be misuse-proof? A Scratcher could easily get another Scratcher banned by making a project, changing the code to allow players to get impossibly high scores, then asking the target user to play the project. Then, when the target user achieves very high scores, the creator changes the code back to normal, making those high scores impossible, and reports the target user for fraudulent cloud activity, getting them potentially banned. There is no way to fix this by recording project versions when the project was used because that would totally overload the servers and open another abuse point where trolls spam cloud projects to crash Scratch. I'm not sure if I'm reading this wrong or it's already been brought up, but I don't currently see a good way of preventing this…
What you're describing could just as well be done with the current reporting system. What I hope to achieve with a report button associated with individual cloud updates is to easily provide the moderators with enough detailed information to quickly be able to identify a pattern, which in turn might allow them to act. For instance, a certain user might make a lot of updates to several projects, and it's likely that they are fraudulent. I think that, even if moderators used this information with caution (to not ban users in error), we might get rid of the most abhorrent cloud hacking, like rude language on leaderboards.
Furthermore, these hackers are attention seekers and tend to target high profile projects, and I believe it to be unlikely that users with projects on the top of Trending would go to the lengths you describe.
- ArnoHu (1000+ posts)
> (#15)
> I'm not here to discount your suggestion, I'm just asking a genuine question.
> How often does this sort of thing happen?
> Much too often. Happened on my Pac Man project for the high scores, and I read about several other cases in project comments and forum postings, without particularly looking for it.
> WebSocket authentication tokens / tickets should solve this IMHO.
> What's stopping someone using Python from getting those tokens?
> Because you only pass them to the projects on-the-fly, and they are for single-usage.
> Still doesn't stop a python script from saying that it is a project.
> Only solution is to run projects on the servers, but these servers are too weak.
> The project comes from the server, that is what I meant with “on-the-fly”: Attach the single-usage-token to the project dynamically on the server-side, before it is downloaded. How should a python script mimic that?
> By downloading the project?
The token would not necessarily have to be part of the project binary; there are other ways to pass it (or obfuscate how it is embedded in the binary). But in general, while it is true that one cannot control the client 100%, one can make it a lot more difficult for creators of malicious scripts. E.g. bind the websocket connection to the rest of the Scratch website user flow (token creation based on user login / HTTP session and subsequent project invocation, check if token matches on websocket connect, ensure one-time usage, limit token lifetime), obfuscate JavaScript code for receiving and applying the token, etc. One can also detect suspicious websocket traffic patterns on the server side. A malicious script would basically need to simulate (or run) the Scratch web client and inject its own code for manipulation.
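The session-bound, single-use ticket flow sketched in the post above, written out as an added Python example; this is not Scratch's code, and TicketStore, the 30-second lifetime and the session/project identifiers are constructed assumptions.

```python
import secrets
import time

# Assumption: a ticket must be redeemed within 30 s of the project page loading.
TICKET_TTL_SECONDS = 30


class TicketStore:
    """Server-side store of one-time WebSocket tickets (constructed example).
    The web server issues a ticket when a logged-in session loads a project; the
    cloud-variable WebSocket endpoint redeems it exactly once on connect."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock  # injectable so expiry can be exercised deterministically
        self._pending = {}   # ticket -> (session_id, project_id, expires_at)

    def issue(self, session_id, project_id):
        ticket = secrets.token_urlsafe(32)  # 256 bits of randomness, unguessable
        expires_at = self._clock() + TICKET_TTL_SECONDS
        self._pending[ticket] = (session_id, project_id, expires_at)
        return ticket

    def redeem(self, ticket, session_id, project_id):
        """Return (accepted, reason). The ticket is consumed on first presentation
        even when a check fails, so a replayed or stolen ticket cannot be retried."""
        entry = self._pending.pop(ticket, None)
        if entry is None:
            return False, "unknown-or-already-used"
        bound_session, bound_project, expires_at = entry
        if self._clock() > expires_at:
            return False, "expired"
        if bound_session != session_id:
            return False, "session-mismatch"
        if bound_project != project_id:
            return False, "project-mismatch"
        return True, "ok"

    def purge_expired(self):
        """Drop tickets that were issued but never redeemed (run periodically)."""
        now = self._clock()
        stale = [t for t, (_, _, exp) in self._pending.items() if now > exp]
        for t in stale:
            del self._pending[t]
        return len(stale)
```

Issue a ticket with `TicketStore().issue("sess-alice", 123456)` and present it twice to `redeem`: the first call returns `(True, "ok")`, the second `(False, "unknown-or-already-used")`.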
- NanoRook (1000+ posts)
> I'm not here to discount your suggestion, I'm just asking a genuine question.
> How often does this sort of thing happen?
> I've seen it happen numerous times. It's not super often, but it's still a problem.
> Can confirm I've seen this happen. Griffpatch had to take down one of his cloud game projects because of the amount of variable hacking going on.
I remember it happening on some sort of game where you had to jump over spikes (it was featured). The hacked score was the funny number but lots of times.
- banana439monkey (1000+ posts)
you might need to also enter the correct scripts/blocks for decoding cloud vars for this to work
Banana
- kriblo (100+ posts)
> you might need to also enter the correct scripts/blocks for decoding cloud vars for this to work
You're right, it's not always obvious. But many of these hacks use accounts with New Scratcher status, which obviously can't update cloud variables without cheating.
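The two patterns kriblo points to, here and a few posts up (any cloud update attributed to a New Scratcher account, and one account writing to several projects within a short window), as a detection pass over a constructed cloud-update log. This is an added Python example rather than anything Scratch runs; the record fields, thresholds, usernames and values are all assumed.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class CloudUpdate:
    """One server-side cloud variable set, as a moderation log might record it (assumed shape)."""
    ts: int            # unix seconds
    user: str
    status: str        # "new_scratcher" or "scratcher"
    project_id: int
    variable: str
    value: str


# Constructed sample log; usernames, project ids and values are invented for this example.
SAMPLE_LOG = [
    CloudUpdate(1000, "alice", "scratcher", 101, "☁ highscore", "4820"),
    CloudUpdate(1040, "alice", "scratcher", 101, "☁ highscore", "5110"),
    CloudUpdate(1100, "newbie42", "new_scratcher", 101, "☁ highscore", "999999999"),
    CloudUpdate(1200, "zed", "scratcher", 101, "☁ highscore", "777777777"),
    CloudUpdate(1230, "zed", "scratcher", 202, "☁ highscore", "777777777"),
    CloudUpdate(1260, "zed", "scratcher", 303, "☁ leaderboard", "777777777"),
    CloudUpdate(1300, "carol", "scratcher", 404, "☁ highscore", "3100"),
    CloudUpdate(9000, "carol", "scratcher", 505, "☁ highscore", "2950"),
]


def flag_suspicious(log, project_threshold=3, window_seconds=600):
    """Return sorted (user, reason) pairs; each pair is reported at most once."""
    findings = set()
    by_user = defaultdict(list)
    for upd in log:
        # Rule 1: New Scratchers cannot set cloud variables from the editor,
        # so an update attributed to one did not come from the normal client.
        if upd.status == "new_scratcher":
            findings.add((upd.user, "new-scratcher-cloud-update"))
        by_user[upd.user].append(upd)
    # Rule 2: one account writing to several distinct projects within a short window.
    for user, updates in by_user.items():
        updates.sort(key=lambda u: u.ts)
        for i, first in enumerate(updates):
            in_window = {u.project_id for u in updates[i:] if u.ts - first.ts <= window_seconds}
            if len(in_window) >= project_threshold:
                findings.add((user, "many-projects-in-window"))
                break
    return sorted(findings)
```

Running `flag_suspicious(SAMPLE_LOG)` flags newbie42 under rule 1 and zed under rule 2, while alice (one project) and carol (two projects hours apart) are left alone.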
- colinmacc (1000+ posts)
Something has to be done because this cloud vulnerability is getting completely out of order.
- Pigeon138 (14 posts)
> What you're describing could just as well be done with the current reporting system.
How? I'm not sure I understand…
- QuantumScratcher (100+ posts)
Maybe when you hover over an item in the log a “Report” quote-unquote button (sort of like the one for comments) would appear?
- k7e (1000+ posts)
Most of this would be encoded, and I don't know if the Scratch Team would go figure out how to decode it, decode it, and then take it down (if inappropriate) for every report.
- blablablahello (1000+ posts)
> Most of this would be encoded, and I don't know if the Scratch Team would go figure out how to decode it, decode it, and then take it down (if inappropriate) for every report.
ST could simply revert the project to the version in which the cloud variable was sent on, then run the project. (Since unless the variable shows a clear impact, it wouldn't be a problem anyways, and if it does show an impact, running the project on the correct version with the variable should decode and show the impact.)
- Elijah999999 (1000+ posts)
> I'm not here to discount your suggestion, I'm just asking a genuine question.
> How often does this sort of thing happen?
I haven't seen it incredibly often, but I have seen almost impossible high scores in projects, and Griffpatch recently released a new Online game and, being Griffpatch, was an obvious target. Hackers started trapping other people in bedrock, and writing messages with it. However, until this suggestion is implemented (I hope it is), I think we'll need to make do with the current reporting system.
Last edited by Elijah999999 (April 18, 2023 23:07:21)
- _Draco_Malfoy_1234 (15 posts)
A way to stop this could be by crashing the project when a see inside detector is triggered, but I doubt Scratch supports this.