Hive ranking system hacked already?

M0RT Join Date: 2013-01-02 Member: 177140 Members
So I was checking out the hive.naturalselection2.com skill rankings and I see it's already been hacked. [AnuNS2.org] has been playing for 84042 hours and teleporting cactus has a skill of 1337 and has 9000 hours?

Comments

  • xen32 Join Date: 2012-10-18 Member: 162676 Members, Reinforced - Supporter
    I found myself there, it shows games I played, but avatar and link to steam profile are not mine...
  • Maxx11_v2.0 Join Date: 2012-11-18 Member: 172221 Members
    xen32 wrote: »
    I found myself there, it shows games I played, but avatar and link to steam profile are not mine...

    Same here, the name is mine and the played games list and stats look about right, but the avatar and profile it links to have nothing to do with me.
  • Runteh Join Date: 2010-06-26 Member: 72163 Members, Reinforced - Shadow
  • Ghosthree3 Join Date: 2010-02-13 Member: 70557 Members, Reinforced - Supporter
    Yeah, someone I know submitted false info lol...
  • ezekel Join Date: 2012-11-29 Member: 173589 Members, NS2 Map Tester
    It can be reset, but who really cares.. the purpose is to help people select servers with people more/less near their own skill level.. I'd just reset the guy and give him an official server ban
  • Ghosthree3 Join Date: 2010-02-13 Member: 70557 Members, Reinforced - Supporter
    The ID is fake, he won't be in any servers.
  • Vetinari Join Date: 2013-07-23 Member: 186325 Members, Squad Five Blue, Reinforced - Shadow, WC 2013 - Silver
    Anyway, you gotta remember that nickname for future use. It's awesome.
  • Roobubba Who you gonna call? Join Date: 2003-01-06 Member: 11930 Members, Reinforced - Shadow, WC 2013 - Shadow
    Had to have a rofl at that page earlier. Allegedly I'm #5 in the world (including teleporting cactus). LOL.
  • Vetinari Join Date: 2013-07-23 Member: 186325 Members, Squad Five Blue, Reinforced - Shadow, WC 2013 - Silver
    Roobubba wrote: »
    Had to have a rofl at that page earlier. Allegedly I'm #5 in the world (including teleporting cactus). LOL.

    @Roobubba After I saw you lerking in combat that's not hard to believe ;)
  • RabidWeasel Join Date: 2002-11-02 Member: 5337 Members
    Is it just me or is the existence of this site not mentioned anywhere? It's pretty nifty, though scary to see how highly I'm ranked considering that I fuck up ALL THE TIME
  • Ghosthree3 Join Date: 2010-02-13 Member: 70557 Members, Reinforced - Supporter
    It's not officially released so it won't be mentioned anywhere. It's not officially released because there's still a lot of bugs and incomplete methods with it.
  • GhoulofGSG9 Join Date: 2013-03-31 Member: 184566 Members, Super Administrators, Forum Admins, Forum Moderators, NS2 Developer, NS2 Playtester, Squad Five Blue, Squad Five Silver, Reinforced - Supporter, WC 2013 - Supporter, Pistachionauts
    edited September 2013
    It's not really hacking, just send a manipulated JSON file to the web API. Of course they should add some kind of a controlling system to avoid that.
  • CCTEE Join Date: 2013-06-20 Member: 185634 Members, Reinforced - Shadow
    1471 skillranked & PROUD.
  • delta78 Join Date: 2013-01-08 Member: 178131 Members
    I can't find myself on the skill list T.T

    Oh, I can search myself and see how God like good I am... WHAT! Skill level 300?! If only the game ran smoother, I'd show everypony a real killing! Maybe I should stop fooling around in the CC and start pew pew / bite bite or stab stab or gore gore or...

    Stat pad my way to the top *Evil grin*. Now all I need is to choose one of the rookie servers and start making the points! Gee, thanks ranking system for showing me the right way!



    Now serious...

    Personally, I don't give two bits for the ranking system or any stats in any game. They do not say a thing for me and do not describe accurately who the player is. But you've got to love the joke 1337 and 9000 :P
  • CCTEE Join Date: 2013-06-20 Member: 185634 Members, Reinforced - Shadow
    delta78 wrote: »
    Personally, I don't give two bits for the ranking system or any stats in any game. They do not say a thing for me and do not describe accurately who the player is.

    Mind if I farm you a few hours for a better ranking then?
  • lwf Join Date: 2006-11-03 Member: 58311 Members, Constellation
    edited September 2013
    It's open source, so you can read how it works. I did, and I'm not sure you realize how ridiculously easy it would be to fake any stats for any player. Teleporting cactus proves this by having an obviously bogus SteamID; 13371337, the player does not even exist and the second highest ranked player doesn't own NS2.

    Because the game's server software is freely available and stats are not restricted to UWE (and possibly trusted 3rd party servers), there is no way around this. The correctness of the stats is entirely up to the honesty of the community... or rather up to everyone with an Internet connection, because anyone could ruin all the stats if they wanted to. The source being open source and moddable isn't even an issue here, it wouldn't make any difference since anyone with a browser (really just the ability to open a TCP connection) can set any stat.

    Battlefield 3 for example which has ranks and all that doesn't allow anyone to run a server but selected game server hosting companies. They're the only ones that have it and they are strictly forbidden from publishing it. In my opinion, it's not worth it. Not for NS2.

    You could work against this by attempting to sanity check stats and verify clients (and already some individuals have proven that would be needed...). For example by having all clients send the results of the match instead of the server with a cookie(-like) proving they own their account and select the result the majority of clients says is true... as well as moving all logic out of Lua code to disallow moddability and use custom protocols Lua can't access, or a server could just send out a mod which allows it to dictate what clients send. That would help, but it could never, ever be secure working this way.
  • SamusDroid Colorado Join Date: 2013-05-13 Member: 185219 Members, Forum Moderators, NS2 Developer, NS2 Playtester, Squad Five Gold, Subnautica Playtester, NS2 Community Developer, Pistachionauts
    edited September 2013
    You could PW the file and have the game enter the PW when submitting, no?
    Probably not possible through code though.
  • Vetinari Join Date: 2013-07-23 Member: 186325 Members, Squad Five Blue, Reinforced - Shadow, WC 2013 - Silver
    Dynamically via algorithm created codes which will be verified by the server?
  • Ghosthree3 Join Date: 2010-02-13 Member: 70557 Members, Reinforced - Supporter
    The only way I see it being done is have the server send the info with a keycode unique to that server provider. That way it can be controlled which servers (or people) can send data, if you host a public server apply for a code.
  • Narfwak Join Date: 2002-11-02 Member: 5258 Members, Super Administrators, Forum Admins, NS1 Playtester, Playtest Lead, Forum Moderators, Constellation, NS2 Playtester, Squad Five Blue, Reinforced - Supporter, Reinforced - Silver, Reinforced - Gold, Reinforced - Diamond, Reinforced - Shadow, Subnautica PT Lead, NS2 Community Developer
    edited September 2013
    xen32 wrote: »
    I found myself there, it shows games I played, but avatar and link to steam profile are not mine...

    The stats data appears to be correct for most people (at least mine is) but it's linking to the wrong steam profiles for some people.
  • MrFangs Join Date: 2013-03-27 Member: 184474 Members, Reinforced - Shadow
    Well, each server registers with the UWE master server(s). It would be trivial to give each server a secret key that it needs to upload game results... I guess that's what @lwf meant with a "cookie-like" solution.

    The tricky part, of course, is that nothing prevents a malicious user from setting up a fake server, grabbing the key/cookie and sending bogus data with that key. So the master server would have to verify that the server is legit. @Ghosthree3's approach might work, but I see the problem that each application would need to be checked manually, which creates human work on UWE's side. And you could still apply with a fake server and send bogus data, it would just take a bit longer. And if I understand correctly, creating throwaway Steam keys for servers is not a real constraint.

    So, like @lwf mentioned, the clients need to submit data as well, which would then be checked against the server's version of the story. This could become quite a headache to get right, considering that clients can enter and leave a match at any time, may lose connection to the server and/or steam and/or the master server, or may just crash at any time. With a local match result log for each client and server, which is uploaded to the stats server at the next possible time, this should be doable, though. There would have to be a grace period between the match and aggregating the "final" stats, though. Malicious clients could still send forged data, but as they need to authenticate via Steam, these could be identified over time as their data differs from the "rest of the world" too frequently.

    tl;dr: making the system secure is quite a bit of work, but should be possible
  • lwf Join Date: 2006-11-03 Member: 58311 Members, Constellation
    edited September 2013
    SteveRock wrote: »
    Ghosthree3 wrote: »
    The only way I see it being done is have the server send the info with a keycode unique to that server provider. That way it can be controlled which servers (or people) can send data, if you host a public server apply for a code.

    I think this would be the only sure-fire way. We'd need to verify servers though - maybe the community could help with this somehow? Like each server needs to get like.. 25 NS2 players to sign an online petition for them, with their steam IDs? Basically just to say, "Yes, this is a good server with good performance that I play on a lot, and they're not running totally game-changing mods, so I'd like my stats on this server to be tracked."

    Yup, probably only way it could be done that's not too intrusive or overly complex yet not very secure. UWE would still have to look out for faked stats, but when found the key for that community server could just be revoked. As it is now there's no way to really fight back.
  • Vetinari Join Date: 2013-07-23 Member: 186325 Members, Squad Five Blue, Reinforced - Shadow, WC 2013 - Silver
    So... we need 25 to start boosting? yay :D
  • Blarney_Stone Join Date: 2013-03-08 Member: 183808 Members, Reinforced - Shadow
  • Cuel Join Date: 2013-01-22 Member: 181295 Members, Reinforced - Shadow
    I feel like public/private key cryptography would be by far enough to secure the data sent
  • lwf Join Date: 2006-11-03 Member: 58311 Members, Constellation
    Cuel wrote: »
    I feel like public/private key cryptography would be by far enough to secure the data sent

    What would that accomplish?
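
The per-server key with revocation proposed earlier in the thread, sketched from the stats API's side as an added example (not code from any poster or from the Hive project); the server ids, keys, payload fields and playtime bound are constructed assumptions. Because a valid tag only identifies the sending server and faked stats would still have to be looked for, a value check follows the signature check.

```python
import hashlib
import hmac
import json

# Constructed registry: server id -> secret issued when the operator applied.
SERVER_KEYS = {"srv-alpha": b"constructed-key-alpha",
               "srv-beta": b"constructed-key-beta"}
REVOKED = set()
MAX_ROUND_HOURS = 4  # assumed upper bound on playtime reported for one round


def sign(server_id, payload, key):
    """Game-server side: MAC over the server id and a canonical JSON body."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    msg = server_id.encode() + b"\n" + body
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def accept(server_id, payload, tag):
    """Stats-API side: return (accepted, reason) for one submission."""
    key = SERVER_KEYS.get(server_id)
    if key is None:
        return False, "unknown server"
    if server_id in REVOKED:
        return False, "key revoked"
    expected = sign(server_id, payload, key)
    if not hmac.compare_digest(expected.encode(), str(tag).encode()):
        return False, "bad signature"
    # A valid tag only shows which server sent the data, so bound the values too.
    for player in payload.get("players", []):
        hours = player.get("hours")
        if not isinstance(hours, (int, float)) or not 0 <= hours <= MAX_ROUND_HOURS:
            return False, "implausible playtime"
    return True, "ok"


def revoke(server_id):
    """Operator action once faked stats are traced to a server's key."""
    REVOKED.add(server_id)
```

Binding the server id into the MAC means a tag issued under one server's key is rejected when presented under another server's id, which is what makes per-server revocation meaningful.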