Hive ranking system hacked already?

M0RT Members Join Date: 2013-01-02 Member: 177140 Posts: 3
So I was checking out the hive.naturalselection2.com skill rankings and I see it's already been hacked. [AnuNS2.org] has been playing for 84042 hours and teleporting cactus has a skill of 1337 and has 9000 hours?

Comments

  • xen32 Members, Reinforced - Supporter Join Date: 2012-10-18 Member: 162676 Posts: 1,011 Advanced user
    I found myself there, it shows games I played, but avatar and link to steam profile are not mine...
  • Maxx11_v2.0 Members Join Date: 2012-11-18 Member: 172221 Posts: 274
    xen32 wrote: »
    I found myself there, it shows games I played, but avatar and link to steam profile are not mine...

    Same here, the name is mine and the played games list and stats look about right, but the avatar and profile it links to have nothing to do with me.
  • Runteh Members, Reinforced - Shadow Join Date: 2010-06-26 Member: 72163 Posts: 1,883
  • Ghosthree3 Members, Reinforced - Supporter Join Date: 2010-02-13 Member: 70557 Posts: 3,432 Advanced user
    Yeah, someone I know submitted false info lol...
  • ezekel Members, NS2 Map Tester Join Date: 2012-11-29 Member: 173589 Posts: 1,385 Advanced user
    It can be reset, but who really cares.. the purpose is to help people select servers with people more/less near their own skill level.. I'd just reset the guy and give him an official server ban
  • Ghosthree3 Members, Reinforced - Supporter Join Date: 2010-02-13 Member: 70557 Posts: 3,432 Advanced user
    The ID is fake, he won't be in any servers.
  • Vetinari Members, Squad Five Blue, Reinforced - Shadow, WC 2013 - Silver Join Date: 2013-07-23 Member: 186325 Posts: 3,468 Advanced user
    Anyway, you gotta remember that nickname for future use. It's awesome.
    formerly known as F0rdPrefect

    I am good Onos
  • Roobubba Who you gonna call? Members, Reinforced - Shadow, WC 2013 - Shadow Join Date: 2003-01-06 Member: 11930 Posts: 3,191 Fully active user
    Had to have a rofl at that page earlier. Allegedly I'm #5 in the world (including teleporting cactus). LOL.
    For all your gorge busting needs.
    It is very strange how some1 who spend so much time makeing videos to help mans, can fall and take miror image of dark ages bourgeoisie, outdated set of belifs
    How True.
  • Vetinari Members, Squad Five Blue, Reinforced - Shadow, WC 2013 - Silver Join Date: 2013-07-23 Member: 186325 Posts: 3,468 Advanced user
    Roobubba wrote: »
    Had to have a rofl at that page earlier. Allegedly I'm #5 in the world (including teleporting cactus). LOL.

    @Roobubba After I saw you lerking in combat that's not hard to believe ;)
    formerly known as F0rdPrefect

    I am good Onos
  • RabidWeasel Members Join Date: 2002-11-02 Member: 5337 Posts: 955 Fully active user
    Is it just me or is the existence of this site not mentioned anywhere? It's pretty nifty, though scary to see how highly I'm ranked considering that I fuck up ALL THE TIME
  • Ghosthree3 Members, Reinforced - Supporter Join Date: 2010-02-13 Member: 70557 Posts: 3,432 Advanced user
    It's not officially released so it won't be mentioned anywhere. It's not officially released because there's still a lot of bugs and incomplete methods with it.
  • GhoulofGSG9 Members, Super Administrators, Forum Admins, Forum Moderators, NS2 Developer, NS2 Playtester, Squad Five Blue, Squad Five Silver, Reinforced - Supporter, WC 2013 - Supporter, Pistachionauts Join Date: 2013-03-31 Member: 184566 Posts: 2,838 admin
    edited September 2013
    It's not really hacking, just send a manipulated JSON file to the web API. Of course they should add some kind of a controlling system to avoid that.
    Developer, Modder and Server Admin of Survival of the Fattest - Ingame Nick: Ghoul
  • CCTEE Members, Reinforced - Shadow Join Date: 2013-06-20 Member: 185634 Posts: 772 Advanced user
    1471 skillranked & PROUD.
    grrrr im beast
  • delta78 Members Join Date: 2013-01-08 Member: 178131 Posts: 102
    I can't find myself on the skill list T.T

    Oh, I can search myself and see how God like good I am... WHAT! Skill level 300?! If only the game ran smoother, I'd show everypony a real killing! Maybe I should stop fooling around in the CC and start pew pew / bite bite or stab stab or gore gore or...

    Stat pad my way to the top *Evil grin*. Now all I need is to choose one of the rookie servers and start making the points! Gee, thanks ranking system for showing me the right way!



    Now serious...

    Personally, I don't give two bits for the ranking system or any stats in any game. They do not say a thing for me and do not describe accurately who the player is. But you've got to love the joke 1337 and 9000 :P
  • CCTEE Members, Reinforced - Shadow Join Date: 2013-06-20 Member: 185634 Posts: 772 Advanced user
    delta78 wrote: »
    Personally, I don't give two bits for the ranking system or any stats in any game. They do not say a thing for me and do not describe accurately who the player is.

    Mind if I farm you a few hours for a better ranking then?
    grrrr im beast
  • lwf Members, Constellation Join Date: 2006-11-03 Member: 58311 Posts: 486 Fully active user
    edited September 2013
    It's open source, so you can read how it works. I did, and I'm not sure you realize how ridiculously easy it would be to fake any stats for any player. Teleporting cactus proves this by having an obviously bogus SteamID; 13371337, the player does not even exist and the second highest ranked player doesn't own NS2.

    Because the game's server software is freely available and stats are not restricted to UWE (and possibly trusted 3rd party servers) there is no way around this. The correctness of the stats is entirely up to the honesty of the community... or rather up to everyone with an Internet connection, because anyone could ruin all the stats if they wanted to. The source being open source and moddable isn't even an issue here, it wouldn't make any difference since anyone with a browser (really just the ability to open a TCP connection) can set any stat.

    Battlefield 3 for example which has ranks and all that doesn't allow anyone to run a server but selected game server hosting companies. They're the only ones that have it and they are strictly forbidden from publishing it. In my opinion, it's not worth it. Not for NS2.

    You could work against this by attempting to sanity check stats and verify clients (and already some individuals have proven that would be needed...). For example by having all clients send the results of the match instead of the server, with a cookie(-like) proving they own their account, and selecting the result the majority of clients says is true... as well as moving all logic out of Lua code to disallow moddability and using custom protocols Lua can't access, or a server could just send out a mod which allows it to dictate what clients send. That would help, but it could never, ever be secure working this way.
  • SamusDroid Colorado Members, Forum Moderators, NS2 Developer, NS2 Playtester, Squad Five Gold, Subnautica Playtester, NS2 Community Developer, Pistachionauts Join Date: 2013-05-13 Member: 185219 Posts: 2,155 mod
    edited September 2013
    You could PW the file and have the game enter the PW when submitting, no?
    Probably not possible through code though.
    My mods --- Watermod collaboration with Feha
    For some reason, the instant you ask players to behave differently to be successful, they associate that with bad mapping. - KungFuDiscoMonkey
  • Vetinari Members, Squad Five Blue, Reinforced - Shadow, WC 2013 - Silver Join Date: 2013-07-23 Member: 186325 Posts: 3,468 Advanced user
    Dynamically via algorithm created codes which will be verified by the server?
    formerly known as F0rdPrefect

    I am good Onos
  • Ghosthree3 Members, Reinforced - Supporter Join Date: 2010-02-13 Member: 70557 Posts: 3,432 Advanced user
    The only way I see it being done is have the server send the info with a keycode unique to that server provider. That way it can be controlled which servers (or people) can send data, if you host a public server apply for a code.
  • Narfwak Members, Super Administrators, Forum Admins, NS1 Playtester, Playtest Lead, Forum Moderators, Constellation, NS2 Playtester, Squad Five Blue, Reinforced - Supporter, Reinforced - Silver, Reinforced - Gold, Reinforced - Diamond, Reinforced - Shadow, Subnautica PT Lead, NS2 Community Developer Join Date: 2002-11-02 Member: 5258 Posts: 3,787 admin
    edited September 2013
    xen32 wrote: »
    I found myself there, it shows games I played, but avatar and link to steam profile are not mine...
    The stats data appears to be correct for most people (at least mine is) but it's linking to the wrong steam profiles for some people.
    UWE Playtest Lead
    Be the change you wish to see.
  • MrFangs Members, Reinforced - Shadow Join Date: 2013-03-27 Member: 184474 Posts: 313 Fully active user
    Well, each server registers with the UWE master server(s). It would be trivial to give each server a secret key that it needs to upload game results... I guess that's what @lwf meant with a "cookie-like" solution.

    The tricky part, of course, is that nothing prevents a malicious user from setting up a fake server, grabbing the key/cookie and sending bogus data with that key. So the master server would have to verify that the server is legit. @Ghosthree3's approach might work, but I see the problem that each application would need to be checked manually, which creates human work on UWE's side. And you could still apply with a fake server and send bogus data, it would just take a bit longer. And if I understand correctly, creating throwaway Steam keys for servers is not a real constraint.

    So, like @lwf mentioned, the clients need to submit data as well, which would then be checked against the server's version of the story. This could become quite a headache to get right, considering that clients can enter and leave a match at any time, may lose connection to the server and/or steam and/or the master server, or may just crash at any time. With a local match result log for each client and server, which is uploaded to the stats server at the next possible time, this should be doable, though. There would have to be a grace period between the match and aggregating the "final" stats, though. Malicious clients could still send forged data, but as they need to authenticate via Steam, these could be identified over time as their data differs from the "rest of the world" too frequently.

    tl;dr: making the system secure is quite a bit of work, but should be possible
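The cross-check MrFangs and lwf describe above, as an added sketch that is not part of the thread or of the Hive code base: clients and server each report the match, the strict-majority client result wins, and reporters who keep disagreeing are flagged over time. The report layout, the `c1`/`c2`/`c3` ids and the thresholds are assumptions; reporters are assumed to be already authenticated via Steam.

```python
from collections import Counter, defaultdict

def canonical(report):
    # Hashable, order-independent form of one reporter's view of a match.
    return (report["winner"], tuple(sorted(report["kills"].items())))

def reconcile(server_report, client_reports):
    """Pick the result a strict majority of clients agree on.

    Returns (result or None, sorted ids of reporters who disagreed with it).
    Clients that crashed or left simply have no entry in client_reports.
    """
    votes = Counter(canonical(r) for r in client_reports.values())
    if not votes:
        return None, []
    result, count = votes.most_common(1)[0]
    if 2 * count <= len(client_reports):
        return None, []          # no strict majority: hold the match for review
    dissent = [cid for cid, r in client_reports.items() if canonical(r) != result]
    if canonical(server_report) != result:
        dissent.append("server")
    return result, sorted(dissent)

class DissentTracker:
    """Counts how often each authenticated reporter disagrees with the majority."""
    def __init__(self):
        self.matches = defaultdict(int)
        self.dissents = defaultdict(int)

    def record(self, reporters, dissenters):
        for rid in reporters:
            self.matches[rid] += 1
        for rid in dissenters:
            self.dissents[rid] += 1

    def suspicious(self, min_matches=3, max_rate=0.5):
        return sorted(r for r, n in self.matches.items()
                      if n >= min_matches and self.dissents[r] / n > max_rate)

# Constructed sample: three matches, client "c3" inflates its own kills each time.
def run_sample():
    honest = {"winner": "marines", "kills": {"c1": 4, "c2": 7, "c3": 2}}
    forged = {"winner": "marines", "kills": {"c1": 4, "c2": 7, "c3": 99}}
    tracker = DissentTracker()
    for _ in range(3):
        clients = {"c1": honest, "c2": honest, "c3": forged}
        result, dissent = reconcile(honest, clients)
        tracker.record(list(clients) + ["server"], dissent)
    return result, dissent, tracker.suspicious()
```

A colluding majority still wins the vote, which is why the tracker only surfaces candidates for review rather than deciding anything on its own.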
  • lwf Members, Constellation Join Date: 2006-11-03 Member: 58311 Posts: 486 Fully active user
    edited September 2013
    SteveRock wrote: »
    Ghosthree3 wrote: »
    The only way I see it being done is have the server send the info with a keycode unique to that server provider. That way it can be controlled which servers (or people) can send data, if you host a public server apply for a code.

    I think this would be the only sure-fire way. We'd need to verify servers though - maybe the community could help with this somehow? Like each server needs to get like.. 25 NS2 players to sign an online petition for them, with their steam IDs? Basically just to say, "Yes, this is a good server with good performance that I play on a lot, and they're not running totally game-changing mods, so I'd like my stats on this server to be tracked."

    Yup, probably only way it could be done that's not too intrusive or overly complex yet not very secure. UWE would still have to look out for faked stats, but when found the key for that community server could just be revoked. As it is now there's no way to really fight back.
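The per-server key with revocation discussed in the posts above, as an added sketch that is not part of the thread or of the Hive code base. It assumes an HMAC-SHA256 shared secret per approved server plus a nonce and timestamp; the message layout, `srv-01`, the key and the player id are constructed. It shows which server sent a result and lets that key be revoked; it does not make the stats of a dishonest key holder true.

```python
import hashlib, hmac, json

def sign_submission(server_id, key, stats, nonce, ts):
    """Game-server side: serialize once, MAC the exact string that is sent."""
    body = json.dumps({"server": server_id, "nonce": nonce, "ts": ts,
                       "stats": stats}, sort_keys=True)
    return {"body": body,
            "mac": hmac.new(key, body.encode(), hashlib.sha256).hexdigest()}

class SubmissionVerifier:
    """Stats-API side: accept results only from servers holding an unrevoked key."""
    def __init__(self, keys, max_age=300):
        self.keys = dict(keys)     # server_id -> secret issued on application
        self.max_age = max_age     # seconds a submission stays acceptable
        self.seen = set()          # (server_id, nonce) pairs already accepted

    def revoke(self, server_id):
        self.keys.pop(server_id, None)   # response to a server caught faking stats

    def verify(self, msg, now):
        try:
            raw = msg["body"].encode()
            body = json.loads(msg["body"])
            sid, nonce = str(body["server"]), str(body["nonce"])
            ts, stats = float(body["ts"]), body["stats"]
            mac = str(msg["mac"]).encode()
        except (AttributeError, KeyError, TypeError, ValueError):
            return False, "malformed"
        key = self.keys.get(sid)
        if key is None:
            return False, "unknown or revoked server"
        expected = hmac.new(key, raw, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(expected, mac):
            return False, "bad mac"
        if abs(now - ts) > self.max_age or (sid, nonce) in self.seen:
            return False, "stale or replayed"
        self.seen.add((sid, nonce))
        return True, stats

def demo():
    key = b"constructed-demo-key"   # constructed sample secret
    v = SubmissionVerifier({"srv-01": key})
    good = sign_submission("srv-01", key, {"player-a": {"skill": 300}}, "n1", 1000)
    forged = dict(good, body=good["body"].replace("300", "1337"))  # edited JSON
    out = [v.verify(good, 1010), v.verify(forged, 1010), v.verify(good, 1020)]
    v.revoke("srv-01")
    fresh = sign_submission("srv-01", key, {"player-a": {"skill": 300}}, "n2", 1030)
    return out + [v.verify(fresh, 1030)]
```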
  • Vetinari Members, Squad Five Blue, Reinforced - Shadow, WC 2013 - Silver Join Date: 2013-07-23 Member: 186325 Posts: 3,468 Advanced user
    So... we need 25 to start boosting? yay :D
    formerly known as F0rdPrefect

    I am good Onos
  • Blarney_Stone Members, Reinforced - Shadow Join Date: 2013-03-08 Member: 183808 Posts: 1,037
    best cactus eu
    if it keeps on raining the levee's going to break
  • Cuel Members, Reinforced - Shadow Join Date: 2013-01-22 Member: 181295 Posts: 123 Fully active user
    I feel like public/private key cryptography would be by far enough to secure the data sent
  • lwf Members, Constellation Join Date: 2006-11-03 Member: 58311 Posts: 486 Fully active user
    Cuel wrote: »
    I feel like public/private key cryptography would be by far enough to secure the data sent

    What would that accomplish?