Hive ranking system hacked already?
M0RT
Join Date: 2013-01-02 Member: 177140Members
Join Date: 2013-01-02 Member: 177140Members
Comments
Vegeta what does the scouter say
Same here, the name is mine and the played games list and stats look about right, but the avatar and profile it links to have nothing to do with me.
@Roobubba After I saw you lerking in combat that's not hard to believe
Oh, I can search myself and see how God like good I am... WHAT! Skill level 300?! If only the game ran smoother, I'd show everypony a real killing! Maybe I should stop fooling around in the CC and start pew pew / bite bite or stab stab or gore gore or...
Stat pad my way to the top *Evil grin*. Now I only need is to choose one of the rookie servers and start making the points! Ge thanks ranking system for showing me the right way!
Now serious...
Personally, I don't give two bits for the ranking system or any stats in any game. They do not say a thing for me and do not describe accurately who the player is. But you've got to love the joke 1337 and 9000 :P
Mind if i farm you a few hours for a better ranking then?
Because the game has the server software is freely available and stats is not restricted to UWE (and possibly trusted 3rd party servers) there is no way around this. The correctness of the stats is entirely up to the honesty of the community... or rather up to everyone with an Internet connection, because anyone could ruin all the stats if they wanted to. The source being open source and moddable isn't even an issue here, it wouldn't make any difference since anyone with a browser (really just the ability to open a TCP connection) can set any stat.
Battlefield 3 for example which has ranks and all that doesn't allow anyone to run a server but selected game server hosting companies. They're the only ones that have it and they are strictly forbidden from publishing it. In my opinion, it's not worth it. Not for NS2.
You could work against this attempting to sanity check stats and verify clients (and already some individuals has proven that would be needed...). For example by having all clients send the results of the match instead of the server with a cookie(-like) proving they own their account and select the result the majority of clients says is true... as well as moving all logic out of Lua code to disallow moddability and use custom protocols Lua can't access, or a server could just send out a mod which allows it to dictate what clients send. That would help, but it could never, ever be secure working this way.
Probably not possible through code though.
The tricky part, of course, is that nothing prevents a malicious user from setting up a fake server, grab the key/cookie and send bogus data with that key. So the master server would have to verify that the server is legit. @Ghosthree3's approach might work, but I see the problem that each application would need to be checked manually, which creates human work on UWE's side. And you could still apply with a fake server and send bogus data, it would just take a bit longer. And if I understand correctly, creating throwaway Steam keys for servers is not a real constraint.
So, like @lwf mentioned, the clients need to submit data as well, which would then be checked against the server's version of the story. This could become quite a headache to get right, considering that clients can enter and leave a match at any time, may lose connection to the server and/or steam and/or the master server, or may just crash at any time. With a local match result log for each client and server, which is uploaded to the stats server at the next possible time, this should be doable, though. There would have to be a grace period between the match and aggregating the "final" stats, though. Malicious clients could still send forged data, but as they need to authenticate via Steam, these could be identified over time as their data differs from the "rest of the world" too frequently.
tl;dr: making the system secure is quite a bit of work, but should be possible
I think this would be the only sure-fire way. We'd need to verify servers though - maybe the community could help with this some how? Like each server needs to get like.. 25 NS2 players to sign an online petition for them, with their steam IDs? Basically just to say, "Yes, this is a good server with good performance that I play on a lot, and they're not running totally game-changing mods, so I'd like my stats on this server to be tracked."
Yup, probably only way it could be done that's not too intrusive or overly complex yet not very secure. UWE would still have to look out for faked stats, but when found the key for that community server could just be revoked. As it is now there's no way to really fight back.
What would that accomplish?
Sure as mentioned above you could use public private keys. Generate them here on the website assign them to a server and encrypt and secure the easy exploits. But still, the server itself can be modified and altered to push wrong data to your system. And if you once got wrong data within a elo based environment, everything gets useless because the error spreads around the system.
Not to talk about privacy at all... I for my part did not buy NS2 to be "tracked" on all servers when playing. I do not want my online time published on a public website, where I can not hide them. The Mod called "NS2Stats" is the same thing... there you can hide data a bit. But still you not always see it on the mod list of a server (you can install it hidden as far as I know) so you do not see that you got recorded.
And finally, probably most important: elo, kills per death and stuff like that are most likely destroying gameplay. I have seen it in so many other games, people avoid fighting, leave, let you go first into a battle, only leech kills and run away, and crap like that. Just because they wanna keep elo and kills per death high. Such a system will never highlight a good team player, this system provides only a list for people that needs to be the best somewhere... You will not provide a rooky friendly envrioment if everyone looks for his elo and stats.
Please really think about what impact it will have if you track stats and people start playing for their own stats. And think about privacy too.
If you wanna do something, showing some kind of process into that game. Then add achievements, that's the way to go.