Script: "Reliant" + HTML Script Legality Discussion

Bug reports, general help, ideas for improvements, and questions about how things are meant to work.


United Calanworie
Technical Moderator
 
Posts: 3839
Founded: Dec 12, 2018
Democratic Socialists

Postby United Calanworie » Thu Jun 02, 2022 6:19 pm

Queen Yuno wrote:-snipped-

Point of clarity here. The only "Telegram Scripts" that can automatically send telegrams use the API, not the HTML site — which, last I checked, mods/admin weren't planning on banning the usage of any time soon. Addressing a few other things though...
Queen Yuno wrote:I think that you'd still need an internet connection on 24/7

Yup... but if nobody in your region has one of those, I'd be shocked. And if you don't have that for financial reasons, I doubt you have the financial resources to be buying stamps.
Queen Yuno wrote:(it only works when my computer is on.)

The response to this is "keep your computer turned on, then."
Queen Yuno wrote:A look at some of the servers my NationStates friends have bought to run their stuff, and they're well within the range of hundreds to 2k dollars.

Then they're overbuying their capacity needs, or they use them for non-NS things in addition to whatever tools they run for NS.
Queen Yuno wrote:Hmm.... What are you using that's only costing $35? Is it a Raspberry Pi tool?

Yes. Model 3B.
Queen Yuno wrote:Anyway, your UCR is doing great with your TG script, but a GCR doesn't need that $35 setup that you have. For obvious reasons, GCRs are already getting so much, give some nerfs! :)

If you're only coming into this thread to advocate banning scripts for GCRs, I don't know what to tell you other than the potential banning of all HTML scripts doesn't only affect GCRs, it massively affects UCRs. Most likely on a much larger level than GCRs. Not to mention the metagame impacts, and the technological losses.
Trans rights are human rights.
Discord: Aav#7546 @queerlyfe
She/Her/Hers
My telegrams are not for Moderation enquiries, those belong in a GHR. Feel free to reach out if you want to just chat.

Scottiesland
Spokesperson
 
Posts: 120
Founded: Dec 21, 2017
Ex-Nation

Postby Scottiesland » Thu Jun 02, 2022 9:53 pm

So moderation has decided since it can't get admins to be able to be around - since RL > NS, always - they need to start banning scripts? These scripts don't exist for the funny haha moments they exist because this site is so poorly designed it needs them for most modern gameplayers to be able to keep up or otherwise for people like me to be able to have a band aid on connection issues and the like.

Admins aren't around so you can't do anything tech related, all while so many technical people are in this thread right now. Appoint some people from defending, raiding, card farming, etc into some technical team then! Instead of removing a very common thing (HTML Scripts) that players use just because you don't have more admins, appoint people to look at these things. I think Roavin, Souls, United Calanworie, et al. have proven that the playerbase typically knows what we're doing.

I'd also love to hear what is going to change behind the scenes with how moderators send out these punishments because the team caved to people talking about how long it took... so you handed out punishments for what wasn't rule breaking behavior. I know you're all volunteers and nobody is getting paid to use this site but I think we still deserve the respect of a little professionalism.
____ Muhammad Musa | They/Them | 21 ____
Taskmaster in The Brotherhood of Malice, Outside World Manager
Duke of Eprom, Marquis of Kammara, Earl of Upper Strathia, Lord-Mayor of Zelva, Seneschal and Monarch-Emeritus, Commander of the Order of the Crown of Sildoria in Sildoria

Wymondham
Chargé d'Affaires
 
Posts: 402
Founded: Apr 03, 2017
Libertarian Police State

Postby Wymondham » Thu Jun 02, 2022 9:59 pm

Crazy girl wrote:Speaking purely for myself (and I suppose as a player rather than member of staff), I'd love to see NS get to a point where scripts would no longer be needed, as the game itself can provide everything a player would need or want.

While I agree in principle CG, I'm personally struggling to see a universe in which that happens. NS++ features were meant to have been integrated into NS 5+ years ago, they haven't been. API requests as simple as switching a feature back on, are made for 4 months with no reply. We are now nearly a year into the development managers system which was meant to revolutionise feature development in NS by making it faster as admins wouldn't have to deal with feature requests and discussion. Instead the two main features that have been promised as part of the new system, frontiers/strongholds and a new forum, have an ETA of "idk" with even members of the moderation staff making jokes about how long the latter will take. All the development managers system has given us is the deletion of some code, TCALS, and declarations.

For years the adage has been "never doubt the ability of admin to do nothing", how can we truly expect that to change when the admin team won't even pick up the phone when moderation calls?

We would all like to live in the world you imagine, but as long as development times are measured in decades, scripts are the best solution the community has for making this game playable. To punish the community for devising a life support mechanism to keep this 20 year old tangle of code and files playable is a dubious proposition at best.
Last edited by Wymondham on Fri Jun 03, 2022 8:09 am, edited 1 time in total.
Doer of the things and the stuffs.
That British dude who does the charity fundraiser.

Ikania
Senator
 
Posts: 3692
Founded: Jun 28, 2013
Democratic Socialists

Postby Ikania » Fri Jun 03, 2022 9:41 pm

Without commenting on the very legitimate grievances of my fellow defenders, it seems the obvious solution here to deal with long wait times for site features would simply be to bring on more admins. Elu is a hard worker but speeding things up would require more hands on deck. I’d recommend Roavin for the job if I weren’t sure he was too busy IRL to commit to something like that - a few good coders from the community could really make a difference, not just to developing more gadgets script-wise, but also in bridging the gap between admin and the player base.
Ike Speardane
Executive Advisor in The League.
Proud soldier in the service of The Grey Wardens.
Three-time Defendervision winner. NSG Senate veteran.
Knuckle-dragging fuckstick from a backwater GCR. #SPRDNZ
Land Value Tax would fix this
СЛАВА УКРАЇНІ

Vleerian
Spokesperson
 
Posts: 137
Founded: Feb 07, 2022
Compulsory Consumerist State

Postby Vleerian » Sat Jun 04, 2022 6:08 pm

Refuge Isle wrote:I question how much of the gameplay community would remain around, interested, and active in the event that every script tool were made illegal.

Before I agree with you everywhere else, this is a proposed ban on only HTML-side scripts - and keeping that in mind makes your argument much stronger.

Refuge Isle wrote:Such a change would also disproportionately affect defending, which has much less time (often less than two seconds) to respond to raider's jumps.

In BoM our HTML-Side raiding tools are Feather and Swarm, which purely are quality of life tools.

Because of the nature of defending, I understand that tools like Breeze, Reliant, and others are effectively necessities because of how fast they have to react. These are not quality of life tools.

Refuge Isle wrote:Lily would be dead, chasing would be dead, pretty much everything but large-scale raids and liberations would be dead.

On the other hand, essential raiding tools would be untouched. Spyglass and QuickDraw (target selection tools) use the Data Dumps pretty much exclusively. FattKATT uses the API exclusively.
Lily's tools like Buzzy Bee don't use the HTML side either - they might not be as quick, but they'll still be able to hit prolific numbers of targets - far from dead.

I'm not sure just how much I can stress how disproportionately defenders would get the short end of the stick here - and just how bad a ban on HTML scripts would be for R/D alone.
Vleerian - Also known as Aurum Rider
Cretox State wrote:“We treat your shipment like it’s ours!”

Creator of FATTKatt

Sweeze
Spokesperson
 
Posts: 189
Founded: Oct 21, 2018
Scandinavian Liberal Paradise

Postby Sweeze » Sat Jun 04, 2022 6:32 pm

Vleerian wrote:In BoM our HTML-Side raiding tools are Feather and Swarm, which purely are quality of life tools.

Because of the nature of defending, I understand that tools like Breeze, Reliant, and others are effectively necessities because of how fast they have to react. These are not quality of life tools.

saying feather is a quality of life tool but breeze isn't is just straight up disingenuous lol, breeze is a lot simpler of a tool (no offense vinny <3) than you're giving it credit for
either neither of them are or both of them are
Vleerian wrote:
Refuge Isle wrote:Lily would be dead, chasing would be dead, pretty much everything but large-scale raids and liberations would be dead.

Lily's tools like Buzzy Bee don't use the HTML side either - they might not be as quick, but they'll still be able to hit prolific numbers of targets - far from dead.

as convenient as buzzy bee is, i'd say tools like vogel (swarm's predecessor; lily tech) and swarm (when/if i finish the tagging feature, no idea if i'm gonna finish it knowing it might just be banned in a few months' time) are much more important to the continued existence of lily; no one anywhere wants to manually put up 150+ tags after updates
| lily supreme command | the mt army third in command | dev of nsdotpy |
[6:38 PM] Chingis: ... the Tom Brady of R/D
5417+ times tag/detag delegate, 5945+ regions hit, first person to become delegate of 200+ regions in an update (and only to do so multiple times)
call me audrey, it/she

Vleerian
Spokesperson
 
Posts: 137
Founded: Feb 07, 2022
Compulsory Consumerist State

Postby Vleerian » Sat Jun 04, 2022 6:59 pm

Sweeze wrote:saying feather is a quality of life tool but breeze isn't is just straight up disingenuous lol, breeze is a lot simpler of a tool (no offense vinny <3) than you're giving it credit for
either neither of them are or both of them are

Largely a matter of my ignorance of defending. If I'm off the mark and the defender tools I mentioned aren't critical, I have no issue walking that back. I'm certain someone more knowledgeable on that front can provide better examples. The fact that the tools which actually enable raids won't be impacted anywhere doesn't change.
Vleerian - Also known as Aurum Rider
Cretox State wrote:“We treat your shipment like it’s ours!”

Creator of FATTKatt

Merni
Ambassador
 
Posts: 1800
Founded: May 03, 2016
Democratic Socialists

Postby Merni » Sat Jun 04, 2022 9:01 pm

Sweeze wrote:
Vleerian wrote:In BoM our HTML-Side raiding tools are Feather and Swarm, which purely are quality of life tools.

Because of the nature of defending, I understand that tools like Breeze, Reliant, and others are effectively necessities because of how fast they have to react. These are not quality of life tools.

saying feather is a quality of life tool but breeze isn't is just straight up disingenuous lol, breeze is a lot simpler of a tool (no offense vinny <3) than you're giving it credit for
either neither of them are or both of them are

Vleerian wrote:Largely a matter of my ignorance of defending. If I'm off the mark and the defender tools I mentioned aren't critical, I have no issue walking that back. I'm certain someone more knowledgeable on that front can provide better examples. The fact that the tools which actually enable raids won't be impacted anywhere doesn't change.

Note: This is all entirely my view on things, and does not represent anyone else.

As simple as Breeze is (and it is pretty simple), if we were deprived of Breeze or any other similar tool, and NS otherwise remained the same as it is today, most defenders would simply be unable to chase with any speed useful in the modern scenario. The few who have very good load times might be able to, but it'd be very tiresome.

I've never used Feather (or tag-raided at all), but it seems to be pretty similar to Breeze. But then, if raiders don't have a keybind tool, they can still open the target region and keep the mouse over the move button, ready to move. For defenders, it necessitates refreshing the reports (or happenings or whatever) page, moving the mouse (precisely to the right small link) to click on the region when the raider move appears, scrolling the region page once it loads, and moving the mouse again to the move button. The mouse movements in particular take up a lot of time, and are quite error-prone. I don't know how easy using the no-template pages is without Breeze either, and if those can't be used that adds a large slowdown to load times too.

(Edited because I messed up and put some of the reply inside the quote.)
Last edited by Merni on Sat Jun 04, 2022 9:03 pm, edited 1 time in total.
2024: the year of democracy. Vote!
The Labyrinth | Donate your free time, help make free ebooks | Admins: Please let us block WACC TGs!
RIP Residency 3.5.16-18.11.21, killed by simplistic calculation
Political Compass: Economic -9.5 (Left) / Social -3.85 (Liberal)
Wrote issue 1523, GA resolutions 532 and 659
meth
When the people are being beaten with a stick, they are not much happier if it is called 'the People’s Stick.' — Mikhail Bakunin (to Karl Marx)
You're supposed to be employing the arts of diplomacy, not the ruddy great thumping sledgehammers of diplomacy. — Ardchoille
The West won the world not by the superiority of its ideas or values or religion [...] but rather by its superiority in applying organised violence. — Samuel P. Huntington (even he said that!)

The Power Recruitment Officer SUA
Civilian
 
Posts: 1
Founded: Mar 16, 2022
Ex-Nation

Postby The Power Recruitment Officer SUA » Tue Jun 07, 2022 10:22 am

More illegal scripts? Moderators? Why do all these illegal scripts EXIST?

Wymondham
Chargé d'Affaires
 
Posts: 402
Founded: Apr 03, 2017
Libertarian Police State

Postby Wymondham » Sun Jun 12, 2022 2:19 pm

Crazy girl wrote:Your questions, understandable as they are, are simply not ones us moderators can answer. We have requested an admin to please comment in this thread, and hoping they will to shed some light on the situation, as many of the moderators who have been dealing with this situation behind the scenes have been feeling completely out of their depth.

NB: I am not entirely aware of how the structure of the moderation team above Game Mod/Senior Game Mod works so please forgive my ignorance if my question is mind numbingly stupid.

Would it be possible for the resident Tech Modling, Blaat, to provide this information or could only Elu/[v] provide the sort of information that the moderation team is talking about here?
Doer of the things and the stuffs.
That British dude who does the charity fundraiser.

The Blaatschapen
Technical Moderator
 
Posts: 63227
Founded: Antiquity
Anarchy

Postby The Blaatschapen » Mon Jun 13, 2022 1:12 am

Wymondham wrote:
Crazy girl wrote:Your questions, understandable as they are, are simply not ones us moderators can answer. We have requested an admin to please comment in this thread, and hoping they will to shed some light on the situation, as many of the moderators who have been dealing with this situation behind the scenes have been feeling completely out of their depth.

NB: I am not entirely aware of how the structure of the moderation team above Game Mod/Senior Game Mod works so please forgive my ignorance if my question is mind numbingly stupid.

Would it be possible for the resident Tech Modling, Blaat, to provide this information or could only Elu/[v] provide the sort of information that the moderation team is talking about here?


A small clarification. In the structure I'm equal to a game mod in terms of rank.

To answer the main question, no, I can't help much to provide more insight. I have no access to production servers and their logs.
Last edited by The Blaatschapen on Mon Jun 13, 2022 1:15 am, edited 1 time in total.
The Blaatschapen should resign

[violet]
Executive Director
 
Posts: 16207
Founded: Antiquity

Postby [violet] » Mon Jun 13, 2022 7:58 pm

Hi all -- Sedge asked me to post some tech explanation here about why I initially flagged some user behavior as coming from an illegal script, in the interests of illumination. So here it is. Note that I have no opinion about Reliant in particular, as discussed below.

On Feb 14, our server logged a large volume of requests that looked like this:

xxx.xxx.xxx.xxx - - [14/Feb/2022:16:48:01 -0800] "POST /cgi-bin/endorse.cgi/script=reliant_1.1/userclick=1644886078571 HTTP/1.1"


That's a script issuing an endorsement command to the HTML site. It was doing so at the rate of about 300 commands per minute, which caused it to bubble up in my reports, so I dug into it a little further. There I saw it had made 2,543 requests over the previous 24 hours, 91% of which were endorsement commands. Many of these were broken or buggy, e.g. attempting to endorse nations it had already endorsed moments before, which is a common signature of a bot gone wrong.

I posted this commentary for mods:
The script sends a "userclick=<timestamp>" parameter, which as per Elu's notes above means that the script is trying to say it isn't acting on its own, but rather is passing on clicks performed by a human. If this is the case, then the script isn't bound by the "10 requests per minute" rule, but instead must simply ensure that it doesn't send simultaneous requests -- i.e. it must wait for the server to acknowledge that the first command has completed before it issues another one.

That means there are two questions to answer regarding legality: (1) Is this script really transmitting human clicks, or just pretending to? And (2) Is it abiding by the simultaneity rule?

#1 is hard to police because we don't really know exactly how fast-clicking a human can be. But several instances look implausible to me, as the requests aren't only fast but are also very evenly spaced -- for example, there's one sequence where a user sends 200 requests in a row that are each spaced apart by 0.3 to 0.5 seconds -- no more, no less. Some variation would be expected from network & system latency, so it seems pretty wild that a human could nail that many requests so uniformly. Another user sends long sequences of 20-ish requests spaced 0.15s apart, i.e. sustained bursts of clicking more than 6 times per second, which is verging on super-human.

#2 also seems unlikely because the server doesn't respond that fast. It takes about 0.23s to get a response from endorse.cgi even if you don't successfully execute an endorsement, so I don't think long sequences of 0.15s are possible. I would expect at least the occasional hiccup where one of the user's lightning-fast clicks comes too soon for the script to relay them, but I don't see that in the logs.

Of the non-endo requests, most are commands to move regions. Curiously, I saw multiple different IP addresses issuing identical move requests at the exact same moment. Here are five different IP addresses all issuing commands to move regions (probably into "The Mystical Council") at the same time:
aaa.aaa.aaa.aaa - - [15/Feb/2022:09:03:06 -0800] "POST /page=change_region/script=reliant_1.3/userclick=1644944584725 HTTP/1.1"
bbb.bbb.bbb.bbb - - [15/Feb/2022:09:03:07 -0800] "POST /page=change_region/script=reliant_1.3/userclick=1644944586686 HTTP/1.1"
ccc.ccc.ccc.ccc - - [15/Feb/2022:09:03:07 -0800] "POST /page=change_region/script=reliant_1.3/userclick=1644944585793 HTTP/1.1"
ddd.ddd.ddd.ddd - - [15/Feb/2022:09:03:07 -0800] "POST /page=change_region/script=reliant_1.1/userclick=1644944587468 HTTP/1.1"
eee.eee.eee.eee - - [15/Feb/2022:09:03:07 -0800] "POST /page=change_region/script=reliant_1.3/userclick=1644944587942 HTTP/1.1"

So either this is a co-ordinated effort by humans each using a copy of the script, or there is a master script controlling each script instance.


Mods then began to drill down into details, and came back with more questions. My response:

Incidentally, this is exactly why HTML bots are just the worst. It takes so much mod/admin time to figure out what's going on, and in the end, we're 95% sure it's flat-out illegal, but there's a slight possibility that there's a user with godlike reaction times using a special keybinding and they didn't write the script themselves.

<Question as to whether the script violated the simultaneity rule.>

This is 99% likely to be true, but to be sure, we'd need to see the source code.

<Question as to whether the script violated the rules by not setting a UserAgent.>

100% true, but yes, very mild, because the script did identify itself [in the URL], it just didn't provide contact info.

<Question as to whether the script was automated.>

The likelihood at present is that this is a 3B violation (accidentally - or perhaps "carelessly" illegal in this case), but what Elu has discussed in the second part of this post leaves open there's a potential this is deliberately designed to be illegal (3C violation). It seems unlikely the script authors (and users) would be unaware that this script can make simultaneous requests. Additionally, if point 3 above is correct then this is definitely a 3C violation.

I'd say it's 90+% likely the tool is transmitting actions on its own, but it's impossible to know if it's deliberate without seeing its code. It may be ignoring the simultaneity rule and users are abusing this by combining it with a keybinding tool, so they just hold down a key and the script reads that as lots of inputs in a row.

And yes, I have trouble believing anyone could endorse 6 nations per second and not realize they might be using an illegal tool. They're operating more than an order of magnitude faster than is normally possible.


This was essentially the end of my involvement. I avoid delving into third-party scripts to figure out who used what and where it might have gone wrong, since I see my role as identifying illegal script behavior, not performing triages on other people's code. It doesn't matter to me how the illegal behavior might have come about, just that it happened. It's not even correct to ask "Is this an illegal script," because the real question is whether a script was being used while illegal behavior occurred. This is my position because it's impossible, in many cases, to diagnose exactly how a series of requests might have come about, given changing network conditions, user browser environments, and more. So my normal operating procedure is to block or ban highly suspicious scripts directly myself, without involving mods.

I haven't really followed this incident since then, but I know there's some talk that admins just haven't had the time to investigate this case properly, which I don't think is really accurate. Just speaking for myself, I haven't investigated it further because I don't think that's possible. The reality is that the HTML Script Rules are hopelessly compromised, as they define illegal behavior in terms of something we can't see: the interaction between a script and a human user. As long as that's the case -- and increasingly so, as tools become more complex and interwoven -- NS admins can only assess logged behavior in terms of its likely legality. It's not practical to expect an admin to go beyond that, which would require rounding up the relevant third-party source code (which, if it's actually illegal, would never be shared), mocking the user's environment and network conditions, and reproducing the sequence of events that occurred -- and then, I guess, somehow proving it was intentional, too.

The HTML Script Rules exist because we haven't had the heart to force all script authors onto the API yet, even though this plainly needs to happen, and would save a lot of heartache for everyone. There are many third-party tools out there providing quality of life enhancements for users that probably wouldn't get ported, and we don't want to break them. Nevertheless, in my opinion it has to happen, and I would like to do this:

1. Enter a transition period where the rules are the same but HTML scripts are no longer supported. That's the same situation as now, but I can become more aggressive about blocking suspicious behavior. So if you're a script author or user, you can continue as normal without having to worry about punishment, but it becomes likely over time that it may stop working. During this period, I would probably write some new API endpoints to help script authors migrate their bot, if there's something they need that isn't there already.

2. Change the rules to ban scripts on the HTML site. We would ramp up slowly to this point, so that by the time we get here, there wouldn't be any major functional HTML bots left anyway. But there would now be an actual rule against using scripts, and for serious transgressions -- persistent, aware, creating significant in-game advantage -- I would throw to mods.

This would allow me to ban all bot activity on the HTML site without worrying about breaking someone's legal script. There would still be HTML bots that pop up now and again and try to do illegal things, but they would be infinitely easier to deal with, because I'd only need to identify them as bots -- as opposed to now, when I also need to figure out whether they're fully automated or just relaying instructions from a user who can click with machine-like precision.
Last edited by [violet] on Mon Jun 13, 2022 8:00 pm, edited 1 time in total.
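
The log checks described in the post above (per-client request spacing compared with the 0.23s response time, and identical actions from several addresses in the same moment), sketched as an added example that is not part of the original post and is not NationStates code. The function names, the `example_0.1` script name, the `fff`/`ggg` clients and their timings are constructed; the five `change_region` lines and the 0.23s threshold are taken from the post.

```python
import re
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta, timezone

Request = namedtuple("Request", "ip server_time action script click_ms")

# Log shape quoted in the post: the script name and the client-supplied
# userclick value (milliseconds since the epoch) are path segments of the URL.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "POST (?P<action>/\S*?)'
    r'/script=(?P<script>[^/\s]+)/userclick=(?P<click>\d+) HTTP/[\d.]+"'
)

def parse(lines):
    """Return a Request for each line carrying script= and userclick=."""
    out = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            out.append(Request(m["ip"], ts, m["action"], m["script"], int(m["click"])))
    return out

def click_timing(requests, min_response=0.23):
    """Per-IP gaps between consecutive userclick values, in seconds.
    min_response is the endorse.cgi response time stated in the post; a gap
    below it means the next request left before a reply could have arrived."""
    by_ip = defaultdict(list)
    for r in requests:
        by_ip[r.ip].append(r.click_ms)
    report = {}
    for ip, clicks in by_ip.items():
        clicks.sort()
        gaps = [(b - a) / 1000 for a, b in zip(clicks, clicks[1:])]
        if gaps:
            report[ip] = {
                "requests": len(clicks),
                "fastest_gap": min(gaps),
                "gap_spread": round(max(gaps) - min(gaps), 3),
                "below_response_time": sum(g < min_response for g in gaps),
            }
    return report

def coordinated_actions(requests, window=1.0, min_ips=3):
    """Cluster identical actions whose server timestamps chain within `window`
    seconds, and keep clusters that involve at least min_ips distinct IPs."""
    by_action = defaultdict(list)
    for r in requests:
        by_action[r.action].append(r)
    found = []
    for action, reqs in by_action.items():
        reqs.sort(key=lambda r: r.server_time)
        clusters, current = [], [reqs[0]]
        for r in reqs[1:]:
            if (r.server_time - current[-1].server_time).total_seconds() <= window:
                current.append(r)
            else:
                clusters.append(current)
                current = [r]
        clusters.append(current)
        for c in clusters:
            ips = sorted({r.ip for r in c})
            if len(ips) >= min_ips:
                found.append((action, ips))
    return found

# The five change_region lines exactly as quoted in the post.
PAGE_MOVES = [
    'aaa.aaa.aaa.aaa - - [15/Feb/2022:09:03:06 -0800] "POST /page=change_region/script=reliant_1.3/userclick=1644944584725 HTTP/1.1"',
    'bbb.bbb.bbb.bbb - - [15/Feb/2022:09:03:07 -0800] "POST /page=change_region/script=reliant_1.3/userclick=1644944586686 HTTP/1.1"',
    'ccc.ccc.ccc.ccc - - [15/Feb/2022:09:03:07 -0800] "POST /page=change_region/script=reliant_1.3/userclick=1644944585793 HTTP/1.1"',
    'ddd.ddd.ddd.ddd - - [15/Feb/2022:09:03:07 -0800] "POST /page=change_region/script=reliant_1.1/userclick=1644944587468 HTTP/1.1"',
    'eee.eee.eee.eee - - [15/Feb/2022:09:03:07 -0800] "POST /page=change_region/script=reliant_1.3/userclick=1644944587942 HTTP/1.1"',
]

def constructed_lines(ip, offsets_ms, base_ms=1644886080000):
    """Constructed endorse.cgi lines; the server stamp is the click time
    truncated to seconds (zero latency), a simplification of real traffic."""
    pst = timezone(timedelta(hours=-8))
    lines = []
    for off in offsets_ms:
        click = base_ms + off
        stamp = datetime.fromtimestamp(click / 1000, pst).strftime("%d/%b/%Y:%H:%M:%S %z")
        lines.append(f'{ip} - - [{stamp}] "POST /cgi-bin/endorse.cgi'
                     f'/script=example_0.1/userclick={click} HTTP/1.1"')
    return lines

# Constructed clients: fff clicks every 150 ms, ggg at irregular intervals.
SAMPLE = (PAGE_MOVES
          + constructed_lines("fff.fff.fff.fff", range(0, 1200, 150))
          + constructed_lines("ggg.ggg.ggg.ggg", [0, 410, 1290, 1720, 2950]))

if __name__ == "__main__":
    reqs = parse(SAMPLE)
    print(click_timing(reqs))
    print(coordinated_actions(reqs))
```

Because `userclick` is set by the client and the server stamp has one-second resolution, both results are leads for review rather than proof of automation.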

The Chariot
Bureaucrat
 
Posts: 61
Founded: Jan 16, 2019
Ex-Nation

Postby The Chariot » Mon Jun 13, 2022 10:31 pm

Let me preface this by saying I am in no way related to Reliant aside from friendship with its author, and that generally I stand on the opposite side of the R/D spectrum from him.
[violet] wrote: #1 is hard to police because we don't really know exactly how fast-clicking a human can be. But several instances look implausible to me, as the requests aren't only fast but are also very evenly spaced -- for example, there's one sequence where a user sends 200 requests in a row that are each spaced apart by 0.3 to 0.5 seconds -- no more, no less. Some variation would be expected from network & system latency, so it seems pretty wild that a human could nail that many requests so uniformly. Another user sends long sequences of 20-ish requests spaced 0.15s apart, i.e. sustained bursts of clicking more than 6 times per second, which is verging on super-human.
Each and every assertion in this paragraph shows a severe disconnect from reality. Evenly spaced requests happening as fast as NationStates can respond are a characteristic of scripts abiding by the rules nowadays. The open-source Swarm being a dramatic example of this; I'm sure there are users who have sent thousands of requests in this exact fashion with this very legal script. Humans can, as it turns out, click over 7 times per second completely casually for over 100 sustained seconds, as demonstrated by me and sweeze.
Image Image

And that's considered slow by that website's standards. I can achieve 15+ clicks per second in 3-5 second bursts, and doubtless most other people without crippling arthritis can at least manage 10 or so clicks per second. This point is not only out of touch with NS, but with being an average digital citizen.

[violet] wrote:#2 also seems unlikely because the server doesn't respond that fast. It takes about 0.23s to get a response from endorse.cgi even if you don't successfully execute an endorsement, so I don't think long sequences of 0.15s are possible. I would expect at least the occasional hiccup where one of the user's lightning-fast clicks comes too soon for the script to relay them, but I don't see that in the logs.

Image
Provided kindly by sweeze and her publicly accessible and open source cross helper that was posted earlier in this thread and has literally 120 lines of code.

[violet] wrote:Of the non-endo requests, most are commands to move regions. Curiously, I saw multiple different IP addresses issuing identical move requests at the exact same moment. Here are five different IP addresses all issuing commands to move regions (probably into "The Mystical Council") at the same time:
aaa.aaa.aaa.aaa - - [15/Feb/2022:09:03:06 -0800] "POST /page=change_region/script=reliant_1.3/userclick=1644944584725 HTTP/1.1"
bbb.bbb.bbb.bbb - - [15/Feb/2022:09:03:07 -0800] "POST /page=change_region/script=reliant_1.3/userclick=1644944586686 HTTP/1.1"
ccc.ccc.ccc.ccc - - [15/Feb/2022:09:03:07 -0800] "POST /page=change_region/script=reliant_1.3/userclick=1644944585793 HTTP/1.1"
ddd.ddd.ddd.ddd - - [15/Feb/2022:09:03:07 -0800] "POST /page=change_region/script=reliant_1.1/userclick=1644944587468 HTTP/1.1"
eee.eee.eee.eee - - [15/Feb/2022:09:03:07 -0800] "POST /page=change_region/script=reliant_1.3/userclick=1644944587942 HTTP/1.1"

This bit is particularly notable since it reveals that the logs admin has access to are not precise enough to determine modern simultaneity violations. Raiding and defending has moved past into the millisecond — wins and losses are determined between the margins between seconds. Here me and sweeze demonstrate this using Koru, a script that has been previously properly investigated by Eluvatar to no results.
Image Image
This is a regular occurrence; me and sweeze almost always jump on the same second, and many defenders often make it in on that exact second as well. This, in turn, completely discredits any possibility of ruling on simultaneity based on logs at this low level of precision. Previous posts indicate at least centisecond precision is possible; post logs like that and GP may be more convinced.

[violet] wrote:So either this is a co-ordinated effort by humans each using a copy of the script, or there is a master script controlling each script instance.

This is so painfully, hilariously ignorant I am having a difficult time determining whether this is satire or serious. It’s almost as if modern R/D revolves around coordinated humans using the same script.

[violet] wrote:Incidentally, this is exactly why HTML bots are just the worst. It takes so much mod/admin time to figure out what's going on, and in the end, we're 95% sure it's flat-out illegal, but there's a slight possibility that there's a user with godlike reaction times using a special keybinding and they didn't write the script themselves.

And this “95%” confidence comes from… where, exactly? When it seems nobody in the mod or tech team has any semblance of awareness of the standards modern R/D operates at, and when the accused happily provide the source code of their scripts, their github repos, and offer possible causes, even a 5% confidence level of illegality would be utterly unfounded. While you might excuse this by saying it’s a blanket statement, and not specifically about Reliant, the latter half of it is very much Reliant-specific.

[violet] wrote:<Question as to whether the script violated the simultaneity rule.>

This is 99% likely to be true, but to be sure, we'd need to see the source code.

Which… you could have.

[violet] wrote:<Question as to whether the script was automated.>

The likelihood at present is that this is a 3B violation (accidentally - or perhaps "carelessly" illegal in this case), but what Elu has discussed in the second part of this post leaves open there's a potential this is deliberately designed to be illegal (3C violation). It seems unlikely the script authors (and users) would be unaware that this script can make simultaneous requests. Additionally, if point 3 above is correct then this is definitely a 3C violation.

This assertion is completely at odds with the initial mod ruling, which claimed:
Sedgistan wrote:Three months ago we declared the script "Reliant" to be illegal. Since then we have established:

- We do not believe it is likely that the script was written with the intention of operating illegally.
- The players who have developed and used Reliant have, to the best of our knowledge, cooperated in good faith with us since our announcement.
- We do not believe it is likely that all usage of Reliant was illegal, and it is probable that it was only in some cases that it violated the rules.

This further is obfuscated by the fact that most Reliant users were not banned in the initial cursory mod ruling, which only doled out WA bans to, coincidentally, some of the fastest chasers with the very best connections to the NS servers. If Reliant was designed to violate simultaneity, why does it only allow those with fast connections to violate it?

[violet] wrote:I'd say it's 90+% likely the tool is transmitting actions on its own, but it's impossible to know if it's deliberate without seeing its code. It may be ignoring the simultaneity rule and users are abusing this by combining it with a keybinding tool, so they just hold down a key and the script reads that as lots of inputs in a row.

Crazy how the code was provided to you, eh?

[violet] wrote:And yes, I have trouble believing anyone endorse 6 nations per second and not realize they might be using an illegal tool. They're operating more than an order of magnitude faster than is normally possible.

Depending on the date of this original post, it was either written while completely out of touch with modern day standards or so completely out of touch you did not read this very thread.

[violet] wrote:This was essentially the end of my involvement. I avoid delving into third-party scripts to figure out who used what and where it might have gone wrong, since I see my role as identifying illegal script behavior, not performing triages on other people's code. It doesn't matter to me how the illegal behavior might have come about, just that it happened. It's not even correct to ask "Is this an illegal script," because the real question is whether a script was being used while illegal behavior occurred. This is my position because it's impossible, in many cases, to diagnose exactly how a series of requests might have come about, given changing network conditions, user browser environments, and more. So my normal operating procedure is to block or ban highly suspicious scripts directly myself, without involving mods.

The rest, for the most part, I won’t comment on. Haku is completely out of the loop in terms of how his script could be definitively ruled as illegal. Neither does Roavin. Both are extremely trusted, well-respected members of the community who have gone to great lengths to ensure they follow scripting rules, even in one-off instances such as N-Day. And, clearly, most people trust their integrity more than they trust the admins’ competence. While it isn’t my place to comment on how you should conduct your job, we, as players, at least deserve to know why we are being punished.
Last edited by The Chariot on Mon Jun 13, 2022 10:32 pm, edited 2 times in total.
@waste#9808
Supreme Command of Lily| Steven of 3 Guys
"I wish when I quit i had stayed gone, Steve makes me regret ever coming back." - Salem
"he shit postsbut hes the best at what he does... and thats raiding and shitposting at the same time while ignoring opsec" - Matthew
"[Steven] is the only upstanding person in this organization" - Liliarchy
“@waste waste” - Haku

Join the Horsemen of the Apocalypse

Wallenburg
Postmaster of the Fleet
 
Posts: 22873
Founded: Jan 30, 2015
Democratic Socialists

Postby Wallenburg » Mon Jun 13, 2022 10:38 pm

So, [v]'s post reads, essentially, as an admission that site staff have done absolutely jack shit to genuinely investigate Reliant and just handed out bans to a couple recognizable names in order to appear to be doing something. This is a whole three-act circus.
While she had no regrets about throwing the lever to douse her husband's mistress in molten gold, Blanche did feel a pang of conscience for the innocent bystanders whose proximity had caused them to suffer gilt by association.

King of Snark, Real Piece of Work, Metabolizer of Oxygen, Old Man from The East Pacific, by the Malevolence of Her Infinite Terribleness Catherine Gratwick the Sole and True Claimant to the Bears Armed Vacancy, Protector of the Realm

[violet]
Executive Director
 
Posts: 16207
Founded: Antiquity

Postby [violet] » Mon Jun 13, 2022 10:49 pm

Wallenburg wrote:So, [v]'s post reads, essentially, as an admission that site staff have done absolutely jack shit to genuinely investigate Reliant and just handed out bans to a couple recognizable names in order to appear to be doing something. This is a whole three-act circus.

Please read it again. I personally haven't been involved since the beginning. Others have.

Roavin
Admin
 
Posts: 1778
Founded: Apr 07, 2016
Democratic Socialists

Postby Roavin » Mon Jun 13, 2022 10:54 pm

Hi [v], thank you so much for the explanation, this all makes much more sense to me now.

Three quick questions:
(1) endorse.cgi responds with a 302 to the endorsed nation; do you see that in the access logs and if so, do you see the superhuman user above following the 302 target?
(2) Can you reveal to the most goated user who they are, so I can dig a bit deeper with their particular access patterns?
(3) Have you considered adding %D to access logs so you can see at a glance if simultaneity is violated or not?
Helpful Resources: One Stop Rules Shop | API documentation | NS Coders Discord
About me: Longest serving Prime Minister in TSP | Former First Warden of TGW | aka Curious Observations

Feel free to TG me, but not about moderation matters.

Wallenburg
Postmaster of the Fleet
 
Posts: 22873
Founded: Jan 30, 2015
Democratic Socialists

Postby Wallenburg » Mon Jun 13, 2022 11:01 pm

[violet] wrote:
Wallenburg wrote:So, [v]'s post reads, essentially, as an admission that site staff have done absolutely jack shit to genuinely investigate Reliant and just handed out bans to a couple recognizable names in order to appear to be doing something. This is a whole three-act circus.

Please read it again. I personally haven't been involved since the beginning. Others have.

I would think that, as the seniormost member of site staff, you would not provide such a bad representation of this investigation and the knowledge that went into it if the individuals involved had produced better findings. We're rapidly concluding 4 whole months of this nonsense without an actual answer on what is illegal about Reliant.
Last edited by Wallenburg on Mon Jun 13, 2022 11:02 pm, edited 1 time in total.
While she had no regrets about throwing the lever to douse her husband's mistress in molten gold, Blanche did feel a pang of conscience for the innocent bystanders whose proximity had caused them to suffer gilt by association.

King of Snark, Real Piece of Work, Metabolizer of Oxygen, Old Man from The East Pacific, by the Malevolence of Her Infinite Terribleness Catherine Gratwick the Sole and True Claimant to the Bears Armed Vacancy, Protector of the Realm

[violet]
Executive Director
 
Posts: 16207
Founded: Antiquity

Postby [violet] » Mon Jun 13, 2022 11:07 pm

The Chariot wrote:Humans can, as it turns out, click over 7 times per second completely casually for over 100 sustained seconds, as demonstrated by me and sweeze.

Yes, this was the point I was making. It is extremely machine-like behavior, but because we can't definitively conclude that it was performed by a script rather than a human, under the current ruleset we can only deal with likelihoods.

The Chariot wrote:
[violet] wrote:So either this is a co-ordinated effort by humans each using a copy of the script, or there is a master script controlling each script instance.

This is so painfully, hilariously ignorant I am having a difficult time determining whether this is satire or serious. It’s almost as if modern R/D revolves around coordinated humans using the same script.

Which is why I mentioned it?

The Chariot wrote:And this “95%” confidence comes from… where, exactly? When it seems nobody in the mod or tech team has any semblance of awareness of the standards modern R/D operates at

I have a pretty good familiarity with what user and bot traffic looks like on NationStates, having done this for more than a decade.

The Chariot wrote:
[violet] wrote:<Question as to whether the script violated the simultaneity rule.>

This is 99% likely to be true, but to be sure, we'd need to see the source code.

Which… you could have.

I already covered why it's not practical for admin to hunt down the source code to third-party tools and identify the line that caused illegal behavior, but to restate: (1) authors of illegal code won't share true code with us, and we can't know whether we've been given true code or not; (2) you are describing a role that can only be performed by someone who is expert-level qualified in multiple computing fields, has lots of free time, and is willing to spend it debugging code that doesn't even belong to the site.

The Chariot wrote:Crazy how the code was provided to you, eh?

See above, and please also note that what you're quoting was written before this thread existed, and before any code was shared.

[violet]
Executive Director
 
Posts: 16207
Founded: Antiquity

Postby [violet] » Mon Jun 13, 2022 11:31 pm

Roavin wrote:Hi [v], thank you so much for the explanation, this all makes much more sense to me now.

Three quick questions:
(1) endorse.cgi responds with a 302 to the endorsed nation; do you see that in the access logs and if so, do you see the superhuman user above following the 302 target?

I did a quick sample of logs and the 302 was followed in all the cases I looked at.

Roavin wrote:(2) Can you reveal to the most goated user who they are, so I can dig a bit deeper with their particular access patterns?

I'm not sure what you mean by "most goated."

Roavin wrote:(3) Have you considered adding %D to access logs so you can see at a glance if simultaneity is violated or not?

I had not, but that looks helpful, thank you.

Incidentally the script spams (or spammed) requests like this at the rate of ~10 reqs/second -- I don't know what it's doing, but it looks to be requesting the exact same data over and over, which is behavior I usually interpret as a broken bot and block via CloudFlare.
xxx.xxx.xxx.xxx - - [06/Feb/2022:22:25:39 -0800] "GET /template-overall=none/page=reports/script=reliant_1.3/userclick=1644215140121 HTTP/1.1" 200 772 "https://www.nationstates.net/template-overall=none/page=blank/reliant=main" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.82 Safari/537.36"
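
The `%D` suggestion discussed above, worked through as an added example (not code from the thread, from Reliant, or from NationStates): it classifies each pair of requests from one client as provably overlapping, provably sequential, or undetermined, given that the logged start time is only known to within the timestamp resolution. Assumptions: `%D` (Apache-style, microseconds taken to serve the request) is appended as the last field of the combined format shown in the post, `%t` is the time the request was received truncated to whole seconds, "simultaneous" means overlapping server-side processing intervals, and the sample lines, paths and timings are constructed.

```python
import re
from datetime import datetime
from itertools import combinations

# Combined log format plus an assumed trailing %D field (microseconds to serve).
LINE_RE = re.compile(
    r'(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" '
    r'\d{3} \S+ "[^"]*" "[^"]*" (?P<usec>\d+)$'
)

# Constructed sample lines: documentation IPs, made-up paths and durations.
SAMPLE = """\
192.0.2.10 - - [06/Feb/2022:22:25:39 -0800] "POST /endorse.cgi HTTP/1.1" 302 0 "-" "UA" 48000
192.0.2.10 - - [06/Feb/2022:22:25:39 -0800] "POST /endorse.cgi HTTP/1.1" 302 0 "-" "UA" 52000
192.0.2.10 - - [06/Feb/2022:22:25:41 -0800] "POST /endorse.cgi HTTP/1.1" 302 0 "-" "UA" 51000
192.0.2.77 - - [06/Feb/2022:22:25:39 -0800] "GET /page=reports HTTP/1.1" 200 772 "-" "UA" 1400000
192.0.2.77 - - [06/Feb/2022:22:25:39 -0800] "GET /page=reports HTTP/1.1" 200 772 "-" "UA" 1250000
"""


def parse(text):
    """Return {client: [(logged_start_epoch, duration_seconds), ...]}."""
    by_client = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # line has no trailing %D field; nothing to reason about
        start = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").timestamp()
        by_client.setdefault(m["client"], []).append((start, int(m["usec"]) / 1e6))
    return by_client


def classify(a, b, resolution=1.0):
    """Compare two (logged_start, duration) requests.

    The true start lies in [logged_start, logged_start + resolution), so a
    verdict is returned only if it holds for every start consistent with the log.
    """
    (sa, da), (sb, db) = a, b
    # Certain overlap: each request outlasts the latest possible start of the other.
    if da >= sb - sa + resolution and db >= sa - sb + resolution:
        return "overlap"
    # Certain sequence: one request, even started as late as possible, has
    # finished before the earliest possible start of the other.
    if sa + resolution + da <= sb or sb + resolution + db <= sa:
        return "sequential"
    return "undetermined"


def verdicts(text, resolution=1.0):
    """Count pairwise verdicts per client."""
    out = {}
    for client, reqs in parse(text).items():
        counts = {"overlap": 0, "sequential": 0, "undetermined": 0}
        for a, b in combinations(reqs, 2):
            counts[classify(a, b, resolution)] += 1
        out[client] = counts
    return out


if __name__ == "__main__":
    for client, counts in verdicts(SAMPLE).items():
        print(client, counts)
    # The same pair of ~50 ms requests becomes decidable once start times
    # are known to the microsecond (offsets in seconds, constructed).
    print(classify((0.100, 0.048), (0.150, 0.052), resolution=1e-6))
    print(classify((0.100, 0.048), (0.120, 0.052), resolution=1e-6))
```

With whole-second timestamps, two fast requests logged in the same second come out as "undetermined" even with `%D`; only requests that each ran for at least a full second can be proven to overlap.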

Wallenburg
Postmaster of the Fleet
 
Posts: 22873
Founded: Jan 30, 2015
Democratic Socialists

Postby Wallenburg » Mon Jun 13, 2022 11:33 pm

[violet] wrote:(1) authors of illegal code won't share true code with us, and we can't know whether we've been given true code or not;

Blaming the ineptitude of this investigation on paranoid theories about the Reliant authors not sharing the real code with you is a strange mix of comedy and insult.
(2) you are describing a role that can only be performed by someone who is expert-level qualified in multiple computing fields, has lots of free time, and is willing to spend it debugging code that doesn't even belong to the site.

This is not true. Reading HTML scripts does not require an "expert in multiple computing fields".
While she had no regrets about throwing the lever to douse her husband's mistress in molten gold, Blanche did feel a pang of conscience for the innocent bystanders whose proximity had caused them to suffer gilt by association.

King of Snark, Real Piece of Work, Metabolizer of Oxygen, Old Man from The East Pacific, by the Malevolence of Her Infinite Terribleness Catherine Gratwick the Sole and True Claimant to the Bears Armed Vacancy, Protector of the Realm

Roavin
Admin
 
Posts: 1778
Founded: Apr 07, 2016
Democratic Socialists

Postby Roavin » Mon Jun 13, 2022 11:43 pm

[violet] wrote:
Roavin wrote:(2) Can you reveal to the most goated user who they are, so I can dig a bit deeper with their particular access patterns?

I'm not sure what you mean by "most goated."


Sorry, I hang out with too many zoomers. What I mean is the super human user endorsing 5-6 nations per second.

[violet] wrote:
Incidentally the script spams (or spammed) requests like this at the rate of ~10 reqs/second -- I don't know what it's doing, but it looks to be requesting the exact same data over and over, which is behavior I usually interpret as a broken bot and block via CloudFlare.
xxx.xxx.xxx.xxx - - [06/Feb/2022:22:25:39 -0800] "GET /template-overall=none/page=reports/script=reliant_1.3/userclick=1644215140121 HTTP/1.1" 200 772 "https://www.nationstates.net/template-overall=none/page=blank/reliant=main" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.82 Safari/537.36"


That's normal behavior; the difference here is that usually it's R/Ders just manually F5ing the normal reports page, and this is Reliant doing it through a keybind and parsing the result for presentation to the user.
Helpful Resources: One Stop Rules Shop | API documentation | NS Coders Discord
About me: Longest serving Prime Minister in TSP | Former First Warden of TGW | aka Curious Observations

Feel free to TG me, but not about moderation matters.

[violet]
Executive Director
 
Posts: 16207
Founded: Antiquity

Postby [violet] » Mon Jun 13, 2022 11:44 pm

Wallenburg wrote:Blaming the ineptitude of this investigation on paranoid theories about the Reliant authors not sharing the real code with you is a strange mix of comedy and insult.

Well I'm not sure what to tell you. We have in the past tried to get source code from a third party author and been given dummy code. Some people here probably remember, since it was public.

Wallenburg wrote:This is not true. Reading HTML scripts does not require an "expert in multiple computing fields".

I'm not sure what you think "HTML scripts" are, but I assure you, there's a reason I refuse to do this. It's not just reading code and looking for bugs; it requires reproducing a specific traffic pattern.

Sedgistan
Site Director
 
Posts: 35487
Founded: Oct 20, 2006
Anarchy

Postby Sedgistan » Mon Jun 13, 2022 11:44 pm

Wallenburg, this is a thread in which people have been begging for admin input from the start. When that finally comes, you responding with outright hostility and rudeness does not help anyone's case. Dial it back, or let someone more reasonable post on your behalf.

The Chariot
Bureaucrat
 
Posts: 61
Founded: Jan 16, 2019
Ex-Nation

Postby The Chariot » Tue Jun 14, 2022 12:01 am

[violet] wrote:Yes, this was the point I was making. It is extremely machine-like behavior, but because we can't definitively conclude that it was performed by a script rather than a human, under the current ruleset we can only deal with likelihoods.

Why would this be considered machine-like at all? This type of speed and optimisation can be seen at essentially all of high-level gaming; Starcraft pros regularly crest 6 actions per second, a metric notably more difficult than clicking; Minecraft PVP players consider 6cps to be slow, with their more competent clickers ranging anywhere from 15-100+cps depending on the technique used; Valorant’s slow firing semiauto weapon, the guardian, fires just under 6 times per second. Even outside of gaming, it’s to be expected. I can almost certainly play more than 8 notes per second per hand as an amateur pianist playing scales, which take considerably more coordination and skill than just clicking. The record for the highest frequency of a single piano note (as recorded by Guinness, which probably means it’s dramatically lower than the real record) is nearly 14 times per second over a one minute period, also requiring significantly heavier note presses than a mouse or keyboard might take. One might argue that NS players don’t deserve to be compared to pros in other games, but considering some of these chasers have almost definitely spent over ten thousand hours purely chasing in this game, I’d say they do. You can’t be sure any of this NS stuff wasn’t performed by a bot, sure, but I’m 100% confident any competent warden could sustain over 6cps for at least 30 seconds and certainly burst more, meaning machine input would be a competitive disadvantage if it were set to go off 6 times a second.

[violet] wrote:I have a pretty good familiarity with what user and bot traffic looks like on NationStates, having done this for more than a decade.

So… you just feel like it looks like bot traffic? Okay, sure. Great explanation.

[violet] wrote:I already covered why it's not practical for admin to hunt down the source code to third-party tools and identify the line that caused illegal behavior, but to restate: (1) authors of illegal code won't share true code with us, and we can't know whether we've been given true code or not; (2) you are describing a role that can only be performed by someone who is expert-level qualified in multiple computing fields, has lots of free time, and is willing to spend it debugging code that doesn't even belong to the site.

This… drastically overestimates the complexity of NS scripting code. It has been common practice since Predator to annotate every script we R/Ders use to explicitly explain how each step follows the site rules. It is simple to the point where relative laymen (like me) and literal children (like sweeze) can easily read, comprehend, and manipulate the code of the most advanced scripts on the raider side of things (Koru and Buzzy Bee). It does not take a professional-level coder to determine whether a script follows scripting rules or not. It takes one amicable defender with Wireshark. It takes 3 or 4 people in the Black Hawks’ code review council. The first point is, to an extent, fair, but Reliant’s source code was shared with admin multiple times independently, its GitHub repository was sent (and, might I add, not even viewed by the admins), and Reliant hasn’t even provided some incredible advantage. Many chasers had been able to perform at that high of a level even before its release, and to put in so much effort to make an illegal script that doesn’t even afford an advantage a very competent manual chaser can’t train to is just… silly. It’s already been demonstrated in this thread that Roavin maintains a literal disadvantage by crossing with Reliant, since its endo function doesn’t allow for the simultaneity-breaking that manually crossing allows you to do.
Last edited by The Chariot on Tue Jun 14, 2022 12:03 am, edited 1 time in total.
@waste#9808
Supreme Command of Lily| Steven of 3 Guys
"I wish when I quit i had stayed gone, Steve makes me regret ever coming back." - Salem
"he shit postsbut hes the best at what he does... and thats raiding and shitposting at the same time while ignoring opsec" - Matthew
"[Steven] is the only upstanding person in this organization" - Liliarchy
“@waste waste” - Haku

Join the Horsemen of the Apocalypse

Vincent Drake
Chargé d'Affaires
 
Posts: 352
Founded: Dec 08, 2016
Inoffensive Centrist Democracy

Postby Vincent Drake » Tue Jun 14, 2022 12:01 am

[violet] wrote:
I'd say it's 90+% likely the tool is transmitting actions on its own, but it's impossible to know if it's deliberate without seeing its code. It may be ignoring the simultaneity rule and users are abusing this by combining it with a keybinding tool, so they just hold down a key and the script reads that as lots of inputs in a row.


This is not even how keybinding works on NS / is not physically possible because NS users are very aware that keydown() is illegal and we don't use that method. Breeze++ and every derivative of it use keyup(), which only fires once, when the user raises the key. Holding down a key will do nothing at all! Instead of making wild assumptions about how users are doing illegal things, you should read code and stick to facts.

I haven't really followed this incident since then, but I know there's some talk that admins just haven't had the time to investigate this case properly, which I don't think is really accurate.


We gave Elu access to the Git repo for Reliant. It tells you when someone logs in. He never did. You would think that at least looking at the master source code would be important for such an investigation?

The reality is that the HTML Script Rules are hopelessly compromised, as they define illegal behavior in terms of something we can't see: the interaction between a script and a human user.


The HTML script rules are fine and we've been complying with them faithfully for years. What's hopelessly compromised is admin and mod willingness to conduct proper investigations and act on facts rather than knee-jerk conjecture. I was an admin of a game with 1.1 million players in 2007. When I couldn't give that game the attention it deserved, you know what I was told? Resign, so a more active admin could replace me. And so I did that rather than be inactive. If NS staff can't give this game the full attention it deserves, that is a path that should be considered.

2. Change the rules to ban scripts on the HTML site. We would ramp up slowly to this point, so that by the time we get here, there wouldn't be any major functional HTML bots left anyway. But there would now be an actual rule against using scripts, and for serious transgressions -- persistent, aware, creating significant in-game advantage -- I would throw to mods.


You are very well aware that means the end of the defending faction in the R/D metagame, or at least, the end of chasing, the most fun part about defending. Have you ever tried defending manually against the speeds raiders are capable of these days? And the way the NS UI is structured, they don't even need scripts to achieve the fastest speeds possible. I implore you to re-familiarize yourself with your own game and how it's changed in 2022 and see for yourself just how difficult it is to defend without using a script that interacts with the HTML site.

It's also worth noting that such scripts aren't just for speed necessities - things like Breeze are for quality of life, too. As mentioned in the past, I am a video editor with painful carpal tunnel and spend 10+ hours a night in front of a computer. Thus, I limit mouse usage whenever possible in favor of keybinds that let me do stuff while keeping my wrists elevated and off surfaces. But, a thing like Breeze can't be ported to the API. Ideally, NS itself would let us set keybinds. However, we interact with the site in ways you didn't even comprehend last time it was a discussion, like real humans interacting with the AJAX2 feed simply cause it actually loads fast, and thus native keybinds wouldn't cover our needs.

There's also another obvious problem with banning HTML scripts that use keybinds - you can bind keys to gaming mice, floor pedals, even steering wheels. Would that now be illegal, too? How would you even detect that?
Commander in The Order of the Grey Wardens
Founder of European Union

Need to talk? Vincent Drake#3952
