Developers are not equipped to deal with exploiters

Once again you are off-topic. You are only focusing on the wrong posts, which are, in a way, off-topic as well.

Statistics, testimonials, a list of features that would help the developers. We’re also voicing our concerns, because having people talk about the issues in a civilized way always helps more than not talking about it because “they know”.
I mean, everything you’re asking is answered in the original post, to be fully honest with you.

If you really want to talk about beginners’ mistakes relating to security, then as the OP said, please make your own thread in the Community Tutorials section. Link it here if you absolutely want to, but by all means, don’t hijack the thread please (as 90% of us are already knowledgeable about what you are talking about). [to add onto that, it’s a great point OP also mentioned: this shouldn’t belong in a community forum, it should belong on an official reference page made by Roblox]

12 Likes

You mention giving Roblox some ammo, let me tell you what it’s doing, as it’s quite simple.

It’s showing Roblox we are sick and tired of the lack of focus on security, the lack of competency in remediation, the lack of communication between us and them in terms of what they’re doing behind the scenes, the lack of support for devs, the lack of direct contact with Roblox security engineers and the sheer frustration exploiters are causing to our dreams and aspirations, to our lives and the lives of our players.

Before anyone says it, I’m not being dramatic here, some developers go through burnout and consider quitting development because of exploiters.

Also, let me turn your attention to a famous quote that sums up our “ammo’s” purpose:

Rebellions are built on hope

  • Rogue One, A Star Wars Story

8 Likes

Nobody expects this “magic fix all tool”. The ask is quite literally for any tool(s) to help with (not solve) these issues. As you seem to understand:

There is no prerequisite for this “bring your own solution” take to making feature requests. If you go make a feature request the post template pretty clearly states that. The ask is literally for you to share your experience/issue and why Roblox addressing it would help. The implication is pretty clear that Roblox wants to internalize those experiences so they can create appropriate solutions, they don’t want developers doing it.

I don’t know how many times this has to be said. This post isn’t about the shortcomings of design decisions people make, the tech they’ve used or failed to use, or even about being an open forum to critique it. You are more than welcome to make your own post explaining these concepts rather than being condescending in replies in a thread targeted towards support systems and moderation.

Please check the cynicism and ego at the door. If you want Roblox to “focus on the internal detections and not on giving developers more tools”, due to what you said earlier, then make a separate thread about it and increase visibility on issues you clearly care about. Take part in the process, don’t nest awareness in the form of tone-deaf, off-topic replies.

And yea I agree, they’re aware of it. I said so in the in closing section of the OP. Awareness doesn’t necessarily correlate or imply a sense of urgency. If people don’t talk about issues then those issues cannot be properly weighed against others when it comes to prioritizing solutions. It’s the job of Roblox to understand the importance of these issues to developers, and it’s our job as developers to make sure our problems are represented properly.

Making the original post is about representing issues. (At the time of writing) 436 likes, posts from big and small developers, and not insignificant social media interaction around this thread, is adding to that sense of urgency. I think there is a pretty clear demonstration of a desire for change. Referring to this/people’s interaction with this thread as:

is ignorantly nefarious.

This is a multifaceted issue, and this thread, as outlined multiple times now, only covers a few topics pertaining to it. I don’t understand your incessant need to ignore that fact and to continuously try and change the discourse of this thread. You can make your own to express these sentiments better without it coming across so abrasively. Nobody benefits from this behavior.

20 Likes

I’ll also add on top of that that the Wild West is a horrible example to give as “great anti cheat” cus it was an accelerator project with connections to people who could provide snippets of the internal logic and code behind their anti cheat. So far what they seem to imply is that you don’t deserve to have Roblox enforce their ToS and help you secure your game unless you’re directly working with the company.

5 Likes

Even though you should be the one limiting exploits that can have effects on normal players, I do agree that an official ban method wouldn’t hurt.

It’s not as hard as one might think to code a ban system, but that’s also a bonus reason to encourage Roblox itself to take action.

With that said, no one should expect exploiting to go anywhere, client sided cheats will keep on existing.

Server sided exploits will remain predominant in games where developers aren’t being careful about security, that’s all about planning before you start a project.

Also please stop using automatic ban systems if you aren’t 100% sure it targets malicious users only (one example being a RemoteEvent with the sole purpose of luring exploiters), and I’m typing this last paragraph in an imperative manner because that’s simply what’s best for you.

5 Likes

It is impossible, as a developer, to create a ban system on Roblox that doesn’t allow someone to simply create a new account.

3 Likes

How would you go about limiting alt activity apart from kicking young accounts? What are your ideas?

As said countless times in this thread, HWID/IP bans will put an extremely valuable speed bump in front of a lot of people. They are not bulletproof, but most people who exploit do not know how to get around them.

3 Likes

If we are going about the stereotypical script kiddie, a method to bypass such bans would spread the same way exploits spread.

Hashed IPs would be a safe way to give developers access to IP bans.

1 Like

It only takes something as superficial as TorBrowser with a connection to bypass that.

Although, software like Discord is pretty good at cracking down on the usage of Tor to bypass IP bans, so that’s something we can take into account.

Script kiddies do not know this. Also, remember we need to prevent as many exploiters as possible? So at least IP bans will confuse skiddies.

Yeah, but that doesn’t stop at one precise thing and works with the “throw methods at it until it suffocates”.

As much as I don’t want to say it, I feel like you are discrediting exploiters here.

I don’t know why you’re trying to nitpick on everything I said.
I simply got the idea that some replies are asking for the impossible so I cleared it up in my post. If it didn’t apply to you then it’s fine. You don’t need to come in and say that nobody thought in xxx way. It was just meant to clarify stuff in case anybody did (which was my impression).

I’m simply trying to help with the following:

  • making people whose flaws can already be fixed aware of it
  • comparing some people’s expectations with reality
  • coming up with straightforward suggestions for Roblox instead of “do anything”, as they’re usually more effective and are better at conveying specific demands

and yet you proceed to attack my points, say that I’m cynical, and that I try to change the direction of the thread? Excuse me?
All concerns that I raised were with the intention to help. I could’ve just said that “exploiters cause harm, this needs to be fixed” etc, but instead I wanted to show what can actually be done about this.

3 Likes

It’s all temporary fixes. That would just be a mild inconvenience, and the accounts of the exploiters affected by it are still untouched. Roblox completely disavows exploiters, yet the more severe bans I’ve seen from ban-waves are a week long. Out of the millions of exploiters, only very few will actually be punished, and even fewer may get a termination. I will admit it’s not true to say they haven’t done anything since FE, but it’s entirely true to say they haven’t done anything impactful against exploiters since FE. It’s like catching a criminal in the middle of a crime, but instead of arresting him, you just take away the magazine from his gun, and then he just pulls out another one from his pocket.

7 Likes

I believe that I have encountered more cheaters on the Roblox platform than any other game or platform by comparison. Remarkably, I’m convinced that simple additions such as controllable permission levels for the clients and HWID logging would help the exploiting situation considerably. Unfortunately, larger games outside of the Roblox platform that have decisively good anti-cheat systems still experience the occasional cheater, so it just proves that completely shutting cheaters out is an implausible task. With that said, it feels like Roblox could seriously afford to do more and actually make an effort to combat this problem.

4 Likes

Or… Roblox could have an API for that which does not expose the client’s IP address in any shape or form…? Something like Player:Ban(reason, duration, hwidBan, ipBan).
I am shocked by the fact that almost nobody seems to think about it and dismiss the idea of IP bans because “the developer would see the IP address and it’s bad urh durh”, when it’s not even mandatory.

I also agree with Kampfkarren in that HWID/IP bans are a non-negligible speed bump, and the fact that a fraction of the exploiters know how to bypass it is by no means an excuse to not implement that.
Otherwise, why even ban people in the first place?

8 Likes

Hashes are irreversible. But okay.

Hashes can be decrypted.

I would recommend you see this video as it gives a good explanation:

I know what hashes are, but thanks for the sentiment. However, you’re always gonna find people who are going to disagree with that, regardless of the truthfulness of that fact. (and that’s ignoring rainbow tables or any method that could reverse it)
Besides, my secondary point (which I haven’t stated explicitly, I agree) is: why even bother exposing the hash, or any type of identifier to the experience developer if it can be made simpler via an API method?

1 Like
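
The hashed-IP question debated in the posts above, as an added example that is not part of any post and is not Roblox code: it matches an unkeyed SHA-256 of an IPv4 address by enumerating candidate addresses, then shows a keyed, per-experience token kept behind a platform-side ban service that does not yield to the same enumeration. `plain_hash`, `ban_token`, `recover_ip` and `PlatformBanService` are hypothetical names; the address (documentation range 203.0.113.0/24), the key and the experience IDs are constructed.

```python
import hashlib
import hmac
import ipaddress


def plain_hash(ip: str) -> str:
    """Unkeyed SHA-256 of the address text: what 'hashed IP' usually means."""
    return hashlib.sha256(ip.encode()).hexdigest()


def ban_token(platform_key: bytes, experience_id: int, ip: str) -> str:
    """Keyed token; the key never leaves the platform (hypothetical design)."""
    msg = f"{experience_id}|{ip}".encode()
    return hmac.new(platform_key, msg, hashlib.sha256).hexdigest()


def recover_ip(digest: str, network: str, hash_fn):
    """Try every address in `network`; IPv4 has only 2**32 candidates in total."""
    for addr in ipaddress.ip_network(network):
        if hmac.compare_digest(hash_fn(str(addr)), digest):
            return str(addr)
    return None


class PlatformBanService:
    """Hypothetical platform-side store: developers ban by player, see no identifier."""

    def __init__(self, platform_key: bytes):
        self._key = platform_key
        self._tokens = set()

    def ban(self, experience_id: int, ip: str) -> None:
        self._tokens.add(ban_token(self._key, experience_id, ip))

    def is_banned(self, experience_id: int, ip: str) -> bool:
        return ban_token(self._key, experience_id, ip) in self._tokens


if __name__ == "__main__":
    ip = "203.0.113.77"                      # constructed, documentation range
    key = bytes(range(32))                   # constructed stand-in for a secret key
    print(recover_ip(plain_hash(ip), "203.0.113.0/24", plain_hash))
    print(recover_ip(ban_token(key, 1001, ip), "203.0.113.0/24", plain_hash))
    svc = PlatformBanService(key)
    svc.ban(1001, ip)
    print(svc.is_banned(1001, ip), svc.is_banned(2002, ip))
```

Because the experience ID is mixed into the token, the same address produces unrelated tokens in different experiences, so a leaked token list cannot be used to correlate players across games.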