It’s been forever and people are still exploiting, why won’t the admins allow us developers to ban based on IP or MAC addresses?
Just giving the plain IP/MAC Addresses to game devs wouldn’t really be allowed, I get that.
However, it would be extremely simple to hash or encrypt the IP/MAC Address, give that hashed version to the game devs, so they can blacklist it in the case of a exploiter, or it could even be applied to using data-stores with Guest accounts, etc.
It can be done without the slightest breach of privacy and I haven’t really seen any examples of how it could cause more bad than good.
2 Likes
Congrats, you just banned an exploiter’s little sister.
I dunno if I’d be perma IP banning people, but this would still be very useful 
The first thing I’d use it for is saving guest data so they don’t need to redo stuff :DDD (although it would be nice to have an even more direct way to link a guest to a new player)
Are there privacy problems with this? being able to link people in the same household together?
1 Like
“Congrats, you just banned an exploiter’s little sister.”
Congrats, you just used the single most common excuse not to ban hackers.
Is one player’s happiness valued over many people’s happiness? I’m all for banning anyone on the associated identity, especially including the message “this computer/network has been banned from this game for hacking.” It puts pressure on the hacker by the siblings, which encourages them to stop.
3 Likes
You forgot dynamic IPs, and that changing a MAC address is trivial. You also forgot that the hash is still unique to the user’s machine, so it can be used to track users.
Those points, while affecting the ability of the intended use to perform, are not reasons why it should not be implemented.
Sorry, but I think this is a really bad idea, it will still give you the possibility to link people together based on the fact that the hashed values are equal, and like Anaminus said the addresses are really inconsistent to be used for this purpose. Besides, don’t you think IP banning is a bit harsh of a measure, even for exploiting?
Absolutely not. People have had their accounts deleted for repetitive exploiting. The assumption is that if it’s bad enough for an IP ban, it’s a repeat offender.
My thoughts on the matter:
Don’t even give a hash. Don’t give ANYTHING. Just add a method in Player that requires some sort of authentication to confirm that it’s the place owner who’s doing the banning. That way, NO information is given.
A better solution to banning exploiters using an ineffective/unreliable/privacy threatening method is just to prevent them from exploiting in the first place, which can be done with FilteringEnabled and proper remote object handling! 
It’s honestly harder to keep up with banning all the exploiters in your game than to port the game over to FilteringEnabled, imo. I have an old project that’s riddled with exploiters because it doesn’t use filtering, and it’d probably just be easier to rewrite the game with filtering compatibility than to try and ban all the cheaters from the game. It’s also extremely easy to spoof your IP address and bypass the ban anyway. The only effective use I could see for this would be saving guest’s data, like Tomarty said. However, even that can be unreliable if the player’s IP address isn’t static, and could be done by giving the guest a code that refers to their data profile that they can type in when they join the game for the first time on an account.
1 Like
Lilly’s solution is optimal. Something along the lines of player:SharedNetworkWith(userId) would do wonders. I’m fairly certain ROBLOX logs the IP addresses that log into accounts, so even if someone changed their IP address, if they ever – just even once – logged onto their main account with that new IP, all of their alternate accounts that had used that same IP would be banned once again.
“Players who have dynamic IPs could get past IP banning”
Not past the site logging system where they log into both accounts from the same new network and ROBLOX now has logged both of them as using the same network. You (Anaminus) also said something about a hash so maybe SharedNetworkWith(userID) could take that into account as well.
“I think this is a really bad idea, it will still give you the possibility to link people together based on the fact that the hashed values are equal”
Boo hoo. Welcome to the internet. You just complained about every website in existence, because they all have the capability of doing that. There is no privacy/security risk in knowing that someone has used the same network – all you can tell is that another computer was used on that network, and not who used it. It could be a parent, a sibling, or even their dog, but you’d have no reason to believe it was anyone other than the person you originally banned using a different computer.
“A better solution to banning exploiters using an ineffective/unreliable/privacy threatening method is just to prevent them from exploiting in the first place”
You don’t always ban someone for exploiting. You could ban them for harassing users constantly, and no amount of FE is going to stop that.
[quote]
“Players who have dynamic IPs could get past IP banning”
Not past the site logging system where they log into both accounts from the same new network and ROBLOX now has logged both of them as using the same network. You (Anaminus) also said something about a hash so maybe SharedNetworkWith(userID) could take that into account as well.[/quote]
If an exploiter gets IP banned, logs out of that account, changes his IP/MAC and creates a new account there isn’t a way you would be able to track that unless ROBLOX was somehow able to link the two accounts together as being used in the same browser session. (disclaimer: i know pretty much nothing about web-related technicalities.) I remember a long time ago they used some kind of “poison” to track new accounts being made by serious offenders of the ROBLOX website rules, but I don’t know if that was legit or is even still being used these days, and it’s definitely not something worth implementing for a feature like this.
[quote]“A better solution to banning exploiters using an ineffective/unreliable/privacy threatening method is just to prevent them from exploiting in the first place”
You don’t always ban someone for exploiting. You could ban them for harassing users constantly, and no amount of FE is going to stop that.[/quote]
Yeah, FE won’t stop that. That’s why ROBLOX has a moderation system and a report abuse function.
m2c: I would rather have ROBLOX staff working on something else than spending the time to create this big API that’s not really necessary. We have means to stop exploiting and banning exploiters isn’t a good solution to the problem; preventing them from exploiting in the first place is. :]
As we’ve been over previously, we don’t always ban someone for exploiting – even if we did, the general intelligence level of ROBLOX users is relatively low, and the number of people who would know how to do that is greatly dwarfed by the number of people who don’t. Apparently “Oh you can just change your IP address” is something people like to throw around as an excuse not to add any sort of IP banning, but something that requires a user to:
- Know how to use Google
- Have the patience to do research
- Have at least somewhat of an understanding of how networking works
instantly rules out over half of the ROBLOX population hands-down, and that’s being generous. “But they can just change their IP address” is not an appropriate excuse to disqualify a feature that would otherwise keep over half the ROBLOX population (which is in the millions, right?) in line with relative ease.
In case you’ve been living under a rock for the past couple of months, Josh and Rukiryo both had been attacked repeatedly by two individuals and no matter how many times they reported them nothing was done. The report system does not function properly for harassment, and even when it does, not at an acceptable speed.
As I stated on another thread to a different person, it is not up for you to decide what ROBLOX’s priorities should be. We provide ROBLOX with ideas for features we believe would help us, and it’s up to them to decide if it aligns with their vision of what ROBLOX should be and if they’ll follow through with it or not – not us. We are not even close to informed enough to make the decision on how important something is for ROBLOX, so unless you are providing examples of how a certain feature will break your game / tear down the very foundations of ROBLOX, nonconstructive conjecture on what ROBLOX’s priorities should be, much less baseless attacks on a feature, do not belong here.
MAC spoofing is a bit more difficult and nowhere near as widely known as changing IP addresses.
I’m also tired of the “convert your game to FilteringEnabled to stop exploits” card being used. That shouldn’t act as an on/off switch for exploits or be referenced as one, because that’s not entirely what it is and it isn’t completely foolproof either. It also takes quite a bit of work to convert your game to FilteringEnabled-compatible, variable depending on the game.
EDIT: Yeah, Report Abuse ingame doesn’t seem to do much of anything and doing so on the site seems pretty variable.
The difference being that instead of the first parties (those websites, ROBLOX corp), this feature would allow third parties (developers, exploiters, etc) to access that kind of data in a way. I don’t know about you, but I would refer to a website that shares that kind of data to third parties as shady.
The difference being that instead of the first parties (those websites, ROBLOX corp), this feature would allow third parties (developers, exploiters, etc) to access that kind of data in a way. I don’t know about you, but I would refer to a website that shares that kind of data to third parties as shady.[/quote]
There’s no data, and they’re not sharing anything other than the fact that “This computer is on the same network” – not that your brother used it, not that your computer was stolen last week by a cat on steroids and he’s trying to access your ROBLOX account, and not that your computer is from 2008 and needs a major upgrade. It doesn’t provide any of that information – there isn’t one shred of information given that could be traced back to you. All it is is a yes/no answer of if that computer used the same network as another person you banned.
What I said was regarding hashed IP/MAC addresses, not the option to ban a user without giving the developer extra information like Lilly suggested, which is a much better solution.
I guess we can just conclude that some people believe that the hashed IP/MAC addresses is a security threat and others think it’s not, I don’t really feel like discussing that any further due to the attitude of the responses that the first group of people get in this thread and a better solution has been suggested anyway by Lilly.
As we’ve been over previously, we don’t always ban someone for exploiting – even if we did, the general intelligence level of ROBLOX users is relatively low, and the number of people who would know how to do that is greatly dwarfed by the number of people who don’t. Apparently “Oh you can just change your IP address” is something people like to throw around as an excuse not to add any sort of IP banning, but something that requires a user to:
- Know how to use Google
- Have the patience to do research
- Have at least somewhat of an understanding of how networking works
instantly rules out over half of the ROBLOX population hands-down, and that’s being generous. “But they can just change their IP address” is not an appropriate excuse to disqualify a feature that would otherwise keep over half the ROBLOX population (which is in the millions, right?) in line with relative ease.
[/quote]
I think you’re underestimating the average ROBLOX user - if they’re smart enough to look up how to use cheats, they’re probably smart enough to google “how to change my IP” and then reset their router or something. Even when I was like, 11 years old I knew how to use google. As for your comment on the report system being ineffective, ask ROBLOX to improve it. Then you can get people banned from the entire platform instead of from one mere game.
Yeah, I live under the Himalayas, thank you! 
Were they only attacked while in a ROBLOX game? I thought somebody was harrassing Josh over Twitter or ROBLOX messaging or something, where IP banning them wouldn’t help anyway. The report system’s entire reason for existence is to report malicious behavior.
[quote]
As I stated on another thread to a different person, it is not up for you to decide what ROBLOX’s priorities should be. We provide ROBLOX with ideas for features we believe would help us, and it’s up to them to decide if it aligns with their vision of what ROBLOX should be and if they’ll follow through with it or not – not us. We are not even close to informed enough to make the decision on how important something is for ROBLOX, so unless you are providing examples of how a certain feature will break your game / tear down the very foundations of ROBLOX, nonconstructive conjecture on what ROBLOX’s priorities should be, much less baseless attacks on a feature, do not belong here.[/quote]
:shocked: I’m just providing my point of view, which I think I’ve explained reasonably and has some weight to it. “m2c” means “my two cents.” I wasn’t trying to speak for ROBLOX, I was merely giving my opinion on the issue - I firmly believe that this feature wouldn’t stop people from exploiting games. There’s a clear-cut solution to exploiting and IP banning somebody bent on harrassing you isn’t going to stop them.
Lilly: yeah, I’m not going to deny that porting a project over to FilteringEnabled is a daunting task, especially for less code-savvy developers, but it’s the only definitive solution to the problem. I haven’t seen any exploits get through it as long as you manage remotes properly and check physics fps to ensure users aren’t speedhacking (I’m actually not sure if the ROBLOX characters have any additional vulnerabilities now that I think about it; but if they do we should be asking that those get fixed.) 
@build: Dom’s feature request isn’t happening. ROBLOX shouldn’t and won’t give us access to users’ IP addresses. Sorry I didn’t clarify which feature request I was notioning towards. Dom’s feature is done though – not happening period. Any further discussion in this thread should be directed at Lilly’s ingenious feature request.
Even for the exploiters who actually did use Google, if they don’t know what IP addresses are then they can’t search how to change their IP address. And I thought we already established that we weren’t just talking about exploiters. It doesn’t take any sort of intelligence to harass another user – just because they do something to warrant a network-wide ban doesn’t mean they’re capable of figuring out how to change their IP address.
It was on multiple fronts. They were PMing him, but all he had to do was turn his PMs to friends-only to solve that, and you’re able to block people on Twitter and report them as well if I read a recent article about Twitter’s stance on cyber bullying correctly, so Twitter isn’t an issue either. The main issue IIRC was that he was going into Club Boates and mass-spamming the chat (apparently he was bypassing the .Chatted event according to Josh so he couldn’t detect spam and kick him). Banning him from the game was the only way to stop that, but he kept coming back on new accounts since there was no way to trace him to his original account.
That’s no more constructive than maliciously attacking the idea, and doesn’t contribute to the thread at all. ROBLOX ultimately makes the decision on whether to implement it or not and whether it’s important or not – it doesn’t matter what you personally feel towards a feature – unless it breaks your game or something along the lines of that claiming a feature won’t be useful to you personally is nonconstructive and doesn’t belong on feature request threads.
Actually I would prefer that they generated a GUID for each client instead of giving away valuable information. It would be a property under the player object called “ClientID” and would be read only.
Like how hard would that be.
Are you sure?
And, we did establish that, I’m just pointing out that the most dangerous type of player this feature was looking to solve was exploiters. I’ve also mentioned users with toxic behavior multiple times and I proposed my idea to help deter that, which would be a more efficient report abuse system.
[quote]dude
It was on multiple fronts. They were PMing him, but all he had to do was turn his PMs to friends-only to solve that, and you’re able to block people on Twitter and report them as well if I read a recent article about Twitter’s stance on cyber bullying correctly, so Twitter isn’t an issue either. The main issue IIRC was that he was going into Club Boates and mass-spamming the chat (apparently he was bypassing the .Chatted event according to Josh so he couldn’t detect spam and kick him). Banning him from the game was the only way to stop that, but he kept coming back on new accounts since there was no way to trace him to his original account.
[/quote]
So, like I’ve been saying, even if you IP banned him he could still get around it. Whether or not he WOULD isn’t something I can say, but the possibility is still there. If he was bypassing the .Chatted event then that’s an issue we could look into having fixed, so that he could then detect if he was spamming and boot him from the game or mute him if the game is using a custom chat GUI, giving us a reliable solution that would work 100% of the time instead of hoping he doesn’t know how to change his IP address.
[quote]
That’s no more constructive than maliciously attacking the idea, and doesn’t contribute to the thread at all. ROBLOX ultimately makes the decision on whether to implement it or not and whether it’s important or not – it doesn’t matter what you personally feel towards a feature – unless it breaks your game or something along the lines of that claiming a feature won’t be useful to you personally is nonconstructive and doesn’t belong on feature request threads.[/quote]
I disagree. I’m pretty sure ROBLOX gauges the demand for features based on developer feedback on the threads on which they’re suggested. By posting my opinion on the suggestion, they can take into consideration the fact that there is opposition to the idea, and I can explain why I think that to give my opinion some weight. That’s what this forum is for.
You’re telling me that someone who doesn’t know what an IP address is can Google “How to change IP address”? Explain that logic to me.
There cannot be a more efficient report abuse system unless they: hire more moderators or start ignoring every xth report (if they don’t already) – the first isn’t likely to happen and the latter isn’t a good thing. There are only a select number of moderators and they can’t be everywhere at one time. Giving a developer the ability to remove someone from their game (as they did with :Kick()) speeds up the process tremendously by allowing unwanted users to be removed before they cause any real damage which would otherwise be reviewed by a moderator hours, days, or weeks later. The ability to ban someone regardless of if they are on an alternate account, guest, or their main account falls under that same principle that users can moderate their own games faster than the actual ROBLOX moderators and create a safer, more peaceful environment .
[quote=Imaginaerum]
So, like I’ve been saying, even if you IP banned him he could still get around it. Whether or not he WOULD isn’t something I can say, but the possibility is still there. If he was bypassing the .Chatted event then that’s an issue we could look into having fixed, so that he could then detect if he was spamming and boot him from the game/mute him if the chat GUI is custom, giving us a reliable solution that would work 100% of the time instead of hoping he doesn’t know how to change his IP address.[/quote]
Just because he knows how to exploit does not mean that he knows currently/can find out how to change his IP address. Have you ever heard of V3rmillion? Nasty little forum with exploiters and leeches all over the place. Surely since everyone there is an exploiter of some sort that IP banning would be next to useless because they all can figure out how to bypass it! After I took over the account of someone impersonating me there, they IP banned me from the site. They wouldn’t IP ban people if it wasn’t effective, and if it’s effective on a forum of exploiters, I’m relatively sure it’d be effective on ROBLOX. Not to mention that the account I took over was that of caca22 which apparently is one of their most valued members. Do you know how I took over his account? I got his IP address from Skype and emailed the site owner saying I needed a password reset and provided caca’s IP. When caca found out he asked me “HOW?! I WAS USING A PROXY!” – he wasn’t using the proxy correctly. If one of the most renown exploiters on V3rmiliinon can’t use a proxy correctly, I don’t have much faith for the average exploiter. You assume that anyone who is using an exploit on ROBLOX is capable of changing their IP address, but that simply isn’t the case. People get exploits from their friends and by clicking links on forums – there’s no effort nor skill required to acquire an exploit that way. Just because someone is exploiting a game doesn’t mean they’re capable of figuring out how to change their IP address.
[quote=Imaginaerum]
I disagree. I’m pretty sure ROBLOX gauges the demand for features based on developer feedback on the threads on which they’re suggested. By posting my opinion on the suggestion, they can take into consideration the fact that there is opposition to the idea, and I can explain why I think that to give my opinion some weight. That’s what this forum is for.[/quote]
They gauge the idea based on how many people want it added. If you want to point out “Hey this will negatively impact ROBLOX in X way” that’s perfectly fine. “Oh me personally well I don’t like this feature and I think others are important” is nonconstructive – if you like other features better then go bump back those threads or post a new feature request if there isn’t an existing thread. Expressing your distaste for a feature because you like other features better is not appropriate behavior.
1 Like