@Riot Lyte, @Others: Hardware hashes, keeping toxic players out, and more!

str0nk

Senior Member

11-11-2012

Toxic players exist in this game, whether we'd like them to or not. With the Tribunal ever evolving, catching these troublesome individuals is improving. In my opinion, the game, at least at the higher levels, is getting better. However, this isn't to say that there aren't outstanding issues with the current system.

As of right now, there is an inherent problem that afflicts League of Legends and other similar free-to-play games. When a user gets his/her account banned, they can simply create a new one. There is no true repercussion for them. The only downside to being suspended is that a user must re-level his/her account, and re-acquire material (e.g. champions, runes, skins, and so forth) - there is a "time investment".

I believe that most players that get banned or suspended, just create a new account or play on their smurfs. This effectively circumvents their account action (they don't get the time out they deserve). There probably exists a subset of these individuals that, even after the numerous warnings and bans, don't improve their behavior.

This can cause problems for new players who might not be accustomed to this toxic behavior. Imagine the displeasure of playing one of your first League of Legends games with a toxic individual. The experience would portray League of Legends in a "bad light" to these new players. This could even cause a potential player to quit playing the game.

With that being said, why not create a system in place where you can issue hardware ID bans to individuals? No, I'm not proposing IP bans. IP bans are so 1990s. Everyone knows how to bypass them, and they cause more trouble than they are worth (e.g. sharing of IP addresses). I am proposing hardware ID style bans (similar to the way Microsoft did for Xbox 360 users to combat piracy). For this to be successful, you would need to design an algorithm to generate a unique hash. This hash would be a combination of certain characteristics of the individual's running hardware or operating system configuration. The goals of the hash: must be relatively static (doesn't change on reboot; doesn't change on installation/removal of software; (PREFERABLY) doesn't change on OS reinstall), and unique (avoids collisions).

Designing the algorithm for the hash would take some work. It's not impossible, nor is there too much time investment. An example of an archaic (and poor) implementation of such an algorithm:

Generating a SHA256 hash based on
Logged in user name (GetUserName) + Computer name (GetComputerName) + Maximum space available on the system drive + Volume Serial number of drive (GetVolumeInformation) = SIMPLE_HASH

Now, this obviously would not be the best algorithm. Why?
It's way too easy to defeat. To generate a new hash, all the user would need to do is change their user name, change their computer name, alter their system drive configuration, or change their volume serial number. All these tasks are trivial to complete. This is just an example: I know there are better identifiers that are unique and static, but this should suffice to further the discussion.

SIMPLE_HASH will be associated with my machine's configuration. Regardless of what LoL account/IP address I log under to play, my computer's generated SIMPLE_HASH is always the same.

We can use this generated SIMPLE_HASH to prevent toxic individuals from playing League of Legends.

A hypothetical situation:
Let's say that I've been a terrible player. I have had countless warnings. Finally, I get banned by the Tribunal permanently.

What are my options?
1. I can quit playing the game,
2. or (the more likely of the 2) I make a new account.

To continue the discussion, let's say I choose to create a new account. I log in to the game service. SIMPLE_HASH can be computed as I log in (or, preferably, at random discrete times to make it more difficult to reverse engineer) to my new account. SIMPLE_HASH, because of the nature of the algorithm, should always generate the same hash for my machine. The login authentication module will then do a lookup in the accounts table (or perhaps to reduce the performance impact of such a large query, it would be wiser to check a small 'banned' table subset) that have my associated SIMPLE_HASH. If my SIMPLE_HASH has an account associated with it that has been previously banned, we can ban this newly created account and prevent the user from logging in. Ta-da! We stopped a toxic individual from creating a new account to play League of Legends. VICTORY IS OURS!

But, there might be problems. I'll try to address potential issues and offer solutions to them:

1. What if we wrongfully ban a user who hasn't done anything wrong?
Ideally multiple hashes (e.g. 2) would be generated using different criteria (and ideally a different cryptographic hash function). This would reduce the chances (to almost nil!) of collisions. This would greatly prevent banning an individual by accident.

2. What if the user decides to just play on a different computer?
Well, that's obviously a problem, but here is a solution that resolves most cases. Instead of immediately actioning an account, the smarter way would be to delay it. This would allow the service to collect multiple SIMPLE_HASHes (since they are logging in to their account with different computers, the hashes will be different). These multiple hashes can be associated with that account. Once that account is actioned, all the hashes associated with the account are blacklisted. Obviously, preventing corner cases is possible with a little insight (e.g. I log into my friend's computer. His hash is then associated with my account. I do something stupid. I get banned. Because I logged into my friend's account, he need not get banned also. To avoid this, one can look at other measures, e.g. how often I log in from that computer).

3. How does this stop me from purchasing a new computer/new hardware to play League of Legends after you banned me?
It won't! As long as this new machine generates a hash which is not associated with the banned account (which it will), you effectively beat the system. However, is it economically viable for you to purchase a new computer/new part (which may or may not be related to the hash calculation) just to play League of Legends again? Even if it was, would this repercussion at least make you think twice about what you are doing?

4. Reverse engineering: How would you prevent it?
Through smart programming practices: randomizing the times the algorithm is invoked, good use of delay, having consistency checks of the running image (scanning our own process memory to see if our function was patched), dynamically generating the algorithm (retrieving constraints from the server), etc...

5. What about my privacy?
No one will be nosing around your private data. For the most part, League of Legends already collects system hardware configuration.

Final words: Obviously, what you put into this is what you'll get out of this. If this is a small problem (which it might very well be), the solution shouldn't need to be extremely complex. This would undoubtedly make it easier to "break", but when this impacts such a small subset of the population, the likelihood of someone bypassing this greatly decreases. It should prevent most toxic players from rejoining the community, if not all.

Food for thought: There are SO MANY OTHER useful implementations of the aforementioned technology. In ADDITION to keeping toxic players out of the community, this could be used to better detect smurfs (improve the matchmaking system!), detect account intrusions, etc... THE SKY'S THE LIMIT.
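
The server-side flow proposed in the post above, as an added example that is not part of the original post and is not Riot's code: a two-hash fingerprint (point 1) checked against a small banned table, with only regularly used machines blacklisted when an account is banned (point 2). The field names, the second attribute set (`gpu_model`, `ram_bytes`), the `min_logins` threshold and the sample machines are assumptions constructed for illustration.

```python
import hashlib
from collections import Counter, defaultdict

def _digest(algo, fields):
    # Length-prefix each field so ("ab", "c") and ("a", "bc") hash differently.
    h = hashlib.new(algo)
    for field in fields:
        data = str(field).encode("utf-8")
        h.update(len(data).to_bytes(4, "big") + data)
    return h.hexdigest()

def fingerprint(m):
    """Two hashes over different criteria with different hash functions (point 1)."""
    simple = _digest("sha256", [m["user_name"], m["computer_name"],
                                m["drive_bytes"], m["volume_serial"]])
    # Second attribute set is an assumption; the post does not name one.
    second = _digest("sha512", [m["gpu_model"], m["ram_bytes"]])
    return (simple, second)

class BanRegistry:
    def __init__(self, min_logins=3):
        self.min_logins = min_logins          # assumed frequency threshold
        self.seen = defaultdict(Counter)      # account -> fingerprint -> logins
        self.banned_fps = set()               # the small 'banned' table
        self.banned_accounts = set()

    def login(self, account, fp):
        """Return True if the login is allowed."""
        if account in self.banned_accounts:
            return False
        if fp in self.banned_fps:             # tuple match: both hashes must agree
            self.banned_accounts.add(account)
            return False
        self.seen[account][fp] += 1
        return True

    def ban(self, account):
        """Ban the account; blacklist only machines it used regularly (point 2)."""
        self.banned_accounts.add(account)
        for fp, count in self.seen[account].items():
            if count >= self.min_logins:
                self.banned_fps.add(fp)

def demo():
    # Constructed sample machines, not real data.
    home = {"user_name": "alice", "computer_name": "HOME-PC",
            "drive_bytes": 500107862016, "volume_serial": "1A2B-3C4D",
            "gpu_model": "GPU-X", "ram_bytes": 8589934592}
    friend = {"user_name": "bob", "computer_name": "BOB-PC",
              "drive_bytes": 256060514304, "volume_serial": "9F8E-7D6C",
              "gpu_model": "GPU-Y", "ram_bytes": 4294967296}
    renamed = dict(home, computer_name="NEW-NAME")
    reg = BanRegistry()
    for _ in range(5):
        reg.login("banned_main", fingerprint(home))
    reg.login("banned_main", fingerprint(friend))   # one visit to a friend's PC
    reg.ban("banned_main")
    return {
        "new_account_same_pc": reg.login("alt_1", fingerprint(home)),
        "friend_own_account": reg.login("friend_acct", fingerprint(friend)),
        "same_pc_renamed": reg.login("alt_2", fingerprint(renamed)),
        "second_hash_survives_rename": fingerprint(renamed)[1] == fingerprint(home)[1],
    }

if __name__ == "__main__":
    print(demo())
```

Requiring both hashes to match guards against wrongful bans, but the renamed machine is then admitted even though its second hash is unchanged, which is the weakness of the SIMPLE_HASH inputs the post itself points out.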


cornchowdar

Member

11-11-2012

Great informative post. Would be nice to get a reply, but I somehow doubt it..

The reason is the fact that they don't want to prevent users who have been banned from buying more RP... and to do that they have to be able to play,


Settero

Senior Member

11-11-2012

Have you considered the legality of this? Providing anything that cannot be uninstalled/removed is illegal, I do so believe.


str0nk

Senior Member

11-11-2012

Quote:
Originally Posted by Settero View Post
Have you considered the legality of this? Providing anything that cannot be uninstalled/removed is illegal, I do so believe.

Huh. I don't quite understand what you mean.

No one would be installing additional software on your computer.
League of Legends already collects information regarding your computer configuration (e.g. your video card, how much RAM you have, yadda yadda). It just doesn't utilize it in this way.

Basically, the information is there, it just isn't being used in this fashion.

Quote:
Originally Posted by cornchowdar View Post
Great informative post. Would be nice to get a reply, but I somehow doubt it..

The reason is the fact that they don't want to prevent users who have been banned from buying more RP... and to do that they have to be able to play,

Lyte did say this recently on the EUW forums:

Quote:
Actually, I remember you because I reviewed your case personally during the audit process. I'm sorry to say that we don't want you to keep playing League of Legends, you've damaged the community way too much during your time here.

You've received over 1200 reports with a whopping 28% reports/game ratio. Unlike other players, most of the reports against you are valid as well... with 54% of your total reports being valid Verbal Abuse, Offensive Language or Negative Attitude reports.

I absolutely hate it when I have to tell a player to leave the game, but we don't feel there's a place for you in League. I'm sorry.

Furthermore, I believe it hurts Riot more by letting extremely toxic players exist in League of Legends. You might be able to get that individual to buy RP, but what about the others who now have to deal with the displeasure of their company? The "victims" are probably less inclined to buy RP.


Hemorrhagic

Recruiter

11-11-2012

I'm sure this has been kicked around at Riot more than a few times. The only reason why this isn't a reality already, and this is pure assumption, is that even people that get banned return and spend a few bucks to pick up a favorite champ or two from time to time.

I have no metrical data to support that but I would be surprised if it has never happened.


Settero

Senior Member

11-11-2012

Quote:
Originally Posted by str0nk View Post
Huh. I don't quite understand what you mean.

No one would be installing additional software on your computer.
League of Legends already collects information regarding your computer configuration. It just doesn't utilize it in this way.

Basically, the information is all there, it just isn't being used in this fashion.

Oh lol, so you're just saying to have the unique code on their end?
How do you propose that they differentiate between two identical PCs?


Ada Wong

Senior Member

11-11-2012

Hardware bans are you kidding me.

I am a PC tech, I have been hardware banned from some games before, in fact I grief in these games for revenge on other griefers and get banned 20 times a day if I wish hardware banned, and I manage to bypass the bans each time why?

Because hardware bans do not work.

1. There are multiple ways to use software to spoof your hardware ID's.
2. Most games work by Hard Drive Volume ID, Serial Number, or MAC address, so changing some of your hardware you get around them, I can easily do this I have a box of network cards sitting here, my pc has 4 hard drives in it, and I have over 20 other hard disks in a box, Plus a bunch of routers.

CPU ID's is an idea, but then again I have spare CPU's too, although I think this is going to the extreme and wouldn't work in the long run.

Now collection of Volume ID, Hard disk space, memory, computer speeds, these are all easily changed too just for the record lol, and it wouldn't take too much to get a HACKER, or CODER to decompile the LOL client and leak a set of instructions or patch to bypass bans now would it?

Sure it would stop a dummy however. Maybe a 10 year old kid if that hell I was doing computer hardware since like 9 years old though heh.


str0nk

Senior Member

11-11-2012

Quote:
Originally Posted by Jayden Demonia View Post
Hardware bans are you kidding me.

I am a PC tech, I have been hardware banned from some games before, in fact I grief in these games for revenge on other griefers and get banned 20 times a day if I wish hardware banned, and I manage to bypass the bans each time why?

Because hardware bans do not work.

1. There are multiple ways to use software to spoof your hardware ID's.
2. Most games work by Hard Drive Volume ID, Serial Number, or MAC address, so changing some of your hardware you get around them, I can easily do this I have a box of network cards sitting here, my pc has 4 hard drives in it, and I have over 20 other hard disks in a box, Plus a bunch of routers.

CPU ID's is an idea, but then again I have spare CPU's too, although I think this is going to the extreme and wouldn't work in the long run.

Now collection of Volume ID, Hard disk space, memory, computer speeds, these are all easily changed too just for the record lol, and it wouldn't take too much to get a HACKER, or CODER to decompile the LOL client and leak a set of instructions or patch to bypass bans now would it?

Sure it would stop a dummy however. Maybe a 10 year old kid if that hell I was doing computer hardware since like 9 years old though heh.

I already addressed your points in the OP.

I'm well aware that anything that exists on the client side can be spoofed. This could be done right or it could be done wrong - it depends on the implementer.
Furthermore, I never claimed it would stop everyone 100% of the time (because that's impossible), but it would stop the majority of people. That's still better than none.

Quote:
Originally Posted by Settero View Post
Oh lol, so you're just saying to have the unique code on their end?
How do you propose that they differentiate between two identical PCs?

Nothing is 100% identical. There is always some difference.


Estibou

Junior Member

11-11-2012

This would really hurt internet cafes/game shops....