[MUD-Dev] Re: Trusting the Client (Re: Laws of Online World Design)

Steve Sparks ssparks at enigma.sss.org
Tue Oct 20 11:43:02 New Zealand Daylight Time 1998


> > 
> > Dynamic address information can be traced to a client. If you log the IP
> > you can track it to a USER ID. Just require valid non-anonymous email
> > information and if your a pay service you have a credit card. 
> 
> I'm not sure what you mean by "USER ID" in this context.  In a fairly standard
> ISP setup, the customer dials in to get a network connection and a single IP
> address, which will typically be different for every session.  Just logging
> the IP address doesn't help all that much, because the user will have a
> different address next time, and the same address may be used by someone else.

Userid = id used to access the pay system not the isp. It is suprising but
you can often find a link to people even with a dynamic ip. Try looking on
a related "chat board" / news group for the ip address.

You would be suprised but you can resolve and address and a person will
often be coming from a modem pool that gives you at least some confirming
information about who is cheating. It is hard to do this programatically 
but can be done manually if the problem is worth human intervention.

> 
> If you log something about the particular instance of the client software
> they're using, that's entirely different.  That serial number/email address/
> credit card number is the unique ID.  The IP address isn't.

The valid registered ID was what I was using as something unique and the
ip address information is confirming information for where the person
cheating might be located. 

> 
> > If there is some sort of security problem like someone crashing a service
> > you can use the ip to notify the ISP of the problem and since you have the
> > email or credit card info they can terminiate the account. 
> 
> The ISP can usually take an (IP address,time) pair and figure out which of
> their customers was responsible.  Most of the time you'll have to convince
> a human being that it's a real problem to get this, though.  It's not
> something you can automate to prevent in-game cheating.

If you do log ip address and time make sure you log it at each point of
cheating so you can have a bigger window of time to use with the ISP.

Yea, Automation would be impossible to fix problems like this other than
not allowing connections from "problem prone" domains. 

> 
> An email address or credit card number may not help with the ISP, either.
> Email accounts aren't hard to obtain from places like Hotmail, and the
> credit card used to pay for a game can be different than what's used to
> pay for network connectivity.
> 

If you ever get email from the "anonymous" service like hotmail check out
the extended header information. You can find IP address information in
the header. You then can at least resolve to a hostname. People using
hotmail and other services like this a sending mail from a work as well as
home so you might actually have better luck figuring out who is who.

> Having a credit card number allows an interesting extra twist, though.
> If the terms of service include a surcharge for detecting attempts at
> cheating, you may deter cheating, and make extra money when you do have
> to deal with it.
> 
A nice way to make a few bucks!

> > Before you say who is going to give out email, well most people do not
> > have negative reasons for wanting to play at the start so it should not be
> > a problem. If they do have a problem it is time to play on another system.
> 
> My experience has been that the most troublesome players are perfectly
> capable of coming up with new, unrelated email addresses, so registration
> is of limited value.  Some others on the list would know better, having
> run much bigger and more recent games.
> 

If you have a problem player giving out email information that is not
valid but coming from the same IP subnet it is a good chance that the
person is the same. I've seen this done and found the same person on the
end.

I hate to give out too many details and all my secrets, being as they are
not really a secret but just things people do not know is going on in the
background. I have traced down people using ip logs and CC information.

BTW: I just left UO as a DBA for the accounts system and have successfully
chased down many people cheating and causing problem using IP (even
dynamic). A person tends to leave tracks and traces of there identity
every time they login to the net.


Steve





More information about the MUD-Dev mailing list