NetrunnerDB Exploit and How to Protect Yourself

I’m just surprised this happened but at least I now have an explanation of why half of WC2015 corp decks were Dan’s purplecoat clones more or less one card (if that hack is old enough).

My exact reaction is this smiley :confused: not this one :frowning: or this one :joy: or this one :sweat:
If I were elite I’d be :sob:

In fact, I’m quite happy this is finished and people have to rely on their own building skills.

I’d ask @Alsciende to punish the robot and send them my decks (or any fancy Johnny you know about) :slight_smile:

1 Like

Thanks, @bblum for working with Alsciende to close the hole and salt the URLs. And you should thank @d1en for being the voice of reason and talking you guys out of doing something shameful with the information. He saved you from the same vitriol that is going SF’s direction.


You might say they didn’t want to…

I’ll see myself out.


I appreciate the kudos, but to be frank Ben, Jason and Sam had already arrived at conclusions that it was ethically wrong way before I had a chance to catch up and contribute. They also were working towards fixing it as we finalized the decision. I’m very proud of these individuals through and through.


It’s the same reason everyone was on ctm last year. It was a good deck, and everyone knew that it existed. To suggest that half the community is scraping decks for 2 plus years is wrong. This wasn’t about net decking or stealing other people’s decks, it was about reading the field before the event at the time of the biggest change in netrunner history.


@leburgan I don’t really remember the deck existed before that tournament (link).

Foodcoats are quite defined by a few common things:

  • GFI
  • Caprices
  • Archived Mems (the nrdb’s search engine is broken by core 1 + 2 cards so I can’t search for that)
  • Ichi 1 (same)
  • Ichi 2 - which was at the time the only fat sentry HB had for competition (Sherlock idea is later).
  • Tollbooth (same)
  • Eli 1s
  • NAPD
  • Ash (same)

All of this living together before the MWL.

You can see one guy posting that kind of list before fall 2015, in summer 2015, then you’ve got magically 10 decks in November.

How strange is that? (maybe that’s just me).

I have seen foodcoats quite a bit before Worlds. In my opinion it was hardly a surprise and there were many different versions present at Worlds, from all over the world.

1 Like

Data and destiny, for GFI, came out October 28, 2015.
WC happened November 8, 2015.

You may have seen “quite a bit” Foodcoat during these 10 days, and sure, these 2 weeks may have convinced half the corp pool that the whole meta was shifting Foodcoat because of 1 card in D&D, but please permit me to have a little doubt.

It’s not a matter of testing the proxies there, it’s a matter of flair seeing those proxies winning a WC. I quite don’t understand why so many random unknown guys had the same decks. We’re living obviously in a deckbuilding full of WC elite builders that all had the same genius idea, that hibernate during the year maybe?

Seen from France I remember some saying “that’s SH hivemind pushing their meta”. Well, in regard of this event, I’m not sure this was intentional nor hivemind.

Red coats as a deck was around for a long time. The implications of GFI for the deck, and most corp decks were quite obvious in my opinion. Especially considering the discussions throughout the year if it was worthwhile playing 5/3s to reduce agenda density, but with the drawback of the possibility that your opponent would have to steal only 3 agendas. Same discussion was going on for RP where it was about a 4th 5/3 in addition to the TFPs.

In regards to Ichi 2.0, there was an alternative which quite a few players preferred - Assassin.

Overall, I think that knowing which cards would be available in D&D a lot of good players around the world got to the same or similar conclusions. That’s why we saw so many different Foodcoats in the cut.


Also, it was even discussed here that Redcoats would probably be fantastic with Global Food. Afterwards, people tested and found out that they were right. As the DLR decks got figured out, people realized that Turing was a way out of being siphon spammed on HQ using AIs. The massive econ of ETF as well as Broken Bay Grid + Sexbots also enabled people to stay afloat economically to continue scoring (or trashing) through DLR’s gameplan.

Plus, Data and Destiny, while it technically only came out on October 28th, had been in a massive amount of players’ hands since Gencon, months before. People were playing with and testing these decks for quite a while.

Besides, Dan doesn’t use NetrunnerDB. He uses Meteor =P


7. Computers
b. to circumvent security and break into (a network, computer, file, etc.), usually with malicious intent: Criminals hacked the bank’s servers yesterday.

‘Hacking’ involves getting access to something that you are not supposed to have access to. (‘Circumventing security’) If they were getting Private decklists, that would’ve been hacking. (If you didn’t have ‘share decklists’ checked and people were getting access to your unpublished lists, then you were hacked.) If you were able to authenticate yourself as someone else to gain access to their decklists, or if you were able to change the contents of someone else’s list, then you would’ve been hacking.

This is ‘scripting’, or ‘scraping’: taking a process and automating it to gather large amounts of data at once.

Neither term, technically, is strictly good or bad. Still. It’s not a hack, strictly speaking.

</pedantic grammar/definition discussion that doesn’t actually matter>

1 Like

King of servers was before worlds in 2015. Dan played hb in kos. He was pretty vocal about switching off harp which he was on previously. The etf deck builds itself lol.

I’m not sure why people are getting so pedantic about the word “hack”. The definition, which I believe you used, has 28 (!) different definitions. You would have to go through all of them to say that someone is not using the word correctly, but here is one that fits this situation (the first part of your definition):

to modify (a computer program or electronic device) or write (a program) in a skillful or clever way: Developers have hacked the app.
I hacked my tablet to do some very cool things.
(emphasis mine)

The Glass House team put together a script that did a clever thing, so it fits the definition. It also touches on the malicious theme of the other definitions, because they did it to get an advantage over (unsuspecting) players at Worlds.

The part that can be debated is whether the sharing link feature is supposed to make all your private decks be public. Most users don’t think so, and as far as I can tell, neither did the creator (from his comments and changes he’s made when it was reported last year). It just seems like a poorly implemented security through obscurity, which fits the other related definitions. As far as I can tell the creator was trying to convey the risks with this type of security in a concise and general way when they wrote the description for the checkbox.


Definition argument here, look for the break for my on-topic comments…

As a developer, I dislike that definition. Whenever a developer talks about ‘hacking’ some code, it’s nearly always pejorative in context: ‘It’s an ugly hack, but it works. Technically. Don’t ask me to revisit it again, though.’ There are ‘hack-a-thons’ where a group of coders get together to try and make something interesting.

I suppose the definition depends on the object of the sentence. ‘Hack’ is a verb. If you use it to refer to something you did to code, then yes, the definition fits ‘They hacked together a script to read all decklists and attach names to them.’ is an accurate statement. The other definition is something you do to security systems, and that definition doesn’t fit. ‘They hacked to get access to private decklists’ is not an accurate statement or use of the word ‘hacked’, in a purely technical sense of the word.

We can chalk it up to English being really bad at specific meanings and using the same word for different meanings.

As to why I’m being pedantic? I dunno, it feels like part of my industry’s jargon is being misused. Shrug. Also it’s easier to argue meaning of words than to properly convey how I feel about this occurrence :wink:

Yes and no. Security was a secondary concern to ease of sharing decklists with others. (From an outside viewpoint.) I don’t feel this script bypassed any security of NRDB. That doesn’t mean I endorse it, of course… I don’t feel it was looked at as a security feature at all, instead being viewed as a Quality of Life improvement. Before, you couldn’t share decklists without specifically publishing them. Now, you can poke a hole into your account and allow NRDB to show people your list if they give the appropriate deck ID number. (The main reason I feel this wasn’t looked at as a security feature? You still can’t look at decklists of people who don’t have that box checked. The security wasn’t broken.)

I’m honestly pretty sure that if NRDB didn’t show name of author along with the list and the ID number wasn’t sequential (someone else noted that a salt should be used), that this scraping would actually be viewed as a net positive, because it would more easily facilitate deck analytics. The issue is using it to associate decklists with specific names, which is Not Good.

1 Like
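The share-by-ID design discussed in the post above (sequential deck ID, author name shown with the list), next to a variant where the link carries a random token, as an added example that is not part of the thread and is not NetrunnerDB's code or its actual fix. The `DeckStore` class, the `/share/<id>/<token>` URL shape and the sample decks are assumptions constructed for illustration.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from itertools import count

@dataclass
class Deck:
    owner: str
    cards: list
    shared: bool  # the "share your decks" checkbox
    # 128 random bits per deck; constructed design, not NRDB's
    token: str = field(default_factory=lambda: secrets.token_urlsafe(16))

class DeckStore:
    def __init__(self):
        self._ids = count(1)  # sequential primary keys
        self._decks = {}

    def create(self, owner, cards, shared):
        deck_id = next(self._ids)
        self._decks[deck_id] = Deck(owner, cards, shared)
        return deck_id

    def share_url(self, deck_id):  # hypothetical URL shape
        return f"/share/{deck_id}/{self._decks[deck_id].token}"

    def view_by_id(self, deck_id):
        """Weak design: knowing (or counting up to) the ID is enough."""
        d = self._decks.get(deck_id)
        if d is None or not d.shared:
            return None
        return {"owner": d.owner, "cards": d.cards}

    def view_by_token(self, deck_id, token):
        """Link must carry the deck's token; owner name is not returned."""
        d = self._decks.get(deck_id)
        if d is None or not d.shared:
            return None
        if not hmac.compare_digest(d.token.encode(), token.encode()):
            return None
        return {"cards": d.cards}

    def rotate_token(self, deck_id):
        """Revokes every previously handed-out link for this deck."""
        self._decks[deck_id].token = secrets.token_urlsafe(16)

def exposed_by_id_walk(lookup, max_id):
    """Audit helper: decks returned to a client that only counts IDs upward."""
    return sum(1 for i in range(1, max_id + 1) if lookup(i) is not None)

def build_demo():  # constructed sample data
    store = DeckStore()
    store.create("alice", ["card A", "card B"], shared=True)
    store.create("bob", ["card C"], shared=False)
    store.create("carol", ["card D"], shared=True)
    return store
```

With the token in the URL, the checkbox still controls whether a deck can be viewed at all, but the link is only usable by someone the owner actually gave it to.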

That’s… a little disingenuous, as usage depends on context. Those calling it a hack aren’t doing so to denote the cleverness of the implementation. To say someone’s not using a word incorrectly because an entirely different definition fits bypasses the entire reason why words have multiple definitions.

The implications for private and public data, and to a wider degree the different understanding by technical and non-technical users, are exactly why the word is a point of contention here.

The technical aspects, especially as they regard whatever particular phrasing of the feature on NRDB, are really sidestepping the issue though. A lot of people (and I’m not implying you are, obviously) seem to be getting caught up in technical and semantic arguments because it’s an avenue to imply whether or not people should be upset, and to what degree.

People obviously are. And it should have been trivial to expect that they would be.

1 Like

No, it would still be bad. Seriously, it’s private info and nobody should make it public without consent. Removing the names does not make it less of a breach of privacy.

There’s no need to be pedantic here. Obtaining and releasing public information without consent is a dick move and not justified by “deck analytics”.


You mean like a checkbox stating that the decklists can be viewed by everyone, maybe?

Snark aside, this is one of the things that does feel weird to me, and I am in agreement.

Philosophically, I have no problem with this. I also have no personal stake in the game. With those disclaimers out of the way, I still can’t endorse this behavior. To me, this smells of people learning that something put online is not private, ever. BUT, that’s my personal philosophy and viewpoint, and I don’t feel others should feel the same, and understand that the majority don’t feel the same way. I suspect my opinion in this is colored by the hard knowledge that there’s no such thing as perfect encryption or perfect security. Everything is breakable by someone determined enough. That doesn’t make breaking something right, but it does mean that you shouldn’t depend on your security being perfect.

Bringing this back to Netrunner… I personally believe that the best overall deck is a deck that you could provide the list to your opponent without it hurting your chances of victory. I also believe there are decks that are dependent upon their list’s secrecy. Thus, I believe both that real harm was inflicted by this scraping, and that the harm done was minimal in scope. But, again, I don’t have a horse in this race. Any of my decks were probably immediately deleted before they contaminated the rest of the lists with awfulness. :slight_smile:

I’m not trying to ignore the context (or be disingenuous). My point was that the word has many many meanings, some fit the situation better than others and I can’t say (even though I understand the technical aspects of the scraping), that it was used incorrectly. And I’m not sure why many different people keep bringing up that it’s not a hack (technically) because the data was not strictly private when the checkbox was checked, especially since the technical aspect is a bit in question (i.e. is this a case of security through obscurity).

From the same context point, the security definition would also hold. Because, while technically the address to their decklist was added to a public list sequentially, what the user feels is that their data, that they thought was protected, was exposed by someone that put together a program/script. So from that person’s (maybe limited) understanding of the technical aspect of how it was done, the word “hack” is a very accurate description. And saying it’s not, is not the most helpful.

I do agree that arguing about the definition seems to try to avoid the real impact of the action. (But, I’m not pointing a finger at Crush because he clearly stated he was being pedantic).

[Don’t get me started on the nth person that points out how meta/thematic/flavorful it is that something like this happened to a game about hacking.]

EDIT: Also, maybe not raise my comment to the level of hate speech?


I think we’re in broad agreement, but I took issue with assuming all usages of a word are equivalent independent of context.

And you’re right that it was a needlessly extreme example, apologies.


No problem. Thanks for saying.

I have seen and had conversations with people that understand the technical aspect that did appreciate how it was done and didn’t think it was a problem.