NetrunnerDB Exploit and How to Protect Yourself

It’s not, at least not under traditional U.S. definitions—lists of things, like recipes, address and telephone books, etc, are not protected. The jokey meme-laden writeup next to the list? That’s afforded protection, though, so knock yourself out!

Agreed :slight_smile:

1 Like

As another participant in the West Coast team, I want to repeat that this was a Wrong Thing to do.

I have had a hard time finding the right words for this. I’m not particularly active on public fora, so I keep wanting to present myself well. I keep wanting to explain how it happened. But explanations sound like excuses, and our behaviour is not to be excused. I don’t think I can make things whole again, but I’d like to do what I can to make amends. I’ve started with donating to NRDB; it’s the least I can do, for all the crap we’ve burdened @Alsciende with.

For my part, I want to admit to my failure to take this matter seriously. My actions and inactions were inconsiderate and damaging, and for that I apologize.

22 Likes

I personally think that’s enough of a safeguard. After all, the objective of the scraping was to snipe specific players’ deck tech. Not knowing whether the deck belongs to Dan who won 2 Worlds or me who won two 8-person tournaments makes ALL the difference!

Thanks for your swift response and all your hard work! :slight_smile:

Yeah, I’d forgotten that there are names attached to the decklists. I’d never noticed it before…

I’m not sure if I think decklists should be public by default, since I’ve come from MtG where decklists are published and pushed as a sort of gamble that the list will be correct and win the tournament(s). Those who publish correct lists gain esteem and can command more attention for future writings they have about the game.

But Netrunner cares very much about the specific contents of the list. I believe this is because of two main reasons: bluffing is a core part of the Corp’s game, and there is a lack of sideboards or ‘best of X’ matches. Neither of these is realistically changing any time soon, so having secret decklists is probably where we’re going to be for the discernible future. (If you know the Corp has zero non-Agenda installables, you can literally run everything they install in a remote. Sideboards add mystery, ‘Did they bring this in…?’, for any particular match, but honestly we take long enough with just two games.)

Bringing this back to OP… I’m against the scraping of non-Published decklists. I think that doing it without having knowledge of who or when the decklist was posted probably doesn’t give any real insight or advantage, but just Not Doing It is probably the best course of action.

I’ll change my stance on this if the community becomes incredibly secretive and it becomes difficult to find decklists for major tournaments, because I feel those are incredibly useful. Still, scraping things for Future Tournaments is pretty much always going to be Not Good.

The amount of complaint here is insane - the whole point of the feature is to make something easily accessible by whatever person is given the link - that means that by default it’s going to be parseable…

Also… “damaging to the community” and accusations of this being “cheating” are stupidly hyperbolic. It’s a game. No money is on the line. Scouting decks is a known thing - we turn in decklists before events, so people will know what your “secret tech” is. Take it down a notch - it’s a game.

@vampire0 - Have you read the comments by those who were actively involved in executing this above?

5 Likes

4 Likes

I’m more than comfortable saying that “having players’ privacy violated” should not be part of Android: Netrunner. In fact, I firmly believe it should not be part of any game.

[quote=“Arthur_Barnhouse, post:62, topic:9305”]No one is arguing that this is a violation of FFGOP policy or something.
[/quote]
It is indeed a violation of FFG Organized Play rules and, if not, should be.

Unsporting Conduct

Unsporting conduct is not limited to occurrences which happen during an event. It can extend to the time before and after the event, as well as digital spaces. Unsporting behavior includes:

• Collusion

• Encroaching on a participant’s personal privacy or safety

I truly appreciate your apology and bowing out of the tournament, phette23.

7 Likes

lol.
Netdecking cannibalizing itself.

I couldn’t even imagine people attending Worlds lacked the skill to throw a medium list from c2rb to now. This is pathetic.

To those guys, why are you going there? You take player slots bringing clone draft decks to what should be the tournament with the most innovations the game ever had :confused:

1 Like

Movie making is not a game of hidden information, that’s quite the opposite.

Copying a movie doesn’t remove anything from anyone.
Copying a private list removes exclusivity from the author and steals credit if the list goes far.

That is where your analogy stops.

A better analogy, I think, is doping in sports. Take a champ, feed him with strengths he shouldn’t have, and have him run in a competition.

Since when does this happen?

With regard to not only this latest little shitshow but the ones that happened before, I really appreciate how this is a community in which people who cross lines are a) called out on their behavior, and b) tend to take responsibility for their actions and are sincerely contrite.

The way that netrunner players behave is excellent even when they’ve behaved poorly. Thanks to everyone for making it a mature and positive community come what may.

19 Likes

One of the more troublesome parts of this issue is that a probable outcome (if FFG does something because of this) is another crackdown on other deckbuilders. This is why I hope that people don’t go directly to FFG-OP, even if they feel that they want them to know. This is in no way a justification for what’s been done, which I feel falls on the deep end of Unsportsmanlike Conduct.

1 Like

What about the magnanimity of those willing to let people play in KOS, despite their crimes?

15 Likes

You’re okay.

5 Likes

This statement is on behalf of my KOS team, the rest of whom are @d1en, @jdeng, and @samrs.

First of all, people are calling this a “hack” or an “exploit”, which is more sensational than it needs to be. The trick is simply that you can take the deck ID number in the URL of an unpublished deck and increment or decrement it to find other unpublished decks created near the same time. The truth is that we are not innocent of this trick, so I want to share exactly what we did.

We 4 became aware of the trick last Friday and learned that other teams were using it for playtesting purposes, and immediately agreed that that was unsporting, although a gray area whether outright cheating. Sam spent 20 minutes trying various deck ID URLs by hand and found 5 decklists. I then wrote a 20-line script to do that automatically and print the author names, and ran it long enough to find 18 deck IDs from players I recognized. I looked at the decklists long enough to confirm the script worked, but didn’t study them, and don’t remember any of the contents now. Jason read my script to see how easy the trick was, at which point we realized we should absolutely not use these results for playtesting. Dien in particular steered us to the right path here and it’s largely to his credit that we stopped short of studying the decklists. Basically, we decided that rather than complicitly entering the world of “well, other teams are doing it so we should too”, we should instead level the playing field by trying to fix the vulnerability.

Jason and I then discussed what kind of change to NRDB would prevent decklist scraping. The simple answer is to “salt” the URLs; i.e., append a random string of digits to the deck ID that can’t just be guessed by incrementing a number. Sam began warning other deckbuilders who were likely affected to make their decklists private, and Jason told Alsciende about the trick, who implemented a temporary fix to at least hide the author names on unpublished decks. Jason then wrote a pull request to salt the URLs, which should be applied soon (the remaining issue is to decide whether it should apply to all decklists and break old links, or to future decklists only).

I watched the conversations on slack in the aftermath and some people seem to be under the impression that we scraped decklists as a proof-of-concept that was a necessary step in diagnosing and fixing the vulnerability. That is totally wrong – as I said in the first paragraph, it’s just basic addition at the heart of the trick, and a little bit of web security knowledge to decide how to fix it. There was no need to actually scrape decklists. I wrote our proof-of-concept script for no reason other than thoughtless curiosity. I want to stress that we did not study any decklists we scraped for playtesting purposes, but I still absolutely regret that we violated people’s expectation of privacy by running the script at all, and for that I apologize. I hope we can make things right by collaborating with Alsciende to make NRDB more secure in the future.

21 Likes
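The fix bblum describes above (a random, unguessable token appended to the sequential deck ID, so that knowing one unpublished deck’s link tells you nothing about the decks created just before or after it) as an added Python illustration. This is not NetrunnerDB’s own code (which is PHP/Symfony) and not the pull request mentioned in the post; the `Deck`/`DeckStore` classes, the `/deck/view/<id>/<token>` path layout and the `legacy_cutoff_id` option are assumptions made for the example. It also shows the trade-off raised in the post: applying the token to all decklists breaks old share links, while applying it to future decklists only leaves the older ones enumerable.

```python
"""Capability-token ('salted') deck links, as a defender-side illustration.

Assumed model: decks get sequential integer IDs (as on the page), and an
unpublished deck is meant to be viewable only by its owner or by someone
holding the exact share link.
"""
import hmac
import secrets
from dataclasses import dataclass, field

# 128 bits of randomness: incrementing a number cannot land on a valid token.
TOKEN_BYTES = 16


@dataclass
class Deck:
    deck_id: int
    owner: str
    published: bool
    cards: list
    # Hypothetical field: random URL-safe token issued once, at creation time.
    token: str = field(default_factory=lambda: secrets.token_urlsafe(TOKEN_BYTES))


class DeckStore:
    """In-memory stand-in for the database; IDs are sequential on purpose."""

    def __init__(self, legacy_cutoff_id=None):
        # Option from the post: decks with an ID below the cutoff keep working
        # with the old token-less link (so nothing breaks, but they remain
        # enumerable). None means every unpublished deck needs its token.
        self.legacy_cutoff_id = legacy_cutoff_id
        self._decks = {}
        self._next_id = 1

    def create(self, owner, cards, published=False):
        deck = Deck(self._next_id, owner, published, cards)
        self._decks[deck.deck_id] = deck
        self._next_id += 1
        return deck

    def share_url(self, deck):
        # Old, guessable form was /deck/view/<id>; the salted form adds the token.
        return f"/deck/view/{deck.deck_id}/{deck.token}"

    def view(self, deck_id, token=None, viewer=None):
        """Return the deck, or None if the caller is not allowed to see it.

        Published decks need no token. Unpublished decks are returned to the
        owner, to a holder of the exact token, or (legacy option) to anyone if
        the deck predates the cutoff. A wrong token gets the same None as a
        nonexistent ID, so the response does not reveal which IDs exist.
        """
        deck = self._decks.get(deck_id)
        if deck is None:
            return None
        if deck.published or viewer == deck.owner:
            return deck
        if self.legacy_cutoff_id is not None and deck_id < self.legacy_cutoff_id:
            return deck  # old link still honoured; still enumerable
        if token is not None and hmac.compare_digest(
            token.encode("utf-8"), deck.token.encode("utf-8")
        ):
            return deck  # constant-time compare: no timing side channel on the token
        return None


if __name__ == "__main__":
    # Constructed sample data.
    store = DeckStore()
    mine = store.create("alice", ["Sure Gamble", "Diesel"])
    print("share link:", store.share_url(mine))
    print("bare ID, no token ->", store.view(mine.deck_id))          # None
    print("with token        ->", store.view(mine.deck_id, mine.token) is mine)  # True
```

Design note: the token is checked in addition to the ID, not instead of it, so the existing integer IDs and database keys can stay as they are; only the share link and the lookup change. Hiding author names, the temporary fix mentioned in the post, reduces what an enumerated page reveals but does not stop the enumeration itself; the token does.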

decklist espionage? How exciting. It’s almost like Netrunner is a real card game.

How did all this come to light in the first place? I’ve heard mentions that “someone” put something in their decklist that let them see if people viewed it, but no details about why they would do that.

Sensational or not, this little trick is indeed a hack. Most hacking is looking at what someone didn’t bother to secure, be it unknown URLs, weak passwords, or asking users to reveal their login credentials.

Hacking isn’t like movies where mystical tricks and high-powered computers are used to ‘crack’ equally magical cyber-defenses. Usually the most sophisticated program that is needed is one that queries for information repeatedly, quickly logs and identifies the contents, and finds what may be a target of interest to the attacker, which is exactly what your script did. There are no Ichis or Mimics involved, just knowledge or an assumption of how a system works and how it may allow access to information that you would not normally be privileged to.

Being a hack doesn’t make the activity nefarious; the morality is more tied to your intentions and how you acted with the data. But at the end of the day, this was a hack, no more and no less. In a low-security system there isn’t anything more to it than this. A common problem we face in wider society is that a lot of high-value information is often stored in a low-security system.

I don’t want to make this sound better or worse than you said it was, I just wanted to point out that this is everything that a hack typically is.

12 Likes

I’m just surprised this happened, but at least I now have an explanation of why half of the WC2015 Corp decks were Dan’s purplecoat clones, more or less one card (if that hack is old enough).

My exact reaction is this smiley :confused: not this one :frowning: or this one :joy: or this one :sweat:
If I were elite I’d be :sob:

In fact, I’m quite happy this is finished and people have to rely on their own building skills.

I’d ask @Alsciende to punish the robot and send them my decks (or any fancy Johnny you know about) :slight_smile:

1 Like

Thanks, @bblum for working with Alsciende to close the hole and salt the URLs. And you should thank @d1en for being the voice of reason and talking you guys out of doing something shameful with the information. He saved you from the same vitriol that is going SF’s direction.

5 Likes