Okay, now if you really want to impress me, pretend you work for reddit and write some code that would catch this kind of script and give it "cheater" flair.
People I think all these "cheater traps" are unimportant, because there's actually no "significant advantage" to using a robot. It isn't going to make you more likely to beat human players, only allow you to stay on there longer at lower cost to you.
This is because two things: 1) the userbase size, and 2) the userbase behaviour.
Because the userbase is so large, there's always going to be some people on there, meaning even with a robot you always have some competition.
So the only thing a robot will allow you to do is potentially have better reaction times than a human, however, this is also invalid when you consider that it's likely people are not trying "hit" a particular countdown number they're "aiming for" but rather simply pressing the button when their "threshold" for waiting any longer is exceeded.
Wit enough people this is probably well modelled by a random process, with clicks coming essentially randomly over time with some weighting to increase the closer you get to zero. So even a "reflex reaction" is not going to outbeat a horde of random clickers. The robot is really only competing with itself, how fast can it check and how fast can it click after determining the person it's working for's risk/reward utility threshold has been crossed?
So having a robot to play for you is not going to allow you to cheat, only to spend your time dong something more constructive for humanity than clicking a button :)
Maybe I'm missing something here, and I still don't see a way to cheat that actually has significant chance of beating others ! :)
> So having a robot to play for you is not going to allow you to cheat, only to spend your time dong something more constructive for humanity than clicking a button
In other words cheating since "normal" players need to spend their time doing that while you can have it on 24/7. I don't understand how you can say it doesn't make you more likely to beat human players. You increase your chances of getting the orange flair by magnitudes.
Consider this, if there's 10 human players you're competing against and they take turns occupying 2.4 hour spots, will those players essentially cover the entire space 24/7?
As far as you are concerned the rest of reddit may be either 10million human players, or 1 million robots, can you tell me who you are playing against? I'd say to you, it's the same.
Now, in a two player tournament, yes, using a robot gives you an advantage because the opponent probably has less stamina than your robot.
But in a competition involving thousands of people, there's really no advantage over any one person because the greatest force on any individual player is the sum of all other players against them, not one player with a robot. Do you think that sounds reasonable?
So the way I see it using a robot is really only a way to make things more comfortable for yourself, just like driving coast to coast is probably more comfortable and likely less time consuming than walking. It's not unfair to walkers, you're not stopping them from walking coast to coast. The only thing that might stop walkers is their stamina.
So while it's true that the reddit case does exhibit scarcity and competition for that (there's only so many click spots per reset), whether people are playing with robots or flesh doesn't make any difference to you, because wherever you are, at whatever time, there's always someone else there with you. It's somewhat ludicrous to think that you will have an advantage if it's all people because say at 2:14 am August 29th, 2015, all 2927 other people are all dozing off just at the same moment that the counter gets to 19 seconds and you push it. I mean, does that sound likely?
Not really, right, because there's always going to be people just alert as you. And robots don't really give you any more grief than people.
It's an interesting argument, and there's probably more to it. I'm sure I'm missing something, and thanks for giving me something to bounce off.
Hey, maybe you can try out a Chrome Ext robot yourself :)
Right, but also you can't try again, and only old accounts can do it. So once your bot fires the button, you're done, the bot isn't ruining it for anyone any more
Another way to think of it is this : there's no orange flair so far, because the pressers haven't let it get below 21. Getting orange is dependent on what the collective does, a robot isn't going to help you beat that, only let you be there when it finally goes down without having to neglect your life in the meantime.
Inside the click handler for the button use `new Error().stack`. You should be able to determine if it's a legitimate event from the stack trace.
Ultimately, though, someone could just use HTTP instead of monkeying about with scripting in the browser. You could only deter this by serving up a new JS file every day that has a new way to e.g. calculate a checksum on the button click. Ultimately people are going to find a way to cheat no matter what you do. If this is a social experiment that is a result, too.
What I'd probably do would be to have the JS in the button capture some user driven events such as mouse positions and click characteristics. If they had great foresight, they could have already been doing this for the previous 700k clicks.
With a reasonably sized observation pool, they could compare subsequent clicks and detect outliers.
I think it would be hard to circumvent since people attempting to reverse engineer wouldn't have the observation pool to know what signals Reddit admins were modeling. The biggest downside I can think of is that there would be some delay before calling out a cheater depending on the reliability of the model.
The client side JS could detect the lack of an event capture payload and warn legitimate users after they unlock but before they click so they wouldn't be flagged due to browser incompatibility or JS restrictions from a security policy or privacy extension.
Monkeypatch setInterval/setTimeout to mark people as cheaters. The more dedicated cheaters will hit the button API outside of the browser, which is pretty hard to stop.
The button presses are communicated over a websocket. You could make your own websocket client and communicate however you want to, such as listening to time updates and sending a click when it reaches a certain treshold.
Monkey patching setTimeout / setInterval would allow you to detect when people were running timers on the page. Use of timers could generally be considered "cheating."
It doesn't do anything to intercept people pushing the button.
window.setTimeout = function setTimeout(fn, ms) {
alert("No you don't, cheater!");
assign_button_color_of_shame();
original_setTimeout(fn, ms);
}
Which is very, very easily worked around by including another version of the original setTimeout in your console code.
The only real way to detect this is through usage pattern analysis and detection on the web socket side, because if you can write something in JS that catches people, someone can make minor modifications to their code to make it work again.
Just to be clear - this wasn't my original idea and nobody should ever put any security code into a client. Even if you could make this work someone could recompile Chrome to work around it.
I've found a way to get access to the original setTimeout again by embedding an iframe into the page and extracting it from there.
Would be interested in hearing other methods of getting a handle to the original setTimeout again.
I guess you could simulate it by using some other mechanism, say firing off an async request to a server that returns after a certain time and running a callback.
var cheaterFunc = function () {
console.error('cheater!');
// report cheater to server somehow...
};
$('*').each(function (i, el) {
if (el instanceof Object) {
Object.defineProperties(el, {
innerHTML: {get: cheaterFunc},
innerText: {get: cheaterFunc}
});
}
});
...and of course to defeat this, you could simply use a tampering proxy to prevent this javascript from making it to the browser.
(There are probably other ways to get the value of each digit with javascript, but you should be able to just add cheaterFunc to each of those. .childNode, change the style to use a custom font where each number has a different, predictable width and test .offsetWidth, etc.)
There isn't much you can do if the "cheating" happens client side, because the cheater has complete control there. At most you can obfuscate it by e.g. rendering the button in a canvas element and/or including a checksum and change the js files frequently like people here mention, but again, that will be just obfuscation, not real security.
