MadMarx wrote: ↑Sun Nov 25, 2018 5:27 am
jmo1121109 wrote: ↑Mon May 14, 2018 2:39 pm
there is still 1 vulnerability that makes breaking anon in non-gunboat games theoretically possible
Is that 1 vulnerability the .json site you posted as a player in the World Cup final public press game?
So, clearly this thread represents you, jmo, as the face of webDip’s altruistic efforts to make anonymity more difficult to break in anonymous press games. You solicit “top secret” info, privately (via PM), from the webDip community, on behalf of the webDip team, and use that privileged info to implement changes in the code for the benefit of all. In all your efforts, you say there is “1 vulnerability” to “theoretically” break anonymity, but as a member of the mod/admin/dev webDip team you admirably demonstrate restraint and do not reveal that 1 vulnerability... Until, as a player, in webDip’s most prominent anonymous full press tournament, you realize that the “top secret” info you have collected as a trusted and privileged member of the webDip team will give you an advantage (and will give your team an advantage, thus creating a disadvantage for the 100+ people that signed up for the tournament that are not on your team), then you feel it is appropriate to reveal exactly how to break anonymity in the global tab of your World Cup final game. How is that *not* a conflict of interest and/or an abuse of power?
Please note, nobody is accusing you of breaking the specific stated rules of the World Cup tournament.
While I respect your outlook, I find the accusations in it to be absurd, hypocritical, and untrue. So to address those points, let's get into it. I've known how to break anon for years. I found that link as a member over 5 years ago given to me by non mods who used it to break anon in gunboat tournaments. And unfortunately removing it proved to be impossible for me, ghug, and even Oli on vDip without also removing other key functionality. I'm also a technically skilled person so let me go through the "1 vulnerability".
That vulnerability is that games with press have timestamps and notification flags. So anyone in the game can watch and see when a new message comes in. Then you can go use any 1 of a million different methods of seeing if someone is online at the time. Check that link, check the new forum online indicator status, check their accounts on vDip, Playdip, Facebook, Discord, and any other site they have. You can make a computer program in 5 minutes 100% independent of the site to accomplish trolling all these data points and theoretically break anon public press game on the site. And since the entire code base is open source anyone with development skill can do this. Unfortunately we just don't have a solution for this. If you have one, or any ideas around it I would love to hear them, but this is why we've never guaranteed that anonymous games are actually anonymous unless they are gunboat games. You'll note I was very clear about that in this thread, to only specify that gunboat games were 100% secure.
I didn't need anyone on this site to explain to me how to break anon. There was exactly 1 way reported to me that I hadn't already thought of, and that 1 method was patched. But to be nice we gave members points anyway.
You'll also note that I specifically listed out what fixes were made, so the multiple people who were aware of that link would have known that this particular method was still available to break anon. We have documented proof that members have been using this link before and after the anon change. So if you want to make the counter argument that we should have posted the link here for everyone to see in order to be fair, then I would accept that argument as having some validity.
But as for people being at a disadvantage, I don't think so, in fact when I posted the link in that game you'll note at least 1 player replying saying they knew that was a risk and took measures to counter it. The teams in this tournament are actively engaging in anon breaking all across the board because it is common sense that timestamps mean non-ensured anon in a semi-anon tournament. In a random press game that is anon this risk really isn't a problem since there's so many people online at a given point the odds of narrowing down who's who declines drastically.
And then to your point that I abused my power by posting that link, that reasoning is backwards. If I had used that link and *not* posted it then arguing I'd been playing unfairly could have merit (it still wouldn't really because it's been used by non mods for years and I didn't learn it after I became a mod) but instead it went in a public press game where everyone in the tournament could equally access it. The hilarious part being, Balki always tries to hide his presence in anon games with stupid grammar errors and weird capitalization so I didn't even need to verify who he was. The link was posted so other people could. But I also could have said "hey everyone, go ahead and watch the online forum indicators and see who's online when Italy posts a message and repeat this a few times". Or whatever method your team used to break anonymity.
But to go more into your point that I have conflicts of interest in playing on things I've worked on, by that reasoning Kestas, myself, and A_Tin_Can should never be allowed to play a single game, because we've worked on nearly every part of the site and understand it better than most. We should also then record who goes to the GitHub site which is public and begin banning people from playing games if they look at how the anon code works, because they might also find this link (at least 1 person has this way). But that's ultimately silly. You'll also note that I won the game because of rather noobish tactical mistakes made by the players in it, not because revealing identity gave me 5 extra builds.
Now all that said, you having concerns is perfectly fine. Everyone with concerns on this website has the option to submit them to the owners. Someone on your team did, and I was investigated as I should have been. Both owners issued me a variety of questions, had me submit proof that I did not collect any info I used in this tournament from the anon changes, and then after an extensive investigation I was cleared. Though they did inform me that my chainsaw/rude press to Balki did reflect poorly on the site. And for that I have already apologized to him in the game. And am happy to do again here. My apologies if my rude press made him and your team uncomfortable. Just as I'm sure he's sorry for violating the rules with cheating accusations in the public press of that game.
But to continue with incorrect accusations about abuse of power when you don't have access to the facts, after you've been told those claims are wrong by the site owners, when you know other teams are breaking anon via a variety of methods, and when you know the Tournament Director gave his explicit permission to make the post I did in that game after quizzing me to make sure I hadn't abused my power, well it just comes off as odd and I question what purpose you're trying to serve with it that you feel the forum can give you that the owners' investigation did not. (If you haven't seen that please check with your team to figure out who reported me and ask them to share the results with you).
Hope that helps clear up some of those misunderstandings and incorrect claims!