Efforts to curb botting that could impact Intel operators, maybe. Sill worth the read

Efforts to curb botting that could impact Intel operators, maybe. Sill worth the read

Originally shared by Gavin Treadgold (rediguana)

Botguard and Ingress
Some idle research and speculation for my own curiosity

For those that aren’t aware, some Intel website users have recently started receiving Opps… Something went wrong… error messages, and Intel fails to load any data. This has been linked back to the recently addition of some Google security and anti-bot code that has been added to the Ingress web site.

What is botguard?
Thought I'd do a little more searching for information just to find out what may be happening. Of note, botguard appears primarily designed to both track and prevent bot creation of Google accounts.

I first found a good Stackoverflow answer[1] that discusses botguard in some detail. A Google Engineer who worked on signup and login security, posted[1] on a bug ticket on Github for Zombie - a headless browser testing tool - and had this to say:

Please do not attempt to automate the Google signup form. This is not a good idea and you are analyzing a system that is specifically designed to stop you. There are no legitimate use cases for automating this form. If you do so and we detect you, the accounts you create with it will be immediately terminated. Accounts associated with the IPs you use (ie, your personal accounts) may also be terminated.

This same engineer, Mike Hearn, more recently posted[3] on the moderncrypto.org mailing list a little history about Google’s war against spammers with Gmail and fake accounts. 

Between about 2006 (open signups) and 2010 a lot of the anti-spam work involved building a spam filter for account signups. We did a pretty good job, even though I say so myself. You can see the prices of different kinds of "free" webmail accounts at http://buyaccs.com (a Russian account shop). Note that hotmail/outlook.com accounts cost $10 per thousand and gmails cost an order of magnitude more…

There's a significant amount of magic involved in preventing bulk signups. As an example, I created a system that randomly generates encrypted JavaScripts that are designed to resist reverse engineering attempts. These programs know how to detect automated signup scripts and entirely wiped them out

Of note in the spam war, is that Mike believes that a lot of the victory came down to assigning reputations to users/accounts - 100 being completely trusted, and 0 being completely untrusted.

So, we know that botguard was recently added to the Intel website. What possible benefits could this service provide to the world of Ingress?

Botguard was designed in Google to prevent scripted Google Account creation. Bot and throwaway accounts are, I think we’ll all agree, a significant problem in Ingress. Since Ingress uses Google Accounts, it has already been protecting us from even more bot accounts than we currently see.

Botguard is likely calculating a reputation for all of us now - we have an Ingress reputation score. This will likely be calculated by our actions using the Intel website (the more we do bot-like things, the lower our reputation becomes), is the account verified or not, and possibly even how many different Ingress accounts are accessing Intel from the same IP. 

Botguard also appears to be able to track associated accounts. This means that Ingress accounts that are levelled up to 8, and then sold, will be tracked back to the source, and likely ALL accounts associated with that source will be able to be quickly deleted and all of that persons Google Accounts blocked. It also means that it may get easier over time to identify multi-accounters using botguard. 

Let me repeat from Mike Hearn’s post[2] on zombie@github.

If you do so and we detect you, the accounts you create with it will be immediately terminated. Accounts associated with the IPs you use (ie, your personal accounts) may also be terminated.

Innocent Casualties - The Intel Operator
The biggest downside since botguard was enabled however, has been, what I assume is, the lowered reputation of agents that use Intel at levels greater than the average user. As an agent that has been on intel for operations, using both vanilla and IITC, I can completely sympathise with those operators that are getting the Opps… Something went wrong… message that I assume is botguard lowering agents reputation score for heavy Intel website use, and instituting a temporary cool down. 

I can only hope that this is false positive flagging of operators is temporary whilst botguard is trained for both good and bad intel behaviour. The challenging part is that some operator behaviour can closely mimic intel bots/scrapers.

Conclusions
It is interesting that most of this is occurring between anomalies, which is a good time to roll it out, test it, and hopefully tweak the reputation scoring for Intel use before we get too deep into Darsana. I don’t expect we’ll hear anything from Niantic on this issue, as they will be tweaking the dials behind the scenes, and as they have always communicated in the past, issues relating to bots, spoofing, multi-accounts and the like are not very rarely discussed publicly. I expect all we will see is that Intel operators will find that they hit the ‘botguard wall’ less and less frequently.

Botguard could provide (arguably already is) a lot of benefits to agents that play Ingress respecting the Agent Protocol, Community Guidelines and Terms of Service. 

These could include:

+ Botguard has for some time made it harder to script the creation of new Google Accounts - which is required for the bots we’ve all encountered. Anything that raises the barrier of entry to creating multiple Google Accounts, whether for bot’ing or multi-accounting, is a good thing.

+ Botguard will likely put an end to the many variety of scripts that are used to scrape and monitor aspects of the Ingress world via the Intel website. I expect that in the near future, those with Guardian tracking/hunting scripts will increasingly be blocked, and if they are foolish enough to have their scraping account in anyway associated with their actual Google Account (say by having the script Google Account created on the same IP address as your agent Google Account), then they could well face identification and bans.

+ If botguard is plugged into the actual Server that the Scanner interacts with then our agent reputation could also be scored based on Comm messages. This makes a lot of sense as we’ve all seen the traders spamming their wares in Comm. There may even be some nice side effects of lowering the reputation of agents that  lack positive communication skills in Comm that may eventually flag them for warning by Niantic support, and temporary or permanent bans.

+ The Scanner could even have a botguard handshake to help protect against modified/cracked clients - again attacking the GPS spoofers, and the bots that utilise cracked and modified clients.

+ Even the speed restriction (Hack acquired no items, XMP missed all resonators et al) could well be linked and may contribute towards the overall reputation of an Ingress account.

+ There are of course likely to be ways that could improve the reputation of accounts as well. Bro, do you even glyph? What about Missions? How shiny are your medals? Still slogging through the higher levels? Even minutiae of Agent statistics may end up giving positive bumps to your Agent reputation - anything that discerns valid Ingress accounts from bot farmers. This is where I’d love to see the ability to +1 other agents profiles directly in the scanner. Building up a web-of-trust, in the scanner, that could be used as one of many other factors in determining an accounts reputation would be a nice step.

So I guess, all things considered, the incorporation of botguard into Ingress potentially holds a significant number of benefits in the mid term for helping to deal with a number of problems that many of us have complained about for a very long time. I don’t expect it to be a panacea, but it could, and should, make life a lot harder for all those that are trying to game the system rather than play the game.

I do sympathise with the operators currently impacted and I expect this will come right sooner rather than later.

I think we need to be thanking Niantic though, as botguard has the potential to significantly raise the ‘costs’ associated with a lot of negative behaviours that we raise on a day-to-day basis here on G+.

So well done Niantic, I imagine I and many others look for to reaping the silent rewards we may reap in the not-to-distant future. Good work :)

#Ingress   #botguard   #OopsSomethingWentWrong   #IdleSpeculation   #Darsana  
Brian Rose Joe Philley Brandon Badger Anne Beuttenmüller John Hanke 

[1] http://stackoverflow.com/a/26006978
[2] https://github.com/assaf/zombie/issues/336#issuecomment-5820488
[3] https://moderncrypto.org/mail-archive/messaging/2014/000780.html?hn