SteamID Banlist Service: A discussion on handling repeat violators (aimed at Server Admins)

This has been tossed around before, but typically by people who haven’t thought it through and have no experience managing a service like this. I have gotten to the point where I’m willing to take this project on, starting with a small group of servers and expanding as popularity and demand require. I have almost 15 years’ experience designing and developing software applications, managing servers and databases, as well as creating and consuming APIs in various formats. However, to be successful I need the help of seasoned mod developers who work with Steam and are familiar with the caveats to poke holes and help develop this idea to meet their needs. My ideal goal would be to become a 3rd party service for hosting providers / individual owners running Steam-based game servers that want to crowdsource ban lists that can be easily imported/updated into existing tools.

Please keep in mind this is a conceptual discussion, not technical design, and assume best practices involving APIs would be used.

PROBLEM:
What this service is attempting to address is to provide the community with a list of SteamIDs that are associated with known repeat offenders. You cannot block by IP, but you can by SteamID. The paywall of $15 for the game prevents most from creating new Steam accounts, buying the game and coming back. Currently there are multiple hacks in the wild that are not caught by most programs and certainly not VAC. No service exists that allows an administrator to consume a constantly updating list of SteamIDs that can be filtered based on that server admin’s tolerance.

CHALLENGES:

  • Two-way trust. Admins have to trust the data in the service, and the service has to trust the data coming in.
  • Robustness. The service has to be able to mitigate the never-ending attacks that will be coming from those who will start to lose access to the game.
  • Accessing the list must be easy to implement
  • Entering data to the list must be easy to implement
  • The service must pay for itself or it’s not sustainable
  • SteamIDs can be spoofed, leading to false IDs even by the most trusted admins

HOW the service would address the challenges:

  1. Use of the service would have no barrier other than a fee
  2. Robustness is no problem as long as you use the right data center with appropriate counter measures against DDoS
  3. Accessing the list would be done via API
  4. Entering data would be done via API

The last two, SteamID Spoofing and Establishing Trust, are a bit more complicated. SteamID Spoofing is a real concern because of the previous flaw in the authorization, and possibly more. Supposedly it’s fixed from what I’ve read, but I’d like to explore this topic more. Establishing trust would require some thought as well.

HOW CONSUMING THE SERVICE WORKS
The foundation of the list would be based on aggregate numbers allowing server admins to set a threshold on request. A simple point system that increases as more reports come in, with the amount increased differing based on conditions. This allows for margin of error, and false reporting.

To extend this, each report will have a type that further allows an admin to set what kinds of people they want to exclude from their servers:

  • Hack/Exploit
  • Racism/Harassment
  • Underage (under 18)
  • Spamming
  • etc

A sample request would be “Give me everyone with a threshold over 5pts (arbitrary number here)”. Another would be “Give me everyone with a threshold over 5pts, but ignore underage”.

I’d probably use World of Tanks API website as a good example of documentation / testing / methods of authentication: http://na.wargaming.net/developers/api_reference/wot/account/list/

HOW SUBMITTING TO THE SERVICE WORKS
Whether through automated tasks or direct admin action, submissions to the API would require date/time (ISO format), User_IP, User_SteamID, User_Playername, Server_SteamID, Server_IP, Server_name, Server_AccountID (API related). The service would then take this line and apply it to a master list of SteamIDs using a customer trust modifier (CTM). The CTM is based on time as a customer, server lifespan, as well as a few other things.

OTHER API FUNCTIONALITY BY CUSTOMER

  • Query your entries (filter by date, etc)
  • Delete entries

What are your thoughts on this? If I get enough support I could have a development version up within a week for those interested.

Public ban lists are just dumb and whoever is running it can fuck everyone they don’t like over.

Please don’t ever make a system that bans people from playing on servers they’ve done nothing wrong on. This is what admins are for; to weed out the bad players and stop them from interfering with other people’s fun. 9 times out of 10 the system will be used by a lazy server owner who’ll just trust other people’s judgements since it probably won’t affect them. Since you can attribute “lazy” to the vast majority of GMod server owners, this can seriously screw up someone if they’re wrongly banned. It’s always a huge hassle to try to get unbanned from systems like this since I imagine most systems like this would degrade to the point where your moderators will dismiss all appeals, meaning a ban, regardless of where it’s from, or how “right” it was, will stop you from playing on most servers.
Most of all, you can’t trust server admins, especially not on GMod. All it would take is an admin with a grudge against a particular player to abuse their access to your system and that player would be unable to play on many servers (as I’ve explained above) for no reason in particular, especially since it’s almost impossible to prove each ban is valid.
Please no global bans - keep it to specific communities.

@Rotor2: Yes, public ban lists run by one individual are, but crowd sourced are not.

@Internet1001: I completely agree that many admins are “lazy” and a poorly designed system can easily allow 1 or 2 admins to unfairly label individuals incorrectly. Part of the design of the system will be to prevent a submitter from influencing the ban list beyond a certain point thus negating “angry admin” syndrome. Additionally, the design creates a way for each admin to decide for themselves what the threshold of activity and types of activity they want to avoid.

While you disagree with global bans, this is an opt-in service that helps the gaming community isolate the problems that are completely out of control right now. Many servers don’t have admins that can be on all the time and would much rather prevent the problems before they occur. Games such as Rust which have a continually developing environment and require large amounts of time be invested can be destroyed in an instant by this kind of individual. These individuals rarely keep their activity to one game and cause problems in almost every game they play.

You do bring up a good point though. With any ban system there should be a reasonable removal process. Most systems like these use time as their auto-removal process. It also makes systems like these more manageable as you get to kill off records after a while.

If you look at SpamHaus (email spam list), you have to be a good boy for a while to get off it. That’s how I’d like this system to work, but I need input as to what the appropriate time would be.

Would it make more sense to generate 7 day, 30 day, 90 day, and lifetime behavior scores and let time do its work?

Edit (24th October 2014):

@Internet1001: Additionally, we could add another field for Game, so that admins could decide to limit the results to only the specific game but again it would be their choice.

I’m a strong proponent that your reputation should follow you online. Sure you can have a bad night but how many bad nights should admins have to deal with the aftermath of?
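
The scoring discussed in the two posts above (points weighted by the customer trust modifier, a threshold with report-type filters, a limit on how far one submitter can move a SteamID, and 7/30/90-day/lifetime windows), as an added example that is not part of the thread or any poster's code. The CTM values, the per-submitter cap, the field names and the sample reports are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Every value here is an assumption for illustration, not from the thread.
PER_SUBMITTER_CAP = 2.0  # most points one server account may add to one SteamID
WINDOWS = {"7d": 7, "30d": 30, "90d": 90, "lifetime": None}
CTM = {"A": 1.5, "B": 1.0, "C": 0.5, "D": 1.5, "E": 1.0}  # customer trust modifiers
NOW = datetime(2014, 10, 24, tzinfo=timezone.utc)

def score(reports, ctm, now, window="lifetime", ignore_types=()):
    """Return {steamid: points} over the chosen window, minus ignored types."""
    days = WINDOWS[window]
    cutoff = None if days is None else now - timedelta(days=days)
    capped = defaultdict(float)  # (steamid, submitter account) -> points
    for r in reports:
        when = datetime.fromisoformat(r["when"])
        if (cutoff is not None and when < cutoff) or r["type"] in ignore_types:
            continue
        key = (r["user_steamid"], r["server_account_id"])
        # Unknown submitters carry no weight; repeat reports stop at the cap.
        weight = ctm.get(r["server_account_id"], 0.0)
        capped[key] = min(PER_SUBMITTER_CAP, capped[key] + weight)
    totals = defaultdict(float)
    for (steamid, _account), points in capped.items():
        totals[steamid] += points
    return dict(totals)

def over_threshold(reports, ctm, now, threshold, **filters):
    """'Give me everyone with a threshold over N pts', optionally filtered."""
    scores = score(reports, ctm, now, **filters)
    return sorted(s for s, p in scores.items() if p > threshold)

def rep(steamid, account, rtype, days_ago):
    """Build one constructed report with an ISO 8601 timestamp."""
    when = (NOW - timedelta(days=days_ago)).isoformat()
    return {"when": when, "user_steamid": steamid, "type": rtype, "server_account_id": account}

# Constructed sample: one admin reporting 5 times, 5 servers agreeing, an underage case.
REPORTS = (
    [rep("STEAM_0:0:111", "A", "hack", d) for d in range(5)]
    + [rep("STEAM_0:0:222", a, "hack", 20) for a in "ABCDE"]
    + [rep("STEAM_0:0:333", a, "underage", 3) for a in "ABDE"]
    + [rep("STEAM_0:0:333", "C", "hack", 3)]
)

if __name__ == "__main__":
    print(over_threshold(REPORTS, CTM, NOW, 5))
    print(over_threshold(REPORTS, CTM, NOW, 5, ignore_types=("underage",)))
    print(over_threshold(REPORTS, CTM, NOW, 5, window="7d"))
```

The single admin who files five reports against one player contributes only the capped 2.0 points, so that player never crosses a 5-point threshold without other submitters agreeing.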

I’m already working on a Global Banlist API with Riekelt cause you know, I totally shouldn’t be working on EuRoleplay right now. If you want to join in give me a PM.

You could do something along the lines of what FraudRecord for hosting providers does; it’s basically a central database that webhosts can submit data to regarding customers, without breaking privacy policies and such.

Maybe make a service that when you ban someone you have the option of anonymously submitting their data to the service and letting other admins pull that data out when dealing with someone? Sounds like a better option than just a flat out blacklist (to me anyway).