This has been tossed around before, but typically by people who haven’t thought it through and have no experience managing a service like this. I have gotten to the point where I’m willing to take this project on starting with a small group of servers and expanding as popularity and demand require. I have almost 15 years experience designing and developing software applications, managing servers and databases as well as creating and consuming API’s in various formats. However to be successful I need the help of seasoned mod developers who work with Steam and are familiar with the caveats to poke holes and help develop this idea to meet their needs. My ideal goal would to become a 3rd party service for hosting providers / individuals owners running steam based game servers that want to crowd source ban lists that can be easily imported/updated into existing tools.
Please keep in mind this is conceptual discussion, not technical design and assume best practices involving API’s would be used.
What this service is attempting to address is to provide the community with a list of SteamID’s that are associated to known repeat offenders. You cannot block by IP, but you can by SteamID. The paywall of $15 for the game prevents most from creating new steam accounts buying the game and coming back. Currently there are multiple hacks in the wild that are not caught by most programs and certainly not VAC. No service exists that allows an administrator to consume a constantly updating list of steamid’s that can be filtered based on that server admins tolerance.
- Two-way trust. Admins have to trust the data in the service, and the service has to trust the data coming in.
- Robustness. The service has to be able to mitigate the neverending attacks that will coming from those who will start to lose access to the game.
- Accessing the list must be easy to implement
- Entering data to the list must be easy to implement
- The service must pay for itself or it’s not sustainable
- SteamID’s can be spoofed leading to false ids even by the most trusted admins
HOW the service would address the challenges:
- Use of the service would have no barrier other than a fee
- Robustness is no problem as long as you use the right data center with appropriate counter measures against DDoS
- Accessing the list would be done via API
- Entering data would be done via API
The last two, SteamID Spoofing and Establishing Trust are a bit more complicated. SteamID Spoofing is a real concern because of the previous flaw in the authorization, and possible more. Supposedly it’s fixed from what I’ve read, but I’d like to explore this topic more. Establishing trust would require some thought as well.
HOW CONSUMING THE SERVICE WORKS
The foundation of the list would be based on aggregate numbers allowing server admins to set a threshold on request. A simple point system that increases as more reports come in, with the amount increased differing based on conditions. This allows for margin of error, and false reporting.
To extend this, each report will have a type that further allows an admin to set what kinds of people they want to exclude from their servers
Underage (under 18)
A sample request would be “Give me everyone with a threshold over 5pts (arbitrary number here)”. Another would be “Give me everyone with a threshold over 5pts, but ignore underage”.
I’d probably use World of Tanks API website as a good example of documentation / testing / methods of authentication http://na.wargaming.net/developers/api_reference/wot/account/list/
HOW SUBMITTING TO THE SERVICE WORKS
Whether through automated tasks or direct admin action, submissions to the API would require date/time (ISO format), User_IP, User_SteamID, User_Playername, Server_SteamID, Server_IP, Server_name, Server_AccountID (API related). The service would then take this line and apply it to a master list of steamid’s using an customer trust modifier (CTM). The CTM is based on time as a customer, server lifespan, as a few other things.
OTHER API FUNCTIONALITY BY CUSTOMER
- Query your entries (filter by date, etc)
- Delete entries
What are you thoughts on this? If I get enough support I could have a development version up within a week for those interested.