Parcel level bot detection


You are about to reply to a thread that has been inactive for 247 days.

Please take a moment to consider if this thread is worth bumping.

1 hour ago, Coffee Pancake said:

Assuming ..

  • That LL will elect to do anything when an account is reported as a bot (it's not like we haven't been reporting them for years to no effect)
  • That we can ever know the conditions required to produce an actionable outcome.
  • That there even is an actionable outcome.
  • That Accounts with mixed uses or using the standard Linden client can ever be considered a bot.

 

 

Sure. But all of that can be said about anything related to governance in SL (and a great deal regarding the platform besides). We don't have any way of compelling LL to enforce its own rules: the best we can do is hope that they will.

In the meantime, though, LL has explicitly asked that we report unregistered bots. And they have now given us a tool that will help enable that.

They've also, at last, made it possible to enforce a ban on bots on mainland parcels. I expect that there will be new security systems, or updates to old ones, that will incorporate this. And that's a good thing, in that it empowers landowners.

As for "mixed use" accounts. Well, as the doctor proverbially says to the patient who tells her that it hurts when they "do that": "So, don't do that!"

  • Like 5

I've decided to make my simple scripted agent detector freely available to anyone from my Marketplace page (I don't sell anything there, all the items are free).  If anyone wants a copy, the link is here:

https://marketplace.secondlife.com/p/Graven-Hearts-Scripted-Agent-Detector/24957216

 

Edited by Gabriele Graves
  • Like 2
  • Thanks 3

6 hours ago, Scylla Rhiadra said:

And they have now given us a tool that will help enable that.

Yay for LL finally doing that for us Mainlanders too...I mean such feature is YEARS OVERDUE. I agree with Scylla's post in general but...

(imagine quote here haha I hate mobile) Actually not... they have sadly only given us a way to detect registered bots, I wish they had a way to detect bots in general plus their status. 

I mean it's possible to detect the membership status of residents ...or the online status no matter how often we try to hide that...why is it not possible to detect the status of a bot as registered \ non registered is beyond me.

Bots kinda have more privacy than actual residents 😂

PS: @Scylla Rhiadra I hope you have an awesome day and please make sure to drink and rest enough during the hot days 💜

 

  • Thanks 1

5 minutes ago, Gwin LeShelle said:

Yay for LL finally doing that for us Mainlanders too...I mean such feature is YEARS OVERDUE. I agree with Scylla's post in general but...

(imagine quote here haha I hate mobile) Actually not... they have sadly only given us a way to detect registered bots, I wish they had a way to detect bots in general plus their status. 

I mean it's possible to detect the membership status of residents ...or the online status no matter how often we try to hide that...why is it not possible to detect the status of a bot as registered \ non registered is beyond me.

Bots kinda have more privacy than actual residents 😂

PS: @Scylla Rhiadra I hope you have an awesome day and please make sure to drink and rest enough during the hot days 💜

 

The problem is that there really isn't any easy or foolproof method for detecting unregistered bots. Nothing really distinguishes them from ordinary accounts except their behaviour.

I think one could probably produce an algorithm that would detect behaviours consistent with a bot. Say, traveling rapidly to a number of apparently random regions, staying for a very short length of time -- just enough needed to run the scripts that are harvesting data. But monitoring for that kind of behaviour across the grid would be a Herculean task.

Age of the bot isn't necessarily a giveaway: there are some bots running around now that are several years old. Nor is an empty profile or a throwaway name, as someone who seriously wanted to hide their bot from detection could easily spoof a real account.

I assume, but don't know for a fact, that LL might also have a means of detecting what actual scripts an account runs: that would be the closest thing to "definitive" proof that I can think of. But even that might produce false positives. If you're using some form of scripted radar, for instance, or even the "What Is She Wearing" HUD, you're using LSL functions also often employed by bots. So any attempt to detect unregistered bots by script use would have to be fairly sophisticated to distinguish how the scripts were being used.

If LL had a means of identifying unregistered bots, they could simply sweep the grid clean of them. And because they don't, neither do we. On an individual basis, even I can probably determine with a reasonably high (but not definitive) degree of certainty that account Iamnotabot.resident probably is one, based on observation and deduction, but there's really no way to systematically detect them -- and so no means to program a script to boot or ban them.

And thank you, I had a lovely day, despite swimming through clouds of smoke from wildfires to the east and north of me! Keeping cool is less a problem at the moment than simply breathing without coughing, but this too will pass! I hope that conditions are a bit more comfortable where you are!

  • Like 2

7 hours ago, Scylla Rhiadra said:

I expect that there will be new security systems, or updates to old ones, that will incorporate this. And that's a good thing, in that it empowers landowners.

I agree with your other point, that the feature is valuable for giving us better grounds to report obvious traffic-gaming bots, but that it "empowers landowners" won't necessarily have a positive outcome for those landowners.

Mostly, I expect it will cause bot-runners who previously complied and self-declared their scripted agents to instead take their chances running undeclared bots, or if that's too risky, make very sure the bot visits are so brief they'll go undetected. That makes it worse for everybody, including the landowners who think they're "empowered" by the feature. They'll get to see some "bots" so they can feel empowered, and even try to boot them from their parcel (always too late), and maybe even imagine they've reduced the number of bots when instead they merely made them harder to detect—and thus rendered their own bot situation substantially worse for having misunderstood and misused the feature.

That doesn't mean I won't use the feature on my own parcels, just out of interest about which bot swarms visit which regions. But I'm resigned to the fact it'll be crap data, though, because I'm not willing to lag other scripts on the sim with frequent enough sampling to detect many of them as they pass through.

  • Like 3

10 minutes ago, Scylla Rhiadra said:

The problem is that there really isn't any easy or foolproof method for detecting unregistered bots. Nothing really distinguishes them from ordinary accounts except their behaviour.

As a programmer, I'm always full of ideas (and other things). If LL changed their system of trading credentials with viewers (official and TPV's) to include a "foolproof" identification that "this login is using a viewer", it would mean that any Bots which purely used API's (and not viewers controlled by automation software) would be automatically identified as, "this must be a Bot".

Bots controlled by viewers with automation software would still look like "normal users", until that next level were sorted.

Just one of hundreds of approaches. AI and automation software will make it more challenging to detect "AI Bots" in the future, but this is a "universal" problem not limited to Second Life.

  • Like 2

19 minutes ago, Scylla Rhiadra said:

The problem is that there really isn't any easy or foolproof method for detecting unregistered bots. Nothing really distinguishes them from ordinary accounts except their behaviour.

I think one could probably produce an algorithm that would detect behaviours consistent with a bot. Say, traveling rapidly to a number of apparently random regions, staying for a very short length of time -- just enough needed to run the scripts that are harvesting data. But monitoring for that kind of behaviour across the grid would be a Herculean task.

Age of the bot isn't necessarily a giveaway: there are some bots running around now that are several years old. Nor is an empty profile or a throwaway name, as someone who seriously wanted to hide their bot from detection could easily spoof a real account.

I assume, but don't know for a fact, that LL might also have a means of detecting what actual scripts an account runs: that would be the closest thing to "definitive" proof that I can think of. But even that might produce false positives. If you're using some form of scripted radar, for instance, or even the "What Is She Wearing" HUD, you're using LSL functions also often employed by bots. So any attempt to detect unregistered bots by script use would have to be fairly sophisticated to distinguish how the scripts were being used.

If LL had a means of identifying unregistered bots, they could simply sweep the grid clean of them. And because they don't, neither do we. On an individual basis, even I can probably determine with a reasonably high (but not definitive) degree of certainty that account Iamnotabot.resident probably is one, based on observation and deduction, but there's really no way to systematically detect them -- and so no means to program a script to boot or ban them.

And thank you, I had a lovely day, despite swimming through clouds of smoke from wildfires to the east and north of me! Keeping cool is less a problem at the moment than simply breathing without coughing, but this too will pass! I hope that conditions are a bit more comfortable where you are!

Omg stay safe please, we have rainy season here in Tokyo now I wish I could send those clouds 🌨️ over to you 😢 here it's just hot and moist. 

And to your explanation I know it's hard or even impossible but I also learned from an old friend that you need some certain software? Web thing? (To control them and program them?) To login to SL as a bot I think LL should have or find a way to detect this. Maybe they can find a way otherwise I am afraid just everyone will unregister their bots x3 

  • Thanks 1

9 minutes ago, Love Zhaoying said:

As a programmer, I'm always full of ideas (and other things). If LL changed their system of trading credentials with viewers (official and TPV's) to include a "foolproof" identification that "this login is using a viewer", it would mean that any Bots which purely used API's (and not viewers controlled by automation software) would be automatically identified as, "this must be a Bot".

Bots controlled by viewers with automation software would still look like "normal users", until that next level were sorted.

Just one of hundreds of approaches. AI and automation software will make it more challenging to detect "AI Bots" in the future, but this is a "universal" problem not limited to Second Life.

Lmao ok this here is what I meant x3 💜

  • Like 1
  • Thanks 1

Just now, Qie Niangao said:

Mostly, I expect it will cause bot-runners who previously complied and self-declared their scripted agents to instead take their chances running undeclared bots, or if that's too risky, make very sure the bot visits are so brief they'll go undetected. That makes it worse for everybody, including the landowners who think they're "empowered" by the feature. They'll get to see some "bots" so they can feel empowered, and even try to boot them from their parcel (always too late), and maybe even imagine they've reduced the number of bots when instead they merely made them harder to detect—and thus rendered their own bot situation substantially worse for having misunderstood and misused the feature.

I suspect you're correct -- but isn't that the way this kind of thing always works? It's a sort of arms race, as each side responds to the latest chess move by the opponent. I suppose a good analogy would be the way that security software engineers "solve" a particular vulnerability, only to discover that hackers have found a new one, or even exploited the "solution."

The problem is, making no effort to control bots might indeed prevent some from going rogue and choosing to use unregistered agents instead, but then you're simply doing nothing to stop them anyway. To use another, admittedly extreme, analogy: it's like saying "we can't stop murders from happening, and when we try, the murderers simply become more clever and subtle at hiding their guilt." On that basis, would it make sense to stop pursuing and prosecuting murderers? At least then they wouldn't need to hide it so much, and we'd probably have a better idea of who the murderers were?

I have no definitive solution to this, because there is no definitive solution -- no real "end game" that will bring a permanent closure to the problem. It's going to be an ongoing issue, because the "opponent" will always be able to find another move to outflank our latest manoeuvre. And I share the weariness, and wariness, that I detect in your tone. I think this represents a small victory, but a victory notwithstanding.

  • Like 2

11 minutes ago, Love Zhaoying said:

If LL changed their system of trading credentials with viewers (official and TPV's) to include a "foolproof" identification that "this login is using a viewer", it would mean that any Bots which purely used API's (and not viewers controlled by automation software) would be automatically identified as, "this must be a Bot".

That's a really interesting and, I think, excellent point. (And sorry, @Gwin LeShelle, I should have picked up what you were getting at, and not belaboured the obvious!)

I am not a programmer, and I don't have any idea how difficult it would be for LL to institute such a change in how it checks the credentials of viewers being used to log in -- do I remember someone saying previously that it wasn't that difficult to "spoof" a viewer? -- but if this is feasible and not too onerous a change, it might be worthwhile.

You note, though, that even this might be a temporary victory, as AI and automation software become more sophisticated. That's happening now, at a terrifyingly rapid pace.

As I said in my response to Qie above -- there's not ever going to be a "final victory" here.

  • Like 1

Aww I don't need a final victory tho...at the end it's just a (although some Users might disagree x3 sorry) game. It's not war. It's just fun and free time for me...

But LL should have a way to detect that so they can and should monitor the grid and keep it neat I don't actually need that but I hope LL has a way to tell them apart when they need to.

  • Like 1

5 minutes ago, Gwin LeShelle said:

Aww I don't need a final victory tho...at the end it's just a (although some Users might disagree x3 sorry) game. It's not war. It's just fun and free time for me...

But LL should have a way to detect that so they can and should monitor the grid and keep it neat I don't actually need that but I hope LL has a way to tell them apart when they need to.

Yeah. Oddly enough, although I've been fairly vocal on this issue here and elsewhere, I don't myself get terribly worked up about bots. I have no intention of banning them from my parcel, for instance. And I recognize that there are lots of "good" bots -- ones who collect and disseminate worthwhile and useful information that has been properly anonymized, and is securely stored.

But then, my parcel is public -- I might not feel the same way if they kept appearing in the middle of my dining room table. And, wow, they have been proliferating of late: they seem to be everywhere. The figures I've seen -- I don't know how accurate they are, tbh, show a HUGE surge in the sheer number of bots -- I assume registered ones -- since about January. May was, I think, the busiest month for bots on the grid ever.

However, their actual presence rarely bothers me much.

What I do worry about is the kind of data that bots collect, and what they do with it. But that's actually in some ways a different question than whether bots should be banned or not.

I assume that LL must have some means at their disposal that allows them to determine with a reasonable degree of certainty that "Account X" is a bot -- or it would be pointless to ask us to report them?

  • Like 1

6 minutes ago, Scylla Rhiadra said:

To use another, admittedly extreme, analogy: it's like saying "we can't stop murders from happening, and when we try, the murderers simply become more clever and subtle at hiding their guilt." On that basis, would it make sense to stop pursuing and prosecuting murderers? At least then they wouldn't need to hide it so much, and we'd probably have a better idea of who the murderers were?

Equipping security orbs with scripted-agent detection is a bit like giving every homeowner a firearm to deter murderers: it has unintended consequences.

As you say, that analogy is extreme. Anyway, there is indeed an "arms race" here, and those have consequences. Bacteria evolve to super-bugs from escalating resistance to the antibiotics fed to farm animals. We're selecting for a new generation of super-bots and we can't claim to be surprised when they emerge.

Will that make them harder for Lindens to manage, though? You're right, it hardly matters as long as Governance never acted even when the bots weren't so super.

  • Like 4

4 minutes ago, Qie Niangao said:

Equipping security orbs with scripted-agent detection is a bit like giving every homeowner a firearm to deter murderers: it has unintended consequences.

As you say, that analogy is extreme. Anyway, there is indeed an "arms race" here, and those have consequences. Bacteria evolve to super-bugs from escalating resistance to the antibiotics fed to farm animals. We're selecting for a new generation of super-bots and we can't claim to be surprised when they emerge.

Will that make them harder for Lindens to manage, though? You're right, it hardly matters as long as Governance never acted even when the bots weren't so super.

Good response, and good points.

Had Governance moved more strenuously against bots before the whole BB thing erupted and raised the profile of the issue, bot farms likely would have adopted new tactics anyway. We would just have been less aware of it.

Damned if you do, damned if you don't, really.

  • Like 3

10 minutes ago, Scylla Rhiadra said:

Good response, and good points.

Had Governance moved more strenuously against bots before the whole BB thing erupted and raised the profile of the issue, bot farms likely would have adopted new tactics anyway. We would just have been less aware of it.

Damned if you do, damned if you don't, really.

Ain't it grand that BB has a nice presence at SLB20? Even those that "shake things up" have a chance, in Second Life!


9 hours ago, Scylla Rhiadra said:

In the meantime, though, LL has explicitly asked that we report unregistered bots. And they have now given us a tool that will help enable that.

That is the big reason why I think that it is a very useful thing.

Another reason is that, judging by the posts in this forum through the years, some people object to bots that land on their parcels, and leave a few seconds later. Now they'll be able to recognise them, but it won't be any good because they are perfectly legal. They can auto-ban them individually, I suppose.

And yet another reason is that I now have some programming I can do - adding it to my security devices. I've been stuck for something to programme for a while now :D

Edited by Phil Deakins
  • Like 1
  • Thanks 1

5 hours ago, Scylla Rhiadra said:

The problem is that there really isn't any easy or foolproof method for detecting unregistered bots. Nothing really distinguishes them from ordinary accounts except their behaviour.

I think one could probably produce an algorithm that would detect behaviours consistent with a bot. Say, traveling rapidly to a number of apparently random regions, staying for a very short length of time -- just enough needed to run the scripts that are harvesting data. But monitoring for that kind of behaviour across the grid would be a Herculean task.

I make several cruises a week, teleporting along the planned route to set waypoints, often 40 or more on a complex route. My behaviour when doing that would look very much like your indicators for identifying a Bot. I could make the route in a different way, but that would either take longer or if using a map run the risk of sending people into impassable terrain, orbs or banlines.

Care does need to be taken identifying bots through looking at behaviour as an indicator.


People have, rightly or wrongly, expressed dissatisfaction with not being able to detect and ban scripted agents from their land if they are allowed at the estate level. 

Now LL has given them a tool that gives them the ability to do just that.

To my mind, people's fears about bots were overstated, and the only real difference between scripted agents and any other type of unwanted visitor (and it can be a significant difference, I agree) is that bots, once you're on their itinerary, turn up far more frequently and regularly than do regular wanderers, and I've always found the regular parcel tools perfectly adequate to remove them.   

Meanwhile if a bot is collecting data, it can do that from anywhere on the region, or even from your parcel before your scanner has a chance to detect and remove it, unless the scanner is on a ridiculously fast timer, in which case its impact on region resources is likely to become an issue.

However, that's beside the point. 

People had a problem -- unwanted scripted agents visiting their land -- and now they have a solution that makes them feel more in control.

As Nikita Khrushchev is said to have told Richard Nixon, “If the people believe there’s an imaginary river out there, you don’t tell them there’s no river there. You build an imaginary bridge over the imaginary river.”

  • Like 6
  • Sad 1

17 minutes ago, Innula Zenovka said:

As Nikita Khrushchev is said to have told Richard Nixon, “If the people believe there’s an imaginary river out there, you don’t tell them there’s no river there. You build an imaginary bridge over the imaginary river.”

Fun fact: This story is the source of the famous song, "Bridge Over Troubled Waters", and also the phrase "Cry me a river" (because a river in Crimea was used for the story).

(I just made this up!)

 

  • Haha 3

First I'll repeat what I wrote in an earlier thread. It does NOT detect bots. It returns an account's 'scripted agent' status, and that's all. People set that status when they operate bots, but there are other reasons why it might be set.

Now the reason for this post:
The new system is not perfect. I have an avatar logged in right now that is not registered as a scripted agent. Its Scripted Agent page says, "The avatar associated with this account is identified as being controlled by a human", and yet its AGENT_AUTOMATED flag is set, so the script shows it as being a scripted agent.

Details:
I wrote a script that returns whether or not every agent in the parcel (or sim) is a scripted agent. I ran it and it correctly returned me (Phil Deakins) as not a scripted agent, but it returned the other avatar as a scripted agent. I checked the other's account and it is not registered as a scripted agent. It is logged in with Speedlight (me with the standard viewer). It has a GOLD Speedlight account, which was bestowed on it (i.e. it wasn't paid for. I posted about that in another thread). I tried other accounts with Speedlight, none of which are GOLD, and none of them were returned as scripted agents. I also logged a couple in with Radegast and they were the same - no scripted agents. So the only oddity I found is the one with the Speedlight GOLD account.

I don't have any other Speedlight GOLD accounts, and I'm not going to pay for any just to test them, so I can't check if the error is because of the GOLD Speedlight account so they would all return wrong data, or if it's something peculiar about that particular GOLD account being bestowed and not paid for. Perhaps someone who has a paid-for Speedlight GOLD account could check.

This Phil Deakins account was also bestowed with a GOLD account, so I relogged it to see if it stayed GOLD. It didn't, so I'm not going to relog the other as a test :) The thing is that Speedlight GOLD accounts are a perk of Premium+ accounts, so there may be many around, and this should be tested.

Edited by Phil Deakins
  • Like 1
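
The kind of parcel check discussed in the post above, as an added LSL example that is not Phil Deakins' script or any product mentioned in this thread: it reads each agent's AGENT_AUTOMATED flag, which per the thread reports the account's scripted-agent status rather than proving the account is a bot. The 30-second interval, the `scan` function and the `gReported` list are assumptions chosen for illustration; the slow timer reflects the region-load concern raised earlier in the thread.

```lsl
// Added example: reports agents on this parcel whose AGENT_AUTOMATED flag is set.
// The flag is the account's scripted-agent status; treat a hit as a prompt to
// look, not as a verdict (the thread reports a false positive with one viewer).

float SCAN_INTERVAL = 30.0;  // assumed value; kept slow to limit script time on the region
list  gReported;             // flagged agents already announced and still on the parcel

scan()
{
    // Only agents standing on the parcel this object is on.
    list agents = llGetAgentList(AGENT_LIST_PARCEL, []);
    integer n = llGetListLength(agents);
    list stillHere;
    integer i;

    for (i = 0; i < n; ++i)
    {
        key id = llList2Key(agents, i);

        // llGetAgentInfo returns a bit field; test only the one bit we care about.
        if (llGetAgentInfo(id) & AGENT_AUTOMATED)
        {
            // Announce each flagged agent once per visit, not once per scan.
            if (llListFindList(gReported, [id]) == -1)
            {
                llOwnerSay("Scripted-agent status set: " + llKey2Name(id)
                    + " (" + (string)id + ") at " + llGetTimestamp());
            }
            stillHere += id;
        }
    }

    // Forget agents that have left, so a later return visit is reported again.
    gReported = stillHere;
}

default
{
    state_entry()
    {
        gReported = [];
        scan();
        llSetTimerEvent(SCAN_INTERVAL);
    }

    on_rez(integer start_param)
    {
        llResetScript();
    }

    timer()
    {
        scan();
    }
}
```

With a 30-second timer, visits shorter than the interval can pass unseen, which is the sampling trade-off posters in this thread describe.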

30 minutes ago, Love Zhaoying said:

Fun fact: This story is the source of the famous song, "Bridge Over Troubled Waters", and also the phrase "Cry me a river" (because a river in Crimea was used for the story).

(I just made this up!)

 

Another fun fact. Paul Simon didn't write a 3rd verse for Bridge Over Troubled Water, and he didn't think it needed one. But they persuaded him, and he wrote a verse that meant nothing. It was THE best verse in the song.

(I didn't just make that up)

Edited by Phil Deakins
  • Thanks 1

17 minutes ago, Phil Deakins said:

Now the reason for this post:
The new system is not perfect. I have an avatar logged in right now that is not registered as a scripted agent. Its Scripted Agent page says, "The avatar associated with this account is identified as being controlled by a human", and yet its AGENT_AUTOMATED flag is set, so the script shows it as being a scripted agent.

Sorry, but your details were hard for me to digest.

- Is the point that with Speedlight Gold, the avatar shows as Scripted Agent but should not? The first few times I read your details, I thought you were saying that it showed up as NOT Scripted Agent but SHOULD.

Tagging @Glaznah Gassner

 


4 minutes ago, Love Zhaoying said:

Sorry, but your details were hard for me to digest.

- Is the point that with Speedlight Gold, the avatar shows as Scripted Agent but should not? The first few times I read your details, I thought you were saying that it showed up as NOT Scripted Agent but SHOULD.

Tagging @Glaznah Gassner

 

The Speedlight GOLD avatar shows as a scripted agent but it shouldn't do.

All other avatars (standard viewer, Radegast, and non-GOLD Speedlight) correctly show as not scripted agents.

Edited by Phil Deakins
  • Like 3