
Monkeypatch setInterval/setTimeout to mark people as cheaters. The more dedicated cheaters will hit the button API outside of the browser, which is pretty hard to stop.



Easy options for this are plentiful.

[1] http://www.sikuli.org/


For someone with only limited HTTP/Javascript knowledge:

"The more dedicated cheaters will hit the button API outside of the browser, which is pretty hard to stop"

How would this be accomplished? I guess from the command line?

EDIT: found what Monkeypatch means.


The button presses are communicated over a websocket. You could make your own websocket client and communicate however you want to, such as listening to time updates and sending a click when it reaches a certain threshold.


Umm... What?? If you did this, then surely EVERYONE would be flagged as a cheater! Clicking the button "legitimately" would call the same function!


Monkey patching setTimeout / setInterval would allow you to detect when people were running timers on the page. Use of timers could generally be considered "cheating."

It doesn't do anything to intercept people pushing the button.

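    // Keep a reference to the native timer before replacing it.
    var original_setTimeout = window.setTimeout;

    window.setTimeout = function setTimeout(fn, ms) {
        alert("No you don't, cheater!");
        assign_button_color_of_shame();  // helper assumed to be defined elsewhere
        // Still schedule the callback and hand back the timer id.
        return original_setTimeout.call(window, fn, ms);
    };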


Which is very, very easily worked around by including another version of the original setTimeout in your console code.

The only real way to detect this is through usage pattern analysis and detection on the web socket side, because if you can write something in JS that catches people, someone can make minor modifications to their code to make it work again.
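
The websocket-side usage-pattern detection suggested in the comment above, as an added example (not code from the thread or from the site). The event shape, connection ids and both thresholds are assumptions, and the log is constructed.

```javascript
// Added example: server-side scoring of button clicks from a websocket log.
// Event shape, field names and thresholds are assumptions for illustration.
const MIN_HUMAN_MS = 120;  // assumed floor for reacting to a tick; tune on real data
const MAX_JITTER_MS = 15;  // assumed: human click timing varies far more than this

function scoreConnections(events) {
  const lastTick = new Map();  // conn -> most recent time update sent to it
  const delays = new Map();    // conn -> [ms from that update to each click]
  for (const e of events) {
    if (e.type === 'tick') {
      lastTick.set(e.conn, e);
    } else if (e.type === 'click' && lastTick.has(e.conn)) {
      if (!delays.has(e.conn)) delays.set(e.conn, []);
      delays.get(e.conn).push(e.t - lastTick.get(e.conn).t);
    }
  }
  const report = {};
  for (const [conn, ds] of delays) {
    const mean = ds.reduce((a, b) => a + b, 0) / ds.length;
    const sd = Math.sqrt(ds.reduce((a, b) => a + (b - mean) ** 2, 0) / ds.length);
    const reasons = [];
    // Every click lands sooner after an update than a person could react.
    if (ds.every(d => d < MIN_HUMAN_MS)) reasons.push('faster-than-human');
    // Several clicks with almost identical delay point to a timer loop.
    if (ds.length >= 3 && sd < MAX_JITTER_MS) reasons.push('machine-regular');
    report[conn] = { clicks: ds.length, meanMs: Math.round(mean), reasons };
  }
  return report;
}

// Constructed sample log: the server sends a time update every 1000 ms.
const sampleLog = [];
const humanDelays = [430, 710, 255];  // constructed
const scriptDelays = [8, 11, 9];      // constructed
for (let i = 0; i < 3; i++) {
  const t = i * 1000;
  sampleLog.push({ conn: 'A', type: 'tick', t, secondsLeft: 60 - i });
  sampleLog.push({ conn: 'B', type: 'tick', t, secondsLeft: 60 - i });
  sampleLog.push({ conn: 'B', type: 'click', t: t + scriptDelays[i] });
  sampleLog.push({ conn: 'A', type: 'click', t: t + humanDelays[i] });
}
console.log(scoreConnections(sampleLog));
```

Both checks are heuristics measured on the server, where the client cannot patch them out; they need tuning against real latency data and are signals to combine with others rather than proof of automation.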


Just to be clear - this wasn't my original idea and nobody should ever put any security code into a client. Even if you could make this work someone could recompile Chrome to work around it.

I've found a way to get access to the original setTimeout again by embedding an iframe into the page and extracting it from there.

Would be interested in hearing other methods of getting a handle to the original setTimeout again.

I guess you could simulate it by using some other mechanism, say firing off an async request to a server that returns after a certain time and running a callback.


Eh, putting security into a client like FB did by disabling the console -- it might help against people getting phished. Though I generally agree.


Ohh right, so your plan would be to essentially check for third-party javascript things running on the same page?

This would be a really easy "security" measure to circumvent, though - I could literally just delete your monkey patch, for a start!


It wasn't my idea so, no, that was never my plan :)

Though, you do raise a valid point, so let's see how it plays out.

    setTimeout = function(){ /* ... */ }
    delete setTimeout  // true - you've removed the patch

    window.setTimeout = function(){ /* ... */ }
    delete window.setTimeout  // true - you've removed the patch

    window.constructor.prototype.setTimeout = function(){ /* ... */ }
    delete window.constructor.prototype.setTimeout  // false - the patch is still there!

I don't know about the hierarchy of the prototype chain up at this level but it seems to work.

Maybe there's some other way of getting to the built-in setTimeout so you can create your own version to mask the one I added?

EDIT: you can embed an iframe and rip the native setTimeout from there.


They could listen to the DOMSubtreeModified event in the 10s div.


Nice! There are probably clocks all over the place when you start looking around :)


reddit stops you from embedding it iirc


I tried that too - you can just use any old page that has CORS headers allowing it.



