A Second OctoPrint Plugin Has Been Falsifying Stats

The ongoing story of bogus analytical data being submitted to the public OctoPrint usage statistics has taken a surprising turn with the news that a second plugin was being artificially pushed up the charts. At least this time, the developer of the plugin has admitted to doing the deed personally.

Just to recap, last week OctoPrint creator [Gina Häußge] found that somebody had been generating fictitious OctoPrint usage stats since 2022 in an effort to make the OctoEverywhere plugin appear to be more popular than it actually was. It was a clever attempt, and if it wasn’t for the fact that the fake data was reporting itself to be from a significantly out of date build of OctoPrint, there’s no telling how long it would have continued. When the developers of the plugin were confronted, they claimed it was an overzealous user operating under their own initiative, and denied any knowledge that the stats were being manipulated in their favor.

Presumably it was around this time that Obico creator [Kenneth Jiang] started sweating bullets. It turns out he’d been doing the same thing, for just about as long. When [Gina] contacted him about the suspicious data she was seeing regarding his plugin, he owned up to falsifying the data and published what strikes us as a fairly contrite apology on the Obico blog. While this doesn’t absolve him of making a very poor decision, we respect that he didn’t try to shift the blame elsewhere.

That said, there’s at least one part of his version of events that doesn’t quite pass the sniff test for us. According to [Kenneth], he first wrote the script that generated the fake data back in 2022 because he suspected (correctly, it turns out) that the developers of OctoEverywhere were doing something similar. But after that, he says he didn’t realize the script was still running until [Gina] confronted him about it.

Now admittedly, we’re not professional programmers here at Hackaday. But we’ve written enough code to be suspicious when somebody claims a script they whipped up on a lark was able to run unattended for two years and never once crashed or otherwise bailed out. We won’t even begin to speculate where said script could have been running since 2022 without anyone noticing…

But we won’t dwell on the minutiae here. [Gina] has once again purged the garbage data from the OctoPrint stats, and hopefully things are finally starting to reflect reality. We know she was already angry about the earlier attempts to manipulate the stats, so she’s got to be seething right about now. But as we said before, these unfortunate incidents are ultimately just bumps in the road. We don’t need any stat tracker to know that the community as a whole greatly appreciates the incredible work she’s put into OctoPrint.

34 thoughts on “A Second OctoPrint Plugin Has Been Falsifying Stats

      1. Basically, any reason you would want to be on a “top something” list becomes a reason to manipulate the results, and so people will start to game the metric. Any sort of listing where order matters gets gamed. See, why companies and businesses were named “Acme” in the 1920’s – you get to be on the first pages of the telephone directory.

        If there is no reason or consequence from being on such a list, the list wouldn’t even exist, ergo, all lists become manipulated at some point in time.

        1. Fun fact: someone did a lot of research and it turns out plumbers whose companies begin with “a” (or more precisely – companies who are willing to play games with their names to be listed higher) are worse than most.

          1. Likewise, the companies that are willing to spend the most to advertise and pay for search engine optimization, etc. aren’t the ones giving you the best value for the price.

            For starters, the price must include the cost to advertise, so you’re already paying extra for nothing. In essence, you should be looking at advertisement as information about who NOT to buy from.

    1. Both of these plugins have commercial subscription offerings so I’d say they are both poisoning the stats for monetary gain. If I were the creator of OctoPrint I’d outright ban the plugins and blacklist all known hashes.

  1. Dude, it’s those scripts you forget about that last forever.

    Sorry, I believe it. In my case it’s not been malicious, but I’ve discovered scripts I totally forgot about still doing their thing. See, the system itself might go down, and that I’ll notice and fix, but when did I last read my crontab?

    If the script had failed they might have noticed.

    1. I once debugged a whole day why my program stopped working…

      Forgot I added some date stop code to cease running after a certain date. no documentation, placed at an unusual place, /me so stupid.

      So. I would believe in all stupid explanations for any stuff.

    2. Have done similar, last one I found was a Windows 2000 desktop too which had been running, unattended for at least 12 years with Mercury/32 trying to connect to a long defunct ISP’s mail server, my scripts were still triggering and running perfectly, creating archive folders and indexes of received/sent emails.

    3. hm. I’ve lost a machine.. literally _lost_. it responds to ping, it works completely, I just can’t figure out where in my apartment it is.

      RIP bash.org

    4. It also depends a lot on how the script was setup. I have a web comic scraper build more 10 years ago. In php, it just scrapes some websites, gets the right image URL and stores that in a database. It was updating by just having cron open a certain URL that would do the scraping. And then a different URL where I can view the comic feed.

      Now, I’ve moved the whole server to a new machine, didn’t copy over the OS, but did copy over the database and the htdocs directory. And the scraper is still working. The cron job is gone, but somewhere, somehow, scraper bots picked up on the URL and are now polling it from time to time, causing my webcomic feed to be still updated.

  2. ” But we’ve written enough code to be suspicious when somebody claims a script they whipped up on a lark was able to run unattended for two years and never once crashed or otherwise bailed out. ”

    I have cron jobs running on a 7-year-old Orange Pi, most of which were written in anger. If you asked me what it all was, I would have no clue!

    I actually just checked, and it’s still turning the Christmas tree lights on and off.

    A forgotten script running since 2022? Amateur hour!

    1. I feel this whole “wow, a forgotten script ran unattended for 2 years!” thing is big red-herring to draw focus away from the shitty behavior. And it seems to be working (given what the comments are focusing on).

      They also say “I was quite sure the script had been long dead”, which implies they knew about it, likely all the time, with at least a nagging suspicion it was still inflating their ranking. Also funny that they started around the same time OE did. Why is the bar for shitty behavior so low with “having some suspicion that OE was doing that” being the justification? Did OE think the same thing about obico? How about reporting the suspicion to Gina instead of screwing her over?

      Ultimately, Quinn (OE) and Kenneth (obico) will get away without penalty, forfeit or any sort of accountability. All the while screwing over one of the most important 3D printing related projects in our community. I also can not ignore that it is two dudes committing fraud to amplifying their own projects by screwing over a prominent woman in our community.

      If you are a OE or obico user, I hope you can see your way to uninstalling those plugins and sending the authors a note about why….

      1. I agree that the behavior of the plug-in authors is deplorable and that they’ll likely face no real consequences, but I can’t see the gender connection your making.

        If the site owner was paying the top ranked plug-in authors based on their plug-in’s rank, then maybe you’d have something but the logic would still be pretty thin based on comments and coverage above. Would you have made the same comment if the two plug-in authors had been female and the site owner was a prominent male in our community?

        1. > If the site owner was paying

          Not sure, but I am guessing your caught up on the ‘fraud’ term because you think money should be directly involved? Ultimately they are defrauding their users by trying to make them think they are installing the most popular plug in (and making money from those subscriptions).

          Think, Twitter inflating their active user count by including bots. Fraud or no fraud?

          > pretty thin based on comments and coverage above.
          Not sure what comments and coverage you are referring to, or why it invalidates my comment. Any clues there?

          > if the two plug-in authors had been female and the site owner was a prominent male in our community?

          Sure, if males are in minority and historically subject to bias in our community, then yes, I would totally be making the same comment. Of course given that is likely a toxic environment to speak-out on the subject, I would also expect somebody to ask, “well, what if the two plug-in owners were male…. would you be making the same comment…”.

          1. No, I wasn’t hung up on the fraud term but rather ypur closing proposal. The target of the fraud was a system that is both well known and well regarded, i.e. a good target for fraudsters. It just happens to be owned by a woman but is not why it was targeted. I’m guessing that we’ll have to agree to disagree on this point.

          2. @bwmetz

            Thanks for your replies.

            No, I agree to not disagree!

            I get your point and agree that Quinn and Kenneth were not targeting Octoprint because it is ran by somebody who is in an underrepresented subgroup of our community which is often subject to bias.

            However that doesn’t change that Quinn’s and Kenneth’s toxic behavior caused harm, even if you want to describe it as collateral damage rather than targeted, to somebody in an underrepresented subgroup of our community. That has a negative effect on the underrepresented group and on the greater community as a whole.

            But, then if I ask myself, what if Octoprint was ran by a prominent male (e.g. Linus Torvalds, Mark Shuttleworth, Josef Prusa, etc, feel free to suggest better ones) would Quinn and Kenneth find it so easy to commit fraud, knowing that it would harm a project ran by a prominent male? Would they think twice about pissing off Linus Torvalds (who is a fairly toxic male in our community) and ending up in his cross hairs?

            Some how it feels like they may have behaved differently. Again not suggesting they intentionally targeted Gina’s project because of her gender, but there could easily be a component of unconscious bias involved.

  3. You’re *definitely* not a professional programmer (or a sysadmin). You don’t write something like that as a script that has to keep running in a single process forever. You have some OS function start it when it needs to run. That’s a reflex. It would be *really weird* to write something like that in a way that wouldn’t survive a reboot, let alone a random script failure.

    The whole “script” was probably “curl “, and in 2022 you’d use either a crontab entry or a systemd timer to start it every once in a while.

    I poked around on my systems, and the oldest cron job I could find uses code last changed in *2006*. It’s possible that I manually recreated the crontab entry for it when I ported it from an older server… which would have been in 2011. But it’s also possible that I just blindly copied the old crontab without knowing what was in it.

    I really need to translate a lot of that old stuff out of Perl…

    1. That’s a real bold and baseless assumption of how the telemetry in OctoPrint works, but then, I suppose we shouldn’t expect anything less in the HaD comments.

      1. If you’re going to send false install reports, you don’t use actual OctoPrint to do it… at least not if you have any clue what you’re doing. So how OctoPrint works inside is irrelevant.

        I know OctoPrint stays resident. That’s more reasonable for a big program that’s probably the main application on the machine than for a random script. And you *still* have to have something to start OctoPrint at boot.

  4. Fact that they both put in the effort to make the data seem legit, shows that it’s more then just a “toy attempt”.

    On the other hand, it’s great to see Gina still going strong with Octoprint. If you read this Gina: Job well done!

Leave a Reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.