T=Machine

Reputation and ranking systems for online games and web games

adam — Tue, 01 Jul 2008 17:31:17 +0000

Yahoo recently posted a page listing and describing eight different design patterns for a reputation (or ranking, or achievement) system for a community - where community could be a web community, the players of a particular game, etc. For a long time now, I’ve been meaning to write a post on this stuff, and this finally poked me to do it…

EDIT: It’s Bryce, not Bruce. Argh. Sorry, Bryce - I was thinking about Bruce Schneier at the time, I think.

(thanks to Jeremy Liew for posting about an interview with the guy behind it, Yahoo’s Bruce Glass, which looks at some of the thinking behind it and his own views on what to do and what not to do)

Reputation systems - why?

For most game developers - and moreso most game publishers - the answer is “look at XBLA” (Microsoft’s Xbox Live Arcade). In the past 2 years, MS has put out a series of press releases and marketing pimping up the large amounts of money that they - and the publishers - have been making off the additional sales generated by this simple achievements/reputation system.

(I think that’s great, but also a bit sad, because XBLA does some other equally special stuff that hasn’t had quite so much explicit attention. Who’s talking about the GamerCard, and what *that* means for online communities? Plenty of people have, but it’s not achieved quite the same amount of attention. I think a lot of people have dismissed it as a gimmick in comparison to the reputation system - which is foolish of them, because the GC provides an excellent way for players to spread their Online Identity, and identity is a much bigger pie to be taking slices of than reptuation systems ever will be. But it’s harder to work with, and I’ll come back to that in another post sometime in the future.)

Or, as Joshua Porter puts it in the Bruce Glass interview:

“Reputation systems have driven the entire business at eBay.com, much of the business at Amazon.com, drives activity at Digg.com, powers the moderation system at Slashdot, etc…and yet for all the millions of words written about web design very few of them have been dedicated to this type of software.”

Choosing a rewards system

As an online game and MMO developer, and someone who focusses on social gaming and how to integrate it with mainstream games design, I’d say that the answer to “which form of reputation system for your social game?” is simply and clearly “all of them”. And at first I thought that was just me.

I’ve worked on games that have had a heavy social/web element, and adding additional parallel rewards/reputation systems has only ever helped both the community and the game. Nowadays, everything I see reinforces this, at least for games.

For instance, easy example - look at Kongregate. Kong has 5 independent, parallel rating systems for each game, and 7 (!) reputation systems for each user/player/developer on the site.

Looking at how those interact with each other, I would argue that a lot of the site’s success is precisely because it has these multiple *independent* forms of valuing user content; it allows you as a member of the community to say “this is nothing special in many ways, but in one aspect it’s the best thing I’ve ever seen” - essentially allowing for a multi-dimensional measure of “goodness”.

So, although I understand and by default agree with Y!’s suggestion that you should look at your community, assess your target market and your product aims, and pick one reputation system, I feel that you really shouldn’t do that with games.

Why one is never enough

Because only having one:

Limits self-expression: you CHOOSE to invest of yourself in various ways in a community. Bruce Glass mentions this. He doesn’t mention the knock-on implication: what you choose to invest says something about who you are and how you wish to be perceived. So, this is a part of your personal online identity.you can only be good at one thing, not a set of things, and there’s no way to show
Reduces learning opportunities: with multiple rep systems, a community can let a member know that “we think you are really awful at some things, but really good at others. Please do less of the bad stuff”, instead of just “we don’t value you”
Prevents the majority of people from being recognized: Go read about the Bartle types. Then read Erik Bethke’s presentations on what happened when he thought that some of them “didn’t apply” to his own MMO, GoPets, and what happened when he changed his mind on that. There is no MMO without all four player-types represented. One rep system can only satisfy one quarter of the traits that are present in all your audience. It may be the largest represented quarter, but it’s still artificially limiting your appeal as a game/product/experience/community
Assumes you actually know - and can control - what your community is, what it will become, and how it will grow to get there. That’s usually not the case. It seems (at least in MMO and online games) that good community management these days is not directive, it’s reactive. That’s not an excuse to abrogate responsibility for encouraging and supporting your community, it’s just saying that you need to give them more opportunity to tell you what they want, so that you can then modify your offering. And they will change what they want, they don’t remain static

And after saying all that, I wonder: how much of this is games-centric? Because although I’m no expert on online communities in general, that sounds pretty applicable to a wider set of online properties - not all, I’m sure, but many more than just “games”.

Which leads me to wonder whether the suggestion itself (that you should carefully choose just one) is a nice idea in theory, but perhaps not appropriate in the modern web world: perhaps communities now are sufficiently savvy, picky, and accustomed to being the ones to control success (e.g. youtube, where the community makes a video successful, not the site owners), that single-value measures of reputation are no longer what your community wants and needs.

Maybe?

And as for Kongregate … well, now I’m going to finally write up the post I’ve been meaning to for a long time about that.

Two factor security solves everything (”well done, Blizzard!”)

adam — Tue, 01 Jul 2008 16:46:52 +0000

Or so this blog on security says.

“Some experts claim that two-factor authentication won’t work. They are wrong, of course.”

The expert linked to is Bruce Schneier, and the main attack he points out that isn’t affected by TFS is … fake website asking for your credentials.

Funny. That was one of the main ways of stealing people’s MMO player accounts when I first got into MMO dev around ten years ago. And it’s still one of the main ways now (although there are plenty of other good ones, as noted in the linked post). It’s just … so easy!

Which would suggest that yes, actually, Bruce is right: TFS is going to do little to combat the *actual problems* being faced here.

Personally, I’ve always been on the side of security is pretty simple really: prevention is impossible, and anything that claims to provide great prevention is snake oil, and the reason security in practice is hard is because you have to find ways to deal with detection and response, and *that’s* where all the interesting stuff is.

On the other hand, I’ve now heard a couple of people suggest that the one-time-passwords thing from Blizzard isn’t about the passwords anyway: it’s about reducing credit-card chargebacks by shipping goods to the actual address first. In a way, it’s a basic form of TFS on the act of issuing a CC charge: you have to know the CC details and be able to intercept snailmail post, and until you succeed at both, the company doesn’t need to issue the CC charge.

Again … prevention? Nah, I can still intercept post, even on a large scale. But … detecting that interception is going to be somewhat easier, and responding to it (getting people fired from FedEx, or whichever company has been infiltrated and/or has a dodgy employee that’s been fired) is probably a lot easier than dealing with an unknown anonymous person from “somewhere” on the planet who bought 10,000 CC’s on the black market.

So, props to Blizzard. But not for making “a better form of password”. And a thumbs-down to Errata Security: sorry, but I’m not convinced by your analysis. I see what you’re saying, but I suspect you’re barking up the wrong tree. And I’m afraid I’m always suspicious of people who defend any preventative measure too closely - security doesn’t seem to work like that, sadly.

Scrum … and Production, Pre-Production in games

adam — Fri, 27 Jun 2008 15:04:07 +0000

So, here’s a question for Agile developers: when you’re using Scrum as your development process, and your game is in pre-production, at what point do you move to Production? And, more importantly, how can you tell (that you’ve moved)? Is Scrum in fact a permanent Pre-Production, right up until the moment you launch? And if that’s the case, how do you explain THAT to your publisher?

Traditional process

There are three stages: Concept, Pre-Production, and Production. Every game goes through those processes in that order. Typically the number of staff working on the project (and hence the amount of money being spent - and the risk being taken on!) goes up by a large factor from stage to stage.

Rather than bore you senseless here if you already know all this, I’ve written up a slightly more detailed explanation of games production stages and how they relate to each other. If you aren’t familiar with those stages, read that instead.

What is Pre-Production, anyway?

Well, as one of my colleagues, Mark, put it: the whole idea of a Pre-Production/Production split is merely an artifact of the developer/publisher split in responsibility, funding, project ownership, etc. It’s there because the developers can’t answer most of the questions until they’ve actually written most of the game, but the publishers are desperate to “reduce risks” by “eliminating unknowns”.

I did a quick google to see what other people have said about pre-prod for games, and one of the first hits included the quote “PreProduction has become the most important phase of the development cycle”. Actually, I think (like Mark) that Pre-Production has always been the most important phase, as far as the developers are concerned, although usually it’s never allowed to last long enough to be that important in the overall project. Despite being usually much shorter than Production, with much smaller resource (many fewer staff, etc), arguably it’s where the true art and craft of making fun games happens. Everything that follows is an attempt to fit the square peg of game development into a round hole, to curtail changes, to control spending arbitrarily, and to fulfil the vision that’s created during pre-production without allowing for the possibility of the team changing their mind on what’s going to make the game fun, or a success.

…which coincidentally brings us full circle, as this is one of the biggest reasons that game developers are trying to adopt Scrum in the first place. Scrum promises a large amount of “changing your mind” whilst keeping budgets and spending very efficient - even, magically, promising even tighter levels of control of the spend whilst granting much much more freedom of creativity. Yeah, you can have your cake and eat it! (unless the cake is a lie)

What about the movie industry?

Well, yeah, because the term “pre-production” comes from there first. I guess - just a wild guess here - that it got imported to the games industry by EA, probably around the time they imported the job title “Producer” to mean, a la movie-parlance, someone who combines organizational and creative responsibilities (a merged lead designer/project manager).

“In digital video, photography, television and film, pre-production refers to the tasks that must be completed or executed before filming or shooting begins. This includes tasks such as hiring actors or models, building sets, budgeting, planning, scheduling, renting equipment and tests, to name a few of the many pre-production tasks.”

Here’s the problem: whereas a movie starts with a FULLY WRITTEN script, the game design for a game is never complete until the day you ship. That means that where a movie has the luxury of looking at the script on day 1, and starting to do things like “building sets”, the game equivalent can only be guessed at for the majority of the project lifetime. Pre-production, in a movie industry sense, is impossible and nonsensical for the majority of computer games development. (leaving aside the exceptions of the few games, such as the infamously sequel-tastic EA Sports titles, where the game design doesn’t change and has very little innovative or new added during the course of the project. For anyone not in the industry, FYI: those are rare in the overall constellation of games developed each year).

Scrum and the effect on game production

With a Scrum project, you are ready to *ship* the product every single month (or fortnight, or even week, depending upon your sprint length). If you start by using Scrum at the concept stage, as we have for some of our projects, then … how do you decide when to transition to pre-production? And, more importantly, when to transition to Production?

Because Scrum, as far as I can see, is granting the development team an infinitely-long Concept stage (or, at the very least, an infinite Pre-Produtction stage): at every moment they are free to take any part of the product and throw it away and replace it with something better. One of the great mantras of Production is “thou shalt not throw anything away … unless there’s no way the game can ship with it in current state (and that usually doesn’t apply until you’re really close to shipping”. I’m not saying that’s a mantra anyone chose, I’m observing that de facto it seems to be how publishers and producers end up handling the Production phase. Maybe I’ve just seen a lot of bad examples - but I think not. I think this is an inevitable side-effect of the “avoid risk and avoid extra expense” strategy that the publishers have chosen as the purpose of Production.

So … if you’re permanently in pre-prod, how do you decide when to go to the publisher’s GreenLight committee (or whatever your publisher calls their equivalent)?

It occurred to me that the answer, with any publisher that understands Scrum, is: You don’t. They come to you.

The Power of … Scrum

Every time you finish a sprint, the publisher should have at least one representative turning up to the review meeting to see what’s happening and what’s been changed/completed/added/removed.

They should also be making a judgement every single sprint of: as a publisher, do WE want to “move this ahead” into pre-production, or from pre-production into production.

This is one of the explicit aims of Scrum, to give the person who’s commissioned the project (i.e. the publisher, who’s paying for all this development!) the ability to make extremely well-informed decisions about the project at any point. They are informed and empowered. So, they need to take that power and that information and decide for themselves what to do.

Fundamentally, the decision was never in the hands of the developer, and with Scrum, I think that maybe it doesn’t need to be something the developer is even all that aware of any more. Old-style, you have to explicitly make a special final build for the end of Pre-Production - but with Scrum, you’re doing that all the time anyway.

I could be completely wrong, of course…

I see this as one of the interesting unanswered questions with Scrum for games dev, of which there are many, all in the area of “Ok, sure, we can all see how it fits in with day-to-day development - but how the heck does it affect the traditional developer/publisher relationship, and how does it alter the traditional processes that exist in that area?”. Scrum, in its mainstream incarnation, doesn’t deal with a developer/publisher relationship - no surprise, really, because almost no other software development industry has such an odd dynamic as its centra driving force.

But what the heck. Here’s my stab in the dark at this small part of it. I’d love to know what you think.

Game process: what are Pre-production and Production?

adam — Fri, 27 Jun 2008 14:44:21 +0000

What is Pre-Production in games development? What is Production? What’s the difference?

I’ve just written a (draft) post that requires you to know those things well before it makes sense, and I started off by including a grossly over-simplified idiot’s-guide to these things. Then I looked back and saw it had become as long as the main post itself, and I didn’t want to cut it because it explains a lot of my (possibly wrong) assumptions. So, here it is. The other post - the one I really wanted to write, will be along shortly :).

Traditional process

Splits into 3 sections. I’m talking about all games here, not MMOs in particular (MMO’s add some extra stages, like “post-launch” and “beta” which have a LOT more special meaning that many mainstream game developers realise, but those are mostly handled by extra dev-teams, so that the main development process is still almost the same as with normal games)

Concept: Summary

Someone has an idea for a game, often a lead game designer, but also often NOT a designer (incidentally, it’s often an Exec Producer, since they will be the one who has to recruit the entire team, drive the project, and ensure it’s a profitable success). They get together some basic sketch of the game design, maybe only a few pages, plus some artwork to show what it might look like - look-and-feel stuff - and any other materials that help to explain the idea.

Concept: Output

They write a Powerpoint presentation, basically nothing more than that.

Concept: Gate to next stage

You “pitch” this to the publisher; if they give concept approval, and some money (or just free resource for an internal studio), the project goes ahead.

Pre-Production: Summary

A small team of people is assembled. For a simple flash-only casual game this could in fact be literally one person, or two people. For a AAA first person shooter, it’s likely to be around 5-10 people, an equal mix of artists, designers, and programmers.

Time-out for a moment here: a big point of variation exists here. On many projects / with many publishers, the artists produce most of the concept art in the Concept stage. On others, they produce most of it in the Pre-Production stag. Concept art doesn’t require ANY tools, engine, or game design - mostly it just comes out of the artist’s own fertile imagination. It’s usually “inspired by” the basic concept that the vision holder explained to them. Often, the vision holder and/or design team uses the concept art to help them refine their own ideas of what the game is going to be. It’s a highly mutually-supportive process. Doesn’t have to be, of course - depends how clear and how precise the original vision is.

Another time-out: some companies regularly have the programmers produce a working demo at the end of pre-production. IMHO, this is the first running leap along the slippery slope to destroying the developer: any working demo that’s held up as “illustrative” of the final game constitutes the majority chunk of development risk and spending for the entire game project. A publisher who asks for a demo at the end of pre-prod is being very wise - they’re asking for the majority of all the development risk to be removed before they fund the main game. But they’re also being incredibly greedy, and incredibly stupid - the demo either will have very little to do with the final game, or else it will push the developer towards going out of business, because there’s no way they can pay enough staff to get a demo done on the tiny budget that a publisher will unlock for pre-production. Publishers typically justify this with “it’s only pre-production; you don’t need much money”.

OTOH, many publishers have been operating massive pre-productions, which means that they can get that risk-stuff taken care of without being greedy/stupid. Pre-production periods lasting *multiple years* are happening a lot in the MMO industry these days. I did a double-take when I first saw that, but no-one else seems to be batting an eyelid at it. So, I’m not bashing all publishers here, just pointing out that it’s quite widespread to be naive about what’s reasonable, and that there’s a lot of bad contracts out there.

Pre-Production: Output

Enough of a game-design, enough of an art-direction, enough of a technical specification, enough of a project schedule / GANTT chart … that the leads (design, art, and code) and the Producer feel confident to state “yes, we can make this, for that much money, and it’s going to be a GOOD game”.

Pre-Production: Gate to next stage

Publisher listens to the arguments from the leads + publisher, either written or oral (usually a mixture of the two), then examines the evidence (should be plenty by this point, either as artwork, or as a series of small demos of different technologies, or demos of small aspects of gameplay, or as formal game-design documents detailing how the game will work), and a bunch of highly experienced and highly-paid senior people make a judgement call on whether this game is really going to work, whether it will be worth it, how much money it will make, how it fits into their ongoing sales plans as a publisher, and whether this development team can actually deliver on their promises. If they like it, they release the majority of the development budget and the game is “green lit” to go ahead in “full production”.

Production: Summary

Well, now the leads and the Producer go ahead and make the game they said they were going to.

Do you see a problem?

Has anyone yet written a predictive measure of “fun”, or worked out how you can “plan” for a game to be fun before you’ve actually written it and *played* it? Not really (though there are many good attempts out there…).

So, who is Pre Production for, and who is Production for anyway? I reckon the former is for the Developers, and the latter is for the Publishers. Certainly, it’s always the Publisher who makes the final call on whether a game moves into Production or not - although obviously the developer has to make a judgement call on when they think they are ready to submit themselves to that judgement. In practice, external dev teams often run out of pre-production budget and so the decision is forced upon them to a certain extent, whereas internal teams can - if they’re politically skilled enough - carry on coasting for quite a while longer.

Stupid article on “VideoGame Story Design”

adam — Wed, 25 Jun 2008 11:11:50 +0000

Someone at work forwarded around this article/manifesto about how “Great story is the Holy Grail of gaming”. I read it, and replied that I found every single paragraph had at least one stupid claim or ridiculous statement in it, and that overall the manifesto was basically a load of ****.

It was a Monday morning, maybe I overreacted. Maybe not. Anyway, someone asked me to explain more specifically what I was objecting to, so I write a quick analysis of the first three paragraphs. I was going to go through the whole first page, but realised that even after just one sub-section, it was clear the rest of the thing isn’t even worth reading (I did read the rest of it first time around, of coure). I thought it might be good to post here, mainly because I object to people spouting crap about game design. There’s also a blog post where you can comment about the article. This is all in my own humble opinion, of course, I expect you have your own opinion…

First section - “The Glorious Cause”

“Great story is the Holy Grail of gaming” - no, this is not and never has been the Holy Grail. If anything, “fun”, and especially “how to make things more fun”, is the Holy Grail.

“Story … separates the game world from the other narrative arts.” - IME, there are many many books and films that have story that would be bested by some of the weakest of games. Rather, it is “interactivity” that separates the game world from the other arts. This is possibly the single most important thing to understand about games compared to other narratives.

” it could very well be said there are only seven types of games.” - FPS, RTS, Monty-Haul RPG, SHMUP, platformer, puzzler, immersive world, adventure, battler/dueler, collectibles, world-sim, god-game, rhythm, … I have gone way over seven already, and each of those is clearly (I hope) separate. I can go to about 15 more I think, without trying too hard. In my own experience as a gamer, having played thousands of different games, I’d say that new genres are still appearing every couple of years with a satisfying regularity. I haven’t noticed a slowdown. I get the impression I play (and have played) a LOT more games than the author of that article.

” it’s clear the glory days of inventing entirely new genres are fading away” - please go visit http://kongregate.com, click on “badges”, and try playing the five most recently-added games. Ten times that many are added to the site every few days, so that’s only a tiny tiny sample, and yet among those 5 you are likely to see a kind of game you’ve never seen before.

” As the industry moves forward, great story will be the single unifying trait that will separate the good games from the great ones.” - no, the only unifying trait will be “fun”, and in reality the games industry is far too broad for there to truly be a “unifying trait” - we have to fallback to an extremely vague concept.

” the fantasy of integrating rich, complex stories with first-rate gameplay is now a reality.” - few people share this “fantasy” - indeed, it’s almost certainly going to cause an ugly mess of a product that is satisfying to almost no-one. Rich, complex stories capture the audience and forceably take them somewhere and make them experience something. First-rate gameplay is highly interactive and re-active, and usually allows each player to enjoy many unique experiences - even to create “stories” of their own. Whilst you *might* be able to create a game that has strong elements of both, it is very likely to be in a small niche where the two can come together, and the best you can achieve is almost certainly going to be less than the best you would achieve with a more pure “story” or more pure “game”.

That was all just in the first sub-section. I found the rest of the article to carry on in a similar vein, stuffed with naive claims and patently false statements, buiding them up to reach arbitrary conclusions.

Which is sad, because some of the final claims *can* be made on a basis of fact and understanding, instead of on the basis of … well, pretty much nothing … as they are in this article. IMHO there is value in merging good story with good gameplay, but it’s a heck of a lot harder and more complex than the author of that article would like to face up to.

Sysadmin help: exceptionally good quick guide to VI / VIM

adam — Thu, 19 Jun 2008 12:08:12 +0000

If you do much work administering linux servers - or, especially, if you DON’T do much, but occasionally need to - then it’s a massive time saver to be fluent in one of the text-based file editors that are found on all versions of Unix. As a developer working with game servers, I’ve found the effort invested in learning VI has paid off enormously over the years - I don’t use it as my editor of choice (I use a full fat GUI, either Visual Studio if doing C/C++ work, or Eclipse for Java/most other things), but when I’m stuck on an SSH connection needing to do some quick editing of local config files, or to fix a script on a remote server etc, it’s very very useful to be confident and effective with a text editor.

Unfortunately, as IDE’s moved on, the minimal set of features I found I can’t better to edit without got bigger and bigger. Fortunately, VI has morphed over the years (via VIM, which is the version of VI most widely used both on linux and windows it seems - it has a backwards-compatible mode that makes it work identical to VI) and adopted most of those. But … the documentation is so immensely huge that it’s a nightmare to find what you need unless you already know what you’re looking for.

So, I was delighted to find these powerpoint slides (found in this post) that give very detailed yet very easy to follow advice on using VIM, and tell you the keywords you’d need to search in the built-in help for vast amounts of extra info on each item, as well as pointers to the small subset of commands that it’s worth you learning for yourself and memorizing.

I hadn’t realised until now that VIM now has popup-autocomplete “just like in Visual Studio”, with a dialog box, method signatures, everything. Awesome! Not that I see it as any kind of replacement, of course - it’s just nice that a feature I use every few seconds in my normal programming environment (so that I’ve become accustomed to its presence) is mirrored into an editor that I occasionally have to use for short or not-so-short periods of time.

Wireless Security: Did you know?

adam — Sun, 15 Jun 2008 16:55:26 +0000

Based on my unscientific quick straw poll, the majority of computer-literate people have no idea how WLAN / wifi / wireless LAN security works and - worse - are actively exposing all their data and passwords to all services, having convinced themselves that they are “mostly” safe or secure.

I’m posting this in the (possibly vain) hope that it might persuade some more people to stop being foolish and/or lazy and perpetrating embarassingly poor security with their own and other people’s systems. I’m going to (hopefully) blow apart a popular myth. And hopefully get a decent Google ranking for it, which I’ll explain in a moment.

So what? I’ve been going around gently advising friends, colleagues, and acquaintances that they should make some minor changes that make all the difference and left it at that.

But then I went to a conference run by Sony (of Playstation fame) where they were running an unsecured network right on London’s South Bank, within easy reach of a vast number of cafe-goers and laptop users.

Oh - but they weren’t just running it unsecured, they were pumping out it’s SSID to all and sundry, offering a blatant invitation: they’d named it “DevStation 08″, broadcasting from a large building with 6-foot-high letters and logos on the outside and inside proclaiming the same name and advertising that DevStation was the Sony PlayStation developer conference. Um. Maybe not such a good idea? (and this is far from the first or only conference I’ve been to that’s done this - I’m not criticising the organizers of that conference in particular, it’s just a great concrete example showing that even well-funded orgs are making these very basic mistakes)

The worst thing…

…is that if you google wireless security you find many many pages and sites that advise on it, the vast majority of which avoid telling people the one thing they need to know - how to secure a wireless network the easy way? - and many of which veer so far clear of telling the truth it’s clear that the people writing them don’t have a clue about wireless security.

I’m no expert in wireless security, but … I have spent some years in online security and especially server security, so I have a fairly good idea what to look for and what to expect. I used some of my standard tools and knowledge to test out what I thought was going on with with wifi networks, and it’s proved very helpful. I’ve proved some of my suspicions, without having to rely on the vast number of incorrect and misleading websites out there. I may have made some stupid mistakes in this post (I’d welcome corrections…) but I’ve waited several months until actually trying out the various obvious attacks before having the courage to post about it, so I’m reasonably confident I’m not talking crap here :). Hopefully no-one’s going to shoot me down in flames here :).

The first few times I encountered people claiming that their networks were “secure enough” in ways that I found suspicious, I tried googling to confirm/deny what I thought was going on. I must have looked at close to a hundred odd webpages on the topic, and not ever found a straight answer. Argh.

The most important thing you need to know: if you are not using ENCRYPTION KEYS then you are GIVING AWAY ALL YOUR PASSWORDS, no matter what you think you have in place that is making it “not as bad as that”. You’re wrong. Trust me.

Levels of wireless security

Level 1 - switch it on and see if it works

This is really important when you buy a new computer / laptop / wireless router and need to find out if the damn hardware actually works and is all “compatible” with each other. There are many websites talking about things to do to make this work.

Sadly, very few of them (actually, no more than one that I’ve seen so far IIRC), tell you the most important final step:

Immediately disable everything, and start again from scratch with it all encrypted

Level 2 - hide the SSID

This is a good move - it stops your router from actively telling every computer (and - incidentally - many mobile phones (!)) in the area that you have a wireless network, that it’s free, and that they are welcome to use it.

What is an “area”? Well, with modern computers, it’s about 200 metres. That should be long enough to reach the length of your garden, into the garden of the house behind you, and out into the next street over. Quite a long distance. In most cases we’re talking *considerably further* than you could shout or see from your home, far enough that it would take you the best part of a minute just to run to the most distant point your wifi is reaching.

Unfortunately, anyone who knows anything about computers and who wants to get a free network will require approximately 10 minutes with google to find various tools that will give away your network anyway. But … it was a good first step - well done!

For most people, it’s *not worth the effort* of hiding the SSID, because you need to do the other steps anyway, and those “other” steps make you so secure that it doesn’t matter whether people can see your SSID. Many home users keep the SSID on just because it’s a pain in the ass to have it turned off when a friend comes round and wants to use their laptop etc.

Level 3 - force people to use a username and password to “login” before using the network

This is what the Sony conference did. It’s what several other conferences I’ve been to in the last few years have done. It provides … no security at all.

Did you read that correctly? I’m going to repeat:

A webpage with username and password provides NO SECURITY AT ALL to a wireless network

I don’t mean “because someone could guess the username/password” (they’re usually the same as the SSID name, sob).

I also don’t mean “because someone could casually ask anyone at the conference and probably be told straight away the correct answer” (although I’ve noticed that ten times out of ten that works. Easy!)

I actually mean because I verifiably was able to read all the internet traffic of everyone at each of these conferences WITHOUT LOGGING IN. This is using basic tools which are so common and widely used that I have them installed on all machines in the office *automatically* as part of the basic software install for new employees - no-one who does any multiplayer game development or online development (even webserver development!) would go without these tools.

The most common of all is Wireshark, an excellent network diagnosis tool which shows you all the traffic on the local network. Automatically. And … it has a nice feature where you click on some interesting traffic, and if it’s using TCP (note: all web traffic uses TCP) then Wireshark decodes all the information and reconstructs the stream of web-page requests and responses - including ALL THE FORM DATA YOU FILLED OUT, etc. On these “password-protected” wireless networkgs I ran WS just long enough to see that someone was logging in to their webmail (without reading the username and password, I just checked those fields were present), and then shut it down and wiped the data - I don’t want to know anyone else’s passwords, and don’t want to see anyone else’s private data.

Level 4 - turn on MAC authentication: only specific laptops / computers / etc can use the network

OK, so this seems REALLY secure. Several friends of mine use this, believing themselves safe. Um. Ahem. No. Sorry! If the data is not encrypted, then you have a setup that is no better than the one above - your router is still happily broadcasting (that means “shouting at the top of its voice”) all traffic to every wireless device in the immediate vicinity.

This is one of those things I googled extensively - at first, I thought surely routers wouldn’t be dumb enough to broadcast everything to all the EXPLICITLY DENIED wireless computers too? - and had no luck with finding simple answers (I didn’t want to try reading through the detailed hardware specs of wireless networking standards - there are too many of the things :( ).

Of course, unless they are implementing some key-exchange protocol, there’s no way they could stop themselves. And since I’m 99% certain that the MAC authenticated clients are using the same basic wireless protocol as the normal ones, which doesn’t include ANY key exchange, I’m pretty sure that MAC filtering is entirely pointless (from a “keeping your passwords private” point of view).

My friends are happily sending their hotmail passwords and all their private emails (you do realise, don’t you, that if you view an email in hotmail, your wireless router BROADCASTS that email to every wireless computer within a couple of hundred metres of you?) to their neighbours, their neighbours’ neighbours, and even to THEIR neighbours - and of course to every random person sitting in any cafe within a few hundred metres and who has randomly got their laptop out to do some work while they sip their coffee.

Level 5 - firewall

Some friends feel secure because they have a firewall. Windows Firewall now comes as standard on all Windows XP and Windows Vista machines. Apple computers running OS X have their own firewall built-in, and linux users generally know enough about networking to have implemented their own following one of the surprisingly easy-to-follow HOWTO documents on the web.

These all do … absolutely nothing.

As stated above…(sorry, going to repeat myself here)

if you view an email in hotmail, your wireless router BROADCASTS that email to every wireless computer within a couple of hundred metres of you

The firewall will stop some hacker/cracker from trying to break in to your computer. However, most crackers aren’t stupid enough to waste their time breaking in to your computer if you’ve already given them the password to every online service you ever use, especially your primary email address. Being able to SEND AND RECEIVE email from your inbox is normally enough for them to steal all the passwords to all your other online systems, including important ones like, oh, your bank account.

Worried yet? You should be.

Level 6 - WEP and WPA - encryption key-based, protected wireless network

Here’s the secret: security Levels 1 to 5 don’t really exist. They have practically nothing to do with wifi security. Some of them are very effective … at solving different problems. Unfortunately, too few people realise that there is more than one problem when it comes to security when using a wireless internet card - and that the main problem (can everyone else see your username and password? Can they read all your emails? etc) isn’t being solved by those other solutions.

If your wireless data is not encrypted, then it doesn’t matter whatever else you do - you’re giving away everything.

In case you were wondering how easy it is for people to find your non-secure network, think about this: All Windows and Apple computers automatically show the user which networks in range are secured, and which are unsecured. Yep. They make it *real easy* to find the ones that are crying out “please abuse me”.

What you should do next. Do it. Do it NOW.

Now, if you google, you can actually find many many websites / pages talking about the differences between WEP and WPA, and the comparitive advantage and disadvantages, and advice on how to get them working between, say, a Netgear router, a Linksys network card, a Windows PC, and a Mac Airport device. That’s fantastic - well done, teh interweb! (no seriously - I’m delighted).

Now, please, everyone STOP AVOIDING WEP/WPA. Actually, please just use WPA: it works on *everything*, and there’s a vast number of HOWTO’s, FAQ’s, and troubleshooting guides to get you up and running on every conceivable combination of hardware and software.

And if I’m wrong, if you can’t get it working, please feel free to comment here, and I’ll do my best to help you. Because, frankly, I don’t ever want to fire up OS X again and see in the list of nearby wireless networks any of them without that little padlock icon that tells me they’re using encryption.

Dr. Kawashima who?

adam — Wed, 11 Jun 2008 10:41:52 +0000

At the Casual Games conference at GDC 06, one of the audience stood up and asked the panel of Serious Games or Casual Games industry experts whether they thought that Brain Training was going to do similar numbers in the US as it had done in Japan, and how that might change the face of casual gaming.

The response from the panel was almost literally: “What? Never heard of it”, leading to shock and awe on the part of the questioner, and a collective shrug of “who cares?” from the panel. I was very surprised, but also highly amused at the ignorance of the US casual games people on the panel, and expected that sooner or later they’d get their comeuppance for not paying any attention to worldwide big trends like BT.

I noticed in this year’s roundup of Dev studios by Develop that Brain Training did approx $45 million revenue this past year in the UK *alone*, and the sequel added a further $30 million or so. In the UK. In the last 12 months. Alone. Yeah, think about that.

Maybe I should dig out the list of panels at GDC 06 and try to remember which panelists it was, and drop them a friendly email with the original question re-asked :) ? It would be cruel, perhaps - but if you’re going to organize a panel on the future of casual games and invite questions, then perhaps you’ve kind of committed to offering the audience some level of knowledge on what’s going on :).

NB: I’ve never sat on any “future of…” panel, and don’t intend to. As one of my esteemed colleagues puts it: if you have any confidence in your prediction, why are you telling all your competitors? (one obvious answer is, of course: because you’re going to start a company and you’re fishing for investors and partners - but that’s pretty narrow :))

Dr. Bartle: Three Views from 2018

adam — Wed, 11 Jun 2008 10:37:26 +0000

I just heard this talk at the MMOGfest academic mini-conference last week - apparently, it’s mostly the same as the talk he gave at the independent MMO conference earlier this year, but I think a lot of people didn’t manage to go to that one, so it seems worth reporting here.

Like all the other conference-talk writeups, any errors and ommissions are my fault, and my personal comments appear in square brackets throughout.

Summary

As noted in his Guardian article, “We’ve won”: games are here to stay. In the MMO space - despite all the threats and challenges - it looks like MMOs will continue to innovate and expand, and become better and better. A good, upbeat, keynote talk.

The future of MMOs … if you’ve just stepped out of a law conference

Applying the laws wrongly

games and non-games have different legal sets: you’re allowed to beat the living daylights out of someone in a boxing ring
possible outcome: VWs get no special treatment
current signs: SL EULA being struck down in court

[too many people try to extrapolate blindly from "real world" laws into vw/online/games (which have few or no laws of their own ... yet). But I think we have to be careful not to mix that up with the specifics of things like the SL case, which *even with separate laws* probably would go against Linden. Laws generally reflect the prevailing culture (according to the lawyers), and in the prevailing culture Linden seemed to be acting unfairly]

Money laundering

[insert description of normal money laundering here]
[my only question is why govts haven't gone AWOL about this > 5 years ago?]

Income tax

- in-game assets are valuisable => legally, they come under the laws of income tax

Patents cost a pittance to file, but .. It costs the blood of 12 freshly-slain virgins to get a patent revoked [yes, he actually said this :)]

The future of MMOs … if you’ve just stepped out of a business OR education conference

This misfits: the MMO developers got left behind by the rest of the world

Too much reality being applied into MMOs destroys the fantasy aspect

advertising real-world products in MMOs intrudes the real world into the virtual world, blurring the boundary of the alternate reality
micro-payments allow real-world status (wealth) to shape virtual world status (economy; dominance of best character/weapons/etc) [that's simply illogical: it's the kind of thing that Economists present as infallible logical reasoning (Richard didn't, I'm just saying that other people do) and yet it has nothing logical or inevitable about it - it's simply a guess of an idea of a thing that might happen with a potential explanation for why that MIGHT happen which even so may not be the real underlying reason it did happen. i.e. it's nothing more than a guess and a groundless theory until/unless you add something - anything - that makes it more solid than that.]
games were used by non-gamer educators as education tools, undermining the idea that a game should be “fun”
educators want to use MMOs to paper over the cracks in the existing education system [there is a third way here: there are games being made that are exceptional teaching tools. Strangely, very few people are talking about this - I suspect it's because the smart money is already quietly investing in it]
in each case, MMOs are never regarded as being worthwhile in their own right, they’re only being seen as tools to achieve various unrelated things

At one conference I went to last year, some corporates literally couldn’t see any distinction between Facebook and Second Life. [this clearly annoys/depresses him - I'd be interested to know in what WAY they saw them as identical: were they just exceptionally ignorant and had no idea what either is actually like? or were they saying that, treated as a black box within wider processes / business models, the two are effectively indistinguishable? Or ... those two templates, done appropriately, would be effectively indistinguishable [I think that part is often true]]

The future of MMOs … if you’ve just come out of a game-developers conference

The good, the Bad, and the Ugly: Clint Eastwood won because he had the best weapon

MMOs are inevitable

in pure numbers terms, it’s no longer possible for govts and business to overcome / restrain / divert future MMO development: too many people already play the current variants, and any accidental poisoning of the concept, or attempt to shoehorn or co-opt for other uses, will simply get left behind and fade away into insignificance
MMO devkits and low-cost art/animation assets open up virtual world creation [there are several companies that could launch this now or in the near futurebut haven't / aren't, and IMHO really should]
most people cannot do IRL the things they do in MMOs, so MMOs have no alternative, unlike people like Richard Garriott who can afford to go into space like their Dad.

[shows a slide he put up at the very start, a photo of Blondie with lots of the Muppets]

My opinion? I already told you, subtly: the name of Clint’s character in Good, Bad, Ugly was Blondie.

MMOs will win because all that’s standing in the way is a bunch of muppets

Q: Why do you see Educators as being so negative?

Computer games in general are good at teaching two things: facts, and higher-order problem-solving skills

All the education money goes on something somewhere in-between, which is neither one nor the other.

Can you teach people to integrate using games? Well, sort of, but you can do that more effectively in other ways.

[Ha! I disagree completely. But ... it's hard, really hard, because practically all the good game design has ignored teaching to date, so we have almost no examples and almost no learning / knowledge to start from :( ]

Games abstract out details of things to improve gameplay, but that means they often teach incompletely, e.g. pirates games teach a lot about the economy of the carribean, but completely miss out the slave trade, despite that being an essential part of the economy, the history, etc.

Q: do you see a potential for developing a casual MMO?

Yes. Teenage boys are all playing Runescape, but the girls are largely unserviced as a market.

Many parents can happily play an MMO internsively for 2-3 hour sessions, IFF they can be interrupted unexpectedly for 5-10 minutes at a time. e.g. because a child needs some help with something. MMOs currently don’t allow them to do this - if you drop out AFK for a few mins, the raid fails.

Many retired people play poker and canasta online not because they like those games but because those are the only games that fit within their real-world requirements for commitment etc plus socialisation.

Q: do you play WoW?

I’m a designer, so I don’t get fun from playing them.

I get to see some wonderful design things, but I don’t need to play intensively to do that.

In the past, people used to interpret this as “you don’t REALLY know, do you? You just think you understand”. So, just for those people I got three characters up to level 70.

I’ll have to refresh my credentials when WotLK comes out, but I can say that nearly everything I learnt from WoW I learned by the time I reached level 10 - and the rest by level 20.

[I asked him afterwards "what about raiding, high-end PvP, Battlegrounds, etc?". He confirmed the above, and said that the details of PvP, raids, etc in WoW didn't matter, that it was the broad design decisions which mattered, and those he already knew without needing to participate in them. Personally, I think it's still critically important to understand the details, since so much of the success or failure of a game rests on the level of polish, and the polish is ONLY about these details]

Q: Are MMO’s evolving quickly enough, or just putting prettier front ends on the same old idea?

AoC is clearly a WoW clone. [and then he traced it back through EQ, DikuMUD etc, as per standard analysis]. It’s nicely done, but it looks soulless, no-one’s trying to say anything through that game. EVE has soul, UO had some soul, EQ tried to have soul but didn’t really have any.

Are you trying to say freedom or constraint? EQ et al offer freedom with one hand but take it away with the other, resulting in an inability to say very much really.

I’ve never been [able to be] a player - I was a designer before MUD’s existed, because I co-wrote the first one, so I never got to enjoy that sense of delight and discovery of playing a game without looking at it as a designer.

MMO patching: how it ought to be

adam — Mon, 09 Jun 2008 14:32:28 +0000

I’m seriously fed up with the mediocrity (you could use worse words; I’m being civil here) of most MMO publishers’ patching systems for MMOs. The very least you should expect as a player, even back in 2001, should have been something akin to the PS3 / 360 patching systems today: the most basic “fire and forget” - you try to play the game, it does a background download, then popsup to tell you when to click to finish the install. That’s *it*. No more.

So, how should it be? Well…

You might reasonably expect, certainly by around 2005 (that’s 3 years ago), a more fancy patcher that does things like:

lets you interact with the game while it’s patching (many games won’t allow you to access *anything* while patching sometimes not even the patch notes, which is amazing)
gives you a progress bar for how things are going, and an estimate of how long it will take
gives you an interactive list of all the features and changes in the patch, highlighting the ones that affect any of your current characters (e.g. big red text for if one of your characters has been nerfed)
read the forums without having to open a browser, surf past the adverts, etc

Actually, though, what I really want - and hey, it’s 2008, so I’m not being unreasonable here, is this:

chat to friends who are already in-game, especially those *waiting for you to finish patching so you can join them*
do something useful while you wait, like:
1. check your in-game message inbox
3. surf the auction channels to buy and sell stuff
create a new character (account creating usually doesnt require the main game client, it doesnt use any of the game world)
do some crafting, or any other of the in-game minigames that could be pulled out as a standalone minigame

And, of course, most things should be solveable without any of the above, and instead having:

do all the patch-downloading AND INSTALLING in the background while you’re playing

…although as far as I know only a very small number of MMO studios have architected their code design cleverly enough to be capable of doing this. It’s not rocket science, but most of them seem not to have decided it was worth the dev cost until way too late in the dev process to actually do it.

What it’s like today? Well, frankly, it’s crap. I could pull out many examples here (even the company I work for doesn’t have a patcher I’m satisfied with, even if it’s one of the good ones - it’s got good stuff like background automatic patching, but it’s missing a lot elsewhere), but one thing in particular wound me up today and inspired this post: Lord of the Rings Online patching.

I just got given the Gold edition of LOTRO. Took ten minutes to install completely from DVD. Finally get to the login screen, which tells me it cannot auto-update (huh? why not?), at which point it forwards me to a website with the following lovely instructions.

This is impressively bad :). To summarise:

It doesn’t do one-click updating
It doesn’t even download the patch file for you (sob)
It doesn’t even HAVE a patch file for you - you have to get multiple patch files, by hand
The patch files don’t check whether it’s “safe” to apply them yet - it’s up to you to install them in the right order
…but the order has three different versions, depending upon which boxed version you bought and what you’ve updated in the past (or not)

Sob. http://www.lotro-europe.com/newspage.php?id=1804 (copy/pasted below - mmo publishers often delete the patch note + install pages after a while, so I’ve learnt to archive the stuff from them. Just try finding the patch notes for the last 3 Anarchy Online builds on the web - broken links from every news site :( ).

“Book 13: Doom of the Last-king – EU Standalone Patch Instructions

VERY IMPORTANT NOTE: This patch will update LOTRO clients from Book 12 to Book 13. It is advised you only apply the Book 13 Standalone Patch if you are fully updated to the current live version of the game (Book 12).

IMPORTANT: If you are patching from the retail client of the game (i.e. you’ve just bought the game), before installing Book 13 you will first of all need to fully install the Book 9, Book 10, Book 11 and Book 12 Standalone patches.

If you are patching from the Gold Edition of the game you will need to first fully install the Book 11 and Book 12 Standalone patches and then log in / out of the game before beginning the Book 13 install.

To do this, please follow the instructions provided on the links below:

Book 9
Book 10
Book 11
Book 12

Please note that installing these standalone patches in an incorrect order may incur installation errors.

The downloadable patch for Book 13 is approximately ~715MB.”

EDIT: it gets better. The Book 11 patch (which seems to be equiavlent to 1.05 - different dialogs call it different names, oh joy!) finished patching, and then … started all over again from scratch. Huh? What gives? And just before the second patch, it showed the main launcher program which claimed “you are at version 1.05″ and popped up a dialog saying “do you want to upgrade to version 1.05?”.

Fortunately, I’d noticed a little DOS Prompt window lurking in the background, and I was suspicious enough not to do the obvious thing and cancel it, and checked the DOS box first. Inside that DOS prompt, it said:

Welcome to Codemasters Online.

Starting first part of the Lord of the Rings Online Book 11 patch!
Starting second part of the Lord of the Rings Online Book 11 patch!

Aha!

EDIT2: when you get to the LATEST latest patch - Book 13, a.k.a. version 1.07 (13 == 7, of course!) - things go pear-shaped again.

First of all, the main download site - gameshell.com - isn’t carrying the download for this patch. The easy way I downloaded the first few patches isn’t available this time around. Crap. And the primary download site requires installing some proprietary malware (* - I don’t know if it’s malware, I just know that when a website insists on “installing” a “downloader” in order to download the thing you REALLY want to install, and refuses to let you download the file you’re after … well, even as a developer, that’s not a path I’m going down).

And the next site down the list is member-only. And the remaining ones are very very very slow (2 hours to download the patch. ARGH!)

So, I tried the torrent. OMGWTFBBQ?! Codemasters knows about BitTorrent. Awesome!

Only … they broke the tracker. Doh. Still, at least it is downloading now. Finally. And there’s a 9.9 availability (i.e. almost ten complete copies of the patch in the network, which is good but definitely not great - depends how long Codemasters carries on seeding the torrents)