Leaving myGDC

To: every “friend” on the GDC08 myGDC system
Subject: Quitting this

myGDC sucks donkey. It keeps deleting my password, the system seems to be a hand-crafted proprietary nightmare, the usability is awful, many of the links are broken even months after the site went live.

And, of course, this is a CMP system – so you can guarantee they will delete it and start again from scratch next year. Just like they have done every year since I can remember :(.

So, I’m deleting my account on here. Bye-bye!

NB: yet-another-stupid-bug from the myGDC system: it is impossible to mail more than one person at once.

Even better, if you click “compose message”, you get taken to a compose screen with an empty to box and *no way* to select target friends.

Hey, CMP! – the 1990’s called; they want their pre-gmail user-interface-designer back.

Nothing to see here, unless you care about culture?

Too busy to write at the moment (if I weren’t, I’d be working on followups to the entity systems posts).

So, in the meantime, go listen to the ever-brilliant Lawrence Lessig. I’ve just been listening to his 2006 talk on Free Culture. There are too many memorable, insightful, or funny elements for me to be able to sum it up; I’ll just say it’s one of my favourite LL talks amongst those I’ve seen.

“This is not about (quote) “piracy”. If I thought this fight was about your right to get access to Britney Spears music for free, I’d be on the other side, because I don’t think you should get access to Britney Spears music … at any price”

Games industry conferences versus blogging

I’m not happy with the direction games industry conferences are going in; I specialize in online games, and I’ve worked at the forefront of monetizing online entertainment, I’ve actually *made money* out of Web 2.0 – so I have real expertise in making use of the internet – and I really think we (as an industry) are missing a trick with our conferences. There’s an opportunity to do something really valuable and re-invigorate the conferences.

The previous entry outlined what conferences profess to offer their speakers, and what it costs the speakers to attend. Now I’m going to talk about the real, untapped, value of conferences to the speakers, and what we as speakers should be demanding, and how in the end it benefits all of us, including the organizers just trying to turn a healthy profit.


Problems of speaking at games industry conferences

I go to GDC every year, and also to 2-3 other conferences, but apart from GDC I vary which exact ones from year to year. These days, I’m a speaker at nearly every conference I go to, and I’ve never yet been paid for speaking, so it’s fair to say I have a pretty big time investment in each of them. I don’t make the choice to go to a conference lightly (especially given how long I’m out of the office for a typical conference, and how exhausted I am by the learning, the networking, the partying, and the international travel).

But I’m getting increasingly dissatisfied with the conferences themselves, especially as a speaker. And it seems to be getting worse, not better – and that’s particularly worrying. The conferences are still great, but the problems are significant.

First up, the costs of speaking, and the ever shrinking advertised benefits…


How to really secure WordPress for a remote blog

EDIT: downloading the nice plugin recommended in this post will now break your blog if you’re using WordPress 2.5 – the wordpress authors have made some incompatible changes. But it’s OK – bengreen has fixed the plugin, and made a new version available (read here for some very basic information on what will break and idiot-proof instructions on how to fix it)

I had a nasty shock when I realised that wordpress by default has no security at all. Anyone in your office who doesn’t like you and has a basic knowledge of using google can potentially steal your admin password and take complete control of your blog. This is, really, pretty mind-blowingly stupid – I love wordpress, but “no HTTPS support out-of-the-box” is frankly irresponsible, especially for a product used by so very many people across the world. The only good part is that AFAICS on a quick glance there’s no easy way of taking control of the entire webserver if you’re the wordpress admin (plugins still have to be manually uploaded, so you’d need separate access to the server to manage that).

What follows is a discussion of how to fix this, along with links to step-by-step guides that worked well, and an extra note on how to complete the process without doing the “login once insecurely” that all the guides tell you to do at the end.

AGDC 2007: Web 2.0 + Games meetup

I’m talking at Austin GDC on “Caching for Web 2.0”, and I’ll be having a small dig at the games industry and the obsession some people have with “game 1.0/2.0/3.0” on the side, but I’d really like to meet up with anyone interested in how best we can capitalize on the lessons from Web 2.0.

I think the vast majority of people in games still don’t “get it” when it comes to understanding web 2.0, and are going to make some really stupid egg-on-face mistakes and miss a few more big opportunities. But that’s just my opinion… :)

What’s yours?

UPDATE:
Venue: Halcyon
Time: 19:00
Day: Wednesday 5th

UPDATE 2: a couple of photos here

Recruitment party photos

We didn’t quite get the sunny afternoon we were hoping for, but we did get some nice light


…so we had to move inside, but we still had a great turnout of people

And it’s nice to have a games-industry recruitment event right on the beach, by the sea, for a change (instead of in the centre of a big city)


NCsoft recruitment party – Thursday 26th July

NCsoft Europe, publisher of award winning online games such as City of Heroes and Guild Wars is searching for skilled individuals to join a growing internal development team. We offer competitive salaries, excellent benefits, a casual work environment and the seaside just 10 minutes walk from the office!

To coincide with the Develop Conference next week, NCsoft will be holding a joint recruitment party with Linden Lab. If you’d like to join us for an evening of food, drinks and the chance to chat to us about our current vacancies, then head over to this page for more details.

Please note: this is an industry only event, and numbers are strictly limited.

Austin GDC: Vote for your conference

AGDC is a small computer-games conference (about 1,000 attendees) with a particular focus on online and massively-multiplayer online games (MMOGs). In that context, it’s pretty big – with such a niche within a niche, it tends to have talks and representatives from most of the players in the space.

Every year, each of the games industry conferences has to pick between 100 and 300 talks and speakers, each of whom gets a free all-access ticket and usually free international travel, hotel, etc. The process is fairly straightforward: they put out a request for proposals about 6-9 months earlier, receive thousands of 1000-word abstracts, and select those that they think are interesting, novel, or will attract people enough to make them buy expensive tickets.

Democracy rules

Often, the choices made baffle, frustrate, or infuriate people in the industry. The most common complaint is that each year the conferences have a higher proportion of worthless talks on subjects that everyone with any experience already knows about, and contain no information you couldn’t have got from home just by using google for a couple of hours. A lot of conferences have a few near-identical talks each year, so that if you’ve been to one you needn’t bother with the rest – one conference even got a reputation for just recycling the talks given at other conferences already that year, which killed it. There are always slightly bitter rumours about the best way to get a talk accepted – “pay for some advertising with the company that owns the conference”, or “offer a favour to someone on the advisory board”. Certainly, the biggest games industry conference (owned by the same people who this year bought-out AGDC) – GDC – has had a substantial number of talks in the last few years that either blatantly broke the conference rules on talks “not being an advert for a product”, or which were of an extremely low quality / low in any actual content.

So … it’s particularly interesting that for this year’s AGDC, the advisory board only chose the majority of the talks. For the rest, they took all the speaker proposals they had received, stuck them online, and invited the world to come and vote for which talks should fill up the remaining places. Even more interestingly, you can see how many people have voted for each talk, and what the average score is so far.

One man, one vote … maybe?

One problem – there are no apparent rules restricting who votes. All you need is an email address (or gmail or mailinator) and a programmatic web browser, and you can choose who gets the free conference passes. I wouldn’t mind, but there’s a couple of talks I really want to go to myself which are on the voting list, and at least one of them isn’t going to get in – and I’ve little confidence right now that the ones that beat it will have done so by being the most popular with people who actually attend the conference.

And so onto the security angle here. This is the games industry, and this is a conference almost entirely dedicated to online games. It is immediately obvious that this voting system is open to rampant abuse (assuming they haven’t got silent back-end detection going on – I’m not criticising the conference organizers here, who probably have some good security measures in place, I’m merely using the visible details of the system as a starting point to talk about similar systems), and here’s a standard attack pattern:

“Write a program in a scripting language to automatically create accounts and vote for my talk”

  1. Use a free open-source library to make requests and post responses to the web server (libcurl)
  2. Use Firefox with the View Headers feature whilst surfing the site manually to see and record what you need to send and receive
  3. Create enough fake email addresses to swing the voting in your favour
  4. Don’t get detected

First of all, I’m not even sure that 4. above is an issue. Things to do:

  1. Use the US census data to programmatically make email addresses using believable REAL names with a wide variety of different names – and in the right proportion to be all US citizens
  2. Don’t have them all registered from a single domain name
  3. Don’t have them all from a single IP address (assuming they save your IP address when you vote, which most such sites don’t bother to do until too late)

In which case, the only question is “can we pass step 3?”. “But email providers have captchas, that stop automated account creation!” I hear you cry. Ahem. Even if they did (stop you automatically creating email addresses) the attack described only requires you to register enough email addresses to sway the voting. That may be as little as 50 or 100 emails – easily few enough that you could create them all yourself, manually. (in fact, right now, it would only take 20 or so votes to make sure your preferred talk was top).

Cheating better

If you’re still worried about the organizers getting suspicious of all those 5/5 votes for one talk, just look at it this way:

“Identify the major competitor talks, and vote them down, instead of just voting yours up”

Easy enough to hide your skewing of the results in the sea of all the other, genuine, untraceable voters voting one way or another based on personal preference…

Finally, I just want to briefly look at the expected outcome of this, because it touches on a real-life problem with games security: it’s unlikely any individual will cheat, so it may seem it’s “mostly” OK … but with some systems (such as this one) it only requires one cheater to destroy everything. As soon as one person starts cheating, others will notice and will feel “forced” to cheat also – this is what happened with Diablo, when cheaters found a way to make their character able to attack in towns, where no-one was allowed to attack. Non-cheaters were forced to cheat just in order to become able to defend themselves – there was no other defence that would work.

Some people started promoting their talks on their blog, and others have now followed suit. The voting contest has become a contest of who has the biggest blog :). I’m sure this was intentional by the conference organizers – it’s an excellent way of getting more free publicity that specifically targets and promotes the individual talks rather than just the generic conference itself. Even better, it has a natural tendency to give the most publicity to the most popular talks-to-be, whereas the conference organizers have to second guess what they think will make people pay to come and listen.

I wonder why they decided to let anyone vote, rather than restricting it to people who had booked tickets? They could even have just taken a refundable deposit, up to a certain date, to force only people who were willing to stump up some cash to take part in the voting. That could have filtered out most of the “no intention of going to the conference” people (although it certainly wouldn’t have made the system secure from determined cheating).
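From the organizers' side, the signals discussed above (throwaway email domains, many votes from one IP, accounts created just to vote, lone 1/5 or 5/5 votes) can be checked after the fact, and the tally can be recomputed over ticket holders only. The sketch below is an added example, not code from the conference site; the record fields, thresholds and sample votes are all assumptions constructed for illustration.

```python
from collections import Counter, defaultdict, namedtuple
from statistics import mean

Vote = namedtuple("Vote", "email ip talk score age_min ticket")
DISPOSABLE = {"mailinator.com"}  # assumed list; the post names mailinator

def flags(v, ip_counts, per_account):
    """Reasons one vote looks like ballot stuffing (thresholds are assumptions)."""
    out = set()
    if v.email.rsplit("@", 1)[-1].lower() in DISPOSABLE:
        out.add("disposable-domain")
    if ip_counts[v.ip] >= 3:
        out.add("shared-ip")
    if v.age_min < 10:  # account registered minutes before voting
        out.add("new-account")
    if per_account[v.email] == 1 and v.score in (1, 5):
        out.add("single-extreme-vote")
    return out

def audit(votes):
    """Per talk: raw mean, ticket-holder-only mean, share of votes with 2+ flags."""
    ip_counts = Counter(v.ip for v in votes)
    per_account = Counter(v.email for v in votes)
    by_talk = defaultdict(list)
    for v in votes:
        by_talk[v.talk].append((v, flags(v, ip_counts, per_account)))
    report = {}
    for talk, rows in by_talk.items():
        ticketed = [v.score for v, _ in rows if v.ticket]
        report[talk] = {
            "raw_mean": round(mean(v.score for v, _ in rows), 2),
            "ticket_mean": round(mean(ticketed), 2) if ticketed else None,
            "flagged_share": round(sum(len(f) >= 2 for _, f in rows) / len(rows), 2),
        }
    return report

# Constructed sample votes: (email, ip, talk, score, account age in minutes, has ticket)
VOTES = [
    Vote("ann@example.org", "198.51.100.7", "A", 4, 9000, True),
    Vote("ann@example.org", "198.51.100.7", "B", 3, 9000, True),
    Vote("bob@example.net", "198.51.100.9", "A", 3, 40000, True),
    Vote("bob@example.net", "198.51.100.9", "B", 4, 40000, True),
    Vote("x1@mailinator.com", "203.0.113.5", "B", 5, 2, False),
    Vote("x2@mailinator.com", "203.0.113.5", "B", 5, 3, False),
    Vote("x3@mailinator.com", "203.0.113.5", "B", 5, 1, False),
    Vote("x4@mailinator.com", "203.0.113.5", "A", 1, 2, False),
]
if __name__ == "__main__":
    print(audit(VOTES))
```

In the sample, talk B leads on the raw mean, but the two talks tie once only ticket holders count, and most of B's votes carry two or more flags.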