RPG Vault – Online Worlds Roundtable #15

Interviewed for RPG Vault’s latest Online Worlds Roundtable – http://rpgvault.ign.com/articles/817/817490p3.html

“Web 2.0 businesses compete directly with the games industry on multiple levels, and anyone who doesn’t spot that and act accordingly will suffer. If your game doesn’t embrace – or deliberately and carefully reject – Web 2.0, you’ll find that your users have created the space you *didn’t*, and someone else is monetizing it. And they’re probably making more revenue than YOU are from providing the core service in the first place!” – Adam Martin

Entity Systems are the future of MMOG development – Part 1

A few years ago, entity systems (or component systems) were a hot topic. In particular, Scott Bilas gave a great GDC talk (http://scottbilas.com/files/2002/gdc_san_jose/game_objects_slides.pdf – updated link thanks to @junkdogAP) on using them in the development of Dungeon Siege. The main advantages to entity systems were:

  • No programmer required for designers to modify game logic
  • Circumvents the “impossible” problem of hard-coding all entity relationships at start of project
  • Allows for easy implementation of game-design ideas that cross-cut traditional OOP objects
  • Much faster compile/test/debug cycles
  • Much more agile way to develop code


How to really secure WordPress for a remote blog

EDIT: downloading the nice plugin recommended in this post will now break your blog if you’re using WordPress 2.5 – the wordpress authors have made some incompatible changes. But it’s OK – bengreen has fixed the plugin, and made a new version available (read here for some very basic information on what will break and idiot-proof instructions on how to fix it)

I had a nasty shock when I realised that wordpress by default has no security at all. Anyone in your office who doesn’t like you and has a basic knowledge of using google can potentially steal your admin password and take complete control of your blog. This is, really, pretty mind-blowingly stupid – I love wordpress, but “no HTTPS support out-of-the-box” is frankly irresponsible, especially for a product used by so very many people across the world. The only good part is that AFAICS on a quick glance there’s no easy way of taking control of the entire webserver if you’re the wordpress admin (plugins still have to be manually uploaded, so you’d need separate access to the server to manage that).

What follows is a discussion of how to fix this, along with links to step-by-step guides that worked well, and an extra note on how to complete the process without doing the “login once insecurely” that all the guides tell you to do at the end.

AGDC 2007: Web 2.0 + Games meetup

I’m talking at Austin GDC on “Caching for Web 2.0”, and I’ll be having a small dig at the games industry and the obsession some people have with “game 1.0/2.0/3.0” on the side, but I’d really like to meet up with anyone interested in how best we can capitalize on the lessons from Web 2.0.

I think the vast majority of people in games still don’t “get it” when it comes to understanding web 2.0, and are going to make some really stupid egg-on-face mistakes and miss a few more big opportunities. But that’s just my opinion… :)

What’s yours?

Venue: Halcyon
Time: 19:00
Day: Wednesday 5th

UPDATE 2: a couple of photos here

Re-install complete; blog should be OK

Someone brute-forced their way into the server last week, my fault for not disabling all logins to the server.

Normally, this isn’t a problem, as the default firewall setup I always use prevents any remote logins except from known-good hosts. However, this server was accidentally provided with partially missing firewall code by the hosting company, and so I couldn’t run my firewall without first upgrading the kernel. And I’d been “too busy to get around to” doing that…

How to Make Facebook Apps Using Java – part 2

In the first part, I covered a very high-level, idiot-guide to getting started with writing a Facebook app in java. This part will cover the details of how to architect your own code for basic Facebook authentication, and include code samples you can use to get up and running more quickly. It will also explain in more detail precisely how Facebook’s servers interact with your code, and what you can expect (and what their servers expect of you!).

NB: if the quoted source code is unreadable because it disappears off the edge of the screen, select it and copy/paste (or view source of the page to see it). The most useful stuff is put together into one class you can download here – source code for FacebookLoginServlet.java.

Computer Games Industry Careers – Programmers

I’ve been in the games industry for some years now, and one of the things I find slightly annoying is that there’s very little discussion of “career progression”, and that what little there is typically focusses on “how to get your first job in the industry”.

Career Charts

Many years ago, I used to work at IBM’s R&D labs, and discovered that they had whole tables of “possible career paths” that you could download internally and consult when trying to decide what to do with yourself. They pressed hard on everyone to take some time out every 3-6 months to evaluate how their personal career was progressing, think about what they wanted to be doing in the future, and decide what long-term decisions they should be making in the present and near-future to help them get there.

The emphasis was on the individual, and of taking control of (and responsibility for!) your own future. The guides were there to help you find out what a potential future boss would expect of you if you wanted to apply for a job years in the future – when you’re a junior programmer, you may have no idea what a senior manager is supposed to do. No problem – except if you wanted to become one, in which case you wouldn’t know what to concentrate on learning for the next 10 years.

Big companies in the games industry, like EA, certainly do a similar thing internally. But I’ve so far failed to find any decent external, public, guides. So, for the benefit of anyone else who’s ever wondered what they should be doing to further their games-industry career, I’m going to start publishing my own take on this. I’d really really like input and feedback from other people, although there are big problems with conflicting definitions e.g. of what, exactly, a “development director” is. But at least I can start…

Chart 1: Programmers

Typical career progression for Programmers

This is a basic chart showing the main flow of career progression for programmers.

The most important thing to point out is that it only shows internal progression – later posts will show how you can easily move sideways from some of these positions into different disciplines, especially Design and Production. But I’ll be covering each core discipline in its “plain” form first, and showing the links between them later.

Programmer levels

Junior – recent graduates and/or people with no games industry experience and not enough years of hard-core C++ coding to jump straight to the Programmer level. Note that most Juniors pick up some specialism – not enough to become an expert, but enough that later they can re-specialise in that role as a Senior.

Programmer (normal) – anyone who’s passed their apprenticeship as a junior, typically with 1-3 years of experience programming on games projects, and credited on 1-2 published titles.

Senior – a programmer who has decided to specialize in an area of programming, becoming an “expert” over and above a normal programmer. Usually someone who chose to avoid a managerial position – although note that on larger teams most Seniors end up managing Juniors in their area of expertise. However, the management is mostly mentoring, as opposed to Leads, who do much more project-management-esque roles. Seniors typically start off as a Junior in the same area of expertise, and refine their skills and gain lots more experience whilst a normal Programmer.

Lead – a programmer who manages a team of programmers. There are two types of Lead: the mentoring lead who still programs day to day, who is an expert programmer who could have been a Senior, and the project-managing lead who hardly ever programs (if at all) and spends more time arranging the workload for all the other programmers and helping out the Project Manager(s) / Producer(s) with scheduling and delivery. Both types act primarily as go-between, interfacing between the entire programming team and the rest of the world (design team, art team, and producer). Most Leads are experimenting to see how much they like project management, and may switch to being a Producer or Project Manager later on.

Technical Director – ultra-experienced / skilled experts, usually troubleshooters floating amongst all dev teams, or attached to a particularly large team. They take on all the non-direct-programming tasks that require substantial technical expertise. This often means a big role in hiring, solving long-term problems, and architecting large systems for complex games.

Development Director – this one’s very vague, because more than any other Programming role there’s huge variety in the actual responsibilities of this role from company to company. I’m defining it here as “the person who is in overall charge of all direct creation of all games: programming, art, and design”. Their role is entirely strategic – they may be a skilled technical person (there are many other routes to this role – see upcoming charts in future posts), but they delegate ALL technical issues to their one or more Technical Directors. However, they typically make the final decision on anything affecting the development process or the overall studio and how it develops.

Next … Design (probably. Or maybe Production…)

How to Make Facebook Apps Using Java – part 1

I wrote a game last weekend, for Facebook. Writing the entire multiplayer persistent game took a day and a half; getting it to integrate with Facebook is taking several days. Mostly, the problem is that Facebook hasn’t – yet – provided user-guide documentation, and there are plenty of bugs in their system. Without docs, you have to guess whether a “nothing happens” is due to your mistaken guesswork, a bug in FB, or … a bug in your own code. That’s fine, but it takes time, lots of time.

Google kept giving me zero hits for any of the problems, or even any java-focussed docs (just one link to a FAQ on an issue that seems to be a bug that was fixed a while ago. That’s all). So, as I solve the various problems that come up, I’m writing about them.


First thing to be clear about: if you want to write FB apps using java, you’ll be using Enterprise Edition (J2EE). The way FB works *requires* you to provide a webserver for your app. Whilst it’s true that java can run in the web browser, that’s a completely different way of using java – for this, you’re going to have to find a server, and install J2EE (it’s the same as standard java, just has lots of extra libraries, only a few of which you’ll need to use).

Facebook Apps: how they work

This diagram shows a very simplistic summary of the different URLs that you are asked for when registering a Facebook application, or that are used when serving an App. Note that FBML is served entirely internally in the FB server, it does NOT make a request to your web server.

NB: this image got deleted in the server crash last month; WordPress is rather badly designed with images, and doesn’t save them. But it’s been stolen and copied widely all over the web, so you can probably find it relatively easily.
Basic explanation of facebook servers

First step: Registering your Facebook Application

Assuming you can find yourself a webserver/J2EE server to run your app on, and have a domain name for it (or the hosting provider gives you a default domain-name – you don’t HAVE to buy one just for your app), the first thing to do is register the app with Facebook. This just reserves the name of your app, and gets you the login details you’ll need before you can do ANY testing or development.

This process is actually nicely documented (and is also very simple – although the huge scary forms they ask you to fill in are very poorly explained, there are only a few fields you actually *need* to fill in). Don’t follow the list of things on that page literally, see the differences below that you want to make.

For the URLs you need to fill in, you’ll be making a servlet for each. So, work out the URL for each of the servlets (depends on how you set up your J2EE server), and have them ready to give to FB.

So, to summarise:

  1. Create a Facebook account if you don’t have one, and login
  2. Add the “Developer” app to your account (link is here)
  3. Go to your Home page on FB
  4. Click on the Developer app in the sidebar to go to the main centre for all your Developer activity
  5. Make a new application, and fill in the form it presents you with (make sure you do at least the following):
    1. App name
    2. Callback URL (see the example app)
    3. Canvas page (see the example app)
    4. iFrame (not FBML)
    5. Post-add URL (see the example app)
  6. Save the api-key and the session-key that it now displays for the newly-created app – you’ll need them to do any coding

First test: Can Facebook display your Application?

Create the various servlets on your server (callback, postadd, and canvas) and make each of them return basic HTML that just says “callback servlet”, “postadd servlet”, or “canvas servlet”.

Open a new browser window, and type in the canvas page URL from FB, something like: http://apps.facebook.com/yourApplicationName

You might be asked some security stuff by FB, but once you’ve got past that you should then see a Facebook page with the navbars etc, but just a big empty space in the middle with the text “callback servlet”. If so, congratulations, you’ve got your app basically working. Now comes all the hard stuff…

If not, first check that your servlet is even working, by copy/pasting the callback URL from your FB application settings (click Edit Settings to re-load the form you submitted) into a browser window, and seeing if you can get the page. You’ve probably got a typo in the URL you gave FB. If the “callback servlet” text doesn’t come up on its own, without all the FB stuff, then your J2EE server is misconfigured or broken. Time for you to go find some Tomcat / jBoss / etc tutorials and get your J2EE working…

Part two…

Now you can move on to part 2 of this series, covering the details of how to authenticate with Facebook and start doing interesting work, including sample source code.

Recruitment party photos

We didn’t quite get the sunny afternoon we were hoping for, but we did get some nice light

develop conference 2007

…so we had to move inside, but we still had a great turnout of people

ncsoft recruitment party 031

And it’s nice to have a games-industry recruitment event right on the beach, by the sea, for a change (instead of in the centre of a big city)

ncsoft recruitment party 035

NCsoft recruitment party – Thursday 26th July

NCsoft Europe, publisher of award winning online games such as City of Heroes and Guild Wars is searching for skilled individuals to join a growing internal development team. We offer competitive salaries, excellent benefits, a casual work environment and the seaside just 10 minutes walk from the office!

To coincide with the Develop Conference next week, NCsoft will be holding a joint recruitment party with Linden Lab. If you’d like to join us for an evening of food, drinks and the chance to chat to us about our current vacancies, then head over to this page for more details.

Please note: this is an industry only event, and numbers are strictly limited.

Now hiring … MMO developers in the UK

Senior Network Developer

“NCsoft is one of the world’s biggest online gaming companies, a major developer and publisher in Asia, America, and Europe. We need an expert in online games development – from low-level network programming to multithreaded server code.

This role is in our UK studio, in Brighton. The office is in the centre of this vibrant city, just a couple of minutes from the station and a five minute walk from the seafront.”


Junior Network Developer

NCsoft Europe – Brighton, UK


Gameplay Developer

NCsoft Europe – Brighton, UK


Austin GDC: Vote for your conference

AGDC is a small computer-games conference (about 1,000 attendees) with a particular focus on online and massively-multiplayer online games (MMOGs). In that context, it’s pretty big – with such a niche within a niche, it tends to have talks and representatives from most of the players in the space.

Every year, each of the games industry conferences has to pick between 100 and 300 talks and speakers, each of whom gets a free all-access ticket and usually free international travel, hotel, etc. The process is fairly straightforward: they put out a request for proposals about 6-9 months earlier, receive thousands of 1000-word abstracts, and select those that they think are interesting, novel, or will attract people enough to make them buy expensive tickets.

Democracy rules

Often, the choices made baffle, frustrate, or infuriate people in the industry. The most common complaint is that each year the conferences have a higher proportion of worthless talks on subjects that everyone with any experience already knows about, and contain no information you couldn’t have got from home just by using google for a couple of hours. A lot of conferences have a few near-identical talks each year, so that if you’ve been to one you needn’t bother with the rest – one conference even got a reputation for just recycling the talks given at other conferences already that year, which killed it. There are always slightly bitter rumours about the best way to get a talk accepted – “pay for some advertising with the company that owns the conference”, or “offer a favour to someone on the advisory board”. Certainly, the biggest games industry conference (owned by the same people who this year bought-out AGDC) – GDC – has had a substantial number of talks in the last few years that either blatantly broke the conference rules on talks “not being an advert for a product”, or which were of an extremely low quality / low in any actual content.

So … it’s particularly interesting that for this year’s AGDC, the advisory board only chose the majority of the talks. For the rest, they took all the speaker proposals they had received, stuck them online, and invited the world to come and vote for which talks should fill up the remaining places. Even more interestingly, you can see how many people have voted for each talk, and what the average score is so far.

One man, one vote … maybe?

One problem – there are no apparent rules restricting who votes. All you need is an email address (or gmail or mailinator) and a programmatic web browser, and you can choose who gets the free conference passes. I wouldn’t mind, but there’s a couple of talks I really want to go to myself which are on the voting list, and at least one of them isn’t going to get in – and I’ve little confidence right now that the ones that beat it will have done so by being the most popular with people who actually attend the conference.

And so onto the security angle here. This is the games industry, and this is a conference almost entirely dedicated to online games. It is immediately obvious that this voting system is open to rampant abuse (assuming they haven’t got silent back-end detection going on – I’m not criticising the conference organizers here, who probably have some good security measures in place, I’m merely using the visible details of the system as a starting point to talk about similar systems), and here’s a standard attack pattern:

“Write a program in a scripting language to automatically create accounts and vote for my talk”

  1. Use a free open-source library to make requests and post responses to the web server (libcurl)
  2. Use Firefox with the View Headers feature whilst surfing the site manually to see and record what you need to send and receive
  3. Create enough fake email addresses to swing the voting in your favour
  4. Don’t get detected

First of all, I’m not even sure that 4. above is an issue. Things to do:

  1. Use the US census data to programmatically make email addresses using believable REAL names with a wide variety of different names – and in the right proportion to be all US citizens
  2. Don’t have them all registered from a single domain name
  3. Don’t have them all from a single IP address (assuming they save your IP address when you vote, which most such sites don’t bother to do until too late)

In which case, the only question is “can we pass step 3?”. “But email providers have captchas, that stop automated account creation!” I hear you cry. Ahem. Even if they did (stop you automatically creating email addresses) the attack described only requires you to register enough email addresses to sway the voting. That may be as little as 50 or 100 emails – easily few enough that you could create them all yourself, manually. (In fact, right now, it would only take 20 or so votes to make sure your preferred talk was top.)

Cheating better

If you’re still worried about the organizers getting suspicious of all those 5/5 votes for one talk, just look at it this way:

“Identify the major competitor talks, and vote them down, instead of just voting yours up”

Easy enough to hide your skewing of the results in the sea of all the other, genuine, untraceable voters voting one way or another based on personal preference…

Finally, I just want to briefly look at the expected outcome of this, because it touches on a real-life problem with games security: it’s unlikely any individual will cheat, so it may seem it’s “mostly” OK … but with some systems (such as this one) it only requires one cheater to destroy everything. As soon as one person starts cheating, others will notice and will feel “forced” to cheat also – this is what happened with Diablo, when cheaters found a way to make their character able to attack in towns, where no-one was allowed to attack. Non-cheaters were forced to cheat just in order to become able to defend themselves – there was no other defence that would work.

Some people started promoting their talks on their blog, and others have now followed suit. The voting contest has become a contest of who has the biggest blog :). I’m sure this was intentional by the conference organizers – it’s an excellent way of getting more free publicity that specifically targets and promotes the individual talks rather than just the generic conference itself. Even better, it has a natural tendency to give the most publicity to the most popular talks-to-be, whereas the conference organizers have to second guess what they think will make people pay to come and listen.

I wonder why they decided to let anyone vote, rather than restricting it to people who had booked tickets? They could even have just taken a refundable deposit, up to a certain date, to force only people who were willing to stump up some cash to take part in the voting. That could have filtered out most of the “no intention of going to the conference” people (although it certainly wouldn’t have made the system secure from determined cheating).
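The post mentions "silent back-end detection" and suggests limiting the vote to ticket holders. As an added example (not code from the original post or from the conference site), this Python audit flags accounts whose every ballot is a 1 or a 5 cast shortly after registration, then compares the raw ranking with the ranking after removing those ballots and with a ticket-holders-only count. The record layout, the 30-minute threshold, and all voter and talk names are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

FRESH = timedelta(minutes=30)  # assumed threshold: voted this soon after registering


def t(stamp):
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M")


# Constructed sample data, not real conference votes.
ACCOUNTS = {  # voter -> (registered_at, holds_ticket)
    "ann": (t("2007-06-01 09:00"), True),
    "bob": (t("2007-06-03 14:00"), True),
    "cho": (t("2007-06-10 11:00"), False),
    "dev": (t("2007-06-12 16:00"), True),
    "eve": (t("2007-06-25 20:00"), False),
}
VOTES = [  # (voter, voted_at, talk, score 1-5)
    ("ann", t("2007-06-20 10:00"), "Caching", 4),
    ("ann", t("2007-06-20 10:02"), "Sharding", 5),
    ("bob", t("2007-06-21 12:00"), "Sharding", 4),
    ("bob", t("2007-06-21 12:01"), "Caching", 3),
    ("bob", t("2007-06-21 12:03"), "Billing", 2),
    ("cho", t("2007-06-22 18:00"), "Sharding", 5),
    ("cho", t("2007-06-22 18:05"), "Billing", 3),
    ("dev", t("2007-06-23 09:30"), "Caching", 4),
    ("dev", t("2007-06-23 09:31"), "Billing", 2),
    ("eve", t("2007-06-25 20:10"), "Sharding", 4),  # new account, moderate score
]
for i in range(4):  # four accounts registered minutes before voting
    reg = t("2007-07-02 02:00") + timedelta(minutes=3 * i)
    ACCOUNTS[f"x{i}"] = (reg, False)
    VOTES += [(f"x{i}", reg + timedelta(minutes=2), "Billing", 5),
              (f"x{i}", reg + timedelta(minutes=3), "Sharding", 1)]


def ranking(votes):
    """Talk names ordered by mean score, best first (ties broken by name)."""
    scores = defaultdict(list)
    for _voter, _when, talk, score in votes:
        scores[talk].append(score)
    return sorted(scores, key=lambda k: (-sum(scores[k]) / len(scores[k]), k))


def suspicious_voters(votes, accounts, fresh=FRESH):
    """Voters whose every ballot is a 1 or a 5 cast within `fresh` of registering."""
    ballots = defaultdict(list)
    for voter, when, _talk, score in votes:
        ballots[voter].append((when - accounts[voter][0], score))
    return {v for v, cast in ballots.items()
            if all(age <= fresh and score in (1, 5) for age, score in cast)}


def flagged_share(votes, flagged):
    """Per talk, the fraction of its ballots that came from flagged voters."""
    total, bad = defaultdict(int), defaultdict(int)
    for voter, _when, talk, _score in votes:
        total[talk] += 1
        bad[talk] += voter in flagged
    return {talk: bad[talk] / total[talk] for talk in total}


def audit(votes, accounts):
    flagged = suspicious_voters(votes, accounts)
    return {
        "flagged": sorted(flagged),
        "share": flagged_share(votes, flagged),
        "raw": ranking(votes),
        "without_flagged": ranking([v for v in votes if v[0] not in flagged]),
        "ticket_holders_only": ranking([v for v in votes if accounts[v[0]][1]]),
    }


if __name__ == "__main__":
    for key, value in audit(VOTES, ACCOUNTS).items():
        print(f"{key}: {value}")
```

Flagged voters are candidates for manual review rather than proof of cheating, since a genuine attendee can register and give one talk a 5 straight away. The per-talk share is what shows whether the flagged ballots cluster on a single talk.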

First Complaint

WordPress still has the worst UI for editing posts I’ve seen in years. It can’t even handle adding H3 tags! (you have to add them in source code, the visual editor doesn’t support them, and it’s got bugs if you try to then edit from the visual view afterwards)

What is Web 2.0?

This question keeps coming up, and most people just need a simple answer. This is the quick and dirty explanation I came up with for some colleagues with the added emphasis on concrete benefits rather than just theoretical ideas.

What is Web 2.0?

“Web 2.0 was the moment we stopped using computers and started using the internet” – frantic

…is a brilliant answer, I love it, and it sounds really short, but takes at least 10 minutes to explain properly. Probably more like an hour, if we’re being honest here. If you already know what Web 2.0 is, and know lots of examples and counter-examples, that sums it up neatly. But cryptically.

Theoretical definition

(my super short summary of: http://www.oreillynet.com/pub/a/oreilly/tim/news/2005/09/30/what-is-web-20.html)

  • Data is the most important thing in the world
  • Mass-market consumers are the most important business-partner in the world
  • Software that you can use today is more important in every single way than software that “works” or is “good”
  • Quantity (of consumers) beats quality: use Network Effect to get vast numbers of users very quickly
  • The internet is part of every platform. You are *always* selling stuff to the internet, *even when you think you aren’t*

Maybe explaining what the concrete benefits are will help.

Here goes…

OK, what does it actually do?

Web 2.0 has four main benefits:
1. A clever trick lets you use “the internet” as your development team, your sales team, your marketing team, or your support team. Increase your output by a factor of 100!

2. Make money out of other people’s data

3. Use other people’s development teams to build features for you

4. Provide a user-experience that is so many times better than anything you’ve ever done before that your sales increase substantially just because it’s so much more pleasant to use