|
I think I might take my ball and go home in that situation too. I really can't fault the server admin. Unfortunately, that's the weakness of the honor system. People, by nature, aren't honorable. Some shithead is always going to screw it up for everyone, and apparently this Dreemurr guy is that shithead today.
|
# ? Apr 11, 2016 23:46 |
|
Fitzy Fitz posted: I was on rune 10 or 11, but whatever it's just a game.

More like, you're the banker, and also the designer of the game, and the cheating kid is making fun of you for not having kept the other kid from being swindled, and also there's like half a dozen cheaters over the last several years of this game of monopoly, and they're all talking about how strained this metaphor is?
|
# ? Apr 11, 2016 23:51 |
|
Point is, I had a monopoly on those green ones and I was about to buy hotels.
|
# ? Apr 11, 2016 23:53 |
|
Fitzy Fitz posted: I was on rune 10 or 11, but whatever it's just a game.

Fixed
|
# ? Apr 11, 2016 23:53 |
|
A more apt metaphor would be burglary. If the door is unlocked, you're not Breaking & Entering. It still doesn't entitle you to steal all you want from the building. I think most of us would say "gently caress this, I'm out" under those circumstances. Hopefully someone will step up and make a proper auth system, as that's the only real solution. But that is a different skillset from what it takes to code the game, and isn't exactly easy work. The simplest implementation from a "get something running" standpoint might be to have an "official" server where everybody makes their account, and the others just refer to that for the confirmation when you start a new game. That really just moves the griefing up to everybody having a mad rush to secure their name before a griefer steals it though.
|
# ? Apr 11, 2016 23:57 |
|
Offline tiles looks pretty good right now, you guys.
|
# ? Apr 12, 2016 00:03 |
|
Not nearly as good as just changing to a different server. Offline tiles will never be as good because it doesn't have a scoring page that compiles all your runs into something other people can look at and that you can get stats from
|
# ? Apr 12, 2016 00:04 |
|
HisMajestyBOB posted: I'm guessing it's really, really complicated? It seems a bit weird to me that scoring is shared but login information isn't, but I'm not a programmer. I'd be curious to know more about it, actually.

So right now, all account credentials (username+email+hashed password) are local to a given server. The servers export a large logfile, containing all scores for games on that server. The central scoring system is manually configured to look at each of those logfiles for each 'official' server (official == we're looking at their logfile...), and compile them into a single scoring database, on http://crawl.akrasiac.org/ . I believe that Sequell has its own, separate database, drawing from the same sources.

Designing a shared sign-on system would be significantly more complex. You need a new system that stores account names & credentials, and servers must phone home to this system (what happens when it falls over - it will fall over. does that disable all log-ins everywhere? do you have a local cache? now you have to worry about keeping that in-sync...) You need this system to be 'pluggable' - you want to be able to run unofficial servers still - and you need to organize getting existing server admins to switch to using it. We have over half a dozen server admins now, most in different time zones. Two of them have a very limited grasp of English. (One of them communicates mainly via Google Translate.)

You also need to handle the transition process. If you just have everyone make fresh log-ins, then it's trivial for some to pull the same grief as we're talking about now on a much larger scale - just go around looking at recent players and registering their names before they can. Now you need an arbitration process. (And what about the very rare cases where you actually do have two people with the same name playing on different servers right now?) But of course this is still probably simpler than trying to merge the existing credentials databases...

I think it probably needs to be done if we want to keep having cross-server scoring, just because the problems with not having a shared sign-in service are so glaring. But something being needed doesn't make it happen. Ideally we'd be able to recruit someone or someones from the community to help - you'd think we have a large enough, nerdy enough community!

apple posted: That's sad to hear

There's no verification for emails at present. You can register an account with someone else's name and email without any challenge, though you'd have to find their email somehow. A pretty thin layer of security.

PleasingFungus fucked around with this message at 00:09 on Apr 12, 2016 |
# ? Apr 12, 2016 00:05 |
|
There is no system where you move from unauthenticated to authenticated and don't require at least some arbitration or overview process during the cutover. The bitch is going to be letting people prove who they are corresponds with the original local account. The easiest arbitration is just "whichever copy of the account existed first is the rightful owner" makes the most sense, but unless you've got some kind of proper contact verification set up for those accounts in the first place you've got no proper way for people to verify their identity when moving to the new system.
|
# ? Apr 12, 2016 00:10 |
|
Zaodai posted: There is no system where you move from unauthenticated to authenticated and don't require at least some arbitration or overview process during the cutover. The bitch is going to be letting people prove who they are corresponds with the original local account. The easiest arbitration is just "whichever copy of the account existed first is the rightful owner" makes the most sense, but unless you've got some kind of proper contact verification set up for those accounts in the first place you've got no proper way for people to verify their identity when moving to the new system.

Yeah, exactly. There's e.g. known cases where someone started using a name years ago, played three games and then quit, and then someone else started using that same name (coincidentally) on another server for hundreds of games. Oldest-account-first is a decent default, but you do need some way to intervene in cases where that's wrong, and you're never going to be able to get everything right. There's inevitable pain here.

I'm certain these are all known problems - this and the rest of the stuff I described in my last post - but I don't have the experience to know the solutions. That's the really frustrating part, for me!
|
# ? Apr 12, 2016 00:15 |
|
PleasingFungus posted: Yeah, exactly. There's e.g. known cases where someone started using a name years ago, played three games and then quit, and then someone else started using that same name (coincidentally) on another server for hundreds of games. Oldest-account-first is a decent default, but you do need some way to intervene in cases where that's wrong, and you're never going to be able to get everything right. There's inevitable pain here.

The unfortunate solution in the modern world is that you pay for an out of the box auth solution in most cases. And that's way out of the price range for a project like this. Anything else is going to be a hack job. That said, maybe you could speak to the guys who did the home rolled auth for Goonswarm's page? You probably don't need it to be as hefty and secure as theirs, but they might have some pointers or ideas about scope of system.
|
# ? Apr 12, 2016 00:22 |
|
IronicDongz posted: Not nearly as good as just changing to a different server.

Joke's on you because neither can do that right now
|
# ? Apr 12, 2016 00:26 |
|
Well, hopefully in a bit it'll work again. There's no plans at all for something like that for offline tiles as far as I'm aware.
|
# ? Apr 12, 2016 00:49 |
|
So I made the tough decision to go Gozag over Pak on a Mummy Fighter with a heavy emphasis on evocations. Was it the right choice?

The +12 gold dragon armour "Fal Diag" {-Cast rPois rF+ rC+ MR+ rCorr MP+9}
the ring of Sloth (right hand) {Fragile +Blink +Fly Int+3 Slay+6}

And two rods of clouds, a rod of iron, amulet of regen, cloak of magic resist, boots of flying all by the end of Lair. I am so dead.

edit - oh and the +13 sword of the Doom Knight (weapon) {pain, -Cast MR+}

Person Dyslexic fucked around with this message at 01:29 on Apr 12, 2016 |
# ? Apr 12, 2016 01:19 |
|
PleasingFungus - thanks, that's very informative and helps me better understand the problem.
|
# ? Apr 12, 2016 01:24 |
|
I've got some experience with user authentication, database, and web apps, as well as being in the mood for brainstorming. I'll try whipping up an ER diagram and rough design tonight and see if I can't come up with something that might work. I've only got experience with a central server style design, so it will be based on that (kind of theorizing a central auth hub out of the Akrasiac web site as a base); I don't know if that will work if you are afraid of bad actors taking down a central point, though.
|
# ? Apr 12, 2016 01:30 |
|
mitztronic posted: Joke's on you because neither can do that right now

CAO score pages are working as of a few days ago, afaik?
|
# ? Apr 12, 2016 01:36 |
|
Floodkiller posted:I've got some experience with user authentication, database, and web apps, as well as being in the mood for brainstorming. I'll try whipping up an ER diagram and rough design tonight and see if I can't come up with something that might work. I've only got experience with a central server style design, so it will be based on that (kind of theorizing a central auth hub out of the Akrasiac web site as a base); I don't know if that will work if you are afraid of bad actors taking down a central point, though.
|
# ? Apr 12, 2016 01:39 |
|
Zaodai posted: The unfortunate solution in the modern world is that you pay for an out of the box auth solution in most cases. And that's way out of the price range for a project like this. Anything else is going to be a hack job. That said, maybe you could speak to the guys who did the home rolled auth for Goonswarm's page? You probably don't need it to be as hefty and secure as theirs, but they might have some pointers or ideas about scope of system.

Who are the goonswarm people?

Floodkiller posted: I've got some experience with user authentication, database, and web apps, as well as being in the mood for brainstorming. I'll try whipping up an ER diagram and rough design tonight and see if I can't come up with something that might work. I've only got experience with a central server style design, so it will be based on that (kind of theorizing a central auth hub out of the Akrasiac web site as a base); I don't know if that will work if you are afraid of bad actors taking down a central point, though.

I'm not so much afraid of bad actors as entropy, tbh.
|
# ? Apr 12, 2016 01:39 |
|
Eh, I didn't know about s-z until just now. I was ten runes in on what would have been my tenth win for goodplayer status. Ah well, honestly, I'd kinda frozen up on playing that game any further and started feeling anxious I was going to blow it in Pandemonium or a vanity zig after I'd already essentially won. I don't know how I feel now.
|
# ? Apr 12, 2016 01:49 |
|
My playing on cBro has finally paid off! Hahaha! drat that sucks about that though. Hopefully y'all can get some sort of authorization figured out and whoever was running cSzo will cool down and come back (though I can understand if they don't).
|
# ? Apr 12, 2016 01:56 |
|
I'm conflicted, Floodkiller could be the hero crawl needs, but Floodkiller has an Undertale Avatar and that 'Dreemurr' guy is also an Undertale reference. Could it be? Ok I'm done now for real
|
# ? Apr 12, 2016 02:01 |
|
I had twelve slaying. Twelve!
|
# ? Apr 12, 2016 02:53 |
|
Simple alternate solution: keep the server-side logins the same since it doesn't matter, and use an isolated tracker with its own separate login, which only lets a single account decide which other servers/accounts to attribute to a single user/account on the manual/opt-in scoreboard (which would let people track different names as well) Side effect is that it requires people to register a separate account for the scoreboard if they care about streaks or hiscores, and lets them not register one if they don't give a gently caress.
|
# ? Apr 12, 2016 03:37 |
|
That's the easy part, yeah. The hard part is dealing with bad operators. How do you prevent an account from snapping up names they don't play as? How do you arbitrate two users saying they own the same server/name? I'd suggest it would have to be done through the server/name because that's the only way we would know for certain the account belongs to the person who says it is theirs. They point that account to your centralized online scoreboard login while they are logged in to a Dungeon Crawl server.
|
# ? Apr 12, 2016 03:59 |
|
Sage Grimm posted: That's the easy part, yeah. The hard part is dealing with bad operators. How do you prevent an account from snapping up names they don't play as? How do you arbitrate two users saying they own the same server/name?

How do you do those things on any site? Nobody ever has. I've had multiple people register ebay/xboxlive/instagram/etc accounts using my various username(s) which I had already used on other sites, and there's no real way I can claim to own the name even if I've had and used a gmail account with the username for 10 years. To my knowledge, silentsnack is my only moniker that hasn't gotten randomly used by someone else, and I just click the "no I didn't register this account" link, when I get a confirm-this-account email.

For the most part, anyone can freely register any name on any site as long as that name isn't already in use on that site, because there is no central internet repository to say who is allowed to use which string of letters.
|
# ? Apr 12, 2016 04:32 |
|
silentsnack posted: Simple alternate solution: keep the server-side logins the same since it doesn't matter, and use an isolated tracker with its own separate login, which only lets a single account decide which other servers/accounts to attribute to a single user/account on the manual/opt-in scoreboard (which would let people track different names as well)

That's pretty much what I've got so far in a couple hours, and I've reached the same downside: because you have to authenticate to prevent bad actors, it requires you to make an account on a central server for score purposes. This will most likely mean that the majority of scores will not be tracked unless a user feels compelled to register for the central scoreboard.

Users is mostly self explanatory, with a unique email to tie to the UserID autogenerated primary key and a non-unique nickname (a player's individual score pages would be located under the UserID with this system instead of the Nickname). This would allow players to share a public facing nickname, as the UserID/Email in combination with the Authentications table is what would actually tie the individual server logfiles to an account (UserNickname refers to the nickname used on that specific server by the central server user, and is used for the purpose of logfile parsing). Role would be either User or Administrator (with admins being able to edit the list of servers and how to locate them/communicate with their logfiles, which I've abstracted as Name and Location as I've not yet fully read up on the process of how they are collected/parsed yet). Central server registration would require you to validate your email before activating to prevent identity theft just by faking the email.

A couple different ways to do the authentications (brainstorming focusing on double confirmation due to needing to block bad actors):

-User needs to login with local server username/password on the central site, which then verifies with the local server and ties that local server account to the central account if valid
-The central server makes a pull for emails on local servers, then searches for the user with the matching email and adds unconfirmed accounts to the user's profile page which the user accepts or rejects as theirs
-Local servers would require an email to exist on the central server for the account to be created/able to be played, and an email validation must be performed. New accounts require a central server login first, old accounts would be locked out of their account until a central account is created and validated, and the local account is revalidated.

Finally, it could be decided as to whether you would require local servers to have players log in using a central server's account, or if you would want to continue with all servers maintaining their own account lists. The former has the issue that, if the central server goes down, there is no playing. However, it would allow the authentications table to essentially remain as archive information instead of needing to be actively changed, and it would also ensure new players have scores registered to the scoreboard.

I need to get to sleep, so I'll work more on this tomorrow. Feel free to give feedback/criticism on this so far, as this is a very rough draft.

Edit: at the griefer who started this.

Floodkiller fucked around with this message at 04:59 on Apr 12, 2016 |
# ? Apr 12, 2016 04:52 |
|
It's more that how does your proposal fix the problems with the current system in place where it quietly links accounts based on their names? It doesn't, it's essentially the same system except it's an opt-in solution. The same problems can still occur.

To use your example, you're proposing a system where your email address is the central operator and is telling ebay/xboxlive/instagram/etc that it is the owner of various usernames of those sites. That's completely opposite of what really happens where you register an account on ebay/xboxlive/instagram/etc and give them your email address. That account gets linked to that email address and it is safe from bad operators trying to spoof that you're you so long as your authentication is secure. It might be confusion on my part but that's what it sounded like on my end.

EDIT: ^^^ You might want to consider having those unregistered accounts still part of the system but indicated as unregistered. That way scores can still be compared against as if they were individual players with the same name, only on different servers (ie. cszo/Grimm is different than akrasiac/Grimm)

Sage Grimm fucked around with this message at 05:03 on Apr 12, 2016 |
# ? Apr 12, 2016 04:59 |
|
Sage Grimm posted: It's more that how does your proposal fix the problems with the current system in place where it quietly links accounts based on their names? It doesn't, it's essentially the same system except it's an opt-in solution. The same problems can still occur.

Er, what I mean for that particular part of the example is that I have an account "default_example" on gmail (just made that up) and several other services... At some point someone else registers "default_example" at hotmail and uses that default_example@hotmail.com as their email address and on multiple sites (sites/services I don't use and never registered on) but occasionally on one account they mistakenly put their email as default_example@gmail.com so I get the confirmation email for someone else's account, in which case they can't use a password reset or several of the other things that require access to the account's associated email.

Hopefully that was even more confusing.
|
# ? Apr 12, 2016 05:11 |
|
Sage Grimm posted: EDIT: ^^^ You might want to consider having those unregistered accounts still part of the system but indicated as unregistered. That way scores can still be compared against as if they were individual players with the same name, only on different servers (ie. cszo/Grimm is different than akrasiac/Grimm)

Revised the ER quick because I couldn't get to sleep right away and this would be good to preserve unregistered data:
|
# ? Apr 12, 2016 05:29 |
|
I honestly think when it comes down to it, the big decision is how much people are willing to give up to have a more secure system in place. I would wager not much, until someone shits on them. You're going to have to set a time limit (like 60 or 90 days), and tell people they've got to centralize. If you support local accounts (beyond untracked "Guest" accounts assigned a random ID or something for one off games) on the individual servers, you're going to have to put exceptions for them in the central system or you get conflicts when someone tries to register them at central. At that point, you're in the same boat, so just make someone register it. The whole thing is going to come down to how much time devs and server admins are willing to set aside to arbitrate disputes in that 60/90 day window. Once your initial conflicts are resolved, everything is fine because a new account will be centralized and any old account past that limit gets told to gently caress off. The weak point is obviously that auths will all go through the central server and if central goes down the whole thing goes down, but if you're only dealing with authenticating for the initial sign on per session that's not that big a hurdle.
|
# ? Apr 12, 2016 06:03 |
|
Also, the troll trying to defend himself is hilarious. He's trying to spin it as if the BIG BAD ADMIN is taking away everybody's fun over a "harmless" prank. Guy is a cowardly prick. gently caress him. If you're going to grief and troll people, at least be man enough to accept you're an rear end in a top hat. What kind of reaction did he expect?
|
# ? Apr 12, 2016 06:08 |
|
So after reading about the changes that the Circus Animal branch does to DCSS I decided to fire up a game because holy poo poo look at this laundry list of ridiculousness:
This is absolutely bonkers. code:
Can Of Worms fucked around with this message at 07:17 on Apr 12, 2016 |
# ? Apr 12, 2016 07:14 |
|
Can Of Worms posted:So after reading about the changes that the Circus Animal branch does to DCSS I decided to fire up a game because holy poo poo look at this laundry list of ridiculousness:
|
# ? Apr 12, 2016 08:03 |
|
Sage Grimm posted: You might want to consider having those unregistered accounts still part of the system but indicated as unregistered. That way scores can still be compared against as if they were individual players with the same name, only on different servers (ie. cszo/Grimm is different than akrasiac/Grimm)

If someone later wants to claim an account stolen by a griefer (say, cdo/Grimm), then that's only possible with some admin actually looking into the history. It'll be a slow and painful process. But having some more secure way to bundle accounts across servers is the important first step. Hopefully, someone can help here. Otherwise, we need to ask for donations (for the first time), and buy someone
|
# ? Apr 12, 2016 11:36 |
|
Sucks about CSZO. For anyone in Europe, crawl.xtahua.com seems to have almost nonexistent lag compared to underhound.eu.
|
# ? Apr 12, 2016 11:54 |
|
Zaodai posted: I honestly think when it comes down to it, the big decision is how much people are willing to give up to have a more secure system in place. I would wager not much, until someone shits on them.

Nick sharing isn't a concern with that database, as the unique identifier would be UserID (and Email). Although players could share identical public facing nicknames across different servers and even the same Nickname on the central auth server, the UserID is how the system would tie authorizations for the score aggregation. This would keep people with commonly shared nicks happy as well.

The issue with a central server account being required to connect to online Crawl is that it makes a central point that is vulnerable to traffic overload or DDoS if it doesn't have a good enough server/network security setup. After sleeping on it, requiring central server accounts to play would be bad, as it leads to only unofficial (unscored) servers being able to be played on during blackout periods (kinda like bad DRM systems). Even in the case of only verifying during initial login, a dedicated attack that only occurs during peak times would be enough to effectively shut down Scored Online Crawl. I think the central auth server would work better as a standalone score aggregator that groups auth'd accounts under a single user account than an actual auth server. It would be more passive, meaning only the auth connections (+scoreboard if hosted on the same server) would go down due to downtime/an attack.

Anyway, I saw on the crawl-dev IRC logs from last night about another method that could be adapted for use in double proof authentication: have local servers generate a unique auth key (preferably something like a 12-16 long randomized alphanumeric string) to tie to accounts (in addition to the current username/email/password). Only a person who is logged into that local account can view the string (maybe a pop-up triggered by a button next to the login bit at the top or something so it isn't vulnerable to stream sniping). On the central auth server, the user would be able to tie an authorized account by selecting the server of the account and entering/pasting the string. It would verify the strings match, then tie the account. This would definitely be much less server intensive (on either the central or local servers) than the brainstorms I had last night, as well as more user friendly.

To expand on this more from last night, Accounts would hold all accounts from each server. When aggregating score pages, you would need to check if an account has an auth (comparing with the Authorizations table). If it doesn't, that account's score page would be displayed as an individual (URL would query server name and server nick). If it does, aggregate that with any other auth'd accounts from other servers on a central user page (URL would query the UserID). Under this system, it would also be easy to show which accounts a user has linked to them and view each individually (which also makes it easier for others to track down the user for watching their games), as well as remain flexible in case server names change.

Floodkiller fucked around with this message at 13:34 on Apr 12, 2016 |
# ? Apr 12, 2016 12:49 |
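The auth-key linking and (server, nick) score aggregation described in Floodkiller's post above, sketched as an added example (not code from the thread or from the Crawl project). Class and method names are hypothetical, the game records are constructed, and key issuance is assumed to happen only inside a logged-in session on the local server.

```python
import hmac
import secrets
import string
from collections import defaultdict

KEY_ALPHABET = string.ascii_letters + string.digits
KEY_LENGTH = 16  # the post suggests a 12-16 character random alphanumeric string


class LocalServer:
    """Stand-in for one game server's account store (hypothetical API)."""

    def __init__(self, name):
        self.name = name
        self._link_keys = {}  # nick -> pending link key

    def issue_link_key(self, nick):
        """Assumed to be reachable only from an authenticated session for `nick`."""
        key = "".join(secrets.choice(KEY_ALPHABET) for _ in range(KEY_LENGTH))
        self._link_keys[nick] = key
        return key

    def redeem_link_key(self, nick, presented):
        """Constant-time comparison; a key is consumed on success so it cannot be replayed."""
        expected = self._link_keys.get(nick)
        if expected is None:
            return False
        if not hmac.compare_digest(expected.encode(), presented.encode()):
            return False
        del self._link_keys[nick]
        return True


class CentralScoreboard:
    """Score aggregator that groups linked accounts under a central UserID."""

    def __init__(self, servers):
        self.servers = {s.name: s for s in servers}
        self.links = {}  # (server, nick) -> user_id, i.e. the Authorizations table

    def link_account(self, user_id, server, nick, presented_key):
        if (server, nick) in self.links:
            return False  # already claimed: left to manual arbitration
        srv = self.servers.get(server)
        if srv is None or not srv.redeem_link_key(nick, presented_key):
            return False
        self.links[(server, nick)] = user_id
        return True

    def aggregate(self, games):
        """games: iterable of (server, nick, score) parsed from server logfiles."""
        pages = defaultdict(list)
        for server, nick, score in games:
            owner = self.links.get((server, nick))
            # Unlinked accounts stay separate per server: cszo/Grimm is not
            # akrasiac/Grimm just because the names match.
            page = ("user", owner) if owner is not None else ("unlinked", server, nick)
            pages[page].append(score)
        return dict(pages)


def demo():
    akrasiac, cszo = LocalServer("akrasiac"), LocalServer("cszo")
    board = CentralScoreboard([akrasiac, cszo])
    key = akrasiac.issue_link_key("Grimm")  # shown to the logged-in player
    board.link_account(1, "akrasiac", "Grimm", key)
    # Constructed records: the same nick on two servers, only one of them linked.
    games = [("akrasiac", "Grimm", 1200), ("cszo", "Grimm", 40)]
    return board.aggregate(games)


if __name__ == "__main__":
    print(demo())
```

Registering the same nick on another server no longer merges into the linked player's page; it only creates a separate unlinked page for that server.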
|
Solution is to replace streaks with new game +, new game ++ etc that multiplies damage dealt by enemies
|
# ? Apr 12, 2016 13:50 |
|
Can Of Worms posted: So after reading about the changes that the Circus Animal branch does to DCSS I decided to fire up a game because holy poo poo look at this laundry list of ridiculousness:

Whoa, crawl for people who realize single player games don't need to be perfectly balanced?!?! Changes that aren't just 'subtracted 1 from vampire's necromancy, the xp curve was too different than before after rebalancing.'? It's like someone added the words 'fun' and 'interesting' to a crawl dev's dictionary when he wasn't looking!
|
# ? Apr 12, 2016 13:57 |
|
I've been playing with pakellas a bit and I have come to the conclusion that people saying mummy of pak is easy mode are liars. Pak is something of a slow starter, he doesn't provide a lot of value for you until that first rod gift. Which isn't the end of the world (though it does make DD pak starts a little rough) but he also stops your mana regen which means you can't start as a mummy necromancer, aka one of the only starts that makes mummys kinda bearable. Any mummy plan that involves picking a lousy background (most of them, because you are a mummy) is not a fun time.
|
# ? Apr 12, 2016 14:05 |