Eressea: How shit happened, and what to do about it From: "Enno Rehling" <schick.mir.spam@gmx.de> Date: Mon, 22 Jan 2001 21:38:04 +0000 Hi, I think we've got some story to tell, which might help others not fall into the same traps. This week, Eressea will undergo a repeat-of-turn, because someone sent in a turn for another player and killed of his faction with it. Why? Apparently, he gave his password to his allies (vactaion or whatever reason), who imported it in their client and then unwittingly exported it with their map, and from there on, who knows where it went. So we'll have to surgically remove the orders, redo the whole turn, and send out another 400 MB batch of reports after we rerun the turn. What can be learned from this? 1. Having Passwords is important. That's a given, but make sure you stress this with your players. All the normal rules for passwords apply for pbem-passwords as well. 2. Try sending the password as little as possible. We're sending the password with the weekly turn template, which is attacked to the report. We also have a mail interface that allows you to fetch your report by giving your password and id in the subject line, which is used by players who lose their email accounts, whose providers lost the report mail, etc - a lot less hassle, really. but it can also be used to get the report for everyone whose password you know. We'll switch to not giving out the password in the future, and having a mail interface that'll do something like the "send me my password" on many web sites, but only send it to the associated address for the faction, not the sender of the request. We'll remove the report from all data files except turns that the player sends to the server, so they cannot accidentally be given to other players. 3. If you can, use public key cryptography for signed email. This one is hard to implement, because cryptography is not in widespread use. In germany, there's a web-based freemail service (www.web.de) that will offer postcard-verified signed public keys to residents in germany, austria and switzerland - and that one is really simple. On the server side, we'd have to implement a lot of stuff, so we've shyed away from it so far. 4. Don't trust your players. I'm sorry to have to say this, but since this is the second time something like this has happened, there's no other conclusions: Some players will cheat by all means they can find. When in doubt, don't accept a player rather than have one that'll wreck your game. Today, everyone can hide ehind a million email addresses, use an anonimizing proxy to send it, and in general, you can't get them. 5. Design your game so it handles catastrophes. If you write a computer-moderated game like Eressea, build your design so that you can rerun individual areas without having to rerun the whole turn. In Eressea, a change in one region can trigger a change in another, and so forth, with no reasonable waay of finding out what waas affected (armies will flee into different regions, for example). Once you can keep those changes local, make sure you can find out which PLAYERS are affected, and only send out turns to those. If we could do that, we'd be a lot happier, but it's hard to code this into the game at a later stage. The whole thing was a real PITA. It's amazing how much a single shithead can make the world seem to be a much more unfriendly place for 1400 players and a few GMs with a single email. Enno. -- Enno Rehling http://eressea.upb.de/~enno/ Programmer, Anarchy Online http://www.anarchy-online.com/ Funcom Oslo A/S http://www.funcom.com/ Referenced By Up