Dominion Strategy Forum

Messages - Cave-o-sapien

776
Goko Dominion Online / Re: v2.0.33
« on: July 13, 2015, 11:42:32 am »
I haven't seen the deck count bug, but it's very possible I just haven't paid close enough attention.

Is it a display problem only or does it affect the game state? For example, does the game reshuffle when it shouldn't?

777
I found that drinking while playing decreased (slightly) my odds of winning.

Are we talking first or second glass? Because there's a critical difference and I will maintain that the first glass of beer/wine will make you a better dominion player 1000% of the time.

This is semi-anecdotal, but I found that a single beer had an adverse effect. I wouldn't otherwise feel any effects of having drunk the beer, but I would notice I was losing more.

778
I found that drinking while playing decreased (slightly) my odds of winning.

779
It looks like certain "clunky" UI actions weren't ever changed from early in the Goko days:

- Moneylender not auto-trashing (is there any good reason not to?)
- Dragging cards across the entire screen to top of deck (I forget which card made me do this, but it was very frustrating when playing full screen)

Are there plans to further streamline the UI?
There are edge cases where you wouldn't want to auto-trash a copper (for example you plan to play the copper with Storyteller, but you need to play Moneylender, that you got from Sender, to start your Conspirator chain), but there is no "you may" on the card, so therefore it should auto-trash.

Exactly. Trashing isn't an option with the card, so I was wondering if there was any good reason not to auto-trash.

780
Goko Dominion Online / Re: Latest Release
« on: June 30, 2015, 07:17:13 pm »
Level with me: what's the chance that the client will eventually run without making my computer's fans work overtime?

They say they fixed the memory leak. Only you can tell us if that's true.

That's on the server side. I can't imagine that fixing this.

It sure doesn't seem like it would, but I can come up with scenarios where bad back-end code would cause a client to spin out of control.

781
I for one appreciate that at least in some circumstances they allow you to protect your favorite Copper from their ruthless RNG to the detriment of the one you hate.

I just wish it then wouldn't randomly shift my favorite copper to a different spot in my hand. I was holding it second from left FOR A GOOD REASON.

782
It looks like certain "clunky" UI actions weren't ever changed from early in the Goko days:

- Moneylender not auto-trashing (is there any good reason not to?)
- Dragging cards across the entire screen to top of deck (I forget which card made me do this, but it was very frustrating when playing full screen)

Are there plans to further streamline the UI?

783
Wait, is the criticism that they are storing plaintext passwords on your computer, or plaintext passwords on your server?  The latter is completely unacceptable.  The former, which by my cursory reading appears to be the case, was considered acceptable even by Google as of fairly recently: https://news.ycombinator.com/item?id=6166731  There's a not-unreasonable argument to be made that encrypting locally stored passwords is mostly security theater.

One guy from Google says they don't want to do it, and then a bunch of people disagree with him for reasons that seem perfectly reasonable to me. This isn't an official announcement or anything.

I talk to many people every day who work in the computer security field. I've never heard any of them say it's OK to store passwords in plain text.
Except what MF has done is not the same as what Google does for Chrome. The Google Chrome passwords are still encrypted on your machine. It's just that they use your computer account password as the encryption key. Chrome doesn't ask you to input your user account password when you want to see your passwords in plain text, but you have to be logged in to the user account that saved the password for that to work. Your account password can be accessed by other utilities though, so malware running on that account can access those passwords too.
Reference: http://www.howtogeek.com/70146/how-secure-are-your-saved-chrome-browser-passwords/

What MF has done is worse than that though. They literally save passwords in plain text to the program files folder. Last I checked, that's a shared folder across all users of the machine it's saved on. That means anyone on the guest account of that computer can look at the file and see your password. Please correct me if I'm wrong.

Let's be clear and precise about what they're doing:

1) I don't have any evidence that they're storing credentials for logon purposes in plain text anywhere on my machine.

2) What they ARE doing is writing username/password in plain text to a debug log in a shared location.

Both of the problems in (2) are easily addressed and don't seem like nearly the security design flaws some people are making them out to be. One is a lack of understanding of Windows file location best practices; the other is likely an artifact of a much earlier development step.

784
Goko Dominion Online / Re: Latest Release
« on: June 23, 2015, 11:14:10 pm »
On the one hand, this is the first release where I've successfully played a game. I guess that's something.

On the other hand: Ewww.

Even though I'd heard it from this thread, I didn't realize the animations could be so much worse than Goko while perfectly replicating all their flaws as well. Someone spent lots of effort on making the animations strictly worse than Goko. (Yes, I said strictly worse. Someone think of the edge case.)

When playing a chain of actions my screen is a blur of sparkles sparkling brightly. Everyone loves sparkles, right?

Also, the latest version disconnected me from the campaign due to inactivity. Is that new? Why? Why is this necessary?

Finally, while playing fullscreen on my display's default resolution (1920x1080) the card art seems somehow fuzzier than version 2.0.30. But hey, who doesn't love fuzziness.

tl;dr Fuzzy and sparkly.

785
Re: the password discussion:
I've seen contrary opinions on the password thing as I've followed this thread off and on. There's an outstanding ticket on this issue. The passwords are not being sent between server and client in plain text, and if someone's machine is compromised, it would seem that you're hosed regardless.

Granted, that's not my field, and my code skills don't go further than rudimentary html and css. Can someone summarize why the above is wrong, or how concerns persist despite the above so that I can add that to the ticket on this issue?

I think there are two related issues here:

1) The Windows application requires write permissions on C:\Program Files and writes the logs (which contain the password info) there. Logs should be written to the AppData folder for the user running the application.

2) I'm not sure I see a good reason to write the username and password to the logs at this point. What is the situation where that is needed?

786
Have the sparkly graphics been complained about adequately here or on the MF forums?

Because man, they're awful. The visual cue that something has changed shouldn't obscure what has actually changed.

I hate to keep comparing this to Isotropic, but a few lines of a text log >>> sparkly graphics for conveying information quickly and accurately.

They have been complained about since the start of the closed beta. (and they have improved since then, but are still annoying)  I am pretty sure they know it needs to be changed.

Ok, thanks. I tried poking around on the Making Fun forums but there were way too many threads and sub-forums to parse.

787
Have the sparkly graphics been complained about adequately here or on the MF forums?

Because man, they're awful. The visual cue that something has changed shouldn't obscure what has actually changed.

I hate to keep comparing this to Isotropic, but a few lines of a text log >>> sparkly graphics for conveying information quickly and accurately.

788
for what it's worth I don't believe that Chrome is saving passwords in plain text.

Go into "Settings". Click "Show advanced settings...". Click "Manage passwords". Mouse over the dots of one of your passwords and click "Show".

Chrome needs the plain text version of your password so it can submit it to a website. It can't separately negotiate with each website a way to store a hash that it will accept.
Oh sure. It can decrypt them and show them to you, but they don't exist on your hard drive unencrypted. That may or may not be a trivial difference depending on the OS level file permissions.

Let's say you and I share a computer. I log on to my user account and use Chrome and allow it to store passwords. It encrypts them and stores them in my user space with appropriate permissions. You can't get to the file where my passwords are stored, and even if you could you can't decrypt them without my user credentials.

Now consider Dominion writing usernames and passwords to a log in C:\program files (or the equivalent). If every user who uses this app is required to have permissions to that folder then every user will be able to see that log. So you or I could look in the logs and see the username and password of the other.

See the difference?

I mean, this is much less problematic (at least an order of magnitude so) than sending passwords in plain text, but it's still Not Good for certain use cases.

If you are physically sharing a computer with someone whom you don't trust with your passwords, then either (1) you're playing at work, stop slacking off, slacker, or (2) you have incredibly serious trust issues with your spouse, get counseling, or (3) tell your roommate to get their own damn computer, or (4) get your kid their own computer, they're old enough and smart enough to figure out how to get to your porn stash and not just your passwords.

Maybe I'm unimaginative but I can't think of other use cases.

There's the rather common case of a notebook/laptop/surface that goes between work and home, corporate and personal use. The laptop may or may not be a corporate asset; it might be owned by the individual but brought to work and allowed to join the corporate network in some way. If it's a corporate asset it may be okay to have Dominion installed on it depending on policies.

In such a case there's a big difference between a text file on disk that can be grepped by anyone with adequate permissions and an encrypted password store.

I mean, as I said earlier, this is a much, much less serious problem than transmitting passwords in the clear and/or storing them server side in plaintext, and no one should be using credentials for Dominion that they use anywhere important, but it's not ideal.

789
for what it's worth I don't believe that Chrome is saving passwords in plain text.

Go into "Settings". Click "Show advanced settings...". Click "Manage passwords". Mouse over the dots of one of your passwords and click "Show".

Chrome needs the plain text version of your password so it can submit it to a website. It can't separately negotiate with each website a way to store a hash that it will accept.
Oh sure. It can decrypt them and show them to you, but they don't exist on your hard drive unencrypted. That may or may not be a trivial difference depending on the OS level file permissions.

Let's say you and I share a computer. I log on to my user account and use Chrome and allow it to store passwords. It encrypts them and stores them in my user space with appropriate permissions. You can't get to the file where my passwords are stored, and even if you could you can't decrypt them without my user credentials.

Now consider Dominion writing usernames and passwords to a log in C:\program files (or the equivalent). If every user who uses this app is required to have permissions to that folder then every user will be able to see that log. So you or I could look in the logs and see the username and password of the other.

See the difference?

I mean, this is much less problematic (at least an order of magnitude so) than sending passwords in plain text, but it's still Not Good for certain use cases.

790
This may be technically true, except the bolded part could be argued. On the other hand, I'm not going to touch this app again until my password is never stored in plain text anywhere.

That's really not too much to ask, and I'm not going to RE their entire app just to verify that they aren't storing or sending that password in plain text ever.

Okay, but I disagree. I think it's clearly acceptable for them to be doing the same thing that Chrome and Firefox do with passwords. The only thing I'd want is to make sure the password isn't saved in the log.

And it may seem like "not too much to ask", but they're clearly overwhelmed, and I would prefer that they focus on features that affect basic playability. I think the only reason this password thing became a big deal is because it reminds people of the XSS bug that Goko launched with, and it's fun to blame Goko things on MF.

for what it's worth I don't believe that Chrome is saving passwords in plain text.

791
Goko Dominion Online / Re: Payment models
« on: June 18, 2015, 12:58:22 am »
The problem is that digital Dominion has two (potential) audiences. There's some overlap—people who would play both—but mostly it's pretty clean cut.

The first audience is casual mobile gamers. If you're trying to cater to that audience, you want an application that runs natively on iOS and Android. For this audience:

• Production values are important, including graphics, sound, animations, and other interface details.
• The expansions don't need to be released all at once.
• It's not important to have post-game logs (or even an always-visible side log), though a leaderboard might be nice.
• Offline play against an AI is a must.

The payment model that makes sense here would be a very cheap app ($0 to $5), and very cheap expansions ($1 for Guilds, $2 for Prosperity, $3 for Dark Ages). No subscription fee.

The second audience (that's us!) treats Dominion like chess. If you're trying to cater to that audience, you want a web-based application. For this audience:

• Production values are a very low priority.
• The expansions should all be available.
• Post-game logs and the ability to collect statistics is paramount.
• An AI need not exist at all.

The payment model that makes sense here is a monthly or yearly subscription that gives you access to all published cards.

Goko tried to satisfy both camps, but they couldn't get their app into the mobile marketplace and their payment system was the wrong one for the audience they did get. In a baffling turn of events, Making Fun is now attempting the same thing.

If I were Jay, I would partner with a company like Playdek to make the mobile version for casual players. Then I would partner with Doug to set up a subscription for isotropic Dominion ($1 or $2 per month). Or if that's too much hassle, just let isotropic be free again, financed by donations. It really poses zero financial threat when it comes to the audience that Dominion Online should be pursuing, which is casual gamers on mobile devices.

I'm sort of in both categories you describe. While I once played Dominion online like it was Chess, I'm not sure I can devote that much time to it any more. But I would certainly like to play it more than I'm currently able to face-to-face with my friends.

I would love to be able to squeeze in an offline game here or there on my phone, if for no other reason than to explore the card combination space.

It's frustrating and quite honestly baffling that no one seems to believe enough in the untapped mobile market to develop a version of Dominion for it.

792
It seems ridiculous to pay $90 for a board game app, especially one that doesn't allow me to play offline.
Good news! This amazing game, that so many people have paid $45 for a physical copy of, that won so many awards around the world and spawned so many rip-offs, is available online for the low low price of $0. It's completely free. And if you don't believe me just go on now and play it. For sure it's not going to get cheaper than free (insert joke about how they'd have to pay you to play the beta).

It's popular to think that whatever you want should just be yours. It's popular to think that someone else's 10 years of work is worth exactly as much as their zero years of work. A board game with 5 expansions is worth exactly as much as a board game with 10 expansions; the expansions, they're something you're owed, not something you pay for. I hope your time hasn't been spent as worthlessly as mine has! I made all these expansions, as if they were worth buying, as if they weren't just hurting an existing product by making it more expensive to have everything.

I have given this speech before! The game is free; if you want to complain about price, there is only the price of individual expansions to complain about, and complaining about the total is like saying an author wrote too many books, a band put out too many albums.

You're missing the point. I'm not complaining about having to pay for Dominion. Nor am I complaining about having to pay per expansion. I'm just saying the pricing is more than I'm willing to pay given what the product offers.

I think that's a completely fair stance for a prospective customer to have and it seems odd for you to belittle it.
It's totally reasonable for you to say that the price for whatever it is you want is more than what you want to pay for it. But that's not what you said. I replied to what you actually said, not to what you are now saying you said.

You said, "It seems ridiculous to pay $90 for a board game app, especially one that doesn't allow me to play offline."

Dominion is free, not $90. Dominion plus all the expansions has a cost that depends on how many expansions there are; the total is not a meaningful number. If there were ten times as many expansions it would be ten times as much. If there were no expansions at all, it would be $0.

If you would like to communicate "I'm just saying the pricing is more than I'm willing to pay given what the product offers" then I recommend using those words, rather than "It seems ridiculous to pay $90 for a board game app, especially one that doesn't allow me to play offline."

Ok, let me try again.

It seems ridiculous to me that it costs $90 if I want the ability to play with all current Dominion cards (except Adventures), especially when I can't play it offline on a device.

This seems out of line with what I am used to paying for other board game apps. It is quite unlikely I will spend any money on this app, despite being a big fan of Dominion and owning every set on paper.

I would very likely pay some non-zero amount to be able to play the base set on an offline device; I would then very likely pay some amount for each expansion provided the app was good.


793
It seems ridiculous to pay $90 for a board game app, especially one that doesn't allow me to play offline.
Good news! This amazing game, that so many people have paid $45 for a physical copy of, that won so many awards around the world and spawned so many rip-offs, is available online for the low low price of $0. It's completely free. And if you don't believe me just go on now and play it. For sure it's not going to get cheaper than free (insert joke about how they'd have to pay you to play the beta).

It's popular to think that whatever you want should just be yours. It's popular to think that someone else's 10 years of work is worth exactly as much as their zero years of work. A board game with 5 expansions is worth exactly as much as a board game with 10 expansions; the expansions, they're something you're owed, not something you pay for. I hope your time hasn't been spent as worthlessly as mine has! I made all these expansions, as if they were worth buying, as if they weren't just hurting an existing product by making it more expensive to have everything.

I have given this speech before! The game is free; if you want to complain about price, there is only the price of individual expansions to complain about, and complaining about the total is like saying an author wrote too many books, a band put out too many albums.

You're missing the point. I'm not complaining about having to pay for Dominion. Nor am I complaining about having to pay per expansion. I'm just saying the pricing is more than I'm willing to pay given what the product offers.

I think that's a completely fair stance for a prospective customer to have and it seems odd for you to belittle it.

794
You and only a handful of other people. At that price a whole host of other board game apps, not to mention video games, becomes very attractive to me.

It seems ridiculous to pay $90 for a board game app, especially one that doesn't allow me to play offline.

795
After playing a few games, the login screen started freezing for me. So I decided to investigate a little. Apparently the program tries to write into C:\Program Files (x86)\Dominion\Dominion_Data. Great. Let's run it as administrator. Probably the first program launch after the installation was done with the administrator privileges. Now the screen doesn't freeze, just nothing happens after clicking the "Sign in" button.
What's in the logs?
Quote
WebSocketException: A timeout has occurred while reading an HTTP request/response
Nothing new. Just like with 1.0, the servers can't handle the traffic.

What's more interesting is that in the logs I can find password in plain text. The whole network communication is also logged. :-\
Quote
LogWeb: Send Controller: {"message":"login", "clientVersion":"2.0.29", "name":"matste", "password":"********"}

Goko was better.

As someone who often wears a Sys Admin hat, I reserve a special kind of disdain for developers who ignore OS best practices when it comes to file locations and permissions. There's just no excuse in 2015 for an end-user Windows application that writes to C:\Program Files.

The password stuff doesn't look good but I'll reserve judgment on that until someone shows that they are being transmitted in plain text.

I finally got the app to work last night and played through a bit of the campaign. I must say it was much better than the last iteration of Goko that I used. It was nice to be able to install it tonight on a different machine and pick up where I left off, but then it started getting really laggy until it crashed altogether 30 or so minutes ago. Is this regular periodic downtime?

I seriously doubt I'll ever pay for this. On the other hand the price I'd be willing to pay to have Isotropic back just keeps going up.
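
The two fixes raised in these posts (keep the password field out of the log, and write logs under the user's AppData instead of C:\Program Files), as an added Python example that is not part of the original posts and is not the Dominion client's code. The sample message is constructed after the log format quoted above; `redact_line`, `RedactingFilter` and `user_log_dir` are hypothetical names, and every key in `SENSITIVE_KEYS` other than `password` is an assumption.

```python
import io
import json
import logging
import ntpath
import os
import posixpath
import re

# "password" is the field seen in the quoted log line; the rest are assumed.
SENSITIVE_KEYS = {"password", "passwd", "token", "secret"}
MASK = "[REDACTED]"
# Constructed sample in the shape of the quoted "Send Controller" message.
SAMPLE = ('{"message":"login", "clientVersion":"0.0.0", '
          '"name":"alice", "password":"constructed-pw"}')

# Fallback for payloads that do not parse as JSON (truncated lines and so on).
_FALLBACK = re.compile(
    r'("(?:%s)"\s*:\s*)"(?:[^"\\]|\\.)*"' % "|".join(sorted(SENSITIVE_KEYS)),
    re.IGNORECASE,
)

def scrub(value):
    """Recursively mask the values of sensitive keys in decoded JSON."""
    if isinstance(value, dict):
        return {k: MASK if k.lower() in SENSITIVE_KEYS else scrub(v)
                for k, v in value.items()}
    if isinstance(value, list):
        return [scrub(v) for v in value]
    return value

def redact_line(line):
    """Mask secrets in a 'prefix {json}' log line, with a regex fallback."""
    start = line.find("{")
    if start != -1:
        try:
            payload = json.loads(line[start:])
        except ValueError:
            pass  # not valid JSON: fall through to the pattern-based mask
        else:
            return line[:start] + json.dumps(scrub(payload))
    return _FALLBACK.sub(lambda m: m.group(1) + '"%s"' % MASK, line)

class RedactingFilter(logging.Filter):
    """Attach to a handler so no record reaches disk unredacted."""
    def filter(self, record):
        record.msg = redact_line(record.getMessage())
        record.args = ()
        return True

def user_log_dir(app, env=None, windows=None):
    """Per-user log directory, writable without elevation."""
    env = os.environ if env is None else env
    windows = (os.name == "nt") if windows is None else windows
    if windows:
        base = env.get("LOCALAPPDATA") or ntpath.join(
            env["USERPROFILE"], "AppData", "Local")
        return ntpath.join(base, app, "Logs")
    base = env.get("XDG_STATE_HOME") or posixpath.join(
        env["HOME"], ".local", "state")
    return posixpath.join(base, app, "logs")

def demo():
    """Log the constructed login message and return what the handler wrote."""
    stream = io.StringIO()
    handler = logging.StreamHandler(stream)
    handler.addFilter(RedactingFilter())
    log = logging.getLogger("LogWeb.demo")
    log.handlers[:] = [handler]
    log.propagate = False
    log.setLevel(logging.INFO)
    log.info("Send Controller: %s", SAMPLE)
    return stream.getvalue()

if __name__ == "__main__":
    print(user_log_dir("Dominion"))
    print(demo(), end="")
```
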

796
Hi all.

I haven't logged on here in ages; I think the last time I was here was during one of the Goko betas/launches. Goko just wasn't for me. When I heard this "new" version was in open beta I thought I'd give it a go.

I downloaded and installed it but I have yet to be able to sign up or sign in; it just sits and spins. While waiting for that to (not) work I've been perusing this thread and listening to the title music and let me tell you: both of those activities have convinced me to hit "snooze" on this thing for another month or two at least.

797
Dominion General Discussion / Re: D-Vault app updated for Dark Ages
« on: August 28, 2012, 06:07:25 pm »
The App Store has glowing reviews for Dominion Vault, but is this the only randomizer app that supports Dark Ages?

I've been using Dominion Adept for the longest time, but I don't know when that app will be updated for Dark Ages cards.

Currently it is, I have 5 different dominion randomizers and this is the only one I will use. The exclamation point at the bottom right does indeed give you the additional set up info. For platinum colonies it also turns the border silver if you're too lazy to click it but you pretty much have to now because of shelters.

I have 3 different (free) randomizer apps for Android with Dark Ages (Doug Z's, Dominion Shuffle, and Dominion Selector).  Very surprised there's no free iOS one.

I was happy to pay $0.99 for Dominion Vault.  It's a very nice randomizer and he keeps it updated.  I was using a free one before that was good, but the lack of updates killed it off.

798
Dominion General Discussion / Re: Opening Village
« on: August 27, 2012, 07:18:10 pm »
Here's a potential one - a 4-player game in which there's an engine deck to be made and the only Village is a vanilla Village. But the other components are not going to run out. I'd consider opening Remake/Village in some case like that.

This is the case I was thinking of.  I've run into situations in 3-4 player games where the only village was Village and I didn't get enough of them to make the engine work.

799
I'm pretty sure you would have to do more than just change the names of the cards to avoid legal problems.

Yes, you'd need a new name and new art.
But you can't copyright something like "+2 cards +1 action", and copyright law specifically excludes game rules.
This is half the reason RGG has been so "cool" about unauthorized apps.

I always found it funny how WotC patented "tapping"/"tap" so every other game that uses that mechanic (and many do) just renames it to things like "kneel", "exhaust" etc.

 ;D

Thanks to them we have the scenario of a Game of Thrones "Brothel" card that allows you to "Kneel" another player's character.  Priceless.

800
Dominion General Discussion / Re: CouncilRoom (.com) is trashed?
« on: August 25, 2012, 12:45:23 pm »
I smell a business opportunity for Goko:

Announcing GokoStats, our brand new site with PREMIUM access to game logs, statistics and detailed player information!  All for a low monthly access fee of 100 Gokoins.
