Print

Please login or register.
1 Hour 1 Day 1 Week 1 Month Forever
Login with username, password and session length

[Beyond Awesome]

Hi everyone,

There's some really good feedback in here for us so, first of all, thanks for everyone chipping in regardless of whether the feedback is "no way" or "maybe" or "hey, it's getting better!"  From our perspective it looks like the discussion you guys are having has been pretty fair.

A couple of specific points, because I didn't see any specific responses to these:

• Memory Leak -- we use a lot of 2d canvases in HTML5 and version 23 of Chrome had a memory leak bug (Google acknowledged this) where they weren't cleaning these up properly. We were not the only company effected, nor even the company yelling the loudest. Google fixed this issue in Chrome 24 beta, which is why we were recommending it. As of a few days ago Chrome 24 is now out of beta and is the standard release, so that 's good. In a future release we're also modifying the way we handle canvases to use less memory in any event.
• Firefox 17 slowness -- same deal here. Mozilla released Firefox 17 and we saw performance take a big hit (again, not only us). Firefox 18 is now released and it's really fast, so we're happy to be past Firefox 17.
• Card bugs -- we fix these as fast as we hear about them. We test fairly extensively with Donald X., then with the AI's, then on beta.goko.com, then we release. Sorry for not catching them all first time around but we're definitely trying to!
• Expansions -- Hinterlands: Faraway Lands is out to the people that pre-purchased. I expect we'll release in general in a day or two. We're testing Alchemy right now (but we still have a little work to do on Possession).
• Reconnect -- Also in a few days we'll be releasing a reconnect feature so that if someone loses their connection, it will reconnect seamlessly (note: this isn't re-join.... just reconnect). Obviously, there are *lots* of edge cases around this and some of them won't be covered but the majority cases will. As with any new feature like this there will be some hiccups but we'll be working to get those smoothed out asap.
• UI -- well, we even have disagreements internally about different pieces but overall the response has been positive. I get where the detractors are coming from but this tends to be a subjective topic. The UI of the game won't change much until the mobile version... the tablet version will be relatively the same.

On a larger topic -- Security. There were two major items we saw at launch back in August that we addressed shortly thereafter. In addition there were also a few of the "the client knows something it shouldn't about the other player's cards" that we addressed as well. These were definitely "Oh, s***" moments for us, we pulled back into closed beta, and we deservedly fell on our swords several times for not spotting these before launch. If you know of any security issues that weren't addressed since we opened up again, we would absolutely want to hear about them so email us directly at help@goko.com. As for "what's different than before" in this regard, the responsible parties were let go about a week after launch and we refocused our efforts after that.

As many of you know, to enable us to let players play cross-platform we needed to build our own platform (think Apple's GameCenter). In addition, we have built several games (including Dominion) and we built some developer modules to make creating a game easier (like the meeting room and a few other common items). The platform is the thing that handles transactions like buying stuff, who owns what cards, logging in, achievements, ratings, leaderboards, etc. The security issues that we saw on launch day in August were generally in the developer modules (which send information from the client to our servers) as opposed to our platform (which lives on our servers). The developer modules were created by a 3rd party under our direct supervision, so ultimately our responsibility no doubt and we've addressed this.

One item the platform did have an issue with on launch day was some lower level networking stuff that didn't show up in the type of load tests we were doing leading up to launch. That caused the unavailability on launch day and we addressed that and developed other types of load tests since then. Not to say we won't get overloaded again at some point but we're trying to ramp up in a manageable way.

To answer one person directly, the platform was definitely built from the ground up with security in mind, including security penetration tests by 3rd parties, and so far so good but email us directly if you have any questions or doubts about this and I'll answer the best I can. I also think I saw one person post about IE9 complaining about insecure content. We force IE9 over into HTTPS mode and if any links we include are not in HTTPS mode (like "http://www.goko.com/go-get-a-file") then IE9 complains that the overall page is not secure because that one link being included is not in HTTPS mode. To be honest, I personally have made that mistake a few times when patching something but generally it's just IE9 just trying to make sure everything matches.

As for payments, we don't see or save any credit card or paypal info... never have, never will. That all happens via 3rd party payment providers and we're not in the path at all (as is the case with most internet sites). Again, we've had security penetration testing on the interactions we do have with that 3rd party but we don't see any of that personal/credit card info.

For personal info, we do save the email addresses you give us when you register using an email address... and we use those both for login (obviously) and to send you information about the games, like I did the other day when telling people who had pre-bought Hinterlands: Faraway Lands that it was available to them early.

Ok, that was longer than I intended it to be but I hope I addressed most of the questions out there.

August was a very difficult time for us and there wasn't a lot of sleep to be found but the last few months are starting to see things come around, as people have pointed out. As we launch on Facebook and then iOS/Android we'll probably have some more long nights but we're very committed to deliver on the original vision and give everyone a great online game.

Thanks,
John Q.

Thanks John Q. for your post. It is very much appreciated.

[LastFootnote]

Seconded! Thanks for taking the time to explain all that!

[DStu]

Ok, that was longer than I intended it to be but I hope I addressed most of the questions out there.

Thanks for posting, I think one of the reasons I'm not on goko is that I have not seen posts like this before...

[kn1tt3r]

Regarding this reconnect feature - well, there seems to be such a thing, but it has never worked for me. Since yesterday LOTS of disconnects (and therefore exits from the running games) happened, so I've got some experience with it.

Btw, how are disconnects handled regarding ranking? Who lost the running game? Noone?

[cactus]

Ok, that was longer than I intended it to be but I hope I addressed most of the questions out there.

Thanks for posting, I think one of the reasons I'm not on goko is that I have not seen posts like this before...

I agree. Thanks for detailed and considered response. Direct and detailed information = increased confidence.

[Beyond Awesome]

Regarding this reconnect feature - well, there seems to be such a thing, but it has never worked for me. Since yesterday LOTS of disconnects (and therefore exits from the running games) happened, so I've got some experience with it.

Btw, how are disconnects handled regarding ranking? Who lost the running game? Noone?

That is correct. No ones score is affected. However, as a result, the leaderboard can easily be gamed because if you are about to lose, all you have to do is refresh your browser and that causes a disconnect. You don't lose points and you're opponent who was about to win doesn't gain any ranking points. However, Goko has acknowledged this, and they claim that soon they will fix this problem.

[WanderingWinder]

On a larger topic -- Security. There were two major items we saw at launch back in August that we addressed shortly thereafter. In addition there were also a few of the "the client knows something it shouldn't about the other player's cards" that we addressed as well. These were definitely "Oh, s***" moments for us, we pulled back into closed beta, and we deservedly fell on our swords several times for not spotting these before launch. If you know of any security issues that weren't addressed since we opened up again, we would absolutely want to hear about them so email us directly at help@goko.com. As for "what's different than before" in this regard, the responsible parties were let go about a week after launch and we refocused our efforts after that.

First of all, I would like to thank you deeply for posting all of this information here. Communication is really important, and hearing something is always and definitely helpful.

Let me try to explain why I find this explanation unsatisfactory. "The responsible parties were let go about a week after launch." This is actually indicative of the problem to me. This seems to imply that there are a few guys who are responsible for security, and since there was a security problem, they got the ax. But security should be a concern for *everyone*. If you are working at a summer camp, you shouldn't have one or two or ten guys whose responsibility is the kids' safety. EVERYONE's first responsibility is the kids' safety. Similarly, in every workplace (well, every one I have ever known), the number one responsibility is the safety of everyone. It should be the same way here - security is everyone's concern. Now, I am not suggesting you should fire everyone. Heck, I don't care if you got rid of *anyone*. I just want it to get done right. And much as I'd just like to take your word for it that things are safe, we unfortunately don't live in the kind of world where that is a practical decision to make. It really sucks that this is the case, but if we DID live in that kind of world, then of course we wouldn't need security measures at all. It doesn't help that you've had the big security issues in the past.
Ultimately, I'm not so concerned about the specific security problems you had. You've fixed those, that's fine. It's about the process, the process by which you didn't find them, or by which you knew about them and didn't communicate that to whoever made the decision to launch, or by which you did communicate and the guy making the launch decision launched anyway. Because I don't see indications that this is any less likely to happen on a problem in the future, and even if you have everything covered right now (certainly possible), new threats are coming out all the time.
It's analogous to going to a restaurant and being served chicken that, when you cut into it, is raw. This is a problem of any of a number of people, who didn't cook the thing properly, and who didn't get it checked properly. Now, you might say, I am pretty likely to be fine going there and getting chicken again later on, if this is just one incident anyway, so what's the problem? Well, why am I comfortable doing that? Well, there are a couple reasons. Number one is that it's really obvious whenever chicken is raw, and that is something I can't duplicate with these e-security issues. That would be more like using mold food, wiping it off and using it, I guess. But the real reason I can feel safe is that there are health inspectors. Basically, what I would like to see here, and what most tech companies do, is hire someone, someone independent of themselves, someone reputable, who from time to time basically does an audit on your system, from a security standpoint. You get this, and you have them give you a clean bill of health, I'll be fine with security, and I'll buy your product. Even if they show the occasional issue, that's okay, so long as they're minor enough anyway - you aren't going to get 100% coverage, and I realize that. I just want someone independent to look over things.

[LastFootnote]

Let me try to explain why I find this explanation unsatisfactory. "The responsible parties were let go about a week after launch." This is actually indicative of the problem to me. This seems to imply that there are a few guys who are responsible for security, and since there was a security problem, they got the ax. But security should be a concern for *everyone*. If you are working at a summer camp, you shouldn't have one or two or ten guys whose responsibility is the kids' safety. EVERYONE's first responsibility is the kids' safety.

I agree with most of your post, but this analogy is pretty bad. What you seem to be implying is that every single person at the company should review every single piece of code to make sure it doesn't create security holes. That's just not practical. I don't think the people fired were 'responsible for security'. I think they were responsible for coding the bits that had security holes.

If three kids die at a summer camp while they were doing activities under Bill and Ted's care, Bill and Ted are going to get fired due to negligence.

[WanderingWinder]

Let me try to explain why I find this explanation unsatisfactory. "The responsible parties were let go about a week after launch." This is actually indicative of the problem to me. This seems to imply that there are a few guys who are responsible for security, and since there was a security problem, they got the ax. But security should be a concern for *everyone*. If you are working at a summer camp, you shouldn't have one or two or ten guys whose responsibility is the kids' safety. EVERYONE's first responsibility is the kids' safety.

I agree with most of your post, but this analogy is pretty bad. What you seem to be implying is that every single person at the company should review every single piece of code to make sure it doesn't create security holes. That's just not practical. I don't think the people fired were 'responsible for security'. I think they were responsible for coding the bits that had security holes.

If three kids die at a summer camp while they were doing activities under Bill and Ted's care, Bill and Ted are going to get fired due to negligence.

I don't mean this, which is why I say later on that I wouldn't care if nobody were fired. Obviously not every person reviews every piece of code. More I mean, security is more of a positive thing than a negative thing. It shouldn't be person X's job to 'go and program security everywhere'. There's no way he can do it all, and if he didn't write the code somewhere, it's going to be difficult for him. And maybe the responsibility here was that people X and Y say that problem Z is fixed and are just lying, in which case what they did is fine. But the structure they ought to have is that there are programmers on different things, probably you want more than one programmer on different things but whatever, the big issue is that you should have the people programming it who should catch it, but you should also have people who are checking these kinds of things, multiple people checking these kinds of things, who should also catch it. Now, maybe they fired ALL these people, which seems like it would be an awful lot to me, but maybe they did. Anyway, you want redundancy. You don't need everyone to look at every piece, no, but you kneed more than one person looking at every piece, and everyone needs to be concerned about it. Everyone should be asking questions. And many probably were.
And if they did actually get rid of SO many people, then it eats into my confidence in their ability to hire qualified people, especially without them telling me that they have specifically people X or more likely and preferably company Y who is overseeing or at least testing things.

[cactus]

I've recently played a couple of games on Goko for the first time in quite a while (using my default browser, Safari).

Several things substantially improved - game play was quite brisk and the interface didn't seem too buggy (last time I played I wasn't able to see the art or text on a number of the cards and that is definitely fixed now).

However it crashed once straight after my first game and then again half way through my second - I probably need to get around to downloading another browser I guess.

There is a whole bunch of things about Goko that I still don't like but I can probably live with most of them - but if the game crashes twice in one and a half games it is still not ready to pay real money for IMO.

[Donald X.]

Goko is running very smoothly for me under Chrome 24. Now Chrome isn't changing the color of links I've already clicked on, but well nothing to do with Goko.

[Polk5440]

I tried Goko again today. Goko does not lag for me with Firefox 18 like it did with 17. So I am happy the performance issues were taken care of there. It still crashed once when I was playing Adventures (out of 5 games) and once when loading a multiplayer game (out of 2 games), though.

[cactus]

Played 12 games of the adventure mode last night (still using safari). No crashes, no lag.... if it performs like that in multiplayer I might be able to get away without downloading chrome (nothing in particular against chrome, I'm just a bit of a minimalist).

Only weird thing I noticed in the whole 12 games was the name of one of the cards (woodcutter I think it was) had a black bar across it so you couldn't read the name of the card. Apart from that it worked very well.... definitely a big improvement over the last time I played.

[Beyond Awesome]

They are getting better, and we are seeing results much faster these days.

[werothegreat]

I have a new reason not to play - there's no way to force the other player to resign.

http://www.youtube.com/watch?v=Iq2chTK9lZI

[Kirian]

I have a new reason not to play - there's no way to force the other player to resign.

http://www.youtube.com/watch?v=Iq2chTK9lZI

Oh wow.  That's pretty bad.

[jsh357]

I have a new reason not to play - there's no way to force the other player to resign.

http://www.youtube.com/watch?v=Iq2chTK9lZI

Oh wow.  That's pretty bad.

There are several users using this to game the leaderboard, apparently.  If you close the tab or something (I'm not precisely sure how) you can exit with no penalty and leave your opponent hanging.

[Beyond Awesome]

I have a new reason not to play - there's no way to force the other player to resign.

http://www.youtube.com/watch?v=Iq2chTK9lZI

Oh wow.  That's pretty bad.

There are several users using this to game the leaderboard, apparently.  If you close the tab or something (I'm not precisely sure how) you can exit with no penalty and leave your opponent hanging.

Actually, all you have to do is refresh your browser and you are exited from the game and don't gain a loss. Although, Goko says it is on their radar of things to take care of soon.

[jqs]

We needed re-connect first before penalizing people for quitting... otherwise we could be dinging people who just got disconnected. Reconnect should be released shortly... then we can address a rating hit for quitting.

[charlequin]

UI -- well, we even have disagreements internally about different pieces but overall the response has been positive. I get where the detractors are coming from but this tends to be a subjective topic. The UI of the game won't change much until the mobile version... the tablet version will be relatively the same.

The only real absolute stopper on the UI side (at least in my opinion) is the inability to display a text log inside the game window. Are there any plans to implement some form of this?

[ftl]

UI -- well, we even have disagreements internally about different pieces but overall the response has been positive. I get where the detractors are coming from but this tends to be a subjective topic. The UI of the game won't change much until the mobile version... the tablet version will be relatively the same.

The only real absolute stopper on the UI side (at least in my opinion) is the inability to display a text log inside the game window. Are there any plans to implement some form of this?

+1 to that.

It would be so convenient.

[werothegreat]

We needed re-connect first before penalizing people for quitting... otherwise we could be dinging people who just got disconnected. Reconnect should be released shortly... then we can address a rating hit for quitting.

I don't care about a penalty - I really just want a way to make someone resign if they're taking 10 minutes to do something.

[Beyond Awesome]

We needed re-connect first before penalizing people for quitting... otherwise we could be dinging people who just got disconnected. Reconnect should be released shortly... then we can address a rating hit for quitting.

I don't care about a penalty - I really just want a way to make someone resign if they're taking 10 minutes to do something.

I think there needs to be both a penalty and a way to make them resign, and well before 10 minutes, 5 minutes at most.

[Stealth Tomato]

We needed re-connect first before penalizing people for quitting... otherwise we could be dinging people who just got disconnected. Reconnect should be released shortly... then we can address a rating hit for quitting.

This is why it's great that you guys are actively interacting with the community now--this is strong logic and I'm looking forward to seeing those improvements get rolled out.

[Hunting Party of One]

Sorry, didn't know where else to post this question:  On Goko, which rooms are casual, which are pro, etc.?  Thanks for any help here.