Dominion Strategy Forum

Messages - jqs

1
Dominion General Discussion / Re: How do you guys not get bored?
« on: May 02, 2013, 05:55:01 am »
We'll take a look at the logs and see what's going on with the type of exploit discussed.

Mischief -- sorry if we didn't respond earlier if you posted about another type of exploit. Please email me directly at support@goko.com with the subject "leaderboard exploit" with the one you didn't mention and I'll follow up on it personally.

Thanks!
John Q.

2
Goko Dominion Online / Re: Unable to log into GetSatisfaction forum
« on: April 30, 2013, 04:52:40 pm »
Hi,

One of the reasons this happens is if your G+ account doesn't send us your email address as part of the authentication. GetSatisfaction only works off of email addresses but Goko allows you to log in via different methods (some of which don't give an email address to us).

I've spoken to the GetSatisfaction people about this and we're trying to figure out a work-around but it likely involves us having to figure out a way for you to provide an email address to GetSatisfaction even though you logged in via OAuth (Facebook/G+/Twitter) where potentially no email address was provided.

Thanks,
John Q.

3
Hi WW,

Yes, you contacted me by posting that thread on GetSatisfaction. :) I decided to answer over here instead since that one seemed to be more of a pointer to this one. I've been working fairly long hours on the reconnect code the last 5 days (it's multi-threaded on the server and you have to be painstaking to get these things right) so I haven't been posting on GetSatisfaction as much. I should be back to normal in a few days. :)

Thanks!
John Q.

5
I was too busy out buying my Kraft Cheese Slices and forgot to address that part.

Yes, I have to agree that Kraft isn't my first choice...  a good Havarti or a Pecorino Romano, that's usually first in line. Even had "date and chevre" gelato one time... that was a lot better than I expected it to be.

So here I was just about to jump on the Kraft-singles-bashing bandwagon because of personal taste when I happened to run across this on Amazon:  http://www.amazon.com/Kraft-American-Cheese-Unit-Pack/product-reviews/B000Z7INM0/ref=cm_cr_pr_top_link_1?ie=UTF8&showViewpoints=0  ... thought it was going something along the lines of the comments in this one:  http://www.amazon.com/Hutzler-5717-571-Banana-Slicer/dp/B0047E0EII/ref=sr_1_1?ie=UTF8&qid=1363492131&sr=8-1&keywords=banana+slicer   ... but, lo and behold, apparently there is a very loyal following (albeit not for the slices, which I still will pass on).

6
Hi everyone,

Arman and WW contacted me a few days ago after this thread popped up... sorry for the delay in responding; I've just been busy with the latest release.

I read through everything so I have some answers for things I didn't see answered yet:

1) play.goko.com/games/terms_of_services
     this page never existed on play.goko.com and the URL was a mistake... the correct page (always been there) is: www.goko.com/games/terms_of_service . Thanks to the people that pointed that out to us.

2) Tablet play is difficult on some devices:
     the iOS and Android versions are in development. I've played them. Should be better once these are out. That said, when we first demo'd Dominion at Origins a ways back it was running in a browser on an iPad and people didn't have too much trouble. They had UI suggestions about the "buy" buttons in particular but for the most part it was playable fine. Once we have the native apps out for iOS/Android I'm sure we'll get a lot of feedback and we'll start adjusting those to suit.

3) This is pretty true:

Quote
"Yes, they rushed it.  By rushing it, they didn't do due diligence on their server load capabilities or their JS-injection vulnerabilities.  But I think it is understandable why they did so.  There were lots of real-world pressures to show the community something cool... there was lots of crazy code to write for Dark Ages cards (which already had their programmers working double-shifts)... "

That said, we were running load tests... just the person at the time had designed them in such a way that they didn't expose the platform networking problem we had... and so when we opened the doors, that's what went kaboom. As I'm sure you're all aware, before we opened up to the general public again we not only fixed the problem but also went back and redesigned how we were doing the load tests and then fixed anything that got exposed by the redesigned tests as quickly as humanly possible. Those were some hard days.

4) Security

I addressed this one in another thread here on DS but just to make sure... we fixed everything that the security consultant found. We had him poking specifically at passwords, XSS, javascript injection, and the payment systems (again, we don't participate in the credit card/paypal/etc payment flow... most web sites that take payment don't... they use 3rd parties). He didn't find any major holes after we went through it ourselves and the issues that he did find were more about tightening up our policies around "Allow-Origin" for certain types of files, etc. I would call those more "preventative tweaks" rather than fixes for anything being exploited (which he wasn't able to do). As I said in other places, though, even the large companies like Apple/MS/Google/banks who have dedicated security teams have issues.

So.... all that said, after we opened up again I've seen threads or comments suggesting there's still some problem. In each case I've asked the person for specific information so we can verify. If there's something out there with security, we'll fix it immediately. So far, though, I think most people are just echoing the concern they had from the problem at launch (understandable) and aren't able to give us information about any currently existing problems. If you do know of any such problem then by all means email us at support@goko.com .

Thanks!
John Q.



7
Quote
Could you provide us with full details of how the rating system works? As a community quite into the statistical side of things, we'd really like to know exactly what's going on 'under the bonnet', if you will.
Ted: We use an Elo-type rating system.

Quote
Will disconnections be penalised?

Yes. We needed to wait to release "reconnect" and have that feature settle in before we start doing this. We have a few other priorities first (FB release, iOS/Android versions) but as soon as we can we'll make it so that if you don't reconnect it will count as a loss. In addition, we track "quits" and we'll start displaying that as well (again, we needed to wait till we had a reliable reconnect so we didn't penalize people who legitimately got disconnected).

More on how ratings are calc'd coming from Trisha who is posting a previous reply about our ratings with more detail.




8
[Mobile beta testers] Yes, definitely. The way that would work is that you'd have to install a developer version of the game so those that are familiar with this process would be the ones we'd pick. :)

9
Goko Dominion Online / Re: Why aren't *you* playing on Goko?
« on: January 14, 2013, 05:36:41 pm »
We needed re-connect first before penalizing people for quitting... otherwise we could be dinging people who just got disconnected. Reconnect should be released shortly... then we can address a rating hit for quitting.

10
Goko Dominion Online / Re: Why aren't *you* playing on Goko?
« on: January 11, 2013, 11:14:26 pm »
Hi everyone,

There's some really good feedback in here for us so, first of all, thanks for everyone chipping in regardless of whether the feedback is "no way" or "maybe" or "hey, it's getting better!"  From our perspective it looks like the discussion you guys are having has been pretty fair.

A couple of specific points, because I didn't see any specific responses to these:

  • Memory Leak -- we use a lot of 2d canvases in HTML5 and version 23 of Chrome had a memory leak bug (Google acknowledged this) where they weren't cleaning these up properly. We were not the only company affected, nor even the company yelling the loudest. Google fixed this issue in Chrome 24 beta, which is why we were recommending it. As of a few days ago Chrome 24 is now out of beta and is the standard release, so that's good. In a future release we're also modifying the way we handle canvases to use less memory in any event.
  • Firefox 17 slowness -- same deal here. Mozilla released Firefox 17 and we saw performance take a big hit (again, not only us). Firefox 18 is now released and it's really fast, so we're happy to be past Firefox 17.
  • Card bugs -- we fix these as fast as we hear about them. We test fairly extensively with Donald X., then with the AI's, then on beta.goko.com, then we release. Sorry for not catching them all first time around but we're definitely trying to!
  • Expansions -- Hinterlands: Faraway Lands is out to the people that pre-purchased. I expect we'll release in general in a day or two. We're testing Alchemy right now (but we still have a little work to do on Possession).
  • Reconnect -- Also in a few days we'll be releasing a reconnect feature so that if someone loses their connection, it will reconnect seamlessly (note: this isn't re-join.... just reconnect). Obviously, there are *lots* of edge cases around this and some of them won't be covered but the majority of cases will. As with any new feature like this there will be some hiccups but we'll be working to get those smoothed out asap.
  • UI -- well, we even have disagreements internally about different pieces but overall the response has been positive. I get where the detractors are coming from but this tends to be a subjective topic. The UI of the game won't change much until the mobile version... the tablet version will be relatively the same.


On a larger topic -- Security. There were two major items we saw at launch back in August that we addressed shortly thereafter. In addition there were also a few of the "the client knows something it shouldn't about the other player's cards" that we addressed as well. These were definitely "Oh, s***" moments for us, we pulled back into closed beta, and we deservedly fell on our swords several times for not spotting these before launch. If you know of any security issues that weren't addressed since we opened up again, we would absolutely want to hear about them so email us directly at help@goko.com. As for "what's different than before" in this regard, the responsible parties were let go about a week after launch and we refocused our efforts after that.

As many of you know, to enable us to let players play cross-platform we needed to build our own platform (think Apple's GameCenter). In addition, we have built several games (including Dominion) and we built some developer modules to make creating a game easier (like the meeting room and a few other common items). The platform is the thing that handles transactions like buying stuff, who owns what cards, logging in, achievements, ratings, leaderboards, etc. The security issues that we saw on launch day in August were generally in the developer modules (which send information from the client to our servers) as opposed to our platform (which lives on our servers). The developer modules were created by a 3rd party under our direct supervision, so ultimately our responsibility no doubt and we've addressed this.

One item the platform did have an issue with on launch day was some lower level networking stuff that didn't show up in the type of load tests we were doing leading up to launch. That caused the unavailability on launch day and we addressed that and developed other types of load tests since then. Not to say we won't get overloaded again at some point but we're trying to ramp up in a manageable way.

To answer one person directly, the platform was definitely built from the ground up with security in mind, including security penetration tests by 3rd parties, and so far so good but email us directly if you have any questions or doubts about this and I'll answer the best I can. I also think I saw one person post about IE9 complaining about insecure content. We force IE9 over into HTTPS mode and if any links we include are not in HTTPS mode (like "http://www.goko.com/go-get-a-file") then IE9 complains that the overall page is not secure because that one link being included is not in HTTPS mode. To be honest, I personally have made that mistake a few times when patching something but generally it's just IE9 trying to make sure everything matches.

As for payments, we don't see or save any credit card or paypal info... never have, never will. That all happens via 3rd party payment providers and we're not in the path at all (as is the case with most internet sites). Again, we've had security penetration testing on the interactions we do have with that 3rd party but we don't see any of that personal/credit card info.

For personal info, we do save the email addresses you give us when you register using an email address... and we use those both for login (obviously) and to send you information about the games, like I did the other day when telling people who had pre-bought Hinterlands: Faraway Lands that it was available to them early.

Ok, that was longer than I intended it to be but I hope I addressed most of the questions out there.

August was a very difficult time for us and there wasn't a lot of sleep to be found but the last few months are starting to see things come around, as people have pointed out. As we launch on Facebook and then iOS/Android we'll probably have some more long nights but we're very committed to deliver on the original vision and give everyone a great online game.

Thanks,
John Q.
