Dominion Strategy Forum

Dominion => Dominion Online at Shuffle iT => Dominion General Discussion => Goko Dominion Online => Topic started by: WanderingWinder on March 11, 2013, 04:23:27 pm

Title: Convince me that Goko is a good site, security-wise
Post by: WanderingWinder on March 11, 2013, 04:23:27 pm
Title pretty much says it.
Title: Re: Convince me that Goko is a good site, security-wise
Post by: LastFootnote on March 11, 2013, 04:33:12 pm
I don't think it is. But now that you can pay via PayPal, I'm willing to use it. Just use a throwaway Gmail account if you're concerned about their database security.
Title: Re: Convince me that Goko is a good site, security-wise
Post by: Robz888 on March 11, 2013, 05:17:10 pm
As of March 15, it will be the best online Dominion gaming spot on the whole web!
Title: Re: Convince me that Goko is a good site, security-wise
Post by: Rabid on March 11, 2013, 05:23:50 pm
As of March 15, it will be the best online Dominion gaming spot on the whole web!

It will also be the least secure!   ;)
Title: Re: Convince me that Goko is a good site, security-wise
Post by: gryph202 on March 11, 2013, 05:37:59 pm
Between lingering security concerns and the unmitigated disaster that was Goko's first roll out August-last, it would take a lot of convincing to get me to spend money on Goko.  And good luck with that.
Title: Re: Convince me that Goko is a good site, security-wise
Post by: WanderingWinder on March 11, 2013, 05:49:00 pm
I don't think it is. But now that you can pay via PayPal, I'm willing to use it. Just use a throwaway Gmail account if you're concerned about their database security.
I'm not worried about information getting out really - I am paranoid enough to not push much of any useful info to them, as with most sites, so unless they're the grossest of negligent, or actually malignant - neither of which I see - I'm okay there.
As of March 15, it will be the best online Dominion gaming spot on the whole web!
Which isn't enough for me - nor what I'm asking for! Certainly the gameplay, while not as good for my pleasure as iso, was fine enough many months ago for me. But it's the security that is keeping me out for now.
Title: Re: Convince me that Goko is a good site, security-wise
Post by: SirPeebles on March 11, 2013, 06:15:09 pm
What exactly are you asking for?  How has it not been answered by LastFootnote?  You are always complaining about security, but I've never understood what your complaint is.
Title: Re: Convince me that Goko is a good site, security-wise
Post by: Watno on March 11, 2013, 06:22:24 pm
As far as I'm aware, no one has managed to infect my computer with any virus while I was playing on Goko so far.
If that's not enough, clarify what you want us to do?
Title: Re: Convince me that Goko is a good site, security-wise
Post by: Ozle on March 11, 2013, 06:22:59 pm
It's probably the same security-wise as a lot of other sites you visit. Probably about as secure as Iso and Council Room? Dunno, but the money is all handled off site.

Title: Re: Convince me that Goko is a good site, security-wise
Post by: WanderingWinder on March 11, 2013, 06:37:24 pm
What exactly are you asking for?  How has it not been answered by LastFootnote?
I am asking for some kind of assurance that the site is secure, that it's not particularly easy for people to do who knows what to my machine from the site. I am asking because the holes were there, were very clearly there, around the time of the failed launch, and while those holes were fixed, their reactions were 'it wasn't a major problem' and 'we have it fixed now - trust us'. I need something more concrete than this, at this point, which nobody (LF included) has given.

The reason the general 'it's as safe as any site' doesn't hold is because of the explanation above, which shows them to be a bit less trustworthy (not in the lying sense, but in the competence sense).
Title: Re: Convince me that Goko is a good site, security-wise
Post by: Watno on March 11, 2013, 06:43:18 pm
And where do you expect us to get that assurance?
Title: Re: Convince me that Goko is a good site, security-wise
Post by: werothegreat on March 11, 2013, 06:45:33 pm
And where do you expect us to get that assurance?

We really only have our own experiences, and no one has been complaining about viruses or any such.  The best you'll get is assurances from the company, which you've already said you don't trust.
Title: Re: Convince me that Goko is a good site, security-wise
Post by: WanderingWinder on March 11, 2013, 06:45:53 pm
And where do you expect us to get that assurance?
I actually don't. But if you can, I'd sure like to see it. It's something I'd like but am not expecting.
Title: Re: Convince me that Goko is a good site, security-wise
Post by: LastFootnote on March 11, 2013, 06:46:24 pm
Well, someone who is net-savvy could examine their code and determine this. Unfortunately, I have no hacking experience personally.
Title: Re: Convince me that Goko is a good site, security-wise
Post by: Beyond Awesome on March 11, 2013, 07:21:07 pm
Well, I have played over 1000 games and others have as well. No one has hacked into my computer through Goko, and I have not heard of it happening to anyone else.
Title: Re: Convince me that Goko is a good site, security-wise
Post by: ftl on March 11, 2013, 07:38:28 pm
I suggest you ask on https://getsatisfaction.com/goko ; as far as I know, nobody who's posting here has any more information than you do, I think?
Title: Re: Convince me that Goko is a good site, security-wise
Post by: ashersky on March 11, 2013, 07:56:56 pm
Is there a running list of the Top 50/100 or so and whether they've made the switch?  I mean, WW has a lot of sway in the Dominion world (like Stef, Marin, Geronimoo, theory, etc., just to name a few off the top of my head) as far as Dominion celebs go, so it may be nice to see which celebrities have endorsed Goko and which haven't.
Title: Re: Convince me that Goko is a good site, security-wise
Post by: Rabid on March 11, 2013, 08:09:53 pm
I just tried to buy in.
Tried the ToS link and got 404 error!
http://play.goko.com/games/terms_of_service
So I think I will not be paying yet.
Title: Re: Convince me that Goko is a good site, security-wise
Post by: thirtyseven on March 11, 2013, 08:16:16 pm
Is there a running list of the Top 50/100 or so and whether they've made the switch?  I mean, WW has a lot of sway in the Dominion world (like Stef, Marin, Geronimoo, theory, etc., just to name a few off the top of my head) as far as Dominion celebs go, so it may be nice to see which celebrities have endorsed Goko and which haven't.

That would be interesting. If you want a running list of the Middle 50/100 or so, you can start with me ::)
Title: Re: Convince me that Goko is a good site, security-wise
Post by: Tdog on March 11, 2013, 08:23:40 pm
I just tried to buy in.
Tried the ToS link and got 404 error!
http://play.goko.com/games/terms_of_service
So I think I will not be paying yet.


Get rid of the play at the front of that link and it should work fine.
Title: Re: Convince me that Goko is a good site, security-wise
Post by: Rabid on March 11, 2013, 08:38:58 pm
Thanks.
Main point is that the link fails to work just before I pay.
Basic errors like this don't give me confidence in the quality or security of the product.
So I will not be buying at this time.
Title: Re: Convince me that Goko is a good site, security-wise
Post by: Razzishi on March 11, 2013, 08:51:17 pm
Thanks.
Main point is that the link fails to work just before I pay.
Basic errors like this don't give me confidence in the quality or security of the product.
So I will not be buying at this time.

I was definitely thinking about it until I hit a similar error.  The whole thing is so amateurish and out-of-tune from what people really want, I can scarcely believe they're asking money for it.
Title: Re: Convince me that Goko is a good site, security-wise
Post by: SirPeebles on March 11, 2013, 09:18:11 pm
What similar evidence of security does dougz provide?  And I'm not trying to be snarky, I really don't know what sort of reassurance you're looking for.
Title: Re: Convince me that Goko is a good site, security-wise
Post by: WanderingWinder on March 11, 2013, 09:22:16 pm
What similar evidence of security does dougz provide?  And I'm not trying to be snarky, I really don't know what sort of reassurance you're looking for.
dougz hasn't had the enormous issues that this site did, and moreover, never said that these things weren't big deals.

I gave them equal benefit on that front until they had these problems, after which they did more of a band-aid than proper addressment of the issue.
Title: Re: Convince me that Goko is a good site, security-wise
Post by: blueblimp on March 11, 2013, 11:06:39 pm
Isotropic has a good security track record, as far as I know. The only hole I know of was the lack of server-side checking of affordability that allowed a Platinum/Platinum opening, and Goko had a similar problem but worse. I'm not aware of it ever having an XSS exploit or leaking expansion info, both problems that Goko has had.
Title: Re: Convince me that Goko is a good site, security-wise
Post by: SirPeebles on March 11, 2013, 11:11:54 pm
Isotropic has a good security track record, as far as I know. The only hole I know of was the lack of server-side checking of affordability that allowed a Platinum/Platinum opening, and Goko had a similar problem but worse. I'm not aware of it ever having an XSS exploit or leaking expansion info, both problems that Goko has had.

Isotropic leaked Dark Ages what, two weeks ago?
Title: Re: Convince me that Goko is a good site, security-wise
Post by: blueblimp on March 11, 2013, 11:14:15 pm
Isotropic has a good security track record, as far as I know. The only hole I know of was the lack of server-side checking of affordability that allowed a Platinum/Platinum opening, and Goko had a similar problem but worse. I'm not aware of it ever having an XSS exploit or leaking expansion info, both problems that Goko has had.

Isotropic leaked Dark Ages what, two weeks ago?
By "expansion info" I meant information about the expansion. Everyone knows what the Dark Ages cards are now. I agree it was a slip-up but IMO not on the same scale as leaking cards before they are officially unveiled.
Title: Re: Convince me that Goko is a good site, security-wise
Post by: werothegreat on March 11, 2013, 11:19:58 pm
Isotropic has a good security track record, as far as I know. The only hole I know of was the lack of server-side checking of affordability that allowed a Platinum/Platinum opening, and Goko had a similar problem but worse. I'm not aware of it ever having an XSS exploit or leaking expansion info, both problems that Goko has had.

Isotropic leaked Dark Ages what, two weeks ago?
By "expansion info" I meant information about the expansion. Everyone knows what the Dark Ages cards are now. I agree it was a slip-up but IMO not on the same scale as leaking cards before they are officially unveiled.

Oh, I quite enjoyed that, actually.  Especially with such a large expansion - it was like Christmas.
Title: Re: Convince me that Goko is a good site, security-wise
Post by: greatexpectations on March 11, 2013, 11:31:44 pm
Isotropic leaked Dark Ages what, two weeks ago?

This was not a site design issue though, it was a simple mistake by dougz. And FWIW, he commented that he hadn't updated the isotropic site at all since July. It has been (to my knowledge) almost entirely bug free in that span and has not had any known security issues.
Title: Re: Convince me that Goko is a good site, security-wise
Post by: Polk5440 on March 12, 2013, 12:51:33 pm
I just tried to buy in.
Tried the ToS link and got 404 error!
http://play.goko.com/games/terms_of_service
So I think I will not be paying yet.

I reported this on getsatisfaction for you (https://getsatisfaction.com/goko/topics/_terms_apply_link_is_broken?rfm=1).
Title: Re: Convince me that Goko is a good site, security-wise
Post by: dondon151 on March 12, 2013, 06:34:52 pm
Is there a running list of the Top 50/100 or so and whether they've made the switch?  I mean, WW has a lot of sway in the Dominion world (like Stef, Marin, Geronimoo, theory, etc., just to name a few off the top of my head) as far as Dominion celebs go, so it may be nice to see which celebrities have endorsed Goko and which haven't.

My impression is that a topic containing such a list would be locked in short order due to complaining. And in any case, if the top 100 decide not to make the switch, then that doesn't matter in the long run because there will be another 100 to replace them. I can't say for sure if the overall quality of the player base is going to keep improving or stagnate now that there are so many veterans leaving, but I'm almost certain that no one cares about that. At worst, it just means that Goko is going to make slightly less money.
Title: Re: Convince me that Goko is a good site, security-wise
Post by: Polk5440 on March 12, 2013, 07:14:18 pm
Is there a running list of the Top 50/100 or so and whether they've made the switch?  I mean, WW has a lot of sway in the Dominion world (like Stef, Marin, Geronimoo, theory, etc., just to name a few off the top of my head) as far as Dominion celebs go, so it may be nice to see which celebrities have endorsed Goko and which haven't.

My impression is that a topic containing such a list would be locked in short order due to complaining. And in any case, if the top 100 decide not to make the switch, then that doesn't matter in the long run because there will be another 100 to replace them. I can't say for sure if the overall quality of the player base is going to keep improving or stagnate now that there are so many veterans leaving, but I'm almost certain that no one cares about that. At worst, it just means that Goko is going to make slightly less money.

You can check the top 100 on the Goko Pro Leaderboard here (http://www.goko.com/games/Dominion/leaders). It doesn't say who pays or their records, though. There are some recognizable f.ds names.

I am waiting for the day Council Room starts pulling Goko basic stats. I for one want to know my stats against Andrew Iannaccone and Jonathan Shepherd. I have played them each quite a bit, and they are both friendly and very good.
Title: Re: Convince me that Goko is a good site, security-wise
Post by: Watno on March 12, 2013, 07:19:34 pm
I have the feeling like I'm playing all my games against Andrew^^
Title: Re: Convince me that Goko is a good site, security-wise
Post by: LastFootnote on March 12, 2013, 07:52:24 pm
Bear in mind that it's currently quite easy to cheat your way up to the top 100 by quitting games you're going to lose. (I'm not accusing anyone here of doing that, but I know that there are those who do on the Goko leaderboard.)

EDIT: WanderingWinder, it's pretty clear that you want to be convinced that Goko is a relatively secure site. But in the end, you're going to have to convince yourself. Nothing we say is going to mean much. If I'd had the presence of mind when you first posted this thread, "Convince me that Goko is a good site, security-wise", I would have simply responded with, "No."
Title: Re: Convince me that Goko is a good site, security-wise
Post by: jsh357 on March 12, 2013, 07:57:21 pm
Bear in mind that it's currently quite easy to cheat your way up to the top 100 by quitting games you're going to lose. (I'm not accusing anyone here of doing that, but I know that there are those who do on the Goko leaderboard.)

EDIT: WanderingWinder, it's pretty clear that you want to be convinced that Goko is a relatively secure site. In the end, you're going to have to convince yourself. Nothing we say is going to mean anything. If I'd had the presence of mind when you first posted the thread, "Convince me that Goko is a good site, security-wise", I would have simply responded with, "No."

It hasn't been that hard for me to climb lately.  (made it in the top 20 in a couple of days)   There are several known cheaters perched near the top, though.  Frustrating.
Title: Re: Convince me that Goko is a good site, security-wise
Post by: Beyond Awesome on March 12, 2013, 08:01:01 pm
I am also in the top 20, and I know I did not cheat to get there either. But, yes, some of those players did cheat to get there. I know because I played against them.
Title: Re: Convince me that Goko is a good site, security-wise
Post by: WanderingWinder on March 12, 2013, 08:04:10 pm
EDIT: WanderingWinder, it's pretty clear that you want to be convinced that Goko is a relatively secure site. But in the end, you're going to have to convince yourself. Nothing we say is going to mean much. If I'd had the presence of mind when you first posted this thread, "Convince me that Goko is a good site, security-wise", I would have simply responded with, "No."
I'm not looking for a persuasive argument. I certainly doubt that there's just a framing of it that's going to change my mind.

I'm looking for new information. It's certainly possible that it's not out there. But I've looked as best I can. If someone else has something I haven't found, I'd like to see it here. If not, then the post doesn't particularly concern you - no response required.
Title: Re: Convince me that Goko is a good site, security-wise
Post by: LastFootnote on March 12, 2013, 09:00:32 pm
EDIT: WanderingWinder, it's pretty clear that you want to be convinced that Goko is a relatively secure site. But in the end, you're going to have to convince yourself. Nothing we say is going to mean much. If I'd had the presence of mind when you first posted this thread, "Convince me that Goko is a good site, security-wise", I would have simply responded with, "No."
I'm not looking for a persuasive argument. I certainly doubt that there's just a framing of it that's going to change my mind.

I'm looking for new information. It's certainly possible that it's not out there. But I've looked as best I can. If someone else has something I haven't found, I'd like to see it here. If not, then the post doesn't particularly concern you - no response required.

But none of us know what you want to hear. I personally don't believe any information—new or otherwise—is going to convince you. News flash: every site can be hacked. No system is completely secure. If you want to know whether the site meets your arbitrary standards, do the legwork yourself. Learn how to hack and try to break the site's security.
Title: Re: Convince me that Goko is a good site, security-wise
Post by: WanderingWinder on March 12, 2013, 09:37:31 pm
EDIT: WanderingWinder, it's pretty clear that you want to be convinced that Goko is a relatively secure site. But in the end, you're going to have to convince yourself. Nothing we say is going to mean much. If I'd had the presence of mind when you first posted this thread, "Convince me that Goko is a good site, security-wise", I would have simply responded with, "No."
I'm not looking for a persuasive argument. I certainly doubt that there's just a framing of it that's going to change my mind.

I'm looking for new information. It's certainly possible that it's not out there. But I've looked as best I can. If someone else has something I haven't found, I'd like to see it here. If not, then the post doesn't particularly concern you - no response required.

But none of us know what you want to hear. I personally don't believe any information—new or otherwise—is going to convince you. News flash: every site can be hacked. No system is completely secure. If you want to know whether the site meets your arbitrary standards, do the legwork yourself. Learn how to hack and try to break the site's security.
I fully understand that any site can be hacked - I am not a blithering idiot. My standards are relatively arbitrary, I grant, but not hugely high - I am looking for something that can be trusted about as much as your standard webpage. I have specific reasons, as laid out above, that this site seems sub-standard here. The clearest thing, for me, that would bring this to okay-ness is information that they've hired a specific group (someone who could be looked up, with some kind of reputation or track record). Again, I'm not expecting to be convinced here, but if someone can do it, I'd be thrilled. If you can't, why post?

Learning how to hack and trying to get into the site is an absolutely terrible idea, for a number of reasons. The amount of time and effort it would take is not even close to being worth it; it's illegal; it actually exposes me to greater risk than just sitting and doing nothing; it would be incredibly arrogant to think I could know when I've done a reasonable job of learning hacking techniques - I don't have that great of this kind of intelligence; most of all, it's absolutely unethical.
Title: Re: Convince me that Goko is a good site, security-wise
Post by: blueblimp on March 12, 2013, 11:41:22 pm
I am looking for something that can be trusted about as much as your standard webpage.
Your average webpage is typically fairly insecure. In my opinion, just avoid giving Goko your credit card info directly, and then you aren't really exposing yourself any more than generally perusing the internet.
Title: Re: Convince me that Goko is a good site, security-wise
Post by: DStu on March 13, 2013, 02:38:23 am
most of all, it's absolutely unethical.
Agree with everything else concerning hacking, but in how far is it unethical to learn how to recognize security risks and warn the people who are committing them/that are exposed?

Was it unethical of $whoeveritwas to search for the XSS exploit in the chat during beta?
Title: Re: Convince me that Goko is a good site, security-wise
Post by: WanderingWinder on March 13, 2013, 07:53:43 am
most of all, it's absolutely unethical.
Agree with everything else concerning hacking, but in how far is it unethical to learn how to recognize security risks and warn the people who are committing them/that are exposed?

Was it unethical of $whoeveritwas to search for the XSS exploit in the chat during beta?
Learning and searching isn't. But the step that goes to actually trying to pull it off is.
Title: Re: Convince me that Goko is a good site, security-wise
Post by: WanderingWinder on March 13, 2013, 07:54:49 am
I am looking for something that can be trusted about as much as your standard webpage.
Your average webpage is typically fairly insecure. In my opinion, just avoid giving Goko your credit card info directly, and then you aren't really exposing yourself any more than generally perusing the internet.
Well, depends on how you define average webpage. Yeah, the web is full of sites that are insecure, but I guess I am not counting things like that which banner ads point you to, or the enormous troves of pornography.
Title: Re: Convince me that Goko is a good site, security-wise
Post by: DStu on March 13, 2013, 08:24:14 am
most of all, it's absolutely unethical.
Agree with everything else concerning hacking, but in how far is it unethical to learn how to recognize security risks and warn the people who are committing them/that are exposed?

Was it unethical of $whoeveritwas to search for the XSS exploit in the chat during beta?
Learning and searching isn't. But the step that goes to actually trying to pull it off is.
Also if it is some harmless stuff like popping up some window or so? You don't have to install a trojan horse...
Title: Re: Convince me that Goko is a good site, security-wise
Post by: WanderingWinder on March 13, 2013, 01:19:10 pm
most of all, it's absolutely unethical.
Agree with everything else concerning hacking, but in how far is it unethical to learn how to recognize security risks and warn the people who are committing them/that are exposed?

Was it unethical of $whoeveritwas to search for the XSS exploit in the chat during beta?
Learning and searching isn't. But the step that goes to actually trying to pull it off is.
Also if it is some harmless stuff like popping up some window or so? You don't have to install a trojan horse...
First, if I am trying to test for what I'm worried about, I would have to attempt to do what I'm worried about. Second, that's actually not relevant - it's unethical to steal a car even if you just go move it to the next parking spot over. But a big debate on this isn't so helpful either.
Title: Re: Convince me that Goko is a good site, security-wise
Post by: DStu on March 13, 2013, 03:44:01 pm
most of all, it's absolutely unethical.
Agree with everything else concerning hacking, but in how far is it unethical to learn how to recognize security risks and warn the people who are committing them/that are exposed?

Was it unethical of $whoeveritwas to search for the XSS exploit in the chat during beta?
Learning and searching isn't. But the step that goes to actually trying to pull it off is.
Also if it is some harmless stuff like popping up some window or so? You don't have to install a trojan horse...
First, if I am trying to test for what I'm worried about, I would have to attempt to do what I'm worried about. Second, that's actually not relevant - it's unethical to steal a car even if you just go move it to the next parking spot over. But a big debate on this isn't so helpful either.
I more or less completely disagree on the first two statements, but the third one is probably true.
Title: Re: Convince me that Goko is a good site, security-wise
Post by: Hertz_Doughnut on March 14, 2013, 03:44:50 am
WW... I'm not on goko and not prejudiced in their favor, but I maintain an insurance company's website for a living.  Couple observations...

1. It's not a fair question to ask if everything is "good security-wise". That's like asking your doctor if you're 100% healthy. What doctor can test you for every single possible disease and abnormality? What doctor is a specialist on every organ of the body? Especially if you don't have symptoms.

You can ask a doctor if this skin spot is cancer, or what it means to have a fever and chills... I.e. specific questions. And so too with goko... you can ask if credit card info is saved on their site, if it's encrypted, if players can hack to see their opponents' hands, if you can trick the game into buying platinums on turn 1, etc. Those are questions that can be answered. So I would encourage you to write out every specific thing you can think of that you are concerned about, so we/goko can go through them 1 by 1.

2. It sounded like you were concerned that somehow a hacker was going to punch through goko and take over your computer. This, frankly, is totally unrealistic in today's internet. You are vastly undermining the armies of security professionals who work for (a) internet servers (b) web browsers and (c) operating systems. (Not to mention firewalls and anti-virus companies.) All 3 are continually being patched/updated to deal with threats that came out last week.

I'm not saying it's impossible to have your computer taken over... That is possible if you go to a site that is intentionally trying to do that... What I am saying is that there are multiple layers of security built in to the way the internet works in 2013. There are at least 3 levels of checks that stop websites from running code directly on your computer... And these checks are maintained by non-goko companies. In other words, even if goko was no more secure than a cardboard box, my browser, google chrome, itself prevents all websites from accessing any data or running code outside of the tab the site is in without my permission. They can't even access info from other tabs in chrome, let alone delete files off my hard drive or install a program.

3. Security and bug-fixing is very much like an immune system. You get the flu, body develops a response, then you're immune to that strain. Kids are sick all the time, developing immunity that serves them for the rest of their life.

Programming is the same way. New software is buggy, someone gripes about a bug, programmers fix it, never an issue again. Hell, StarCraft 2 Heart of the Swarm came out yesterday, and there was a patch for it today... And that's with one of the best game companies in the business. Even Blizzard couldn't catch everything before release day.

What goko can be criticized for is that they let the public (beta testers) see things too early. They launched with too many bugs. This was a marketing mistake.

But they have been fixing them. You can't buy platinum on turn 1. The "immune system" is working.

4. My sense is that this isn't really about specific security questions, but rather a much more esoteric issue... Reputation. For you, goko's reputation took a hit last summer. They've made a lot of fixes to their system, but you are unwilling to forgive them or even give them a fresh look as if you first heard about them today. I'm not saying you don't have your reasons or aren't justified, I just think you should at least recognize this thread for what it really is... "I'm WW, I don't trust goko (and you can't make me)"

No, we can't. All I can request is that you be fair. Last July 4, the company responsible for the San Diego firework show had a bug that simultaneously shot off all their $500,000 worth of fireworks in 20 seconds. You can YouTube the event. They investigated the cause and gave a detailed report about the problem. Now this year cities have two choices: they can use this company and assume that they worked the glitch out and their show is more robust for it... Or they can hire another company, because, you know, company b has never had a glitch, and company a had a big one.

My question is: Is it fair to boycott company a after they acknowledged and fixed their glitch?

Anyway, hope this helps.

All the best....
David
Title: Re: Convince me that Goko is a good site, security-wise
Post by: cactus on March 14, 2013, 04:24:19 am
Fantastic post Doughnut. +1 does not seem enough.
Title: Re: Convince me that Goko is a good site, security-wise
Post by: DStu on March 14, 2013, 04:32:37 am
What goko can be criticized for is that they let the public (beta testers) see things too early. They launched with too many bugs. This was a marketing mistake.
You mean like at the morning of release day?
Title: Re: Convince me that Goko is a good site, security-wise
Post by: Kirian on March 14, 2013, 07:34:29 am
What goko can be criticized for is that they let the public (beta testers) see things too early. They launched with too many bugs. This was a marketing mistake.
You mean like at the morning of release day?

Hell, StarCraft 2 Heart of the Swarm came out yesterday, and there was a patch for it today... And that's with one of the best game companies in the business. Even Blizzard couldn't catch everything before release day.
Title: Re: Convince me that Goko is a good site, security-wise
Post by: DStu on March 14, 2013, 08:23:59 am
I don't want to get into hate-goko-mode again, but what they delivered on launch day was not some bugs, that was some demonstration of complete unawareness of any security concern, and was reason enough to shatter any belief in a safe product from their side.
Of course you can say they fixed it so it's probably fine, and nobody has proven the opposite, and of course it's impossible to prove that there are no bugs anymore, so it's unreasonable to expect such a proof.  It's even unreasonable to expect there are no bugs anymore.
But, given the history, I think that it is reasonable to just not trust in the security and demand some strong evidence on the contrary to gain trust again, no matter how unlikely the existence of such an evidence is.

And this is how I understand WW's request here, and that's also more or less my stance on this topic.

The best I have heard on this topic is something like 'we have someone to review our code and are paying more attention while developing', which is not even 'we have hired $CompanyA to review our code and implemented policies $X, $Y and $Z', which would be a lot more concrete.  Of course one could say usually companies don't publish these kind of things, but then again, companies usually also don't knowingly release a product with JS-injection in the chat.
Title: Re: Convince me that Goko is a good site, security-wise
Post by: werothegreat on March 14, 2013, 08:43:08 am
Well, you *can* buy a Platinum turn 1 in the Adventures if you use enough zaps.
Title: Re: Convince me that Goko is a good site, security-wise
Post by: Polk5440 on March 14, 2013, 09:06:19 am
4. My sense is that this isn't really about specific security questions, but rather a much more esoteric issue... Reputation. For you, goko's reputation took a hit last summer. They've made a lot of fixes to their system, but you are unwilling to forgive them or even give them a fresh look as if you first heard about them today. I'm not saying you don't have your reasons or aren't justified, I just think you should at least recognize this thread for what it really is... "I'm WW, I don't trust goko (and you can't make me)"

No, we can't. All I can request is that you be fair. Last July 4, the company responsible for the San Diego firework show had a bug that simultaneously shot off all their $500,000 worth of fireworks in 20 seconds. You can YouTube the event. They investigated the cause and gave a detailed report about the problem. Now this year cities have two choices: they can use this company and assume that they worked the glitch out and their show is more robust for it... Or they can hire another company, because, you know, company b has never had a glitch, and company a had a big one.

My question is: Is it fair to boycott company a after they acknowledged and fixed their glitch?

I am so glad you mentioned reputation. It's such a big deal and I think you are right that there might be more of a reputation problem than a security problem. Customer perception matters. Because of it, companies who have built good reputations can weather a few storms (Google Buzz, anyone?) while new companies with no reputation can't, as easily.
Title: Re: Convince me that Goko is a good site, security-wise
Post by: gryph202 on March 14, 2013, 10:58:06 am
4. My sense is that this isn't really about specific security questions, but rather a much more esoteric issue... Reputation. For you, goko's reputation took a hit last summer. They've made a lot of fixes to their system, but you are unwilling to forgive them or even give them a fresh look as if you first heard about them today. I'm not saying you don't have your reasons or aren't justified, I just think you should at least recognize this thread for what it really is... "I'm WW, I don't trust goko (and you can't make me)"

No, we can't. All I can request is that you be fair. Last July 4, the company responsible for the San Diego firework show had a bug that simultaneously shot off all their $500,000 worth of fireworks in 20 seconds. You can YouTube the event. They investigated the cause and gave a detailed report about the problem. Now this year cities have two choices: they can use this company and assume that they worked the glitch out and their show is more robust for it... Or they can hire another company, because, you know, company b has never had a glitch, and company a had a big one.

My question is: Is it fair to boycott company a after they acknowledged and fixed their glitch?

I am so glad you mentioned reputation. It's such a big deal and I think you are right that there might be more of a reputation problem than a security problem. Customer perception matters. Because of it, companies who have built good reputations can weather a few storms (Google Buzz, anyone?) while new companies with no reputation can't, as easily.

I guess that's what it boils down to for me.  No matter how well Goko manages to get their act together, I will always have that memory of the grade-A disastrous initial roll out.  I love playing Dominion, but not enough to spend money on a product that was ever botched that badly.
Title: Re: Convince me that Goko is a good site, security-wise
Post by: rrenaud on March 14, 2013, 11:11:30 am
How about this.  Assume goko will get hacked.  You want to play dominion on it anyway.  What do you do?  Use a linux live CD.  If you are super paranoid, disconnect your hard drive (either physically, or via BIOS), and then boot into linux from the CD.  Use goko, get hacked.  All fine and good.  There is no way to persist any information on your machine.  Turn off your machine, reconnect the disk, reboot on your machine, and then laugh at all the poor infected suckers who didn't have your enlightened level of paranoia.
Title: Re: Convince me that Goko is a good site, security-wise
Post by: Kirian on March 14, 2013, 11:16:14 am
How about this.  Assume goko will get hacked.  You want to play dominion on it anyway.  What do you do?  Use a linux live CD.  If you are super paranoid, disconnect your hard drive (either physically, or via BIOS), and then boot into linux from the CD.  Use goko, get hacked.  All fine and good.  There is no way to persist any information on your machine.  Turn off your machine, reconnect the disk, reboot on your machine, and then laugh at all the poor infected suckers who didn't have your enlightened level of paranoia.

I play Goko on a hand-written browser using a Difference Engine.  No way for that to get a virus.

You may experience some lag while playing me.
Title: Re: Convince me that Goko is a good site, security-wise
Post by: Hertz_Doughnut on March 14, 2013, 12:20:32 pm
I don't want to get into hate-goko-mode again, but what they delivered on launch day was not some bugs, that was some demonstration of complete unawareness of any security concern, and was reason enough to shatter any belief in a safe product from their side.
Of course you can say they fixed it so it's probably fine, and nobody has proven the opposite, and of course it's impossible to prove that there are no bugs anymore, so it's unreasonable to expect such a proof.  It's even unreasonable to expect there are no bugs anymore.
But, given the history, I think that it is reasonable to just not trust in the security and demand some strong evidence on the contrary to gain trust again, no matter how unlikely the existence of such an evidence is.

And this is how I understand WW's request here, and that's also more or less my stance on this topic.

The best I have heard on this topic is something like 'we have someone to review our code and are paying more attention while developing', which is not even 'we have hired $CompanyA to review our code and implemented policies $X,$Y and $Z' which would be a lot more concrete.  Of course one could say usually companies don't publish these kinds of things, but there again, companies usually also don't knowingly release a product with JS-injection in the chat.

Very fair points.  Question 1 is, of course, have they fixed the JS-injection issue?  (Or are they working on it?)  I honestly don't know... I'm not following the nuances of goko-development that closely.  My goko issue is that on my 10" tablet, their site is (at most) 2.5".  It is literally unplayable, as my finger cannot select the right card... and there's no option to zoom in or go full-screen.  [And yes, it is strange to me that goko won the rights to make computer-Dominion because they promoted themselves as having the solution for tablets, phones, and all devices... and yet, as of today, it is much easier to play on iso with my tablet than goko... even though it's a pain to play on iso... so lately I've been just playing Androminion against the AI, which is 0/10 against me. :) ]

Maybe because I'm a video-game hobbyist (http://silicontornado.com/AlphaBlast/), I looked at the launch differently.  When I first joined the goko beta, I was impressed with how much it could do.  It's important to keep that in mind, because Dominion is a very complex game.  200+ unique cards... blue-dog scenarios (http://boardgamegeek.com/article/7743728#7743728)... as a programmer, that would not be a fun assignment.  Making online Monopoly, for example, would be about 1000 times easier.  Sitting here at my computer I can wrap my mind around Monopoly... what the basic classes would look like, the database of properties, etc.  But when I think about Dominion, my brain quickly throws an out-of-RAM exception message.  I mean, even Bridge and Highway... which have basically the same effect, have to be programmed independently, because, you know, you can't King's Court the highway for -3.  And King's Court doesn't play like Throne Room (because King's Court may be used, and Throne Room must).  And then we have Possession... and KC'ed Possession...  Monopoly doesn't have anything like that, because the cards barely interact with one another.  Monopoly sounds like a high school Intro to Computers assignment compared to Dominion.

So yes, I was impressed that goko wrote all that crazy code and the game basically worked in beta.  (Also impressed with DougZ and the Androminion team. Kudos to all...)

I presume that the managers at goko were also similarly impressed that their coders tackled all this complexity, and in their giddiness, they wanted to show the world... "Look!  We've got something!"  Also bear in mind the public relations pressures they must have felt prior to beta... namely that our community knew that Rio Grande had made a deal with someone to make an official computer version, and yet we knew next-to-nothing about that company or that version.  Thus to "prove" to us that they didn't screw up Dominion for its fans, they invited us into the beta to show us that the game basically worked.  And then there was the PR pressure to release with Dark Ages (by far the most complex set to date) at the same time as print Dark Ages... and at the gaming convention.  And come on... we were all dying to see Dark Ages... and play it against the world's top players (the iso community).

Yes, they rushed it.  By rushing it, they didn't do due diligence on their server load capabilities or their JS-injection vulnerabilities.  But I think it is understandable why they did so.  There were lots of real-world pressures to show the community something cool... there was lots of crazy code to write for Dark Ages cards (which already had their programmers working double-shifts)... and they didn't have the resources to test every possible security angle (which even a major company like Heartland Payment Systems failed to do in 2009 (http://voices.washingtonpost.com/securityfix/2009/01/payment_processor_breach_may_b.html?hpid=topnews)).  They figured that they could iron out the bugs down the road... that users would understand.  I mean Starcraft 2 players understand that Blizzard is going to patch their game about once a month... and this is for their own good.

[Side-note... maybe the patching process is hurting goko's reputation?  I mean... when you update a stand-alone game like Starcraft, you get a log of the patch's fixes so you would see something like "JS-injections via chat fixed in version 1.2.1".  Maybe that's the kind of concrete "implemented policies $X,$Y and $Z" that you're looking for?  Websites don't (usually) have version logs, so you can't easily see if goko fixed something like that.  When their PR guy comes on our forum and says "yeah we fixed that" maybe it doesn't seem as official as a patch log?]

It is unfortunate that so many companies are moving toward a release-early patch-in-production mentality (Skyrim on the PS3 anyone?).  And a company's reputation is impacted by that. (http://www.amazon.com/Elder-Scrolls-V-Skyrim-Playstation-3/product-reviews/B004HYK8Y8/ref=cm_cr_pr_hist_1?ie=UTF8&filterBy=addOneStar&showViewpoints=0)  Personally, I prefer to be a mid-to-late adopter, because I deal with computer bugs all day at work and when I'm at home I prefer not to QA someone else's product.  So I didn't get Skyrim until a year after it was released, for half the price, loved the game immensely, and had none of the frustration over my PS3 crashing.  I completely respect you or WW waiting to be a late-adopter.... especially if you're still having fun at iso.  Let other people jump in and deal with the bugs and frustration first, I get that.

What I don't get is boycotting goko forever and ever... and refusing to give them a second chance after they've fixed the specific issues.  If I had done that with Skyrim, I would have missed out on one of my all-time favorite games.


From one goko-hesitant to another...
David
Title: Re: Convince me that Goko is a good site, security-wise
Post by: Watno on March 14, 2013, 12:27:25 pm
I agree with the above.
Goko failed the initial release, no doubt about that. You can go and punish them for that by not playing there now. But then you're also punishing yourself. Is that worth it? I don't think so.
Title: Re: Convince me that Goko is a good site, security-wise
Post by: DStu on March 14, 2013, 12:35:13 pm
Very fair points.  Question 1 is, of course, have they fixed the JS-injection issue?
I'm quite sure they have done it already in August, that was a very severe bug where you could basically do everything JS can to everyone connected to the game, the game wouldn't be playable for one second now if they hadn't.

Quote
and they didn't have the resources to test every possible security angle
The problem was that it wasn't some obscure attack vector, it was writing '<script>document.write("")</script>' in the chat.

Quote
But then you're also punishing yourself. Is that worth it? I don't think so.
I usually feel quite happy punishing companies for behaviour I don't want to support...
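The chat hole DStu describes above is the classic case of user text being rendered as markup. As an added illustration (not Goko's code, and not posted by anyone in this thread), here is a toy chat-line renderer in both forms: the unsafe string concatenation that lets a pasted script element reach every connected client, and the hardened version that HTML-escapes the user-controlled fields first. The function names, the `escapeHtml` helper and the constructed sample message are all assumptions made for the example.

```javascript
// Added example (not Goko's code): escape chat input before rendering it,
// which is the "sanitize your inputs" fix the thread refers to.

// Characters that have meaning in HTML text and attribute contexts.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Replace every HTML-significant character with its entity so the browser
// parses the result as literal text, never as markup.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable rendering: the raw message is concatenated into markup, so a
// message containing a <script> element becomes a real element for every
// client that displays the chat. This is the behaviour DStu describes.
function renderChatLineUnsafe(user, message) {
  return `<div class="chat"><b>${user}</b>: ${message}</div>`;
}

// Hardened rendering: both user-controlled fields are escaped, so the same
// message is shown verbatim as text and executes nothing.
function renderChatLineSafe(user, message) {
  return `<div class="chat"><b>${escapeHtml(user)}</b>: ${escapeHtml(message)}</div>`;
}

// Simple check for the demonstration: does the rendered markup contain any
// tag the template itself did not emit? Only div and b are expected.
function containsForeignTag(html) {
  const allowed = new Set(['div', '/div', 'b', '/b']);
  const tags = [...html.matchAll(/<\s*([a-zA-Z/][^\s>]*)/g)]
    .map((m) => m[1].toLowerCase());
  return tags.some((t) => !allowed.has(t));
}

// Constructed sample message, the shape of input the thread mentions.
const SAMPLE_MESSAGE = '<script>document.write("")</script>';

// Convenience wrapper returning both renderings for the same input.
function demo(user = 'alice', message = SAMPLE_MESSAGE) {
  return {
    unsafe: renderChatLineUnsafe(user, message),
    safe: renderChatLineSafe(user, message),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  const { unsafe, safe } = demo();
  console.log('unsafe:', unsafe, '-> foreign tag:', containsForeignTag(unsafe));
  console.log('safe:  ', safe, '-> foreign tag:', containsForeignTag(safe));
}
```

In a real browser client the cleaner fix is to avoid building markup from strings at all and assign the message to a text node (`element.textContent = message`), or to use a templating layer that escapes by default; the string version above is used only so the two renderings can be compared outside a browser.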
Title: Re: Convince me that Goko is a good site, security-wise
Post by: Watno on March 14, 2013, 12:45:54 pm
I usually feel more happy playing Dominion, not saying this is true for everyone though. I just wanted to point out what the alternatives are.
Title: Re: Convince me that Goko is a good site, security-wise
Post by: WanderingWinder on March 14, 2013, 02:20:06 pm
WW... I'm not on goko and not prejudiced in their favor, but I maintain an insurance company's website for a living.  Couple observations...
First of all, thanks for the thoughtful post.

Quote
1. It's not a fair question to ask if everything is "good security-wise". That's like asking your doctor if you're 100% healthy. What doctor can test you for every single possible disease and abnormality? What doctor is a specialist on every organ of the body? Especially if you don't have symptoms.

You can ask a doctor if this skin spot is cancer, or what it means to have a fever and chills... I.e. specific questions. And so too with goko... you can ask if credit card info is saved on their site, if it's encrypted, if players can hack to see their opponents' hands, if you can trick the game into buying platinums on turn 1, etc. Those are questions that can be answered. So I would encourage you to write out every specific thing you can think of that you are concerned about, so we/goko can go through them 1 by 1.
First, I maintain that it is fair; the big thing here is that I'm not asking them to be *perfect*, just reasonably good. I obviously don't expect perfection, which itself would also be "fair" to ask, though unfair to expect, as it isn't going to happen.

If you want to continue with the doctor analogy, I am not looking for the doctor to be able to stop me from ever getting sick at all. But I would like physicals - which I don't get the impression are happening here.

Quote
2. It sounded like you were concerned that somehow a hacker was going to punch through goko and take over your computer. This, frankly, is totally unrealistic in today's internet. You are vastly undermining the armies of security professionals who work for (a) internet servers (b) web browsers and (c) operating systems. (Not to mention firewalls and anti-virus companies.) All 3 are continually being patched/updated to deal with threats that came out last week.

I'm not saying it's impossible to have your computer taken over... That is possible if you go to a site that is intentionally trying to do that... What I am saying is that there are multiple layers of security built in to the way the internet works in 2013. There are at least 3 levels of checks that stop websites from running code directly on your computer... And these checks are maintained by non-goko companies. In other words, even if goko was no more secure than a cardboard box, my browser, google chrome, itself prevents all websites from accessing any data or running code outside of the tab the site is in without my permission. They can't even access info from other tabs in chrome, let alone delete files off my hard drive or install a program.
I am not sure exactly what you mean by 'take over'. On the other hand, stuff is able to go on, surely, with all the stories that are out there, even which we've been hearing about this very week. But the bigger point is that people were successfully able to run code on other people's machines off of goko last fall (sanitize your inputs!). It actually happened. And while nobody actually did anything particularly pernicious with that, and that particular hole is fixed now, it's mostly their response that shows a lack of concern and care that has me worried.

Quote
3. Security and bug-fixing is very much like an immune system. You get the flu, body develops a response, then you're immune to that strain. Kids are sick all the time, developing immunity that serve them for the rest of their life.

Programming is the same way. New software is buggy, someone gripes about a bug, programmers fix it, never an issue again. Hell, StarCraft 2 Heart of the Swarm came out yesterday, and there was a patch for it today... And that's with one of the best game companies in the business. Even Blizzard couldn't catch everything before release day.

What goko can be criticized for is that they let the public (beta testers) see things too early. They launched with too many bugs. This was a marketing mistake.

But they have been fixing them. You can't buy platinum on turn 1. The "immune system" is working.

I could care less about bugs, generally. Bugs will happen, they get fixed, I'm pretty satisfied with them there.

Quote
4. My sense is that this isn't really about specific security questions, but rather a much more esoteric issue... Reputation. For you, goko's reputation took a hit last summer. They've made a lot of fixes to their system, but you are unwilling to forgive them or even give them a fresh look as if you first heard about them today. I'm not saying you don't have your reasons or aren't justified, I just think you should at least recognize this thread for what it really is... "I'm WW, I don't trust goko (and you can't make me)"
That isn't what the thread is, because of what you put in parentheses. I don't get how this is about forgiveness - they didn't do anything purposefully wrong. If you get a locksmith to do the lock on your house, and it turns out you can pick it with a paperclip in 5 minutes, he doesn't need to be forgiven (it's not that he's undeserving, it's that he hasn't transgressed), but at the same time, even if he makes it un-paper-clip-pickable, you are going to lose confidence in his locksmithing abilities. Now, you can get them back, if he does something to show you signs of improvement - a course he completes, or some test he passes, some kind of check.

Quote
No, we can't. All I can request is that you be fair. Last July 4, the company responsible for the San Diego firework show had a bug that simultaneously shot off all their $500,000 worth of fireworks in 20 seconds. You can YouTube the event. They investigated the cause and gave a detailed report about the problem. Now this year cities have two choices: they can use this company and assume that they worked the glitch out and their show is more robust for it... Or they can hire another company, because, you know, company b has never had a glitch, and company a had a big one.

My question is: Is it fair to boycott company a after they acknowledged and fixed their glitch?

I mean, fixing the glitch is one thing, and that is good and fine. But when they say it wasn't a big deal, and the way we know they're good in this area, where they have admitted deficiencies in the past, is that they say so? Are you trying to suggest that we should pick the same firework company again if they say "it wasn't a serious problem" and "We're fireworks experts, and you can take our word for that." I mean, I am willing to believe that they believe that, but I'm a little in doubt as to whether they know what being experts means.

For the record - and not that it matters really - I actually like what I have seen with their implementation pretty well. There are some bugs, sure, but they get worked out; their implementation is perfectly reasonable - particularly when they get the last few rule things worked out, which I'm confident they will; their pricing is better than reasonable; they seem perfectly friendly; they seem to be interested. Really, this is the only issue of note.
Title: Re: Convince me that Goko is a good site, security-wise
Post by: WanderingWinder on March 14, 2013, 02:22:09 pm
I don't want to get into hate-goko-mode again, but what they delivered on launch day was not some bugs, that was some demonstration of complete unawareness of any security concern, and was reason enough to shatter any belief in a safe product from their side.
Of course you can say they fixed it so it's probably fine, and nobody has proven the opposite, and of course it's impossible to prove that there are no bugs anymore, so it's unreasonable to expect such a proof.  It's even unreasonable to expect there are no bugs anymore.
But, given the history, I think that it is reasonable to just not trust in the security and demand some strong evidence on the contrary to gain trust again, no matter how unlikely the existence of such an evidence is.

And this is how I understand WW's request here, and that's also more or less my stance on this topic.

The best I have heard on this topic is something like 'we have someone to review our code and are paying more attention while developing', which is not even 'we have hired $CompanyA to review our code and implemented policies $X,$Y and $Z' which would be a lot more concrete.  Of course one could say usually companies don't publish these kinds of things, but there again, companies usually also don't knowingly release a product with JS-injection in the chat.
I would actually just be fine with 'we hired CompanyA to review security on our code, they looked at it and it is fine' (assuming I can find anything about CompanyA, which shouldn't be a problem).
Title: Re: Convince me that Goko is a good site, security-wise
Post by: WanderingWinder on March 14, 2013, 02:23:31 pm
How about this.  Assume goko will get hacked.  You want to play dominion on it anyway.  What do you do?  Use a linux live CD.  If you are super paranoid, disconnect your hard drive (either physically, or via BIOS), and then boot into linux from the CD.  Use goko, get hacked.  All fine and good.  There is no way to persist any information on your machine.  Turn off your machine, reconnect the disk, reboot on your machine, and then laugh at all the poor infected suckers who didn't have your enlightened level of paranoia.
Thanks for the suggestion. And this would be fine, except that it's too much hassle.
I'm sure there are ways I could feel safe enough, but the hassle (and cost) of doing them isn't worth the enjoyment for me. It's a hobby, but not THAT great of one.
Title: Re: Convince me that Goko is a good site, security-wise
Post by: WanderingWinder on March 14, 2013, 02:27:29 pm
Quote
But then you're also punishing yourself. Is that worth it? I don't think so.
I usually feel quite happy punishing companies for behaviour I don't want to support...
Is it worth it? Absolutely - I don't need to have this hobby near as much as I need security.
Having said that, I'm not intending to punish them at all - I am merely looking out for myself. Is it punishing Kraft that I don't buy their cheese because I can't stand cheese, and ergo have insufficient interest in their product to be worth my money? If you have such a broad definition, then sure, I am punishing them, but at that point, the word also loses a huge part of its meaning.
Title: Re: Convince me that Goko is a good site, security-wise
Post by: LastFootnote on March 14, 2013, 02:36:23 pm
WW, have you contacted Goko and asked if they hired Security Firm A to look at their code? You've told me multiple times now that if I have no additional information, there's no need for me to post, but then why the hell did you start this thread in the first place? If it's Goko you want info about, ask Goko.
Title: Re: Convince me that Goko is a good site, security-wise
Post by: WanderingWinder on March 14, 2013, 02:40:37 pm
WW, have you contacted Goko and asked if they hired Security Firm A to look at their code? You've told me multiple times now that if I have no additional information, there's no need for me to post, but then why the hell did you start this thread in the first place? If it's Goko you want info about, ask Goko.
Oh, gee, that hadn't occurred to me...
Title: Re: Convince me that Goko is a good site, security-wise
Post by: D Bo on March 14, 2013, 02:54:58 pm
Quote
But then you're also punishing yourself. Is that worth it? I don't think so.
I usually feel quite happy punishing companies for behaviour I don't want to support...
Is it worth it? Absolutely - I don't need to have this hobby near as much as I need security.
Having said that, I'm not intending to punish them at all - I am merely looking out for myself. Is it punishing Kraft that I don't buy their cheese because I can't stand cheese, and ergo have insufficient interest in their product to be worth my money? If you have such a broad definition, then sure, I am punishing them, but at that point, the word also loses a huge part of its meaning.


YOU DON'T LIKE CHEESE?!
Title: Re: Convince me that Goko is a good site, security-wise
Post by: LastFootnote on March 14, 2013, 03:04:56 pm
WW, have you contacted Goko and asked if they hired Security Firm A to look at their code? You've told me multiple times now that if I have no additional information, there's no need for me to post, but then why the hell did you start this thread in the first place? If it's Goko you want info about, ask Goko.
Oh, gee, that hadn't occurred to me...

I legitimately can't tell if you're being sarcastic here. I…think you are? Maybe?

For what it's worth, I don't like cheese either.
Title: Re: Convince me that Goko is a good site, security-wise
Post by: Beyond Awesome on March 14, 2013, 03:08:07 pm
I can't eat cheese. I'm allergic.

Anyway, Goko did state they hired an outside firm. They mentioned this in one of their Q&As. You can always email Goko and ask what exact firm it was and what tests they did, and the reason you are asking is to put your mind at ease as a potential paying customer. Their email is support@goko.com. At least, I am pretty sure that is their email.
Title: Re: Convince me that Goko is a good site, security-wise
Post by: WanderingWinder on March 14, 2013, 03:09:17 pm
Anyway, Goko did state they hired an outside firm. They mentioned this in one of their Q&As.
When was this?
Title: Re: Convince me that Goko is a good site, security-wise
Post by: Watno on March 14, 2013, 03:10:08 pm
I don't like cheese either.
Anyway, I wasn't really addressing you with that comment, WW.
Title: Re: Convince me that Goko is a good site, security-wise
Post by: Watno on March 14, 2013, 03:13:19 pm
http://forum.dominionstrategy.com/index.php?topic=6707.0
There it was said that they would have periodic reviews, which is kinda vague.
Title: Re: Convince me that Goko is a good site, security-wise
Post by: LastFootnote on March 14, 2013, 03:15:15 pm
Anyway, Goko did state they hired an outside firm. They mentioned this in one of their Q&As.
When was this?

We also hired a security consultant who evaluated the site and attempted to break our security. We’ve made changes he recommended and will update you once he’s completely done with his analysis.
Title: Re: Convince me that Goko is a good site, security-wise
Post by: GendoIkari on March 14, 2013, 03:16:42 pm
How about this.  Assume goko will get hacked.  You want to play dominion on it anyway.  What do you do?  Use a linux live CD.  If you are super paranoid, disconnect your hard drive (either physically, or via BIOS), and then boot into linux from the CD.  Use goko, get hacked.  All fine and good.  There is no way to persist any information on your machine.  Turn off your machine, reconnect the disk, reboot on your machine, and then laugh at all the poor infected suckers who didn't have your enlightened level of paranoia.

A bad enough virus can do actual damage to your other hardware like the processor.
Title: Re: Convince me that Goko is a good site, security-wise
Post by: WanderingWinder on March 14, 2013, 03:18:28 pm
Anyway, Goko did state they hired an outside firm. They mentioned this in one of their Q&As.
When was this?

We also hired a security consultant who evaluated the site and attempted to break our security. We’ve made changes he recommended and will update you once he’s completely done with his analysis.
Thank you. This is the exact kind of thing I was hoping to find from the thread!

Now, did they ever update us on that, as she says they plan on doing here? If so, then I'm good.
Title: Re: Convince me that Goko is a good site, security-wise
Post by: Tdog on March 14, 2013, 03:21:18 pm

Goko Dominion: Connectivity, Security, and Platforms
Can you provide us some assurance that you are staying ahead of new security concerns? For instance, do you have a third party doing periodic checks on things?
JQS: We believe we’re up to speed and respond to anything that looks like a security issue quickly. So far we’re doing well. As mentioned in the thread, we don’t touch anything to do with credit cards or payment systems (most web sites don’t). We will have periodic reviews but that doesn’t really mean nothing will happen in the future... even large entities like Yahoo/Google/Microsoft despite their large dedicated security teams still have to address problems when they arise.
Title: Re: Convince me that Goko is a good site, security-wise
Post by: theory on March 14, 2013, 03:30:43 pm
How about this.  Assume goko will get hacked.  You want to play dominion on it anyway.  What do you do?  Use a linux live CD.  If you are super paranoid, disconnect your hard drive (either physically, or via BIOS), and then boot into linux from the CD.  Use goko, get hacked.  All fine and good.  There is no way to persist any information on your machine.  Turn off your machine, reconnect the disk, reboot on your machine, and then laugh at all the poor infected suckers who didn't have your enlightened level of paranoia.

A bad enough virus can do actual damage to your other hardware like the processor.

Realistically, if you worry about things like this, you probably don't use the Internet.
Title: Re: Convince me that Goko is a good site, security-wise
Post by: Ozle on March 14, 2013, 03:36:29 pm
How about this.  Assume goko will get hacked.  You want to play dominion on it anyway.  What do you do?  Use a linux live CD.  If you are super paranoid, disconnect your hard drive (either physically, or via BIOS), and then boot into linux from the CD.  Use goko, get hacked.  All fine and good.  There is no way to persist any information on your machine.  Turn off your machine, reconnect the disk, reboot on your machine, and then laugh at all the poor infected suckers who didn't have your enlightened level of paranoia.

A bad enough virus can do actual damage to your other hardware like the processor.

Realistically, if you worry about things like this, you probably don't use the Internet.


It makes me glad I don't use the Internet at all!
Title: Re: Convince me that Goko is a good site, security-wise
Post by: Watno on March 14, 2013, 03:37:32 pm
Anyway, Goko did state they hired an outside firm. They mentioned this in one of their Q&As.
When was this?

We also hired a security consultant who evaluated the site and attempted to break our security. We’ve made changes he recommended and will update you once he’s completely done with his analysis.
Thank you. This is the exact kind of thing I was hoping to find from the thread!

Now, did they ever update us on that, as she says they plan on doing here? If so, then I'm good.
I don't think so, at least Trisha didn't. Just send them an email or go to getsatisfaction and ask what happened to that.
Title: Re: Convince me that Goko is a good site, security-wise
Post by: LastFootnote on March 14, 2013, 03:50:57 pm
Anyway, Goko did state they hired an outside firm. They mentioned this in one of their Q&As.
When was this?

We also hired a security consultant who evaluated the site and attempted to break our security. We’ve made changes he recommended and will update you once he’s completely done with his analysis.
Thank you. This is the exact kind of thing I was hoping to find from the thread!

Now, did they ever update us on that, as she says they plan on doing here? If so, then I'm good.
I don't think so, at least Trisha didn't. Just send them an email or go to getsatisfaction and ask what happened to that.

Of these two options, I think I'd try email. They've been pretty slow to respond to GetSatisfaction posts since they lost Trisha.
Title: Re: Convince me that Goko is a good site, security-wise
Post by: gryph202 on March 14, 2013, 04:14:32 pm
I agree with the above.
Goko failed the initial release, no doubt about that. You can go and punish them for that by not playing there now. But then you're also punishing yourself. Is that worth it? I don't think so.

I'm punishing myself only if I'm doing something I don't want to do, or if I'm not doing something I really want to do.  Since I have no interest in playing on Goko (I have all extant expansions and the base set already to play tabletop), I am neither punishing them nor myself.  I am declining to spend money on an inferior product that won't run on two of the three computers that I own and attempted a gold release at least six months before it was anywhere near ready.  Goko doesn't need punishment.

I can just about guaran-damn-tee you they hurt themselves to this very day by their disastrous roll out.  Their numbers will never be as high as they could have been had they just waited six months.  They may be a viable, nay, successful company in the long-run, but some (including myself) will always have that sour taste left in our mouths.

And by the by, if Goko is such an upstanding company and they have their ducks all supposedly in a row, how come only three games have been released so far?  What about all those other wonderful properties they all tied up in the exclusive contracts?  There's hardly any indication of what they had planned on the site now.  Just three paltry (compared to the hype) games that they are STILL working on six months after that disastrous roll out.

You wanna play Dominion online badly enough to play at Goko?  Fine.  I won't judge you for it. But I don't plan on spending money there, so I hope I'm not judged too harshly for my misgivings, fair or unfair. 
Title: Re: Convince me that Goko is a good site, security-wise
Post by: Watno on March 14, 2013, 04:43:53 pm
I was talking to people who said they aren't playing at Goko now because it was bad at initial release. If you're not playing at Goko now because you think it's bad, I think that's reasonable, though I disagree about the fact that Goko is still bad.
Title: Re: Convince me that Goko is a good site, security-wise
Post by: Dargone on March 15, 2013, 12:34:50 pm
How about this.  Assume goko will get hacked.  You want to play dominion on it anyway.  What do you do?  Use a linux live CD.  If you are super paranoid, disconnect your hard drive (either physically, or via BIOS), and then boot into linux from the CD.  Use goko, get hacked.  All fine and good.  There is no way to persist any information on your machine.  Turn off your machine, reconnect the disk, reboot on your machine, and then laugh at all the poor infected suckers who didn't have your enlightened level of paranoia.

A bad enough virus can do actual damage to your other hardware like the processor.

Realistically, if you worry about things like this, you probably don't use the Internet.


/thread
Title: Re: Convince me that Goko is a good site, security-wise
Post by: shMerker on March 15, 2013, 03:44:51 pm
Quote
But then you're also punishing yourself. Is that worth it? I don't think so.
I usually feel quite happy punishing companies for behaviour I don't want to support...
Is it worth it? Absolutely - I don't need to have this hobby near as much as I need security.
Having said that, I'm not intending to punish them at all - I am merely looking out for myself. Is it punishing Kraft that I don't buy their cheese because I can't stand cheese, and ergo have insufficient interest in their product to be worth my money? If you have such a broad definition, then sure, I am punishing them, but at that point, the word also loses a huge part of its meaning.


YOU DON'T LIKE CHEESE?!
The stuff Kraft makes is not cheese.
Title: Re: Convince me that Goko is a good site, security-wise
Post by: clb on March 15, 2013, 04:33:41 pm
Quote
But then you're also punishing yourself. Is that worth it? I don't think so.
I usually feel quite happy punishing companies for behaviour I don't want to support...
Is it worth it? Absolutely - I don't need to have this hobby near as much as I need security.
Having said that, I'm not intending to punish them at all - I am merely looking out for myself. Is it punishing Kraft that I don't buy their cheese because I can't stand cheese, and ergo have insufficient interest in their product to be worth my money? If you have such a broad definition, then sure, I am punishing them, but at that point, the word also loses a huge part of its meaning.


YOU DON'T LIKE CHEESE?!
The stuff Kraft makes is not cheese.
I believe they label the non-cheese stuff as "cheese product" and, unfortunately (appropriately? ironically?), it is all too often preceded with "American".
Title: Re: Convince me that Goko is a good site, security-wise
Post by: Kirian on March 15, 2013, 05:21:40 pm
Quote
But then you're also punishing yourself. Is that worth it? I don't think so.
I usually feel quite happy punishing companies for behaviour I don't want to support...
Is it worth it? Absolutely - I don't need to have this hobby near as much as I need security.
Having said that, I'm not intending to punish them at all - I am merely looking out for myself. Is it punishing Kraft that I don't buy their cheese because I can't stand cheese, and ergo have insufficient interest in their product to be worth my money? If you have such a broad definition, then sure, I am punishing them, but at that point, the word also loses a huge part of its meaning.


YOU DON'T LIKE CHEESE?!
The stuff Kraft makes is not cheese.
I believe they label the non-cheese stuff as "cheese product" and, unfortunately (appropriately? ironically?), it is all too often preceded with "American".

Certainly Kraft makes both cheese and cheese-like non-cheese substances.  The thing is, if you actually like cheese, Kraft is really the bottom rung.  Start with Tillamook and then go up.
Title: Re: Convince me that Goko is a good site, security-wise
Post by: SirPeebles on March 15, 2013, 05:28:03 pm
As someone who considers cheese to be an immoral and exploitative product, I really don't see a moral difference between what Kraft sells and what others are offering.
Title: Re: Convince me that Goko is a good site, security-wise
Post by: Dsell on March 15, 2013, 05:29:57 pm
Quote
But then you're also punishing yourself. Is that worth it? I don't think so.
I usually feel quite happy punishing companies for behaviour I don't want to support...
Is it worth it? Absolutely - I don't need to have this hobby near as much as I need security.
Having said that, I'm not intending to punish them at all - I am merely looking out for myself. Is it punishing Kraft that I don't buy their cheese because I can't stand cheese, and ergo have insufficient interest in their product to be worth my money? If you have such a broad definition, then sure, I am punishing them, but at that point, the word also loses a huge part of its meaning.


YOU DON'T LIKE CHEESE?!
The stuff Kraft makes is not cheese.
I believe they label the non-cheese stuff as "cheese product" and, unfortunately (appropriately? ironically?), it is all too often preceded with "American".

Certainly Kraft makes both cheese and cheese-like non-cheese substances.  The thing is, if you actually like cheese, Kraft is really the bottom rung.  Start with Tillamook and then go up.

Tillamook is local for me! They make terrific ice cream too.



Thread successfully derailed. ;D
Title: Re: Convince me that Goko is a good site, security-wise
Post by: clb on March 15, 2013, 06:21:10 pm
As someone who considers cheese to be an immoral and exploitative product, I really don't see a moral difference between what Kraft sells and what others are offering.
If this is because of animal abuses, etc., then you may be pleased to know that they offer something that is made strictly from plant oils.
Quote from: Dsell
Tillamook is local for me! They make terrific ice cream too.
I toured their factory last summer - that was a very delicious part of our vacation!
Title: Re: Convince me that Goko is a good site, security-wise
Post by: SirPeebles on March 15, 2013, 06:28:02 pm
If this is because of animal abuses, etc., then you may be pleased to know that they offer something that is made strictly from plant oils.

Kraft?  What product is this?  It contains no casein?
Title: Re: Convince me that Goko is a good site, security-wise
Post by: werothegreat on March 15, 2013, 07:16:12 pm
Quote
But then you're also punishing yourself. Is that worth it? I don't think so.
I usually feel quite happy punishing companies for behaviour I don't want to support...
Is it worth it? Absolutely - I don't need to have this hobby near as much as I need security.
Having said that, I'm not intending to punish them at all - I am merely looking out for myself. Is it punishing Kraft that I don't buy their cheese because I can't stand cheese, and ergo have insufficient interest in their product to be worth my money? If you have such a broad definition, then sure, I am punishing them, but at that point, the word also loses a huge part of its meaning.


YOU DON'T LIKE CHEESE?!
The stuff Kraft makes is not cheese.
I believe they label the non-cheese stuff as "cheese product" and, unfortunately (appropriately? ironically?), it is all too often preceded with "American".

Certainly Kraft makes both cheese and cheese-like non-cheese substances.  The thing is, if you actually like cheese, Kraft is really the bottom rung.  Start with Tillamook and then go up.

This frustrates me sometimes.  See, there's real cheese, like Swiss, Cheddar, Provolone, what have you.  Then there's American cheese, which is made from cheese, but is called a "cheese product."  Then there's Kraft, which has no relation to cheese whatsoever and I'm guessing is actually made from colored plastic.
Title: Re: Convince me that Goko is a good site, security-wise
Post by: eHalcyon on March 16, 2013, 12:08:55 am
Quote
But then you're also punishing yourself. Is that worth it? I don't think so.
I usually feel quite happy punishing companies for behaviour I don't want to support...
Is it worth it? Absolutely - I don't need to have this hobby near as much as I need security.
Having said that, I'm not intending to punish them at all - I am merely looking out for myself. Is it punishing Kraft that I don't buy their cheese because I can't stand cheese, and ergo have insufficient interest in their product to be worth my money? If you have such a broad definition, then sure, I am punishing them, but at that point, the word also loses a huge part of its meaning.


YOU DON'T LIKE CHEESE?!
The stuff Kraft makes is not cheese.
I believe they label the non-cheese stuff as "cheese product" and, unfortunately (appropriately? ironically?), it is all too often preceded with "American".

Certainly Kraft makes both cheese and cheese-like non-cheese substances.  The thing is, if you actually like cheese, Kraft is really the bottom rung.  Start with Tillamook and then go up.

This frustrates me sometimes.  See, there's real cheese, like Swiss, Cheddar, Provolone, what have you.  Then there's American cheese, which is made from cheese, but is called a "cheese product."  Then there's Kraft, which has no relation to cheese whatsoever and I'm guessing is actually made from colored plastic.

How dare you besmirch the good name of Plastic!

;)
Title: Re: Convince me that Goko is a good site, security-wise
Post by: jqs on March 16, 2013, 09:10:15 pm
Hi everyone,

Arman and WW contacted me a few days ago after this thread popped up... sorry for the delay in responding, I've just been busy with the latest release.

I read through everything so I have some answers for things I didn't see answered yet:

1) play.goko.com/games/terms_of_services
     this page never existed on play.goko.com and the URL was a mistake... the correct page (always been there) is: www.goko.com/games/terms_of_service. Thanks to the people that pointed that out to us.

2) Tablet play is difficult on some devices:
     the iOS and Android versions are in development. I've played them. Should be better once these are out. That said, when we first demo'd Dominion at Origins a ways back it was running in a browser on an iPad and people didn't have too much trouble. They had UI suggestions about the "buy" buttons in particular but for the most part it was playable fine. Once we have the native apps out for iOS/Android I'm sure we'll get a lot of feedback and we'll start adjusting those to suit.

3) This is pretty true:

Quote
"Yes, they rushed it.  By rushing it, they didn't do due diligence on their server load capabilities or their JS-injection vulnerabilities.  But I think it is understandable why they did so.  There were lots of real-world pressures to show the community something cool... there was lots of crazy code to write for Dark Ages cards (which already had their programmers working double-shifts)... "

That said, we were running load tests... just the person at the time had designed them in such a way that they didn't expose the platform networking problem we had... and so when we opened the doors, that's what went kaboom. As I'm sure you're all aware, before we opened up to the general public again we not only fixed the problem but also went back and redesigned how we were doing the load tests and then fixed anything that got exposed by the redesigned tests as quickly as humanly possible. Those were some hard days.

4) Security

I addressed this one in another thread here on DS but just to make sure... we fixed everything that the security consultant found. We had him poking specifically at passwords, XSS, javascript injection, and the payment systems (again, we don't participate in the credit card/paypal/etc payment flow... most web sites that take payment don't... they use 3rd parties). He didn't find any major holes after we went through it ourselves and the issues that he did find were more about tightening up our policies around "Allow-Origin" for certain types of files, etc. I would call those more "preventative tweaks" rather than fixes for anything being exploited (which he wasn't able to do). As I said in other places, though, even the large companies like Apple/MS/Google/banks who have dedicated security teams have issues.

So.... all that said, after we opened up again I've seen threads or comments suggesting there's still some problem. In each case I've asked the person for specific information so we can verify. If there's something out there with security, we'll fix it immediately. So far, though, I think most people are just echoing the concern they had from the problem at launch (understandable) and aren't able to give us information about any currently existing problems. If you do know of any such problem then by all means email us at support@goko.com.

Thanks!
John Q.


Title: Re: Convince me that Goko is a good site, security-wise
Post by: Ozle on March 16, 2013, 09:11:26 pm
Hi everyone,

Arman and WW contacted me a few days ago after this thread popped up... sorry for the delay in responding, I've just been busy with the latest release.

I read through everything so I have some answers for things I didn't see get answered yet:

1) play.goko.com/games/terms_of_services
     this page never existed on play.goko.com and the URL was a mistake... the correct page (always been there) is: www.goko.com/games/terms_of_service. Thanks to the people that pointed that out to us.

2) Tablet play is difficult on some devices:
     the iOS and Android versions are in development. I've played them. Should be better once these are out. That said, when we first demo'd Dominion at Origins a ways back it was running in a browser on an iPad and people didn't have too much trouble. They had UI suggestions about the "buy" buttons in particular but for the most part it was playable fine. Once we have the native apps out for iOS/Android I'm sure we'll get a lot of feedback and we'll start adjusting those to suit.

3) This is pretty true:

Quote
"Yes, they rushed it.  By rushing it, they didn't do due diligence on their server load capabilities or their JS-injection vulnerabilities.  But I think it is understandable why they did so.  There were lots of real-world pressures to show the community something cool... there was lots of crazy code to write for Dark Ages cards (which already had their programmers working double-shifts)... "

That said, we were running load tests... just the person at the time had designed them in such a way that they didn't expose the platform networking problem we had... and so when we opened the doors, that's what went kaboom. As I'm sure you're all aware, before we opened up to the general public again we not only fixed the problem but also went back and redesigned how we were doing the load tests and then fixed anything that got exposed by the redesigned tests as quickly as humanly possible. Those were some hard days.

4) Security

I addressed this one in another thread here on DS but just to make sure... we fixed everything that the security consultant found. We had him poking specifically at passwords, XSS, javascript injection, and the payment systems (again, we don't participate in the credit card/paypal/etc payment flow... most web sites that take payment don't... they use 3rd parties). He didn't find any major holes after we went through it ourselves and the issues that he did find were more about tightening up our policies around "Allow-Origin" for certain types of files, etc. I would call those more "preventative tweaks" rather than fixes for anything being exploited (which he wasn't able to do). As I said in other places, though, even the large companies like Apple/MS/Google/banks who have dedicated security teams have issues.

So.... all that said, after we opened up again I've seen threads or comments suggesting there's still some problem. In each case I've asked the person for specific information so we can verify. If there's something out there with security, we'll fix it immediately. So far, though, I think most people are just echoing the concern they had from the problem at launch (understandable) and aren't able to give us information about any currently existing problems. If you do know of any such problem then by all means email us at support@goko.com.

Thanks!
John Q.

Yes, this is all well and good, but what is your opinion on Kraft 'Cheese' Slices?
Title: Re: Convince me that Goko is a good site, security-wise
Post by: SirPeebles on March 16, 2013, 09:34:35 pm
Honestly, I was sort of expecting him to comment on the "cheese" debate, if only as a joke.  Maybe it's better not to joke in an official post about security though.
Title: Re: Convince me that Goko is a good site, security-wise
Post by: jqs on March 16, 2013, 11:51:11 pm
I was too busy out buying my Kraft Cheese Slices and forgot to address that part.

Yes, I have to agree that Kraft isn't my first choice...  a good Havarti or a Pecorino Romano, that's usually first in line. Even had "date and chevre" gelato one time... that was a lot better than I expected it to be.

So here I was just about to jump on the Kraft-singles-bashing bandwagon because of personal taste when I happened to run across this on Amazon:  http://www.amazon.com/Kraft-American-Cheese-Unit-Pack/product-reviews/B000Z7INM0/ref=cm_cr_pr_top_link_1?ie=UTF8&showViewpoints=0  ... thought it was going something along the lines of the comments in this one:  http://www.amazon.com/Hutzler-5717-571-Banana-Slicer/dp/B0047E0EII/ref=sr_1_1?ie=UTF8&qid=1363492131&sr=8-1&keywords=banana+slicer   ... but, lo and behold, apparently there is a very loyal following (albeit not for the slices, which I still will pass on).
Title: Re: Convince me that Goko is a good site, security-wise
Post by: jqs on March 16, 2013, 11:56:52 pm
Ok, now Kraft is starting to nudge toward "cool": http://gizmodo.com/5748769/kraft-has-a-400000-sq-foot-underground-cheese-cave
Title: Re: Convince me that Goko is a good site, security-wise
Post by: werothegreat on March 17, 2013, 12:28:46 am
Eurgh, Velveeta isn't even not-really-cheese - I'm sure even touching it probably gives you cancer.
Title: Re: Convince me that Goko is a good site, security-wise
Post by: Polk5440 on March 17, 2013, 02:52:21 pm
I like Velveeta! I have some of the pasteurized prepared cheese product in my fridge right now!
Title: Re: Convince me that Goko is a good site, security-wise
Post by: Robz888 on March 17, 2013, 03:05:02 pm

It's really good to hear that you guys did this. Makes me personally feel better about Goko. Thanks!
Title: Re: Convince me that Goko is a good site, security-wise
Post by: AdamH on March 19, 2013, 11:41:13 am
Is there a running list of the Top 50/100 or so and whether they've made the switch?  I mean, WW has a lot of sway in the Dominion world (like Stef, Marin, Geronimoo, theory, etc., just to name a few off the top of my head) as far as Dominion celebs go, so it may be nice to see which celebrities have endorsed Goko and which haven't.

Yeah I know I'm a little late to the party, but I thought I'd weigh in here. I make Dominion videos and I'm otherwise pretty amazing, so I figure that puts me in the top 100, yes? Right before I got Dark Ages IRL I cracked top 100 on the leaderboard (L35).

I switched to Goko once Iso went down. I don't play that much, only pre-arranged stuff with friends, etc. because the matchmaking is non-existent, but I'm sure I'll be on a lot more once that happens.
Title: Re: Convince me that Goko is a good site, security-wise
Post by: WanderingWinder on March 20, 2013, 06:45:36 pm
Quote
we fixed everything that the security consultant found

was all I ever wanted to hear!

I'm a little interested to hear that I contacted him, though, because this either means someone else did as me, or he's simply basing this off of a getsatisfaction post I made six days ago which hasn't been responded to (am putting something there now). Well, not a big deal either way.

Will be giving Goko another spin next time I have time for Dominion!
Title: Re: Convince me that Goko is a good site, security-wise
Post by: Watno on March 20, 2013, 07:03:36 pm
Dominion isn't dead!
Title: Re: Convince me that Goko is a good site, security-wise
Post by: jqs on March 20, 2013, 07:15:49 pm
Hi WW,

Yes, you contacted me by posting that thread on GetSatisfaction. :)  I decided to answer over here instead, since that one seemed to be more of a pointer to this one. I've been working fairly long hours on the reconnect code the last 5 days (it's multi-threaded on the server and you have to be painstaking to get these things right) so I haven't been posting on GetSatisfaction as much. I should be back to normal in a few days. :)

Thanks!
John Q.