I wanted to talk about exactly what you can expect to see coming in the next few days.

First, users who currently have accounts (our staff members) will be receiving instructions out-of-band on how to connect up. Basic access will be available after OpenID authentication -- including making posts, working on tickets, etc. -- however administrative functions will require a second, hardware authentication mechanism. A number of mechanisms will be supported out of the gate, but I bought keys for us all. :) The keys will only be necessary in order to perform administrative functions, such as banning accounts, deleting posts or sending modules to the servers. You will, however, be able to opt-in to using the key for everything.

This will be in the form of an invitation, in order to test the invitations functionality, although I'm going to ask that people not invite tons of people just yet. :)

The first big change is going to be in URL's. Existing URLs will continue to work, and will redirect to the new pages -- however, the application is going to function more like GMail or Hotmail, where the application is basically a single HTML page and some scripts. When it needs to update itself, it's going to update the HTML -- versus reloading from the server. As a result, it will be highly interactive. The blogs and wiki will be modules.

There will be a tagging facility, which will be site-wide. Anything you can see, you can tag. You'll be able to create an RSS, ATOM or ActivityStream feed based off of any tag or tags, in order to watch all site activity related to those tags. Similarly, there will be a global, threaded comment facility that includes a "vote up" feature. Many items on the site will have a rating from 1 to 5 stars, as well. The blog will be expanded to support Youtube/Netflix style video streams from Amazon S3, Microsoft Azure and Cloud1. There will be an interactive messaging system -- which will also be accessible via XMPP, a standard instant messaging protocol. There will be API access to many parts of the system.

I've worked up a module that lets me create access control lists on properties in Mongo, so that I can produce filtered objects based on an OpenSocial ID -- a group or user. By default, properties are excluded, and are Owner/Staff view only. That means the owner of the item, and our on-duty staff can see them, but nobody else can. On a privacy screen, you can explicitly grant access to particular properties to groups -- including the "All Users" group and the "Entire Internet" group. The only fields required to be visible (that cannot be hidden) are the random object ID assigned to your record, and the display name.

We don't currently support most of OpenSocial, and probably never will. While I'm basing what I'm doing off of OpenSocial to a point, the way we are functioning is enough different that I don't want to try to implement their standard. For example, user records are always owner and staff only, and so having an OpenSocial endpoint for the user object would be rather futile. We have characters, which are kind of like OpenID people -- but it's not at all clear to me that it would be appropriate for a character to interact with other OpenSocial sites. More importantly and fundamentally, I am using jQuery templates instead of OpenSocial's Java-derived templates, and so I can't support OpenSocial modules in our container. However, I'm providing activity stream support -- among others -- in a fairly compatible way, because it is clear that being able to subscribe to a given character's activity stream might be useful.

Incidentally, the design is also such that all official NPCs in our current project and all future projects will get their own page, with a wall, info, etc. In some cases, game staff may respond on their behalf even. You never know.

There will be more coming in the next few days. Some of the concepts are based on what Microsoft is doing with Windows 8, and it should be the case that our site works quite nicely on Windows 8 devices. Our game will still work on older versions of Windows (as will the site), and I will be testing the game on Ubuntu and BSD as well. I am leaning strongly towards dropping Windows XP based on current timelines and when I expeect to get the thing out the door, but we'll see how it happens.

The important thing is this:

Part of the new site -- fundamentally -- is to let us start setting up game content in a format that the engine can already understand, with a convenient editing facility. The NPCs will have pages because that enables us to edit them, to make certain information public, and to have them interact with players inside and outside the game. One of the things that I want to push for, fundamentally different from other MMOs up there, is the concept that player actions influence the world.

To put it in Dungeons and Dragons sorts of terms...

The Orc Army may be attacking Greyhawk. If the players step up to the challenge, and fight the horde back -- it shouldn't show up again in ten minutes. While I really do like Rift's zone events, and do want to do some of the things they're doing (Ultima did them too) in terms of ongoing semi-dynamic content, the big thing that I want to do is make sure the game itself isn't static. That doesn't mean that there can be no static quests -- it doesn't mean that at all. It doesn't mean there can be no static instances or overworld areas. What it means is that in general, I would like the story to move along, and for there to be new things for newly created characters to do, over time.

Particularly, I want to focus on the feel of a character "fitting in" to the world, and contributing. One of the biggest issues that I have with some of the new games that are coming out is that the developers are giving lip-service to story, but then still piling newbies into an overland zone, where all 8000 of them get to be the first person in a thousand years to forge some weapon. We can have an overland zone with 8000 newbies, too -- that part isn't the problem. The problem is that the zones aren't designed, the stories aren't designed, for the reality of the fact that there are many, many players swarming around the zone.

If there are 20 players standing around newbie land, it is perfectly acceptable to have an army charge them at the gate -- to have them have to work through. I would argue, in fact, that's the ideal scenario if you're wanting to foster membership in player associations, if you're wanting to encourage roleplaying. It's just like having the skill chains be unlocked via trials, versus being unlocked via just levelling and paying some trainer. It is a much more personalized experience, it is a much more entertaining experience.

For example, what I'd like to do with some of the quests is similar to what some of the old hero background systems did (Mekton, CyberPunk had mini-versions of what I'm talking about, Heroes of Tomorrow was a book just about as thick that only did backgrounds), where there are interchangeable quest modules that get shuffled in at various points, to help keep the scenarios fresh, to help keep them enjoyable, to boost replay. The company that did Heroes of Tomorrow had these game decks (forget the name) that had plot elements, and you dealt cards out to the players at the start, and they played them to contribute to the plot in various ways -- it was kind of a "help you along on writing an adventure" sort of a thing. I want to be more like that, because players are going to spend dozens of hours a week (per player) playing the game, and are going to go through various parts of the content more than once.

While I've said I'm against rewarding players randomly -- against the great loot lottery -- on multiple occasions, and that I don't like randomness in combat (my opinion is that combat should be predictable, you should never lose just due to the random number generating deciding to have a run of low rolls), I'm very much for this idea of randomness in repetetive elements of the game. Having your fireball sometimes hit for 100 points and sometimes hit for 700 points isn't particularly fun, particularly if it is just random. Going into a dungeon, and not knowing what critters are going to spawn, etc. -- that part can be random, and if its done right, will greatly increase enjoyment of the game overall.

Which is my primary goal -- to create an enjoyable game, a fun game. There is no competition -- I don't aspire to be as huge as World of Warcraft or Rift, I don't believe we'll take on those major games and win. But I believe if we're a fun game, if people want to play it, that we don't have to compete with those bigger games to do it. All we need to do is to be the best game that we can be, to do things in the best way that we can, and most importantly to understand the users of MMO's and other games and to focus on being what they want, how they want.

I think once you have that -- the players, they'll come.

I was looking at two fake e-mails today -- one from someone proporting to be Trion (Rift) who spelled World with two V's, and another pretending to be Blizzard. While the e-mail was caught, I saw a heuristic that is so simple -- that I can't believe it's not already implemented.

So there's this link, right? And it's an anchor element in the HTML version of the message. Now here's the check:

Does whatever is inside the anchor look like a URL?

See what they're doing is putting the real URL as the text in the anchor (http://battlebazaar.net), but then putting a different URL (http://battlebazaar.net.x=some-other-site.someother-tld.fake/string-o-garbage) in the HREF of the URL. This makes it so the URL that it shows in the e-mail is the real one, and when you click, that's what's displayed in the leftmost. Now, I've previously stated the web browsers should provide a separate box for the host, domain and path -- because doing so would greatly help with the phishing problem (because most people don't understand how the hostname or path work -- those are just magic values -- and so split them off so that the part they *do* generally understand is visible).

But what I'm going to say is this. There should never be a time, ever, where there's a URL pattern as text in a link and clicking that URL takes you anywhere other than what the text says. And so any message that ever has that pattern (an anchor element where the text is a URL pattern, http://whatever, www.whatever, etc.) and where the href doesn't match, should be deleted automatically. That simple step would go a long way (and splitting the address bar into three pieces -- host, domain and path as three separate bars -- would help even more).

If you're going to do electronic delivery of products, always use a valid reply address -- or verify the e-mail address before you ship.  Send a "click here to activate" link, send an account key, generate and send a one time password, w/e.

But if you're going to just blindly send, you might be sending to the wrong person.  If you send to the wrong person, they might not even speak the language that you speak.  Going to your website and struggling through a 20 part reply form written by your marketing department isn't a good experience, and you almost certainly want to know that you've delivered a password and a bunch of CD keys to the wrong person so that when your customer calls and says "WTF," you have an answer for them.

I filter tons of spam every day, but I still am going to maintain the support, parental guidance, etc. mailboxes at easily identifiable and easily contactable addresses.  I mean, it's just the right thing to do -- what spam gets by SpamAssassin and the other filters, we can deal with that.  So what there's an e-mail for viagra sitting in there.  If we keep just one, single, solitary customer because they can e-mail us, that's worth it. 

Been busy, haven't had the time to work on it, but we've had a couple more crashes and so this is moving up on the list a little.

Once you enter the ready room to start a mission, your equipment is more-or-less fixed.  You’ve made your selections for what is available for the mission.  When you click ready, the system – at that moment – generates the encounters.  It scales the encounters based on a target skill level, but the content is not generated right up until you click ready.  That’s essential for game balance – and once you’ve committed to the mission, either the mission is a success or the mission is a failure.  From a storyline standpoint, a success can be a draw – but the mission itself has to be succeed or fail (either you achieve your objectives, or you don’t).

In D&D, you have a concept of a challenge level.  If you start with the players’ combined level, and you multiply it by a target challenge level, you get an encounter’s combined level to be a challenge.  Then you split those points between the targets.  You set the challenge level, and then from that, you determine what the mobs must be to compete.

For each of the three stat totals – ranged, support, melee – you split that in half into a defensive score (all available, with current skills and gear, defensive abilities) and an offensive score.  You multiply the defensive score by the challenge level, then rotate one position – and that’s the mobs offense.  The pool of points will be strong against what the player is weak against.

You do the same with the offensive score, but rotate the other way – and that’s the defense pool.

Then – from those numbers – you generate the encounters.  And so the mission ends up being the target challenge level, regardless of who attends it.

Gandalf didn’t make Gimli go taunt the Balrog.

Strider didn’t stand around looking for a tank.

Lina Inverse doesn’t have Gowry do all the tanking.

The running headlong into a group thing – and having the group try to take you down – is fine.  But it can’t be “let me hold all your attention while that archer over there skewers your friends one at a time” or “let me hold your attention while the guy in the flimsy silk dress hits you all at once with a huge honking ball of fire.”  Ideally, all three core skill sets would be capable of both taking and dishing out damage, so that the fights are more like the main event in a movie, and less of a seeing if you can hit 100 on the threat meter.

And defense doesn’t mean “stand and take damage without doing anything.”

Most – if not all – defense should require active participation.  That’s why we need the rock/scissors/paper – if you just stand there, one of the other offense types will always hurt you unless you’re actively dodging and countering.  That’s the point in a game – to play it, to be doing something – not to be standing there calling the mob names while some dude tripped up on acid yells “heal” over and over again, then you all sit around taking bong hits afterwards from some pusher before you head to the next mob to repeat the same pattern.

If that makes sense?

ServerBeach has added a cloud storage plan with better pricing than Azure (no per-transaction hit, just straight bandwidth), and so I've set that up as well.

http://www.peer1.com/hosting/cloudone-storage.php

The Cloud storage plan is $0.15/GB/mo for storage -- so a full, dual layer DVD for example would be around $15/mo.  Then there's a $0.10/GB transferred off network (to and from our web server is free).  The file system is also fully versioned.

Amazon and Microsoft are charging about that same fee, but also charge an additional per-transaction fee.  So this will work out better pricewise.  We may use Amazon as well, though, in that they'll seed bit-torrent and Peer1 won't. 

Added (with edit):

They're also doing servers like Amazon's EC2 as well, and that also appears to be at a better price point (and so we might well take advantage of that service as well).

I am in the process of upgrading the leased server from Server Beach.  As a result, mail may take a little longer than usual to arrive in the mailboxes this weekend.  Nobody should miss any e-mail messages, and there shouldn't be any actual downtime.

The new server is a Quad Core with 4GB of ram, and so performance should be generally better across the board for everything hosted.  Additionally, our current network connection is 10M, and the new one is 100M and so you may see an increase in performance.  If you have any questions, give me a call.

I'm anticipating getting everything up this week, but we have four weeks paid up on the old server and so if anything isn't completely smooth, I'll just put it on hold a week. 

OK -- so there's a problem with this no class system, and that is that you can't easily implement a consider system.  Traditionally in MUD, there was a consider command that you used on a mobile before fighting it to see if it would be too easy, too tough or just right.

The first thing is I've never seen a "con" system that actually works.  The one in EverQuest and EverQuest 2, for example, doesn't take into account archtype, class, subclass or AA trees -- all of which are factors in how difficult or easy a fight is going to be.  The one in WoW and the one in Warhammer are, similarly, broken.  It's difficult any time you allow player customization at all -- so we need another approach other than looking at a flat level.

First, we're going to keep three scores.  One is the number of wins or losses against easier oponents.  Each time you win against an easy con, we add a point (saying we were right to con it easy).  Each time you lose against an easy con, we subtract a point (saying we were wrong). 

The second number is the number of wins against a medium con.  Again, each win adds a point and each loss subtracts a point.

The third number is the number of wins against a hard con.  Again, each win adds a point -- and each loss subtracts a point.

This forms an index that tells us how to modify cons.  If you have a ton of points against hard con mobs, then we ramp down what we're conning the difficulty at.  If you have lost a ton of points against easy con mobs, then we ramp the con down.  If we're getting things perfect, we know it.  Ideally, medium would be at zero, easy would be positive and hard would be negative -- and so we adjust the cons to try to achieve that, so that things that con as "even" give you about a 50/50 chance.

But how do you determine the initial con?

The answer is we do things differently from everyone else.  Normally a stat -- lets call it strength -- feeds into a skill.  You determine the stat at character creation, and maybe there's a way to move it through game play (gear, etc.).  There's some magic stat that for your archtype you want to be maxed, and the other stats aren't so important.

So we flip the problem around -- the skills determine the stat, and the stat determines the archtype.  But that's not sufficient -- there's a world of difference between an item you get easily, and an item you have to work for.  Each item has skill requirements to equip.

Only skills that have the necessary gear are useable -- so you take the total of all those skills, and that's the "effective" stat.  You total the "effective" stats, and that gets you a general power level.  But again, that's not enough to get a good con.  Someone who had only support abilities would con the same as someone who could instantly kill anything, and that would be bad.  So the con has to be based on the rock, paper and scissors -- the strongest stat has to be compared to the stat it dominates, and the weakest stat needs to be compared to the stat it is dominated by.  That makes it so that if the mob is really good against, say, ranged then it will con a lot higher versus ranged players than versus melee players.

This, then, helps the LFG system.  A balanced group would have the stats equal, so that no one stat dominated.  So if you're looking for more, the system can try to balance out the stats.

The key is the consider system must consider more than just the character level, and the consider system must consider more than just the points.  Every single piece of equipment and the skill of the player sitting in the seat are factors, and if you're going to ramp the difficulty level to an appropriate level, you're going to have to take all of that into account.  Otherwise there is no way to achieve a balanced game.

I want to emphasize -- all this is in generalities because I don't have specifics yet.  But my personal opinion is that if you look at "Lord of the Rings" as an example -- each member of the Fellowship has their own way of doing things, but when they're fighting they are all equally successful.  It shouldn't be about one guy repeatedly mashing the taunt button, while the rest very carefully avoid grabbing the mobs off of him.  It should rarely be "just one guy," and boss fights should be relatively involved.

I have some more ideas -- some pulled from D&D -- that I'm going to share in a couple of days.  The basic thought is -- the basic buckets should be "ranged," "melee" and "support."  Stealth is applicable to all of those, but in different ways -- a melee stealth would be the backstabber, a ranged stealth a sniper, and a hacking stealth more of a spy.  But I'm pretty sure the three buckets should be ranged, melee and support -- the reason being I can see a clear way to set up the rock, scissors and paper there that is fair to all of them.  Obviously, certain choices will involve more strategy and thought, while other choices will be plow through -- but both choices should be equally effective.  And that's really the key.

Anyway, I'll talk about it some more in a couple of days. 

Just because people say Windows is the source of all spam:

Author information

Just to pass it along -- I've bought from Daz3D for a long time (since before they split off from Zygote), and this is one of the most interesting things to me:

http://developer.daz3d.com/i/3d_art_resource/developer_press

This is pretty freaking awesome, even if you don't know it yet.  First, Zygote was developing content for Poser and other 3D programs.  Daz broke off, and started doing 3D content heavy.  It acquired a few other products, including such heavyweights as Bryce and Cararra, and then they developed a clone of poser (more or less -- you can argue if its a clone or not).  I have a platinum membership and, with some lapses, have had one for a few years.  Their content is awesome, and they resell for many people.  It's a shame they can't integrate things more into Daz Studio (e.g. name the content files something like dazpack, and make them simple zips, so that double clicking them could allow automatic installation on both Windows and MacOS).

Anyway -- if you look here:

http://www.digimi.com/newsite/presite/home.jsp

That can give you an idea of kind of what is going on here.  What they've done is taken a large number of their 3D assets, and made them available for use in video games.  For example, Victoria and Michael are the most popular 3D models on the planet by most measures, because of their long standing use as upgrade to the built-in poser models.  You can now license those for use in video games -- you can take them, apply morphs, and export them and pull them into your game engine.

What they're doing on the digimi site is allowing fully personalized avatars.  You can import the AV from there, and use it in a game.  The game is able to exert some control over that.  I have a few concerns over that approach, but for sure will be buying the Daz3D plug in set they're selling and a few of the models.

Among other things, the license should make it possible to export a model like Aiko (their anime model) and then use Hexagon on the resultant files, for example. 

Anyway -- really excited by this, and whish I had noticed it right when it happened.

I am making progress with the new website that handles registrations, player associations, etc.  Currently, I am accepting logins via OpenID from any provider that supports SSL/TLS on the channel between our web server and it (e.g. Yahoo, AOL, Google, MyOpenID, most others), as well as via Windows Cardspace.  A single account can have as many OpenID and CardSpace cards associated with it as the user wants, and the CardSpace stuff should magically disappear for users that don't support it.

Groups, including groups with start/end times (e.g. subscriptions) are fully functional, and I have activation codes approximately 10% done.  I hope to get those done this weekend, but may/may not get to it and it may have to wait until next week.

When I get it done, we'll need to re-establish the accounts.  I'm going to do that by e-mailing activation codes, and letting people who should have access enter the code and activate.

Note: there is also support for OAuth, and that is how I will be providing third party websites with access.  OAuth works similarly to Facebook applications, when an app wants to use information from us, it asks.  You go to your profile here, and you approve it.  Until it's approved here, the app gets nothing.  From a control panel here, on the account management screen, you can control the access -- including revoking it.  OAuth is an open standard, and there are multiple available implementations, and so it should work well for this application.

Note: I also have an XMPP server close as well.

Forgot your password?  Since we don't have passwords, that can be an issue -- so keep the account key around.  The account key and information on the account can be used to re-establish with a new OpenID or CardSpace provider, in order to reconnect to the account. 

Cleared out another batch of the spam.  Yay!  Any real commentors can post again if i caught you by mistake.

I was looking at various implementations of the Message Bus pattern, but I was not liking what I was finding, and so I rolled my own. 

There are four significant differences between this implementation and the others that I've seen.

1.  Subscribing, Unsubscribing and Publishing are threadsafe.  This is important because I want publishers on multiple threads (specifically the ThreadPool, responding to XMPP events).

2.  There is a WeakSubscribe model that uses a WeakReference to help with Garbage Collection (the WeakSubscribe method cannot hold an object alive).

3.  Subscribing to a base class -- inclusive of object -- subscribes to all descendent classes as well.  If I subscribe to Message, I get events when anything derived from Message is raised as well.  If I subscribe to object, I get all events that are raised (because of how .NET operates).

4.  Subscribers are notified via BeginInvoke, on a ThreadPool thread.  This means that the delegate handling the event needs to be thread neutral.

Note:  Because Publish is thread safe, the subscribers have to be thread neutral anyway.  So the fact I'm using the pool is secondary.

using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading;

namespace Net.BattleBazaar.AppServices
{
    public class MessageBus
    {
        private ReaderWriterLockSlim _lock = new ReaderWriterLockSlim(LockRecursionPolicy.SupportsRecursion);
        private Dictionary<Type, List<object>> _subs = new Dictionary<Type,List<object>>();

        public void Subscribe<T>(MessageBusCallback<T> callback)
        {
            _lock.EnterWriteLock();
            try
            {
                List<object> Handlers;

                if (_subs.ContainsKey(typeof(T)))
                {
                    Handlers = _subs[typeof(T)];
                }
                else
                {
                    Handlers = new List<object>();
                    _subs.Add(typeof(T), Handlers);
                }

                Handlers.Add(callback);
            }
            finally
            {
                _lock.ExitWriteLock();
            }
        }

        public void WeakSubscribe<T>(MessageBusCallback<T> callback)
        {
            // no lock needed here.
            var x = new WeakMessageBusCallback<T>(callback);
            Subscribe<T>(x.Callback);
        }

        public void Unsubscribe<T>(MessageBusCallback<T> callback)
        {
            _lock.EnterUpgradeableReadLock();
            try
            {
                if (!_subs.ContainsKey(typeof(T)))
                    return;

                _lock.EnterWriteLock();
                try
                {
                    var Handlers = _subs[typeof(T)];
                    Handlers.Remove(callback);

                    if (Handlers.Count == 0)
                        _subs.Remove(typeof(T));
                }
                finally
                {
                    _lock.ExitWriteLock();
                }
            }
            finally
            {
                _lock.ExitUpgradeableReadLock();
            }
        }

        public void Publish<T>(T msg)
        {
            _lock.EnterReadLock();
            try
            {
                var Q = typeof(T);
                var done = false;
                while (!done)
                {
                    if (Q == typeof(object))
                        done = true;

                    if (_subs.ContainsKey(Q))
                    {
                        var Handlers = _subs[Q];
                        Handlers.ForEach(delegate(object h)
                        {
                            var i = h.GetType().GetMethod("BeginInvoke"); // , new Type[] { Q, typeof(WaitCallback), typeof(object) });
                            i.Invoke(h, new object[] { msg, null, null });
                        });
                    }

                    Q = Q.BaseType;
                }
            }
            finally
            {
                _lock.ExitReadLock();
            }
        }
    }

    public class WeakMessageBusCallback<T>
    {
        private WeakReference x;

        public WeakMessageBusCallback(MessageBusCallback<T> cb)
        {
            x = new WeakReference(cb, true);
        }

        public void Callback(T msg)
        {
            if (x.IsAlive)
            {
                ((MessageBusCallback<T>)x.Target)(msg);
            }
        }
    }

    public delegate void MessageBusCallback<T>(T msg);

}

So anyway -- that's my take on the problem.  You use this pattern when you have an event source (in my case a XMPP stream) that you want to be loosely coupled with some services (in my case, the MUC group chat object).

Cleared out around 90 spam posts -- if yours wasn't spam, then reply to this one and I'll put it back.

Spammers are trolling now, that's probably a good tactic -- they probably think people will approve those comments and reply.  Still working on moving the blog, I'm making sure everything is in place first (note: the new one is excluding known bot nets, and will be using a different technique for nailing the spam that I'm hopeful will be more effective).

I've got some other information to pass along, but not tonight.

As part of testing with Windows Azure, I will be moving the blog from Blog Engine to Azure sometime this week most likely.  I will be bringing the account management services up around the same time.

The chicken vs. cow argument goes chickens aren't as valuable as cows, and so you need a way to trade chickens for cows, and so you pay so much per chicken, and pay so much per cow, and now you have a way of trading the two.

However -- this assumes there are people who want chickens, people who want cows, and that the central authority has a relatively fixed pool of money.  In reality, that is not how MMOs function.  Instead, nobody wants the chickens except NPCs who pay from an infinite pot, in order to remove the chickens from the game.  All anyone actually wants are the cows, and so you get infinite and uncontrollable inflation.

To deal with that, you turn the problem on its side.  Why are you giving the players chickens, if what they need are cows?

I see this as like boosters in a collectible card game/trading card game.  There are only certain cards that have value, the rest are garbage.  In order to get the cards that have value, you either buy an ungodly number of boosters or you buy/trade for the card that you want.  All the useless cards have no value, at all, and are just filler.  Once you have a few thousand basic land cards, you don't really benefit at all from obtaining additional basic land cards.  And that is very much how it actually goes.

In the MMO, to remove those useless drops, they use those NPCs with infinite pools of cash.  The issue with that is that if someone can afford to buy a lot of boosters, they can generate a lot of cash -- that is, someone who can play all the time can generate infinite cash, and so inflation runs completely out of control.

You deal with that by removing the booster mentality, and instead going to a redemption or ticket approach.  When you kill something, rather than drop a rare item randomly, it drops a common item all the time.  You trade the common item to a NPC to get a rare item.  You have only chickens (stackable), and there's only one place you can trade them for cows.  That follows a basic pattern, and allows the players to obtain the items that they want.

So how do you handle crafting, then?

Well, the goal behind the redemption system is to reward based on results -- if I run through a mission in record time, without getting hit, etc. then I get a bigger reward than if I wipe a thousand times  It seems like that same logic (to me) applies to crafting -- you don't get the reward from the player asking you to craft the item, the reward -- instead -- comes from the game itself, for doing well at playing it.

This also eliminates the "I'll do that for donations" versus "I want your first born child" problem as well.  :)

Due to continued spamming after I enabled comment moderation, I've installed a plug in to check against a shared database.  We'll see if that cuts it down a bit.

I have both the main computers that I use converted to Windows 7 x64 now.  On the one, I have an adaptec SCSI card that is not recognized, but both systems are working at this point in time.

After waiting for 7 days for the slow computer to do an upgrade from Vista x32 to Windows 7 x32, I just did a reload instead.  The reload completed successfully in under an hour and a half (I was patient because even after a week, the installer was still animating but -- there's a limit to how long I was going to give it, especially since the computer had not had a clean install for many, many, many releases of Windows).

It's up and happy on both of the computers here.

I updated the blog software over the last couple days to the latest version of Blog Engine.  Because I’m still working on the OpenID stuff, it’s using SQL Server for a couple days.  Everyone’s logins should still work.

Because of the number of spam comments, I’ve enabled moderation on comments.

Just FYI,

With Yahoo and several other providers, you can just enter the provider's address (yahoo.com, for example) as your OpenID, and it will redirect to Yahoo and prompt you for credentials.  This is a good feature if you want to use their long, obfuscated identifiers -- but don't want to remember them.  If you have multiple valid identifiers, it will let you pick which one to send back to the site.

The "patcher" in a traditional MMO generally, in some shape or form, requires an account that has administrative privleges.  This is solved in a variety of ways; for example, the new version of the Station Launcher installs a service, which allows it to apply patches using the Local System account.  We are taking a different route, however.

A common approach to loading game resources is to have a "Virtual File System."  Most games do this, at some level, just to manage resources.  Resources could be on a CD-ROM, could be downloaded from the server, and so forth.  The concept is fairly straightforward -- you have a path like: "/themes/systemFaction/systemFaction.jpg."  Under the covers, the system takes the specified path and maps it to "C:\ProgramData\BattleBazaar.net\Iron\themes\systemFaction\systemFaction.jpg."  You don't have to worry about where the ProgramData folder is located in the code, just one spot has to ask the operating system for it.

What we find is that most players spend most of their time in a small subset of the game world, with most MMO's.  Why patch 30 zones the player doesn't care about, to patch the 3 in which they are currently playing?  Now there's something -- obviously -- to maximize the use of zones.  Large, outdoor zones have to be constructed with a target level, and as expansions come out, etc. people are going to move outside that target level.  Using a skills centric system, like we are, doesn't change that -- if you have a large, outdoor zone the difficulty level can't really be scaled.

A strategy that helps with keeping the game footprint small, then, would be to download just what you need as you go along.  This increases load time a little, but you can cache the data and perform just a quick check when returning to the zone.  This removes the need to patch all the various files that go into making a zone, such as the themed textures and so forth.  Meanwhile, it means when you add new content, you just add the new content and immediately start referencing it.  That rules out dial up, but dial up is not a huge market segment anymore.

Now, extending this to the application itself -- if you trust the application using a digital signature, then the assembly can be read from the cache just as easily as from program files or some other, patch-friendly, location.  By trusting the application using a digital signature, you can give the application the level of access that it needs for things like OpenGL calls, but at the same time, you can load it cache-friendly from the web.

The way it works is that you mark some resources "retain," and they are always retained.  You allow the user to set a minimum and maximum cache size, potentially for multiple games.  Then once they download the client, everything routes through the VFS and so the assemblies are brought down automatically, and trusted as necessary via the signatures.  This is similar to how Final Fantasy XI operates, for example.

Tentative update to Minimum System Requirements:

Intel ATOM 1.6Ghz or faster.

1GB RAM

Windows XP Home for Ultra Lowcost Computing

 800x600 min resolution (the specific device I am targetting is 1024x600).  16bit or 32bit color.

*** I believe that 1.6ghz is probably a reasonable target clock speed.  If we can run successfully lower than that, that's great, but I think that the target clock should be right around that anyway.  Like I said, I have a specific device in mind.

*** The invite still will be coming soon for the staff player association.  I'm testing things now, and will send it off as soon as I am sure that it is working.  Long term, the Wiki and blogs will have a visible change as well (authentication will be for all of BattleBazaar.net/BattleBazaar.com, and not for individual pages). 

 *** Part of the delay is that I want to make sure the web features as they stand are "working right."

* Launcher requires the "Install Software" permission on Windows.

* Patcher requires no permissions on Windows.

* Content updates do not require patching (at all).

* Launcher requires root to install for all users on Unix-like operating systems.

* Patcher requires a setuid process on Unix-like operating systems.

OK, so I was working on getting crossfire working again after some update knocked it out, and having no luck.  Some sites suggested uninstalling Service Pack 1 -- let me tell you now, save yourself a lot of grief, do not uninstall service pack 1.  That turned out very badly, incredibly badly.  The argument is that a Windows component has been damaged, and maybe that fixes it.  However, sfc /scannow will have that same effect without costing you a couple hours of recovery -- and it won't actually fix the problem in all cases.

 So anyway, I decide I'm going to reinstall the drivers -- catalyst install manager doesn't work though, and so I look up and again I see crazy advice on the Internet, so here's what I try:

Start > Control Panel > Classic View > Problem Reports

Report a problem with Catalyst Install Manager

Voila, it tells me to go to KB961894 for a solution.  Here's the download page:

http://code.msdn.microsoft.com/KB961894/Release/ProjectReleases.aspx?ReleaseId=2067

This fixes it, but per the discussion, there might be other issues with using the hot fix.  I hope that this saves someone else some time.

I've updated the TLS certificates for BattleBazaar.net and BattleBazaar.com.  Sorry for taking so long, but just did the rekey and reinstall.  That means no more nasty warnings when viewing them about them being expired.

I am getting ready to post a beta version of the patcher and some other software.  Among other things, I'm experimenting with SIP (Session Initiation Protocol) which is what Sony is using for their voice chat, and what Microsoft uses in Exchange.  That would allow us to have voice chat without being "in the middle."  I'll update on that when I determine if it's something I want to go forward with or not.  SIP is the protocol used by most VOIP phones also, which makes it convenient to route to soft phones for support.  It's also used by most Internet PBX-equivalent phone systems.  It is almost certain that I will go that way in place of the XMPP support I had been working on, just because of the potential to support Voice in this way.

* Be aware: if you're on the development or staff mailing lists, you will be receiving a link soon.  That link will get you set up with the OpenID software on the server.  The invite will be on the TLS (HTTPS) site, and will be to the "GM-Developer" and/or "GM-Staff" player associations.  You should accept those invites, and fill out your profile as needed.  If you're using Yahoo's OpenID provider, they will not provide profile information.  If you are using MyOpenID.com, they'll ask you what fields you want to share and you should mark them.

Marcus' website for his web comic is now up at:

http://www.awakened-dream.net

When I get the new BattleBazaar.com website up and running, it will be using the new OpenID authentication.  It is not up right now (what’s there now is just a dummy site I was using for testing).  When that happens, I will post it here as well as to the front page of the Wiki.

When it happens, to gain access to either BattleBazaar.net or BattleBazaar.com, you will have to use your OpenID to log in.  The first time you attempt to log in, it’s going to go to a registration wizard.  It’s going to ask the other website for as much information as it can get, to automatically fill in the registration, but Yahoo won’t give it very much.  Once you’ve gotten it filled in, you’ll go into an “activated but unapproved” status, and it’s going to give a notification to the administrators network that there is an unapproved user.  I’m going to log in, and approve the account and assign you to the roles and groups you should be in.

From that point in, logins throughout the website are going to be using OpenID.

Yahoo doesn’t currently give much information at all when a site asks for it, but some other providers (myopenid.com, for example) do.

Just FYI, I’m in the process of getting the new BattleBazaar.com website I promised a long time ago up and running.  I have OpenID working with the providers that I have tested, so I believe that it ought to be working OK.  The way I am working it is similar to FaceBook or other social networking sites.  I believe that all of this is going to work pretty well, but I need to test it some more before I “throw the switch.”  I believe that I will also be able to run Marcus’ comic site with the same setup.

I am working on passing the login information from the browser into the application; I will probably use a launch ticket application (like Kesmai and Asheron’s Call used to) that passes the necessary information to the launcher, versus other potential approaches.  That means to launch a game, you’ll go to a site (tentatively my.battlebazaar.com), where your games will be listed.  You’ll pick a game off the list, and click it to launch it. 

That also means all the login is done via a web browser.  :)

The user will probably receive an open, save, or cancel dialog box (just like if they are downloading a file) for now, but I’ll get rid of that entirely later in the process.

I know it might seem like a good idea to whoever is designing your web page, but do not ever, for any reason, use the ubiquitous lock icon and put next to it “This site is secure.”  Think about it for a minute – if you don’t get “why shouldn’t I do this,” then keep reading.

Lets say I am a phisher, and pretend that I am trying to fake users into clicking your link.  Where is the one place they can safely look to be 99.97% sure that they have reached a secure site and, more importantly, have reached your site in particular?  The lock icon, built-into the browser.  On Internet Explorer 7 and 8, it’s shown up at the top of the window like this (many other browsers follow this same pattern as well):

That tells me that I am hitting gemoney.com.  It gives me an icon I can click on to see who thinks it is General Electric Company, like so:

Additionally, the bar changed color to tell me that it is an EV certificate, issued to corporation like banks, and that it met the requirements set forth for those kinds of certificates.

Now, here’s what you should never ever do coming up:

Just to show how safe it is:

“   This site is secure”

Instead what the should have there is, roughly:

“Look for the lock icon on your browser address or status bar, to be certain you are connected to our website.  On newer web browsers, the address bar should be green and should identify us as “General Electric Company.””

Do not duplicate browser UI that is going to identify if a site is secure or not in the web page.  When you do that, it makes it easier to lure users into submitting information to a fake website.  Instead, point them towards where the information appears on their browser, and have them look there.  Let the browser do its job and protect the user.

Also, I find it ironic that while PayPal Buyer Credit is run by GE Money Bank, you can’t pay it from your PayPal balance, and you can’t set up automatic transfers either way.  Just seems like if I were doing a credit service for PayPal, I would run the transfers both way.

The main paypal website links to Verisign instead of displaying this widget, and also includes the verisign site seal.  I don’t agree with the site seals either, incidentally, because they are also too easy to fake.

I was going to post here a sample VB project using DirectX, but I remembered there's an easier solution.

 Download #Develop from http://icsharpcode.net/OpenSource/SD/Default.aspx -- it has a template for DirectX already set up.  To use it, you need three things:

1.  Either Microsoft's .NET Runtime 2.0 or Mono 2.0

2.  DirectX 9 (XP) or DirectX 10 (Vista) from http://www.microsoft.com/downloads/browse.aspx?displaylang=en&productID=9C954C37-1ED1-4846-8A7D-85FC422D1388 (the SDK and/or REDIST will install the support -- better to install the SDK, so you can get help if you need it)

3. #Develop or Visual Studio -- #Develop has a template, Visual Studio does not.  The two use interchangeable project formats.

Alternatively, with the Microsoft toolset go here:

http://microsoft.com/xna

That will give you the XNA toolset, which allows you to write code in any managed language (including C#, VB.NET, Python, PHP, C++, Delphi -- whatever language floats your boat and is applicable to the target) and deploy to the following devices:

1.  Windows Computers

2.  XBox 360

3.  Zune MP3 Player

The XBox 360 support requires whoever owns the XBox to pay an extra premium to play "Creator's Club" games.  Zune currently doesn't require this extra premium.

Alternatively, if you're writing a new engine from scratch, TAO from the Mono project is a good option.  TAO uses SDL, a highly portable 2D graphics platform, and has bindings for OpenGL and a large number of other highly portable libraries.  As a result, code in any .NET programming language compiled against TAO is itself highly portable -- it will run, from the same executable, on MacOS X, Linux and Windows.

If it is desired to run against Mono on non-Microsoft OS, then avoid DirectX -- DirectX is a Microsoft proprietary technology, not supported on non-Microsoft platforms.  OpenGL is widely supported and, additionally, offers the entire DirectX 10.1 feature set on Windows XP with nVidia and ATI drivers.  OpenGL is driven by the video card companies in conjunction with industry partners from CAD-CAM and video game companies, not by Microsoft.  It is easier to introduce proprietary extensions, it is easier to introduce agreed-upon standard extensions, and generally the video card companies are fully supporting their chipsets features on that side.

On Windows Vista and later -- as well as all Linux distros and MacOSX -- you should use OpenAL in some form for audio.  Either directly via C++, TAO's OpenAL support (from .NET languages) or via a library like fmod.  Pure and simple, on Windows Vista the driver natively speaks OpenAL.  DirectSound goes through a compatibility library that invokes OpenAL.  On Windows XP, you should install Creative Labs OpenAL driver (which works with all sound cards), and on Creative Labs cards, that card will bypass DirectSound and talk straight to the hardware.  On non-Creative Labs cards, it will route through DirectSound.

If you have an e-mail account, you should be able to access webmail using any of the following:

https://battlebazaar.com/MEWebMail

http://mail.battlebazaar.com

http://mail.battlebazaar.net

Take your pick -- also, if you have an account, the POP3, IMAP and HTTPMail servers should be working also, so you should be able to configure any common e-Mail application to work also..

The "Slow" computer is back among the living.

 However, I don't believe that it qualifies as a "slow" computer anymore.  We'll see after I can do some real testing on it...

 New Specs on the "Slow" Computer:

AMD Phenom x4 2.5ghz

Kingston "HyperX" DDR2 1066 x 4g

2x ATI Radeon 4650, with 1g of RAM each

SoundBlaster X-Fi PCIx

160g Seagate PATA

700g Seagate PATA

USB CD-ROM

We have completed the update at home to AT&T 6MBPS DSL and Internet-based cable.  Aside from getting local channels in high definition that were not included in Time Warner's channel line up, on the digital HD service, the image quality is just incredible.  The PVR is extremely cool, and allows downloading programming extremely easily

Sending out an email tonight to impacted users, however I activated webmail on battlebazaar.com on the secure site there (so that is now an option for mail users).  Should be able to guess what to change.

Didn't get the servers up tonight, will get them up tomorrow.  Sorry for the delay. :-)

Yeah!  You heard me, something is actually coming online. 

Master Accounts

Each account can be either a master account (parent is null) or a secondary account (parent is not null).  Secondary accounts share all contact information with primary accounts.  Secondary accounts are clearly indicated as such.  This is similar to what Turbine and NCSoft do, in that you only have to adjust billing information in one place. 

Characters

Since the character server is also going up, you will be able to create characters under a master or secondary account.  You will be able to specify the character's name and gender.  You will be able to obtain a signature block that can be embedded in most popular forum software for an avatar image, and you will be able to obtain a signature block that can be embedded as a signature.  The signature version will include online/offline status, and will link to a journal about your character.  It is up to you what events are automatically logged to the journal (completion of stories, etc.) and there will be a facility to log short messages to the journal as well (e.g. On vacation until 1/24).  People reading your profile will be able to instant message you in game, and chat with you in game, when those servers are finally up.

People on Jabber or Google will eventually be able to subscribe to presence notifications and also send IM in and out of the game.  I don't intend to support other chat networks at this time, but that is always subject to change.

Player Associations (Clans)

Master accounts will be able to create Player Associations.  These player associations may cross games and servers.  They will be able to create "subordinate" organizations, alliances and enemies.  There will be a membership roster and a guild events log (similar to the log in EQ2).  There will be the capability, as with characters, to add your own messages to the log as well.  The messages will be available as an RSS feed, filterable by game, server and unit. 

Characters applying for membership in a PA will have their character information added to an RSS feed as well.  Someone with add to clan permission will be able to view the feed, and click a link to allow the user to join. 

Services

The first round of externally accessible services will also be made available, surrounding these features.  As with the clan membership notifications, how this works is the remote site requests access to your character data (note: no personal data is available via this service, only character and clan information is available).  You will be allowed to select "allow this site to access my character" or "do not allow this site to access my character" (same with clans).  This is so that clans or fan web sites can pull data.

Game Cards

Support for game cards is also going up.  Staff accounts will be able to generate game codes for the "alpha test" group, and cards that add as-yet unnamed tokens to accounts.  These will be 25 digit alphanumeric codes that do not use the character 1, 0, I or O -- in upper case.  Note: generated codes won't work in master accounts for staff, and eventually this feature will probably be restricted to certain staff groups -- but for now, we don't have a mountain of staff so I won't lock it down. :-)

Profile Cards for Web Sites

In addition to all the above, there's also an option to generate profile cards for use on other web sites.  This is designed to be larger than a signature or profile box, and will eventually show much more information.  For now, it won't do a heck of a lot.  Player associations will be able to generate such cards.

Cardspace Login

Log in using a Windows Card Space or other information card provider will be supported.

You heard it hear first.  Instead of https://battlebazaar.net, you'll have to use https://battlebazaar.net:4343.  This change is so that I can activate https://battlebazaar.com on the server. 

This means the web site for accessing your e-mail will also change.  I'm sending that information out by e-mail in a couple minutes. 

For a long time, I have continued to keep dbacher@battlebazaar.com as a valid mail address.  This was because a significant number of people had the address.

 For the last several years, I have been using a different address.  The battlebazaar.com address gets, on average, between 100 and 120 spam e-mails a day (yes, one account, yes a day).  Most of these are eaten, these days, by the domain black list and the SPF verification.  I've said it before and I'll say it again, if you aren't using SPF -- turn it on.  If you're sending me statements or w/e, then send them digitally signed.

There is a domain keys module now for the mail server; I may install that, or I may not.  My personal opinion is that domain keys does not really bring anything to the table above SPF, while it does introduce a lot more processing.  The reason I say that is that if I'm not accepting mail from an unauthorized server in the first place, then domain keys buys me very little.  The domain key is stored in the DNS, same as the SPF.  The only thing that Domain Keys brings to the table is an additional check that an authorized server is also sending via an authorized process.  But thats not the issue with the spam I see -- I see the spam being sent via unauthorized computers.  And I see more spam than anyone.

 For now, I've split the dbacher@battlebazaar.com account off as a separate mailbox, instead of delivering messages to my primary mailbox.  Once I've confirmed who still is using the older address, I will disable that account (similar to my john@battlebazzaar.net and john@battlebazaar.com accounts, that just mark mail as spam)

http://blogs.msdn.com/andrewarnottms/archive/2007/10/29/what-do-you-think-of-the-new-wcf-store-and-forward-mail-transport.aspx

I can't speak for the mail transport in WCF, because I've not yet used it, however I've used other mail transports with .NET before.  The nice thing about the mail transports is that it is a technology that crosses firewalls easily.  If you have a client outside the firewall, it is almost never a problem for it to e-mail someone inside the firewall.  It is usually easy to get an e-mail account (regardless of the server software involved).

E-mail transports are also useful because Microsoft Message Queue requires a domain controller for some distributed scenarios, but you are sometimes on leased servers that aren't domain controllers.  In those scenarios, e-mail transport provides most of the same benefits as message queues, but without the need for a PDC.  That is huge for some setups.

The other really nice thing about e-mail transports is that given backup MX service (something that only costs around $20/year from companies like no-ip and the like), servers can go offline -- even for a week or more -- and the messages will recover when it comes back up.

The big drawback to e-mail is that it is very high latency.  The messages might get there in 10 seconds.  The messages might get there in an hour.  The messages might get there in a week.  This usually isn't a problem on internal e-mail, but it is a big problem for system domain boundaries. 

Also, you have to watch for filtering as well.  For example, is the remote system allowed to send mail by the SPF?  I am a huge advocate of SPF -- I have it set up on my servers, I enforce it on inbound mail, and you should too.  SPF blocks more than 300 messages a day on battlebazaar.com, and around twenty to thirty a day on battlebazaar.net, and we don't have a ton of users (but battlebazaar.com was used in several discussion lists and newsgroups, and so the spammers came).

Many anti-spam programs will trigger off of message headers, and off of receiving many similar messages.  You have to be certain whatever anti-spam you have server-side is able to handle the messages reliably also.