I've updated the TLS certificates for BattleBazaar.net and BattleBazaar.com.  Sorry for taking so long, but just did the rekey and reinstall.  That means no more nasty warnings when viewing them about them being expired.

I am getting ready to post a beta version of the patcher and some other software.  Among other things, I'm experimenting with SIP (Session Initiation Protocol) which is what Sony is using for their voice chat, and what Microsoft uses in Exchange.  That would allow us to have voice chat without being "in the middle."  I'll update on that when I determine if it's something I want to go forward with or not.  SIP is the protocol used by most VOIP phones also, which makes it convenient to route to soft phones for support.  It's also used by most Internet PBX-equivalent phone systems.  It is almost certain that I will go that way in place of the XMPP support I had been working on, just because of the potential to support Voice in this way.

* Be aware: if you're on the development or staff mailing lists, you will be receiving a link soon.  That link will get you set up with the OpenID software on the server.  The invite will be on the TLS (HTTPS) site, and will be to the "GM-Developer" and/or "GM-Staff" player associations.  You should accept those invites, and fill out your profile as needed.  If you're using Yahoo's OpenID provider, they will not provide profile information.  If you are using MyOpenID.com, they'll ask you what fields you want to share and you should mark them.

When I get the new BattleBazaar.com website up and running, it will be using the new OpenID authentication.  It is not up right now (what’s there now is just a dummy site I was using for testing).  When that happens, I will post it here as well as to the front page of the Wiki.

When it happens, to gain access to either BattleBazaar.net or BattleBazaar.com, you will have to use your OpenID to log in.  The first time you attempt to log in, it’s going to go to a registration wizard.  It’s going to ask the other website for as much information as it can get, to automatically fill in the registration, but Yahoo won’t give it very much.  Once you’ve gotten it filled in, you’ll go into an “activated but unapproved” status, and it’s going to give a notification to the administrators network that there is an unapproved user.  I’m going to log in, and approve the account and assign you to the roles and groups you should be in.

From that point in, logins throughout the website are going to be using OpenID.

Yahoo doesn’t currently give much information at all when a site asks for it, but some other providers (myopenid.com, for example) do.

Just FYI, I’m in the process of getting the new BattleBazaar.com website I promised a long time ago up and running.  I have OpenID working with the providers that I have tested, so I believe that it ought to be working OK.  The way I am working it is similar to FaceBook or other social networking sites.  I believe that all of this is going to work pretty well, but I need to test it some more before I “throw the switch.”  I believe that I will also be able to run Marcus’ comic site with the same setup.

I am working on passing the login information from the browser into the application; I will probably use a launch ticket application (like Kesmai and Asheron’s Call used to) that passes the necessary information to the launcher, versus other potential approaches.  That means to launch a game, you’ll go to a site (tentatively my.battlebazaar.com), where your games will be listed.  You’ll pick a game off the list, and click it to launch it. 

That also means all the login is done via a web browser.  :)

The user will probably receive an open, save, or cancel dialog box (just like if they are downloading a file) for now, but I’ll get rid of that entirely later in the process.

I know it might seem like a good idea to whoever is designing your web page, but do not ever, for any reason, use the ubiquitous lock icon and put next to it “This site is secure.”  Think about it for a minute – if you don’t get “why shouldn’t I do this,” then keep reading.

Lets say I am a phisher, and pretend that I am trying to fake users into clicking your link.  Where is the one place they can safely look to be 99.97% sure that they have reached a secure site and, more importantly, have reached your site in particular?  The lock icon, built-into the browser.  On Internet Explorer 7 and 8, it’s shown up at the top of the window like this (many other browsers follow this same pattern as well):

That tells me that I am hitting gemoney.com.  It gives me an icon I can click on to see who thinks it is General Electric Company, like so:

Additionally, the bar changed color to tell me that it is an EV certificate, issued to corporation like banks, and that it met the requirements set forth for those kinds of certificates.

Now, here’s what you should never ever do coming up:

Just to show how safe it is:

“   This site is secure”

Instead what the should have there is, roughly:

“Look for the lock icon on your browser address or status bar, to be certain you are connected to our website.  On newer web browsers, the address bar should be green and should identify us as “General Electric Company.””

Do not duplicate browser UI that is going to identify if a site is secure or not in the web page.  When you do that, it makes it easier to lure users into submitting information to a fake website.  Instead, point them towards where the information appears on their browser, and have them look there.  Let the browser do its job and protect the user.

Also, I find it ironic that while PayPal Buyer Credit is run by GE Money Bank, you can’t pay it from your PayPal balance, and you can’t set up automatic transfers either way.  Just seems like if I were doing a credit service for PayPal, I would run the transfers both way.

The main paypal website links to Verisign instead of displaying this widget, and also includes the verisign site seal.  I don’t agree with the site seals either, incidentally, because they are also too easy to fake.

If you have an e-mail account, you should be able to access webmail using any of the following:

https://battlebazaar.com/MEWebMail

http://mail.battlebazaar.com

http://mail.battlebazaar.net

Take your pick -- also, if you have an account, the POP3, IMAP and HTTPMail servers should be working also, so you should be able to configure any common e-Mail application to work also..

The "Slow" computer is back among the living.

 However, I don't believe that it qualifies as a "slow" computer anymore.  We'll see after I can do some real testing on it...

 New Specs on the "Slow" Computer:

AMD Phenom x4 2.5ghz

Kingston "HyperX" DDR2 1066 x 4g

2x ATI Radeon 4650, with 1g of RAM each

SoundBlaster X-Fi PCIx

160g Seagate PATA

700g Seagate PATA

USB CD-ROM

We have completed the update at home to AT&T 6MBPS DSL and Internet-based cable.  Aside from getting local channels in high definition that were not included in Time Warner's channel line up, on the digital HD service, the image quality is just incredible.  The PVR is extremely cool, and allows downloading programming extremely easily

Sending out an email tonight to impacted users, however I activated webmail on battlebazaar.com on the secure site there (so that is now an option for mail users).  Should be able to guess what to change.

Didn't get the servers up tonight, will get them up tomorrow.  Sorry for the delay. :-)

Yeah!  You heard me, something is actually coming online. 

Master Accounts

Each account can be either a master account (parent is null) or a secondary account (parent is not null).  Secondary accounts share all contact information with primary accounts.  Secondary accounts are clearly indicated as such.  This is similar to what Turbine and NCSoft do, in that you only have to adjust billing information in one place. 

Characters

Since the character server is also going up, you will be able to create characters under a master or secondary account.  You will be able to specify the character's name and gender.  You will be able to obtain a signature block that can be embedded in most popular forum software for an avatar image, and you will be able to obtain a signature block that can be embedded as a signature.  The signature version will include online/offline status, and will link to a journal about your character.  It is up to you what events are automatically logged to the journal (completion of stories, etc.) and there will be a facility to log short messages to the journal as well (e.g. On vacation until 1/24).  People reading your profile will be able to instant message you in game, and chat with you in game, when those servers are finally up.

People on Jabber or Google will eventually be able to subscribe to presence notifications and also send IM in and out of the game.  I don't intend to support other chat networks at this time, but that is always subject to change.

Player Associations (Clans)

Master accounts will be able to create Player Associations.  These player associations may cross games and servers.  They will be able to create "subordinate" organizations, alliances and enemies.  There will be a membership roster and a guild events log (similar to the log in EQ2).  There will be the capability, as with characters, to add your own messages to the log as well.  The messages will be available as an RSS feed, filterable by game, server and unit. 

Characters applying for membership in a PA will have their character information added to an RSS feed as well.  Someone with add to clan permission will be able to view the feed, and click a link to allow the user to join. 

Services

The first round of externally accessible services will also be made available, surrounding these features.  As with the clan membership notifications, how this works is the remote site requests access to your character data (note: no personal data is available via this service, only character and clan information is available).  You will be allowed to select "allow this site to access my character" or "do not allow this site to access my character" (same with clans).  This is so that clans or fan web sites can pull data.

Game Cards

Support for game cards is also going up.  Staff accounts will be able to generate game codes for the "alpha test" group, and cards that add as-yet unnamed tokens to accounts.  These will be 25 digit alphanumeric codes that do not use the character 1, 0, I or O -- in upper case.  Note: generated codes won't work in master accounts for staff, and eventually this feature will probably be restricted to certain staff groups -- but for now, we don't have a mountain of staff so I won't lock it down. :-)

Profile Cards for Web Sites

In addition to all the above, there's also an option to generate profile cards for use on other web sites.  This is designed to be larger than a signature or profile box, and will eventually show much more information.  For now, it won't do a heck of a lot.  Player associations will be able to generate such cards.

Cardspace Login

Log in using a Windows Card Space or other information card provider will be supported.

You heard it hear first.  Instead of https://battlebazaar.net, you'll have to use https://battlebazaar.net:4343.  This change is so that I can activate https://battlebazaar.com on the server. 

This means the web site for accessing your e-mail will also change.  I'm sending that information out by e-mail in a couple minutes. 

For a long time, I have continued to keep dbacher@battlebazaar.com as a valid mail address.  This was because a significant number of people had the address.

 For the last several years, I have been using a different address.  The battlebazaar.com address gets, on average, between 100 and 120 spam e-mails a day (yes, one account, yes a day).  Most of these are eaten, these days, by the domain black list and the SPF verification.  I've said it before and I'll say it again, if you aren't using SPF -- turn it on.  If you're sending me statements or w/e, then send them digitally signed.

There is a domain keys module now for the mail server; I may install that, or I may not.  My personal opinion is that domain keys does not really bring anything to the table above SPF, while it does introduce a lot more processing.  The reason I say that is that if I'm not accepting mail from an unauthorized server in the first place, then domain keys buys me very little.  The domain key is stored in the DNS, same as the SPF.  The only thing that Domain Keys brings to the table is an additional check that an authorized server is also sending via an authorized process.  But thats not the issue with the spam I see -- I see the spam being sent via unauthorized computers.  And I see more spam than anyone.

 For now, I've split the dbacher@battlebazaar.com account off as a separate mailbox, instead of delivering messages to my primary mailbox.  Once I've confirmed who still is using the older address, I will disable that account (similar to my john@battlebazzaar.net and john@battlebazaar.com accounts, that just mark mail as spam)