11 Dec, 2009

A week with a huge surprise

Posted by garg 23:25 | General
This week was a special week. Why? Because LadiC sent us some of her own performances and we placed them in our beloved game. It wasn't something I was expecting, and she herself offered to send me the music. I must say I was impressed and the music is just perfect for the game. I hope she enjoys the fact that many, many players will enjoy and listen to her performances.

5 Dec, 2009

A little pause

Posted by garg 22:40 | General
From time to time I need to cool down, and this is one of those times. So for a little while (I believe until January) I will not work on the combat system and will quite certainly not add new features to the game (besides a few tweaks here and there, that's it).

Those down periods help me make up my mind, and regain all the mental energy which allows me to develop NEaB even after 5 years. Yes, I know that some of you are really waiting on those changes, but well, allow me to be more lazy than usual at least from time to time.

On the other side, I do have a lot of side projects going on, like the miniNEAB engine work and others... which means I'm not actually sleeping, but instead shifting my priorities for a little while.

30 Nov, 2009

Improved security on NEaB

As I described in my last article, there are ways to improve the login security, and guess what? I implemented it inside our game. However, it's not just a matter of changing the home page and all would work; sadly NEaB is a tiny bit more complex and I had to dig into a lot of files to replace the old login schema with a new improved function.

Part of that work was done last week, and then I waited for the new week so that I would be able to debug things during the week. We do now have a more secure login / cookie as we NEVER transfer the password in plain text over the network. Also on the database side we don't store the password as plain text either, and therefore even if some hackers manage to read the table (which I hope is not possible) they would still not see our passwords. I don't know the passwords either, as the encryption used is called "one way encryption", which means there is no real way to get the data back, aside from a brute force attack.

As side work, I changed the password recovery tool, and to help players use it, we now allow all users to change their email directly from the option panel.

On another subject, the battle rework seems to please a vast majority of the players, and even if there were some glitches, and 1 or 2 players unhappy with the move, I still believe it was a good feature change. Let's hope the next "phases" of this rework will be as good as the previous ones.


25 Nov, 2009

A more secure login

Posted by garg 12:12 | Game inside

Once more I will pick a question from a chat discussion as the starting point for a little article. The question was how to use SHA256 in JavaScript. Of course you may wonder what SHA256 is. Well, to make a long story short, it's a more secure replacement for the well-known MD5 "digest" function or hash function. Basically MD5 and SHA256 are functions which take some string and produce a short binary identifier for it. That means you can in theory have more than one initial string which produces the same identifier, but in practice it's very unlikely, and it is certainly extremely difficult to find a possible string out of those identifiers without doing a brute force attack (more on this later). Those functions are also called one way cryptography, as they allow you to encrypt something but you cannot normally go back to the original message.

 

You now know what those functions are, but how useful are they? Well, maybe you don't know it, but all the communication between browsers and servers over plain HTTP is PLAIN TEXT, which means anybody between the browser and the server can see the data exchanged without any problem. This is valid for all the GET and POST parameters as well as for the cookies or anything else exchanged. The only way to prevent this is to use the HTTPS (S for Secure) protocol instead of the normal HTTP one. However, there are a few issues with HTTPS. First of all it requires a server certificate, and if you don't purchase one you will force your users to go through some odd browser acknowledgment which basically says: "Yes I agree and understand that this certificate is not valid or unknown". There are some cheap certificates (look for Go Daddy, for example), but normally an SSL certificate is expensive and needs to be re-installed every year. Another problem with HTTPS is that it requires some more CPU on the server as well as on the browser side.

 

So if you don't use HTTPS, like most web sites out there, you run the risk that somebody steals the passwords players or admins use to log in on your site. And here we can use those "digest" functions mentioned above.

 

The idea is that you take the password given by your player, encrypt it on the browser side via JavaScript, and then send the encrypted string over the network. The advantage is that if somebody is sniffing your traffic he/she will not be able to read / know the password used. However, this is only a first step, as this person could use the exact same encrypted string to log in as well. So the solution is to concatenate the IP of the client and the password together and then make the MD5 out of it. On the server, as you cannot decrypt, you do the same job: take the user password out of the DB, glue it to the browser IP, feed it to the MD5 function and see if it matches what you got from the player. By doing so, you ensure the same encrypted string cannot be shared among other PCs if they use a different IP. You could further improve it by using a cookie or some other kind of session identification so that only that browser will be accepted for that session and not all browsers / PCs sharing the same IP.

 

As this could be somewhat difficult to understand just like that, I prepared a full script for you (PHP and JavaScript) to see how things work. The first (and biggest) part of the JavaScript, as you will see, is taken from the internet, so if you use it, please leave the copyright. For the remaining parts you can use them as you want.


The script:

http://base.nowhere-else.org/tutorials/check_pass.zip
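
The scheme described in this post, written out as an added example in Node.js with SHA-256 from the built-in crypto module (it is not the code in check_pass.zip and not NEaB's own). The function names, the `|` separator and the one-time session id are assumptions made for illustration; the session id is one possible form of the "session identification" suggested above.

```javascript
// Added example, not the code from check_pass.zip; all names are hypothetical.
const nodeCrypto = require('crypto');

const sha256 = (s) => nodeCrypto.createHash('sha256').update(s, 'utf8').digest('hex');

// Browser side: the value sent instead of the password. `binding` is what
// both ends glue to the password (client IP, optionally plus a session id).
function clientDigest(password, binding) {
  return sha256(binding + '|' + password);
}

// Server side: recompute from the stored password and compare in constant time.
function serverCheck(storedPassword, binding, received) {
  const expected = Buffer.from(clientDigest(storedPassword, binding), 'hex');
  const got = Buffer.from(String(received), 'hex');
  return got.length === expected.length && nodeCrypto.timingSafeEqual(expected, got);
}

// Session binding (assumption): the server issues a random id per login
// attempt, ties it to the requesting IP and accepts it once.
class LoginSessions {
  constructor() { this.pending = new Map(); }
  issue(ip) {
    const id = nodeCrypto.randomBytes(16).toString('hex');
    this.pending.set(id, ip);
    return id;
  }
  verify(storedPassword, ip, id, received) {
    if (this.pending.get(id) !== ip) return false; // unknown, used, or other IP
    this.pending.delete(id);
    return serverCheck(storedPassword, ip + '|' + id, received);
  }
}

function demo() {
  const stored = 'correct horse';                   // constructed sample password
  const ipA = '203.0.113.7', ipB = '198.51.100.9';  // documentation-range addresses
  const ipOnly = clientDigest(stored, ipA);         // what crosses the network
  const sessions = new LoginSessions();
  const id = sessions.issue(ipA);
  const bound = clientDigest(stored, ipA + '|' + id);
  return {
    sameIp: serverCheck(stored, ipA, ipOnly),           // accepted every time it is sent
    otherIp: serverCheck(stored, ipB, ipOnly),          // rejected: IP differs
    firstUse: sessions.verify(stored, ipA, id, bound),  // accepted once
    secondUse: sessions.verify(stored, ipA, id, bound), // rejected: id already used
  };
}
```

With IP binding alone the same digest stays valid for every login from that address, which is the gap the session id closes.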



22 Nov, 2009

Battle rework

Posted by garg 05:16 | Futurama
Some of you already know it: I'm currently working heavily on the battle system and screen. There are multiple things which will change in the short/medium term. Changes vary from pure aesthetic changes to rule rewrites and new features. Here is what is currently planned:

1) Should start from within the map (or look like it)
2) Should be a bit more compact, and have icons
3) Should display all options (like spells or whatever else) so new players know that at some point you will be able to do it, even if currently you cannot use the option.
4) Allow weapon change (must be pre-configured)
5) Elemental rework (add or block some elemental effects and not like it's currently done like a multiplier)
6) Allow setup of shortcuts for spells or other as well.
7) Allow true PvP battles (clan wars)

As you can see, it's not a simple "add new button" story here. It's more a complete rework than a simple upgrade, even if I will keep a lot of the current code. Still, for you players, it will look different, you will have more options and some rules could change battles a bit (more likely in your favor). Due to the size of this project as well as its complexity it will not be a one-shot update; instead I will work in steps (or milestones, as we normally call them), therefore expect to see changes coming (not sure at which speed).

Once all this is finished, we should have gone through one of the biggest upgrades of the year, and hopefully added yet more fun and depth to the game. As always I'm open to all suggestions / comments, and as always the best way is to use the forums. But before complaining about something, wait to see how things will be, as I do have a somewhat clear idea in mind, but didn't explain all the details here.

12 Nov, 2009

PlayersCorner banner exchange

Posted by garg 06:22 | Futurama
We worked (quite) secretly with MDShare to bring you a new tool to advertise your game, or actually make money out of it:

http://www.playerscorner.org/exchange

At first it looks like a banner exchange, and partially it is indeed. What we offer as a first service is the following:
- You place banner slots on your web games or web games related web sites.
- You upload your banners.
For each 4 banners displayed on your site you receive 3 credits for the same sized banners, which convert into automatically displaying your banners on other web sites. So far nothing that special, besides the fact that we will monitor both the quality of the banners and the quality of the websites, which means no odd websites or annoying banners. Now the similarities with a banner exchange stop, as we will soon (likely next week or so) allow our members to buy credits from each other for real money. That means: you show banners on your site but don't want to advertise yours? Fine, just collect credits and resell them to somebody who wants to just advertise without having banners on his/her site. The price? Up to you, as it will be done in an auction-like tool: you place your bundle of credits, set a start-up price, and hope somebody will purchase them.

Payment will be done via Paypal, both to fill in your account and to get back money from your account. The fill-in will be automated, whereas withdrawals will be done by hand.

As we are just starting up we will credit you 1'000 free credits as soon as you register your first slot, and we may introduce other bonuses on the way.

Our banner exchange is already up and running by the way, with banners already in rotation (not many yet), and all the tools you should need, even detailed statistics. Personally I think it's one easy and cheap way to get your game known, so why not join? Yes, I know some of you are scared of putting a banner of another game on your own, and now I will tell you why I do it myself: simply because players don't play only one game, so they will certainly not stop playing yours because they discover another one via the banners. Instead you may gain new players (for free) from other games. So for me it's a win / win situation.

Final note about why we chose an impression-based system instead of the pay/reward per click as many others do: simply put, even if you do not click on a banner, you will still see it, and this increases the prestige of the game advertised, so maybe players don't click on the banner right away and then use Google to find it. It also seems more fair to us, for those who really work on showing banners but maybe don't get clicks as they are not forcing their players to do so.


