December 16th, 2007

mmo /played

How much time have I spent plugged in to virtual worlds over the years? Idunno. Can’t really track it very accurately because a lot of the numbers have been thrown away or were never recorded in the first place. I’ve been meaning to take this survey for a while now, and a few minutes of investigation have proven enlightening or at least vaguely entertaining (to me).

world of warcraft

I primarily play Allaryin, a dwarven hunter, my only lvl 70 char. I don’t raid and I burnt out on PvP a while ago. In fact, I hardly play any more. My account is currently pending cancellation (like the 4th or 5th time) as soon as my paid time runs out again.

Despite all of that, my total /played for all of my extant characters is about 53 days. 37 of those were spent on Al.

everquest 2

I’ve had 3 main characters over the years. That said, however, my total playtime on all remaining characters is barely 7.5 days. Half of that has been spent on my current ‘main’, Juvu, a lvl 35/31 sarnak shadowknight/armoursmith - my first serious attempt at playing a tank in any MMO in over 10 years.

city of heroes/villains

I don’t know what my CoH/CoV played time is. My subscription is not active. But I have two characters that I’ve spent the bulk of my time on, Tetris and Columns. I suspect Tetris’s /played time is 2x that of Columns’, despite their vast level differences.

ffxi

I have no idea how much time I spent on FFXI. I don’t even remember if that sort of data was easy to acquire or not. My main character, Kikichikki the Taru WHM hovered at the lvl 20 boundary off and on for months before we finally pulled the plug on our accounts for the last time.

three kingdoms

3K is the mud I played the most during college, and despite my lack of desire to continue playing there, I have hosted several sites for different guilds over the years. My character has hopped between just about every class available in the game, and is finally back in Priests where he started. He is 65 days old.

discworld

The Discworld mud is probably still my favorite text-based game of all time. I’ve put in a lot of time into every class in the game, but all of my alts appear to have been deleted over the years. The only character I have remaining is my main, the current incarnation of Allaryin of the Venerable Council of Seers - 14 days old.

walraven

I guess it’s not much surprise that I’ve spent more time on my own game than anything else. Since I first added character age tracking, Allaryin has logged in excess of 260 days of play/idle time.

Of course, in all of these games, I’ve had other characters that took time but were eventually deleted for one reason or another. And then there are all of the games I only demo’d or beta’d… and the numerous derivative faceless Diku clone MUD’s and cookie cutter Korean MMO’s…

It will take a LONG time for these newfangled graphical games to even come close to the time I’ve spent on MUD’s.

Posted by Ammon as mmorpg, play at 10:33 PM EST


December 13th, 2007

new flash security policies

So... I am not happy with Adobe right now. With the push of Flash Player 9,0,115,0 "moviestar", which included such awesome features as H.264 and AAC codec support and improvements to fullscreen mode, they kind of ambushed me with some sweeping changes to their security policy.

I'd been running pre-release nightly builds of the player since 9,0,60,x... and had noticed some strange warnings. Mysterious "Socket Security Error #2048" exceptions that were being thrown at random - even though I was serving an appropriate (for the time) crossdomain.xml file, unexplained timeouts attempting to talk to an xml socket server when I was very clearly not attempting to do any such thing, etc... My regularly repeated attempts to find documentation on what the warnings actually meant proved fruitless. I believe that is because the appropriate document was not actually released to the public until 9,0,115,0 was released.

Now, the bit where they improved the format for crossdomain.xml files doesn't really affect me one way or the other. I approve of the improvements but could really care less in this case. They don't really affect anything I'm doing.

The part that really chaps my hide is the fact that they've completely redone the way that socket security policies are handled. The important parts:

  • A SWF file may no longer make a socket connection to its own domain without a socket policy file. Prior to version 9,0,115,0, a SWF file was permitted to make socket connections to ports 1024 or greater in its own domain without a policy file.
  • HTTP policy files may no longer be used to authorize socket connections. Prior to version 9,0,115,0, an HTTP policy file, served from the master location of /crossdomain.xml on port 80, could be used to authorize a socket connection to any port 1024 or greater on the same host.

That's right. Your socket policy data can't live in the sitewide crossdomain.xml file that Apache serves any more.

Flash Player 9,0,115,0 introduces a concept of socket master policy files, which are served from the fixed TCP port number 843.

Socket policy files may be obtained from the same port as a main connection (the socket connection being made by ActionScript, which is authorized by a socket policy file), or from a different port, separate from the main connection. If you opt to serve a socket policy file from the same port as a main connection, the server listening on that port must understand socket policy file requests (which are indicated by a transmission of from Flash Player), and must respond differently for policy file requests and main connection requests.

  • When a SWF file attempts to make a socket connection, even to its own domain, Flash Player will first attempt to contact port 843 to see if the host is serving a socket master policy file.

So... regardless of whether you're even using a custom port 843 client, the Flash Player is going to try to hit it. What if your firewall doesn't allow/route traffic to sub-1024 ports w/o special configuration? What if you don't have the access to bind to a sub-1024 port and can't rewrite your other server process to serve the policy data on its port?

  • Socket meta-policies can only be declared in a socket master policy file. The syntax is the same as for declaring a meta-policy in an URL master policy file, using the <site-control> tag. Socket meta-policies cannot be declared in HTTP response headers, as HTTP is not involved.

This implies that you can't even tell Apache to listen to port 843 and serve up the data. You HAVE to either maintain a separate server process specifically for the purpose of serving this policy data, or you have to edit the process that SWF's are connecting to and make them serve the data.

As of the time of this writing (10 days after moviestar's release), they have yet to release promised help on how to deploy a solution to these new changes. Granted, the one article they did release explains what needs to be done in high level terms. It was sufficient to help me out. I wrote a server that simply listens on port 843 and spews the required xml. But... I'd have really appreciated specific examples, and I suspect plenty of people would appreciate drop-in solutions to the issue.

A 5-minute skeleton implementation (not recommended for production use by any means) written as a PHP cli script might look something like this:

#!/usr/bin/php
<?php
/**
 * Ugly Flash socket policy file service. This script must be run as root from
 * the command line. It binds to port 843 on all interfaces and waits
 * indefinitely for connections. When a connection is detected, the script spits
 * out a chunk of xml and disconnects. It can only serve one request at a time,
 * but that shouldn't be much of a problem.
 *
 * One potential problem with this script is that you can easily lock port 843
 * up for an indeterminate amount of time if the script doesn't exit cleanly.
 * The OS should clear the port up for you eventually, but you could be stuck
 * playing the waiting game.
 *
 * This particular version of the script has only been tested very lightly.
 * Deploy at your own peril ;) YMMV.
 *
 * - Ammon Lauritzen [12/13/07]
 */

// define the xml policy "file"
$policy_file =
    '<'.'?xml version="1.0" encoding="UTF-8"?'.'>'.
    '<cross-domain-policy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="http://www.adobe.com/xml/schemas/PolicyFileSocket.xsd">'.
        '<allow-access-from domain="*" to-ports="*" secure="false" />'.
        '<site-control permitted-cross-domain-policies="master-only" />'.
    '</cross-domain-policy>';

// make sure everything launches correctly
if( posix_getuid() != 0 )
    die( "You must run this script as root.\n" );

$sock = @socket_create( AF_INET, SOCK_STREAM, SOL_TCP );
if( !$sock )
    die( "Unable to create socket.\n" );

$succ = @socket_bind( $sock, "0.0.0.0", 843 );
if( !$succ )
    die( "Unable to bind to port 843.\n" );

$succ = @socket_listen( $sock );
if( !$succ )
    die( "Unable to start listening.\n" );

// start serving policies
while( true ) {
    $r = $w = $e = array( $sock );
    if( @socket_select( $r, $w, $e, null ) !== false ) {
        $conn = @socket_accept( $sock );
        if( $conn !== false ) {
            // somebody connected, just dump the xml and close
            socket_write( $conn, $policy_file );
            socket_close( $conn );
        } else {
            echo "socket_accept() failed?\n";
            break;
        }
    } else {
        echo "socket_select() failed?\n";
        break;
    }
}// end: listen forever

// clean up
socket_close( $sock );
?>

I'll try to make my production version of this a bit more suitable for public consumption and release it as soon as I can.
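A stricter variant of the port 843 service, as an added example in Python that is not the author's script or his later daemon: it waits for the `<policy-file-request/>` string plus null byte that Flash Player sends, answers with a null-terminated policy, and refuses wildcard domains and ports instead of serving `domain="*" to-ports="*"`. The domain `game.example.com` and port 4000 are placeholders, and the function names are this example's own.

```python
import socket

REQUEST = b"<policy-file-request/>\x00"   # what Flash Player sends first

def build_policy(domains, ports):
    """Socket master policy limited to named domains and ports (no wildcards)."""
    if not domains or not ports:
        raise ValueError("refusing to build an empty policy")
    for value in list(domains) + [str(p) for p in ports]:
        if "*" in value or '"' in value:
            raise ValueError("wildcards and quotes are not allowed: %r" % value)
    ports_attr = ",".join(str(p) for p in ports)
    rules = "".join(
        '<allow-access-from domain="%s" to-ports="%s" />' % (d, ports_attr)
        for d in domains)
    xml = ('<?xml version="1.0"?><cross-domain-policy>'
           '<site-control permitted-cross-domain-policies="master-only" />'
           + rules + '</cross-domain-policy>')
    return xml.encode("ascii") + b"\x00"      # the reply is null-terminated too

def handle_client(conn, policy, timeout=3.0):
    """Answer one connection; True only if a well-formed request was served."""
    conn.settimeout(timeout)                  # a silent client cannot stall the loop
    buf = b""
    try:
        while len(buf) < len(REQUEST):        # read first, so we never close with
            chunk = conn.recv(len(REQUEST) - len(buf))  # the request still unread
            if not chunk:
                break
            buf += chunk
        if buf != REQUEST:
            return False                      # not a policy request: send nothing
        conn.sendall(policy)
        return True
    except OSError:                           # includes socket timeouts
        return False
    finally:
        conn.close()

def serve(policy, host="0.0.0.0", port=843):
    """Blocking accept loop; binding port 843 needs root or CAP_NET_BIND_SERVICE."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)  # quick restarts
        srv.bind((host, port))
        srv.listen(16)
        while True:
            conn, _ = srv.accept()
            handle_client(conn, policy)

if __name__ == "__main__":
    # Constructed values: game.example.com and port 4000 are placeholders.
    serve(build_policy(["game.example.com"], [4000]))
```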

The random #2048 security errors continue, despite having deployed my port 843 policy xml server. Granted, they happen less than before... but they still happen. And even when my policy server isn't running, the errors aren't thrown 100% of the time. This just baffles me. If they were consistent, that would be one thing. But when you get a security error 1 time in 20... that's not security, that's not even a lame deterrent. It's just incentive to hammer the same port over and over again until something finally gives.

Now, I admit that I could be wrong here... but I've re-re-read the documentation on these policies a few times now, and cannot find any reason for the behaviors I'm seeing.

update

On April 22nd, 2008, I released a much better, much more reliable version of this daemon. Head over there for more details and source code.

Posted by Ammon as flash, howto, programming, rant, security at 3:14 PM EST


December 5th, 2007

quick recap

Well... it's been entirely too long since I've written. I love how two posts ago also started with this observation. Well, the half-written post count is up to 19 and the video game reviews I want to write are up to 4 :P

We're also still alive. I probably should have mentioned that when we came home from Troy's. The fire didn't directly affect anyone I know. It got within yards of one of my coworkers' place and burnt other buildings in his complex, but his was fine. Where I am was fine, fire didn't get much closer than 2.5-3 miles to our place. We got a thin dusting of ash, but barely enough to notice. The air was horrendous for a few days after we got back though.

Work... is awesome and mentally draining and terribly rewarding. Even though I can talk about the platform now, most of the things I would want to say (and haven't already just said on the forums) are about games and features that have yet to be unveiled, so shrug. A few of my partially written blog posts are on some of the problems I've solved at work, so those might wind up giving me an outlet to talk about Metaplace w/o actually talking about Metaplaces. :P

I've all but given up on doing any real anime reviews this season - I've not actually had time to watch anything new, even though I've been looking forward to 2 or 3 of the shows currently on. We'll see if I can watch some of the spring 2008 season instead. Looks like Haruhi is coming back next year, so that'll be fun... yeah. I'm gonna be prepared this time next around ;)

I've beaten Folklore, Jeanne d'Arc, and Portal since October. I am currently really enjoying Lego Star Wars on the Wii (yay for silly games) and the new EQ2 expansion. My WoW chars are sitting on ice until the expansion, I think. I keep meaning to get back into Puzzle Quest and the FFT and Disgaea PSP remakes and am also serving Dracula X and Super Mario Galaxy with a good long look...

While I'm here, I guess a few quick game observations are in order. I've got a separate mud-related post that I'll also try to finish tonight.

Portal (PC)

I offer no review for Portal, plenty of others already have. The game rocks. It's funny. It's innovative. I've played it through twice now, and am currently torturing myself with challenge maps ;)

Jeanne d'Arc (PSP)

Jeanne d'Arc is the reason I bought a PSP. It is the first tactical strategy RPG I've beaten in years. I really can't say enough good things about it.

The graphics are good, the anime cut sequences are well done. The silly Frenchy accents are a bit meh, but they don't detract from the story. I stayed up late many a night with the PSP plugged into the wall next to my bed in order to watch "just one more" story sequence.

The combat system is great. It's refreshing to see an RPG where the "fight" button is actually useful throughout the entire duration of the game - most games obsolete the generic attack option with specials that you can use with abandon. And, while it sometimes irked me as I played, I appreciated the built-in time limits on all battles. They prevented me from pulling a Disgaea or FFT and grinding skills during plot fights and becoming too supremely overpowered.

I guess my only real complaint about the game is that the story became more and more far-fetched as it progressed. That, and the combat quickly became easy and then trivial. I actually beat the game "by accident" while alternating between absentmindedly taking moves and watching news about the fire's progress on m3mnoch's couch. I don't even know which of my party members delivered the killing blow :P

I give the game a 9.5 out of 10. It is a definite must-have for fans of the genre. Just ignore the fantasy Europe and the talking animals and stuff.

They could have done better by giving me an adaptive difficulty setting where the AI responded intelligently to veteran players as the game progressed. As it is, the same tricks that one discovers before map 10 still work after map 30. None of the boss fights really taxed the neurons, they were all pretty much cases of "smash the boss before he eats you". Sometimes you had to do something trivial to enable said smashing... but that was usually as little as "get within attack range" :P

Folklore (PS3)

Folklore is one of the first exclusive PS3 titles worth playing. I loved the demo and waited for the launch like a man possessed because I was dumb enough not to pre-order for some bizarre reason. It took me several days until after the nominal launch to actually find a copy, which I then pretty much devoured.

The story is excellent, and the voice acting adds a lot. The characters are the sort you can get attached to. The humor is even occasionally pretty good. Unfortunately, the pseudo comic book cut sequences outweighed the fully rendered plot points by a large number, and they really take some getting used to so some people might miss the depth of the plot. I enjoyed the comic sequences near the end of the game, but always wished that they'd just taken the effort to do the story sequences right.

The gameplay is good. Not excellent, but it's enjoyable and intuitive. It does get a bit repetitive after a while, however. The first 3 levels enthralled me. The last few... I blew through the combat, just to get to the story points.

The sixaxis stuff isn't bad, either. There was some concern that it would take away from the game, but it was well done. However, I don't really think it added anything meaningful to the game and wouldn't have missed it if they hadn't included it. Like all early titles for any system with a new control scheme, Folklore suffers from the same desire to actually use all of the features. Remember how the PS2 controllers featured analog buttons? Early games obsessed with making button pressure matter. I hated that. Thankfully, most later games on the console that I am aware of ditched that idea as a core gameplay element.

All in all, it plays kind of like a cross between Castlevania: Dawn of Sorrow and Dark Cloud. I give the game a 7.5 out of 10.

It is certainly better than the average stuff to hit the console and is worth considering, despite a few rough spots. But it is essentially a launch title, so I cut them some slack there. They could have scored higher by giving me more content, making the distinction between Ellen and Keats's puzzles more pronounced (their boss fights really were 90% the same), and ditching the crummy plot sequence mechanics.

But the number one thing they could have done to improve the game was give me a blasted "New Game+" mode or even just let me continue running around in the netherworlds after beating the final boss. They give you this Pokemon system for catching several dozen creatures and then training them up... but when you finish the game, it's all over. No way to resume building up your guys just for the 100% completion type feeling.

Posted by Ammon as confession, eq2, games, play, ps3, psp, sleep at 1:11 AM EST
