Rosio Pavoris

So yes

Christmas and all that.
I got an iPod Nano (though I didn’t ask for one; I just mentioned I needed a new MP3 player, since my old one is a Sony one, and Sony is getting on my nerves; Apple obviously isn’t any better in terms of principles, but at least I can install Linux on it), The Art of Computer Programming, Volume 1, Fascicle 1 (bought because my mom was under the impression it was volume 1, which was a fair guess since it doesn’t even say anywhere on the cover that this is just an update to a single chapter of volume 1, not the actual volume; I don’t know whose idea it was to not label it explicitly, but that person shouldn’t be in marketing), and something purporting to be a chemistry set. Its main feature seems to be “supersnot”, so I question its usability in the manufacturing of high explosives.

Anyway.
I wrote a Facebook application, both because I was bored and because I wanted to see what the Facebook API looks like. Somewhat odd but not terribly complicated, turns out.
Basically all this app does is display your Muffins name and ID and level and avatar in your profile (and optionally your title, equipment, and/or companion as well), and show you a list of friends who added the application and their Muffins names and IDs and levels and avatars.

It’s not terribly useful for Muffins, perhaps, since we only have forty or so active players, and to the best of my knowledge fewer than ten of those use Facebook, but I made it anyway. It would have been handy to have this for something like KoL, but I’m not going to write it, in large part because, to make things simpler, I wrote a script that just queries the game database directly and outputs neatly-formatted code, which the Facebook app interacts with, which I wouldn’t have been able to do without admin access.
For KoL, you’d need an active player session to view player profiles and something to log back in when the session dies because of time-outs or rollover and a parser to extract the needed information and another bit to format that information again and then the whole thing catches on fire and you cry yourself to sleep. So no, not going to do it.


Sine qua nonce

Re: the issue with Muffins! passwords travelling over the network in plaintext: this has been fixed.
The solution involves a nonce, client-side MD5 hashing, and lots of stolen Javascript.

And through the magic of graceful degradation, it will automatically fall back on the old system for people who disabled Javascript. It will also warn these people they should fucking turn on Javascript, because nonces aren’t much fun to implement and if they’re not going to take advantage of them they should go play some other game.

Anyway, the upshot of this is that passwords no longer travel over the network in plaintext (except during registration, which I’m very probably not going to do anything about), so if they get guessed, it’s seriously not my fault.
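A sketch of the nonce exchange described above, added here as an illustration and not taken from the Muffins! code. The post does not give the construction, so the response formula MD5(nonce + MD5(password)), the five-minute nonce lifetime, the sample account and all function names are assumptions.

```javascript
const crypto = require('crypto');

const md5 = (s) => crypto.createHash('md5').update(s, 'utf8').digest('hex');

// Constructed sample account. The server stores the unsalted MD5 of the
// password, as the blog describes for Muffins!.
const users = new Map([['alice', md5('correct horse')]]);
const pendingNonces = new Map();    // nonce -> expiry time in ms
const NONCE_TTL_MS = 5 * 60 * 1000; // assumed lifetime

// Server: hand out a fresh random nonce together with the login form.
function issueNonce(now = Date.now()) {
  const nonce = crypto.randomBytes(16).toString('hex');
  pendingNonces.set(nonce, now + NONCE_TTL_MS);
  return nonce;
}

// Client: what the page's script sends instead of the password itself.
function clientResponse(password, nonce) {
  return md5(nonce + md5(password));
}

// Server: recompute the response from the stored hash and compare.
function verifyLogin(username, nonce, response, now = Date.now()) {
  const expiry = pendingNonces.get(nonce);
  pendingNonces.delete(nonce); // single use, whether or not the login succeeds
  if (expiry === undefined || now > expiry) return false; // unknown, reused or stale
  const stored = users.get(username);
  if (stored === undefined) return false;
  const expected = Buffer.from(md5(nonce + stored), 'hex');
  const got = Buffer.from(String(response), 'hex');
  // Length check first: timingSafeEqual throws on unequal lengths.
  return got.length === expected.length && crypto.timingSafeEqual(got, expected);
}

// A captured response is useless the second time because its nonce is gone.
function demo() {
  const nonce = issueNonce();
  const response = clientResponse('correct horse', nonce);
  return {
    first: verifyLogin('alice', nonce, response),
    replay: verifyLogin('alice', nonce, response),
  };
}
```

In this construction the stored MD5 is the value that proves identity, so it needs the same protection as the password, and the scheme covers only the login request, not the rest of the session.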

(Next up, the bruteforce thing. Which is pretty straight-forward: failed log-in attempts are logged, and before it logs you in it checks if there are fewer than, say, three failed attempts in the past fifteen minutes from your IP. If not, it won’t log you in. Shouldn’t bother legitimate users (if it didn’t check IPs malicious users could use it as a denial-of-service attack on users; I guess they sometimes still can through the magic of braindead ISPs), but it makes bruteforce and dictionary attacks completely unfeasible, even for people with very dynamic IPs.
It’ll have to wait until tomorrow, though.)
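The failed-attempt check outlined above, as an added example rather than the game's actual code. The limit of three and the fifteen-minute window come from the post; the class, function names, sample traffic and in-memory log are assumptions.

```javascript
const MAX_FAILURES = 3;           // "say, three" in the post
const WINDOW_MS = 15 * 60 * 1000; // "the past fifteen minutes"
const MIN = 60 * 1000;

class LoginThrottle {
  constructor() { this.failures = []; } // log of { ip, user, at }

  recordFailure(ip, user, at) { this.failures.push({ ip, user, at }); }

  // Failures from this IP that still fall inside the sliding window.
  recentFailures(ip, now) {
    return this.failures.filter(
      (f) => f.ip === ip && f.at <= now && now - f.at < WINDOW_MS
    ).length;
  }

  allowed(ip, now) { return this.recentFailures(ip, now) < MAX_FAILURES; }

  // For whoever reads the log: IPs currently at or over the limit.
  lockedOutIps(now) {
    const ips = new Set(this.failures.map((f) => f.ip));
    return [...ips].filter((ip) => !this.allowed(ip, now));
  }
}

// The throttle is consulted before the password is checked, so even a
// correct guess from a locked-out IP is refused.
function attemptLogin(throttle, checkPassword, ip, user, password, now) {
  if (!throttle.allowed(ip, now)) return 'throttled';
  if (checkPassword(user, password)) return 'ok';
  throttle.recordFailure(ip, user, now);
  return 'failed';
}

// Constructed sample traffic: [minute, ip, user, password].
const sampleAttempts = [
  [0, '203.0.113.7', 'alice', 'aaaa'],
  [1, '203.0.113.7', 'alice', 'bbbb'],
  [2, '203.0.113.7', 'alice', 'cccc'],
  [3, '203.0.113.7', 'alice', 'hunter2'],  // correct, but this IP is locked out
  [3, '198.51.100.9', 'alice', 'hunter2'], // the real user on another IP is unaffected
  [18, '203.0.113.7', 'alice', 'hunter2'], // all three failures have aged out
];

function replay(attempts, throttle = new LoginThrottle()) {
  const check = (user, pw) => user === 'alice' && pw === 'hunter2';
  return attempts.map(([minute, ip, user, pw]) =>
    attemptLogin(throttle, check, ip, user, pw, minute * MIN));
}
```

Keying the count on the source IP rather than the account is what keeps a third party from locking a player out, at the cost of users behind a shared address sharing one budget.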


The Evolution of Muffins! Authentication

(Long post! You probably won’t think this is very interesting unless you play Muffins! and have a passing interest in cryptography and/or network security.)

When I started working on Muffins! over two years ago, I was a Japanese language student with no experience in programming or security whatsoever. I had heard about things like packet sniffing, though, and had a vague idea how the internets worked, but my ability to design a log-in system was limited by my ignorance of both PHP and of the possible vectors for attack.
Consequently, when Muffins! was just a blank page with a note saying “Imagine there’s a map here!”, the authentication mechanism sucked. Passwords were stored as unsalted MD5 hashes, and logging in sent your username and password in plaintext to the server, where the password was hashed and compared to the stored hash for your username. The server would then set a cookie with two fields: one for your user ID, and one for your password hash.
With every pageload, the server would look at your cookie and compare it to the contents of the database. If there was something wrong, it’d destroy your cookie and kick you to the log-in page, and that was that.


Also

Muffins is back. Seemed right, since it’s two years ago today that it first went online.
Everyone’s been deleted, because I felt like deleting everyone. Development is expected to resume, though probably at a slower pace than two years ago. The only thing changed so far is that accounts are no longer deleted after two months of inactivity.


Goddammit, Mercury

I took SWBHG down, and it’ll stay down. For “undisclosed vulnerabilities”, is all I’ll say.

(By which I mean, a retarded chimpanzee could code a more secure application.
At least we won’t be going over our allotted webspace as quickly in the future.)

Update: Alright, it should be patched now. I’ve brought it back provisionally, but I’ll be watching it closely.
Regarding the webspace, the SWBHG vulnerability wasn’t the cause of it, apparently, though it could have been used to do the exact same thing. Still, that was something else, and that, too, has been taken care of now.


In which I fail at RSS

I wrote an RSS feed for the Muffins! updates thing for no particular reason, but for some reason, it doesn’t work.
I strongly suspect this isn’t my fault, since even the w3c validator thinks it’s completely valid, but since it refuses to work as either a Live bookmark (in Firefox) or a standard feed in Thunderbird, I can’t exactly leave it at that.

If someone with more experience than I have could look at that and tell me what’s wrong with it, I’d be eternally grateful. ;.;

(It took me a while to figure out I needed header('Content-type: text/xml; charset=utf-8', true), and even longer to figure out what, exactly, an RFC-822 date format was (using D, d M Y H:i:s e), but at least those were troubleshootable problems.)


Mmhm

I added a quotefile, because I know people wanted that.

This is very much worth reading. It’s kind of long, but it’s an important point.

Also, apparently a disproportional number of people are finding this blog while googling for a Muffins! auto-adventure script. This would be what you’re looking for. It’s not incredibly well-written, and parts of it may not work anymore, but it’s adequate.

People tell me temperatures here have dropped by 15° (Celsius, not the Fahrenheit) in the past week. They’re still mostly above freezing, but still. Here are some penguins to celebrate.

Pengywins~


Christmas Eve

We had fondue, finally. My dad wished me a happy birthday, but we always have fondue on Christmas Eve, so they still owe me my birthday fondue, really.
Fondue Bourguignonne, that is.

Then we opened presents. My sister wasn’t here for it, but I doubt anyone minded. I got a hat and a stuffed rat. I asked for a cat.
Oh, and monies. Not too many, but more gifts tomorrow, when my aunt comes to visit.

This amuses me.

I implemented some Christmas content in Muffins. Seven new items. I guess it’s better than last year’s rock.

I created a Best Of page. If there are posts you’d like to see on there (or if there are posts on there you don’t think should be), do tell.

Tween sloth.

Tween sloth~


Stuff

I dislike writing assembly, especially on paper. Still finished test first, and I’m willing to bet I was the only one who produced a working program.

Muffins is a year old today. It’s been dead for half of that, but still. I guess everything gets old if you wait long enough.
Anniversary code is working, AFAICT.

Also, midterm elections tomorrow. If you’re in a position to vote, do so.
If Santorum still has a job after this, I’m going to punch a random passer-by.

Also, yes, Saddam Hussein was sentenced to death. If you don’t have a problem with that, you’re probably a hypocrite.
Civilised countries should condemn the US for handing him over to Iraq. Europe has exceptions in its extradition treaties for countries that practice the death penalty. The fact that the US practices it itself doesn’t mean we should be okay with it.
He should’ve been tried before an international court. That’s what they’re for.


*sigh*

Remember this guy?
He changed his IP and made two new accounts, which is fine if you’re not going to bother anyone anymore, but then he managed to get one of those accounts disabled before I even realised it was the same person. Guess what happened.

Yup.

Note that last account. Again. Parents need to watch their kids more closely.
He also needs to get over the idea that we’re trying to be like KoL. Does he think he’s hurting my feelings by pointing out I’m not Jick?

Funny part is, shit like this isn’t even the reason Muffins is no longer in development.


Y’know…

One of our admins is Jewish and a girl. The other is black, asian, emo, and quite possibly a furry. I think “faggot” is maybe the only slur that doesn’t apply to any of us.
So why does it get thrown around so much?

Either way, Terru got to disable four accounts and I got to ban another IP. Great fun.

Edit: Oh, obviously. It’s amazing how many people suddenly have horrible friends when they get banned. Before you feel too sorry for him, though: hah.

(I agree with him as far as the badgers go, BTW. Which is why the reference to it points out it’s a tired pop culture reference. It’s been in the game since last November. This June, KoL implemented the astral badger.)


Wooh~

Northlands finally rolled out. The adventure areas could do with some more content, but that can easily be added later.

I need a nap.


Wooh~

I’m actually getting fair amounts of work done on Muffins. This is the first time in ages I’ve actually enjoyed working on content. I’m reasonably happy with most of the new content, though still vaguely stuck on some bits.

Heat is kind of making my drawerings suck, though.


General update!

Not a lot has been going on, as usual, but I haven’t updated properly in months, so the not a lot adds up to a fair bit. Let’s see.

My grandfather’s still in the hospital. Haven’t seen him in ages, but I hear he’s doing well. I guess he just likes it there.

Both my sister and my mom are done with exams now, so I expect a lot less peace and quiet from now on.
My sister already almost managed to throttle our bandwidth by going half a gig over the download limit, but I changed our internet provider plan thing to be less restrictive. I like knowing my parents’ passwords.
They didn’t freak out about it when I told them, which vaguely surprised me. Maybe they didn’t know what I was talking about. Either way, monthly fees are the same.

Climate-wise, temperatures are more sane. Still vaguely too hot, but nothing pantslessness won’t solve.

Online drama-wise, I stopped going to #radio-kol because it’s gone to shit and complaints have pretty much been dismissed with “I don’t have a problem with it, therefore there is no problem; suck it up and deal, because clearly you’re just being childish”. Maintaining that the problem isn’t worth addressing when two people who have been regulars for, what, a year and a half now, think it’s serious enough to just leave entirely is a bit retarded. Just a tiny bit.
But yeah, that discussion is essentially over anyway.

Muffins is still up, though I haven’t updated in ages. Despite a fairly huge flood of new registrations a while ago, multi abuse is next to non-existent, which is good.
I guess I really should work on new content. I’m perfectly happy working on code, but thinking of, drawing, and writing new adventures and puzzles and whatnot is meh. The northlands have been on the verge of rolling out for a while now. They mostly need more adventures.

KoL-wise, I’m finishing up my HCO runs before NS 13. Just one more after this. Dunno if I’ll make it, but meh. Moving slowly, but not as slow as all that, really.
Also playing Cawd’s account for a few runs. Doing a lot better than I was on my own at that point. Technically the current run is the last one I’m supposed to do on his account, but I’m not sure he’ll be willing to pick it up again afterwards. I don’t mind either way.

Education-wise, I’m still trying to decide what to do next year. It looks like I’ll be sticking with the KUL, and doing something Computer Sciencey. A lot of the things that bothered me about the PHL don’t exist at the KUL (most importantly the fact that the PHL isn’t within walking distance of a train station, and the amateuristic approach to technology (“WI-FI means the antenna is built in.”), and the near uselessness of the diploma), but the KUL curriculum has some problems of its own (mainly the math bit — I like math in the “solve general problems using your extensive knowledge base and pure logic” sense, not so much in the “know these theorems by heart and be able to recite them hopping on one foot while writing with the pen shoved up your nose” one; granted, I have no idea what college-level math looks like).
Right now, the choice is basically between the Faculty of Science and the Faculty of Engineering. Engineering has less math but more bullshit.
I’ll probably end up flipping a coin for it, but right now, I’m leaning towards Science.

Finally, you know how someone can make you explode with joy just by existing? I didn’t, but I do now.
And I don’t mean that as a euphemism for ejaculation, though she does that too.

tl;dr, I know. Sorry. :P
I should update more often.


Oh, in case anyone was wondering…

Bandwidth use for May was more sane than April. Not that much more than March, even.

To compare, Muffins used 5.63 GB in March, and 8.13 GB in April.
The lack of new content is mostly responsible, I would guess. Personally, I’d have thought a lot fewer people would still be playing.

Anyway, as a side note, I’d like to know what people are using to read this blog. Are you just using a web browser and checking back every couple of days? Are you using the Livejournal syndication thing Haplo made? Are you using the WordPress RSS feed, and if you are, what program are you using to view it?


Y’know…

The thing about Muffins and new content there, I think, is partially that I lost the habit of working on the game every day after the nubflood, because I spent so much time going through transfer logs then, but also that because a lot more people are playing now, I hold new content to much higher standards.
I would say I want things to be as good as KoL, but between the Observatory and the new booze, I think my idea of KoL’s quality is way too idealised.

Anyway. I think I’m just going to care less about funny and more about game mechanics. I’ll add funny if I happen to come across something that works, but mostly I’m going to go for fun without trying too hard.
I’ve been saying Muffins is a spade’s game, but really, it’s a moron’s playground. Real spades would be, and have been, bored into quitting within days.


-__-

I hate Muffins. I really, really do.

The game isn’t very good. I don’t give a fuck if it rips off KoL if it’s good in its own right. It isn’t.
The players are worse. There are maybe five I like, and a dozen more I don’t feel very strongly about one way or the other. Everyone else needs to fuck off and stop using my bandwidth, and stop shitting up my IRC channel.

Blah. I should just give it to someone who still cares.


DROWNING IN NEWBIES

Boo nubflood.
KoL replaced their front page with a fake domain squatter, so the KoL forums were flooded with people too dense to get to KoL itself on their own. And Muffins got mentioned, because of this.

Results.

That screenshot does not accurately convey the amount of time and effort I spent sifting through transaction logs and warning multi-abusing nubholes (seven warnings sent, six of which were to new people; none of those to any of the disabled ones), cleaning up after trolls (lol spamming forums is fun lol), and just answering PMs and forum posts from people too brain-damaged to figure anything out on their own.
Also: gaspo! That’d actually be kind of funny if he were kidding.

Anyway. The thread got deleted (or at least removed from sight) along with the forum it was in, so I’m thinking the worst of it is over. I’m going back to playing N.

(On an unrelated note, people seem to be afraid to do that Nohari thing, so here’s a Johari thing instead.)


>.>

I don’t update this enough. This is because I have nothing interesting to say.
Still at home, doing nothing much besides working on Muffins. Lots of new content recently. Not getting any donations anymore, and new registrations are still low. *shrug*

In other news, I love Mai.
Maybe that’s not exactly new, but it’s still true.


Y’know what I don’t get?

Calling people by their real name on the internet. I mean, yes, it shows to other people who are listening in on the conversation that you’re close enough to that person that they’ve told you their real name (or that you’re an effective enough stalker that you found out on your own), but given a choice between calling someone by the name they were given and the name they chose for themselves (and thus, presumably, like better), why would you go for their real name?
That being said, I don’t particularly care about what people call me. It annoys me when nubs who never knew me as Xarn call me Xarn, and it annoys me when morons call me anything at all, but on the Koen/Cairnarvon thing, I don’t give a fuck. Just struck me as odd, is all.

Anyway.
I think I need to advertise Muffins more. Registrations are down quite dramatically, oddly since I rolled out the rabbit hole. Probably a coincidence.
Meh. I guess it buys us some time until we need to go dedicated.
