When Random Isn't (orlp.net)
376 points by orlp 12 months ago | 147 comments



A bit tangential, but a related fun story from many years ago during my time as a WoW GM.

There was a popular add-on (Titan Bar I think?) that had a bug in one of its versions where it would always call the API which showed the "write a ticket to a GM UI", if you tried to cancel it, then it would just pop up again, the only way to stop this dialog from being in the way (aside from uninstalling the problematic add-on) was to put something in the text box and press submit.

It was a very bad day or two for the GMs, many players didn't even know about GMs or that you could submit tickets to them, and trying to explain to a customer that you're a customer service representative who's contacting them because they submitted a ticket likely due to their one add-on was more often than not a tricky one.

Because it essentially destroyed the ability to perform reasonable customer service response times the developers put out a hotfix which also put that API call behind protection, making it impossible to be called except from Blizzard's own LUA code.


Titan Panel I think was the name? It was the one that kinda "unified" a lot of UI elements into one bar (total gold, repair percentage, stuff like that).


Weirdly, I answered almost exactly the same “invert the RNG” question on StackOverflow (https://stackoverflow.com/a/15237585/1204143) just a few months before you posted your question to Crypto.SE, except that I attacked the Java RNG instead of the MSVC RNG. They both use a simple LCG design where outputs are truncations of the internal state, so the attacks are very similar to each other.
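
The property this comment describes, as an added Python example that is not part of the original post or the linked answer: java.util.Random keeps a 48-bit LCG state and nextInt() returns its top 32 bits, so two consecutive outputs leave only 16 unknown bits to search. The class and function names and the seed 42 are constructed for illustration; the multiplier, increment and state width are those of java.util.Random.

```python
"""Why truncated-LCG output is predictable: java.util.Random from two nextInt() values."""

MULT = 0x5DEECE66D                 # java.util.Random multiplier
INC = 0xB                          # java.util.Random increment
MASK = (1 << 48) - 1               # the internal state is 48 bits wide
MULT_INV = pow(MULT, -1, 1 << 48)  # modular inverse, lets us step the LCG backwards


def to_int32(x):
    """Interpret the low 32 bits of x as a signed Java int."""
    x &= 0xFFFFFFFF
    return x - (1 << 32) if x & 0x80000000 else x


class JavaRandom:
    """Minimal re-implementation of java.util.Random's nextInt()."""

    def __init__(self, seed=None, state=None):
        if state is not None:
            self.state = state & MASK           # resume from a raw internal state
        else:
            self.state = (seed ^ MULT) & MASK   # Java scrambles the seed on construction

    def next_int(self):
        self.state = (self.state * MULT + INC) & MASK
        return to_int32(self.state >> 16)       # output = top 32 of 48 state bits


def recover_states(out1, out2):
    """Return every 48-bit state that yields out1 and then steps to out2.

    out1 fixes the top 32 bits of the state; only the low 16 bits are unknown,
    so 65,536 trial steps are enough.
    """
    hi = (out1 & 0xFFFFFFFF) << 16
    want = out2 & 0xFFFFFFFF
    found = []
    for low in range(1 << 16):
        state = hi | low
        if ((state * MULT + INC) & MASK) >> 16 == want:
            found.append(state)
    return found


def state_to_seed(state_after_first_output):
    """Step the LCG back once and undo the constructor's XOR scramble."""
    previous = ((state_after_first_output - INC) * MULT_INV) & MASK
    return previous ^ MULT


def demo(seed=42):
    """Observe two outputs of a generator seeded with a constructed value,
    then recover its seed and predict its third output."""
    gen = JavaRandom(seed)
    o1, o2, o3 = gen.next_int(), gen.next_int(), gen.next_int()

    seeds, predictions = [], []
    for state in recover_states(o1, o2):
        clone = JavaRandom(state=state)
        clone.next_int()                        # reproduces o2
        predictions.append(clone.next_int())    # prediction for o3
        seeds.append(state_to_seed(state))
    return {"seeds": seeds, "predictions": predictions, "actual_third": o3}


if __name__ == "__main__":
    result = demo(42)
    print("recovered seed(s):", result["seeds"])
    print("predicted third output:", result["predictions"])
    print("actual third output:   ", result["actual_third"])
    # Anything security-relevant in Java should draw from java.security.SecureRandom.
```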


I'm not very good at maths so I let Z3 work out some convenient seeds for me, leading to

    import java.util.Random;
    public class Hayley {
         public static void main(String... args) {
             byte[] b1 = new byte[4], b2 = new byte[2];
             (new Random(0x2effe2140e00L)).nextBytes(b1);
             (new Random(0xc2f0097)).nextBytes(b2);
             System.out.println(new String(b1) + new String(b2));
         }
    }


I wonder if there’s any chance that they were using the same RNG on the server. Seems like you could theoretically exploit it if so, given a very low usage server, low ping, ability to get a decently precise window into the current state of the rng, and ability to quickly generate another event with a high economic variance tied to rng.


Vanilla WoW used Mersenne Twister on the server, which has a number of problems but isn't so trivially broken. They posted a lot of the details how the server-side RNG worked in a (mostly unsuccessful) attempt at killing the rumors around "loot seeds" and such that superstitious players were utterly convinced were a thing.


Ah, the days of farming glowing brightwood staff.


The economics and incentives of RNGs are interesting. If nothing is materially at stake, an imperfect RNG, even a bad one, suffices provided people cannot easily tell, such as games. But if money is at stake or security, like crypto wallets or online casinos, suddenly it matters A TON.


Even worse, the given linear congruential RNG yields only 12445 distinct numbers, then repeats itself. It would be sensible to simply use better parameters for this algorithm.


Engineering is a compromise, for simple tasks (eg motion of particle in smoke trail exhaust), you need a simple yet FAST rng. For cryptography, casino gaming etc, not only do you use a better Rng with at least 32 byte state, you also cycle the engine at random intervals to further prevent predicting the outcome.


An LCG with better parameters would be just as fast.


World of Warcraft is what started my interest in programming. I was 6 when it came out, and when private servers started popping up I became interested in how to make my own npcs, and that’s how I picked up Lua.

I still have a lot of posts on the forum for that stuff (MMOwned), and one of the people that helped me learn then still posts semi-actively.

Compiling my own private server core was how I learned about compiling things, SVN, and how to apply patches (there was a bug related to mage’s fireball, can’t remember what it was.)


> I still have a lot of posts on the forum for that stuff (MMOwned), and one of the people that helped me learn then still posts semi-actively.

Man, whenever I am reminded of the old forums I can't help but get nostalgic. Nowadays, it's like a good piece of the internet is replaced with dopamine-inducing social media apps and gated forums (e.g., Reddit).

I don't know why I still hang out here on HN, maybe mainly because it reminds me of the old forums...


HN threads die too quickly though. For the true old-forum feel we need fewer users with focused interest and threads that last for weeks.


>For the true old-forum feel we need fewer users with focused interest and threads that last for weeks.

There is 4chan.


threads can go for multiple years, if you do it right


Also, old forums didn't organize comments in tree structures, they were just flat chronological comments. This is technically inferior, but it helped keep everyone more focused on a single thread, as it were.


In most forums, one example being DPReview, the user can switch between threaded view and flat view. I choose flat view, because I usually read the whole topic if it interests me and I usually want to read the last updates without having to go through multiple threads.

Also, flat view, mimics a real discussion between people.


You don't need to go to an unthreaded format, with all the attendant clutter and such, to do that. All you have to do is bubble up threads that have had recent messages to the top. That's why HN doesn't (or at least shouldn't) try something like that: it wouldn't be "Hacker News" anymore, so much as "Hacker Gossip" or whatev.


he's right tho — lack of notifs on HN means you won't know about replies to your comments or new comments in fav threads.


Tell HN: HN Replies is email notifications for comment replies, maintained by Dan Grossman.

https://hnreplies.com/

https://news.ycombinator.com/user?id=dangrossman


You can make a browser add-on or use a script to keep you in the loop.


Which is to say, always reply within two weeks.

Does anyone know of a thread on HN that survived multiple months?


I do wish more of the younger generation would be willing to hang out on forums/irc/etc. I would not install Facebook even if it cost me friends


Newer generation is on TikTok, not Facebook.


These are anything short videos, but not just the youth it's almost everyone and I have that damn problem


So far none in my social circles uses Tik-Tok, thanks $deity.


Never use Tiktok


We don’t know how old acheong08 is.


I am in the TikTok generation. I just forgot it existed


I was kinda hoping you would turn out to be >85 like my parents so would be saying "young kids like the baby boomers who use Facebook"!


"Any one who considers arithmetical methods of producing random digits is, of course, in a state of sin. For, as has been pointed out several times, there is no such thing as a random number — there are only methods to produce random numbers, and a strict arithmetic procedure of course is not such a method." - John von Neumann


As a cryptographer I can't stand this quote. Nothing against Neumann, but the people who choose to spread it as sage wisdom really only manage to convey misinformation. In context it is a superfluous philosophy quip.

We have had fast reliable cryptographic random number generators for decades. They really do work with just a tiny seed and a bunch of arithmetic. The numbers produced are indistinguishable from any other proper random source, and they work for any purpose.

Too many people don't understand this, and entire companies are founded on selling snake oil true random.


I have to agree with this. It is a superfluous philosophy quip.

It's no secret that random numbers cannot pop out of nowhere.

I see these "When Random Isn't" type articles every year or so. It's just poor implementations where the procedures to produce random numbers have been suboptimal for their intended outcomes.


A good example of a really terrible RNG is in Monster Hunter 3 Ultimate, and maybe others.

Not only it is completely exploitable for better loot, it also gave rise to "charm table". Some items have randomly generated statistics, and depending on your initial seed (stored in the game save!), there is a limited number of items you can get, and if you are unlucky, you may have a "cursed table", which is effectively a RNG with a really short period, meaning you will never get the best rolls. Not game breaking, but bad for high level play.


I wrote an AH script. It would scan every auction, buy under-priced items, and relist. If someone undercut me, it could cancel and relist just below them. I basically had unlimited gold.


When I explained how money works to my younger brother after having it explained to me by actual drunk guys who work at Goldman (it’s basically impossible to get the truth any other way as far as I know), his reply was:

“You mean to tell me that the IRS is a gold sink?!”

“Well, actually that’s a pretty good analogy, the difference is… well… that’s a pretty good analogy!”


Pretty good, but not complete because the money is gone in a game's sink, whereas in the economy it's more cyclic. In theory.

That said, video game economics are pretty fascinating. I love reading writeups on Eve Online economics. I play FFXIV myself which isn't as good as Eve when it comes to economy, but interesting in its own rights. I wish it had buy orders and the ability to buy individual items instead of whole stacks, lol.


Not in all theory - Modern Monetary Theory[1] posits that if you control a mint, your money is effectively infinite and cannot be meaningfully increased. As such, some taxation truly does serve only as a money sink (but a necessary one that prevents runaway inflation in the face of government spending, as well as being a vehicle for incentivization).

[1] https://www.investopedia.com/modern-monetary-theory-mmt-4588...


I upvoted your comment for being high-value even though I think I disagree with the first half: “Chicago” / “Fama” strong-form EMH economics have had only a few brushes with reality, so N equals “not enough”, but I’m partial to the 100% of the time it’s been a disaster, the best example of which is almost certainly Scholes’ tenure at LTCM (and “When Genius Fails” is a drop everything, call in sick and read today book), but even that is really just an exclamation point on the whole post-Reagan world, the criminally, well, crime of the Greenspan clique.

How a group of people can be wrong every time about everything in stated ambition while acting in ways completely consistent with Randian Objectivist Naziism in practical terms, and not be hounded out of public life bewilders me. There is probably no moment as simultaneously classist and misogynistic and stupid as when Brooksley Born got knee-capped for being right about everything by Summers, Greenspan, and Rubin with the Ghost of Future Reich (Ayn Rand) looming ominously in the background.

The people running the show around here, the “effective altruism” crowd like SBF and Altman and shit? They still put Atlas Shrugged icons in their Mastodon chats long after everyone without an agenda realized they’re the new version of old fascism.


Maybe I don't understand what a gold sink is well enough, but I don't see how IRS can be considered a gold sink. Gold spend with NPCs are not returned to the economy. Taxes are returned to the economy.


Tax receipts are in no sense returned to the economy unless you really overload one of those words.

A modern economy works by running a printing press a little faster than a furnace, with the coefficient being (under honest and competent management) a good estimate of next year being better than this year by such and such, a self-fulfilling prophecy in a good way until you like, burn the planet via carbon emissions or some hard constraint like that.

And it’s a perfectly good system… under honest and competent management. It’s just easier to corrupt than systems with much lower potential (which is the distance between gold bug and ignorant, those folks have a point, they just rarely make it).

This is where all the 1971 stuff comes in: no rich person does anything but advantage their less-capable kid or lover or whatever unless someone is pointing a gun at them. (e.g. Altman has a job let alone unfettered power). The gold standard has a lower maximum potential risk to the extent you can stop there being a de Beers of gold. You likewise accept 50 years from the transistor to a computer in your house even if you’re fucking loaded.

The unanswered question is: can we get competent and honest leadership (after a fashion) back without the bloodshed it has required 100% of the time before?

A lot of us hope so but don’t have an answer just yet, and the clock is ticking.


This post feels like recent movie trailers. The way you wrote it makes me believe you know what you are talking about but I have no idea. Care to give the curious reader pointers to the topics you mention? I mean the "printing press to furnace" analogy of the economy, or what you mean by 1971 or the gold bug or the 50 year transistor omg what?


I’m just a nerd whose nerd hobbies came to encompass finance when I moved to Manhattan. I was also a party monster back then (please don’t read the book) which for a childless bachelor is a pretty reasonable way to get the most knowledge NYC has to give in a year.

If you have particular questions about the monetary system, I know enough to either answer or know that I don’t know and refer you to someone who does.


> If you have particular questions

There were four fairly direct questions in the post you replied to, to which you might like to give a response:

>> [what do you] mean [by] the "printing press to furnace" analogy of the economy

>> what you mean by 1971

>> or the gold bug

>> or the 50 year transistor

The first of those I'm pretty sure I understand what you are meaning, though if I'm right about that I don't think it is a good analogy, but the others I have no context for.


1971 (and/or 1973) is a year people often point to as when we “went off the gold standard”. Neither year is particularly great as a signal example of the collapse of what is loosely called the “Bretton Woods” monetary system, but either is a pretty good nickname for it.

By “printing press” I mean the set of mechanisms in which fractional reserve deficit spending creates the money supply to notionally value future growth, and by “furnace” I mean the set of mechanisms by which we prevent arbitrary inflation as a result. You can measure the money supply in plenty of ways, but for someone who needs a glossary on my original comment, TLDR you want a number called “M2”.

A “gold bug” is someone who either does or advocates the strategy of holding “precious” metals as a uniquely good asset class (no one turns down a free pile of gold, many of us think the market is pricing gold as well as we are), in particular an asset class uniquely resistant to inflation and/or the “government”. I can assure you from painful experience that “the government” gives no fucks if you have gold in your back yard when they make a clerical error.

50 years is roughly the period of time it took for at least two separate inventions of “the transistor” by a bunch of Bell Labs people, but overwhelmingly associated to a guy called Shockley, to culminate in a useful computer that a middle class person could afford to have in their living room. I learned to code on an IBM PC my distinctly middle-class grandfather owned, and it is a substantially better computer than no computer, a harder claim to make about the Apple I for example.


> "printing press to furnace" analogy of the economy

Very roughly modern economies work by printing money in the form of government treasuries (government borrows $ to run the country) and destroys money by charging taxes (taxes go to IRS and are used to pay off the outstanding treasuries)


>A modern economy works by running a printing press a little faster than a furnace,

I think you are confusing Modern Monetary Theory with modern economics. What you are describing is MMT, not what actually happens (the government collects taxes then spends that money + prints more money)


I’m aware of both Modern Monetary Theory as well as behavioral economics. I’m aware of what bankers say “off tape” or “LDL”, (“let’s discuss live”). I’ve worked places where we said “he was with us at Goldman”, because I’ve worked at places and during times that were so elite that my last name, Reesman, which is Dutch, was overlooked for “sounding too Jewish”, which is an actual thing I’ve been tapped on the shoulder about but still to this day don’t understand. I’m not aware of what social dynamics are in play when sounding too Jewish is an issue. Bet your ass New York bankers say shit like that though.

You sir, like many, imply an academic knowledge of markets that would be tradable. If you know what’s wrong with my comment there’s serious money in it, and no one can buy the education you’re implying because the price would be the arb value of all the misprinted securities, trillions easily.

I’m asserting that actual guys called names like Cavendish, who get the actual spread by virtue of being in jobs where you need a name like that laugh in their beer, I’ve been there and I’ve seen it.

“You’ve never dealt with Harkonnens, I have, they’re not human they’re BRUTAL”.

You’re free to disagree, and free to do so under a pseudonym. But if you know anything I don’t about markets generally and US sovereign debt markets in particular I don’t: fuck this HN shit and go trade it. You’ll own HN by the close of business tomorrow, and I will be the least of your worries.


> Taxes are returned to the economy.

I hope we don't start dropping bombs on our own cities....


The money isn't stuffed inside the bombs. The money is still returned to the economy for the most part even if the bombs are "spent" elsewhere.


> The money isn't stuffed inside the bombs.

I thought that was the only explanation for their prices.


Paying for the construction of a bomb, is participating in the economy (as opposed to outright burning the money)


Kind of a broken window fallacy (the bomb isn’t necessary in the first place) but also kind of not (the tech developed for military hardware does eventually get used for good).


Doesn't matter much when money can be printed by FED (which is owned by banks, not by state) or just made up out of thin air by banks and financial institutions.

The gold in online games is fabbed the same way.

The only two reasons that makes it hold value is that is the only sanctioned way to exchange goods and services and the players trust it. Once one of the two reasons does not exist, gold will not have any value, just like money in real life.


As you note, the Fed lending policies do act as a money source (when increasing supply) and also as a money sink (when decreasing supply). That doesn't invalidate the parent point that taxes have nothing in common with a money sink, since that mechanism (unlike Fed) doesn't affect money supply but rather simply moves it to specific purchases/institutions.


The Federal Reserve system is a quasi-public, quasi-private system. It’s a public/private partnership, which is actually a pretty sane default for how governments should interact with banks.

Sloppy, leaky Venn diagrams are a fact of real life.

Let’s try to avoid “Jews vote for Likud” or “nine eleven was an inside job” type oversimplification?

It’s complicated but for a good set of reasons.


Can you share with us what you did explain to your brother?


I’ll do my best to be useful, with the caveat that “monetary policy” is like, a PhD at a good school and industry experience and stuff, it’s a big field.

To address the particular point that he was replying to: the government (especially the US government) has only one money problem: does anyone lend them money (buy their bonds) when they’re picky about terms (floor on auction optionally) at an acceptable overall outcome (you still believe I can invade your country if you fuck around on USD).

So it’s simpler and faster and the math is easier to just burn all the checks the IRS gets and make new ones at the Fed.

Which is the same solution as all the games landed on.


Well, money printing is taxation.


Only if it isn't offset by raw economic growth.


Technically incorrect in nitpick ways but substantially the best intuition: the job of politicians and regulators rounds to: “match the growth of the money supply to people using skills to generate yet another round of speculative but self-fulfilling growth projections with the least amount of dumb rich kids having important jobs”.

To me at least, this sounds like a hard job in Athens with the Bundesbank pardon the ECB breathing down your neck, and a trivially easy job in Washington DC where you can physically destroy anyone who disagrees with your assertions about the value of anything.

Unfortunately the actual job has become: “maximize class solidarity at any cost up to and including arbitrary bloodshed”.


No, a thousand times no.

Inflation wipes out the notional value of debts and therefore favors the 80-90% of people whose finances are dominated by a debt term. At the low end of being lucky that debt term is unsecured dollar-valued debt like a credit card. At the high end misguided boomers acting against their own interest owe that debt as a 30 fixed secured by a home.

The subset of boomers (or wannabe YC insiders) who suffer at the hands of inflation are fucking vocal but statistically irrelevant. The ratio of actual financialization of actual asset classes to people who whinge about “inflation” is maybe the stupidest thing said stupidly constantly.


This is basically what high frequency trading is in real life.


Only with a lot more regulation, and the competition is very sharp.


Wait, did you write Auctioneer? or was this something similar to Auctioneer but you decided to not use the "industry standard" tooling?


I used Auctioneer, found it very helpful. But it couldn't (at the time) do the things I wanted to do. My scripts didn't have any UI or fancy graphics, just outputting text to the console.


I very much doubt it. There's a lot more functionality to Auctioneer than what was mentioned. Also, there are other popular auction add-ons, I think they would have just said it if they created Auctioneer.


How did you determine what was under-priced?


After playing the AH manually for a long time, I'd know that a stack of ore would sell for 20g. I was manually buying when under 20g and relisting. My script just reduced the tedium. I'd manually add in checks for each high-volume item. It was super-hacky, but so effective, I didn't need to improve it.

One script would iterate over every item in my inventory. If it matched a hard-coded list, it would auto-list it at the hard-coded price. Another script would scan every item on the AH, and if matched another hard coded list, it would buy them.

Another story, pre-script. WOW had the inscription update incoming, which used flowers to make glyphs. I correctly assumed the demand for Peacebloom (tier 1 ingredient) would skyrocket once the patch hit. I spent three weeks buying everything on the AH, using multiple characters to store it all. The night before the update, I listed it all for 20x the normal price. The next morning, everything sold out completely. I remember it being 200 stacks @ 5g each, sold for 100g each.


I recall when Pandaria hit there was some resource where you could get only like one a day but they could be sold. The power gamers and the server first people were buying all they could to craft gear to ratchet up the Raid ladder ASAP. I convinced a couple of my friends to sell all theirs at the prevailing price, which was just stupid high, and on about the day we would have been able to craft our first item, the price had crashed so much we bought them back at a lower price. If you waited a few more days, you could buy enough for two items.

Getting 70% of the way to a goal has 0 value. You can often sell your patience to other people in that game.


> Getting 70% of the way to a goal has 0 value.

Well, apart from the fun of playing the game?


No, games are only fun if you get all the achievements and 100% the game and buy every item ever released in the shop and complete all battle pass levels because FOMO because gaming is not about having fun anymore, it's about reaching artificially set goals and collecting cosmetics.


At which point, you rather quit gaming and use your time and energy in the real life. That way you can touch your achievements because they aren't just numbers in a SQL database.


> just numbers in a SQL database

This is what breaks most games for me. Once I see the gameplay loop, I know I'm just playing spreadsheet optimizer behind the scenes.


If you make lots of money, and keep it at the bank, your achievement might very well be recorded as a number in a database.

(But with the distinction that you can withdraw and spend that money.)


When you play a game you trade your time to make other people rich. When you work you trade your time to make you rich. That is the most important distinction.

Would you buy you a Lexus or help someone else buy their second yacht?


You can play games without committing any sum of money though.


But your presence in game attracts others who will do some spending.


That argument only works in multiplayer games.


> gaming is not about having fun anymore, its about reaching artificially set goals and collecting cosmetics

I.e. it became indistinguishable from normal adult life.


:(


I’ve talked friends out of getting back into WoW because I know if they start I’ll start, and I always take it more seriously until it turns into a part time job, which I will continue after they quit again. Touching grass is much more enjoyable.

Gamification has gone too far, circled back onto games themselves and made them into chores. Everything is gacha or tamagotchi or both now.


I wrote more than I intended but I've had these thoughts for awhile.

I have a few genres I will play now because you can avoid that loop. Big fan of idle / incremental games like universal paperclips, kittens game, etc. I find bringing the numbers to the forefront and more obvious helps. Plus most those games can be played passively or semi-passively with only a few check-ins a day if at all to buy the next update, etc.

Otherwise I do still enjoy the short-duration multiplayer match modes that now exist with battle royals or other battle pass games like Fortnite, Apex, Warzone, etc. I don't give two shits about the cosmetics or any battlepass, barely even open those screens, I ignore daily challenges or other lures too. I like that most rounds can be played in 5-15 minutes depending on your skill, low commitment, no tutorial or nonsense quests to complete. Get some good moments with other people either via in-game actions or voice comms.

I recently got into the online casinos in my state. It's pretty crazy how similar they are to mobile games or even console games. Login daily, daily rewards, gotta check 15 places for all the bonuses and free stuff, half the "fun" and "addition" is just doing the daily or hourly ritual of getting all these "gifts" or rewards. The gacha or tamagotchi comparison is spot on.


Universal Paperclips is great, but I doubt you spend more than a day or two with it, interacting sporadically.


You don’t get the shiny or the achievement until you hit that milestone. If I wasn’t clear, I wasn’t meaning “completionism” by 100%, I just meant the milestone.


Spent some time with this kind of system in WoW, TradeSkillMaster. Figuring out an accurate valuation was difficult and one of the biggest differentiators of how successful you were.

This would vary by item, but was most commonly some combination of recent minimum buyouts (usually over the last two weeks), historical value (several months), and much more. Common items would usually be mostly recent value driven, whereas lower-supply items might have a larger component of historical weighed in, as there might be quite a bit of fluctuation day to day and you care much more just about the general trend.

All sorts of nuance to it. You can do more complex stuff like only doing your price estimations off items that actually sold, set values based on a percentage of any other value, and much, much more. It gets really complex but is really cool at scale.


Ingredients were always pretty stable.

I think a lot of sales came down to people trading time for money. I just hit a critical level and I want some cheap blues to power level faster and got shitty drops. Or Buddy wants to play and he’s laughing at my gear, oh there’s a reasonable purple.

I found a lot less stress looking for cheap blues and greens to disenchant for ingredients. That could suck up an hour a day easy. Which is why people just dumped them. Not worth their time.


Ingredients can be stable but are still subject to manipulation. I made a killing by having a lot on hand, pushing bids down during busier periods, which would work synergistically with the lil goblins on during this time who list everything they sell at an undercut. This can cause the ass to fall out of pricing. You then buy up the cheap mats as fast as you can, but also alchemists will start making potions for cheap looking to undercut other potion makers with their zero time investment potion making for cheap. You buy those as well when they get cheap. Then you delist the series of sales you made that pushed prices down and buy the undercuts that helped get you there. Suddenly there's a big rift between current price and the bulk of items and most sellers stop undercutting and cheap supply runs out. Relist regular small batches at 1s under market and make bank.


Just like in real world. But you have to own at least half of the market to pull that. Or someone else can short you.


WoW was fully sharded at the time, so you had to control a fraction of a fraction in order to use these strategies. And you generally became expert in one or two and ignored the rest except for slow days.

Probably more like a third, or the plurality instead of a simple majority. The price most players saw was slightly above what the market would bear. During peak times everything else would disappear.


Much like real world, but unlike real world - Ok in a game. It's totally cool to murder in a game, but morally and ethically deplorable to do IRL.


I've also spent some time playing with TSM. I would login to WoW multiple times a day only to play on the AH.

I don't quite recall where from, but I had some price data, where I filtered the top X products that made the most volume (price * amount sold).

I then simply did something like "if the price is lower than Y% of the average, buy it. Don't sell the product for less than you bought it for."

Surprisingly this simple formula works very well and I made more gold than I've ever had. It was more than enough to pay for the monthly subscription and I even bought Overwatch using the credits I got from it.


You can learn more about economy from these threads than following a course at Stanford.


You’re the creator of the Auctioneer addon? That’s got to be one of the most popular WoW addons for a decade or more at this point.


A lot of us have been using Auctioneer, which has this functionality, since Vanilla. How was the experience of writing your own?


I used Auctioneer. But it couldn't do what I needed at the time, or maybe I didn't investigate enough (TBC/WoTLK timeframe). My scripts were no UI, no graphics, it would just output console commands. The Blizzard API was very easy to work with. Maybe 20 lines of LUA for iterating over every item listed on the AH.


Except that there is a deposit fee in WoW AH.


This is correct, but I think for a lot of items the non-refundable listing fee is a trivial amount of currency that you're happy to pay in exchange for faster execution, because it's based on the vendor sale price.


It's a multiple of vendor price. So for a few items it is quite hefty. For pets, it's always 1s flat so pet pricing can be quite volatile.


The deposits mostly just stop people from overloading the system, and put a tiny bit of friction into the economy.

I always made the most money when I half heartedly farmed on one or two characters and traded about five times as much material as I brought in.

It’s a commodities market. Figure out what the weekly and daily average is, try to anticipate drop off in demand (eg, post launch), if anyone undercuts you by too big a margin, buy them out and relist. If a little, either drop your price or wait.


When Variables Don't and Constants Aren't


Interesting. Seems to be a meme with a deep history.

https://www.theregister.com/2006/07/26/constants_are_not/

> I first read the lament to the capricity of programming [in the title of this piece, "Variables Won't Constants Aren't"] in Creative Computing, years before C was devised.

If there's a particular document you feel is canonical to this meme, I'd be interested to read it.


I suspect it's a math thing, because in math it actually describes the normal state of affairs. Anyway, here it is in a compilation of such sayings dated 1979: https://www.cse.unr.edu/~sushil/quotes.html


That document is a gem worth its own submission. I'm sure many of its constituents have been on HN but I took a glance and don't think it's ever been on HN[1], though it appears a dead mirror was once posted with 0 interaction [2].

Feel free to submit it if you want, otherwise I'd like to.

[1a] https://news.ycombinator.com/from?site=www.cse.unr.edu

[1b] https://news.ycombinator.com/from?site=unr.edu

[1c] https://hn.algolia.com/?query=Murphy%27s%20laws%20and%20coro...

[2] https://news.ycombinator.com/item?id=2863516


Go ahead.


FYI your link color is almost unrecognizable. It's basically a (very) dark blue against black.


You might be using a setting to force dark mode which has no guarantees to be correct.

The site has white background with black text in normal and darkmode. Could probably use a better stylesheet for darkmode but disabling whatever you have on would probably also fix it.


> link color


What?

If the link colors stay the color they were designed to be, but you automatically convert the foreground and background colors, you're gonna have a bad time.

If the site is black on white, with dark links, and you change it to white on dark with dark links, the links are gonna be hard to see.

That has nothing to do with the links, the issue is you changed the primary colors without changing the link color!


You keep assuming I am using dark mode, I am not. I am using the default browser settings. WITH THAT, the link color is almost unrecognizable. It is almost the exact color of the surrounding text:

http://0x0.st/HU7r.png

compare with Wikipedia:

http://0x0.st/HU7s.png


Sorry, I misread your original comment.

To me "very dark blue against a black" sounds like you are talking about foreground and background colors.



See also that time when hacker news was hacked, due to weak random numbers:

How I Hacked Hacker News (with arc security advisory):

https://news.ycombinator.com/item?id=639976


While I never played WoW, I have heard that many addons used a private chat as a means of inter-... whatever communication. If there is a way, people will eventually find and use it.


Not just private chat, almost any chat channel can be used[1]. It's quite common for certain addons to quietly share their versions upon e.g. joining a group, so that you get a notification if a new version is out. It's a bit of a longer explanation, but another fun example of out-of-band privileged information in World of Warcraft:

The "fight" between Blizzard's boss design and addon creators trivializing said encounters is long and not worth going deeply into. But, for example, if the strategy of a boss is "if you get a glowing glyph over your head, run over there and stand in a square formation with the other guys with glowing glyphs", an addon could use hard-to-ignore sounds and visuals to tell you that a) you have to run now, and b) exactly which corner of the square formation to run to.

I believe that in the latest raid, the developers tried restricting certain information from the API (e.g. "there is a glyph over the player's head") in an attempt to reduce that kind of strategy automation. The players then proceeded to manually feed this information (e.g. "i have a glyph over my head") into their addons using buttons mapped to API calls like this, allowing for partial automation (e.g. "your corner in the formation is top-left"). This stirred quite the drama, but that's beside the point.

[1] https://wowpedia.fandom.com/wiki/API_C_ChatInfo.SendAddonMes...


I think a lot of roleplaying addons exchanged information by just having a public chat channel that just wasn't made visible in the user interface. You could actually make it visible and see the addon sending information to other users there.


I don't recall the name of the company but I read about a startup who's product added chat features to a client's website. They noticed a developer using it for IPC, and ended up pivoting into making a product to enable IPC for web apps. (Or inter-something, like you point out it's not an OS process, it's an application-level process. Intertask communication if you prefer.)


Sounds like the story of Firebase? https://en.wikipedia.org/wiki/Firebase


I didn't find that specific story after searching for a few minutes with Firebase as a keyword, but it does seem plausible based on the summary on Wikipedia, at least if I misremembered some details (which could well be).


Whose*


You're right, and I do appreciate it, I ought to know that.


As a means of what?


Like, sockets. (Addon instances are not processes, so it is not exactly interprocess communication...)


Interprocess communication?


    x = x * 69069 + 1;


Yep, and I'm aware of a data encryption product that was hacked by utilizing exactly the same technique. As dumb as it could be: they promised billions of years an attacker needs to decipher data, but were using a dead simple LCG to make a key and a salt. And the salt was stored in a crypto container in open form (b/c it's a salt). :facepalm: Don't implement data encryption on your own, kids...
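An added illustration of the failure described in the comment above, not code from the thread or from any product: it assumes a hypothetical container whose key and salt are consecutive full 32-bit states of the `x * 69069 + 1` generator, and shows as an audit check that the stored salt alone determines the key. `container_t`, `make_container` and `key_follows_from_salt` are names invented for this sketch.

```c
#include <stdint.h>
#include <stdio.h>

/* The LCG step quoted in the thread; uint32_t wraparound gives mod 2^32. */
static uint32_t lcg_next(uint32_t x) { return x * 69069u + 1u; }

/* Inverse of an odd multiplier modulo 2^32 by Newton iteration.
   a*a == 1 (mod 8) for odd a, so `a` is correct to 3 bits; each round
   doubles the correct low bits: 3 -> 6 -> 12 -> 24 -> 48. */
static uint32_t inv_mod_2_32(uint32_t a) {
    uint32_t inv = a;
    for (int i = 0; i < 4; i++) inv *= 2u - a * inv;
    return inv;
}

/* Step the LCG backwards: the state that preceded x. */
static uint32_t lcg_prev(uint32_t x) { return (x - 1u) * inv_mod_2_32(69069u); }

/* ASSUMED layout (hypothetical): two key words, then two salt words,
   all drawn from one LCG stream. The salt is stored in the clear. */
typedef struct { uint32_t key[2]; uint32_t salt[2]; } container_t;

container_t make_container(uint32_t seed) {
    container_t c;
    uint32_t x = seed;
    for (int i = 0; i < 2; i++) c.key[i] = x = lcg_next(x);
    for (int i = 0; i < 2; i++) c.salt[i] = x = lcg_next(x);
    return c;
}

/* Audit check: rebuild the key using only the public salt.
   Returns 1 when the rebuilt words equal the real key. */
int key_follows_from_salt(const container_t *c) {
    uint32_t k1 = lcg_prev(c->salt[0]);  /* state just before the salt */
    uint32_t k0 = lcg_prev(k1);
    return k0 == c->key[0] && k1 == c->key[1];
}

int main(void) {
    container_t c = make_container(12345u);  /* constructed sample seed */
    printf("key rebuilt from salt alone: %s\n",
           key_follows_from_salt(&c) ? "yes" : "no");
    return 0;
}
```

A salt is meant to be public, so anything derivable from it is public too; key material has to come from the operating system's CSPRNG or from a proper KDF over a secret, never from the same deterministic stream.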


>security

I will be forever appalled that Blizzard rolled out two factor authentication before stock trading services like E*Trade managed it.

Bravo for Blizzard, shame on the rest of ‘em. A game company.


I worked with someone who was a Blizzard GM around when they rolled this out. Recovering stolen accounts was some absurdly large % of their customer service tickets. People would use the same email & password on WoW as on various shady / insecure sites. Bots would try any stolen credentials en masse in WoW. When they succeeded, not only would customer service need to restore a user's access, they would need to roll back their character to restore lost items and gold.

According to my coworker, adding 2FA was primarily about reducing this customer service workload. Eventually they encouraged it by adding in-game benefits, like additional bag space for your character. Not sure they ever went as far as mandating it.


So, what happened after they implemented it? Did CS tickets actually go down a lot? Did it save them a ton of money and hassle? You left off the best part of the story :-)

As for mandating it, I could see not requiring people who'd already set up accounts to jump through this extra hoop to play the game. I'm sure even a small percentage might not be able to jump through that hoop. I doubt it's a significant percentage, but I could see it becoming a PR hassle, and those are the worst kinds of hassle from the POV of a technical employee lol...

But for a new game? If the CS metrics reflected a big drop relative to the number of people using 2FA, then I'd be sold on requiring it.


As a former GM, as of the time I left in 2012 I had never encountered a case of a 2FA secured account getting hacked and account compromises were easily >50% of our workload.

The problem had become that most players wouldn't add 2FA to their accounts until AFTER they got hacked, so any in-game incentive to add it was in our eyes a good one.


From what I understand it went down for a long time, but what people did was if they managed to get into your account the first thing they would do is remove the authenticator. That involved entering a couple sequential values. But if you set up the keylogger right, you could trick users into failing the credential check 3 times at login and get their account.


Currently you cannot customize your group in group finder without 2FA, so you cannot list a group for your friend's keystone or specify what sorts of characters you would like to join. It's quite annoying!


As a former Blizzard CS rep (I left in 2012), I can see why they'd do things like this to convince people to add 2FA to their accounts as most people wouldn't do so until AFTER they were hacked for the first time.

Based on many players saying to me "I don't know why they chose me", it seems that a lot of people don't realize that account compromising is a drag-net operation, it's like a fish thinking that there's no reason for them to be targeted specifically by a fisher, without realizing that fishing is such a large scale and impersonal activity.


As a former GM myself, can confirm all the above.


It doesn’t seem that surprising to me. In the olden days, video game companies served a slightly more technical user base, so it makes sense that they’d be more willing to deal with 2FA. Also, I don’t think the legal system will help you recover your SoJs.


Not only that, but they had dedicated hardware for it since smartphones weren't ubiquitous yet. I still remember the first time I saw a friend use one, and how mystified I was by this mysterious "authenticator". It's still absolutely wild to me to think about how ahead of the game Blizzard was on the 2FA front.

They only recently replaced their dedicated smartphone app for 2FA by rolling it into the existing Battle.net app. The 2FA codes they use are longer than 6 digits, which I assume is why they don't support something that can be used by more "mainstream" 2FA apps; by the time those become established enough to support third parties, I suspect their infrastructure had been around long enough that it just wouldn't be worth rewriting it. I do sometimes wonder if someday apps like Google Authenticator will support a wider variety of TOTP configurations; I think Steam also uses something non-standard, which means the only mobile option is a dedicated app, and I'd much rather not have to install extra apps just for 2FA support.


They handed them out at Blizzcon one year, but only one per person, which I think was a mistake. Should have sent people home to entice their friends.


Did they?

I found an article from March 2005 stating that ETrade will soon launch 2fa [1]. And a similar article about Blizzard launching 2fa from July 2008 [2]. Maaaybe ETrade took 3 years from announcement to launch, but I'm pretty sure I saw ETrade branded RSA tokens around 2005, and Blizzard tokens later.

[1] https://www.computerworld.com/article/2569503/etrade-touts-t...

[2] https://www.zdnet.com/article/blizzard-introducing-two-facto...


Maybe introduced is the wrong word. Pushed might be closer.

At some point Blizzard was trying to make it sound like 2FA was mandatory, and ETrade definitely had made a bit more noise about them at that point, but Blizzard campaigned to get everyone on smart phone 2FA and E*trade did not.

Someone else said it might be demographics and I’m not inclined to argue with them. But I think too, a lot of early movers had those key fobs, and because they weren’t on atomic clock time they tended to drift and cause support nightmares. I had 2FA at work a little before I had it in WoW and one of us was having a problem practically every other week. That was only dozens of people.

The smart phone answer was so, so much better. But if you invested in fobs, it’s like public infrastructure. Boston has a shitty sewer system because it got firefighters before Chicago and Seattle, which burned down after modern plumbing more or less settled. See also Internet service in late adopter towns versus early. Ripping out cost more than green field.


Summary in simpler terms?

So it's just because the actions in game were functions which were assigned an id and callable by id.

Then because OP was able to reverse engineer that id generator, OP was able to call whatever he wanted once he tested what id was doing what.

Didn't read the math in the middle, I could get it but takes too much time at my age nowadays.


The IDs are arbitrary and chosen by the author.

Outside the secure context they had the information to select which (arbitrary) ID they wanted to pass into the secure context. So they call `random()` until they know the next call to it will produce the desired ID. Then they pass control to the secure context which calls `random()` and uses the result as the ID to look up what action to take in the same arbitrary ID<->action mapping table.


Ahem, They are only chosen by the author for the goal of reverse engineering and finding valid ids.

But he doesn't assign ids manually when writing the scripts.

As far as I understand.


It doesn’t really make a difference either way. You could wait for a number to come up that would match the game’s ID for the action you want to take, or an arbitrary one from a table you hardcoded in the secure function call.

As long as you have a method for knowing the next outcome of the random call, that’s all you need.


I don't understand what you're saying.

The way I understand it, he managed to find a way to retrieve ids assigned to functions that have an action in game.

By trial and error and because the ids are generated by a PRNG which he knows. He just needs to retrieve the starting state and then boom.

It matters to know whether an in-game action/function is mapped to a given id, contrary to what you're claiming. Otherwise, what's the point? These ones can't be just arbitrary. That's what he is looking for.

(Why these unnecessarily complex explanations is my question though.)


The ids for the actions are not secret. Everyone knows them. I can go on wowhead.com right now and tell you the spell ID for any ability in the game. If I want to cast Fireball it’s spell id 133 https://www.wowhead.com/spell=133/fireball

It’s right there in the URL, even.

The whole point was predicting the next result of random call so that it could be used to smuggle in data. He just called random until the next value was one he wanted.

The secure context did not have access to the information necessary to make a good decision. However you could call random and get a number back, so if you could predict the next value then you can call it from the insecure context until the next value matches the data you want to send, then you pass control to the secure context where it calls random and assumes the return value is the id to cast or lookup in a table for the actual id.

If the return value range of random() includes 133, then no mapping is necessary. If it doesn’t, then you just hard code a mapping in the secure context function that is keyed with values it can return. It makes no difference either way.
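An added sketch of the mechanism this sub-thread describes, not code from the article or the game: a restricted function that accepts no input but draws from a generator whose state untrusted code can advance, next to the same call with the restricted side holding its own state. The toy generator, its 15-bit truncated output, the function names and the assumption that the untrusted side already knows the shared state are all illustrative.

```c
#include <stdint.h>
#include <stdio.h>

/* Toy generator (assumption): the thread's LCG step with a truncated
   15-bit output, reduced to [0, n). Not the game's actual generator. */
typedef struct { uint32_t state; } prng_t;

static uint32_t prng_draw(prng_t *g, uint32_t n) {
    g->state = g->state * 69069u + 1u;
    return ((g->state >> 16) & 0x7fffu) % n;
}

/* Untrusted side. ASSUMES it already knows the generator state (recovering
   it is the article's subject). It keeps drawing until a private copy says
   the NEXT draw will equal `wanted`. Requires wanted < n <= 32768. */
void untrusted_prepare(prng_t *shared, uint32_t wanted, uint32_t n) {
    for (;;) {
        prng_t peek = *shared;
        if (prng_draw(&peek, n) == wanted) return;
        prng_draw(shared, n);
    }
}

/* Restricted side: takes no data from untrusted code, only draws a number. */
uint32_t restricted_draw(prng_t *g, uint32_t n) { return prng_draw(g, n); }

/* One generator for both sides: the "random" value the restricted side
   sees is whatever the untrusted side selected. */
uint32_t run_shared(uint32_t seed, uint32_t wanted, uint32_t n) {
    prng_t shared = { seed };
    untrusted_prepare(&shared, wanted, n);
    return restricted_draw(&shared, n);
}

/* Mitigation sketch: the restricted side owns its generator state, so the
   untrusted side can churn its own generator without moving this one. */
uint32_t run_isolated(uint32_t seed, uint32_t priv_seed,
                      uint32_t wanted, uint32_t n) {
    prng_t untrusted = { seed }, restricted = { priv_seed };
    untrusted_prepare(&untrusted, wanted, n);
    return restricted_draw(&restricted, n);
}

int main(void) {
    /* 133 is the spell id quoted in the thread; seeds are constructed. */
    printf("shared state:   restricted side drew %u\n",
           (unsigned)run_shared(1u, 133u, 256u));
    printf("isolated state: restricted side drew %u\n",
           (unsigned)run_isolated(1u, 99u, 133u, 256u));
    return 0;
}
```

With shared state the restricted draw tracks the value the untrusted side asked for; with isolated state it is the same for every `wanted`, which is the property a sandbox boundary needs from any resource both sides can touch.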


Secured actions have a known id but actions defined in the insecure environment have a randomly attributed id, no?

Anyway, that doesn't matter too much. :o) My understanding is still a bit fuzzy.



