Who’s to blame? The hazard of “0-day”.

[This was originally published on the OSVDB blog.]

This blog entry is probably worth many pages of ranting, examining and dissecting the anatomy of a 0-day panic and the resulting fallout. Since this tends to happen more often than some of us care to stomach, I’ll touch on the major points and be liberal in pointing fingers. If you receive the “wag of my finger“, stop being part of the problem and wise up.

I blinked and missed someone disclosing that there was a dreaded 0-day vulnerability in Adobe Flash Player and that it was a big threat. Apparently Symantec noticed that evil Chinese sites were exploiting Flash and the current could be successfully exploited. When pressed for details, Symantec backtracked and said that they were wrong and it appeared to be the same exploit as previously disclosed by Mark Dowd (CVE-2007-0071). Bad Symantec, poor research.

To make matters worse, Symantec then further claimed that even though it was an old issue, the “in-the-wild exploit was effective against stand-alone versions of Flash Player” and that not all versions had been patched correctly. Way to save face Ben Greenbaum of Symantec!! Oh wait, today he changed his mind and said that Symantec’s claims were based on erroneous conclusions and that the behavior of Flash on Linux they were observing was indeed intended by Adobe and not proof it was vulnerable. To make matters worse, Symantec researchers downloaded the “latest” Flash and found it “vulnerable”, which lead to their sky-is-falling panic. Shortly after, they realized that they didn’t download all of the security patches and had been exploiting a known vulnerable version of Flash. Oops?

Two rounds of hype-driven 0-day threat warnings, and no real new threat. Whew, hopefully Symantec raised their THREATCON to blood red or whatever is appropriate for such 0-day threats. You do monitor that don’t you?

This fiasco lead many news outlets and vendors to issue warnings about the new 0-day threat. Secunia, SecurityFocus/BID, SecurityTracker, CERT, and FrSIRT all released new warnings and created entries in their respective databases as a result. In the VDB world, this is a royal pain-in-the-ass to deal with. Secunia ‘revoked’ their entry, BID ‘retired’ their entry, SecurityTracker flaged theirs ‘duplicate entry’, FrSIRT ‘revoked’ their entry and CERT still has it listed.

Fortunately for OSVDB, we were a few hours behind the rest and noticed the discrepancies and waited for more information. Unfortunately, the rest of the world, including ALL of the VDBs and news outlets listed above (and others) failed miserably in using common sense and a government funded resource to better prevent this kind of problem. As of this posting, Secunia, BID, SecurityTracker, FrSIRT, CERT, Dancho, ComputerWorld and eWeek still don’t link to the CVE ID for the vulnerability. Only Adobe’s updated blog entry actually references CVE-2007-0071 (but doesn’t link to it). Secunia links to a previous ID that has seven CVEs associated with it. The original CVE was assigned 2007-01-04 and published around 2008-04-08, a month and a half prior to this mess.

VDBs, shame on you for adding to the confusion. Symantec, shame on you for crying 0-day when your own engineers screwed up badly. Shame on everyone for not clearing it up fully by linking to the correct CVE entry or their own previous entries.

Before any of you receiving a “wave of the finger” bitch, consider the real world impact of your actions. In this case, only 12 MILLION people ended up seeing a vague warning when they loaded their favorite game. Blizzard included the correct fix information which was the same as a month or more before, but the sudden ‘security alert’ (that is extremely rare) only prompted their customers to wonder, possibly panic and definitely kill some demons as a result.

Hey asshole business (Chase)

Ranting on behalf of a friend. We were out grabbing vegetables for the guinea pigs, a quick dinner and some wine for her. Trying to purchase wine, her debit card was declined. Figuring it was a fluke and the bad mojo of our local Wine Nazi rubbing off, she tried again at Wahoo’s and it got declined again. She figured maybe her balance dipped below 0 as she just bought a new computer and paid for three months of rent at the same time. Before heading back we swung by her bank’s ATM to let her deposit a few checks she never did, and her ATM refused to let her do any transactions. Thinking her balance was below 0, the ATM wouldn’t let her deposit money to cover the balance, how stupid is that? That seems like the bank just being dickish to help garner overdraft fees.

The next morning I get a call at 8:30AM from her bank’s fraud department. entirely automated, it ask if I am X or someone that can speak on behalf of X. I hit 1 in case I can fix the problem. The system proceeds to ask me two multiple guess questions to validate who I am, but never makes me enter the PIN associated with her debit card. It then asks me to confirm the last four transactions; “21 dollars at a liquor store, declined” (1 for yes), “8 dollars at a restaurant, declined” (1 for yes), “1100 dollars at a computer company, accepted” (1 for yes), “10 dollars at a marketing firm” (1 for yes). I have no clue what the last one is, but she is fond of buying small art and guinea pig supplies over the net, many of which show up on statements with odd names. Since it was clear the system categorized the transactions (liquor store, restaurant, computer company) I figured it was one of those. After all of that, “thank you, your card is ready for use”.

So she never dipped below the minimum balance at all, her card was put on hold for potential fraudulent purchase(s) and they found it important to wake me up before business hours to fix it. Hours later after I woke up (again) and thought about it, it occurred to me just how stupid the entire system is. Calling at 8:32 I assume is intended to reach the person before work, but I know many people who leave well before 8:30 for their 9 – 5 job. Even if the goal is to reach them, calling me outside business hours to clear up your stupidity is absurd, especially when she can’t use your ATM or online system to fix the problem outside business hours.

  1. There was ONE abnormal purchase on her card (the computer). The declined wine purchase was at the same store she frequents several times a week. The declined restaurant was Wahoo’s, where we eat as many as 4 times a week. That one purchase for 1100 was considerably smaller than another single item purchase she made in the last 9 months. That total was roughly the same amount as half a dozen purchases in a three day period in another state. Why did this one flag her account and the others didn’t?
  2. The card was locked for potential fraud, but the ATM would not allow her to go through the same routine I did? She could have entered the card, the PIN and answered those questions and fixed it without waiting a day.
  3. The only security offered in the validation process was calling the number on record. not asking for the PIN to be entered and asking two very trivially guessed questions instead is absurd.

So Chase Bank, eat a big bowl of dicks. Your policies and procedures are laughable and annoying.

Over Reliance on Social Network Friends in Zynga Games

Re-thinking Game Design for Character Advancement

Zynga is a commercial company that produces free games that are played via the Facebook social network. Per Zynga’s mission, they seek to “connect people through games”. This is readily apparent in their eagerness for you to play games with your friends through a number of game designs and technical mechanisms. In recent months however, the means for which they intend to connect with people via their ‘Virtual World’ games have become irritating and counterproductive to their enjoyment. This article will outline some of these game design problems and suggest alternative methods for achieving the same goal, while reducing the social burden on players.


Zynga offers several types of games via Facebook; Virtual World games, role-playing games, card games and puzzle games. For the purpose of this article, I only discuss their Virtual World games, focusing on Frontierville. These games are graphical in nature, involve building a landscape of some sort (e.g., frontier, city, farm) and focus on character progression via gaining experience and items. The games are designed to be short duration play, meaning that in most cases, game-play time is limited due to the mechanics of the game. Realistically, Frontierville can be played for roughly an hour a day as you slowly regenerate energy.

Activity in the game is regulated by the amount of energy you have. One energy will return every 5 minutes in Frontierville, regardless of activity or if the game is even loaded. This results in 12 energy every hour or 288 energy every day. Considering sleep, work and other times that one is not present at the computer or actively playing the game (e.g., checking e-mail, playing other games), there comes a point where the maximum energy is reached and you no longer regenerate it.

Using Frontierville as an example, a new player starts with 15 energy, and a long time player may have 35 energy. There are ways to increase the energy pool, but they are rare (completing a specific collection) or costly (purchasing an item for 27 “Horseshoes”, obtainable by spending roughly US $3.15 [0]). Aside from the natural regeneration, there are other methods for refilling energy but they are not unlimited or reliable. This series of game mechanics will regulate play time for the most part. Due to this limitation, a player will generally only play the game for 5 minutes or a couple hours at most. [1] [2]

In addition to using energy-based activities to progress or build a character, the game relies heavily on a form of social interaction. First, this is done by encouraging (some may argue pressuring) friends to play the game and become neighbors. Second, it is further relied on in the form of requesting items from friends that play the same game, and done via Facebook, not the game itself.

Social Pressure

To encourage you to find more friends to play the game, Zynga may limit access to specific resources such as animalstrees or buildings. Without a certain number of friends playing the game, you cannot access these resources. Even when a specific mission requires you to interact with the resource that you do not have access to, it will stay restricted.

As the screenshots indicate, there is an ‘easy’ way to bypass these restrictions. In each case, you have the option of spending varying levels of money to unlock the specific resource or mission item. This is a subtle form of social pressure from Zynga; either encourage / harass friends into playing our games, or spend money if you want to play and fully enjoy our free games. The pressure to get friends to play only begins here.

This game mechanism is a constant reminder that you “need more friends” to play the same game, so that you may advance. In addition, Zynga ensures there are additional reminders that you should add friends, delivered several times a game session. Some are harmless, a simple in-game popup asking you to send items to your friends. However, when the list of Facebook friends comes up, it defaults to your full list of friends or a list of ‘recommended friends’, rather than the third tab containing ‘Frontierville friends’ (the people you already know play). Other reminders to add friends are incredibly deceptive, challenging the idea that Zynga is a company based on integrity.

Even before loading the game, you are sometimes given an opportunity to add more friends:

“8 other Facebook friends already play Frontierville or other Zynga games” it reads, suggesting these friends are likely to join you in a new game. In reality, of the three pictured, one only plays Zynga poker, one plays only word games and the third plays absolutely no Zynga games according to the Facebook Games Page. The fact that these three ‘recommended’ friends do not play any Zynga Virtual World games means that they are unlikely to start if they receive a random request to play. In a social media culture where game requests are already seen as a burden by many, such an invite is more likely to annoy my friends, not make our friendship stronger.

Zynga should change the level of pressure they put on gamers to add friends. Further, they should add additional logic to avoid deceptive invites as outlined above. Rather than picking any friend who may or may not play a Zynga game, only recommend the friend for an invite if they already play a Virtual World game (e.g., Treasure Isle), but not the one you play (e.g., Frontierville).

Requests for Items

The second method Zynga uses for game advancement, requesting items from friends, comes in two forms. The first are “wall requests” (or “wall rewards”). These are the game-related posts you have likely seen (and complained about) all too often on your friend’s Facebook wall. This is a name I have designated, and it does not necessarily denote a person is requesting an item. In fact, many of the posts shared via this method are indications of success in the game, and offering to share a reward. In the example to the left, “Jared Richo” has begun work on a new objective in Frontierville and is offering to share food with you to celebrate. In recent months, wall requests are increasingly limited so that a specific request can only be made every 6 hours. Wall rewards, on the other hand, can be posted any time an objective is completed that has a corresponding shared reward. Due to the game design, this can occur a dozen times in a single play session.

With one friend able to generate wall requests and rewards with that level of frequency, it is clear how your Facebook feed can be polluted with dozens or sometimes hundreds of these posts. If even five of your friends actively play at least one game, the noise becomes unbearable. Fortunately, Facebook has a mechanism to hide all posts on a per-game basis. Despite this, the mechanism is required to complete missions and progress in Zynga’s games. For game players, they have to either filter messages on their main feed while periodically checking the ‘Games’ tab, or wade through all of these game-related posts as part of their main social feed.

The second type of request is a “direct request”. Again, this is a term that I use and it represents a request that is sent specifically via the Facebook ‘Games’ interface. Zynga games limit direct requests to one per game friend per day. If you have five friends that play Frontierville and you need “15 Gas Lamps” or “15 Horse Blankets” to complete a mission, you could only request them five times in a static 24 hour period (e.g., at a specific time of day, the requests are reset), one per friend. These direct requests and the timed throttling mechanism in place have recently become a burden on players and represent a shift in Zynga’s game design. These also represent a serious shortcoming of Zynga games and suggest that Zynga does not know their player base.

In the last few months, the number of missions or objectives requiring both wall and direct requests has increased dramatically. Where you may have had one mission and one building that required them last year, you may have three buildings and ten missions that require them now. Given the time-based throttling of such requests, game advancement hits a firm wall very quickly if you do not have many friends that play the game. Even with a small percentage of friends playing games, the direct requests can add up quickly. Due to the amount of content loaded even for a request, which does not load the full game, it can take five to ten minutes just to answer them if you have dozens. The fundamental problem is that Zynga is increasing the number of requirements that rely on requests (e.g., the ‘injured animals’), while not removing an equivalent amount. Rather than giving a majority of players time to complete missions, especially ones based on direct requests, they are systematically adding more every few days.

As previously stated, the alternative to relying on friends to obtain these items for advancement is to buy them with Horseshoes, a virtual currency maintained by Zynga. Each of Zynga’s games have their own unique currency; Horseshoes in Frontierville are of no value in Treasure Isle, Mafia Wars or Farmville. Given that Zynga provides all of these games for free to users, encouraging players to pay for virtual currency and in-game items is certainly a core part of the business model. However, the price for buyout as compared to the number of items required to progress becomes cost prohibitive to the average user.

Taking my current missions (not buildings) as an example, the buyout cost ranges from $3.40 to $96.84 ($20.27 average). While the $96 buyout price is a rare exception and drives the average up, removing it from the equation puts the range from $3.40 to $14.90 ($9.32 average). Based on the more rational average, with 14 missions or buildings that need completion, I would still be looking at a cost of $130.48 to complete them all. For 14 missions that have sprung up in the last 30 – 60 days, that is an extremely high price to pay. Compared to Blizzard’s World of Warcraft, Trion’s Rift or most other MMORPGs that charge approximately $15 a month for play, Zynga’s prices are not tenable.

If you factor in buying out the remaining buildings that are not completed (the kennel, upgraded Corral, upgraded storage shed, upgrade to Ponderosa Lodge, and forgetting about the 3 upgrades to the Beehive, upgrading any of the chicken coops or the wall requests related to any of these buildings), add another $107.35. If I want to free that stuck mule in the mud? Add another $5.68 for good measure. If these prices are not reasonable in your mind, consider the alternatives. Assuming Zynga adds no additional missions or buildings that require direct requests, and factoring that I have six friends who actively play the game, it would take 42 days to complete them all, as long as my friends answered those requests dutifully. During the course of writing this article, Zynga added two new missions requiring 25 direct request items and a new building requiring 45 direct request items.

This problem is not specific to Frontierville either. As an example, Zynga’s Cafe World game almost exclusively uses direct requests to obtain items as one part of progression. Most missions require cooking a specific dish a certain amount of times along with items obtained from friends. In most cases, the cooking can be done in a matter of hours or a day, while collecting the items could take several days if you have few friends that also play. At present for me, Cafe World requires 210 items obtained from direct requests to complete various missions and upgrade cooking equipment. With 4 active friends that play, that will take me 53 days to complete.

By the Numbers

As with all games, scaling them to meet the playstyle and expectations of every player is impossible. Designing a game should generally be based on pleasing the largest amount of the player base as possible, while giving additional options for players that choose to enjoy the game in different ways. For an MMORPG, this typically entails guild activities (raids), player-versus-environment (questing), player-versus-player (battle grounds) a wide variety of social interaction and more. For Zynga’s browser-based Virtual World games, this is more challenging as the games are simpler and there is no direct social interaction (e.g., chatting, questing together, fighting each other).

With a game such as Frontierville, the primary dynamic is mission progression, with additional emphasis on expanding the frontier (via missions) and adding buildings. This means that the mechanism for wall-post or direct requesting items is important, and the quantity of items required to progress is a throttling mechanism. For a player with 30 active friends, they can complete a building in two days or a two missions in a single day. For a player with considerably less, progression becomes increasingly frustrating.

According to Facebook, there are more than 500 million active users, 50% of those active users log on any given day and the average user has 130 friends. The statistics page on allfacebook.com shows a breakdown of games along with daily average users (DAU) and monthly average users (MAU). For Frontierville, 4,373,540 Facebook users play the game daily and 14,811,393 play the game at least once a month. Doing the math using the daily average users of Frontierville and average number of friends, each Frontierville player has an average of 1 friend that plays daily, 4 friends that play monthly.

Proposed Solutions

Zynga’s Virtual World games offer varying degrees of enjoyment for their immense player base. With consideration to revising fundamental game design choices, I believe that they could be made more enjoyable to a larger base of players. For those who have played and subsequently left, citing frustrations mentioned above, it would be a chance for Zynga to reclaim former players. Revamping the methods for attracting customers to purchase virtual currency would be a second welcome addition, potentially increasing revenue.

Social Pressure – The constant pressure and reminders to add more friends is frustrating. Zynga’s misleading banners suggesting that friends who do not play games be added should be removed completely and immediately. Zynga should also give consideration to changing the reward scheme regarding friend addition; rather than add friends to unlock resources, come up with additional distinct incentives for recruiting friends. Using a sliding reward ladder, each friend recruited could unlock better rewards that are not available through any other means. The ability to unlock resources with a relatively small amount of money is a good system for allowing progression while not having friends that play the game.

Wall Requests – The incredible number of Facebook wall posts generated by Zynga games has to be a significant burden on the social network. Not only have some people quit playing games as a result of the wall posts, others have blocked all Zynga games from appearing on their feed, likely preventing them from playing them at all. In a 24 hour period, an account with 4 active Frontierville friends generated 81 wall requests from the game (and additional 15 from other games). This is compared to the five non-game wall posts on the same account in the same time frame.

Moving to a system that used wall posts, but implemented time-based throttling in addition to lower numbers of requests required, would dramatically decrease the amount of traffic cluttering Facebook feeds. Scrapping wall requests completely and moving to all direct requests, with the ability to make the requests more frequently, would also help by consolidating all game traffic to the Facebook Games tab. This would have the immediate value of not creating an extremely negative opinion of Zynga games by those who do not play, and could result in more users trying a game out (rather than “I don’t want to pollute my own FB stream with Zynga crap”). Long term, this could lead to additional Facebook users playing Zynga games and potentially more revenue. Finally, make more mission-related items tradeable to encourage actual social interaction where friends can message each other asking for spare items.

Direct Requests – Zynga has the ability to use the Facebook API to determine which friends already play their games. Using this API and some basic logic, it should be trivial to determine if a player has five friends or fifty. Missions and buildings could then be weighted based on the person. Where a person with fifty active friends would get a building upgrade that required 100 direct request items, a person with five active friends would get the same upgrade but only require 10 direct request items. This scale would help level the playing field, and not force a player to wait ridiculous amounts of time to progress.

Buyout Prices – In lieu of adding additional friends or waiting over a month to complete objectives, the prices for buying your way out of a mission or building are currently ridiculous. Given the number of missions that require items via direct requests, paying to bypass creates a game that is more expensive than any other on the market. Revamping these prices so they are consistantly lower overall would likely encourage additional players to use it as a method of progression, while not alienating current players who purchase the virtual currency.

In addition to revamping the current buyout scheme, Zynga should consider adding additional methods for encouraging players to spend small amounts of money. Periodically offering special missions that are only obtainable via virtual currency and yielding special rewards not available anywhere else would be interesting. As limited edition items are available in the marketplace, not all players can immediately buy them. Extending the period they are available, or bringing back the old special items from time to time can only yield additional money for Zynga. For example, the fact that I cannot buy the special squirrel pet is a travesty that can be remedied easily and yield more revenue for Zynga.


Zynga makes several games that are fun to play, encourage social interaction via the Facebook social network and provide a nice break from more serious activities. With reconsideration of some game design weaknesses, many of their games could easily present a more rewarding experience for players, alienate less potential customers and generate more revenue.

[0] The in-game currency of Horseshoes are obtained one of three ways. First, new players start out with a token amount. Second, as you gain levels, you may receive a single Horseshoe as part of the reward for leveling. Third, spending real money to purchase the virtual currency. As the third method is the only reliable way to obtain them in the quantity needed to effect changes in game as discussed in this article, I refer to ‘money’ instead of ‘Horseshoes’.

[1] As with all games, there are some exceptions, but they account for a very small number of the player base. Players who advance to a certain point can generally adopt a play style that allows for more energy regeneration in game. This can be done via harvesting plants and animals for energy boosts, collecting food to purchase meals that refresh energy, etc.

[2] This model is considerably different than a Massive Multiplayer Online Role-Playing Game (MMORPG) such as World of Warcraft, where it is common for users to spend many hours playing the game. It is not uncommon for top level players to spend over 40 hours a week playing in order to advance their character or guild.

Hypersensitive Computer Displays

I’ve noticed this many times over the last decade. computerized display systems are often hypersensitive to the point of being silly and absurd. Years ago I noticed downloading files via some clients would show me the speed of the transfer to the Nth place, where N is totally ridiculous. I was getting 83.92384293842903k download and all but the first three numbers were a blur as they changed too quickly to read. Instead of updating the number every 1 second, it updated as fast as the computer could. What does that do for me exactly?

Along these lines are computerized estimates of time left. Microsoft Windows is well known for showing absurd times to complete a task. One minute it shows 4 minutes to copy that file, the next it shows 83 minutes. I’ve actually seen it show over 6,000,000 hours to finish a large file copy (that ended up finishing in about an hour). Some programs (names fail me right now) also have install progress meters that are totally worthless. as the bar reaches the right and you think it is finished installing, the bar resets and does it again. And again. And again. What is the purpose of the progress bar if there is no “overall % complete” or indication of how many bars we must suffer through?

Jump to today which triggered this. I’m driving through Atlanta in a PT Cruiser, feeling like a douchebag, I notice the readout showing me “291 miles until empty”. Yes, the car is so smart it can tell me how many miles I can drive before i have to refill the tank! Wait, it was 285 in the rental parking lot 15 miles ago. I pull in to my hotel some 8 miles later and it shows me 294 miles until empty. So apparently in the state of Georgia, driving the car actually fills the tank, not empties it. gas buyers rejoice!