Welcome to Crestfall Gaming

Register now to Crestfall Gaming. Once registered and logged in, you will be able to contribute to this site by submitting your own content or replying to existing content. You'll be able to customize your profile, receive reputation points as a reward for submitting content, while also communicating with other members via your own private inbox, plus much more! This message will be removed once you have signed in.


Beta Tester
  • Content count

  • Joined

  • Last visited

Community Reputation

37 Excellent

About Soulson

  • Rank
  1. If you've grown to trust the developers little by little over the past 8+ months, with every statement of purpose, every announcement from Asura, and every Darkrasp update, are you truly ready to abandon that trust after one announcement you don't like while there's still so much that none of us know?
  2. Purge is intended to be able to affect soul link but only if you target the warlock's pet with purge. It works this way on most private servers I have played on.
  3. It does. My comment was meant to be mostly tongue-in-cheek. In America, most people use an absolutely ridiculous date format. That being said, yyyy-MM-dd is the format recommended by the International Organization for Standardization under spec ISO 8601. It's sort of like a metric date.
  4. Or in proper date formatting, 2017-03-01 to 2017-06-01. Sorry .. when I first read that I was like "wtf dis guy talkin' about?"
  5. Well by asking this question specifically in the warlock forum, I imagine your query might be subject to sampling bias. But uh, I like cool enslavey things. There were a few in TBC at least that I don't ever remember getting immune patched, and what a shame it would be if they were, since that's the demon expansion. Makazredon and his twin from SMV weren't ever patched, I don't think. Those were fun.
  6. My favorite weapon is actually a shield: [Force Reactive Disk] Its damage increases with the square of the number of things attacking you. What else in the game scales that well? I still used it in TBC. If I have to pick a real weapon? Let's go with... [Pendulum of Doom] Cool proc. Awesome name. Rare as hell. 4.0 swing timer. Requires level 39. And I farmed one myself. Seeing it finally drop was easily as exciting as any piece of raid gear I've ever won except for maybe 5pc nemesis (which happened to be the robe from Nefarian.)
  7. For the interested, here is an official post from Blizzard that I remember reading about the 400ms spell batch updates: https://web.archive.org/web/20141019021233/http://us.battle.net/wow/en/forum/topic/13087818929?page=6#114 It's not like what people mean when they say "CoD is a 60-tick server" or like actually having a 400ms ping. Your spells on other targets will still cast at your connection latency, but apply their effects at the next 400ms batch update. As others have stated, this causes neat pvp tricks like double blinds, SW:D/JoB polys, and gouged death coils. It may also add some of the mysterious "difficulty" to raids that some people are asking for, since healers will be spending more mana – they won't be able to charge-cancel their heals as much. Example: Healers Alice and Bob are both casting Holy Light at tank Tom, who has 60% HP. Alice started casting her heal 200 milliseconds before Bob. Under the instant (non-blizzlike) system: Alice completes her cast. Tom has full HP. Bob sees Tom at full HP, and cancels his heal with (up to) 200 milliseconds (- latency) remaining on his castbar, and saves mana. Under the batched updates (blizzlike) system: Alice completes her cast. Tom still has 60% HP until the next batch update, (up to) 400ms later. Bob sees Tom still at 60% HP and finishes his Holy Light 200ms after Alice. Tom still has 60% HP. Tom is healed to 100% HP (up to) 200ms later, when the batch update ticks. Alice and Bob have both spent mana. (edit: Against harder-hitting bosses, there's also a very real chance that Tom could die in that 400ms. Poor Tom.) I appreciate the attention to detail. Regarding the password security issue I raised: thanks for taking the time to fix that, Asura and Crogge. Like you alluded to in your post, security and network stability updates aren't the exciting bits of juicy server gossip that people are salivating over, but they're (at least in my opinion) even more important.
  8. Thanks for the insight! The bit about using NPCs as virtual players spamcasting spells and a massive load of client opcodes makes me giddy with excitement about what we'll see when you're ready to unveil your artwork. Regarding the authentication security, I appreciate that you're not storing passwords in cleartext. However, MaNGOS doesn't do that either, and that authentication scheme is still not secure. The problem is that they store the SHA-1 "identity:password" hash in their database. Twelve years later, SHA-1 isn't generally considered a secure hash algorithm anymore. There's nothing you can do about that, since that's what your target client uses, but here's the real problem: you don't even need to break the hash to break the auth scheme. SRP6 relies on the asymmetry in computational complexity of modular exponentiation against discrete logarithm for its security. A design specification for the algorithm is located here: http://srp.stanford.edu/design.html. Two of the critical steps are: Server: v = g^x % N Client: S = (B - kg^x) ^ (a + ux) Here, x is the salted password hash. N and g are usually constants known to both client and server. The server should only store the verifier (v) and salt (s, a nonce, not shown.) Since discrete logarithm is generally intractable, x cannot reasonably be computed from v, g, and N. However, if x is stored in your database—even in hashed form—then a malicious actor who can get read access to your accounts table can calculate the client's shared secret (S) without knowing the password. For every account in the table. Notice that x is not used anywhere in the server-side implementation after the verifier is computed and stored, because it is unnecessary. So it's pretty awesome that you're considering OTPs for account security, but I imagine a lot of people won't use them. Avoiding the storage of password hashes is a simple modification that everyone will benefit from – you, me, and every other adventurer who joins us. Please consider that my suggestion.
  9. Hi there Crestfall team, I've been following your adventures for some time now and I've enjoyed how candid you've been with your developer updates, but one topic I haven't seen much focus on is stress testing. This interests me especially because you've taken the challenging route of (very nearly) developing your own server software. Are any of you willing to provide some insight on how you have, or plan to, put your product under pressure? If you've decided to go the clustering route, it's clear you've given it some thought. But as I'm sure you're aware, distributed computing comes with a really great set of challenges—database isolation is one of my perennial favorites—and you're not likely to encounter a large percentage of possible issues with only a small group of developers and alpha/beta testers logged in at once. Do you have any sort of automated client implementation that you use for simulating heavy stress? Another concern of mine is how you'll be handling authentication. As much as I appreciate the work that the MaNGOS team has done to advance the art, I don't like that they store password hashes in their auth database. That is an insecure implementation of SRP6, since no discrete logarithm would be required to break into an account if the auth database was ever compromised. Only the salt and verifier should ever be stored. However, I can at least review the MaNGOS source code to see what they're doing with my password. I've got no idea at all what you're going to do with it. I can only review the open source forks of Ascent, and this snippet of SQL just worries me even further: CREATE TABLE `accounts` ( `acct` int(10) unsigned NOT NULL auto_increment COMMENT 'Unique ID', `login` varchar(32) collate utf8_unicode_ci NOT NULL COMMENT 'Login username', `password` varchar(32) collate utf8_unicode_ci NOT NULL COMMENT 'Login password', `gm` varchar(32) collate utf8_unicode_ci NOT NULL default '' COMMENT 'Game permissions', `banned` tinyint(3) unsigned NOT NULL default '0' COMMENT 'Account Standing', `lastlogin` timestamp NOT NULL default '0000-00-00 00:00:00' COMMENT 'Last login timestamp', `lastip` varchar(16) collate utf8_unicode_ci NOT NULL default '' COMMENT 'Last remote address', `email` varchar(64) collate utf8_unicode_ci NOT NULL default '' COMMENT 'Contact e-mail address', `flags` tinyint(3) unsigned NOT NULL default '0' COMMENT 'Client flags', `forceLanguage` varchar(5) collate utf8_unicode_ci NOT NULL default 'enUS', PRIMARY KEY (`acct`), UNIQUE KEY `login` (`login`) ) ENGINE=MyISAM DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci COMMENT='Account Information'; Any chance you can allay my concern? If not, I'd be happy to help you remove this vulnerability! Thanks for your time!
  10. I tend to swap back and forth between warlock and paladin. Was a paladin most recently, so I'll be a warlock here. PvP server for sure. I've got no hatred for carebears, but one of my favorite parts about WoW is the adrenaline rush from a spontaneous world 1v1. (I'm not the only one, right?) Undecided on alliance vs horde. There are thirty gameplay-based reasons for me to play an orc, but the most important reason to pick a side is the set of people you wanna roll with, and I lost touch with my pals from Nost. Hopefully some of them will start to show up here, or I'll find some like-minded folks on the forums, and that will influence my faction choice more than anything else. p.s. holla at me <Last Stand> brothers and sisters if you see this
  11. Respectfully disagree that engineering is equally useful for all classes. I main warlocks and paladins, and I find it to be much more valuable on paladins than warlocks, for a variety of reasons: Engineering stuns break on dot ticks — this means they frequently don't last as long for warlocks as they do for paladins. Still good for fearing pets off you, though. Engineering stuns also increase judgment of command damage. Warlocks don't get any sort of damage increase from stuns. Engineering provides paladins with a few options for engaging at range. Warlocks don't benefit as much from this, since they have several naturally. Engineering is the only way to access the coolest paladin shield in the game (in my opinion.) Warlocks can look at it.
  12. Should have thrown in an "at noon GMT+1" somewhere for good measure
  13. You're not doomed by WOTF; it has a few counters you can utilize as a warlock: Death Coil Grenades Tidal Charm Goblin Rocket Helmet Inferal summoning stun ...Having 10,000 effective health Note that howl of terror will not save you from WOTF. It has a 2 second cast time in vanilla, and is considered a fear effect, which means WOTF will immunize a player from it. In my experience, if you're playing soul link spec, the only classes that will generally give you any trouble as a warlock are other soul link warlocks and well-geared rogues. Naturally, there are always exceptional players, and an exceptional player of any class may provide a challenge...
  14. This video inspired me to roll a paladin back around 2006: https://www.youtube.com/watch?v=QIiq8Qu8UAE (ZalPalaPvP 3) I found it generally more interesting than the typical 2h reckbomb fests or the films of highly-geared deep ret players. The video shows a lot of ungeared solo combat against several (admittedly bad) players at once, but when you go 1v5 and win while using unimpressive gear, regardless of how bad the other players are, I find it entertaining. There are a few 1v1s against competent players as well, which are almost as amusing, but there are other vanilla paladin videos out there with better 1v1s. The key takeaway I have for you is to take engineering. Iron grenades are immeasurably helpful when PvPing as a paladin, as the stun can give you enough time to clinch an extra holy light—and holy light heals for a lot in vanilla, no matter what spec you're playing—or to catch a runner. The shadow reflector gives you a brief reprieve from the classes that have given me the most trouble in my paladin career – warlocks and priests. The goblin rocket helmet gives you another "heal to full" chance and a much-needed gap closer. A secondary takeaway is to heal early and heal often. My final advice for you is to be prepared to be frustrated by how easily someone can just run away from you if they feel that they're starting to lose the advantage. That's my #1 pet peeve about vanilla paladin pvp.