On-site Hatchery

[Guillotine]

Don't be deliberately dense, an ON-SITE hatchery opens up the risk to DC being taken down due to a DDOS aimed at that hatchery among other threats, and there are always vulnerabilities that the programmer may not think of because programmers are human.

 

e: like, DC-the-site wasn't adversely affected by EATW because they're different sites, someone could easily take down the site if it had a hatchery directly attached to it.

Edited April 5, 2018 by Guillotine

[olympe]

As far as I understood it at the time, it wasn't the attack itself that took down EATW, but it was TJ who cut it off from DC and whatever data EATW needed from DC in order to function. (I guess it's obvious I don't speak Computerese...)

 

On 2.1.2018 at 8:47 AM, Ext3h said:

The API access to dragcave.net (required for accessing scrolls etc.) was already shut down by TJ09 during the attacks, and I have terminated the webspace and the domain. The domain will be up for grab soon, so it would be a good idea to remove it from all signatures and alike, as I will not take any responsibility if a future owner of the domain decides to abuse it.

(bolded by me; snipped)

 

It's also true (as Ext3h did the very thing) that it's possible to limit the amount of active auto-viewers on a site. However, incessant refreshing will have the same result as an open auto-viewer, so I don't know how much good it does overall. And, at the same time, it's also quite possible to orchestrate any kind of attack on DC itself instead of a fansite.

[HeatherMarie]

3 hours ago, Irabane said:

 

This is assuming an on-site hatchery would operate exactly like the fan-made ones that currently exist. The power of an on-site hatchery is that TJ would likely be able to set up ways to track who is viewing what (via IP or Dragon Cave account if one is logged in), in addition to all sorts of other information such as how often certain IPs/users are viewing things. This information could then be used to actually catch and punish viewbombers, or notice that an abnormally high number of views/connections are coming from a particular IP/user and automatically block their access to the hatchery or even the entire site until the situation can be investigated further (and action potentially taken if a perpetrator can be identified, either by their account having been logged in or via IP association). Of course this all depends on how an on-site hatchery would be implemented, however to say that an on-site hatchery doesn't even have the potential to eliminate viewbombing (or at least greatly minimize it) if thoughtfully constructed is simply wrong as far as I can tell.

 

For it to have this effect, as many have already said, an on-site hatchery would seemingly have to replace all of the current ones, which is honestly something I'm unsure about my position on (leaning towards not wanting to eliminate fan-made hatcheries though). I feel this could be remedied with the addition of an account option along the lines of "Allow views from external sites? <Yes/No>" as this would allow players to decide whether they wish to use external sites in addition to an on-site hatchery for growing their Dragons, instead of being assigned to one or the other.

 

Also @Fuzzbucket, you make a very valid point; new features will always have unintended consequences. I feel the best we can do though is to try to account for as many major ones as possible ahead of time, and deal with the unforeseen ones as they come.

 

I feel the need to point out that TJ most likely already *can* do those things, track where lots of views are coming from and stop it fairly quickly, as he said in the Transparency thread:

 

Quote

It's pretty easy to detect (and thus ban) sources of viewbombing, actually. The process will maybe probably be automated in the near future, but whatever happens, it's definitely on my radar.

 

Given what he said there, I'm not sure the argument that an on-site hatchery would make it possible to track viewbombers better is really a huge issue. And besides, all of that depends on shutting down viewbombing *after it's started*, which still doesn't help users/dragons that get viewbombed before the 'too many views from one user' mechanic kicks in. In order for something like that to really help stop death from viewbombing there would have to be a rather low cap on how many times an IP/user could view the hatchery within a short amount of time (when eggs can get sick with less then 100 views I'm really not sure how that would work?). 

 

My main issue with this on-site hatchery suggestion is that it seems like people want it primarily as an anti-viewbombing feature, and yet there are plenty of *much* simpler things that can be done to help stop viewbombing, and this suggestion seems to have so many loopholes/what-ifs that it doesn't seem like the best way to go about it (in order for it to actually work as an anti-viewbombing tool it would have to be the only way a dragon could gain views, it would have to be made in a way that wouldn't screw with the entire site when someone decides to attack it, etc etc).

 

I do like the idea of an account option that would let you choose whether or not your dragons would get views from external sources, though.

 

[Ribombee]

I can't speak for others, but I would like to see it put in place, not because it is anti-viewbombing, but because it doesn't rely on external sources. If more attacks happen, more hatcheries will go down. It will be more and more difficult to get enough views to hatch an egg.

[HeatherMarie]

2 hours ago, Ribombee said:

I can't speak for others, but I would like to see it put in place, not because it is anti-viewbombing, but because it doesn't rely on external sources. If more attacks happen, more hatcheries will go down. It will be more and more difficult to get enough views to hatch an egg.

 

I can understand not liking the whole 'must rely on external sources to grow dragons' thing, that's a pretty good reason for wanting an on-site hatchery. However, I would like to point out that hatcheries going down doesn't necessarily mean it would get more and more difficult to get enough views... Hatcheries weren't always around, after all. When I first started playing I didn't even know hatcheries existed (and many of the ones that exist now didn't exist then). I got enough views just fine by posting my eggs/hatchlings in my signature at a different forum. It may have taken a tad longer (though I don't actually remember it taking a whole lot longer) but it did work. Of course not everyone uses other forums (and I'm not sure if LiveJournal still has petsite-posting groups like it used to?) I'm just pointing out that hatcheries are not the only way to grow dragons.

[Fuzzbucket]

8 hours ago, olympe said:

I think this is utter nonsense. The attack on EATW didn't shut down DC, so an attack on an on-site hatchery wouldn't do that, either. And I'm reasonably sure that TJ is very capable of making sure that any attack on the (still hypothetical) DC hatchery could be stopped automatically, maybe by limiting the number of "people" (or bots, in case of an attack) viewing stuff through the hatchery. An algorithm that recognizes unusual spikes in "user" activity and puts a cap on it if necessary. I'm also reasonably sure that most programmers (who made their own hatcheries) would be able to do the same. EATW was only susceptible to the attack because it was the first of its kind, and thus far unheard of.

 

8 hours ago, Guillotine said:

D an ON-SITE hatchery opens up the risk to DC being taken down due to a DDOS aimed at that hatchery among other threats, and there are always vulnerabilities that the programmer may not think of because programmers are human

<>

DC-the-site wasn't adversely affected by EATW because they're different sites, someone could easily take down the site if it had a hatchery directly attached to it.

 

These two. It's not a matter of whether TJ is clever enough to set up wonderful things. It's that with just one site to go after, ALL that the Bad Guys would be working on would be that one site. And gifted though TJ is - so are very many Bad Guys. With multiple hatcheries, their efforts are at least to a degree diffused. Not to mention he would have a lot more work guarding against invasion.

[StormWizard212]

 

4 hours ago, HeatherMarie said:

Of course not everyone uses other forums (and I'm not sure if LiveJournal still has petsite-posting groups like it used to?) I'm just pointing out that hatcheries are not the only way to grow dragons.

 

Given the way the internet is changing, I'm not sure how many people would actually be able to get their dragons hatched without using hatcheries. I know that I personally wouldn't be able to. I'm only active on two forums these days including this one, and the other doesn't allow links to be shared off-site. I wouldn't know how to go about getting a dragon hatched without a hatchery.  

 

I saw someone mention on the previous page that an on-site hatchery would force other hatcheries to shut down and I don't think that's necessarily true. Fansites offer a variety of features and resources, not all of which could possibly be included in an on-site hatchery. They have different pull factors that make them appealing to users. There's no knowing how effective an on-site hatchery would end up being, but I know I personally enter my dragons into multiple and even with an on-site one I'd probably still enter them elsewhere to get their stats up quickly when they have low time. I don't think introducing a feature like this would automatically mean every other hatchery would shut down as a result. I don't think people would want that so users would keep using the sites that they trust and value in conjunction with whatever features are available on DC itself.

 

Before jumping to worst case scenarios in terms of viewbombing and attacks, I think it might be worthwhile to first consider the sorts of features we'd like to see and then consider the consequences/limitations of those particular features. An on-site hatchery wouldn't necessarily need to mirror the same format or style as existing hatcheries. Are there any different approaches an on-site hatchery could take that might be beneficial? Or are there specific features that people would like to either see or not see? 

Edited April 6, 2018 by StormWizard212

[JavaTigress]

10 hours ago, HeatherMarie said:

 

I can understand not liking the whole 'must rely on external sources to grow dragons' thing, that's a pretty good reason for wanting an on-site hatchery. However, I would like to point out that hatcheries going down doesn't necessarily mean it would get more and more difficult to get enough views... Hatcheries weren't always around, after all. When I first started playing I didn't even know hatcheries existed (and many of the ones that exist now didn't exist then). I got enough views just fine by posting my eggs/hatchlings in my signature at a different forum. It may have taken a tad longer (though I don't actually remember it taking a whole lot longer) but it did work. Of course not everyone uses other forums (and I'm not sure if LiveJournal still has petsite-posting groups like it used to?) I'm just pointing out that hatcheries are not the only way to grow dragons.

ALSO I would point out that even IF more hatcheries were attacked it doesn't mean we would lose them, for certain.

 

Admittedly the owner of EATW shutting down the site and quitting it DOES set a precedent for it ( And definitely a troubling one... though I ought to clarify HERE that I by no means BLAME them for their choice) BUT, remember... that is not a guaranteed outcome. Still a valid concern, of course, BUT as of yet NO more attacks of that kind on hatcheries...and, of course, as others said there MIGHT be simpler fixes for it. Myself, I am used to the idea of having to go offsite to raise my eggs and hatchies or to the forums if I wish to interact with other users, so that is a non-issue for ME, personally. I DO get the concern about view bombing and further attacks on hatcheries BUT I think as was said... trying to deal with a 'worst case scenario' when it isn't even clear it will come to pass seems to ME like it could create at least as many issues as it solves. Knee-jerk reactions are typically NOT helpful. IF The worst comes to pass then we may need to deal with that when it comes. That said, I am still not FULLY convinced that DC NEEDS to have its own hatchery at this time... much LESS that it should be forced as an EXCLUSIVE hatchery ( The form of this idea I like least, to be honest) and killing our already existing ones. I realize that viewbombing is a problem, BUT I feel there MUST be a better and less drastic solution?

 

As for saying we don't need hatcheries at all...I am agreed with @StormWizard212 on this one; I am unsure I would know HOW to hatch my eggs without a hatchery of some kind. I understand it can be done, BUT from what I understand, also a LOT more work? I would also comment that I agree with SW on one OTHER thing...we DO need to consider the possible consequences of features being considered also. FOR instance...the lag that has been mentioned AND the fact that someone could, THEORETICALLY, target an onsite hatchery as easily as an offsite one... as @Fuzzbucket pointed out. 

Edited April 6, 2018 by JavaTigress

[Fuzzbucket]

Nevertheless - a hatchery on the same site/server as the cave would leave the cave more at risk from people who go for hatcheries.

[Stromboli]

I'm not particularly seeing how having a hatchery on the website makes DC much more at risk of getting DoS's than the already established risk of having a website on the internet does?

[Fuzzbucket]

Simply because if (as some have suggested ) it ended up being the only one, that is where the Bad Guys would be targeting - but also - they DID to a degree target other hatcheries over Christmas, and an on-site one would be another one they would inevitably go for. And on cave is - where the GAME is.... If they changed their bot programming a bit they could damage more than the hatchery bits. And don't think they wouldn't think of that.

[JavaTigress]

10 minutes ago, Fuzzbucket said:

Simply because if (as some have suggested ) it ended up being the only one, that is where the Bad Guys would be targeting - but also - they DID to a degree target other hatcheries over Christmas, and an on-site one would be another one they would inevitably go for. And on cave is - where the GAME is.... If they changed their bot programming a bit they could damage more than the hatchery bits. And don't think they wouldn't think of that.

This... and while they could try to target the site itself even NOW; I think the theory is the mechanic for getting views inherent to a hatchery would make it easier for attackers to use up large amounts of 'bandwidth'? (Though not being a coder I dunno all that much about it?) 

Edited April 6, 2018 by JavaTigress

[olympe]

Well, I'm most assuredly not a coder, and I dare say that most of us who're discussing this aren't, either. I'd really like to see someone with actual experience weigh in and share some insights so we non-coders can get an idea of what's possible, what's likely and what's just rumor-mongering. So, any help on that front, @TJ09?

[Stromboli]

Yeah, I'm more saying that if someone decided they wanted to pull a DoS on the Cave, I'm not sure how having a hatchery makes that more or less possible.

 

Also having it be part of the cave doesn't necessarily mean having it on the same server as the cave. A DC-endorsed hatchery could be isolated as its own service under a "dragcave.net" domain. Someone tries to go after it, you can pause access to that service without having to kill the whole website.

 

But, y'know. I work on internal tools for my company, I don't do much of anything with security. There are probably better methods.

[HeatherMarie]

The biggest issue I see, that might *potentially* make viewbombing easier and/or more of an issue, is that some people really want an on-site DC hatchery to be the *only* hatchery, ie cutting off API access to all other hatcheries and users only able to use the official hatchery to grow their dragons. In *that* case, I definitely do think that viewbombing might be a huge issue to consider.... As I said before, right now if viewbombers attack one or two hatcheries it affects the percentage of users who actually use that hatchery. If the official DC hatchery was the *only* hatchery, then an attack would affect *everyone*, which means a concentrated attack on that one official hatchery would do a *lot* more widespread damage. 

 

9 hours ago, StormWizard212 said:

Before jumping to worst case scenarios in terms of viewbombing and attacks, I think it might be worthwhile to first consider the sorts of features we'd like to see and then consider the consequences/limitations of those particular features. An on-site hatchery wouldn't necessarily need to mirror the same format or style as existing hatcheries. Are there any different approaches an on-site hatchery could take that might be beneficial? Or are there specific features that people would like to either see or not see? 

 

I honestly am unsure I would even want to use an on-site hatchery, so I'm not sure exactly what features I would and wouldn't want to see, except that I do *not* want it to be the *only* hatchery available. That's a big, huge No. Someone mentioned earlier a toggle/flag/whatever to either allow or disallow your dragons to get views from external sources, I would like that... that way if you do want to use the on-site hatchery exclusively then you can make sure that no one else is adding your things elsewhere (or that adding things elsewhere doesn't actually give them countable 'views', however TJ would want that to work...). Only other thing I can think to add is that I'm assuming an on-site hatchery would require confirmation, like your password, before allowing your dragons to be added? The way DragHatch does, sort of... I mean, if it's going to be an official on-site hatchery it seems logical it would require password confirmation, the same way many other actions do on-site.

[Stromboli]

Until TJ indicates that an on-site hatchery would only be implemented with permanently disabling the API, I'm not big on entertaining view-bombing/DoS nightmare scenarios.

 

So far I've seen cutting off the API brought up as something that could be done and that was done temporarily, but not something anyone's really in favor of, unless I'm missing something?

 

tbh, even with an on-site hatchery, cutting off fan sites would be a mistake. There's a reason there's so many of them. Everyone's got their preference, each has features that another might not. There's no way anything that's made as an "official" hatchery could be all things to everyone. I don't see why an on-site hatchery would have to come with killing all the others.

[Fuzzbucket]

Cutting off the API WOULD surely disable other hatcheries. Something which I absolutely don't support.

[Stromboli]

4 minutes ago, Fuzzbucket said:

Cutting off the API WOULD surely disable other hatcheries. Something which I absolutely don't support.

 

It would, and as I just said, nor do I support that. I skimmed the thread again, and am not seeing anyone say anything about the API except that it was cut off that one time to stop hatchery view-bombing, and that doing it permanently would be a bad idea? I'm confused why it keeps getting discussed like that's the likely outcome of having an on-site hatchery, is all.

[hazeh]

I would highly prefer an on-site hatchery. Exclusive or not doesn't matter to my style personally. I really am just tired of having to use different sites to hatch my eggs since I don't use any sort of forum that I could post my eggs in for the purpose of gaining views. Self-contained within DC itself would save a huge hassle for me, and generally be more enjoyable. I can definitely see the issues in it being an exclusive feature, as I know the fansites are popular for different reasons, and I would hate to see them closed down. 

So it comes down to personal preference again, which is where that "toggle" option would be super handy for internal/external permissions. 

 

And uh, @Stromboli, aren't you a coder? 

[HeatherMarie]

8 hours ago, Stromboli said:

 

It would, and as I just said, nor do I support that. I skimmed the thread again, and am not seeing anyone say anything about the API except that it was cut off that one time to stop hatchery view-bombing, and that doing it permanently would be a bad idea? I'm confused why it keeps getting discussed like that's the likely outcome of having an on-site hatchery, is all.

 

Multiple people in this thread brought up the idea of an on-site hatchery being the *only* hatchery, olympe mentioned it on page 1 (though it doesn't seem they actually want it that way) and on page 2 Alrexwolf posts at length about an on-site 'exclusive' hatchery (they said ' you could ONLY display your hatchies/eggs there') and how it would fix viewbombing. That's why it's being discussed, because it seems that some people may *want* it to be that way, while some of us don't. Of course it's not the definite outcome, but when people mention a way that it could be implemented that many of us are very much against, it's natural that it's going to be talked about. (And cutting off the API would most likely be the way that an on-site hatchery would be made 'exclusive'.)

Edited April 7, 2018 by HeatherMarie
clarification

[Stromboli]

Ah, that was the post I missed. From the first reply on this thread all I was seeing was people saying cutting off access to other hatcheries was a bad idea, so I was really confused why it kept coming up.

 

Anyway, as long as dragons' stats are affected just by viewing "dragcave.net/image/{code}" it's not like you can really... stop people making hatcheries. It might get a little more annoying, but not impossible. Unless TJ completely changes how those endpoints work as well, the "DC hatchery becomes the only hatchery" scenario seems very unlikely to come to pass.

 

side note: is there documentation somewhere for the API? I'm curious about it now.

Edited April 7, 2018 by Stromboli

[olympe]

12 hours ago, HeatherMarie said:

 

Multiple people in this thread brought up the idea of an on-site hatchery being the *only* hatchery, olympe mentioned it on page 1 (though it doesn't seem they actually want it that way) and on page 2 Alrexwolf posts at length about an on-site 'exclusive' hatchery (they said ' you could ONLY display your hatchies/eggs there') and how it would fix viewbombing. That's why it's being discussed, because it seems that some people may *want* it to be that way, while some of us don't. Of course it's not the definite outcome, but when people mention a way that it could be implemented that many of us are very much against, it's natural that it's going to be talked about. (And cutting off the API would most likely be the way that an on-site hatchery would be made 'exclusive'.)

 

Ineed. If an on-site hatchery is supposed to prevent viewbombing, the API would have to be cut for all other hatcheries, or viewbombing through other hatcheries could still happen. But, even if the other hatcheries get put down, there're still click-exchange sites like Yarold's which could be abused for viewbombing. It'd (probably) be a bit harder to do than with a normal hatchery, but it doesn't seem much of a hurdle. Which is why I don't see the viewbombing problem as a reason to implement an on-site hatchery, quite the contrary. Because I really like certain hatcheries, and I'd like to keep them. (RIP, EATW)

 

However, an on-site hatchery would feel a bit more inclusive, and as long as it doesn't turn into the one and only available DC hatchery, I'm fine with adding it.

[Ribombee]

On 4/5/2018 at 10:39 PM, HeatherMarie said:

 

I can understand not liking the whole 'must rely on external sources to grow dragons' thing, that's a pretty good reason for wanting an on-site hatchery. However, I would like to point out that hatcheries going down doesn't necessarily mean it would get more and more difficult to get enough views... Hatcheries weren't always around, after all. When I first started playing I didn't even know hatcheries existed (and many of the ones that exist now didn't exist then). I got enough views just fine by posting my eggs/hatchlings in my signature at a different forum. It may have taken a tad longer (though I don't actually remember it taking a whole lot longer) but it did work. Of course not everyone uses other forums (and I'm not sure if LiveJournal still has petsite-posting groups like it used to?) I'm just pointing out that hatcheries are not the only way to grow dragons.

 

The internet has changed a lot since DC started. Forums were much more popular. Plus, the reason DC is playable for a lot of adults as it is now, whereas other click games are not, is that we have hatcheries which don't require constant monitoring, promoting, and posting to get views. I cannot even imagine trying to get enough views/clicks on a prize, for example, as an adult with a ton of responsibilities. It would certainly be the end of my playing. 

[StormWizard212]

1 hour ago, Ribombee said:

 

The internet has changed a lot since DC started. Forums were much more popular. Plus, the reason DC is playable for a lot of adults as it is now, whereas other click games are not, is that we have hatcheries which don't require constant monitoring, promoting, and posting to get views. I cannot even imagine trying to get enough views/clicks on a prize, for example, as an adult with a ton of responsibilities. It would certainly be the end of my playing. 

 

That's part of what I really like about DC. During the periods where I've got plenty of time on my hands, there's a lot in the game to keep me occupied. But in those weeks that are just super busy with work or study, there are ways to still play and have a lot of fun on limited time. For those who are busy working and studying, I do think it's important that there are still ways to access the game and I feel that having an on-site hatchery would make it a bit easier for those who are busy and add some incentive to continue playing the game during hectic periods.

 

I know that adding your things to hatcheries now can be very quick, but I play this game every day, have URLs for hatcheries bookmarked and memorised, and they're the first results that come up when I type 'v' or 'a' into a new tab. For those casual players who come and go a bit and don't prioritise DC as much as I do, however, taking the few extra steps to find and get to a hatchery might be a bit of a turn off and make the game seem a bit too impractical, especially during busier periods. For the players in that situation, I do think having an on-site hatchery would make a significant difference to the way they play the game and potentially the frequency, too. 

Edited April 8, 2018 by StormWizard212

[Aalbiel]

Damn this blew up.

I don't personally particularly want an on-site hatchery bc the existing ones are great. I wouldn't *mind* an on-site hatchery..... as long as it didn't cause lag. And despite all assurances to the contrary...... I really don't see that happening.