“We Own You” – Confessions of an Anonymous Free to Play Producer
When it comes to discussions surrounding free to play, people often focus on monetization tactics based on their experiences as a player. Folks commonly get upset based on the disruption of the historical precedent that games should have a price tag, that you pay, then get the game. It’s understandable, as it’s hard to be a savvy consumer when the value proposition is often so heavily distorted, making it supremely unclear how large the air quotes around “free" really are. In actuality, that’s among the least gross things about giant free to play titles from huge developers who have turned game design into modern-day factory farming, harvesting user data more aggressively than the worst PC spyware of the early 2000’s, all to fuel the fires of selling as much IAP as possible.
The following article is from a game developer I’ve known for close to a decade now. To the best of my knowledge, from following iOS development since the launch of the App Store, it’s totally accurate. I’ve heard similar things from developers who have also gone through the ropes of hopping from one game studio to the next. This is the first time I’ve actually convinced someone to write about it.
I am a senior producer at a free to play games company. I have worked for several of the big name companies. It is almost certain you have or are playing a game I have produced or worked on in a major capacity.
Highway Signpost "Freemium"
This isn’t an article about the evils of free to play manipulation to get you to spend money. This is about how we can target you, because we (and our partners) know everything about you. We know where you live, we know your income level, we know your relationships, your favorite sports teams, your political preferences. We know when you go to work, and where you work. We can target an event to start for you when we know you have a long weekend coming up. We own you.
It didn’t start this way. I was originally a console game producer. Layoffs, mergers and what not eventually got me associated with mobile games. We were very early on the iPhone making what you would call traditional games. 99 cent arcade titles. These games did very well, they were reviewed nicely and players generally loved us. We started working on larger more ambitious projects, our team and department was doing great.
stars1We had a game that had a whole bunch of levels you could 1, 2 and 3 star (this was still at-least a year or two before Angry Birds). There was concern, both with the team and upper management that if the game was too hard, it would not be successful. The only UA channel we had was app ranking and user reviews (again this was 2008). One of our engineers came up with a rather simple solution that today would seem like a joke. We could have a JSON file online that contained all the level information. Then we could update the file to make a level easier (or harder). This way we could watch user reactions (mostly app store reviews, Twitter was still pretty basic at this time). This worked great, we were able to balance the game in the wild.
During a meeting about the game, the guy who ran our website brought up some interesting information. He started watching the web logs and seeing all the connections to the JSON file. Unbeknownst to him (or our team) he was getting us a DAU. For the engineering and production teams, this was just a neat thing to know, a feel good “look how many people love our game” statistic. The CEO saw something else. Pretty quickly we started getting more requests for what our users were doing. Upper management was disappointed by our lack of answers. I found a new service online called Pinch Media, they were an analytics tracker. I got the team to integrate Pinch into a few products and finally I had answers. Of course then more answers were asked. Around this time, free to play started happening. Suddenly, Marketing and our bosses demanded to know more than ever. In response to the pressure to explain our user base, I ended up building an event matrix. I had no schooling in this, so I was just making it up as I went along. My first matrix was awesome for a game developer. It was full of all those cool stats like “How far has the player run” or “How many bullets has he shot”. But this did not impress my bosses. They wanted to know how we could get the player to buy more stuff, tell his friends to play the game (and thus I learned about cohorts, all I wanted to do was make games).
Time passed, Free to Play became a thing. I went from company to company. Each time, every new project became less and less about how we can do cool things, and more about how we can track and target users to get the most whales possible, boost chart position and retain users to shove as many ads on them as possible.
facebook_like_thumbAll of this already seems bad. But along the way, a major thing happened. Facebook. I forget when I did my first Facebook required app, but it was a game changer. Facebook has changed how it has worked over the years. Today you can’t quite get as much information (easily) as you could with the first API, but you still get a lot. We collect as much information about a player as possible, thanks to Facebook we have a ton. Even users who don’t really use Facebook or fill it with “fake” data actually tell us a lot. You might not use Facebook, but your connections give you away. If you play with friends, or you have a significant other who plays, we can see the same IP address, and learn who you are playing with. When we don’t know information, we try to gather it in a game. Have you played a game with different country flags? We use those to not only appeal to your nationalistic pride, but to figure out where you are (or where you identify). Your IP address says you are in America, but you buy virtual items featuring the flag of another country, we can start to figure out if you are on vacation, or immigrated. Perhaps English is not your first language. We use all of this to send you personalized Push Notifications, and show you store specials and items we think you will want.
And if you are a whale, we take Facebook stalking to a whole new level. You spend enough money, we will friend you. Not officially, but with a fake account. Maybe it’s a hot girl who shows too much cleavage? That’s us. We learned as much before friending you, but once you let us in, we have the keys to the kingdom. We will use everything to figure out how to sell to you. I remember we had a whale in one game that loved American Football despite living in Saudi Arabia. We built several custom virtual items in both his favorite team colors and their opponents, just to sell to this one guy. You better believe he bought them. And these are just vanity items. We will flat out adjust a game to make it behave just like it did last time the person bought IAP. Was a level too hard? Well now they are all that same difficulty.
Moby-Dick-610
Every day we collect a ton of data. I don’t even know the size of what we collect anymore, we have entire divisions to instrument and analyze the data. These days I just send over a basic question, and the team pulls the data, and runs the query. No longer do we use off the shelf systems like Flurry. Now it is all in house. There was a game a while back that generated something like 20 gigs of player data a day. Right now another Producer is reading that number an laughing, as their game does 100 or 200 or 300 gigs a day. We keep everything we can. And we are not alone. Normally I implement 20 to 30 different 3rd party SDKs into a game. Some of these help us track events or crashes, some are ad networks, others more demographic data. All of these networks are gathering as much, if not more data on you. Worse yet, they are all networked. Let’s say your in some app that wants to know if you are Male or Female, and what age range you fall under. Well that app shares that data with it’s ad network. Guess who else uses that same ad network, we do! Now we have that data, without even asking for it.
Every time you play a free to play game, you just build this giant online database of who you are, who your friends are and what you like and don’t like. This data is sold, bought and traded between large companies I have worked for. You want to put a stop to this? Stop playing free games. Buy a game for 4.99 or 9.99. We don’t want to be making games like this, and we don’t want another meeting about retention, cohorts or churn.
Vérifiez la sécurité de votre compte Gmail
Wallpaper dynamics
WHAT IS RAINWALLPAPER
RainWallpaper is a powerful live wallpaper engine that allows you to use various types of customizable animated wallpapers on your Windows desktop, including 3D and 2D animations, websites, videos, with mouse interaction and cool effects, and with minimum cpu and ram usage. Choose an existing wallpaper or create your own and share it to our DeviantArt Group!
stickers linux geek admin network
Revolutionary tools for editing, color correction, audio post and now visual effects, all in a single application!
À propos de Downdetector
Nous aimons voir Downdetector comme le monsieur météo du monde numérique : nous détectons les moments où la technologie connaît des défaillances. Tout comme la météo, les interruptions et les pannes de service sont imprévisibles, et tout comme un météorologue, nous pouvons vous dire ce qui se passe.
Plus concrètement, Downdetector propose une vision d'ensemble en temps réel des informations en termes de statut et des pannes pour tous les types de services. Notre objectif est de surveiller tous les services que les utilisateurs considèrent comme vitaux dans leur vie quotidienne, y compris (mais sans s'y limiter) les fournisseurs d'accès internet, les opérateurs mobiles, les transports publics et les services en ligne.
Downdetector est une société détenue et exploitée de manière indépendante par Serinus42 BV.
Comment fonctionne Downdetector?
Downdetector collecte des rapports concernant des statuts à partir d'un ensemble de sources. Grâce à une analyse en temps réel de ces données, notre système est capable de détecter automatiquement des pannes et des interruptions de service à un stade très précoce. Les rapports sur Twitter constituent une des sources que nous analysons.
Notre système détecte des pannes lorsque le nombre de rapports augmente brutalement et de manière importante par rapport à la normale. Nous effectuons un suivi des rapports pour chaque société sur une page séparée et nous publierons une brève mise à jour une fois qu'un problème sera identifié. Les rapports plus anciens sont disponibles via le lien vers les archives ou vers la vue d'ensemble des problèmes.
UwAmp, un serveur Web sur votre clé USB et une alternative à WampServer
mysql PHP serveur wamp web windows apache Si vous êtes développeur Web, vous avez très certainement entendu parlé du logiciel WampServer. C'est un des principaux acteurs dans le monde des logiciels permettant d'avoir un serveur Apache, MySQL et PHP sur Windows. Découvrons une alternative intéressante : UwAmp.
WampServer, tout comme ses concurrents EasyPHP ou XAMPP, est assez lourd d'utilisation. Mettre à jour le logiciel est pénible, tout comme le fait de pouvoir utiliser plusieurs versions de PHP et notamment les plus récentes.
Les GAFAM (Google, Apple, Facebook, Amazon, Microsoft) nous font payer leurs services avec nos libertés.
Notre liberté de conscience, les laissant accéder aux détails de notre esprit pour nous manipuler de façon individualisée et automatisée. Notre vie privée et notre intimité, sans laquelle nous ne pouvons plus nous construire nous-mêmes.
Ce contrat est illicite : en démocratie, personne ne peut vendre ses libertés fondamentales. Ainsi, le droit interdit désormais qu'un service soit rémunéré par des données personnelles.
Pour récupérer nos libertés, le 25 mai, La Quadrature du Net engagera une action collective contre chacun des GAFAM.
Enter an Identity (Domain Name, Organization Name, etc),
a Certificate Fingerprint (SHA-1 or SHA-256) or a crt.sh ID:
AltDrag Icon
AltDrag
Easily drag windows when pressing the alt key
ScreenToGifScreen, webcam and sketchboard recorder with an integrated editor.
adding more icons soon, check out the full CSS ICON collection of 512 icons here.
HTML
<div class="search icon"></div>
CSS
.search.icon {
color: #000;
position: absolute;
margin-top: 2px;
margin-left: 3px;
width: 12px;
height: 12px;
border: solid 1px currentColor;
border-radius: 100%;
-webkit-transform: rotate(-45deg);
transform: rotate(-45deg);
}
.search.icon:before {
content: '';
position: absolute;
top: 12px;
left: 5px;
height: 6px;
width: 1px;
background-color: currentColor;
}
Vous aussi vous râlez parce que Facebook ne vous affiche plus qu’une fraction1 des publications de vos contacts ? Vous pestez contre Youtube qui a décidé de ne plus vous envoyer les notifications de vos vidéastes préférés alors que vous êtes abonnés à leurs chaines ?
Plus généralement, vous détestez louper des informations intéressantes parce qu’un algorithme abscons a décidé qu’il ne devait pas vous les montrer ?
La solution existe pour ne plus rien louper : c’est la syndication de contenu à l’aide de flux RSS ou Atom, et c’est ce dont on va parler ici !
Le plus ironique ? C’est que cette solution aux mauvais comportements des plateformes existe depuis 1999, bien avant les outils problématiques eux-mêmes…
Envoi d'un SMS lors de certains événements dans les logs
Je me sers de ce script pour "fliquer" un peu l'utilisation de ma machine personnelle qui est sous Linux. Je reçois donc un SMS quand l'un des événements suivants se produit:
- Ouverture de session d'un utilisateur.
- Fermeture de session d'un utilisateur.
- Échec d'ouverture de session (mauvais mot de passe)
C'est assez simple: On surveille le fichier ''/var/log/auth.log'' et quand certains événements sont détectés, on appelle l'API SMS FreeMobile.
Le script ci-dessous est vite bricolé, avec certaines choses codées en dur. Vous devrez sans doute l'adapter.
Je met le script suivant dans ''/opt/scripts/logs-sms.sh'' (sans oublier de faire mon chmod):
logs-sms.sh
#!/bin/bash
# Surveillance des logs, et envoi d'un SMS quand un utilisateur se connecte ou déconnecte.
logger "SMS: Démarrage script SMS connexions."
envoie_sms () {
chaine="Asus: `date +%Y-%m-%d_%Hh%M` $*"
logger "SMS: $chaine"
curl -G -d user=UTILISATEUR -d pass=MOTDEPASSE --data-urlencode msg="$chaine" 'https://smsapi.free-mobile.fr/sendmsg'
}
# Expressions régulières pour détecter certains évènements (ouverture session, fermeture session, mauvais mot de passe)
reg_open="pam_unix.*session opened for user (utilisateur1|utilisateur2|utilisateur3|utilisateur4)"
reg_close="pam_unix.*session closed for user (utilisateur1|utilisateur2|utilisateur3|utilisateur4)"
reg_failure="pam_unix.*authentication failure.*user=(.+)"
tail -fn0 /var/log/auth.log | \
while read line ; do
if [[ $line =~ $reg_open ]] ; then
envoie_sms "Ouverture session ${BASH_REMATCH[1]}"
fi
if [[ $line =~ $reg_close ]] ; then
envoie_sms "Fermeture session ${BASH_REMATCH[1]}"
fi
if [[ $line =~ $reg_failure ]] ; then
envoie_sms "Mauvais mot de passe utilisateur ${BASH_REMATCH[1]}"
fi
donePuis j'ai ajouté la ligne suivante avant le ''exit 0'' dans ''/etc/rc.local'' afin que ça démarre en même temps que la machine.
nohup /bin/bash /opt/scripts/logs-sms.sh > /dev/null 2>&1 &Notes:
- Cela fonctionne aussi bien avec l'ouverture de sessions graphique (mdm/lightdm) que pour un ''su'' dans un terminal.
- Je fais ''utilisateur1|utilisateur2|utilisateur3|utilisateur4'' car je ne veux surveiller que les évènements pour ces utilisateurs.
- Vous devrez sans doute adapter les expressions régulières dans les lignes ''reg_...'' en fonction de votre système.
- J'ai mis en dur le nom de la machine (''Asus:'')
- Vous devrez remplacer ''UTILISATEUR'' et ''MOTDEPASSE'' par vos propres identifiants SMS API FreeMobile (connectez-vous sur votre [[https://mobile.free.fr/moncompte/|espace abonné FreeMobile]] et activez l'option pour les obtenir).
- L'API SMS FreeMobile est gratuite et fonctionne sur tous les forfaits FreeMobile. Elle ne peut servir qu'à vous envoyer un SMS à vous-même, pas à d'autres personnes.
- Le même genre de chose aurait pu être réalisé en modifiant la configuration de pam afin qu'il exécute le script sur certains événements d'authentification. L'avantage du script ci-dessus est qu'il peut être étendu à d'autres logs/événements que l'authentification.
- J'aurais pu utiliser cron, mais je voulais du temps réel.
Taipan - Web Application Security Scanner
https://github.com/taipan-scanner/Taipan/releases/latest
Taipan is a an automated web application scanner which allows to identify web vulnerabilities in an automatic fashion. This project is the core engine of a broader project which include other components, like a web dashboard where you can manage your scan or download a PDF report and a scanner agent to run on specific host. Below are some screenshots of the Taipan dashboard:
If you are interested in trying the full product, you can contact me at: aparata[AT]gmail.com
Release Download
Download Build Release
If you want to try the dev version of Taipan without to wait for an official release, you can download the build version. This version is built every time that a commit is done and the build process is not broken.
You can download it from the Artifacts Directory.
Using Taipan
Taipan can run on both Windows (natively) and Linux (with mono). To run it in Linux you have to install mono in version >= 4.8.0. You can track the implementation of the new features in the related <a href="https://github.com/taipan-scanner/Taipan/projects/1">Kanban board</a>.
Scan Profile
Taipan allow to scan the given web site by specify different kind of profiles. Each profile enable or disable a specific scan feature, to show all the available profile just run Taipan with the --show-profiles_ option.
Scan/Stop/Pause a scan
During a scan you can interact with it by set the scan in Pause or Stop it if necessary. In order to do so you have to press:
- P: pause the scan
- S: stop the scan
- R: resume a paused scan
The state change is not immediate and you have to wait until all threads have reached the desider state.
Launch a scan
To launch a new scan you have to provide the url and the profile which must be used. It is not necessary to specify the full profile name, a prefix is enough.
Taipan.exe -p Full -u http://127.0.0.1/Below an example of execution:
<a href="https://asciinema.org/a/166362" target="_blank"><img src="https://asciinema.org/a/166362.png" /></a>
Taipan Components
Taipan is composed of four main components:
- Web Application fingerprinter: it inspects the given application in order to identify if it is a COTS application. If so, it extracts the identified version.
- Hidden Resource Discovery: this component scans the application in order to identify resources that are not directly navigable or that shouldn't be accessed, like secret pages or test pages.
- Crawler: This component navigates the web site in order to provide to the other components a list of pages to analyze. It allows to mutate the request in order to find not so common pathes.
- Vulnerability Scanner: this component probes the web application and tries to identify possible vulnerabilities. It is composed of various AddOn in order to easily expand its Knowledge Base.
License
.NET Core (including the coreclr repo) is licensed under the MIT license.
License: GNU General Public License, version 2 or later; see LICENSE included in this archive for details.