10/01/2011

Economy in a game like Minecraft

The economy of a Minecraft world is pretty fascinating because everything about the world is fabricated players using resources mined from the same world, a feature not present in most games. There are no swords that enter the marketplace through some simulated marketplace, and there isn’t a strong need for such a thing either. Recently, I wrote about an hour’s worth of code for my small Minecraft server in order to allow players to setup shops from chests they owned. They’d place their items to sell in the chest and put a sign above declaring what they’d give for what they’d take. It made trading much easier and an entire trading district blossomed overnight (literally). Because each chest store could only sell up to two items (because two signs can fit above a double-width chest) and each chest took up physical space, it meant that there was a need for players to construct buildings (perhaps large in some cases) for their store. As there was not a “global” market that you could access from any in-game location, that meant that factors that you’d find in the real world such as location had an effect (it’s potentially profitable to start up a series of remote outposts to sell food and arrows). The area of the town at spawn doubled that day.

A shop with in stock and out of stock chests

But there was no currency. I deliberately avoided establishing currency because a number of friends were adamant about not having one, but their disdain for currency isn’t unreasonable. I’ve been around and how “economy” works on many Minecraft servers (as well as other in other games) is through a combination of periodical welfare payments, game-powered shops with rates set by the game, and in the case of roleplay servers, virtual employment. In the case of the shops, rates for multiple items were set by the server owner manually or through a list of item rarities (generated by finding the distribution of materials in a given world). I find the latter particularly farcical – value is very much not simply determined by rarity. On more than a few servers, it seemed as if everyone’s business was to farm sugar cane en-masse – and it worked, because sugar cane as bought by the server’s shops at a fixed price. I didn’t want that and I got the feeling that my server’s players didn’t want it either.

There was, of course, another choice – have algorithms dictate the exchange rate based on the volume of trades by players. A player had suggested this as well, but that meant that I’d have to dedicate time to researching and tweaking the algorithm (although the player said he had some experience with this), plus it’d be open to market manipulation due to the small volume of trades that happens when you only have a smaller server. If I made an error, it could significantly tip the balance the wrong way and I’d have to deal with the aftermath (and after taking a one or two week leave, as it tends to happen). Instead of all of this, I was anticipating that a currency might develop on its own (commodity money). Two different groups of people did setup currency exchanges, but their exchange ratios were not properly fair. One diamond-for-gold exchange ran out of diamond in an hour because the diamond was too cheap for the amount of gold. Beyond that, there wasn’t enough trust to be had for the exchanges and they didn’t catch on.

While bartering has been enjoyable, trading can be challenging because you may not have the item the seller seeks, and you’re also encouraged to delay trade until the real necessity arises. With bartering, some items are impossible to sell because the effort involved in trading for them (and calculating the right barter ratio) is significantly greater than crafting the item themselves, even if prices are as low as you can go. That leaves us with need for an official currency, and probably one that’s driven by money a la a credit card (to lubricate the process even further). We spent a bit of time discussing what to do about that, and I had considered giving everyone a set amount of credits (perhaps 10,000 per head) – something that I can do because it’s a computer game – but I think the currency would never come into use nor stabilize. What we probably will do is setup a certain number of one resource for a certain amount of money at a game-controlled exchange. It’d be a fixed currency backed by gold or something, mostly likely to be something like iron ingots or gold ingots. It seems no one wants fractions either (although decimals is merely a representation), so we’re thinking about having the exchange rate at a large whole number such as $32 for an iron ingot. It has to be high enough to make it possible to trade lower-value items – a great analogy for that, as a friend said, is if the lowest currency denomination suddenly had to be $20 USD, you could no longer trade a large number of objects unless it was in excessive bulk quantities. Another friend suggested using factors of $8, because most items have a stack size that’s 64 or a multiple of 8 – that’s an interesting idea. The question also arises whether we’d want a floating exchange rate in the future too.

One of the currency exchanges

Someone abusing the in-game 'tablet' image board app to advertise

Overall it’s been pretty fun trying to stimulate trade and there has been many analogies to history and real life. Because new versions of Minecraft also continue to come out, the value of items can change. Gold’s value may change in v1.9 because of new items added, and one could currently move money into or out of gold ingots in anticipation, depending on how they expect the value of gold to trend. There’s also been some clever people really working the market (perhaps quite in an evil manner), by, for example, buying out a shop and reselling  with higher markup. Some of the guys on there are younger too, and some of them have really sharpened lately.

23 Comments

Tags: ,


09/16/2011

Login under someone else’s Minecraft account

There’s this interesting exploit in Minecraft that lets you login under someone’s name without ever needing to know the person’s password. All the attacker needs to do is get you to join his/her server once. This client-side fix patches your game so that it won’t let your server tell you to authenticate against a “blank” server ID. Lymia and I reported it to Mojang a while ago, and while Jeb just put a fix in 1.8, there’s a mistake with the fix. You can download a ZIP to install it like any other mod (put the files into minecraft.jar), or Windows users can use the setup program to automatically install the fix:

A server-side fix has recently made it into a Bukkit, but your account can still be abused to join unpatched servers. This client-side patch prevents any server from exploiting your account. To understand how the exploit works, here’s a review of how Minecraft would authenticate for “Frank”:

  1. Client->Server: Your game tells the server that it wants to join as “Frank”
  2. Server->Client: The server responds with the ID “afe93b31c” (randomized)
  3. Your game tells Minecraft.net that “Frank” is joining “afe93b31c”
  4. Client->Server: The client tells the server that it’s ready
  5. The server asks Minecraft.net to see if “Frank” has joined “afe93b31c” (if not, then the real Frank never joined the server)

Here’s how the exploit works: You get your victim to join your custom server that sends a blank ID. Frank’s game tells Minecraft.net that Frank is joining “” (a blank ID). Frank joins your server, plays around, and has no clue about what’s going on. You then join Frank’s server where Frank is an administrator, but you immediately skip to step #4: You tell the server that you already did step #3 and you get in. Why does this work? On the server, the server ID is blank if you never complete step 1, so in step #5, Frank’s server asks Minecraft.net if “Frank” has joined “”, which Frank did earlier but on your server.

From a more technical perspective, the hacked client never sends the initial handshake packet. The server ID starts out as a blank string, and it’s only initialized if you send the handshake packet. If you skip the handshake packet and just jump to the login packet, then the server ID stays as a blank string. Before 1.8, your client would freely accept a blank server ID. 1.8 prevents a server from giving you a blank server ID, but Lymia noticed that the game doesn’t URL-escape the server ID, so a server ID of “&” is essentially blank. The patch makes the routine URL-escapes the ID.

Addendum: Someone mentioned a “man-in-the-middle” attack that allows for name spoofing, but that’s a different issue that can only be fixed with significant changes to how Minecraft handles authentication. (A MITM is also more difficult to pull off well.)

14 Comments

Tags: , ,


08/17/2011

“Embedding disabled” no more for PlayX

If you’ve been using PlayX for the past year, you know how often you have come across “Embedding disabled by request.” The good news is that 2.6 swaps the JW player for playing YouTube videos with YouTube’s own player, allowing you to play all YouTube videos, regardless if the owner would like to block the video from being embedded or not. Cross-domain security isn’t a concern for PlayX, so I was able to pull off some JavaScript trickery to reuse YouTube’s player and still have all the advantages of the original player. You can still adjust the player volume, seek to a certain point, and still view the data displayed on the radio display. The change also means that annotations will show for videos, for better or worse. I’m not sure about advertisements though — those may show up but I didn’t encounter them during testing. The only downside to the change was that there’s a higher chance now of the mechanism fatally breaking at some point in the future, but that might be a while from now.

If you are curious as to how it’s done, you can check the Git repository for the commit. I caution you that the code is pretty dirty — my proof of concept code tends to be that way. I dabbled in the fix a few months back, and I forgot its proof-of-concept status when I dropped it into PlayX the other day.

Another cool change is the addition of the “PlayX Navigator.” It allows you to browse video sites (presently only YouTube and /r/videos) to play them in PlayX. If you click on a YouTube URL, it will be redirected to PlayX instead, allowing you to use YouTube.com’s search page like normal. The browser can also visit any URL, and you can force a link to open a video in PlayX by using either of the following URIs:

  • playx://open/<uri>
  • playx://open-provider/<provider>/<id>

Find PlayX 2.6 in the usual repositories.

Post a comment or response

Tags: ,


07/20/2011

Looping jQuery animations indefinitely

A friend asked how to loop a jQuery animation after he had attempted to queue the animations using an unending while loop. That doesn’t work as JavaScript is not threaded and it’d only end up blocking forever, creating an ever growing queue of animations that would never be run. Two better ways to loop an animation are (1) to use a timer on an interval that re-queues the animations, or (2) to use a callback on the last animation in the sequence to re-queue the animations. The first solution isn’t the same as the latter, as the latter will fire immediately after the first run finishes.

However, I suggested that he queue a function as if it was an animation itself, and use that to fire off the animations each run. That is illustrated below.

$("#image").queue(function(next) {
    $(this).fadeIn(1000).delay(500).fadeOut(1000);
    $(this).queue(arguments.callee);
    next();
});

The snippet is simple —

  1. The list of animations is fired. These will be queued to be executed.
  2. Then the anonymous function itself (arguments.callee refers to the function being executed) is re-queued.
  3. next() progresses the queue. next is passed in as an argument.

4 Comments

Tags: ,


07/14/2011

Spotify now open to the US; it’s amazing

Now that Spotify is available in the US and I’ve gotten to use it, it’s amazing. It lets you stream any song from its growing music library on demand and instantly. Search is great, the interface is snappy and nice looking. It is social — right now I am collaborating on a playlist with another friend, but you can make read-only playlists that others can subscribe to. The “unlimited” account costs $5/month, while premium, which gives extras such as higher bitrate streams and offline play, is $10/month. Spotify has been available for parts of Europe for sometime now — the company is a Swedish one.

The nice things about Spotify are:

  • Songs load very quickly. Overall, just click a song or anything and it will be playing right away — no wait.
  • The program is fast and looks good. This seems to be a rarity these days.
  • The music selection is decent. I haven’t found some more obscure artists, but I’m satisfied.
  • The social elements are decent. As I mentioned, you can make playlists, including collaborative ones. A great feature is that you can send a song to a friend — just drag the song to the friend and it’ll show in his or her Spotify “inbox.”

Does it compare to Pandora? No, not really. Pandora doesn’t let you play songs on demand, but it does have a great music discovery service — one where you can just sit back and mind your own thing as it chooses songs for you. Spotify has “similar artists,” but that’s about the end of its music discovery service. There are some user-made tools for music discovery with Spotify, but they use Last.fm’s database, which is based on user contribution and not so much computer algorithms, so it’s not as “accurate” as Pandora. (On a related note, there’s a new Pandora interface, finally.) Edit: There’s a radio service outside the US for Spotify.

Grooveshark? Grooveshark’s qusai-legal database uses uploads from users, so songs are unorganized and the selection is very spotty. Grooveshark also loads songs fairly slowly. The main advantage of Grooveshark is that is more “free,” but otherwise Spotify blows Grooveshark out of the water.

What don’t I like?

  • Everything is excessively tied with Facebook . It doesn’t seem as if you can even use the social elements unless you’ve linked your account to Facebook.
  • The social features could use some work. To add someone to my friends list (not through Facebook), I had to enter spotify:user:<username> in the search, which was awkward. (If there’s a better way, do tell.)
  • Collaborative playlists can’t be shared publicly, probably because there’s no way to change individual editor rights for friends and whatnot. For the social features that are available, they are pretty barebones.
  • You can’t actually buy songs to “own.” Edit: You can do this outside the US.

Hoping to get into Spotify? Right now they’re invite only. If you have an internet presence, you can try getting an invitation through Klout.com (whenever it’s not closed off). No go? You can try registering an account from a UK internet address (note: this gets you a more restricted European account). If you can’t get in and don’t want to wait, you can purchase an unlimited account for $5 or go premium for $10 and get in instantly. If you don’t purchase a subscription, be aware that the “Free” version you get will eventually become as restricted as the “Open” version in Europe.

There’s only an official Android app, but I haven’t used it so I can’t comment on it. My friend has a (semi-old) review on Spotify for Android though.

Post a comment or response