Secunia, Techworld, Mac OS X, and various Reality Distortion Fields

Recently, a Danish (I am told) internet security firm named Secunia has gotten a lot of free publicity, largely by making the pronouncement that Mac OS X is no more secure than other operating systems, notably Windows XP and its variations, which it considers the most secure of all.

Apple has gotten quite a bit (not a huge amount) of bad press over this, all of it citing Secunia’s Press Release. The most vehement I have encountered is on Techworld.com: Apple Shames Itself Again Over Security.

Unlike some pro-Apple bigots I am not entirely immune to doubting the utter superiority of Mac OS X to all alternatives, so I decided to do a little research. Something, apparently, no-one at Techworld is required to do.

If you visit Secunia’s website, and I suggest you do, try looking at their archives of security alerts, under Apple: Mac OS X, and Microsoft: Windows XP Professional. I won’t link directly, since you should go find these things yourself to (a) prove how easy it is, and (b) demonstrate that I am not cherry-picking my results.

First of all, in their summary graphs and tables, Secunia reports fewer security alerts for Mac OS X (all versions including server) than one variant (Professional) of Windows XP. But, hold your horses, Windows XP Professional is reported as having no serious issues, none, zero percent (out of 67).

But when you scroll down the page you discover several serious issues listed. Hmm, if there are several, how does this come out as 0%? So either Secunia is incompetent, or dishonest. Certainly, journalists can’t be bothered checking beyond press releases. Well, no surprise there.
What’s more, one of these serious issues has been unresolved for nine months!

And then there’s the well-known gaping hole of ActiveX (an ActiveX control can do anything it likes to your machine). ActiveX issues are mentioned only once on Secunia’s XP Professional page and shown as a single serious flaw which has been fixed. (It’s one of the 0%.) Well, the “fix” is that the user has to magically know that this ActiveX control isn’t safe and click “No”, while, to get his/her daily work done, he/she may have to magically know that other ActiveX controls ARE safe and click “Yes”. Whew. Glad that was “fixed”.

World of Warcraft. MMORPG* Suckage. And Other Stories

* Massive[ly] Multiplayer Online Roleplaying Games (i.e. games like EverQuest)

A while back I saw an interesting diatribe on brokentoys.org (Lum the Mad’s blog) about how it would be nice if there were a critical mass of gamers who wanted to play something other than mage / tank / healer games (pretty much every MMORPG out there, and every vaguely successful one, falls into this category). It proposed some kind of amorphous global diplomacy thing which made no sense but had its heart in the right place.

I would actually settle for something far less ambitious — a mage / tank / healer game that didn’t suck.

(For those of you not accustomed to MMORPG jargon, a mage is someone who is fragile but does a lot of damage (usually from a distance); a tank is someone who can stand toe-to-toe with an enemy in a fight, not die, and be able to hold that enemy’s attention; a healer is someone who makes wounds go away… Every major MMORPG to date, including those featuring superheroes and “science fiction” settings, is essentially designed along these lines. If you think of these three archetypes as forming a triangular spectrum (like a color gamut) every character option more or less falls somewhere on the triangle).

WoW (World of Warcraft) is shiny and new and we haven’t started to comment on the suckage yet (aside from the obvious: lag, crashes, and downtime), but there’s still plenty of suckage to go around.

  1. As your level increases, content is doled out with a lot of hamburger’s helper, in the form of tedium. I.e. instead of “go kill 20 mobs, collect 15 items, and come back for a reward” it’s “go across the continent to fred, then go across to BFE, kill 200 mobs, collect 10 items, and then go to wilma (in BFE2) who sends you to barney (in BFE3) who gives you a note to take to betty (in BFE4) for your reward.”

    This isn’t clever. This isn’t fun (not the fifteenth time, anyway). This is just EQ with better graphics and dialog boxes instead of /hail.

  2. The reason for the hamburger’s helper is that if you gave people stuff at a decent rate, you’d run out of content. When you run out of content, people stop playing. When people stop playing, they eventually stop paying. Then you go broke.

Is there a solution to this dilemma?

I think there are several, and WoW intends to utilize one of them (by imitating DAoC) but not the others.

  • Make PvP a feature. Folks in my office still play Quake II because PvP never, in a sense, gets old. DAoC didn’t have an end game besides PvP, and WoW will probably be a solid implementation of ideas others have already demonstrated will work.

    But what about…

  • Making the world a little bit dynamic. Not a lot, but a little bit.

    E.g. if everyone is killing monsters of type X, maybe make them scarce. Have quests impact the world in non-trivial ways. Put a tiny bit of state in the world. Not a lot, but a little bit. Just a tiny amount would make the world SO much more interesting. God forbid, one server might seem a little different from another.

  • Make quests a little bit dynamic. Not a lot, but a little bit.

    Imagine if all newbie quests weren’t identical. Suppose player A goes to NPC B and asks for a quest and then gets a “slaughter 10 pigs” quest. But player C comes up and gets a “collect 8 eggs” quest. OMG! This could even interact with the oh-so-slightly dynamic world. (When pigs get scarce, more hungry bears and wolves and bandits appear.)

  • Maybe design it as a multiplayer game. It’s amazing to think that after all this time and effort has gone into designing competing MMORPGs, they’re still fundamentally single-player games.

    E.g. if you are assigned to go kill Fred Bloggs, so are fifty other people. Since there’s only one Fred Bloggs, he/she just “respawns” and can be killed over and over again. Why kill him? He just comes back? Why rescue the princess? She can just kill herself and respawn back safe in the castle? In any event, killing Fred Bloggs does not rid the world of him, so why bother?

    It’s about time someone actually designed one of these games so that this kind of idiocy didn’t exist. Random name generators aren’t that hard to write…

Marketing a non-D20 RPG

Well it looks like ForeSight Second Edition might just be published soon, and my thoughts are turning to the, perhaps unenviable, job of marketing a game firmly based on percentile dice (also known as D100): i.e. a pair of dice which when rolled give you a random number from 1 to 100.

The D20 juggernaut is basically a D&D thing. It’s not clear whether it’s an effort to keep third-party dice manufacturers happy, or a plot to convince people that the morass of special cases, tables, and bizarre rules that constitute D&D is in fact a “system”. In any event, my reasons for eschewing D20s are technical, much as my reasons for eschewing 3D6 (as discussed earlier).

In any role-playing game there tend to be die-roll ranges to which exceptional outcomes are assigned. For D20 games these are rolls of 1 and 20. In other words, 10% of all resolution rolls (cases where a die is cast to determine what happens in a situation) result in something outlandish occurring (e.g. an automatic success or failure regardless of the odds).

Shit happens. But should it happen 10% of the time?

Now, in action movies and similar genres from which RPGs tend to take their cues, shit does indeed happen 10% of the time. But unfortunately, the 10% of the time we’re talking about is actually a gross understatement.

For example, a mid-level warrior in D&D will swing his/her sword three times in a single round of combat, which means he/she has three chances to have shit happen. If he/she is fighting a similarly capable opponent, that’s another three chances to have shit happen.

(For the statistically inclined, that’s a 1 – (0.9 ^ 6) probability of shit occurring in a single round — a few seconds — of combat, or roughly 47%. Most fights last several rounds. If this were a movie, this would be like half of fights having something ridiculous happen, such as someone trip over their feet or hit someone in the eye with a lucky shot, the moment a fight started.)

In RuneQuest 2nd Edition, a D100-based system, there were various tiny percentage chances of shit — things like a warrior slicing his own head off — happening every time someone did something. Of course when you did the math (and an article along these lines was posted to Murphy’s rules) you ended up with ridiculous results: in a battle of 1000 warriors lasting five minutes, some insane number would decapitate themselves, some far larger number would chop off their own limb, and so on. In each case the results were simply constructed by taking (1 – probability of ridiculous outcome) and raising it to the power of the number of times the dice would be rolled (50 for ten minutes of RuneQuest combat) — and that’s the probability that you will escape that ridiculous outcome.

When the probability of an extraordinary outcome is 10%, you know you’re in big trouble.

Of course, the extraordinary outcomes in D20 can’t be too ridiculous or the system would seem obviously broken. Instead they’re just low key enough to have lots of silly effects (e.g. because armor does not block damage but instead reduces hit probability, and because a roll of 20 is always a hit, a huge number of tiny attacks will automatically kill someone in plate armor), while never giving the feel of “critical hits” (the finest archer cannot kill a healthy 10th level paladin with a single ordinary shot), and neither implementing any concept of “degree of success” nor producing genuinely unexpected results to create drama.

Before I start rambling too far, I will mention one funny thing. D20 system is in fact D20 + D12 + D10 + D8 + D6 + D4 system. The D20 games rely on a ridiculous set of dice and use them to achieve an unnecessary level of granularity (a weapon either does D6 or D8 damage, nothing in-between).

Anyway, here are two possible slogans for D100 System games.

D100 System. Shit happens, but not 10% of the time.

D100 System. You already have the dice.

Software: The Disservice Model

Note: the author’s copy of Adobe Illustrator 10.0.3 hung twice while being launched during the writing of this piece, which may explain a few things.

A friend of mine has a theory that if Microsoft ever produced a version of Word that actually worked, it would go out of business. (A lot of Macintosh users think that as of version 5.1 they did, and have never upgraded since, hence the theory.)

New versions of Word are usually notable for additional “functionality” that most users don’t want and can’t figure out how to turn off which slow it down to the speed of the previous version on much faster hardware. Recent versions do “helpful” things like prevent you from making points (a), (b), and (c) … because (c) must be a copyright symbol, or superscripting the “th” in “4th” whether you want it to or not. By far the majority of Word users do not want these features and cannot switch them off.

Meanwhile, Adobe has incorporated some kind of dynamic update service for its various flagship programs (such as Photoshop and Illustrator) which is presumably intended to make sure that if Adobe finds and fixes a bug, it can be seamlessly fixed before you necessarily notice it. Of course, the dynamic update service is the single worst bug in their software, and they don’t seem to be interested in fixing it.

Beyond this, there is a general trend towards switching from software licenses (which work kind of like ownership) to software subscriptions (which don’t). It all started going “pear-shaped” when Microsoft (for example) decided to refer to versions of its software by model year (like cars and evening gowns) rather than significant revision.

The software “service” model wanted to make software products less like appliances (such as your telephone) and more like services (such as your telephone service). Most people I know are happy with most or all of their appliances and loathe and despise most or all of their services. E.g. wireless phone services and cable TV services are the two most despised classes of business in the USA (according to consumerreports.com).

It may not seem so bad to only have to pay for Word when you want to use it (which is probably what Microsoft realised when it stepped back from the brink). After all, most people get a version of Office with their computer and then don’t use most of it (how many businesses pay to put a copy of Access on every PC?), and forget they own it when they give the computer away or drop it into landfill. But imagine getting a monthly “Office Service” bill and having all your documents deleted (or just inaccessible) should you fail to pay it; this is the kind of “service” such companies would like to provide.

It’s funny how language evolves. Imagine what the word “service” will mean in a few decades.

The March of Folly, continued

The government policy which immediately sprang to my mind as I read “The March of Folly” was (obviously, I think) the US invasion (or, if you prefer, liberation) of Iraq. In fact, I often felt as I read the section on Vietnam that entire paragraphs and pages might be taken as accurately describing Iraq if only the word Vietnam were replaced with Iraq throughout.

After finishing the book, however, I second-guessed myself. Was the invasion so clearly a folly in hindsight? Was not the war justified solely on the grounds of removing Saddam from power? Were we clearly going to fail? (After all, a correct policy incompetently pursued is not a folly at all, either by Tuchman’s definition or in common parlance.)

I was quite staggered, however, to read the latest Atlantic Monthly feature story, “Blind into Baghdad”. The upshot: almost every problem encountered by the US in its occupation of Iraq was predicted (and in many cases workable solutions proposed) by organisations inside the US government (e.g. the State Department, USAID) and NGOs before the invasion took place. Their advice was wilfully ignored by the Office of the Secretary of Defence, which went so far as to forbid the participation of Pentagon officials in crucial meetings.

It is important to point out that critics of the war — especially politicians — have focussed almost solely on (a) the way the US went into it alone without gathering allies, and (b) the fact that Weapons of Mass Destruction (the ostensible justification for the war) were not found. The first is not an argument of justification but of means — if the war was just then the US’s lack of allies does not make it unjust and vice versa. (French and German participation in a war are hardly indicators of its being just, and yet almost all such criticism would have been squelched had they been involved.) The second is not as important as you think: many wars are not fought for their stated reason. E.g. we did not fight WWII simply because of Pearl Harbour or the Civil War simply because of Fort Sumter.

Neither of these criticisms (if they were accurate) would qualify this war as folly. The real questions we should be asking are: (a) was the war in our interest? and (b) has the war been conducted competently? Unless the occupation turns into an absolute fiasco of Vietnam proportions, or another vicious tyrant takes over Iraq as soon as the US leaves, it may never be possible to answer the first question definitively. As to the second, it seems quite clear that the rift between the Bush II administration and the State Department (or indeed any sources of information not wholly in agreement with its wishful thinking) has seriously degraded the quality of US policy.