Two aspects of Mage: the Ascension; and general insights on gamers who use game concepts to trigger their personal neuroses

There were at least two aspects of Mage: the Ascension that really captivated me, and that also attracted a lot of contempt from other gamers.

1 – The game world was supposed to be a subjective reality with polycentric authority. There was supposed to be no one true reality. (I know a lot of gamers who initially agreed to this premise, then went berserk trying to deny it. Their neuroses were threatened, and they fought fiercely to defend them.)

2 – Quintessence and Tass were supposed to be interesting prizes, counterbalanced by temporary Paradox points. (I know a lot of gamers who turned every usage of these game elements into a fun-destroying battle of neurotic over-reactions.)

In my opinion, most groups never really got a handle on point (1). The notion of subjective reality would be hard enough for a philosophy class, and harder for a single-author artwork like a surreal movie. Trying to shoehorn such a weird concept into the ego-driven chaos of a role-playing game is far beyond the talents of most TRPG groups I’ve played with.

There are a lot of New Age self-improvement motivational speakers who are happy to talk about “subjective reality”, e.g.:

I don’t plan to turn this blog into a New Age buzzword festival: I just want current and former Mage players who feel frustrated by the treatment of subjective reality in Mage books to be advised that there are plenty of alternatives out there.

As for point (2) – well, we have had games like that since AD&D made us cut up monsters for potion components, and Ars Magica similarly had a lot of monsters that could be broken down for vis. The thing that makes Prime different from the five arts of Vis is that Vis was supposed to be magic-specific and Prime was supposed to apply to all of reality. But, as mentioned above, Mage didn’t really do a good job of getting its players on the same page about reality.

In practice, any TRPG is only as coherent as the team of participants that make it happen. If any members of your team annoy the rest of the team badly enough, that team will break up. TRPGs are vastly more fragile than e.g. a game of Skyrim. Your copy of Skyrim won’t stop executing even if you build your characters in ways that the designers would have considered distasteful. Even if the designers let some neurosis creep into the design, the computer program isn’t sophisticated enough to mimic a full-scale neurotic gamer breakdown.

You can easily make a game of Mage that would cause all your former gaming buddies to recoil in horror and add your cell phone number to their blocked lists. You could presumably make a game of Mage so disgusting that all the designers and players whom you had never met would join in solemn conclave and denounce you as a disgrace to the game. (Tabletop gamers love denouncing each other – check out some of the vitriol that gets thrown at the author of F.A.T.A.L. if you’re in the mood for internet drama.)

Whether or not a TRPG triggers your personal neuroses, you probably have several personal neuroses you don’t know about, and you probably find reasons to trigger them. Figuring out the reality of your mind is a big challenge. I can’t offer much advice on how to solve the challenge; I’m still working on my own neuroses.


Session Management for HTTP

Things To Do

All applications in your organization should be developed following these design goals:

All applications should share a well-debugged and trusted session management mechanism.
All session identifiers should be sufficiently randomized so as to not be guessable.
All session identifiers should use a key space of at least XXXX bits.
All session identifiers should use the largest character set available to them.
Sessions SHOULD time out after 5 minutes for high-value applications, 10 minutes for medium value applications, and 20 minutes for low risk applications.
All session tokens in high value applications SHOULD be tied to a specific HTTP client instance (session identifier and IP address).
Application servers SHOULD use private temporary file areas per client/application to store session data.
All applications SHOULD use a cryptographically secure page or form nonce in a hidden form field.
Each form or page nonce SHOULD be removed from the active list as soon as it is submitted.
Session ID values submitted by the client should undergo the same validation checks as other request parameters.
High value applications SHOULD force users to re-authenticate before viewing high-value resources or completing high-value transactions.
Session tokens should be regenerated prior to any significant high value transaction.
In high-value applications, session tokens should be regenerated after a certain number of requests.
In high-value applications, session tokens should be regenerated after a certain period of time.
For all applications, session tokens should be regenerated after a change in user privilege.
Applications should log attempts to continue sessions based on invalid session identifiers.
Applications should, if possible, conduct all traffic over HTTPS.
If applications use both HTTP and HTTPS, they MUST regenerate the identifier or use an additional session identifier for HTTPS communications.

Things Not To Do

Applications should NOT use any user personal information (user name, password, home address, etc.) as session variables.
Highly protected applications should not implement mechanisms that make automated requests to prevent session timeouts.
Highly protected applications should not implement “remember me” functionality.
Highly protected applications should not use URL rewriting to maintain state when cookies are turned off on the client.
Applications should NOT use session identifiers for encrypted HTTPS transport that have once been used over HTTP.
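The rules in both lists, as an added example in Python that is not part of the original page: an in-memory session store that applies the timeout tiers, ties high-value sessions to the client address, validates and logs bad identifiers, regenerates the token after a request count, a time period and a privilege change, and issues single-use form nonces. The rotation thresholds are assumed values, since the page gives none.

```python
import re, secrets, time

IDLE_TIMEOUT = {"high": 5 * 60, "medium": 10 * 60, "low": 20 * 60}  # seconds, per the list above
ROTATE_AFTER_REQUESTS, ROTATE_AFTER_SECONDS = 100, 15 * 60  # assumed: the page says only "a certain number/period"
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]{43}$")  # exact shape of secrets.token_urlsafe(32)

class SessionStore:
    def __init__(self, tier="high", clock=time.time):
        self.tier, self.clock, self.sessions, self.log = tier, clock, {}, []
    def create(self, user, priv, ip):
        now, tok = self.clock(), secrets.token_urlsafe(32)  # 256 CSPRNG bits, URL-safe base64
        self.sessions[tok] = {"user": user, "priv": priv, "ip": ip, "created": now,
                              "last": now, "requests": 0, "nonces": set()}
        return tok

    def _rotate(self, tok):  # move the data under a fresh id; the old id stops working
        data, new = self.sessions.pop(tok), secrets.token_urlsafe(32)
        data.update(created=self.clock(), requests=0)
        self.sessions[new] = data
        return new

    def validate(self, tok, ip):  # returns the (possibly regenerated) token, or None if rejected
        now = self.clock()
        # Check the id's shape like any other request parameter before using it as a key.
        s = self.sessions.get(tok) if isinstance(tok, str) and TOKEN_RE.match(tok) else None
        if s is None:
            self.log.append(f"invalid session id from {ip}: {tok!r}")  # feed this to monitoring
            return None
        expired = now - s["last"] > IDLE_TIMEOUT[self.tier]
        wrong_client = self.tier == "high" and s["ip"] != ip  # high value: tie token to client
        if expired or wrong_client:
            del self.sessions[tok]
            return None
        s["last"], s["requests"] = now, s["requests"] + 1
        if s["requests"] >= ROTATE_AFTER_REQUESTS or now - s["created"] >= ROTATE_AFTER_SECONDS:
            return self._rotate(tok)
        return tok

    def change_privilege(self, tok, priv):  # regenerate after any change in user privilege
        self.sessions[tok]["priv"] = priv
        return self._rotate(tok)

    def issue_nonce(self, tok):
        nonce = secrets.token_urlsafe(16)
        self.sessions[tok]["nonces"].add(nonce)
        return nonce
    def consume_nonce(self, tok, nonce):  # single use: gone the moment it is submitted
        nonces = self.sessions[tok]["nonces"]
        return nonce in nonces and nonces.remove(nonce) is None
```

The store keeps state in process memory only; the page's rule about private per-client temporary file areas applies once session data is persisted.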

Drinking from the firehose: A list of do-it-yourself resources that gets too huge automatically becomes silly

Here is a link to a giant list of teach-it-to-yourself Linux security resources:

This list is huge. It’s almost a joke to put everything into one list. It could easily take a normal person a year of 40-hour weeks to trudge through every resource on that list and really pay attention to each relevant detail.

I think this is what they call “drinking from the firehose.”

I feel bitter about BetterSurf

the BetterSurf Firefox extension … is malware. How it gets onto your machine is still a mystery.

If you do run it, this is what happens: It starts servers listening on It steals private information from all local Internet browsers

But this is not the frightening part. There are several other things it does to your PC, including a TASK it schedules to run called AmiUpdXP, which you can find and delete from c:\windows\tasks\AmiUpdXp.job on windows 7.

Other things I have found: A folder is created in your appdata/local called SwvUpdater which is referenced by the Task to run Updater.exe – the frightening part, since it will be able to download and execute any future malware/virus/worm. Server data goes to: Update downloads from: hxxp:// (borked it so it doesn’t create clickable link)

What is the Seeks P2P pattern matching network?

What is Seeks?

Seeks is a p2p pattern matching overlay network on top of existing search engines. It provides collaborative web search capabilities by automatically grouping users based on the similarity of their queries, and letting them reorganize and evaluate the search results together. Seeks implements a web search proxy and a distributed hash table for this purpose.

What does Seeks do again? I’m confused.

Seeks proposes that users share their queries to the main web search engines. By doing so, users who perform similar queries can be automatically connected together through a p2p network. The grouping of users is called a search group. Within a search group, users and their machines interact to evaluate, organize and monitor the results of their queries. Also, users will have the ability to connect to a search group and publish their own work (i.e. websites, comments, tweets) directly to the group.


Is your browser configuration rare or unique? If so, web sites may be able to track you, even if you limit or disable cookies.

Panopticlick tests your browser to see how unique it is based on the information it will share with sites it visits. Click below and you will be given a uniqueness score, letting you see how easily identifiable you might be as you surf the web.