I'm a long time lurker but not a frequent poster. I've been playing the game since day 1 and I still enjoy it (heck, I've stuck with it this long).
I used the IAP tool. I actually found it really handy (as others did) for smoothing out pain points in the client. It was super helpful for managing my duplicate crew and allowing me to delete them right in the app in bulk rather than having to remember who's in my active roster and who's in my freezer and then tapping them one by one to delete. The voyage functionality was also extremely helpful.
I suppose some are complaining that they think the tool is automation. Personally, I disagree. I think the IAP tool helped me make more informed and efficient decisions about the crew that I would send on voyages and the gauntlet. It was also very useful for helping me decide where to allocate my resources to most efficiently rank up my crew. I'd still have to make these decisions myself and interact with the IAP tool or the client to start the voyages, choose dilemmas or play the gauntlet. I might agree that it was a crutch but don't see it as a computer playing the game for me.
What's difficult for me is that I now know that I can easily get 8-9 hour voyages with the IAP app helping me select the best crew and ships. Going back to the old way of me eyeballing things and making a best guess as to what would work is now hard and quite frankly painful. I recently used the online voyage calculator to optimize my voyage and probably spent 15 minutes iterating and scrolling through crew to come up with something that would be reasonably worthwhile. It was painful and tedious which DB should be acutely aware of because if people find that playing the game isn't fun anymore they will go somewhere else.
It's been asserted that code from the IAP tool has been used to cheat in events. While I don't think anyone knows for sure, there's definitely a lot of smoke indicating that something was a bit off. That's a problem for DB - why would I or others spend $5 or $10 on a shuttle boost pack or an event crew pack if I know that a bunch of people out there are probably going to exploit the API and blow me out of the water? I'm a little concerned that DB hasn't addressed this or explained anything to the community about what happened and what they are doing to ensure people are gaining unfair advantages. The silence is deafening.
Some are arguing that money is the biggest exploit of them all. Perhaps, but realistically it's what keeps the lights on and ensures that we all have a game to play.
I hope that DB can make some improvements to their inventory and crew management as well as to the voyages. Given how many people used the IAP tool, that should be a strong indication that some changes are needed so that people can spend their time doing the things they find fun in the game and not having to focus on the tedious stuff.
I'm not going to stop playing. I still enjoy collecting crew, ranking them up and competing in the events with my fleet. The only real fallout for me is that I might be a little more hesitant to spend money for events with this cloud of suspicion that people might be exploiting the game for an unfair advantage. I'm hoping that DB will put my fears at ease sometime in the near future.
My 2 cents anyways, for those who didn't see this and say tl;dr.
Frank and Roonis have shed some light on a couple aspects of IAP to which I had been entirely oblivious. I had no idea it could be used in any capacity for shuttles, for instance. The concerns they've highlighted are considerably more serious than the nebulous and often mischaracterized concerns previously voiced. I'm not clear enough on enough technical parts of all this to comment meaningfully on most of it, but I do withdraw my support for the app as it existed behind the curtain.
I want to believe that the app was created with benign intent and that most of us who did use it used it in that spirit. And I think that's a safe belief to hold, if only because if racking up 50k VP in a shuttle event had been known to be a thing, that would have been the rallying cry, not Gauntlet animations.
I also have no reason to dismiss claims of being treated to abuse privately, and I stand by my call for any appropriate disciplinary measures to be carried out against those parties, should DB be provided with enough for them to take action.
I want to believe that we as a community are above such vitriolic behavior. Yeah, there's hyperbole and friction from time to time, but I never worried that any of my fellow forum users might resort to doxxing. What's troubling is that even if that accusation should be unfounded, the plausibility has been introduced as a concern.
I forgot there is no way in this 'collection' game to search or sort inventory items, only scroll...
No way to see how many replications I have left ...
Hmm now I know I immortalised and froze a new 3* crew last night, and I got an obscure new 4* in the pull, but it was late and I forgot who I should add to my crew spreadsheet ...
Then the voyage I set up now, I do not mind so much the crew selection, but is there an actual order to the voyage ship selection... I guess I could count how many taps to get to my favourite maxed Enterprise... then I must something maxed with a transwarp drive for the bonus...
As much as I loathe that people were able to use the app to cheat, cheats will always find a way if there is no punishment, and I could get over them if I could just sort and search in my collection game again...
The video is basically a portion about the function that handles the resolution of dilemmas in IamPicard ("_chooseDilemma"), and an interpretation (that I don't agree with) that is intended as a malicious multitapper (and that is activated by the user by multitapping, which I'm 100% sure is incorrect).
Then, a similar code in the shuttles section, regarding claiming shuttles, with similar conclusions. And a chart showing a regular player in an event, getting points in constant amounts, and a top player, getting a lot of points suddenly (this is not impossible, there are legit in-game ways of doing it; it is acknowledged in the video but it is still shown as "suspicious").
And then there are a lot of chat captures that I didn't really pay attention to. If I recall, it was all people talking about IamPicard, asking the author via PM about the code, with no answers.
The "exploit" in question was programmed, in the IamPicard app, in July, for a bug in the server that (observation suggests) didn't exist until last week, and doesn't exist anymore. That's a big hole in the "the app was created to cheat" theory.
Both the IaP developer and DB would have a case to answer for a multitapping exploit.
First tap should place the user's account into a transactional state and return a 409 for any follow-up requests until said transaction was complete or rolled back.
But yeah, if the IaP was even trying to use an exploit, that's not good. But, as you say, could be the code there is an artefact - need some kind of evidence that it was an exploit rather than dubious coding.
However, a year or so back I debated automating galaxies just to the threshold, but I didn't trust myself to not dream up justifications for using it beyond that, so decided against it. Not every developer has that self control, and it's taken years for me to get to that point, so I wouldn't be too shocked if someone gave in to temptation.
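A minimal server-side version of the guard described in the post above, as an added example rather than code from DB's server or IamPicard; `ClaimGuard`, `createClaimService` and the account and item ids are hypothetical. It goes one step beyond the post by keeping the item marked as claimed after commit, so a late repeat is refused as well.

```javascript
// Added example: reject duplicate ("multi-tap") claim requests with 409.
// All names and ids here are hypothetical, not taken from any real server.

// Tracks one claim per account + claimable item: absent -> pending -> done.
// In production this state belongs in the database (a unique constraint or
// an atomic compare-and-set) so it also holds across several server
// processes; an in-process Map keeps this example runnable offline.
class ClaimGuard {
  constructor() {
    this.state = new Map();
  }

  // Synchronous check-and-set: there is no await between the check and the
  // write, so two requests interleaved on the event loop cannot both pass.
  begin(key) {
    if (this.state.has(key)) return false;
    this.state.set(key, 'pending');
    return true;
  }

  commit(key) {
    this.state.set(key, 'done'); // stays claimed: later repeats are refused
  }

  rollback(key) {
    this.state.delete(key); // nothing was granted, so a retry is allowed
  }
}

function createClaimService() {
  const guard = new ClaimGuard();
  const ledger = []; // rewards actually granted

  // Stand-in for the slow storage write during which extra taps arrive.
  async function grantReward(accountId, itemId, failWrite) {
    await new Promise((resolve) => setTimeout(resolve, 10));
    if (failWrite) throw new Error('storage error');
    ledger.push({ accountId, itemId });
  }

  async function handleClaim(accountId, itemId, failWrite = false) {
    const key = `${accountId}:${itemId}`;
    if (!guard.begin(key)) {
      return { status: 409, body: 'claim in progress or already completed' };
    }
    try {
      await grantReward(accountId, itemId, failWrite);
      guard.commit(key);
      return { status: 200, body: 'reward granted' };
    } catch (err) {
      guard.rollback(key);
      return { status: 500, body: 'claim failed, nothing granted' };
    }
  }

  return { handleClaim, ledger };
}

// Fire `taps` identical requests at once, then one more after completion.
async function simulateMultiTap(taps) {
  const service = createClaimService();
  const responses = await Promise.all(
    Array.from({ length: taps }, () =>
      service.handleClaim('acct-1', 'dilemma-42'))
  );
  const late = await service.handleClaim('acct-1', 'dilemma-42');
  return {
    statuses: responses.map((r) => r.status),
    lateStatus: late.status,
    granted: service.ledger.length,
  };
}

// A failed write rolls the transaction back, so an honest retry succeeds.
async function simulateRollbackThenRetry() {
  const service = createClaimService();
  const first = await service.handleClaim('acct-1', 'shuttle-7', true);
  const retry = await service.handleClaim('acct-1', 'shuttle-7');
  return {
    firstStatus: first.status,
    retryStatus: retry.status,
    granted: service.ledger.length,
  };
}
```

Logging each 409 together with the account id gives operations a direct signal of which accounts are sending bursts of duplicate claims.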
I watched Roonis and Frank’s video and enjoyed it a lot. I wish more of this stuff was on YouTube.
I’ve since ruminated a lot and continued to follow the debate. I’m not a member of a court of law and have no ability to punish anyone and as such do not need the level of evidence that a court would and so I’m fairly convinced that the app was being used for cheating, probably with the app designer’s consent.
The webpage did have the ability to collect shuttles. And if it was possible to multi tap those, well there’s the route to event cheating.
So it is appropriate that the app be removed as we obviously could not continue with it out there.
However, the app should be replaced with something more benign. The code is out there and will be used for nefarious purposes anyway, most likely. That’s something that DB needs to address.
They should also address the fact that the official app is inadequate to the task and either adopt some of the ideas in the 3rd party apps or create a genuine public API that uses a DB generated token that allows read only access to accounts. EVE online has done this for over a decade.
The way this works is that DB generates an API key for each account, which you can only get by logging into their website and you share that with 3rd party apps instead of your username and password.
It works well. I’d love to be able to help fleet members prioritise their levelling etc, having had a look at what they had. And yes inventory management is a big deal and needs to be addressed in some form by DB.
Even though the API is public facing, nowhere did DB state it was for public use. My college has an API exposed to the internet for use by 3rd party integration services. It is exposed to the public, but it is not a public API. There is a difference.
How did your college moderate third-party access to the API? Was it through some form of authenticating that the third party client was allowed access perchance?
Then that is a private API.
If you don't have it locked down then it is, by default and definition, public.
Here's a cheat sheet:
Not accessible directly via the internet - private API
Accessible via the internet, with client access authentication - private API
Accessible via the internet, without client access authentication - public API
There is no need to state that it is public, its attributes define that, and the defining attribute is client access authentication.
Just like the ducks near me don't have placards informing all and sundry of their inherent duck-ness, people can determine that from the walking and quacking.
FWIW, for those way back in these threads worried about Gauntlet advantages, I've now pretty much convinced myself of what many asserted anecdotally: that the IAP Gauntlet crew-population recommendations (using the default parameters) were not optimal (and hence they frequently overrode them).
As a partial example, here is my calculation on the MVPs for the current Gauntlet I'm in (DIP + Klingon, Investigator, Cultural Figure):
With my crew, the "correct" crew available to populate, in order, and assuming no game theory applied to strategy, would be:
Caretaker
Klingon Bride Jadzia
Gary Seven
Romulan Picard
Armus
The utility score shown is, over all 15 skill pairs, sum( P(skill pair) * avg proficiency of that skill pair * crit bonus).
I ran the IAP recommender enough to know that I had to beat it (its adjustable parameters) with several sticks for it to recommend (using my crew) anything other than Gary Seven, Armus, Defensive Phlox, Seven of Nine, and then a variable crew member, often Captain Beverly. I.e., just plunk the heavies in all the time. In this case, I'm certain I would have had to crank "featured skill" WAY up and/or crit bonus WAY up (down, in the tool) for KBJ or Romulan Picard to show up as a recommend.
I believe what was going on is that the default parameter settings significantly undervalued the utility of the featured skill in "unlocking" medium-strength crew's points to be available, or "blocking" strong but non-featured skill crew's points in being unavailable. The tool allowed you to set a variable for this which started at "10", but there was no description of what "10" meant, and allowed you to adjust it in increments of 1. From messing with it I believe you would have had to crank it up to ~30+ to have the featured skills' impact correctly (statistically) accounted for. I seriously doubt any users felt comfortable in doing that, I certainly didn't. So many went with what they instinctively felt were the best choices.
The "throw the heavies at the wall" recommendations worked adequately, I regularly ended up somewhere in top 25 which is all I wanted. So far, using my optimized crew, I'm ending up in the same rank range. The question would be how many more rounds might my optimized crew have bought me (which I didn't record), and then, did the one-on-one IAP matchup recommendations provide an offsetting edge (they may have). Either way, I'm very confident for myself now that IAP did not provide a deterministic, optimal advantage to users who left it at the default parameter settings. YMMV may vary based on your gauntlet strategy.
Interesting note: using this approach, Abe Lincoln should be equivalent to Klingon Bride Jadzia in utility for this round, but I have not once seen him in matchups this Gauntlet. KBJ has done admirably for me, regularly knocking down wall heavies when I need to. I suspect there's some human bias that Abe is now a middling / aging Gauntlet crew who has lost his value due to skill creep. Or just that he's an icky card that isn't pursued, so fewer have him to play. Dunno, but he should have been able to hold his own this round.
I always set the trait modifier to somewhere around 0.8 instead of 3, though I never adjusted the featured skill thing because my non-rigorous analysis of skill pairs didn’t suggest it came up as often as you have shown. Result: ending up pretty much where I did before using IAP (and since), depending on RNG and my own availability more than anything else.
I definitely enjoyed Roonis and Frank breaking it all down. You gained a new fan, and I’ll be looking forward to new episodes.
Even if, as some say, all the answers weren’t there, or weren’t clear-cut, I think there was enough to warrant the removal of the tool. I said somewhere about 900 comments ago that I reserved the right to be wrong about IAP, and I will claim that right now. 95% of the tool was great and should be replicated in-game as soon as possible, unfortunately the other 5% was completely game-breaking, whether by design or unintended consequence. It simply could not continue to exist as it was.
Whelp, we're not going to get too involved here. Just suffice it to say it's too bad we've let a couple of self-righteous people with no understanding of programming completely reframe things for their own self interest using histrionics and selective snippets, all the while assaulting others and proving such assaults that they "denounce" have taken place.
Well, if you are referring to the Roonis / Frank video, did you watch it? They showed a screenshot of dilemma results from executing the code attached to the "Random" button. It was a lot more
One of my favorite lines from "A Secret to my Success" is "There is no right or wrong. There is only opinion." Here's another way to put this:
By my definition, a public API is public facing, with the author publishing documentation and giving people permission to access it. Access controls do not play into this definition.
By your definition, a public API is any API that can be discovered by the public and accessed with or without the permission of the authors, as long as you do not have to authenticate (providing an identity) to do so. Whether or not the author intended for it to be public does not matter. As long as you can access it, it is public and you have the rights to access it.
But the analysis was flawed. It lacked expertise to assert that the claims about the functionality were correct, and resulted in multiple rewards. And can't explain the behaviour of the code in all the time it was (is, actually) live.
A summary:
If what the video says is correct (the code is designed as an auto multi tapper, the code has existed since July), everyone (every user of IamPicard, web and desktop) since July should have gotten multiple rewards (from the random choice button). WITH JUST ONE CLICK, NO NEED FOR MULTIPLE PRESSES BY THE USER (as the video says).
The only way to link that code with the multiple rewards reported is to consider a change in the server (DB server, nothing to do with IaP) that allowed multiple requests for the same dilemma. That change could have been introduced in 7.0.9. This would explain reports in the week of the update, and why it didn't happen before, and is not happening now (the change, a bug in the server, has been patched).
It would explain why DB is ultra silent about this.
You understand that my definition is how the internet actually works?
A Web API is just an endpoint that emits a subset of media types and directly supports a richer set of verbs.
You go to https://www.google.com, that's a GET request that serves a text/html response.
You go to https://api.github.com, that's a GET request that serves an application/json response.
Now GitHub does have a brief TOS for using their API, however that is for their private one where they can revoke access as needed. They can't really do that for the public root beyond the usual anti-DDOS mechanisms, so... Use as you wish. Not much you can do, but then they're smarter than DB.
Every website is effectively a Web API serving text and media, and when you see a login page, that is where you are moving from a public domain into a private one where access and account are combined into one mechanism.
Now when doing my VAT returns I sometimes make use of http://www.vatcalculator.co.uk/ - it has no terms of service. Should I not be using it? Is it a private website because there is no explicit consent given?
Or is consent implicit?
And, remember, the only functional difference between that page and an API endpoint is the content-type. Nothing else.
Edit: Oh, and hands up who diligently goes through Google TOS - yup, they have some - when searching for something. Bueller?
Nobody in the history of computing has ever read any TOS document or EULA. Just lie and click the button...it’s how that one game developer a few years ago got the rights to the eternal souls of all of their customers.
I'm not a JS/Angular developer, so I can't be sure either of exactly how it behaves in those async calls, nor do I have the big picture to see which layer of the app is invoking,
The Guardians of Tomorrow Protecting the Galaxy's Future from Itself
Fleet Admiral
You can do as you want. You can also keep reading, and see that at the time of the post all I had seen was the snippet in the video, since then I have checked the code in the context of the app (so I can assert that the code doesn't trigger by accident or in weird, hidden situation) and even tested it. I also watched the rest of the video, with the statement that the code is live since July.
I said I'm not a developer in that particular technology, to honor the truth. But I'm a software developer of 15 years' experience, in several technologies (including limited knowledge of the ones in question), and while I can't assert with 100% precision what the code does (if there is someone who can come here and do it, please, do), I'm 100% sure the analysis in the video is incorrect, and with all the information available, I have no doubt about my opinion.
But please, don't take my word. If we can have someone here with a better understanding, to challenge any opinion, I'm all for it.
It's also how one tech support guy received a cash bounty from a software company. They had a line in there that said if someone contacts the company referencing that line in their TOS they would receive monetary compensation for reading the TOS.
---- The Guardians of Tomorrow Protecting the Galaxy's Future from itself
so basically the issue people have is the rand function that exploits the multi tap (news to me, never tried random, but ok), DB doesn't even know how to fix, and are still scratching their heads about how it happens. (hem hem, bad coding loopholes).
the IAP App still has a lot of positive parts that enhance and alleviate a lot of the issues that DB has continued to ignore for an extended duration (at least the 1.5 years i played).
so remove the Rand function from those parts, eliminates the issue.
it won't stop hackers and cheats from being hackers and cheats, bad peeps will still be bad peeps.
unless DB is willing to start fixing the issues that the IAPs address, then what else can be done. because without some kind of fix the game has become little more than money hungry ad generator. a great many of us have obviously been paying for it, and DB keeps pushing the problems aside or completely ignoring them.
i don't see the point in playing a game i no longer have fun at. the way DB has set up events, you practically have to make it a full time job just to keep up, without the IAP it's even worse. i for one, am so disheartened, that i have practically stopped playing. i log in collect my daily from my monthly card, because i had already paid for it. but otherwise, i have bailed.
DB needs to fire the Ferengi and hire more Engineers, Rom doesn't count.
[FSC] Peace Keepers
Gryphon [****] Adm
The random choice exploit was caused by a bug created and then fixed by DB (server side) as Kanon has shown. Like you, I did not know the real multi tap exploit, but the "Section 31" of the players knew about it and used it as an excuse to kill the tool. They managed to complete what they had started 3 months ago, thanks also to DB that in the meantime acted as Pontius Pilate.
This reaction is precisely why there are so few people willing to be a whistle-blower. The blame is put on them instead of on the cheaters. The "Section 31" of the players are the cheaters, and their cheating has managed to kill the tool.
Most anticipated character not in the game: Mr. Homn
The demise of the tool seems to have been precipitated by a general disenchantment with the game/community by the designer of the tool himself. Whether he cheated is a semi-open question, but the facts remain that he took down the tool.
It’s a shame it took a video by Frank and Roonis to shed some light on the situation. It was only after the publication of that video that we got a statement from Shan.
This suggests that DB didn’t know what was going on or didn’t (and doesn’t) want to communicate with us about bugs in the game code.
I suspect that DB often finds itself in the predicament where it doesn’t know how to fix the situation quickly and doesn’t want to draw attention to their failures and so wants to pretend like there is no problem. Whilst I understand this sentiment I do feel like this leads to an unfair advantage for people who are happy to indulge in exploits over many of the rest of us.
Has the voyage multi-tap been fixed or is it expected that we should all be trying to do it now?
It is fixed. There is no way to be sure, but it seems that it only worked during a small window of time after the release of 7.0.9 (probably the weekend, or less, until it was patched back)
The voyage multi-tap (aka "the claw method") is still a functioning bug/exploit
It still works in the game app. What Kanon is saying here is that hitting the random choice inside the voyage section of the IAP desktop app does not work.
I’m breaking my self imposed ban from these forums just to post to you.
I’m afraid I have some bad news for you. This was done via 0.8.3 desktop client, today.
I don't know what to tell you. I can't seem to duplicate that behavior, and I'm using the game app, and IamPicard. Did you do that yourself or someone sent you the screenshot?
Yeah, doesn't happen to me either. I'm dubious how one person can supposedly reproduce it ad infinitum, but nobody else can.
There has to be something different assuming first hand undoctored information.
Comments
I used the IAP tool. I actually found it really handy (as others did) for smoothing out pain points in the client. It was super helpful for managing my duplicate crew and allowing me to delete them right in the app in bulk rather than having to remember who's in my active roster and who's in my freezer and then tapping them one by one to delete. The voyage functionality was also extremely helpful.
I suppose some are complaining that they think the tool is automation. Personally, I disagree. I think the IAP tool helped me make more informed and efficient decisions about the crew that I would send on voyages and the gauntlet. It was also very useful for helping me decide where to allocate my resources to most efficiently rank up my crew. I'd still have to make these decisions myself and interact with the IAP tool or the client to start the voyages, choose dilemmas or play the gauntlet. I might agree that it was a crutch but don't see it as a computer playing the game for me.
What's difficult for me is that I now know that I can easily get 8-9 hour voyages with the IAP app helping me select the best crew and ships. Going back to the old way of me eyeballing things and making a best guess as to what would work is now hard and quite frankly painful. I recently used the online voyage calculator to optimize my voyage and probably spent 15 minutes iterating and scrolling through crew to come up with something that would be reasonably worthwhile. It was painful and tedious which DB should be acutely aware of because if people find that playing the game isn't fun anymore they will go somewhere else.
It's been asserted that code from the IAP tool has been used to cheat in events. While I don't think anyone knows for sure, there's definitely a lot of smoke indicating that something was a bit off. That's a problem for DB - why would I or others spend $5 or $10 on a shuttle boost pack or an event crew pack if I know that a bunch of people out there are probably going to exploit the API and blow me out of the water? I'm a little concerned that DB hasn't addressed this or explained anything to the community about what happened and what they are doing to ensure people are gaining unfair advantages. The silence is deafening.
Some are arguing that money is the biggest exploit of them all. Perhaps, but realistically it's what keeps the lights on and ensures that we all have a game to play.
I hope that DB can make some improvements to their inventory and crew management as well as to the voyages. Given how many people used the IAP tool, that should be a strong indication that some changes are needed so that people can spend their time doing the things they find fun in the game and not having to focus on the tedious stuff.
I'm not going to stop playing. I still enjoy collecting crew, ranking them up and competing in the events with my fleet. The only real fallout for me is that I might be a little more hesitant to spend money for events with this cloud of suspicion that people might be exploiting the game for an unfair advantage. I'm hoping that DB will put my fears at ease sometime in the near future.
My 2 cents anyways, for those who didn't see this and say tl;dr.
I have some bad news about books....
I want to believe that the app was created with benign intent and that most of us who did use it used it in that spirit. And I think that's a safe belief to hold, if only because if racking up 50k VP in a shuttle event had been known to be a thing, that would have been the rallying cry, not Gauntlet animations.
I also have no reason to dismiss claims of being treated to abuse privately, and I stand by my call for any appropriate disciplinary measures to be carried out against those parties, should DB be provided with enough for them to take action.
I want to believe that we as a community are above such vitriolic behavior. Yeah, there's hyperbole and friction from time to time, but I never worried that any of my fellow forum users might resort to doxxing. What's troubling is that even if that accusation should be unfounded, the plausibility has been introduced as a concern.
I forgot there is no way in this 'collection' game to search or sort inventory items, only scroll...
No way to see how many replications I have left ...
Hmm now I know I immortalised and froze a new 3* crew last night, and I got an obscure new 4* in the pull, but it was late and I forgot who I should add to my crew spreadsheet ...
Then the voyage I set up now, I do not mind so much the crew selection, but is there an actual order to the voyage ship selection... I guess I could count how many taps to get to my favourite maxed enterprise... then I must something maxed with a transwarp drive for the bonus...
As much as I loathe that people were able to use the app to cheat, cheats will always find a way if there is no punishment, and I could get over them if I could just sort and search in my collection game again...
Both the IaP developer and DB would have a case to answer for a multitapping exploit.
First tap should place the user's account into a transactional state and return a 409 for any follow-up requests until said transaction was complete or rolled back.
But yeah, if the IaP was even trying to use an exploit, that's not good. But, as you say, could be the code there is an artefact - need some kind of evidence that it was an exploit rather than dubious coding.
However, a year or so back I debated automating galaxies just to the threshold, but I didn't trust myself to not dream up justifications for using it beyond that, so decided against it. Not every developer has that self control, and it's taken years for me to get to that point, so I wouldn't be too shocked if someone gave in to temptation.
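The server-side guard suggested in the post above (first request puts the account into a transactional state, follow-ups get a 409 until commit or rollback), sketched as an added example that is not code from DB, the IAP tool or any poster. The class, function and account names are hypothetical, the reward is a constructed value, and refusing a repeat claim for an already-paid dilemma is an extra assumption beyond what the post states.

```python
import threading
import time
from http import HTTPStatus


class RewardServer:
    """Constructed in-memory stand-in for a reward endpoint (hypothetical names)."""

    def __init__(self):
        self._guard = threading.Lock()   # protects the state below
        self._busy = set()               # accounts with a transaction in progress
        self._claimed = set()            # (account, dilemma_id) already paid out
        self.rewards = {}                # account -> list of granted rewards

    def claim(self, account, dilemma_id, grant):
        # Atomically check and enter the transactional state.
        with self._guard:
            if account in self._busy or (account, dilemma_id) in self._claimed:
                return HTTPStatus.CONFLICT           # 409 for every follow-up
            self._busy.add(account)
        try:
            reward = grant()                         # slow work, outside the guard
            with self._guard:                        # commit
                self.rewards.setdefault(account, []).append(reward)
                self._claimed.add((account, dilemma_id))
            return HTTPStatus.OK
        except Exception:
            # Rollback: nothing was recorded, so a later retry is allowed.
            return HTTPStatus.INTERNAL_SERVER_ERROR
        finally:
            with self._guard:
                self._busy.discard(account)          # leave the transactional state


def slow_grant():
    time.sleep(0.05)            # widen the race window, as a slow backend would
    return "constructed-reward"


def burst(server, account, dilemma_id, n=8):
    """Send n simultaneous claims for one dilemma; return the status codes."""
    barrier = threading.Barrier(n)
    statuses = []

    def worker():
        barrier.wait()                               # release all threads together
        statuses.append(int(server.claim(account, dilemma_id, slow_grant)))

    threads = [threading.Thread(target=worker) for _ in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return statuses


if __name__ == "__main__":
    srv = RewardServer()
    print(sorted(burst(srv, "acct-1", "dilemma-42")), srv.rewards)
```

In a real deployment the check-and-enter step has to be atomic in the shared datastore (for example a conditional write or row lock), since an in-process lock does not cover multiple server instances.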
I’ve since ruminated a lot and continued to follow the debate. I’m not a member of a court of law and have no ability to punish anyone and as such do not need the level of evidence that a court would and so I’m fairly convinced that the app was being used for cheating, probably with the app designers consent.
The webpage did have the ability to collect shuttles. And if it was possible to multi tap those, well there’s the route to event cheating.
So it is appropriate that the app be removed as we obviously could not continue with it out there.
However, the app should be replaced with something more benign. The code is out there and will be used for nefarious purposes anyway, most likely. That’s something that DB needs to address.
They should also address the fact that the official app is inadequate to the task and either adopt some of the ideas in the 3rd party apps or create a genuine public API that uses a DB generated token that allows read only access to accounts. EVE online has done this for over a decade.
The way this works is that DB generates an API key for each account, which you can only get by logging into their website and you share that with 3rd party apps instead of your username and password.
It works well. I’d love to be able to help fleet members prioritise their levelling etc, having had a look at what they had. And yes inventory management is a big deal and needs to be addressed in some form by DB.
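The per-account, read-only API key described in the post above, as an added example that is not DB's, EVE Online's or any third-party tool's code. All names are hypothetical; it assumes the server stores only a hash of each key and treats GET and HEAD as the read-only methods.

```python
import hashlib
import secrets

READ_ONLY_METHODS = frozenset({"GET", "HEAD"})


class ApiKeyStore:
    """Issues keys that stand in for a username/password when talking to third-party apps."""

    def __init__(self):
        # sha256(key) -> account id. The raw key is never stored, so a leaked
        # table does not hand out working credentials.
        self._by_digest = {}

    @staticmethod
    def _digest(key):
        return hashlib.sha256(key.encode("utf-8")).hexdigest()

    def issue(self, account):
        """Called only from the logged-in account page; returns the key once."""
        key = secrets.token_urlsafe(32)      # 256 bits of randomness
        self._by_digest[self._digest(key)] = account
        return key

    def revoke(self, key):
        """Cut off a third-party app without touching the account password."""
        return self._by_digest.pop(self._digest(key), None) is not None

    def authorize(self, key, method, target_account):
        """Return the HTTP status an API gateway would answer with."""
        owner = self._by_digest.get(self._digest(key or ""))
        if owner is None:
            return 401                       # unknown or revoked key
        if method.upper() not in READ_ONLY_METHODS:
            return 403                       # key is read-only: no state changes
        if owner != target_account:
            return 403                       # key only opens its own account
        return 200


if __name__ == "__main__":
    store = ApiKeyStore()
    key = store.issue("captain-1")           # constructed account name
    for method in ("GET", "POST"):
        print(method, store.authorize(key, method, "captain-1"))
```

With a key like this, a third-party tool can read crew and inventory for planning but cannot collect rewards or start voyages, which is the separation the post is asking for.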
How did your college moderate third-party access to the API? Was it through some form of authenticating that the third party client was allowed access perchance?
Then that is a private API.
If you don't have it locked down then it is, by default and definition, public.
Here's a cheat sheet:
Not accessible directly via the internet - private API
Accessible via the internet, with client access authentication - private API
Accessible via the internet, without client access authentication - public API
There is no need to state that it is public, its attributes define that, and the defining attribute is client access authentication.
Just like the ducks near me don't have placards informing all and sundry of their inherent duck-ness, people can determine that from the walking and quacking.
As a partial example, here is my calculation on the MVPs for the current Gauntlet I'm in (DIP + Klingon, Investigator, Cultural Figure):
With my crew, the "correct" crew available to populate, in order, and assuming no game theory applied to strategy, would be:
The utility score shown is, over all 15 skill pairs, sum( P(skill pair) * avg proficiency of that skill pair * crit bonus).
I ran the IAP recommender enough to know that I had to beat it (its adjustable parameters) with several sticks for it to recommend (using my crew) anything other than Gary Seven, Armus, Defensive Phlox, Seven of Nine, and then a variable crew member, often Captain Beverly. I.e., just plunk the heavies in all the time. In this case, I'm certain I would have had to crank "featured skill" WAY up and/or crit bonus WAY up (down, in the tool) for KBJ or Romulan Picard to show up as a recommend.
I believe what was going on is that the default parameter settings significantly undervalued the utility of the featured skill in "unlocking" medium-strength crew's points to be available, or "blocking" strong but non-featured skill crew's points in being unavailable. The tool allowed you to set a variable for this which started at "10", but there was no description of what "10" meant, and allowed you to adjust it in increments of 1. From messing with it I believe you would have had to crank it up to ~30+ to have the featured skills' impact correctly (statistically) accounted for. I seriously doubt any users felt comfortable in doing that, I certainly didn't. So many went with what they instinctively felt were the best choices.
The "throw the heavies at the wall" recommendations worked adequately, I regularly ended up somewhere in top 25 which is all I wanted. So far, using my optimized crew, I'm ending up in the same rank range. The question would be how many more rounds might my optimized crew have bought me (which I didn't record), and then, did the one-on-one IAP matchup recommendations provide an offsetting edge (they may have). Either way, I'm very confident for myself now that IAP did not provide a deterministic, optimal advantage to users who left it at the default parameter settings. YMMV may vary based on your gauntlet strategy.
Interesting note: using this approach, Abe Lincoln should be equivalent to Klingon Bride Jadzia in utility for this round, but I have not once seen him in matchups this Gauntlet. KBJ has done admirably for me, regularly knocking down wall heavies when I need to. I suspect there's some human bias that Abe is now a middling / aging Gauntlet crew who has lost his value due to skill creep. Or just that he's an icky card that isn't pursued, so fewer have him to play. Dunno, but he should have been able to hold his own this round.
I always set the trait modifier to somewhere around 0.8 instead of 3, though I never adjusted the featured skill thing because my non-rigorous analysis of skill pairs didn’t suggest it came up as often as you have shown. Result: ending up pretty much where I did before using IAP (and since), depending on RNG and my own availability more than anything else.
Even if, as some say, all the answers weren’t there, or weren’t clear-cut, I think there was enough to warrant the removal of the tool. I said somewhere about 900 comments ago that I reserved the right to be wrong about IAP, and I will claim that right now. 95% of the tool was great and should be replicated in-game as soon as possible, unfortunately the other 5% was completely game-breaking, whether by design or unintended consequence. It simply could not continue to exist as it was.
Well, if you are referring to the Roonis / Frank video, did you watch it? They showed a screenshot of dilemma results from executing the code attached to the "Random" button. It was a lot more
One of my favorite lines from "A Secret to my Success" is "There is no right or wrong. There is only opinion." Here's another way to put this:
By my definition, a public API is public facing, with the author publishing documentation and giving people permission to access it. Access controls do not play into this definition.
By your definition, a public API is any API that can be discovered by the public and accessed with or without the permission of the authors, as long as you do not have to authenticate (providing an identity) to do so. Whether or not the author intended for it to be public does not matter. As long as you can access it, it is public and you have the rights to access it.
A summary:
If what the video says is correct (the code is designed as an auto multi-tapper, the code exists since July), everyone (every user of IamPicard, web and desktop), since July should have gotten multiple rewards (from the random choice button). WITH JUST ONE CLICK, NO NEED FOR MULTIPLE PRESSES BY THE USER (as the video says)
The only way to link that code with the multiple rewards reported, is to consider a change in the server (DB server, nothing to do with IaP) that allowed multiple requests for the same dilemma. That change could have been introduced in 7.0.9. This would explain reports in the week of the update, and why it didn't happen before, and is not happening now (the change, a bug in the server, has been patched).
It would explain why DB is ultra silent about this.
Public profile
Captain Zombie's Combo chain calculator
You understand that my definition is how the internet actually works?
A Web API is just an endpoint that emits a subset of media types and directly supports a richer set of verbs.
You go to https://www.google.com, that's a GET request that serves a text/html response.
You go to https://api.github.com, that's a GET request that serves an application/json response.
Now GitHub does have a brief TOS for using their API, however that is for their private one where they can revoke access as needed. They can't really do that for the public root beyond the usual anti-DDOS mechanisms, so... Use as you wish. Not much you can do, but then they're smarter than DB.
Now, go to https://api.github.com/notifications
Spot any difference between that and the root?
Every website is effectively a Web API serving text and media, and when you see a login page, that is where you are moving from a public domain into a private one where access and account are combined into one mechanism.
Now when doing my VAT returns I sometimes make use of http://www.vatcalculator.co.uk/ - it has no terms of service. Should I not be using it? Is it a private website because there is no explicit consent given?
Or is consent implicit?
And, remember, the only functional difference between that page and an API endpoint is the content-type. Nothing else.
Edit: Oh, and hands up who diligently goes through Google TOS - yup, they have some - when searching for something. Bueller?
Can't we apply the same statement above to the 18 posts you've added to this thread (since page 11) attempting to refute Frank and Roonis' opinion?
Especially since you yourself said on page 11 .....
Protecting the Galaxy's Future from Itself
Fleet Admiral
For more info on us, check our wiki page:
https://sttwiki.org/wiki/Fleet_Guardians_of_Tomorrow
GoT Bot server: https://discord.gg/R8QzpjW
All are welcome to join and use the Bot.
I said I'm not a developer in that particular technology, to honor the truth. But I'm a software developer of 15 years experience, in several technologies (including limited knowledge of the ones in question), and while I can't assert with 100% precision what the code does (if there is someone who can come here and do it, please, do), I'm 100% sure the analysis in the video is incorrect, and with all the information available, I have no doubt about my opinion.
But please, don't take my word. If we can have someone here with a better understanding, to challenge any opinion, I'm all for it.
It's also how one tech support guy received a cash bounty from a software company. They had a line in there that said if someone contacts the company referencing that line in their TOS they would receive monetary compensation for reading the TOS
The Guardians of Tomorrow
Protecting the Galaxy's Future from itself
The IAP App still has a lot of positive parts that enhance and alleviate a lot of the issues that DB has continued to ignore for an extended duration (at least the 1.5 years I played).
So remove the Rand function from those parts, eliminates the issue.
It won't stop hackers and cheats from being hackers and cheats, bad peeps will still be bad peeps.
Unless DB is willing to start fixing the issues that the AIPs address, then what else can be done. Because without some kind of fix the game has become little more than money hungry ad generator. A great many of us have obviously been paying for it, and DB keeps pushing the problems aside or completely ignoring them.
I don't see the point in playing a game I no longer have fun at. The way DB has set up events, you practically have to make it a full time job just to keep up, without the IAP it's even worse. I for one, am so disheartened, that I have practically stopped playing. I log in, collect my daily from my monthly card, because I had already paid for it. But otherwise, I have bailed.
[FSC] Peace Keepers
Gryphon [****] Adm
The random choice exploit was caused by a bug created and then fixed by DB (server side) as Kanon has shown. Like you, I did not know the real multi tap exploit, but the "Section 31" of the players knew about it and used it as an excuse to kill the tool. They managed to complete what they had started 3 months ago, thanks also to DB that in the meantime acted as Pontius Pilate.
This reaction is precisely why there are so few people willing to be a whistle-blower. The blame is put on them instead of on the cheaters. The "Section 31" of the players are the cheaters, and their cheating has managed to kill the tool.
It’s a shame it took a video by Frank and Roonis to shed some light on the situation. It was only after the publication of that video that we got a statement from Shan.
This suggests that DB didn’t know what was going on or didn’t (and doesn’t) want to communicate with us about bugs in the game code.