Hacker News
Firebase 404 (firebase.com)
118 points by ca98am79 on Aug 10, 2013 | 26 comments



The 404 page now shows MMO Asteroids. After the game came out last year, I forked it to create MMO Spacewar (http://www.mmospacewar.com) where the rules were adjusted to be more like the iconic game (user now has a single life but also an energy bar, new warp command, and movement, shooting and getting hit costs energy but you regain energy over time) and additional improvements were made (you cannot get killed right after spawning, fixed sound effects, and users can choose the instance via a hashtag URL.)

The fork also lets you create asteroids and spaceships (added back from the original one-player version of the game), although at the moment they are not shared among clients so other players may be confused about what you're shooting at or what is killing you.

One interesting aspect of this is that while developing I originally had my client playing on the MMO Asteroids Firebase table which in effect made this a cheat client (it can warp, not instantly killed). But it is a slightly more ethical cheat client in that the player still can be killed, the total amount of mobility is limited, and you only get one ship so instead of pure cheating it is like adding another spaceship class to MMO Asteroids.

Edit: I didn't have a lot of people to playtest with, so I'm not sure how much fun this actually is. My early observation is that it might be too hard to kill people and that you tend to have the best luck if your opponent moves around a bunch to deplete their energy.


The leaderboard is already hacked.


It wouldn't surprise me if it was since it is so easy to do, but I don't think it has been (yet).

I think the leaderboard might have been generated during development when I was playing 'single player' spawning asteroids and spaceships and shooting them. (Hold down 'o' or 'p' a bunch to get some easy targets.) It is much easier to get a high score that way, although I just noticed that you don't get points for that any more.

Since you cannot trust other people's scores, I think apps like this should just show you your own high score (which you can note yourself when you die for now).

Edit: (1 hour later) pwned


Yup. You can set your score to a string and it just puts the latest as highest. You can also manually rename yourself. Are all Firebase apps this vulnerable?

edit* I left a message in the high score box for anybody looking for something proofy


I love Firebase but these kinds of security holes make me hesitant to use it for anything serious. Is it even possible to prevent without adding an extra server layer?


Well, you are exposing the database at the JavaScript level. If it is JavaScript then you can mess with it in your browser via the developer console. So if you are using Firebase via JavaScript your application is fundamentally insecure. You cannot even put server-side sanity checks like "this person should not ask for this value" or "nobody should have a string for a score" because of Firebase's limitations.


There was a time when that was true, but these days you can easily do those sorts of things using Firebase security rules: https://www.firebase.com/docs/security/security-rules.html


I still don't see how setting security rules would prevent cheating. I would love to know how to fix this issue as I'm making a similar MMO game with Firebase.


Aha! My only use of Firebase was writing a chat application for fun back at their launch marketing push. This is good to see, and I think I might go play with it more.


You have obviously never tried Firebase.


So how would you prevent people from just setting whatever score they want in this game?
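An added example, not part of the thread and not Firebase's or the game's own configuration: Realtime Database security rules of the kind linked above, in the current rules syntax, that reject a string score, a lowered score, an oversized name and a write to another player's entry. The `leaderboard/$uid` layout, the field names and the bounds are assumptions; rules like these constrain the shape and ownership of a write but cannot show that a score was actually earned in play.

```json
{
  "rules": {
    // Hypothetical layout: leaderboard/<uid> = { name, score }
    "leaderboard": {
      ".read": true,
      "$uid": {
        // Only the signed-in owner may write this entry.
        ".write": "auth != null && auth.uid === $uid",
        ".validate": "newData.hasChildren(['name', 'score'])",
        "score": {
          // Must be a number within an assumed cap; an update may not lower it.
          ".validate": "newData.isNumber() && newData.val() >= 0 && newData.val() <= 1000000 && (!data.exists() || newData.val() >= data.val())"
        },
        "name": {
          // Bounded-length string (limit of 16 is an assumption).
          ".validate": "newData.isString() && newData.val().length > 0 && newData.val().length <= 16"
        },
        // Reject any field other than name and score.
        "$other": { ".validate": false }
      }
    }
  }
}
```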


I love the Ehh messages:

It's not working on my browser! A patch by Bill Gates is imminent. In the meantime, use telnet as your browser.


It's probably not a good thing that your 404 page features _multiple other_ users that are also experiencing some sort of error at the exact same time


It's probably fellow HN'ers following the link.


Whoosh? Yes, in this context. But in the wild having several users viewing 404 pages at the same time probably means you're handling your URLs wrong.


But it sure does soothe my 404-induced anger.


I may have sorta kinda broke it completely.

  Game.score = [];
  for (var i = 0; i < 10000; ++i) {
    Game.score.push(String.fromCharCode(Math.floor(Math.random() * 65536)));
  }
  Game.score = Game.score.join('');

One of those random characters needs to be escaped in the JavaScript returned by Firebase, but isn't.


For me this is bad UX. Look at the small 404 message above. For some non-techie people, they won't read the top 404 message and they think "Oh this is the page I am looking for. But, my friend said that I would see a cat; why am I now seeing this multiplayer game?"



Is the game powered by Firebase somehow?


Yep—we took the single player HTML5 game and added Firebase to make it multiplayer; here's the diff between single & multiplayer: https://github.com/firebase/HTML5-Asteroids/commit/f42ae8b9f...


The giant "POWERED BY FIREBASE" section on the game's page is your hint.


Yes. The game is 'multiplayer'


I was at 3600 with many lives but the game froze :/.


Hi score! I'm Guest8124 with 7400. Challenge me.


LOL! It's full of HN'ers!



