I played an interesting game on the Star Realms app today:
Any player of the game will know that this is an unusual game. A lot of cards are in play. Recently, to make this game more interesting, I was wondering what was the highest amount of damage I could inflict in a single turn. This was the first time I broke the 500 damage mark.
There are a few particular cards needed to actually achieve a high damage count. Since I’m bored, I’ll go into more detail. But first, some additional information:
- I have the core set, gambits, 1 year promo cards, and bases (the last three are in-app purchases)
- I delayed killing the opponent for as long as I wanted
- Opponent is AI on medium difficulty (as shown in the screenshot)
So here it is:
The most overpowered card in the deck, in my humble opinion, is the Blob World Base.
Allowing you to draw one card per Blob card in play is absolutely insane. So how many Blob cards are in the deck with the expansions listed above? Here is the list:
- 3 Blob Fighters
- 2 Blob Pod
- 3 Trade Pod
- 2 Ram
- 2 Blob Destroyer
- 1 Battle Blob
- 1 Blob Carrier
- 1 Mothership
- 2 Battle Screecher
- 1 Obliterator
- 3 Blob Wheel
- 2 Trade Wheel
- 1 The Hive
- 1 Blob World
- 1 Breeding Site
18 units and 8 Bases. So potentially 26 additional cards. Actually it’s possible to bump that number to 28 using two of these cards:
So drawing 20+ cards in a turn won’t get you 500+ damage. There are a few other cards you’ll need to accomplish this:
Both these cards allow you to return the Battle World from play back into your hand, allowing you to put it back into play and use its ability again. There are 2 Battle Barges in the deck and 1 Mega Mech. That said, I don’t know if it’s possible to draw all 26 Blob cards and both Merc Cruisers before using the Blob World. If possible, then in the best case scenario you could draw 112 cards in a single turn - plus the 5 you start with. If you have the Fleet HQ that’s 117 points of damage right there.
Oh wait, I forgot about the Stealth Needle!
Copy the Mega Merc and pick up another 20+ cards.
Now if your opponent isn’t absolutely conspiring with you to lose, it’ll likely take some of the Blob cards. I never got all the Blob units in a single game - and without having a human player willing to just pick up Explorers, you will likely never get that lucky (plus get both Merc Cruisers, both Battle Barges, the Mega Mech, and the Stealth Needle - and all the other high damaging cards you’ll need). You just need a lot of luck to get the right cards at the right time.
Regarding a stolen painting:
Mitic remains baffled as to how the drunken daredevil made off with the 30-by-40 inch portrait.
According to the thief, security guards stopped him at the door, but let him leave with the art.
“They asked him if he was supposed to have that and he said ‘Yep!’ and walked off,” Mitic said. “And that was it.”
I wonder how hush-hush the guards were when they learned it was stolen.
Imagine I wanted to sign up for Bob’s coffee roasters website[1] to order some flavourful roasted beans[2]. I click the sign-up button, enter my e-mail address and shipping information, and am then told to go to my e-mail account to verify my e-mail address. At no point was I asked to enter a password.
I log into my e-mail account and click the verification link. The website then sets a password in my browser’s local storage. I am assigned a session cookie, and can browse the website normally. I close my browser, relaunch, and visit the website again. I enter my e-mail. The browser takes the password from local storage, and submits it. If the password for any reason is invalid, I must re-verify my email. Otherwise, it lets me in.
- Password managers are (usually) amazing and incredibly useful, and I would recommend them over this approach for sure (my reasons why are below). That said, I don’t know how popular password managers are with the general public.
- I read a comment on, I believe it was, Hacker News that talked about a website that only used email to authenticate the user. Apparently customers loved it. I thought that was amusing (and frightening) and wondered if that kind of experience can actually exist securely.
What happens if I change devices?
The same thing. You must go to your email account and verify. You would also need to store a device ID so you can map passwords to devices.
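The flow described above, as an added example that is not part of the original post. The function names, the `email|deviceId` key layout, and the `Map` objects standing in for the credential table and the browser's local storage are assumptions; storing only a hash of the generated password is one way to protect it in the database.

```javascript
const crypto = require('node:crypto');

// Constructed stand-in for the server's credential table:
// "email|deviceId" -> SHA-256 digest (Buffer) of that device's password.
const credentials = new Map();
const sha256 = (s) => crypto.createHash('sha256').update(s).digest();

// Runs when the verification link is opened on a device. `store` is a Map
// standing in for window.localStorage (getItem/setItem in a real browser).
function completeEmailVerification(email, store) {
  // Reuse this browser's device ID if it has one, otherwise mint one.
  const deviceId = store.get('deviceId') ?? crypto.randomUUID();
  // 256-bit random password: never typed by or shown to the user.
  const password = crypto.randomBytes(32).toString('base64url');
  // Keep only a hash server-side. A fast hash is acceptable here because the
  // input is high-entropy random, unlike a human-chosen password.
  credentials.set(`${email}|${deviceId}`, sha256(password));
  store.set('deviceId', deviceId);
  store.set('password', password);
  return deviceId;
}

// Runs on a return visit: the user types the e-mail, the browser supplies
// the device ID and password from local storage.
function login(email, store) {
  const password = store.get('password');
  const stored = credentials.get(`${email}|${store.get('deviceId')}`);
  // Unknown device, cleared storage, or revoked row: back to e-mail verification.
  if (!stored || typeof password !== 'string') return 'reverify';
  // Both digests are 32 bytes, so the constant-time compare is well-defined.
  return crypto.timingSafeEqual(stored, sha256(password)) ? 'ok' : 'reverify';
}

// Lost device: delete only that device's row; other devices keep working.
function revokeDevice(email, deviceId) {
  return credentials.delete(`${email}|${deviceId}`);
}
```

Because each device has its own row, revoking one device or failing a login on it never invalidates the password held by another browser.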
What happens if I lose my device?
This is probably fine, minus the loss of your device. Yes, technically anyone with access to your device browser has access to your passwords. But given that your device (phone, laptop) probably has unrestricted access to your email, anyone can just use the standard password reset. When an attacker has access to the device, generally it’s a lost cause and you cannot trust that device.
Devices often have PINs, fingerprint readers, passwords, and encrypted drives. That is what should prevent them from accessing your private data.
If your site has an XSS vulnerability, it’s game over. This is by far the biggest downside I see with this approach. There are mitigation techniques, but you have to be perfect 100% of the time. (XSS is pretty bad even if an attacker wouldn’t be able to steal your password, but the password is pretty much winning gold.)
Some other caveats I see:
- Devices need access to email
- Browser support for local storage
- Private browsing may affect access to local storage
- You still need to protect the password in the database
- Devices/browser shared between multiple people
- If a user has multiple accounts, that may complicate things a bit
1: My imagination is shot and some coffee would be good right now
2: Man, I can realllly go for a coffee