In October 2021 I jumped from freebie GMail to business-class email provider Zoho. We have been living in the age of cloud computing and “free” services (in exchange for harvesting your data) for some time now. Paying for so basic a tool as personal email no longer sits well with most consumers, but I’ve since seen tangible benefits from moving from GMail to a paid service.
In this post, I’ll talk through this decision to move away from GMail, the lessons learned, and provide links to Zoho documentation that were helpful in making the switch. This post is not sponsored, I do not receive any incentive from Zoho. I just think that this was a worthwhile switch in email providers, and thus worth writing down for others who may take the same decision.
I was becoming increasingly frustrated with the spam and phishing messages I received in my GMail inbox. I felt that Google wasn’t providing enough control or insight into how these messages could be filtered and prevented.
The increase in unwanted and probable malicious mail to this address was inevitable. The account in question had been created in my teens and was used for the full range of purposes in my life without any purpose-defined aliases or filtering. As of the time of this post, the GMail address in question has been in 15 known data breaches per HaveIBeenPwned.com. Two of these breaches pose an increased phishing risk as they involve accounts capable of financial transactions. These attempts ran the full spectrum: from fake invoices, to Google Forms notifications, unwanted calendar invites that automatically sync with Google Calendar, and even mass spam with subject and body text in a Cyrillic alphabet language with a PDF attachment which you would think Google would be great at catching by now. 🙄
I came to feel that given Google’s inconsistency in preventing delivery of obvious phishing attempts to this inbox, and the volume of such attempts, an accidental click or open action on an attachment had become a matter of when rather than if. I can no longer trust this GMail account for human interactions or conversations and have now relegated it to information-only use.
I initially considered an encrypted email provider a la Tuta or ProtonMail. These were ruled out as nobody else in my contacts list was on these email providers, rendering their automatic same-service end-to-end encryption not relevant. I do recommend you do your own due diligence. These are impressive services, albeit relatively expensive. I merely determined that I have other solutions available for E2EE communication e.g. Keybase and Signal, and can fall back on manually applied email PGP if necessary.
I also evaluated Google Workspaces/GSuite but was unconvinced that the security and administrative controls provided by the paid-tier features would be sufficient to address my concerns.
Meanwhile, my father, a self-taught computerist with no background in enterprise IT, was mid-adventure to reduce his usage of Google services. He had settled on Zoho’s mail lite plan for his own email. He claimed the water was warm, and at $1/month I figured it was worth dipping a toe in.
Two caveats before we continue.
First, instead of providing a step-by-step guide that may not be comprehensive and could quickly become outdated, I will share the links to Zoho’s documentation for important features in the order I believe you will require them.
Second: the admin console for Zoho is featured as if for an enterprise organization, so some features are overkill or unnecessary for the personal email use case. Proceed accordingly.
Most Important: Zoho’s own instructions for Email Hosting Setup in Zoho.
Pricing: So far the Mail Lite plan at 5GB per user has been more than enough for my needs.
MX (DNS) records configuration: Most of the work here will be in your registrar’s admin panel.
If you plan to use Zoho mail accounts in 3rd-party apps via IMAP or POP, you will need to create Application-Specific Passwords. If you’re having trouble locating this, you have to create these from your Zoho My Account, Security page.
Due to my relative inexperience with the plumbing of email, I’ve set most of the Spam Verification options in the admin console to quarantine mail that fails these checks. I started out with these settings so that I could see what was coming in, with the intent to move to the permanent reject option later.
That said, DNSBL check failures I set to permanently reject; if the sending domain/email or IP address appears in Zoho’s DNSBL block list, that mail is rejected outright. There does not, however, appear to be a way to define your own or additional DNSBLs (E.g. Spamhaus’ Zen). Your only option is to trust Zoho in this regard, but if like me you’re coming over from a consumer email product you wouldn’t have had any insight or control into this function anyway. 🤷
You are also able to define explicit allows and blocks, pattern blocking, recipient-based blocking, and, most interesting to me: language-based, country-based, and whole TLD blocks.
How the internationalized spam language and country-based blocking are implemented is left opaque in Zoho’s documentation. But, as an ignorant American challenged by any tongue but my native English, I do have several languages blocked based solely on past experience with received spam and phishing.
As for TLD blocking, I periodically check the top-abused TLDs (ref: Spamhaus & SURBL) for both professional interest, and for blocking in Zoho and my home network firewall. I recommend blocking any you see as concerning or have no current reason to be interacting with. You can always unblock later if necessary. I can’t attest whether a proper mail admin would consider this best practice or not, but it feels like the right thing to do.
The Malware Processing section is also worth a look if you want to restrict email based on content or HTML tags. Any emails containing the listed content or tags are placed in the Spam folder. This could also break various mass and marketing emails, but it’s not like we need any more of those.
After completing your work, it’s a good idea to review the Security and Compliance Dashboard to ensure that you haven’t overlooked any major issues
Syncing contacts sucks. It has been, and remains, a bad user experience to sync contacts across multiple walled gardens. Zoho can export via CardDAV, but in my experience, this may introduce more problems for you than it solves if you already treat e.g. Apple or Google Contacts as your contact book of record. Instead, do periodic exports of your Apple or Google contacts in vcard format, .vcf, and import those into Zoho Contacts.
The price. Thus far the Mail Lite plan at $1/user/month for 5GB on a single user has been more than enough for my needs, and upgrading to 10GB storage is quoted at $1.25/user/month. That said, some features e.g. S/MIME do require you to step up to the next tier at $4/user/month. As always, do your own due diligence on the product and services you may need.
Plenty of domains and aliases. At the time of this writing, I have associated three domains to this account and a boatload of aliases across them for various downstream accounts and filtering. All with relative ease through the admin console, and without the need to step up to a higher features tier. Do keep a note somewhere of all aliases you’ve configured and if/how/where they are filtered, it makes upkeep significantly easier.
Zoho Mail contains no advertising. In the ~13 years I used GMail, I, like all GMail users, have assumed the role of the slowly boiled frog. The steady creep of advertising into the platform until advertisements disguised as emails arrived took me by more surprise than it should have. It is refreshing to experience an email client free from advertising and distractions-not-of-my-own-making, even if I must pay for the privilege.
And to a lesser extent, a near-total reduction in phishing and spam directed to my primary email address. However, I won’t represent this as a success due to the platform just yet, as this domain has yet to appear in significant, public data breaches as my GMail had.
Configuration. You need to put some work in yourself in setting DNS records, SPF, DKIM, DMARC, etc., defining various settings, troubleshooting any issues, on top of managing your email a la filtering rules, tags, folders, etc. But, the good news is Zoho’s documentation is generally good in my experience, and all can be done in GUI-land.
Configuring third-party clients e.g. Apple Mail or Thunderbird still isn’t quick per se. I recommend closely following Zoho’s own instructions for Apple Mail or Thunderbird and referencing their instructions for Enabling IMAP Access which also contains the relevant server addresses, ports, and other settings.
Overall, Zoho Mail is worth consideration for those in need of a reliable and affordable email client. I hope that this serves as an effective entry, and jumping-off point for your own move away from consumer-grade, advertising-laden options.
]]>This post is a lightly-scrubbed copy of a forum thread I wrote for Eve University, posted Jan. 13, 2023, about using multiple characters in the video game Eve Online for in-game trading and hauling of goods between solar systems as a means of using your in-game currency, ISK, to make more ISK as a side hustle. I’m sharing it here in the spirit of frivolity, and for the sake of continuing to build a body of work on this site.
Eve Online recently got it’s teeth back into me after a ~ten year hiatus. When I first played Eve during my undergrad years, my interests in games were very much in the FPS market, and the “submarine commander” style of Eve’s PvP didn’t resonate with me as a result. As I’ve moved into different phases of life I’ve had to acknowledge that my twitch-shooter reflexes are beginning to dull, presenting ample motive to find a “thinking person’s game” that doesn’t shy away from mechanical depth and complexity. Eve University has been an excellent space in which to embrace and explore that complexity, and I’d highly recommend them for anyone else seeking to try this game.
Hey folks! I recently began reading up on trade in Eve as a way to put my ISK-in-wallet to work generating more ISK. Through this effort I came across and incorporated several third party tools and snippets of advice into how I operate, none of which had been spelled out in a single place. I hope other new(ish)bros might be able to borrow or learn from this approach.
To set expectations, I assume that you have a functional understanding of Eve’s market and trade mechanics, equivalent to or having completed E-UNI’s Intro to Trade class. I would also recommend Cpt Bunny’s Trading Guide as I’ve based much of my own trading strategy on this guidance. Fair warning, Cpt Bunny’s guide is clearly out of date with regard to certain item names, but the core principles are functional and easily modified.
As a benchmark for my performance over the past month, I started my trading fund on Dec. 13, 2022 with an investment of 500M ISK.
A week in, as of Dec. 21, 2022, my two trade alts have 100,617,278 ISK in wallets, 479,816,650 ISK in inventory, and -35,890,285 ISK in future sales tax on said inventory, for a total trade fund value of 544,543,643 ISK and a projected monthly return of 37.7%. (I don’t know the exact formula Oz’s sheet uses for this projection)
Jan. 13 puts this little project at the one month mark. At the time of this posting the trade alts have 487,199,463 ISK in wallets, 249,525,148 ISK in inventory (and due for a restock), -12,725,783 ISK in future sales tax on said inventory, for a total trade fund value of 723,998,828 ISK for an actual monthly return of 44.8%.
For the sake of transparency: although [redacted] the character entered New Eden in October 2022, I had played Eve previously ~10 years ago on another character for a period of 6-8 months. I flew at first with Brave Newbies, and then with some IRL friends in a lowsec pirate corp, then drifted away from the game due to loss of interest. That previous character did not have a significant enough skill point total to be worth picking back up, and there are people who have my old toon on their contact lists who I would rather not interact with for personal reasons if they are still around. What that toon did have at hand is a pile of ISK, ships, and some PLEX that I handed over to this character, which has been the source of the initial 500M ISK investment in my trade fund.
I acknowledge that 500M could be a significant investment for someone new to the game, especially if they have not yet become comfortable in higher-earning Nullsec or Wormhole space. However, I do think that this approach can be replicated with a smaller initial seed fund. ~100M ISK would be a good target, and entirely within reach for a Highsec-oriented player if you prioritize setting funds aside for this purpose. In an E-UNI context, I suggest that Slays moon mining fleets and Guristas FOB bashes are both excellent for earning large chunks of ISK you can set aside in full towards this purpose.
This approach is inspired by Cpt. Bunny’s guide and utilizes a single account with two characters. A third character (my main) also has some trade and hauling skills and can supplement this activity where and when needed. This approach does require significant investment of skill queue time in two characters other than your main delaying your progressing, or the purchase of Multiple Pilot Training Certificates (MCT). That said, if multiple characters is a no-go for you, this approach can be made to work with a single character, albeit it will require more legwork in hauling and order management, and more spreadsheet upkeep in filtering out personal transactions from your trading business. I strongly advise that you modify, borrow from, or outright ignore this approach in favor of what fits your needs. In my case, I had IRL disposable income I was comfortable throwing at skill training packs, and this was an effective means to make use of the MCT certificates.
The Buyer: This character lives in Jita and trains T2 Transport Ships and their relevant fitting and evasion skills. As a lower priority they also have scheduled trade skills focused on Accounting to minimize sales tax on opportunistic sells in Jita, and some buy order management. I prefer not to deadhead my hauler (run with an empty cargo hold) back to Jita, so I often look to pick up items for or during a return run that I can flip quickly. More on that later.
The Seller: This character has Trade skills and little else. They sit in station in my primary market and manage market orders. Their Trade skills focus on Accounting 5 and Broker Relations 5 in order to drive sales tax and relist fees down as far as possible, with Trade and Retail to increase their market orders cap. They have also scheduled skill training for a T1 hauler and T1 destroyer for short range hops shunting cargo around the target market if/when the Buyer and Main aren’t in system.
The Main: This is [redacted], my main character. [redacted] does have Accounting 4 and Transport Ships 4 trained and can act as a backup buyer, seller, or hauler when needed. Generally speaking I don’t do business via my Main as I don’t want personal transactions intermingled with my trading business; that requires more time managing spreadsheets and takes time from undocking and exploding ships.
Among the prerequisites in Cpt. Bunny’s guide is finding or creating a spreadsheet to at least manage what items you acquire and what price you sell them for. I figured that given Eve’s moniker of spreadsheets online, surely a suitable sheet already existed for public use which I could copy without having to create from scratch. Some quick Google-fu yielded Oz’s Eve Online trading spreadsheet which I am using as my book of record for my trading activity. It is optimized for use with jEveAssets, a Java app. The creator of Oz’s sheet explains the interaction between these tools in this YouTube video.
In a nutshell, jEveAssets can fetch your transactions history (and a lot of other useful info) via Eve’s APIs. You copy the new rows of your transaction history over to the transactions log in Oz’s spreadsheet and run the Populate Transactions script to populate the Dashboard and Master tabs. These in turn show your current positions, what’s selling well vs what’s not, average price you purchased/invested in an item at, gross and projected profits, etc. You will want to update your Transactions and your wallet balance in the Configuration sheet on a regular basis to have an up-to-date understanding of your positions. These are viewable in jEveAssets via Tools –> Business –> Transactions, and Tools –> Worth –> ISK respectively.
I also added a working/scratch sheet that is kept independent of the other tabs in Oz’s sheet as I use it for pre-activity planning and don’t want these values contaminating the actual book of record. This planning sheet is a simple table where I drop in the name of the target item, what price I would buy it at e.g. in Jita, what price I anticipate selling for in the target market, and mass and quantity for hauling planning. Calculations based on these give me a cargo m3 figure, anticipated profit per unit, anticipated restock cost, anticipated profit, and no-restock cashout values. As I have characters in both the target market and Jita, this makes price checks easy. Eve Marketer does exist if you need to check prices in other regions and hubs, albeit I’ve been told that this tool is no longer shipping updates and may be missing some newer items.
I’ve also been made aware that [url=”https://evetycoon.com/”]Eve Tycoon[/url] a. exists, and b. provides most of the same functionality of Oz’s spreadsheet as a web app without the need to run another application such as jEveAssets. However, some Eve Tycoon advanced features are behind a paywall, whereas this Oz’s sheet & jEveAssets approach is free.
There are a couple stipulations with how this tooling works.
First: jEveAssets requires Java. For better or worse, in a security context Java is a frequent target of attackers and draws a corresponding amount of scrutiny from security researchers. Having it installed does increase the attack surface of your device. Additionally, I know that Eve has a significant number of players on MacOS, and the Java Runtime Environment may have compatibility issues with Apple silicon / M* chips. To mitigate both issues, consider installing and running jEveAssets in a Virtual Machine. E.g. I have an M1 Macbook Pro I use when traveling or on the couch, which does not play nice with Java. To work around this, I run jEveAssets in a Windows 11 image in Parallels instead. On my main device, a Windows 11 desktop, I run jEveAssets from a Windows 10 VM in Virtualbox. In both cases the VM also has my Eve-specific Google Account (more on that below) signed in so I can update my copy of Oz’s sheet within the VM without having to allow clipboard access from the guest VM out to the host.
Second: Oz’s spreadsheet relies on custom scripting via Google Drive to parse the Transactions log and create the Dashboard and Master views. If your Google account has Advanced Protection turned on, these scripts will not be allowed to run, period. This same issue is true of E-UNI’s Mining Buyback spreadsheet. I highly recommend that you create an alternate Google account for use with 3rd Party Eve-related services, and in this case to act as the owner of your copy of Oz’s sheet in Google Drive. You can then invite your primary Google account as a collaborator with edit permissions if you don’t wish to switch between accounts regularly. Oh and turn two factor authentication on for that alternate account while you’re at it.
In case there were not already enough disclaimers, here’s another. I am no expert on Eve markets, nor am I providing you with financial advice about your imaginary internet money. Some of my product selection may be based on luck, Eve’s markets are volatile, and I want this thread to be serviceable as a reference piece. Instead of recommending you specific goods to sell, I will try instead to convey the criteria I’ve used to select products so that you have a starting point for your own trading.
To select products, you must become familiar with the market window’s price history view. If you’re unfamiliar with this chart, I recommend reading up on the the burger method on the E-UNI Wiki. The burger method does assume that you are buying and selling in the same region, and as I am buying in one region and selling in another I cannot rely on the burger method’s “patty” to reliably project profit. The market window is specific to only the region you are presently in. Instead I must rely on manual price checks, and perform any estimations and projections within my spreadsheet.
![[/assets/img/blog/EveTradeAB-1920-min.png]]
I try to stick to the following criteria:
As I’m primarily selling in Stacmon, I do try to keep my markup reasonable in order to not price gouge fellow Unistas. Twenty-ish percent profit has felt like a good range to play in, profitable but without being usurial towards newer players. I encourage you to do the same near newbro starter systems and systems hosting E-UNI’s communities, but if you’re replicating this approach in other areas of space do charge as high as the local market will support.
I’ve not played with buy orders extensively yet, but I anticipate these are at their most useful for those items which I find priced below my ~15-20% profit target. Instead of making a note to check back later, you might consider setting a buy order in Jita that would yield you ~30-40% profit, just to see if it fills. The 120 day price history graph should also be a good indicator whether there is enough volatility in that item’s price to make this viable. Within the last week I have started using buy orders for items that can be sourced in/around Stacmon which I can obtain at a discount due to a lack of other competing buy orders nearby. My Hauler fills their hold with these on the return run to Jita, which I can then immediately flip for the Jita buy price, netting a nice profit.
Lastly, in starting out I have avoided selling ammunition and minerals or industry inputs. I simply don’t understand these markets well enough for them to be profitable, and the ammunition market (at least in highsec) appears to have exceptionally low margins. Also be wary of entering the market in a location and product where you know that dedicated industrialists are already putting out their goods as sell orders. In most circumstances, dedicated miners and industrialists can obtain or create that product with a far greater profit margin than you can. Trading in minerals is a great example: you the dedicated trader must spend ISK to make ISK, but the miner only has to spend time to make ISK, the miner’s profit margin is squishier and more abstract than yours is as a trader.
Understand that T1 haulers generally lack the tank and agility to mitigate a serious highsec gank attempt. Although the Uprising patch and the recent inability of Alpha clones to set safety to red has made life more difficult for gankers, you should consider using hulls that have lower cargo capacity but are much more slippery/evasive for your business as usual hauling. From there, step up into Transport Ships, Freighters, and Jump Freighters [b]with appropriate fitting and mitigations[/b] if/when/as they become necessary.
Starting out, I highly recommend making the investment in a hauling Sunesis along the lines of AshyIn.Space’s fit. That the Sunesis is a SoCT hull allows you to start with minimal skills, has enough cargo capacity to get you started hauling low m3 per unit items in bulk, and the sub-3 second align time should be slippery enough to evade most low-effort ganks. However, you need to understand that a sub-3 second, and even sub-2 second, aligning ships are catchable so this won’t wholly mitigate the real professionals. Your best option is to accept additional jumps in order to avoid gatecamps and gankers, more on that in a bit.
Also note that this Sunesis fit does include guns and drones that require skill investments that you can make do without. Once you’ve skilled into Cloaking, the Sunesis is a very forgiving hull on which to practice the Cloak + MWD trick, which you will absolutely need to know in order to escape gatecamps. You will want to get good at this for hauling in heavier vessels and in lowsec, nullsec, and wormhole space.
```[Sunesis, Highsec hauler]
Expanded Cargohold II Expanded Cargohold II Expanded Cargohold II Inertial Stabilizers II
Multispectrum Shield Hardener II Medium Shield Extender II Medium Shield Extender II 5MN Quad LiF Restrained Microwarpdrive
Improved Cloaking Device II Core Probe Launcher I 125mm Gatling AutoCannon II 125mm Gatling AutoCannon II
Small Cargohold Optimization II Small Cargohold Optimization II Small Low Friction Nozzle Joints II
Hornet EC-300 x4 Warrior II x4
If you're farther along in your Eve career than I, to the point that you've skilled into T3 Destroyers and specifically the Hecate, I recently saw this fit in the E-UNI Discord. (Credit to Tealson Darkstar with additional information about align speeds from Zelda Pinkdottir.) This Hecate fit should be capable of a sub-1 second align, which means you will leave grid on the same server tick that a ganker would see you appear.
```[Hecate, Fast Align Hauler]
Shadow Serpentis Inertial Stabilizers
Shadow Serpentis Inertial Stabilizers
Shadow Serpentis Inertial Stabilizers
Inertial Stabilizers II
Caldari Navy Medium Shield Extender
Caldari Navy Medium Shield Extender
Pithum B-Type EM Shield Amplifier
5MN Quad LiF Restrained Microwarpdrive
Improved Cloaking Device II
[Empty High slot]
[Empty High slot]
[Empty High slot]
[Empty High slot]
[Empty High slot]
Small Low Friction Nozzle Joints II
Small Cargohold Optimization II
Small Cargohold Optimization II
Eifyr and Co. 'Rogue' Evasive Maneuvering EM-703
All of the other general advice you will have heard from haulers remains in effect: Never haul on autopilot. Never haul (semi-)AFK. Get in the habit of activating your spinners every time you break gate cloak, and keep their hotkeys consistent across at least your trading ships so you can build muscle memory. The cloak + MWD trick is mandatory to understand if you’ll be taking shortcuts or outright cargo runs into lowsec, nullsec, and wormhole space. Get these good habits established now so that they can save your ship and inventory later. If this is an area you need more knowledge in, consider joining the public Haulers Channel in Eve to seek advice.
Spend the time to set up instadock and undock bookmarks. Yes it’s boring, but just do it. You might get away with not having them if your selling market is in relatively quiet or friendly space, but this is not optional in trade hubs. For added safety, do your utmost to ensure that your undocks are not-on-grid with the trade hub station, although this may take significant time to get right and require you to borrow safes from other Unistas or depend on RNG for an aligned cosmic anomaly or site spawn.
I highly recommend that you use EVE-Gatecheck before making any multiple jump trip, especially when hauling. Make a folder of browser tabs you always open when playing EVE, and make sure this is in there. Also make sure to check it during haul runs; long warps across large highsec systems are the perfect time to tab over, hit refresh, and see if anything on your route has changed. The Jita to Stacmon run, both the secure and short variations, do experience gatecamps. Especially in the Caldari Border Zone. Especially in Sivala. Fortunately you can often avoid this bottleneck with some creative routing. E.g. If the Hatakani gate in Sivala is camped, go via the Iivinen gate instead.
Remember, Eve is a game of consequences. You might follow all of this advice to the letter and still lose ships and inventory because you got unlucky on the day. C’est la vie.
This two character approach opens some doors for content I would not otherwise be in a position for. This frees up my main, [redacted], to live with the Wormhole community and wander around the E-UNI communities at will as I don’t have to stay near Jita or Stacmon to babysit market orders. That said, I’m often reluctant to undock my main in a risky environment like wormholes if I’m sitting on the couch watching TV and talking with the wife, I don’t have the requisite attention to give to the game and my Main’s safety. Instead, I can undock the Buyer and find productive things to do in highsec.
Low stress arbitrage hauling: EveTrade.Space is an excellent tool that checks for arbitrage opportunities in the same station, across several stations, or across regions. I primarily use this with the Buyer to find goods with unusually low buy orders on my way back to Jita which I can then sell immediately for a (usually minor) profit. I also use it in the aforementioned couch-gaming scenario where I want to do something in Eve, so I check for arbitrage opportunities I can buy and haul easily between The Forge, The Citadel, and Lonetrek. Because EveTrade appends your search parameters in the results URL, like this example for Dodixie to Stacmon, you can set up multiple searches and bookmark the results URL for quick reference. It is worth noting though that EveTrade does not include player-owned structures in its searches, so you will want to check the in-game Market window to see if better buy orders exist at e.g. the Botane or Perimeter secondary markets than at the NPC trade hub. In one such instance, I found someone selling a big pile of Rage HAMs for ~20% below Jita buy only five jumps away. Turned this into ~3M ISK profit with nearly no time/effort invested. In another, I was looking for goods to haul from Stacmon back to Jita, and EveTrade called to my attention two skins for sale in Dodixie that had corresponding buy orders in Jita and Perimeter for an 8M ISK profit.
Purchases of opportunity: If the Jita market for an item is crashing or a really good deal comes up, I’ve got the Buyer there 90% of the time to take advantage. If I know I need some ammo or modules for an upcoming fleet, I can get them at a “fair” price rather than relying on what’s available and marked-up in Stacmon or Dodixie, and contract the goods over to my main. I can then use my buyer to haul the goods myself, or I can contract the E-UNI Hauling service, or a commercial hauling corporation like Red Frog Freight or PushX in a non-uni context. However, understand that your Buyer’s purchases on behalf of your Main will be imported by jEveAssets, which you will have to skip copying or otherwise remove from your book of record so as to not contaminate your sales book with “non-business” purchases.
Space trucker as a way of life: while I have not looked into hauling as a full-time-Eve gig, it is a potentially viable and lucrative playstyle. Not having to train most PvP skills means your Buyer may make relatively rapid process on hauling, fitting, and survivability skills, potentially to the point that working with the E-UNI hauling department or commercial hauling corps like Red Frog or PushX are viable ways to contribute to the Uni or make additional ISK.
I have started giving some thought as to what’s next for the alts’ skills if I extend their MCT licenses.
The Buyer has a significantly longer skill queue than the Seller due to the need to fly and fit T2 Haulers and trade skills to make bidirectional haul of goods to/from Jita more viable. Presently the Buyer has been hauling in the Sunesis, but my scheduled skill queue opens up Gallente T2 Haulers specifically to allow fit and flight of a Deep Space Transport. Anticipation is that a properly fit and tanked DST can both haul higher volume items and take lowsec shortcuts I would not otherwise be comfortable with. Addition of Scanning skills would also open up use of DSTs for hauling with the E-Uni hauling service in/out of the Wormhole community. I do not presently have Freighters in my skill queue, but this can be incorporated if/when need appears on the horizon.
Interestingly, the Buyer’s skills open up Blockade Runners and fitting skills that would facilitate BLOPS fleet fuel and ammo hauling. As I don’t anticipate them willingly appearing on any killmails, they should show up as 100% cuddly in zkillboard; perfectly within the spirit of that content. 😈
The Seller’s skills I’ve waffled on a fair bit, and I consider an extension of the Seller’s skills outside of trading to be a lower priority than those of the Buyer. Planetary Interaction is a potential option as the Seller stays in a single system for long stretches of time, and the skills investment for PI isn’t terrible while also yielding P2 and P3 that the Buyer can backhaul to Jita. But, if I understand correctly, further skill investment is needed into Customs Code Expertise to drive highsec POCO tax rates down. (This is not a concern in nullsec and j-space) Alternatively, I could skill the Seller along a typical mining path, though this would be an even more significant skill investment path.
I’ve converted “the 144 list” from Cpt. Bunny’s guide into a market quickbar-importable format. Some items in the original text have been renamed or no longer exist, so I acknowledge this version of the list to be incomplete and likely out of date with current market forces. But, it’s a very serviceable starting point.
+ The 144 List
- 10MN Afterburner II
- 1400mm Howitzer Artillery II
- 1600mm Rolled Tungsten Compact Plates
- 200mm Rolled Tungsten Compact Plates
- 220mm Vulcan AutoCannon II
- 50MN Microwarpdrive II
- 50MN Y-T8 Compact Microwarpdrive
- 5MN Microwarpdrive II
- 5MN Y-T8 Compact Microwarpdrive
- 650mm Artillery Cannon II
- 720mm Howitzer Artillery II
- 800mm Repeating Cannon II
- 800mm Rolled Tungsten Compact Plates
- Ballistic Control System II
- Bomb Launcher I
- Caldari Navy Mjolnir Heavy Missile
- Caldari Navy Scourge Heavy Missile
- Cap Recharger II
- Capacitor Power Relay II
- Co-Processor II
- Covert Ops Cloaking Device II
- Cruise Missile Launcher II
- Curator I
- Curator II
- Cybernetic Subprocessor - Basic
- Cybernetic Subprocessor - Standard
- Damage Control II
- Dual 425mm AutoCannon II
- EM Armor Hardener II
- EMP L
- EMP M
- Expanded Cargohold II
- Explosive Armor Hardener II
- Focused Warp Disruption Script
- Focused Warp Scrambling Script
- Garde I
- Garde II
- Giant Secure Container
- Gyrostabilizer II
- Hammerhead II
- Heat Sink II
- Heavy Assault Missile Launcher II
- Heavy Capacitor Booster II
- Heavy Missile Launcher I
- Heavy Missile Launcher II
- Heavy Pulse Laser II
- Hobgoblin II
- Hornet EC-300
- Hornet II
- Imperial Navy Multifrequency L
- Imperial Navy Multifrequency M
- Imperial Navy Multifrequency S
- Imperial Navy Radio L
- Imperial Navy Standard L
- Improved Cloaking Device II
- Inertial Stabilizers II
- Interdiction Sphere Launcher I
- Kinetic Armor Hardener II
- Large Armor Repairer II
- Large Capacitor Control Circuit I
- Large Capacitor Control Circuit II
- Large Core Defense Field Extender I
- Large F-S9 Regolith Compact Shield Extender
- Large Shield Booster II
- Large Shield Extender II
- Large Trimark Armor Pump I
- Layered Coating II
- Layered Energized Membrane II
- Magnetic Field Stabilizer II
- Medium Ancillary Current Router I
- Medium Armor Repairer II
- Medium Capacitor Booster II
- Medium Capacitor Control Circuit I
- Medium Cargohold Optimization I
- Medium Core Defense Field Extender I
- Medium EM Shield Reinforcer I
- Medium F-S9 Regolith Compact Shield Extender
- Medium Salvage Tackle I
- Medium Shield Extender II
- Medium Trimark Armor Pump I
- Mega Modulated Energy Beam I
- Mega Modulated Pulse Energy Beam I
- Mega Pulse Laser II
- Memory Augmentation - Basic
- Memory Augmentation - Standard
- Micro Auxiliary Power Core I
- Micro Auxiliary Power Core II
- Mjolnir Heavy Missile
- Multifrequency L
- Multispectrum Coating II
- Multispectrum Energized Membrane II
- Nanite Repair Paste
- Nanofiber Internal Structure II
- Neural Boost - Basic
- Neural Boost - Standard
- Ocular Filter - Basic
- Ocular Filter - Standard
- Ogre I
- Ogre II
- Optimal Range Script
- Overdrive Injector System II
- Power Diagnostic System II
- Prototype Cloaking Device I
- Radio L
- Reactive Armor Hardener
- Reactor Control Unit II
- Republic Fleet EMP L
- Republic Fleet EMP M
- Republic Fleet EMP S
- Scan Resolution Script
- Scorch L
- Scorch M
- Scorch S
- Sensor Booster II
- Shield Boost Amplifier II
- Shield Power Relay II
- Shield Recharger II
- Signal Amplifier II
- Sisters Combat Scanner Probe
- Sisters Core Scanner Probe
- Small Armor Repairer II
- Small Core Defense Field Extender I
- Small F-S9 Regolith Compact Shield Extender
- Small Tractor Beam I
- Small Trimark Armor Pump I
- Social Adaptation Chip - Basic
- Social Adaptation Chip - Standard
- Standard L
- Stasis Webifier II
- Tachyon Beam Laser II
- Target Painter II
- Targeting Range Script
- Thermal Armor Hardener II
- Tracking Computer II
- Tracking Disruptor II
- Tracking Enhancer II
- Tracking Speed Script
- Warp Disrupt Probe
- Warp Disruptor II
- Warp Scrambler II
- Warrior II
This is part three in a series of blog posts about the gaming community I built and ran for four years based on the video game Destiny 2. This part focuses on lessons learned from the experience, and will likely be the last in the series.
I sought for CORE’s membership to be open to players of all levels of interest and skill at the game. I wanted the community to accept differing focuses on cooperative and competitive content, differing progression goals, and differing levels of time investment, but with the clear expectation that we were a community focused on learning and growth, that scrub logic had no place here.
If you think of these two types of players as a spectrum, they can, and do, coexist in the same organization. The intent was that by having the experienced and competitive players present and available, they would at least passively “rub off” on the less experienced players in their gameplay and discussions, and at best seek to actively teach and pull the rest of the membership up in skill and knowledge. This I believe we executed on well for the majority of CORE’s existence. But, the guidance and emphasis that I was able to convey was insufficient within our first year to prevent elements of toxic elitism from taking hold, forming a fiefdom, and causing issues. Incompatibilities between a subset of players at each end of this spectrum, often in noisy and public fashion, led to the shuttering of our on-meta high-efficiency “hardcore” team as an official feature of CORE.
Formalizing a performance-oriented subset of the community focused on frequent, efficient, endgame raiding seemed to be a very good idea at the outset. That players who knew the content and knew the expectations could catch the express train so-to-speak for getting weekly raid clearances, and that this would in turn create more experts on endgame content who would pull others up behind them. But, I did not have the time personally to assign to this “hardcore” team both in my own participation and ensuring it aligned to the community principles and my expectations. Over the course of a year, I came to feel that some “strong personalities” in the team, and several explosive failures to integrate interested newcomers, were doing Ferrous Core as a whole more harm than good. Exclusion became the norm in this area rather than education, and with no clear pathway into this group this in turn bred animosity and contempt. With each failure to bring a newcomer up to speed in this setting, the relationship between hardcore and the general membership slid further into an “us and them” milieu. Shortly following the release of the year 2 Forsaken expansion, and more such blowups alongside, I came to feel that the situation could no longer be salvaged.
In writing about this it frustrates me to recall the number of issues that would have been resolved had newcomers to the hardcore team simply taking the time to understand this team’s expectations and mindset required above and beyond CORE’s base requirements. But this does not excuse the hardcore team, the admin team, and I, as we should all have put better guardrails in place.
No amount of blaming the user will fix a bad user experience.
From my perspective, with the label and enshrinement gone, although hardcore’s players essentially continued as their own cliques in the larger whole, the dramatics and in turn regular need for administrative acts fell away. But in turn I know that disbanding hardcore damaged the relationships I had with the people running it, people who I genuinely enjoyed playing with and whose inputs I valued in the admin team.
One of the guidelines I have set for myself is that no social interaction I engage in is without value. Every conversation is an opportunity to walk away with more information or insight than I had five minutes ago, even if those learnings are as bleak as that the counter-party is someone who I would rather not interact with again. I, and I hope you, enter into most interactions trying to make the relationship work, trying to assume the best about people.
Unfortunately, that willingness to assume the best, to find good qualities in people, and in the context of CORE, lent itself to tolerating toxic personalities and persons exerting a net negative influence on the community.
There were multiple individuals with multiple red flags that they should have been politely ushered out far sooner, who were retained longer than was right. Some even were enshrined as “Proven”, exemplars of our community values. I failed to both see the warning signs in front of me, and actively convinced others who did that there were redeeming qualities or a necessity for fairness in play. If you’re unwilling or unable to commit your mind to making such a decision, that you repeatedly see the problems and think “yeah, but…”, you absolutely must have others involved who you trust that have such a sense for when something is not working.
We dealt with a lot of dumb issues while I was at CORE. If there’s any single underlying trend I would point to, it is truly incredible how many people lack basic conflict resolution and deescalation skills. Many of these events did not require any intervention, but the cattiness and petty bullshit that would stem from two or more incompatible humans being unable to tolerate or avoid each other was more disruptive to the community than I had realized in the moment, and an incredible waste of my time in retrospect.
Know that the people engaging in your community are not projects to be iterated and improved upon. No amount of redeeming qualities are worth the damage a toxic personality will do by their self-centeredness, disregard for others, or outright malice. Once it’s clear they don’t fit well in what you’re building or running, I would urge you to politely part ways as best you can.
As a refresher from my previous postings, we set a role called “Proven” with a purple name in our Discord. These were to be line members of the community who had distinguished themselves as examples of our principles, people to look up to for our newcomers. I allowed Proven’s value to be eroded over time; the bar was allowed to dip too low, and to be too prone to individual favor as to who should be considered an example to be looked up to. There were two primary problems that weighed on the decision to ultimately scrap the Proven role:
First, and lesser, over time we saw that the mere presence of Proven in text chat was suppressing discussion. Newcomers to the community seemed to be if not intimidated, then at least unwilling to leap into conversations where multiple Proven were participating, as surely these examples of the community always know best. Not an environment conducive to open exchange.
Second, and worse, the Proven role came to shield several toxic users, some of whom had backslid from previously exemplarific behavior into something less than. If only because of remembering the good times, these were affording many chances where they should have been walked out the door.
Be wary of what, or whom, you set on a pedestal, and be especially wary of guaranteeing status or standing in perpetuity. This is simply good governance, circumstances and people change over time.
I had originally envisioned “ribbon” awards a la those found in some forum based communities (e.g. ribbon images in forum signatures) as a means of conveying this information without enshrining the user themselves, but there is/was no such solution for a Discord-based community. The role-based differentiation was a mistake, but was unfortunately the best tool available for what was originally intended, and the next best alternative before us was to not bother.
Most online-communities have a no politics and no religion rule for very good reason. We thought we could do better. We set up a channel called The Debate Hall with the intent that instead of quashing such conversations, we could instead redirect them productively. We did our utmost to set clear expectations about conduct therein in line with our principles and not making it personal. Debate Hall conversations disabused me, and many others, of several misconceptions and outright falsehoods I had carried in my mind for well over a decade.
I still wouldn’t do it again. Debate Hall was a recurring source of problems and general waste of my time. I delivered more stern warnings and chat bans in this channel than I felt appropriate for the health of the community. It is very frustrating to have to tab out of the thing you do for fun, to go do content moderation because two grown adults can’t keep their heads.
That this occurred during the height of certain people posing certain “alternative facts” (read as: blatant disinformation) definitely did not work in our favor.
I also know full well I fell into the trap of tone policing. There were many incidents where I and the admin team took action at least in part on the tone and tenor of how things were said, and that a focus on maintaining civility and respect distracted from addressing other problematic behaviors. This allowed several bad fits to linger in our community at least a little longer than they should have otherwise.
If you’re not actively striving to correct the problems being caused by bad actors, you’re not fostering a healthy environment. If someone is throwing rocks in the pool, don’t try to turn the waves into ripples, get rid of the rock-thrower.
Being along for the ride with Discord’s meteoric ascendancy to becoming a mainstream messaging app was a substantial reason for our growth as a community, but also meant that we experienced major feature updates and some scrambling to ensure everything was still working as anticipated. Credit where due, Discord has done a much better job in the last two years of proactively communicating updates and new functionality to server owners and community operators.
We encountered minor functionality limitations with Discord in the inability to display cosmetic, reward, recognition or inside joke ribbons or flair on users. The most effective means was use of the Roles hierarchy, which is already prone to unnecessary bloat even with our limited hierarchy. Pay close attention to your Roles hierarchy, and prune it aggressively lest it get out of control.
Discord does not do an effective job of differentiating an admin, mod, or privileged user just having a conversation in text, from the same giving formal direction. Announcements are easy enough to set apart in a discrete channel or with consistent formatting, but when wading into an argument to say it’s time for those involved to go touch grass, you as a moderator really have no first-party option to clearly denote that this is you speaking in an official capacity. Reddit, for the issues it has with volunteer moderators, does provide a truly excellent feature in allowing for mods to make posts “speaking as a moderator” with distinct, eye-catching formatting. Discord would do well to copy this outright.
If you’re considering applying to Discord’s partner program, do away with any 18+ / adult content. From the outset, just knowing my immediate friends who I brought in and and their interests, we implemented our own controls to prevent inadvertent access the NSFW channel and any future-state similar channels.
… And then with the advent of the partner program, Discord comes along and says “yeah we don’t want any adult content in Partner servers. Maybe consider using that NSFW channel flag for spoilers channels about TV shows or something.” 🙄 We felt that even with Partner status out of reach, and being okay with that, Discord had shifted the goalposts on paying users (I still maintain a Nitro sub) to make themselves look good to potential investors and is likely to do so again when they deem convenient. This is par for the course with most social media, but you must understand and plan around it up front.
To that ^ end, have a backup plan. In our case, if Discord were to ever turn evil, shut down, or arbitrarily decide we couldn’t use their platform anymore, we would have jumped to Slack and a Teamspeak 3 server. This is by no means a one to one match in functionality, but would have been good enough. Develop the familiarity with your backup plan platforms so that if this happens to you, you can at least try to roll with the punch.
I also urge you to give some thought to knowledge retention. Read-only reference channels in Discord can work, but can also quickly bloat, become stale, and are not easily searchable. Our solution here was initially a WordPress site in order to be both our public-facing internet presence, but also to host some evergreen content, guides, etc. Eventually we replaced WordPress as it was a bit heavy and difficult to maintain due to the cocktail of themes, plugins, and dependencies. WordPress is also seen as a soft target by many attackers scanning the internet. I was relatively comfortable with WordPress originally as we accepted no user input anywhere on the site, but keeping it and the relevant plugins patched became a problem. On dropping WordPress we adopted Wiki.js in order to allow for our members to make their own edits and provide their own content quickly and easily using Discord OAuth. This was much easier to administer, and allowed us to be much more fast and loose with allowing the general membership to type something up and ship it to the wiki, or at least capture/copy and retain quality Discord posts.
The game developers of the world have much to learn in how they implement and support in-game community structures. Devs, any decisions you make that create overhead for clan / guild / community leaders to administer and maintain their in game organization is taking away their time to enjoy your game.
Bungie capped their in-game organizations, “clans”, at 100 users. Add in the fact that our best option for doing so was (and still is) a shit web UI with no bulk select feature in the members list, and no effective tools for understanding user activity at a glance. We had to do this upkeep across five clans on Bungie.net at our peak. This was a constant burden to maintain, not only in periodically kicking inactive players from the clans to free up slots, but in doing so to ensure groups of friends could be in the same single clan in order to share buffs and bonuses.
Bungie, if any of your employees ever read this, not only was this upkeep in Bungie.net a pointless and unnecessary time sink, it was such on players who not only played your game, but went out of their way to create the conditions for fun and friendships that kept your game afloat through the bad times and content droughts. I would rather have no formalized community structure in a video game than have one that is actively burdensome to maintain.
Streamers and other content creators talk about this consequence relatively often, as to how and when they experience burnout. Multiple times throughout my time with CORE, I sat down at my computer intending to log in and play the game, but instead had to push out an announcement post, or process probationary to full member promotions, welcome and set up an influx of new members, free up player slots in the in game clans, respond to emails, DMs, messages, and at worst deal with problems covering the gamut from technical issues, to petty spats and abusive behavior.
I had created a raft of additional workload around the thing I did as a reprieve from the responsibilities of my meatspace life. I did what I could to encourage our membership to step up, take on an administrative task or two, and help spread the upkeep workload. But my desire to tinker and iterate constantly created upkeep, busy-work to be done at times when I wanted to play and socialize. Once I stopped playing the game I founded the group for, all that was left for me personally was a never ending stream of administrative overhead and interpersonal bullshit. If you decide some day to organize and maintain such a community I hope you’re better at not letting resentment build around this lost “me time” than I was.
I sometimes wonder if I inadvertently created an engine that required constant upkeep and delivered me dopamine hits for a job well done, but in doing so created an engine that could not be turned off, that others came to rely on, and that in time delivered me reward that felt stale, thankless, and unsatisfying. Worse yet, did I create such an engine subconsciously? One deliberately flawed to maximize happy brain chemical hits? And if so, am I prone to doing so again elsewhere in my life? This possibility I’ve come to fear, and an answer has not been forthcoming.
]]>Image credit to CORE member Luna
This is a little mini post to show off a thing. But it’s in the kitchen. What’s going on here? This isn’t where I parked my car.
This is a Spotify Car Thing. Go read about it if you want detail, it’s essentially an appliance for your car that provides a nice, responsive UI for Spotify (Premium accounts only), meant especially to supplement older vehicles that lack Apple CarPlay or Android Auto. I bought one on a lark, but our vehicle is new enough that it has full support for iOS and Android’s automotive UIs, so not worth taking up the dash space. Of course I didn’t want to just put it on the shelf. My frugal Pennsylvania Dutch forebears would likely scowl at my disposable income habits as it is.
As I stepped through first time setup, the realization set in that Car Thing has exactly one job: it’s a remote control for Spotify on your phone. Car Thing does not care what you phone’s output device is: car stereo, TV soundbar, or any Spotify Connect linked device. This latter option opens the door to using Car Thing to control Spotify playback on a desktop or laptop, albeit you have to start playback on your phone first then transfer/connect to the other device.
My initial idea was to do like this YouTube video (Credit to Chris Xia), mount Car Thing as a remote control for Spotify on the desktop. The wife however suggested the kitchen, which made much more sense as it’s really the next location after our car where Spotify is most in use. An Amazon Echo device is present in that room anyway which we use as a Bluetooth speaker; practically identical to the use case for Car Thing in a vehicle.
A few recommendations from my experience; some are specific to this use case, but others applicable across all attempts at use of this device.
1) Just skip the mounting step in Car Thing’s setup process, and skip trying to make their hardware work. Spend the money on a mount fit for your purpose. I went with a “ClutchIt” magnetic phone holder off of Amazon.
2) I opted to mount under the kitchen cabinets using the 3M adhesive that came with the mount I bought. If your cabinets are made of particleboard, I do recommend taking some sandpaper to the desired spot and sanding down to consistent, smooth surface, then apply rubbing alcohol to the spot and hardware as you would with other adhesive hooks and mounts. My first mounting attempt failed as the base grabbed bits off of the particleboard in it’s endeavor to obey the law of gravity.
3) Power delivery is something you need to consider. Car Thing is, in a word, temperamental, about if it’s getting enough power. I used a spare adapter I knew could provide the necessary output, then gaffer-taped the cable up underneath the cabinets, tucking much of the excess into a void between two. Power connection into the device itself is USB type C male.
This Reddit thread provided helpful advice.
Per u/rickoroni, holding the face button and the top right settings button will override the wrong adapter error screen.
You should also plan out your adapter and cable such that you can deliver 12W of power to the device. (u/mattsuda’s comment)
4) Generally speaking, the Car Thing will put your phone in Driving Mode while connected via bluetooth. I haven’t figured out a good workaround to this, so I recommend turning off the Car Thing when not in use. (Hold down the rightmost button along the top edge)
It’s a neat little device, and definitely easier to interact with in the midst of cooking or cleaning than getting out and unlocking a phone. If you have one and end up changing vehicles, or find a used unit for cheap but don’t want it in your car, try mounting it in your home. Let me know how it goes.
]]>Hi again all. Following up from Part 1, I found that my first version of this post was quickly spinning out into extraneous detail and repetition. Throw in more prep for the CRISC exam and typical summertime schedule shenanigans, and you get a much longer time editing this post than I like.
For those jumping in new here, this is Part 2 of a retrospective on the intentions behind and lessons learned from building an online gaming community, Ferrous Core. I managed CORE from 2017 into early 2021, at it’s peak it topped >1000 registered users. I hope that this can help inform those stewards of that community into the future, and provide lessons useful to other running or seeking to run online communities.
About a year and a half in, we stood up a website just to be a semi-professional looking front end for our community. We ran Wordpress on a small AWS EC2 instance, paid ~$50 for a good looking theme, and threw a basic search engine optimization plugin on. This ran us about $10/month plus annual domain name renewal fees, amounts easily paid for by passing a metaphorical hat around in most communities.
In this space, a truly tiny bit of professional veneer and SEO goes a huge way. Most gaming clans, guilds, etc. don’t spend the time, know-how, or cash on these, often opting for nothing at all without realizing that it is seen as a differentiator by many. The group of friends I’ve since moved on to other games with came to CORE in large part because one of them saw said site and thought “oh these guys look legit.”
Do something, anything, to have a web presence beyond just your various forums or Reddit recruiting posts. It can be as little as an lnk.bio or campsite.bio page, or a Discord.me gateway, or an off the shelf free gaming site like Enjin or Shivtr if you must. (Be cautioned that canned gaming-forum services look samey-same-same very easily and can be seen as a negative)
In order to grow we made use of existing “find a…” communities and tooling. Reddit in particular was a prime source of our initial growth via the r/Fireteams weekly clan recruitment thread and the r/DestinyTheGame “Team Up Tuesday” thread. In our early days we were up front about being a new community, and as we scaled in size we clearly stated an estimate of our monthly active members, average age, our guiding principles, and that the line members generally favoring cooperative content.
Once we hit around the ~100 players mark, we ramped via word of mouth with only occasional recruiting posts. People felt like we were running a good place and in turn brought in their friends and acquaintances. While welcome, I have no tips to share in that regard other than to run a good environment, and have a bit of luck.
In a general sense, go where the interest and eyeballs are to advertise. And when doing so, don’t pretend to be something you’re not. Next time you’re looking through a Reddit or Discord find-a-community type of board, take a quick tally of the number of posts that don’t pass your smell test, don’t make their mistake. Be open and honest about what environment you provide and where you anticipate it going.
For most of CORE’s existence we have had only four hierarchal roles, which were distinguished from each other by the color of the user’s name in text chat, which aligned to the drop/gear rarity color scale in Destiny and most RPG-esque games. Respectively: Green –> Blue –> Purple –> Yellow.
We went into setting up CORE with the intent to minimize the ranks, roles, and hierarchy as I had seen complex and highly regimented structure play out badly previously. Heavily chain-of-command oriented communities fall into this trap often; by creating a highly segmented hierarchy, you incentivize behaviors where the general membership will chase rank and standing in the community because they see the next rank as something to be achieved or collected. Many members in these communities will pursue said rank even if the behavior they engage in in doing so is detrimental to said community, likely because they see imaginary internet points to be obtained, or feel a sense of need or obligation to “keep up” with their peers. At it’s worst, this can feed negative behaviors where members of the community flex their rank over those below them in the hierarchy, disincentivizing newcomers from playing with or interacting with those higher in the hierarchy, driving many away entirely.
I stated many times that complex rank or standing in a gaming community was just another flavor of imaginary internet points, and ascribing value to imaginary internet points deserves ridicule.
To this end we explicitly stated in our FAQs and documentation that asking “How do I become rankname?” was a sure way to demonstrate not understanding the traits and character that our community valued. We also made it a point to never use these ranks as a punitive tool. People participate in CORE of their own volition on their time; to take something away like a rank or role earned as recognition would both be counter to our principles and following in the footsteps of some of the more toxic, megalomaniac moderators I’d witnessed before.
One system that I had seen work well before was to have some form of probationary period for new members, and to grant membership in the community once the user passed some threshold of affirmative votes. In the context of a past community: they were based around a vBulletin forum as their primary communication platform. They performed this function by creating a sub-forum under the Apply For Membership board which was only visible to full members. A vote thread was created for each applicant, with the norm in effect that any “No” votes would be accompanied by a post in the thread with the rationale why. Likewise, any issues or red flags could also be brought up either in thread or by direct message with an officer/admin. It was a fair bit of administrative overhead, and may have disincentivized good people from joining who were unwilling to jump through the hoop.
I had also experienced “open” gaming communities, where one could just come in and put the [xyz]
tag in front of their name, to represent that community, without any say or input from the extant membership. While I appreciated their willingness to welcome newcomers in if on little more than if they felt at home, the most prominent of said communities had issues with both bad fits coming in with no control of flow, and with the extant membership of a certain mindset using the founding document of the community as a cudgel with which to No True Scotsman their peers.
I wanted the best of both: to establish a low-barrier(s)-to-entry, low-friction intake for newcomers to CORE, and for the members to have a say in whether newcomers were a good fit with the community and our guiding principles.
To achieve this, we created a Discord text channel called Aux-Reviews that was visible only to our voted in members, our “Regulars” and above. Similar to the former community in these examples, extant members who played with a newcomer would post a couple sentences in this channel, essentially stating that they played with the newcomer and thought they were good / not good with a brief explanation. Once the newcomer passed a threshold of affirmative votes, they were in as a Regular. If they had negative reviews, they would essentially be paused in the newcomer state until/unless we saw an improvement, or continued negative behavior warranting a “this isn’t going to work” dismissal.
Initially, this tracking of votes was all manual, spreadsheet based, and unsustainable. Eventually, one of our admins wrote a chatbot and a very lightweight database to handle this voting function. With the bot in place, this system has worked reliably for going on four years now. In a general sense I would point to this as a good lesson from the business / technology world: automate as much of the busy background work in running such a place as possible, if for no other reason than so that the thing you do for fun does not become a chore.
I’d recommend a similar approach, both in voting and letting a chatbot do the tracking, for anyone running a similar community. But do understand that this worked because the voting was done in the same social hub / tool as the rest of our interactions and that a custom bot was needed. (An off-the-shelf bot may exist, but I do not know of one)
Akin to minimizing rank and structure, we also did not want to gate play sessions, event hosting, raids, and the like to “you must be this tall to ride” ranks or measures. Instead of a highly regimented, structured hierarchy, I felt the members and participants in the community should have the agency to take initiative, schedule events, do things with no or minimal approval. I’ll call this “contextual responsibility”, although I’m sure there’s a proper term for it that I have yet to encounter.
For the sake of example: let’s say you want to raid this week. You’ve got a real hankering to run Last Wish, probably because it’s been three years and I still haven’t gotten One Thousand Voices to drop from the last chest ask me how I know I’m not bitter at all 😑 … Ahem… So you set up a raid on our The100.io group, enough of your fellow CORE members sign up over the next couple days to round out a team, plus an extra / backup. Let’s say you’re pressed for time: you want to do all the bosses, but you can’t commit to much more than that.
When the time of the event comes, it’s your event. You set it up, you get to define how it will run. You get to set the tone and pace.
We extended this not just to in game activity, but to creation of things like graphics and how-to guides, use of CORE logos and art in our content creators’ streams and videos, party game nights e.g. Cards Against Humanity, specific content coaching such as replay reviews, 1v1 and 3v3 PvP tournaments, etc. Instead of asking for the thing, start doing the thing and ask others to help; we the admin team would support it with announcements, Discord channels, event nights, whatever was within our power.
Set the norms and expectations clearly for what you’d like to see people in your organization. Give them the flexibility and comfort that they can go forth and do things within a defined risk tolerance, and to do so without having to run up layers of hierarchy. Correct the errors and amend guidance as issues occur, if you want people to be creative self-starters, you need to let them do so without you knowing all the details in advance.
One of the gripes I have had with organizations in virtual and meatspace settings both is a lack of visibility into or explanation of their administrative decision making, particularly when paired with problematic and inadequate choices and communication thereof. When such events occur paired with this failing, it feeds a lack of trust in turn opening doors to fear, uncertainty, and doubt as to the intentions and capability of those in decision making roles. From the start, I wanted to ensure our members had consistent insight into how CORE addressed administrative or moderation decisions, even if we couldn’t get it nitty-gritty detail we could at least explain how something came to pass. Additionally, I thought it best to provide self-serve tools for the members of the community to validate (at least in part) what was being communicated by the admin team.
If we could not truly provide total transparency, then we could at least provide something akin to it. Translucency, perhaps?
We emphasized that everyone with additional permissions, Admins, Moderators, and the like were in a service position, and not one of superior rank or stature. I tried very hard to impress upon all involved that an @Admins ping always deserved a serious and reasoned response, no matter how frivolous or eye-roll inducing the ask may seem. This does not mean dropping everything to deal with an @Admins, we have lives and obligations outside of this place we derive fun from in our spare time; merely taking administrative acts with our “Admin Hat On” seriously and solemnly.
For general awareness, we set a cadence of monthly, “community update” postings in our Announcements channel. These were a long form post to provide updates on both occurrences of the past month, administrative asks or topics on our minds that needed more fleshing out and feedback, and general upkeep such as Auxiliaries becoming Regulars / full members. While seemingly minor, and outsized in the time I had to invest writing relative to playing the game itself, these provided a feeling of connection and involvement to the general membership. It served as a consistent window into what was on the collective minds of the admin team, and standing prompt for feedback and suggestions.
When disciplinary issues arose, the expectation for admins and moderators was to communicate what’s occurred and the expectations, and let the recipient demonstrate if they’ve heard or not. “Do this or else” statements are internet tough guy nonsense which wastes everyone’s time. When issues resulted in someone being kicked out, I insisted that an explanation always be provided to the general membership. This was done consistently no matter the standing of the individual, whether it be a long time member, or a spambot. Additionally, I made it clear that we would bring receipts: chat logs, server logs, evidence, albeit sanitized of any personal or sensitive details and disclaimed as such. We did this especially for any circumstances with lots of back and forth and heated exchanges, and especially where these occurred outside of public view.
Discord provides an “audit log” pane in the server settings view that allows a user to view moderation actions on the part of both users and bots. Further, general-purpose administration bots, in our case Dyno and later Ser Aymeric, provide the ability to log more common user actions such as voice channel and server join and leave events, message deletions and edits, etc. to a text channel, which we set to read-only. The “Admin Discussion” channel was however exempted from the bot audit log, and clearly stated as such, in order to prevent leaking of admin discussions where user privacy was a concern.
We implemented a self-serve, opt-in role called “Auditors” that any user could toggle on/off at any time which granted access to both the Discord Audit Log and “Bot Audit Log” channel. To say this is worth doing is an understatement. These settings were painless to set up, and both supported investigation following an issue and backed many moderation actions after the fact with a clear, average-user-verifiable chain of events. That latter point I feel was a key reason why we never had any significant issues with misinformation or FUD around admin team actions.
Originally, I had intended for the Proven (purple) role to not just be distinguished members, but to also have access to the Admin Discussion channel. This was ultimately unsustainable, the community’s growth resulted in several more Proven than originally envisioned and a growing tendency towards admin discussions beating dead horses. This feature was dropped relatively quickly in our first year. About a year and a half later we revisited the idea and created a function called the “Orators.” Every month we selected two members at random; one from an opt-in “Candidates” role, and another from the full list of Regulars and Proven; that is all full, voted-in members of the community.
Orators were always given clear expectations up front. They could be as (un)involved as their time or interest allowed for. They were always posed the option to decline, no question asked, and allow for a re-draw for who would fill that seat. Once agreed, they would be publicly announced in the community update announcement at the start of the month, and have access to participate in the admin discussion channel for ~30 days.
This approach only works if you treat this role, such as our Orators, such that they belong in the conversation. Don’t just “value their input”, act upon it. We made it clear to all Orators that their voices had the same standing and clout as a yellow-name administrator. Any topics they wanted to table for discussion, any issues, any suggestions or “why is that?” questions, were valid and deserving of our time and effort.
]]>Image credit to CORE member advent_g0d
Featured image credit due to Ferrous Core member “Luna”
In June 2017 I started an online community in preparation for the release of the video game Destiny 2, named Ferrous Core, or CORE for short. In the course of two years it had scaled to over 1000 all-time users and a range of 300-500 monthly active users. I proceeded to operate CORE for four years, stepping back from a leadership position in 2021 due to new (but welcome) demands on my time and a loss of interest in the underlying game.
Over the past five years, several current and former members of that community, several close friends, and even some in my family have registered interest about the hows and whys of this pet project. How did it come to be, what were the foundational ideas and ideals? What did I learn from it? What would I do different?
Running this organization was, in inadequate summary, a learning experience. One that I hope to better process by writing about, and in doing so hopefully give back somehow in guidance to the stewards of that community as they steer it into the future, and to random internet passers-by who may be able to pull from my experience to inform the organizations they run or will run someday.
To set expectations, this topic would be far too lengthy if done as a single part.
Perhaps the most important learning was that my girlfriend at the time, turned fiancée, turned wife, somehow put up with my ramblings and frustrations throughout all of this. ❤️
In early 2017 I was fed up with the gaming communities I had participated in over the past five years. Most had been good experiences, a few had been actively negative. Universally, all featured some blend of organizational and cultural issues that I felt dampened the experience or atmosphere they were trying to provide. A surprising majority of these issues rendered down to the cruel simplicity of both leaders and members in these organizations failing to treat the other people in the communities they participate in as people. Not surprisingly, control freaks, megalomaniacs, and toxic managers in day jobs tend to also be so in virtual spaces.
I wasn’t satisfied with recent experience, and with hype rising around Destiny 2, I decided that I didn’t want to experience this game with a group where I would see the same mistakes and errors repeated. By building my own community, I could set the tone and expectations and steer it to what I felt would be the right place.
I think it necessary to first explain the context around why this game and communication platform, because it did appear to me at the time that a confluence of game, platform, and my own skills (or lack of) made creation of the community and scaling it not just possible, but relatively easy. The financial aspect is discussed in finer detail in a previous post I had written while I was still actively running CORE.
Destiny 1 had released in 2014 and developed what might be best described as a cult following. The players chasing the hot, new, flavor-of-the-month game had all long since moved on, but the remaining player base was highly invested in the endgame gameplay loop(s) and in any future iterations of the story. This seemed certain to repeat itself with Destiny 2, this time with the promise of being playable on my favored platform, the PC. I was certain that D2 would be a game that would hook me, and many others, for years on its own.
Destiny had an added benefit in the strength and depth of third party support provided by its player base. Destiny 1’s player base had already done the metaphorical heavy lifting to create large, unofficial public forums; most relevant to COREs origins and growth being subreddits /r/DestinyTheGame and /r/Fireteams, both of which were our initial sources of members and growth. Similarly, robust third party tools such as Destiny Item Manager had come into existence under Destiny 1, with support expected (and delivered) for Destiny 2. This gave me some hope for third party tools that would assist in and ease the burden of day to day management of clans/guidls/community entities in game.
In a macro sense, at this same time I felt that the barriers to entry for creating and growing a gaming community had reached their lowest in the history of the hobby. Search engines and social media platforms had both made discovering groups, clans, guilds, communities for games quick, easy, and most importantly independent of the game client and infrastructure. Player preferences, at least in the PC gaming sphere, had swung away from the large, heavy, forum plus voice client based communities in large part because they hadn’t kept up with an increasingly mobile and social media inspired real-time communications style. Admit it, using Tapatalk to read a vBulletin or phpBB3 forum on early versions of Android was an awful user experience, but it was all we had at the time. Similarly, the PC voice communication clients of the 00s and early 2010s such as Ventrilo, Mumble, and Teamspeak had not made the jump gracefully to mobile operating systems.
My emphasis here on mobile functionality may seem out of place with the predominantly desktop-bound PC gaming environment, which I do acknowledge. However, I strongly believe that these platforms’ (and the communities that relied on them) failure to embrace mobile devices in a timely manner is a major factor in the user preference shift we saw by the mid 2010s. The users expected, in an ever-increasingly mobile and internet-connected world, that they could remain connected while on the go to their gaming friends and the communities they participate in. When the forums, voice clients, and gaming infrastructure born of the 2000s didn’t meet those demands, the users shifted from (e.g.) vBulletin and Teamspeak to (e.g.) Reddit and Discord.
I will be the first to admit I am not technically gifted. I’m not a good developer. I am adequate at best at systems administration. I knew well from past experience helping run other communities that hosting and configuring a traditional forum would take more time, funds, and maintenance than I wanted to commit (I was still very early in my IRL career at the time), and by its nature would be very limiting as to who would take the time to read and participate in that environment, with that format of communication.
For those unfamiliar, Discord is a Freemium text and voice chat application originally marketed towards gamers and streamers + their communities. Think of it like Slack but with dedicated “voice channels” alongside the text channels. Because a user could create one Discord account and participate in multiple “servers” or communities, Discord made it exceptionally easy for users to participate not just in game via voice and out of game via text, but to also do so across multiple games and interests, multiple communities and circles of friends, and with a unified experience across devices. At the time I started CORE, Discord was on what felt like a meteoric ascendancy in user adoption and made perfect sense as the preferred communication tool for a new community. Even with the relatively limited server settings available at that time, it met or exceeded what we would need in functionality, made new user and technology-challenged user setup simple, and did so for free*. We could easily stand up, configure, and tear down channels myself, and with the rapid IRC-esque nature of conversations and feel of the space, if I messed something up it wasn’t a big deal, it wouldn’t be a show stopper on those present going about their business. Discord will warrant further attention in parts 2 and 3, but I wanted to give the platform its due up front as I believe its ease of use and flexibility was one of the major reasons for COREs growth.
Once committed to this course of action, I wanted to pull together a concise set of principles that could serve as a guide for community conduct and future structural decisions. I’ve included the finalized set of principles which CORE still uses today at the end of this post. That said, lessons learned in past communities informed the creation of these principles, some of which may not be clearly visible in the final product, but might shine through when viewed with this context.
To understand where some of these points originate from, between 2010 and 2014 I had been a member of a large multi-game community based around the monolithic website, forum, and voice client model I explained previously. I met several wonderful people via that organization who I still keep in touch with to this day. But especially in hindsight, the organization itself had several faults, and is one of the key examples of leaders failing to treat people online as people. That organization no longer exists, and I will take this brief aside to spit on its metaphorical grave. If you know, then you know; for all others I promise that I shall avoid further diatribes of this manner.
The most fundamental point that I can drive home here is that if you are running an organization of any type, you must treat the people who work for you, consume your product, or participate in whatever your thing is, as people.
I wanted an environment where people could hop online after their day to play the game or just hang out and have a drink and a chat with some internet-friends. A place that wouldn’t add unwanted complexity, obligations, or stress to their lives. At the most basic level they’re here to have a reprieve from those stressors already present in their lives, to decompress, to do something for themselves that they enjoy. This is their hobby, not their job. To that end we would not create requirements or processes that would be burdensome on the user. I even stated this clearly to our community in a message I kept pinned in our general channel: “We’re about playing games and playing them well. If doing that here ever feels like a chore, then I have failed somehow.”
This approach was driven by having participated in communities that did have hard requirements based on availability or in-game metrics, which when purpose-built and well scoped do work well for communities oriented around specific progression, performance, or competition goals. I expected that such criteria would not be appropriate here if the goal was to attract and retain members with a laid-back environment that would not inherently place additional demands upon them.
This was a saying that I reiterated often whenever the topic of giving back to help with expenses or a “tip jar” would arise. Especially early on as the community was forming, I was very averse to accepting donations or payments of any kind from the members and participants, because in doing so I believed that they would inevitably come to expect a higher quality of service for having done so. To my mind, if I could run the community with low overhead, low expenses, the need to accept funds from the community members could be avoided. This in turn would keep the membership’s expectations lower and thus easier to meet or exceed.
None of this should be taken as saying that your time is not valuable. Rather, that this community was to be as much the environment I wished to play in as for it’s members and participants. For me to accept payment for an environment with intentionally low overhead, and to accept increased expectations therefore, felt to me at best not worthwhile and at worst inappropriate.
Of course, then we went ahead and provided a high quality of service anyway for free. Like a bunch of suckers. 😛 That said, I do believe that because we were running a tight ship, one that was welcoming, active, very responsive to incoming new members and guests, and actively taking in and acting on feedback and issues, that quality of service in turn fed word of mouth as new members would pull in their friends to this fun game and chill group they had found.
Perhaps indicative of my own style of play and my own mentality, I think that gaming communities that at the very least discourage “scrub logic”, that emphasize learning, understanding why the game mechanics work as they do, yield the best environments overall. I’ve found that gaming communities that sit by silently and allow within their ranks the derision of valid in-game tools, techniques, or simple knowledge as “cheap”, unrealistic, or otherwise undesirable, quickly cede ground to the aforementioned scrub.
A scrub is a player who is handicapped by self-imposed rules that the game knows nothing about. A scrub does not play to win. … The scrub would take great issue with this statement for he usually believes that he is playing to win, but he is bound up by an intricate construct of fictitious rules that prevents him from ever truly competing.
For most communities, failing to directly address scrub logic yields an environment that is socially draining at best, and at worst actively toxic. It foments derision of those who do not fall in line with the scrubs’ artificial expectations. It drives away both otherwise-staunch regulars unwilling to deal with the “drama” of repeatedly justifying playing by the incentives and mechanics of the game, and both gatekeeps and discourages newcomers who have neither the time nor inclination to learn a set of artificial and unnecessary norms and mores. Scrub logic excuses substandard performance and the lack of knowledge, growth, or progression, all traded away to satisfy one person’s definition of fun.
To counteract this, we emphasized CORE as a community based upon learning and self-improvement. I intended to enshrine “game science”, and/or the hacker mindset, within the community with the intent to encourage and foster not just discussion, but tinkering, testing, understanding, and learning from both the game and whatever topics the members saw fit to discuss. I staunchly believe this yielded better performance in an in game sense, attracting and retaining (mostly) players who would not just want to regularly complete endgame content, e.g. raids, but seek to understand the raid mechanics, learn from mistakes, be understanding of wipes if a bad night happened (albeit with understandable frustration if oft repeated), and ultimately give back to the community in advice and helping others clear that content.
If I could have enforced David Sirlin’s “Playing to Win” as required reading, I would have.
This approach is not without its own problems. I’ve seen such performance-oriented environments breed egos, conflict, and toxic competitiveness that values performance above empathy and understanding for those not (yet) at that level. It was vital to recognize going in that this environment emphasizing both a relaxed environment, but also one rooted in improvement and learning, could yield such conflicts in personality and outlook between the casual and performance oriented players.
While I understand and in many cases agree that what is optimal is not necessarily fun, and vice versa, the worst of each go to a reactionary extreme, lashing out at those merely explaining the other position. This I would not tolerate. I would contend that these outcomes, both scrub logic and performance-above-empathy, can arise in any gaming community, even simultaneously. If abstracted, variations of these viewpoints can occur in any organization that lacks firm direction by its leaders and stewards, that lacks clear tone from the top, and that lacks timely intervention to identify and act upon the issues. These mitigating factors are not optional.
One of the most problematic behaviors I observed in other communities occurred in organizations that had a highly segmented hierarchy or structure, especially where paired with clearly defined criteria for advancement. This would inevitably create an effect where the membership would feel obliged to “climb the ladder”, if not out of their own interest then out of a compulsion to keep up with their peers in social standing.
Communities that borrow from military rank structures are especially prone to this issue, though these are more often found in * -simulator or realism-oriented multiplayer shooters such as ARMA, Red Orchestra, etc. Some organizations may benefit from rigid structure, but I felt a stratified hierarchy to be both unnecessary for this game and the desired environment.
In organizations with such structure, I had observed individuals pursuing advancement purely for the sake of advancement, a way of collecting more imaginary internet points. This would occur even if the behaviors that they would engage in in doing so were detrimental to individual or team performance in game, or actively toxic and harmful to the social environment of that community. The worst offenders would leverage their place in the imaginary internet points hierarchy for influence over others. This suppresses the voices of newcomers and creating an atmosphere ranging from stiff apprehension to adversarial one-upmanship over nearly all interactions. Remember too that these interactions are taking place in the free, personal time of the participants.
The solution as I saw it was to minimize the ranks or hierarchy built into the organization, and where necessary orient towards temporary, contextual responsibility, such as for raid leaders / event organizers. Doing so would both prevent these hierarchy based issues, while still granting authority to those who needed it where and when necessary.
Bluntly, any given online community, especially in video games, is not a unique experience. There are, have been, and shall be multitudes of clans, guilds, organizations of whatever name, that are just some guy and his buddies and some friends they made online hanging out and having a good time. Even in the days of those large gaming organizations that hosted their own forum, voice server, and game server(s), nearly all provided the same fundamental experience of a monolithic website hub with some form of “don’t be a jerk” rules that provided a (loosely-)common experience over one or more games. The names, voices, server settings, and alphabet soup in front of the names might be different, but you largely sought and received the same type of enjoyment from playing at {=BC=} BigClan[dot]com or at Joe Bob & Friends TF2 Server. What differs org to org, what makes or breaks the experience, is their execution on providing the environment they say they want.
Running an online community “with an iron fist”, so to speak, does not work. If you can’t or won’t provide a setting where people feel they will be respected and treated fairly, they will just leave, and they won’t lose anything by doing so. Thanks to search engines, social media, and third party services, (e.g. The100) they can, and will, find another place to spend their free time and derive enjoyment and satisfaction. They can find said other place, register for their communications platform of choice, say hello, and be all set up and good to go within minutes. We actively leaned into this effect in CORE’s public postings: “If you’re not having fun in a given group, then why are you playing with them?”
Similarly, people will come and go from any community at their will, most often as their free time, availability, and interests dictate, or even just based upon the presence of their friends. If and when they step away, if they return to find you have erected barriers to their (re)entry, such as resetting their place in an imaginary internet hierarchy, or haranguing them about participating in more than one group, they simply won’t bother returning next time. Consequently, I wanted a low friction environment. One where players could come in with minimal barriers to entry, and if they ever stepped away for something else they could return at any time with no fuss.
You must understand that your community isn’t special just by virtue of existing. You need to make it special by the quality of the environment and quality of the service you are providing.
These ideals, or rather the simmering stew of things I’d seen done wrong, coalesced into four principles that remain as CORE’s ethos today. I’ve included these below, copied verbatim from our Discord, for those who’ve not been involved in Ferrous Core to further understand the distilled, final product.
Games are meant to be fun. Games are an escape, an entertaining and challenging diversion from our day to day lives. Thus, if you’re not having fun playing in any given group, why are you playing with them? At Ferrous Core we’re about mutual respect among adults while playing for good fights, good loot, and more tally marks in the win column.
Teamwork is overpowered, so USE IT. We are unashamed tryhards. We play to win, because victory and personal success in these digital realms is always more rewarding and fun than the alternative. We will joke and laugh and screw around, but all players here are expected to put on their game face and play hard when the caller says it’s time to be serious.
Maturity, Responsibility, and Self-Improvement. We seek to foster an environment in which players identify and take responsibility for their own actions and defects, and seek assistance in improving both their level of play and themselves at and away from the keyboard. It is only in cooperation and pushing each other to be better that any of us may reach our full potential, both as gamers and as human beings.
Real life always comes first. There might be some good-natured ribbing if you have to go tuck in your kid, kiss your SO, or let the dog out, but as much we love the games we play our meatspace lives and responsibilities always take priority.
Expect to see the following topics, among others, addressed in Part 2.
Revisiting this post as there’ve been some significant changes in the backend for this site. I’ll provide an update via another post and provide a link here when ready. Here’s a quick summary in the meantime.
My need for a personal site arose out of frustration with commercial off the shelf offerings in 2022 and a desire for a personal project to obtain more happy brain chemicals. I’ve wanted a (semi-)professional looking site that could be associated with my public facing social media, directly host my own content without added crap to maintain like comments (ffs just @ me on Twitter), and link through to my other public facing accounts.
The habits formed by being raised in an inherently-frugal Pennsylvania Dutch family demanded something I could host for cheap, preferably free, and that I could spend near-zero time maintaining. Static sites came to mind by looking at the personal websites of several persons in infosec Twitter. (@varcharr’s How I Made my Website was an immense help here) So far Jekyll seems to tick all the boxes. ✅ Free. ✅ Relatively easy to build and maintain. ✅ Ample support, documentation, and how-tos. ✅ Did I mention it was free. That’s really nice.
I have another unique handle I’ve used for online gaming purposes for years, but as I’ve started doing more public and professional interaction it became clear I needed another that was separate or at least at arms length from games. BeerMetalPC came about as a half-asleep showerthought: you’ve heard of a bare metal computer. What about beer metal? 🍺🤘💻.
I’ve aligned most of my social media to this monicker, and had the BeerMetalPC.com pointed at other services. It’s now associated to this site, and I’ve also pointed FrankHelm.com here as a permanent redirect for the sake of consistency.
Previously I had made use of About.me, Linktree, and a couple others I’ve forgotten, but eventually settled on Lnk.bio. Lnk.bio was easy to set up, used a wide variety of identity providers, had very good customizations, and had a reasonable one-time payment option for premium features rather than the subscription model most of their competitors use. I’d still recommend them if you need a personal links or landing page easy, cheap, and fast.
I did most of this work on a 2021 Macbook Pro, M1 / Apple silicon. Admittedly this slowed my progress a bit as I was both learning macOS at the time, and having to fight my way through version weirdness to get all the necessary Ruby and Jekyll tools and dependencies installed. Once I was able to get both Ruby 3.0.x and Jekyll 4.2.x installed, I had some trial and error to get both Bundler and webrick installed and working. I’m including a few links below that I found helpful.
I’ve done all of the first time setup and content creation locally, with Github Desktop for the commit to a private repo once v1.0 was ready to ship.
Hydejack Pro stuck out as a gorgeous Jekyll theme with very good documentation, plus all the features I would need. Admittedly I could easily have gotten by on a free license, but I was jumping in with both feet and wanted to tinker with everything under the hood, and felt that given the means it was only right to duly compensate the theme creator for their time and effort. Being able to start from Hydejack’s prebuilt starter kit was an immense benefit.
Hydejack, or perhaps Jekyll itself does have some frustrating quirks with how categories and tags are handled. Yes you can do some more granular sorting by categorizing posts and then sorting the tags, but at least for the time being this feels unnecessary for the small amount of content I have / will have. I’m proceeding with pretending that the post categories feature does not exist. Similarly, Hydejack’s projects feature has felt like a blog post missing some bits, e.g. projects with tags don’t display in a the tag page/collection. Again, using only tags has largely solved this problem, I just make a distinct tag for projects instead.
Google Fonts is disabled in _config.yml because I don’t want to have to attest or explain anything more in the Privacy Policy than I must. If it causes privacy wailing and gnashing of teeth, and isn’t serving a specific desired feature or function, I threw it in the bin.
I did learn the hard way that Jekyll can be very tempermental about spacing and alignment in the underlying Markdown files. Be deliberate. Work from templates.
Another Hydejack user, Lazy Ren, made a blog post on how they modified the Hydejack theme that links through to how to guides. Specifically, I made use of the Applause button, and the Tags List page.
Applause worked out of the box and I would highly recommend it for other Hydejack users. But for the latter, because of my decision to only use tags, I had to remove every reference to categories and cut out the second nested loop in /_layouts/tags.html to get the featured_tags to display on the page semi-correctly. Not a huge problem, just another source of some trial and error; if you know what you’re doing you can make the tags list prettier than the hatchet job I’ve done.
Also: Ren’s description of type
might seems a big confusing. Go to /_featured_tags/ or /_featured_categories/ , in your tag/category .md files you need to add the text type: tag
or type:category
in order for the tag list page to be able to see and list those items.
Going into this project I knew that I would handle images to either extreme depending on selected Jekyll theme. As Hydejack does an excellent job of presenting images, I had to do a little extra legwork in cropping, scaling, and optimizing images and assets.
I took this project as a bonus opportunity to sit down and get truly familiar with Github. I completed some much overdue learning lab courses and capped it off with their Github Pages course which includes a tutorial on Jekyll. Although I’m hosting this site via Netlify, I’m still using Github to provide version control and CI. Github Desktop made committing the entire project to a private repo easy, plus enforces version control locally so that my tinkering self doesn’t hose the entire project.
GoatCounter is a free for personal use analytics solution, easily implemented by just dropping a script tag in the /_includes/my-head.html file, and it’s privacy friendly to boot. Users can block GoatCounter by just adding gc.zgo.at to their firewall or adblocker blocklist. I get some basic site analytics, and head off a raft of privacy policy headaches.
Netlify provides the hosting and SSL, and integrates with Github so I can publish the site from a private repo. Don’t know what else to say here than OAuth with Github, and go through selecting a repo and first time setup, it’s really simple and straightforward. (Free tier is 100GB / mo in traffic, so we’ll see how that holds up over time)
Also, build command was bundle exec jekyll build
, so don’t panic if the default jekyll build
isn’t working.
I use Google Domains as the registrar and DNS, but do so largely out of convenience. Use whatever you like. With everything stood up in Github and Netlify it was just a matter of delegating Netlify the domain, changing the DNS CNAME and NS records in Google domains, and waiting for the records to propogate. Netlify even automates the LetsEncrypt certificate generation.
Admittedly the Google Domains interface does not make it obvious how to change NS records. You have to navigate to yourdomain –> DNS –> and then along the top ribbon of the DNS page select “Custom Names Servers.” It is a part of the loaded view/page, not part of the bordering interface or blue text menus, if that makes sense.
]]>Photo by Vladislav Klapin on Unsplash
Hi folks. I’m Frank. 👋
I work in cybersecurity as a business information security officer (BISO), with a background primarily on the GRC side of security, and have worked in this field for about seven years at the time of this post. Head on over to About if you want more of the bits about me.
The itch set in to finally build a personal website and make something of a project out of it, something I could both learn from building and host content on going forward, without having to spend a ton of time maintaining it or paying inconveniently high hosting fees. This is the result; I’ve gone into some further detail as a blog post here: BeerMetalPC.com
I’ve been trying to overcome my own apprehensions and find more ways to participate in the broader security community: conferences, meetups, infosec twitter, and the like. (Admittedly, not great timing to have this drive in the midst of a global pandemic….) I’ve done a little writing in the past, primarily about things relating to video games and online communities. Writing has been a semi-consistent means for me to give back or add value in those fields, and I feel I’m now reaching a point professionally where I may have experiences or content worth sharing in the security space. I’ve struggled to come to grips with posting content publicly in the past. I can only assume my comfort level is greater this time around by having control over the content and how it’s presented. Rather than being hosted on a behemoth of a site or service, the personal site format feels available, but comfortable, if that makes sense.
While I will post security content here, it also won’t be the exclusive focus. Games and other personal interests may appear here. To that end, I’ve pre-populated this site with some of my old content back-dated to reflect when I last worked on it, as well as a potential conference talk that I’ve been working on more recently.
I don’t anticipate any set schedule or frequency of posting, if I have something longer than a tweet I want to share, or if I’ve gotten a project or conference talk idea to a point I feel comfortable making public, I’ll share it here and post a link to my Twitter, @BeerMetalPC That’s also the best way to get ahold of me if you have questions, requests, feedback, or just want to carry on a conversation or memery.
Welcome, thanks for reading, and if you ever find something of value to you here do let me know.
Cheers,
Frank
]]>Here There Are Monsters is the first potential conference talk I’ve worked on. Following Blue Team Con 2021 I was considering whether I’ve had any experience worthy of a con talk, and my thoughts kept landing on M&A projects. Over the years I’ve made multiple efforts to search for lessons learned or advice from security practitioners who have done similar work, and sadly I have found nearly nothing. M&A delivery is a side of security that either few have done, or at least few talk about.
Unfortunately, I have not yet had occaison to give this talk in any formal or public setting. Given the rarity of talks and material covering Security in M&A, sitting on this material waiting to win the CFP lottery feels irresponsible. I am making my slides available for the sake of open knowledge sharing, and I’ve coverted the bulk of this talk into text, below. I started in this role knowing nothing about the M&A process in general, let alone how security fit into it, and I want the next bright eyed analyst that falls over backwards into this type of role to have a better footing to start from than I had.
Note: the text version below hits the high notes, I’ve left jokes and anecdotes out of this version for the sake of being concise and readable, or at least approaching those things. Besides, I need to hold the jokes back so they’ll feel new if I ever get to speak at a con. 🙃
Resource(s) from a business or technical group (e.g. security, network, HR, etc.) who would act a) as an input and SME or organization guide for their area throughout the lifecycle of an M&A activity, particularly in pre-activity due diligence, acquisition/divestiture deal readiness, and integration/seperation activity.
Role entailed juggling multiple stakeholders from the central M&A office, technology, and security, and driving them all towards completion of estimates and tasks. Constant balancing act of doing security right, but also following a risk and materiality based approach. Heavy emphasis in pre-deal activities on materiality and understanding whether factors, anticipated work to integrate/separate, would have an impact to the final quoted cost(s) or contractual verbiage.
Three general phases of an acquisition from our Security perspective. (A central M&A office itself may have additional phases)
A few key dates, terminology, to understand regarding the milestones of such projects.
Obligatory note that your organization may have a different process than what I describe here. Normally we in delivery / SMEs would be engaged once the target is selected and a due diligence sprint begins. This would typically entail a 3-4 week sprint alongside SMEs from other teams. All engaged personnel at this step would be under NDA with a focus on least privilege, need to know personnel only. That said, we did have the freedom to speak to other stakeholders in non-specific terms. E.g. “Hypothetically, what would your area need to do if we added 200 endpoints?”
Is it material to the deal? > The focus here is on materiality and what assumptions, knowns, and unknowns are going to add cost or savings on the deal? Especially if anything needs to be captured in legal or contractual verbiage.
Four key items to capture
At the end of the sprint the focus would shift from uncovering and documenting information, to packaging it all up, secure approvals (e.g. CISO), and presenting the full package to the M&A office and to the CTO (each SME would speak to their respective area). It’s very sobering to go from being the analyst way down at the bottom to being the guy representing info security presenting to the CTO.
Typically, M&A assessment team(s) receive docs, question responses, etc. into a virtual data room. Our standard practice was to read everything in the data room, starting with your own area of responsiblity but expanding outward to consume information triaged for other teams. As we would discover information that may be relevant to other SMEs, we would route that info to them and vice versa.
Do understand that the completeness of what you receive from the target may vary. Sometimes documents will be very bare bones, but may sometimes be very detailed. Typically for an acquisition I’d expect to see anonymized HR details (compensation), tech stack info, insurance policies, network diagrams (ranging from notional to detailed), board and risk committee minutes, etc.
You will typically have at least an opportunity to ask questions of the target, do so. If you’re going to be doing this type of work regularly, have a list of questions for the target’s IT/IS staff ready to go, generic to any deal. Understand however that just because you can ask, that does not mean you are guaranteed a straight answer. To my understanding, pre-deal, the other party does not have to give you nitty gritty detail. They might, but aren’t required. In deals where the target is entertaining multiple suitors, you might just get a canned response or a standardized set of documents or responses across all suitors. (Is that good for the deal? Maybe or maybe not. I am not a lawyer.)
Maybe you don’t participate in assessing the target. Why should you care about the due diligence phase? Care because we need to be on the lookout for opportunities to add value to the business and our partner functions. Or at least find wins that look good at performance review time.
First, understand that your M&A function handles insider information, and may themselves own crown jewel assets. (depending on how, what thresholds, you use to define crown jewel) Further, the M&A function may not have considered that they own crown jewels; consider the data room, their sharepoint sites, collaboration tools, etc. If you work for a publicly traded entity, take note. Apply controls accordingly.
Do you have a red team program? Pentest your data room or 3rd party data room provider. If you remember the Accelion File Transfer Appliance breach(es) in March 2021, that’s exactly the type of appliance that could be involved in this activity.
If you have an insider threat monitoring capability, have a chat with people who would run an M&A activity. Consider creating an enhanced monitoring group for any personnel under NDA for a due diligence activity. Similarly, consider some type of enhanced monitorng when divesting a line of business; consider how you would watch for client poaching or assets walking out the door in this context.
Lastly, and much more open ended, I believe there’s enormous potential here to use OSINT and business intelligence techniques to glean information about e.g. an acquisition target. I unfortunately lack that skill set, but if you have it (or have it in house), give it a try and PLEASE give a conference talk about it, I’d love to see it.
What you need for LD1 varies by deal and integration approach. The overall emphasis here is on getting the necessary functions in place to support the acquisition or separation so the purchase/sale can go through. Below are some items to consider, they are NOT an exhaustive list.
It is critical in an acquisition that you bring a sense of empathy to the table in dealing with your new colleagues. You must understand that the acquired people are experiencing a moment of uncertainty in their professional career. This directly affects their sense of safety and stability, especially so if any of the communication about their being acquired was unclear.
I know this sounds basic, but I say this because I have seen it be a problem before. These people are your coworkers now, not your adversary. You might not be able to trust the acquired network, systems, environment; but you do need to show these people that you are here to help, and you have to trust that they want to do the same.
Talk to the business about the deal, where’s the value? What are we securing? You / security leadership need to have a frank conversation with the business or driving force regarding the acquired entity, what their value drivers and crown jewels are. Determine what must be in place to protect the jewels during integration, and what can wait for a later phase?
Be careful with tooling deployments. IME the more of the initial validation / recon / assessment that can be done with EUC or appliance-ized tools, the better. Agents can be a hard sell, especially if the acquired see it as duplication of an existing capability or a performance hit. Play nice, try not to be too disruptive.
Understand that Sometimes your assumptions are wrong and you’ll have to roll with the punches.
Here there be monsters. I’m going to skip the fine detail here because this is where all of the unique challenges and weeds are, every one of these is different and you have to find your way through it.
Think of the worst piece of legacy enterprise shitware you have in your environment. Now consider that almost every organization has one of those too. If you acquire an org, you’ll find it eventually. - Legacy OS in prod? - Incomplete or nonexistent network segmentation? - Bad vulnerability or patch management practices?
Maybe you’re sitting here thinking “Hey Frank I don’t care about the phases or risk bits. How do I be prepared? How do I make this repeatable?”
I know much of this sounds basic, but I had problems getting straight answers to many of these, and I suspect you will too.
Like any good practice, we had several issues to overcome to make our M&A security function repeatable and sustainable.
Cost Estimates. Most importantely, get good work effort and cost estimates in hand now. Have a “most likely scenario” pre-made for an M&A project. Get a best guess on hourly rate, allocation (bucket of hours or per week), appliances and licensing, any impacts where they would need more headcount, etc. If you have a business management or finance people for your security group, go find them. Buy them a coffee. Ask how they can help.
Documentation. When I started we had a policy document, but didn’t have the procedure, job aides, or knowledge sharing in place for someone else to pick the role up if we got hit by a bus. Remember, if it isn’t documented, it isn’t repeatable. Document your processes. Once you’ve done that, get the advice you would give orally out of your head and onto something sharable, even if it’s only a text file. One such challenge we faced was that our documentation and reporting templates were suitable for an M&A audience, but didn’t quickly convey the information important to our security leadership. Always keep your executives happy.
Organizational debt. Specifically, during the time I was in the role, certain conceptions about the function were held by management that we had to gradually overcome. In a slow period, maybe a quarter, maybe a year, specialist personnel like M&A security delivery would be tapped for other projects. This is fine, but it took several hard lessons learned for that management structure to learn that a M&A project or a due diligence sprint was a “drop everything” event. This prompted a saying with one of our directors: “M&A is cold until it isn’t.” Once the fire is lit underneath, M&A is going to be off and running right now and running hot, and it can happen with very little heads up warning.
Additionally, Don’t bury your strategic projects personnel in the org chart. If you have people handling high criticality, strategic, super duper important (whatever terms you like) projects, you need to have some amount of trust in them. This is doubly importnt if you work in a shop that has a chain of command culture. Establish norms with these personnel, but also establish the trust and authority with them such that they can go straight to the CISO when necessary.
This is the storytime part of the talk. We bought a company, and it quickly became clear we needed to keep most of their existing environment because of the special sauce we bought them for. I had to identify what parts of our security stack needed to be deployed into their environment, and when.
There was no central place where I could find a listing of tools, critical, necessary, or otherwise. Nothing. Security business management were in the midst of a similar effort. They had a list of tools, but hadn’t mapped any of them to functions and owners. IT finance only had the contract view, and no understanding of contracts included what tools for what service/function. We did what anyone out of options with only half the puzzle would do. We built a spreadsheet of doom. It was messy, it was manual, it was out of date the moment we started using it. But it was good enough to get all of the major players and their tooling captured and start forecasting costs.
The point is, figure this out if for no other reason so you understand what you as a security program are paying for. And then, if a strategic project comes along like an acquisition, this is on hand to map capabilities and needs in tabletops, scenario planning, due diligence, etc.
Like it says in Hitchhiker’s Guide to the Galaxy, don’t panic. At the end of the day this is just a project with some unique wrinkles and structure. Button up your documentation: process and templates especially so that someone who stumbles into the role in 3, 5 years can pick it up and run. I just ask that you think about these scenarios now so that you don’t later have to build the railroad while the train is in motion.
]]>Photo by Florian Krumm on Unsplash
This post is a backdated copy of a blog post I wrote in 2019, originally hosted on Medium and my gaming community’s website. I’ve reposted it here for visibility and for my own reference. Some minor edits have been made to the text to clean up clunky phrasings and perspective, and add headings compatible with Markdown formatting. I must also state that all services and figures quoted were current as of July 2019, I have made no attempt to keep them up to date. CORE’s platforms are no longer fully accurate either, having moved off of Wordpress and stood up a Wiki.js site in 2020.
Although I founded and operated Ferrous Core for several years, I stepped away from it as of August 2021 due to limiting factors on my time, loss of interest in the primary game the community was built around, and frustration with demands on my free time to deal with administrative issues and matters of conflict management. These lessons learned are worth a blog post in and of themselves, I’ll get around to it someday.
I’ve been playing video games since I was seven years old and actively participating in and helping to administrate online gaming communities (“clans”, “guilds”, or whatever parlance you like) since seventeen. A decade has elapsed since that last figure, and over the last two years of that decade I took on the challenge of creating a new gaming community to fulfill my expectations of what a gaming community should be, FerrousCore.com. (Also shorthanded as CORE in this writing)
When I started that project in June of 2017, I did some searching for any lessons learned by other individuals who’ve run such an online gaming clan or organization, and was left wanting. Although gaming has received wider acceptance over the past ten years, per the results of my searching, resources for community organizers and potential leaders of gaming communities have yet to develop. It’s my hope that this writing can serve as at least a piece of that information which was not available to me two years ago.
There’s a few disclaimers I wish to make clear up front:
Today (July 9, 2019), Ferrous Core officially plays two primary games: Destiny 2 with ~300 monthly active players, and The Division 2 with estimated ~100 monthly active. We’ve had just over 1300 unique members all time, and ~970 users presently on our Discord. And we’ve spent less than $300 over two years to operate this community.
I won’t get into CORE’s ethos and guiding principles, as they’re beyond the scope of giving you a look at decisions in design and operating a gaming community, and the financial impacts thereof. (though perhaps are fodder for the telling of stories in a separate work) There are, however, two design decisions that I and the other founders made early on, which are important context for why certain services were selected over others.
As starting CORE has been an effort to create the gaming community we the founders had always wanted to play in, we didn’t want to accept any donation or payment from our members. Doing so would have incurred that expectation shift while the community was still forming, a time when stability needs to be the first priority.
Due to this fear of an expectation shift, and personal experience with an organization I thought to be a poor steward of its users donations: we resolved to never gate our community, its people, activities, or services behind any paywall, and likewise to never serve banner ads or sell user data. We also resolved to keep our overhead costs low, both to alleviate financial burden on what came to be “the admin team”, and to postpone any need to accept donations for as long as possible.
We wanted to grow to a size such that our users could come online during and adjacent to peak gaming hours, and immediately have their pick of other, similarly-skilled members of our community to team up with.
For comparison, most other “clans” in Destiny 2 operated within the developer (Bungie) imposed cap of 100 accounts. We were dissatisfied with this number, seeing it as too low to reconcile with this stated goal of growth to a critical mass facilitating ease of teaming up.
Instead, we took on the management headache of having multiple clans of up to 100 accounts per. We discovered within our first year that allowing for this growth (instead of constraining it) allowed us to weather the population low points of Destiny 2 far better than the smaller ~50–100 user organizations, most notably during the reviled Curse of Osiris, Q1 2018 expansion.
Discord is due the lion’s share of the credit for why our community model works. We wanted the “social hub” of our community to be more conversational in tone than forums typically achieve; more like Internet Relay Chat or “IRC”, less like a message thread. Discord has fit that ask perfectly as both a text and voice solution, for free. Discord has received fairly wide acceptance as a common messaging and voice platform in the gaming market. Discord Inc claims 250 million users, 56 million active monthly, as of May 2019. Because of Discord’s market share, the majority of our members have already been Discord users prior to joining CORE, removing the learning curve of navigating a new chat or voice platform.
In Ferrous Core’s public postings I’ve referred to our model as eschewing the “traditional” model of PC gaming communities. The traditional model is simply the best-fit term I have to describe the type of gaming community or guild one was likely to find between the mid-00s and early-10s; an organization based on a monolithic website and/or forum, supplemented by a voice chat server such as Teamspeak or Mumble. Many of these traditional model communities still exist, and many of these communities now supplement their forum and voice server with Discord or Slack as an extra chatroom tool. (In some cases replacing IRC chatrooms)
Instead, we established Discord as the central “social hub” of our community, setting a more conversational tone to user interactions and unifying text and voice interactions in a single application.
I think that this has been a key differentiator for CORE compared to other, longer-running large PC gaming communities; interaction between our users is simply faster and more convenient due to being in the same application, and bolstered by the fact that Discord has robust mobile and in-browser versions. Slack can function as a Discord stand-in in a pinch; Slack achieves the same conversational tone and feel, and is Discord’s peer in that it has robust desktop, mobile, and in-browser functionality. However, premium features such as historical message retention (a Discord standard feature) would be out of reach for CORE. Slack’s “Standard” tier targeting small/mid-size businesses, prices out at $6.67/month/user billed annually; this is an impractical sum given CORE’s Discord user list clocks in at 971 accounts on our Discord today, and over 1200 unique users all time. Free-tier Slack’s limits, such as no historical message retention and limits on the number of apps/plug-ins, do matter less if your intent is for Slack to be a simple chatroom in supplement to a forum, subreddit, or other discussion tools. But for COREs purposes, Slack would have been too much of a limitation on our ability to grow.
Discord has an excellent third party market for “bots”, chatbots and other tools used to aid in server administration, automation, and addition of new functionality.
Admittedly, we’ve been very lucky in that CORE was aided significantly by one of our members, cglatot, volunteering his time to create a Discord chatbot: “Sethlans” as we came to call it. This gave us the capability to assign individual users silly accolades (mostly quotes out of context), track vote counts given to newcomers and used to determine if they are a good fit for our community, and to automate the newcomer intake process by having Sethlans send the newcomer a direct message with reaction emoji allowing the user to self-select their server region, game channels they wish to see, and other optional roles. Prior to having the role provisioning and voting system via Sethlans, tracking votes was entirely manual and tracked via our Google spreadsheet by yours truly. Likewise, roles needed to be assigned manually by an admin for every newcomer on our Discord.
Sethlans has also been used for other hijinks, such as a feature set in Dec. 2018 where we celebrated the Seinfeld holiday Festivus, complete with Sethlans accepting grievances from users to be aired in a dedicated channel, and the bot reacting at random to messages, declaring them to be a “Festivus miracle!” This bot alleviated a lot of administrative time and headache; it’s been a labor of love on the part of cglatot, hosted on his own home server, and he’s never asked for a dime.
Off the shelf solutions do exist that address some of these features, like Reaction Roles bot and general administration bots like Dyno, but be prepared to find certain features and uptime commitments behind paywalls. E.g. $30 for a lifetime license of Reaction Roles, and $5/month for a 1 server license of Dyno’s premium features.
You may also be able to automate or supplement some administrative functions via commercial services, like Zapier integrations with webhooks into Discord, but you’ll be limited at 5 zaps in Zapier’s free tier. Past that you’re looking at $20/month, $240/year.
If such costs come as a surprise, let me be the first to welcome you to the enterprise world.
There are two other bots used by CORE which incur or may soon incur subscription costs, below.
Currently we maintain most of CORE’s administrative tools, images, our intake form and master membership spreadsheet, and other documents on my personal Google Drive, as I have a higher than normal storage capacity thanks to various Google promotions over the years. Cost to CORE for this storage has been nil. A share link with edit rights is provided to each of the admins for the entire folder tree relevant to CORE, and special purpose folders further down have read only links for use by our members. (such as links to our images and logos folders)
But I must emphasize: using a personal account for this purpose incurs risks of data loss and lockout if that account were ever lost/hacked, or closed by Google.A separate account shared amongst your admins or inner circle is recommended, and be prepared to pay for additional storage if your community is going to need additional capacity for things like video sharing and editing.
For the sake of establishing a baseline, when measured on my local machine via Windows Explorer, CORE’s Google Drive folder is just under 7.5GB in size. This would easily fit in the free 15GB Google Drive capacity of a shared Google Account.If you were to need more space, I’ve cited costs of Google One, G Suite for Business, Office 365, Dropbox, and Box.com below.
You will likely need some form of eye catching logo and imagery to go along with the name of your community, and while some possess skill with Photoshop and other graphic design tools, I am not one of them.
I have a friend who does some graphic design work on the side, and knowing this I asked if he’d be willing to design a logo for this new gaming community I was starting. For his ask of $75, I got a logo and about ~20 variants ready-to-go, including vector format originals and rights to use the images. While I don’t know if this price in question is competitive, it was worth it to give business to a friend. (Lately he’s been doing a bunch of calligraphy, check out his website and Instagram if you need some work done)
I don’t know what path or website will yield the best results in the event that you need assistance with website banners, logos, and the like; but there’s no shortage of graphic designers offering their services on Etsy.com and Fiverr.com. Also thanks to the rise of games live-streaming via Twitch.tv and other services, I’ve seen that many streamers will plug their art and emote designers in their channel descriptions; you can find some neat artists if you’re willing to spend an evening channel surfing Twitch or searching for “Twitch Graphic Designer” on Google.
If you’re not inclined to create your own graphics and imagery, be prepared to phone a friend or hire a freelancer, and spend between ~$50–200 or on images and the relevant permissions/rights.
CORE’s website is based on WordPress running on an AWS EC2 t2.nano instance. That website serves primarily as a discovery and intake path for newcomers to our community, and to a lesser extent as a site on which to host reference material for use by our members. The site in question does not host any forums or interactive content, or really serve any content other than static images (and few of those anyway). As a result, costs and maintenance need are both low, and our attack surface is small thanks to no input fields and minimal plugin use.
AWS still offers their 12 month free tier, which we found to be sufficient for the above purposes. Once we surpassed the free tier’s one year limit, we found that normal traffic runs us between $6 to $10 USD in a normal month, with a few cents in AWS Route53 charges for domain name and DNS. Depending on traffic we normally see an invoice of between $7 and $12 USD. I project our annual costs at $120 + $12 for the domain name renewal, although realistically the total falls short of projection due to low demand periods. We’ve to date had one additional one time cost of $49, spent on a WordPress theme for the website at ThemeForest.net.
Admittedly, there is possibility here to save some money if your goal is to have a simple web presence for search engines to find. Amazon offers a simple monthly AWS calculator, the results of which match our experience thus far with WordPress on EC2. Amazon Lightsail offers virtual servers which you could deploy WordPress on for $3.50–10 per month, so $42–120/year. Digital Ocean offers comparable “Droplet” virtual servers for $5 and $10 per month, $60–120 per year. Google also offers a free tier on their cloud platform comparable and with a few advantages over AWS. Otherwise, if you lack the expertise in your community or yourself to stand up a site from bare metal, hosting services like SquareSpace exist but will run you around ~$144/year on their personal plan.
If you want a forum solution, hosting an off-the-shelf solution like phpBB or a WordPress plugin such as bbPress are your best bets for keeping price down. But be prepared to pay one time plugin license costs if you proceed the WordPress plugin route. As to cost of higher traffic driven by the forum, my best guess, extrapolating from what I know of my own website’s activity, is that you’d be looking at around $30–50 or more per month in AWS EC2 invoice due to the increased traffic necessitated by the forum. (This is conjecture, in hindsight I feel this may be incorrect but I do not have known good figures to quote)
Gaming oriented forum providers also exist, such as Enjin and Shivtr, though as the arguable cost of total customizability. You can expect to pay ~$9/mo for these platforms, ~$108/year, after you surpass their free tier limitations.
You have the option of commercially hosted forum software; but these, especially their on-prem offerings, is where we get into the land of the very large gaming communities of years ago. Be prepared to spend the big bucks, or take your hat in hand to your members asking for their assistance. vBulletin is one of the better known commercial forum software providers, with on-prem license costs to match. $250 one time for new licenses of vBulletin 5, and $400 for the former plus their mobile version tools. vBulletin also provides a hosted cloud forum solution these days, pricing based on bandwidth with their most popular Silver 75GB tier priced at $30/month when billed annually at ~$360. Gold 200GB tier service charges double the Silver tier’s pricing. Invision’s cloud forum solution charges in tiers based on then number of concurrent users, potentially bumping you up a tier(s) if you have a surge of users online around a big bit of news. Their cloud hosted forum prices at $45/mo for <=65 concurrent users, <=200 concurrent will run you $130/mo. For their on-prem version you’re staring down, depending on features, up to $625 one time with $105/year renewals for ongoing support.
I would also encourage you to pick up a domain name for your community, even if only to have it serve as an easy-to-remember forward/redirect to a Discord invite link, or to a freeware forum or blog. If someone asks how to join your community in in-game text chat, would you rather type in CoolGuys dot com? Or CoolGuys dot BobsClanHostingService dot com? And which one will make your clan look better organized and managed? Appearances matter. A quick search of Google Domains shows that a dot com or dot org will run you $12/year, and a quick check of gen.xyz shows dot xyz domains going for $10/year.
“What about SSL?” For COREs purposes, our (former) website took no user input except a search bar, and thus we had no firm need for that encryption. Some have rightfully pointed out that having an SSL cert would boost our ranking in Google searches, but we compensated for with just some basic search engine optimization; something which most other online gaming communities lack.
We initially looked at services like Doodle and Band.us. Both of those options truly shine for small groups like a circle of friends, or a tight-knit team trying to find a common play time. We found that their interfaces aren’t suitable for a community of 300–500 Destiny 2 players looking to run multiple distinct play sessions in the course of a week.
CORE ultimately settled on The100.io, a game and group finding service that made a name for itself with the 2014 video game Destiny as a means of helping Xbox and PlayStation users congregate into groups, “companies”, and lightweight communities; The100.io has over time expanded to other titles. The100 also has mobile versions for iOS and Android, a big plus for a community already based around an app (Discord) with a robust mobile version. For CORE, The100 has been a success because we stood up “private groups” for each game we support. Linked to those private groups are dedicated text channels in our Discord for each of our supported games. A bot provided by The100 automatically reports new game sessions and RSVPs to the relevant text channel. The end result is that players in our community don’t have to leave our social hub (Discord) to see what game sessions are coming up, and which ones have seats open.
It’s worth noting that the Discord Bot and Private Group features, last I checked, are paid “supporter’s only” features of the100.io. I pay for this supporter status out of my own pocket, $5/mo coming out to $60/year.
If you’re running a monolithic website and forum such as Enjin, phpBB, or vBulletin, you most likely have a Calendar system included as a part of that service or software. You’ll likely find it easier to organize players via a calendar or events plug in on your website as that is where your users are interacting already. For Slack, Discord, or other services where your social hub is a more chatroom-like or ephemeral setting, services that can integrate with or at least post to your hub (such as The100) are worth your time and money.
Before we go on, I need to define the term “slot.” In the context of games, “slots” is short for “player slots”, or the number of individual users who can be connected into a game or voice server concurrently. A “50 slot server” can have 50 users connected at once, but will decline connection attempts of the 51st player if no slots are open.
CORE uses our Discord server for voice calls and communication, you can see more as to why we prefer this approach up ^ there somewhere in the section about Discord.
We also do not play any games which have significant integration with or value add from voice services like Teamspeak 3 or Mumble. We’re touching on this topic as the reader may have need of higher voice server uptime that Discord can guarantee. Or, the reader may be seeking to create a community in a military-simulation (“milsim”) game like ARMA 3 which has third party plugins to add additional features and integration between the game and a Teamspeak 3 server.
For reference, the largest number of users in our Discord voice channels at CORE at a single time was 52, and occurred on Sept. 15, 2018, about a week and a half following the release of Destiny 2’s yearly capstone expansion, Forsaken. We’ll use a 50 slot TS3 server as the benchmark figure for what you should expect, but starting out you will almost certainly manage with a 20–30 slot server and can scale up as needed.
A quick check of game and voice server hosting providers I’m familiar with returns the following prices per voice server slot.
Note that it is possible to license and host Teamspeak 3 and Mumble on your own infrastructure, but the costs of that approach are well outside my knowledge.
CORE operates in games-as-a-service titles such as Destiny 2 and The Division 2, titles which do not allow for player ownership/control of private servers. But it is worth noting that for certain games and community types you may have need of your own game server, whether that be for facilitating normal public matches, or for running competitive or private events. Your experience with hosting providers and cost may vary wildly title to title.
I have only ever encountered one other community that would openly state its finances in this manner for its general membership for review and comment. I think that that needs to be the norm and not the exception.
Finally a bit where money isn’t leaving your pocket. As your community grows it’s entirely likely that you’ll have people asking if they can purchase from you, or print their own, t-shirts, stickers, hoodies, and other kinds of merch. Merchandise was not on my mind in the course of creating CORE, but by the middle of our first year members had begun to meet with each other away from the keyboard and to ask about purchasing t-shirts and hoodies with our logo. The solution we went with was a print-on-demand service, TeePublic.com, so as to avoid the hassle of printing batches of items, having to handle individual packing and shipping, and having surplus stuff cluttering up the my house.
CORE is the gaming community that I always wanted, so I have no problem with putting in $10/mo from my own pocket to the group’s coffers. At the time of this writing, the clan funds had taken in ~$99 in Teepublic commissions with the operating fund sitting at a comfortable $62.05. (given our low monthly overhead costs) I state this openly for the benefit of COREs membership because in my past decade of online gaming, I have only ever encountered one other community that would openly state its finances in this manner for its general membership for review and comment. I think that that needs to be the norm and not the exception.
If CORE ever reaches a scenario or state in which we need to pass the hat around to help cover our (low) overhead costs, our go to option would be to create a Patreon.com account for CORE. Planning out incentives would require further thought, and I personally would want to ensure that donation incentives do not become a “pay for access” program.
(Edit 9/27/21: Ferrous Core ultimately did go on to operate a Patreon through 2020 and early 2021. This allowed us to provide some more “premium” Discord bots and features. We ultimately spun down the Patreon in 2021 when it became clear I could no longer provide the level of administrative service that I felt accepting patron’s funds demanded. We have cruised along on the accumulated donations plus my monthly input to the operating fund since that time.)
For the reader interested in running their own community, if you’ve created logos and images to promote your community, there’s little reason not to stand up an account with a print-on-demand service that you like for merch sales. CORE has been using TeePublic.com, but plenty of others exist like RedBubble (TeePublic’s parent company), TeeSpring, SpreadShirt, CafePress, and plenty more.
Affiliate programs are another potential route for helping to cover your overhead costs. Most of the major gaming peripheral manufacturers have affiliate programs, such as Razer, Corsair, and Steelseries, as do some other large services such as Amazon. These programs typically pay out commissions on sales made via a discount code or unique link associated to your account.
This is another area where I am not well versed, so you’ll have to do your own legwork regarding affiliate programs, their terms of service, and requirements. It’s worth understanding that some are geared specifically towards gaming live-streamers and content-creators, (Such as Corsair’s program) rather than organizations or community managers. CORE presently does not have any such affiliate arrangements.
And of course, there’s serving ads on your website, which I am opposed to from both a security and user experience perspective. I would encourage you to run an ad blocker in your web browser if you are not already. The confidentiality, integrity, and availability of my data and that of the users of my website is more important to me than a couple of cents per page view.
Altogether and to the best of my knowledge, the annual spend to operate Ferrous Core totals $150 per year between the website and discord adjacent tools. We had a year of coverage under AWS’ free tier, so that simplifies the math to only one year of web hosting. Past one-time expenses totaled $124, a combination of $75 spent on graphic design of logos and art, and $49 spent on a WordPress theme. Taken together, that’s a total of $274, offset in part by $99.50 in inflows from merchandise sales, for a net loss of $174.50. To create the gaming community I always wanted, it’s been completely worth it.
If you recall, we have been lucky to have a wonderful bot developer in the form of one of our members, and I was already budgeting and paying $60/year for The100.io supporter status. These together contribute to about a ~$90 savings compared to assessing such a project from zero. I would advise anyone looking to start a gaming community following in these footsteps to expect to go in around ~$350 your first year if you’re going the low overhead route like I have with CORE. You also do not have to foot the entire bill yourself; I just have the means to have funded CORE out of pocket thus far, and have been too stubborn to accept monetary help from our members.
I hope that this work has been worthwhile. When we started Ferrous Core I could find few/none resources of this nature, and I’m happy to answer any questions or provide future lessons learned. I’m best reached @BeerMetalPC on Twitter.
Thanks for your time!
]]>