How to play

The original EoP game is designed to be played with everyone together in a room. Unfortunately, this doesn't work well for open source projects where the contributors are distributed around the globe and need to play asynchronously. This site acts as a virtual card deck.

  • To track the game, use something that all your players can edit, like a wiki or git controlled file.
  • When you first visit this site you will get a uniquely shuffled deck, and will be shown the first card drawn.
  • Play this card as per the EoP instructions, and record your threat, making a note of the current url.
  • When the next player is ready, they visit the url recorded in the previous step and verify the last played card is correct.
  • They then click the "Next player" url to get their card which they play.
  • Repeat for each player until all the cards have been played.

To speed things up by minimising the wait between players, have each player play more than one card per turn. For example, play three cards per turn.

How it works

This site works by seeding a random generator which is used to shuffle a deck of cards (array of numbers). The seed and the position in the deck are authenticated with a SHA-1 HMAC. There is no card secrecy (no encryption) as this version of the game relies on the transparency of the recorded game. All state is stored as a combination of the seed and the card number in the url, nothing is stored by the app.

Find out more

The original game and instructions can be found here.

For more on threat modelling see: Threat Modeling: Designing for Security