Archive for the ‘Computers’ Category

Joost Gets a Service

Saturday, April 21st, 2007

Congrats to Colm and Joost on becoming immortalised in /etc/services - they now have an official IANA assigned port. Incidentally - if you haven’t got a Joost account yet and feel like checking it out, let me know because I have a few invitations available.

Disgruntled Russian Hacker Exposes Valve

Friday, April 20th, 2007

The Daily Tech have an article about a hacker who is currently holding Valve Software (the makers of Half-life) to ransom, having hacked into the system that manages internet cafe licences, and retrieved details and credit card information.

Most gamers will remember the bit of trouble that Valve had a couple of years ago, when a German hacker known as Axel G, or “Osama Bin Leaker” when he’s in a particularly powerful mood, snuck into their network. Internal emails were leaked, demos were leaked, and ultimately the source code to Half-life 2 was put on the internet. Valve burst into action like a coiled spring - instantly assembling a dynamic and energetic tiger team:

The fiasco resulted in a lot of hassle for the company, but they got some consolation in the end when they caught the perpetrators by pulling the oldest trick in the book - offering to hire Axel G as an in-house security auditor. Beaming with pride as he headed for the plane, ready to start his new life in America working on the game he loves, the poor boy had no idea that the FBI were laughing their asses off at the airport, doing Axel G impressions as they waited for him to arrive.

Axel G - a misguided enthusiast, suffering from classic notions of teenage hackers - convinced himself that he was working for the greater good. He claimed that the motive behind the source code leak was to expose Valve for lying to the public about the state of the game, which was far from finished, implying that they demoed a fake version of the game at E3.

This latest haxor, MaddoxX, displays the same symptoms of a glorified self-image, probably seeing himself as half Robin Hood, half Darth Vader and half Zerocool. However, by comparing the number of x’s in their names, we can assume that MaddoxX is at least twice as l33t as Axel G, and thus less likely to fall for the “hey, you’re good! Come and work for us” trick. I would remind Valve of the old Chinese proverb that is strangely apt here: “Blind eagles soar with wings, but do not mess with psycho Russian hackers because you’ll get pwned”.

The Daily Tech article quotes MaddoxX, who outlines his motives:

In fact, MaddoxX says that he’s been tooling around on the Steam server’s back door since January. “I did try [to] contact them several months ago. At the time, I didn’t do anything harmful — just got [a few free copies of games] but never heard anything from them,” he says. “Later,” the steamed hacker adds, “I tried to warn them to fix bugs…but as usual, they don’t listen.” He recounts that he allegedly tried e-mailing Valve employees on several occasions without a reply. When a friend of his called attention to the potential security breaches on Valve forums, every trace of each thread got shut down. “They don’t even warn or reply to their Café customers that private information is leaked,” he says.

And here we come to the issue that is bothering me: MaddoxX is dead right in what he says. When you take confidential information from your customers - be it credit card details, home phone numbers, or their dog’s middle name, you take on a degree of responsibility. My guess is that Valve’s IT guys are still sitting around eating sandwiches in front of an empty whiteboard. The director of marketing at Valve, Doug Lombardi, just recently confirmed the security breach and released this statement:

There has been no security breach of Steam. The alleged hacker gained access to a third-party site that Valve uses to manage the commercial partners in its Cyber Café program. This Cyber Café billing system is not connected to Steam.

The Daily Tech refers to a very reasonable Californian Law which says that you are required by law to disclose any breach of security (to any resident whose unencrypted data is believed to have been disclosed). I’m not a lawyer, so I don’t know if Valve are bound by this, but I am aware of a general rule of thumb: if you discover a security breach, you snap to it and do something about it. You don’t hum and haw and mumble some comment a week later about an “alleged hacker” who broke into the system. If the guy has got:

  • Screenshots of internal Valve web pages
  • A portion of Valve’s Cafe directory
  • Error logs
  • Credit card information of customers
  • Financial information on Valve

…then I think it’s safe to put your hands up and acknowledge this. Funnily enough, the Cork gaming cafe Area 51 even makes an appearance on one of MaddoxX’s screenshots. I wonder if they know that their credit card details could be compromised? Perhaps I’m being unfair, and all of the affected customers have been contacted and informed, but judging by the concerned cafe account owners on the steam forums and elsewhere, this does not seem to be the case. This only serves to validate what MaddoxX is saying, and highlights a gross lack of responsibility on Valve’s part. I believe the guy when he says he has contacted them many times about exploits and bugs and never got a reply. They sound like an absolute disaster.

Security breaches happen occasionally, and that is inevitable. I won’t dwell on the fact that it seems to be a recurring event for this particular company, I’m more concerned about the reaction when something does go wrong. Read this example of how it should be done, from Wordpress. A responsible, well worded, concise account of what happened, when it happened, who is affected, and what to do if you are affected.

What would you have said if Automattic had come out with drivel like this: “There is no security breach at Akismet. I repeat, AKISMET IS SECURE AND SAFE. oh, by the way, Wordpress got allegedly hacked.” Doug Lombardi: the issue is not “There has been no security breach of Steam”; the issue is: “THERE HAS BEEN A SECURITY BREACH”.

Hackers in Team Ireland

Wednesday, January 17th, 2007

I mentioned in my last post that very few people these days take the time to give their views on how things are shaping up in the world of online gaming. In the days of Geocities and Gibworld, the internet was hopping in time with its myriad of animated ‘mail me’ gifs. Dozens of clan sites and tinet homepages in Ireland were poised to strike at the slightest bit of news in the gaming scene. When the boat rocked, ripples would spread giddily through the network of fluorescent static HTML pages, lovingly tended by faithful enthusiasts.

Last week, the boat rocked. When I say it rocked, I mean it crashed into an iceberg and flipped over three times before landing upside-down in the Bermuda triangle. The thundering mother of all cheating scandals emerged in a haze of furious drama. eSReality has an account of the saga involving an English gamer called Fusen and netCoders.be - a group who make aimbots, wallhacks, etc., for games such as Quake 3, Enemy Territory, CoD 2, and SOF, and sell them for up to $200. This is the story of the hacker who hacked the hackers and gained access to their database via a vBulletin exploit, exposing the details of all of their customers to the public. The wild-west response, where netCoders offer a $1,000 reward for information on their attacker. The irony of the moral high ground held by the victims and their alleged legal follow-up. The hackers’ threats to hack the hacker who hacked the hackers.

The plot thickened and boiled and simmered as professional players were busted, and respected Clanbase admins ruined. But it didn’t interest me until I noticed that several members of team Ireland were caught with aimbots and wallhacks.

I have followed Ireland in the Enemy Territory nations cups a few times, and despite our small playerbase, Ireland has always had a very strong squad which was able to compete at the highest level. More recently, a new generation of players has risen to eradicate the respect that Irish national teams have accumulated over the years. If this had happened 5 years ago, there would be riots.

From Dapper to Edgy

Sunday, October 29th, 2006

I just installed Ubuntu 6.10 - “Edgy Eft” today. First impressions are good - it looks nice, and it’s very fast, particularly the boot-up process. I haven’t had a chance to check out any of the new features yet, like IceWeasel 2.0. There were a few issues with the installation - most critically the wireless card support. I’ve been using a Belkin USB wireless adapter via ndiswrapper with no problems since Breezy. Edgy detected it, for the first time, and loaded the rt73usb driver… which didn’t work properly. I blacklisted the module and opted for my trusty ndiswrapper instead - but Edgy packaged a very outdated version 1.1, which didn’t work either. This was nearly a show-stopper, since I depend on a wireless network as my only internet gateway, but luckily I had my ndiswrapper 1.8 source backed up on my /home partition and was able to get online with that.


The beardiest of Linux snobs sometimes sneer at Ubuntu, because it is not hardcore enough. It is pretty and graphical and far too easy to use, with tutorials on how to spell your name. As a Ubuntu user since Warty, I have always hated this kind of attitude… but for the first time I am starting to see where it comes from. The greatest strength of Linux in general is the ability to see exactly what’s going on - and if you don’t like it you can change it. Tragically, this refreshing verbosity is what keeps the average computer user at barge-pole distance. In an admirable effort to make Linux more accessible, Ubuntu made a compromise. Thanks to Dapper (with Long Term Support, an easy Live CD install, and programs like Automatix and EasyLinux which magically do all the work for you), for the first time, Linux was a genuine option as a desktop OS - I’m surprised that there wasn’t a bigger take-up among art students and the like, or enterprising refurbished-computer dealers who wanted to save on the cost of an operating system. But there’s a thin line between making the system more user-friendly, and unnecessarily dumbing-down the distro. The first thing I noticed upon booting up my Edgy system was the fact that there is no feedback, no step-by-step progress that we’re so used to seeing. I’m sure it’s easy to enable this again, but that’s beside the point. I really don’t see any advantage to removing the diagnostics, but there are a number of obvious disadvantages, and this does not bode well.

When Dapper came out four months ago, I spent days (literally) on dial-up downloading the standard installation CD. What a sickener it was when it wouldn’t work on my system. I was gutted to see that there was no means to fail over to a text-based installation without downloading another 700mb alternate install. I got stung again this time around, but lucky I’m no longer a narrowbander. I had to download Edgy Eft three times - the first one failed its checksum, and the second time I accidentally got the standard live CD again. In my opinion, the Live CD should be the alternative version. I fear for Fiddly Ferret, or Gawky Gazelle or whatever is coming next.

A minor annoyance - the bog version of vi is back again, but “apt-get install vim-full” puts it back in its cage quickly enough.

Selling Out

Wednesday, September 20th, 2006

I just forked out €15 for a three month subscription to Transgaming’s Cedega - the portability product that allows you to run Windows games seamlessly on Linux. As much as I hate to say it, it was money well spent. After hours of recompiling several different versions of Wine, and troubleshooting minor bits and pieces that made some of the newer games just barely unplayable, I decided that it is just too much effort and the time that Cedega would save me is worth more than €5 per month. In other words, spurred on by a blast of nostalgia, I needed a fix of World of Warcraft immediately. Cedega did exactly what it said on the tin, and it surpassed my expectations by running Civilization 4 flawlessly. I’m told that there is even support for Oblivion and Age of Empires III… if only I had the inclination to find the CDs.


Unfortunately, WoW is just as boring as when I quit playing it over a year ago… only this time around my few buddies in-game are all gone (except for Spaceman). My once-buzzing guild was empty bar one other member… and he was 8 months idle. I’ll try to give it a few hours here and there but I don’t think I’ll ever reach level 60.

Dodgy Update for X on Dapper

Tuesday, August 22nd, 2006

For any Ubuntu Dapper users who didn’t see this… there was a dodgy version of xserver-xorg-core released yesterday which breaks your X server. The thread on Ubuntu forums is here. There will be a fixed version on synaptic soon, so you’ll save yourself some hassle by not apt-get-upgrading today.

From the Mailing Lists

Friday, August 18th, 2006

A couple of interesting Linux-related tidbits from the mailing list today. Conor on ILUG linked to a very valuable wireless card database. I have been forced to use ndiswrapper on all four of my linux boxes that have wireless cards, since none of my randomly chosen wireless cards were natively supported.

Elsewhere, on the Freevo Users list, there is discussion about the ivtv_xine_tv plugin, which allows you to record live TV on your Linux box. You’d need a few hundred megs of disk space, but it looks like a very nice feature.

All the fiddling with Freevo has made me think about compact PCs, which has unfortunately given me a crazy desire to build an in-car computer for myself. I spent some time on the MP3 Car forums today, and the idea is very firmly rooted in my mind now and I am struggling to shake it.

The Naked Ubuntu Woman

Tuesday, August 1st, 2006

What a fright I got when I came back from lunch to find a naked woman floating across my screen at work. This is part of a default Ubuntu screensaver (Flipscreen3d) which I suppose ties in with the whole Ubuntu “human” theme. I know there is nothing wrong with the image, but my boss might not feel the same way. If it’s borderline NSFW, then leave it out of the default setup, please!


Freevo Home Theatre Platform

Thursday, July 13th, 2006

Today my boss introduced me to Freevo - an open source home theatre system for linux, written in Python. Record your TV shows and save them for later, accessible via the web interface if you’re at work and you forgot that The Return of Howard the Duck is on. A localised and accurate TV guide is provided on the system by XMLTV.

Play MP3s, DVDs, DivX, and whatever else your average media centre does. Maybe install it on a modded Xbox for the ultimate entertainment system. I like the sound of Freevo, I think I will have to give it a bash.


Scapy for Windows

Sunday, June 18th, 2006

I spent many hours this week trying to port the python-based network tool Scapy to Windows. After a number of slow downloads, red herrings, and a lot of messing around, I finally had the end in sight. That’s when some guy posted this with everything I needed. Thanks Andrew - nice one, just wish you had posted it three days earlier and I would have been able to watch an extra few World Cup games.

Scapy is a powerful interactive packet manipulation program. It is able to forge or decode packets of a wide number of protocols, send them on the wire, capture them, match requests and replies, and much more. It can easily handle most classical tasks like scanning, tracerouting, probing, unit tests, attacks or network discovery (it can replace hping, 85% of nmap, arpspoof, arp-sk, arping, tcpdump, tethereal, p0f, etc.). It also performs very well at a lot of other specific tasks that most other tools can’t handle, like sending invalid frames, injecting your own 802.11 frames, combining technics (VLAN hopping+ARP cache poisoning, VOIP decoding on WEP encrypted channel, …

And in case you are wondering, I didn’t get clamped \o/

I am from Cork, Ireland. A fan of the Big Lebowski, Mac OS X, Linux, Cork hurling, Munster rugby, Irish football. Interests include QuakeWorld, Python (lately Django), network security, web applications and technology in general.

Leave a comment if you come across something that interests you. My contact details are here. Alternatively, you can connect on LinkedIn or Twitter.