June 26th, 2009 by adam

(this assumes you are running Debian on your server; if not, I suggest you switch)

Mediawiki. One of the world’s less secure wikis? Probably. I use and install it a lot, and it’s usually “the compromise wiki”: it’s weak at a lot of things, but it’s the “least worst overall” a lot of the time. Here are my current standard fixes and tweaks.

(more…)

June 22nd, 2009 by adam

Every now and then I scan through my auto-spam folder and see what’s in there. Sometimes the subject lines are hilarious. Other times they teach you about new kinds of phishing attack that are being attempted.

Mostly, they just say depressing things about what it is to be a human in the 21st century.

All the following were yanked from spams I received in the last few weeks (I just did a subject line sort for what was left since the last mass-deletion). I have to say … the depressing, “makes you want to kill yourself if this is the kind of email you receive and respond to” ones have mostly disappeared, which is good. But the ones about MEGADICK that used to make me LOL have sadly faded away :(.

Lost in translation? (aka “WTF?”)

Be a bedroom business master!
Make your hose’s radius great
Fertilize your male tree
From now you don’t need a crane to lift your instrument up!
Come now, pay less!

Sounds painful…

Your manhood will come back to you like a boomerang
Load into her like a geyser!
With a bigger tool you can break not only hearts but splits
Hammer your pile in her
Pills of lion stamina
Make her your rod’s slave
Best doping for night monster
Replace your pant snake with python!

Someone call the cops?

Your drawbolt will go deeper in
Pound her, more and more
Make your love gun active and effective!
Good shells for your love gun
Find how to drill her better

There goes my self esteem

Your instrument is so tiny she barely finds it in bed?
You have no stamina any more to satisfy your loved one
Greatness is measured by the size of your manhood
This watch will add some elegance to your taste
Losing your popularity as a man?
Get a diploma for your career!
Masters degree with no efforts
Show your girlfriend that there can still be a lot of flame in your bed
Feeling unneeded in bed?
What does a frog want with you?
With a monster device you will feel like a man
From now you will be able to satisfy every size – queen!

Telling it like it is, man

Man empties gun at car, victim survives
Why lie? I need money
Bacterial infections are stopped by Amoxicillin

“Optimism” (aka “O, RLY?”)

We cure anything from headache to cancer
Worldwide delivery instantly to your home
Go here for guaranteed boner
If you can’t beat CEOs … join them

Kindness

Free money
Wanna beer?
Sexually aroused
I can help you
We go to cinema tonight

… and threats

Fucking fill this form
I wanna worry you
Universal decision for men who want to stay men
We will not let your manhood die … call us
You are disqualified!
Get a degree
Suck it
List of conditions
Get your nice hair returned to you
Your friend in trouble
Click or cats gonna die

The men from UNCLE

Erase message after reading
We’ve found your car
Don’t settle for less than 15x power!
Respond, please
Medications that you need

Bad day

We canceled the exam
We canceled the conferences
Forgot keys, forgot phone

Story time

What’s this?
Shocking! Rihanna was cursed
A giant outside
Sitting by the well playing

Too Much Information

That shit made my day
Celebrate independence day with a hard boner

April 5th, 2009 by adam

I’m just finishing up a quick PHP project at the moment, which allows anyone to register an account – so as the final step before launching it, I needed to add some form of CAPTCHA system. I tried a couple of 3rd party ones and source code ones and none quite worked for me. This post gives full source for a simple user-friendly photo-based CAPTCHA in PHP. Use at your own risk – but it’s short and easy to integrate.

NB: this was more a quick-and-dirty practice exercise than a serious attempt at a CAPTCHA. I don’t believe in CAPTCHAs, generally – but if you ARE going to use them, it’s best to have a lot of them in the wild, so it’s harder for crackers to do “crack once, spam everywhere”. See the section at the bottom for links to suggestions for other people’s CAPTCHAs that I reckon would be better for production use if you can get them to work :).
(more…)

November 22nd, 2008 by adam

Please stop spamming the blog, not for me, but for yourself. There are multiple layers of spam filter (you may have noticed that none of your fake posts has got through so far), so I have the luxury of having the few “uncertain” hits emailed to me, because there’s so few. If that changes, I’ll just add another filter. I wouldn’t normally call one person out, but … your comments keep getting sent to me for moderation, and it appears you are actually *writing them by hand*.
(more…)

October 31st, 2008 by adam

(in case you hadn’t been following, this year EA has been putting some particularly nasty DRM on their most-hyped games such as Spore and the Crysis expansion; but unlike previous years, there’s been public outrage)

A couple of things of note here:

EA thinks it can get away with what many consider lying and cheating – and then having the CEO publicly insult the customers

  • Lies: they claim it’s all about piracy (the evidence suggests strongly that it’s about preventing 2nd hand sales while shoring up the artificially high prices that EA’s products retail for)
  • Cheating: EA’s PR people claim you can always get around their dodgy restrictive-use business practice by calling a phone line, that they own and operate (there’s no reason they need to keep that phone line open, and there’s no guarantees that they will honour the customer request)
  • Insulting: the new CEO, who came in on grandiose claims of reforming the company after the scandal of EA-spouse which revealed some very nasty internal practices of the company (apparently institutionalized abuse of its own staff), spoke to one of the largest trade-press websites and told them the people complaining were probably just pirates or stupid (*) (again, this is clearly not the case)

(*) “half of them were pirates, and the other half were people caught up in something that they didn’t understand” – see halfway down the article.

Apparently, little or no lessons were learnt with the public outcry over Spore

…in that the damage seems to be happening all over again with Crysis: Warhead, with the identical problems (c.f. the massive negative Amazon.com and Amazon.co.uk ratings). I would have thought that a publisher the size and power of EA would have managed to prevent “another Spore” – if they had wanted to.

Maybe the fallout isn’t so bad this time? There aren’t quite so many negative reviews this time around, but then Crysis:Warhead wasn’t so big a game as Spore, either in marketing or in predicted sales figures.

Amazon changes its mind about its policy on user-reviews more often than a politician trying to appease the electorate

They’re there! Amazon is full of negative User-Reviews!

They’re gone! They’ve all been deleted!

They’re back again! They’ve been reinstated!

(this happened with Spore. Fair enough. They weren’t sure what to do).

But … reading the comments and off-site commentary apparently it just happened all over again with Crysis: Warhead. Huh? Why? What’s going on over at Amazon HQ?

(I’m getting visions of engineers in a central control room fighting over the keyboard of a machine running an SQL database client, alternately deleting and reinstating the comments, while a prematurely-aged sysadmin huddles in the corner weeping to himself)

The customers are refusing to be tricked into damning themselves; what appear to be EA’s shills are being spotted and beaten at their own game

Witness this fascinating comment on Amazon.co.uk review page for Crysis: Warhead:

C. Chapman says:
[Customers don't think this post adds to the discussion. Show post anyway.]
I’m so glad to see Amazon has taken steps to filter out all of the useless nonsense being said by the DRM protestors.

Brian W. says:
Hey dude, Amazon just reposted all of the bad reviews and this game is down to the 1.5 stars it had a few days ago.

J. Schwarz says:
Don’t even bother responding to this troll Chapman, he is obviously a company man who is afraid that EA may go out of business. In fact he truly has something to worry about b/c the only other job he could get was shoveling the bs and for that he had to pass an IQ test which he failed.

WolfPup says:
I’m not sure which is more sad. Is Chapman an actual person, who honestly holds such crazy beliefs? Or is Chapman a corporate troll, who thinks that insulting non-crazy people will somehow make their activation DRM acceptable?

Either possibility is frightening.

Paul Tinsley says:
I think Chapman is employed to post. He does use a classic strategy that involves discrediting the thread by making the discussion descend to a personal level. He also attempts to alienate the protest away from the topic by declaring them to either be criminals or a small sector of the community that isn’t even a targeted customer. It’s textbook “digital” insurgency or deep strike, just choose your analogy and most will fit.

WolfPup says:
Interesting. I guess I just thought someone working for a corporation would be more professional about it or something, but…yeah…I probably didn’t think that through very well. They’re not above using any types of tactics.

I guess he’s still a corporate shill even if he’s not paid, but I’m leaning heavily towards him being paid after reading your post.

Paul Tinsley says:
Think of Chapman as a sort of “troubleshooter”. He’s not the sort to polish the company front line, he’s the clandestine stealth agent, sent forth to discredit the argument, to make people think that we can’t hold a solid debate without being personal and also to convince casual readers that our complaint is irrelevant. If Chapman was just another gamer like you or I, he wouldn’t waste so much time trying to make us all “look like idiots” as he might put it.

WolfPup says:
Yeah, you’re probably right. Unfortunately I have a pretty low opinion of how stupid and/or evil people can be, at this point in my life so I don’t really doubt there could be someone out there that clueless about these (or any other host of) issues :-(

Paul Tinsley says:
Well, I will be called delusional and paranoid for stating my opinion. Neither are true, as anybody who thinks that limited activations is better than no activations isn’t thinking like a consumer, they are working to a different agenda.

It doesn’t so much matter whether the OP was a shill or not, it’s the reaction that interests me.

I remember a time (“in the olden days, when I were a lad”) when the audience who A) cared and B) understood the issues were generally teenagers and a very narrow band (niche within a niche) of hardcore gamers with little experience of expressing themselves or dealing with sly cunning bastards. Those people would easily get sucked into tit-for-tat rants and regularly derailed (and sidelined) in such conversations. It was almost too easy. I was once one of them :).

Nowadays, I believe there are three differences.

Firstly, the audience who cares is much more mass-market (mostly IMHO thanks to the arrival of Playstation in 1995, and Sony’s successful marketing of it to young-professionals instead of just children), skews somewhat older (although still noticeably heavily biased towards young and male for many of the PC games, action PC games in particular), and is generally more experienced with the gamut of humanity and the tactics they employ.

Secondly, and this one surprised me, the subset who grok the issues seems to have massively expanded over the past 10 years. If you read through the negative comments, the arguments against DRM are often cogent, direct, and well-informed. Views that were once only understood and appreciated by readers of TheRegister seem to be (finally!) making their way into the mindsets of the public at large. I am beginning to think that we may yet manage to rescue ourselves and our futures (and those of our children) from the idiots who seek to make Copyright last 100 years, put a 10-year minimum jailterm on anyone who copies a *digital file*, and want to force everyone to carry compulsory, biometric, ID cards.

Finally, the audience of hardcore gamers themselves seems to be a lot more skilful at manipulation, especially the “people hacking”/social engineering skills. They are much harder to deceive, and much harder to defeat, compared to the days of Usenet (and here I’m very happy to accept I may just be deceiving myself with my own sentimental memories). If that’s the case, I believe it’s a direct result of the increased prevalence of online communities, especially out-of-game communities, and to a lesser extent in-game communities: these things have made people better at dealing with other people, in ways both good and bad.

October 27th, 2008 by adam

I’m there now, drop me a line (see About page for email) if you’re around.

I’ve just given a quick presentation introducing the ENISA’s (European Network and Information Security Agency) whitepaper on “Security and Privacy in MMO’s and VW’s”. It’s free, and it’s fairly simple (aimed at everyone from consumers to governments), worth a read if you’re interested but relatively new to this stuff. Contributors include people from Sulake (Habbo Hotel), CCP (EVE Online), NCsoft, and people like Richard Bartle and Ren Reynolds.

October 13th, 2008 by adam

This week, I was at the Virtual Goods Summit in San Francisco (my session writeups should appear on http://freetoplay.biz over the coming days). A couple of things struck me during the conference, including the large number of “payment providers” (companies that specialized in extracting cash out of your users via credit card, paypal, pre-pay cards, etc and crediting direct to you) and the large number of white-label “virtual goods system providers” (companies that were providing a turnkey (or near-turnkey) solution to “adding virtual goods to your existing facebook app” etc).

Which brings me to a recurring problem I’ve seen for a long time with the online games and MMO industry, which I suspect is going to cause a lot of damage to a lot of social games and virtual worlds companies in the coming years: online service providers are – in general – shockingly bad (lazy or plain stupid, usually) at handling their customers’ money.

And the result? Ultimately, it could drive increasing numbers of consumers back to preferring to purchase their games and other online content via retail, where the companies and transactions are more trustworthy. OH, THE IRONY!

(more…)

September 16th, 2008 by adam

Is it just me, or is calling this about “piracy” missing the point here? (and, in case this isn’t obvious enough: yes, this is a deliberately very flippant post, but the points are serious :) )

EDIT: just for the record, I actually bought and played the game, quite a lot. Although don’t expect a professional review there :).
(more…)

March 26th, 2008 by adam

…according to Ed Castronova’s snippet that Scott J posted from the MDY vs Blizzard trial notes.

Courtesy of Scott, here’s a hosted copy of the source documents.

Ed writes a nice little explanation of why / how bots damage an in-game economy. I liked that. Good stuff – go read it. So far, so good – a great primer for anyone wanting to understand the situation better.

Unfortunately, the implication throughout the document is that this is all directly damaging to Blizzard’s revenue, and should be prevented *by someone other than Blizzard*.

I think this is a really stupid way of looking at things. My impression from reading the submission was that it’s overall a somewhat twisted description of the situation, coloured by a desire to use the facts (economic analysis) to support a personal desire (stop people using bots rather than go to the effort of fixing the bugs in the game-design). Sure, capitalist companies will pursue the cheapest possible means to achieve their goals, including suing people if they think they’ll succeed, but I deeply object to this kind of good factual analysis being spun to imply it proves stuff that it does not prove, and which amounts to an attempt to dodge responsibility and use the legal system to make up for mistakes in a company’s product-development strategy. Make better games, don’t blame the players for not playing the way they were “meant” to. Even the ones who are cheating. Ban them for cheating, stop them however you can, but don’t claim it’s not your fault that they’ve managed to cheat in the first place: of course it’s your fault.

Picking the snippet Scott quoted, which is nicely indicative of the whole piece:

Glider bots destroy this design, distorting the economy for the average player in two specific ways. When a Glider bot “farms” an area, it picks up not only experience points for its owner, discussed above, but also the “loot” that is dropped by the mobs killed by the bot. Because Glider can run constantly, it kills far more mobs than anticipated by WoW’s designers, thus creating a large surplus of goods and currency, flooding the economy with gold pieces and loot like the Essence of Water. This surplus distorts the economy in a specific way.

When bots gather key resources, they gather them in abundance. Owners of bots usually sell these resources to other players for gold, which inevitably deflates their price. Blizzard’s design intent is for the resources to command a certain high value, so that average players, who might get one or two of the resources in an average amount of play time, may obtain a decent amount of gold from selling them. But because characters controlled by bots flood the market with those resources, the market value of these resources is far less than Blizzard intended, and the average player realizes only a fraction of the intended value from the resources s/he finds. The deflated value of key resources presents a critical problem for ordinary players trying to enjoy the game. Blizzard’s game systems assume that players will be earning a certain amount of gold per hour, and many systems, such as repairs and travel, force players to make fixed payments of gold into WoW’s systems. Buying a horse, for example, costs a certain amount of gold. That price is set by the game designers based on the assumption that normal players will accumulate gold at a certain rate, and that some of their gold will come from the value of resources that they harvest and sell. When the value of those resources plummets because of Glider, the amount of time it takes to accumulate the gold required for in-game expenditures like the horse skyrockets. This skews the economy, frustrates players, and, as a result of a less-satisfied user base, damages Blizzard.

My interpretation of the above argument:

  1. Designer makes various tables of numbers showing relationship between prices, rarity, the difficulty of achieving items at a given level, etc. This is normal – people who do this are often called “balance” game-designers, because they’re balancing out the risk/reward, cost/effect of everything
  2. Developers hard-code these values, on the assumption that the world is perfect, they are God, and nothing could ever go wrong (this is fine; normally you make that kind of mistake once, and then fix it when you realise the problems it is going to cause)
  3. System collapses because of “bad people”
  4. When caught in such situations, Developers get to blame everyone except themselves, even though it’s clearly their own shoddy game design / implementation

The analysis is economically accurate, but the conclusions about the impact on design, and about whose responsibility it is to contain/prevent/undo this, are just making out game developers to be lazy, stupid bullies. People should take responsibility for their mistakes, not blame everyone else. Especially not blame the users of a game. Even if they hack your game to pieces and cheat like crazy THAT’S STILL YOUR FAULT AS A GAME DEVELOPER. You may hate them, rightly so, but it’s your responsibility to make better games. At least, that’s how we used to make games. Maybe the industry doesn’t work that way any more. Maybe it’s just me that thinks that way, maybe to everyone else in the industry a “bad game” isn’t your fault as a developer, it’s the players’ fault for not being clever enough to appreciate the coolness of your game.

Look at Diablo – it fell to pieces and died because of in-memory live hacking of the game-data. Seriously hardcore stuff (in a way). But that didn’t mean everyone just shrugged and said “those nasty hackers, they ruined a perfect game, it’s not the developers’ fault”; instead we took it to mean they hadn’t built it well enough, that next time they would have to change their approach, or their priorities, to prevent this from happening again.

To pick one more quote that underlines how silly I think this piece is because of the spin being put on it:

Glider bots occupy resources that Blizzard could otherwise put to other, more constructive uses. Because those resources are required to fight Glider, they are spent in a way that does not improve the game

Well, duh. And the same is true of most of the work being done by the Customer Service depts that all of the MMO companies pay large amounts of money to in salary every day. And it’s also true of the hardware that we use to run the game. Etc, etc. Just because a development cost “does not improve the game” doesn’t mean you have grounds to go and sue someone else for causing you to have to do it.

Where does it stop, if you go down that route? Are we going to start suing players who ask questions of the CS team that are too stupid? Will we bill players with crappy graphics cards for our time that was wasted diagnosing problems with their hardware that were stopping them from playing our games?

Which is not to say that I support botting or bot applications. I don’t support either. And I believe there are many different ways you can fight them, and there are many good reasons for shutting down people and organizations that use them. But I don’t think the reasons given above are included. And I don’t want to sink to the level of making specious arguments just because it’s the path of least effort…

September 2nd, 2007 by adam

EDIT: downloading the nice plugin recommended in this post will now break your blog if you’re using WordPress 2.5 – the wordpress authors have made some incompatible changes. But it’s OK – bengreen has fixed the plugin, and made a new version available (read here for some very basic information on what will break and idiot-proof instructions on how to fix it)

I had a nasty shock when I realised that WordPress by default has no transport security at all: the login form and the admin pages are served over plain HTTP, so your password and your admin session cookie cross the network in clear text. Anyone in your office who doesn’t like you, can see your traffic, and has a basic knowledge of using google (to find a packet sniffer) can potentially steal your admin password and take complete control of your blog. This is, really, pretty mind-blowingly stupid – I love WordPress, but “no HTTPS support out-of-the-box” is frankly irresponsible, especially for a product used by so very many people across the world. The only good part is that, AFAICS on a quick glance, there’s no easy way of taking control of the entire webserver if you’re the WordPress admin (plugins still have to be manually uploaded, so you’d need separate access to the server to manage that).

What follows is a discussion of how to fix this, along with links to step-by-step guides that worked well, and an extra note on how to complete the process without doing the “login once insecurely” that all the guides tell you to do at the end.
(more…)

July 16th, 2007 by adam

AGDC is a small computer-games conference (about 1,000 attendees) with a particular focus on online and massively-multiplayer online games (MMOGs). In that context, it’s pretty big – with such a niche within a niche, it tends to have talks and representatives from most of the players in the space.

Every year, each of the games industry conferences has to pick between 100 and 300 talks and speakers, each of whom gets a free all-access ticket and usually free international travel, hotel, etc. The process is fairly straightforward: they put out a request for proposals about 6-9 months earlier, receive thousands of 1000-word abstracts, and select those that they think are interesting, novel, or will attract enough people to make them buy expensive tickets.

Democracy rules

Often, the choices made baffle, frustrate, or infuriate people in the industry. The most common complaint is that each year the conferences carry a higher proportion of worthless talks on subjects that everyone with any experience already knows about, and which contain no information you couldn’t have got from home just by using google for a couple of hours. A lot of conferences have a few near-identical talks each year, so that if you’ve been to one you needn’t bother with the rest – one conference even got a reputation for just recycling the talks given at other conferences already that year, which killed it. There are always slightly bitter rumours about the best way to get a talk accepted – “pay for some advertising with the company that owns the conference”, or “offer a favour to someone on the advisory board”. Certainly, the biggest games industry conference (owned by the same people who this year bought-out AGDC) – GDC – has had a substantial number of talks in the last few years that either blatantly broke the conference rules on talks “not being an advert for a product”, or which were of an extremely low quality / low in any actual content.

So … it’s particularly interesting that for this year’s AGDC, the advisory board itself chose only the majority of the talks. For the rest, they took all the speaker proposals they had received, stuck them online, and invited the world to come and vote for which talks should fill up the remaining places. Even more interestingly, you can see how many people have voted for each talk, and what the average score is so far.

One man, one vote … maybe?

One problem – there are no apparent rules restricting who votes. All you need is an email address (gmail or mailinator will do) and a programmatic web browser, and you can choose who gets the free conference passes. I wouldn’t mind, but there’s a couple of talks I really want to go to myself which are on the voting list, and at least one of them isn’t going to get in – and I’ve little confidence right now that the ones that beat it will have done so by being the most popular with people who actually attend the conference.

And so onto the security angle here. This is the games industry, and this is a conference almost entirely dedicated to online games. It is immediately obvious that this voting system is open to rampant abuse (assuming there isn’t silent back-end detection going on – I’m not criticising the conference organizers here, who probably have some good security measures in place; I’m merely using the visible details of the system as a starting point to talk about similar systems). Here’s a standard attack pattern:

“Write a program in a scripting language to automatically create accounts and vote for my talk”

  1. Use a free open-source library to make requests and post responses to the web server (libcurl)
  2. Use Firefox with the View Headers feature whilst surfing the site manually to see and record what you need to send and receive
  3. Create enough fake email addresses to swing the voting in your favour
  4. Don’t get detected

First of all, I’m not even sure that 4. above is an issue. Things to do:

  1. Use the US census data to programmatically make email addresses using believable REAL names with a wide variety of different names – and in the right proportion to be all US citizens
  2. Don’t have them all registered from a single domain name
  3. Don’t have them all from a single IP address (assuming they save your IP address when you vote, which most such sites don’t bother to do until too late)

In which case, the only question is “can we pass step 3?”. “But email providers have captchas, that stop automated account creation!” I hear you cry. Ahem. Even if they did (stop you automatically creating email addresses) the attack described only requires you to register enough email addresses to sway the voting. That may be as little as 50 or 100 emails – easily few enough that you could create them all yourself, manually. (in fact, right now, it would only take 20 or so votes to make sure your preferred talk was top).

Cheating better

If you’re still worried about the organizers getting suspicious of all those 5/5 votes for one talk, just look at it this way:

“Identify the major competitor talks, and vote them down, instead of just voting yours up”

Easy enough to hide your skewing of the results in the sea of all the other, genuine, untraceable voters voting one way or another based on personal preference…
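The two patterns above (vote your own talk up; vote the main competitors down) are exactly what a voting site could look for in its own logs, so here is an added example of that detection logic. It is not code from the original post or from the AGDC site. It assumes a simple vote log with timestamp, account e-mail, source IP, user agent, talk and score (a made-up format), and the sample records, the names and the thresholds are all constructed for illustration:

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed layout of one vote log line (not the real site's format): ts|email|ip|ua|talk|score
FIELDS = ("ts", "email", "ip", "ua", "talk", "score")

# Constructed sample: three genuine voters, then four scripted accounts with census-style
# names that all submit the same ballot (5 for T1, 1 for everything else). Three of them
# vote from one IP inside three minutes; the fourth has moved to a different IP.
SAMPLE_LOG = """
# ts|email|ip|user_agent|talk|score
2007-07-10T09:02:10|alice@example.org|198.51.100.10|Firefox/2.0|T1|3
2007-07-10T09:02:41|alice@example.org|198.51.100.10|Firefox/2.0|T2|4
2007-07-10T09:03:05|alice@example.org|198.51.100.10|Firefox/2.0|T3|5
2007-07-10T09:30:00|bob@example.net|198.51.100.23|Safari/3.0|T1|4
2007-07-10T09:31:12|bob@example.net|198.51.100.23|Safari/3.0|T2|2
2007-07-10T11:15:40|carol@example.com|203.0.113.7|Firefox/2.0|T1|2
2007-07-10T11:16:02|carol@example.com|203.0.113.7|Firefox/2.0|T2|5
2007-07-10T11:16:30|carol@example.com|203.0.113.7|Firefox/2.0|T3|3
2007-07-10T14:00:05|john.smith@mail.example|192.0.2.9|curl/7.16|T1|5
2007-07-10T14:00:06|john.smith@mail.example|192.0.2.9|curl/7.16|T2|1
2007-07-10T14:00:07|john.smith@mail.example|192.0.2.9|curl/7.16|T3|1
2007-07-10T14:01:02|mary.jones@mail.example|192.0.2.9|curl/7.16|T1|5
2007-07-10T14:01:03|mary.jones@mail.example|192.0.2.9|curl/7.16|T2|1
2007-07-10T14:01:04|mary.jones@mail.example|192.0.2.9|curl/7.16|T3|1
2007-07-10T14:02:15|james.brown@mail.example|192.0.2.9|curl/7.16|T1|5
2007-07-10T14:02:16|james.brown@mail.example|192.0.2.9|curl/7.16|T2|1
2007-07-10T14:02:17|james.brown@mail.example|192.0.2.9|curl/7.16|T3|1
2007-07-10T14:40:00|linda.davis@mail.example|192.0.2.77|curl/7.16|T1|5
2007-07-10T14:40:01|linda.davis@mail.example|192.0.2.77|curl/7.16|T2|1
2007-07-10T14:40:02|linda.davis@mail.example|192.0.2.77|curl/7.16|T3|1
"""

def parse_log(text):
    """Parse pipe-separated vote lines into dicts; skip blank, comment and malformed lines."""
    votes = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split("|")
        if len(parts) != len(FIELDS):
            continue  # malformed line: log it in a real system, never crash the detector
        rec = dict(zip(FIELDS, parts))
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%S")
        rec["score"] = int(rec["score"])
        votes.append(rec)
    return votes

def ballots(votes):
    """One ballot per account: its score per talk, the IPs it used, and its first vote time."""
    out = {}
    for v in votes:
        b = out.setdefault(v["email"], {"scores": {}, "ips": set(), "first": v["ts"]})
        b["scores"][v["talk"]] = v["score"]
        b["ips"].add(v["ip"])
        b["first"] = min(b["first"], v["ts"])
    return out

def identical_ballot_clusters(bals, min_size=3):
    """Groups of accounts whose complete ballot matches talk for talk and score for score.
    Still works when the attacker spreads accounts across IPs and mail domains."""
    groups = defaultdict(list)
    for email, b in bals.items():
        groups[tuple(sorted(b["scores"].items()))].append(email)
    return sorted(sorted(g) for g in groups.values() if len(g) >= min_size)

def shared_ip_bursts(bals, window=timedelta(minutes=10), min_size=3):
    """IPs from which at least min_size distinct accounts cast their first vote within window."""
    by_ip = defaultdict(list)
    for email, b in bals.items():
        for ip in b["ips"]:
            by_ip[ip].append((b["first"], email))
    flagged = {}
    for ip, entries in by_ip.items():
        entries.sort()
        for i, (start, _) in enumerate(entries):  # sliding window over first-vote times
            run = [email for t, email in entries[i:] if t - start <= window]
            if len(run) >= min_size:
                flagged[ip] = sorted(run)
                break
    return flagged

def suspect_accounts(bals):
    """Union of what both heuristics flag. Thresholds are guesses: review, don't auto-ban."""
    return set().union(*identical_ballot_clusters(bals), *shared_ip_bursts(bals).values())

def talk_averages(bals, exclude=frozenset()):
    """Mean score per talk (2 d.p.), ignoring ballots from the accounts in exclude."""
    totals, counts = defaultdict(int), defaultdict(int)
    for email, b in bals.items():
        if email in exclude:
            continue
        for talk, score in b["scores"].items():
            totals[talk] += score
            counts[talk] += 1
    return {t: round(totals[t] / counts[t], 2) for t in totals}

if __name__ == "__main__":
    bals = ballots(parse_log(SAMPLE_LOG))
    bad = suspect_accounts(bals)
    print("suspects:", sorted(bad))
    print("raw:", talk_averages(bals), "filtered:", talk_averages(bals, exclude=bad))
```

On the constructed data the raw averages put T1 on top; with the four flagged accounts removed, T3 leads and T1 is last, which is the vote-up-plus-vote-down skew the passages above describe. The shared-IP check only catches the lazy version of the attack; the identical-ballot check is the one that survives the evasion steps listed earlier (spread the accounts across domains and IPs), because a script submits one template while real voters disagree at the margins. With only a handful of talks genuine ballots will collide too, so treat the output as a review queue rather than a ban list, and note that neither check works unless the site records IP and timestamp from the first vote onwards, not “until too late”.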

Finally, I just want to briefly look at the expected outcome of this, because it touches on a real-life problem with games security: it’s unlikely any individual will cheat, so it may seem it’s “mostly” OK … but with some systems (such as this one) it only requires one cheater to destroy everything. As soon as one person starts cheating, others will notice and will feel “forced” to cheat also – this is what happened with Diablo, when cheaters found a way to make their character able to attack in towns, where no-one was allowed to attack. Non-cheaters were forced to cheat just in order to become able to defend themselves – there was no other defence that would work.

Some people started promoting their talks on their blog, and others have now followed suit. The voting contest has become a contest of who has the biggest blog :). I’m sure this was intentional by the conference organizers – it’s an excellent way of getting more free publicity that specifically targets and promotes the individual talks rather than just the generic conference itself. Even better, it has a natural tendency to give the most publicity to the most popular talks-to-be, whereas the conference organizers have to second guess what they think will make people pay to come and listen.

I wonder why they decided to let anyone vote, rather than restricting it to people who had booked tickets? They could even have just taken a refundable deposit, up to a certain date, to force only people who were willing to stump up some cash to take part in the voting. That could have filtered out most of the “no intention of going to the conference” people (although it certainly wouldn’t have made the system secure from determined cheating).