Together with Java Smith and A. Sembly he can form a White hat team that fights the evils of the 'dark net' and corrupt companies. Call themselves the Whizz Kids. Hey, sounds like a budding new series...
Damn my age.
A 16-year-old lad in Manchester, England, exploited flaws in Valve's developer site to publish on Steam an unapproved game about watching paint dry. Ruby Nealon, a computer science student at Salford uni, said a set of programming blunders in the Steamworks website let him sneak his Watch Paint Dry roleplaying game past Valve' …
Isn't that standard business practice? Brand someone that embarrasses your company by exposing critical security holes "a dirty rotten hacker" and throw the book at them.
It worked for AT&T (weev) and Sony (geohotz) after all. There is certainly no shortage of white-knight commentards to defend this either.
I thought Valve was better than that. I am disappointed that someone had to go and actually perform the hijack in order to get Valve to move on it.
That was a serious bug. Valve can be happy that the guy didn't post something truly disgusting or horrifying, or simply malware. Chances are, if some true scum had found out, Valve would be publishing meek excuses for having riddled x thousands of gamers' PCs with the latest hard-disk-encrypting malware. Methinks that would have been a much worse thing, and this guy alerted them to exactly that fact.
When someone is nice enough to alert you to a problem that serious, you get fixing the issue, you don't ignore it. Shame on you, Valve.
Early Access, Steam Greenlight... Screening programs that excel at rubber stamping crud! Valve realized this, that's why they planned to retire the system a year ago. So WTF happened, no reform??? Meantime, Steam users continue to green light games like mindless zombies! Classic examples: Steam Greenlight: Gabe Newell Simulator - and - Early Access: Mountains of Madness.
Jim Sterling also covers these in his sarcastically titled 'Best of Steam Greenlight Trailers', although I suspect he's a tad more vitriolic in his coverage.
Also, a lot of his first impressions gameplay.
He's currently being sued by a company called Digital Homicide for slander after he pointed out their games are nothing but asset flips (i.e. buying asset packs, throwing them together and claiming it's an original game), which gives you an idea of how backwards some of these 'game devs' are.
Steam is (generally) a good platform, but there are some real problems with it these days.
Gabe Newell Simulator, the only thing I liked about that was the cards were worth more than the actual game (earned 50p more than what it was worth, and it was a troll purchase from one of my friends, for whom I then bought Shower with your Dad Simulator).
Anyway Valve, kill them all with fire!
"Something I've definitely learned from doing this is when working with user-generated content that first needs to be approved, do not have 'Review Ready' and 'Reviewed' as two states of existence for the content," said Nealon.
That's not the lesson to be learnt. The lesson is never, ever accept any response that comes from a user without first assuming it hasn't been completely buggered with. This especially goes for HTML forms or HTTP streams that are comically easy to modify. If your response is trusting something like an ID to be passed back to you untouched (instead of using tokens or something similar where you retain session scope on your box) then your design is completely broken...
There was nothing wrong with having two states for "ready" and "reviewed" and likewise the suggested solution of an audit trail wouldn't have stopped the core problem which was not validating the info coming back from the interface.
Boring games in existence. The El Reg comments section is.
I waste time crafting rubbish comments to gain XP (upvotes) but there's no skill system to use the XP in.
I came here to create a high level ice mage and to grind out some loot slaying noobs, but I've since discovered the loot drops here are worse than Diablo 3 and the only class you can choose is "Anonymous Coward". What a let down.
Shittiest game of multiplayer Gedit I've ever played.
Not read all of the details, but it sounds like an "overposting" attack*; if that's the case then there must have been a series of very poor design decisions made when that site was being put together.
Bind the views directly to the model. Check
Allow model binding to reconstruct the model based solely on the data coming back from the view. Check
Pass the reconstructed model directly to the DAL for persistence in the database without checking it. Check
The golden rule "Never trust user input" seems to have been forgotten by too many people.
I demonstrated an overposting attack on a site that was delivered to an ex-employer by a highly paid contractor while he was there; I used the F12 developer tool bar to make it easier. His response was "Why did Microsoft make that available?" He genuinely didn't realize that the users would have access to the HTML and means of editing it regardless of the dev tools being there... He was a WinForms developer trying to get into web... As far as I know he is still out there delivering crap like this.
* I use the term attack loosely
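As an added illustration (not code from any commenter, nor from Valve's Steamworks site), a constructed Python sketch of the overposting pattern in the checklist above and of the "trusting an ID passed back from the client" problem raised earlier: a naive binder that copies every posted field into the model, beside an allow-listed binder that takes identity from the server-side session and leaves review state to a role-gated action. The Submission model, field names and form body are all assumed.

```python
from dataclasses import dataclass

REVIEW_READY = "review_ready"   # submitted, awaiting a reviewer
REVIEWED = "reviewed"           # approved; only a reviewer should be able to set this

@dataclass
class Submission:
    id: int
    owner: str
    title: str
    state: str = REVIEW_READY

# Constructed POST body. The HTML form only exposes 'title', but nothing stops a
# client from adding any other field before the request leaves the browser.
TAMPERED_FORM = {"id": "99", "title": "Watch Paint Dry",
                 "state": REVIEWED, "owner": "reviewer"}

def load_from_db(submission_id: int) -> Submission:
    """Constructed stand-in for a DAL lookup keyed on the id from the session/URL."""
    return Submission(id=submission_id, owner="alice", title="draft")

def bind_naively(record: Submission, form: dict) -> Submission:
    """Insecure: copy every posted key that matches a model attribute, then let
    the caller persist the record unchecked (the 'Check, Check, Check' pattern)."""
    for key, value in form.items():
        if hasattr(record, key):
            setattr(record, key, value)
    return record

EDITABLE_FIELDS = frozenset({"title"})   # the only thing a submitter may change

def bind_allowlisted(record: Submission, form: dict, session_user: str) -> Submission:
    """Hardened: ownership is checked against the server-side session, only
    allow-listed fields are bound, and workflow state is never client-settable."""
    if record.owner != session_user:
        raise PermissionError("record does not belong to the logged-in user")
    for key in form.keys() & EDITABLE_FIELDS:
        setattr(record, key, form[key])
    return record

def approve(record: Submission, caller_role: str) -> Submission:
    """The only path to REVIEWED: a server-side action gated on the caller's role."""
    if caller_role != "reviewer":
        raise PermissionError("only reviewers may approve")
    record.state = REVIEWED
    return record
```

Fed the tampered form, bind_naively flips the record to REVIEWED and rewrites its owner and id, while bind_allowlisted changes only the title and refuses a session user who does not own the record.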
Microsoft has added the ability to edit code while in Visual Studio's All-In-One Search user interface.
The feature is included in Visual Studio 2022 17.3 Preview 2 and follows changes to search functionality in the development suite. At the start of the year, Microsoft introduced indexed Find in Files to speed up the already rapid searching (compared to Visual Studio 2019 at any rate).
The indexed Find in Files fired up a ServiceHub.IndexingService.exe process on solution load or folder open which scraped through the files to construct an index. Worries that the indexer would slug performance like certain other Microsoft indexing services were alleviated somewhat by the use of Below Normal operating system priority.
Curious about the history of home computing both west and east of the iron curtain? Berlin's ComputerSpieleMuseum in Germany's capital has you covered.
Museum director Matthias Oborski was The Register's guide around the ground floor site of the museum, which is located among the Soviet buildings of Berlin's Karl-Marx-Allee (a five-minute metro ride from Alexanderplatz, or 25-minute walk if you want to take in the brutalist architecture).
After the reception, with its impressive Soviet-era mosaic still in-situ behind the cheerful staff, there is a temporary exhibition celebrating the role of food in computer games. Oborski winced a little at the word "temporary" – it had been set up in 2019 and was still in place due, mainly, to the events of the last few years.
WWDC Apple this week at its Worldwide Developer Conference delivered software development kits (SDKs) for beta versions of its iOS 16, iPadOS 16, macOS 13, tvOS 16, and watchOS 9 platforms.
For developers sold on seeking permission from Apple to distribute their software and paying a portion of revenue for the privilege, it's a time to celebrate and harken to the message from the mothership.
While the consumer-facing features in the company's various operating systems consist largely of incremental improvements like aesthetic and workflow enhancements, the developer APIs in the underlying code should prove more significant because they will allow programmers to build apps and functions that weren't previously possible. Many of the new capabilities are touched on in Apple's Platforms State of the Union presentation.
Updated The Python Package Index (PyPI), a repository for Python software libraries, has advised Python developers that the ctx package has been compromised.
Any installation of the software in the past ten days should be investigated to determine whether sensitive account identifiers stored in environment variables, such as cloud access keys, have been stolen.
The PyPI administrators estimate that about 27,000 malicious copies of ctx were downloaded from the registry since the rogue versions of ctx first appeared, starting around 19:18 UTC on May 14, 2022.
Google IO Google I/O, the ad biz's annual developer conference, returned to the Shoreline Amphitheater in California's Mountain View on Wednesday, for the first time in three years. The gathering remained largely a remote event due to the persistence of COVID-19 though there were enough Googlers, partners, and assorted software developers in attendance to fill venue seats and punctuate important points with applause.
Sundar Pichai, CEO of Google parent Alphabet, opened the keynote by sounding familiar themes. He leaned into the implied sentiment, "We're here to help," an increasingly iffy proposition in light of the many controversies facing the company.
He said he wanted to explain how Google is advancing its mission in two ways, "by deepening our understanding of information so that we can turn it into knowledge and advancing the state of computing so that knowledge is easier to access no matter who or where you are."
What are your peers doing to stave off burnout? Research from Stack Overflow suggests about half of developers are still spending their breaks in front of a screen.
The Q&A programming resource surveyed 800 devs, and found most of the top five things they do when they need a break involve screens: listening to music (46 percent), visiting Stack Overflow (41 percent), browsing social media (37 percent), and watching videos (36 percent).
Actually talking with fellow humans did not make the top five, and 4 percent of respondents had some other outlet for stress (possibly angrily banging some really terse comments into the source).
RAD Basic has edged a little closer to bringing Visual Basic 6 back to your PC with the release of 0.5.0 Alpha 3.
We last looked at RAD Basic a year ago and soaked in a warm bath of nostalgia for a time when Windows applications could be knocked out with the same skills needed to persuade Sinclair or Commodore hardware to display naughty words in a 1980s computer shop.
While Microsoft ditched Visual Basic 6 in favor of .NET and C# many years ago, there remain plenty of IT professionals who owe their career to the language and an abundance of lashed-up solutions still underpinning substantial chunks of the corporate world.
There are doubts about the future of the new read-write NTFS driver in the Linux kernel, because its author is not maintaining the code, or even answering his email, leaving the code orphaned, says a would-be helper.
It took a long time and a lot of work to get Paragon Software's NTFS3 driver merged into the Linux kernel. It finally happened in kernel release 5.15 on the 31st October 2021. It has received no maintenance since.
If you're developing software or working with anything serverless, you'll know that remote and as-a-service APIs are what make the clouds float.
It's debatable whether the proliferation of cloud APIs is a good thing, and taking remote API advice from Google may strike some people as unusual given its past. Nonetheless, Google Cloud's director of product, Vikas Anand, and Google Cloud senior product manager David Feuer published a jointly-written blog post of seven trends in the cloud API world they've noted.
After a nine month pause, Beijing has finally granted new video game licenses to 45 titles.
The approvals arrived on Monday through China's National Press and Publication Administration (NPPA). The newly approved titles hail from video game makers Lilith Games, Baidu, XD, and Seasun Entertainment – but curiously not Chinese gaming giants NetEase nor Tencent.
China uniquely requires video game publishers to secure regulatory approval ahead of release, and NPPA suddenly ceased granting approvals back in July 2021. Prior to the halt, between 80 and 100 video games were approved monthly. The last batch, released in July, contained 87 titles.
Biting the hand that feeds IT © 1998–2022