Posts by Pete Spicer

What's really funny is that it's even easier than ever to identify the bad bots from the good because the bad guys haven't noticed that the physical GET requests have different headers to what they used to have several years ago.

If it can run independently of IE11 does that mean they finally disentangled it from the OS again?

As much as TdR is abrasive in style, he does actually care about security, and having been involved in forking software and having to deal with patches, I fully sympathise with his point of view.

In fact, I just donated to OpenBSD because the OpenBSD project actually cares about code quality - and that means users benefit too. That's really important.

They were not using their own platform, they were using the free and open source package SMF. Exactly what version of it is not entirely clear, and it's been modified beyond pure aesthetic changes from the stock distribution. The extent of modification is not entirely clear.

The method used by SMF 2.0.x series (which is what they're using) is SHA1(lowercase(username) + password), which is what SMF has always used, and the developers are upgrading that in coming releases. I could try and defend the reasons for staying with this but most of them amount to 'OMG we have to keep compatibility with hosts' which is why it wasn't until this week that the 2.1 series actually bumped its minimum PHP version to 5.3+ instead of 5.1+ (and 2.0 series will work on PHP 4.4.x)

There are no known vulnerabilities in the 2.0.6 or 2.0.7 releases (the 2.0.7 release strictly addressed minor bug fixes and PHP 5.5 compatibility after the preg_replace function deprecated use of /e, both of which are therefore considered 'secure' releases by the developers).

I still wonder, though, whether this was the fault of the software or someone with a bad password. It's certainly not unheard of for admin passwords to have been bruteforced - and all kinds of things that happen afterwards. Unfortunately there is a persistent stubbornness from the SMF team about allowing their package manager to do what it does (find/replace on raw code, which of course requires it be writable!), and anyone who bruteforces or otherwise acquires an admin account subsequently can upload any code they like to the server and most admins leave it insecure.

My understanding is that the developers have reached out to Avast to find out what happened, though details are apparently not especially forthcoming.

Disclaimer: I am one of the people that, in the past, has contributed to SMF. I am not trying to defend my contributions; all I worked on were minor bug fixes and new stuff for the current in-development version as well as providing support.

I haven't seen anything in Shockwave in probably a decade - while in that time I've still seen a bunch of Flash and slightly less so for Java applets (mostly ones that I've been helping rewrite to be not applets!)

I honestly thought Shockwave was a dead thing... what can you do in Shockwave that you can't in Flash?

Did they actually send out emails, because if they did I still haven't had one... (and yes, checked junk folders etc.)

Didn't we move away from this nonsense years ago in the first place?

DNT is great in theory, except it was doomed the minute Microsoft decided to make it on by default. A cynic mind might even suggest it was done deliberately to compromise the idea. Don't forget - this is not the first time something major has chosen to explicitly ignore DNT being set, on the basis that you couldn't actually rely on the user having made the choice.

Doesn't theft also imply depriving the rightful owner of something? Copyright infringement != theft

People still use Shockwave?

This puff piece is nonsense.

Open source, theoretically, should be more provable as secure than not. Which is fine, if you have the time, resources etc. to actually audit such code.

Real users do not, they do not download and compile from source (Linux on the desktop is increasing, sure, but it's still a rounding error compared to the Win/OS X userbase, and even then most of the time they're not building from source either), they download a 'trusted binary'.

And of course then there is the argument about compilers - I seem to recall a fantastic piece about compromising compilers from Ken Thompson. It was written 30 years ago, but here's the thing... when the Mozilla folks build the binaries for Windows, what do they use? I see from their Windows build requirements page that they use Visual Studio and cygwin in concert (VS for the compilation, cygwin for the linking, presumably? Not clear.) But you're still relying on those tools to be uncompromised. That means trusting VS and cygwin (and possibly gcc) - and you can't audit VS.

http://c2.com/cgi/wiki?TheKenThompsonHack is mildly scary reading. Not totally scary, but mildly scary.

What about those of us that develop for open source web software? Should we somehow try to find that money too? (Not that the open source software I develop for has anywhere near that amount of money anyway)

"At that time, the NSA had a trusted role in the community-wide effort to strength, not weaken, encryption"

Wait, am I reading that right? Why would it ever be in the NSA's interest to make encryption stronger for the masses?

I mean, it wasn't until that long ago that encryption tools required a munitions licence to distribute because they were weapons of a sort. Seems to me that keeping an eye on the industry and maybe slipping the odd slight hurdle into it, on the sly, would absolutely be SOP for them. But maybe I'm just too cynical.

Like some of the other commentators, I moved away from WinAmp with its 3.0 release.

Since I have a decent collection of tracker mods from ye olden games, I wanted a player that could handle reading all kinds of formats and ended up with XMPlay with one of the plugins (DelixTracker) which handles everything I can throw at it.

To the one person who asked about music devices, XMPlay lets you specify which device you want to use, including WAV encoding or LAME (for MP3) or OGG output should you need to transfer formats.

The choice of companies is interesting... I can't help but wonder if it's related to the non-standard disc format Nintendo uses for the Gamecube and Wii.

The reason I wonder that is because while Wii discs are weird, certain DVD drives can read them, especially models from LG...

Disclaimer: I don't have a degree, however I did tackle the fundamentals of this in Decision Maths as part of an A Level in Maths so while I may not be as boffiny as some here, I do understand what NP problems are and the relevance thereof.

The only time I can actually recall using the various things I learned was in the midst of writing bits for an RTS game, where pathfinding was required. Whether you go down the road of A* or D- or whatever in between, you're still talking dancing about with Dijkstra's algorithm to some degree.

Having an understanding of the differences between bubble sort, quick sort, exchange sort etc. is always useful too and where it can be an advantage not to use the good old quick sort (if the data is already mostly or completely in order, for example, quick sort may not be any use to you over a bubble sort)

The other algorithms covered - travelling salesman, shortest method of connecting a weighted graph (like network cabling) have applications out there in the real world but I've never encountered them, and neither have any of the folks I know, but I'm sure there are uses for them.

Wait... if you have to unlock the phone, surely you're already going to be able to access contacts anyway?

I don't really care whether Scotland gets independence or not. My concern is that if they go 'independent', independence should mean total independence - no money from England at all except for things we actually buy from them. No bailouts, no handouts, nothing.

Given the whole 'it's ad free if you have iTunes Match', you might be surprised to see how many people use that instead...

Friend of mine is using a 3 year old iMac... and using Parallels to run Steam games where there isn't a native version of the game for OS X. I was watching him play Assassin's Creed III on it the other day and it performs surprisingly well on a 3 year old machine running through an emulation layer. In fact, when we rebooted it and ran it through Boot Camp (i.e. native Windows), it wasn't actually significantly better.

Me, I'm using a MacBook Pro (developing for the mobile things) and I'm in Boot Camp most of the time. Don't know what it is but Parallels just doesn't run very well for me. Guess my friend is the lucky one.

Not understanding what the problem is here... she had gold bullion (physical item) in her house, which was stolen.

Unless there was some exclusion in the policy against gold bullion, I can't see that they have much of a leg to stand on... it wasn't obtained illegally as such... are they claiming the gold was proceeds from a crime? If so, what crime, actually, was committed? Seems to me that the worst that could be claimed was breach of contract (her with Blizzard) which in any case is neither a criminal matter nor anything the hell to do with the insurer refusing to pay out for the gold bullion.

What I could imagine, though, is that the gold bullion was worth more than what she had insured and that she wasn't going to get the full value back...