Archive for September, 2008

Create Arbitrary Sized Sparse Files under Windows and Linux

Thursday, September 25th, 2008

Apparently there is something to be said for short blog posts. Allegedly I tend to get long winded and my posts can run a tad verbose sometimes. I usually tell people to STFU and go read Steve Yegge if they want to see verbose. I’m short, concise and to the point compared to him. But I figured that I’ll try some of that short blog post thing that people seem to be enjoying in other parts of the web. So I’m making a post about a silly little Windows command. This is so that I don’t forget about it next time I need it.

Have you ever needed a file of a specific size to test something, but you didn’t care what was in that file? You know, just a space holder or space filler kind of thing? This is what you need to do to create one on Windows XP:

fsutil file createnew file.ext 10000

Naturally file.ext is the desired name of the file you want to create, and the numeric argument is the desired size in bytes. Note that fsutil creates a sparse file, which means that this operation will be blindingly fast. For example, it took about 3 seconds to create a 10GB file on my elderly Windows machine.

Useful trick. I sometimes use it to see how a given app will act when it encounters a file of a certain size. To accomplish the same thing in Linux you apparently need to do something like:

dd if=/dev/zero of=my-file bs=1 count=0 seek=10G

I messed around with it, and the bs and count arguments are important, so don’t just skip them. The seek argument specifies the desired size of your file, and here you can use human readable units (like 10G in the example).
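The same space-filler file built from Python, as an added example that is not part of the original post: it does what the dd command above does (extend the file without writing data) and then checks whether the result is really sparse by comparing the apparent size with the blocks actually allocated. That check is what matters when you use such a file to test an app, since a program that trusts st_size alone will try to buffer 10GB that take up no disk at all. Paths and sizes are constructed for the example.

```python
import os
import tempfile

# Suffixes understood by GNU dd's seek= argument (10G, 512M, ...), assumed here.
UNITS = {"K": 1024, "M": 1024 ** 2, "G": 1024 ** 3, "T": 1024 ** 4}


def parse_size(text):
    """Parse a dd-style size such as '10G', '512M' or '4096' into bytes."""
    text = text.strip().upper()
    if text and text[-1] in UNITS:
        return int(text[:-1]) * UNITS[text[-1]]
    return int(text)


def create_sparse_file(path, size):
    """Equivalent of `dd if=/dev/zero of=path bs=1 count=0 seek=size`:
    extend the file to `size` bytes without writing any data, so the
    filesystem records a hole instead of allocating blocks."""
    nbytes = parse_size(size) if isinstance(size, str) else size
    with open(path, "wb") as f:
        f.truncate(nbytes)
    return os.path.getsize(path)


def allocated_bytes(path):
    """Bytes actually backed by disk blocks (st_blocks is in 512-byte units on POSIX)."""
    return os.stat(path).st_blocks * 512


def is_sparse(path):
    """True when the file's apparent size exceeds what is allocated for it."""
    return allocated_bytes(path) < os.path.getsize(path)


def demo(size="64M"):
    """Create a sparse file in a throwaway directory and report both sizes."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "my-file")     # constructed file name
        apparent = create_sparse_file(path, size)
        return apparent, allocated_bytes(path), is_sparse(path)


if __name__ == "__main__":
    apparent, allocated, sparse = demo()
    print(f"apparent={apparent} bytes, allocated={allocated} bytes, sparse={sparse}")
```

On Windows, os.stat has no st_blocks; the fsutil command in the post is the equivalent there.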

So if you ever need a file of a specific size to test something, here is how you make one. How is that for a short post? What do you mean 350 words is not short? Ah, go to hell then. I tried. Next post will be verbose again. ;)

Death of PC Gaming May Mean Death of Windows

Wednesday, September 24th, 2008

In the past I argued that PC gaming is far from dead, but the more I think about it the more I start believing that I was wrong. I don’t want PC gaming to be dead – I have been a PC gamer most of my life, and all my favorite games are PC titles.

  1. Upgrade Treadmill – It is getting progressively harder to keep up with the new hardware. A few years ago I was shopping around for a new video card; I was looking up specs online, comparing prices on Newegg and doing all kinds of research, and I could not figure out what to buy. I ended up asking a friend who builds and sells tricked out gaming rigs (you know, water cooling, blinged out cases and the works) for advice. And I consider myself a knowledgeable computer professional. Shamus wrote about this some time ago and it is getting progressively worse. At this point for example my brother doesn’t even bother reading the system requirements on the box because he knows he won’t understand them. He just asks me to investigate whether or not a given title will run on his machine before he buys it. The average customer won’t “upgrade” his video card – he will wait and buy a new computer when the time comes and expect it to come with a video card that is able to play the newest games out there. Unfortunately this is not the case. A computer illiterate friend of mine bought a brand new, very expensive Dell which was advertised as a top of the line gaming machine. A few months later he bought Crysis and was disappointed and outraged that his brand spanking new gaming rig could barely run that game on medium settings. This is the sad reality which causes people to jump ship and buy a console. When you buy an Xbox 360 game you are guaranteed it is going to run on your Xbox 360.
  2. DirectX 10 – in addition to upgrading hardware, you are also forced to upgrade your OS. As far as I can tell, no one wants to run Vista these days. All my coworkers who recently bought new computers absolutely hate it, and keep telling me how happy they are our company is not migrating to that infernal system. But guess what? If you want the new shiny game to run on your PC, you may just have to switch to the big V and take the 80% performance penalty that comes with it. :P
  3. Stable Development Environment – I’m going to link to Shamus once again because he explains it better than I ever could. Console developers can rely on a stable environment that never changes. They can optimize their code, polish their engines to perfection and squeeze every last bit of juice out of the hardware. PC game developers on the other hand tend to be stuck in a rut, always chasing the latest and greatest rendering/shading/mapping technology. Consoles simply offer a friendlier developer environment, and one where you can accurately test the game play experience you are delivering to the player. No wonder many development studios shift their focus towards consoles more and more.
  4. Price – $600 buys you a PS3, including software, a Blu-ray player, controllers, etc. – in other words a complete gaming system. Or if you are a PC gamer you can spend that $600 on a new video card alone. I don’t like this, but you can do the math and see where this is going.
  5. DRM – most PC games these days ship with draconian DRM, online activation, installation limits and hidden rootkits. Not only do you have to jump through hoops to get them installed and activated – they can also damage your CD/DVD drives, or make your system unstable and vulnerable to attacks. Console games have none of the above.
  6. Fewer and Fewer Exclusive PC Titles – at the moment, the only games that actually require you to own a computer are the popular MMOs. Almost everything else gets released on at least one of the next gen consoles almost simultaneously with the PC title or soon afterwards. Interestingly enough, many of the MMOs are not exclusive to the Windows platform. For example WoW will happily run on a Mac.
  7. More and More Exclusive Console Titles – this trend started long ago, and is becoming more and more prominent. A lot of popular games never get a PC version.
  8. Console to PC ports done as an afterthought – those console games that do get a PC release often get a poorly done direct port, complete with a cobbled interface designed for a controller rather than a mouse, wonky controls and many artifacts of the console-centric design. In most cases you are better off playing the original rather than torturing yourself with the PC version.
  9. Demographic Shift towards Consoles – most people around my age and younger these days own a next gen console. Some own both the Xbox 360 and PS3. Most people own a Wii in addition to their primary gaming console. Conversely, few of these people actually own an up to date PC gaming rig. Some do, but most either have an older machine that won’t play the newest titles anymore, or a lightweight laptop that has enough powa to run WoW but not much else. Younger people seem to eschew desktops altogether, and shop for computers that are the most battery efficient, have a good size/weight ratio and a comfortable keyboard layout, rather than checking the specs on the video card. You can see this trend when you go to a local Walmart (or other high volume retail chain) for example. One close to me has a single wire rack in the corner of the gaming aisle where you can find PC games. And you’ll be lucky to find anything other than WoW and its expansions there. Occasionally there are a few boxes of new hot releases, but most of the time it’s mostly the same old MMOs, 1 or 2 WW2 shooters, and a few RTS games which have “Age of” in the name. Each console on the other hand has its own aisle full of games. Consoles are the mainstream market now.

These trends are scaring me. I don’t want PC gaming to die, but the facts above do not suggest a rosy future for the PC as a game platform. Unless something changes, consoles will take over and the number of original PC releases will dwindle. It made me think though – the imminent death of PC gaming may mean hard times for the Windows monopoly.

Let’s face it, gamers make up a very large chunk of the Windows user base. The biggest source of income for Microsoft is naturally the business sector. I don’t see them being pushed out of there any time soon. The home desktop market however is a huge chunk of change for them, and losing it could mean trouble for the high and mighty MS. The home market consists of four types of people:

  1. Clueless users who don’t know any better
  2. Gamers who elect to run Windows as a gaming platform
  3. People who would love to switch but are locked in
  4. People who simply prefer windows

Group #4 consists of MS fanboys, Visual Basic developers, or simply loyal customers who might have tried other alternatives but prefer to use windows for some reason. These people are stuck in their ways and will likely use Windows until the day they die.

Group #3 includes people who are locked into the OS because the software they use for their hobby/creative work is not available on other platforms and there are no good alternatives. Many of them might be open to an alternative OS if they can figure out a way to take their favorite software with them or find an alternative. Since projects such as Wine and Cedega are continuously getting better, emulation is getting easier, and the open source community is rolling out new projects to replace proprietary software every day, the number of people in this group is bound to fluctuate and fall over time.

Group #1 is the most flexible one. A clueless user is usually bound to Windows because that’s the OS which came with their computer. They generally rely on relatives, friends or co-workers for tech support and generally don’t know how to use anything other than a browser. They’d be equally confused using Windows, Apple or Ubuntu, so you can swap their OS at any time. I mean, if your user doesn’t know the most basic stuff like navigating the file system, copying files or changing basic display settings, will it really be a big shock to move them to another platform? They still won’t know how to do these basic things, no? So what is the difference?

As long as they can still get to MySpace and Facebook they will be fine. In fact, a lot of members of this group actually buy Apple laptops these days and use them without realizing they use a different OS. I recently talked to someone who was convinced that everything looked so different on his new MacBook because it shipped with Vista. This is a market that can dwindle down to zero provided that there are enough computer-savvy people out there willing to switch their clueless friends and relatives to a non-Windows platform.

Then there are gamers, whose primary reason for using Windows is that it is currently a major gaming platform. What happens to this group when the PC game market fades away into oblivion? There will be some reshuffling. Some gamers will decide to stick with Windows and move to group #4. Others won’t know any better and will move to group #1. Some will remain stuck and will end up in group #3. The rest may jump ship.

Note that each gamer jumping ship may potentially pull several friends and relatives from group #1 with him. Why? Many gamers are computer savvy enough to provide free tech support to their close ones when needed. Enough gamers switching away from windows may whisk away a huge chunk of group #1 sales from Microsoft. This in turn may create a critical mass of Apple and Linux users forcing major software and hardware companies to acknowledge these platforms and make their products available for them. Thus members of group #3 may after a while find themselves unstuck. Perhaps the death of PC Gaming will be a first step towards a better world – one in which no software company has almost complete market monopoly.

Again, this is wishful thinking – sort of a best case scenario if you will. Still, being a gaming platform is a major selling point for Windows. Apple marketing has already cornered the “all fun and no fuss, entertainment platform” market. Windows is already viewed as a primarily work related OS by many people. If the PC games go away, Apple may actually have a chance to carve out a nice chunk of the household computer market for themselves. And where Macs go, Linux will follow since both OSes are of the Unix-y kind.

Commentary on the Palin Email Thing

Wednesday, September 24th, 2008

I know that I promised not to talk about politics on this blog. You get some of that in the form of politically charged funnies at /dev/random and short bursts of venom on twitter. I don’t really want to become too verbose about my frustrations with certain presidential candidates here. So this won’t be about politics – this will be about security, or the lack thereof. I will try to restrain myself from political comments and only make comments about human stupidity, which is a quality that is equally distributed amongst the democrats and republicans.

I initially wasn’t going to comment on this, but people keep asking me for my opinion and I figured I should put together something more eloquent than “Palin got pwnd by /b/. She should totally invest in a dog.” And preferably something that is not as politically charged.

Let’s start from the top. Once upon a time, Gov. Palin had a Yahoo email account. Note that I’m using the past tense here. She no longer has it, because a /b/tard heard about it and took it over in 5 minutes. How was this feat of extremely 1337 hacking on steroids performed? From the horse’s mouth:

rubico 09/17/08(Wed)12:57:22 No.85782652

Hello, /b/ as many of you might already know, last night sarah palin’s yahoo was “hacked” and caps were posted on /b/, i am the lurker who did it, and i would like to tell the story.

In the past couple days news had come to light about palin using a yahoo mail account, it was in news stories and such, a thread was started full of newfags trying to do something that would not get this off the ground, for the next 2 hours the acct was locked from password recovery presumably from all this bullshit spamming.

after the password recovery was reenabled, it took seriously 45 mins on wikipedia and google to find the info, Birthday? 15 seconds on wikipedia, zip code? well she had always been from wasilla, and it only has 2 zip codes (thanks online postal service!)

the second was somewhat harder, the question was “where did you meet your spouse?” did some research, and apparently she had eloped with mister palin after college, if you’ll look on some of the screenshits that I took and other fellow anon have so graciously put on photobucket you will see the google search for “palin eloped” or some such in one of the tabs.

I found out later through more research that they met at high school, so I did variations of that, high, high school, eventually hit on “Wasilla high” I promptly changed the password to popcorn and took a cold shower…

As you can see, there was no hacking done here. In fact, the very act of taking over Palin’s email required no computer knowledge and no skill. Hell, it didn’t even require intelligence. All it required was the ability to type the word “palin” into the Google search box. Anyone in the world could have done this. It just happens that it was done by /b/ and for LULZ, but it could have just as easily been perpetrated by someone with a much more malicious agenda to either monitor, intercept or forge Gov. Palin’s work related messages.

The obvious point of failure here is of course the password recovery system. Almost all online services use one of these, because remembering strong passwords is difficult and using weak passwords is dangerous. It is an age old problem, and the solution is to force people to use strong passwords, and allow them to go through a recovery process involving easy to remember questions in case they forget. Most services won’t actually allow you to reset your password on the spot, but instead will send a temporary password or a confirmation message to the email you used to sign up for the service. So if someone tries to recover your Facebook password for example, and correctly guesses the name of your first dog and your zip code, they still won’t get access to the account. Instead you will get an email notifying you about the recovery attempt. Not the most secure solution, but it works.

Of course in the case of Yahoo mail this is apparently not the case, which sort of makes sense. Requiring someone to use an email address to sign up for another email account is a bit silly. As a result Yahoo apparently relies solely on the very insecure personal questions to verify your identity. These questions may often work for a private person. After all, how many people in the world know the zip code of your mom’s house, the name of your high school crush and the name of that pet goldfish you flushed down the toilet when you were 11? Even if you blab about yourself constantly, there is only a limited number of people who could potentially know these things – and these are the people who know you personally, and who you can track down and slap around if you find out they have tried to read your email. This changes when you become a public person and have your own detailed Wikipedia entry that gets vandalized 5 times a day. The flaw that is inherent to the password recovery system becomes a gaping security hole.

The lessons here are twofold:

  1. Using a free email account when you are a public figure puts you at risk, even if it is purely for personal use. You really want to invest in something more robust. It’s fine if you want to keep your public email and your private email separate, but you should really look for a more professional solution. Perhaps something where you can confirm your identity by giving out the CC number associated with your account, and its security code. After all, that’s something a random /b/tard won’t be able to find on Wikipedia.
  2. We need to carefully reexamine the way we use the password recovery mechanisms. It’s obvious that Yahoo’s solution is very vulnerable to a common sense, logic based attack. This is unacceptable, and needs to be fixed for Yahoo and all the other services which use a similar recovery method.

The problem with password recovery is a serious one, because there is really no easy way to make it more secure. Let’s remember that the only reason people use this feature is because they can’t remember their 6-8 character password. If you make the recovery questions too obscure or complex, people will forget them as well. This is why most free online services insist that you sign up with a valid email address where they can send you a password recovery confirmation. The only way to ensure that you are not giving away the password to a bad guy is to hand over the job of confirming your identity to someone else – your email provider. Of course if you are trying to be a primary email provider for people who already have, but don’t want (or don’t know how) to use their ISP-provided email, you don’t really have that option.

How do we resolve this? First off, don’t do what Yahoo did. When you are a free online service, always defer the job of confirming identity during password recovery to someone else. This way, when an account gets compromised it is not your fault. The easiest way of course is to require your user to sign up with a valid email account. But not necessarily – you can also become an OpenID consumer. Everyone and their mom is an OpenID provider these days, but no one ever wants to be a consumer. However, using OpenID logins is a perfect way to defer trust to another entity without asking the user for another email address.

This way security issues cluster around popular OpenID providers, some of which are paid services (e.g. LiveJournal) which can ask the user to verify their CC# upon password recovery. Better yet – if you are a public figure you can roll out your own OpenID provider solely responsible for authenticating you, and only you, on a bunch of online services. If you forget your password you simply visit or call up “Joe”, the guy who maintains your OpenID server, and ask him to reset it for you. If someone hacks your account, you can personally kick Joe’s ass, and then fire him.

Of course there are many issues with actually implementing OpenID in a way that works. If you trust the wrong OpenID provider for example, you may find yourself overrun by spammers. Not an ideal solution, but a solution nevertheless. It does seem to work for Stackoverflow for example.

If you don’t want to defer authentication to someone else, and you want to remain free, do something like Google did for Gmail registration – ask your users for a phone number and send them a text message with a security code when they try to recover a password. It is almost like a poor man’s two factor authentication. There are of course usability issues with this scheme as well – problems with SMS transports across networks, and other random stuff. I’m not saying everyone should do it – I’m just saying it is a more secure option than asking for the name of a person’s dog. At least in theory.

At the very least, we should revisit the questions and answers the recovery process is using. Obviously things like DOB, zip code and spouse name are very easy for a potential attacker to find out. Perhaps a different kind of question would be in order. Perhaps something along the lines of:

You’re in the desert, you see a tortoise lying on its back, struggling, and you’re not helping. Why is that?

Only don’t use a known quote, because 80% of people who watched/read Blade Runner will invariably answer this one with “what is a tortoise?” and that’s not exactly what you want. Simply ask a personal question, and assume that the answer for a given question doesn’t change. Perhaps something along the lines of:

“You are walking in the park, alone. It is cloudy day but it is not raining. You smell wet leaves. What are you thinking about?”

Again not perfect, but it may trigger some rather personal memories, or incite a trivial response along the lines of “better get home before the rain”. We would probably have to test this type of question on a group of users, and then have them try to recover their passwords 6 months later and see if they are able to use the same responses. Also it would be interesting to see if this sort of emotionally charged question prompts similar answers from many people. I have a hunch that the above question would end up with many responses along the lines of “I think of her/him” but again – it would take some testing. The assumption is that these questions would be harder to defeat by looking them up, but since we are all emotionally wired in a similar way they may be easy to guess by intuition alone.

Those are my 3 ideas. Feel free to suggest your solutions to the password recovery issue in the comments. Maybe there is a better way to do this.

Is it Gov. Palin’s fault that she got pwnd? Yes and no. Yes, because she should have known better than to use Yahoo. No, because this would not have happened if it wasn’t for the inelegant kludge that is the “password recovery question” mechanism employed by Yahoo. She is not the only person who had their account compromised this way – it’s just that the contents of most people’s Yahoo inboxes are not a matter of national security and thus we don’t hear about it on the news.

The interesting thing is what will happen to the kid who did this. What’s his name? David, was it? Yes, it was David. Will he get a slap on the wrist, or will he be made an example of? Will he spend some quality time in a federal prison, or will he get off with a fine, some community service and a nasty smear on his daddy’s reputation? Or will he dodge all punishment by a small margin due to insufficient evidence?

What do you think?