Lessee. Username’s a reference to Snow Crash, which is a cyberpunk book. Played the game “years ago”. The game must have a name not so connected to the content that OP would have already remembered the name before posting.
I’m going to guess Shadowrun for the SNES.
Blaster Master was an underrated metroidvania. I’m a little bummed they didn’t mention that in the article.
Most games were never made to be modded. The communities are hacking mods into these games, many of which were even designed to make modding harder. (Because mods compete against sequels or something? I dunno. Intellectual property is a mental illness.) It’s not terribly surprising that games that weren’t meant to be modded have confusingly inconsistent methods for loading mods. Because those mods work fundamentally differently from game to game. If a mod happens to be easy-ish to install, chances are it’s either quite a simple mod (a model/texture replacement or some such, or just something that’s not terribly hard to mod) or a lot of work has been put into making it easier.
I wasn’t saying anything about who bears “fault”. My aim with that post (and honestly all the posts I’ve made in this thread) was about understanding the details of the vulnerability well enough for folks to be able to ascertain a) whether they’re affected and b) how to remediate.
About “fault”, I’m not sure I really agree that’s the best way to talk about these things in general unless they did them purposefully. (WEI, for instance, was malicious bullshit. But I don’t have any particular reason to think in this specific situation Microsoft didn’t handle responsible disclosure properly or anything.)
Clearly Microsoft made a boo boo in choosing to trust the vulnerable tools in the first place, but vulnerabilities are inevitable.
I’ll definitely say I don’t consider Microsoft “trustworthy” enough to protect my stuff. If only because Microsoft stuff is bloated and has a huge amount of attack surface. But also because their history makes it clear they’ll perpetrate really shitty things against their users on purpose. The former could only really be addressed by them slimming down their technology stack. The latter by abolishing the profit motive.
And also, in general UEFI is apparently a cluster fuck of poor, buggy implementations. So there’s that.
In all, this one doesn’t strike me as terribly high on the “blameworthy” meter unless you just consider it a symptom of Microsoft being assholes, which is undeniably true.
They don’t even have to be signed…
Yeah. My understanding is that Microsoft has signed several tools made by other companies that boot as UEFI PE executables and aren’t supposed to allow loading arbitrary (including unsigned and malicious) UEFI PE binaries, but due to security vulnerabilities in the tool, they’ll load any old UEFI PE binary you give them.
The payload/malicious UEFI PE binaries don’t have to be signed. But the third-party tools that contain the vulnerabilities have to be signed by a signer your UEFI firmware trusts. (And the tools are signed by Microsoft, which your UEFI firmware almost definitely trusts, unless you’ve already applied a fix).
(And I don’t know exactly what sort of tools they are. Maybe they’re like UEFI Shell software or something? Not sure. Not sure it matters that much for purposes of understanding the impact or remediation strategy for this vulnerability.)
The fix, I’d imagine is:
Now, I’m not 100% sure if there needs to be yet another step in there where individual users explicitly install/trust the replacement certs. Those replacement certs are signed by Microsoft’s root certificate, right? As long as all the certificates in the chain from the root certificate down to the signature are included with the UEFI PE binary, the firmware should be able to verify the new binary? Or maybe having chains of certs is not how UEFI PE binaries work. Not sure.
Here is an example of something similar that disables Windows Platform Binary Table…(I’m not advocating that anybody actually use this).
Yuck. Thanks for letting me know of that. I’m still firmly in the “learning” phase when it comes to this UEFI stuff. It’s good to be aware of this.
As drspod said, no, Linux is not invulnerable. For Linux users using legacy BIOS boot or using UEFI but not secure boot, this vulnerability doesn’t make anything any more insecure than it was already. But any user, Linux or Windows, who is affected by this vulnerability (which is basically everyone who hasn’t revoked permissions to the Microsoft keys in question), if they’re using secure boot, no they’re not. (That is to say, they can no longer depend on any of the guarantees that secure boot provides until they close the vulnerability.)
If I’m understanding what I’ve been able to glean about this just by googling, it looks like the vulnerability is in certain tools that Microsoft has decided to sign with some of its UEFI secure boot keys. It’s not a vulnerability in your UEFI firmware itself, except insofar as your UEFI firmware comes already configured to trust Microsoft’s certificates. So even though the vulnerability isn’t in your UEFI firmware per se, the fix will require revoking trust to keys that are almost definitely pre-installed in your UEFI firmware.
My most played game is probably The Legend of Zelda: Breath of the Wild. No idea in terms of how many hours. But I played it, then hundred-percented it (yes I found all the Korok seeds), then the DLC came out and I played that, then I started over in master mode, then I replayed it with mods, then I replayed it with cheats, then I speedran it for like a year.
The ship named “software does shit I don’t like on my own hardware” sailed the day proprietary software became a thing.
Mind you, it’s scary how many people applaud kernel-level anticheat. “This game was just ruined by hackers until they added kernel-level anticheat. Now it’s great again!”
How would a campaign against kernel-level anticheat “succeed” exactly? More awareness? More people boycotting kernel-level anticheat? Laws prohibiting the practice?
Like, obviously I’m never running any software that involves kernel-level anticheat, but I’m a Gentoo neckbeard with an EFF-approved tinfoil hat surgically attached to my scalp.
(Hell, I think it would be great if most of the games out there had cheater and bot servers where it was encouraged to run your cheat tools and/or bots. If they allowed that but just kept it separate from non-tool/non-bot players, that’d be a fantastic way to get kids more interested in STEM.)
(Also, if anyone made and sold a boardgame that made players want to cheat (in a bug-not-feature kind of way), it would get negative reviews and no one would buy it. In a way, kernel-level anticheat can almost be considered a type of “externality”. The game studio, rather than going to the trouble to tune their game to make cheating less appealing, they break their users’ computers and invade their privacy. And the game studio then rakes in more money as a result.)
But how would we get through to normie 12-year-olds who just want to play Valorant and not have their face constantly rubbed in the dirt by “hackers”?
That’s the neat part. I don’t!
I’ve got enough privacy concerns about my car’s privacy policies that I don’t want my phone talking to my car. (Except via the aux audio port, at least.)
And since I first got a smartphone, I haven’t done enough traveling that I’ve ever felt the need for a maps app. But there are options on F-Droid. I just can’t speak to how good they are as I’ve never used any of them.
Though, honestly, I can also just use https://maps.google.com/ through my browser.
I’ve got my caps lock key remapped to escape.
I use my left pinky for ctrl, shift, a, and my remapped caps lock/escape key.
I use my right pinky for shift, enter, and I’m pretty sure that’s all.
I use my ring fingers for backspace, tilde, tab, q, backslash, quote, and that probably isn’t a comprehensive list.
I use my middle finger for semicolon/colon! I never realized that before. Wild.
if you want to take OpenAI’s own research into account
No thank you.
OlympicArena validation set (text-only)
“Our extensive evaluations reveal that even advanced models like GPT-4o only achieve a 39.97% overall accuracy (28.67% for mathematics and 29.71% for physics)”
I know I’ve seen “cryptographically secure” levels (as in, you can only possibly beat it within a human lifespan if you know the specific “combination” or “cryptographic key”), but maybe only in Super Mario Maker 2.
And I’m not sure if in 1 you can inspect the whole level. The SMM2 cryptographically secure ones I’ve seen rely on mechanisms that must remain off-screen the whole time or else it’s trivial to derive the key.
They will conclude that they did not actually save money by replacing human developers with LLMs.
The next CTO might realize that. If there hasn’t been a change in upper-level management, they’ll just double down and blame the few remaining human developers for the mess.
CTOs are incapable of self-reflection.
Magarena also comes to mind. It’s a computer game implementation of Magic The Gathering. There’s a button in the settings that downloads all the card art from publicly available sources.
It seems like every time the alt-right and neo-Nazis make something a new dog whistle (remember the “ok” sign thing that started on 4chan?) the left is just like “oh fuck, I guess we better stop using that now.”
I’m not sure there’s a better option. It’s not like it’s a good idea to just go on flashing “ok” signs and pretending it hasn’t been coopted by fascists, but it seems shitty and frustrating to just cede ground like that every time the alt right is just like “this is ours now.”
Come to think of it, I named a project at my workplace “IG-88” a while back and didn’t think about the Nazi connection until the name was already in common use. (With that name, the project in question even had a badass theme song.)
How old is your phone and have you been updating it? Maybe your phone is so old that the certificates on it are too old to recognize the current Discord certificate?