Valve Comments on Christmas Security Issues

Subject: General Tech | December 30, 2015 - 11:48 PM |
Tagged: valve, steam, security, Privacy

On Christmas Day, Valve had a few hours of problems. Their servers were being overloaded by malicious traffic. The best analogy that I could provide would be a bad organization who sent a thousand people to Walmart, to do nothing but stand in the check-out line and ask the cashier about the time. This clogs up the infrastructure, preventing legitimate customers from making their transactions. This was often done after demanding a ransom. Don't pay? Your servers get clogged at the worst time.

Image caption: A little too much sharing...

There are two ways to counteract a DDoS attack: add hardware or make your site more efficient.

When a website is requested, the server generates the page and sends it to the customer. This process is typically slow, especially for complicated sites that pull data from one or more databases. It then feeds this data to partners to send to customers. Some pages, like the Steam Store's front page, are mostly the same for anyone who views them (from the same geographic region). Some pages, like your order confirmation page, are individual. You can save server performance by generating the pages only when they change, and giving them to relevant users from the closest delivery server.

Someone, during a 20-fold spike in traffic relative to the typical Steam Sale volume, accidentally started saving (caching) pages with private information and delivering them to random users. This includes things like order confirmation and contact information pages for whatever logged-in account generated them. This is pretty terrible for privacy. Again, it does not allow users to interact with the profiles of other users, just see the results that other users generated.

But this is still quite bad.

Users complained, especially on Twitter, that Valve should have shut down their website immediately. From my position, I agree, especially since attempting to make a purchase tells the web server to pull the most sensitive information (billing address, etc.) from the database. I don't particularly know why Valve didn't, but I cannot see that from the outside.

It's probably a simple mistake to make, especially since Valve seems to blame a third party for the configuration issue. On the other hand, that also meant that Valve structured their website such that sensitive information is in the hands of third parties to properly cache. That might have been necessary, depending on their browser compatibility requirements, but I would hope that it's something Valve restructures in the future. (For instance, have the caching server store the site's framework, and fill in the individual's data with a JavaScript request to another, uncached server.)

But again, I don't work there. I don't know the details.
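The failure mode described above, as an added example that is not Valve's or any caching provider's code: a toy shared cache keyed only by URL, run once with a store-everything policy and once with a rule that refuses to store credentialed or non-public responses. The paths, users, and the `origin`, `cacheable` and `EdgeCache` names are all constructed for the illustration.

```python
# Added illustration: a toy shared (edge) cache, not Valve's or any CDN's code.
# All names, paths and users below are constructed for this example.

def origin(path, user):
    """Hypothetical origin server: returns (response headers, body)."""
    if path == "/store":
        return {"Cache-Control": "public, max-age=60"}, "front page"
    # Per-account page: the origin marks it as private.
    return {"Cache-Control": "private, no-store"}, f"billing details for {user}"

def cacheable(req_headers, resp_headers):
    """Hardened rule: a shared cache stores only explicitly public
    responses to requests that carried no credentials."""
    if "Cookie" in req_headers or "Authorization" in req_headers:
        return False
    if "Set-Cookie" in resp_headers:
        return False
    directives = {d.strip().split("=")[0].lower()
                  for d in resp_headers.get("Cache-Control", "").split(",")}
    return "public" in directives and not directives & {"private", "no-store"}

class EdgeCache:
    def __init__(self, respect_privacy):
        self.respect_privacy = respect_privacy
        self.store = {}        # keyed by URL path only, shared by all visitors
        self.origin_hits = 0

    def get(self, path, user=None):
        if path in self.store:
            return self.store[path]
        req = {"Cookie": f"session={user}"} if user else {}
        self.origin_hits += 1
        resp_headers, body = origin(path, user)
        # Misconfigured cache stores everything; hardened cache checks first.
        if not self.respect_privacy or cacheable(req, resp_headers):
            self.store[path] = body
        return body

def demo(respect_privacy):
    edge = EdgeCache(respect_privacy)
    edge.get("/account", user="alice")
    seen_by_bob = edge.get("/account", user="bob")
    edge.get("/store")
    edge.get("/store")
    return seen_by_bob, edge.origin_hits

if __name__ == "__main__":
    print("misconfigured:", demo(False))
    print("hardened:     ", demo(True))
```

With the store-everything policy the second visitor is served the first visitor's account page from cache; with the hardened rule each account request goes back to the origin, while the public front page is still served from cache on its second request.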

Source: Valve

Rantopad and Gateron, a switch from your usual mechanical keyboard provider

Subject: General Tech | December 30, 2015 - 03:04 PM |
Tagged: cherry mx rgb, Gateron Black, Gateron Blue, K70 Mechanical Gaming Keyboard, rantopad, Rantopad MXX

Gateron is yet another company to join the mechanical switch crowd and appears on the Rantopad MXX gaming keyboard.  The keyboard is tenkeyless and designed to let you remove keys as you see fit, though it does not seem to come with additional keys to customize the board.  As you might expect it is backlit, and there will soon be a Cherry MX RGB model for those who want more than just a single colour of light to display.  MadShrimps provides a full review of this $80 mechanical keyboard here, for those interested.

"Despite the fact that the Rantopad MXX does not feature software for additional configuration purposes, we were quite impressed with the build quality of the keyboard, while the compact (TKL) size and space-grade aluminum cover give the product a professional look. MXX does come for now with Gateron Black or Blue switches (and aluminum covers in blue or dark grey), but in the future we will also see white and red variants introduced and a much wider switch selection, including Cherry MX RGB switches."

Source: MadShrimps

UNIGINE 2 Earth Demo (Video)

Subject: General Tech | December 30, 2015 - 02:15 PM |
Tagged: UNIGINE, unigine 2

Apparently something is coming in 2016, but I don't know what that is. All I can see at the moment is a highly-detailed rendering of Earth, which UNIGINE classifies as a research and development project. The first couple of views are pretty impressive although, despite begging in the comments for a flight simulator with this technology, it looks like this content only works in an as-viewed-from-space context.

That said, if it ends up scaling down to the planet's surface, that would be highly entertaining.

Even still, the technology required to convert from recorded, public data into a rendered sphere is impressive. The “procedural data refinement” that converts various masks into clusters of human-made lighting, and so forth, looks shiny and believable. This could be highly useful for space games and cinematics at the very least.

The engine itself is impressive. The original UNIGINE was a staple of DirectX 11 benchmarks for years. It made use of tessellation in one of the most compelling, stylized ways we've seen to date. Unfortunately, they seem to be sticking with their large (but not too large) up-front licensing cost business model. This stands against the free-with-royalty trend of modern engines today, such as CryEngine, Unity, and Unreal. Hopefully it delivers enough revenue to keep them running.

UNIGINE 2.1 was just released in November.

Fallout 4 can get confused if you aren't a gun toting yahoo

Subject: General Tech | December 30, 2015 - 01:35 PM |
Tagged: fallout 4, bug, gaming

The Fallout series has never been pacifistic; the isometric originals could allow you to become a drug-addicted slave trader. However, they did not use to be so linear as Fallout 4 seems to be.  An inventive gamer decided to try to play the new Fallout without killing a soul and has accomplished that goal after much effort and a few bugs.  While it is certainly a blast to roam the wastelands slaughtering all those who get in your way, this article at Kotaku illustrates the problems you can face when playing a game differently than the developers expected you to.  The usual, and sadly inevitable, game bugs aside, there are quite a few new ones that arise when you get creative with your playthrough.  As any DM worth their salt knows, you can never account for everything your players will do and flexibility is a must.  One hopes that devs at Bethesda read through this article and expand their creativity as a result.

"Fallout 4 expects you to commit murder. While you can occasionally avoid killing others, the wasteland is ruthless and demands violence. That’s how Bethesda intended the game to be played, anyway—but clever players are finding ways around it."

Source: Kotaku

Sigh ... your Windows 10 device is probably only as secure as Microsoft's database

Subject: General Tech | December 29, 2015 - 02:13 PM |
Tagged: microsoft, windows 10, security

If your Windows 10 machine uses your Microsoft account as the login, then your system's recovery key now resides on a Microsoft database in the cloud.  That recovery key is used in the file system encryption present on Windows 10 systems.  The backup is good news for people who find themselves with computer problems and need access to the key from a different machine; however, this is also a huge security concern, as your key could be stolen or demanded from Microsoft.  Follow the link from the Slashdot article to find out how to delete that backed-up recovery key, and consider using a domain or workgroup style account as opposed to a Microsoft account to log into your machine.

"The fact that new Windows devices require users to backup their recovery key on Microsoft's servers is remarkably similar to a key escrow system, but with an important difference. Users can choose to delete recovery keys from their Microsoft accounts – something that people never had the option to do with the Clipper chip system. But they can only delete it after they've already uploaded it to the cloud.....As soon as your recovery key leaves your computer, you have no way of knowing its fate."

Source: Slashdot

HAMR strike delayed until 2018

Subject: General Tech, Storage | December 28, 2015 - 07:21 PM |
Tagged: HAMR, delay

We had hoped to see Heat Assisted Magnetic Recording sometime in 2017, but that goal has proved to be optimistic and 2018 is now the current expectation for its arrival.  This technology will allow storage densities higher than 1.5 Tb/in² but is not quite ready for primetime at the moment.  Prototypes do exist and some are being sent to customers to test the reliability and performance of drives in real life test scenarios.  The drives will be slower than flash based storage of course; however, when it comes to storage density, spinning rust still holds the crown and will continue to do so for some time.  You can refresh yourself on the technology by following the links in this post and read more about the delays over at Slashdot.

"Unfortunately the hard disk drive industry is not ready to go live with Heat-assisted Magnetic Recording (HAMR). The technology is yet not reliable enough for mass production. Over the years, producers of hard drives, platters and recording heads have revealed various possible timeframes for commercial availability of drives with HAMR technology. Their predictions were not accurate."

Source: Slashdot

Microsoft to Reclassify Certain Ad-Injectors as Malware

Subject: General Tech | December 24, 2015 - 05:52 PM |
Tagged: microsoft, windows defender, adware, Malware, superfish

The Microsoft Malware Protection Center has announced that, on March 31st, 2016, certain types of advertisement-injection will be reclassified as malware. This does not include all forms of ad-injection, just ones which use confusing, difficult to remove, or insecure methods of displaying them. Specifically, adware must use the browser's default extension model, including its disable and remove functions. Recent adware has been known to modify DNS and proxy settings to force web traffic through a third party that injects ads, including secure websites using root certificates.

In other words, Superfish.

An interesting side-story is that, while Microsoft requires that adware uses default browser extensions, Microsoft Edge does not yet have any. Enforcement doesn't start until March 31st, but we don't have a date for when extensions arrive in Microsoft. I seriously doubt that the company intends to give Edge a lead-time, but that might end up happening by chance. The lead time is probably to give OEMs and adware vendors a chance to update their software before it is targeted.

The post doesn't explicitly state the penalties of shipping adware that violates this blog post, but the criteria are used for antimalware tools. As such, violators will probably be removed by Windows Defender, but that might not be the only consequence.

Source: Microsoft

Podcast #380 - Microsoft's Surface Devices, the ASUS X99-E WS, HTC Vive and more!

Subject: General Tech | December 23, 2015 - 11:23 PM |
Tagged: podcast, video, asus, X99-E WS, microsoft, surface pro 4, surface book, htc, vive, ECS, LIVA, vulkan, dx12, Mantle, nvidia, shield tablet k1

PC Perspective Podcast #380 - 12/24/2015

Join us this week as we discuss Microsoft's Surface Devices, the ASUS X99-E WS, HTC Vive and more!

You can subscribe to us through iTunes and you can still access it directly through the RSS page HERE.

The URL for the podcast is: http://pcper.com/podcast - Share with your friends!

  • iTunes - Subscribe to the podcast directly through the iTunes Store
  • RSS - Subscribe through your regular RSS reader
  • MP3 - Direct download link to the MP3 file

Hosts: Ryan Shrout, Allyn Malventano, Morry Tietelman, and Sebastian Peak

The silence of the keyboards, a different type of feature from the Corsair Strafe RGB MX

Subject: General Tech | December 22, 2015 - 02:39 PM |
Tagged: input, corsair, Strafe RGB MX Silent, gaming keyboard, Cherry MX RGB red

In a world once again dominated by clicky keyboards, a new marketing gimmick has emerged: silent keyboards.  Corsair's Strafe RGB MX Silent keyboard still uses Cherry switches but these particular switches are linear and so do not make noise when depressed.  If you like Cherry Red switches this keyboard will still feel comfortable as the keys still require 45g of actuation pressure, though they will feel different at the end of the stroke.  The keyboard still retains the LED backlighting of other Corsair Strafe keyboards and you can control your display with the Corsair Utility Engine.  Check out Benchmark Reviews for more on this hybrid mechanical keyboard.

"The glut of mechanical keyboards with per-key RGB lighting continues with the release of Corsair’s Strafe RGB Cherry MX Silent series. In addition to features such as extremely versatile programmable lighting, a pass-through USB port, optional textured key caps, and a detachable wrist rest, Corsair adds a unique to them (for now) “silent” version of the Cherry MX Red key switch."

Samsung adding AMD to their customers?

Subject: General Tech | December 22, 2015 - 02:07 PM |
Tagged: amd, Samsung, 14nm, rumour

The talk around the watercooler includes a rumour that AMD may use Samsung to produce at least some of their 14nm chips in the coming year.  If true, this has been a huge year for Samsung, who produce NVIDIA chips as well as recently picking up a contract with Apple to produce some of their A9 SoCs.  The rumour still includes GLOBALFOUNDRIES as a source for APUs and GPUs so this would make Samsung a second source for working silicon, which we can hope will alleviate some of AMD's difficulty in maintaining supplies of products.  This could also help fund Samsung's development of their 10nm FinFET node, which they claim should be in production by the end of 2016.  As always, take the rumour for what it is, but if you want to learn more about what is being said you can pop over to The Inquirer.

"A report in South Korea's Electronic Times, which cited unknown sources, said that Samsung Electronics will start making new chips for AMD sometime next year."

Source: The Inquirer