
Comment: Re:What?? (Score 2) 106

by TheRaven64 (#46831935) Attached to: WhatsApp Is Well On Its Way To A Billion Users
I switched from giffgaff when they put up their prices and engaged in misleading advertising ('look, we're cheaper than everyone else if you pick the really expensive plans that you have to dig around on their web sites to even find and ignore the ones that are the same price we were offering before we put prices up!'). I guess the difference is what you count as a plan. I regard their goody bags as an add-on, not a plan. On a pre-pay plan you don't get anything included - that's the point. Given that Giffgaff's cheapest goody bag (which expires after a month) costs what I spend on my phone in 3-4 months, I think it reinforces my point. You get unlimited texts only if you buy them in bulk. The 200 minutes and 250MB that the £7.50 goody bag gives you would cost me £8.50, so if I used that much it would be a good deal (although I'd then be paying 7p/minute more for calls above that, so I'd have to be making close to exactly 200 minutes of calls a month for it to make sense). I spend under £2/month on my phone currently though, so it's a pretty poor deal with that in mind.

Comment: Re:Is this a lie like last time? (Score 1) 94

by TheRaven64 (#46831191) Attached to: The Witcher 3 and Projekt Red's DRM-Free Stand
They did release it DRM free if you bought it from them. If you bought it via another publisher then you got some extra crap and had to go back to them to get the DRM-free version. How about next time giving money directly to the company that sells DRM-free games, instead of to a company whose only contribution was to add some DRM crap and put it in a box?

Comment: Re: They get it! (Score 1) 94

by TheRaven64 (#46831185) Attached to: The Witcher 3 and Projekt Red's DRM-Free Stand
You're assuming that everyone who wants to get an illegal copy needs to crack the DRM. That's not how it works. One person cracks it then releases it on file-sharing sites / networks and everyone copies it. It may prevent casual copying (e.g. I lend a friend the CD), but these days it's easier to give someone a link to a .torrent file than to lend them a CD anyway. More importantly, if someone doesn't know about things like BitTorrent then when they try to copy their game and find that they can't, they're going to ask their favourite search engine and discover that they can get games that they can copy for free. With something like GOG, you get all of the convenience of illegal downloads (actually more - the downloads are a lot faster and they always work), and I get to support the companies that are releasing the games in a way that I want.

Comment: Re:Witcher series has historically been DRM-free (Score 1) 94

by TheRaven64 (#46831161) Attached to: The Witcher 3 and Projekt Red's DRM-Free Stand

The first or the second? I really enjoyed the first, but about the only improvement in the second was the graphics (and my laptop could only handle the lowest detail at a playable rate anyway). The combat was a lot better in the first one and the characters seemed more interesting.

It's a difficult balance in this kind of game between making it open (so the player feels in control of what's happening) and providing a story (because part of the reason for buying the game like this is to be told a story). The first one seemed to get the balance right, but the sequel felt too scripted to me - I was just running from one plot element to the next and then making the four token decisions. There were lots of side-quests in the first one that impacted the story later on and interactions with characters that told you interesting things.

I think the sequel also got off to a bad start, because it let you import your save game from the first one, but after being given a silver sword by a Goddess and a steel sword by a king and finding some legendary armour exploring a tomb, I discovered that the first person I killed had a better sword than me. More importantly, swords and armour made a significant difference in the second. One thing that always annoys me in fantasy games is when the equipment makes more of a difference in fights than the skill. In The Witcher, the difference between a crappy sword stolen from a low-paid henchman and the amazing sword forged for the king was about 10-20%. Enough to give you a slight edge, but not enough to make a real difference unless a fight was very close. The difference between Geralt at the start and Geralt after he'd (re)learned a load of fighting skills was significant. In contrast, in The Witcher 2, you can get a really good sword and then be easily able to beat monsters that would kill you easily with a less-good sword, without learning any new skills.

Comment: Re:GoG on linux (was Re:What kind?) (Score 1) 94

by TheRaven64 (#46831115) Attached to: The Witcher 3 and Projekt Red's DRM-Free Stand

Most of their Mac games use DOSBox or WINE, so it probably wasn't too much effort for them to get Linux support working for most of them. Even before they announced Mac support, I ran quite a few of their games with WINE and DOSBox on OS X (their older games use DOSBox on Windows too), but it's a lot less hassle to get their configs (although they tend to be quite pessimistic about visual quality, and you can improve some of the older adventure games a lot by changing the scaling mode to hq3x in the DOSBox config that they ship).

I'm very happy with GOG - there are typically 5-10 games on my shelf that I haven't got around to playing yet. I got The Witcher 1 and 2 as a bundle and enjoyed them both, although I enjoyed the first one a lot more. They're DRM-free and let you redownload games, often with significant updates (e.g. I bought Dungeon Keeper, and they later added the expansion pack. FTL is now FTL: Advanced Edition).

Comment: Re:Security by Obscurity? (Score 1) 107

by TheRaven64 (#46831057) Attached to: OpenSSL: the New Face of Technology Monoculture
No, he's talking about mitigation, which is a well-known security practice. It's not about obscurity - you can have two or more open source implementations, but it's then harder for the same bug to be in both or all.

To give a concrete example, take a look at the DNS root zone servers operated by Verisign. They run a 50:50 mix of Linux and FreeBSD and increasingly a mix of BIND and Unbound. They use a userspace network stack on some and the system network stack on others. If someone wants to take out the root zone, they need to find exploits for each of these systems. A bug that lets you remotely crash a FreeBSD box likely won't affect Linux and vice versa. That gives them a little bit more time to find the fix (they also massively overprovision, so if someone does take out all of the Linux systems then the FreeBSD ones can still handle the load, and vice versa). If someone finds a bug in BIND then the Unbound servers will be fine.

If your web site were running a mixture of OpenSSL and something else, then it would be relatively easy to turn off the servers running OpenSSL as soon as the vulnerability is disclosed and only put them back online when they've been audited for compromises. Of course, it depends a bit on what your threat model is. If a single machine being compromised is a game-over problem, then you're better off with a monoculture (at your organisation, at least). If having all (or a large fraction) compromised is a problem, but individual compromises are fine, then it's better to have diversity.

Comment: Re:Apples and oranges (Score 1) 107

by TheRaven64 (#46831031) Attached to: OpenSSL: the New Face of Technology Monoculture
The problems with OpenSSL aren't actually in the crypto parts. libcrypto is pretty solid, although the APIs could do with a bit of work. The real problems are in the higher layers. In the case of Heartbleed, it was a higher-level protocol layered on top of SSL and implemented poorly. It was made worse by the hand-rolled allocator, which is also part of libssl (not libcrypto).

Comment: Re:Is anyone surprised? (Score 3, Interesting) 107

by TheRaven64 (#46830969) Attached to: OpenSSL: the New Face of Technology Monoculture
OpenSSL is quite shockingly bad code. We often use it as a test case for analysis tools, because if you can trace the execution flow in OpenSSL enough to do something useful, then you can do pretty much anything. Everything is accessed via so many layers of indirection that it's almost impossible to statically work out what the code flow is. It also uses a crazy tri-state return pattern, where (I think - I've possibly misremembered the exact mapping) a positive value indicates success, zero indicates failure, and negative indicates unusual failure, so people often do == 0 to check for error and are then vulnerable. The core APIs provide the building blocks of common tasks, but no high-level abstractions of the things that people actually want to do, so anyone using it directly is likely to have problems (e.g. it doesn't do certificate verification automatically).

The API is widely cited in API security papers as an example of something that could have been intentionally designed to cause users to introduce vulnerabilities. The problem is that the core crypto routines are well written and audited and no one wants to rewrite them, because the odds of getting them wrong are very high. The real need is to rip them out and put them in a new library with a new API. Apple did this with CommonCrypto and the new wrapper framework whose name escapes me (it integrates nicely with libdispatch), but unfortunately they managed to add some of their own bugs...
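
The tri-state return pitfall described in the comment above, as an added example that is not part of the original comment and is not OpenSSL code. `toy_verify`, its length-prefixed blob format and the sample byte strings are hypothetical and constructed; the return mapping follows the one the comment gives (positive for success, zero for failure, negative for unusual failure).

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical stand-in for a tri-state verify call (not an OpenSSL function):
 *    1 -> signature valid
 *    0 -> signature well-formed but does not match
 *   -1 -> "unusual" failure: the input could not be parsed at all */
static int toy_verify(const unsigned char *sig, size_t sig_len,
                      const unsigned char *expected, size_t expected_len)
{
    /* Constructed format: one length byte followed by that many bytes. */
    if (sig == NULL || sig_len < 1 || (size_t)sig[0] != sig_len - 1)
        return -1;                          /* malformed blob */
    if ((size_t)sig[0] != expected_len)
        return 0;                           /* wrong size, cannot match */
    return memcmp(sig + 1, expected, expected_len) == 0 ? 1 : 0;
}

/* Flawed caller: only 0 is treated as failure, so -1 falls through. */
int accept_buggy(const unsigned char *sig, size_t n,
                 const unsigned char *exp, size_t exp_n)
{
    if (toy_verify(sig, n, exp, exp_n) == 0)
        return 0;                           /* rejected */
    return 1;                               /* accepted, even on -1 */
}

/* Hardened caller: accept only the single success value, reject the rest. */
int accept_strict(const unsigned char *sig, size_t n,
                  const unsigned char *exp, size_t exp_n)
{
    return toy_verify(sig, n, exp, exp_n) == 1;
}

/* Constructed sample inputs. */
static const unsigned char EXPECTED[]      = { 0xde, 0xad, 0xbe, 0xef };
static const unsigned char SIG_GOOD[]      = { 4, 0xde, 0xad, 0xbe, 0xef };
static const unsigned char SIG_BAD[]       = { 4, 0xde, 0xad, 0xbe, 0x00 };
static const unsigned char SIG_MALFORMED[] = { 9, 0xde, 0xad }; /* length byte lies */
```

The malformed blob is the case that separates the two callers: `accept_buggy` lets it through because the error code is not zero, while `accept_strict` rejects it.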

Comment: Re:What?? (Score 1) 106

by TheRaven64 (#46830929) Attached to: WhatsApp Is Well On Its Way To A Billion Users

If by 'any deal' you mean 'any contract' then they generally do come with either unlimited texting or quite a lot, but that's not true for pre-paid plans, which have made up the majority of the market for the last few years. I'm currently with Three, and they charge 3p/min for calls, 2p/min for texts and 1p/min for data - I'd have to spend a lot of time on the phone to come close to the cost of the cheapest contract plan, so they really only make sense for people who use their phone for business, or who haven't worked out that the 'free' phone that they get is really a loan at 50+% APR to buy a phone. For 2p, I can have one SMS or 2MB of data. The latter is enough to keep an IM connection open all day, so I can see the attraction of things like WhatsApp, especially since you can switch to the desktop version whenever you find the keyboard too limiting.

And that's not counting the fact that you can use WiFi when you're somewhere where roaming is expensive, which is the only reason I still have a SIP client installed on my phone: It's cheaper for me to make calls to the UK from the UK over the mobile network, but when I'm abroad (outside one of Three's Feel at Home countries) it's often a lot cheaper to use SIP. Sending text messages abroad is very expensive, but using WiFi is usually free.
