
Comment: Re:Is this a lie like last time? (Score 1) 82

by TheRaven64 (#46831191) Attached to: The Witcher 3 and Projekt Red's DRM-Free Stand
They did release it DRM free if you bought it from them. If you bought it via another publisher then you got some extra crap and had to go back to them to get the DRM-free version. How about next time giving money directly to the company that sells DRM-free games, instead of to a company whose only contribution was to add some DRM crap and put it in a box?

Comment: Re: They get it! (Score 1) 82

by TheRaven64 (#46831185) Attached to: The Witcher 3 and Projekt Red's DRM-Free Stand
You're assuming that everyone who wants to get an illegal copy needs to crack the DRM. That's not how it works. One person cracks it then releases it on file-sharing sites / networks and everyone copies it. It may prevent casual copying (e.g. I lend a friend the CD), but these days it's easier to give someone a link to a .torrent file than to lend them a CD anyway. More importantly, if someone doesn't know about things like BitTorrent then when they try to copy their game and find that they can't, they're going to ask their favourite search engine and discover that they can get games that they can copy for free. With something like GOG, you get all of the convenience of illegal downloads (actually more - the downloads are a lot faster and they always work), and I get to support the companies that are releasing the games in a way that I want.

Comment: Re:Witcher series has historically been DRM-free (Score 1) 82

by TheRaven64 (#46831161) Attached to: The Witcher 3 and Projekt Red's DRM-Free Stand

The first or the second? I really enjoyed the first, but about the only improvement in the second was the graphics (and my laptop could only handle the lowest detail at a playable rate anyway). The combat was a lot better in the first one and the characters seemed more interesting.

It's a difficult balance in this kind of game between making it open (so the player feels in control of what's happening) and providing a story (because part of the reason for buying the game like this is to be told a story). The first one seemed to get the balance right, but the sequel felt too scripted to me - I was just running from one plot element to the next and then making the four token decisions. There were lots of side-quests in the first one that impacted the story later on and interactions with characters that told you interesting things.

I think the sequel also got off to a bad start, because it let you import your save game from the first one, but after being given a silver sword by a Goddess and a steel sword by a king and finding some legendary armour exploring a tomb, I discovered that the first person I killed had a better sword than me. More importantly, swords and armour made a significant difference in the second. One thing that always annoys me in fantasy games is when the equipment makes more of a difference in fights than the skill. In The Witcher, the difference between a crappy sword stolen from a low-paid henchman and the amazing sword forged for the king was about 10-20%. Enough to give you a slight edge, but not enough to make a real difference unless a fight was very close. The difference between Geralt at the start and Geralt after he'd (re)learned a load of fighting skills was significant. In contrast, in The Witcher 2, you can get a really good sword and then be easily able to beat monsters that would kill you easily with a less-good sword, without learning any new skills.

Comment: Re:GoG on linux (was Re:What kind?) (Score 1) 82

by TheRaven64 (#46831115) Attached to: The Witcher 3 and Projekt Red's DRM-Free Stand

Most of their Mac games use DOSBox or WINE, so it probably wasn't too much effort for them to get Linux support working for most of them. Even before they announced Mac support, I ran quite a few of their games with WINE and DOSBox on OS X (their older games use DOSBox on Windows too), but it's a lot less hassle to get their configs (although they tend to be quite pessimistic about visual quality, and you can improve some of the older adventure games a lot by changing the scaling mode to hq3x in the DOSBox config that they ship).

I'm very happy with GOG - there are typically 5-10 games on my shelf that I haven't got around to playing yet. I got The Witcher 1 and 2 as a bundle and enjoyed them both, although I enjoyed the first one a lot more. They're DRM-free and let you redownload games, often with significant updates (e.g. I bought Dungeon Keeper, and they later added the expansion pack. FTL is now FTL: Advanced Edition).

Comment: Re:Security by Obscurity? (Score 1) 93

by TheRaven64 (#46831057) Attached to: OpenSSL: the New Face of Technology Monoculture
No, he's talking about mitigation, which is a well-known security practice. It's not about obscurity - you can have two or more open source implementations, but it's then harder for the same bug to be in both or all.

To give a concrete example, take a look at the DNS root zone servers operated by Verisign. They run a 50:50 mix of Linux and FreeBSD and increasingly a mix of BIND and Unbound. They use a userspace network stack on some and the system network stack on others. If someone wants to take out the root zone, they need to find exploits for each of these systems. A bug that lets you remotely crash a FreeBSD box likely won't affect Linux and vice versa. That gives them a little bit more time to find the fix (they also massively overprovision, so if someone does take out all of the Linux systems then the FreeBSD ones can still handle the load, and vice versa). If someone finds a bug in BIND then the Unbound servers will be fine.

If your web site were running a mixture of OpenSSL and something else, then it would be relatively easy to turn off the servers running OpenSSL as soon as the vulnerability is disclosed and only put them back online when they've been audited for compromises. Of course, it depends a bit on what your threat model is. If a single machine being compromised is a game-over problem, then you're better off with a monoculture (at your organisation, at least). If having all (or a large fraction) compromised is a problem, but individual compromises are fine, then it's better to have diversity.

Comment: Re:Apples and oranges (Score 1) 93

by TheRaven64 (#46831031) Attached to: OpenSSL: the New Face of Technology Monoculture
The problems with OpenSSL aren't actually in the crypto parts. libcrypto is pretty solid, although the APIs could do with a bit of work. The real problems are in the higher layers. In the case of heartbleed, it was a higher-level protocol layered on top of SSL and implemented poorly. It was made worse by the hand-rolled allocator, which is also part of libssl (not libcrypto).

Comment: Re:Is anyone surprised? (Score 3, Interesting) 93

by TheRaven64 (#46830969) Attached to: OpenSSL: the New Face of Technology Monoculture
OpenSSL is quite shockingly bad code. We often use it as a test case for analysis tools, because if you can trace the execution flow in OpenSSL enough to do something useful, then you can do pretty much anything. Everything is accessed via so many layers of indirection that it's almost impossible to statically work out what the code flow is. It also uses a crazy tri-state return pattern, where (I think - I've possibly misremembered the exact mapping) a positive value indicates success, zero indicates failure, and negative indicates unusual failure, so people often do == 0 to check for error and are then vulnerable. The core APIs provide the building blocks of common tasks, but no high-level abstractions of the things that people actually want to do, so anyone using it directly is likely to have problems (e.g. it doesn't do certificate verification automatically).

The API is widely cited in API security papers as an example of something that could have been intentionally designed to cause users to introduce vulnerabilities. The problem is that the core crypto routines are well written and audited and no one wants to rewrite them, because the odds of getting them wrong are very high. The real need is to rip them out and put them in a new library with a new API. Apple did this with CommonCrypto and the new wrapper framework whose name escapes me (it integrates nicely with libdispatch), but unfortunately they managed to add some of their own bugs...
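
Added example, not part of the comment above and not OpenSSL code: a C sketch of the tri-state return convention the comment describes (positive for success, zero for failure, negative for unusual failure), with a caller that only tests `== 0` beside one that rejects anything that is not positive. `mock_verify`, its toy XOR tag and the sample inputs are hypothetical stand-ins constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>

#define TAG_LEN 4

/* Constructed sample inputs: the toy tag of "hello" and a tag that does not match. */
static const unsigned char MSG[] = "hello";
static const unsigned char GOOD_TAG[TAG_LEN] = {0x07, 0x65, 0x6c, 0x6c};
static const unsigned char BAD_TAG[TAG_LEN]  = {0x00, 0x00, 0x00, 0x00};

/* Hypothetical tri-state check (an assumption for this example, not a real API):
 *   1 = tag matches, 0 = tag does not match, -1 = input could not be processed.
 * The XOR "tag" is a toy checksum, not a cryptographic signature. */
static int mock_verify(const unsigned char *msg, size_t msg_len,
                       const unsigned char *tag, size_t tag_len)
{
    unsigned char expect[TAG_LEN] = {0};
    size_t i;

    if (msg == NULL || tag == NULL || tag_len != TAG_LEN)
        return -1;                          /* the "unusual failure" case */
    for (i = 0; i < msg_len; i++)
        expect[i % TAG_LEN] ^= msg[i];
    return memcmp(expect, tag, TAG_LEN) == 0 ? 1 : 0;
}

/* Flawed caller: treats only 0 as an error, so -1 falls through as "accepted". */
int accept_loose(const unsigned char *m, size_t ml, const unsigned char *t, size_t tl)
{
    if (mock_verify(m, ml, t, tl) == 0)
        return 0;
    return 1;
}

/* Strict caller: zero and every negative value are both rejections. */
int accept_strict(const unsigned char *m, size_t ml, const unsigned char *t, size_t tl)
{
    return mock_verify(m, ml, t, tl) > 0;
}

int main(void)
{
    size_t n = sizeof MSG - 1;              /* message length without the NUL */

    printf("valid tag:     loose=%d strict=%d\n",
           accept_loose(MSG, n, GOOD_TAG, TAG_LEN), accept_strict(MSG, n, GOOD_TAG, TAG_LEN));
    printf("wrong tag:     loose=%d strict=%d\n",
           accept_loose(MSG, n, BAD_TAG, TAG_LEN), accept_strict(MSG, n, BAD_TAG, TAG_LEN));
    printf("truncated tag: loose=%d strict=%d\n",   /* mock_verify returns -1 here */
           accept_loose(MSG, n, GOOD_TAG, 2), accept_strict(MSG, n, GOOD_TAG, 2));
    return 0;
}
```
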

Comment: Re:What?? (Score 1) 88

by TheRaven64 (#46830929) Attached to: WhatsApp Is Well On Its Way To A Billion Users

If by 'any deal' you mean 'any contract' then they generally do come with either unlimited texting or quite a lot, but that's not true for pre-paid plans, which have made up the majority of the market for the last few years. I'm currently with Three, and they charge 3p/min for calls, 2p/min for texts and 1p/min for data - I'd have to spend a lot of time on the phone to come close to the cost of the cheapest contract plan, so they really only make sense for people who use their phone for business, or who haven't worked out that the 'free' phone that they get is really a loan at 50+% APR to buy a phone. For 2p, I can have one SMS or 2MB of data. The latter is enough to keep an IM connection open all day, so I can see the attraction of things like WhatsApp, especially since you can switch to the desktop version whenever you find the keyboard too limiting.

And that's not counting the fact that you can use WiFi when you're somewhere where roaming is expensive, which is the only reason I still have a SIP client installed on my phone: It's cheaper for me to make calls to the UK from the UK over the mobile network, but when I'm abroad (outside one of Three's Feel at Home countries) it's often a lot cheaper to use SIP. Sending text messages abroad is very expensive, but using WiFi is usually free.

Comment: Re:What?? (Score 1) 88

by TheRaven64 (#46830899) Attached to: WhatsApp Is Well On Its Way To A Billion Users
No prepaid plans in the UK come with unlimited texting. You can generally buy a bundle that includes it, but a bundle that provides more data than it's easy to use on a smartphone (without tethering) is generally cheaper and allows you to use email and the web as well as IM apps. I generally pay £1-2/month, and it costs as much in terms of data to have an entire day of IM connectivity as it does to send one SMS.

Comment: Re:openWRT runs, without wireless (Score 1) 109

by TheRaven64 (#46821465) Attached to: WRT54G Successor Falls Flat On Promises

The last time I bought a dedicated device like this, I got a PC Engines WRAP, which is similar to the boards that Soekris sells. For about £100, I got a 266MHz AMD Geode (x86) CPU, a board that could boot from a CF card, and had 3 wired sockets and 2 miniPCI slots (with an 802.11g card in one), a metal case and a couple of antennae. That was quite a few (actually, almost ten) years ago.

The first search result has a similar kit for £139, which is a bit more, but if you shop around you can probably get it for cheaper. That includes a 500MHz x86 CPU and 256MB of RAM, so it will happily run most stock *NIX distributions, or something firewall-centric like pfSense.

Comment: Re:Intentional sabotage? (Score 1) 151

by TheRaven64 (#46821129) Attached to: Next-Gen Thunderbolt: Twice as Fast, But a Different Connector

That's already double what USB provides over data connections, and you shouldn't be drawing much more than that from a notebook anyhow

No, you shouldn't, but the laptop is probably drawing something on the order of 60-85W and there's no reason why it couldn't get that from a power supply in the display, rather than a separate wall wart...

Comment: Re:Thunderbolt does USB, so no. (Also PCIe and HDM (Score 1) 151

by TheRaven64 (#46821121) Attached to: Next-Gen Thunderbolt: Twice as Fast, But a Different Connector
Thunderbolt doesn't do USB, however the fact that it does PCIe means that you can run a USB controller on the other end. You wouldn't want a Thunderbolt mouse, because it would require sticking a USB controller in the mouse as well as a Thunderbolt interface and a load of PCIe bus logic. USB is nice because the client component is relatively simple and can be made very cheap. It's also nice because there are a number of standard higher-level protocols built on top of it (e.g. HID for keyboards, mice and so on, DUN for things that look a bit like modems). Thunderbolt doesn't replace USB, it's the connection that you use between your laptop and the display or docking station that has all of the USB devices plugged into it.
