Broken Stuff and Security Concerns

By Shamus Posted Wednesday Jan 10, 2018

Filed under: Notices 51 comments

Yes, the forums are down. Yes, I realize you can’t edit your own comments. Let’s talk about that.

On my Linux-based webserver, there is a user account linked to me. This “shamus” account owns all the files: All the PHP scripts to drive the blog, all the scripts to run the forums, and all the images and other random files that make the site operate. Under normal circumstances, the entire file structure is designed so that only my user can upload, delete, and modify files.

However, you need to make some exceptions. For example, I run a WordPress plugin that makes weekly database backups. This plugin needs to be able to save these backups, which means that I need to make the backup directory writable for all users, not just the “shamus” user. (PHP, MySQL, and other processes are owned by the root user.) Otherwise, the backup plugin would run but it wouldn’t be allowed to save the resulting backup to disk.

So I need to make a few spots on the machine where processes not owned by me can put files. This alone isn’t enough to compromise the security of the machine, although it’s often considered something to be avoided if you can help it. The danger is that it may provide an attack vector for potential hackers. If there’s a vulnerability in either WordPress (the software that runs the blog) or PhpBB (the software that runs the forums), then an attacker would be able to write files to these directories.

Here is a fictitious example of how something like this could work: Let’s say the forum offers a feature where users can upload their own profile image. You’re supposed to upload a JPG or PNG image file. These files end up in /forums/profileimages/. In order for this feature to work, I need to set the permissions of /forums/profileimages/ so that anyone can write to that directory. Let’s say the people who wrote the forum software didn’t do their job and the forums don’t make sure that what the user uploaded was actually an image. Like, maybe they uploaded a PHP script. This allows them to put new pages on my site, and those pages can do all sorts of nasty things.

Now, they can’t just put those pages anywhere. Those pages can only end up in /forums/profileimages/, and only the attacker will know about them. Once the upload is done, the attacker can then manually type in the URL like so:

shamusyoung.com/forums/profileimages/badpage.php

This will cause the script to run and do whatever it’s supposed to do. This doesn’t give the attacker full control over the machine. (They can still only put new files in directories I’ve had to leave open.) They can’t re-write the blog or attack visitors directly, but this is still an alarming situation that allows them to see a lot of stuff they shouldn’t.
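The fix for the scenario above is for the upload handler to decide what a file is from its contents, not from the name the uploader gave it. The following is an added example of that check in Python; it is not the forum software’s code. The /forums/profileimages path is taken from the scenario, while the size limit, the accepted formats and the function names are assumptions made for illustration.

```python
import os
import secrets

# Leading bytes ("magic numbers") of the two formats the upload feature is meant to
# accept. Checking these instead of the filename extension is what separates a real
# image from a PHP script that was simply renamed to end in .png.
IMAGE_MAGIC = {
    "jpg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
}

# Upload directory from the post's hypothetical scenario.
UPLOAD_DIR = "/forums/profileimages"


def detect_image_type(data: bytes):
    """Return 'jpg', 'png', or None, judged from the file's own bytes only."""
    for kind, prefix in IMAGE_MAGIC.items():
        if data.startswith(prefix):
            return kind
    return None


def validate_upload(client_filename: str, data: bytes, max_bytes: int = 2 * 1024 * 1024):
    """Decide whether an uploaded profile image may be stored.

    Returns (True, kind) for an acceptable JPG/PNG, or (False, reason) otherwise.
    The client-supplied filename is consulted only to catch a mismatch; it is
    never trusted as evidence that the content is an image.
    """
    if not data or len(data) > max_bytes:
        return False, "size"
    kind = detect_image_type(data)
    if kind is None:
        return False, "not an image"
    ext = os.path.splitext(client_filename)[1].lower().lstrip(".")
    if ext == "jpeg":
        ext = "jpg"
    if ext != kind:
        return False, "extension mismatch"
    # Defence in depth: a file can carry a valid image header and still contain a
    # PHP open tag further in. Refusing it costs nothing for genuine profile pictures.
    if b"<?php" in data or b"<?=" in data:
        return False, "embedded script"
    return True, kind


def storage_path(kind: str, upload_dir: str = UPLOAD_DIR) -> str:
    """Choose the stored filename on the server side, so the uploader controls
    neither the name nor the extension of what lands in the writable directory."""
    return os.path.join(upload_dir, f"{secrets.token_hex(16)}.{kind}")
```

Pair a check like this with a web-server rule that refuses to execute scripts from the upload directory, so that a file which slips past the check is served as inert bytes rather than run when someone requests its URL.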

This is a very simplified explanation. The actual method of attack is a lot more complex and to be honest most of it is beyond me. But this is the idea in broad strokes.

A couple of months ago Peter and I discovered some files on the site that were not owned by the “shamus” user. (Peter doesn’t comment often so you might not know him, but he has been providing technical and hardware support to this site for a long time.) Files like this:

lprvpluh.php
pvkmnwoj.php
onrvyxwg.php
ukwwtgwx.php

Always the same pattern: A PHP file with a gibberish eight-character name, probably generated at random. These files contained highly obfuscated PHP code and were not part of the normal file structure of either WordPress or PhpBB. More importantly, they are obviously malicious in nature.
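As an added example (not the tooling Shamus and Peter used), here is a scanner in Python for the three signals the post describes: files not owned by the expected user, .php files sitting in a directory that had to be left writable, and eight-letter gibberish names ending in .php. It also flags world-writable directories, since the post’s hardened end state is that there are none. The directory layout and the list of writable directories are assumptions; the sample tree it builds is constructed and borrows only the filenames quoted above.

```python
import os
import re
import stat
import tempfile

# Directories the post says had to be left writable for plugins and uploads
# (assumed paths). A .php file appearing in one of these is the pattern described.
WRITABLE_DIRS = ("forums/profileimages", "wp-content/backups")

# The observed naming pattern: eight lowercase letters, then .php.
RANDOM_PHP_NAME = re.compile(r"^[a-z]{8}\.php$")


def _under(rel_dir: str, parents) -> bool:
    """True if rel_dir is one of `parents` or nested inside one of them."""
    return any(rel_dir == p or rel_dir.startswith(p + os.sep) for p in parents)


def scan_webroot(root: str, expected_uid=None, writable_dirs=WRITABLE_DIRS):
    """Walk `root` and return sorted (relative_path, reason) findings.

    Reasons: 'owner' (file not owned by expected_uid), 'php in writable dir',
    'random 8-char name', and 'world-writable dir'. expected_uid defaults to
    the current user, standing in for the site owner's account.
    """
    if expected_uid is None:
        expected_uid = os.getuid()
    writable = {os.path.normpath(d) for d in writable_dirs}
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = os.path.normpath(os.path.relpath(dirpath, root))
        for d in dirnames:
            # Any directory other users can write to is a place for new files to appear.
            if os.lstat(os.path.join(dirpath, d)).st_mode & stat.S_IWOTH:
                findings.append((os.path.normpath(os.path.join(rel_dir, d)), "world-writable dir"))
        for name in filenames:
            rel = os.path.normpath(os.path.join(rel_dir, name))
            st = os.lstat(os.path.join(dirpath, name))
            if st.st_uid != expected_uid:
                findings.append((rel, "owner"))
            if name.lower().endswith(".php") and _under(rel_dir, writable):
                findings.append((rel, "php in writable dir"))
            if RANDOM_PHP_NAME.match(name):
                findings.append((rel, "random 8-char name"))
    return sorted(findings)


def build_sample_tree() -> str:
    """Create a constructed sample web root in a temp directory and return its path.

    The filenames mirror the post (lprvpluh.php, pvkmnwoj.php); the layout and the
    file contents are made up. Modes are set explicitly so the result does not
    depend on the umask.
    """
    root = tempfile.mkdtemp(prefix="webroot-")
    files = {
        "index.php": b"<?php // legitimate front controller ?>",
        "forums/profileimages/avatar.png": b"\x89PNG\r\n\x1a\n",
        "forums/profileimages/lprvpluh.php": b"<?php /* placeholder for obfuscated code */ ?>",
        "wp-content/plugins/pvkmnwoj.php": b"<?php /* placeholder for obfuscated code */ ?>",
    }
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
        os.chmod(path, 0o644)
    for dirpath, dirnames, _ in os.walk(root):
        for d in dirnames:
            os.chmod(os.path.join(dirpath, d), 0o755)
    # Only the upload directory is left open, as the post describes.
    os.chmod(os.path.join(root, "forums", "profileimages"), 0o777)
    return root


if __name__ == "__main__":
    for path, reason in scan_webroot(build_sample_tree()):
        print(f"{reason:22s} {path}")
```

Run against a real web root as the site owner, the ownership check alone would have surfaced the files described above, since they belonged to whichever account the web server runs as rather than to “shamus”.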


Peter and I have been battling this mess for the last month or so. We deleted all the suspect files, tightened up directory access, and then hoped we’d fixed the problem. Then a few weeks later the mystery files would show up again and we’d have to start over.

Last week the files showed up for the third time, and so we went to maximum paranoia level. We wiped WordPress clean and started over with a fresh install. We uninstalled the forums completely. This machine is now as locked down as we can make it. There are no directories with write access. This would break several of the WordPress plugins I use, but since I haven’t installed any plugins that’s not a problem yet.

If the problem returns, then I’ll need to contact my host and have them wipe the machine clean and start over. I’d hate to do that, since it would result in a ton of downtime. (The blog has about 1.2 gigabytes of images, and I don’t have a very fast upstream connection. That would be a long upload. Not to mention the time required to restore the databases and re-install everything.)

I’ve deliberately left out a lot of details on the off chance that the attacker actually reads the blog. (This is unlikely. These kinds of attacks are often done by bots.) So if you’re thinking of asking, “Why don’t you guys just X?”, then keep in mind we probably did X but I’m leaving it out of this explanation.

So that’s why the forums are gone and all of our quality of life plugins are missing from the blog. It’s a known issue. We’re still investigating. If all goes well, then we’ll eventually get back comment editing and all the other little plugins we’re used to.


Dénouement 2017: The Best Stuff

By Shamus Posted Tuesday Jan 9, 2018

Filed under: Industry Events 132 comments

Other people have pointed out in the comments that this has been an amazing year for games, but as luck would have it the really stand-out titles came from platforms and genres that I’m just not into. Nintendo had a good year. (Mario, Zelda.) JRPGs had a good year. (Persona, Nier.) Online PvP was doing some interesting things. (PUBG, For Honor.) It wasn’t a bad year for collect-a-thons. (Assassin’s Creed Origins, Shadow of War.) And we got some genuine oddities that tried new things and succeeded. (Sexy Brutale and Cuphead.) But for various reasons, none of that stuff landed in my wheelhouse.

So while I’m not brimming with enthusiasm for the offerings of 2017, I acknowledge it was still a pretty good year overall. It just wasn’t my year. (Aside from my top pick.) Anyway, let’s finish this chalk outline I’m drawing around 2017 so we can send it off to the morgue…

Continue reading ⟩⟩ “Dénouement 2017: The Best Stuff”


The Best of YouTube: Andrew Huang

By Shamus Posted Sunday Jan 7, 2018

Filed under: Random 64 comments

If you’re on this site, then you probably have some passing knowledge of tabletop roleplaying games. Likely as not, you found me through this webcomic. Which means you know how it works when you create a character: You roll some dice, and the outcome determines your stats. Maybe you roll a 12 for Strength, a 13 for Charisma, a 3 for Wisdom, a 9 for Intelligence, and so on. The numbers fall on a bell curve, with the low and high values (3 and 18) being far less likely than the values in the middle of the range.

I actually experimented with this way back in 2006. The odds of you rolling the dice and getting a magical super-character with all of their stats set to 18 are an astounding 1 in 101 trillion. So if a player showed up to your game with such a character you’d feel pretty safe calling them a cheater, right? I mean, it’s obvious.

Now imagine they do one worse. Imagine they’re not just cheating at a roleplaying game. Imagine they’re blatantly cheating at real life. That’s what Andrew Huang is doing.

Huang runs a YouTube channel where he posts weekly videos about his experiments and adventures in music-making. I don’t know the full list of instruments he plays, but I know it includes keyboards, guitar, drums, and violin.

All by itself, that’s a little suspicious. It’s not unheard of or anything, but when someone has mastered that many instruments they’re clearly way ahead of the curve.

But then on top of that he’s also a composer and lyricist. And a singer with a pretty good range. Still not convinced he’s cheating at life? How about the fact that he’s also a rapper with amazing speed and he has a keen understanding of what makes music compelling.

Okay, I hear you saying this isn’t necessarily cheating. After all, guys like Beck have all these skills while also mastering a dozen instruments. It’s rare, but not impossible.

What if I told you he was also an accomplished sound engineer, producer, and that he is able to work in almost any genre? Is that pushing the limits of credulity for you yet?

Now maybe you’re thinking this is still possible if someone dedicates their whole life. Like sure, you can accomplish all of this, but by the time you’ve mastered the big stuff you’ll be a dumpy middle-aged person. But Andrew is young.

And fit.

And handsome.

And he’s funny.

And he’s got a talent for making fun YouTube videos, which is another skill set entirely apart from the music stuff. Oh, and let’s not forget the time he did a rap song that incorporated five different languages. I mean come on, man. Did you think we wouldn’t notice?


Anyway. It’s a really cool channel if you don’t mind the flagrant stats inflation.

Envy? What envy? I have no idea what you’re talking about.


Overhaulout Part 11: The Ugly Factory

By Rutskarn Posted Friday Jan 5, 2018

Filed under: Video Games 93 comments

The internet quakes with hatred for Little Lamplight, but besides a few dismissive complaints about flashbang logistics I’ve not heard anyone talk about Vault 87. This leads me to a small and admittedly contestable digression about how modern Fallout games are discussed by their fanbases. My survey methodology consists of Reading Too Many Internet Comments, so feel free to rebut with your own and be sure to include an appropriately scornful reaction gif.

By now I think I’ve read an equal amount of straightforwardly fannish discussions of Fallout 3 and New Vegas. I’m excluding here discussions about which one is better, or fun conversations co-opted into a dominance battle by salty New Vegas fans, or even nuanced goods-and-bads critical shakedowns. Basically, I’m just talking about low-key conversations where someone brings up either game and it sets off a chain of people complimenting it. Said positive discussions about Fallout 3 focus around two subjects:

  • The extemporaneous experience of playing the game (“I loved just roaming the Wasteland, dog at my side, gun in my hand, picking my nose, full bowl of cereal, she hadn’t left me yet, exploring ruins…”)
  • A dozen or so “hit” quests, characters, or locations (“Remember the Vault with the Garys? Moira? Megaton? Paradise Falls? North Korea, South Korea, Marilyn Monroe?”)

Whereas the New Vegas conversations focus far less on the extemporaneous experience, but cover a much larger area of the written and planned content, to the point where I can’t say confidently that I’ve never read a discussion of almost any quest or character.

Assuming you buy any of my ad hoc sampling salad, you’ve got two faction-coded inferences to choose from: “A lot of Fallout 3’s content isn’t very interesting” and “Obsidian’s bad at creating an experience that transcends its content.” I’d actually hedge somewhere in the middle, but for obvious reasons that first idea’s more relevant to this project, and I’ll follow it up with this one:

Nobody talks positively about Vault 87 because it’s nowhere near as good or interesting as it should be.

Continue reading ⟩⟩ “Overhaulout Part 11: The Ugly Factory”


Borderlands Part 23: The Big Googly Eye of Helios

By Shamus Posted Thursday Jan 4, 2018

Filed under: Borderlands 30 comments

Once the player is done with the robot “army” thing, the team returns to Helios Station to kick the bad guys out. On one hand, it’s nice to get off the moon and see some fresh scenery. On the other hand, I really miss my low-gravity double-jump ground-pounding. I guess I’m just never happy.

As part of re-taking the station, we have to rescue a bunch of scientists. These aren’t generic nobodies. These are named, voiced characters with unique personality quirks and character models. Which leads us to…

Continue reading ⟩⟩ “Borderlands Part 23: The Big Googly Eye of Helios”


Dénouement 2017: The Good Stuff

By Shamus Posted Tuesday Jan 2, 2018

Filed under: Industry Events 123 comments

A reminder that while I do arrange these best-of lists into numerical order and I do try to push my favorites to the top, you shouldn’t read too much into the placement of individual entries. If you handed me the titles from my 2015 list and told me to put them in order from worst to best, I have only slightly better odds at recreating my 2015 ordering than a random number generator.

Also, I’ve decided that once a game appears on this list, it can’t appear on a later one. I realize that games change significantly from Early Access to release to Major Updates Three Years Later and you could argue that the final form of the game differs from the original far more than any two subsequent Call of Duty sequels. You could make the case that it’s practically a different game now, so maybe it should be eligible to win again. But this would be boring. If games were allowed to win in multiple years, then Minecraft would have dominated from 2010 to 2014. If we go strictly by hours played, then Factorio ought to win again this year.

The No-Show List

The spelling of NIER will never not drive me crazy. Dunno why, but I want to spell it ANY OTHER way.

Before I talk about the winners, here are some games I really wanted / intended to play this year but missed out because I procrastinated, forgot, was busy with other games, or didn’t discover them until the end of the year.

Continue reading ⟩⟩ “Dénouement 2017: The Good Stuff”


Borderlands Part 22: Stay Awhile and Listen

By Shamus Posted Thursday Dec 28, 2017

Filed under: Borderlands 19 comments

I’m not going to try to review the Pre-Sequel quest-by-quest. We’re doing a quick (by the standards of this site) overview of the plot. We’re not so much concerned with the “save the moon” plot, and instead I’m just examining the moments in the game dealing with Jack’s fall to the dark side.

Anthony Burch has writing credit on this game, which is odd because very little of the game feels like his work. For example…

Why is Everyone So Nice?

'ere to 'elp, if the price is roight!

The character Pickle feels like an attempt to reverse-engineer the appeal of Tiny Tina. You’ve got a child character with an “adorable” design, but they’re also corrupted in some way. Tina is a demolitionist, and Pickle is a thief. But Tina subverts the “mischievous child” trope by having her “adorable mischief” be murderous destruction. Pickle doesn’t subvert anything. His Oliver Twist accent is trying pretty hard to be cute and there’s nothing really dark or subversive about his design or character. There’s nothing edgy or strange about this kid. He feels like a character that wandered in from a Disney cartoon.

Part of the texture of Borderlands 2 is that everyone – good guys and bad guys alike – is a little crazy. Moxxi, Scooter, Marcus, Hammerlock, and Zed are all a little nuts and have occasional moments of surprise sadism in their character. For contrast, here in the Pre-Sequel we end up with a few characters who are just regular nice people. Pickle is kind and sane. Gladstone – who we meet later in the story – is nice and friendly with no creepy quirks or sadistic hobbies. Felicity is an AI that’s been held prisoner by a gang of nutters and forced to be their “girlfriend”, and yet she’s friendly, clear-headed, and not at all insane.

Speaking of Felicity being an AI…

Earlier in this series I said:

[Head writer Anthony] Burch likes to do this thing where he’ll go for a really obvious joke or twist, and then telegraph that he knows that you know where the joke is going. It becomes this sort of meta-joke about expectations. He did this in the situation with the totally un-suspicious power core when Angel betrayed everyone in Borderlands 2. He did it in the sidequest No Hard Feelings. He did it again with Pyro Pete in Torgue’s Campaign of Carnage. He built an entire character around this gag with Captain Scarlett in the Pirate DLC. Likewise, Crawmerax has a section where you have to track down a bunch of assassins, only to discover they’re already dead. After the first couple it stops expecting you to be surprised and instead begins poking fun at how everyone knows where this joke is going.

In contrast, this game sets up this situation where you’re looking for a “military-grade AI”. You meet Felicity over the radio, and even though her radio portrait shows her as human, it’s obvious early on that she’s the AI you’re looking for. But instead of telegraphing this and using the available tropes for humor, the game plays it straight and acts like you’re really supposed to be surprised. Pickle is the first to figure it out, and even then it’s only after the truth is too obvious to ignore. And then Felicity congratulates Pickle for being so clever, which means the writer is sort of patting themselves on the back for pulling off this twist, whether it surprised you or not.

To compare authorial voices:

Borderlands 2: “Yeah, you’re a smart player and I know I can’t fool you. Still, these situations are kinda funny when you think about them, right?”

Borderlands Pre-Sequel: “Gotcha! Good twist, right?”

It’s not wrong. It’s not like this is some terrible crime against writing or anything. It’s just that you can really see the difference in writing style here, and that difference is one of the reasons Pre-Sequel doesn’t feel as vibrant or as funny as its predecessor.

Continue reading ⟩⟩ “Borderlands Part 22: Stay Awhile and Listen”