Month: October 2003

Enno, there’s a .dat attachment on your emails!

~ Enno ~ 3 Comments

No, that’s not a virus. And no, there’s nothing with a .dat attachment on my emails, even though Outlook Express wants you to believe it. It’s a digital signature. It looks like this:

Content-Type: application/pgp-signature

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1.2.2-nr2 (Windows XP)

Comment: Using GnuPG with Thunderbird -http://enigmail.mozdev.org

iD8DBQE/fSqo2FTH6fnzT0IRAv81AJ42L5GD3XrqN0Sv/

ksXaKvcOCuQhgCeOlgy9FaROdCRoGB3Qd6lunjKDvk=

=NHUe

-----END PGP SIGNATURE-----

What it does is to confirm that this email is actually written by me, and noone tempered with it. It’s like putting my signature under a written letter, only more safe against tampering.

Why is this such a problem for some people? Outlook Express. This degenerate piece of shit software decides that “if I don’t know what it is, I’ll make it look funny, invent an extension for it, and oh, while I’m at it, I’ll also not show my user the plain-text parts that I *could* understand, but pretend it’s in a .txt file attachment. And on the default security settings, it removes them:

If you’re an Outlook Express user, this is pretty annoying. But trust me, the mails from Outlook Express users are painful, too – and not because of a fault in anyone’s mailtool but the sender’s. So if it’s okay for the OE users to send their non-standard borked emails, I don’t see why I should stop sending my perfectly standdard-compliant emails just because OE doesn’t want to handle them.

“But Enno”, you’ll say, “don’t you care about whether people can read what you write?”. Yes I do. But the people I really care about are tech-savvy, and they don’t use mailtools that are old and broken. The standard for MIME (RFC 2048) will be 7 years old next month, and standard for OpenPGP/MIME (RFC 2440) will be 6 years old by then. They were practically invented before Microsoft realized that the Internet was something that mattered to them. Plenty of time to implement them. And about time to shrug, shake your head and go on with life. OE is dead.

Half Life 2 source leaked

~ Enno ~ Leave a comment

All major news outlets are reporting this today: IGN.com, Slashdot, GameSpot

It’s not a fake. It’s probably on bittorrent everywhere by now. Valve’s Gabe Newell made a statement on their messageboards explaining how it happened. It’s a typical tale of corporate security. They have something extremely valuable on their network, and all it takes to hack in is to get the clear text passwords of a webmail account, and customizing an existing trojan.

Everyone needs to learn that having a virus scanner isn’t enough to protect you from a direct attack. With the amount of bugs in Internet Explorer, Outlook and Outlook Express that are still unfixed, using them in an environment like this is plain crazy. And putting any business mail on a webmail account is a stupid, stupid thing to do. And yet I know that it’s the most common thing in the world, at least in every games company I know.

Here’s the full text of the statement:
Ever have one of those weeks? This has just not been the best couple of days for me or for Valve.

Yes, the source code that has been posted is the HL-2 source code.

Here is what we know:

1) Starting around 9/11 of this year, someone other than me was accessing my email account. This has been determined by looking at traffic on our email server versus my travel schedule.

2) Shortly afterwards my machine started acting weird (right-clicking on executables would crash explorer). I was unable to find a virus or trojan on my machine, I reformatted my hard drive, and reinstalled.

3) For the next week, there appears to have been suspicious activity on my webmail account.

4) Around 9/19 someone made a copy of the HL-2 source tree.

5) At some point, keystroke recorders got installed on several machines at Valve. Our speculation is that these were done via a buffer overflow in Outlook's preview pane. This recorder is apparently a customized version of RemoteAnywhere created to infect Valve (at least it hasn't been seen anywhere else, and isn't detected by normal virus scanning tools).

6) Periodically for the last year we've been the subject of a variety of denial of service attacks targetted at our webservers and at Steam. We don't know if these are related or independent.

Well, this sucks.

What I'd appreciate is the assistance of the community in tracking this down. I have a special email address for people to send information to, helpvalve@valvesoftware.com. If you have information about the denial of service attacks or the infiltration of our network, please send the details. There are some pretty obvious places to start with the posts and records in IRC, so if you can point us in the right direction, that would be great.

We at Valve have always thought of ourselves as being part of a community, and I can't imagine a better group of people to help us take care of these problems than this community.

Gabe

Palm m130 & Keyboard

~ Enno ~ Leave a comment

Palm ZireIch hatte vor einer Weile einen Palm Zire. Den habe ich gekauft, weil er günstig war, und ich eigentlich einen Palm nur als “erweitertes Gehirn” für Notizen, Adressen und evtl. Mail lesen auf der Busfahrt brauche.

Gestört haben mich aber dann doch zwei Dinge: Zuerst einmal das fehlende Backlight. Das Display ist in der Dämmerung schwer zu lesen, nachts unmöglich. Wenn man in einem Land lebt, wo es im Winter so früh dunkel wird wie hier, ist das unmöglich, aber auch im Sommer hat es schon gestört.

Und dann die Tastatur. Ich bin wirklich schnell mit Graffiti, aber trotzdem braucht das Aufschreiben seine Zeit, und vor allem kann ich nicht gleichzeitig schreiben und denken oder zuhören, weil es volle Konzentration braucht. Und der Zire läßt sich ja nicht erweitern wie andere Palms.

Palm m130Also habe ich mir dann einen m130 gekauft. Der hat Farbe (brauche ich nicht), ein Backlight, 8 MB und den Erweiterungsslot für die Tastatur. Was er nicht hat, ist den direkten USB-Anschluß, den der Zire hatte. Warum nicht, ist mir ein Rätsel, denn das war echt klasse: Der Zire braucht keine Dockingstation, und er lädt sich sogar über USB auf (langsamer als über Netz, aber immerhin). Der m130 braucht naturgemäß mehr Strom (Farbdisplay und schnellerer Prozessor), und man ist auf den Cradle angewiesen.

Das beste aber ist die Tastatur. Ich habe bei meiner letzten Deutschland-Reise für 44 Euro ein Logitech TypeAway Keyboard gekauft, das ist kleiner als das Keyboard von Palm, aber ideal für unterwegs im Zug oder für Meeting-Notizen und um schnell mal emails aus der Hüfte zu schiessen. Oder für blog-Einträge 🙂

Logitec TypeAway Keyboard