info
Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
Bot Hack Perfect World
2 views
Skip to first unread message
Adele Maione
Dec 5, 2023, 11:58:09 AM12/5/23
to
Perfect World is set in the world of Pangu where three major tribes, Humans, Winged Elves and Werebeasts coexist. It is a world of magic and high fantasy featuring the Chinese creation myth as its backdrop and leveraging on a rich and diverse oriental setting.
Bot Hack Perfect World
Download File https://urllio.com/2wItj3
> You don't, however, incur any liability for RF designs that you publish for free - just because I can look up your design on the Internet, or in a library, doesn't mean that I get to blame you if the design doesn't work for me.It's all well and good and works fine in a world where companies don't blindly take designs software from the Internet and use these to build and sell RF designs software.
Right, but I'm arguing that software is currently broken, precisely because we let companies (of all scales, from one-man-bands through to multinationals) act like hobbyists are allowed to act.Software mixes things in one huge lump precisely because we make no distinction between hobbyists and commercial interests - we're all one big lump of software, and things that are acceptable when it's just me having fun are also considered acceptable when it's one of the world's biggest companies making huge amounts of money.As a consequence of this, we don't have an equivalent to the hierarchy of hazard controls for software security issues; we rely on individual engineers' judgement calls. As a result, we have what looks to me like the equivalent of PPE or administrative controls in hazard handling being touted as an important control to prevent software security issues - and yet (AFAICT, looking at how PyPI actually works here), it's being implemented as theater (you need your 2FA token and password to generate an access key, that access key can then be used unlimited number of times for uploading the project, without need for further 2FA).And Google has a problem regardless of whether it can exclude LtWorf from PyPI - unless LtWorf is completely banned from writing Python, it is always possible that a Google employee will copy-and-paste LtWorf's code into Google's systems, and then go through Google's review process to merge that change. Because the controls affect not the code itself, but the process around the code, Google can still end up depending on LtWorf's code, with all the liability that that carries. The only way for Google to keep LtWorf's code out of their codebase is for Google to not use any code that anyone wrote outside Google. Open source community split over offer of 'corporate' welfare for criticaldev tools (Register) Posted Dec 5, 2022 14:49 UTC (Mon) by khim (subscriber, #9252) [Link]
The relevant comparison is "this code was uploaded to PyPI with apparently LtWorf's username and a password looking similar to a password associated with that username stolen from a hacked shopping site last week". Sure, the 2FA adds only marginal utility *if everything else is done properly*. However, humans being humans, cut corners. Passwords are reused, passwords can be bruteforced, passwords are leaked. 2FA cannot be brute-forced, which is especially important for online services where attackers literally have all day to guess passwords. Applications and programs that generate 2FA values are by and large written in a way that makes accidental leaking quite difficult. Physical tokens are gold standard, but ridiculous overkill for the vast majority of cases.
It doesn't really matter if LtWorf is a person or a group. Whether they shared the 2FA token with their co-developers isn't really an issue either. Trust is built on previous interactions, not a 2FA token. The point is, it's almost certainly not a bot from Russia that's randomly scanning lists of usernames/passwords. That's the threat we're protecting against here. Not whether LtWorf is trustworthy or not.
Open source community split over offer of 'corporate' welfare for criticaldev tools (Register) Posted Dec 6, 2022 10:22 UTC (Tue) by farnz (subscriber, #17727) [Link]
The goal of 2FA isn't to prove it's LtWorf beyond all reasonable doubt. It's to prove it's *not* a Russian bot beyond all reasonable doubt. It's for drive-by attacks, not targeted attacks. If someone is targeting you specifically, you have more to fear from a $5 wrench.I don't see how you can say the incentives don't align. If your account get hacked and malicious software uploaded in your name, it's your reputation that's harmed. I'm a bit wary of sites without 2FA support, I've seen too much of the dark side of the internet to feel truly comfortable without it. Open source community split over offer of 'corporate' welfare for criticaldev tools (Register) Posted Dec 6, 2022 14:49 UTC (Tue) by farnz (subscriber, #17727) [Link]
That's not how it works. The Russian bots are going around around randomly brute-forcing/guessing passwords on any popular site. It doesn't care if it's PyPI. When it finds valid credentials it adds it to a list of for-sale leaked passwords on the darkweb. There someone sees that a bot has uploaded credentials for PyPI, buys them and performs a targeted attack.
Similar to how bots randomly hack machines on the internet and then sell the access to third parties. Why hack machines yourself when there are professionals who pave the way for you? The people running the bots are earning a living that way, they're not interested in the actual PyPI attack.
The long-term token issue is a different problem. It's probably a long randomly generated string so not amenable to brute-forcing, you have to actually steal it from the owner's machine. Passwords tend to be short and non-random. So it's a completely different problem requiring a different solution. Protecting the user account with 2FA however prevents new long term tokens being created without the owner's interaction, and secures the notification path to the owner because the email address can't be changed. Rotating the tokens would probably be an improvement though (but uploading from a CI pipeline needs to remain possible).
(Incidentally, I hope someone is monitoring for hacked PyPI credentials on the darkweb, would certainly reduce some of the risk.)
Open source community split over offer of 'corporate' welfare for criticaldev tools (Register) Posted Dec 5, 2022 19:43 UTC (Mon) by pizza (subscriber, #46) [Link]
It's hard to imagine many other games having as much of an "event" status then when Blizzard decides to announce a game. An impeccable pedigree and an admirable-yet-frustrating love of perfectionism, it's hard to imagine living in a world where Diablo III actually is actually out. It had to come out eventually but the long running jokes about its lengthy development time, delays and Blizzard's tinkering with game mechanics left us excited and just as nervous about the sequel to one of the best and influential games around. Launch day issues set aside, Diablo III is quite the remarkable and it's one of the downright fun games to come out and more than makes up for the lull in terms of releases but even then, it isn't entirely perfect and it's hard to tell whether this'll be the same long-lasting game Diablo 2 was but it's still an enjoyable experience.
Taking place 20 years after the events of Diablo 2, the game centers on new heroes sent to investigate a fallen star crashing into the cathedral near Tristram. Inside were Deckard Cain and niece Leah who were researching the possibility of an impending apocalypse. With Leah safe in town and Cain missing, you're sent to find out what exactly crashed into the cathedral and over the course of the game's 4 acts, you learn of the demons of Hell coming to unleash its armies on the world, the battle between them and the Angels and you taking on the biggest threat of them all, Diablo himself.
Blizzard has done some really cool things to make the story feel a little bit more dynamic. Each class, now with both genders, has a voice and a personality which makes them feel more like actual characters rather than the unremarkable loot wearers of previous games. In-game cutscenes along with Blizzard's beautiful trademark CG cinematics help make the story more engaging. Followers return from previous games only this time they too have a voice and talking with them will reveal more about the back story, where they came from and why they're following you. On the other hand, the story can be disappointing where the writing at times can be fairly poor and certain twists are easily predictable. It's not the most mindblowing story in the world but the mythology, game's events and locales make up for it.
And yet still with all of this, Diablo 3 is not entirely without flaws and chief among is its online-only setup. There's absolutely no option to play offline if you're without internet or servers are down which makes for really annoying experiences when you actually experience lag when you're playing on your own or a game you can't even access because of server issues. One primary reason is Diablo 3 introduces an auction house where you can buy useful items, put yours up for sale, and further into the game's life cycle, buy and receive items using real money. At first it becomes easy to excuse: Diablo 2 was practically ruined by bots, hackers and people spamming their shifty websites in chat so by having a Blizzard controlled and moderated way to get gear, police anybody trying to hack its game or broadcast their websites then drop back out makes a compelling argument for its DRM. And yet more than once, I've been unable to access the game or have been lagged out of it so this is a feature you're going to have to learn to live with or just not bother which is a shame because there's a great game when you actually get to play.
An object location only provides the location of the object, whence the reader can see the world from the object's POV. The pleasant thing about a GSV link is that it provides by automation a good place to stand, and direction to turn, to see the object. This pleasant and informative view is what, in my (this time metaphorical) view, should be regularized with use of the template, or rather of a more general template if someone smarter than me can make one. Jim.henderson (talk) 02:10, 6 April 2010 (UTC)Reply[reply]
eebf2c3492
Bot Hack Perfect World
Download File https://urllio.com/2wItj3
> You don't, however, incur any liability for RF designs that you publish for free - just because I can look up your design on the Internet, or in a library, doesn't mean that I get to blame you if the design doesn't work for me.It's all well and good and works fine in a world where companies don't blindly take designs software from the Internet and use these to build and sell RF designs software.
Right, but I'm arguing that software is currently broken, precisely because we let companies (of all scales, from one-man-bands through to multinationals) act like hobbyists are allowed to act.Software mixes things in one huge lump precisely because we make no distinction between hobbyists and commercial interests - we're all one big lump of software, and things that are acceptable when it's just me having fun are also considered acceptable when it's one of the world's biggest companies making huge amounts of money.As a consequence of this, we don't have an equivalent to the hierarchy of hazard controls for software security issues; we rely on individual engineers' judgement calls. As a result, we have what looks to me like the equivalent of PPE or administrative controls in hazard handling being touted as an important control to prevent software security issues - and yet (AFAICT, looking at how PyPI actually works here), it's being implemented as theater (you need your 2FA token and password to generate an access key, that access key can then be used unlimited number of times for uploading the project, without need for further 2FA).And Google has a problem regardless of whether it can exclude LtWorf from PyPI - unless LtWorf is completely banned from writing Python, it is always possible that a Google employee will copy-and-paste LtWorf's code into Google's systems, and then go through Google's review process to merge that change. Because the controls affect not the code itself, but the process around the code, Google can still end up depending on LtWorf's code, with all the liability that that carries. The only way for Google to keep LtWorf's code out of their codebase is for Google to not use any code that anyone wrote outside Google. Open source community split over offer of 'corporate' welfare for criticaldev tools (Register) Posted Dec 5, 2022 14:49 UTC (Mon) by khim (subscriber, #9252) [Link]
The relevant comparison is "this code was uploaded to PyPI with apparently LtWorf's username and a password looking similar to a password associated with that username stolen from a hacked shopping site last week". Sure, the 2FA adds only marginal utility *if everything else is done properly*. However, humans being humans, cut corners. Passwords are reused, passwords can be bruteforced, passwords are leaked. 2FA cannot be brute-forced, which is especially important for online services where attackers literally have all day to guess passwords. Applications and programs that generate 2FA values are by and large written in a way that makes accidental leaking quite difficult. Physical tokens are gold standard, but ridiculous overkill for the vast majority of cases.
It doesn't really matter if LtWorf is a person or a group. Whether they shared the 2FA token with their co-developers isn't really an issue either. Trust is built on previous interactions, not a 2FA token. The point is, it's almost certainly not a bot from Russia that's randomly scanning lists of usernames/passwords. That's the threat we're protecting against here. Not whether LtWorf is trustworthy or not.
Open source community split over offer of 'corporate' welfare for criticaldev tools (Register) Posted Dec 6, 2022 10:22 UTC (Tue) by farnz (subscriber, #17727) [Link]
The goal of 2FA isn't to prove it's LtWorf beyond all reasonable doubt. It's to prove it's *not* a Russian bot beyond all reasonable doubt. It's for drive-by attacks, not targeted attacks. If someone is targeting you specifically, you have more to fear from a $5 wrench.I don't see how you can say the incentives don't align. If your account get hacked and malicious software uploaded in your name, it's your reputation that's harmed. I'm a bit wary of sites without 2FA support, I've seen too much of the dark side of the internet to feel truly comfortable without it. Open source community split over offer of 'corporate' welfare for criticaldev tools (Register) Posted Dec 6, 2022 14:49 UTC (Tue) by farnz (subscriber, #17727) [Link]
That's not how it works. The Russian bots are going around around randomly brute-forcing/guessing passwords on any popular site. It doesn't care if it's PyPI. When it finds valid credentials it adds it to a list of for-sale leaked passwords on the darkweb. There someone sees that a bot has uploaded credentials for PyPI, buys them and performs a targeted attack.
Similar to how bots randomly hack machines on the internet and then sell the access to third parties. Why hack machines yourself when there are professionals who pave the way for you? The people running the bots are earning a living that way, they're not interested in the actual PyPI attack.
The long-term token issue is a different problem. It's probably a long randomly generated string so not amenable to brute-forcing, you have to actually steal it from the owner's machine. Passwords tend to be short and non-random. So it's a completely different problem requiring a different solution. Protecting the user account with 2FA however prevents new long term tokens being created without the owner's interaction, and secures the notification path to the owner because the email address can't be changed. Rotating the tokens would probably be an improvement though (but uploading from a CI pipeline needs to remain possible).
(Incidentally, I hope someone is monitoring for hacked PyPI credentials on the darkweb, would certainly reduce some of the risk.)
Open source community split over offer of 'corporate' welfare for criticaldev tools (Register) Posted Dec 5, 2022 19:43 UTC (Mon) by pizza (subscriber, #46) [Link]
It's hard to imagine many other games having as much of an "event" status then when Blizzard decides to announce a game. An impeccable pedigree and an admirable-yet-frustrating love of perfectionism, it's hard to imagine living in a world where Diablo III actually is actually out. It had to come out eventually but the long running jokes about its lengthy development time, delays and Blizzard's tinkering with game mechanics left us excited and just as nervous about the sequel to one of the best and influential games around. Launch day issues set aside, Diablo III is quite the remarkable and it's one of the downright fun games to come out and more than makes up for the lull in terms of releases but even then, it isn't entirely perfect and it's hard to tell whether this'll be the same long-lasting game Diablo 2 was but it's still an enjoyable experience.
Taking place 20 years after the events of Diablo 2, the game centers on new heroes sent to investigate a fallen star crashing into the cathedral near Tristram. Inside were Deckard Cain and niece Leah who were researching the possibility of an impending apocalypse. With Leah safe in town and Cain missing, you're sent to find out what exactly crashed into the cathedral and over the course of the game's 4 acts, you learn of the demons of Hell coming to unleash its armies on the world, the battle between them and the Angels and you taking on the biggest threat of them all, Diablo himself.
Blizzard has done some really cool things to make the story feel a little bit more dynamic. Each class, now with both genders, has a voice and a personality which makes them feel more like actual characters rather than the unremarkable loot wearers of previous games. In-game cutscenes along with Blizzard's beautiful trademark CG cinematics help make the story more engaging. Followers return from previous games only this time they too have a voice and talking with them will reveal more about the back story, where they came from and why they're following you. On the other hand, the story can be disappointing where the writing at times can be fairly poor and certain twists are easily predictable. It's not the most mindblowing story in the world but the mythology, game's events and locales make up for it.
And yet still with all of this, Diablo 3 is not entirely without flaws and chief among is its online-only setup. There's absolutely no option to play offline if you're without internet or servers are down which makes for really annoying experiences when you actually experience lag when you're playing on your own or a game you can't even access because of server issues. One primary reason is Diablo 3 introduces an auction house where you can buy useful items, put yours up for sale, and further into the game's life cycle, buy and receive items using real money. At first it becomes easy to excuse: Diablo 2 was practically ruined by bots, hackers and people spamming their shifty websites in chat so by having a Blizzard controlled and moderated way to get gear, police anybody trying to hack its game or broadcast their websites then drop back out makes a compelling argument for its DRM. And yet more than once, I've been unable to access the game or have been lagged out of it so this is a feature you're going to have to learn to live with or just not bother which is a shame because there's a great game when you actually get to play.
An object location only provides the location of the object, whence the reader can see the world from the object's POV. The pleasant thing about a GSV link is that it provides by automation a good place to stand, and direction to turn, to see the object. This pleasant and informative view is what, in my (this time metaphorical) view, should be regularized with use of the template, or rather of a more general template if someone smarter than me can make one. Jim.henderson (talk) 02:10, 6 April 2010 (UTC)Reply[reply]
eebf2c3492
0 new messages