Tradewars Rising on Facebook

Got Facebook and some time to kill? Want to take a stroll with me back to the 70s and 80s?

TRADEWARS RISING

See you out there. . .

Remember the days of yore when there was hardly an IP packet transmitting around the Internet? Do you recall a thing called a modem, and the communities of geeks and nerds that frequented Bulletin Board Systems at all hours? If you do, then you are going to love this!!! I used to host the Blue Moon BBS out of Brampton, Canada. I had a registered copy of Tradewars 2002, and had about 100 – 200 regular players. I recently got in touch with the author of that old and wonderful game…

Turns out Sylien Games has brought the old Tradewars BBS game to Facebook. Now, this is not the same ascii and ansi graphics presentation (which I personally enjoyed), it has all been reworked and built from the ground up! If you prefer to play outside of Facebook, check out the Sylien website. They host free and premium games, just like the old days. Look for me. I’ll be the noobish looking fella in the shiny new escape pod…

PLAY TRADEWARS® RISING WITH FRIENDS
Our purpose is to increase how much fun players are having in the game. A big way to do this is to increase the amount of people playing, so what we’ve done lately is to create the Tradewars® Rising Facebook application. Using this tool, you can easily invite a lot more people to the games you are playing, hence more fun!

Since this is a new application, it may still have a few odd bugs in it, so we're asking any able player out there to check for odd behavior and report it to us by e-mail. For now, we're considering it BETA.

First thing to do is INSTALL THE APPLICATION. It takes only a minute.

Then, send us an e-mail at support@sylien.com after you have done the following:
• Played the game a while within Facebook
• Published a promotion or a player kill to your Friends' walls
• Invited some Friends to install the application
Giving us feedback on all three points will help us improve the application. In return for the feedback, we'll give you 30 days Premium time (or extension).

The more players we have in games, the more fun they will be! So let's all use this new tool!
Next step for us will be to fix a few bugs that our wonderful community discovered over the last while, so stay tuned for bug and feature fix updates.

STAYING IN TOUCH
Often we leave hints and other more up to date news directly on the Tradewars® Rising website, so visit it often to stay up to date.
To keep well informed, you may want to follow us on Twitter.

Play, have fun, and be creative, always!

The Sylien Team


Light March Patch-Tuesday

Microsoft has published their Security Bulletin Advance Notification for March 2010. There are only two security bulletins expected for next Tuesday, patching against 8 vulnerabilities. Both appear to contain patches against remote code execution, but are only rated as Important. IT admins will appreciate getting a little bit of a break after February’s nearly record-breaking patch bundle.

The advance notification discloses few details, but does help admins prepare by providing warning of the number and severity of the security bulletins expected to be released, as well as a general idea of the type of vulnerability and the platforms affected.

The first bulletin affects Windows XP, Vista, and 7. A successful exploit could result in an attacker being able to execute malicious code remotely on the target system.

The second security bulletin affects Microsoft Office. The advance notification specifies that Office XP, 2003, and 2007 for the PC are all affected, as well as Office 2004 and 2008 for the Mac. In addition to the full versions of Office, there are a number of other peripheral applications that are also affected. The Open XML File Format Converter for Mac, Excel Viewer, Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats, and both the 32-bit and 64-bit versions of Microsoft Office SharePoint Server 2007 are impacted as well.

Both issues would require a user to open a specially crafted file. There are no network-based attack vectors.

Microsoft defines their rating of Important as “A vulnerability whose exploitation could result in compromise of the confidentiality, integrity, or availability of users' data, or of the integrity or availability of processing resources.”

Microsoft Advance Notification

Windows Users Patch Every 5 Days

Secunia reports that the typical home user running Windows is expected to patch software every 5 days on average.

"It’s completely unreasonable to expect users to master so many different patch mechanisms and spend so much time patching," said Thomas Kristensen, the chief security officer of Secunia. The result is that few consumers devote the time and attention necessary to stay atop the patching job, which leaves them open to attack.

That may be unreasonable, but unfortunately necessary. Secunia's FREE Personal Software Inspector (PSI) can help. According to Secunia, of the users who ran PSI the last week of January, half had 66 or more programs from 22 or more vendors on their machines. PSI scans PCs to produce a list of vulnerable software. Users are then directed to the appropriate vendor patch site for updates. Nearly 2 million copies of the tool have been downloaded since Secunia debuted it in 2007.

Secunia will release a technical preview of PSI 2.0 in the next six weeks, which will include automatic updating functionality similar to Microsoft's update programs. Before the end of the year, Secunia should have PSI 2.0 wrapped up. "Updating is complicated, and we need to get it out to users so they can give us feedback," said Kristensen. Although PSI 2.0 is based on technology in Secunia's Corporate Software Inspector along with Microsoft's Windows Server Update Services (WSUS), PSI 2.0 will remain free for consumers. Kudos Secunia!

"We want to promote patching," Kristensen said when asked why Secunia is expending resources on a product it's giving away. "People know Microsoft's patch service, Windows Update, but that's not the only updating mechanism they have to deal with. They have to patch Adobe software three, four times a year, and QuickTime, which is frequently exploited. That's why we think this will make a difference."

Secunia has published a white paper that details its PSI scan findings (download PDF).

Download a FREE copy of PSI from Secunia today!  Check out CSI for your company while you’re at it.

CISO Lays It On The Line @ RSA

Representing the average customer, Tim Stanley, CISO of Continental Airlines, had the opportunity to ask vendors and researchers direct questions regarding patches and vulnerabilities at the RSA 2010 Conference. "Microsoft knows about a bug, researchers know about a bug, but I'm the guy who paid for the software. When am I gonna know? … And don't tell me about the pains you have in determining what has to be fixed, I don't care. You're in the software business, you're writing code, that's what you're supposed to do. If you can't handle it, get out of the business."

A panel discussion brought him in and put him on the dais with Microsoft, Adobe and HD Moore. He wasted little time making his displeasure known. I am pleased to hear that he tossed cold water on some opening remarks regarding the exposure timeframe from the discovery of a bug to when a patch is released, as well as on some points about the importance of constant communication between vendors and researchers.

"I love the love-fest between the vendors and researchers, but quite honestly, I don’t give a hoot.  I’m the consumer, the guy who paid for the product that I expect to be correct in the first place.  I’m perturbed with the relationships going on.  The issue becomes a matter where the people paying for the product need to be better represented in this process," Stanley said.

Discussion hit on all the usual topics: vendor triage, prioritization of patching, how zero-day vulnerabilities impact patch cycles, regression testing, and the quality and stability of patches.

HD Moore, famous for the script kiddie tool MetaSploit for example, called responsible disclosure of vulnerabilities a vendor-created delay tactic. He opined that as a researcher reporting bugs, he's at the vendor's mercy. Because the vendor controls the patch release cycle, the vendor determines when his research work becomes public. Too bad, so sad. Publicity is everything, it seems. "If you have evidence that something is being exploited in the wild and a vendor has not patched it, at that point is the vendor irresponsible or you for not reporting?" I only wish that the question was turned back to HD, asking who is responsible if he publishes code publicly before or even shortly after a patch is available, or creates a plug-and-play module that simplifies exploitation.

I have nothing personal against him, but HD Moore needs to smarten up. I hope nobody is buying what this guy is peddling. He is NOT the savior of all software and the elected dispenser of patch-justice. Yes, the vendors don't move fast enough; yes, we can make them move faster by releasing dubious "admin" or "pen-test" labeled tools like MetaSploit and its modules that allow any clown with a PC to exploit serious threats. Yes, HD stands to make a boat-load of money for himself and the company that bought his "product" (or, as I'm sure he'd prefer, funds his research). In my most humble of opinions, this is aiding and abetting an attacker to commit whatever crime they commit, and the authors of such tools and the companies that they work for/with/through should be accountable, regardless of whatever disclaimers are posted in their EULA.

I might not have all of the answers regarding what should be done to get vendors patching their mistakes faster, but lighting a house on fire to get the people to come out so you can save them from smoke inhalation is probably not the best route to take. If "responsible disclosure" is a process that isn't working, then fix the parts that aren't working, or provide a better one: one that meets the needs of those that the researchers and the vendors are supposed to be serving. Why not advise the vendor, give them a REASONABLE amount of time to patch, and if they don't produce, release NEWS that you have discovered a serious vulnerability (if you don't cry wolf, you will gain credibility) and have the vendor (or a trusted, impartial third party that is not seeking profit) confirm it. If the vendor still doesn't take action, start legal proceedings. A couple of class-action suits and they will probably get interested in patching, or better yet, cleaner coding practices…

There are too many self-serving and egotistical researchers and vendors already, running roughshod, cowboy style, across the windswept plain that is the Internet. Time to clean up this one-horse town.

C-Net RSA 2010 Article List