Wednesday, January 9, 2008

Security trough Stupidity

Lately, I've been doing some on-line gaming. This is perchance the only place where a PC is still a preferred platform for gaming. The reason why I've started playing is, of course, my girlfriend, who has been playing the game in question for a while, so I wanted to play with her. And that posed a problem. My PC is about 2-3 years old, uses an AMD Athlon64 CPU, but without virtualization support. While Xen works fine with para-virtualized guests, running a guest OS which doesn't support Xen isn't possible. So, I've decided to turn my eye on a commercial product - VM Ware.

Now, VM Ware, unlike Xen, can emulate a PC fully in software enabling users to run, as a guest, a OS which doesn't support virtualization. The problem is that, to create a virtual machine you need a product called VM Ware Workstation, costing about 300 USD. Ouch. However, to run a once created virtual machine, it is sufficient to use VM Ware player which is free, and comes with bundled with the Workstation. So, I've downloaded a trial version of the VM Ware workstation, and I was on my way.

The installation was quick and painless, although a bit lenghtly. I had a copy of XP around the house, so I've dedicated some 6GB of disk space to it, configured VM Ware via a user-friendly GUI and went on with the installation. Some time later, it was done. It takes time, but it gets done. Networking was a breeze, with VM Ware running it's own routing daemon all I had to do is setup a DHCP server, which it recognized, and reused for the virtual network. IN a few hours I had a fully working Windows XP guest running in an isolated environment.

Next step was to install drivers, which is also done using the VM Ware workstation menu. Not really hard, a truly windows-like click-click-click experience. A few minutes later I was aware that the VM Ware PCI graphics adapter had it's drivers installed :). Silly, but it does bring work up to speed and makes it more responsive. The final step, and the biggest reason why I chose VM Ware was - Direct 3D. By simply editing the .vmx file describing the virtual machine, and adding to it's end three lines :

mks.enable3d = "TRUE"
svga.vramSize = 134217728
vmmouse.present = FALSE

I've instructed VM Ware to enable Direct 3D support for the virtual machine. And, as dxdiag confirmed, Direct 3D was working. On to gaming :). I've downloaded the game, and started the installation. Now the installation took literally an hour, but, eventually, it worked. I had a Direct 3D game working under a virtual 3D adapter. Nice! And the nicest thing for home users is : that was the end of need for the VM Ware workstation software. From now on the free VM player could just as fine fire up that virtual machine, and run it, without the need to purchase the full product. How it ran is a different story...

While this is a major thing that VM Ware team did, the software isn't meant to run games, and doesn't do that very well. Now, the dislike goes both ways, and I've heard that the game manufacturers treat VM Ware as a "hacking tool", but still.... To run the game you must first allow the windows PC to fully boot. If you don't give it at least 5 to 10 minutes - it will crash. And I mean BSOD crash. Indeed, I've never seen Windows crash that much - not on a good PC. This is clearly a problem with the virtual machine, showing that, while this does work sometimes, it doesn't work as well as it should. It might be fun and interesting to use, and might even provide a testing ground for very, and I emphasize VERY, simple Direct 3D applications it's just not ready for production. Now, I am aware that it's a hidden, not-in-a-menu option just because of this, but still... It's very rough around the edges. Not working I could understand, error messages yes, but BSOD crashes and the need to reboot the virtual machine? Sorry guys, nice effort, but this software isn't still ready to be used as a test platform. Nice try, I'll continue playing with the player (pun intended), but as much as I need a test bed for my work this just isn't a production tool.

Now, back to the game and the security issues. The game in question, which for now I shall not name, has serious security issues. It's a free game, with income based on an existence of a "Cash shop" inside the game - an Asian concept which does make a lot of income. Players can log in and play for free, but can also purchase items which improve their looks. And we all know looks are everything on-line :). However, the free access policy also created a large number of people who abuse the game and use various "hacks" (small client-side scripts really), to cheat.

The first step the game company took was to use an anti-hacking software. It's one of those tools which load the game it self as a hidden process, disallowing the user to access the game, or even it's memory space directly. Not very elegant but working and, I'm guessing, the reason why they are against VM Ware - it allows you to access the memory of the entire OS, thus preventing such protection. Then again so does an ICE debugger... And, while I do support security, I find this very silly. Secondly, the software also monitors the system in a spyware-like manner, and search the memory for known "hacks". Not too bad an idea, I'd actually like it if the source to the tool was available, but not a very efficient one. You see, this only stops people from using game cracks that the developers are aware of - a new one cannot be detected, and in reality, the game is still full of those dumb kiddies.

Even worse, and the main reason I'm writing this, is the existence of people who steal others accounts. As real money is involved these accounts can be resold for cache, or at least abused. So, they tried to prevent at least that, by stopping the most obvious methods. One of which are, of course, keyloggers. Most of those kids go to warez sites and download various junk. Some even download these "hacks", to find out that they don't work. Or at least, that they aren't "game hacks" but something else. So, for the first time the game company comes up with a good solution. They institute a PIN, a 4 digit code just like on a credit card. And, to prevent keyloggers, the PIN has to be entered on a virtual keyboard by pressing keys with a mouse. And, to top it all of, the key layout is randomised after every key-press. It take a minute to enter a PIN, but the method is really good. Or it was. And here's why I've named my blog as I did.

After several complaints (I wonder form who :) ), the game company has decided to allow players to reset their PIN, trough a website, by simply entering their username and password. In effect they've decided to allow the users to "recover" the only data not collectible by a keylogger by entering data which the keylogger can pick up, and only that data. And they are keeping the anti-keylogger protection. This is just an "extra feature". Go figure.

Wednesday, December 12, 2007

The death of the Workstation

Long gone is the Unix Workstation. Even Sun is no longer going as SUNW, but as JAVA. Software is the new game. And, for the most part, I love it. Linux has matured and is an excellent workstation OS. Solaris is moving forward in giant steps lately and still has an edge, at least IMHO. And Mac OS, the latest Unix(TM) OS looks just fine. Just one of these is an original workstation OS, but at least the new players are a nice replacement. AIX still lives, but it was never popular. HP/UX seems to be gone from the workstation market, and Tru64 and IRIX are no more. But they aren't the reason the workstations died. Hardware is.

In the old days workstations were proprietary, well optimized for their tasks and expensive. Now, they are mostly PC based, and only Sun still makes UltraSparc Workstations (hurray for the return of the Ultra name), but those look a lot like PC's too. Simply put Xeons and Opterons gave us several gigaflops on the desktop, and we don't need more. It's just fine. Also, nVidia gave us the Quadro graphics which, in general 3D can run circles around the Wildcats, Creators and Impact graphics of the day. No complaints from me. The new CPU's support virtualization and are an excellent tool for both the developers and technical users, and the new cheap graphics are just wonderful. What I'm missing is the other stuff.

First, we seem to have lost the idea of purpose building. While this has brought the cost down, we lost something in the way. Sure, major vendors put in ECC memory, good PSU's and high-quality motherboards, but all of those machines just look the same. It's not just that I miss the good looks of the SGI O2, I miss expansion options. Now your typical workstation is just a PC with several graphics slots and not much else. Even if you do get extra slots you have to look for options elsewhere, the manufacturers offer graphics, and nothing else. And that is what we really lost: I/O. Back in the day a workstation had a lot of I/O. You rarely saw a bus, like PCIe of today, instead there were ASICS, bridges and even crossbar switches in Octane2 or Sun Blade 2000. In those machines there were no bottlenecks, any piece of I/O had it's own dedicated bandwidth. Sure, RAM was slower, but it was more closely matched to CPU speed and well interleaved so that, unlike today, CPU had to wait for a lot less cycle's for RAM. Old SGI O2's could map video as a texture for rendering graphics in real time. It wasn't because of the great CPU, it was because they had an ASIC to do it, and a dedicated datapath to transfer the data. But since most people don't want to pay for that these days, we ended up with generics. Generics who work fine for most people, most of the time, but still can't replicate all the performance of a ten year old machines.

As if that wasn't enough, look at the hard disc. While i do ADORE the fact that I can get the same storage in 10 times less space, for 10 times less money and using 10 times less power I somehow still feel robbed. Probably because I've ended up with 10 times less uOPs as well. Solid state is being promised for almost a decade, but there is still no one offering something even comparable to a modern SAS drive, or a few of those. So, economics wins, and we and up with slow drives. People storing mp3's don't care, and they make the economy work.

While economics of scale do work, and do bring advantages, we seem to have lost a lot on the way. We all love faster CPU's but we are wasting them most of the time. I rarely see my CPU being utilised over 10%, and my I/O is always slow. We made a trade-off to get a lower price, but did we make a good one? I'm having a feeling that what we're getting is just what you would get if you would've swapped a trusty IBM Model-M for a new wireless, bluetooth, low-profile flat keyboards with 13 extra buttons, volume control, backlit and with a smart card reader. I don't know about you, but I still own a Model-M. It's sturdy, reliable and it works. And it still has the best tactile feeling I've ever experienced. It's nice to have new features, but I first and foremost need my keyboard to provide a good typing experience, and that is what Model-M does. Now, we have all the new features, but instead of the buckling springs we get a piece of rubber. It's cheap.

The sad truth is that the Workstation is dead. No more nice and reliable machines. If the fact people now call Dell as a workstation vendor doesn't convince you nothing will. The PC has won and, for better or for worse, you're stuck with it. At least we got something in return - the software. Linux, Solaris and OpenSolaris bring many innovations to the desktop (I'm not an Apple user, at least for now). Virtualization, new file systems like ZFS, and tools like DTrace make desktops a great place to be, and something I'll probably blog a lot. But somehow, something is missing. I just feel like those old workstations had a soul.

Sunday, December 2, 2007

A sad, sad state of the gaming industry.

This is a strange way to start blogging, but someone has to say it. I am a computer professional. I have worked as a system administrator for the last seven years, and have been a geek as long as I remember. Both my girlfriend and me are avid gamers. We spend a lot of money on games, even today, since we used to believe that people in the game developers are professionals and have the right to be paid. Now, I feel like an idiot. I am honestly embarrassed to be working in the same industry as them. Never again will I but a PC game. Here's why:

Back in the days we both played a lot. She was always fond of the Sims, and I played RPG's. We both enjoyed playing titles like Baldur's Gate and Icewind Dale together. Neverwinter was amazing, we bought a new computer just to play that. I own both regular games, and box sets. I even own a copy to play at work. And, I live in Serbia. For those unaware it is a country which used to have incredible piracy rates. No one was even selling original games, and even today you can buy pirated copies on the street, if you know where to look. The reason I bought games was respect for the developers, not availability. I enjoyed them, and I wanted to pay what I taught was fair.

Today we have copies of NWN 2 and the Sims2 with all expansions. We bought those as well. NWN turned out to be unplayable. The entire game was a bad cliche, with the already seen story, and the only thing new about it was the graphics engine. Looking at it, they should've sticked with the old one. The latest release of the original game has a graphics almost as nice, and, unlike the old one, has no problems. The new one is so buggy it's unplayable. Starting with the red sky, which drove me crazy to places where the game got in a loop simply repeating the single cutscene over and over. And that is nothing compared to the Sims 2 experience... Now, it's not my kind of game, but my girlfriend likes her Sims. It relaxes her after a hard day. Now, it just pisses her off... The game always comes out with a ton of new bugs. Some just never get fixed. But the worst is the "copy protection" mechanism. I'm not about to say that SecuROM is junk, but our Windows PC just refuses to work after the games gets started. The "protection" just doesn't unload. This isn't just a joke issue, my e-banking gets silly, and that is not a joke. And it's not even a CD protection issue: we bought the game from "EA Link", online, and downloaded it. So, we got a CD copy protection, for a game without a CD. Why? I have no idea.... maybe so that we don't miss on the wonderful experience. :). And the download manager itself is also just peachy - it sometime just loses all the downloads, and, if we want to reinstall the game we have to re-download all 8GB of data...

We finally ended up playing the Sims with a no-CD crack. Yup, we cracked a perfectly legal game. Why? Because it just works better like that. And we don't play any new games anymore. The only thing that might have a point are online games, they are relatively free of that junk, since they can use normal authentication. As for the traditional games, I'm never buying that again. The game companies need to realise that circumventing copy protection is easy, and it's existence counterproductive. My PC isn't a "gaming" machine, it's my property. They have no right to treat me like a thief in a start, and take over it "just to make sure".

So what will we do? For a start we will not support the gaming industry anymore. Not the PC one, at least. We are considering getting a game console. She will switch to a Mac, I will stick to Linux. The first looser is Microsoft, but that is their problem. I'll probably be blogging about them a lot, so I'll just skip them this time. The second are game makers, since we'll probably never again buy a game we're not SURE are good. And I recommend you do that also. Stop paying for junk, buy only the games you will get your money's worth out of. Don't support them in taking over OUR computers. Stop being an idiot and thanking the companies for "letting you play their game" like most kids today do, demand that for what you've paid for. With today's pervasive internet there is NO reason for invasive copy protection. Don't let them get away with unfinished products, if the games are buggy, bug the developers. Make them pay twice as much for customer support as they would've payed for QA instead of skipping on it. And refuse to buy something that doesn't work. Go to the store and ask for a refund if you can. Money is the only thing the game companies understand, so take it away from them. Make them change or go bust. That's the only way they'll understand.