Author Archive
Wind-Powered Big Rig?
by Agent[31] on May.20, 2011, under Stories, Tech
I had just finished a long day from work and was headed home on the 15 freeway when I encountered an unusual slow-down near my exit. Scanning the road ahead, my eyes caught the blinking lights that would alert me to be cautious and aware. As I got closer the large yellow sign proclaiming, “over-sized load” summed it up for me. Curious, I inspected the truck and its payload. A gleaming white structure, oddly curved, rested its enormous frame along the backbone of the industrial big rig. Bewildered, I pondered to myself what this strange apparition could be. In a matter of seconds it clicked in my head. What I was beholding in front of my bespectacled eyes was the single blade of a propeller of gigantic proportions. To further justify my quick-draw analysis were the partially obscured words blade king. This blade will one day join its brothers to form a new wind turbine somewhere, and I will remember the magnitude of construction even a single blade has from 1 foot away.
This is one of those times that I really wish I had my camera on me, as the blade itself was staggering in size. The truck bed was longer than normal to accommodate the blade length. Height-wise, the blade was at 4 feet at its thickest, and the flat edge was easily my height if not wider. As large as wind turbines may seem from afar, they are even more impressive up close.
Play new game demos without downloading the game
by Agent[31] on Mar.23, 2011, under Gaming, News, Tech
Yes, you read that correctly. Currently www.gaikai.com is offering a service that allows you to play computer game demos right from your browser, no download required! The catch? You need java. However, most people already have java installed on their systems and can play right away. This is an interesting way to try out new games without filling hard drive space. I tried the Mass Effect Demo, and I have to say, it’s pretty playable. You can tell the sound is highly compressed, and there are a few video artifacts, but nothing to be alarmed about.
I think it will be a popular way for advertisers to reach out to users to get some interest in their products. Imagine an ad on the side of a site. Click on it, and it takes you to the game demo, where you can be swayed or dismayed, and possibly buy. Granted, it’s not a game video, so weaker computers will not be able to handle the processing load on the machine as easily and you may find stuttering.
According to Gaikai’s FAQ, their goal will also be to produce demos of software such as that provided by Microsoft or Adobe.
Here’s a screenshot:
and here’s one when bandwidth gets a little screwy:
Gizmodo and the layout of death
by Agent[31] on Feb.15, 2011, under News, Tech
If you are like many other people who peruse gizmodo, you will likely be aware of the recent changes made over at their ring of websites. The newly hailed fresh layout, of which they say:
The new layout looks good
If you don’t believe us, see for yourself.
However most people have either been turned off by the site or have just been left utterly confused as to how to navigate through. Now, I’m not a designer or anything, but I certainly liked the old layout. Which is why I provide you with this alternative! Point your browser to http://www.ca.gizmodo.com and you can have the old layout back in all its glory; at least for the time being. Go ahead and try it, your eyes will thank you.
Can’t Connect to Battlefield Bad Company 2 Servers
by Agent[31] on Dec.22, 2010, under Gaming, News, Tech
I recently purchased BFBC2 on steam because it was on sale for under $10 and prepared to run the game through its paces. The game loaded up perfectly fine, though I had to deal with the normal first initialization by steam: installing directx and punkbuster. Once in the game I decided to test the multi-player functionality so that I could configure my firewall and router settings if necessary (something I always do with a new game or program so I don’t have to deal with it later). Quickly finding that I was unable to connect, I began the usual trawl through forums and guides searching for different causes. I opened ports, ran a port sniffer so I could see what BF was trying to connect with, and added the game to the trusted group in my firewall, all to no avail. The internet posted a multitude of “solutions” mostly following illogical troubleshooting steps. Finally I came across a youtube video that described my problem and proposed a solution that appeared verifiable by several other users. I decided to do as instructed, and not so surprisingly, it worked! I have yet to actually play any multiplayer games, but I have enabled access to EA’s servers.
Okay now to the problem and solution. This guide is written for Vista/Windows 7
If you have properly set up your firewall and allowed access to the correct ports shown below, but receive an error trying to even connect to the EA servers in-game, then the next step to determine if this solution is right for you is to go to: https://profile.ea.com. If you cannot load the page then continue reading, otherwise this solution may not solve your problems.
18390 TCP Outgoing
18395 TCP Outgoing
18395 UDP Outgoing
13505 TCP Outgoing
80 TCP Outgoing
So you can’t access the EA profile page.
What you are going to need to do next is alter a system setting, so make a system restore point beforehand, in case something gets messed up.
After the sys restore is complete, run CMD as an administrator by typing cmd in the start menu search box, then right-clicking on CMD and clicking Run as administrator. Once there you will need to type “netsh int tcp set global ecncapability=disabled” without the quotes of course. The command will run and display “OK” when complete.
That’s it. Now try loading https://profile.ea.com again and see if it loads correctly. If so, try logging in-game. The game should work from there, if not, then perhaps there is a problem with the servers.
Here’s the less verbose walkthrough version:
1. Try to load https://profile.ea.com; if it fails, continue to step 2.
2. Run CMD in administrator mode.
3. Type netsh int tcp set global ecncapability=disabled
4. Hit enter and wait to see an OK.
5. Try to load https://profile.ea.com; if it works, proceed to the next step, otherwise check the command you typed in step 3.
6. Log in in-game.
7. ???
8. Profit
As far as my research has led me to believe there are no inherent security risks to disabling this feature, just perhaps a slight degradation in large file downloads, but for the most part unlikely. If you want the benefits of ECN then you can write a batch file to disable it when you play Battlefield and then another to re-enable after playing. However, ECN only works where both peers (client and server) are utilizing ECN. It is not clear from what I found so far who utilizes this feature, so I do not know what impact you will see.
Thanks to: http://www.youtube.com/watch?v=j6-PEnLBb2s
who got it from: http://www.battlefieldheroes.com/en/forum/showthread.php?tid=41186&pid=359519#pid359519
here’s additional information on the feature we are disabling: http://en.wikipedia.org/wiki/Explicit_Congestion_Notification
Herd the Firesheep
by Agent[31] on Nov.11, 2010, under Tech
The internet has been in a frenzy over Firesheep this last week, and for good reason. This tiny little Firefox add-on makes session hijacking (side-jacking) available to the masses, from the script kiddies to the trouble-making high schoolers and adventurous college students. Strike that. Anyone with Firefox can now wreak havoc.
So what is Firesheep and why might it be the best thing that has happened in terms of security?
To put it simply, Firesheep is merely a Firefox add-on that allows anyone who has it installed on a mac (for windows users you need to install WinPcap first) to instantly log in to someone’s twitter / facebook and a few other sites that are supported.
The way it does this is called session hijacking, which exploits the way these sites handle their secure logins. In order to protect your user credentials, facebook uses https through SSL/TLS to encrypt your password, so that after you fill out the login form and click login, your password isn’t just sent out as text across the internet. If it were, someone could “sniff” those packets and steal your password.
This is the first step in security and most, if not all, sites should be using this. Especially popular sites or sites that do banking or commerce.
Where this falls short, however, is in how the site recognizes who you are after you log in. The website creates a cookie on your computer with an assigned key so that as long as you have it, the website knows that you are connected and logged in from your computer. The problem is that this cookie is NOT encrypted, and all traffic to these sites afterward is done in the clear, through http.
Session hijacking grabs this cookie and basically uses it to access the website. With that credential, the site assumes that it is the original user and you instantly have complete access to the account. This is what firesheep does, now written into a nice gui application that anyone can install and utilize.
Surprisingly for many, this issue is nothing new. As early as 2003 the issue was mentioned and basically ignored. Hackers have used this technique for some time now with a lot of success. What Firesheep has done, quite well in my opinion, is bring to light the large security flaw that is inherent in most websites today.
Steve Gibson of grc and the “Security Now!” podcast is understandably excited about this plugin. It takes a lot to motivate companies to change, and when user security/privacy is involved it is definitely an important issue. Because this tool brings the vulnerability to light and places it in the hands of even the most uneducated of users, it will help push these companies to change their security policies.
So when and where are you vulnerable? For the home user you will usually be safe from this particular exploit. The ones most affected are those who use open wifi such as unprotected WiFi hotspots like Starbucks. Also, users of WEP enabled networks can be attacked by other users on the SAME WEP network as seen in tests by Derek Schauland and posted on Tech Republic. WPA and WPA2 users remain safe, and I want to remind anyone reading that WPA/WPA2 encryption is the minimum you can do to secure your network. In fact it should be required.
Now that you have been sufficiently scared by the implications of all this, what can you do to protect yourself?
The best thing to do is to NOT use unsecured wireless networks such as at Starbucks or any other free wifi spot that does not password protect their networks. If you absolutely need to use WiFi at Starbucks, there are three measures you can take to protect yourself.
- Set up a secure VPN (Virtual Private Network) that you can connect to, which will act as a secure proxy from you to the internet. There are numerous guides on the internet on how to set one up, and perhaps I will one day write an article on that. But it requires another computer for you to connect to, usually a server, but can be your home computer, or even your home router if it supports it (utilizing dd-wrt firmware can give you that option on supported routers).
- You can set up remote desktop using LogMeIn’s remote tool. Their connection is secured by SSL. This will require you using a computer at home with the LogMeIn tool installed.
- Use “HTTPS Everywhere” which is a firefox plugin that will force sites to use https the entire session. The one caveat, the site must be configured to use https or it will not work. Fortunately most large sites should work.
These three tips apply to both Open and WEP secured networks.
So, what needs to be done? The large social sites, as well as large e-commerce sites, should enforce complete https sessions while logged in to protect users’ security. There have been complaints that this would create too much overhead and cost more money and energy. However, Google did this very thing with gmail with no additional machines.
One problem with google though. If you sign in via gmail through https, then start using google.com, you are no longer secured by https and thus can be exposed to session hijacking.
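The gap described above (an https login followed by a session cookie that travels over plain http) can be checked from the site operator's side. The following is an added example, not part of the original post: it audits response headers for session cookies set without the Secure attribute and for redirects that drop from https to http. The hostnames, cookie names and sample responses are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample: (request URL, response headers) pairs modelling an
# https login followed by ordinary browsing, as the post describes.
SAMPLE_RESPONSES = [
    ("https://social.example/login", [
        ("Set-Cookie", "session=8f2c1e; Path=/; HttpOnly"),
        ("Set-Cookie", "lang=en; Path=/"),
        ("Location", "http://social.example/home"),
    ]),
    ("https://mail.example/login", [
        ("Set-Cookie", "session=77ab90; Path=/; Secure; HttpOnly"),
        ("Location", "https://mail.example/inbox"),
    ]),
]

# Assumed names of cookies that carry the login session; adjust per site.
SESSION_NAMES = {"session", "sid", "auth"}


def parse_set_cookie(value):
    """Return (cookie name, set of lower-cased attribute names)."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def audit(url, headers):
    """List the ways this response lets a session cookie travel in cleartext."""
    findings = []
    for key, value in headers:
        key = key.lower()
        if key == "set-cookie":
            name, attrs = parse_set_cookie(value)
            # Without Secure, the browser also sends the cookie over http.
            if name.lower() in SESSION_NAMES and "secure" not in attrs:
                findings.append(f"cookie '{name}' lacks Secure attribute")
        elif key == "location":
            # An https page redirecting to an absolute http URL ends the encrypted session.
            if urlsplit(url).scheme == "https" and urlsplit(value).scheme == "http":
                findings.append(f"redirect drops to cleartext: {value}")
    return findings


if __name__ == "__main__":
    for url, headers in SAMPLE_RESPONSES:
        for finding in audit(url, headers) or ["no cleartext exposure found"]:
            print(f"{url} -> {finding}")
```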
What WiFi hotspot operators need to do: Secure your networks with the minimum of WPA and preferably WPA2! This is the best thing any network admin can do. Even with a shared password WPA/WPA2 users will be more protected and will be completely protected from this iteration of Firesheep.
Well that was a long post. To re-iterate.
Firesheep makes hacking easier.
Open networks = BAD
WEP networks = just as bad
WPA/WPA2 = better
https = best
Finally, I will point out that the real hackers will be able to use workarounds to some of the things I mentioned, but at the very least it raises the bar in terms of protecting you and your connection.
References:
WinPcap
Firesheep
Security Now! with Steve Gibson – Firestorm
Security Now! with Steve Gibson - Listener Feedback & Firestorm
Tech Republic
Session Hijacking @ Wikipedia
HTTPS Everywhere










