Happy Thanksgiving From The Internet, Yahoo Video, And WKRP!

Wow!  Yesterday’s PETA turkey massacre reminded me of an old episode of WKRP in Cincinnati.  To my amazement, I found a video clip from it uploaded onto Yahoo Video!  Isn’t technology great?  I just had to share this holiday classic!


PETA - Wishing You A Very Unhappy Thanksgiving!

Yes, you read that right.  PETA, apparently none too happy with people breeding turkeys and killing them to stuff ourselves on just for a holiday, has gone and put up a gruesome web game: Cooking Mama, The Unauthorized PETA Edition: Mama Kills Animals.

I’m guessing their idea is to so badly gross out the kiddies that they no longer want to eat a deliciously prepared dead animal.  There’s plenty of blood and guts (in cartoon form of course) to delight the sicko in all of us.

Oh … wait … that can’t be right, can it?

Well, hell.  Maybe it can.

If you like cartoonish blood and guts and sick twisted preparation of a Thanksgiving feast, it’s actually kind of funny.  Though I’m thinking they could have worked a little harder on making the interface.  Some of it is quite a challenge, not because it’s actually challenging, but because the instructions are vague at best and don’t show up right away.  I guess that adds to the replayability?  That or the frustration was an intentional psychological push.

But as you grossly prepare your Thanksgiving feast with Mama, you get rewarded with different PETA movies that I guess are meant to make you like eating animals even less.  And wallpapers.  And eventually you get rewarded with a bonus round of preparing a tofurkey.  (I’ve cooked one before, and they’re not stunningly great, but not a bad solution for the vegetarian in your family.)  PETA is trying to turn us away from meat.

Meh.

If they think so.

Let’s face it, a Thanksgiving turkey feast is tradition.  A cute video game isn’t going to make any impact one way or the other.  And frankly, I think PETA really did the opposite of what they intended to on this one.  If you don’t mind a little sicko, it’s a cute game.  But then I’m an adult, and used to help Grandpa ax off turkey heads by holding them down on the stump and then setting them free to run around headless, squirting blood everywhere, on the nice fresh snow.  Certainly not a childhood delight, but at least I always knew what my food was.  Frankly, I think any such lesson for kids these days, be it in cartoon game form like PETA is offering, or in real life experience, is good for the kids.  Yes little Suzie, that’s where your hamburger comes from.  Yes little Timmy, these cute little chicks grow up to be dinner.

After all, when the apocalypse comes, they’ll still know how to make a Thanksgiving dinner.  And isn’t that what really matters?

I think the bigger concern here is actually, what happens if your child enjoys this PETA game a little too much…


A Trio Of Bad Ideas - Windows Vista Employee Timekeeping, US Army USB Sticks, And Apple MacBook DisplayPort

Windows Vista Employee Timekeeping:

The first bad idea comes to light as a series of lawsuits against employers.  Their bad idea?  Tying in a time-keeping system for logging hourly employee hours into the startup and shutdown of an employee’s Windows Vista PC.  At first glance the idea sounds reasonable enough.  You identify how many hours an employee has worked by how many hours their computer has been on.  Simple and efficient.  Way better than some error-prone clock and paper stub system, right?

Well.

…Err…

Wrong.

Hence the lawsuits.  Now you’d think Microsoft might be to blame in this one, because everyone loves to blame Microsoft and it is Windows Vista.  And in a way Microsoft is to blame… just not legally.  The problem, you see, is that in some cases Windows Vista is taking over 15 minutes to start up or shut down.  And so employees on this computer-driven clock are sitting there for fifteen minutes at startup before being “clocked in” and likewise again at shutdown before being “clocked out”.  In these really bad cases, that’s a half of an hour a day that the employee is not being paid.  At five days a week that’s two and a half hours of unpaid time.  It adds up fast.  Even the employees who suffer less because they have faster PCs are still accumulating hours and hours of unpaid time over the course of their employment.  And obviously, to them, that stinks.

Clearly the idea of using the computer for timekeeping is in need of some adjustment.

US Army USB Sticks:

So you’re a soldier in the Army.  You don’t always have access to a nice handy network for delivering files.  So you have your handy-dandy military issued USB stick.  It’s a simple solution to data mobility.  Which is great.  Until some schmuck brings in a virus.  Uh oh!

Yeah.

The Agent-BTZ worm, a modification of the SillyFDC worm, has been thrashing the US Army so badly that until they get it nailed down, no one is allowed to use any portable media solution.  No USB sticks!

Once the infection is removed, military issued portable media will be allowed once more.  But all of those naughty naughty soldiers and civilian contractors will have to stop using their own personal devices.

It actually comes as a surprise that the US Army didn’t see this coming.  Or maybe they did but they had no solution.  It seems like Windows’ autorun feature would be the first hurdle to tackle.  In a high-security environment, it’s kind of bad to just automatically run executable code when you stick a device into a PC on a highly secured network.  Next, it would be a good idea to do the opposite: run a security program to scan any device for viruses automatically when it’s plugged into such a computer.  (Or even on any CD/DVD/Blu-ray/etc.)  And then of course, obviously, control the use of non-issued media.  There are always rules about such things, but never complete enforcement.

Because keyloggers and remote executables on highly sensitive military servers are “A Bad Thing”.
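
To make the first two measures concrete, here is an added example (not part of the original post) that decodes a Windows `NoDriveTypeAutoRun` policy value and scans a stick's `autorun.inf` for entries that would launch a program. The sample file, the function names and the `at_risk` rule are assumptions made for illustration.

```python
# NoDriveTypeAutoRun policy bits: a set bit turns autorun OFF for that drive type.
DRIVE_TYPE_BITS = {
    0x01: "unknown",
    0x04: "removable",
    0x08: "fixed",
    0x10: "network",
    0x20: "cdrom",
    0x40: "ramdisk",
}

# Constructed sample of an autorun.inf as it might sit in the root of a USB stick.
SAMPLE_AUTORUN = r"""
; constructed sample, not taken from any real device
[AutoRun]
open=setup.exe
icon=folder.ico
shell\open\command=setup.exe
label=Backup
"""

def exec_entries(autorun_text):
    """Return (key, command) pairs in [autorun] that launch a program."""
    found, in_autorun = [], False
    for raw in autorun_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or line.startswith(";") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()
        if key in ("open", "shellexecute") or (
            key.startswith("shell\\") and key.endswith("\\command")
        ):
            found.append((key, value.strip()))
    return found

def autorun_enabled_types(policy_value):
    """Drive types for which the policy value leaves autorun switched on."""
    return [name for bit, name in DRIVE_TYPE_BITS.items() if not policy_value & bit]

def assess(policy_value, autorun_text):
    """Flag media that carries launch entries on a host that still honours them."""
    entries = exec_entries(autorun_text)
    exposed = "removable" in autorun_enabled_types(policy_value)
    return {"exec_entries": entries, "at_risk": bool(entries) and exposed}
```

A policy value of `0xFF` switches autorun off for every drive type, so the same stick is reported with its launch entries but `at_risk` is false.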

Apple MacBook DisplayPort:

So you bought a shiny new Apple MacBook, and you’re all happy.  You hook up your old monitor to it (or one you bought on discount, et cetera) using a DisplayPort to DVI or VGA connector and sit down to watch this great video you bought from iTunes to celebrate your new purchase.

Only to have your new computer tell you that you can’t play your protected content on your unprotected screen.

Doh!

Yeah.

Because Apple’s DisplayPort is basically an HDMI port, using a built in copy-protection system like HDMI’s High-bandwidth Digital Content Protection (HDCP).  Only, because it’s Apple, they made it proprietary and call it DisplayPort Content Protection (DPCP).  It’s basically the same thing.  Before it will play, the media player asks if the media displayer (the monitor or TV) can decode the encrypted signal it’s about to send to it.  If it can’t do so, it doesn’t play.  This keeps pirates from grabbing an unencrypted video mid-stream and recording it.

There’s just one problem.  Apple’s DisplayPort is basically new and basically unused, because it’s proprietary.  So there aren’t many monitors or TVs out there that support it, and certainly buying a new one is expensive.  And Apple, the micro-managing control monster that they are, don’t give you unprotected VGA or DVI ports on MacBooks.  So you can’t connect your monitor or TV up to your MacBook in a way that skips this annoying layer of DPCP copy protection.  You have to do it through the protected DisplayPort in some way.  Meaning, basically, you’re screwed.  So you either have to buy a brand new Apple monitor, or settle for watching the video on your little laptop screen.  (Is there even a TV that will support it?)

You see, this is where PCs have that awkward advantage.  Because PC manufacturers really don’t care.  They’re not there to control your every move.  In fact, they’re quite “open”.  So even though your PC might have a similar (though much more widely used standard) HDCP copy protection over an HDMI cable connection, it will also have a DVI or VGA port (or even component, s-video, or composite video cable option) where it will let you connect up to any old TV or monitor and play your protected videos.

I don’t think Apple really appreciated the number of MacBook owners that would, you know, actually use iTunes?  Or Apple just didn’t appreciate the number of people that actually wanted to watch their videos on a screen larger than a laptop?

Hmm…

Either way, Apple is not exactly impressing customers with this.

And so long as Apple continues to ship notebooks with only a DisplayPort (no DVI or VGA port) Apple customers will continue to have this problem.

At least until some inspired hack builds a DisplayPort to DVI converter that uses the converter to respond back to the MacBook that all is secure instead of letting the monitor/TV do that.  But that would probably be illegal as it’d circumvent security measures.


USB 3.0 “SuperSpeed” Finalized!

Now we only have to wait a year for devices to start actually using it.

But yes, you heard right.  “SuperSpeed” USB (hopefully to always just be known as USB 3.0 as I am not going to be asking people if they have a “SuperSpeed” port) had its specs finalized.  So now we can get a move on replacing that darned old USB 2 standard.

Okay, so on a more serious note, USB 3 seems to not entirely use the same cable.  Somehow the port is meant to be backward compatible so that USB 2 and 1 devices can plug in, but USB 3 devices will be physically different.  And the cables themselves will be more like ethernet cables than USB cables with a lot more wires inside.  Though rumor has it that an optical system in USB 3 may even be in the works.  Goodness knows how this is all going to work out.  It sounds rather like a mess to me.  The more complex a system is, the more places for things to go wrong.

But on the plus side, compared to USB 2’s 480 Mbits/s speed, USB 3 will have 5.0 Gbits/s, which is a bit over 10x faster.  This is handy, as disk drives keep getting larger and larger.  Also, while USB 2 and 1 have used a single direction (unidirectional) data flow, USB 3 will have full duplex flows.  That’ll be nice.  Plus this time around power management and rest/sleep states will be a part of the spec from the beginning, so we’ll be getting better energy savings.  Green is always good.

Now comes the hard part: waiting.  The spec may be finalized, but the production doesn’t seem to have been jumped on by pre-spec hopefuls, so literally, the production only now begins.  R&D using the new spec is just starting.  First the electronics and chips to put into USB 3 device controllers and in the USB 3 devices themselves have to be developed.  For that matter, the cables too.  And then the crap that actually uses these like motherboards, add-on cards, joysticks, external disk drives, web cams, et cetera all have to be worked on.  It’ll likely be 2010 before USB 3 devices really come to market in earnest.  That’s over a year, and a long time to live with USB 2 when you know that something better is just around the corner.


Microsoft’s Seven Year Delayed Patch - The Saga Continues

You might have thought that with Microsoft’s “Patch Tuesday” fix of the seven year bug, things would be over.  And in a more perfect world, they would be.  Unfortunately we don’t seem to live in that more perfect world.

The problem is, according to sources like Metasploit, it ain’t over yet.

“The MS08-068 patch addresses this attack only in the case where the attacker connects back to the victim,” says Metasploit.  In fact, Metasploit goes on to say, “The patch does NOT address the case where the attacker relays the connection to a third-party host that the victim has access to.”

And since this is quite possible to do, it basically means that Microsoft’s “fix” amounts to nothing for any dedicated attacks.

So what does Microsoft have to say about it?  Well, let’s take a gander over here, where Christopher Budd speaks.

Let’s see. “At a high level, the behavior that was discussed in the original SMBRelay attack is related to some of the basic behavior of the legacy NTLM protocol.”  Okay, congratulations on being able to throw acronyms around.  “When this issue was first raised back in 2001, we said that we could not make changes to address this issue without negatively impacting network-based applications.”  Well … yeah.  Obviously fixing the problem would mean changes to every application that uses the faulty code.  It’s a lot of work.  Something that should have gotten on right away, instead of being put off.  But why do that when you can procrastinate?

“We did say that customers who were concerned about this issue could use SMB signing as an effective mitigation, but, the reality was that there were similar constraints that made it infeasible for customers to implement SMB signing.”  So the workaround wasn’t actually feasible.  Microsoft’s own words here.  “As Mark notes in his post, implementing SMB signing is still an option and one that we ultimately recommend.”  Wait, so it’s not feasible, but it’s still the option that Microsoft recommends?  Even after releasing their “fix”?

“However, if you’re like me and remember the SMBRelay attack, you now have a protection option in case you can’t implement SMB signing: apply MS08-068.”  Oh, great.  The MS08-068 that according to Metasploit isn’t actually a fix at all because a hacker can work around it to still execute code remotely.

So let me get this straight.  Microsoft delays a fix to Windows for seven years because it would mean also fixing all of the affected networking clients.  Instead of just fixing it and fixing the clients too.  Their suggestion to people who are afraid of an attack by this route is to use an admittedly “infeasible” workaround.  And when, so much later, Microsoft finally patches the actual security hole, they don’t fully patch it, but just one approach to it.  So that hackers can still get around the patch.  So your options are use a patch that doesn’t work, or use an “infeasible” workaround?  And that’s after seven years!

Yep.  That’s security, Microsoft style.
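
The gap Metasploit describes can be checked against a host inventory. The following is an added example, not code from the original post, Microsoft or Metasploit: a simplified model in which MS08-068 closes only the reflection case and a target that requires SMB signing closes both cases. The host names, field names and inventory are constructed.

```python
# Constructed inventory. "require_signing" mirrors the server-side registry value
# RequireSecuritySignature (LanmanServer\Parameters); "ms08_068" is patch state;
# "can_auth_to" lists other hosts that accept this machine's user credentials.
INVENTORY = {
    "ws01": {"ms08_068": True, "require_signing": False, "can_auth_to": ["fs01", "dc01"]},
    "fs01": {"ms08_068": True, "require_signing": False, "can_auth_to": []},
    "dc01": {"ms08_068": True, "require_signing": True, "can_auth_to": []},
    "ws02": {"ms08_068": False, "require_signing": False, "can_auth_to": ["dc01"]},
}

def open_relay_paths(inventory):
    """Return sorted (victim, target, kind) tuples that neither control closes."""
    paths = []
    for victim, cfg in inventory.items():
        # Reflection: the authentication is sent back to the victim itself.
        # This is the one case MS08-068 addresses.
        if not cfg["ms08_068"] and not cfg["require_signing"]:
            paths.append((victim, victim, "reflection"))
        # Third-party relay: the patch on the victim does not help here;
        # only a target that insists on SMB signing closes the path.
        for target in cfg["can_auth_to"]:
            if not inventory[target]["require_signing"]:
                paths.append((victim, target, "third-party"))
    return sorted(paths)

def remediation(inventory):
    """Map each exposed target host to the setting that closes its paths."""
    actions = {}
    for _, target, kind in open_relay_paths(inventory):
        if kind == "third-party":
            actions[target] = "require SMB signing"
        else:
            actions.setdefault(target, "apply MS08-068 or require SMB signing")
    return actions
```

In this inventory the fully patched workstation `ws01` still has an open path to `fs01`, which is the third-party case from the Metasploit quote.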