Stephan Sokolow › Comments

Stephan Sokolow
ssokolow on modern web browsers are the emacs of this decade - http://www.reddit.com/r...
"At the moment, they're focusing on PDF and Flash since those are the biggest obstacles the average person would complain about if they switch their internal plugin whitelisting mechanism to "ask by default" too early. However, replicating the "offer the plugin as a fallback when encountering known problematic opcodes" approach [PDF.js](https://en.wikipedia.org/wiki...) and [Shumway](https://wiki.mozilla.org/Shumway) take could quickly bring something like [Doppio](http://badassjs.com/post...) to prominence once they shift their focus." - Stephan Sokolow
Stephan Sokolow
ssokolow on modern web browsers are the emacs of this decade - http://www.reddit.com/r...
"They're working on it. Most notably, by working to phase out plugin APIs altogether. (For example, Firefox and Chrome both now come with their own JS+SVG-based PDF renderers and both are working on solutions to retire Flash in the long run, resulting in only one JavaScript engine that needs to be secured.)" - Stephan Sokolow
Stephan Sokolow
ssokolow on modern web browsers are the emacs of this decade - http://www.reddit.com/r...
"Firefox and Chromium include a lot of things that Midori depends on as external packages. How many lines of code is Midori + GTK + GTKWebKit + LibXML2 + SQLite3 + libsoup? (I suspect just adding GTKWebKit alone will put you into the same ballpark. A modern browser engine is not a trivial thing.)" - Stephan Sokolow
Stephan Sokolow
ssokolow on modern web browsers are the emacs of this decade - http://www.reddit.com/r...
"Firefox is working on it... they just have a massive boat-anchor around their necks called "if we break extension compatibility in the process, everyone will leave for Chrome"." - Stephan Sokolow
Stephan Sokolow
ssokolow on modern web browsers are the emacs of this decade - http://www.reddit.com/r...
"To be fair, that's not entirely true. I was introduced to vim and emacs in university and I still use vim because, even with the plugins I need, it's lighter, less cluttered, and/or more stable than any of the alternatives I've tried." - Stephan Sokolow
Stephan Sokolow
ssokolow on GOG plan to change TOS forbidding reverse engineering and disassembling even to their own tools and services - http://www.reddit.com/r...
"And yet, as we've detailed on the GOG forums for their benefit, there are various ways that are as simple or simpler to implement and do a better job of handling stupid people. (For example, using a custom extension and file header so it doesn't even get recognized as RAR, just like the old InnoSetup installer BIN files. That's a matter of editing a single string constant in their source they use to build their custom `unrar.dll` and using one line of Python (which I provided) or equivalent to apply the change after compressing.) Simpler, smaller downloads since there's no encryption overhead, and faster compression and decompression." - Stephan Sokolow
Stephan Sokolow
ssokolow on GOG plan to change TOS forbidding reverse engineering and disassembling even to their own tools and services - http://www.reddit.com/r...
"To be fair, they were only applying this to really big, fairly new games and those tend to be the ones that tend to cost from $15 to $60 at regular price." - Stephan Sokolow
Stephan Sokolow
ssokolow on GOG plan to change TOS forbidding reverse engineering and disassembling even to their own tools and services - http://www.reddit.com/r...
"The GOG installer is digitally signed. The password was an embarrassingly ignorant attempt to reinvent the "EXE validates the BIN files" stage without having to re-read and re-hash each 4GB BIN file after just appending a few kilobytes of changed data." - Stephan Sokolow
Stephan Sokolow
ssokolow on GOG plan to change TOS forbidding reverse engineering and disassembling even to their own tools and services - http://www.reddit.com/r...
"Something to do with ancient MPEG-1 video files. By the time I got broadband, that stuff had already fallen out of favor so I don't know the details." - Stephan Sokolow
Stephan Sokolow
ssokolow on GOG plan to change TOS forbidding reverse engineering and disassembling even to their own tools and services - http://www.reddit.com/r...
"Whoever came up with it thought that malware bundlers would be stymied by having the password generated using an algorithm stored as compiled machine code inside a custom `unrar.dll`." - Stephan Sokolow
Stephan Sokolow
ssokolow on GOG plan to change TOS forbidding reverse engineering and disassembling even to their own tools and services - http://www.reddit.com/r...
"The GOG installers are digitally signed as coming from GOG so Windows won't yell "Untrusted!". As I understood what Gowor was saying in the original thread, the RAR passwords were an "I'm not as smart as I think I am" attempt to reinvent the process of the EXE file verifying the authenticity of the BIN files so the "This comes from GOG!" message in the Windows properties dialog couldn't be deceptive." - Stephan Sokolow
Stephan Sokolow
ssokolow on GOG plan to change TOS forbidding reverse engineering and disassembling even to their own tools and services - http://www.reddit.com/r...
"So you can use the data files with something like ScummVM without having to go through the entire install process just to copy them out and uninstall again. (For example, if you want to play the game on your Android phone or your Linux box or on Windows with an enhanced engine rewrite like EDuke32 that GOG doesn't bundle.)" - Stephan Sokolow
Stephan Sokolow
ssokolow on GOG plan to change TOS forbidding reverse engineering and disassembling even to their own tools and services - http://www.reddit.com/r...
"Apparently the RAR password part was an "I'm not as smart as I think I am" attempt to ensure that the RARs bundled with a GOG installer EXE were authentic." - Stephan Sokolow
Stephan Sokolow
ssokolow on GOG plan to change TOS forbidding reverse engineering and disassembling even to their own tools and services - http://www.reddit.com/r...
"As I understand it, whoever thought this was a good idea was using the "secret password calculated by MD5ing the GOG game ID" **as** the ".exe *should* then verify the .bin files" step because it didn't require storing hashes within the EXE file itself which need to be completely recalculated every time your "code, compile, test, revise" loop changes one tiny thing. Hence my suggestion over on the GOG forums to store a digitally-signed manifest of expected contents (full of per-file hashes) inside the RAR which can easily be changed." - Stephan Sokolow
Stephan Sokolow
ssokolow on GOG plan to change TOS forbidding reverse engineering and disassembling even to their own tools and services - http://www.reddit.com/r...
"They switched to RARs because a "code, compile, test, revise" process for debugging the installer scripts is slow and awkward if you have to rebuild multiple DVDs worth of installer after the tiniest change and pure InnoSetup forces that. Storing a hash inside the installer puts you back to square one because you have to re-read and re-hash the giant BIN files after small changes that could just be append-based during the development process. The proper solution is to use a digitally signed manifest of expected contents stored in the RAR (it can be changed along with the RAR but is verified by a key stored in the signed EXE) but that takes more work. I'm guessing that whoever designed this didn't know much about crypto and thought they'd found a free lunch." - Stephan Sokolow
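The signed-manifest design proposed in this comment and the one just before it (per-file hashes in a manifest inside the RAR, checked by a key carried in the signed EXE), as an added example that is not the commenter's code and not anything GOG ships: Ed25519 and SHA-256 are my assumed choices, and the one-line-per-file manifest format and the payload bytes are constructed for the demo.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"sort"
	"strings"
)
// BuildManifest (build step): one "sha256hex  path" line per payload file.
func BuildManifest(files map[string][]byte) []byte {
	var lines []string
	for name, data := range files {
		lines = append(lines, fmt.Sprintf("%x  %s\n", sha256.Sum256(data), name))
	}
	sort.Strings(lines) // deterministic: the signed bytes must not depend on map order
	return []byte(strings.Join(lines, ""))
}
// VerifyPayload (install step, inside the signed EXE): signature under the baked-in key, then exact file set.
func VerifyPayload(pub ed25519.PublicKey, manifest, sig []byte, files map[string][]byte) error {
	if !ed25519.Verify(pub, manifest, sig) {
		return fmt.Errorf("manifest signature invalid")
	}
	expected := map[string]string{} // path -> hash; malformed lines are skipped and caught by the count check
	for _, line := range strings.Split(strings.TrimSpace(string(manifest)), "\n") {
		if parts := strings.SplitN(line, "  ", 2); len(parts) == 2 {
			expected[parts[1]] = parts[0]
		}
	}
	if len(expected) != len(files) {
		return fmt.Errorf("manifest lists %d files, payload has %d", len(expected), len(files))
	}
	for name, data := range files {
		if expected[name] != fmt.Sprintf("%x", sha256.Sum256(data)) {
			return fmt.Errorf("file %q missing from manifest or altered", name)
		}
	}
	return nil
}
// Scenario signs a constructed payload, verifies it, then alters one file and verifies again.
func Scenario() (genuine, altered error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // build-time key pair; only pub ships in the EXE
	files := map[string][]byte{"game.bin": []byte("constructed payload"), "setup.ini": []byte("x=1")}
	manifest := BuildManifest(files)
	sig := ed25519.Sign(priv, manifest) // manifest and sig travel inside the unsigned RAR
	genuine = VerifyPayload(pub, manifest, sig, files)
	files["game.bin"] = []byte("constructed altered payload") // the swapped-BIN case from the thread
	altered = VerifyPayload(pub, manifest, sig, files)
	return genuine, altered
}
```

Because only the manifest is signed, a changed BIN means re-hashing and re-signing a few hundred bytes of manifest, not re-reading the whole payload, which is the development-loop problem the comment describes.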
Stephan Sokolow
ssokolow on GOG plan to change TOS forbidding reverse engineering and disassembling even to their own tools and services - http://www.reddit.com/r...
"The GOG installer is digitally signed so Windows won't yell "Untrusted!" but the RARs aren't. If they don't come up with a protection measure (one that actually works, like the old non-RAR one did), then you can inject malware into a RAR-based GOG installer and Windows will still say "This came from GOG!" (They switched to RARs because a "code, compile, test, revise" process for debugging the installer scripts is slow and awkward if you have to rebuild multiple DVDs worth of installer after the tiniest change and pure InnoSetup forces that.)" - Stephan Sokolow
Stephan Sokolow
ssokolow on GOG plan to change TOS forbidding reverse engineering and disassembling even to their own tools and services - http://www.reddit.com/r...
"I suspect I might be one of those "Two whiny GOG users" so let me just say that I raised a stink as soon as I became aware of it. Only about 30 games out of the entire GOG catalog got this treatment so far and I hadn't tried any of them yet. As for the part about the "actual power users", they learned how to generate the passwords by poking around inside the `unrar.dll`. I wasn't aware that to be an "actual" power user, you had to understand assembly language and debuggers well enough to write a keygen for a warez group." - Stephan Sokolow
Stephan Sokolow
ssokolow on GOG plan to change TOS forbidding reverse engineering and disassembling even to their own tools and services - http://www.reddit.com/r...
"They've responded. It's good news. https://www.reddit.com/r..." - Stephan Sokolow
Stephan Sokolow
ssokolow on GOG has promised to remove the password protected RARs found in some of their installers - http://www.reddit.com/r...
"Their upcoming TOS that they're currently gathering feedback on would forbid practices you might need to engage in to create or install mods. https://www.reddit.com/r..." - Stephan Sokolow
Stephan Sokolow
ssokolow on GOG has promised to remove the password protected RARs found in some of their installers - http://www.reddit.com/r...
"http://constexpr.org/innoext... ...or, if that fails for some reason, you can run `innounp.exe` in Wine, which is made from actual InnoSetup Pascal code. http://innounp.sourceforge.net/" - Stephan Sokolow
Stephan Sokolow
ssokolow on GOG gave an answer about password encrypted packages, and it's not good. Please vote for them to revise their approach - http://www.reddit.com/r...
"To clarify, until now, innoextract was all you needed to extract any and every Windows GOG installer." - Stephan Sokolow
Stephan Sokolow
ssokolow on GOG gave an answer about password encrypted packages, and it's not good. Please vote for them to revise their approach - http://www.reddit.com/r...
"GOG's own, publicly stated definition of DRM is much broader than what you think it is. This violates that definition by being a technical measure which attempts to control what you can do with what you paid for. Copy protection is the most common form of DRM, but it's not the only one. (Look at DVD CSS, for example. It does nothing to prevent copying. Its only purpose is to enforce region locks so they can charge a lot more for a North American English release than an Indian English release.)" - Stephan Sokolow
Stephan Sokolow
ssokolow on GOG gave an answer about password encrypted packages, and it's not good. Please vote for them to revise their approach - http://www.reddit.com/r...
"DRM is about attempting to restrict what you can do with what you purchased. No ifs, ands, or buts. That's basically what GOG's prior statements boil down to. Open- vs. closed-source is irrelevant here and muddies the waters because "what you purchased" is the compiled binaries and game resources, not the source code." - Stephan Sokolow
Stephan Sokolow
ssokolow on GOGs' Installer Encryption Proving to be Difficult for Linux users - http://www.reddit.com/r...
"Linux can extract password-protected RARs, but the password is generated by machine code hidden inside a customized `unrar.dll`. One of the guys on the GOG forums managed to figure out that the current algorithm is "take the GOG game ID and md5sum it" but, if they change that, finding the new algorithm takes skills equivalent to writing a CD keygen." - Stephan Sokolow
Stephan Sokolow
ssokolow on Will games I have on steam that have a Linux alternative already be in my library when booting into a Linux system or do I have to repurchase? - http://www.reddit.com/r...
"If you can only read from it, that probably means you're using the kernel's built-in read-only NTFS support and you need to install the ntfs-3g driver." - Stephan Sokolow
Stephan Sokolow
ssokolow on GOG gave an answer about password encrypted packages, and it's not good. Please vote for them to revise their approach - http://www.reddit.com/r...
"Tar (and a few things of niche purpose like cpio) are the only things that I've ever heard of where the reliable preservation of permissions and filesystem attributes is a goal. However, if you just want to preserve basic file permission flags, all is not lost. I haven't done much investigation into it, but some other compression formats do leave room in their data structures for "non-DOS/Windows metadata" if the compression and extraction tools want to make use of them. For example, the Zip format **does** have support for preserving basic POSIX file permissions if you pack things using a Linux ZIP utility that is willing to do the work. That's why you'll sometimes find a zipped Linux game that unpacks with the execute bits already set properly. I'd look into whether 7-zip can be used that way. The manpage only mentions a failure to preserve ownership information when it recommends using tar and, even if the 7z format can't preserve POSIX permissions, WinZIP 10 extended the Zip..." - Stephan Sokolow
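The Zip metadata point above, as an added example that is not the commenter's code: Go's archive/zip is assumed as both the packing and unpacking tool, and the script content is constructed. It contrasts an entry whose external attributes carry a POSIX mode with one written DOS-style, where the execute bit is lost on extraction.

```go
package main

import (
	"archive/zip"
	"bytes"
	"io/fs"
)

// PackScript writes one constructed file, "run.sh", into an in-memory zip. With preserveMode
// set, the entry's external attributes carry the POSIX mode (what a Unix-aware zip tool does);
// without it the entry carries DOS-only attributes, as a Windows-only tool would write them.
func PackScript(preserveMode bool) ([]byte, error) {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	hdr := &zip.FileHeader{Name: "run.sh", Method: zip.Deflate}
	if preserveMode {
		hdr.SetMode(0o755) // marks the entry as Unix-created and stores the mode in the external attrs
	}
	w, err := zw.CreateHeader(hdr)
	if err != nil {
		return nil, err
	}
	if _, err := w.Write([]byte("#!/bin/sh\necho constructed\n")); err != nil {
		return nil, err
	}
	if err := zw.Close(); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

// ExtractedMode reports the mode an unpacker would restore for "run.sh" from the zip bytes:
// the stored POSIX mode for a Unix-created entry, a synthetic mode with no execute bit otherwise.
func ExtractedMode(data []byte) (fs.FileMode, error) {
	zr, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	if err != nil {
		return 0, err
	}
	for _, f := range zr.File {
		if f.Name == "run.sh" {
			return f.Mode(), nil
		}
	}
	return 0, fs.ErrNotExist
}
```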
Stephan Sokolow
ssokolow on GOG gave an answer about password encrypted packages, and it's not good. Please vote for them to revise their approach - http://www.reddit.com/r...
"I [also made one](https://gist.github.com/ssokolo...), though I haven't yet had time to adjust it to handle non-multipart installers. The point is that, before, there was an implicit understanding that Linux and OSX users would unpack the Windows installers and not ask for support. With the RAR, the understanding is a lot more tenuous and reverse-engineering a new password-generation algorithm requires more specialized skills than adapting to a new InnoSetup version did. It also muddies the waters regarding what is and isn't acceptable and why, which makes it harder for opinion in their customer base to constrain what actions they're willing to take." - Stephan Sokolow
Stephan Sokolow
ssokolow on GOG gave an answer about password encrypted packages, and it's not good. Please vote for them to revise their approach - http://www.reddit.com/r...
"The algorithm can be changed at any time and is stored as opaque machine code in a customized `unrar.dll`. All we have is Gowor's statement that (until someone else replaces him), he won't change it. If I can't be sure that my offsite backups of my games will *remain* usable, why did I re-buy so many of my old CD-ROM and floppy games?" - Stephan Sokolow
Stephan Sokolow
ssokolow on GOG gave an answer about password encrypted packages, and it's not good. Please vote for them to revise their approach - http://www.reddit.com/r...
"Yeah. They're basically just a chunk of whatever data you want, run through the compression algorithm, with a checksum and a format-identifying header glued on." - Stephan Sokolow