nyxxie's comments

I built my initial programming/security skills by making PC game cheats, and now that I'm actually working in the software industry on other stuff I decided at the beginning of quarantine to see if I could still do it. Specifically, I targeted PUBG.

They've added obfuscation, that's about it. Even one of the guys the author interviews admits it:

> “Last year, we spent time working on various measures to block cheat programs,” explains Taeseok Jang, executive producer of PUBG PC. “Most of these actions focused on blocking cheat program developers to make it more difficult for them to create these highly lucrative cheats.”

That obfuscation was probably a huge problem when PUBG initially started adding it, but so long as some bored high school kid has a pirated copy of IDA and a desire to prove themselves, that info is going to end up online. Each new obfuscation feature or anticheat detection becomes a challenge, and the results of that challenge being inevitably solved are inevitably posted in a public and high-visibility place for others to learn from and use.

All of this public information meant that creating a cheat for the game probably added around a month or two of work to adapt to the cheat prevention efforts, on top of the month or so that I spent looking for the actual in-game structures necessary to implement the radar I was going for. I already expected every hindrance I encountered when reversing the game and writing the tooling to interact with the game's process. It was still daunting, especially since I had never touched the windows kernel until this project, but ultimately when I ended up getting everything working it felt like I was just using the same techniques I used to use back in the day only with extra steps.

My takeaways for anyone interested in preventing videogames from being cheated in:

  - Cheaters will eventually find a way, but you can always reduce the quantity and quality of them.
  - All information on how to write a cheat for your game eventually ends up in public forums. Keep an eye on those and learn how most people are writing cheats and target those methods specifically.
  - Obfuscation (new detentions, new anti-reversing measures, new countermeasures to cheating methods) buys you time in the immediate term and invalidates existing online information in the long term. They're like antibiotics--they increases the barrier to entry and pain factor of cheating only if you continue adding/changing it. 
  - Obfuscation will never be adequate to prevent cheating entirely. Human monitoring, ML, skill-based pairing, and full visibility & control over hardware the game is executing on are probably the next generation in terms of cheat prevention.

Terraform is really good at describing how infrastructure should be provisioned (VMs, load balancers, dns entries, networking, etc). Provisioning software on a VM and keeping it in a consistent state, however, is not something it's very good at. Userdata is very difficult to do anything complex with (limited size payloads, optimized for uploading a single shell script), and the provisioner system is explicitly described as a "last resort". This makes Terraform not so good at describing how software should be provisioned.

There is a bit of a movement, however, behind using it to deploy software by pairing it with Packer. You use Packer to create an e.g. AMI whose sole job it is to run your software (like a Docker container) then use Terraform to launch a bunch of EC2 instances that have juuuust enough resources to effectively run your software. That'd allow you to eliminate k8s from your stack, though it remains to be seen which stack would be more cost-efficient to run on.

Github issues and milestones for me.

Generally I put all features, ideas, bugs, etc into small granular issues that I can ideally complete in a day or two. I’ll group them into milestones representing high level goals (“implement video editor”, “v1.1 release”, etc) and then prioritize issues accordingly into a kanban dashboard.

I find that this method takes little extra time and lets me separate my development brain from my project management brain. I can come up with high level design and compose goals, then start hacking away later in tiny sprints without needing to think too much about how things fit together. Issue comments are also great places to record ideas when you’re e.g. at a bar with friends and have a sudden breakthrough that you want to jot down.

Most importantly though it helps with motivation, since it’s usually much easier to pick up my laptop knowing I’ll be able to achieve something that day rather than making incremental progress towards a larger goal.

That knowledge is becoming increasingly low level though as we build further abstractions over it. If you're working on a network you probably aught to know how TCP works, or at least know how to use Wireshark and a reference. If you're trying to spin up a simple webapp on AWS, you can pretty much stop thinking about firewalls and networking once you set up security groups/NACLs/policies/etc and confirm you can hit whatever is behind them. With new trends like immutable infrastructure coming into vogue, I'd even argue that system administration altogether is becoming a more niche skillset.

> If you need to constantly look up informations, it means you have no long term knowledge of anything.

I don’t think this is a very charitable interpretation of what GP was trying to say. Of course you can’t get by being a blind conduit of Google’d/Wikipedia’d/etc information, but you certainly don’t need to (and probably can’t) cram everything you need into your memory for instant recall on demand.

How about a middle ground: memory can be thought more like an LFU cache, where “use” is defined as reliance on explicit details of a concept. For example, I rely daily on programming language syntax and best practices and therefore have them deeply embedded in my mental cache. Other knowledge however, like sorting algorithm implementations, I rarely utilize and probably won’t remember after the next time I’m quizzed on it in e.g. an interview or conversation with someone where I’m trying to sound smart (cache miss).

In many cases where I suspect that I’ll frequently encounter cache misses with a particular piece of knowledge , I often find it better to just cache high level details (useful properties of sorting algorithms) and Google the missing details. That or work with subject matter experts.

Idiotic policy. Side projects are one of the best way to learn new skills (they're the entire basis for my current skillset in this industry!). I often find that I import lessons and technologies learned in my freetime to my day job as opposed to stealing niche lessons from work. This fact basically makes my side projects akin to ongoing training that my employers aren't paying for but are reaping value from.

Not only is it unfair for these companies to leverage their power to try and claim ownership over side projects, but they're actively shooting themselves in the foot by discouraging a massive and free source of continuous education for their employees.

Definitely this for me as well. When I was younger I was at an interesting crossroads with my freetime where I'd either program or play video games obsessively. I decided to try putting that video game energy into improving my programming ability, and 10 years later now I'm in the valley making FAANG wages at a young age and still absolutely love programming. I have no idea how my life would have turned out if I didn't luck into discovering this amazing hobby. I feel bad calling my job "work" since I very rarely don't feel like coming in.

History is filled with constant examples of longstanding traditional arts and practices being invalidated and surpassed by technological advances. It seems that Go is one of year 2016's losses to technology. If history tells us anything, all that this means is that the future is going to be just a little more different than it was before. At some point, my work as a programmer might even dry up in the face of technological progress. I'm really looking forward to seeing how the world changes after that one. I wonder if I'll end up like Lee Se-dol and declare my defeat to technology and wait to die, or if I'll learn to adapt and adjust to a post-programmer society.

I couldn't care less about this rich person's beach nor the people who want to surf on it, but I do care about the property rights issue at play here and how it intermingles with popular perception and treatment of "rich people" (a relative term that, for most people reading this, almost certainly is applied pejoratively to them by those who have less than they do). I don't like the idea that someone feeling entitled to something I own factors into the question of control over that thing -- I worked and paid for it, I should get to do what I want with it. It seems to me that this simple principle is thrown out when the owner is deemed "rich", which is frightening to me.

> To what benefit to ones self can you possibly point? I worry that tolerating the entitlement of the many over the rights of the few will result in a degrading of those rights. It's this dude's beach today, what about a website that I suddenly charge for tomorrow? Or hey, lets be realistic here, what about my future beach when that aforementioned website makes me my billions :)

Academia is almost entirely based on trust and reputation, which we're seeming to discover is not a useful heuristic if your end goal is a net gain in uncovering the truth of the phenomena around us. If you ask me, credibility should be based on reproduction of results rather than reputation of the author, name of the sponsoring institution, journal title, or a vague "peer reviewed" badge. New papers should be by-default untrusted until several reproduction attempts have been successfully executed. This would incentivize authors and scientific institutions to produce science of quantifiable quality.

These systems are useless. Of the many flaws:

1.) Simple alteration (change a pixel in MS paint) or encryption of content bypasses the filter 2.) Patching out the filtering routine bypasses the filter 3.) Blocking the phone-home address (pihole, router firewall, etc) bypasses any reporting 4.) Any vulnerability in the future that allows an attacker to report arbitrary clients (disclosure of client IDs, weakness in app, weakness in server) renders evidence gathered by the system unreliable.

At best clientside filtering allows you to draw relationship maps of technically incompetent perverts who might possibly be sharing CP. What harm reduction are they trying to get out of that?? Why not just refocus efforts on catching the small minority of individuals who are actually producing this content??

But hey, if these garbage clientside filtering of image uploads is enough security theatre to keep governments satisfied, I say let them have it.

Does anyone find Kickstarter’s conflating of corporate ethics and adherence to far left political positions disturbing? Diversity hiring, “salary equity”, and other such policies are extremely hot issues; nearly every time they are discussed here the threads have hundreds of replies and give the mods a run for their money to manage. Chief among these recent issues is the recent controversy around deplatforming of political speech. This appears to have bit the louder left wing folks at Kickstarter (banning of the nazi punching comic book), to which at least one such employee cried foul at since it violated their dogmatic political worldview.

If you’re going to allow your employee’s controversial political opinions to guide corporate policy, I’d argue it’s unethical to build a culture in which disagreement is not permitted. A substantial number of people disagree with these policies and want to debate them, you can’t just dismiss those people as having wrong ideas and push forward patting yourself on the back for being the ethical good guy.

> The new Apple‑designed U1 chip uses Ultra Wideband technology for spatial awareness — allowing iPhone 11 to precisely locate other U1‑equipped Apple devices

Interesting. Will this thing be always on and broadcasting my phone's precise location? Seems like a rather privacy-sensitive feature.

> the clear argument is that, because drawing a line is hard, we shouldn't call for any action against those who have stepped over it.

I think you're putting words in his mouth. He doesn't want to see no consequences whatsoever for those who were involved with Epstein, GP argues that people are drawing arbitrary boundaries with no clear repeatable definition and then taking action on them. He wants to understand what precisely being "tainted" entails and why a particular definition is deserving of the consequences such a label entails. In other words, he rejects arbitrary and subjective persecution for an objective approach to justice.

Are you referring to the sudden boom of the general public dumping their money into cryptocurrency hoping to get rich?

Hell, I’ll bite here and assert the same as my parent comment: the folks who dumped their life savings into crypto made a personal choice. I fail to see how the rest of the market bears responsibility to those who lost their “investment”. So long as everyone is playing by the same rules, there’s no way you should be ethically responsible from benefiting from other’s losses.

You signed up for the risk when you chose to play. Do you believe that if I dump my money in a stock and it tanks, investors who benefit from that are now responsible for the money I’ve lost?

Is this insinuating that winning victimizes gambling addicts? If so, I don’t understand that connection.

Gamblers are making a personal choice to bet their money, other gamblers should not be made to bear responsibility if that gambler’s choice turns out to be a poor one. Gambling addicts obviously exist, but they are playing the same game everyone else is. If you want to protect addicts from harming their finances, change the rules to accommodate that goal (betting limits, credit/finance checks, outright banning of gambling) rather than expect other gamblers to follow undefined rules that may or may not protect other gamblers from themselves.

All this to get an app to make "do any of my contacts also use signal" requests? You could probably just figure out what endpoint the mobile client calls and imitate them yourself to avoid all the overhead of setting up the mobile devices. If you have to register to make the request, just provision a bunch of VOIP numbers and go to town.

Point being, if "who is using signal" is a question you want answered, it's far more trivial than having to acquire actual devices. Your oppressive regime could go from zero to black bag list in an afternoon.

Wow I actually thought of building a tool similar to this for CTFs, specifically this feature:

https://github.com/gchq/CyberChef/wiki/Automatic-detection-o...

This is REALLY cool. Basically given an unknown string or file from something CTF-y you can run this tool on it to look for low-hanging fruit like it being e.g. base64 encoded.

I've used protobufs in the past and I REALLY want to use them now, but the human readable aspect of json has always kept me coming back.

If I want to perform some rough tests of an endpoint during development, all I need to do is compose the json request and fire it off using curl. The response then comes back in a human readable format I can parse straight from the terminal. Boom, simple test conducted in less than 1 minute. I don't even need to think about it.

Compare that to protobufs; I need to create a custom client or unit test that'll compose and fire off the request I want to test, then I need to write a bunch of code that will introspect the contents of the response so I can pick out the details. Huge time loss, concentration ruined since I need to actually think about the process, I'd rather just take the extra latency that using json will incur.

This skips past all of the other advantages json has over binary serialization protocols, like quickly being able to parse requests while debugging issues, infinite client language support, ease of sharing breaking requests to help devs reproduce problems, not needing to add an extra compilation step to my deployments and packages, etc.

No, but they currently index ftp links.