Tag Archives: Risk

The Risk Of Mash-ups

It’s interesting to see how jarring old-world business behaviour is in the new world of blogs, remixing, mashing and market conversations. But I guess it’s also a reminder that the durability of the new world is not to be taken for granted. The latest episode, from Slashdot is this: RISK on Google Maps Shut Down:

“Hasbro owns the copyrights for the game of Risk, as the guy who wrote the google maps based Risk found out. This was featured on slashdot earlier. However, he does not seem too discouraged and asks people to submit ideas for other games using google maps that will not have such legal wrangles.” One thing this reminded me of is how cool Risk is. My office is now in its 3rd round… Africa will be mine!

The funny thing about all this, as One Tusk.com points out, creating the mash-up (using Google Maps for an online Risk-style game) was great publicity for the game itself:

As a result, he reminded everybody that there was a game called Risk and everyone had a great moment of nostalgia for board games as they paused from salivating over the next console game. But of course, we can’t have everyday people out getting people interested in our games–Hasbro’s probably gotten more play out of this than any advertising they cooked up themselves.

Hasbro, therefore, would have been much better advised to have considered the situation before leaping for their lawyers. Hasbro has made several variations on the classic board game: one Lord of the Rings version, one set in 2210 AD and one Star Wars version. There are two software versions, I and II. The latter was issued in 2000, a generation ago in gaming terms. Why didn’t they talk with the guy involved, thank him for reviving a near-dead brand, and either hire him or quietly tell him that by calling it something else, or a ‘Risk-like game’, he could keep going?

After all, there are several games out there that describe themselves as “Risk-like”, and, as far as I know, they’ve not received any legal letters. There’s Attack! (which carefully only hints at its Risk-like nature), Mare Nostrum, Quest for the Dragon Lords and Empire XP (which describes itself as ‘a Windows version of the classic Risk board game’). (More on Risk, and all the Risk clones, at Wikipedia.) All this makes the heavy-handedness even harder to understand.

The Gaping Browser Hole

Sometimes security holes can be subtle rather than complex. Sidney Low of Aliencamel points out the vulnerability discovered by Secunia, called the Multiple Browsers Frame Injection Vulnerability.

It’s a fancy term for a simple enough trick, where the bad guy hijacks a frame in a legitimate webpage (a frame is one portion of a webpage which has been divided into sections). The result is that the overall page is kosher — including, crucially, the URL — but that one of the frames contained inside is not. In that frame, of course, the bad guy could do anything he likes, and the user is none the wiser.

The only way a user can tell, I think, is by right clicking on the frame content and seeing what URL it is coming from, but who does that?

This vulnerability, actually, is a variation on one Secunia reported had been fixed in earlier versions of IE, but then reintroduced in a recent version. The bad news is that the vulnerability is not only an IE problem; it is also present in Opera, Safari, Netscape and Mozilla. I couldn’t get it to work in Firefox, interestingly. There’s a test you can perform here.

As Sidney says: “This one is quite worrying because it doesn’t need to do any URL masking. It simply exploits the fact that framesets will do the URL masking for the phisher.”
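The manual check above (right-clicking each frame to see where its content really comes from) can be automated from the page that owns the frameset. The following is an added example, not code from the original post, from Aliencamel or from Secunia: a small audit that walks every frame in a window, reads the frame's current location, and flags any frame that no longer belongs to the origin the page expects. In a real browser, reading the location of a frame that has been navigated to another origin throws a SecurityError, so the exception itself is the signal that the frame is showing someone else's content. The origin `https://bank.example`, the frame names and the fake window object are constructed for the demonstration; `auditFrames` and `suspiciousFrames` are names chosen here, not browser APIs.

```javascript
// Added example: a parent-page "frame audit" that automates the manual
// right-click check. It reports, per frame, whether the frame is still on
// the expected origin ("ok"), on some other origin ("foreign"), or cannot be
// read at all ("unreadable"), which in a real browser means cross-origin.

// Returns the origin of a frame's current document, or null if the browser
// refuses to reveal it (cross-origin frames throw a SecurityError here).
function frameOrigin(frame) {
  try {
    return new URL(frame.location.href).origin;
  } catch (e) {
    return null;
  }
}

// Walks win.frames (window.frames in a browser) and classifies each frame.
function auditFrames(win, expectedOrigin) {
  const report = [];
  for (let i = 0; i < win.frames.length; i++) {
    const frame = win.frames[i];
    const name = frame.name || `frame#${i}`;
    const origin = frameOrigin(frame);
    let status;
    if (origin === null) {
      status = "unreadable"; // navigated away from our origin
    } else if (origin !== expectedOrigin) {
      status = "foreign"; // readable but not ours (useful in tests/stand-ins)
    } else {
      status = "ok";
    }
    report.push({ frame: name, status, origin });
  }
  return report;
}

// Names of frames that no longer display the page's own content.
function suspiciousFrames(win, expectedOrigin) {
  return auditFrames(win, expectedOrigin)
    .filter((entry) => entry.status !== "ok")
    .map((entry) => entry.frame);
}

// Constructed stand-in for a browser window so the audit runs outside a
// browser (these are plain objects, not real DOM frames). The "nav" frame is
// still the site's own page; the "content" frame has been navigated to
// another origin and, like a real cross-origin frame, throws on access.
function makeCrossOriginFrame(name) {
  return {
    name,
    get location() {
      throw new Error("SecurityError: blocked cross-origin frame access");
    },
  };
}

const EXPECTED_ORIGIN = "https://bank.example"; // hypothetical site origin
const demoWindow = {
  frames: [
    { name: "nav", location: { href: "https://bank.example/nav.html" } },
    makeCrossOriginFrame("content"),
  ],
};

console.log(JSON.stringify(auditFrames(demoWindow, EXPECTED_ORIGIN), null, 2));
console.log("suspicious:", suspiciousFrames(demoWindow, EXPECTED_ORIGIN));
```

Run in a browser, the same `auditFrames(window, location.origin)` call can be scheduled with `setInterval` and used to blank or reload a frame that reports anything other than "ok"; the check only needs access to the parent window, which a site's own scripts already have.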

Windows’ Gaping, Seven Month Hole

Quite a big hooha over this latest Microsoft vulnerability, and I readily ‘fess up to the fact that I didn’t really take this seriously. Seems like I wasn’t the only one.

But folk like Shawna McAlearney of SearchSecurity.com point out that the delay of 200 days between Microsoft being notified and their coming out with a patch is appallingly long. “If Microsoft really considered this a serious or critical vulnerability for nearly all Windows users, it should have been a ‘drop-everything-and-fix’ thing resolved in a short period of time,” Shawna quotes Richard Forno, a security consultant, as saying. “Nearly 200 days to research and resolve a ‘critical’ vulnerability on such a far-reaching problem is nothing short of gross negligence by Microsoft, and is a direct affront to its much-hyped Trustworthy Computing projects and public statements about how security is playing a much more important role in its products.” Strong stuff.

So what is all the fuss about? The vulnerability in question can, in theory, permit an unauthenticated, remote attacker to execute arbitrary code with system privileges. That means a ne’er-do-well could do anything they want on your computer. And while it hasn’t happened yet, to our knowledge, it’s only a question of time, according to Scott Blake, vice president of information security at Houston-based BindView Corp.: “We believe attacks will be conducted remotely over the Internet, via e-mail and by browsing Web pages. We expect to see rapid exploitation — it’s simply a case of when it materializes.”

Paul Thurrott, of WinNetMag, weighs in with his view, pointing out that the flaw is a very simple one: “attackers can compromise the flaw with a simple buffer-overrun attack, a common type of attack that Microsoft has wrestled with since its Trustworthy Computing code review 2 years ago.”