OpenBSD to Implement Kernel Address Randomized Link

OK, this is very clever,

This feature is named KARL — Kernel Address Randomized Link — and works by relinking internal kernel files in a random order so that it generates a unique kernel binary blob every time.

. . .

Developed by Theo de Raadt, KARL will work by generating a new kernel binary at install, upgrade, and boot time. If the user boots up, upgrades, or reboots his machine, the most recently generated kernel will replace the existing kernel binary, and the OS will generate a new kernel binary that will be used on the next boot/upgrade/reboot, constantly rotating kernels on reboots or upgrades.

. . .

“It still loads at the same location in KVA [Kernel Virtual Address Space]. This is not kernel ASLR!,” said de Raadt.

Instead, KARL generates kernel binaries with random internal structures, so exploits cannot leak or attack internal kernel functions, pointers, or objects.

Let’s Encrypt to Offer Wildcard Certificates in 2018

Let’s Encrypt announced today that they plan to offer wildcard certificates beginning in January 2018.

A wildcard certificate can secure any number of subdomains of a base domain (e.g. *.example.com). This allows administrators to use a single certificate and key pair for a domain and all of its subdomains, which can make HTTPS deployment significantly easier.

Wildcard certificates will be offered free of charge via our upcoming ACME v2 API endpoint. We will initially only support base domain validation via DNS for wildcard certificates, but may explore additional validation options over time. We encourage people to ask any questions they might have about wildcard certificate support on our community forums.

That is excellent news. Wildcard certificates are fairly expensive. I’m paying $94/year for a Comodo PositiveSSL wildcard cert through a reseller. If you go directly to Comodo, they want $249/year which is going to be well out of the range of a lot of people to afford.

It will be interesting to see what the uptake is on this, as I assume wildcard certificates are a major profit center for certificate authorities. It would also be interesting to see an analysis of what effect Let’s Encrypt has had on the economics of CA’s already.

Are those who use Let’s Encrypt large companies and individuals who weren’t using SSL at all beforehand, or is a significant portion of that activity from people who opted for a free alternative.

I know I was at the point where I needed to buy a single domain certificate last year and opted for Let’s Encrypt because of its low, low price of nothing.

Steam, Achievements, and Achievement Spam

Over at Kotaku, Nathan Grayson wrote an interesting analysis of “achievement spam” games on PC gaming platform Steam.

Wikipedia defines an achievement as “a meta-goal defined outside of a game’s parameters.” So a very typical sort of achievement for a video game might be a little badge icon once you’ve killed 100 of some type of monster in a game.

Achievement-like systems had long been present in video games, but Microsoft made them a significant part of video game culture by including them on the XBOX 360 platform. This meant video game achievements would show up on players’ XBOX 360 profiles, and gamers could compare their particular achievements and overall completion rate. Other video game platforms quickly followed suit. PC video game platform Steam added achievements in 2007.

One of the things about the XBOX platform is that Microsoft has some limits built in regarding achievements. Each achievement in an XBOX game is worth a certain number of points, and Microsoft limits each major publisher game to only 1,000 achievement points, divided among how ever many individual achievements the developer wants to create. Indie and small publisher games that are sold at a lower price point tend to be capped at an even lower number of achievement points.

Steam, however, doesn’t award points for each achievement. In Steam, you simply see a total of how many total achievements you have earned. It also apparently has no limits on how few or how many achievements a game can have.

Some games have zero achievements, frequently because they were released prior to 2007, but also occasionally because the developer in question objects to achievements or doesn’t want to spend valuable time coding them to work properly.

And, as Grayson’s article points out, some games have thousands of achievements–in one case, just a bit more than 10,000 achievements.

While there are a few games on Steam that have hundreds of achievements that are intended to reward players for completing challenging content, more commonly they are what Grayson calls achievement spam games. The point is to sell a game at a very low price that has thousands of achievements that can be “earned” easily in a few hours to inflate the number of achievements a player has on their profile page.

Another achievement spam game is Blood Feed. The first-person giant insect shooter offers 3,001 achievements, all of which you can unlock in 15 minutes or so by wantonly blasting everything that moves. It’s a “game” in the barest sense of the word. Blood Feed’s developers offer custom achievements, allowing players to go on the game’s forums and request achievements with custom images and description text. Those make for especially fancy feathers in avid profile-decorators’ caps. Blood Feed’s developers know what they’re doing: in May 2017 alone, ANPA.US has released three games with over a thousand achievements (and little else) called Survival Zombies, Machine Hunt, and Dinosaur Forest. These games weren’t popular with reviewers, but they offered custom achievements and actually outsold Blood Feed, which came out at the end of April. Survival Zombies did especially well, managing to move around 40,000 copies, according to SteamSpy.

Not surprisingly, a lot of hardcore achievement hunters do not like the presence of such achievement spam games. Grayson quotes achievement hunter Xeinok who dislikes achievement spam games,

Getting 10,000 achievements for doing nothing in a game for 10 minutes can easily make a gamer who spent dozens of hours working on a single difficult achievement feel pretty bad.

I couldn’t disagree more. Achievements are a major part of the Steam experience for me–I pretty much won’t buy or play a game that doesn’t include achievements. But the fact that I downloaded Blood Feed and 100 percented it in a short time for thousands of achievements doesn’t distract at all from the accomplishment of achieving a particularly difficult achievement.

For example, in a story from 2016, Xeinok notes how he is one of the few people who has received the achievement in Frozen Synapse for beating one of the game’s developers. That achievement is far more meaningful and speaks to Xeinok’s gaming cred than the 3,000 or so achievements I received for playing some achievement spam games for a couple hours.

But honestly, there’s no reason the Steam achievement meta-game should be any different than video games themselves. Many video games give different routes and difficulties so that people of different skill levels and/or interests can play the game in different ways. Why should the achievement meta-game be any different?

Some people want to show off their hardcore gaming skills by earning insanely difficult achievements. Others just want to figure out a shortcut to maximize their total score.

Let a thousand achievements bloom.

Bandai Tamashii Mix Mechagodzilla Poster Version Figure

Now this is awesome.

A legendary design appears! Fans of the 1993 “Godzilla vs Mechagodzilla” may remember the thrilling poster with artwork by Noriyoshi Ohrai, which differed from the Mechagodzilla that appeared in the film. Now, for the first time ever, this unique design is being produced as a figure. Three G-Force mecha combine to form the incredible Mechagodzilla! It can even be posed in flying mode. Set includes the diecast and plastic G-Force mecha “Garuda,” “Gundalva,” and “Naga,” which combine to form a 170mm tall Mechagodzilla. Also includes Garuda stand and special explanatory manga.