1. You can generally get a feel for the intent by the developers reputation.
2. Look at the code that changed as part of the same commits. Eg was the vulnerable code included as part of the same commits as an unrelated change elsewhere in the codebase? If the latter then that’s hugely suspicious.
3. How is that vulnerability encoded? Eg is a bug parsing logic that was discovered via fuzzing? Or is it obfuscated code? Clearly the latter demonstrates intent.
4. What’s the nature of the vulnerability? Is it simply a dumb unhandled bounds or allocation error in C? Or is there an entire path of code that opens network ports? The latter also demonstrates intent.
5. How did the authors behind the vulnerable code react to the big report? Did they rush a patch out? Write more robust tests? Work with the community? Was there any transparency? Or was the issue quietly brushed over? This is least reliable indicator but it does demonstrate trustworthiness.
With these and other indicators you can build a body of evidence that can make an argument for or against a particular vulnerability being malicious. And while I do agree that in some cases it isn’t going to be clear cut, in most cases the evidence, or lack of, will be enough to justify an opinion.
The key part of my earlier statement being “beyond reasonable doubt”. Ie I’m not talking about a mathematical proof here.
It’s more the other way around: the first Mario game was a Donkey Kong game.
The user avatar is only “Mario” in appearance. He was called “Jump Man” in that game and even his outfit colours differed from the Mario games that followed.
> I assume it's probably a software bug, they assume it's an exploit.
They're not mutually exclusive.
I suspect you and the security team are arguing the same thing but with different terminology.
When vulnerabilities (which, in the vast majority of cases, are accidental) are published, or when static analysis tools review code, you'll get a description and a severity score. That description will broadly describe how, if possible, that vulnerability can be exploited.
Working for an in-house security team basically just means you're a risk assessor. And the way you assess risks is to look at the potential consequences of those risks. Which means looking at how bugs can be exploited.
But none of this means those vulnerabilities were placed in the code intentionally and with malice. It just means that someone else who is malicious could, theoretically, exploit those vulnerabilities. And if the risk of that is greater than the risk appetite of the business (as will typically be the case), then they'll feedback to you that there is an exploitable vulnerability that you need to patch.
> It's because you (like me) aren't quite as paranoid as security people are.
I work heavily with security-conscious clients where vulnerabilities would be catastrophic. And we are talking high profile clients that are juicy target for attacks.
My experience is still that the vast majority of vulnerabilities are accidental rather than due to malice.
And when I say “vast”, I mean the so heavily slanted in favour of “unintended” that it’s not even comparable.
> It's really a matter of context. Security people tend to only be involved when things are already nefarious
I’m guessing you’ve not worked with many “security people”?
You’d be surprised how much of their day-to-day is mundane.
As someone who really doesn’t take themselves even the slightest bit seriously, if there was ever a chance that your comment was funny then I would have realised it was a joke. ;)
You’re conflating two completely different things.
I’m a retro gamer. I have around 20 systems all hooked up and ready to play from the Atari 2600 through to modern systems like the PS4. In fact I bet I have systems you hadn’t even heard of, and machines that are older than you are.
So I know better than most that consoles can live for decades. But that’s not what people mean when they talk about a consoles life.
What that term means is the period of time that a console is the current generation (and yes, “generation” is the technical term here and not something I made up).
Also decay isn’t a phenomenon exclusive to biology. Plenty of things which aren’t organic can have a life and decay, even though we know they’re not technically a life form. For example stars. But even technology can decay. Capacitors and batteries are the biggest two killers of old technology, and common problems I’ve had to repair in my old hardware. The laser in your PS1 is also a consumable. I’ve had to replace the laser in my PS1 for that very reason. Solder can crack. Any moving parts like motors, fans, and CD/DVD trays can seize up over time too. There’s also sun-bleaching that happens to white and grey casing too, which is thankfully a very easy fix.
It was a trade association not Microsoft. And bullshit like this is the entire reason for trade associations existing.
Microsoft themselves support self-hosting Minecraft servers. As evidenced by the fact that the server software itself is provided as a free download from an official Minecraft (and thus Microsoft branded) site.
Lots of modern cars cater for this. It’s actually a marketing point with manufacturers like the VW group publicising how they’re bringing back tactile interfaces. And some ranges of cars never took that away (for example Jaguar).
I cannot comment on the cost in the US, but in the UK it would be the farm that’s more expensive because the cost is relative the distance. You still have to file the same government applications to close a dirt road as you would a busy city street. But you would have much more miles of road to file the application for, plus the actual expense of the engineering work, for rural destinations.
And that’s without factoring in that fewer subscribers are going to sign up in rural destinations vs busy urban hubs.
This is why the UK had to make subsidies available for rural fibre.
Server shutdowns are a problem regardless of the platform.
There used to be a time when PC games allowed you to connect to random servers. These days Minecraft is the only one that still allows it. And even there, Microsoft go hard on the upselling of their Realms.
Some studios kill their servers after just a couple of years. Even for games that are online first.
> especially if you were mislead into buying a PS5 with a disc drive thinking it'd be supported at least until the end of the product's lifespan
8 years is roughly the lifespan for a games console though.
And I say this as someone who hates Sony perhaps more than most, having lived through their the CD rootkit and PS3 OtherOS debacles. And been burned by their substandard yet overpriced audio equipment.
Author of murex (https://github.com/lmorg/murex, alt DevOps $SHELL). Contributor to open source. Also works on a few proprietary projects too.