Shared posts

20 Feb 02:30

Lemmings, or how clever tricks make platforms more different than they seem

by Scali

The other day I read this in-depth article on font usage in early DOS games by VileR. Since some of the fonts were apparently stored not as 1-bit bitmaps, but as multiple bits per pixel, I was wondering when the usage of multicolour fonts became commonplace on the PC.

I randomly thought of Lemmings as a game that I recall using a very nice and detailed font. But that turned out to be quite the can of worms, so I thought I’d write a quick summary of what we uncovered.

Now Lemmings was a game originally developed on the Amiga, and then ported to many different platforms. I mostly played the Amiga game back in the day, although I did also have a copy of the PC version. I had a vague recollection that although the Amiga version did look somewhat better, the PC version used basically the same font as the Amiga version.

Let’s compare the Amiga and PC version of Lemmings. And while we’re at it, let’s throw in the Atari ST version as well. More specifically, let’s concentrate on the VGA version of Lemmings for PC. Then we have three machines that have roughly similar video capabilities. All three machines have a video mode of 320×200, and support a palette that can be user-defined by RGB values. The Atari ST supports 3 bits per component (512 colours in total), the Amiga supports 4 bits per component (4096 colours in total), and VGA supports 6 bits per component (262144 colours in total).

The Atari ST supports 16 colours at once, the Amiga supports 32 colours at once (or 64 colours in the special ‘Extra HalfBrite’ mode), and VGA supports 256 colours at once. So at first glance, all three machines appear to have similar capabilities, with the Atari ST being the most limited, and VGA being the most capable. But now let’s look at how the game looks on these three systems.

First, the original on the Amiga:

Then the Atari ST:

Okay, looks very similar at first glance, although there is something about it I couldn’t quite put my finger on. But let’s look at the VGA version first:

Hum, wait a second… When I look for screenshots on the internet, I also find some that look like this:

Are there different versions of Lemmings for PC? Well, yes and no, as it turns out. When you start the game, there is a menu that asks what machine type you have:

The first screenshot is from the game in “For PC compatibles” mode, the second screenshot is “For High Performance PCs”. So let’s call the first ‘lo’ mode, and the second ‘hi’ mode.

Okay, so let’s inspect things closer here. At first glance, the main level view appears to be the same on all three systems. That would imply that only 16 colours are used on all systems, otherwise the Atari ST would not be able to keep up visually with the others.

The only difference that stands out is that the Amiga and Atari ST have a blue-ish background colour, where the VGA versions are black. It’s not entirely clear why that is. Also, the blue background is used only for the level on Amiga, where the background is black for the text and icons. On the Atari ST, the background for the text is blue, and it only switches to black for the icons.

But then we get to the part that kicked this off in the first place: the font. On the Amiga we see a very detailed font, using various shades of green. On the Atari ST, we see a font that looks the same, at first glance (more on that later). On the ‘lo’ VGA version, we see a font with the same basic shape, but it appears to only have two shades: one green and one white.

The ‘hi’ VGA version, however, looks different. For some reason, the font is not as tall. Instead of the font filling out the entire area between the level view and the icon bar, there are 4 black scanlines between the level and the font. The icons are the same size and in the same position on screen, so effectively the font is scaled down a bit. It is only 11 pixels high, where the others are 15 pixels high. The font has more shades of green here: four in total. That is still fewer than on the Amiga (I count 7 shades there) and Atari ST (5 shades).

Okay, so there is something going on here. But what exactly? Well, we are being tricked! The game runs in a 16-colour mode on all three systems. However, if you inspect the screenshots closely, you will see that there are actually more than 16 colours on screen. As already mentioned, the font itself uses various shades of green. You don’t see that many shades of green in the level. That implies that the palette is changed between the level and the font.

This explains why the PC version has a ‘lo’ and a ‘hi’ version: Because VGA is not synchronized to the system clock, it is not trivial to change the palette at a given place on screen. While it is possible (see also my 1991 Donut), it will require some clever timer interrupts and recalibrating per-frame to avoid drift. So that explains why they chose to only do this on high performance PCs. On a slow PC, it would slow down the game too much. It also explains why there are 4 black scanlines between the level and the font. Firstly, because of all the different PCs out there, it is very hard to predict exactly how long the palette change takes. So you’ll want a bit of margin to avoid visible artifacts. Secondly, various VGA implementations won’t allow the RAMDAC to read the palette registers while the CPU is updating them. This can lead to black output or artifacts similar to CGA snow. But if all pixels are black, you won’t notice.

So apparently the ‘hi’ version does perform a palette change, where the ‘lo’ version does not. That means the ‘lo’ version can only use colours that are already in the level palette for its font. It also explains why the icons don’t have the brownish colours of the other three versions: the icons also have to make do with whatever is in the palette.

But getting back to the ‘hi’ version… Its icons still don’t look as good as the Amiga and Atari ST versions. We can derive why this is: we do not see any black scanlines between the font and icons. So we know that the ‘hi’ version does not perform a second palette change between font and icons. The Amiga and Atari ST versions do, however. On the PC, this wouldn’t have been practical. They would have had to sacrifice another few black scanlines, and the CPU requirements would have gone up even further. So apparently this was the compromise. That means that a single 16-colour palette is shared between the font and the icons.
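The inference made above (more than 16 colours on screen in a 16-colour mode means the palette was switched mid-frame) can be automated. The following Python script is an added example, not code from the original post or the game: given a screenshot as rows of RGB pixels, it finds the latest scanlines at which a 16-colour display must have switched palettes, which is a lower bound on the switches the game performed. The three screens are constructed to mirror the Amiga, ‘hi’ VGA and ‘lo’ VGA layouts described; the colour values are made up, not taken from the game.

```python
"""Added example: infer palette switches from a 16-colour screenshot.

A 16-colour mode can show at most 16 distinct colours per palette, so if a
screenshot contains more, the palette must have been changed part-way down
the frame. Scanning top to bottom and starting a new palette only when a
scanline would push the running colour set past 16 finds the latest possible
switch points. The screens below are constructed, not real captures.
"""
from typing import List, Set, Tuple

Rgb = Tuple[int, int, int]
MAX_COLOURS = 16  # simultaneous colours in the 16-colour modes discussed


def palette_bands(rows: List[List[Rgb]],
                  max_colours: int = MAX_COLOURS) -> List[Tuple[int, Set[Rgb]]]:
    """Return (first_scanline, colours) for each palette the image needs.

    Greedy: keep extending the current band until adding the next scanline
    would exceed max_colours distinct colours, then start a new band there.
    Raises ValueError if a single scanline already needs more than one palette.
    """
    bands: List[Tuple[int, Set[Rgb]]] = []
    start, current = 0, set()
    for y, row in enumerate(rows):
        row_colours = set(row)
        if len(row_colours) > max_colours:
            raise ValueError(f"scanline {y} alone uses {len(row_colours)} colours")
        if len(current | row_colours) > max_colours:
            bands.append((start, current))
            start, current = y, set(row_colours)
        else:
            current |= row_colours
    bands.append((start, current))
    return bands


def total_colours(rows: List[List[Rgb]]) -> int:
    """Distinct colours in the whole screenshot (what 'more than 16' refers to)."""
    return len({px for row in rows for px in row})


def green_shades(colours: Set[Rgb]) -> int:
    """Count pure green shades in a palette, as the post does for the font."""
    return sum(1 for r, g, b in colours if r == 0 and b == 0 and g > 0)


def band(colours: List[Rgb], height: int, width: int = 16) -> List[List[Rgb]]:
    """Constructed block of scanlines cycling through `colours` across each row."""
    return [[colours[x % len(colours)] for x in range(width)] for _ in range(height)]


# Constructed palettes (sample values, not taken from the game's data files).
BLACK, WHITE = (0, 0, 0), (255, 255, 255)
GREENS = [(0, 32 * i, 0) for i in range(1, 8)]              # 7 shades of green
BROWNS = [(96 + 8 * i, 48 + 4 * i, 16) for i in range(8)]   # 8 earth tones
LEVEL = [BLACK, WHITE, GREENS[3]] + [(16 * i, 8 * i, 255 - 16 * i) for i in range(1, 14)]

# Amiga: level, then a 7-shade font, then icons with their own brown palette.
AMIGA = band(LEVEL, 6) + band([BLACK] + GREENS, 3) + band([BLACK, WHITE] + BROWNS, 3)
# VGA 'hi': 4 black margin lines, a 4-shade font, icons sharing the font's palette.
VGA_HI = (band(LEVEL, 6) + band([BLACK], 4)
          + band([BLACK, GREENS[1], GREENS[3], GREENS[5], GREENS[6]], 2)
          + band([BLACK] + BROWNS, 3))
# VGA 'lo': font and icons drawn only with colours already in the level palette.
VGA_LO = band(LEVEL, 6) + band([BLACK, WHITE, GREENS[3]], 3) + band(LEVEL[:9], 3)

if __name__ == "__main__":
    for name, screen in (("Amiga", AMIGA), ("VGA hi", VGA_HI), ("VGA lo", VGA_LO)):
        bands = palette_bands(screen)
        print(f"{name}: {total_colours(screen)} colours on screen, "
              f"palette switches at scanlines {[y for y, _ in bands[1:]]}")
```

The black margin lines on the ‘hi’ screen are absorbed into the level palette, so the detected switch lands on the first font scanline, which is why the method only ever gives the latest possible switch point.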

Speaking of which, during the in-between screens, the VGA version also changes palette:

The top part shows the level in 16 colours. Then there are a few black scanlines, where the palette is changed to the brown earth colours and the blue shades for the font.

Mind you, that is still a simplification of how it looks on the Amiga:

Apparently the Amiga version changes the palette at every line of text. The PC is once again limited to changing the palette once, in an area with a few black scanlines. In this case, both the ‘lo’ and ‘hi’ versions appear to do the same. Performance was not an issue with a static info screen, apparently.

The Amiga uses 640×200 resolution here. The PC instead uses 640×350. That explains why the PC version has a somewhat strange aspect ratio for the level overview.

But getting back to the font and icons in-game. They do look a bit more detailed on the Amiga than on the Atari ST. And it’s not just the colours, it seems. So what is going on here? Well, possibly the most obvious place to spot it is the level overview in the bottom-right corner. Yes, it has twice the horizontal resolution of the other platforms. Apparently it is running in 640×200 resolution, rather than 320×200.

That explains why the icons look slightly different as well. They are a more detailed high-resolution version than the other platforms. And if we look closer at the font, we see that this is the high-resolution font that is also used in the other screen.

The Atari ST cannot do this, because it does not have a 640×200 mode that is capable of 16 colours. And for VGA, as already said, it’s not possible to accurately perform operations at a given screen position. So if you can’t accurately change palettes, you certainly can’t accurately change display resolution.

So there we have it, three systems with very similar graphics capabilities on paper, yet we find that there are 4 different ways in which the game Lemmings is actually rendered. Clever developers pushing the limits of each specific system.

I suppose the biggest unanswered question is: why does the VGA version have this limitation? Worst-case, you have 3 palettes of 16 colours on screen, which is 48 colours. In mode 13h, you can have 256 colours, so no palette changes would be required. Instead the developers appear to have chosen to use the same 16-colour mode for both EGA and VGA, and only improve the palette for the VGA version. This may be because they use EGA functionality for scrolling and storing sprites offscreen. In mode 13h you wouldn’t have that. You’d have to perform scrolling by copying data around in memory. That may have been too slow. And perhaps they weren’t familiar with mode X. Or perhaps they tried mode X, but found that it was too limiting, so they stuck with EGA mode 0Dh anyway. Or perhaps they figured they’d need separate content for a mode X mode, which would require too much extra disk space. Who knows.

15 Feb 17:23

4 reasons why the dual-chip graphic card trend died

by Ahmad Rafiq

Everybody knows about multi-GPU gaming setups, which were the spectacle of the previous decade. But did you know that mainstream GPUs that had more than one chip on their PCB used to exist? These rendering beasts have been around since 1997, with the Dynamic Pictures Oxygen 402 being one of the first with not two, but four GPU chips on a single PCB.

12 Feb 23:38

Gwed S01E01 1080p WEB H264-FishAndChips

02 Feb 23:19

I can’t believe it took me so long to go back to this very important post :D

28 Jan 15:45

What's so great about being a prankster? You get to meat the best people [Weird]

26 Jan 11:57

If Wayne had gone right to the police, this would never have happened [Dumbass]

15 Jan 18:51

NVIDIA G-Sync Pulsar sounds great, but it will NOT fix video-game stutters

by John Papadopoulos

At CES 2024, NVIDIA announced G-Sync Pulsar. G-Sync Pulsar is the next evolution of Variable Refresh Rate (VRR). This tech aims to improve visual clarity. In its press release, though, NVIDIA claimed that G-Sync Pulsar will offer a stutter-free experience. And, contrary to what the green team stated, G-Sync Pulsar will NOT fix video-game stutters.

The post NVIDIA G-Sync Pulsar sounds great, but it will NOT fix video-game stutters appeared first on DSOGaming.

09 Jan 19:36

S.T.A.L.K.E.R. game engine OpenXRay gets taken down on GitHub

by Liam Dawe

OpenXRay is an improved cross-platform version of the X-Ray Engine, which is the original game engine used in the S.T.A.L.K.E.R. game series by GSC Game World. However, it seems a bad actor got it taken down from GitHub. NOTE: ARTICLE UPDATED.

05 Jan 23:27

I used a Mac with 8GB memory in 2024. Here's how it went.

by Brady Snyder

Memory and storage are in a really strange place as we begin 2024. Some devices have more RAM available than others have in storage, offering mind-boggling amounts of memory. The OnePlus 12, one of the best smartphones right now, offers up to 24GB of RAM, which puts many low and mid-tier computers to shame.

04 Jan 18:10

Beyond Protocols: How Team Camaraderie Fortifies Security

by Joshua Goldfarb

The most efficient and effective teams have healthy and constructive cultures that encourage team members to go above and beyond the call of duty.

The post Beyond Protocols: How Team Camaraderie Fortifies Security appeared first on SecurityWeek.

30 Dec 17:08

Linux 6.7 Will Let You Enable/Disable 32-bit Programs Support At Boot-Time

From the perspective of Linux distributions trying to reduce their attack surface while still making it possible for users to run legacy software without recompiling their kernel, SUSE has spearheaded the effort for boot-time enabling/disabling of x86 32-bit support, which controls whether 32-bit user-space programs and 32-bit system calls can be executed. That code has been submitted for the imminent Linux 6.7 merge window...

20 Dec 03:53

Canada Lays Out Plan To Phase Out Sales of Gas-Powered Cars, Trucks By 2035

by BeauHD

"EV mandates are coming to Canada whether you like it or not," writes Slashdot reader Major_Disorder, sharing a report from the Canadian Broadcasting Corporation. "Here is what my Canadian brothers and sisters need to know." From the report: New regulations being published this week by Environment Minister Steven Guilbeault will effectively end sales of new passenger vehicles powered only by gasoline or diesel in 2035. Guilbeault said the Electric Vehicle Availability Standard will encourage automakers to make more battery-powered cars and trucks available in Canada. "There's no mistaking it. We are at a tipping point," he said, noting sizable growth in EV sales in Canada and demand that has previously outstripped the available supply. Automakers will have the next 12 years to phase out combustion engine cars, trucks and SUVs with a requirement to gradually increase the proportion of electric models they offer for sale each year. The electric-vehicle sales mandate regulations will be published later this week. They are setting up a system in which every automaker will have to show that a minimum percentage of vehicles they offer for sale are fully electric or longer-range plug-in hybrids. It will start with 20 per cent in 2026 and rise slightly to 23 per cent in 2027. After that, the share of EVs will begin to increase much faster, so that by 2028, 34 per cent of all vehicles sold will need to be electric -- 43 per cent by 2029 and 60 per cent by 2030. That number keeps rising until it hits 100 per cent in 2035. Guilbeault said the government is working to revise the national building code to encourage the spread of charging stations. The updated code would ensure that residential buildings constructed after 2025 have the electrical capacity to accommodate the charging stations. [...] The policy will be regulated under the Canadian Environmental Protection Act and will issue credits to automakers for the EVs they sell.
Generally, a fully electric model will generate one credit, with plug-in hybrids getting partial or full credit depending on how far they can go on a single charge. Manufacturers that sell more EVs than they need to meet each year's target can either bank those credits to meet their targets in future years, or sell them to companies that didn't sell enough. They can also cover up to 10 per cent of the credits they need each year by investing in public fast-charging stations. Every $20,000 spent on DC fast chargers that are operating before 2027 can earn the equivalent of one credit. Automakers that come up short for their sales requirements will be able to cover the difference by buying credits from others who exceed their targets, or by investing in charging stations. Automakers can start earning some credits toward their 2026 and 2027 targets over the next two years -- a bid by the government to encourage a faster transition.

Read more of this story at Slashdot.

05 Dec 20:15

Masters of Horror Pro-Life (2006) [720p] [BluRay] [YTS.MX]

Masters of Horror Pro-Life (2006)
IMDB Rating: 5.6/10
Genre: Horror
Size: 525.34 MB
Runtime: 12hr 57 min

Pro-Life, directed by John Carpenter,

27 Nov 19:59

Pentagon’s AI Initiatives Accelerate Hard Decisions on Lethal Autonomous Weapons

by Associated Press

The U.S. military is increasing use of AI technology that will fundamentally alter the nature of war.

The post Pentagon’s AI Initiatives Accelerate Hard Decisions on Lethal Autonomous Weapons appeared first on SecurityWeek.

22 Nov 02:01

What do you and George RR Martin have in common? Neither of you have written any new pages of the Winds of Winter in the past year [Obvious]

12 Nov 02:37

Ten Days Before The Twilight Zone Premiered, Mike Wallace Asked Rod Serling A Question That Aged Badly

by William Bibbiani

Rod Serling correctly envisioned that a commercial work of art also had the power to inform and subvert, and he did just that with The Twilight Zone.

11 Nov 17:31

The Invincible Review – Exploring the Unknown

by Ule Lopez

What makes us ourselves? What awaits us in the vast confines of space? Are the hidden mysteries meant for us to be found? These questions are all tackled by the game The Invincible (not to be mistaken with the series of the same name). This game, based on a popular Polish sci-fi novel written by Stanisław Lem, puts us in the role of a space traveler who discovers a secret that probably shouldn't have been discovered to begin with. The game is essentially a walking simulator. As such, you are going to have to keep that in mind when unpacking […]


11 Nov 01:29

From classroom to cyberfront: Unlocking the potential of the next generation of cyber defenders 

by Tina Romeo

In a world where the digital frontier is expanding and cyberattacks are becoming more sophisticated with speed and scale, the guardians of our virtual realms have never been in greater demand.1 It’s important to leverage this year’s Cybersecurity Awareness Month to celebrate the people who keep us safe and to raise visibility on the need for education and awareness—for everyone. With a staggering 3.4 million unfilled cybersecurity jobs, almost 70 percent of organizations report not having enough cybersecurity staff to be effective.2

And security leaders are sounding the alarm as they want to keep cybersecurity professionals equipped with the right resources to avoid burn out. Yet, this isn’t merely about technical prowess. The ideal cybersecurity workforce harmoniously merges technical expertise with invaluable soft skills. While cutting-edge technology offers part of the remedy, the heart of our defense lies in human expertise—the minds that craft strategies, wielding these tools to ward off potential cyberthreats. The gap in cybersecurity talent is a collective concern, and Microsoft is eager to support the mission to bridge this gap through educational programs that include diversity, providing guidance to security professionals and their organizations on how to be cybersmart and generative AI technology to augment the talent that prevails.


Be Cybersmart

Help educate everyone in your organization with cybersecurity awareness resources and training curated by the security experts at Microsoft.

Debunking myths about cybersecurity careers

There are still a lot of misconceptions about what is required to be a successful professional in this industry.

Common fallacies that may hold people back from exploring cybersecurity careers include that only science, technology, engineering, and mathematics graduates—or college graduates in general—can get cybersecurity jobs. The industry is growing more inclusively and attracting a broader range of people, including professionals outside IT. In fact, half of employees younger than 30 join the industry with a non-IT background.3 To take on cybersecurity challenges, security teams must be as diverse as attackers in terms of background, race, and gender. As we like to say, the door is open for anyone to become a cyber defender.

“Almost everything needs cybersecurity. It’s just going to keep growing and it will never go away, so we need more people in it. To get people into cybersecurity we need to break that stigma of what the industry is about. Cybersecurity is not just coding, and we legitimately need all types of people, like psychology majors, English majors, business majors, besides computer science, because there are so many different areas you can get into,” says Caitlin Sarian, also known as Cybersecurity Girl, a prominent digital influencer who joined an episode of our Secure the Job Podcast and whose main goal is to help more people understand cybersecurity and consider joining the industry.

“We need to change the security narrative from fear-filled dark tones to hope-filled, optimistic, innovative tones for several reasons. First and foremost, security is a prime driver for innovation, and it needs to inspire and empower people. If we don’t involve everyone, if we continue to think of security as exclusive and fear-filled, then we are creating barriers to entry for defenders to participate,” says Vasu Jakkal, Corporate Vice President, Security, Compliance, Identity, and Management, Microsoft.

Creating real impact in a new and more diverse generation of cybersecurity experts

We take the cybersecurity talent gap seriously and are committed to doing our part to help close it. In 2021, we launched a national campaign with United States community colleges to skill and recruit 250,000 people into the cybersecurity workforce by 2025 and in summer 2023 we made this mission global by expanding this program to 28 countries. Furthermore, the school 42 initiative provides Microsoft Cybersecurity Curriculum and facilitates the completion of Microsoft Certification (SC900) in campuses worldwide. Additionally, with programs like Technology Education and Learning Support (TEALS) and the Last Mile Microsoft Scholarship, and partnerships with organizations such as Codepath, we’re not only taking computer science and cybersecurity learning to students, but we’re also going the full circle in providing the financial support many families need to enable students to continue their educational pathway.

However, there is still a long way to go, and we know that one way to reduce the skills gap is to bring more underrepresented groups into the workforce. One important effort we’ve been focusing on is attracting more women to the industry. Women offer diverse points of view, deep analytics and risk assessment skills, and emotional intelligence that are hallmarks for a successful cyber defender, but they represent around only 25 percent of the cybersecurity workforce today.4 In a Microsoft-commissioned survey, we learned that the reasons for this underrepresentation include gender bias, not enough female mentors and role models, insufficient education opportunities, and uncertainty about cybersecurity career pathways.5 That’s why we partner globally with projects that practice similar values and have the same commitment to diversity in cybersecurity, such as Minorities in Cybersecurity, Executive Women’s Forum, and WOMCY. In the United States, two of our main education partners, Women in Cybersecurity (WiCyS) and Girl Security, have been recently recognized by the White House’s National Cyber Workforce and Education Strategy as key players in changing the diversity landscape of the cybersecurity workforce.

“Part of the challenge is driving the message that diversity is not just about numbers. It’s about innovating security solutions that we can’t possibly conceive right now because we don’t have diverse voices in the room to yield those outcomes. When we bring first-generation college and immigrant students to the table, the effects are remarkable.”

—Lauren Buitta, Chief Executive Officer and Founder, Girl Security

At Microsoft we’ve also been using technology innovation to spread interest in cybersecurity while doing it earlier in the process, as early exposure strongly impacts career choices in the future. To help with that and to enable kids from all ages to behave safer online, we’ve developed the Minecraft Education Cybersecurity Collection, with levels that go from kindergarten to college and focus on teaching cyberskills at every level with fun, accessible lessons for the modern digital citizen, followed by learning resources.

This graphic shows the Minecraft Education Cybersecurity Collection games.

How AI is empowering a stronger workforce

The latest generative AI revolution has gotten plenty of people excited because of its potential to advance business initiatives, but there’s also a great potential impact of AI adoption in cybersecurity talent. Vasu Jakkal recently shared how AI can improve cybersecurity by harnessing diversity and offered other suggestions for how to encourage cybersecurity interest.6 Human ingenuity and expertise will always be a precious and irreplaceable component of security, and AI has the power to tip the scales in favor of cyber defenders by augmenting human capabilities, enabling machine speed cyberthreat detection, and fostering a stronger collective skillset of diverse backgrounds and points of view.

Among other things, generative AI also has the potential to expand the number of cybersecurity professionals and help them refine and strengthen their skills. Using AI tools in recruiting can also help “transcend biases, optimize talent acquisition, promote inclusive training and education,” and lead to more hiring of diverse candidates.7

Recognizing the increasing importance of AI skills in the global workforce, Microsoft has launched the AI Skills Initiative to enhance AI education and address emerging skills gaps. In partnership with LinkedIn, the initiative offers a Professional Certificate on Generative AI and the Generative AI Skills Grant Challenge, a collaboration with other organizations that focus on underserved communities.

Champion the advocacy to propel cybersecurity education and careers forward

There is a lot we all can do to support cybersecurity education and help narrow the skills gap. If you’re a security professional, consider being a sponsor for someone or supporting one of these many mentoring programs mentioned in this blog.

Many remain unaware of the vast opportunities awaiting them in cybersecurity, so we invite you to amplify these prospects to a broader audience. Check with your local area school whether they have a TEALS program and let them know about the career path the Last Mile Education Fund offers. Amplify free cybersecurity content, training, and learning opportunities by earning the Microsoft and LinkedIn Career Essentials Certificate, and show the wonders the Minecraft Cybersecurity education game can provide to the younger generation.

In the spirit of security being a team sport, explore our Cybersecurity Awareness Website to continue your education and to help educate your organization and community. It takes a village to make a difference in the lives of others and to support our cybersecurity professionals who tirelessly keep us safe. It is vital that no matter what role we play in our workplace, family or community, we all become a cyber defender.

Learn more

To learn more about cybersecurity best practices and educational opportunities, visit our Cybersecurity Awareness Website.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and Twitter (@MSFTSecurity) for the latest news and updates on cybersecurity.

1. Microsoft Digital Defense Report 2023, Microsoft.

2. Cybersecurity Workforce Study, ISC2. 2022.

3. Attracting Young Talent to the Growing Cybersecurity Industry, JonesPR. May 13, 2020.

4. Empowering Women to Work in Cybersecurity Is a Win-Win, BCG. September 7, 2022.

5. Results based on March 2022 IWD Survey commissioned by Microsoft in partnership with WE Communications.

6. How AI can improve cybersecurity by harnessing diversity, according to Microsoft Security’s Vasu Jakkal, Dan Patterson. August 25, 2023.

7. The Power of AI to Enhance Diversity in Security: Strengthening Defences through Inclusion, LinkedIn. July 2, 2023.

The post From classroom to cyberfront: Unlocking the potential of the next generation of cyber defenders  appeared first on Microsoft Security Blog.

05 Nov 21:19

M3, M3 Pro, Criticized In New Report, Base Apple Silicon ‘Doesn’t Move The Needle Considerably’ But M3 Max ‘Is Quite A Feat’

by Omar Sohail

Apple's latest M3, M3 Pro and M3 Max

Apple’s latest 3nm family of Mac chipsets includes the M3, M3 Pro, and the M3 Max, and based on various performance tests and leaks, two of them are considered iterative updates over their direct predecessors, while one of them is viewed as a worthy upgrade. In a new report, the base SoC and the M3 Pro are largely criticized as they do not bring anything noteworthy.

M3 Max performance compared to desktop chips like the M2 Ultra that power the Mac Studio and Mac Pro

In the latest edition of Mark Gurman’s ‘Power On’ newsletter, the Bloomberg reporter provided his […]


04 Nov 00:16

Distribute Cybersecurity Tasks with Diffusion of Responsibility in Mind

by Lenny Zeltser

The notion that security is everyone’s responsibility in computer systems dates back to at least the early 1980s when it was included in a US Navy training manual and hearings in the US House of Representatives. Behind the pithy slogan is the idea that every person in the organization contributes to its security program. Even if the company has employees with “security” in their title, they cannot safeguard information assets on their own. After all, people outside the security team are the ones who deliver services, build products, or otherwise engage in business activities that require making security-related decisions.

Can Everyone be Responsible?

How might we distribute cybersecurity tasks and operationalize the perhaps utopian idea that "security is everyone's responsibility"? After all, the diffusion of responsibility principle suggests that people feel less responsible when they are part of a group, possibly because they think someone else will take action.

Saying that security is “everyone’s responsibility” might lead to it being “nobody’s responsibility.” To distribute security responsibilities among the stakeholders, we need to counteract the diffusion of responsibility. We should clarify expectations, hold people accountable, and establish a personal connection between the stakeholders and the affected items.

Clarify Expectations

Cybersecurity leaders generally design and manage the security program, which is the structure within which the organization can achieve its security objectives. Within that program, teams with “security” in their name have responsibilities such as:

  • Identifying and tracking the remediation of security vulnerabilities
  • Engineering systems for enforcing security measures
  • Monitoring and investigating security events
  • Documenting secure configuration guidelines, templates, and practices
  • Providing security guidance to business stakeholders
  • Noticing when security expectations aren't followed

Who should be fixing vulnerabilities, incorporating security principles into projects, and deploying technology in a security-appropriate way? In most cases, these tasks are distributed throughout the organization. 

Members of specific teams are typically assigned security responsibilities in the company’s security policies and procedures, which communicate expectations such as:

  • DevOps or IT teams patch systems according to risk-based, agreed-upon timelines.
  • Procurement or Legal teams incorporate security reviews of vendors according to a defined process and include necessary security requirements in contracts.
  • People or HR teams screen new hires according to specific background check requirements.

For capturing expectations in great detail, we can use some form of a responsibility matrix, such as RACI, to capture who should be responsible, accountable, consulted, and informed for specific security-related activities. In addition to documenting expectations, the discussions that lead to creating a responsibility matrix can surface disagreements or coverage gaps so the organization has the opportunity to address them.

More broadly, organizations typically rely on the security awareness program to clarify which security responsibilities apply to all personnel, including items such as:

  • Handling information according to the company’s guidelines and the organization’s approach to data classification
  • Watching out for suspicious activities that might indicate a cybersecurity event or a scam and reporting them for investigation
  • Using established templates, libraries, and standards that incorporate security requirements or guardrails when engaging in business activities
  • Reaching out to the security team for guidance as appropriate, such as when launching new projects that require security or privacy considerations

Having clarified what members of the company’s cybersecurity program should do, we need to consider how to track whether these responsibilities are followed and, where practical, enforce the expectations.

Enforce Accountability

Even with the best intentions, those whose primary job isn’t cybersecurity will sometimes forget or not follow through on their security-related responsibilities. To increase the chances that the distributed security measures will be in effect, we can use a combination of three approaches:

  • Enforce security expectations using technology to prevent insecure choices or actions. For example, security teams can configure user authentication to require two-factor authentication (2FA) instead of merely reminding employees to enable 2FA. In another example, software development tools can be set up to block code commits that include secrets or vulnerable dependencies. Such measures eliminate the opportunity for non-compliance; however, direct enforcement doesn’t work for all security controls and situations. For instance, some applications don’t allow the organization to centrally control 2FA settings.
  • Implement guardrails against severe risks when people take actions or make decisions outside the boundaries the organization considers reasonable. For example, infrastructure-as-code tooling, such as Terraform, allows the creation of preapproved modules with minimum security requirements while letting engineers control other aspects of the infrastructure. Similarly, software developers might need to follow strict change control practices in production while having more leeway in dev environments. Another example of guardrails is the use of network security measures, such as DNS filtering, to restrict access to dangerous website categories.
  • Monitor for gaps and take action when the right security steps aren’t taken. Observing security-related activities through log aggregation is one part of this. Another is continuous compliance monitoring, which aims to automate the tracking of security controls. For instance, to confirm that background checks occur, we can query HR and background-checking systems to detect missed employee screenings. Modern asset management approaches likewise gather data from multiple sources to identify gaps; for example, organizations can correlate data from systems management and endpoint security tools to identify systems with missing security agents.
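The two continuous-compliance checks named in the last bullet (missed background checks, and managed systems without a healthy endpoint agent) are both joins across exports from different systems. The script below is an added example, not from the article, and assumes each system can export a simple CSV; the column names, hostnames, employee IDs and dates are constructed placeholders. It also handles two things that bite in practice: hostnames that differ only in case between tools, and agents that are installed but have stopped checking in.

```python
"""Continuous compliance checks over constructed inventory exports.

Added example (not from the article). Assumes each source exports a CSV:
  * systems management tool:   hostname, owner, last_seen
  * endpoint security console: hostname, agent_version, last_checkin
  * HR system:                 employee_id, start_date
  * background-check vendor:   employee_id, completed_date
All sample data below is constructed; hostnames and IDs are placeholders.
"""
import csv
import io
from datetime import date, timedelta
from typing import Dict, List

# Constructed exports. Note the case mismatch on lap-0001 and the stale agent on srv-0010.
SYSTEMS_MGMT_CSV = """hostname,owner,last_seen
lap-0001,alice,2024-05-01
lap-0002,bob,2024-05-01
srv-0010,devops,2024-05-01
srv-0011,devops,2024-04-30
"""
ENDPOINT_CSV = """hostname,agent_version,last_checkin
LAP-0001,7.2.1,2024-05-01
srv-0010,7.2.1,2024-04-01
"""
HR_CSV = """employee_id,start_date
E100,2024-04-15
E101,2024-04-20
E102,2024-04-29
"""
BG_CHECK_CSV = """employee_id,completed_date
E100,2024-04-10
"""

# Fixed "today" so the example is reproducible offline.
TODAY = date(2024, 5, 1)


def _rows(text: str) -> List[Dict[str, str]]:
    """Parse a CSV export into a list of dicts keyed by header."""
    return list(csv.DictReader(io.StringIO(text)))


def hosts_missing_agent(systems_csv: str, endpoint_csv: str,
                        max_checkin_age_days: int = 7, today: date = TODAY) -> List[str]:
    """Hosts known to systems management with no endpoint agent, or an agent that
    has not checked in within max_checkin_age_days. Hostnames are normalised to
    lower case before the join, since tools rarely agree on case."""
    managed = {r["hostname"].strip().lower() for r in _rows(systems_csv)}
    agents = {r["hostname"].strip().lower(): r for r in _rows(endpoint_csv)}
    stale_before = today - timedelta(days=max_checkin_age_days)
    gaps = []
    for host in managed:
        agent = agents.get(host)
        if agent is None or date.fromisoformat(agent["last_checkin"]) < stale_before:
            gaps.append(host)
    return sorted(gaps)


def missed_screenings(hr_csv: str, bg_csv: str, today: date = TODAY) -> List[str]:
    """Employees who have already started but have no background check completed
    on or before their start date. Future start dates are skipped because the
    check may legitimately still be in progress."""
    completed = {r["employee_id"].strip(): date.fromisoformat(r["completed_date"])
                 for r in _rows(bg_csv)}
    missed = []
    for r in _rows(hr_csv):
        emp = r["employee_id"].strip()
        start = date.fromisoformat(r["start_date"])
        if start > today:
            continue
        done = completed.get(emp)
        if done is None or done > start:
            missed.append(emp)
    return sorted(missed)


if __name__ == "__main__":
    print("hosts without a healthy agent:", hosts_missing_agent(SYSTEMS_MGMT_CSV, ENDPOINT_CSV))
    print("employees missing a screening:", missed_screenings(HR_CSV, BG_CHECK_CSV))
```

On the sample data this flags lap-0002 and srv-0011 (no agent at all) and srv-0010 (agent silent for a month), while lap-0001 is correctly matched despite the case difference; on the HR side E101 and E102 started without a completed check. In a real deployment the output feeds a ticket or a reminder to the owner recorded in the systems-management export, which is what turns monitoring into accountability.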

Of the many security controls, ensuring accountability for patch management is particularly challenging because this practice often distributes responsibilities across multiple teams. The software might be patched by DevOps, IT, developers, external vendors, and so on. It’s even possible to assign some patching responsibilities to end users as long as accountability is tracked. For example, people might be allowed to install approved applications that are not centrally managed by the IT team. In that case, the individuals should be keeping the apps up to date. Organizations can use automated tools to track when the apps are not maintained and contact end users, reminding them to take action (see a real-world example of this).

Make It Personal

We’ve been exploring ways of counteracting the diffusion of responsibility as we distribute security tasks. Communicating expectations and enforcing accountability are part of the effort to ensure that people don’t ignore their responsibilities. Another way to fight the diffusion of responsibility is to establish a personal connection between the person and the task at hand. What does this mean in the context of cybersecurity?

People get accustomed to the systems they use at work. Many start to think of the company-supplied laptop as “their” laptop. To some extent, they consider the folders where they keep work documents as “their” folders and the applications they’ve customized as “their” apps. The security team can point to this attachment to highlight the person’s connection to such assets, so they’re more likely to remember their related security responsibilities. For example:

  • When end users have patching responsibilities for their laptops, for instance, if they need to reboot the system or allow an update to be applied, remind people that these are their systems. Keeping the laptop in top shape allows them to do their best work.
  • When people need to remember to include security in projects or design discussions, highlight the benefits of keeping their data secure, which they’re more likely to achieve when considering a security expert’s advice. Addressing security risks upfront will minimize the chances of a disruption to their project.
  • When highlighting the need for colleagues to safeguard data shared with third parties, point out that their interactions might be compromised if they don’t follow the necessary security measures. Not only will the company look bad if the data is mishandled or misused, but so will they.

When sharing security responsibilities across stakeholders, also point to the shared business objectives that the organization’s personnel are looking to achieve. To be successful, colleagues should understand the organization’s business goals and how their security responsibilities can enable or hinder the company from reaching them. By framing security tasks in that context, you’re more likely to establish a security program that scales in a way that security will truly be everyone’s responsibility.

01 Nov 20:36

Power Up Anywhere With Up to 48% Off Anker Power Stations - CNET

by Adrian Marlow
Amazon has major discounts on power stations, solar panels and power banks right now to keep all of your essential devices charged wherever you go.
06 Oct 10:44

Dungeons of Eternity is the best alternative to traditional DnD

by Niall Walsh

There can be no doubting the resurgence of Dungeons and Dragons over the last few years. It has once again stepped into the pop culture spotlight, and few video games, with the exception of Baldur's Gate 3, have managed to capitalize on this. Enter, Dungeons of Eternity.

27 Sep 02:06

GPUs From All Major Suppliers Are Vulnerable To New Pixel-Stealing Attack

by BeauHD
An anonymous reader quotes a report from Ars Technica: GPUs from all six of the major suppliers are vulnerable to a newly discovered attack that allows malicious websites to read the usernames, passwords, and other sensitive visual data displayed by other websites, researchers have demonstrated in a paper (PDF) published Tuesday. The cross-origin attack allows a malicious website from one domain -- say, -- to effectively read the pixels displayed by a website from, or another different domain. Attackers can then reconstruct them in a way that allows them to view the words or images displayed by the latter site. This leakage violates a critical security principle that forms one of the most fundamental security boundaries safeguarding the Internet. Known as the same origin policy, it mandates that content hosted on one website domain be isolated from all other website domains.

[...] works only when the malicious attacker website is loaded into Chrome or Edge. The reason: For the attack to work, the browser must:

  1. allow cross-origin iframes to be loaded with cookies
  2. allow rendering SVG filters on iframes and
  3. delegate rendering tasks to the GPU

For now, is more of a curiosity than a real threat, but that assumes that Web developers properly restrict sensitive pages from being embedded by cross-origin websites. End users who want to check if a page has such restrictions in place should look for the X-Frame-Options or Content-Security-Policy headers in the source.

"This is impactful research on how hardware works," a Google representative said in a statement. "Widely adopted headers can prevent sites from being embedded, which prevents this attack, and sites using the default SameSite=Lax cookie behavior receive significant mitigation against personalized data being leaked. These protections, along with the difficulty and time required to exploit this behavior, significantly mitigate the threat to everyday users. We are in communication and are actively engaging with the reporting researchers. We are always looking to further improve protections for Chrome users." An Intel representative, meanwhile, said that the chipmaker has "assessed the researcher findings that were provided and determined the root cause is not in our GPUs but in third-party software." A Qualcomm representative said "the issue isn't in our threat model as it more directly affects the browser and can be resolved by the browser application if warranted, so no changes are currently planned." Apple, Nvidia, AMD, and ARM didn't comment on the findings. An informational write-up of the findings can be found here.

Read more of this story at Slashdot.
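The mitigation the post points to is whether a sensitive page can be embedded cross-origin at all, as decided by the `X-Frame-Options` header and the Content-Security-Policy `frame-ancestors` directive. The function below is an added example (not from the Slashdot post, Ars Technica or the paper) that a site owner can run over their own response headers to get a clear verdict; the header sets it is exercised on are constructed. It applies the precedence browsers use: a `frame-ancestors` directive, when present, overrides `X-Frame-Options`, and the obsolete `ALLOW-FROM` value is treated as offering no protection because current browsers ignore it.

```python
"""Classify a page's framing policy from its response headers.

Added example; not code from the reporting researchers or from any browser vendor.
Checks the two mechanisms the post names (X-Frame-Options and the CSP
frame-ancestors directive). The header sets below are constructed.
"""
from typing import Dict, Tuple

# Constructed sample responses, keyed by a descriptive label.
SAMPLE_HEADERS: Dict[str, Dict[str, str]] = {
    "both headers set": {
        "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
        "X-Frame-Options": "SAMEORIGIN",
    },
    "legacy xfo only": {"x-frame-options": "deny"},
    "no restriction": {"Content-Type": "text/html; charset=utf-8"},
    "partner allow-list": {
        "Content-Security-Policy": "frame-ancestors 'self' https://partner.example",
    },
    "obsolete allow-from": {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
}


def framing_policy(headers: Dict[str, str]) -> Tuple[str, str]:
    """Return (verdict, reason) for a set of response headers.

    verdict is one of:
      "blocked" - cross-origin embedding is refused (frame-ancestors 'none'/'self',
                  or X-Frame-Options DENY/SAMEORIGIN)
      "partial" - only an explicit allow-list of origins may embed the page
      "open"    - nothing stops an arbitrary origin from embedding the page
    Header names are matched case-insensitively. A frame-ancestors directive takes
    precedence over X-Frame-Options, which is how browsers resolve the two.
    """
    lowered = {name.lower(): value for name, value in headers.items()}

    csp = lowered.get("content-security-policy", "")
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = [s.strip("'").lower() for s in parts[1:]]
            # An empty source list matches nothing, the same as 'none'.
            if not sources or sources == ["none"]:
                return "blocked", "CSP frame-ancestors 'none'"
            if sources == ["self"]:
                return "blocked", "CSP frame-ancestors 'self' (same-origin only)"
            if "*" in sources:
                return "open", "CSP frame-ancestors allows any origin"
            return "partial", "CSP frame-ancestors allow-list: " + " ".join(sources)

    xfo = lowered.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return "blocked", f"X-Frame-Options {xfo}"
    if xfo.startswith("ALLOW-FROM"):
        return "open", "X-Frame-Options ALLOW-FROM is ignored by current browsers"
    if xfo:
        return "open", f"unrecognised X-Frame-Options value {xfo!r}"
    return "open", "no framing restriction header present"


if __name__ == "__main__":
    for label, headers in SAMPLE_HEADERS.items():
        verdict, reason = framing_policy(headers)
        print(f"{label:20} -> {verdict:8} ({reason})")
```

A "blocked" verdict removes the embedding precondition the post describes; "partial" means the listed origins still need to be trustworthy, and "open" is the case to fix on any page that renders per-user content. As the Google statement notes, `SameSite=Lax` cookies are a separate, complementary mitigation that this header check does not evaluate.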

07 Sep 20:24

Starfield players are using physics to steal, in classic Bethesda fashion

by Eric Van Allen


A few things are inevitable in life. Death and taxes, of course. And then there's Bethesda games having weird, physics-y ways of getting around its systems, as Starfield players are currently doing to steal their way across the galaxy.

On social media, various Starfield players are popping up with examples of using the physics of Starfield to steal some good loot out from under guards and NPCs. Usually, when you pick up an item in Starfield that you're not supposed to (noted by the red icon in the corner of its pop-up description), guards will be alerted. And, in my experience, they respond pretty quickly and violently.

While some games have let you get away with picking up the object and relocating it somewhere where no one can see, that doesn't always work in Starfield. Picking up an object counts as stealing, so if someone sees you do it, it triggers the alarm. The method for getting around this, it seems, is to simply move objects with another object.

As GoogleyGareth shows, dragging an object around to move other objects will let you relocate Starfield loot for an easy steal. You can do this by either grabbing something that doesn't count as stealing, quietly nabbing an object away from prying eyes and bringing it over, or dropping an object from your inventory.

Starfield players are already getting pretty creative with this, too. A clip from a Japanese streamer using both a pushing object and a container to gather up massive amounts of credits from a card table, in front of the players, has made the rounds too.

It does seem to all work, but I can't leave it at just clips. I had to test this for myself, of course.

A layperson's guide to fun with physics and theft in Starfield

I went out to Neon, popped over to Madame Sauvage's, and thought I'd try my hand at this trick to see if it truly worked. First, I needed to learn how to pick up items; the game does not explicitly tell you, but hold E over items on PC to lift them. It works on anything you can put in your inventory, as well as environmental objects. Be careful though, as again, picking up items can be seen as stealing, and some otherwise innocuous things like garbage cans or buckets also count as theft.

I recommend either bringing your own receptacle and/or pushing your object of choice, or finding something you won't get in trouble for stealing. I grabbed a nearby succulent. Apparently, Madame Sauvage doesn't want her buckets disappearing but does not care about customers walking out with plants.

Nearby, I located some liquid-filled bottles with the telltale red marker, and started pushing them around with my succulent. Despite creating quite a ruckus — and even re-enacting those bottle-breaking TikToks at one point — no one really seemed to care I was sending precious property ricocheting around the bar.


I pushed it all the way to the bathroom and into a stall, where I could then safely lift my newly acquired property. Even through several re-tests and literally sweeping the bar off in front of everyone using my succulent-in-crime, no one cared. It works! And genuinely, I hope it keeps working. This is too much fun to not leave in. Just like the infamous bucket-on-the-head trick in The Elder Scrolls, I hope bucket-pushing becomes a new go-to for stealing items in Starfield.

The post Starfield players are using physics to steal, in classic Bethesda fashion appeared first on Destructoid.

04 Sep 10:58

Old and busted: Swallows returning to Capistrano. New hotness: Giant inflatable ducks returning to Belfast Harbor, Maine [Strange]

29 Aug 14:19

Meta Fights Sprawling Chinese ‘Spamouflage’ Operation

by AFP

Meta has purged thousands of Facebook accounts that were part of a widespread online Chinese spam operation trying to covertly boost China and criticize the West.

The post Meta Fights Sprawling Chinese ‘Spamouflage’ Operation appeared first on SecurityWeek.

21 Aug 00:24

Windows 11 version 23H2: Everything you need to know

by João Carrasqueira

Windows 11 is in a constant state of flux, getting new updates on a regular basis to improve the experience. The first big Windows 11 update was version 22H2, which came around last year, and since then, we've been getting smaller Moment updates that add new features and capabilities. The latest of those is the Moment 3 update, which was released in June 2023. But we're already looking at what the future holds, because the next big update, Windows 11 version 23H2, isn't too far off.

20 Aug 11:14

Disney Spent $100 Million Making Willow, Then Threw It In The Bin

by Hannah Shaw-Williams
Financial statements have revealed that Willow, which was removed from Disney+ after less than six months, cost over $100 million to produce.

20 Aug 11:01

TMNT's Disastrous First Rehearsal Bled Into Raphael's Angry Persona

by Witney Seibold
The character Raphael was full of anger in 1990's Teenage Mutant Ninja Turtles. It turns out there was a behind-the-scenes reason why.

16 Aug 18:28

The US Is Turning Away From Its Biggest Scientific Partner at a Precarious Time

by msmash
One of the most productive scientific collaborations of the 21st century is pulling apart, as deteriorating relations between the U.S. and China lead researchers to sever ties. From a report: The decoupling, which began in recent years with investigations into Chinese researchers in the U.S., has accelerated as tensions have risen between the superpowers. Now some U.S. lawmakers are pushing to let a landmark agreement to cooperate on science and technology, signed in 1979 and renewed routinely since, expire this month. China has built itself into a powerful engine of scientific discovery in recent decades, partly with American help, and many in Washington fear that China could gain a security and military advantage unless the U.S. takes decisive steps to cut off cooperation in scientific research. Many scientists warn, however, that Washington would be severing ties as China is making its greatest contributions to scientific advancements, and cutting it off risks slowing American progress in critical areas such as biotechnology, clean energy and telecommunications. While the U.S. remains the world's pre-eminent science power, fundamental scientific research has grown borderless in the era of globalization, much as business has. More than 40% of America's scientific production -- measured by the number of high-quality papers that U.S.-based scientists produce -- involves cooperation with researchers abroad, according to Clarivate, a London-based data firm that tracks global scientific research. China and the U.S. are each other's No. 1 partner in producing scientific research, with collaborative research between the two consistently among the most-cited papers across fields, according to an analysis of Clarivate's data by Caroline Wagner, a professor of public policy at Ohio State University.
