Thursday, 10 April 2014

A Practical End-User's Guide to Heartbleed

(Disclaimer: I'm just a normal programmer and do not know what I'm talking about. I'm writing this for my friends. I accept no responsibility or liability arising from the content herein.)

Etymology & Definition

The name comes from a concept called a "heartbeat".
When computers call each other they tend to be quite curt and hang up the moment they've got the information they wanted. A heartbeat is a form of nagging where one computer sends meaningless data through and demands a response with the intention of keeping the line open. (CPUs are not known for their charm.)

Transport Layer Security/Secure Sockets Layer (TLS/SSL - TLS being the newer version essentially) is the little padlock that appears in the address bar of your browser when you are securely connected to a website.

Newer versions of SSL have a heartbeat feature perhaps intended for interactive websites such as chat services or games that are very "chatty", for whom making a fresh call every time they want to communicate would be prohibitively time consuming.

SSL's heartbeat says the server should return any heartbeat data the client sends as is. So if the client sends it "Are we there yet?", the server sends back "Are we there yet?". This is a technique called an echo.

A specific implementation of SSL called OpenSSL (used by ~2/3rds of web servers) has a bug that allows the client to send through "Are" and receive "Are<random contents of server memory>" back. It does this by telling the server that it has actually sent 17 characters through but only sending 3.  Since the server is expecting to echo something back that is 17 characters long, it fills in the remaining 14 from whatever piece of memory is next to the place where it put the incoming 3 characters.
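The length mismatch described above, as an added example (not OpenSSL's code and not part of the original post): a toy echo handler that trusts the length the client claims, next to one that checks it against what actually arrived. The names `server_mem`, `reply`, `echo_trusting` and `echo_checked`, and the neighbouring "secret", are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the server's memory: the bytes that really
 * arrived sit at the start, and unrelated data lives right after them. */
#define MEM_SIZE 64
unsigned char server_mem[MEM_SIZE];
unsigned char reply[MEM_SIZE];   /* buffer the echo is written into */

/* Store a received heartbeat payload, followed by a constructed "secret"
 * that stands for whatever else the server happened to have in memory. */
void load_request(const char *payload, size_t actual_len)
{
    static const char neighbour[] = "password=hunter2"; /* constructed sample */
    size_t nlen = sizeof neighbour - 1;

    memset(server_mem, 0, MEM_SIZE);
    if (actual_len > MEM_SIZE - nlen)
        actual_len = MEM_SIZE - nlen;        /* keep the demo inside the array */
    memcpy(server_mem, payload, actual_len);
    memcpy(server_mem + actual_len, neighbour, nlen);
}

/* Buggy echo: copies as many bytes as the client CLAIMS to have sent.
 * Returns the number of bytes written to out. */
size_t echo_trusting(size_t claimed_len, unsigned char *out, size_t out_cap)
{
    if (claimed_len > out_cap || claimed_len > MEM_SIZE)
        return 0;                            /* only so the demo stays defined */
    memcpy(out, server_mem, claimed_len);    /* reads past the real payload */
    return claimed_len;
}

/* Fixed echo: a claimed length larger than what actually arrived is
 * discarded without a reply. Returns the number of bytes written to out. */
size_t echo_checked(size_t claimed_len, size_t actual_len,
                    unsigned char *out, size_t out_cap)
{
    if (claimed_len > actual_len)            /* the missing bounds check */
        return 0;
    if (claimed_len > out_cap)
        return 0;
    memcpy(out, server_mem, claimed_len);
    return claimed_len;
}

int main(void)
{
    size_t n;

    /* The case from the text: 3 characters sent, 17 claimed. */
    load_request("Are", 3);

    n = echo_trusting(17, reply, sizeof reply);
    printf("trusting handler returned %zu bytes: ", n);
    fwrite(reply, 1, n, stdout);
    putchar('\n');

    n = echo_checked(17, 3, reply, sizeof reply);
    printf("checked handler returned %zu bytes\n", n);

    n = echo_checked(3, 3, reply, sizeof reply);
    printf("honest request echoed %zu bytes: ", n);
    fwrite(reply, 1, n, stdout);
    putchar('\n');
    return 0;
}
```

The only difference between the two handlers is the comparison of the claimed length with the length that really arrived, which is why the fix was small once the bug was found.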

This kind of security hole is very old, very well known, easy to fix and a little unbelievable in something like OpenSSL. I'll leave the conspiracy theories to others though.

What can a hacker do with Heartbleed?

I have to reiterate that I could be quite wrong about much of this.

They can theoretically get the private key of the server in question. The secrecy of this key is the foundation on which many many other kinds of intrusions are prevented. Once they have this they'll be able to use a wide range of techniques to do all sorts of stuff.

It is very likely that a Heartbleed request will be stored within 64KB (the maximum read size of a single Heartbleed request) of someone's session ID or login request.  This does allow them to login as you and your password will be visible as plain text.

Repeating myself - what they can do by combining Heartbleed with other techniques likely goes far beyond what I've mentioned here.

The outcome is the same - servers need to change their locks (get new keys) and do a thorough sweep, if not reinstall, of their servers.  This is arguably a very good thing and might be a bit of a disaster for government surveillance.

What should we users do?

Firstly, if you have an existing session ("remember me") with a large site like Google, you're probably ok to keep using it.
This is because their throughput is so large that memory on the dedicated SSL server containing sessions is probably cycled so fast that it is less likely your session will be picked up in transit.  If it is, it might be picked up by a script-kiddie or hacking enthusiast that has comparatively tame/lame intentions.

However, in no circumstances should you login using your password or change your password for at least a week for large, well maintained sites and probably a great deal longer for smaller sites.

This will definitely expose your password as, even if it is processed on another server, it is decrypted on the SSL server and will be available as plain text to Heartbleed attacks.

It is important to note that the act of using an existing session will expose it to Heartbleed attacks.  I can't work without Google though so I kinda have to use my session - I won't be logging in for a while though.

Clicking the "logout" button is more important than ever right now as it will invalidate the session.

If you're thinking about what I'm saying here, you'll see that I'm contradicting myself.  Surely if I logout then I'll be forced to login, exposing my password.
This underlines that there is currently no way to safely use the affected sites.  The integration between sites on much of the internet potentially exposes much more than what is directly affected by Heartbleed as well.

Don't use your credit card online for some time (as long as you can bear).

Site-Unique Passwords

Don't re-use passwords.  One site, one password.  Even if the password is insecure, at least a hacker can't automatically test it against every site on the internet and turn one hacked site into 10 in a fraction of a second.

Security guys will tell you things about key stores and having passwords you can't remember but what I've mentioned above is much more important.

My current system for creating passwords goes like this:
  1. start with one of my 3 base passwords picked based on how secure I think the site I'm using is (Banking > Google/Amazon > everything else).
  2. add to it a word that I will come up with again and again if I think about the site (for my everything else category where it doesn't involve money, this is generally just the site's name).
  3. change every odd character in the added word one letter forwards in the alphabet and one letter backwards for every even character. E.g. "Google" becomes "Hnpfmd".
That'll give you passwords that you can remember that are not entirely trivial to crack.  Try to make the base passwords genuinely good - something that requires a bit of practice to memorise.

And always remember: no-one really cares that much about you specifically and they're unlikely to focus on hacking you meaning a modicum of security is usually enough.  If someone does see you as a valuable target then passwords alone are never gonna cut it anyway.

I also have 2 very insecure passwords that my friends and co-workers know respectively so that I can give them access to home file shares and the like.

If you have shared passwords across many sites, the damage is done and the time to change is months hence. I'm fairly certain that changing your password right now is madness.

Investment Opportunities

Since 2/3rds of the security certificates are going to need to be replaced, certification authorities are probably gleefully losing their shit right now.

Here's a list if you're wondering what you should invest in - most affected are those for whom certificates are a larger portion of their business.

Many of the smaller systems that can be more easily attacked will be employee portals into company intranet applications. If you can come up with a way of investing in companies that will use and benefit from corporate espionage...

The aftermath could be quite underwhelming or it could be staggering.  Either way it's very interesting.

Monday, 18 November 2013

Fuck Typing

You might think this post was some inarticulate rant railing against the constraints of compilers. Nope, I'm a Scala guy - compilers are cool.

So then, your creative brains infer, I have discovered some way to shed the shackles of my keyboard and psychically imprint code onto disk. I wish.


Nope, this is actually about Javascript's type system.

Here's some code:

"1" == 1 // true
"1" === 1 // false - triple equals is teh real deal
let s = "abc"
s === "abc" // true
s = new String("abc")
s === "abc" // false - it's an object so equality doesn't work

Basically, it's triple equals or bust and woe to ye who accidentally "2" > 1 despite this conviction.

Experienced masochists will now be asking, "what about dates?"

Well, I thought things were ok.  After some trepidation and testing, I discovered that date1 >= date2 actually works.
I stupidly thought that this implies equality would work as well.

Not so much.  It turns out that equality always compares object references.  Dates are, unfortunately, objects.

1944-06-06 is not necessarily the same as 1944-06-06. Thank god it took them another 50 years to invent Javascript.

Apparently, in dynamic languages, "if it walks like a duck and farts like a duck, it's a duck".

What then do we use to describe Javascript's type system?

"If it walks like a duck but fucks the neighbour's cat - probably not a duck?"

Or perhaps we need to observe the duck that might be to discover the duck that is. Quantum xen typing.

I propose a new term and would like to suggest we extend it to all languages that indulge the duck.

Sunday, 18 August 2013

Why are we worrying about technical privacy on the internet?

In the last couple of weeks, I've received and encountered fairly excitable language used around revisions to spying laws in New Zealand.

Had we previously been under the impression that we had privacy on the internet?

We frequently consume services on the internet by accepting terms and conditions where we agree to trust whoever the provider does.

Even if this isn't the case, conceivably, the countries hosting these services can have surveillance laws which allow their governments to intercept traffic and analyse data.

It might be that information captured in this way is inadmissible (a concept I probably don't understand properly) in a New Zealand court because of our privacy laws.

Changing the law might have more to do with this admissibility than about adding surveillance which must already exist - or maybe I'm giving the spooks too much credit.


The core problem is that we rely on centralised services.  I haven't researched them enough but I suspect Bitcoin and Tor are decent examples of the challenges for alternatives to the inherent insecurity of centralised systems.


I do think we should all consider emails, social networks and instant messaging to be essentially public information.  If you want to discuss something privately, meet in person, preferably in a fedora and a trench-coat to avoid identification  :)


I also wonder if someone's blackmailing John Key to get this through with his history of moonwalking-dinosaur-mime porn  ;-D

Saturday, 16 March 2013

C# Better for Cross-Platform Dev than Java?!

Xamarin is a Mono-based commercial platform for developing Android, iOS and Mac applications in .Net - it even works with Visual Studio apparently.


Java has had good support for all these platforms except iOS for some time now.
Oracle announced that it would support iOS in 2008, which became especially relevant after Apple dropped  rule 3.3.2 in 2010 that essentially prevented 3rd party platforms.

In late 2012, Oracle released their ADF mobile toolset which allows HTML5/CSS development targeting Android and iOS with J2ME as a back-end for functionality.

Which strikes me as both crusty and monopolistic given that the solution requires an Oracle toolset.


C# is already arguably a better language than Java 7 let alone Java 3 (the limit of J2ME) and continues to improve its APIs and documentation which were initially a bit of a let-down.

If Oracle continues down this tack it seems like the app development platform choice will come down to HTML5/JS/CSS (now capable of supporting an entire application) vs .Net of all things as the core of Java is becoming unsupported and fragmented.

Am I tripping?

Thursday, 31 January 2013

The Very Best Validation

void validate(Item[] items) {
    foreach(Item item in items)
        if(item.quantity == null)
            throw new ApplicationException(items[0].name + " has no quantity.");
}

Concise, informative, robust, composable and respects the flow of control.

This shining example inspired by ActualCode(tm)

Monday, 21 January 2013

XCOM Guide


Research


Being the nerd that I am, I worked out what I think is an enormously broken research strat:
(Google image search "XCOM tech tree" - this post was originally just for a friend but now it's getting a bunch of views I can't in good conscience link to an image without the creator's permission.)
  1. Start in South America (bonus: instant autopsies and interrogations)
  2. Rush research on alien containment and the stun gun
    • Weapon fragments -> Alien Materials are pretty key too
    • nano-fiber vest is completely useless - sans grenades, it forces you into fire fights which you'll never win early on
  3. Capture a grey, which gives beam research credit
    • Research through to laser sniper but don't worry about heavy because they're just there for suppression and the level-saving rocket
  4. Capture a thin man, UFO tech research credit
    • Research Nav Computer-> UFO power source
    • This allows the elerium generator and satellite nexus which are awesome as early base improvements
  5. Capture a Floater, basic armor research credit
    • Rush skeleton suit over anything else as soon as you get this
    • Skeleton suits on everyone - best armor in the game until Ghost armor as it gives -10 to hit penalty against you and the grappling hook
    • Skeleton armor also gives easy access to higher ground which gives +20 aim bonus - don't even glance at carapace armor, rush skeleton.
  6. Capture a Heavy floater for Flight credit - you get them really early on one of the terror missions - it's important because they won't appear on downed UFOs for ages
    • Research New Fighter Craft -> EMP cannon
    • Prioritise EMP cannons over Firestorms (new fighters) because EMP preserves resources on downed UFOs and helps to get the resources for making firestorms and all the other stuff
  7. Capturing an alien commander in the underground base is handy because it's the earliest opportunity but PSI is only really useful on the last mission and you only need one psi soldier maxed out - though you might need a backup depending on how aggressive/suicidal your gameplay tends to be.
  8. Finish firestorms, faff around, always try and capture at least one alien per level - sectoids and thin men are really good because plasma pistols and light plasma rifles are awesome.
    • Consider researching light plasma rifles without the plasma credit as they give +10 to hit - but only if you have finished all of the above
    • If you do finish light plasma rifles and you haven't researched the new fighters/haven't captured a heavy floater, plasma cannons are a good stand in weapon but it'll slow you down in the long run
  9. Mid game kicks off - capture a fucking Muton FULE!
    • Plasma research credit
    • again, rush sniper then pistols - heavy plasma is awesome but there's a lot of research that comes through thick and fast in this time and heavies are mainly for suppression and the game saving rocket
  10. Capture a Muton Berserker
    • rush Ghost Armor, it has a -20 to hit penalty, can stealth and has a grappling hook so is way way better than titan armor - which is tempting and awesome but hold out for ghost armor - put it on your medics first because they have no defensive perks
  11. Once you have ghost armor on all your guys and full plasma weaponry, you can just clock the game.  Putting down an upgraded smoke screen on guys in ghost armor in the open gives a total of -60 to hit - that's in the open - in heavy covers it's -100 so they're basically invincible (beware grenades).

    The only thing I research without a credit sometimes is light plasma rifles - they give +10 to hit and with the +10 from a scope makes your rookies, medics and assault guys GODS.

    Foundry projects


    (in order of priority)
    1. (for impossible) - Alien Grenades - so important as will make your grenades one-shot both sectoids and thin men
      On classic, it'll allow your grenades to one shot thin men and floaters
    2. Improved scope - crits are OP
    3. Improved medkit
    4. Improved ARC - mid game you don't want to die for the sake of captures
    5. Ammo upgrade - avoids those situations where you just have to run and pray while your whole squad reloads - particularly useful for suppression
    6. Pistols FTW - they massively improve the utility of snipers

    Officer School


    1. wet work - this'll make your sniper godlike in no time and will rush the squad size upgrades
    2. squad size upgrades - obviously
    3. willpower/level upgrade
      - this is really important on the last mission and when you don't save your rocket launcher for the alien commanders
      - having your psionic do the AoE team buff on guys with good willpower will make them effectively immune to mind control
      - game breaking on the final room of the last mission
      - it'll also give you more psionic soldiers later on
    4. the one that stops your higher level dudes from dying to stray headshots - heavy cover, smoke grenade, skeleton armor?  BAM! Headshot! - does not feel good.
    5. recovery time - I really don't know about this - you'll normally need 2 guys (3 for assault) in each role to cycle in for wounds anyway and I'm not sure how much this really helps.

    What to Build


    Early on, you'll need to make sure you have quite a few of the dodge/aim/the other one things for your shitty interceptors.
    This is much more effective than an early plasma cannon rush as you only really ever want EMP and firestorms - also, avalanche missiles are free and the consumables cost bugger all.

    Early base


    generator -> alien containment -> officer school -> thermo generator ->  foundry -> satellite nexus
    Be careful to leave enough power to build a lift to the thermal, which may mean holding back on the officer school.
    Also plan to have your initial power plant adjacent to the thermal generator with a spot for the elerium generator.

    Broader base objectives


    • 3 workshops, adjacent - get 2 up relatively early, 3 if you can afford it - the refund from construction once you start making EMPs, firestorms, plasma snipers and ghost armor is worth far more than the cost of the workshops
    • Satellite nexus w/ 2 adjacent satellite uplinks - gives full coverage I think (you might want to check that one)
    • No laboratories - I have no idea why you'd ever build them, even without starting in South America - perhaps if you were freakishly unlucky with captures
    • thermo generator adjacent to an elerium generator early - it'll take a while to run out of power once you have this up
    • I "fill in" the little spots between the stuff that needs to be adjacent with the one-of-a-kind buildings
    I do my best to never build plasma pistols, light or heavy rifles and cannons as you can capture them off sectoids, thin men/floaters, mutons/heavy floaters and muton elites respectively.
    This saves an enormous amount of resources - and gets you to late game incredibly fast.

    Satellites satellite satellites - I spend most of my early resources on these and skeleton armor.
    Then I build a firestorm with EMP for each continent which makes interception super easy and preserves lots of money making salvage.

    Money


    Make sure to visit the grey market and sell useless junk and corpses that don't do anything - takes a bit of figuring out to decide which corpses are useless - some corpses you only need for one foundry project too.

    It is often worth manufacturing the ingredients for country's missions too.

    As stated earlier - you should capture all of your plasma weaponry except the sniper rifles.

    I would say that most of the money I have used in my games came from the grey market - EMP only makes this better as the ships come down completely intact.
    Likewise, guns over explosives mid game really increases the salvage, particularly in aircraft - blowing up computers or power units is a big no-no.

    Early game team


    • 3 rookies/heavies - frag/alien grenades ftw - "Go die in the trenches, son."
      These guys should do all the dying and I basically bomb the fuck out of any difficult position - fuck salvage - the live captures are far more worthwhile.
      Motto, "see an alien, grenade an alien, closed casket ftw"
    • sniper - scope
      once they have squad sight, keep them safe - most insanely OP class in the game later on
    • assault - ARC thrower
      If you can capture one of each new type of alien when they first appear, it will make the game much easier
    • medic - medkit or maybe scope (since most guys get one-shotted early anyway)
      Medics win the game once they get the mobility, suppression and smoke grenade upgrades
      This dude is trying to last hit after grenades so he can level up
    • I use my assault and medic to finish or consolidate manoeuvres - I almost never double move and I never put these guys in the front lines.
      I generally have the assault towards the sides so he can come in with cover for the bag n tag.
    Playing on classic and not being an idiot, I didn't lose that many guys with this approach - haven't tried impossible yet.

    I generally capture the last guy on the level by suppressing him so he can't move and whittling him down with pistols to 1 or 2 bars of health for the guaranteed capture.
    Falling back is useful as it'll allow you to advance for a capture without aggroing any spawns further in the level.

    When sectoids do their power up thing, killing the caster will kill the powered up dude - if done with a grenade, the powered up guy still gives salvage as well.

    Thin men are pretty much the most dangerous enemies in the game - they have light plasma rifles which are super accurate and often one shot lower level guys without a crit.
    Their poison, if cast early in a level, will almost kill low level guys.
    They also survive grenades, unlike sectoids.

    So, if you can catch 2 in a grenade blast early, do it, if you can catch 3 with the rocket launcher, even if it's the second turn, it's worth it just because of what the poison will do to you.
    Getting in a drawn out fire fight with thin men is horrible.
    It can be a good idea to take 2 snipers on the agency missions because snipers pwn thin men so hard and there's often a good spot for them on these missions as well.
    If you can grenade thin men, sometimes there will be opportunities for snipers with pistols to both flank for the finisher and be setup for a good sniping spot next turn.

    It's hard to fall back against thin men as well because they can move and fire their poison and its range is incredible.

    Mid-late game team 


    (starts when you get skeleton armor and laser sniper rifles):
    • heavy - scope
      He has three uses besides sitting in cover and taking a ton of damage:
      • holo targetting - if used to start a round will make focusing a single enemy much more reliable - can make your medic's and assault's light plasma/scope combos particularly deadly
      • suppression - takes a guy out of the fight - good since the heavy doesn't really ever do much damage
      • boom - this is most useful for dealing with floater patrols or destroying the cover of mutons so that your snipers can clean up while the rest of your squad prevents flanks
    • assault - arc thrower
      His plays:
      • sitting in cover beside door ways, getting free hits on aliens walking past
      • resolving flanking disputes - when you're getting flanked by a lone guy, you can run & gun to outflank to a corner next to the target and get a no-cover crit on them for the one-shot
      • if not flanked, he has more defense vs. more aliens so sitting him in cover at a choke point is actually quite safe, especially with skeleton/ghost armor
    • junior medic - scope
      This dude is for finishing kills, providing smoke screens and suppression. His goal is to level up and become a senior medic
    • senior medic - medkit, scope
      He has two utility slots, runs like the wind and has every tactical option in the game.
      Before you get the second slot, stick with the light plasma rifle so that he can actually hit something.
    • death squad - scopes and a fetish for headshots
      the story with snipers:
      • give these guys plasma pistols first
      • move and reload or move and overwatch with pistols if your ammo is fine
      • double tap is better than the killing spree final upgrade because it is more reliable, especially in mid game when you don't crit 60% base chance for 20+ (late game is just silly)
      • skeleton armor, the higher ground defense bonus and squad vision makes for a scary rooftop sniper - you can often swing from rooftop to rooftop too
      • once you have upgraded scopes and plasma pistols, these guys will do pretty awesome damage with pistols so the move or fire restriction isn't such an issue
      • in general, move either your snipers or the rest of your squad, never both in one turn
      • overwatched snipers don't have the penalty to aim later on and will generally get a hit on enemies in open cover for a one shot kill
      • the sensor is awesome but you have to position correctly
        it doesn't aggro whatever it detects
        it is most useful when snipers dash for safe flanking positions - throwing a sensor out further along said flank will prevent your troops from being flanked themselves, allowing you to have only 2 active fronts

    When you first encounter mutons, it's a really good idea to back-pedal because if you aggro two squads you'll usually lose at least a couple of guys and having them come to you also allows for safe captures.

    Mutons use plasma rifles rather than the more accurate light plasma so smoke screens can often protect two guys - just make sure that they're not close enough to be grenaded.

    Classes/Builds


    Basically, damage is pretty useless because your guys will die before they get to a high enough level to use it.

    Rushing tactics seem foolhardy as you will aggro everything on the level and until late game, simply don't have enough explosives to deal with swarms of mutons.

    So, defense and tactical options are what I choose.

    Assault


    All the defensive options except rapid fire, which makes taking corners really easy.

    Heavy


    The heavy doesn't actually do much damage and is denied light plasma rifles.
    For this reason, you save a lot of research time by not getting them laser cannons and just using them for the suppression, holotargetting combo and massive AoE cover clearing.

    Later on the damage from AoE suppression is really awesome and the massive cover-annihilating rocket shots are more awesome.
    They are the first to move forwards and suppress the most dangerous target (often a berserker).
    I put a scope on them eventually because they are good against mechanicals.

    Medic


    The only class with actual choices really.

    Reaction shots on attack is bad because it wastes ammo; they'll be in cover and you'll have a -15 aim penalty on top of that - like I said, just wastes ammo.
    3 extra movement is actually very awesome too.

    The next two need to be considered as a pair.
    Reviving critically wounded allies is kinda cool except it really just gives them another chance to die because they'll get one shotted once revived unless you use yet another medkit (which means another turn).
    So, given that you'll be taking suppression, you probably don't need an extra smoke grenade so I'd take 3 medkits and suppression.

    Smoke grenades become hard cover?! I heard there was another option, I just never read it (also psionics do a better job and are easy to level up).

    Two reaction shots combos well with ghost armor but super medkits are more awesome and you generally need the ammo for suppression.

    Sniper


    Sniper rifles have a high crit chance and snipers have high aim; improved scopes give both aim and crit chance.
    See where I'm going with this?

    Your front lines basically suppress most things and smoke grenade themselves if they're over extended.

    The snipers do the actual killing.

    There seems to be an upgrade path focused around mobility and overcoming the sniper's issues inside ships and the like.

    I might consider this if not for the "wet work" officer upgrade - this gives extra XP for last hits.
    Once you've got your super-squishy sniper to corporal and have squadsight, they'll pretty much never take damage and will level super quickly.
    This opens up the squad size upgrades really quickly so you can pack more walking corpses into your flying coffin.

    You can have two colonel snipers on every mission when none of the rest of your guys have passed lieutenant.

    Add to this that a sniper who is higher than an opponent will generally one-shot anything in hard cover and I don't know why you would worry about any other build.

    Even then, there are a couple of things that (superficially) appear to be choices:

    Disabling shot vs battle scanner - disarm their brain pan soldier!!  That and scanners are awesome.

    Executioner vs opportunist - besides executioner implying that we'd need more than one shot and that we might miss, opportunist will solve our mobility problems by one-shoting anything our front line spooks when they advance.

    In the zone vs double tap - in the zone only works against flanked or uncovered and our main purpose is to render cover useless.  Double tap also disposes of sectopods and cyberdiscs rather nicely.


    Ghost armor allows snipers to double-move into a good position safely while also scouting for the rest of the squad - when they come out of stealth next turn, they can either kill everything or kill everything.

    The first sniper to fire will get both shots of double tap off before the aliens move into cover - if you overwatch the second sniper before you do this, they will generally kill the third alien if it's a single squad.

    The plays/Not dying


    Never double move unless it's run & gun to secure a flank or capture with an assault.
    Only advance with half your squad at a time, the rest should consolidate cover and overwatch.
    Don't be afraid to sit tight, reload, heal up and wait for cooldowns.

    Gather around doors with full moves and ammo available before opening them - there is never a good reason to break this rule.

    If you can hear a patrol, back off, reposition and flank them from cover - much better than mindlessly opening doors and walking into the middle of them with nowhere to go.

    Against spaceships, sighting the enemies then backing outside so your snipers can get clear shots is a fantastic way to proceed - especially if they have to walk past an assault that'll get free hits on them too (don't do this against chrysalids or berserkers - it will not work out  :)

    Also, against the larger space craft, the roof is often a good place to start out as it'll give you offensive and defensive bonuses and immunity to chrysalids and berserkers.
    Buildings are ok for this but can be destroyed so be very careful about becoming a good grenade target - in particular, take note of soldiers on different levels who are still in grenade range of each other.

    Suppression works against berserkers - if you decide to kill one, do it all in one turn.  Rooftops are a good counter.

    Cyberdisks and Sectopods are other enemies that will always be an open shot - you must focus these as soon as you spot them.
    One of the sectopod's abilities targets a location - you must move out of it immediately.
    The only thing the heavy is actually good at killing is these two.

    Pistols are important early for getting capture targets as low as possible without killing them - once you have improved scopes, the medic is often the best person to do this as they will have a medkit instead of a scope and won't accidentally crit and kill the target.

    Using your heavy to suppress a target that has a good vantage is often safer than killing the target, even if they're the easiest target - because if you fail to kill them, they will kill you with their height advantage.

    Likewise, if an enemy gets caught in a bad spot, using a medic or heavy to hold them in place while the rest deal with more dangerous targets is often a good call.
    Conversely, it is better to suppress well defended targets than to try and kill them - suppression will apply holo-targeting with heavies too, allowing you to dig out that last muton.

    Go to great lengths to avoid becoming a grenade target - the loss of cover is far worse than the blast.
    I've never seen the AI grenade a single target.

    Sometimes using a grenade or rocket to destroy walls or cover is more effective than using it for kills - especially with snipers and assaults that can fire twice.

    Ghost armor is ridiculously good - if you're already in position, decloaking won't even proc overwatch or (for the first soldier's turn) cause them to take cover - decloaking a sniper and getting 2 one-shot crits on a squad of mutons is like XCOM nirvana.
    You can also put the rest of your squad on overwatch then fire with one soldier, which'll cause them to run for cover and take overwatch shots in the open. Hilarious Rex.

    Thursday, 22 November 2012

    GIMP is SOOO BAD!!!

    Some friends and I have had this on-going "discussion" for some time - GIMP vs Photoshop.
    This is one of the many "rants" from which they have urged I create a blog so here goes.


    http://piestar.net/2009/03/01/gimp-sucks/

    Read that, it's a balanced opinion.

    I respond:

    I've never argued that GIMP was better, just that it isn't as bad as people think.

    1. Layer vs Canvas size

    Layers are basically how you get things done in GIMP - uses for layers that are a different size from the canvas:
    • Application of filters to selected parts of an image
    • Ditto for masks
    • Different layer blending methods for different parts of the image
    You orient a lot more around layers than selections in Gimp - I'm not sure about photoshop but I suspect they use selections in this role more, supported by undo layers to access previous selections.

    2. Layer groups


    Sure, but Photoshop gained this feature in version 8/CS.

    I've always said GIMP was lacking features.

    3.  Smart objects and undo layers

    CS2 & 3?

    4. UI bad and improving much more slowly than PS

    Gee, free vs flagship project of multinational corporation and it's improving more slowly - never woulda seen that coming.

    5. The name

    If you're a self righteous fool who rants about "GIMP sucks" as opposed to the truth - "photoshop is amazing and GIMP is second best by a long margin but still better than everything other than PS" - then you're unlikely to enjoy silly names or the accompanying irony.


    Another "penix" with poor analytical skills misses the point that a free tool can still actually do the same things, albeit with ?more? difficulty, and is the closest competitor to a *massive* monopoly with enormous amounts of funding.

    The real question is, why are they even comparable?  With the difference in funding, shouldn't PS magically pull perfect designs out of its digital asshole on the merest hint that you might desire satisfaction?