Slashdot Mirror


Slashback: Bass, Bomb, Deluxitude

A hefty handful of updates for you in tonight's Slashback, including: more information on how to make your plastic fish talk; more on the sounds-too-good-to-be-true Delux DVD player; and things that hopefully do not go boom in the woods. Also, shedding some more light on the Sun E10K review we ran a few days ago.

Make that fish say what you want it to say! vonmar writes: "Full details of the Boogie Bass Hack are now available, including schematics, sourcecode, and documentation. All the information should be there now for anyone with a soldering iron to make the Bass do their bidding!"

Here's the original story we ran about that crazy fish.

These are the things that go BOOM. Paul Jones of ibiblio writes: "To follow up on your nsa star hut story, take a look at this: a 40-year-old abandoned hydrogen bomb in eastern NC."

North Carolinians (Carolingians?) can sleep relatively easy though: according to the article, when a pair of hydrogen bombs went down with the plane which was carrying them, "Safety mechanisms designed to prevent unintended or unauthorized detonation served their function, and a historic nuclear catastrophe was averted. But published sources disagree on how close the people of Wayne County came to suffering fiery annihilation." Please don't retrieve this, anyone.

And EMlNEM writes with a cool addition as well: "Here are some pictures of the NSA station you had a story about."

Not so deluxe after all ... bluephone writes: "Well, it's been a while since the news of the Dulux DVD player hit Slashdot, and my question for my fellow /. inmates is can anyone post some FIRST HAND information about it? No more marketroid tripe, I'm talking about someone who ordered it, received it, played with it, etc. Was the company responsive? Did you actually get it? Is the playback quality good? Are the features promised actually there and functional? Currently, they claim to be out of stock, and will have more on the 15th of January, which could mean they've folded shop and run with the money, or that they sold like hotcakes. I want to know which it really is. A quick Google search revealed no actual post-testing reviews."

Adam Alexander writes: "Late in November, I read the ask slashdot article about the Dulux DVD/MP3/Game player and followed the link (http://www.gamedvdplayer.com) to purchase the item. I paid with PayPal (extremely hard to get a refund) and it turns out that I have never received the item, and although the company's web site is still up, they do not return phone calls or emails. I have set up a web site (http://oreo.donet.com/duluxhelp) for discussion between Dulux customers in order to trade information about (for example) ways to contact the company or success in getting refunds. I have a feeling that there may be many more Slashdot readers in the same position and I would like all of us to benefit from each other's experiences."

Well said. Who else can contribute words of wisdom (or chagrin) about what so far appears to be a non-deluxe player?

And now this newsflash with news ... on Flash! Peter Santangeli of Macromedia sent this email to the bugtraq mailing list, good reading for anyone interested in the Flash insecurity reported earlier.

As was posted earlier to BUGTRAQ, an issue has been discovered with the Macromedia Flash Player that shows a possible buffer overflow error when the player encounters a maliciously or incorrectly created SWF file. After an investigation, and consultation with the reporting engineer, Macromedia has determined the following:

  • The data being accessed is located entirely in a dynamically allocated structure in the heap space of the application.
  • The data access is limited to reading the information. At no time is the buffer in question ever written to. Neither the heap, nor the stack is written to during this processing, and at no time does this lead to the execution of arbitrary data as native instructions.

Given the above information, it is Macromedia's belief that the error in question, though unfortunate, does not constitute a significant security risk. The effects of this defect are limited to the crashing of the user's client (denial of service).

On a personal note, I regret that the actual bug report did not reach the appropriate people at Macromedia in a timely manner. We do take security very seriously in the development of our products, and are looking into mechanisms to ensure that this does not happen again. For a starter, we will be instituting a new email address by which these reports can be directly sent to the appropriate engineers.

Peter Santangeli
Vice President of Engineering, Flash and FreeHand
Macromedia Inc.

Credit where credit is due. Josh McCormick, who wrote this review on epinions.com of the heftily-priced Sun E10K server, was offered a call from Philip Ferreira, editor of Reviewboard Magazine, to discuss "what happened" with McCormick's review when a very similar review not crediting McCormick ran on the Reviewboard site, and was linked to by Slashdot (since removed, for reasons partly explained in this post from chabotc of Reviewboard). That message and the threads it spawned make clear what a big mess this was. Thanks to Josh for sticking up for his work. Here's his response to Reviewboard:

Phillip,

Considering the wild and numerous stories that were given to explain what has happened, you'll forgive me if I don't want to hear one more. I view the credibility of any explanation I would get as approaching zero.

Further, I pretty much already have what I wanted out of all of this. The article removed from your site (although it is still on the chabotc.com site), and recognition that I was the original author. There isn't much more that I can gain from having a conversation.

What I gained from this was an interesting story to share with my friends, and a better appreciation for what it takes to "prove" something online.

At this point, I'm satisfied to drop it and go my separate way.

Josh McCormick
