Under Linux, I'm using a C615 with a Python OpenCV script to push it onto the screen.
The important point with using a webcam is that it needs to be able to focus at very short distances - the cheaper cams I've tried fail to produce sharp images when placed close enough to the book. Unfortunately this capability doesn't seem to get mentioned in the specs.
Does anyone know of cams with a good short-range focus other than Logitech C61x?
Coming "from the world of browser toolbars" is somewhat of an understatement in this case.
We are talking about a founder of CDT (latterly Zango Canada), who paid affiliates to bulk-install spyware on unwitting Windows users' machines, using tactics up to and including browser security hole exploits. Hats don't come much blacker.
Not sure why this is suddenly news, the Russian iframe traffic hubs have been running for over a decade now.
The destination URLs are typically clickfraud, exploits, and iframes to other traffic redirectors.
The domain registrar mentioned in the article (DirectI) is notorious for high levels of abuse from the Russian-language sploit/AWM community.
Even without the security problem, I would disable XSS protection on my sites. If I've made a mistake and let an HTML-injection flaw into my app, chances are it'll still be vulnerable (since IE8's XSS protection is a pathetic string-hack on the HTML source which is insufficient to protect against anything but the most basic of attacks), so IE8 is offering only to obfuscate and not fix my problems.
Meanwhile if I allow XSS “protection”, I have a problem when someone legitimately uses a term in the query string that appears in the page and looks to IE like it might be dangerous. This is easy to do: just searching for ‘<style>’ will often break the CSS of the search results page.
Not only that, but I'm also open to deliberate sabotage when an attacker looks at my source, finds some script they don't like, and puts it in the query string so that IE8 doesn't execute it. Certainly this can be used to deliberately disable things like frame-buster scripts, to get around redress attack protections. It is presumably a form of this deliberate attack crafting that leads to whatever the undisclosed vulnerability is.
So no, I don't think Google are wrong. IE8's XSS protection is utterly, utterly bogus. It adds only more complication and more problems to webmasters' lot and no real effective security.
It will be nearly impossible to get delisted, too, and for good reason. For years the Russian malware gangs played silly buggers with changing names, corporations and hosting providers to pretend to be different unrelated entities whilst still engaging in the abuse.
So “but I bought this netblock from someone else, I'm not a hacker!” is, unfortunately, something we've already heard many times from the hackers.
The entire article is predicated on the idea that anti-virus software is effective at stopping malware.
But today, that simply isn't true. With the proliferation of web exploits and constantly-updated payloads, the traditional signature-based methods of detecting malware are almost totally useless. OK, they still pick up the odd old-school mail worm or whatever, but no-one's going to get infected by those these days; it's all about the web exploits.
(Even against the pen-drive infectors, which should be slower to mutate and easier to track, they're doing pathetically badly at the moment.)
Heuristics-based detections can pick up a few more trojans, but at the expense of user-befuddling and potentially dangerous false positives. Behaviour blocking is the only approach likely to be effective, but today's implementations are shonky and unreliable. This sort of stuff - full per-program-permissions - really needs to be provided at an OS level, not as a wobbly vendor layer on top.
Encouraging people to spend money on ineffective, performance-butchering anti-virus software is what we're doing too much of already, not something we need to be asking the Government to do more of. All it does is give users a false sense of security.
Yes - and from 'macromedia.com' in the same folder. And in fact you *must* delete these files directly if you want to clear your browsing history. The browser's built-in delete-history function will not do it.
Even if you set Flash to never allow any storage for any domain(*), it still stores a pointless stub file for each domain in this folder, containing no information except for the side-effect of silently storing every domain you've visited with a Flash player in it.
* - and if you do that, a bunch of Flash apps will break. There is no Flash equivalent of the only usable cookie-privacy option, 'allow session storage only'. Flash's privacy settings are utterly useless and for now the only answer is the excellent Flashblock.
I would like to see the (especially open-source) alternatives to the Flash Player become more viable, much as Acrobat has spawned many alternatives by becoming increasingly obnoxious in every new version.
> An approach like that guarantees you're going to overlook some security holes
And indeed the book does - that chapter is chock-full of HTML injection holes, leading to cross-site-scripting vulnerabilities. After giving the standard "Very important is a security!" spiel at the beginning this is a bit disappointing.
PHP as a language may have made some poor design choices, but the main reason so many PHP coders are security-ignorant - and consequently so many PHP applications are plagued with endless security holes - is that the vast majority of PHP tutorials are as FAIL as this book.
Escaping text for its target realm isn't neural network surgery, people. Please stop writing PHP books until you've got this basic stuff down.
> They were quite useful
I LOL you.
As the author of those fluffy dice, I can tell you there was no intention of them being (a) in any way useful or (b) anything I thought Microsoft would ever want to copy, let alone patent...
Anyone got any of the GP Alphas to work on Windows Server 2003 (SV1)? Every one of them has invariably crashed just after opening the first window for me.
(OTOH XP and Linux seem fine.)
BroadcastPC is not itself directly loaded by browser security holes, but it *is* bundled completely without notice by unrelated downloads, including other parasites (some of which *can* themselves be installed by exploitation of security holes).
More: http://www.doxdesk.com/parasite/BroadcastPC.html
Incidentally, the 20MB of .NET framework may be bad news, but since the software's main purpose is to download multiple multimegabyte movie trailers, that's probably the least of your problems!
Crap. So *nearly* the Right Thing, and then fumbled at the last hurdle.
DRM-free downloads? Check. Platform-agnosticism? Check. Good choice of file formats? Check. Looking good. Might spend some money here if the tracks are any good.
So, are the tracks any good? Er. Where's the 'listen' button? Erm... [reads FAQ] so I have to sign up to the service and download and install a special application, just to see if there's anything I want to listen to. Aha.
Nope. Can't be bothered. Gone. Bye.
When you're launching a new web service it's vital to make it easy for uncommitted potential new users to slip into using your services easily, bit by bit.
This feature, however, is a great big roadblock to discourage potential customers. A simple link to an excessively-compressed or partial MP3 preview file would have been easier for everyone.
Well *you* might think that makes sense, but that is not how JavaScript is designed.
This is not a new bug, it's a deliberate design decision going back as far as, what, Netscape 3? If any of the intervening browsers changed the behaviour there's a possibility they could have broken people's sites.
Back in the Netscape days this kind of obviously stupid design decision was par for the course. We complain about Microsoft adding random security-harming pointless features to their browser to scupper the competition, but Netscape were there first.
As well as thinking about disallowing this behaviour, web browsers *must* disallow opening windows without the address bar - that's the main problem here, that the hijacked pop-up doesn't tell you where it comes from.
And web designers that open chrome-removed pop-ups need to be shot too.
In summary, everyone is stupid.
> how are we to know which one of those ad providers are infected and which are not?
As a rule of thumb: they all are.
Seriously. Most of the major ad networks have distributed ActiveX drive-by-downloads and *many* have distributed exploits. Almost everyone in the online ad market has dirty hands.
Falk are known to have served exploits for some time, but I guess this is the first time they've hit the Reg.
The exploits are going absolutely crazy right now - they're *everywhere*. See also this incident:
http://www.dslreports.com/forum/remark,11904374~m
It used to be that IE users could just avoid browsing untrusted sites to stay safe. Not any more. Anyone browsing with IE pre-SP2 and no extra precautions is going to get hit sooner or later, and most likely it'll be with enough chain-loading parasites to render the machine barely usable.
(SP2 of course is not safe either, having publicly known exploits; but they don't seem to be targeted by the large exploit nets... yet.)
No, what's really weird is that Opera calls itself IE-calling-itself-Mozilla.
This further demonstrates that the clever-trousers webmasters that use user-agent sniffing need to be shot in the kneecaps.
> WinXP should be strong enough to be safe with open ports.
This might be asking a bit too much.
Much easier would be just not to open unnecessary ports *at all*. Most home boxes should not need anything listening on ports 135-139, 445 etc., but XP goes out of its way to make it difficult-to-impossible to close these ports.
Instead of fixing the problem - by not listening for Windows networking on any interface where the user doesn't deliberately ask for it - they've added an extra layer of complication (the Windows firewall) to hide it. This seems to be the Microsoft Way, unfortunately.
Still, as with the other SP2 pseudofixes, it's better than nothing...
> And it may well be that software like VX2 is also installed through these means
That's one way VX2 is getting installed, yes. Another is by bundling with IE exploits.
For example the achtungachtung exploit (covered recently by Tom Liston in the SANS Internet Storm Center blog) compromises the machine then downloads a large number of spyware programs, including Transponder/VX2.
This has been going on for some time. Mindset/BetterInternet (the company behind VX2) is quite happy to pay affiliates to load their software using wholly illegal security exploits, and if Sophos doesn't think this is grounds for removal they're crazy.
> If you RTFA, they indicate that they felt that the disclosure practices and what-not are all above-ground.
Unfortunately, they are wrong. Never mind the argument over whether notice in a hundred-page EULA is allowable, SaveNow is being installed with no notice of any sort by many programs, including other parasites, some of which are loaded through exploitation of IE security holes.
Either Aluria have lost their senses and somehow think this is acceptable, or they've not been keeping an eye on SaveNow installs recently.
If you think DoubleClick are bad you've not been keeping up with the online ad industry. DoubleClick are actually one of the least bad networks; unlike most of the rest they haven't yet been caught doing drive-by downloads, exploiting IE security holes to install spyware, and operating endless pop-farms.
Well, yes, and they've been pushing MHz for much longer than that too.
Though the P4 may have been the first chip many believe to have been designed to put raw megahertz-marketing before real-world performance, all Pentia have been pushed primarily on clock speed. (And Celerons just as much so, Intel's way of allowing OEMs to sell cheap systems with high headline speeds.)
I think Intel have reached the point of desperation. Admitting MHz isn't everything is a giant climbdown for a company that has always marketed heavily on that front, and killing further ramp-up on Prescott is a sad end for a troubled core.
(A premature one, too, surely; multi-core and Pentium-M-based desktop kit isn't due for ages is it? And won't multi-core chips have to be developed from P-M tech anyway? I can't see *two* Prescotts on one die being easily coolable...)
Bunging more cache on the chip is a last-ditch brute force way to wring more performance from a processor when no real tech advance is currently available. It worked for Intel with the P4EE but that was at a significant (nay, staggering) price hike; sticking 2 bulky megs of 90nm cache on mainstream kit has surely got to hit margins.
I am glad to see the end of the megahertz era. But I wish Intel's new model numbering scheme wasn't so impenetrable.
> Simply the fact that Windows Firewall can be turned off by another application is enough to tell me Microsoft has goofed again.
Balls. The fact the Windows Firewall can be turned off makes it exactly the same as every other personal firewall, including ZA and Sygate.
Malware has been disabling the firewalls of machines it infects for years. It is simply not possible for a firewall to remain an effective security measure on a machine where hostile code has been run at the same level of privilege.
Once the attacker's code is running on your machine, the game is over and you have lost. Until we get full operating-system level sandboxing (whereby applications and users are fully protected from each other's interference until the user/admin explicitly grants rights), this will always be the case.
The main difference between the Windows Firewall and other personal firewalls is that it only blocks incoming traffic. But so what? An outgoing traffic block is of no use if the outgoing traffic is generated by hostile code on the local machine, as it can just as easily shut the firewall down completely.
Other firewalls still provided the feature because they figured most malware wouldn't bother to detect and kill all the different brands of firewall. But Windows Firewall, soon to be very widely installed due to its default-on nature, would present a much more attractive target; soon every new virus, worm and piece of spyware would turn the block off as the first thing it did. Therefore the feature would offer zero additional security.
Flexbeta's reviewer seems to have grasped the vocabulary of security countermeasures with no actual grasp of their practical implications. In summary: feh.
I like the HD1 a lot. It's true that its colours can often be a little washed-out (a consequence of the single-CCD design I guess); we've had to post-process the signal in the odd places where it's important, but the results then are fine.
(Actually, we're using the JY-HD10, the slightly-higher-end-but-really-the-same-thing version. As you say, it's a weird mix of pro and consumer features.)
But anyway, there's just no arguing with high-def for $2000. Getting rid of ^%£*$ interlacing is what does it for me.
There is a waterproof enclosure available for it, but as usual for this stuff it's hideously expensive. For a 15-minute scene, RENT IT.
Well it's a good thing they're asking for security issues now rather than later, as the very first form field I found had a cross-site-scripting hole in, e.g.:
http://www.myuid.com/activate.php?email=fdgdfs%3Cscript%3Ewindow.alert%28document.cookie%29%3B%3C%2Fscript%3E&code=boo
Maybe this is unrepresentative, but to me this just screams that MyUID haven't the first idea about webapp security and have no business developing something non-trivial like a single-sign-on system.
Free clue to PHP weenies: using magic quotes does not magically make your scripts secure. Cheers then.
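The reflected-parameter hole above, together with the earlier point about escaping text for its target realm, as an added example that is not part of the original comments and is not MyUID's code: a hypothetical activate.php page that reflects the email parameter, rendered raw, after addslashes() (what magic quotes did), and escaped for the HTML context it lands in. The file name, page wording and sample input are assumptions; the payload is the one quoted in the comment, URL-decoded.

```php
<?php
// Added example, not code from the original comments or from MyUID.
// A hypothetical activate.php that reflects the ?email= parameter, shown
// three ways: raw (vulnerable), after addslashes() (what magic_quotes_gpc
// did), and escaped for the HTML realm it is being written into.
declare(strict_types=1);

// Constructed input: the reflected payload from the comment above, URL-decoded.
// In the real script this would arrive as $_GET['email'].
const SAMPLE_EMAIL = '<script>window.alert(document.cookie);</script>';

// Vulnerable: untrusted text dropped straight into an HTML text node.
function render_vulnerable(string $email): string
{
    return "<p>Activation mail sent to {$email}</p>";
}

// magic_quotes_gpc ran addslashes() over GET/POST/COOKIE. It only escapes
// quotes, backslashes and NUL, which are SQL-ish concerns; a payload that
// contains none of those reaches the HTML untouched.
function render_magic_quotes(string $email): string
{
    return "<p>Activation mail sent to " . addslashes($email) . "</p>";
}

// Fixed: escape for the target realm (HTML text) at the point of output.
function render_escaped(string $email): string
{
    $safe = htmlspecialchars($email, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<p>Activation mail sent to {$safe}</p>";
}

// A different realm: inside an attribute value the same call is enough only
// because the attribute is double-quoted and ENT_QUOTES encodes both quote kinds.
function render_in_attribute(string $email): string
{
    $safe = htmlspecialchars($email, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<input type=\"email\" name=\"email\" value=\"{$safe}\">";
}

// Coarse check used below: does a literal <script tag survive into the output?
function leaks_script_tag(string $html): bool
{
    return stripos($html, '<script') !== false;
}

if (PHP_SAPI === 'cli') {
    foreach ([
        'raw'          => render_vulnerable(SAMPLE_EMAIL),
        'magic quotes' => render_magic_quotes(SAMPLE_EMAIL),
        'escaped'      => render_escaped(SAMPLE_EMAIL),
        'attribute'    => render_in_attribute(SAMPLE_EMAIL),
    ] as $label => $html) {
        printf("%-12s  <script reaches browser: %-3s  %s\n",
            $label, leaks_script_tag($html) ? 'yes' : 'no', $html);
    }
}
```

Run it from the command line to compare the four renderings side by side; only the raw and magic-quotes versions still carry a live script tag.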
Anyone got the debugger extension working yet?
There was a nasty bug in Venkman with 0.8 but it could at least be fixed with a quick hack to one of the files in the jar... with 0.9 I just get a blank pane when I attempt to open it. Anyone know how to fix?