Slashdot Mirror


GoHip.com ActiveX Wreaks Havoc

This story popped in several times in the last couple days and it's pretty slow today so I figure it'll be good for a laugh. Apparently GoHip (no relationship to Goku or Gohan) had some sneaky ActiveX that a lot of people installed. Kinda a scary security situation right there. Makes me glad I don't have any of that OL- I mean CO- I mean ActiveX on this box.

22 of 244 comments

  1. Morale: Turn Off ActiveX by jonathansamuel · · Score: 3

    The moral of the story is to go to Internet Options --> Security --> Custom Level on your IE browser and turn off ActiveX.


    --

    Marjo Wycam, Master of the Programming Arts
    1. Re:Morale: Turn Off ActiveX by locust · · Score: 3
      The moral of the story is to go to Internet Options --> Security --> Custom Level on your IE browser and turn off ActiveX.

      Definitely. Even if you set signed component to prompt, a Microsoft signed Active X component doesn't ask you if it should install. It d/ls then just installs anyway (see bugtraq). cuartango put up a demo of this.

      --locust

  2. You think you're safe? by Keelor · · Score: 4
    Just because a person doesn't use ActiveX does most definitely not mean that they are invulnerable to this kind of situation. Any time you install a piece of software on your computer, unless you:

    1) Read through all of the source of the installer, or

    2) Have software that warns you about every change to your system,

    there is a chance that the software is editing some part of your computer that it shouldn't. In short, this isn't just a company abusing ActiveX--this is a company abusing basic software practices.

    Personally, I call software that changes my outgoing e-mail without my consent a virus...

    ~=Keelor

  3. There's no such thing....... by luckykaa · · Score: 3

    ...as bad advertising.

    Having read about what a nasty and insidious thing this company did, I went to their web site to see what they do. Before I hadn't heard of them. I'd be surprised if they didn't get a few more customers from this.

  4. The REAL Morale by panda · · Score: 3

    The real morale of the story?

    Trust nothing. Trust no one on the 'Net. You don't get something for nothing, so stay away from sites that offer anything "free." It's most likely a scam.

    READ those agreements before you click on 'Accept.' You'd read a contract before signing it wouldn't you? Under UCITA those click agreements just might become legally binding.

    Most of all, don't use IE and don't use Windoze. You don't need ActiveX or any of that other flashy shit to use the WWW.

    Disable anything that allows some site to run code on your machine. Use SSH. Use crypto. Encrypt your hard drive. Lose your keys, and then your data is even safe from your own prying eyes.

    Be paranoid, be very paranoid.

    Install from source, not RPMS. Read every line of code. Make sure you understand what every line of code does in a package before you type "make." Know the code better than its maintainer before you even dream of running it.

    Knowledge is power. Forewarned is fore-armed. An ounce of prevention is worth a pound of cure. Pick a cliche, any cliche, and apply it to every situation.

    The truth is...out there.

    --
    Just be sure to wear the gold uniform when you beam down -- you know what happens when you wear the red one.
  5. A couple interesting things... by ChristianBaekkelund · · Score: 5
    A couple interesting things here...

    First, in the article, those "fine print software agreements" were discussed...the legal validity of such has been under question for a while now. Due to various legal details, those "click Next to continue installing" agreements are considered by many to be too automatic and do not require enough action on the agreeing party to be legally binding...

    Second, I was amused that GoHip.com considers what they do a Browser Enhancement.

    Third, ActiveX ever since its first incarnation has been a horribly gigantic, gaping security hole. Any even remotely self-respecting, computer security-savvy individual would never dream of having ActiveX enabled on their computer. Unfortunately, the average Joe might not know this...hopefully, they will be educated in time.
    Here's one (of many) place I definitely like Java a whole lot better...

    Fourth, in the end, this really isn't that big of a deal, as it was relatively benign. Hopefully, however, it will educate people as to the dangers of ActiveX, in general. I think David Kroll said it best: "I think it's pretty tacky what they did". Although he and Finjan did get it wrong when they said: "this is the first time a company has used ActiveX to alter personal information on someone's computer." Just see the ActiveX Exploder link mentioned above! I think they'd be more accurate in saying this is the first time it's been done purposefully and on a large scale by a corporation.

    Fifth, this reveals an interesting problem with "signing" such programs with things like Verisign. That signature doesn't really mean as much as most people think that it does, as Verisign said: "Verisign spokesman Gray Chapman confirmed that GoHip is certified by Verisign, but stressed that his company was not in the business of passing judgment on the business practice of its client."

    Sixth, GoHip.com sounds horribly sketchy. No phone numbers, bouncing e-mail addresses...is anyone surprised?...But finally, I have to admit to being horribly amused at the final quote by one of the "infected" GoHip.com visitors: "I compliment GoHip for a fine marketing effort as I certainly know who they are. I hate them, but I know who they are". In the end, capitalism seems to be all that matters again...

    1. Re:A couple interesting things... by theCoder · · Score: 3

      OK, I know this probably won't be a very popular opinion, but really, a gaping security hole? ActiveX controls are not any more of a security hole than any other executable. That said, you should definitely be wary before downloading and running any ActiveX control, just like you're wary of downloading and running programs. On a Windows 95/98 machine, both can cause a lot of problems (NT is a little more secure, but I'm sure there are ways to mess with it too).

      But these security problems are not inherent to ActiveX, and ActiveX is not specifically designed with poor security. ActiveX is a set of COM interfaces that a particular library must implement. Personally, I think COM and interfaces are an excellent idea (in and of themselves -- I'm not referring to a specific implementation). COM allows programmers to write libraries that perform a service. And if someone wants to implement that service in a different way, they are free to do so -- they just have to implement the same interface. And because of GUIDs, it's completely distributed -- there's no central authority.

      The only thing that COM (and ActiveX) doesn't address is untrusted components. That is a shortcoming, but until that's fixed, it's up to the user to trust or not trust the components that he/she is putting on his/her system.

      GoHip is the untrusted source in this article, not COM.

      --
      "Save the whales, feed the hungry, free the mallocs" -- author unknown
  6. Exploits & Corporations - Same holes... by Spoing · · Score: 4
    So, there are more valid reasons to turn off Active-X. Big surprise. The fact that a corporation -- sleazy or not -- does this is no surprise. Staples keeps sending me spam, and they should know better...there's always Office Depot!

    On a practical note, here's what I keep telling the people;

    1. Turn off these everywhere...
        • HTML (except the browser)
        • Java
        • Java Script
        • Active-X
        • VBA or macro features
        • Anything similar to the above

    2. Cookies - Delete it and recreate a new unreadable cookies file.

    3. Never open any message unless you...
        • Know the person sending it
        • Expect the message

    4. Move all mail to a Spam/Suspect/Trash folder automatically if the mail doesn't pass these two rules at a minimum...
        • It's from a known and trusted person or mailing list
        • It's addressed to one of your valid mail addresses; it's not from a mailing list

    5. Remove all personally identifying comments from programs that have net access (Netscape's Mail Identity page, ...)

    6. Don't give out your email address unless it's REALLY NECESSARY.

    7. Use different email addresses for different types of mail; business, personal, ....

    8. If you have to give out an email address for one-time use, tag it; /. asks, use something like slashdot_yanky@hotmail.com or some such (or better yet, get your own domain and mail server...quite handy!)

    The best way to handle this is a firewall with filters. Remember, Procmail For Security and good ipchain rules are your friends!

    --
    A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
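
The two filing rules in tip 4 and the tagged addresses in tip 8 of the comment above, as an added Python example that is not part of the original post. The addresses, list name and folder names are constructed, and reading the second rule as applying only to mail that did not arrive through a list is an assumption.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

# All names and addresses below are constructed for illustration.
TRUSTED_SENDERS = {"alice@example.org"}
TRUSTED_LISTS = {"bugtraq.lists.example.net"}   # compared with the List-Id header
# Your valid addresses; a tagged one records who was given that address (tip 8).
MY_ADDRESSES = {"me@example.org": None, "slashdot_me@example.org": "slashdot"}


def classify(raw_message):
    """Return (folder, reason, leaked_tag) for one RFC 5322 message.

    From and List-Id are unauthenticated headers that a sender can forge,
    so this mirrors the comment's filing rules and is not sender verification.
    """
    msg = message_from_string(raw_message)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    list_match = re.search(r"<([^>]+)>", msg.get("List-Id", ""))
    list_id = list_match.group(1).lower() if list_match else ""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    recipients = {addr.lower() for _, addr in getaddresses(headers) if addr}
    mine = MY_ADDRESSES.keys() & recipients
    # A hit on a tagged address shows which party passed the address on.
    tags = sorted(MY_ADDRESSES[a] for a in mine if MY_ADDRESSES[a])
    leaked = tags[0] if tags else None

    if list_id:
        if list_id in TRUSTED_LISTS:
            return ("Inbox", "trusted mailing list", None)
        return ("Suspect", "unknown mailing list", leaked)
    if sender not in TRUSTED_SENDERS:
        return ("Suspect", "unknown sender", leaked)
    if not mine:
        return ("Suspect", "not addressed to a valid address", None)
    return ("Inbox", "trusted sender, addressed to me", None)


# Constructed sample messages (headers, blank line, body).
SAMPLES = {
    "friend": "From: Alice <alice@example.org>\nTo: me@example.org\n"
              "Subject: lunch\n\nhi\n",
    "bulk": "From: Deals <promo@bulk.example.com>\nTo: slashdot_me@example.org\n"
            "Subject: WIN NOW\n\nclick\n",
    "bcc": "From: alice@example.org\nTo: someone@example.net\n"
           "Subject: fwd\n\nsee attachment\n",
    "list": "From: stranger@example.net\nTo: bugtraq@lists.example.net\n"
            "List-Id: Bugtraq <bugtraq.lists.example.net>\nSubject: advisory\n\ntext\n",
}


def triage(samples=SAMPLES):
    """Classify every sample and return {name: verdict}."""
    return {name: classify(raw) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, verdict in triage().items():
        print(name, verdict)
```
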
  7. I was livid when I found out... by dcjames · · Score: 3

    I run a dual boot system here ( Linux / Win95 ) since I have some occasional guests that are a little afraid of Linux yet. I was absolutely incensed when I found out they had run across GoHip, and it had mucked with my system. I fired off a complaint to every one of their upstream providers, and the computer crime section of the FBI. As far as I was concerned, GoHip had run an exploit on my system, cracked it, and performed unauthorized and hostile modifications to my files.
    There is no longer a web browser available under Win 95 on my system. My guest will just have to overcome their "fear of flying" and surf under an OS that I can lock down.

  8. why disabling Active-X won't work by Marvin_OScribbley · · Score: 4

    There are just too many sites out there that use this stuff. Sure Javascript, Java, Active-X, etc. all have security issues. But every time I go disabling any of them guess what happens? My wife goes to use the computer and tries to bring up Playsite, or Uproar, Sony Play Station (etc etc), and what happens? Nothing works! Then she gets mad and I have to re-enable all that stuff.

    The only real solution I see for myself personally is to simply have a separate computer for browsing the net. Computers are cheap these days, and how much resources does a computer need to browse the net? Since nothing important is kept on the net browsing computer these security issues don't really matter much to me. And having to reboot periodically isn't a problem either, since all the real work is being done on a more powerful machine elsewhere.

    It makes for a lot less stress too. Heck if I did all the things some people advocate whenever a story like this comes up I'd be a paranoid cave-dwelling hermit! ;-)

    --
    I'm not a journalist, but I play one on slashdot
  9. cookies by / · · Score: 3

    Cookies - Delete it and recreate a new unreadable cookies file.

    Well, since you're posting on slashdot as a logged in user, you're obviously hypocritical on this one. Why not instead tell them to run something like junkbusters that'll actually let them control what cookies they want instead of just blindly and across-the-board killing them all?

    --
    "If one is really a superior person, the fact is likely to leak out without too much assistance" -- John Andrew Holmes
    1. Re:cookies by Spoing · · Score: 3

      Well, since you're posting on slashdot as a logged in user, you're obviously hypocritical on this one.

      I am? That's kinda harsh.

      The advice I give to others isn't detailed -- most people won't follow that. To handle /., you can either login each time or login with cookies enabled, save the necessary /. cookie, and then make the file read only.

      Why not instead tell them to run something like junkbusters that'll actually let them control what cookies they want instead of just blindly and across-the-board killing them all?

      I use Junkbuster. Handy tool. Most people won't go through the hassles...however minor.

      --
      A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
  10. funny how no one mentions... by AshleyB · · Score: 4

    that GoHip tells you exactly EXACTLY what they are going to do with your computer in its download agreement, but these people are 'too busy' to read it and 'feel they shouldn't have to'!

    I don't see GoHip forcing people to their website and forcing them to download this stuff. Yet another example of personal responsibility taking a vacation within the walls of slashdot.

  11. Added bonus! GoHip will also gladly send you spam by CausticPuppy · · Score: 3

    Did you see the terms and conditions?

    I especially like the part under "E-Mail."
    Your acceptance of the "Free Video Update" browser enhancement constitutes your agreement to receive periodic communications from GoHip! and THIRD PARTIES, via e-mail.

    So, you have no choice but to let them sell your email address to spammers. In fact, you agree to this when you click "Accept" on the license agreement that nobody reads. This has nothing to do with ActiveX security of course, but it's just more evidence that GoHip is run by criminals.

    --
    -CausticPuppy "Of all the people I know, you're certainly one of them." -Somebody I don't know
  12. One more thing by pnevares · · Score: 3
    Anyone notice the "fix" for Netscape?
    Netscape currently only allows "per session" modifications to the default search engine. The instructions to edit the preferences are definitely not user-friendly. So, until Netscape allows modifications more easily for the user, you will not be able to modify the default search engine.


    --
    Pablo Nevares, "the freshmaker".
  13. Education, Education, Education. by DoninIN · · Score: 3

    The problem, the issue and the greatest need in the internet community is user education. Period. Odds are, that if you're reading slashdot, you know at least enough that you're aware of the security issues involved with something like Active X, but does your mom? Does your sister? Do your customers? What we need to do is lay out a set of safe surfing practices. Practical ones get the average, or even the less than average web user educated enough to follow those practices. Then we'll see these sort of practices decrease, if not actually wither and die. Practical safety procedures, they have to be practical in the sense that we must make sure and offer our grandmothers an alternative to sending you those .exe greeting cards, show them how to point to a URL so you can download elfbowling for yourself, teach them that there are animated greeting cards online that are safe. It is NOT enough to tell them that "that's lame, you don't need to do it" we have to tell them *WHY* and show them a safe alternative.

  14. If you think this is bad, there is already worse.. by EoRaptor · · Score: 5

    While GoHip isn't too great, there is already a company out there called Aureate, who bribe shareware and trial program vendors to install a few files on your system, along with the main program. These files (look for advert.dll) sit around as IE and Netscape plugins, and spy on everything you do, from personal registry information to every url you click on.

    I could post a list of exactly which vendors install this thing, but it's too long. (GetRight and Globalscape Cute** probably being the most common source). If I were you, and using any windows based o/s, I'd look for advert.dll. Deleting it only partially solves the problem, but it's better than nothing.

  15. Idiot that I am... by ToLu+the+Happy+Furby · · Score: 3

    I decided to try this out. Mainly to see if the patch MS posted a few months ago to stop this sort of thing (i.e. ActiveX inserting arbitrary code into your StartUp directory) actually did.

    It doesn't. Apparently all it does is stop *unsigned* ActiveX from inserting arbitrary code. Now, while that's certainly an absurdly necessary thing to have done--and it does stop the most major abuses of that ActiveX hole (eg. the Bubbleboy Outlook/OE virus)--I think it's pretty damn ridiculous to assume that any program should be able to stick arbitrary code in my StartUp directory just because it's signed. Or that it should be able to make changes to my registry without asking, as gohip's code does as well. (But don't worry--when you download their program to fix your registry (which does work, BTW), it pops up a cryptic looking dialog box asking if you really truly want to make changes to your registry.)

    The sad thing is (flamesuit on) I actually *like* a lot of the ideas behind ActiveX--namely that it might be a good idea to store applets on the client side instead of having to download them every time you visit a web page--and I've seen some pretty nice uses of it. (eg. the dynamic hierarchical news menu on MSNBC. Of course, being ActiveX, don't bother trying to check it out unless you're running IE 4 or 5 on a Windows box--last time I checked, it doesn't even work in IE 4.5 for Mac.)

    Unfortunately, its outrageous lack of cross-platform compatibility and its moronic-to-criminal lack of safe security privileges have nearly killed off some actually sorta neat technology. Oh well.

    Anyways, I hope this incident will point out to some people who've pretended otherwise what a farce "signed" code is. On the web, you don't know who to trust. As anyone who thought about it could have predicted, the danger isn't some 1eet hax0r somehow piggy-backing his trojan onto your connection with some Nice Commercial Website...it's the Verisigned trojan that Nice Commercial Website is asking your permission to install.

  16. And that's why we have the omniscient VeriSign... by SuperKendall · · Score: 3

    That's why when I leave my house I leave all my doors and windows wide open with a security camera on each entrance - after all, I can always always figure out who took all my stuff later, right?

    Similarly, when I step away from my car I leave the doors unlocked, keys in the ignition, and the engine running - then I hand a camera and a notepad to some bystander (VeriSign) and ask them to please take a photo and ask for information from anyone that should enter my car.

    How much do YOU trust VeriSign to really determine if the people getting certificates are who they say they are? Do you really support a protection racket that demands every company on the planet give them money to present the illusion of security?

    I'm not advocating anything apart from a dislike of VeriSign.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  17. Re:Details? by jflynn · · Score: 3

    Here's a link to a story on the Aureate mess a friend sent me.

  18. Re:VeriSign by David+Price · · Score: 4
    From the PGP FAQ:

    "Bear in mind that your signature on a public key certificate does not vouch for the integrity of that person, but only vouches for the integrity (the ownership) of that person's public key. You aren't risking your credibility by signing the public key of a sociopath, if you were completely confident that the key really belonged to him. Other people would accept that key as belonging to him because you signed it (assuming they trust you), but they wouldn't trust that key's owner. Trusting a key is not the same as trusting the key's owner."

    This lesson is applicable to any public-key problem. VeriSign isn't to blame here - they did exactly what they were supposed to do.

  19. This may be a federal crime by Animats · · Score: 3
    There's a section of Federal law that may apply here.

    18 USC 2701. Unlawful access to stored communications
    (a) Offense. - Except as provided in subsection (c) of this section whoever - (1) intentionally accesses without authorization a facility through which an electronic communication service is provided; or (2) intentionally exceeds an authorization to access that facility; and thereby obtains, alters, or prevents authorized access to a wire or electronic communication while it is in electronic storage in such system shall be punished as provided in subsection (b) of this section.

    (b) Punishment. - The punishment for an offense under subsection (a) of this section is -

    • (1) if the offense is committed for purposes of commercial advantage, malicious destruction or damage, or private commercial gain - (A) a fine under this title or imprisonment for not more than one year, or both, in the case of a first offense under this subparagraph; and (B) a fine under this title or imprisonment for not more than two years, or both, for any subsequent offense under this subparagraph; and
    • (2) a fine under this title or imprisonment for not more than six months, or both, in any other case.
    This was probably drafted to protect E-mail services, but now that there's a lot more electronic communication, it has broader applicability. A computer running a web browser is certainly "a facility through which an electronic communication service is provided". And altering the user's selection of a home page fits within the phrase "alters, or prevents authorized access to, a wire or electronic communication". And notice there's an extra penalty when commercial gain is involved, indicating that Congress foresaw the possibility of businesses committing this crime.

    The main Federal computer crime act only covers some computers, basically government and bank systems. (Most computer crime prosecutions take place under state laws.) But this one is broader.