Slashdot Mirror
Latest IE Hole Lets Gopher Root You
rvaniwaa writes "Another hole in internet explorer has been discovered. This hole allows a hacker to root a user's computer whenever the user clicks on a gopher link. All versions of IE are affected and a Microsoft spokesman stated that the company is "moving forward on the investigation with all due speed""
Written in one of my journal entries.
See if this story follows pattern (I think it will).
Good quote, too many chars. Seriously, the slashdot 120 char limit sucks!
Let the "gopher hole" jokes begin.
Humm, it's early this week.
I do security
I haven't seen one in ages 1st post too
Vote Quimby!
Speaking as a person who used to use gopher quite a bit - how many gopher links are left on the WWW? Three?
sPh
The fact that this bug was found makes me feel like someone is still using gopher. :) Haven't seen such person in a while myself.
Leonid Mamtchenkov
"hostile Gopher site"? Ouch ... I think shall wear kevlar underpants while using IE in future.
From the article:
In January, Microsoft Chairman Bill Gates instructed employees to make software security a top priority.
Yeah, looks like everythings moving full steam ahead on that front.
----
One of us needs to stick ones' head in a bucket of ice water.
- Hobbes
And yet, despite regular reports like this, posters on Slashdot keep asking why anybody who "cares about the web" would bother using a browser other than IE, and suggest that somebody who wants to use another browser (and, heavens, support cross-platfrom and cross-platfrom browsers) is a naive moralistic high-horse-rider who needs to wake up and get with the program.
With the program doesn't look like a very nice place to get to me....
-Rob
"Where do you want to gopher today?"
"I smell varmint poontang, and the only good varmint poontang is dead varmint poontang, I think."
I'm just happy that it doesn't crash the browser when you click on a Dancing Hampsters.
How damn common those gopher links are, I click on hundreds per day, whatever am I going to do?
Use Archie!
Who the hell uses Gopher anymore, especialy 'doze newbies?
"After being embarrassed on an almost regular basis by security flaws in its products -- including a debilitating problem found in its latest Windows XP operating system just days after its release -- Microsoft began a companywide training program on security issues earlier this year."
D'Oh!
I can see thrue IE
every thing burns, all you have to do is make the fire hotter
What has happened to gopher?
Is there still a large number of gopher sites out there or has it really died a death having succumb to the "world wide web"?
I suppose it is why the bug wasn't discovered before. 90% of current Internet users probably never used gopher or have even heard of it.
Well you can't expect Microsoft to keep up with all these new technologies and formats!
--
Don't sweat the petty things, and don't pet the sweaty things.
...I can only imagine how someone found this one.
However dangerous this hole may be, there are a few reasons why it probably won't create an end of the world scenario, most imporatant of these that gopher is absolutly archaic. I personally havn't seen a gopher server since 1996 (at MIT).
Second, as always, Microsoft will have a patch out fairly quickly, which is more that can be said for mozilla half of the time...
*Ducks and covers due to flying penguins*
Linux is dead.
LU
i've no clue what gopher is...........however i'd thank you kindly to stay away from MY gopher hole!
--fetch daddy's blue fright wig, i must be handsome when i release my rage
To protect from potential exploiting, you can temporarily disable the gopher
protocol like this:
Go to Tools -> Internet options -> Connections. Click on "LAN settings".
Check "Use a proxy server for your LAN". Click on "Advanced...".
Go to the Gopher text field
and enter "localhost", and "1" in the port field. This will stop Internet
Explorer from showing and processing any gopher pages.
this will protect you for now, at least until M$ pull their finger out
so where's an exploit?
I don't have a root user...this must mean my M$ machine is perfectly safe!?
Due to the currently proliferation of gopher sites still left on the internet, this could be the death knell for Microsoft!!
Seriously, why is this even newsworthy? It's like bitching that the Titanic might need the watertight compartment partitions to extend a little higher than E-Deck in the future..
..cage goes into salsa. Shark's in the salsa. Our shark.
Has anyone ever tried to compile stats on security holes in browsers? What I'd like to see is a comparison of browsers in this case, with each version listed with the various vulnerabilities found? Obviously, IE is going to come out on top here, but I'd be interested to see such a list anyway. I've looked around the SANS site and didn't see anything like that. I'd even settle for a short summary. Something like IE has X amount of holes, Netscape has Y amount of holes, Opera has Z amount, and so on.
Life is hard, and the world is cruel
Don't use IE!
You're using her as bait, Master!
Press alt+F4 whenever the IE splash screen comes up.
Most of the other browsers have security holes found in them from time to time as well, but most of the kind crackers out there seems to take a diabolical pleasure in focusing on IE (and since it's one of the core technologies of it, Windows...). If people spent as much time trying to break many of the other Browsers out there, I'm sure they would find they're all their own brand of swiss cheese.
No software is rock solid, even when it's written to be. There's always a european teenager with way too much time on their hands just waiting to turn you Titanium fortress into a window screen...
Linux is dead.
LU
The sad thing is, so much stuff doesn't work on NT/2000/XP if you're not a local admin. How many apps out there feel the need to store their stuff in HKLM? Crap really.
The Day Today - Game Warden to the Events Rhino
segfault.org is temporarily out of busines or it'll be a good time for an "arcticle" in the lines of "no IE security flaws found this week".
/. to only publish news about IE when the head line is someting in the lines of the segfault.org's style headline above. It'd save a lot in terms of my patience and bandwidht.
now seriously, this is getting anoying. since I started to rely on mozilla only (or since I ditched netscape 4.x for good) some 6 months ago I saw only ONE serious security flaw reported on it and it was corected in a week or so. but with IE we have at least 2 anoucements a month. this is getting so frequent I'm here asking
What ? Me, worry ?
And Microsoft is just getting around to hunting down security holes *now*? What does this say about more current protocols?
I predict that by 2005, they'll start looking for holes in SOAP )
DO NOT LEAVE IT IS NOT REAL
At what point do we shift the name of a product like this from Explorer to Sieve? How many previous 'security holes' have there been?
MS is starting to look more and more like the little boy whose plugging the leaks in the dike with their fingers.
Awk! Pieces of eight. Pieces of eight. Pieces of seven... ERROR: General Protection Fault. [Paroty Error.]
Sandy: "I want you to kill all the gophers on this course."
Spackler: "Check me if I'm wrong Sandy, but if I kill all the golfers, they'll lock me up and throw away the key."
Sandy: "The GOPHERS, man! Kill all the GOPHERS!"
"And like that
Keep the burglars out of your house with the new Microsoft Door. Complete with not dead-bolts, but tape, yes TAPE to keep it locked. Also, we've reached an all new level of user friendliness with the omission of door-knobs!!!
"The best laid plans of mice and men gang oft agley..." - ROBERT BURNS
...anybody clicked on a gopher link?
If there isn't a patch yet, or if MSFT says you gotta have IE6 or something, easiest thing to do is just block gopher. What is the gopher port anyway?
For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?
...to "root" for Linux!
;)
Karma: Good (despite my invention of the Karma: sig)
The Official Bugtraq Post:
. asp
OVERVIEW
========
Gopher is a protocol developed at the University of Minnesota in the
early 1990's. Gopher servers offer hierarchically organized directories
and files. These form a "gopherspace" which can be thought of as the
predecessor of the World Wide Web. Gopher was mostly abandoned soon after
HTTP and the World Wide Web started gaining popularity.
Microsoft Internet Explorer has a built-in gopher client. Gopher pages can
be accessed via URLs starting with "gopher://". The part of code in IE
which parses gopher replies contains an exploitable buffer overflow
bug. A malicious server may be used to run arbitrary code on an IE user's
system.
DETAILS
=======
When the overflow is triggered, a fixed sized buffer in stack gets
overwritten with data from the gopher server. This data can contain most
octets from 0 to 255 (also nulls) which makes it particularly easy to
inject a working shellcode in it. This is a traditional, trivially
exploitable buffer overflow. A test exploit has been successfully used to
run arbitrary code without user intervention with various IE versions and
systems including IE 5.5 and 6.0.
The attack can be launched via a web page or an HTML mail message which
redirect the user to a malicious gopher server when the victim views them.
The server can be very minimal, ie. a program that can listen on a TCP
port and write a block of data; a fully operational gopher server isn't
necessary in order to carry out the attack.
The exploiter could do anything that a regular user could do on the
system: retrieve, install, or remove files, upload and run programs, etc.
Full technical details aren't disclosed at this time to prevent
exploitation.
WORKAROUND
==========
Internet Explorer users can protect themselves from the flaw by disabling
the gopher protocol. Barely any gopher servers exist on the Internet
today, so this is unlikely to cause problems. If needed, a gopher client
or some other web browser can be used to access the gopherspace.
An easy way to disable processing and displaying gopher pages is to define
a non-functional gopher proxy in Internet Options. Select Tools ->
Internet options -> Connections. Click on "LAN settings". Check "Use a
proxy server for your LAN". Click on "Advanced...". Here you can define
proxy servers to be used with different protocols. Go to the Gopher text
field and enter "localhost", and "1" in the port text field. This will
stop Internet Explorer from fetching any gopher documents.
After installing the patch from Microsoft you can remove these gopher
proxy settings (or restore them to values they had before).
For more information and a vulnerability test see
http://www.solutions.fi
VENDOR STATUS
=============
Microsoft was contacted on May 20th. At the moment of writing this
advisory, Microsoft has started designing and coding a fix, but hasn't
given any approximation of when it would be released. The patch will be
available at
http://www.microsoft.com/technet/security/current
when it is completed.
I'll have something intelligent to add one of these days...
This site contains technical info on the hole. It's a buffer overflow.
A nice browser feature would be a regular expression based prefilter of web pages. If a file called prefilter.rules exists, the browser would run the raw html of each pages it downloaded through the filter. This would allow admins to make the browser safe again (with some lost functionality) until the browser was patched.
In this case you might want to use a rule something like:
s/(gofer\:[^'" \n\r\t]*)/about:blocked.html?$1/
I should see if this is a requested feature for mozilla yet. With browsers knowing about regexp for javascript this probably wouldn't be too hard to implement. Plus once it was implemented, you could use it for blocking ads and other annoyances.
Microsoft is so good at screwing up its own OS, thank God they seem to do a good job with Mac apps (though 90% of our security problems are due to M$).This will be moot for Mac Users anyway with Chimera looking better every day (nightly build).
Strange women lying in ponds distributing swords is no basis for a system of government.
Hmmm... Two headlines I saw immediately on going to /. today:
;))
One about a company releasing a report indicating that Open Source software is inherently insecure.
Another about a new security hole in IE (Thank god I use Konqueror
Now we need the good PR people at Microsoft to release the source code to Internet Explorer and IIS so that they can prove their first point...
LedgerSMB: Open source Accounting/ERP
You can go here http://www.solutions.fi/iebug2/run.cgi to test your system to see if it's vulnerable.
:-)
Odd though, when I hit it in IE, it asks me if I want to download the program or not.... maybe this isn't as serious as originally thought.
Of course in Mozilla it just shows the code in the browser
I'll have something intelligent to add one of these days...
Searched the web for link:gopher://. Results 1 - 10 of about 421. Search took 0.03 seconds.
:)
Not an excuse for Microsoft, just an excuse to get modded 'Informative'
sarchasm: The gulf between the author of sarcastic wit and the person who doesn't get it.
Since a windows system has an administrator account instead of a root account, shouldn't that be "lets you administrate a user's computer"?
This is especially rich after reading this.
-R
For those of you who don't know what gopher is or where it's being used, here is a little info and some links to projects and sites related to this good old protocol.
About gopher:
Gopher is an infoserver which can deliver text, graphics, audio, and
multimedia to clients. Keeping documents "link clean", making linking a
function of the server info-tree and not in the doc, layout is kept to
its most frugal minimum, and is standard across all docs. No graphic
design means its the ideal navigable interface, a hypertext Eden. It
gives simplified usage for sight-impaired users, same contents for
wired/wiredless, and requires no capital investments in layout and
"design". Gopher is real -- and it was fully functional in 1992, even
without advertisements!
Taken from the gopher manifesto
Google's Gopher stuff
Yahoo's Gopher stuff
For those that want to go gopher hunting. Here's a link to a gopher server at the University of MN. I don't think they will install BackOrifice or something, but user beware!
I wonder how secure a gopher server is?
However, a quicky search turns up several still-active gophers, for example:
gopher://gopher.umsl.edu/
gopher://gopher.cac.psu.edu/
(These actually return data -- some others I found the server up but no data returned).
As to why gopher died out, Tim Berners-Lee offers the following:
(from his book, Weaving the Web)
-- Alastair
Comment removed based on user account deletion
Oy? More like Oy Vey!
Obligitory reference to story posted earlier today...
'Think Tank' Issues Microsoft-Funded Troll
According to this ZDNet article, a Washington think tank known as the Alexis de Tocqueville Institution is soon to release a study stating that Open Source Software allows terrorists an easy time hacking into our systems. It's little suprise that this group takes money from Microsoft." The Register's story is good too. All the whoring reports in the world won't make open source any less secure.
Everybody knows terrorists love to target Mozilla users by sending them links which causes there system to email Star Office attachments to everybody with payloads that will delete all your OGGs and PNGs by exploiting security holes in Sendmail.
"Communism is like having one [local] phone company " - Lenny Bruce
Ignore that, that's a test for a slightly older IE bug from a year ago. Didn't do enough reading on the google link :-)
I'll have something intelligent to add one of these days...
The gopher URL is most likely bogus to begin with. Processing the URL is what roots you, not connecting to the actual Gopher site. i.e. you need a proxy that filters out all Gopher links from the HTML to keep them from ever reaching your browser (Just like the only way to protect Outlook from some classes of worms is server-side filtering)
retrorocket.o not found, launch anyway?
The Caddyshack Release. With this new brilliant marketing scheme, all subsequent IE patches will then be named after stars in the series, e.g. the Chase release, the Ackroyd release, the Dangerfield release
John Maynard Keynes: "When the facts change, I change my mind. What do you do?"
i don't care how many people disagree with this but what needs to be done is all web browsers should be made to never access local harddrives, and file managers should never be able to access the internet, merging these features with either app only invites trouble...
Well, sort of, anyway. They don't go into much detail because of fear of people exploiting it, but it's some kind of buffer overflow (big surprise there) triggered by a malicious Gopher server.
certainly more applicable to the concept of fixing security holes in Microsoft software.
FYI: Whack-a-Mole is an old arcade game where you hold a padded mallet facing a slightly inclined surface with a half-dozen or so holes. Periodically a little mole pops up from a hole, and you try to whack him before he goes back down on his own. A little bit like playing XBill, only in the Real World.
The living have better things to do than to continue hating the dead.
That's strange - it's exactly how I like my dates to end.
The problem concerns Gopher, an Internet protocol that predates the World Wide Web with pages like Web pages except that they are unable to store audio and video content.
Gopher is quite capable of serving audio and video files.
According to Oy Online, a hacker could take over a user's computer simply by having the user click on a link to a "hostile Gopher site.
A "hostile gopher site"? like gopherse.cx?
Did I hear someone say Mozilla 1.0 was immenent :-)
Mr. Smoove
Here is another article from SecurityFocus about the issue, along with the original post to the BugTraq mailing list about this problem.
--Kylus
Idiot-proof something, and Life will build a better Idiot.
And the spokesman added, "Responsible security researchers work with the vendor of a suspected vulnerability issue to ensure that countermeasures are developed before the issue is made public and customers are needlessly put at risk."
:)
Nice to know that they want te ensure customers are needlessly put at risk.
I know, I know... still.
-beme
1971
Do you remember the last time the US and England met in a World Cup? USA 1:0 England. Have fun watching us in the second round. You're going home early.
If it ain't broke, you need more software.
Because legit gopher sites that already aren't the problem.
/. post)
It's bogus trap Gopher sites (Or likely merely URLs) that are.
I'm guessing that the attack doesn't even involve contacting a Gopher server, it is likely to be a buffer overflow attack in the URL. (I'm guessing that it's a relative of previous URL BO attacks that both NS and MSIE were vulnerable to.)
It's just as newsworthy as bogus HTTP URLs rooting your system were. Because these gopher links look just like HTTP links unless you look at your browser's URL display. Most of us, including myself, don't bother looking unless we have reason to be suspicious. (Like any link in a
retrorocket.o not found, launch anyway?
Quote:
"This will stop Internet
Explorer from showing and processing any gopher pages"
of course if you have evidence and an example that shows different, please demonstrate it
Whereas Veronica helped you search gopher systems for documents, Jughead searched directory titles only.
Just a minor point. She's at least 21, and works for Linuxcare. The BSDi like her anyway, though.
It may not be just, but it is fair, and that is more important.
A Microsoft spokesman who refused to be identified said Tuesday that the company is "moving forward on the investigation with all due speed" and will take the action that best serves its customers.
Since when did M$ start offering downloads of Mozilla?
I stole this Sig
An easy way to disable processing and displaying gopher pages is to define a non-functional gopher proxy in Internet Options. Select Tools ->
Internet options -> Connections. Click on "LAN settings". Check "Use a proxy server for your LAN". Click on "Advanced...". Here you can define
proxy servers to be used with different protocols. Go to the Gopher text field and enter "localhost", and "1" in the port text field. This will stop Internet Explorer from fetching any gopher documents.
As you can imagine, "the gopher hole" was a project microshaft envisioned early-on. They couldn't let this go public until they had something to catch the little beasts with. Fortunately now they can catch the gophers with microshaft's giant .net.
"UNIX was not designed to stop you from doing stupid things, because that would also stop you from doing clever things."
I hate MS as much as the next guy, but my bet is that they will follow the exact pattern they have for years: announce what they are going to do (make their products secure), and then throw $40 billion at it for a couple of years until they have what they claimed. It's happened before and I would put money on it happening again. Mark my words: MS will, at some point, start shipping products that do not have these security flaws.
I smell varmint poontang. And the only good varmint poontang is dead varmint poontang. Freeze, Gopher!
How ya like dat?
I just found a site with more details. Turns out that a hostile server has to be set up.
? lang=fi
So it is a valid remedy.
The site's URL (It's all over this story, but for good measure...) - http://www.solutions.fi/index.cgi/news_2002_06_04
retrorocket.o not found, launch anyway?
Of course we all know how secure Netscape is
here &
here
It's a buffer overflow originated by a hostile Gopher server.
Just as dangerous, unless you block all Gopher sites using your firewall preferences. As I said before - It's not the legit links (Of which almost none still exist) that are the problem, it's the hostile servers whose links are displayed identically to HTTP links.
retrorocket.o not found, launch anyway?
Wow, I am impressed... the first two gopher servers slashdotted!
It's rock solid.
... this is why I'm still using Lynx. I'll maybe give one of these new fangled "GUI port 80 telnet clients" a whiz once they're robust enough to deal with ten year old technology.
If you were blocking sigs, you wouldn't have to read this.
Which has more holes? Internet Explorer or Swiss Cheese..
Anyone who's seen "Caddyshack" knows the damage that gophers can do!
The possibility of this being a Mosaic hole reminds me of one of life's fun little ironies:
Marc Andreessen wrote Mosaic while at the University of Illinois. After he went on to found Netscape, Microsoft came to an agreement with the University of Illinois to license the Mosaic source code to use it as the core of the Internet Explorer browser. The fact that they still license it is referenced in IE's "About Box". Now the UofI's intellectual property policy is that the creators of the property get ~40% of the licensing money. So, the odds are pretty good that Marc gets annual checks of Microsoft money to pay for his old source code, which was used to destroy his beloved company. Makes me feel bad for him.
Still, it is kind of funny that Microsoft ends up paying some miniscule part of my University salary because they've never been able to write a web browser from scratch.
How long till this is put in a javascript / html email exploit???
Why do we need anything but text in email? I could even live with a subset of html that would display graphics, but full html???
scary....
I have come to a conclusion that one useless man is a shame, two is a law firm, and three or more is a congress -J Adams
Sounds a wee bit kinky to me
Microsoft: Now with more exploited holes than a two-dollar hooker.
--
I Hit the Karma Cap, and All I Got Was This Lousy
For anybody following bugtraq this was an important issue, obviously, ma it was mixed with tons of other security issues
it seems that every software (well, almost: god bless djb) has security bugs, and usually (obviously) concenrning input from outside (being "outside" client input to the server or vice-versa).
tons of white-papers have been released pointig out which errors drive to which vulnerabilities, mailing lists and forums do exist about this.
Forgetting for a while that we are "just humans" and we are prone to ewwows... is there something deeper? Something in how we design the software? Something wrong in how we relate to writing software?
Every time a vuln hits the news I just ask myself if something will change... if we will finally break free from insecure-programming issues, eventually redirecting more brain power to innovation, rather than stabilization of what already exixst?
:dikappa
What do you think MS will do? Probably release a patch that disables gopher and call it a day.
Chase
-==-
I don't know why, but the title itself laugh my shit out. XD
m$ buys a thunk tink to squdge out an opinion that open source is less secure then proprietary closed source software. Later that day. . . . . A security exploit is found in all versions of internet exploder which is far more secure because "evil doers" cannot look at the source code. Chairman bill is doomed to a life of pies in the face. Apparently he has not learned how to duck.
Coming out of nowhere and .. IT'S IN THE HOLE!
Good point.
Let's just hope (for their sake) they get there in time. It took them five-ten years to get a stable Windows version, rid of all the DOS heritage.
Of course, fixing this Gopher bug shouldn't cost them more than a few days/weeks/months, but countless bugs&holes will remain until they get support from millions of volantary peer reviewers. (Which would surely reveal so plenty that people will no longer be able use their products for some time).
Currently, things are starting to shift, with Microsoft stubornly refusing to open up on any of their sources, or cooperating with any company they don't "own" (like Lernhout&Hauspie). Some governments (like china and germany) are tentatively moving the other direction together with some major companies.
My guess is that if Microsoft doesn't change course, sooner or later they will loose their monopoly. And without that - or even before they have actually lost it - some of that $40 billion (pfew, that IS a lot!) is going to vapourise on stock markets.
Afterall, MS is really just a giant marketing machine with a lot of money but little inherently inovative assets.
And just why should we trust anything this guy says? Their official spokesman won't even stand by what he's saying. And what is he saying, anyway?
So again, as far as Microsoft is concerned, it's the fault of the people who publicized it. It's prudent to assume these guys are not the only ones who know about the problem. Which means my information is already at risk.
So if there are people out there who can compromise my system, why shouldn't I be able to find out about it and take preventive measures? Why should I have to wait until Microsoft -- who haven't even admitted to the vulnerability yet, two weeks after being told about it -- get around to fixing it?
Nope, no sig
gopher://gopher.URr00t3d.ru
"I don't know half of you half as well as I should like, and I like less than half of you half as well as you deserve."
Asked to comment on the implications of this discovery for Microsoft security, Bill Gates pointed to the sky, uttered some comment about "ze plane," snapped his fingers and promptly vanished.
Eloi are stupid, throw morlocks at them!
Hmmm, yet another underground uprising eh?
Not only does the thing damage IE, they're hell on lawnmowers too.
--- I wish I could hear the soundtrack to my life. That way I'd know when to duck.
For those with firewalls, be sure to block port 70, if you do not already.
Port number
Not sure if a user could redirect gopher to port 80, but at least this will lock out the script kiddies. Be on the lookout for html emails with this stuff. Count your blessings that MicroSoft has not been able to put all traffic on port 80 (yet), and you can still filter some things....
I have come to a conclusion that one useless man is a shame, two is a law firm, and three or more is a congress -J Adams
I never trusted that guy on The Love Boat. I hear he's a congressman or something now.
Can you imagine the jocks with the lame gopher mascot getting back after years of abuse from the Mountain Lions: "My mascot is more powerful than yours. It will rape your browser!".
Stop the brainwash
In windows terminology, isn't this known as "access level escalation"?
Stop the brainwash
This is fine and good, but could we please stop this needless bashing of MS? There are better places for security information than Slashdot. Perhaps show just a hint of optimism instead of negativity all the time.
/.) in terms of security. It is nonsense and articles like this tell me that Slashdot editors are more interested in emotionally attached flamewars to increase page hits and advertisment views than actual unbiased news.
Many Slashdot readers have a serious flaw in placing the blame on one entity known as "Microsoft." They forget that MS is divided into many project groups with many developers that most likely do not have contact with other group members. If you want to make a better comparison of MS vs open source then take 80-90% of _all_ open source programs and compare the number of flaws to MS' flaws. Take a simple program like "BitchX," an IRC client. It has had countless security issues, and IRC has been around since '89 or so. We like to conveniently forget about sendmail and bind and focus on the Linux kernel stability. Let's not forget that the Linux kernel has a very poor track record of stability and security. Remember the 2.0.3x series? Nearly every other kernel had a remote exploit. In conclusion: there is no equal or objective comparison between MS and "Linux" (or whatever you want to define as the yardstick of security.. which is typically "Linux" on
Dijkstra Considered Dead
Would you please do us a favor and call it soccer? Using the term 'football' when speaking of soccer on an American website is derogatory.
LOL this story after reading that crap about Open Source helping terror.
Who needs a patch? just download OPRA and bam fixed.
http://www.opera.com/
hehehehehehehehehehehehe
...why do they have to find and fix them one by one? Can't they switch to a programming language, or debugging tool, or run-time library, that would find and fix all of them?
Indeed, about the time Windows 2000 was released with 65536 known bugs (or whatever the exact number was), didn't Jim Allchin say that they had such a tool and were using it?
Should buffer overflows be as outdated as Gopher itself?
"How to Do Nothing," kids activities, back in print!
Closing all the pop-up windows that you get at some sites is like playing whack-a-mole.
In Soviet Russia, hot grits put YOU down THEIR pants.
I wonder if the 'browser of hackers' Mozilla has this problem?
After just reading the alex de toker think tank stuff saying open source is the terrorists playground.
What perfect timing for M$
I really am supprised that 'Joe 6-pack' isnt willing to at least try Linux.
To bad he/she cant get a Dell that dual boots right out of the box
* Carthago Delenda Est *
Yeah, I tried this wonderful fix (IE 5.5 SP2). As soon as I ok'd the final ok IE locked up and had to be killed. Then I had to go back and do it all again ( once for lan, once for dial-up ), endure the lockup, and kill IE. Now I'm going to the test page to see if it actually worked...
Uh, not due, but overdue.
That IE was open source, because this must of been the only way that such a hole could have been found ... right?
This could bring the entire Internet community to a halt!
Next thing you know, they'll discover people using IE for archie searches will allow users to hack your windows box too.
---
The Internet is generally stupid
Is gopher used anymore? I thought the web supplanted it.
"Do I dare disturb the universe?"
I just sent this email to my manager and cc'd his manager and the rest of my team. I guess I might have jeopardised my career here, but something snapped... it's the last straw. I'm not prepared to keep quiet about STUPID and DANGEROUS POLICIES forced on us by clueless PHBs.
begin rant; this is copied verbatim from Outlook.
This week's REMOTE ROOT IE hole:
http://biz.yahoo.com/ap/020604/microsoft_security
http://slashdot.org/article.pl?sid=02/06/05/14824
All *known* unpatched security holes in IE (current total: 17, yes SEVENTEEN)
http://jscript.dk/unpatched/
Internet Explorer is a chronicly insecure mass of security bugs or networks. Why are we still allowing it even to be installed on production machines? When are we going to eradicate this pestilential crock (that surely has no place in a production environment) from mission-critical systems?
Or do we just not care about security? It seems to me that it must be one or the other.
(signed: me)
I really liked gopher... I was the gophermaster at echonyc.com and wfmu.org. Sorry, both servers are down.
Gopher made you explicitly name every thing you served so it was hard to maintain, but on the other hand, very secure. It had a crude cgi-like capability that I used to make some funny tricks like a FIGlet server and various calendar programs.
when I set it up, I made little gopher sites for a lot of institutions that I liked , like Film Forum, Experimental Intermedia, Harvestworks, and of course WFMU. I also made up gopher sites for ECHO's forums, the largest being the Whitney museums' site and High Times magazine, which had gopherized versions of their articles! gopher had a full text indexing feature that I used a lot. gopher was a swell protocol. Its demise was mostly due to the lack of form layouts - which was the case of the original www browsers too (I had the NeXT version, but the only place to surf was cern!) Once netscape put in Forms, that was the beginning of the end. The next part of the end was TABLE and FRAME. It was all downhill from there.
XML is a little closer to the idea of serving only information and not crapola, and I hope it catches on for this purpose.
-- Real Stupidity is the Artificial Intelligence of the 21st century
Actually four. But that's not really the point.. Probably none of the existing 'legitimate' gopher sites are 'hostile', so it doesn't matter if it's 4 or 400000000. It's not that hard to publish a _new_ gopher link to a hostile site.
--
Stay tuned for some shock and awe coming right up after this messages!
Everyone keeps saying "but there are like three gopher servers left out there". This is not the point. Any buffer overflow in the IE client code which is exploitable is a huge problem. It doesn't matter that there are damned few servers left that use the exploitable protocol. A malacious server need not even be a fully functioning gopher server, it just needs to listen for requests on the right port and respond appropriately. A worm'ed IIS server could fit the bill quite nicely.
A smart worm could:
1. Infect an IIS server via some unfixed hole, or backdoor left by another worm.
2. Open up a dummy gopher port which responds to all requests with the exploit.
3. Replace links on the web site the IIS server serves with links to the gopher server exploit.
4. The worm installs itself on all client machines that click the gopher links and begins scanning for vunerable servers.
5. Goto 1.
None of this has anything to do with the number gopher servers left on the Internet.
-josh
I wonder when this story hit Yahoo's page .. maybe about 12:00:01 AM Pacific time?
t y_ flaw_1.html
http://biz.yahoo.com/ap/020604/microsoft_securi
Geeeez!
It doesn't matter how many gopher servers there are!!!!! Someone can set up a web page that links to code that takes over a user's computer.
What's worse? Saying "Don't use IE!" as a blatant attempt at karma whoring, or that some idiot moderators modded that up.
Logic check: "Don't use the browser that most websites are designed for!"
Do you really think I'd be using IE right now if Opera was cutting it?
"Derp de derp."
Actually it's "mathematics".
Strange, it seems you are actually almost 50 times larger than our smallest state, Rhode Island (130,000 km^2 compared to 2700 km^2). England is much closer to the size of Florida, one of our larger states. And I do believe California alone has a larger economy than England (California would be 4th I think). And by the way, California is just over half the size of England (70,000 km^2). Do you see how this is going nowhere? The United States isn't anywhere close to the largest country in terms of land mass or population.
This is horrible, yet you can live with the idea that football fans are trampled or otherwise killed at your football matches? I mean, "we'd like to help you but who's going to pay for it" is a rough thing that should be solved, but "England is way better than Italy at football, let's get violent!" is kind of ridiculous. This doesn't happen in American sporting events.
That makes it all the more sad that the US dominates you along with the rest of the world in computing. You had a head start, and still couldn't do anything with it.
England has been a country in decline ever since the World Wars. This is common knowledge. They used to be a world power, now they are the righthand man of the US.
Frphevgl guebhtu bofphevgl vf abg frphevgl.
Guvf arjf pbzrf va gur sbez bs pbzrql pbafvqrevat gur bgure arjf gbqnl nobhg gur guvaxgnax ercbeg gung BcraFbhepr vf yrnivat bhe pbhagel bcra gb greebevfg nggnpxf.
Bs pbhefr, guvf vf n glcvpny negvpyr sbe Fynfuqbg, naq jr fubhyq nyy or hfrq gb vg ol abj. Pbafvqrevat gur fbhepr bs nyy guvf synjrq fbsgjner, naq gurve nyyrtrq pbzzvgzrag gb frphevgl; negvpyrf yvxr guvf jvyy arire prnfr gb or shaal.
Avpr gel Zvpebfbsg... tbbq jnl gb cebir gung lbhe orfg whfg vfa'g tbbq rabhtu..
Fpber : Zvpebfbsg 0 Bcra Fbhepr 23.8k10^8
Bu, OGJ, Bcra Fbhepr vf pbzzhavfz, erzrzore? V thrff gur Havgrq Fgngrf FUBHYQ or jbeevrq.
. echo -e \\04 >
But it started off a pretty good thread, eh?
sPh
You can download it here.
if Microsoft's programmers spent more of their time on writing clean code and less time on coding Easter Eggs in Office Applications, Internet Explorer and Windows.
utter rubbish
I agree that moderating this crap up is even worse than posting it.
3.243F6A8885A308D313
This exploit was reported to Microsoft on May 20, according to Yahoo!
"Oy Online Solutions Ltd. of Finland said it notified Microsoft Corp. of the security hole on May 20 but the software giant has yet to produce a software patch to fix the problem, the Toronto Star reported Tuesday."
If Microsoft cared, this would be fixed or annonced to the public in a timely fashion. Instead, there have been days of silence.
They also dropped this little gem, "Responsible security researchers work with the vendor of a suspected vulnerability issue to ensure that countermeasures are developed before the issue is made public and customers are needlessly put at risk."
Fashionable to bash Microsoft? Sure. Justified this time? Absolutely.
Set your gopher proxy to something bogus.
The bogus-proxy setting workaround seems good for individuals, but we've got a bunch of computers that we'd have to hit. I thought of blocking the "gopher port", but that wouldn't do any good, since any malicious link would likely specify some benign seeming port (like port 80 for example - can't think of anyone who'd want to block that port.
I found it humorous that in the "Special Offers" Box there was a ad/link that read: "Access Your PC from Anywhere - Free Download"
The problem is that with only 32-bit addressing it's impossible to programatically store all of the bugs in Microsoft's software.
The global economy is a great thing until you feel it locally.
I don't use Internet Explorer (Exploiter?), it seems that there's always a serious hole in IE that can compromise your entire system -- like this latest 'issue'.
They don't care.
Yeah, they made some PR stunts concerning security, but until stuff like this starts affecting their bottom line, they won't care.
There are just too many morons out there buying their stuff, so the situation won't change anytime soon.
And don't give me that crap about being forced into using it. Noone is going to hold a gun against your head and say: use explorer or die.
If your employer makes you use stuff you hate, then you're just a lame pushover and you deserve what you get.
This gets me thinking...
A few days ago I was "surfing the Internet" (if you want to call it that) with my crappy SprintPCS 4-line PCS phone, and I got to thinking that a raw, text-only, yet linked hypertext environment is precisely the type of thing that these types of ultra-thin clients need.
Has anyone explored the possiblity of using gopher as the standard for text-only wireless access to documents instead of some hacked version of HTML (WML)?
Hire a Linux system administrator, systems engineer,
I know this is a moot point since the exploit is for windows IE (i believe), but I found it kind of weird that the gopher protocol for Mac OS X IE is handled by OmniWeb as a 'helper app', another browser entirely. Weird stuff. Perhaps Microsoft's lack of effort in the Mac IE has been a saving grace in cases like this. Just a thought.
Yes, but those Moz people have plenty of money. You can't expect poor old Microsoft to keep up.
When will Slashdot's editors stop using the term "root" for NT machines? Sheesh.
Not All Who Wander Are Lost
It wasn't intended to indicate a misspelling, but to indicate sarcasm in that "steam locomotive" and "accelerate" don't really belong together... kind of like "military intelligence"
Duh.
There is no Microsoft patch!!!!!
Click here to download it.
my other penis is a vagina
Close one window, two more pop up!
Since when does Windows use Root for its superuser account???
Stop mixing windows and linux lingo!
Mod it up...
In related news, Mozilla 1.0 is finally out! celebrate!
at http://www.mozilla.org
Mozilla 1.0 has officially been released;
Source code is of course available,
as are binaries for many platforms.
It seems to me like a good time to use IE
less and less.
Do you even need to redirect? What happens if you do img src="gopher://site.running.exploit.server"?
better go use that over bloated piece of AOL crap called mozilla instead then huh
How incredibly lame. UGH.
I totally agree, but Microsoft is not the only example of this disservice out there. Speaking to a larger point: This is the level of service you can expect from all monopolies. Proprietary software is a monopoly and software monopolies don't care about your software the way competitors do. Without competition they have little compelling them to want to stay secure (or stay compatible, or whatever the issue at hand is). Microsoft is one of thousands of software proprietors that ship non-free software preventing you from sharing and modifying your software (or have someone modify it for you).
Digital Citizen
Wow, so you completely missed the point that they prematurely went from rc2->rc3 just to patch that bug. Within days.
A couple questions:
IE technically uses Spyglass code, Spyglass being the company the half of the Mosiac folks who weren't in Netscape founded to do browser parts instead of whole browser. Does Andreeson get a cut of this? I'm a U of I alum, and I know students don't automatically get a cut of anything they did as undergrad research, so unless he made a deal with U of I, Andreeson doesn't get cash.
And if he does get money, how much is this? I know there are a lot of companies that use IE parts: (Yahoo! messenger, AOL, even Morpheus KaZaa/FastTrack client) but how much money is this? I heard Spyglass got f**ked when they signed the code sharing agreement, Microsoft agreed to give them a cut of browser sales (not part sales), which was of course $0.
if'n yer english read about it here
0 4? lang=en
http://www.solutions.fi/index.cgi/news_2002_06_
after I posted this! Was 50, now it's 49! Yet another victim of slashdot fuzzy math!
You're using her as bait, Master!
Damn gopher holes, routing around my backdoor. Guess I'll have to close up my ground floor Windows to stop them from coming in and gnawing at the foundation.
--- I used to moderate, then I read the -1 articles and decided having to filter through them was not worth it.
Duh.
I do believe you have hit upon the answer here.
If software companies were held liable for damage done by their defective software, they would be encouraged to either fix problems in that software immediately or issue a product recall. Imagine the repercussions of a monthly recall of Internet Explorer or XP... and $50 million lawsuits over default installations that leave outlook subceptible to viruses.
... and there is no doubt, that one day he will be
where the eye of his telescope has already been
Any reason we couldn't deal with this in such a simple manner as blocking port 70 at the router?
Obviously it doesn't solve it for everyone, and does nothing about the hole itself, but blocking 70 should solve the issue for all clients inside the router. Right?
$5 / month hosted VPS on linux = awesome!
Hey, maybe we could use this to our advantage, like Click here to upgrade to Linux!!
that trojan program that gets installed when you send someone a whack-a-mole game. It's functional, and yet, you know... If I got a corporation big enough to support my whack-a-mole game, would it be no longer classified as a trojan?
Refusing to confirm the security flaw, the Microsoft spokesman said the company "feel(s) strongly that speculating on the issue while the investigation is in progress would be irresponsible and counterproductive to our goal of protecting our customers' information."
Refusing to confirm the security flaw, the Microsoft spokesman said the company "feel(s) strongly that speculating on the issue while the investigation is in progress would be irresponsible and counterproductive to our goal of protecting our company's reputation."
He deserves it.
Here on MacOS X, it looks to me like the Internet Explorer process runs as the logged in user, not root. Still, this security hole is bad, but on OS X it is not as bad as the Slashdot headline would imply.
e n ts/MacOS:
To see this, once IE is running, in a shell window use "ps ux" and then see that the executable itself does not run setuid root:
On a system running OS X 10.1.3:
/Applications/Internet_Explorer.app/Cont
-rwxrwxr-x 1 root admin 3631813 Oct 5 2001 Internet Explorer
Poppycock! 640K should be enough for every bug!
My windows knows not this "root" of which you speak
MS can't even try to do something right without slashdot bitching about it.
Yeah, Slashdot treating Microsoft unfairly in their news stories is the reason my Microsoft "Critical Updates Notifier" has popped up on my screen at LEAST once a week for the past 2 months...
MS is getting the bashing they have deserved for a long time. There just wasn't any way to publicly display their faults to so many people so easily before the internet (and Slashdot) came along. If you make a product that 90% of all people who use that type of product are using, and your product has countless major security holes, which you don't fix in a timely manner, you deserve to get a verbal ass beating from the public.
Let's say you made security alarms for cars and houses. And the vast majority of all houses and cars used your company's alarms. And then imagine that people were constantly finding stupid little flaws in your product, like: blowing a dog whistle within 100 yards of the car will automatically disable the alarm, unlock the doors, start the car, and make the headlights flash so you can tell from a distance that the car has been "owned"...
Some MS bugs aren't even so obscure. Some are exploitable just by using the interfaces as designed, only with some oddly formed input that wasn't tested for. In our alarm example, it would be like being able to go to any house alarm, and hitting the "9" key about a dozen times and it will automatically shut itself off, regardless of what the "security code" was set to. And your company immediately issues "fixes" which consist of instructions telling people to take a screwdriver and pop the "9" key off of their keypad... For what reason should people do anything other than harass the hell out of your company publicly and argue the faults of having such a monopoly in charge??
Sometimes the best solution to morale problems is just to fire all the unhappy people.
Considering that the browser components are supposedly scattered through many DLLs, any patches from M$ could easily include updates for Digital Rights Management lockdown, spyware to tell tales, etc, as well as the 'next big hole' that someone will 'discover' whenever MS feels the need to send out more tracking/spying/crippling patches.
Heck, they don't even need to include such stuff, just track who downloads the latest patch and correlate with previous data to build a picture of what's out there.
For example, say ten million distinct folks download the latest patch for Win98. If M$ *know* they've only sold eight million copies of Win98, they know there are 2 million BSA targets out there...
Maybe I'm thinking of something else, but I remember this site just being a page that had some gifs and a sound file.
Now there's actually an international company behind it?
"© copyright 1997-2002 Abatis International, LLC. HAMPSTERDANCE is a registered trademark of Abatis International, LLC. No use of this page or any of these characters is allowed under any condition without the written consent of Abatis International, LLC
Please read our privacy statement."
MS added some extra switches to their c++ compiler which was supposed to weed out certain buffer overflows but there were apparently some problems with it. You can read about it here on securityfocus.
Keep in mind that companies like Symantec would LOVE to exploit this and include the following bullet-point on their next Win32 utility: "STOPS GOPHER PROTOCOL HACKERS!"
.10 solution, $100 SOUNDBYTE!
Their solution: Turn off browsers gopher protocol.
Crapdot
News from birds. Stuff that splatters.
... would be one that is spread through html email, and installs a rudimentary gopher server on every computer it infects an then sends an email to everyone on the address book with a link to itself (new gopher server)... Otherwise if you have a single or (many) static server it will be shut down quickly.
Im not here now... Im out KILLING pepperoni
I personally have been on a gopher site in a couple of years, and then it was to show someone what the internet used to look like.
DETAILS
When the overflow is triggered, a fixed sized buffer in stack gets overwritten with data from the gopher server
You have got to be terminally thick in the head to write code that does that. I always hear these stories about the IQ-testing Microsoft entrance exams... did they outsource IE production to some schoolboys or something?
..if they started calling them fucking script kiddies, hackers have skill, script kiddies don't, get it right!
MS should be bashed...it's like the diner that tries to sell rancid water and stale bread for $100(us). They use whatever means necessary to beat down their competition, so almost all of the other diners (or food producers) have gone out of business or are struggling. You can get better food from homeless shelters for free.
Probably 80-90% of all open source programs are made by one or more of: script kiddies, teenagers playing around, hobbists, power users, people that bought "Learn to Program C in 21 Days" who now think they are "experts", and the people can't program so they start a project on SourceForge with a basic description and hope someone bites. None of these people should be expected to create a decent, bug-free program. For you to even think MS needs to be compared with them shows how backwards your position is.
Anyone and their cat can start an open source project in their garage. It doesn't mean anyone will use these programs, and it is absurd to compare those projects with a funded company that has paid professional programmers. However, from what I've seen, Microsoft would barely scratch by with even this test. If compared with the commonly used (and made by real programmers) Open Source projects, Microsoft wouldn't even have a chance.
I've used it before. Not to dis the guy who made it (BitchX isn't too bad an effort), but it does seem a bit script kiddie-like. In fact only a script kiddie would choose such a name. ;-) In fact read their page: "BitchX was started by Trench and HappyCrappy as a script for the ircII client."
Why don't you compare BitchX with Microsoft's IRC client--assuming they still have one. All I remember about it was almost no features and stupid cartoons. BitchX has lots of features. Not that I'm saying they should be compared, BitchX is made by script kiddies after all--in fact they seem to want to be known as script kiddies--just look at their page!
What kind of dumbfuck would use sendmail or bind on their servers??? There are plenty of alternatives to those programs...
There is no equal or objective comparison between the two because MS doesn't care about security or bugs! Whatever Linus would call a "Brown Paper Bag Bug", Bill calls a "feature". ...and I don't think most slashdot readers define Linux as a "yardstick of security". That would be something more like OpenBSD, who kick the hell out of Microsoft in terms of paranoia and therefore security. Numbers from bug reports aren't a good comparison between them either--the OpenBSD people seem to raise hell when they find the tiniest potential exploit, while Microsoft won't even acknowledge the most horrid of bugs/exploits and will only release a patch if they are embarrassed into it.
How about this for the *really serious* problem...
;) lies with M$ bundling unnecessary, unsecure software with server and desktop OS releases - it means admins have to scramble to keep up with updates to software that they never wanted in the first place.
Internet Explorer, Outlook Express, and Windows Media Player are on virtually every M$ machine in a given network - they can't be removed. According to you... when a problem like this comes along, "Admins who are on the ball" need to go around to every desktop and server on their network, apply the patch, and (unless it's the odd 1 out of 1,000) reboot the machine.
The fact of the matter is that most "administrators who are on the ball" wouldn't install Outlook Express and Windows Media Player in the first place if they were given a choice. Furthermore, I might argue that some would prefer to deploy a more secure browser for desktop users, or uninstall IE completely from their servers. Honestly, why does a server need a browser anyway?
The real problem (or at least one of them
This means that M$ will go ahead with another quick fix. My guess is that internet explorer will refuse to follow gopher links because it is either "a hacker tool", a "vestigal of UNIX", or a "deprecated thingumy that we can't figure out".
It is pathetically easy to root a windos system. And I'll bet money that a virus will take advantage of this. Fake e-cards anyone?
You can't judge a book by the way it wears its hair.
Am I supurized, not at all.
Microsoft Internet Explorer: 17 unpatched vulnerabilities.
Netscape/Mozilla: 1 patched vulnerability.
Opera: 1 unpatched vulnerability.
See http://sec.greymagic.com/adv/
Bill Gates Has No Penis.
You don't even know that grep stands for:
General Regular Expression
Do you?
Find doesn't even come close to the functionality of grep. It doesn't support any form of regular expression matching. No, I won't define that term because getting it broken down to your level would require entire volumes of computer books, starting at "Pointing and Clicking on MS-DOS prompt for Idiots".
And your one liner won't even execute. Find.exe doesn't support any kind of user input, and that's what pipes are for. Did you ask your next door neighbour for help on the problem? Even a goddamned high-school drop out should have taken Comp. Sci. in grade school and would know how to use the pipe function.
I can't believe you can't even open a fucking MS-DOS for Dummies book and educate yourself. Are you fucking blind, or just too fucking stupid to read an entire book without help?
You are full shit. Go back to AOL, troll.
Posted by me, shepd, as an AC because I'm not gonna lose any karma to you, dickwad.
Now go fuck yourself, assuming you have the intelligence to required to do at least that much.
But, whatever you do, don't fuck anyone else. We don't need morons like you copulating. I don't suppose you'd be up for a vasectomy, for the good of humanity, would you?
I personally am a big fan of Lisp, especially Franz's Allegro Common Lisp. The Lisp kernel automatically does handy things like protect against buffer overflows, and allows for debugging and modifying a running program - all of which is optional if you want to get sheer speed out of it.
Pretty handy, shame that so many people think Lisp is too old, ACL is quite modern and highly optimized - Lisp has undergone a lot of maturation over the last 50 years. Take a look at the list of links in my journal and see some of the things people are using Lisp for nowadays (AMD, Sony, Nasa, even Microsoft).
Let's fight this disgusting business the best way Slashdot can! Click here to Slashdot Mediaforce!
If Windows is installed I'd consider the computer to be rooted anyway. For the Americans have a look in the Macquarie dictionary for root and rooted.
Now you will probably say "Well they aren't expected to make bug-free programs," and I will tell you that you do not give a damn about bug-free programs and you simply want to bash Microsoft. If you cared about it then you would have well payed professionals who _designed_ the software. Instead you are using software designed by hobbyists in their spare time which at any given moment could theoretically crash and burn and destroy your entire computer. You won't believe this is possible simply because you are so sold on the Linux hackers reputations of good, honest, giving people.
To gripe about bug-free programs and to be using software that was not designed, but hacked together is pure hypocrisy. Actually it is a horrible effort. It is an extremely hacked-up ircII (the original IRC client). Because of the layers upon layers of hacks almost nothing works consitently. There are antiquated features still present with new features simply thrown ontop. But this is my point. Microsoft is not simply one individual, nor are they one group. They have many different groups working independently. I'm sure they have varying degrees of skill level too. Many, many people would (and still do). This is FUD. MS released info on the Code Red worm way before Slashdot (and many others) got word. If I remember correctly, it was _months_ before Slashdot posted about it. There was no pressure to say anything about it.
Dijkstra Considered Dead
"Anyone and their cat can start an open source project in their garage"
Whoah! Maybe this would be a good idea for a new claymation by Nick Park (of Wallace and Grommit fame).
graspee
There should have been a fp here.
/me had the same experience...
/* FUCK - The F-word is here so that you can grep for it */
You know, in Aussie slang, "to root" == "to fuck".
Windows doesn't have "root", it has an "Administrator" account. They are substantially different (I think Microsoft's security scheme is considerably worse and more difficult to secure).
- Suddenly every geek in the world seeks out a Gopher site. All the protocol analyzers out there register a huge spike in a dormant protocol. Most think it is a bug.
- Some "artsy" or "retro" computer person decides to create a series of Gopher sites simply because it is "creative" to do so. I guess this is kind of like people who release software for obsolete computers or people who play vinyl records just to impress people with how cool they are.
Note: Just to avoid any flames, I am NOT bashing vinyl; I happen to be an avid vinyl collector for personal reasons (cover art, sound, etc)..Never hit your grandmother with a shovel, for it leaves a bad impression on her mind...
I had a lengthy discussion on IRC last night on Alternet #gopherfix on how to come up with a better solution to have this fixed in a fashion where it could be SMS scriptable.
m mand="
We finally came to the conclusion that you could go in the registry for this setting:
"HKEY_CLASSES_ROOT\gopher\shell\open\co
And leave the value blank. This will prevent gopher from running commands.
Easy, They'd better use g_list instead arrays in those MicroProducts.