Slashback: Gopherectomy, Portacinema, Disunity
Throwing the gopher out with the bathwater. An Anonymous Coward writes: "As reported on News.com and discussed on Slashdot, MSIE's gopher support had a serious security vulnerability that allowed your machine to get ROOT'ed.
Well, it seems that Microsoft is unwilling or unable to make the fix, so it is removing support for the gopher protocol from IE. Not that MSIE's gopher support isn't very poorly implemented anyways."
Kept out of the U.S. by the secret conspiracy, no doubt. Buggalo writes "When I saw the article about the Pogo Flipster I thought I'd mention this too. Of course, it's not available in the US (not yet at least), but it sounds cool anyway. It plays MP4 video as well as MP3 audio. One thing that differentiates it from the Flipster is that this one includes video inputs so you don't even need a computer to get anything onto it. It also seems to have a larger screen. From what I can tell it has 64 megs of flash memory built in, and has an SD memory card slot as well. Sorry the website is in Japanese, but you can use Babelfish to translate it."
Not betting on a United front. dgb2n writes "Smart Money Magazine published an excellent article covering the business implications of the United Linux consortium. It provides some good insight into Red Hat's business model, stock price, and future prospects and names a potential winner in the Linux market."
At least this one aspect is happy. Hellkitten writes "The password for the database has been found, it was as simple as 'ladepujd', the name of the database's creator spelt backwards. This previous Slashdot article explains the problem they had.
Aasentunet posted this notice, telling the password and thanking everyone that helped.
ZDNet has the story here as well."
It isn't very poorly implemented?
--Giving to trolls for the benefit of us all
...So that's what my forgotten Slashdot account password was...
Now if only my employer would agree to let me fix all the security holes in W2K by UNINSTALLING. I can dream, can't I?
Next thing you know, they'll drop support for 75 baud cradle modems. Damn Microsoft! Damn them all to hell!!!!
It's nice to see how quickly the password was hacked into. Now maybe people will realize how encryption and password protection are simply a smokescreen for system infiltration by hackers.
Did the data need to be encrypted? Nope.
I have been pwned because my
If I were the manager of IE, I'd just rip out support for gopher too. Why support this protocol which nobody uses (in IE) but has at least one major known security breach? The testing and validation of the bug fix's security, as well as the rest of the code, would cost way more than it's worth.
The password for the database has been found, it was as simple as 'ladepujd', the name of the database's creator spelt backwards
That's not a very smart choice of password, using your name.
at least it wasn't 'god' or 'sex'
GoatPigSheep, the 3 most important food groups
Since everyone knows the most common passwords are god and love, does this breakthrough mean that 'ladepujd' will become one of the next most common ones as well?
brandon berg,
chicks dig *nix
I was born on RedHat.
Raised on Mandrake.
But Debian made me the man I am today.
chicks dig *nix Bell Labs Unix -- Reach out and grep someone 1 4m d4 1337
are you sure that's the name spelled backwards? spelling it 'djupedal' looks more backwards to me
"Teachers leave us kids alone
Why should IE continue to support Gopher? It is a protocol that is rarely used. It is outdated, and there is no need for it in IE. It's what is commonly referred to as program bloat. It's not needed and should be removed. For the .001% of IE users who do use Gopher, they can use a separate Gopher utility, which will probably support it better than an all-in-one option like IE. Isn't program bloat one of the things everyone has against MS? Shouldn't this decision be applauded?
"Information wants to be expensive" - Stewart Brand, the same guy who said "Information wants to be free"
is a good thing. Homogeny can do nothing but help.
According to a report and interview on NPR All Things Considered this afternoon, it only took about an hour to discover the password. The hard part was finding a copy of the old DOS-based database software that was capable of opening the database.
The institute now keeps copies of all its passwords locked in a safe. Of course, if all its passwords are as bad as the lost password, then what's the point?
--Jim
The solar eclipse has begun. Don't look at it.
Don't moderate flamebait as Troll. Know the difference or you will be Meta-moderated.
How many /. readers use their name spelt backwards as passwords ;)
...But we should all take it as a lesson. Use strong pass phrases!
Bill Gates wearing full Viking armor and singing "Kill the GO-PHER, Kill the GO-PHER, Kill the GO-PHER!!!" to the tune of "Ride of the Valkyries." ;-)
"djupedal" has proved inspirational. I've been looking for a new Slashdot ID....
It's not clear whether backward last name was the actual password. Both the thank you notice and the news article say that was a password submitted by users.
IE implementation of Gopher can get you rooted (bloody typical), call comes down from above to yank support. Makes sense, in an MS sort of way.
Wait a minute...didn't they just tell us that Windows ISN'T modular?
Bastards!
So Microsoft is stepping up the removal of old code from Windows?
Hrm, so this means that Internet Explorer will be gone from the OS completely in a few months? Cool!
Want Slashdot headlines on your site? Try SlashHead
You're an anime fan and a troll- take him away!
What Microsoft should add is a protocol manager that shows all the protocols your system can access, whether it be through Microsoft or other 3rd party vendors like Real's prn protocol
This is yet another reason Microsoft should open the source for IE.
lol, Microsoft better not just remove every feature that has a security hole in.. or lots of people will have to go back to DOS in a couple weeks.
Removing gopher will affect a very very small number of people, and probably no 3rd party software vendors.
Removing HTML rendering AND HTTP support (which is what removing IE equals) would screw many many users and thousands of 3rd party software vendors who rely on this support from the OS, and in fact render the system unusable as too many components rely on this support, 3rd party and otherwise.
When MS says Windows is not modular, they are using a legal, not technical, argument. This is based on past cases where, for example, Ford was banned from building pick-up trucks with covers (ie snugtop) because it was an optional module.
Seriously, why? What difference would it make?
GNU/Linux is open source and it has plenty of security problems and exploits...
Fortunately for Microsoft, the Gopher implementation in IE was inextricably integrated with Windows. I guess only the HTTP part of IE can not be removed without breaking the whole operating system.
tato (and tato only)
This post is strictly opinion, including the spelling.
This reminds me of an old joke by George Carlin (or at least I think it was Carlin).
Newscaster:
A man got on to an eastbound bus and killed three people. He then took a transfer, got onto a westbound bus and killed two more people.
As a result, bus authorities say they will eliminate the transfer system.
Why don't people sit down, write down a 10 digit passwd consisting of numbers, letters and symbols, then write it out over and over again until they memorize it? Done, everyone has a good password.
Who can come up with the best anagram of "Slashdot Editor" ?
My best effort so far is: "Oddest oral shit".
Have fun!
Your friendly neighbourhood AC
...the password was selected as to be easy enough to discern in the event of death.... After all, these are not state secrets we are talking about, now are they. A password was obliged and enabled, that's the simple driver. Beyond that, not much was to be gained by making it cryptic.
Slashdotted Gopher server. Whatever next.
if ms and intel didn't continue to release software that continually pushed the hardware requirements they would both lose their largest source of revenue: new computer purchases!
it was as simple as 'ladepujd', the name of the database's creator spelt backwards
What an idiot. I, an 31337 hax0r, am much smarter. My password, "78sne4ml;w" is composed of random characters, which nobody would ever guess. Lam3r.
c-hack.com |
the japanese zaurus has a video adaptor so you can download movies to your zaurus. unfortunately, i don't think it's available for the us version (we have the ARM processor, they have the SH processor, i think) you can still view movies on your zaurus without a problem. smoother than the palm 505, i think
Supreme executive power derives from a mandate from the masses, not from some farcical aquatic ceremony.
If worse turns to worst, Red Hat could always become a bond fund for fixed-income retirees.
Funny, but then stacked up against the MS 40bn catastrophe fund, even as bond funds MS still rules. The analysis was sound, and, sadly, resonates with the big questions Red Hat has yet to answer. IBM's brilliant play of the Linux market was worthy of note. Bill Gates stole the OS market from IBM when MS dumped OS/2, maybe IBM is looking to steal that market back. Mmmmmm a real fight between the Big Dawgs would be a spectacle to behold.
"Academicians are more likely to share each other's toothbrush than each other's nomenclature."
Cohen
Good thing my name's not Bob.
--It's Pimptastic!--
"The problem is that you are dealing with 50 million lines of code and everything depends on everything else,"
I'm pretty sure that was established as bad form, oh, about 20 years before MS's birth.
They never cease to amaze me with their forward thinking 'innovation' though... Apparently spaghetti code must be 'the wave of the future'. I guess I must not be hip enough, my boss better hurry up and fire me!
I live in a giant bucket.
Next thing you know, they'll drop support for 75 baud cradle modems. Damn Microsoft! Damn them all to hell!!!!
The sarcasm and humor in the parent post aside, this is a very serious issue.
I think most of us know that Gopher is not used very much anymore, so MS supporters are definitely downplaying this hole. However, by not releasing a patch and instead just removing Gopher support, MS is leaving millions of people still open to vulnerabilities!
Not everyone who uses IE is going to upgrade to the next version of IE which will have no Gopher support. Not everyone runs WinXP, and can install the latest service pack that turns off Gopher support. People are going to keep their system the way it is, but because a patch is not available, they will be vulnerable to arbitrary code being executed at system-level just by clicking a link. And god forbid someone DOES actually want to use Gopher under IE, I guess they can't upgrade to the next version of IE. (Hey, they can always use Mozilla though!)
This could have a major spiral effect too; think of the Code Red worms. When worm writers realized that people were not patching their system, they released variants of the same worm, to do even more damage. If malicious people now hear that MS is not planning on patching this vulnerability, they might very well have a field day with it.
I guess all that talk from MS about their "trustworthy computing initiative" was exactly what we all thought; complete and utter hogwash. This type of behavior is simply unacceptable, but especially from a company that claims to be on a company-wide security audit.
Because I like Internet Explorer? Because it was a learning experience to develop a browser helper object? Because everybody keeps saying that Mozilla can do this and IE can't, while that's obviously not true? Because I wanted to? If I use Mozilla, then you're right, I don't need 3rd party software to kill extra windows. Instead, I just need 3rd party software to browse the web. All right, so I'm a lemming because I prefer IE, or because I don't know that mozilla is "better", or because I'm too stupid or lazy to download a 3rd party browser instead of using the built-in browser. Too bad, I don't care.
I remember using gopher back when search engines were just getting started. If you couldn't find it on the search engine, you could always try gopher.
I kinda miss it... sniff. Poor lil guy.
Codifex Maximus ~ In search of... a shorter sig.
about your sig: soooo true.
However, by not releasing a patch and instead just removing Gopher support, MS is leaving millions of people still open to vulnerabilities!
Not everyone who uses IE is going to upgrade to the next version of IE which will have no Gopher support.
Yeah, but those are the same people who wouldn't install the patch, so what difference does it make?
Actually, it's much more likely that people will install the new version of MSIE than that they will install a patch.
I agree that it's a cop-out, and probably indicative of MS' security future, despite all their lip-service to the contrary, but lets be honest here; people are stupid, so there will be millions left vulnerable no matter what MS does because those millions are too ignorant to protect themselves.
The only thing they could do that would actually make a difference is release the patch as a worm that would patch its own exploit after emailing itself to your whole address book.
Under capitalism man exploits man. Under communism it's the other way around.
Removing HTML rendering AND HTTP support (which is what removing IE equals) would screw many many users and thousands of 3rd party software vendors who rely on this support from the OS, in in fact render the system unusable as too many components rely on this support, 3rd party and otherwise
Nope, try again. M$ could care less about other software, as you can tell by their constantly changing print methods. The reason M$ claims that IE can't be removed is because they put it in EXACTLY the way they were forbidden to by the federal government: spaghetti coded into the OS itself through innumerable DLLs with multiple undocumented and unrelated interfaces. This kind of code mixing, like passing disk access through the GUI, is one of the reasons M$ is so unstable. IE is always on because it receives many unnecessary function calls. What you get when you try to remove IE is a box that won't boot. I doubt even Bill Gates knows what you get when you leave it in, besides poorer.
Friends don't help friends install M$ junk.
I don't know if the password happened to be the former administrator's name spelled backwards but it definitely was the reversed name of one of the folders in the backup set.
So I tried to read how gopher on IE was so poorly implemented with my preferred browser, Mozilla 1.0, and all I got was a blank page. Nothing but whitespace. I had to open up the only other browser on my box to read the page which is, as you may have guessed, IE.
Very frustrating. I will have to bring this up at the release party after I am totally sloshed.
So it took them what, maybe an hour to figure this out? But the plea has been circulating for several days...
It's been true since I can remember: the larger the audience from which you beg a clue, the sooner you'll find it yourself, and the dumber you'll look because of it!
How much ya wanna bet the folks who panicked wish they had just asked one or two buddies to help them out? :-D
Or they could spend a few of those billions making secure code in the first place.
Pleeeeeze - it can't be that hard scanning your code for unchecked buffers! So I don't think that fixing the thing even after the fact would be that insanely difficult...
Lastly how about software liability?
The only time that MS really fixes things (or anyone else for that matter) will be when it costs them. When they have to go before a jury, and explain how they didn't use any due diligence, and that that total system crash that took down the First Interstate Loan Center (Portland Oregon) in the early-mid 90's for hours and hours every week was their own fault. (As I recall it was an undocumented switch in the TCP stack that fixed the SNA session dying thing...) [I know, I had friends that worked there then - NT 3.1, 3.5? dunno]
When companies no longer can shield themselves from liability by claiming that software is _SO_ different than the rest of the known world, they'll actually do something - till then, just get ready to take it like a good consumer!
Cheers!
I saw this on the TechTV message boards, some pivix has created a program to patch it. I got it from http://www.pivx.com/gopher_smoker.html hahahah! they said 'we clean up microsoft's mess again!'
gopher (n.)
Any of various short-tailed, burrowing rodents of the family Geomyidae of North America, having fur-lined external cheek pouches. Also called pocket gopher.
Any of various ground squirrels of the genus Citellus of North American prairies.
Any of several burrowing tortoises of the genus Gopherus, especially G. polyphemus of the southeast United States.
I was wondering where all the HOLES were coming from!! No HUMAN can write code *THAT* crappy.
...spread viruses/virii/whatever.
In all seriousness though, I do like to see a reduction in duplication of effort. However, diversity is a fundamental construct of open source philosophy. So as with anything else, United Linux has its positive and negative aspects.
Remember: umount it before you fsck it.
Bill Gates in no way resembles a loud, fat, big breasted nordic messenger of doom.
It had to be Balmer.
Ergonomica Auctorita Illico!
Hi, I'm with the DOD.
I'm posting anonymously because I'm embarrassed.
We've lost the password to the secret satellite missile defense network.
If one of you could please hack it to recover the lost password, and email it to us, like you did for those Norwegians, we'd really appreciate it!
Thanks!
Oh yeah, the address: mailto:sdi@area51.gov
If you find the lost password, and that email address doesn't work for you (e.g. your DNS client doesn't have a compartmentalized security clearance that would let it even look up the domain name), then you can just post it to Slashdot, and we'll read it there.
Thanks again!
TIA!
They ought to just hire Bill Murray and be done with the problem. (Hey, it wouldn't be any worse than anything else they've done...)
20 January 2017: the End of an Error.
This vulnerability is so easy to exploit (javascript popup to a gopher) it's driven me and a couple of other people I know to use mozilla almost exclusively on win boxes. Unfortunately Mozilla doesn't render everything MSIE does (apparently checking your page in netscape hasn't been a priority for many web developers anymore).
Of those to whom much is given, much is required.
Is that what you have to do after a felching accident?
I don't really understand why MS should bother releasing a patch to this. That would be totally redundant since the Mozilla team has already made a very nice patch available to all. It's a bit of a download, but not much more so than the usual MS patches, and it's actually worth the download time. It fixes lots of other stuff too, e.g. the 'position:fixed' bug.
UPDATE: It appears that ladepujd was not the password to the actual database, but to the backup of the database, put there by the backup program.
The password to the actual database appears to be reidar (the creator's first name).
And before you all start bitching and moaning about bad password security: the database was an index of a collection of about 14000 documents and books and stuff, and would have no value unless you owned those documents. So basically there was no need for a password, and it probably was only there because the program asked for one. After all, the guy was not an admin (as a lot of posters seem to believe) but a researcher, and if the program wants a password you give it one. But not being completely clueless, he used an easy password, since there was no need for a strong one.
The problem arose because when Reidar Djupedal died, and his collection was donated to the museum, no one knew the password, and indexing 14000 books and documents takes a lot longer than cracking passwords.
The thing I hope to see in the future is that this story about the password and the ensuing problems, slashdotting and cracking actually is told at the museum, we as a collective entity could become a part of Norwegian history :)
- We are the slashdot. Resistance is futile. Prepare to be moderated -
OMG LOL Your to funi I laf at you're funi LOL PLZ tell more jokes!!1 LOLOLOL
Neither did Elmer Fudd.
(Presuming the parent was a reference to one of the best Bugs cartoons ever.)
The living have better things to do than to continue hating the dead.
And here is the scary part - MS sees this as being a fix to a security issue. I have no doubts that this will be spun to show that they ARE concerned about security*.
*provided the user upgrades to the latest release of IE. Of course, it would be even better if they had to upgrade the whole OS to XP. (picks up recorder) Note to self: email the boys in development and tell them to only remove the Gopher support in IE for XP. Use the usual excuse that it is the only technically feasible solution... Oh, and pick up a new kicking-puppy on the way home.
My beliefs do not require that you agree with them.
This reminds me of Spaceballs (slightly paraphrased)
.... 2! ..... 3! .... 4! .... 5!
1!
That's the combination? That's the kind of combination an asshole would use for his luggage!
I really hate signatures, but go to my website.
In other words, you have to figure that, as many clueless people are not patching their systems, our co-worker represents a large number of quite savvy people that are completely apathetic to wanting to be bothered. They don't have the interest to want to take the time; we can't reach these people using fear or logic. How, then, do we protect ourselves?
Still, there are people like myself that stick with IE5.5 because it's the standard for the applications they are working on. You can't install two versions of IE, so I can't just quickly use one and then use another for surfing.
Of course, I use mozilla for the majority of my surfing, but I'll check pages that don't work in IE (9 times out of 10 they don't work there either), and I could be gamed into seeing a page that doesn't work, switching over to IE, and then being sent by javascript (which detects my browser) to a gopher exploit.
-no broken link
No, you've got that wrong: it's MS-PITA, the Microsoft Protocol for Internet Telecommunications Access.
I'm old enough to remember when discussions on Slashdot were well informed.
Mod this ac up!
(MS dropping gopher reminds me of an old BASIC joke...)
Ready
LOAD "FOO"
Ready
RUN
?Syntax Error on line 45
Ready
45
RUN
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
valkyries aren't necessarily loud and fat. They were beautiful women. They became known as loud and fat as a result of the hefty opera singers who played the part of the valkyries in wagner's operas.
but that being said, i'd still say that bill gates does not resemble a beautiful woman by any stretch of the imagination. Ballmer doesn't either, but maybe you remember that he did demonstrate his musical talent by dancing. possibly not what wagner had in mind.
you probably shouldn't have read this.
No conspiracy, just the fluid nature of software. It always expands to fill the available container, which in this case is the tolerance of the user to the software being slow. New software puts pressure on this barrier as the developers get new hardware, and, at a certain pressure, the user gives in and buys a new!faster!better! computer. The developers will (unless they have other specific goals) create software that is at (or below) their tolerance limit on their machine, but now, knowing that the user has the faster machine, needs to buy an even more zippy box because, damnit, developers need the best, because a debug cycle must be slower than an end-user cycle, and it's the debug speed that the developer works to. Can you see the positive feedback loop coming?
The effect of the feedback is increasing because hardware manufacturers aren't going to release new! hardware unless it's faster!better!, but I'm not entirely sure why it's exponential other than that it's a positive feedback system with all real poles that hasn't saturated yet, and that's what they do.
Reality is the ultimate Rorschach.
As quoted from the M$ Gopher article:
Marc Maiffret, 21-year-old security prodigy and chief hacking officer for eEye Digital Security, doesn't fault old code for security problems. He said that programmers who don't review the code before using it are at fault. Old code may have more security holes in it, but those holes should be caught, he said.
Okay, so they're interviewing a 21-year old who thinks he knows more about Microsoft's code than Microsoft itself. Yes it's true, in a perfect world we would all have infinite time to review legacy code and peek into shared libraries, but the fact of the matter is that the fundamental reason we reuse code is to save time and effort. If we all spent our time rereading and retesting code whenever we glue it into something else, we'd be better off starting from scratch every time.
This kid is a fast-talking idiot, nothing more.
-Billco, Fnarg.com
Just as predicted, news media this week seems to be covering the MSIE gopher root exploit with a new focus on Microsoft and their real problems with security, not just the latest hole. One company even goes as far to say that they 'cleaned up Microsoft's mess, once again'. With 18+ un-patched vulnerabilities in line for a fresh MS-fix, this may be the straw that breaks the camel's back.