Slashdot Mirror


Slashback: Gopherectomy, Portacinema, Disunity

Slashback tonight with a quartet of updates. So, read on for more information on portable video viewing (and instant recording!), United Linux and one analyst's view of What it All Means, Microsoft's answer to a Gopher hole, and why easily guessed passwords sometimes save the day.

Throwing the gopher out with the bathwater. An Anonymous Coward writes: "As reported on News.com and discussed on Slashdot, MSIE's gopher support had a serious security vulnerability that allowed your machine to get ROOT'ed.

Well, it seems that Microsoft is unwilling or unable to make the fix, so it is removing support for the gopher protocol from IE. Not that MSIE's gopher support isn't very poorly implemented anyways."

Kept out of the U.S. by the secret conspiracy, no doubt. Buggalo writes "When I saw the article about the Pogo Flipster I thought I'd mention this too. Of course, it's not available in the US (not yet at least), but it sounds cool anyway. It plays MP4 video as well as MP3 audio. One thing that differentiates it from the Flipster is that this one includes video inputs so you don't even need a computer to get anything onto it. It also seems to have a larger screen. From what I can tell it has 64 megs of flash memory built in, and has an SD memory card slot as well. Sorry the website is in Japanese, but you can use Babelfish to translate it."

Not betting on a United front. dgb2n writes "Smart Money Magazine published an excellent article covering the business implications of the United Linux consortium. It provides some good insight into Red Hat's business model, stock price, and future prospects and names a potential winner in the Linux market."

At least this one aspect is happy. Hellkitten writes "The password for the database has been found, it was as simple as 'ladepujd', the name of the database's creator spelt backwards. This previous Slashdot article explains the problem they had.

Aasentunet posted this notice, telling the password and thanking everyone that helped"

ZDNet has the story here as well.

29 of 204 comments

  1. The confusion by King+of+the+World · · Score: 4, Funny
    Not that MSIE's gopher support isn't very poorly implemented anyways.
    Er, wot?
    1. Re:The confusion by Lemmy+Caution · · Score: 3, Insightful

      A logician wouldn't see the negative. A linguist or a cognitive scientist would.

  2. M$FT never ceases to underwhelm me by jazzbotley · · Score: 3, Funny

    Now if only my employer would agree to let me fix all the security holes in W2K by UNINSTALLING. I can dream, can't I?

  3. No more gopher? What a cop out by Anonymous Coward · · Score: 3, Funny

    Next thing you know, they'll drop support for 75 baud cradle modems. Damn Microsoft! Damn them all to hell!!!!

  4. Gopher probably is poorly implemented.. by rufusdufus · · Score: 4, Insightful

    If I were the manager of IE, I'd just rip out support for gopher too. Why support this protocol which nobody uses (in IE) but has at least one major known security breach? The testing and validation of the bug fix's security, as well as the rest of the code, would cost way more than it's worth.

    1. Re:Gopher probably is poorly implemented.. by Osty · · Score: 4, Funny

      (complete reposting, for the parent is an AC)

      Supporting many obscure protocols is one of the best ways to justify bloat. Since Microsoft has arrangements with Intel (basically their software requirements must follow Moore's Law), I predict that the gopher code will return, or more simply that it will be turned off but remain in IE.


      Right, so there's a big conspiracy for Microsoft to create bloated software to force hardware upgrades. Right. And that's why IE 5.x was slimmed down and much faster than the old IE4? Hrm, looks like that right there breaks your argument. But go ahead and continue believing in the conspiracy theory, because it's apparently a lot more interesting than believing that Microsoft will add and remove features based on real criteria, like customer demand and usefulness.

    2. Re:Gopher probably is poorly implemented.. by SirSlud · · Score: 4, Interesting
      And that's why IE 5.x was slimmed down and much faster than the old IE4


      See, if you really think customer demand and usefulness doth an MS product make, you're just as bad as our conspiracy theorist. Of course it enters the equation. But if you think it's the only factor, keep dreaming.

      Customers don't know what to demand. Go ask your mother what the next feature of Windows should be. Most people don't know. I don't believe that MS and Intel have an agreement to push hardware requirements, however, the possibility that execs and project managers 'suggest' things to each other (hey, keep that feature in there, what's the damage, or hey, we're thinking of doing this and that, what do you think) doesn't require a conspiracy to influence the design decisions. And if you think glib, ignorant purely business strategy speak doesn't influence decisions suggests that you're no less naive than the conspiracy theorist.
      --
      "Old man yells at systemd"
    3. Re:Gopher probably is poorly implemented.. by SirSlud · · Score: 4, Insightful

      Two things:

      1. No, I do not believe this gopher issue had anything to do with any partnership. More likely, it was the 'well, the code was written by some temp who was here 10 years ago' (or better yet, to be topical, the code was borrowed by someone we've lost track of, but thank god they licensed under BSD or we'd have had to write our own ;) I don't think the conspiracy guy had much water in this case.

      2. Of course, Apple's hardware and software divisions are 'in cahoots' (if I were a stockholder, I'd hope so, they work at the same freakin company) .. they might not be 'in cahoots' to add this feature, drop that feature for driving each other's sales. But it doesn't take a market analyst to understand that hardware people /rely/ on software people to push the latest and greatest to push hardware. It might not be a conspiracy, but the hardware camp leaning on the software camp to drive demand for various types of hardware, and vice versa is called 'business strategy'. Hell, it's in the press releases. That's the truly funny part about both conspiracy theorists and their naysayers who deny all intentions of said conspiracy. While the methods of using leverage across hard/soft-ware markets might not be as in the dark or 'cool' as the tinhats might like it to be, it still stands that tactics like this are used. It's kind of funny - it seems people are often more complacent of 'intent to conspire', so long as it's done in plain view. I still don't think it excuses cases where that leverage is taking precedence over solid engineering design.

      Another poster made the wise observation that given how much of MS's revenue comes from new computer software royalties, they do have a massive vested interest in keeping the hardware upgrade cycle very short in order to keep the market fueling the demand for new computers, and thus provide a steady, reliable revenue stream.

      --
      "Old man yells at systemd"
    4. Re:Gopher probably is poorly implemented.. by Osty · · Score: 3

      2. Of course, Apple's hardware and software divisions are 'in cahoots' (if I were a stockholder, I'd hope so, they work at the same freakin company) .. they might not be 'in cahoots' to add this feature, drop that feature for driving each other's sales. But it doesn't take a market analyst to understand that hardware people /rely/ on software people to push the latest and greatest to push hardware. It might not be a conspiracy, but the hardware camp leaning on the software camp to drive demand for various types of hardware, and vice versa is called 'business strategy'. Hell, it's in the press releases. That's the truly funny part about both conspiracy theorists and their naysayers who deny all intentions of said conspiracy. While the methods of using leverage across hard/soft-ware markets might not be as in the dark or 'cool' as the tinhats might like it to be, it still stands that tactics like this are used. It's kind of funny - it seems people are often more complacent of 'intent to conspire', so long as it's done in plain view. I still don't think it excuses cases where that leverage is taking precedence over solid engineering design.

      I think the difference between what I'm trying to say and what you're trying to say is this: you make it seem as though making software slower is the goal. I don't believe so. Yes, software drives hardware, and yes, newer software typically runs slower on older hardware. That's not because the developers set out to make the software run slow on old hardware. Instead, the idea is that as hardware advances, so can software. To give an example, let's look at Windows XP. The fancy new gui can be a bit of a resource hog. However, Microsoft has provided very granular controls to turn off the effects you don't want, or even switch back to the "Classic" style (which is actually native controls, not pixmaps that look like the old style). If the goal here was to slow XP down on old computers, those features would not have been provided. Instead, the goal was that as computer hardware advances, Windows can do some more cool presentational things. Don't like those, or your machine can't handle it? Turn them off. Windows XP runs just as well on an old p200 (with a liberal amount of RAM) as did Windows 2000. But if you have the hardware, why not take advantage and have a nicer looking display (if you don't like the Luna style, check out ThemeXP). Same goes for OS X. The goal was not to make the new OS slow on older G3s to drive G4 purchases. Instead, it was that the new hardware gives more processing power that can be used on trivial things like all the fancy alpha blending and scaling in OS X. The X.1 patch sped things up, not slowing them down to force people into buying dual 833 G4s (or whatever).


      A business decision that consists of, "Let's make things slower so that people will upgrade their hardware," is a bad idea. Something more along the lines of, "Today's hardware is more powerful than that of two years ago, so let's use it. People will probably need to upgrade, but c'est la vie," is much more acceptable. Same end result (more or less), but the means are different.

  5. bad password by GoatPigSheep · · Score: 3, Funny

    The password for the database has been found, it was as simple as 'ladepujd', the name of the database's creator spelt backwards

    that's not a very smart choice of password, using your name.

    at least it wasn't 'god' or 'sex'

    --
    GoatPigSheep, the 3 most important food groups
  6. Gopher support shouldn't be in IE by dirk · · Score: 3, Insightful

    Why should IE continue to support Gopher? It is a protocol that is rarely used. It is outdated, and there is no need for it in IE. It's what is commonly referred to as program bloat. It's not needed and should be removed. For the .001% of IE users who do use Gopher, they can use a separate Gopher utility, which will probably support it better than an all-in-one option like IE. Isn't program bloat one of the things everyone has against MS? Shouldn't this decision be applauded?

    --

    "Information wants to be expensive" - Stewart Brand, the same guy who said "Information wants to be free"
    1. Re:Gopher support shouldn't be in IE by Anonnymous+Coward · · Score: 3, Interesting

      Because the RIAA isn't looking for MP3 sites, the BSA isn't looking for warez sites, and the IDSA isn't looking for ROM sites on the gopher:// protocol. Oh well, the clued already aren't using IE anyway, so no loss.

    2. Re:Gopher support shouldn't be in IE by MavEtJu · · Score: 5, Funny

      Why should IE continue to support Gopher?

      "Welcome to Internet Explorer. With this you can easily go everywhere on the Internet. Except for sites which have protocols that we have problems with implementing(*). Have a nice day.

      (*) This is everything except FTP and HTTP. Even if there are problems with the implementation of FTP and/or HTTP, we will not remove them(**).

      (**) This will happen after we've implemented the MS-PPTP(***) into our IIS servers and have replaced TCP/IP with the MS-PITY(****).

      (***) Microsoft Private Propriatary[sp] Transfer Protocol is a trademark of ...

      (****) Microsoft Protocol for Internet TechnologY is a trademark of ...."

      --
      bash$ :(){ :|:&};:
    3. Re:Gopher support shouldn't be in IE by Tottori · · Score: 3, Insightful
      Why should IE continue to support Gopher?
      Because IE is supposed to be a web browser. The original concept of a web browser was to provide a unified interface to Internet resources.

      Naturally, this is an invitation to software bloat, although if the browser is modularised it needn't be so bad. But arguably the user interface benefits are so compelling as to compensate for the conceptual ugliness.

      By removing Gopher, Microsoft are moving away from the concept of a web browser and towards the concept of a proprietary content viewer.

      --
      use constant PERL_IS_BROKEN => $] >= 5.006;
  7. Bad passwords and old software... by kzinti · · Score: 5, Insightful

    According to a report and interview on NPR All Things Considered this afternoon, it only took about an hour to discover the password. The hard part was finding a copy of the old DOS-based database software that was capable of opening the database.

    The institute now keeps copies of all its passwords locked in a safe. Of course, if all its passwords are as bad as the lost password, then what's the point?

    --Jim

    1. Re:Bad passwords and old software... by Dr.+Nonsense · · Score: 3, Funny

      "The institute now keeps copies of all its passwords locked in a safe."

      And where do they keep the code or key to the safe?
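
Added example, not part of the original thread: a password-policy check that rejects passwords derived from the account owner's own name, including the reversed form that protected this database. The surname is the one given in the thread; the function names and the other sample passwords are constructed for illustration.

```python
import re
import unicodedata

# Undo common character substitutions before comparing.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})


def _normalize(text):
    """Lower-case, strip accents, undo substitutions, keep letters only."""
    text = unicodedata.normalize("NFKD", text)
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    text = text.lower().translate(LEET)
    return re.sub(r"[^a-z]", "", text)


def identity_tokens(attributes, min_len=4):
    """Build comparison tokens from account attributes (name, login, e-mail).

    Short fragments are skipped so that initials or a three-letter
    top-level domain do not reject unrelated passwords.
    """
    tokens = set()
    for value in attributes:
        parts = [_normalize(p) for p in re.split(r"[\s@._\-]+", value)]
        parts = [p for p in parts if p]
        tokens.update(p for p in parts if len(p) >= min_len)
        joined = "".join(parts)
        if len(joined) >= min_len:
            tokens.add(joined)
    return tokens


def derived_from_identity(password, attributes, min_len=4):
    """Return why the password is rejected, or None if nothing matched."""
    candidate = _normalize(password)
    for token in sorted(identity_tokens(attributes, min_len)):
        if token in candidate:
            return f"contains '{token}'"
        if token[::-1] in candidate:
            return f"contains '{token}' reversed"
    return None


if __name__ == "__main__":
    owner = ["Djupedal"]  # surname as given in the thread
    samples = [
        "ladepujd",                      # the password from the story
        "L4d3pujd!",                     # constructed: same word, substitutions
        "Djupedal2002",                  # constructed: name plus a year
        "correct horse battery staple",  # constructed: unrelated passphrase
    ]
    for pw in samples:
        print(f"{pw!r}: {derived_from_identity(pw, owner) or 'ok'}")
```

A check like this belongs at password-set time, next to a breached-password list lookup; it only catches passwords built from what is already known about the account.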

  8. Sighting today in Redmond, WA, US... by Anonymous Coward · · Score: 5, Funny

    Bill Gates wearing full Viking armor and singing "Kill the GO-PHER, Kill the GO-PHER, Kill the GO-PHER!!!" to the tune of "Ride of the Valkyries." ;-)

  9. Protocol manager by hackwrench · · Score: 4, Interesting

    What Microsoft should add is a protocol manager that shows all the protocols your system can access, whether it be through Microsoft or other 3rd party vendors like Real's prn protocol

  10. To clarify why parts are "impossible" to remove by rufusdufus · · Score: 5, Insightful

    Removing gopher will affect a very very small number of people, and probably no 3rd party software vendors.
    Removing HTML rendering AND HTTP support (which is what removing IE equals) would screw many many users and thousands of 3rd party software vendors who rely on this support from the OS, in fact render the system unusable as too many components rely on this support, 3rd party and otherwise.

    When MS says Windows is not modular, they are using a legal, not technical, argument. This is based on past cases where, for example, Ford was banned from building pick-up trucks with covers (ie snugtop) because it was an optional module.

  11. Re:Well, this password crack worked well... by agentZ · · Score: 4, Insightful

    I disagree. The lesson we should take away is that there should be a password recovery mechanism.

    If this person had used a strong password and strong crypto, all of their work could be lost! The password recovery mechanism has to be difficult enough to deter an attacker (e.g. require physical presence of company CIO, etc), but easy enough to do in an emergency. This could be necessary for untimely deaths, disgruntled employees leaving without turning over the access devices to their accounts, etc.

  12. fool. by jcsehak · · Score: 5, Funny

    it was as simple as 'ladepujd', the name of the database's creator spelt backwards

    What an idiot. I, an 31337 hax0r, am much smarter. My password, "78sne4ml;w" is composed of random characters, which nobody would ever guess. Lam3r.

    --

    c-hack.com |
  13. Back what? by TheFlu · · Score: 3, Funny

    Good thing my name's not Bob.

  14. Re:No more gopher? What a cop out by thesolo · · Score: 5, Insightful

    Next thing you know, they'll drop support for 75 baud cradle modems. Damn Microsoft! Damn them all to hell!!!!

    The sarcasm and humor in the parent post aside, this is a very serious issue.

    I think most of us know that Gopher is not used very much anymore, so MS supporters are definitely downplaying this hole. However, by not releasing a patch and instead just removing Gopher support, MS is leaving millions of people still open to vulnerabilities!

    Not everyone who uses IE is going to upgrade to the next version of IE which will have no Gopher support. Not everyone runs WinXP, and can install the latest service pack that turns off Gopher support. People are going to keep their system the way it is, but because a patch is not available, they will be vulnerable to arbitrary code being executed at system-level just by clicking a link. And god forbid someone DOES actually want to use Gopher under IE, I guess they can't upgrade to the next version of IE. (Hey, they can always use Mozilla though!)

    This could have a major spiral effect too; think of the Code Red worms. When worm writers realized that people were not patching their system, they released variants of the same worm, to do even more damage. If malicious people now hear that MS is not planning on patching this vulnerability, they might very well have a field day with it.

    I guess all that talk from MS about their "trustworthy computing initiative" was exactly what we all thought; complete and utter hogwash. This type of behavior is simply unacceptable, but especially from a company that claims to be on a company-wide security audit.

  15. Re:No more gopher? What a cop out by MrResistor · · Score: 3, Insightful

    However, by not releasing a patch and instead just removing Gopher support, MS is leaving millions of people still open to vulnerabilities!

    Not everyone who uses IE is going to upgrade to the next version of IE which will have no Gopher support.


    Yeah, but those are the same people who wouldn't install the patch, so what difference does it make?

    Actually, it's much more likely that people will install the new version of MSIE than that they will install a patch.

    I agree that it's a cop-out, and probably indicative of MS' security future, despite all their lip-service to the contrary, but let's be honest here; people are stupid, so there will be millions left vulnerable no matter what MS does because those millions are too ignorant to protect themselves.

    The only thing they could do that would actually make a difference is release the patch as a worm that would patch its own exploit after emailing itself to your whole address book.

    --
    Under capitalism man exploits man. Under communism it's the other way around.
  16. Re:No more gopher? What a cop out by GSloop · · Score: 3, Informative

    Or they could spend a few of those billions making secure code in the first place.

    Pleeeeeze - it can't be that hard scanning your code for unchecked buffers! So I don't think that fixing the thing even after the fact would be that insanely difficult...

    Lastly how about software liability?

    The only time that MS really fixes things (or anyone else for that matter) will be when it costs them. When they have to go before a jury, and explain how they didn't use any due diligence, and that that total system crash that took down the First Interstate Loan Center (Portland Oregon) in the early-mid 90's for hours and hours every week was their own fault. (As I recall it was an undocumented switch in the TCP stack that fixed the SNA session dying thing...) [I know, I had friends that worked there then - NT 3.1, 3.5? dunno]

    When companies no longer can shield themselves from liability by claiming that software is _SO_ different than the rest of the known world, they'll actually do something - till then, just get ready to take it like a good consumer!

    Cheers!

  17. You're wrong. Bill Gates is nothing like a valkyrie by Ilan+Volow · · Score: 5, Funny

    Bill Gates in no way resembles a loud, fat, big breasted nordic messenger of doom.

    It had to be Ballmer.

    --
    Ergonomica Auctorita Illico!
  18. Re:No more gopher? What a cop out by ncc74656 · · Score: 3, Funny
    I think most of us know that Gopher is not used very much anymore, so MS supporters are definitely downplaying this hole. However, by not releasing a patch and instead just removing Gopher support, MS is leaving millions of people still open to vulnerabilities!

    They ought to just hire Bill Murray and be done with the problem. (Hey, it wouldn't be any worse than anything else they've done...)

    --
    20 January 2017: the End of an Error.
  19. Re:Backwards? by hta · · Score: 4, Interesting
    are you sure that's the name spelled backwards? spelling it 'djupedal' looks more backwards to me ... :)

    Americans......
    "djupedal" means "deep valley" in Norwegian, and is a reasonably common surname.
    American cultural imperialism is already imperiling the Norwegian heritage with given names like "Roger" and "Angela", but the surnames are still holding on against the flood.
    Where is Ivar Aasen when you need him.....?
  20. Re:No more gopher? What a cop out by slide-rule · · Score: 3, Interesting
    ... but let's be honest here; people are stupid, so there will be millions left vulnerable no matter what MS does because those millions are too ignorant to protect themselves.
    Interesting (and depressing) thing occurred last week here at work. Couple of us "linux" nuts were talking to a "windows" nut about the need to at least keep up on system patches, etc. Now, he's a very brilliant engineer and can get around in a computer system more so than you'd otherwise think when you heard his reply: "I don't care. I really don't." This even after we explained it wasn't about someone taking stuff from his system as much as it was about someone using his system to attack others. He is smart enough to do it, understands the repercussions of not doing it, and still doesn't care. It was at this point that the couple pro-linux nuts in the discussion realized that there was honestly nothing we could say to move his opinion.

    In other words, you have to figure that, as many clueless people are not patching their systems, our co-worker represents a large number of quite savvy people that are completely apathetic to wanting to be bothered. They don't have the interest to want to take the time; we can't reach these people using fear or logic. How, then, do we protect ourselves?