Slashback: Gopherectomy, Portacinema, Disunity
Throwing the gopher out with the bathwater. An Anonymous Coward writes: "As reported on News.com and discussed on Slashdot, MSIE's gopher support had a serious security vulnerability that allowed your machine to get ROOT'ed.
Well, it seems that Microsoft is unwilling or unable to make the fix, so it is removing support for the gopher protocol from IE. Not that MSIE's gopher support isn't very poorly implemented anyways."
Kept out of the U.S. by the secret conspiracy, no doubt. Buggalo writes "When I saw the article about the Pogo Flipster I thought I'd mention this too. Of course, it's not available in the US (not yet at least), but it sounds cool anyway. It plays MP4 video as well as MP3 audio. One thing that differentiates it from the Flipster is that this one includes video inputs so you don't even need a computer to get anything onto it. It also seems to have a larger screen. From what I can tell it has 64 megs of flash memory built in, and has an SD memory card slot as well. Sorry the website is in Japanese, but you can use Babelfish to translate it."
Not betting on a United front. dgb2n writes "Smart Money Magazine published an excellent article covering the business implications of the United Linux consortium. It provides some good insight into Red Hat's business model, stock price, and future prospects and names a potential winner in the Linux market."
At least this one aspect is happy. Hellkitten writes "The password for the database has been found, it was as simple as 'ladepujd', the name of the database's creator spelt backwards. This previous Slashdot article explains the problem they had.
Aasentunet posted this notice, telling the password and thanking everyone that helped"
ZDNet has the story here as well."
According to a report and interview on NPR All Things Considered this afternoon, it only took about an hour to discover the password. The hard part was finding a copy of the old DOS-based database software that was capable of opening the database.
The institute now keeps copies of all its passwords locked in a safe. Of course, if all its passwords are as bad as the lost password, then what's the point?
--Jim
Bill Gates wearing full Viking armor and singing "Kill the GO-PHER, Kill the GO-PHER, Kill the GO-PHER!!!" to the tune of "Ride of the Valkyries." ;-)
Removing gopher will affect a very very small number of people, and probably no 3rd party software vendors.
Removing HTML rendering AND HTTP support (which is what removing IE equals) would screw many many users and thousands of 3rd party software vendors who rely on this support from the OS, and in fact render the system unusable as too many components rely on this support, 3rd party and otherwise.
When MS says Windows is not modular, they are using a legal, not technical, argument. This is based on past cases where, for example, Ford was banned from building pick-up trucks with covers (ie snugtop) because it was an optional module.
Why should IE continue to support Gopher?
...
...."
"Welcome to Internet Explorer. With this you can easily go everywhere on the Internet. Except for sites which have protocols that we have problems with implementing(*). Have a nice day.
(*) This is everything except FTP and HTTP. Even if there are problems with the implementation of FTP and/or HTTP, we will not remove them(**).
(**) This will happen after we've implemented the MS-PPTP(***) into our IIS servers and have replaced TCP/IP with the MS-PITY(****).
(***) Microsoft Private Propriatary[sp] Transfer Protocol is a trademark of
(****) Microsoft Protocol for Internet TechnologY is a trademark of
bash$
it was as simple as 'ladepujd', the name of the database's creator spelt backwards
What an idiot. I, an 31337 hax0r, am much smarter. My password, "78sne4ml;w" is composed of random characters, which nobody would ever guess. Lam3r.
c-hack.com
Next thing you know, they'll drop support for 75 baud cradle modems. Damn Microsoft! Damn them all to hell!!!!
The sarcasm and humor in the parent post aside, this is a very serious issue.
I think most of us know that Gopher is not used very much anymore, so MS supporters are definitely downplaying this hole. However, by not releasing a patch and instead just removing Gopher support, MS is leaving millions of people still open to vulnerabilities!
Not everyone who uses IE is going to upgrade to the next version of IE which will have no Gopher support. Not everyone runs WinXP, and can install the latest service pack that turns off Gopher support. People are going to keep their system the way it is, but because a patch is not available, they will be vulnerable to arbitrary code being executed at system-level just by clicking a link. And god forbid someone DOES actually want to use Gopher under IE, I guess they can't upgrade to the next version of IE. (Hey, they can always use Mozilla though!)
This could have a major spiral effect too; think of the Code Red worms. When worm writers realized that people were not patching their system, they released variants of the same worm, to do even more damage. If malicious people now hear that MS is not planning on patching this vulnerability, they might very well have a field day with it.
I guess all that talk from MS about their "trustworthy computing initiative" was exactly what we all thought; complete and utter hogwash. This type of behavior is simply unacceptable, but especially from a company that claims to be on a company-wide security audit.
Bill Gates in no way resembles a loud, fat, big breasted nordic messenger of doom.
It had to be Ballmer.
Ergonomica Auctorita Illico!