Slashdot Mirror
Gamespy Installer Spreads Nimda
NSG writes "Yahoo News is running this story about the Nimda virus infecting some Gamespy Arcade 1.09 installers. Approximately 3,100 infected files were served in a seven hour period. What responsibility does Gamespy have to the users who downloaded the infected file?"
First Post!
If everyone would run Linux this wouldn't be a problem!
Oh well, back to dowloading pr0n...
Pr0n K1ng
Viruses in gamespy software? The computer industry in general has demonstrated that the concept of ethics no longer applies when there is money at stake. Read the average EULA: you have to surrender fundamental rights, such as fair use. Worse than that, the developers generally absolve themselves of any responsibility or liability whatsoever -- they won't even guarantee that the software that you have just bought will do what they claim it does! What we're seeing is the culmination of an unfortunate trend. The creators of a piece of software for as long as they control it have a monopoly -- anyone committed to using their product is pretty much at their mercy. And that means money -- lots of money.
The theory of relativity doesn't work right in Arkansas.
Don't use Gamespy, use The All Seeing Eye for all your online gaming needs. It is 100x better. Trust me.
I mean, seriously, who downloads this anyway? I make a habit of not trusting any software that has to scan your entire harddrive in order to 'find' games.
If a game doesn't have an ingame browser, then I stick to direct connect, or single player. I shouldn't have to run external programs to play games online.
Still, I think the bad press alone will be Gamespy's punishment on this one. I've seen this news crop up everywhere in the past day or two, and chances are, anyone who reads any kind of net news knows as well.
Legally anyway. I haven't looked at the EULA for Gamespy (haven't downloaded it, actually), but I'm betting some large odds it'll have some clause in it saying they're not responsible even if it destroys your computer, sets fire to your home, and heralds the End of the World.
Whether this will stand up in court would be interesting to see, though. And the precedent it would set would be very wide ranging.
They're legally immune. From the GameSpy Website:
To the fullest extent permitted by applicable laws, GameSpy and its employees, agents, suppliers, and contractors shall in no event be liable for any claims, charges, demands, damages, liabilities, losses, and expenses of whatever nature and howsoever arising, including without limitation any compensatory, incidental, direct, indirect, special, punitive, or consequential damages, loss of use, loss of data, loss caused by a computer or electronic virus, loss of income or profit, loss of or damage to property, claims of third parties, or other losses of any kind or character, even if GameSpy has been advised of the possibility of such damages or losses, arising out of or in connection with the use of this Web Site, software, or any Web Site with which it is linked. You assume total responsibility for establishing such procedures for data back up and virus checking as you consider necessary.
The theory of relativity doesn't work right in Arkansas.
I finally bought a nice new PC for gaming instead of my trusty (yet older) mac, and am told I might have Nimda? I have Gamespy Arcade 1.09 installed! I feel like I've just been burned by unprotected sex.
And like an STD I think Gamespy does have a responsibility to alert all their users to the potential infection.
I can't believe GameSpy is doing this. It's sooo passé. Microsoft already did this. Next time GameSpy wants to get infected, it should be original and choose a different virus, maybe W32.Klez.E or even a McAfee homebrew bug, instead of just copying MS because it's an industry leader. Me, I prefer my KaZaA virus, because it has its own EULA.
According to this link at news.com Executive Mark Surfas said the virus infected one of their download servers for two hours on Tuesday and five hours Wednesday night, while they were performing routine service.
Surfas said a total of 3,100 infected files were served, and the company is in the process of notifying everyone who got an infected file and pointing them to free antivirus tools that will disinfect their systems.
Not cool...
Does it go on forever?
Answer: None
Have you ever read that LONG agreement before you install software? It clearly states this phrase:
NO WARRENTIES EXPRESSED or IMPLIED
idm owns me
I really doubt this will be a serious problem. I'm sure Gamespy will offer a patch for a small monthly fee. Or better yet, maybe if you subscribe to their eXtreme 3d++ platinum gamers edition fileservers for a few bucks maybe they'll sell you someone elses virus scanner demo with no long-term value. Or even better yet, maybe if you purchase one of their programs you can connect to an online scanner paid for and maintained out of someone elses pocket.
"God is a comedian playing to an audience too afraid to laugh." -Voltaire
Oh no, 3100 people got Nimda in a Gamespy Arcade installer. Oh no, a virus infected a webserver (who would have imagined something like THAT happening?). Oh no, the users have to download a free virus scanner like AVG to remove it. Oh no, it was their choice to download Gamespy Arcade in the first place.
Oh no, this is absolutely nothing.
using namespace slashdot;
troll::post();
Although many people believe they HAVE to use Gamespy Arcade to play their favorite game online, and some games bundle it on the CD and suggest you install it, most games also include their own in-game browsers and there are also alternatives available which don't try to force you into a chat room when ever you want to look for a game or shove banners in your face, although some (pingtool) are dead.
I was one of the original Gamespy employees from a few years ago, and I never thought I'd see Gamespy as the subject of a /. story. It just goes to show, before long everything ends up on this site. ;)
It doesn't surprise me in the least that this has occured, though I hate to bash on my old company (especially since when I left, I left with enough stock to really want the company to succeed, or liquidate and get it over with, hehe.) Truth be told, the company has always been run by a man who truly couldn't care less about customers, a development manager who can't understand why you don't call virtuals from a constructor, and a project lead who thinks UI coding is the end-all-be-all of computer science. Put them together and you end up with very little experience trying to manage a product that has long since outlived its usefulness.
And before you flame me or whatever, I do know a little bit about which I speak... having written much of the original Arcade myself (though I'm not too proud of the outcome, having followed its progress since I left in '00.)
All in all, you can continue to expect inferior product from an inferior company, shameful as it is. I often lament on how things might have changed were L-Fire and I given a little more freedom to get stuff done. C'est la vie.
/me waits to get flamed by crt and Walla now
--
[McP]KAAOS
It goes from God, to Jerry, to me.
A careful read of their TOS leads me to believe they had reason to expect this would happen. (Isn't that the implication you get from reading it?) If they knew or believed it would happen they may not be able to worm out of responsibility based on a disclaimer.
I'm an American. I love this country and the freedoms that we used to have.
OK, so they screwed up. They're not the first, and it would surprise me if they were the last. At least we haven't had any major virus targetting online gamers. Yet. (I'm sure the anti-virus makers have some cooking in their skunkworks-labs, to unleash on us once the artifical panic from the JPEG virus blows over.)
/tmp. Why give them blanket access to everything? Software that manipulates random files could communicate via a system call/trusted library that would combine a file-browser and grant one-shot access outside of the applications "playground" for the specific file-name/directory chosen by the user.
Part of the problem is of course the MS monoculture. Those of us wishing for a wider deployment of Linux (including me) may come to regret that wish, since it will inevitably lead to Linux virii. They will have a harder time of infecting the whole machine, but no doubt some clever cyber-{terrorist,vandal,take-your-pick} will come up with one that does exactly that, sooner or later.
And as sure as flies home in on shit, MS will take that as an opportunity to tout Palladium and denounce Linux.
Anyway, the big question is not really how to avoid having software distributions infected, but rather how to encapsulate software. On UNIX and Windows alike, any software you run, will run with the full privilegies of the user (at best) or root (at worst).
It would seem to me that one interesting future development for Linux (or one of the BSDs, perhaps?) would be to find a non-intrusive way of encapsulating software packages, even at run-time. Let them define what they need access to, and then have an installer grant them rights only to those parts of the system.
Most software really only needs write access to their own directory, plus perhaps
Oh well...
They Do...
....bla bla blah
From TOS
bla bla... loss caused by a computer or electronic virus, loss of income or
THE WORLD IS GOING TO END!!!! eventually.
Does anyone else find it ironic that people are getting infected through a program called GameSPY?
I'm going to post under my handle to tell you just what an asshole thing that is to do on your sig line. Some of us don't like to see that kind of shit. Thanks for nothing.
political_news.c: warning: comparison is always true due to limited range of data type
Well, aside from the recent MS nimda spreading, wasnt there a virus on the Mac that changed the "dog-ears" type of file around (I read it somewhere about viruses). Turns out that that virus was distributed on commercial disks and spread around the user base. I'd appreciate if somebody knew the name of it....
Oh well. Stuff like this happens. In this kind of "software world" where everything's connected, I'm amazed this doesnt happen more often (commercial product virite distribution).
It does not absolve Gamespy of responsibility -- but fortunately the actual impact is now. Nimda only infects servers running IIS as a HTTP server, and I'm sure not many gamers are running IIS on their machines.
There's 10 types of people in this world, those who understand binary and those who don't.
Well now that there is talk on Capitol Hill that Congress should pass a bill making upper manangement responsible in the wake of Enron, Andersen, MCI, and now Xerox. I think they should also throw something in there stating any software that is downloaded or packaged with the exchange of money then the company should be liable for any virus or spyware involved. Now if its given away for free and does not contain any fee for monthly service such as Open Source then they are absolved.
Mac OS (before X) stores icons in a database. If you copied a file, you copied the icon over also. If you created an icon of the right type it would get substituted for the normal system icons.
If someone copied a file from your HD they got that new replacement icon along with it. Thus the icons spread.
But they weren't a traditional virus because there was no code of any kind associated with the icons. No code spreading thus no virus.
Switch
Strange women lying in ponds distributing swords is no basis for a system of government.
Very nice report, on by! But you should round those real numbers. Two digits after the decimal point should be sufficient.
Not "viri", not "virora", and definitely NOT "virii". Please kill yourself, you fucking idiot.
GameSpy used to actually useful (and usable) way back in the QuakeWorld days. It stopped being relevant to me sometime before it got renamed to GameSpy Arcade (or whatever it's called now), and it came with a bunch of useless crap. I never understood the 'scanning the hd' bit... I mean, it knows what games it supports, it knows their registry keys, the whole process should take less than a second, not several minutes. I just added games manually anyways.
In any case, most games come with their own server browsers; launching a huge ad-riddled app just to connect to a server a pointless excercise.
So what do people who used GS back in the 'good old days' and still use it have to say about it? Good? Bad?
"Hot lesbian witches! It's fucking genius!"
PayPal (among other companies) are promoting Providian National Bank for VISA Credit Card services. And, I feel it is reasonable to assume that PayPal customers that get the Providian VISA Card will be using the Providian online services available at https://www.providianservices.com/
Well... lets break out our friend OpenSSL from the Linux command line:
$ openssl
/NASApp/ola/base/Login
OpenSSL> s_client -connect www.providianservices.com:443
HEAD / HTTP/1.0
HTTP/1.1 302 Moved Temporarily
Server: Netscape-Enterprise/4.1
Date: Sat, 29 Jun 2002 08:59:59 GMT
Location:
Content-length: 0
Content-type: text/html
Connection: close
Hey! What do we have here? A web server that is over 2 years old.
Who is responsable for security patches? IPlanet was but they closed up shop in March 17, 2002.
And...in May of 2002, even Netscape's own www.netscape.com stopped using Netscape-Enterprise as a web server!
So... Providian Services Online (which is promoted by PayPal) is using an outdated web server to decrypt SSL packets related to credit card accounts and Slashdot users should be conserned about... GameSpy's temporily distribution of Nimda?!?!
Thats truely messed up. I rather consern myself with the credit card company that is continuing to screw up online than a game company that already resolved it's screw up.
Regardless of the legal ramifications and waivers there is still a responsibility of the server host to provide software that is free of damging components, say for instance someone sells you a car knowing that the car has major carbon monoxide emissions problem with seepage into the cabin, and has faulty brake lines that are just barely kept together... welcome to the Lemon Law, most judges will have the dealer buy back the car for the cost it was sold for, not the off-the-lot price, well if someone were to take gamespy to court under the auspices that they provided software which did the damages that it is well known for, yes there is really no legal remedy at hand to provide any kind of relief for the plaintiff, however it would prove that they are responsible for the files they serve from their webservers. Just food for thought
fade in...
john carmack just got fingered.
fade to black...
Click on the link in his sig, it is a small picture :-)
For a moment there, I was afraid the headline said "Gamespy Installer Spreads Ninjas!"
My girlfriend's kids downloaded GameSpy yesterday, ironically, so they could hook the Xbox up to the router and look for other Halo devotees. And they succeeded.
/., actually, posting this story that made me realize the source of my pain. And for that I say thanks, because for those of you that said so-what-big-deal, well, it's true that this didn't really constitute a national emergency but, speaking now from experience, I can honestly say that NIMDA SUCKS.
...
They also succeeded in hosing two W2K systems on our home network via the file share traversal vulnerability. One was my girlfriend's system, the only one with out-of-date virus protection and, of course, the only unprotected machine with truly irreplaceable files. Sigh.
Well, I downloaded AVG and it's getting clean as I type this, but I thought it might be of interest to those who posted saying that only those machines running IIS can be infected. That ain't the truth. The two infected machines on this network were W2K systems, neither of them running IIS. They were just poorly monitored and vulnerable.
It's
But here's the rundown: I've got nine machines networked here at home, four W2Ks, four Linux, and one Xbox. Well, two of the W2Ks met Nimda first hand, but two others didn't since all of the extant fileshares require logons. Email wasn't a factor, and on the one W2K system that IS running IIS and was potentially vulnerable to attack, well, I've got all the latest patches installed and everything on that machine is clean.
The Linux boxes, of course, didn't even raise an eyebrow
Peace.
I hate Gamespy for buying some of the best websites out there and turning them to shit. I hate Gamespy for releasing an inferior product and doing some fancy corporate manuvering to make it ubiquitous. They have no quality control whatsoever, and this is just a shining example of their horrible product development process in action. Testing? What is that? Does that cost money?
So what is GameSpy? All I can see so far is a battle over EULA's. What does GameSPy do fer me?
I may be bad with names, but I'll never forget your IP address
Comment removed based on user account deletion
FUCK! My fucking EYES! God DAMN that fucking slashdot url shower! FUUUUUUUUCK YOOOOOOOOU, man!
And this is why you're supposed to use your email address as a password when doing anonymous FTP. The theory is that if you downloaded something that later turns out to have a virus or some other problem, the server owner can contact those who downloaded the faulty software.
In practice, that probably doesn't happen all too often, but it's still a good idea IMO. Using "mozilla@" as a password doesn't really help the server owner when he needs to get an urgent message across related to a file you downloaded.
Esli epei etot cumprenan, shris soa Sfaha.
However, also from the Gamespy website:
Some U.S. states and foreign countries provide rights in addition to those above, or do not allow excluding or limiting implied warranties, or liability for incidental or consequential damages. Therefore, the above limitations may not apply to you or there may be state provisions that supersede the above. Any clause declared invalid shall be deemed severable and not affect the validity or enforceability of the remainder. These terms are governed by the laws of the State of California and may only be amended in a writing signed by GameSpy Industries.
In addition, there are also a number of legal challenges to EULA's and the like (although I'm not sure whether any have succeeded yet) - see here and here, for example
I don't know whether any applicable laws apply in the States, but the UK has laws which effectively mean that even though you've put up a sign saying you can't have something (eg refunds in shops), it doesn't have any legal bearing over your statutory rights.
Other laws apply which require companies to have signs in prominent positions - preventing vehicle clamping firms from stealth clamping. The legal stuff link on their home page is right at the bottom corner - you have to scroll right down (well past the files link) to even see it. OK, we'll let them off, so long as the files page has a prominent link. Erm, not quite - again right at the bottom, this time wrapped in a font size=-2 tag. Well done chaps.
Not that the people who downloaded it didn't have any responsibility to run a virus scan of their download, of course. However, you do expect a "reputable" company that you get files from should prevent this from happening in the first place. It just adds a little touch of irony to the little check box found in the security warning popup which appears when you go here Always trust content from Gamespy Industries, Inc.
For a look at how EULA's should be, check the SVLA at CEXX.org
It's okay, though.. I'm sure the people who hacked the Nimda into the program also added a disclaimer into the Terms of Service for the software. After all, it's just another virus that gets installed when you install "free" software...
Josh Woodward
...Install something unix-like on their servers?
:)
HTTP/1.1 400 Bad Request
Server: Microsoft-IIS/5.0
No, it's not a anti-micro$oft troll, well, maybe, yes, but it really would be the solution, wouldn't it?
What kind of spy distributes viruses besides James Bond with his STD collection?
Arcade 1.1b This version of Arcade, released on June 28, 2002, included the following changes: - Removed nasty NIMBA virus - Fired security admin
From what my friends tell me about gamespy (I know people who work there and I attend the company lan parties), it's run by a bunch of kids who love to play games, but they have no business or software development experience. There's also a bunch of weird stuff going on inside their engineering group.
The project lead for Arcade is a spaghetti-coder who does nothing all day, but meets deadlines by hitting a meth pipe all weekend to hack out masses of buggy code that gets released to customers on monday. This is the guy that does the bloated Arcade user interface. He and his "wife" are closet homosexuals that use each other as beards. The married couple live with the wife's girlfriend who is a well-known female quake player.
Their head of engineering is a sexually frustrated 24 year old virgin who spends 22 hours a day at work, half of it late at night surfing for porn. I hear there's a betting pool inside Gamespy for when this guy is gonna get laid. Coworkers are praying it'll be soon so he'll chill out and stop being so uptight. He dropped out of school and got hired at Gamespy, but he's never worked at a software company before! This guy hired the Arcade programming team.
So with an engineering group like that, is it any wonder that they could be incompetent enough to release Arcade with a virus?
It's too bad because the original Arcade (Gamespy 3D) and the planetquake.com website worked well. There's nothing wrong with Gamespy making money, but Mark Surfas could have at least hired some real programmers.
...PB82
It's not a troll. I can't believe what idiot mods we have somedays. Why am I posting AC? Because some stupid mod that likes NIN decided that a direct quote attributed to the source was flamebait. Killed my Karma of 4.
All those links did was say "Connection refused while attempting to contact goatse.cx"
Post a correct link, please.
do all your gaming in Linux, that's what I do. most games have pretty good in game browsers, plus there are other options such as Xqf that do all gamespy does, save for the viruses. plus, no registration required!
P
What responsibility does Gamespy have to the users who downloaded the infected file?"
.net CD's were shipped infected with a worm)
About the same as Microsoft I would guess...
(Remembering the recent slashdot story where
No thanks. I don't smoke anymore.
This certainly isn't the first time that an online service has distributed viruses to it's users.
Back in 1998, an online gaming service called mplayer.com (which, coincidently, is now owned by gamespy) distributed copies of the W95.CIH virus through it's automated software update system. The sad thing is that the company never admitted to it until it's users started complaining to gaming news sites about getting infected.
Another more recent example is an outbreak of Nimda in Kazaa, which was being distributed through the 1.7.1 upgrade installers of their software.
Anyway, these stories are just two more reasons why you should run updated Anti-Virus scanners 24/7 on your Windows boxes.
Wow... He's right!!!
Unless I'm missing something, he's got a really good point here.
The man who trades freedom for security does not deserve nor will he ever receive either. - Benjamin Franklin
I have 3 zones behind the OpenBSD firewall. One is for my kid. I firewalled his W2K boxen from my systems. Its sad when you have to do this... sad from a LOT of perspectives.
He's a bright boy, but he doesn't understand why people would "write a virus". He's also been know to leave the car running on the street with the doors unlocked. One day his car will drive away and he will proclaim "I wonder why that happened".
I can only say that Experiance is a good teacher and fools learn by no other method.
I've been suggesting the development of a "partition Dataset" concept for quite a while now. Basically this maps the directories and files into a single file. You can think of it as an application specific chroot, with the idea that the loopback is application specific.
The time has come where we really need this and your post illustrates very clearly why we need to get this done ASAP. Linux is almsot ready for the desktop and the idiots out there are going to wreak havock with any security we might try to build into systems.
The weakest link is the end user and we really need to design systems that are so tight that even they have trouble f*ing them up.
This kind of thing has been happening for years without any recource from the companies that sent out the virus's. I remember a couple of years back when IBM was doing their big ebusiness security marketing campaign, the RS6000 configurator tool had a virus in it for like 4 builds in a row.
The first time I came across it I put calls into IBMLink (that's where you download the app from), and the Rs6000 software support center and still nothing was done about it. 3 releases (about 5 months) later the virus was not included in the build anymore.
01:36AM up 426 days, 2:46, 1 user, load average: 0.14, 0.11, 0.05
I love Gamespy, they have supported the industry much more than any other company ive ever seen, and hey, if you get Nimda its your own damn fault, there is software called "antivirus software", it normally helps with this sort of thing. If you run windows and dont have AV software, your an f'ing idiot and deserve what you get. Hell, you can scan it for free online (housecall.antivirus.com, no this it not a plug i just use it for my customers who are too cheap to buy software). Get a life, if you have a computer chances are you have had a virus, nimda has an easy fix ..
Kali -- it does dynamic list updating, it is ad-free, and they're offering free registrations now. It's a far superior game browser.
[insert witty comment here]