Slashdot Mirror
Gamespy Installer Spreads Nimda
NSG writes "Yahoo News is running this story about the Nimda virus infecting some Gamespy Arcade 1.09 installers. Approximately 3,100 infected files were served in a seven hour period. What responsibility does Gamespy have to the users who downloaded the infected file?"
Viruses in gamespy software? The computer industry in general has demonstrated that the concept of ethics no longer applies when there is money at stake. Read the average EULA: you have to surrender fundamental rights, such as fair use. Worse than that, the developers generally absolve themselves of any responsibility or liability whatsoever -- they won't even guarantee that the software that you have just bought will do what they claim it does! What we're seeing is the culmination of an unfortunate trend. The creators of a piece of software for as long as they control it have a monopoly -- anyone committed to using their product is pretty much at their mercy. And that means money -- lots of money.
The theory of relativity doesn't work right in Arkansas.
Don't use Gamespy, use The All Seeing Eye for all your online gaming needs. It is 100x better. Trust me.
I mean, seriously, who downloads this anyway? I make a habit of not trusting any software that has to scan your entire harddrive in order to 'find' games.
If a game doesn't have an ingame browser, then I stick to direct connect, or single player. I shouldn't have to run external programs to play games online.
Still, I think the bad press alone will be Gamespy's punishment on this one. I've seen this news crop up everywhere in the past day or two, and chances are, anyone who reads any kind of net news knows as well.
Legally anyway. I haven't looked at the EULA for Gamespy (haven't downloaded it, actually), but I'm betting some large odds it'll have some clause in it saying they're not responsible even if it destroys your computer, sets fire to your home, and heralds the End of the World.
Whether this will stand up in court would be interesting to see, though. And the precedent it would set would be very wide ranging.
They're legally immune. From the GameSpy Website:
To the fullest extent permitted by applicable laws, GameSpy and its employees, agents, suppliers, and contractors shall in no event be liable for any claims, charges, demands, damages, liabilities, losses, and expenses of whatever nature and howsoever arising, including without limitation any compensatory, incidental, direct, indirect, special, punitive, or consequential damages, loss of use, loss of data, loss caused by a computer or electronic virus, loss of income or profit, loss of or damage to property, claims of third parties, or other losses of any kind or character, even if GameSpy has been advised of the possibility of such damages or losses, arising out of or in connection with the use of this Web Site, software, or any Web Site with which it is linked. You assume total responsibility for establishing such procedures for data back up and virus checking as you consider necessary.
The theory of relativity doesn't work right in Arkansas.
I finally bought a nice new PC for gaming instead of my trusty (yet older) mac, and am told I might have Nimda? I have Gamespy Arcade 1.09 installed! I feel like I've just been burned by unprotected sex.
And like an STD I think Gamespy does have a responsibility to alert all their users to the potential infection.
I can't believe GameSpy is doing this. It's sooo passé. Microsoft already did this. Next time GameSpy wants to get infected, it should be original and choose a different virus, maybe W32.Klez.E or even a McAfee homebrew bug, instead of just copying MS because it's an industry leader. Me, I prefer my KaZaA virus, because it has its own EULA.
According to this link at news.com Executive Mark Surfas said the virus infected one of their download servers for two hours on Tuesday and five hours Wednesday night, while they were performing routine service.
Surfas said a total of 3,100 infected files were served, and the company is in the process of notifying everyone who got an infected file and pointing them to free antivirus tools that will disinfect their systems.
Not cool...
Does it go on forever?
Answer: None
Have you ever read that LONG agreement before you install software? It clearly states this phrase:
NO WARRENTIES EXPRESSED or IMPLIED
idm owns me
I really doubt this will be a serious problem. I'm sure Gamespy will offer a patch for a small monthly fee. Or better yet, maybe if you subscribe to their eXtreme 3d++ platinum gamers edition fileservers for a few bucks maybe they'll sell you someone elses virus scanner demo with no long-term value. Or even better yet, maybe if you purchase one of their programs you can connect to an online scanner paid for and maintained out of someone elses pocket.
"God is a comedian playing to an audience too afraid to laugh." -Voltaire
Although many people believe they HAVE to use Gamespy Arcade to play their favorite game online, and some games bundle it on the CD and suggest you install it, most games also include their own in-game browsers and there are also alternatives available which don't try to force you into a chat room when ever you want to look for a game or shove banners in your face, although some (pingtool) are dead.
I was one of the original Gamespy employees from a few years ago, and I never thought I'd see Gamespy as the subject of a /. story. It just goes to show, before long everything ends up on this site. ;)
It doesn't surprise me in the least that this has occured, though I hate to bash on my old company (especially since when I left, I left with enough stock to really want the company to succeed, or liquidate and get it over with, hehe.) Truth be told, the company has always been run by a man who truly couldn't care less about customers, a development manager who can't understand why you don't call virtuals from a constructor, and a project lead who thinks UI coding is the end-all-be-all of computer science. Put them together and you end up with very little experience trying to manage a product that has long since outlived its usefulness.
And before you flame me or whatever, I do know a little bit about which I speak... having written much of the original Arcade myself (though I'm not too proud of the outcome, having followed its progress since I left in '00.)
All in all, you can continue to expect inferior product from an inferior company, shameful as it is. I often lament on how things might have changed were L-Fire and I given a little more freedom to get stuff done. C'est la vie.
/me waits to get flamed by crt and Walla now
--
[McP]KAAOS
It goes from God, to Jerry, to me.
A careful read of their TOS leads me to believe they had reason to expect this would happen. (Isn't that the implication you get from reading it?) If they knew or believed it would happen they may not be able to worm out of responsibility based on a disclaimer.
I'm an American. I love this country and the freedoms that we used to have.
OK, so they screwed up. They're not the first, and it would surprise me if they were the last. At least we haven't had any major virus targetting online gamers. Yet. (I'm sure the anti-virus makers have some cooking in their skunkworks-labs, to unleash on us once the artifical panic from the JPEG virus blows over.)
/tmp. Why give them blanket access to everything? Software that manipulates random files could communicate via a system call/trusted library that would combine a file-browser and grant one-shot access outside of the applications "playground" for the specific file-name/directory chosen by the user.
Part of the problem is of course the MS monoculture. Those of us wishing for a wider deployment of Linux (including me) may come to regret that wish, since it will inevitably lead to Linux virii. They will have a harder time of infecting the whole machine, but no doubt some clever cyber-{terrorist,vandal,take-your-pick} will come up with one that does exactly that, sooner or later.
And as sure as flies home in on shit, MS will take that as an opportunity to tout Palladium and denounce Linux.
Anyway, the big question is not really how to avoid having software distributions infected, but rather how to encapsulate software. On UNIX and Windows alike, any software you run, will run with the full privilegies of the user (at best) or root (at worst).
It would seem to me that one interesting future development for Linux (or one of the BSDs, perhaps?) would be to find a non-intrusive way of encapsulating software packages, even at run-time. Let them define what they need access to, and then have an installer grant them rights only to those parts of the system.
Most software really only needs write access to their own directory, plus perhaps
Oh well...
They Do...
....bla bla blah
From TOS
bla bla... loss caused by a computer or electronic virus, loss of income or
THE WORLD IS GOING TO END!!!! eventually.
Does anyone else find it ironic that people are getting infected through a program called GameSPY?
I'm going to post under my handle to tell you just what an asshole thing that is to do on your sig line. Some of us don't like to see that kind of shit. Thanks for nothing.
political_news.c: warning: comparison is always true due to limited range of data type
Well, aside from the recent MS nimda spreading, wasnt there a virus on the Mac that changed the "dog-ears" type of file around (I read it somewhere about viruses). Turns out that that virus was distributed on commercial disks and spread around the user base. I'd appreciate if somebody knew the name of it....
Oh well. Stuff like this happens. In this kind of "software world" where everything's connected, I'm amazed this doesnt happen more often (commercial product virite distribution).
It does not absolve Gamespy of responsibility -- but fortunately the actual impact is now. Nimda only infects servers running IIS as a HTTP server, and I'm sure not many gamers are running IIS on their machines.
There's 10 types of people in this world, those who understand binary and those who don't.
You're right. If everybody ran Linux, there'd be no need for GameSpy. Brilliant!
You obviously don't see the big picture. My guess would be that the majority of LameSpy downloaders are kids, either on the computer that daddy bought them, or on daddy's computer. Chances are that most of the 3000 people know just about squat about their computer beyond how to turn it on, frag like hell, and possibly how to turn it off.
Enter Nimda. Replicating at a rate whose exponent is the average of the number of email contacts in the infected group, in this case about 3000 minus the number of machines had virus scanners which actually caught the bug - most likely the number of infected machines is about half the number of downloads. How many people on those email lists are not terribly computer literate as well?
Not trying to blow a lot of fud on the table, but the reality is that these 1500 infected comps boils down to a real pain in the ass, simply because the, ahem, technicians at AdServerSpy can't properly manage their IIS box. I'm sorry, but enough is enough. Companies need to be held accountable when something this sloppy happens. I couldn't think of a better first pick than GameSpy... well, maybe ONE better pick...
political_news.c: warning: comparison is always true due to limited range of data type
Well now that there is talk on Capitol Hill that Congress should pass a bill making upper manangement responsible in the wake of Enron, Andersen, MCI, and now Xerox. I think they should also throw something in there stating any software that is downloaded or packaged with the exchange of money then the company should be liable for any virus or spyware involved. Now if its given away for free and does not contain any fee for monthly service such as Open Source then they are absolved.
GameSpy used to actually useful (and usable) way back in the QuakeWorld days. It stopped being relevant to me sometime before it got renamed to GameSpy Arcade (or whatever it's called now), and it came with a bunch of useless crap. I never understood the 'scanning the hd' bit... I mean, it knows what games it supports, it knows their registry keys, the whole process should take less than a second, not several minutes. I just added games manually anyways.
In any case, most games come with their own server browsers; launching a huge ad-riddled app just to connect to a server a pointless excercise.
So what do people who used GS back in the 'good old days' and still use it have to say about it? Good? Bad?
"Hot lesbian witches! It's fucking genius!"
Regardless of the legal ramifications and waivers there is still a responsibility of the server host to provide software that is free of damging components, say for instance someone sells you a car knowing that the car has major carbon monoxide emissions problem with seepage into the cabin, and has faulty brake lines that are just barely kept together... welcome to the Lemon Law, most judges will have the dealer buy back the car for the cost it was sold for, not the off-the-lot price, well if someone were to take gamespy to court under the auspices that they provided software which did the damages that it is well known for, yes there is really no legal remedy at hand to provide any kind of relief for the plaintiff, however it would prove that they are responsible for the files they serve from their webservers. Just food for thought
Click on the link in his sig, it is a small picture :-)
My girlfriend's kids downloaded GameSpy yesterday, ironically, so they could hook the Xbox up to the router and look for other Halo devotees. And they succeeded.
/., actually, posting this story that made me realize the source of my pain. And for that I say thanks, because for those of you that said so-what-big-deal, well, it's true that this didn't really constitute a national emergency but, speaking now from experience, I can honestly say that NIMDA SUCKS.
...
They also succeeded in hosing two W2K systems on our home network via the file share traversal vulnerability. One was my girlfriend's system, the only one with out-of-date virus protection and, of course, the only unprotected machine with truly irreplaceable files. Sigh.
Well, I downloaded AVG and it's getting clean as I type this, but I thought it might be of interest to those who posted saying that only those machines running IIS can be infected. That ain't the truth. The two infected machines on this network were W2K systems, neither of them running IIS. They were just poorly monitored and vulnerable.
It's
But here's the rundown: I've got nine machines networked here at home, four W2Ks, four Linux, and one Xbox. Well, two of the W2Ks met Nimda first hand, but two others didn't since all of the extant fileshares require logons. Email wasn't a factor, and on the one W2K system that IS running IIS and was potentially vulnerable to attack, well, I've got all the latest patches installed and everything on that machine is clean.
The Linux boxes, of course, didn't even raise an eyebrow
Peace.
Oh no, the users have to download a free virus scanner like AVG to remove it.
Unless you're from Europe of course.
So what is GameSpy? All I can see so far is a battle over EULA's. What does GameSPy do fer me?
I may be bad with names, but I'll never forget your IP address
Comment removed based on user account deletion
And this is why you're supposed to use your email address as a password when doing anonymous FTP. The theory is that if you downloaded something that later turns out to have a virus or some other problem, the server owner can contact those who downloaded the faulty software.
In practice, that probably doesn't happen all too often, but it's still a good idea IMO. Using "mozilla@" as a password doesn't really help the server owner when he needs to get an urgent message across related to a file you downloaded.
Esli epei etot cumprenan, shris soa Sfaha.
However, also from the Gamespy website:
Some U.S. states and foreign countries provide rights in addition to those above, or do not allow excluding or limiting implied warranties, or liability for incidental or consequential damages. Therefore, the above limitations may not apply to you or there may be state provisions that supersede the above. Any clause declared invalid shall be deemed severable and not affect the validity or enforceability of the remainder. These terms are governed by the laws of the State of California and may only be amended in a writing signed by GameSpy Industries.
In addition, there are also a number of legal challenges to EULA's and the like (although I'm not sure whether any have succeeded yet) - see here and here, for example
I don't know whether any applicable laws apply in the States, but the UK has laws which effectively mean that even though you've put up a sign saying you can't have something (eg refunds in shops), it doesn't have any legal bearing over your statutory rights.
Other laws apply which require companies to have signs in prominent positions - preventing vehicle clamping firms from stealth clamping. The legal stuff link on their home page is right at the bottom corner - you have to scroll right down (well past the files link) to even see it. OK, we'll let them off, so long as the files page has a prominent link. Erm, not quite - again right at the bottom, this time wrapped in a font size=-2 tag. Well done chaps.
Not that the people who downloaded it didn't have any responsibility to run a virus scan of their download, of course. However, you do expect a "reputable" company that you get files from should prevent this from happening in the first place. It just adds a little touch of irony to the little check box found in the security warning popup which appears when you go here Always trust content from Gamespy Industries, Inc.
For a look at how EULA's should be, check the SVLA at CEXX.org
It's okay, though.. I'm sure the people who hacked the Nimda into the program also added a disclaimer into the Terms of Service for the software. After all, it's just another virus that gets installed when you install "free" software...
Josh Woodward
...Install something unix-like on their servers?
:)
HTTP/1.1 400 Bad Request
Server: Microsoft-IIS/5.0
No, it's not a anti-micro$oft troll, well, maybe, yes, but it really would be the solution, wouldn't it?
Arcade 1.1b This version of Arcade, released on June 28, 2002, included the following changes: - Removed nasty NIMBA virus - Fired security admin
What responsibility does Gamespy have to the users who downloaded the infected file?"
.net CD's were shipped infected with a worm)
About the same as Microsoft I would guess...
(Remembering the recent slashdot story where
No thanks. I don't smoke anymore.
That's 3100 people who wouldn't have had a problem were they using Linux instead of Windows.
Just a thought.
May we never see th
This certainly isn't the first time that an online service has distributed viruses to it's users.
Back in 1998, an online gaming service called mplayer.com (which, coincidently, is now owned by gamespy) distributed copies of the W95.CIH virus through it's automated software update system. The sad thing is that the company never admitted to it until it's users started complaining to gaming news sites about getting infected.
Another more recent example is an outbreak of Nimda in Kazaa, which was being distributed through the 1.7.1 upgrade installers of their software.
Anyway, these stories are just two more reasons why you should run updated Anti-Virus scanners 24/7 on your Windows boxes.
Wow... He's right!!!
Unless I'm missing something, he's got a really good point here.
The man who trades freedom for security does not deserve nor will he ever receive either. - Benjamin Franklin
I've been suggesting the development of a "partition Dataset" concept for quite a while now. Basically this maps the directories and files into a single file. You can think of it as an application specific chroot, with the idea that the loopback is application specific.
The time has come where we really need this and your post illustrates very clearly why we need to get this done ASAP. Linux is almsot ready for the desktop and the idiots out there are going to wreak havock with any security we might try to build into systems.
The weakest link is the end user and we really need to design systems that are so tight that even they have trouble f*ing them up.
I love Gamespy, they have supported the industry much more than any other company ive ever seen, and hey, if you get Nimda its your own damn fault, there is software called "antivirus software", it normally helps with this sort of thing. If you run windows and dont have AV software, your an f'ing idiot and deserve what you get. Hell, you can scan it for free online (housecall.antivirus.com, no this it not a plug i just use it for my customers who are too cheap to buy software). Get a life, if you have a computer chances are you have had a virus, nimda has an easy fix ..
Kali -- it does dynamic list updating, it is ad-free, and they're offering free registrations now. It's a far superior game browser.
[insert witty comment here]
thats not necessarily true