Slashdot Mirror
Gamespy Installer Spreads Nimda
NSG writes "Yahoo News is running this story about the Nimda virus infecting some Gamespy Arcade 1.09 installers. Approximately 3,100 infected files were served in a seven hour period. What responsibility does Gamespy have to the users who downloaded the infected file?"
Don't use Gamespy, use The All Seeing Eye for all your online gaming needs. It is 100x better. Trust me.
I mean, seriously, who downloads this anyway? I make a habit of not trusting any software that has to scan your entire harddrive in order to 'find' games.
If a game doesn't have an ingame browser, then I stick to direct connect, or single player. I shouldn't have to run external programs to play games online.
Still, I think the bad press alone will be Gamespy's punishment on this one. I've seen this news crop up everywhere in the past day or two, and chances are, anyone who reads any kind of net news knows as well.
Legally anyway. I haven't looked at the EULA for Gamespy (haven't downloaded it, actually), but I'm betting some large odds it'll have some clause in it saying they're not responsible even if it destroys your computer, sets fire to your home, and heralds the End of the World.
Whether this will stand up in court would be interesting to see, though. And the precedent it would set would be very wide ranging.
They're legally immune. From the GameSpy Website:
To the fullest extent permitted by applicable laws, GameSpy and its employees, agents, suppliers, and contractors shall in no event be liable for any claims, charges, demands, damages, liabilities, losses, and expenses of whatever nature and howsoever arising, including without limitation any compensatory, incidental, direct, indirect, special, punitive, or consequential damages, loss of use, loss of data, loss caused by a computer or electronic virus, loss of income or profit, loss of or damage to property, claims of third parties, or other losses of any kind or character, even if GameSpy has been advised of the possibility of such damages or losses, arising out of or in connection with the use of this Web Site, software, or any Web Site with which it is linked. You assume total responsibility for establishing such procedures for data back up and virus checking as you consider necessary.
The theory of relativity doesn't work right in Arkansas.
I can't believe GameSpy is doing this. It's sooo passé. Microsoft already did this. Next time GameSpy wants to get infected, it should be original and choose a different virus, maybe W32.Klez.E or even a McAfee homebrew bug, instead of just copying MS because it's an industry leader. Me, I prefer my KaZaA virus, because it has its own EULA.
Answer: None
Have you ever read that LONG agreement before you install software? It clearly states this phrase:
NO WARRENTIES EXPRESSED or IMPLIED
idm owns me
Although many people believe they HAVE to use Gamespy Arcade to play their favorite game online, and some games bundle it on the CD and suggest you install it, most games also include their own in-game browsers and there are also alternatives available which don't try to force you into a chat room when ever you want to look for a game or shove banners in your face, although some (pingtool) are dead.
I was one of the original Gamespy employees from a few years ago, and I never thought I'd see Gamespy as the subject of a /. story. It just goes to show, before long everything ends up on this site. ;)
It doesn't surprise me in the least that this has occured, though I hate to bash on my old company (especially since when I left, I left with enough stock to really want the company to succeed, or liquidate and get it over with, hehe.) Truth be told, the company has always been run by a man who truly couldn't care less about customers, a development manager who can't understand why you don't call virtuals from a constructor, and a project lead who thinks UI coding is the end-all-be-all of computer science. Put them together and you end up with very little experience trying to manage a product that has long since outlived its usefulness.
And before you flame me or whatever, I do know a little bit about which I speak... having written much of the original Arcade myself (though I'm not too proud of the outcome, having followed its progress since I left in '00.)
All in all, you can continue to expect inferior product from an inferior company, shameful as it is. I often lament on how things might have changed were L-Fire and I given a little more freedom to get stuff done. C'est la vie.
/me waits to get flamed by crt and Walla now
--
[McP]KAAOS
It goes from God, to Jerry, to me.
A careful read of their TOS leads me to believe they had reason to expect this would happen. (Isn't that the implication you get from reading it?) If they knew or believed it would happen they may not be able to worm out of responsibility based on a disclaimer.
I'm an American. I love this country and the freedoms that we used to have.
OK, so they screwed up. They're not the first, and it would surprise me if they were the last. At least we haven't had any major virus targetting online gamers. Yet. (I'm sure the anti-virus makers have some cooking in their skunkworks-labs, to unleash on us once the artifical panic from the JPEG virus blows over.)
/tmp. Why give them blanket access to everything? Software that manipulates random files could communicate via a system call/trusted library that would combine a file-browser and grant one-shot access outside of the applications "playground" for the specific file-name/directory chosen by the user.
Part of the problem is of course the MS monoculture. Those of us wishing for a wider deployment of Linux (including me) may come to regret that wish, since it will inevitably lead to Linux virii. They will have a harder time of infecting the whole machine, but no doubt some clever cyber-{terrorist,vandal,take-your-pick} will come up with one that does exactly that, sooner or later.
And as sure as flies home in on shit, MS will take that as an opportunity to tout Palladium and denounce Linux.
Anyway, the big question is not really how to avoid having software distributions infected, but rather how to encapsulate software. On UNIX and Windows alike, any software you run, will run with the full privilegies of the user (at best) or root (at worst).
It would seem to me that one interesting future development for Linux (or one of the BSDs, perhaps?) would be to find a non-intrusive way of encapsulating software packages, even at run-time. Let them define what they need access to, and then have an installer grant them rights only to those parts of the system.
Most software really only needs write access to their own directory, plus perhaps
Oh well...
Here's an article on software liability clauses and theories on lawsuits regarding software liability. The key to success in a lawsuit is as follows: The users of the software would assume that this software would be free from viruses. This company, by both not securing its networked systems from known viruses, and by not verifying that it's software was not virus-infected prior to release, acted negligently.
Now the question is -- would the reward of attempting lengthy litigation over a relatively small loss be worthwhile? Unfortunately, it's not all too often as such. To my knowledge, as of yet, data loss due to negligence (not resulting in death, destruction of people or property, etc) has not provided for large damages. I'm sure as judges and congress members become more technically savvy, we will see more resonable laws and judgements relating to software liability. Until then, good luck.
Well, aside from the recent MS nimda spreading, wasnt there a virus on the Mac that changed the "dog-ears" type of file around (I read it somewhere about viruses). Turns out that that virus was distributed on commercial disks and spread around the user base. I'd appreciate if somebody knew the name of it....
Oh well. Stuff like this happens. In this kind of "software world" where everything's connected, I'm amazed this doesnt happen more often (commercial product virite distribution).
It does not absolve Gamespy of responsibility -- but fortunately the actual impact is now. Nimda only infects servers running IIS as a HTTP server, and I'm sure not many gamers are running IIS on their machines.
There's 10 types of people in this world, those who understand binary and those who don't.
You obviously don't see the big picture. My guess would be that the majority of LameSpy downloaders are kids, either on the computer that daddy bought them, or on daddy's computer. Chances are that most of the 3000 people know just about squat about their computer beyond how to turn it on, frag like hell, and possibly how to turn it off.
Enter Nimda. Replicating at a rate whose exponent is the average of the number of email contacts in the infected group, in this case about 3000 minus the number of machines had virus scanners which actually caught the bug - most likely the number of infected machines is about half the number of downloads. How many people on those email lists are not terribly computer literate as well?
Not trying to blow a lot of fud on the table, but the reality is that these 1500 infected comps boils down to a real pain in the ass, simply because the, ahem, technicians at AdServerSpy can't properly manage their IIS box. I'm sorry, but enough is enough. Companies need to be held accountable when something this sloppy happens. I couldn't think of a better first pick than GameSpy... well, maybe ONE better pick...
political_news.c: warning: comparison is always true due to limited range of data type
My girlfriend's kids downloaded GameSpy yesterday, ironically, so they could hook the Xbox up to the router and look for other Halo devotees. And they succeeded.
/., actually, posting this story that made me realize the source of my pain. And for that I say thanks, because for those of you that said so-what-big-deal, well, it's true that this didn't really constitute a national emergency but, speaking now from experience, I can honestly say that NIMDA SUCKS.
...
They also succeeded in hosing two W2K systems on our home network via the file share traversal vulnerability. One was my girlfriend's system, the only one with out-of-date virus protection and, of course, the only unprotected machine with truly irreplaceable files. Sigh.
Well, I downloaded AVG and it's getting clean as I type this, but I thought it might be of interest to those who posted saying that only those machines running IIS can be infected. That ain't the truth. The two infected machines on this network were W2K systems, neither of them running IIS. They were just poorly monitored and vulnerable.
It's
But here's the rundown: I've got nine machines networked here at home, four W2Ks, four Linux, and one Xbox. Well, two of the W2Ks met Nimda first hand, but two others didn't since all of the extant fileshares require logons. Email wasn't a factor, and on the one W2K system that IS running IIS and was potentially vulnerable to attack, well, I've got all the latest patches installed and everything on that machine is clean.
The Linux boxes, of course, didn't even raise an eyebrow
Peace.
how the hell do you inform everyone? most people who sign up for gamespy give a bogus or a spam trap email that will never be checked. How the hell are they gonna notify all of them?
And this is why you're supposed to use your email address as a password when doing anonymous FTP. The theory is that if you downloaded something that later turns out to have a virus or some other problem, the server owner can contact those who downloaded the faulty software.
In practice, that probably doesn't happen all too often, but it's still a good idea IMO. Using "mozilla@" as a password doesn't really help the server owner when he needs to get an urgent message across related to a file you downloaded.
Esli epei etot cumprenan, shris soa Sfaha.
It's okay, though.. I'm sure the people who hacked the Nimda into the program also added a disclaimer into the Terms of Service for the software. After all, it's just another virus that gets installed when you install "free" software...
Josh Woodward
Arcade 1.1b This version of Arcade, released on June 28, 2002, included the following changes: - Removed nasty NIMBA virus - Fired security admin
What responsibility does Gamespy have to the users who downloaded the infected file?"
.net CD's were shipped infected with a worm)
About the same as Microsoft I would guess...
(Remembering the recent slashdot story where
No thanks. I don't smoke anymore.
That's 3100 people who wouldn't have had a problem were they using Linux instead of Windows.
Just a thought.
May we never see th
Wow... He's right!!!
Unless I'm missing something, he's got a really good point here.
The man who trades freedom for security does not deserve nor will he ever receive either. - Benjamin Franklin