Slashdot Mirror


Earthstation5 Responds to Malware Claims

Zip In The Wire writes "Random Nut, AKA Shaun Garriok, the Author of Kazaalite, has been a vocal critic of Earthstation5 because of a continual online insult war between himself and some rowdy Earthstation5 fans. This has motivated him to be extremely critical of Earthstation5." (We reported yesterday Garriok's claims that Earthstation5 contains spyware.) "We at Earthstation5 desire and request criticism at any time; in fact, we demand it, as we believe that is the only way to make software truly superior." Read on for the rest of Zip In The Wire (Filehoover, ES5's lead programmer)'s explanation, in which he also points to an updated version of the software, and challenges all takers to find spyware within it.

"We at Earthstation5 are not perfect, but we acknowledge that Shaun Garriok might be and thank him for helping us root out bugs.

The problem with the Earthstation5 software that Shaun Garriok found truly exists; however, the sordid motives he attributes to Earthstation5 are incorrect. The following functions were put into Earthstation5 to allow automatic, remote upgrade of the Earthstation5 software.

These functions are:

  1. Reload Earthstation5
  2. Shutdown Earthstation5
  3. Delete a File

All of these functions are necessary to perform when upgrading software.

We have long been admirers of Shaun Garriok's ability to superbly investigate even a fully compiled program. We believe that he is capable of finding ANY sort of trojan, worm, or bug inside a compiled program. We are relieved that all he could find was these remote upgrade functions. He didn't find any bugs that send user data anywhere, no spyware, no adware, nothing, in fact, that gives away any personal information about the user using Earthstation5.

It is also a fortunate fact that since Earthstation5 protects you from the RIAA lawsuits and hackers by hiding your IP address, the exploit program he wrote can only be used against your own computer, which he states in his exploit. If you want to delete files from your own computer, we feel you have the right to do that.

We are glad he found this bug and pointed it out. We completely removed the automatic software upgrade code because, as it turns out, automatic upgrade is no longer as popular as it once was because it gives people an uneasy feeling, and rightly so.

Since Shaun Garriok seems to be concerned about everyone's security, and is not on a personal quest for revenge, we would be grateful if he would download the latest Earthstation5 (version 1.1.31), and verify that we have truly removed the remote-update function which his exploit program accessed. We think his dedication to the good of all concerned would motivate him to do this. Anyone else who is concerned can do the same; download the latest Earthstation5 and test the exploit code against it.

-- Filehoover, Lead Programmer of ES5."

9 of 207 comments

  1. This was addressed yesterday... by LearningHard · · Score: 5, Informative

    On the full-disclosure list. It seems that after ES5 found out people had discovered the malware contained in it, they decided to upload a new version which will probably have those functions taken out. I see this as a suspicious move and would be very hesitant to use any of their software myself.

  2. Re:One question by mOoZik · · Score: 3, Informative

    I tried it out a while ago, and it sucked. Besides the horrible GUI and the constant "We're Israeli, Palestinian, Jordanian..." messages, the results for even common files were poor. The same searches on Kazaa yielded better results in my evaluation, which is ironic, because ES5 claims they have 3 or 4 times more people at any given time.

  3. COINTELPRO by Anonymous Coward · · Score: 2, Informative

    Go read about COINTELPRO and then realize that EarthStation 5 is the MPAA/RIAA version.

  4. Re:Here is why I care, but it does NOT affect me.. by thinkninja · · Score: 2, Informative

    Or use an open source client to connect to half a dozen p2p networks (edonkey, overnet, bittorrent, gnutella, gnutella2, fasttrack, soulseek, direct-connect, and opennap)...

    --
    "The number of Unix installations has grown to ten, with more expected." (Unix Programmer's Manual, 2nd ed.; June 1972)

  5. Re:Not afraid to share, afraid of the apps' author by NaDrew · · Score: 2, Informative

    Suggestion: Allow the virtual OS read-only access to your media library (presumably on the real OS). This will let your file-sharing apps share your files with no risk of affecting your system.

    --
    Vista:XPSP2::ME:98SE

  6. Re:ES5 Other Employees Comments by AEton · · Score: 3, Informative

    The forums can be accessed at http://formus.es5.com. It requires a username/password; I set up an account with u/p slashdot/slashdot, and that should work.

    The quote in question is from the user "SharePro" in the thread "Danger do not use ES5, ES5 too easy to hack"; at present, it's on page 36 of the thread and it's the fourth post from the top. I can't find the home address of Random_nut (the person being berated by this fellow SharePro, a person who has 2666 posts on the EarthStation5 boards and is in "Group: Admin"); but one user has the address in his/her .sig - search for "Shaun AND Aberdeen" to see what I mean.

    For context, here is the whole message (I have emboldened the part quoted by AC):

    QUOTE (spinkmonkey @ Oct 3 2003, 06:58 PM)
    If he had told you about the vulnerability you would have denied it and (like you have now) secretly modified the installer, I think that much is perfectly obvious to anyone. What he's done isn't about being good for ES5, in fact you're right it's completely the opposite, it's good for the ES5 USERS because no one will trust this program anymore. Posting his details is the lowest of the low, quite frankly you are scum

    You obviously don't know me very well if you think I am the type to deny shit. I have answered much harder questions.

    Obviously (and you can quote me), if I know about a breach in security, then it's not an issue of denying it, it's an issue of fixing it. Since now that Filehoover obviously got a message before I did, and it's fixed, there is nothing to deny. I was not here today, and everybody on this board knows that I am here every day, so if I wasn't here, then I WASN'T HERE!

    Should I just let the breach sit there and say "Hey everybody, here is a breach in security"? C'mon, you do have brains. So you really don't make sense. Filehoover may have re-compiled without that specific code, and not changed the build number. So what? What is your point? A cover up? What cover up?

    I wasn't here today, and Filehoover isn't here now. It appears that he found out about it, and fixed it and now case closed. ES5 is still the most secure P2P program.

    Kazaa had an exploit not so long ago and it was also fixed that left their entire network vulnerable to be turned down. There is a difference between somebody hacking and something that was left over accidentally. Random Nut didn't hack ES5, all he did was see some extra code.

    According to the build numbers he posted, he has spent months on this program and that is the most he can find? Code that is not in use and that was accidentally left over? I would have expected more.

    I agree and can be quoted as saying that it should not have been there. I WILL EVEN SCREAM THAT IT SHOULD NOT HAVE BEEN THERE. Deny? Wtf should I deny?

    I think it's pretty fucking pathetic that he made a crack instead of a patch, so like I said, if I were him, I'd look behind my back. You attack me or my users, and yes, I will send people to your front door. I don't fuck around because the responsibility that I have to my users does not allow me to fuck around. Rules changed, and he probably doesn't know how to play them. My identity is sealed, so again, he doesn't know who his enemy is. He is not anonymous nor is his family.

    I have known who Random Nut is for a while. Did you know that Kazaa wants his address to sue the fuck out of him for manipulating their code and making a derivative out of it? I wouldn't give it to them because why should I? I'm not Random Slut, I don't fuck people simply to fuck them.

    Did you know that the RIAA / MPAA wants his address to sue him? The list goes on including various law organizations. I wouldn't give it to the RIAA either because I hate the RIAA. I handle my own problems. But in reality, now that I am printing it, you can bet that it will appear everywhere by various people. I will also be printing pictures of him and

    --
    We recently had heard in the office over one of the Yellow Machine that's made by Anthology Solutions.

  7. Re:Well? by S.Lemmon · · Score: 2, Informative

    The original client can most certainly delete itself, including all DLLs and so forth, with no help from the "new" version. It may have to unload and run a temp process so its files aren't in use, but that's a common procedure. Most auto-updates are in fact initiated from the client, not the server. Usually something like

    1) client looks for new version
    2) client downloads new version
    3) client checks digital signature of download
    4) client runs temp program
    5) temp program uninstalls old client and installs new.

    It's also possible the old client may just run the install for the new one (and let the new one run the old one's uninstaller), but in any case everything's under the old client's control as much as possible. Never does the remote server tell it what to delete.
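
An added example, not part of S.Lemmon's comment or of ES5's code: the client-driven flow from steps 3 to 5, where the client authenticates the update manifest, checks each download against it, and works out for itself which of its own files to remove, so no server-supplied "delete" command exists. It goes slightly beyond the comment by also confining every path to the install directory. The manifest layout, `installed.json`, the function names and the demo key are assumptions, and HMAC stands in for a public-key signature so that only the standard library is needed.

```python
import hashlib
import hmac
import json
from pathlib import Path

# Constructed demo key. HMAC stands in for the digital-signature check so the
# example needs only the standard library; a real updater would verify a
# public-key signature against a key shipped inside the client.
DEMO_KEY = b"constructed-demo-key"
INSTALLED = "installed.json"  # hypothetical local record of files the client installed


def sign(manifest_bytes: bytes) -> str:
    return hmac.new(DEMO_KEY, manifest_bytes, hashlib.sha256).hexdigest()


def safe_target(install_dir, rel: str) -> Path:
    """Resolve rel inside install_dir; reject absolute paths and ../ escapes."""
    root = Path(install_dir).resolve()
    target = (root / rel).resolve()
    if root not in target.parents:
        raise ValueError(f"path escapes install dir: {rel!r}")
    return target


def apply_update(install_dir, manifest_bytes: bytes, signature: str, payloads: dict):
    """Verify, stage, then install. Returns the files the client chose to remove."""
    # Step 3: authenticate the manifest before parsing or trusting any field.
    if not hmac.compare_digest(sign(manifest_bytes), signature):
        raise ValueError("manifest signature mismatch")
    files = json.loads(manifest_bytes)["files"]  # {relative path: sha256 hex}

    # Check every download against the signed hash before touching the disk.
    staged = {}
    for rel, digest in files.items():
        if hashlib.sha256(payloads[rel]).hexdigest() != digest:
            raise ValueError(f"hash mismatch for {rel!r}")
        staged[safe_target(install_dir, rel)] = payloads[rel]

    # Deletions are computed locally: only files this client installed earlier
    # and that the new version no longer ships. No "delete X" command exists.
    record = safe_target(install_dir, INSTALLED)
    old = json.loads(record.read_text()) if record.exists() else []
    removed = sorted(set(old) - set(files))
    for rel in removed:
        safe_target(install_dir, rel).unlink(missing_ok=True)

    for target, data in staged.items():
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
    record.write_text(json.dumps(sorted(files)))
    return removed
```
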

  8. Oh man this seems a bit weak as excuses go. by aepervius · · Score: 4, Informative

    I mean, I programmed this last month a test tool application on a LAN network, and frankly I *DO NOT* need to have a delete file command in the client. I mean, the client pretty well knows which files it has to update (it is included in the update message) and it launches an updater application in background and stops itself so as to allow the files to be deleted/copied.

    This is one solution, and I am pretty sure a bunch of people here can come up with others. But having a delete command is certainly a lousy way to do that. Heck, on the net it OBVIOUSLY means that you open the door to an attacker reverse engineering your app for bad purposes and allow them a nice way to wreak havoc on a system. Either their application E.S.5 is not as great as they are hyping it (haha), or they really are searching for an excuse for obvious malware. If it is the second option which is true, the next malware code will be hidden behind encryption and packets won't be easily decoded.

    People, go away from ES5. You will from now on have no way to determine if you are not installing a trojan on your computer UNLESS they give you the source code and a compiler to compare the final binaries' md5 with what you can generate...

    --
    C. Sagan : A demon haunted world:
    http://www.amazon.com/gp/product/0345409469/
    visit randi.org

  9. Re:Do End Users Want These Features (tm) by Jonah+Hex · · Score: 2, Informative

    Users don't really want or care about this functionality, however I'll tell you who does: administrators and programmers. In a biz environment where you may have hundreds or thousands of users, version control and updating are very important issues, especially so when it comes to in-house applications or virus scan updates.

    I spent about three weeks once working on a scripted install of Acrobat Reader, Netscape, VirusScan, NTSP4 and a few in-house apps; all with custom setup files/registry keys and setup for our in-house programmers to do their own "pushes" of updates to the call center computers. Over the course of a weekend 6 techs working at 3 locations (HQ, call center, print/packing center) updated over 5,000 computers by simply rebooting and letting the login script do all the work, then coming by and checking for errors. We ended up with 2 machines that had serious problems after the upgrade and another 10 or so that had minor issues, which is most likely less than we would have had if the techs would have had to do the procedure by hand on each machine.

    Properly used, automatic updates are a wonderful thing. However it's a lot harder to implement outside the corporate structure, since most users who are burned once by an auto-update tend to mistrust all such methods. Even companies that require all users to be patched to the latest version for the large online games such as Ultima Online or Everquest occasionally get bit by the "patch bug" and make a lot of enemies in their userbase whenever it happens.

    Jonah Hex