Slashdot Mirror


Earthstation5 Responds to Malware Claims

Zip In The Wire writes "Random Nut, AKA Shaun Garriok, the Author of Kazaalite, has been a vocal critic of Earthstation5 because of a continual online insult war between himself and some rowdy Earthstation5 fans. This has motivated him to be extremely critical of Earthstation5." (We reported yesterday Garriok's claims that Earthstation5 contains spyware.) "We at Earthstation5 desire and request criticism at any time; in fact, we demand it, as we believe that is the only way to make software truly superior." Read on for the rest of Zip In The Wire (Filehoover, ES5's lead programmer)'s explanation, in which he also points to an updated version of the software, and challenges all takers to find spyware within it.

"We at Earthstation5 are not perfect, but we acknowledge that Shaun Garriok might be and thank him for helping us root out bugs.

The problem with the Earthstation5 software that Shaun Garriok found truly exists; however, the sordid motives he attributes to Earthstation5 are incorrect. The following functions were put into Earthstation5 to allow automatic, remote upgrade of the Earthstation5 software.

These functions are:

  1. Reload Earthstation5
  2. Shutdown Earthstation5
  3. Delete a File

All of these functions are necessary to perform when upgrading software.

We have long been admirers of Shaun Garriok's ability to superbly investigate even a fully compiled program. We believe that he is capable of finding ANY sort of trojan, worm, or bug inside a compiled program. We are relieved that all he could find was these remote upgrade functions. He didn't find any bugs that send user data anywhere, no spyware, no adware, nothing, in fact, that gives away any personal information about the user using Earthstation5.

It is also a fortunate fact that since Earthstation5 protects you from the RIAA lawsuits and hackers by hiding your ip address, the exploit program he wrote can only be used against your own computer, which he states in his exploit. If you want to delete files from your own computer, we feel you have the right to do that.

We are glad he found this bug and pointed it out. We completely removed the automatic software upgrade code because, as it turns out, automatic upgrade is no longer as popular as it once was, because it gives people an uneasy feeling, and rightly so.

Since Shaun Garriok seems to be concerned about everyone's security, and is not on a personal quest for revenge, we would be grateful if he would download the latest Earthstation5 (version 1.1.31), and verify that we have truly removed the remote-update function which his exploit program accessed. We think his dedication to the good of all concerned would motivate him to do this. Anyone else who is concerned can do the same; download the latest Earthstation5 and test the exploit code against it.

-- Filehoover, Lead Programmer of ES5."

15 of 207 comments

  1. Adults or children? by AsherD · · Score: 3, Insightful

    If the tone of that statement wasn't so sarcastic and flippant I might feel that RandomNut may have jumped the gun, but ES5 isn't making any more friends by being immature and insulting.

  2. Delete file is not required remotely to upgrade by Anonymous Coward · · Score: 2, Insightful

    I am very suspicious of the claim that REMOTE deletion of a file is required when updating the software.

    To me, this sounds like damage control, not an honest representation of why that code was in their program. Until the company that makes Earthstation comes up with a plausible explanation for what that code was doing in their program, I will regard Earthstation software as suspect.

    1. Re:Delete file is not required remotely to upgrade by Jugalator · · Score: 2, Insightful

      Actually deleting files during an upgrade is a common practice.. (i do this in my updater)

      Well, for your application's security's sake, I sure hope the delete procedure isn't directly initiated by a server package, where the server is unverified as well. By adding 1 and 1, the resulting security exploit is quite easy to understand.

      I think we all are a little more paranoid since 9/11.....

      This hasn't anything to do with 9/11, this has to do with common sense regarding computer security and network protocol design.

      --
      Beware: In C++, your friends can see your privates!
  3. How do you not notice (ellipsis) by Jameth · · Score: 2, Insightful

    How do you not notice that being able to delete files remotely is a problem? Isn't that just about the most obvious thing ever?

  4. I admire their explanation... by botzi · · Score: 5, Insightful

    ...and it does seem believable. Random_Nut's comments with the exploit paper were too influenced by his personal opinion....

    Anyway, ES5 has a *baaaad* name and this last exploit is by far not the only reason of it.
    Their claims of having zillions of users online (ever tried to use it??? Well, not *exactly* true.), the chat snippet about DoS-ing BitTorrent sites (What kind of loser would do that???). A couple of "spammers" posting on the "concurrent" p2p tools boards.....
    To conclude... ES5 has never been an option for me, and even if their claims on absolute privacy are a nice dream, I prefer sticking to Klite and BitTorrent experimental.

    --
    1. No sig. 2. ???? 3. Profit!!!
  5. Re:Hiding IP Address by krumms · · Score: 2, Insightful

    Article:

    It is also a fortunate fact that since Earthstation5 protects you from the RIAA lawsuits and hackers by hiding your ip address, the exploit program he wrote can only be used against your own computer, which he states in his exploit. If you want to delete files from your own computer, we feel you have the right to do that.

    augustz:

    How does 'hiding' your IP address help?

    It doesn't. He's full of shit - and I bet he's dumb enough to believe that shit.

    He screwed up rather badly, it's just a shame he isn't man enough to pull his finger out of his ass and take the blame for what's obviously a horrendous security problem.

    He's right about one thing though: it's not spyware - it's an exploitable security hole. Probably one that should come to the immediate attention of their '15 million' users.



  6. Need to be able to delete files to upgrade? by Jugalator · · Score: 4, Insightful

    The following functions were put into Earthstation5 to allow automatic, remote upgrade of the Earthstation5 software.

    These functions are:
    Reload Earthstation5
    Shutdown Earthstation5
    Delete a File
    All of these functions are necessary to perform when upgrading software.


    Hell no.

    These guys should learn something about computer security. Funny that the same guys who're using a solution that screams "EXPLOIT ME" are developing some application that's supposed to be focused on extra security.

    This is how to perform a teeny bit safer automatic upgrade:

    - Server sends a packet containing a field that says it's an update packet, along with a version ID to update to, i.e. 110 for version 1.10 or whatever.

    - Client receives packet and uses a partial client-side URL to the place where the new version can be downloaded. For example, the client could use the partial URL "http://www.es5.com/files/es", attach the received version ID (that is: "110") to the string, and finally the file extension, to form the URL "http://www.es5.com/files/es110.zip". The client then takes care of its shutdown, auto-install, and restart sequence.

    Voila! Upgraded application without a RANDOM UNVERIFIED COMPUTER sending the CLIENT a message to DELETE something and it BLINDLY AGREES to. It's amazing that such poor programmers can even design something that compiles. Or are they hired by the RIAA to fool people into downloading their "new, cool and extra safe" application?

    I wouldn't recommend anyone to download the DNS-faking "we-have-more-users-than-Kazaa" dudes' software.

    --
    Beware: In C++, your friends can see your privates!
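
The update scheme sketched in comment 6, as an added example (not part of the original comment and not Earthstation5's code): the client accepts only an update notice carrying a numeric version ID and builds the download URL itself. The packet layout (one type byte plus a 16-bit version), all names, and the newer-version check are assumptions made for illustration.

```python
import struct

# Hypothetical wire format (an assumption, not ES5's real protocol):
#   1 byte  message type (0x01 = UPDATE is the only type the client accepts)
#   2 bytes version ID, unsigned big-endian (110 means version 1.10)
MSG_UPDATE = 0x01
PACKET = struct.Struct(">BH")

# The download location is fixed in the client, as in the comment above.
URL_PREFIX = "http://www.es5.com/files/es"
URL_SUFFIX = ".zip"

class RejectedPacket(ValueError):
    """Raised for any packet the client refuses to act on."""

def update_url(packet: bytes, installed_version: int) -> str:
    """Return the download URL for a valid update notice, else raise."""
    if len(packet) != PACKET.size:
        # Extra bytes would be room for paths or commands; refuse them.
        raise RejectedPacket("unexpected packet length")
    msg_type, version = PACKET.unpack(packet)
    if msg_type != MSG_UPDATE:
        raise RejectedPacket("unsupported message type")
    if version <= installed_version:
        # Added check (not in the comment): never move to an older build.
        raise RejectedPacket("not newer than installed version")
    # version is an int in 0..65535, so it cannot carry '/', '..' or a host.
    return f"{URL_PREFIX}{version}{URL_SUFFIX}"

def handle(packet: bytes, installed_version: int):
    """Client entry point: return the URL to fetch, or None to ignore."""
    try:
        return update_url(packet, installed_version)
    except RejectedPacket:
        return None

# Constructed sample packets.
SAMPLES = {
    "valid update to 1.10": struct.pack(">BH", MSG_UPDATE, 110),
    "delete-style message": b"\x03C:\\some\\file",
    "update with trailing path": struct.pack(">BH", MSG_UPDATE, 110) + b"/../x",
    "stale version": struct.pack(">BH", MSG_UPDATE, 100),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name}: {handle(pkt, installed_version=105)}")
```

The remote side's influence is reduced to one 16-bit integer; whether the downloaded archive is authentic is a separate question that the comment does not address.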
  7. Re:Hiding IP Address by Izago909 · · Score: 3, Insightful

    I think they are implying that hiding your IP in the GUI makes it safe. It's based on the theory that RIAA spies are sitting around with copies of P2P apps and a notepad writing down IPs.

    In all honesty I really don't care if there is code that allows remote deletion of a file in ES5. I refused to use it long before this. Ignoring the horribly ugly GUI, there are still many other concerns. Who guarantees the proxies you use are safe and don't keep logs? Can't the RIAA's enforcers set up a bunch of "anonymous" proxies and advertise their presence on IRC, Usenet, and other file sharing circles? How is spouting propaganda about hiding the IPs in the GUI supposed to make me think you know jack about network security? Being based in such an unstable area may help protect the company and/or developers, but that doesn't say anything about the users. With the developers constantly taunting copyright enforcers, how long will it be before they start targeting users? An overinflated sense of security is the worst enemy of P2P users. Encrypted data transfers don't mean anything. The enforcers don't sniff packets anyway. All they do is download a shared file, verify it's copyrighted, and issue a subpoena. If they can't get past the proxy, they will just have it taken down. Just pray that it didn't keep some sort of log. Eventually, the only operating proxies will be so obscure, distant, slow, or overwhelmed that nobody will use them and the network would slow to a crawl. The only decent servers will be RIAA honey pots. All this because some developer got cocky and started running his mouth.

  8. Re:Well? by S.Lemmon · · Score: 2, Insightful

    It's a bit different - RPMs may delete files but don't sit and listen on an open socket accepting delete requests from a remote server somewhere. That's a whole 'nother kettle of calling the fish black!

    A reasonable auto-upgrade would just have code for the client to delete itself and run the new install I'd think. Also just because ES5 hides IPs doesn't mean someone can't just scan to find people running it. If anyone can connect to you and delete any file, that's a little more than an auto-upgrade feature.

  9. Re:This was addressed yesterday... by MstrFool · · Score: 2, Insightful

    You would rather they waited weeks or months to fix a problem they were told about? The idea, as I see it, is to fix problems as soon as they can be fixed. It seems a bit unreasonable to fault them for fixing it quickly when we gripe at others for fixing problems so slowly. They could have put it there with bad intent, or it could be exactly what they claim, a poorly made auto-upgrader. Lord knows they wouldn't be the first to let out a program with less than perfect code. BTW, if it is what they claim, then all they would have to do is recompile it without the source code for the auto-updater, hardly a time consuming fix.

    --
    Question reality.
  10. Why would you ever need to delete a file? by Adolph_Hitler · · Score: 2, Insightful

    Overwrite the file, install a new file and ignore the old files, but why delete?

    --
    People don't exist to serve systems, systems exist to serve people.
  11. Re:This was addressed yesterday... by kfg · · Score: 2, Insightful

    And herein lies the root of all conspiracy theory.

    If you do something nasty, get caught, and backpedal it looks suspicious.

    If you do something inadvertent for perfectly altruistic reasons and get accused of falling into the prior category and say, "Oh, shit. Ok, we fixed it," it looks just as suspicious.

    If you suspect conspiracy everything always looks like it.

    KFG

  12. You don't get sued for using KaZaA . . . by CharonIDRONES · · Score: 2, Insightful

    You get sued for sharing, distributing, and/or downloading files, on any peer to peer network. The only one so far that the RIAA has attacked as of late is the Fast-Track network, due to its incomparable size. Apparently people don't seem to remember a popular service known as Napster that also disappeared from existence by being sued. So, just because you use ES5, does not make you immune from lawsuits, because you are still violating the law. Using different programs, in my opinion, does give you a bit more freedom, as you don't ever hear of someone getting sued from using the Gnutella2 network (www.shareaza.com) of which I am an advocate. So, it would just be time until they reached the other networks, unless they are stopped here, unless they are not allowed to go further, unless they can no longer hurl subpoenas at ISPs. But then again, those are just my hopes :) P.S. K-Lite K++ is an illegal modification of KaZaA (even though it's superior for doing the oh-so-illegal things :D)

  13. This is why: ALL GOOD P2P APPS ARE **OPEN SOURCE** by torpor · · Score: 5, Insightful

    If you can't look at the source for a p2p system, then it's not truly safe. It is as simple as that.

    P2P opens up a whole different degree of responsibility for local system resource usage, and in fact the primary function of a p2p app is to manage local system resources on behalf of a 'greater good' of bigger resources provided to the community.

    I wouldn't really put much faith in any p2p solution provider who didn't have full disclosure of source code as a priority in their front line for dealing with their users ...

    I mean this as a potential professional user of p2p, as well as a personal user too.

    --
    ; -- the corruption of government starts with its secrets. a truly free people keep no secrets. --
  14. Re:How much HDD space do you use for VMware images by antdude · · Score: 2, Insightful

    How the heck do you manage to download huge files from P2P sources then?

    --
    Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).