Slashdot Mirror
Crackers Tune In to Windows Media Player
jamshedji writes "Crackers are using the newest DRM technology in Microsoft's Windows Media Player to install spyware, adware, dialers and computer viruses on unsuspecting PC users."
← Back to Stories (view on slashdot.org)
"It's pretty ingenious," said Patrick Hinojasa, chief technical officer at Panda Software. "To take an anti-piracy feature and use it to feed spyware is extremely ironic."
Not quite ingenious but certainly not ironic. Perhaps if they were loading copyrighted materials such as movies and music onto your machine while you were attempting to download the license for DRM *then* it would be ironic.
The sad thing is that 99% of Windows users are likely telling WMP to install these licenses automatically when they try to play a media file. It's the "popup addiction" at work. People can't stand popups and anything to get them out of the way for good is they way they want to go.
This is going to become yet another excuse for trusted computing and single codec repositories. "Look! You are being infected by those bad sites on the Internet! Want protection? Use trusted computing and you'll never have a problem again! Just sign here, here and here. Pay here and connect here. Ahh, isn't that better?"
this time.. we probably wont have the ability to turn it off.
This will become the new ActiveX.. I can see it already..
Simon.
I'm so happy that I've got a system that doesn't integrate every little bit into the OS! Too bad Mickeysoft still doesn't understand that more features don't make their system any better.
One has to wonder why an application whose primary purpose it is to just display data is such a huge vector for infection. What was Microsoft thinking when they made it possible for movies to automatically open URL's and install stuff? Perhaps someone can explain the logic to me.
Be relentless!
At a glance i thought this was an arcticle about white people and spyware...
Crackers like the RIAA/MPAA contractor Overpeer?
Linux Wireless Hardware in the UK
Really, the article says Hackers. Crackers break software.
I mean if you're going to rip the first line 'summary' from the article itself, why skimp on one word?
Ok I'll admit it. I did a search on Limewire for some "adult" type content. Every single movie I grabbed up tried to get me to install some piece of software in order to watch the movie. 1800fastsearch, etc. I was annoyed that the spyware companies had gotten their tentacles this deep in porn. Those bastards, is nothing sacred?
I boycott signatures
You people have it all WRONG, DRM was meant to Stand for Digital Rights Manipulation, it's actually a Microsoft feature.
For those who still don't suspect, you might try Firefox.
What does Firefox have to do with ending Spyware via WMP? Absolutely nothing. Last time I checked Firefox opened WMP on Windows machines when you attempted to play a media file.
Hmm.
Now maybe if you had suggested some little known media player that didn't automatically install codecs after you clicked "don't ask me again, just install" then maybe your post would have been worth something.
At least RTFA.
Besides the obvious troubles of Windows, and of DRM, we now have the added issues of security? Well, at least I don't have to worry about it on my Linux desktop. Just on my Windows laptop. Really, I think that MS must try and leave these open so that they can sell subscriptions to their new AntiSpyware.
#define DRM chmod 000
Use the excellent - and free - VLC media player
Is it really worth sacrificing the safety of media files so that video players could launch web pages and other code? Another example of Microsoft trying to add usability, whlile sacrificing security. There's no way they couldn't have known about this security flaw.
Random rants about technology: http://technorants.blogspot.com
You mean Weatherbug isn't spyware?!? I guess I've been wrong for the past 3 years. I always pegged it as 'not much better than gator'.
But really, Windows XP does provide a way to keep users from installing just any software, that is by having a seperate administrator user and do you surfing and P2P downloading using a "limited" user account.
I went to visit some relatives a couple of weeks ago and I found 250 dialers, spyware and malware programs on thier computer using Spybot. It was unbelievable!
They aren't using Windows Media Player to install spyware. They are using WMP to get users to click on a link that takes them to a webpage where, presumably, the user's browser is compromised.
Give the proliferation of spyware *without* this new fishing technique, I don't understand the significance of this. People find spyware all by themselves, they don't need any help.
so when Bill G was up hawking the MS 'plays for sure' market-speak, little did he suspect it was really infected for sure!
comprehensive Microsoft security effort is continuing to provide new opportunities to developers/commercial interests to offer system enhancements, needed pharmaceuticals and privacy adjustments. It's so much better then on FOS or OS X, where such efforts are impeded.
spywarearcata.com just got pwned!
Download porn from kazaa lately?
.wmv files _years_ ago, because they frequently require a licence to play which is a PITA for offline viewing.
Many of us stopped downloading any
Has anyone told Chris Rock that crackers are doing this?
He'll be pissed.
There's nothing Intelligent about Intelligent Design.
...a media player? It's a flaw in Windows Media Player, not (unusual as it is) Internet Explorer.
:)
So, in other words - use VideoLAN
On the Beta Winamp TV stations, adult site operators quickly figured how to launch URLs on video streams. Needless to say, the support forums showed you how to turn off this feature about a day after the discovery.
Please, not every app in the known world needs to launch a freakin' web page, etc.
Especially not porn.
How can it be possible for one company to make software with that many security flaws?!
-- Jonathan Holst Geeks will take over the world - resistance is futile
It serves ads (the weatherbug) therefore it belongs in an antispyware (and adware)application.
i hope MS doesnt remove it.
I have a deep rooted hatred for that shitty program to begin with, but it still serves ad's and therefore should be includeed.
What is the difference between DRM and spyware?
How could DRM work without inherently 'spying' on the user/victim?
STOP. You're being farmed.
Now maybe if you had suggested some little known media player that didn't automatically install codecs after you clicked "don't ask me again, just install" then maybe your post would have been worth something.
I'll go for one, mplayer. There's been beta builds on mplayers site for a while now, but I don't usually hear about anyone using it. While a lot of the port isn't as nice as in linux, and it seems to choke on most real player content even with the codec pack, it's still fairly nice. I keep it on a usb drive and it really comes in handy every now and again.
Everything will be taken away from you.
That no good deed goes unpunished?
Faster! Faster! Faster would be better!
If AOL would open the WinAmp source, after it was examined by a horde of cranky Slashdotters bent on porting it to Linux, it would be at least believed to be less buggy than WMP. It might whip WMP the way Firefox has whipped IE, Apache has whipped IIS, and all the other open source "utilities" are whipping unreliable MS software. Especially if the community could factor down only the essential WinAmp features, leaving the bloated full WinAmp available as #2, just like Mozilla.
--
make install -not war
It seems that people neglect to mention the fact that countless times a week announcements are made that some piece of Open source software has a security hole in it which will allow root access to some fat slob in a basement somewhere. Each OS has its problems and really you choose based on what you need, not the fact that 1 percent of the media out there might try to get you to install some search bar on your internet explorer.
NJ Local Music Scene
I agree with your trusted computing satement, if Microsoft does acknowlege this incident there will only be more problems. Microsoft has been doing this kind of thing for years, so I dont expect their announcements to suddenly be more honest. I'd be even more surprised if the mass media found the real story instead of propogating microsoft garbage speak. Microsoft has been loosing credibility for several years now, in the future I look for "non-trusted computing" to be EASIER, and more trusted. When consumers see a open market that meets these requirements (and it's already impressive), they'll seriously consider a new platform.
"And we have seen and do testify that the Father sent the Son to be the Savior of the World"
1 John 4:14
Well, to be precise it opens which ever media player is associated with the media file you are trying to open. You can also override this on a per-filetype basis by specifiying a different handler for the file under the "Downloads" section of the Options box - the section titled "File Types". Whether your motivation for switching to Firefox was security, features, web standards or because it's FOSS, then the same motivation should apply to WMP too. Certainly on my Windows boxes none of the primary media types are associated with the DRM and security hole infested WMP.
UNIX? They're not even circumcised! Savages!
I thought this was going to be an article on a huge surge in Molly Hatchet and Lynyrd Skynyrd downloads
that more people are not hopping on the Linux bandwagon. I grew tired of crap like this long ago.
Linux affords people an out, at least until Linux reaches critical mass with a large installed user base.
Common sense can prevent 99% of all crap like this for Windows users. A Linksys router coupled with a fully updated system coupled with Zone Alarm or other software firewall along with using a decent browser like Opera or Firefox stops crap like this cold.
And here I was hoping this was a great new way to spice up my saltines.
Well, to be precise it opens which ever media player is associated with the media file you are trying to open. You can also override this on a per-filetype basis by specifiying a different handler for the file under the "Downloads" section of the Options box - the section titled "File Types". Whether your motivation for switching to Firefox was security, features, web standards or because it's FOSS, then the same motivation should apply to WMP too. Certainly on my Windows boxes none of the primary media types are associated with the DRM and security hole infested WMP.
By default, unless you remove it or change the media player in the browser setup, every recent Windows machine has WMP and thus regardless of browser, is vunerable.
If you want a decent open source media player, choose VLC. It works great on Win32, Linux & OS X. Works well supporting CDs, DVDs, AVI, DiVX, MP3, Ogg and just about every other media format known to man - except protected WMA.
So if the exploit relies on dangling a "carrot" in the shape of some free pr0n if you download some licence into WMP, VLC won't protect you from yourself and doesn't offer comparable functionality.
Windows media player like it should be. Low resource usage, plays dvds and any file you have the codecs for installed, without any network access at all. (Unless you're playing a stream or course)
I am trolling
This has kept my computer safe and my mind happy for the last twenty years. I don't plan to change it:
Don't buy products from Microsoft!
There is one exception: The Microsoft Optical Wheel Mouse is a great product. You can't fuck up a mouse, though.
Wait, Apple's round one-button mouse.
Now, that's a deal: Apple could learn from M$ how to design mice, while Steve explains to Bill what an Operating System is.
When I first saw the story, I was afraid that hackers were somehow exploiting program flaws in media player that would give them unauthorised access, allowing them to install spyware.
...wait for it... trying to leech other people's copyrighted material off of dodgy peer to peer networks!
Instead, it turns out that DRM is simply doing it's job - protecting the digital rights on content providers by punishing those people who attempt to gain access to unathorised media.
Here's my take, I'm pretty sure that I'll be safe wether I run linux or windows (I run both) since I am not
If you engage in pirating, you deserve the cannonball to your vessel; I, for one, feel no pity.
However, officials at AOL and WeatherBug did not take too kindly to the classification. "The vast majority of anti-spyware providers do not consider WeatherBug to be spyware, including Aluria, our own anti-spyware provider," said AOL spokesman Andrew Weinstein.
Is this guy serious ? Because the company's own software doesn't consider its other software bad, this is supposed to make us feel better ?
If AOL would open the WinAmp source
The problem is that Winamp (IIRC) uses DirectShow and standard Windows codecs for playing movies; WMP is also essentially a gui front-end for DirectShow. (It's just like Linux where you have xine-lib with its plugins, and all sorts of guis for it - xine-ui, kaffeine, totem etc). My guess is that the Windows Media DRM is implemented at the codec level or in the DirectShow pipeline, and not in the media player - otherwise, the DRM would be trivial to circumvent. The only real solution is a usable windows port of xine-lib or mplayer (even helixplayer would work, as long as it implements its own video pipeline).
However, officials at AOL and WeatherBug did not take too kindly to the classification. "The vast majority of anti-spyware providers do not consider WeatherBug to be spyware, including Aluria, our own anti-spyware provider," said AOL spokesman Andrew Weinstein.
I love that part of the eweek article in the grandparents post. God forbid AOL's own anti-spyware division peg it's own spyware as spyware.
Genius. Anyone know if Webroots SpySweeper removes WeatherBug? or AdAware? I'd like to know what REAL spy removal ap's think.
This is why I would only use MicroCraps AntiSpy/Virus crap with other more traditional methods like AdAware and SpySweeper. Atleast AdAware stays true to their roots without kissing other companies asses. The inhumanity that most people won't ever know about the shit that goes behind the scenes.
Trusted computing will make current spyware and worm problems a lot worse.
As soon as a bug is found in a trusted computing architecture, which WILL happen, things will get a whole lot worse for the average user. Spyware will be created which your hardware refuses to allow you to remove, even with a boot disk or safe mode. Your computer will refuse allow you to install anti-virus and spyware cleaning tools. The spyware will install a certificate with high trust levels for spyware vendors.
Even if no bug is found, companies like AOL have proven they're willing to sell out their customers by bundling adware with AIM without disclosure. This will likely create an initial hole which can be opened up much wider.
Issues like this are killing Windows. I learned my lesson a few years ago that almost no shareware or freeware can be trusted. This makes Windows a lot less useful and is one of the many reasons why I usually run linux on my desktop.
IMHO, trusted computing will only hurt Windows' usability by the average user.
It occurs to me that this sort of thing is just going to hasten the death of the home PC as a media device. We've already seen the decline in the PC as a gaming platform relative to dedicated consoles in part due to ease of use issues. If I'm Jane user and just watching downloaded videos opens the door to hundreds of spyware apps and other nonsense, I'm going to stop using the PC for stuff like that if there's an easier to use alternative.
The next generation gaming consoles may be ready to become the easy to use box in the living room that is easy to use and never gets infected by viruses or spyware. If this happens, home PC sales will plummet! Couple these boxes with HDTV and high quality sound systems and it's game over for the PC. Slashdotters may be able to cope with the nonsense, but most people are going to take the easy way out, especially if the price of admission is low. As for me, I'd love to see a really good web browser on Sony's PSP, then I could do my mindless surfing in the living room on a reasonably good display.
To the making of books there is no end, so let's get started
I was in NYC on business at the end of last week. The owner of our company had me swing by his apartment while I was in town and he wanted me to setup a wireless network there - which I did.
As part of the process I was tasked with fixing the 3 XP laptops that were "not working" or "too slow".
Sure enough, I found that they all had spyware - but one had 52 viruses on it.
The best part was that his wife (it was her laptop) said to me "oh that is odd because my IT person from work JUST scanned that two days ago - so I hardly think that I got 52 viruses in two days."
I tried to be polite but essentially told her that she might want to look into getting a better IT person.
One of the viruses that she had kept spawning instances of the media player and I couldn't figure out why... now I see why I guess.
(technically some of the viruses were trojans/worms/spyware, so I guess I should just say "malware")
There are some odd things afoot now, in the Villa Straylight.
DRM may only be a functional annoyance for the average user in concept. Backlash from that alone could be interesting. Add the possiblity that MS's DRM implementation will very likely result in a $150 trip to the local electronics lease & fleece, your average user is going to be more then a little irritated.
This is good news I say, good news indeed. The more people get pissed at DRM, the better.
Seriously I haven't felt the need to install any AV player after MP Classic and mega codec pack from kazza-lite. Also use real player alternative and quicktime alternative much less resouce use and no phoning back to home.
for the last time people, I am "frodo from middle eaRTH", not "middle eaST".
i clicked on a link that said: "install spyware"
Only morons moderate based on a sig.
Guys, it could be much worse. It's not like WMP is forcefully bundled into the world's most popular desktop OS or anything....
I use FireFox, but the problem here is Media Player that I sure is using IE components. I've noticed this problem too and it's gotten to where I just don't download WMV files. Long live MP3 and MPEG! I haven't found a good WMP open-source replacement yet; otherwise, I would get rid of it like I did MS Office (replaced with OpenOffice.org) and IE (replaced with FireFox).
Warning!!!
Do NOT DOWNLOAD BRITNEYSPEARSNUDE.WMV!!! It is not really a video of her stripping. It is a virus!!!
BTW, HURRY! WAREZ LIST ENDS SOON!!!
racist?
:)
I mean crackers? I'm sure asian people, black people and people of other races are doing it too
The more WMA gets compromised the sooner we can dump it in favor of open standards.
-- Microsoft is the most expensive commodity operating system and office suite vendor in the marketplace.
It sounds like (after RTFA) all this does is direct a user to a website - supposedly to get a "license" to play the content.. and once on that website, spyware is downloaded.
:-> (now, to download some more porn off eDonkey!)
So.. isn't this just a new way to get people to visit spyware websites.. which exploit flaws in IE? Meaning, there is no new flaw in WMP here?
As long as WMP uses your default browser to check for licenses (can someone confirm this?) I'm safe
I am the maverick of Slashdot
They work so unbelievably hard at it!
You claim to be a Windows user and you haven't already been aquainted with the crash-curse-reformat-reinstall drill? I think you made your whole story up.
-- Microsoft is the most expensive commodity operating system and office suite vendor in the marketplace.
And with ffdshow newbs will never be bothered with codecs again.
I use MPlayer-cygwin myself, but the lack of GUI would put them off.
Most people who use Windows are unaware of the fact that are running under an Administrator (root user) account where anything can be installed, copied or deleted. Including spware and viruses. To this day, I never understood why Windows computers don't come pre-configured to run as a non-root user with limited file, execution and registry privileges? If I remember correctly XP supports a feature called "run as" if a program needs to be run as root (ie. setup programs).
I say, "too bad if the user has to type passwords!" The world of single user, DOS type computing is over. Time to start educating the public about the need to type in some passwords every now and then. Today's Anti-Virus and other Anti-Malware applications just don't cut it anymore. Blocking malware at the IP/Port level is not enough as you can tell by the failures of SP2. Password protecting processes at the OS level and file access at the file system level is much more effective. This whole virus/adware problem could be substantially minimized if people would just be more damn educated and willing to sacrifice a little ease of use. If we can be inconvenienced to show ID at the bank and enter a pin number at the ATM I don't think it's so bad to enter a password on our home PCs either.
If you have to run Microsoft, one solution is to back off to Windows 2000. You run Windows 2000. Windows XP runs you. Many corporate installations refuse to go with XP for that reason.
It's not just Microsoft, either. Remember that DRM-protected CD that changed the firmware on Apple CD drives so the machine would never work again? (And remember Apple refusing to fix it under warranty?)
I use Winamp, but Winamp is pissing me off lately for various reasons, so I may try Mplayer. I have Mplayer (and Video Lan Client) installed for those odd situations when something won't play and I need to test the file with another player. So far it's been pretty good about playing things, but the interface is not as hot as Winamp - not that that's necessarily a bad thing since Winamp is "busy" and consumed with featuritis.
Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
and how do you know these scum are all white?
That said, I hate crackers too.
http://xkcd.com/386/
VideoLAN, plays just about everything.
between the greater and lesser infinities sleep the dreams undreamt
Now maybe if you had suggested some little known media player that didn't automatically install codecs after you clicked "don't ask me again, just install" then maybe your post would have been worth something.
Umm, then you would all be complainng about how said media player didn't work and asked you about codec installs even AFTER you told it not to.
Place the blame where it belongs in this case. On the stupid users who click the "don't ask me again, just install" button in the first place.
Apple doesn't have a DRM to break.
Cool! I'll try it right away. Thanx for the heads up. Bliz
Spy Sweeper Try this program in addition to SpyBot & AdAware. Spyware is one area where you need to seemingly use more and more programs to keep your system clean. Its one of the few known good pay-for-AntiSpyware products. Maybe even try Microsofts spyware? It surprises me how much stuff you find with each additional product you use. Crazy.
Since you seem to know what's going on I'm also going to suggest HiJackThis! Use it to find exactly what programs are opening on boot, and tons more information. If this is too much info for you just search google for HiJackThis Log Forums. Proffesional Nerds volunteer to help talk people thru the logs. Use it carefully as it is a powerfull tool.
I'm assuming you have some flavor of anti-virus and firewall.
If all else fails, maybe you need to format and upgrade to XP? Not sure if that's an option for ya tho.
This should be a wake-up call for anyone who is still using windows. Microsoft software has always been inherently insecure and things seem to go downhill for them at an alarming pace. Simply put, it is plain stupid to still use windows nowadays. At the current situation, with increasingly sophisticated viruses coming out every other day, we are talking "survival of the fittest" and that means Mac and Linux users.
do you feel hesitant to click on a link that says "install spyware"? :) ...to install spyware...
And then there was E
Which is why once a year or so I do a scheduled complete re install. everything gets backed up and then I boot from a floppy and type my all time favorite command for cleaning a windows computer.
/s
format c:
it takes a couple of days but hey it's all good.
i thought once I was found, but it was only a dream.
People ask why I bother with a Non-Windows OS. They ask about it being hard to learn, install, configure, etc.
I told them it was easer than trying to keep up with the MS exploit of the week. I have been watching for the last 6 months for the exploit of the week.
In some weeks I'm rewarded with more than one. I'm seldom let down my not having an MS exploit of the week.
I can always use Microsoft AntiSpyware to fix the problem! Right?
Wanted: witty unique signature. Must be willing to relocate.
Ridiculous! If ever there was anything that mandated nationalizing Microsoft and turning it into a regulated public utility, this is it - the straw on the camel's back! They seem incapable of doing anything that doesn't leave large holes that expose the security of every consumer to some dire threat! Every "improvement" is just another prelude to disaster. If this is the result of their focus on "security" - what do we have to look forward to is somebody comes in hung-over one day, and gets careless? Enough already!
Media don't kill ideas, people do.
If you opt out, you can't (or at least aren't supposed to be able to) play media that have DRM enabled until you change your mind and opt in.
Save Maine's economy: write stuff down. All comments are exclusively my own, not my employer.
Excellent
Wow, you must be Rip Van Winkle. That linguistic battle was lost ages ago. The survivors went on (as losers often do) to slaughter each other in an internecine battle over whether the term for software released under a liberal license should be called "free" or "open source".
These days, most people who want to play it safe disavow the belief that anything can mean anything, although a few nostalgic old timers are trying to rally the old gang around the idea that DRM should stand for Digital Restrictions Management.
Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
but what about black people?
Mod me off-topic? How's this off-topic you dumbass. If you were to download .wmv porn on kazaa you would know they've been using this exploit to infect your machine for a good while now.
What was your username again? -BOFH
This should not be modded insightful. What garcia didn't process is that WMP will open the default browser to process the DRM license. If Firefox is your default browser it will be opened and presumably the webpage will not be able to use IE exploits to install malware. This of course is due to the fact that the issue is with security holes in IE and not WMP. The issue with WMP is that it is accessing IE.
It seems to me that this causes a leak in the argument that Microsoft apologists use when talking about viruses and spyware. You know the "Your OS would be just as insecure if you had 90% marketshare" argument.
Perhaps we can all agree that iTunes and the iPod currently enjoy a much, much larger share of the purchased digital music (and thus DRM) market than all of the Windows Media players combined. Yet as far as I know (and somebody may prove me wrong) but the DRM Apple uses hasn't been hijacked to carry malware. I'm not glorifying Apple, since they license Fairplay DRM from another company, but just pointing out that, market share being irrelevant, Microsoft seems rather incapable of writing any secure code whatsoever.
Ugh. Does everything that comes out of that behemoth have to be a complete piece of shit?
It seems like I have to disable ALL the features that made Windows good. All the features that made it somewhat different from Windows 95. Are we taking huge steps back in time???
Is it really so that I need to disable ALL these cool features modern Windows OS offers to be safe? Is that the key to secure Windows computing? I wonder if there is ANY feature I havent already disabled.
Where are we heading with this? Are we taking huge steps back in time because all features disabled Windows XP looks very much like Windows 95 to me.
As an IT professional, I must commend M$ for another job well done. I have billed 6 hours this week (@$80/hr) fixing XP machines that were compromised via WMP. This is for 3 clients in a small town. What do you suppose this "feature" will cost consumers in the end.
Myself, I use linux on all of my desktops, OpenBSD on my servers and WinXP Tablet on my mobile "repair kit" laptop. The only thing I use the laptop for is backing up customer data before formating and reinstalling a fubared Windozer workstation.
While I promote open source software to my users, I would be out of work if Windows wasn't the standard.
You will be assimilated...
When will people realize that MS software and windows in particular are buggy with the purpose. And the purpose is to dominate the world.
MS needs to have its entire insalled base riddled with spyware, viruses, adware and all kinds of evil resource hogs to rally popular support for its next generation "solution" to the problem they created. The solution will gradually make them control the world. You know what I'm talking about, right? Palladium, DRM, La Grande (666).
As the island of our knowledge grows, so does the shore of our ignorance.
In other words, you can't opt out of Digital Rights Management. Their "digital rights" are still managed.
I'm sad now... :(
Isn't WMP already spyware? It seems to always want to be connecting to the Internet when I play local media on it.
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
Edelman article
You try to play a file and then see this Image
Most users would know that once some weird web page comes up that they maybe should be careful. But what if it looks like the picture above? You only see an installer and no webpage and you just want to play a file? At that point its not even clear that you were directed to a website since a webpage can be easily hidden leaving only the installer visible. Chances are most people just think they are agreeing to a media files licensed terms.
So yea its debatable what's at fault here, but by design WMP is flawed if this is what can happen if you simply try to play a Windows Media file. Scary stuff.
If you wanna get rich, you know that payback is a bitch
Mod up. Good point. Features disabled Windows is like Windows 95.
So if you don't trust the video source, or set WMP to not download codec you will be safe
Well, no you actually won't be safe...it isn't the codec that is the issue here, it is the acquisition of a license, and as in all Microsoft applications without exception when they added this feature they initially set the defaults to an automatic and hazardous setting.
You are right, however, that if you disable automatic stuff and not be so trusting that you will not be at risk ffrom this vulnerability. I STILL find it quite disturbing about the MS platform that vulnerability seems to be engineered right into the system, even at this late stage in the game when everyone knows better. Yes, you can nail things down and disable bells and whistles, but how usable is that to a typical end user? And if "trusted" computing and DRM is embraced by content suppliers then we'd have no choice--in order to use that content we'd be forced to use a flawed DRM mechanism.
I don't mean to bash Windows specifically because Linux and MacOS could be vulnerable as complexity increases as well. Point is, that DRM really contributes nothing to the user's experience whatsoever so it is useless complexity. Windows is full of useless complexity--moreso than any other platform, and not all of it is driven by pressure from the content industry.
There is a blog called "the new old thing" or something along those lines that I find a fascinating read. It seems that MS has historically been hellbent on being all things to all people, which you can be to a degree when you are a behemoth corporation. Problem is, in MS's case it tries to make *each product* be all things to all people. The hoops and kludges and quirks outlined in that blog that show what that mentality has done to Windows is both fascinating and scary. MS employs some of the smartest, most talented developers on the planet and some of these stories demonstrate their genious--misguided as it is. This quest for compatibility and accommodation has gotten so bad now that typical apps--even "small" integrated ones like WMP--have dozens to hundreds of options buried levels deep in menus. This as much as any buffer overflow or open TCP port is a root cause of the security and reliability problems we have today.
I think we hit the "sweet spot" for the PC "user experience" in about 1995--that is when MS was at its best (but not perfect) with the Win95 interface, and when the MacOS was both pretty and elegant. Since then software in general has slowly been sliding back into the depths of hell in terms of being pleasant to use. Mac OS X is still a great platform, but even it seems to stand out in the crowd less prominently than its ancestor did 20 years ago. The whole reason? It is getting too complex again. I don't wan't my media player to have more switches and indicators on its UI than the Altair and IMSAI had on their front panels.
It seems that 99% of slashdotters didn't understand the article. The article author also has no idea about the subject. Even the "research note" is not perfectly clear.
This is not a security breach in Windows Media Player.
Here is what happens. A wma/wmv DRM protected file needs a license to be played. When WMP plays a file that does not have a license it will open a dialog with a web browser control inside and navigate to the "license store url" that was written inside the file. This feature is called "superdistribution" and it is present in other DRM enabled players as well.
That is all that Windows Media Player does. At most WMP can be acused of not displaying more information about why the dialog was opened. If even the slashdot crowd has problems understanding this, imagine the rest of the computer users.
Once the IE opens the web page it is no different than going to that url yourself in IE.
Crackers are what poly wants. If we ever want to 'take back' the work "hackers" we need to stop using a word which looks and sounds so much like it. Instead call a person who uses technology for nefarious purposes a 'Black Hat' (or 'black hats' for plural).
The force that blew the Big Bang continues to accelerate.
/q makes it go even quicker
I've been developing around DRM, rights management, etc. It's hell in binary form. The SDK is terrible and not so flexible outside of VBScript in certain scenarios (flexible being examples in C++, C#, VB.NET, etc.). It's terrible and even worse, the licenses can be revoked at any given time (but i'm sure this crowd knows that one). It's VERY easy to set up the file to give you spyware. Nothing magical about it. Just package the file with a licensing url that points to something that kinda tells you you have to get it to get the license, and the user is none the wiser. Even more so, license aqusition supports full IE in hidden form (allowing cookies to be used, nice during demo development for clients) so it's quite easy to sneak it by the user. Personally, I hate DRM. It's a joke and a waste of time. It's terrible to work with, terrible to support of multiple license solutions, 9/10 you lock out users when you start going custom on the way you handle it.
Upside is, it is quite flexible when you're trying to implement solutions when you want to force use of _your_ client (like this project). You'll see it hit the market soon and it will piss you off. You'll know it when you see it. Stay away from it. Boycott anything that uses DRM. It's evil as it doesn't give you control over anything that you purchase using the system.
Sorry for the rambling, but just my two cents.
I thought about it again, realized my mistake.
Nonetheless, I enjoyed the mental imagery.
In other news, Microsoft's products has been declared mega crap.
The evidence supporting your points is good, but your conclusion is faulty. There's nothing stopping people from using linux 2.4 even now. In my experience the updates even in 2.4.28 from linux2.6 don't cause problems. The bottom line is 2.4 is still way better than anything microsoft has to offer, and 2.6 is as well (for most systems)
The linux bsd comparisons are not really relevant. Nobody hoped linux would replace Unix. In the same way users were unaware of the sucess of linux back in the 2.4 "era", they are unaware of problems in the 2.6 kernel.
This isn't too bad as long as distributions can stabelize the current half assed vinella kernel.
"And we have seen and do testify that the Father sent the Son to be the Savior of the World"
1 John 4:14
on the linked to research note reference,after first identifying one of the infected sites/downloads, he states
"On a fresh test computer, I pressed Yes once to allow the installation. My computer quickly became contaminated with the most spyware programs I have ever received in a single sitting, including at least the following 31 programs: 180solutions, Addictive Technologies, AdMilli, BargainBuddy, begin2search, BookedSpace, BullsEye, CoolWebSearch, DealHelper, DyFuca, EliteBar, Elitum, Ezula, Favoriteman, HotSearchBar, I-Lookup, Instafin, Internet Optimizer, ISTbar, Megasearch, PowerScan, ShopAtHome Select, SearchRelevancy, SideFind, TargetSavers, TrafficHog, TV Media, WebRebates, WindUpdates, Winpup32, and VX2 (DirectRevenue). (Most product names are as detected by Lavasoft Ad-Aware.) All told, the infection added 58 folders, 786 files, and an incredible 11,915 registry entries to my test computer. Not one of these programs had showed me any license agreement, nor had I consented to their installation on my computer."
$^&*((()! Frikking amazing!
man, fatcity for all the whitebox windows repair guys out there. Guaranteed job security! Hey, you California guys! Take advantage of the new antispyware laws that went into effect, a lot of loot there possibly if you follow through with complaints perhaps!
Hello!?!?!?! Any software based system is junk and as secure as a wet paper bag. You need hardware to get trust.
Trusted computing is set up with hardware on the client side so that Amazon doesn't ahve to store your credit card information anymore. Why should they? Who has access to that? Who the heck knows?
There is no trust without the server, so the server side is set up to verify the client side to make sure the client PC or platform has not been altered for destructive purposes by liars, cheats, hackers or terrorists.
This is all good and I would gladly pay $10 when I buy my PC to have it. Good luck to those that don't but its like going into battle with no armor and no ammo. Pretty dumb.
Crackers? Like trailer park dwelling white folks?
Huh huh. Huh huh. I made a funny. Pretty original, huh? Huh huh.
If AOL would open the WinAmp source, after it was examined by a horde of cranky Slashdotters bent on porting it to Linux, it would be at least believed to be less buggy than WMP.
/.ers who can/do read source and be swayed by it...
I'm not so sure that belief would necessarily follow:
Final versions are available of the 100% open source Helix Player & RealPlayer 10 for Linux, with RealAudio & RealVideo 10 and MP3 support.
Admittedly, this might have more to do with the vocal contingent who hate Real than
Weatherbug does not pretend -- at all -- not to be advertiser supported. When you run it, it tells you it's advertising supported, when you view the reports, you see the advertisements, etc.
Most anti-spyware companies either classify it as a non-threat and ignore it, or as is the case with Giant and Microsoft's new derivitive (and Sunbelt's) classify it as a low threat with a default of "ignore."
Similarly Wild Tangent (the other typically named AIM "spyware") reports back playing of Wild Tangent content files to Wild Tangent. As it turns out, the creator id in the wild tangent file is important to them, because they charge per-view for the use of Wild tangent. This charge goes to the content provider, not to the content viewer, who gets to see the content for free.
Again, it's a matter of definition. Weatherbug tells you up front it's going to deliver ads, delivers ads only when you're using it, and has well documented (on their website) information on what data it sends, when and how.
If you don't want it, there are plenty of alternatives, and AOL doesn't force you to install it.
If your code is acting bloated, and is running rather slow, it's likely and predicted that some loops you will unroll.
i think we all know that 'crackers' is a derogatory term by now
Data is code.
The file-open menu option in all their apps, might as well be titled file-execute. Likewise, whenever you click on an icon in their file manager, don't mislead yourself into thinking that this action just means "load this file into the appropriate application" because what it really means is "execute this program." When someone sends you a file, or you download a file, or you insert removable media that contains a file, don't think of it as just a "file." Think of it as a program. Everything is software. Clicking on a link in their web browser or entering a URL into the location bar, is your way of telling your computer, "I want to download and run that."
Look at it that way, and it all makes sense. There simply aren't any news stories about Windows security, once you understand this. There aren't any security-related bugs either -- this is a feature, not a bug.
If you think Microsoft's programmers are totally incompetent, then you're deceiving yourself, and you're just not looking at things the right way. This is a design issue. Heck, it's a requirements issue. Microsoft has defined the needs of users in such a way, that things simply have to be this way, and as long as you think of Microsoft as a leader, you are subscribing to this point of view. When you buy a Microsoft product, you are stating to the market, that you agree with this principle -- all data should potentially be code.
It is very powerful, I'll give it that. When all data is code, you can do amazing things with computers. And they don't even have to be your own computers. ;-)
Even more reasons not to go legit for downloading music from the internet.
What a puss.
Get a real operating system. I'm sure you'll still be able to run Habbo Hotel. I'm not sure about the Sims, but you'll get over it.
http://shit.slashdot.org/article.pl?sid=05/01/11/1 63254
You have to run spybot and adaware in safe mode. if you dont do that it misses things.
I'll just use my special getting high powers one more time...
I don't know about the rest of you but this sounds more like a MPAA scare tactic to me. Keeping people from downloading "risque" files off the internet that may contain viruses!
It's simply a link in a file that WMP is stupid enough to autolaunch for "ease of use". The problem is more so that it is a means to get to a site that has spyware on it. Which is a problem with WMP, but if IE is secure (and I use the term loosly) then you should be fine. (also assumes you're not an idiot who clicks yes to everything. Specially on files you downloaded that you know full well arn't "safe".)
This "feature" is easy to turn off and if you're not the type that succums to installing spyware in the search for these movies, you're unlikly to have the spyware installed after you've got the movies.
So to reinterate my topic. This is just a MPAA propoganded article to attempt to limit file downloads.
What you want is SELinux, which gives you the ability to individually set what an app can do. For example, you could set your mp3 player to have read only access to all mp3 files, read/write access to it's own config files and the sound device (if not using a sound server), and internet access to freedb, and no other permissions. That way even if the player were compromised by a malicious mp3 file, it couldn't do anything other than trash it's own config files or try to DoS freedb.
|)161t4|_ |200t Manglement :)
There is a very old addage that says if you want to lead you have to know how to follow.
It is true that there are a lot of bad managers. You must have experienced a few.
However, a good manager intuits who has what skills and then they trust that person and follow.
A good manager is a great leader.
What's sad is that you've accepted this as a normal part of using your computer.
Right now I'm using a Debian system that's been installed for four years -- and running the "unstable" branch, so there are new versions of packages (sometimes containing bugs) almost daily -- and it with a little care and feeding on my part, it's still running cleanly. I certainly wouldn't want to have to reinstall and lose all the work I've put into getting my system set up the way I like it.
It is sad. That's why I have run linux, and am typing this from my powerbook.
it's normal for my windows machines, I haven't owned the apple long enough yet, and well linux doesn't last cause I change distro's because i was bored.
My windows don't last due to use, my linux os's don't last cause i keep changing them.
What comes next?
i thought once I was found, but it was only a dream.
I remember posts on boards that I visit predicting this would happen when M$ first released their descriptions.
M$'s response: "nawwwww..."
Another system had a few hundred copyies of Netsky and MyDoom variants on it.
What part of "gestalt" don't you understand?
I've had the following in my signature file rotation for some time. Looks as if it's starting to be fulfilled:
What part of "gestalt" don't you understand?
Sure: sudo aptitude install foo
Oh yeah, can't do that in legacy MS Windows. Don't talk to me about "Run As". Should be called "Run as...maybe, if I feel like it...but it will probably break." A little long for an advertising jingle, but accurate.
Sorry, but the idea of losing 60 windows worth of state, including several editor and mailer sessions, and nine browser windows with on the order of 100 open tabs, just to install/update software, sucks.
My desktop session's been running for over a month. In the meantime I've updated my system almost daily, as well as several others on the local network. Without having to physically access those other boxes (unless using one as a footrest counts).
What part of "gestalt" don't you understand?
For those who prefer group policy over screwing with the wmp settings (good for hiding settings from family) and can't find it: it's in Computer Configuration -> Administrative Templates -> Windows Components -> Windows Media Digital Rights Management. My family is smart enough to check options, but not smart enough for gpedit.msc. muahahaha.
[!] No, I can't see my comments. They are not worthy of +3 moderation.
Its ironic indeed when someone trying to explain the meaning of irony is confused and mistakenly thinks that unexpected and incongruous are the same thing. Unexpected events are not ironic, unexpected incongruous events are - a black fly in your chardonnay is not ironic, as part of a greater chain of incongruous events it may well be, but in and off itself it definitely aint.
This is one reason why I've stuck to Windows Media player 7.1 and Win98SE. Yes, I'm serious.
:)
However, on the Linux side I use mplayer, xine and xmms...
.
== WolfriderV6 == I'm willing to admit that *I just might* be wrong... Are you??
There was a really insightful bit I read in some GNOME (was it GNOME?) interface guidelines handbook, which said that people don't want confirmation dialogues, they want to be able to undo things. Which is why the 'recycle bin' is the right solution to the accidental-deletion problem, and the confirmation is not, as people in the process of deleting something will regard the confirmation as simply another step in the process, and hit enter automatically.
--grendel drago
Laws do not persuade just because they threaten. --Seneca
The only real solution is a usable windows port of xine-lib or mplayer
Worked out of the box for me.
--grendel drago
Laws do not persuade just because they threaten. --Seneca
The trouble begins when software requires outside assistance. Whats with all this outside assistance anyways? Since when do we all of a sudden need a license to listen to stuff. I never needed a license to make a copy of music on the radio or record a TV show on my VCR.
Don't you think companies are taking this encryption and licensing crap too far? Perhaps Notepad or Calc should be licensed too. Helk, I may have the need to add some numbers and type some text and God only knows who has the patents on the letter 'H' and the number 7!!
I keep my Windows box behind a NAT firewall. I don't run IE, and I don't run Outlook. I don't install stuff I downloaded from the Intarweb. But I tried to watch a movie, and lo! for the first time in two or three years of running Windows XP, I got infected with spyware. The reason this is such a big deal is because a movie file is just media data. It never occurred to me, and probably never to you, that I should hunt around WMP to find the option to stop it automatically fetching other data. That there is the crux of it. Why the fuck would I ever consider a /media player/ a likely source of trojan installation? And if I, who has gone to some lengths (though not as far as I could have or should have gone) to protect myself, and knows not to click "Yes," can be caught by this happening silently (no, I never clicked 'Yes' or accepted an option for this to happen by default; WMP installed like this, silently) how the hell is someone less technically inclined supposed to get by?
Worse yet, what else is going to do this sort of thing? Will ZIP files start executing arbitrary code? Will images start requiring 'licenses' too? Should I hunt around the multitude of configuration options in every program I run, in all the odd places and incomprehensible terminology those options can be, trying to stop them doing anything as stupid as this?
No, Microsoft fucked up big by allowing media data to be more than media data.
The fact that I can never entirely get rid of IE doesn't help either, because everything Microsoft and a bunch of other things also use the IE engine. See the WinAmp skin exploit, for example.
Is it just me, or did this title make anyone else think of a bunch of rednecks sitting around on a front porch, drinking beer, talking sports, cars, and coon dawgs, with a 196s clock radio tossed off the end of the porch and a computer sitting on a wire spool with car speakers jury rigged to it, and Windows MediaPlayer running on a 13" monitor in 640x480 mode?
[Run-on sentences a specialty]
^-- That doesn't equate. WMP7.1 has DRM too. Heck, even WMP6 does.
If it does, I've never seen it. And you have to admit, even if it has some DRM, it's nowhere NEAR what WMP 9+ has.
.
== WolfriderV6 == I'm willing to admit that *I just might* be wrong... Are you??