Slashdot Mirror


Teenage Blogger Finds Gmail Hole

cpm80 wrote to mention the news that a 14 year old blogger has identified a security hole in the Gmail webmail service. From the Network World article: "He wrote that he was trying to e-mail JavaScript code from a Yahoo account to a G-mail account. The code will run in a preview pane, he wrote. But if the code is mailed from one Gmail account to another, it is filtered out, he said. Some visitors to the blog reported being able to replicate the findings, but others said later that they were not able to and that the supposed flaw had been fixed."

268 comments

  1. How long until he's in Gimto by RedHatLinux · · Score: 0, Troll

    Seriously though, how hard do you think the hammer will come down on him?

    1. Re:How long until he's in Gimto by Anonymous Coward · · Score: 0

      Gimto huh. Wonder where that is....

    2. Re:How long until he's in Gimto by TechSnack · · Score: 0

      I don't think he did anything wrong... he just documented what he observed.. AFAIK, there is nothing wrong with trying to email a javascript...

    3. Re:How long until he's in Gimto by Anonymous Coward · · Score: 0

      Gimto huh. Wonder where that is....

      It's the magical world where all the tin foil hat wearers live.
      They spend their day saving the world by surfing the web for barnyard porn and pics of Japanese schoolgirls.
      However, the evil fascist government, which eats freedom, is always trying to stop them.

    4. Re:How long until he's in Gimto by Anonymous Coward · · Score: 0

      It's in Cuab.

    5. Re:How long until he's in Gimto by generic-man · · Score: 1

      He found a flaw in a piece of beta software. Where's the controversy? It's not like people were running their business off a Gmail account or anything...

      --
      For more information, click here.
    6. Re:How long until he's in Gimto by Merciful+Oblivion · · Score: 1

      What's Gimto?

      --
      "I have neither the wit, nor words, nor worth to stir mens blood, I speak only right on". Billy Shakespeare
    7. Re:How long until he's in Gimto by ClockN · · Score: 1

      Anywhere near Cuba?

      --
      There are 10 types of people in the world... those who understand binary and those who don't.
    8. Re:How long until he's in Gimto by Anonymous Coward · · Score: 0

      I think it's a new Linux distro.

    9. Re:How long until he's in Gimto by ClockN · · Score: 1
      --
      There are 10 types of people in the world... those who understand binary and those who don't.
    10. Re:How long until he's in Gimto by Anonymous Coward · · Score: 0

      Of course not. What gave you that silly idea?

    11. Re:How long until he's in Gimto by chad_r · · Score: 1

      What about the sole (both administrator and technical) contact for the entire Iraq domain?

    12. Re:How long until he's in Gimto by PFI_Optix · · Score: 1

      No, it's closer to Flordia.

      --
      120 characters for a sig? That's bloody useless.
    13. Re:How long until he's in Gimto by Woldry · · Score: 1

      You mean somewhere in the Caribeban?

      --
      How can a post be modded "overrated" or "underrated" when it hasn't been rated yet?
    14. Re:How long until he's in Gimto by generic-man · · Score: 1

      Iraq's a beta country: occasional big glitches here and there, but some people seem to trust in it a lot more than others. It seems only natural that they'd rely on a beta e-mail service. :)

      --
      For more information, click here.
    15. Re:How long until he's in Gimto by Anonymous Coward · · Score: 0

      "There are 10 types of people in the world... those who understand binary and those who don't."

      There are 10 types of people in the world... those who understand binary and those who have friends.

    16. Re:How long until he's in Gimto by muszek · · Score: 1

      by the time you finished typing your comment, 2 newer distros were released. man, you must practise and go beyond 60 wpm!

    17. Re:How long until he's in Gimto by wampus · · Score: 1

      I am scared by how many of my clients are using one AOL, Earthlink, Gmail, Hotmail, etc. mailbox for their entire company.

    18. Re:How long until he's in Gimto by Pentavirate · · Score: 1

      Oddly, it's in Cuba.

    19. Re:How long until he's in Gimto by alpha_foobar · · Score: 1

      new. not newest.

    20. Re:How long until he's in Gimto by weierstrass · · Score: 1

      welcome to missing the joke

      drive carefully.

      --
      my password really is 'stinkypants'
    21. Re:How long until he's in Gimto by Anonymous Coward · · Score: 0

      He said newer, not newest... so you're both wrong.

    22. Re:How long until he's in Gimto by Anonymous Coward · · Score: 0

      No Japna.

  2. So the story is? by Osrin · · Score: 5, Funny

    Something happened, he is not sure what, and now nobody can replicate it.

    Stuff that matters huh?

    1. Re:So the story is? by GillBates0 · · Score: 1

      And then like every kewl teenager on the blogosphere is going like "huh, OMG".

      --
      An Indian-American Hindu committed to non-violent thought/speech/action alarmed by the global explosion of radical Islam
    2. Re:So the story is? by Zenmonkeycat · · Score: 1

      The story is that Zonk posted a statement by cpm80 stating that Network World ran an article about a guy who wrote a blog entry about something he did.

      --

      *****
      Dear Mary,
      I yearn for you tragically,
      A.T. Tappman, Chaplain, U.S. Army.

    3. Re:So the story is? by jeffshoaf · · Score: 0

      > Something happened, he is not sure what, and now nobody can replicate it.

      Sounds like the average slashdotter's sex life...

      .

      --
      Putting the "anal" back into "analyst"...
    4. Re:So the story is? by Anonymous Coward · · Score: 0

      Well, after Zonk finished BLOWING HIS WAD in the poor kid's mouth, the kid insisted that Zonk publish his little find...

    5. Re:So the story is? by mdshort · · Score: 1

      Actually, this story was on Digg yesterday; several people were able to reproduce it until a few hours passed and Google apparently fixed it.

      You can't do it from gmail to gmail, it has to be an outside source.

  3. Security flaw? by Anonymous Coward · · Score: 0

    I'm probably just very very dense, but ... out of the description, how is that a security hole?

    1. Re:Security flaw? by triptolemus · · Score: 2, Interesting

      You're not dense, the article is...

      He wrote that he was trying to e-mail JavaScript code from a Yahoo account to a G-mail account. The code will run in a preview pane...

      in *a* preview pane... what preview pane... where? Yahoo's preview pane? How is that google's problem?

      I'm totally confused...

    2. Re:Security flaw? by dotpavan · · Score: 1

      the code was "supposedly" executed in the preview pane of Gmail.

    3. Re:Security flaw? by DieNadel · · Score: 2, Insightful

      It could be used for Cross-Site Scripting (XSS), for instance, meaning that someone could send you an email and collect information on you, or make you think you're on google, but really be on another site, etc.

      The preview pane is what you see before you read the message (when the list of messages is displayed - e.g. your Inbox).

      --
      Utinam logica falsa tuam philosophiam totam suffodiant!
    4. Re:Security flaw? by LittleKing · · Score: 1

      I agree; how is it a security threat if it is removed from the email? Would it not have to be in the email to cause damage? Maybe I'm just dense too. Someone care to enlighten us?

      --
      Art by Mindy Herman, my wife.
    5. Re:Security flaw? by Soybean47 · · Score: 1

      The claimed security hole is that it is not removed if it's sent from Yahoo mail. Removing the code is the desired behaviour.

    6. Re:Security flaw? by Se7enLC · · Score: 1

      Read the article.

      It says that when you send an email from gmail, the code is removed. When you send it from Yahoo, the code executes right in the gmail inbox preview. The fact that javascript from the email executes in the gmail inbox is the security hole - anybody can email javascript to you and it will execute without your permission.

      But anyway, the hole must be fixed, I can't reproduce the problem, either.

    7. Re:Security flaw? by jackbarnett · · Score: 1

      Kid sends email from Yahoo -> Gmail; email contains javascript.
      When he checks his gmail account, that email automatically executes the javascript.
      Google has since fixed the problem.
      This was more "proof of concept", that it would work, but a creative javascript code slinger could probably write something for malicious purposes or that could do harm.

    8. Re:Security flaw? by tpgp · · Score: 2, Informative

      I'm probably just very very dense, but ... out of the description, how is that a security hole?

      Basically - you don't want someone to be able to send you javascript that will execute when you read a message. It can allow the attacker far too much leeway (within the confines of your browser).

      Here's an (old) example that affected Microsoft's hotmail service that gives you an idea of why you don't want javascript sent to you to execute.

      Less seriously - it makes it trivial for spammers to verify that someone is opening their spam.

      --
      My pics.
    9. Re:Security flaw? by Anonymous Coward · · Score: 0

      It says it is only removed when it is sent gmail to gmail. So you can send an email from Yahoo to a gmail account, place some code in that reads something from the users inbox, and then open a window sending this information to a waiting php/asp/etc. page.

    10. Re:Security flaw? by Nikker · · Score: 1

      I guess if someone else's javascript ran while reading Gmail it would be a bad thing. With Gmail (DHTML) most of the headers and some content of your messages are loaded in your browser. Everything loaded in your browser is a part of the DOM, which javascript can copy, send or hide or I guess even change. Don't forget though, since Google's javascript is also running, we don't know for sure if it will let the other script run, crash the browser, slow everything right down or just do whatever it wants. Theoretically it could copy every branch of the DOM and send it as an object, but as far as I know javascript can only communicate to the server from which it sources.

      --
      A loop, by its nature, continues. If that didn't make sense, start reading this sentence again.
    11. Re:Security flaw? by gavri · · Score: 1

      gmail provides a "preview" of each mail (first few words from the body of the mail) in the inbox.

    12. Re:Security flaw? by dioscaido · · Score: 1

      No, the security hole is that gmail will execute javascript in e-mail. You can't assume that all clients on the web will filter out javascript before sending them gmail's way.

    13. Re:Security flaw? by DRAGONWEEZEL · · Score: 1

      THANK YOU!

      You stated that in clear terms that hopefully everyone else understands. I read the article, but saw too many posts saying "so what?" or "that's not a security breach."

      --
      How much is your data worth? Back it up now.
  4. Fixed by hetairoi · · Score: 4, Informative

    SANS Internet Storm Center says it's fixed. Seems pretty silly.

    --
    you're all figments of my deranged imagination
    1. Re:Fixed by pingveno · · Score: 1

      The SANS post about Professor 'Packetslinger', which was linked to in a Slashdot article yesterday, had a link to the SANS post that is linked in this Slashdot article. Old news.

      --
      "it's not about aptitude, it's the way you're viewed" - Galinda
    2. Re:Fixed by nevernamed · · Score: 1

      I agree. I don't even know what the hell he's talking about.

  5. new? by nkkdprgrmmr · · Score: 1

    I didn't realize this was new. I vaguely remember hearing about this a year or so ago. Actually, it was with any embedded javascript, images, etc., I think.

    --
    I see Windows, I see Mac. I see Linux on the rack.
    1. Re:new? by Anonymous Coward · · Score: 0

      i think not

    2. Re:new? by nkkdprgrmmr · · Score: 1

      Ok.. I guess. This is probably what I was thinking of, but I knew it was fudging with any embedded scripts. http://www.gmailforums.com/lofiversion/index.php/t9312.html Notice the date.

      --
      I see Windows, I see Mac. I see Linux on the rack.
  6. Well... by Ayanami+Rei · · Score: 1

    ... it's a testament to the speed of the Google code slingers.

    As the old slashdotism proclaims: "Nothing to see here. Move along"

    --
    THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
  7. Just one flaw by mrsulu · · Score: 1

    Well, it's not like there's a risk of taking down the system with this single bug, but an interesting story nevertheless. I wonder how many of these have been discovered previously?

    --
    "I lie right back and turn the radio on..."
    1. Re:Just one flaw by Bogtha · · Score: 2, Interesting

      it's not like there's a risk of taking down the system with this single bug

      If you can get somebody to execute Javascript of your choosing in the security context of the gmail.com domain, then you can fairly easily write a worm that reproduces by emailing itself to everybody in your contacts list. A worm like that does stand a chance of bringing down the system.

      --
      Bogtha Bogtha Bogtha
    2. Re:Just one flaw by mrsulu · · Score: 1

      Oh! I forgot that the script isn't filtered out by Yahoo, which means you're right, and such a flaw could be a very serious problem after all. Thanks for the reminder. :)

      --
      "I lie right back and turn the radio on..."
  8. -- oh and that they read Digg... :-) by Ayanami+Rei · · Score: 1

    nt

    --
    THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
    1. Re:-- oh and that they read Digg... :-) by Anonymous Coward · · Score: 0

      I really doubt that any of the programmers that work at Google read Digg on a regular basis. Digg is a terrible site and that's blatantly obvious by reading a few stories and any of the comments. I have yet to meet a single knowledgeable programmer that reads Digg.

    2. Re:-- oh and that they read Digg... :-) by sjaskow · · Score: 0

      You'd have to define knowledgeable? I consider myself a knowledgeable coder and I read digg. And, no, "knowledgeable" doesn't mean HTML, it means C, C++, Java, PHP, Ruby, etc.

    3. Re:-- oh and that they read Digg... :-) by patiodragon · · Score: 1

      And there is better stuff on Slashdot really?

    4. Re:-- oh and that they read Digg... :-) by hamoe · · Score: 2, Insightful

      Yes. Certainly more mature posters, at least when I don't read at -1.

    5. Re:-- oh and that they read Digg... :-) by Anonymous Coward · · Score: 0

      Slashdot isn't even close to perfect but it's much better than Digg. Reading Digg is like eating paste.

    6. Re:-- oh and that they read Digg... :-) by rm69990 · · Score: 2, Insightful

      The quality of some of the submitted stories on Digg is absolutely pathetic. And 99% of the comments are one liners written by complete morons. So yes, Slashdot has better stuff. When reading the news, I care about quality over quantity and speed.

      Some examples from the front page of Digg.com:

      --"Women will get sterile just looking at you", Star Wars fans uncool??

      A man was so bold as to blog that being a hard core Star Wars fan is social suicide. He backed up his statement with some hilarious convention pics and captions.

      --Hidden task killer in Windows XP!

      Most people probably know that Windows XP comes with a darn useful task killer. Lets you kill anything automatically!

      --Zombie MMO???

      A buddy of mine just forwarded me this link. Turns out the name mean lifeless in Latin. Does anyone know anything about this? I'm a HUGE Zombie and HUGE MMO fan!!!

      --EA's Exclusive Contract With The NFL May Be Voided!

      If the dispute between the NFLPA and the NFL continues then anti-trust rules will apply. If this happens then EA's contract is null and void!

      --LEGO brick USB drive

      The perfect USB drive. Why doesn't LEGO sell these?

      So what is Digg? A news site, or a place for geeks to dump their filth? Sorry, I don't go out of my way online to read garbage, and that includes teasers written by retards. And I'm not even going to bother replicating some of the comments here.

  9. Gimto by Anonymous Coward · · Score: 0

    Is that like Vimto, with extra gin?

  10. He wrote, this is my comment. by Anonymous Coward · · Score: 0

    After this comment, he wrote. He wrote, he likes to write he wrote.

  11. Lack of Responsibility by Rolan · · Score: 1

    This error should have been reported to Google and the appropriate mailing lists, not posted on a blog. Fortunately, Google responded quickly to resolve the issue before it caused damage.

    --
    - AMW
    1. Re:Lack of Responsibility by geekoid · · Score: 1

      Publicly exposed errors get fixed faster.

      Once you tell a company of the issue, it then becomes possible for that company to take actions to shut you up.

      --
      The Kruger Dunning explains most post on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
    2. Re:Lack of Responsibility by kevin.fowler · · Score: 1

      Reporting something to Google doesn't get you pageviews.

      --
      Bury me in mashed potatoes.
    3. Re:Lack of Responsibility by Anonymous Coward · · Score: 0

      Wrong.

    4. Re:Lack of Responsibility by Anonymous Coward · · Score: 0

      This error should have been reported to Google and the appropriate mailing lists, not posted on a blog. Fortunately, Google responded quickly to resolve the issue before it caused damage.

      Fuck that, he should have been dragged out into the street and horsewhipped. This is unacceptable. What kind of country would allow its people to say or write what they please? No corporate run country that I know of should ever tolerate such things as freedom of speech or press. We owe our corporate masters everything and should never question or defy their wisdom and power. A corporation making a mistake by creating a faulty product has every right to punish consumers. Ford was correct in killing innocent people who bought their Pintos. The true crime was committed by the people who discovered Ford's flaw and coverup. HOW DARE THEY question their corporate masters.

      I am sorry for the language, but I am truly disgusted by this child. Doesn't he understand that today's society has no tolerance for people pointing out flaws in large corporations' software? Sure, by every right, companies that produce faulty crappy code should get what they deserve and go out of business. Some left wing psycho might even suggest that these fucking companies own up to their mistakes instead of passing the blame onto (FUCKING) children for their complete, absolute, utterly complete incompetence.

      In fact, we should start rewarding these business for creating faulty software. Wait, we do. We give them money, and when they make a HUGE FUCKING MISTAKE, we punish those who found their HUGE FUCKING (THEY SHOULD BE PUT OUT OF BUSINESS) MISTAKES and never the companies. Thank god for FREEDOM, GOD BLESS THE UNITED CORPORATIONS OF AMERICA!

    5. Re:Lack of Responsibility by Anonymous Coward · · Score: 0

      Wow, a really smart one there....

    6. Re:Lack of Responsibility by Anonymous Coward · · Score: 0

      Here's a thought. If every time a company sold or distributed a piece of software before they secured it properly, THEY paid the penalty and fines. Then again, if we forced the responsibility on the corporations, the next thing you know we would start seeing working secure software all over the place. Why would anyone want that? Much easier to completely ignore their incompetence.

      Speaking of, last week there was a mistake at my bank. They accidentally took all the money in the safe and left it on the street corner overnight. Would you believe people walking by took some of the money? We'll get em though. The bank told me it's not their fault, it's the people who took the money who are to blame. It's not the bank's job to secure the money, it's the entire rest of the world's job not to take it when they leave it out in the wide open.

  12. Beta software by Anonymous Coward · · Score: 0

    Beta software like GMail has bugs in it? Holy cow!

    No matter how many people are helping them test it, it's still a beta.

  13. Not surprising by Bogtha · · Score: 3, Interesting

    Google have shown repeatedly that they don't understand how to deal with Javascript securely. Example.

    --
    Bogtha Bogtha Bogtha
    1. Re:Not surprising by Derek+Pomery · · Score: 1

      The fellow questioning the failure to filter anything but http (and hopefully he meant https too) doesn't know his src tags.
      Not only can data URLs be in there, but absolutely any protocol is legal.
      ftp for example is in fact used, as are others.
      And of course the URLs can be relative.
      Sure it is possible to try and handle every combination, but I don't see anything wrong with the google fix.

      --
      -- perl -e'print pack"H*","6e656d6f406d38792e6f7267"' /. ate my old sig. Bastards.
    2. Re:Not surprising by Derek+Pomery · · Score: 1

      yeah, src attribute.
      should've previewed.

      --
      -- perl -e'print pack"H*","6e656d6f406d38792e6f7267"' /. ate my old sig. Bastards.
    3. Re:Not surprising by Bogtha · · Score: 1

      That's precisely the problem. Instead of only allowing known-safe protocols, they've let everything through but particular ones they know are unsafe. Anybody with five minutes' experience knows that is a recipe for disaster - do you really think you can anticipate everything that is likely to be unsafe? Including things like java\script, java\nscript, view-source:, etc? Including proprietary, undocumented Internet Explorer-isms and Netscape-isms? This is precisely the attitude that left MySpace wide open to the Samy worm.

      Blacklisting certain string combinations is inherently unsafe in this situation, whitelists should be used. Google should know better.

      --
      Bogtha Bogtha Bogtha
    4. Re:Not surprising by panaceaa · · Score: 1

      There are undoubtedly numerous experts at Google that know about XSS mitigation techniques. However, there's a big difference between knowing how to do something and having enough time in your schedule to properly design code that's not vulnerable to cross-site scripting attacks and having enough resources to test the design. I think the responsibility for this problem lies in the QE and scheduling rather than in Google's supposed incompetence.

    5. Re:Not surprising by Derek+Pomery · · Score: 1

      That may well be, I was just questioning the overly broad generalisation of the person on the other site.
      It may well be they put a quick black list in while working on a white list.
      Heck, the white list may be there now, have you checked? :)
      Actually, it could even be server side. Who knows.

      --
      -- perl -e'print pack"H*","6e656d6f406d38792e6f7267"' /. ate my old sig. Bastards.
    6. Re:Not surprising by lucifuge31337 · · Score: 1

      You got it right.

      Rule #5 of network security: enumerate goodness, not badness.
      It goes right along with rule number 1: default=deny, not permit.

      --
      Do not fold, spindle or mutilate.
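      The allow-list principle that Bogtha and lucifuge31337 argue for above, as an added example that is not code from the thread or from Google: a small Python sanitiser that keeps only http/https (and relative) URLs in src/href attributes, shown next to the prefix blacklist it replaces. The scheme allow-list, the function and class names, and the sample mail body are all assumptions made for the example; the "java&#10;script" case is the newline-in-scheme trick Bogtha mentions, and it slips through the blacklist because the comparison is done before the browser-style whitespace stripping.

```python
import re
from html import escape
from html.parser import HTMLParser

# Assumption: the only schemes a webmail renderer should let through in
# src/href attributes. Everything else (data:, ftp:, view-source:, javascript:,
# vendor-specific schemes) is dropped. Relative URLs are kept because they
# resolve against the mail service's own origin.
ALLOWED_SCHEMES = {"http", "https"}

_LEADING_CONTROLS = re.compile(r"^[\x00-\x20]+")
_SCHEME = re.compile(r"^([^/?#]*):")


def scheme_of(url: str):
    """Scheme of `url` after browser-like normalisation, or None for a relative URL.

    Browsers drop tab/CR/LF anywhere in a URL and leading control characters
    before reading the scheme, so the filter normalises the same way first.
    Anything before the first ':' (even a malformed token such as 'java\\script')
    is treated as a scheme so that the allow-list, not a guess, decides.
    """
    cleaned = url.replace("\t", "").replace("\n", "").replace("\r", "")
    cleaned = _LEADING_CONTROLS.sub("", cleaned)
    m = _SCHEME.match(cleaned)
    return m.group(1).lower() if m else None


def is_safe_url(url: str) -> bool:
    """Allow-list check: relative URLs and the allowed schemes only."""
    scheme = scheme_of(url)
    return scheme is None or scheme in ALLOWED_SCHEMES


# The fragile approach the thread criticises: deny a few known-bad prefixes.
BLOCKED_PREFIXES = ("javascript:", "data:")


def blacklist_allows(url: str) -> bool:
    return not url.lower().lstrip().startswith(BLOCKED_PREFIXES)


class UrlAttributeFilter(HTMLParser):
    """Rebuilds the markup it sees, dropping src/href values that fail is_safe_url.

    Only URL attributes are handled here; a real mail sanitiser also needs an
    element and attribute allow-list (no <script>, no on* handlers, ...).
    """
    URL_ATTRS = {"src", "href"}

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out = []
        self.dropped = []  # (tag, attribute, value) triples removed from the output

    def _emit_tag(self, tag, attrs, self_closing=False):
        kept = []
        for name, value in attrs:
            # HTMLParser has already decoded entities, so "java&#10;script:" arrives
            # as "java\nscript:" and is normalised like a browser would.
            if name in self.URL_ATTRS and value is not None and not is_safe_url(value):
                self.dropped.append((tag, name, value))
                continue
            kept.append((name, value))
        attr_text = "".join(
            f' {n}="{escape(v, quote=True)}"' if v is not None else f" {n}" for n, v in kept
        )
        self.out.append(f"<{tag}{attr_text}{' /' if self_closing else ''}>")

    def handle_starttag(self, tag, attrs):
        self._emit_tag(tag, attrs)

    def handle_startendtag(self, tag, attrs):
        self._emit_tag(tag, attrs, self_closing=True)

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")


def sanitize_url_attributes(fragment: str):
    """Return (sanitised_html, dropped_attributes) for an HTML mail body fragment."""
    p = UrlAttributeFilter()
    p.feed(fragment)
    p.close()
    return "".join(p.out), p.dropped


# Constructed sample mail body: one benign image, one newline-obfuscated script
# URL, one data: link and one relative link.
CONSTRUCTED_MAIL_BODY = (
    '<p>Hello</p>'
    '<img src="https://example.com/logo.png">'
    '<img src="java&#10;script:void(0)">'
    '<a href="data:text/html,hi">link</a>'
    '<a href="/inbox">Inbox</a>'
)

if __name__ == "__main__":
    html_out, dropped = sanitize_url_attributes(CONSTRUCTED_MAIL_BODY)
    print(html_out)
    for tag, attr, value in dropped:
        print(f"dropped <{tag} {attr}> = {value!r}")
    print("blacklist lets the newline trick through:", blacklist_allows("java\nscript:void(0)"))
```

      The comparison worth noticing is that blacklist_allows("java\nscript:void(0)") is True while is_safe_url rejects it; adding another prefix to the blacklist would not help with the next variant, whereas the allow-list never has to know what the attacker will try.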
    7. Re:Not surprising by Tellalian · · Score: 1

      Could you explain how this is a security hole? The guy figured out how to execute javascript in his own browser, but no one else's. I guess he's in trouble if he hacks himself...

  14. Dude, he's 14! by TCQuad · · Score: 2, Funny

    This error should have been reported to Google and the appropriate mailing lists, not posted on a blog. Fortunately, Google responded quickly to resolve the issue before it caused damage.

    If this was a security expert or professional programmer or the like, I'd agree. But he's 14! Teenagers nowadays can barely open a door without first blogging about the experience. He saw something, he said he saw something. Now he gets a little recognition, Google fixes it and everyone goes home happy.

    1. Re:Dude, he's 14! by Anonymous Coward · · Score: 0

      I still think it's common sense to let someone know about a problem before you announce it to the world.

      Sadly, even some who call themselves security experts are more interested in attention than ethics:

      http://blog.php-security.org/archives/11-You-get-what-you-pay-for.html

      Who do we hold accountable for their actions and when? I don't think it's an easy answer.

  15. Gmail security can be over agressive too by frovingslosh · · Score: 2, Insightful
    Unfortunately, I find I have problems with Gmail security the other way. Gmail blocks outbound attachments with exe files, even when those files are included inside zip files. I write programs and occasionally have to e-mail a client a change. Yet, unless I want to try to get my low-tech users to use more tools to help me sneak something past the Gmail filtering, I have to use a second e-mail account when I want to send out EXE files.

    I'm all for Google not doing stupid things on their web interface, but I don't think they should be encouraged to be even more aggressive and invasive as to what we send and receive in our e-mail. Claiming you are doing this for the users' protection just assumes that all of your users are idiots, and if you build a system that repeatedly makes that assumption then eventually all of your users will be idiots, as you will drive the others away.

    --
    I'm an American. I love this country and the freedoms that we used to have.
    1. Re:Gmail security can be over agressive too by Attrition_cp · · Score: 1

      I had a similar problem with emailing myself backup stuff from college computers to get at later.

      I found the best way was to just rename the extension of the .zip or .fakezip or anything other than zip. They only check on .zips. Send a .rar and it will also not be scanned.

      --
      Touched By His Noodley Appendage.
    2. Re:Gmail security can be over agressive too by Anonymous Coward · · Score: 0

      quick fix for your exe problem.... rename file.exe to file.txt...... Send through gmail... DL attached file rename file.txt to file.exe

      Problem solved.

    3. Re:Gmail security can be over agressive too by Nos. · · Score: 1

      password protect the zip file

    4. Re:Gmail security can be over agressive too by carleton · · Score: 1

      Err... no...
      Process:
          Send email with .exe ... bounced
          Send email with .exe renamed to .txt ... bounced
          Send email with .exe zipped ... bounced
          Send email with .exe, zipped, zip renamed ... bounced
          Send email with .exe, zipped, encrypted ... still bounced (I'm guessing my zip program kept the file table unencrypted)
          Send email with .exe, renamed to .txt, zipped, encrypted ... gets through, now brother can't figure out how to get the file ...
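      Content-based attachment inspection, as an added example that is not code from the thread or from Gmail, for the renaming and nesting cases carleton and the other posters describe: it identifies executables by the PE "MZ" signature and walks nested ZIP archives by content rather than by extension, and reports encrypted entries whose data it cannot read (their names stay visible in the archive's file table, which matches carleton's encrypted-zip observation). The sample attachments are constructed in the block, and all function names, limits and the extension set are assumptions.

```python
import io
import os
import zipfile

# Magic numbers used for detection. A PE executable starts with the DOS "MZ"
# stub; a non-empty ZIP archive starts with a local file header. Checking the
# content rather than the name is what defeats .exe -> .txt and .zip -> .piz.
MZ_MAGIC = b"MZ"
ZIP_MAGIC = b"PK\x03\x04"

# Assumed policy values for the example.
EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".scr", ".com"}
MAX_ENTRY_BYTES = 50 * 1024 * 1024   # refuse to inflate anything larger (zip-bomb guard)
MAX_DEPTH = 3                         # how many archive layers to descend


def looks_like_pe(data: bytes) -> bool:
    return data[:2] == MZ_MAGIC


def looks_like_zip(data: bytes) -> bool:
    return data[:4] == ZIP_MAGIC


def extension_only_blocks(name: str) -> bool:
    """The filter that renaming defeats: decides on the file extension alone."""
    return os.path.splitext(name)[1].lower() in {".exe", ".zip"}


def scan_attachment(name: str, data: bytes, depth: int = 0) -> list:
    """Return findings (strings) for executables found in `data`, by content.

    Nested archives are opened recursively up to MAX_DEPTH. Encrypted entries
    cannot be read, so they are judged by name and flagged as uninspected.
    """
    findings = []
    if looks_like_pe(data):
        findings.append(f"{name}: PE executable (MZ header)")
        return findings
    if not looks_like_zip(data):
        return findings
    if depth >= MAX_DEPTH:
        findings.append(f"{name}: archive nested deeper than {MAX_DEPTH}, not inspected")
        return findings
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        findings.append(f"{name}: ZIP signature but unreadable archive")
        return findings
    with archive:
        for info in archive.infolist():
            inner = f"{name}/{info.filename}"
            ext = os.path.splitext(info.filename)[1].lower()
            if info.flag_bits & 0x1:
                # Encrypted entry: the file table still names it, the content is opaque.
                if ext in EXECUTABLE_EXTENSIONS:
                    findings.append(f"{inner}: encrypted entry with executable name")
                else:
                    findings.append(f"{inner}: encrypted entry, content not inspected")
                continue
            if info.file_size > MAX_ENTRY_BYTES:
                findings.append(f"{inner}: entry exceeds {MAX_ENTRY_BYTES} bytes, not inflated")
                continue
            findings.extend(scan_attachment(inner, archive.read(info), depth + 1))
    return findings


def fake_pe() -> bytes:
    """Constructed stand-in for an .exe: only the MZ signature matters here."""
    return MZ_MAGIC + b"\x90\x00" + b"\x00" * 62 + b"This program cannot be run in DOS mode."


def build_zip(entries: dict) -> bytes:
    """Build an in-memory ZIP from {name: bytes}; constructed test data only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for entry_name, content in entries.items():
            zf.writestr(entry_name, content)
    return buf.getvalue()


def demo() -> dict:
    """Scan a set of constructed attachments covering the tricks named in the thread."""
    pe = fake_pe()
    samples = {
        "update.exe": pe,
        "update.txt": pe,                                        # .exe renamed to .txt
        "update.piz": build_zip({"update.exe": pe}),             # archive renamed
        "update.update": build_zip({"inner.zi_": build_zip({"tool.txt": pe})}),  # nested + renamed
        "notes.txt": b"plain text",
        "photos.zip": build_zip({"a.txt": b"hello"}),
    }
    return {n: scan_attachment(n, d) for n, d in samples.items()}


if __name__ == "__main__":
    for attachment, findings in demo().items():
        print(f"{attachment}: ext-filter={'block' if extension_only_blocks(attachment) else 'pass'} "
              f"content-scan={findings or 'clean'}")
```

      The point of the comparison is that extension_only_blocks passes "update.txt", "update.piz" and "update.update" while the content scan finds the executable in each, and that the scan still has an honest answer for what it cannot see: an encrypted entry is reported as uninspected rather than silently passed.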

    5. Re:Gmail security can be over agressive too by inkdesign · · Score: 1

      I've had no problem just renaming the files to *.ex and zipping them.

    6. Re:Gmail security can be over agressive too by redfood · · Score: 1

      I've been changing .zip to .piz and things go through fine.

    7. Re:Gmail security can be over agressive too by frovingslosh · · Score: 1

      I don't find it acceptable to tell a client that they need to jump through such hoops. I send the exe with an smtp client and another mail server. Problem solved. Just Gmail has the wrong approach here. And people who think it's acceptable to have to do such things as renaming or RARing to get around it.

      --
      I'm an American. I love this country and the freedoms that we used to have.
    8. Re:Gmail security can be over agressive too by bogado · · Score: 1

      Then why use a generic email? Buy a domain and configure a forward; your email will sound more professional and you will be able to send whatever you want using it, and who knows, you can even make a little web page on top of that domain. :P

      --
      []'s Victor Bogado da Silva Lins

      ^[:wq

    9. Re:Gmail security can be over agressive too by killjoe · · Score: 1

      Just change the extension. I routinely change the extension of zip files to 7z and tell my friends to either rename the extension or use 7zip.

      --
      evil is as evil does
    10. Re:Gmail security can be over agressive too by catch23 · · Score: 1

      Maybe you're doing something wrong. I have been able to send emails just fine to gmail accounts just by changing the extension. You sure it's not something on your end that is blocking it? maybe your SMTP gateway doesn't allow binaries of certain types.

    11. Re:Gmail security can be over agressive too by Em+Adespoton · · Score: 1

      Use 7zip, bzip2 or rar to compress the file -- that should be all you need to do.

    12. Re:Gmail security can be over agressive too by TClevenger · · Score: 2, Informative

      Rename the extension of the ZIP file to .Z instead of .ZIP. GMail passes it right through, and WinZip (as well as many other Windows-based tools) will still see it as a ZIP file and give it the correct icon, minimizing confusion on the part of users.

    13. Re:Gmail security can be over agressive too by Anonymous Coward · · Score: 0

      >just assumes that all of your users are idiots,
      >and if you build a system that repeatedly makes that assumption then
      >eventually all of your users will be idiots, as you will drive the others away.

      this might be a good marketing move, considering the usual idiot : non-idiot ratio in the world.

    14. Re:Gmail security can be over agressive too by Anonymous Coward · · Score: 0

      Just rename your .zip file to .zi_ and tell your client to rename it back to .zip. Then you can have as many executable files inside the compressed archive as you want.

    15. Re:Gmail security can be over agressive too by Anonymous Coward · · Score: 0

      Dude, like dozens of other posters have said, just rename the damn files. Surely your users can understand simple instructions like "rename the attached file from filename.exe.doc to filename.exe". We all have to deal with email filters.

    16. Re:Gmail security can be over agressive too by The_Sock · · Score: 1

      Nope, the needs of the many outweigh the needs of the few, or you in this case. I'd rather they do it than have more stupid viruses trying to infect my computers. If I need to send an exe or anything like that, or more importantly, when I'm talking to a client, I don't use a free e-mail service. It looks cheap. Would you put a hotmail address on your business card?

      --
      For a good time call www.sawkie.com
    17. Re:Gmail security can be over agressive too by Malc · · Score: 1

      Rename it. I get around Outlook all the time by sending myfile.exe.delete_this_extension

    18. Re:Gmail security can be over agressive too by uglydog · · Score: 1

      The users are idiots!

      Clearly, you are a programmer, and not an admin. Filter the damn things so the users can't send trojans to each other! And get an FTP server!! Man, I bet I end up supporting your broken app. :-P

    19. Re:Gmail security can be over agressive too by poot_rootbeer · · Score: 1

      I have to use a second e-mail account when I want to send out EXE files.

      Aww. How horrible.

      Email attachments are perhaps the worst imaginable way of distributing executables. It's too bad that your clients don't know of or care about alternative delivery systems, but that's not enough for me to conclude that Gmail was overbearing or foolish in forbidding EXE attachments.

    20. Re:Gmail security can be over agressive too by nkkdprgrmmr · · Score: 1

      I have two methods to deal with this, as I have to deal with the same issue on a daily basis: 1. Throw updates onto our company web page under a 'userfiles' folder, and simply send a link in the email to download the files. 2. (Assuming Winblows) Set up a registry entry that associates a specific file extension (like *.update) with the same filetype as .zip, and just rename your zip to .update. Then on their side, Windows will open it by itself.

      --
      I see Windows, I see Mac. I see Linux on the rack.
    21. Re:Gmail security can be over agressive too by charlesnw · · Score: 1

      It's sending FROM the account, not to it. Read before posting.

      --
      Charles Wyble System Engineer
    22. Re:Gmail security can be over agressive too by sethadam1 · · Score: 1

      This is like saying that patching ActiveX is silly, anti-spyware is unneeded, and anti-virus software unnecessary, just assume your users will know better.

      Wrong.

      Gmail's is the intended behavior. Use FTP for EXEs, or even CDs.

    23. Re:Gmail security can be over agressive too by JohnFluxx · · Score: 1

      How arrogant and self-righteous you come across. Let's just hope you didn't mean to sound in the way that you did.

    24. Re:Gmail security can be over agressive too by baresi · · Score: 1

      My clients won't know it's an email address if they don't see 'hotmail' or 'yahoo' on my business card :P

      --
      RGdot.com
    25. Re:Gmail security can be over agressive too by Anonymous Coward · · Score: 0

      How many of the EXE files were legal anyway? Most EXE files sent by email are exploits, cracks, or illegal copies of a program. So they won't let you do things to potentially hurt other users or companies. If you write your own programs you should know ways around this already. Whine all you want, it's not like you are paying for Gmail or anything.

    26. Re:Gmail security can be over agressive too by drinkypoo · · Score: 2, Insightful

      Gmail's is the intended behavior. Use FTP for EXEs, or even CDs.

      No.

      Why don't you stop telling people how to use their computers. I want to email executables to people on occasion. It's easy. It works. Well, normally it works, unless you're using gmail.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    27. Re:Gmail security can be over agressive too by sethadam1 · · Score: 1

      I want to email executables to people on occasion. It's easy. It works. Well, normally it works, unless you're using gmail.

      Or Outlook. Or several other capable email programs. Essentially, your suggestion is that general security should be sacrificed because lazy people sometimes want to send executable files? That's weak, friend.

      Since most people run Windows, and most people have file extensions hidden (a STUPID default), most people will think anna_kournikova.jpg.exe is an image, and open it.

      Email programs SHOULD block exe files. If you are smart enough to send an exe that makes sense, you're smart enough to rename it. Period.

    28. Re:Gmail security can be over agressive too by drinkypoo · · Score: 1

      Email attachments are perhaps the worst imaginable way of distributing executables. It's too bad that your clients don't know of or care about alternative delivery systems, but that's not enough for me to conclude that Gmail was overbearing or foolish in forbidding EXE attachments.

      Aside from using myspace or something, how do you propose that people send files to people so that they can download them when the sender is no longer connected? And when neither one has a 24x7 internet connection?

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    29. Re:Gmail security can be over agressive too by Atlantix · · Score: 1

      Email programs SHOULD block exe files.

      Absolutely agreed.

      If you are smart enough to send an exe that makes sense, you're smart enough to rename it.

      But here is where you missed the point of this discussion. This is a smart user who has already tried renaming and zipping a legit .exe file and gmail is STILL blocking it. That's NOT what an email program should do.

      --A2K
    30. Re:Gmail security can be over agressive too by drinkypoo · · Score: 2, Insightful

      Or Outlook. Or several other capable email programs. Essentially, your suggestion is that general security should be sacrificed because lazy people sometimes want to send executable files? That's weak, friend.

      Sometimes they want to send zip files with .exe files in them, too, but you can't do that either. If I want to just dash a zip file with an installer (or just a program that doesn't require installation, just unpacking) off to someone, I have to rename the zip file extension, and then they have to rename it, or I have to go into the zip file and rename the .exe, which they have to rename. It's not that I'm not capable of it, because clearly I am - I can string words together into sentences, and have more than two neurons to rub together - but that I think it's lame. At the very least I should have a configuration option I can use to turn off that behavior.

      Email programs SHOULD block exe files. If you are smart enough to send an exe that makes sense, you're smart enough to rename it. Period.

      Why should I have to fuck around just because people are stupid? The best reason to block .exe attachments outgoing is to stop worms from propagating. However, worms can pick a filename for an .exe like .exe.delete-this-extension just like anyone else can, so it won't help there, it only causes people to modify their tactics. Also, google shouldn't be susceptible to spreading a worm attack (barring javascript FUBARs) because you can't run code on gmail anyway.

      A better behavior would be to harass people who download .exes and tell them that they may summon satan all over their hard drive, so that those of us who have legitimate reasons to send them aren't punished for the stupidity of others.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    31. Re:Gmail security can be over agressive too by Frodo420024 · · Score: 1

      Hi

      There's a very easy fix for this problem: Remove the '.' from the file name, and the checker won't guess that it's an executable. Recipient puts the '.' back in, and you're all set. Works like a charm.

      --
      I'm in a Unix state of mind.
    32. Re:Gmail security can be over agressive too by JourneyExpertApe · · Score: 1

      I've had this problem too. I just send the files named "TheProgram.rename_to_exe" or something like that. I also explain that it needs to be renamed before it will run because of gmail's filtering. I'll admit that it did catch me by surprise the first time, though.

      --
      If you can read this sig, you're too close.
    33. Re:Gmail security can be over agressive too by Anonymous Coward · · Score: 0

      Err... no...
      Process:
              Send email with .exe ... bounced
              Send email with .exe renamed to .txt ... bounced
              Send email with .exe zipped, bounced
              Send email with .exe, zipped, zip renamed, ... bounced
              Send email with .exe, zipped, encrypted ... still bounced (I'm guessing my zip program kept the file table unencrypted)
              Send email with .exe, renamed to .txt, zipped, encrypted ... gets through, now brother can't figure out how to get the file ...


      Sounds like you just took the wrong path... there are quite a few easier methods... briefly:

      1) Rename the file's extension to .ex_, gets through
      2) Rename the file to _exe instead of .exe, gets through
      3) rar the file instead (in addition?) to zipping, gets through
    34. Re:Gmail security can be over agressive too by inKubus · · Score: 1

      No.

      Why don't you stop telling people how to use their computers. I want to email executables to people on occasion. It's easy. It works. Well, normally it works, unless you're using gmail.


      You're right! It works in Outlook--hey, look, I just received an .EXE in my email. Sweet! I think it's a funny program from my girlfriend, Loveletter.exe! Man, double-click and I get the *&!@!*^#$~~$#!`1NO CARRIER

      --
      Cool! Amazing Toys.
    35. Re:Gmail security can be over agressive too by drinkypoo · · Score: 1

      See, the only thing keeping that outcome from being a happy ending for everyone but the luser that ran the attachment without knowing what it was is the fact that most ISPs are less than proactive about killing off users whose machines are spamming or what have you...

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    36. Re:Gmail security can be over agressive too by Kredal · · Score: 1

      Hey, it worked for AOL.

      --
      Whoever stated that signature sizes should be limited to one hundred and twenty characters can just go ahead and kiss my
    37. Re:Gmail security can be over agressive too by generic-man · · Score: 1

      Place the files on a secure server you control (or lease from a trusted source). Send encrypted access instructions to the recipient. Or establish access well in advance and just send the recipient a message "Please log in to MySecureServer to retrieve a new file."

      There are already many companies around that establish secure file storage areas to avoid the inherent security and file-size problems associated with e-mail attachments.

      --
      For more information, click here.
    38. Re:Gmail security can be over agressive too by drinkypoo · · Score: 1

      Place the files on a secure server you control (or lease from a trusted source). Send encrypted access instructions to the recipient. Or establish access well in advance and just send the recipient a message "Please log in to MySecureServer to retrieve a new file."

      So because some people can't control their sphincters, others must incur additional costs? Great. I see we're working on the U.S. Government model.

      There are already many companies around that establish secure file storage areas to avoid the inherent security and file-size problems associated with e-mail attachments.

      This doesn't help non-corporate users, however. The whole website thing is too complicated for most people. E-Mail attachments make sense. The fact that they're poorly implemented doesn't change that. The simple fact is that email follows a "mail" metaphor and people are used to being able to mail things. You take 'em down to the shipper and send 'em off and they don't give a shit what media types are in the box unless they're controlled substances (whether drugs, or explosives.)

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    39. Re:Gmail security can be over agressive too by Anonymous Coward · · Score: 0

      Renaming the zips to .bin worked (a few months ago) for me.

    40. Re:Gmail security can be over agressive too by generic-man · · Score: 1

      I want to send you a 100-megabyte file in less than 24 hours and I live across the country from you. However my Gmail account only lets me send attachments up to 10 MB in size and Gmail probably won't let you receive a message that big. How can I send you this file?

      --
      For more information, click here.
    41. Re:Gmail security can be over agressive too by generic-man · · Score: 1

      Before you respond "just cut it up into 10 MB chunks," realize:

      • This is one file -- a really kickass PowerPoint slideshow which can't be shrunken, compressed, or compartmentalized
      • Joe User doesn't know how to reassemble a file from fragments. What easy-to-understand program can he install on his Windows ME computer to do this, and how do you propose I get it to him?
      --
      For more information, click here.
    42. Re:Gmail security can be over agressive too by drinkypoo · · Score: 1

      What easy-to-understand program can he install on his Windows ME computer to do this, and how do you propose I get it to him?

      I suggest this program:

      @echo off
      copy /b file1+file2+file3 outputfile

      You may refer to it as "runme.bat" or similar, if you like.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    43. Re:Gmail security can be over agressive too by Anonymous Coward · · Score: 0

      "No.

      Why don't you stop telling people how to use their computers. I want to email executables"

      Then you are a fool. Some people *want* to eat rat poison and some people *want* to run over people with their car. Just because you want it, doesn't mean it's a good idea or that it's right.

      Quit your whining.

    44. Re:Gmail security can be over agressive too by a.d.trick · · Score: 1

      Yes and no. First, what other people do with their computers affects all of us (i.e. spam doesn't grow on trees, computer criminals rarely do anything serious from their own machines, and viruses require hosts too). It's kind of like drinking alcohol. If you drink it and are responsible, there's no problem. But many people aren't responsible and you see car accidents. That's why laws are set up to restrict alcohol consumption.

      Also I see nothing wrong with Gmail's behaviour. You can just rename the file (add a .removethis at the end or whatever). If you're not intelligent enough to know how to do that then you shouldn't be allowed to receive exe's. Personally I think the 'exe' thing should have never been in the first place. It would be like someone downloading something on our lovely linux machines and having it automagically set executable. It's just wrong.

    45. Re:Gmail security can be over agressive too by generic-man · · Score: 1
      Outlook blocks incoming .bat files as they may just as easily contain:
      cls
      echo HAHA OWNED
      format /y C:
      So now you have to provide instructions to receive ten messages, save their attachments, save a renamed batch file, rename it to runme.bat, double-click it, ignore the Windows security dialog about running apps from the desktop, and end up with the file I wanted to send in the first place.

      Or I could have encrypted* the file, uploaded it to YouSendIt, and sent you a link.

      * Office XP and later actually do encrypt files when passwords are used to protect the entire file
      --
      For more information, click here.
    46. Re:Gmail security can be over agressive too by drinkypoo · · Score: 1

      So now you have to provide instructions to receive ten messages, save their attachments, save a renamed batch file, rename it to runme.bat, double-click it, ignore the Windows security dialog about running apps from the desktop, and end up with the file I wanted to send in the first place.

      Yes - and all of that hassle is solely because of email clients that do rude things.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    47. Re:Gmail security can be over agressive too by Lehk228 · · Score: 1

      i wonder how many users simply rename the file to "exe"

      --
      Snowden and Manning are heroes.
    48. Re:Gmail security can be over agressive too by griffeymac · · Score: 1

      I don't rely on Google mail.

      I actually pay an ISP every month, and use Eudora to send and receive mail.

      And nobody censors me. And I don't have to worry about Google's "agenda."
       
      I don't feel that Google "owes" me anything. (Besides, Yahoo has been giving away free e-mail accounts for quite some time--I never understood the fascination of gmail, whether or not it is searchable, etc....).
       
      G.--

    49. Re:Gmail security can be over agressive too by viperblades · · Score: 1

      If you make enough money selling software... you should pay the 120 a year for ftp hosting.

    50. Re:Gmail security can be over agressive too by KanSer · · Score: 1

      Claiming you are doing this for the users' protection just assumes that all of your users are idiots, and if you build a system that repeatedly makes that assumption then eventually all of your users will be idiots, as you will drive the others away.

      Sorry, I got distracted for a second. Are we talking about Google or Apple?
      --
      • MOD PARENT UP by Anonymous Coward Wednesday April 20, @4:20
    51. Re:Gmail security can be over agressive too by fatphil · · Score: 2, Insightful

      "Essentially, your suggestion is that general security should be sacrificed ..."

      Complete straw man, drinkypoo suggested nothing of the sort.

      The _sacrifice_ in security is the use of insecure clients and/or insecure OSes. Bits are bits, bytes are bytes, no bits or bytes are more insecure than any other bits or bytes - it's the actions performed on those bits or bytes that can be insecure.

      The lazy people are the people who don't go to enough effort to install secure software.

      FP.

      --
      Also FatPhil on SoylentNews, id 863
    52. Re:Gmail security can be over agressive too by Pope · · Score: 1

      Put it on a web server, email the client a link to download it. Problem friggin' solved!

      --
      It doesn't mean much now, it's built for the future.
    53. Re:Gmail security can be over agressive too by zopf · · Score: 1

      dropload.com

      --
      Did you see the pool? They flipped the bitch!
    54. Re:Gmail security can be over agressive too by cwtxxx · · Score: 1

      ...I want to email executables to people on occasion. It's easy. It works. Well, normally it works, unless you're using gmail.


      I find that using ZIT files for emailing EXEs gets through GMail with no problems

  16. This is embarrassing by RedHatLinux · · Score: 1

    My first ever first post on slashdot, and I make a typo.

    1. Re:This is embarrassing by Anonymous Coward · · Score: 0

      Can't help with the obligatory, "Me Gimto, you Jane."

      Mmm.. Yes

    2. Re:This is embarrassing by Tweekster · · Score: 1

      I would be more embarrassed about the content of your post.

      --
      The phrase "more better" is acceptable English. suck it grammar Nazis
    3. Re:This is embarrassing by exi1ed0ne · · Score: 1

      Embarrassed about a typo on /.?

      You really must be new here.

      --
      Pessimists.net - as if life wasn't depressing enough.
  17. What's the issue here? by Anonymous Coward · · Score: 0

    Execution of arbitrary javascript?! Call the HLSA, get FEMA on the line!

    We are too used to being bitten by proprietary extensions of js in IE. Javascript is a sandboxed programming language in every other browser.

    Anyone know how Gmail (if gmail is even interpreting the js) might even pose a security risk?

    Nothing to see here. Move along.

    1. Re:What's the issue here? by digital+bath · · Score: 1

      Because of XSS (cross-site scripting) attacks, I imagine.

      --
      find / -name "*.sig" | xargs rm
    2. Re:What's the issue here? by eet23 · · Score: 1

      Anyone know how Gmail (if gmail is even interpreting the js) might even pose a security risk?

      The Javascript will be running from the gmail page - it's probably possible to read your email, send email 'from' you and/or steal your gmail login.
  18. Yes, but remember this is post 9/11 by arthurpaliden · · Score: 0

    and every thing is different......

    1. Re:Yes, but remember this is post 9/11 by Tweekster · · Score: 1

      what in God's name are you talking about? sorry, not everything in the world involves 9/11 and in you know, reality, very little actually changed post 9/11

      --
      The phrase "more better" is acceptable English. suck it grammar Nazis
    2. Re:Yes, but remember this is post 9/11 by saforrest · · Score: 1

      Hmm, on September 10, 2001:

      The world is run by small-minded militaristic plutocrats with no concern for human life or the future of the planet who rule by intimidation and fear.

      On March 2, 2006:

      The world is run by small-minded militaristic plutocrats with no concern for human life or the future of the planet who rule by intimidation and fear.

      Brave New World, eh?

    3. Re:Yes, but remember this is post 9/11 by arthurpaliden · · Score: 0

      the '....' denoted sarcasum.... I know, I know, I shoud have used ... for the literary impared.

    4. Re:Yes, but remember this is post 9/11 by cb0nd · · Score: 1

      Geez! Please! Use your sarcasm tags!

    5. Re:Yes, but remember this is post 9/11 by Anonymous Coward · · Score: 0

      You're an idiot.

      "sarcasum", "shoud"... and WTF does "literary impared" mean?

    6. Re:Yes, but remember this is post 9/11 by Hosiah · · Score: 1

      I can think of plenty of changes that happened as a result of 9/11, mainly that idiots whom we'd spent years beating into silence suddenly felt at liberty to speak up again. Many of them working for the government.

  19. OOPS by ROOK*CA · · Score: 1

    Hey Maybe that mail filter should have been for INBOUND javascript in the message body instead of OUTBOUND javascript in the message body. Another injustice perpetrated upon the unsuspecting user base by those merciless hacks at "the brotherhood of the fat fingered sysadmins". :)

  20. I thought teenagers. . . by smooth+wombat · · Score: 5, Funny

    were good at finding holes to exploit. Any hole.

    Er, wait. Scratch that. I'm thinking of something else.

    --
    We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
    1. Re:I thought teenagers. . . by Red+Pointy+Tail · · Score: 1

      I certainly wouldn't want to scratch *that*...

  21. Outdated by brunes69 · · Score: 1

    None of the stuff on that page works anymore.

    1. Re:Outdated by Bogtha · · Score: 1

      So the fact that they ignored a security hole for two years and then botched the fix is unimportant, because it's fixed now?

      --
      Bogtha Bogtha Bogtha
    2. Re:Outdated by ObsessiveMathsFreak · · Score: 3, Funny

      So the fact that they ignored a security hole for two years and then botched the fix is unimportant, because it's fixed now?

      Yeah! Yeah! Because... because Google are different OK?! They do NO EVIL! I mean "Don't be Evil", I mean, not like M$, I mean..... ....STOP DISSING GOOGLE!!!! They're cool and happy and good AJAX coders!!!!!! Better than others!!! They CAN'T Screw up!!!!!!!!!! This is a lie!!! WAS a lie!!! No Wait!!! AAAAAAAAHHHHHHH!!!!!

      --
      May the Maths Be with you!
    3. Re:Outdated by The_Sock · · Score: 1

      Take the short bus to school, perchance?

      --
      For a good time call www.sawkie.com
  22. Blog Visitors by digitaldc · · Score: 1

    Some visitors to the blog reported being able to replicate the findings, but others said later that they were not able to and that the supposed flaw had been fixed.

    Can these same blog visitors please examine and fix my slow computer network?

    --
    He who knows best knows how little he knows. - Thomas Jefferson
  23. Re:In other news... by spacefight · · Score: 1

    In other news, a regular slashdot poster who doesn't get that links etc. belong to the signature and not to the post itself...

  24. So the attention grabber headline is... by geobeck · · Score: 5, Funny

    Teenage Computer Geek Finds Hole

    Girlfriend says "Finally!"

    --
    Find environmentally and socially responsible products on http://buy-right.net
    1. Re:So the attention grabber headline is... by duke12aw · · Score: 1

      what?! he has a girlfriend!? that is a first for our kind :P

      --
      As an american High School student, I'd like to officially apologize for my generation.
    2. Re:So the attention grabber headline is... by ursabear · · Score: 1

      Karma be darned!

      Some of us geeks haven't had this particular issue. Some of us actually have children.

      I laughed until tears when I read this. Thanks for making my day.

    3. Re:So the attention grabber headline is... by Anonymous Coward · · Score: 2, Funny

      I thought that went more along the lines of..

      Teenage Computer Geek Finds Hole

      Girlfriend says "Not that hole! Pull it out! Pull it out!!"

    4. Re:So the attention grabber headline is... by Anonymous Coward · · Score: 1, Funny

      Mom says, "He has a girlfriend? He hasn't been able to find any hole since birth."

    5. Re:So the attention grabber headline is... by SanityInAnarchy · · Score: 1

      Don't you remember?

      "All jocks think about is sports. All nerds think about is sex."
          - Revenge of the Nerds

      When we do finally get girlfriends, all the academic knowledge from all the pr0n we watch comes in handy.

      --
      Don't thank God, thank a doctor!
    6. Re:So the attention grabber headline is... by iamdrscience · · Score: 1

      When we do finally get girlfriends, all the academic knowledge from all the pr0n we watch comes in handy.

      Academic knowledge? You act like you take notes or something...
    7. Re:So the attention grabber headline is... by Anonymous Coward · · Score: 0

      Actually, it does! I'm using some of the "tricks" I've seen in non-BDSM pr0n and my fiancee loves it. Well, most of them... whipped cream & chocolate syrup are my personal favorites ;-) She likes the mint strips better.

    8. Re:So the attention grabber headline is... by Anonymous Coward · · Score: 0

      Girlfriend? /.? Get outta here!

    9. Re:So the attention grabber headline is... by geobeck · · Score: 2, Insightful

      *sigh*... All of the thoughtful, serious replies I've given to /. topics, and my first +5 comes from a crack like this.





      (No pun intended.)

      --
      Find environmentally and socially responsible products on http://buy-right.net
    10. Re:So the attention grabber headline is... by Tony+Hoyle · · Score: 1

      You don't??

    11. Re:So the attention grabber headline is... by Helish · · Score: 1

      Children?

      I see you were too shy to buy a pack of condoms...

    12. Re:So the attention grabber headline is... by Lehk228 · · Score: 1

      Some of us actually have children.

      that means you found the wrong hole

      --
      Snowden and Manning are heroes.
    13. Re:So the attention grabber headline is... by Kirth+Gersen · · Score: 2, Funny

      In my experience, girls don't say that. They usually say:

      "Are you in yet?"

    14. Re:So the attention grabber headline is... by pembo13 · · Score: 1

      Sucks to be you!

      --
      "Thanks for all the money you paid to us. We've used it to buy off ISO among other things" -Microsoft
    15. Re:So the attention grabber headline is... by pedalman · · Score: 1

      You are aware that "Wahoo!!!" is Slashdotese for "Wrong hole!!!!!!!! Wrong hole!!!!!!!!!!", aren't you?

      --
      Friends don't let friends line-dance.
  25. change the file extensions by ZX-3 · · Score: 1

    Just last night I had that problem. I renamed the .exe to .ex and zipped it (without any password). I've also used .bat --> .bat.bak in the past.

  26. Malicious Self Intent? by Anonymous Coward · · Score: 0

    Let me get this straight. He got code to run in a preview window, but it was filtered if it was sent? So he discovered that he could execute code on himself and no other. Does it really matter if a "hacker" crashes out his own computer?

    1. Re:Malicious Self Intent? by RubberDogBone · · Score: 1

      "Hacked his own computer" is not worth any street cred.

      So it instead becomes "Hacked the Fed, transferred $9bn to my Swiss account and I'm leaving the country scot-free!"

      --
      Sig for hire.
  27. Re:In other news... by gEvil+(beta) · · Score: 1

    Oh, he knows exactly what he's doing. Google "religious freaks." Guess what comes up? Every time he posts a comment and tacks that on the end, Googlebot snags it and bumps it up cos it's coming from a reputable site (well, PageRank-wise at least ;) Slashdot sigs don't have the luxury of being indexed (you gotta be logged in to see them).

    --
    This guy's the limit!
  28. Obligatory grammar nazi reply by Anonymous Coward · · Score: 0

    "Google has" or "The programmers at Google have"

    A company name is singular. A company name is singular. A company name is singular.

    1. Re:Obligatory grammar nazi reply by Bogtha · · Score: 1

      Sorry, but you are wrong. The treatment of group nouns as plural is perfectly normal and acceptable outside of America. Consult your international grammar nazi style guide for details.

      --
      Bogtha Bogtha Bogtha
  29. "Reads like a grade-school short story", I said by tommut · · Score: 1

    That summary reads like any one of my first attempts at writing:

    I said "I'm hungry".
    "How come?" Bill said.
    "I didn't eat," I said.
    Bill said, "That stinks."
    I said "It sure does".

    1. Re:"Reads like a grade-school short story", I said by PitaBred · · Score: 1

      That summary reads like any one of my first attempts at writing:

      It doesn't look as though things have made significant advances since then.

  30. In other other news... by suds · · Score: 1

    A big gaping hole is found in Zonk's head.

  31. There's a whole world out there by Anonymous Coward · · Score: 0

    A company name is singular.

    Only in the American dialect of English.

  32. Email is probably the wrong tool for this task by WebCowboy · · Score: 3, Interesting

    Gmail blocks outbound attachments with exe files, even when those files are included inside zip files.

    Google is RIGHT in doing such filtering, although perhaps they should make it clear to users up front on its filtering policies rather than waiting for them to discover it for themselves. Besides, even if outbound executable attachments are blocked how many corporate systems permit them inbound? My employer blocks inbound executables unless you're in certain departments, and the majority of our clients do as well. These systems are getting very smart too--they analyse the actual content of the file rather than the extension and even if you rename your .exe to .abc, ZIP it and rename the .zip extension .xyz our system will check the header content of the files' data and determine it is a ZIP, then extract the files inside to examine THEM if that is how you configure it.

    The point is that email was not designed for file transfer and probably will never be the best tool for that purpose. Unfortunately it cannot always be avoided but it should be wherever possible. If email was seen as a good way to transfer files then FTP wouldn't have been invented--people would've extended email to do it from the start. Since FTP is still around today and is now extended to secure FTP with SSL encryption and authentication THAT is the tool that professionals should use to send such files (that is what I do anyways).

    There are some cases where email is the most convenient, such as for non-executable documents (I avoid sending .docs since I consider them "executable"--I send PDFs instead), smaller files and so on. For dealing with more novice users I send an email with the link to the file to click, and for getting files from them I set up a simple HTTPS "gateway" with a file submission form. Just as simple as attachments (for the client anyways) and more secure.

    I don't think GMail and other mail systems need to be "fixed"...I think that people have to get out of the mindset of using email to exchange files. Use secure FTP or even HTTPS...or even better for big files use Bittorrent. It annoys me when people complain about limits on email attachments just like it annoys me when people use Excel to create "databases". At least learn to use MS Access dammit...it isn't THAT hard!
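
WebCowboy's description of a content-aware gateway (look at the file's actual bytes, recognise a ZIP whatever it is called, open it and examine the members) is also the answer to the rename tricks traded earlier in this thread. The block below is an added example, not the poster's employer's system and not anything from Gmail: a Python check that classifies attachments by magic bytes, recurses into ZIP archives (including archives nested inside archives) and reports executables it finds, alongside the weak extension-only check it replaces. The PE stub, the archive and the file names are constructed for the demonstration; the nested layout mirrors the "rename .exe to .abc, zip it, rename the .zip" case from the post.

```python
import io
import struct
import zipfile

# Leading bytes of the two formats this check cares about.
ZIP_MAGIC = b"PK\x03\x04"
MZ_MAGIC = b"MZ"
BLOCKED_EXTENSIONS = {"exe", "bat", "com", "scr", "pif"}   # constructed policy


def sniff_kind(data: bytes) -> str:
    """Classify a blob by content alone; the file name is never consulted."""
    if data.startswith(ZIP_MAGIC):
        return "zip"
    if data.startswith(MZ_MAGIC) and len(data) >= 0x40:
        # A PE image stores the offset of its "PE\0\0" signature at 0x3c.
        pe_off = struct.unpack_from("<I", data, 0x3C)[0]
        if data[pe_off:pe_off + 4] == b"PE\x00\x00":
            return "pe-executable"
        return "mz-executable"           # bare DOS stub; still runs on Windows
    return "other"


def extension_filter(name: str) -> bool:
    """The weak check: decide only from the last extension of the file name."""
    return name.lower().rsplit(".", 1)[-1] in BLOCKED_EXTENSIONS


def inspect_attachment(name: str, data: bytes, depth: int = 0, max_depth: int = 3):
    """Return (path, kind) findings for executables, descending into ZIP archives."""
    findings = []
    kind = sniff_kind(data)
    if kind.endswith("executable"):
        findings.append((name, kind))
    elif kind == "zip" and depth < max_depth:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.is_dir():
                        continue
                    member = f"{name}/{info.filename}"
                    if info.flag_bits & 0x1:
                        # Encrypted member: contents unreadable, but the central
                        # directory still reveals its name (the bounce seen upthread).
                        findings.append((member, "encrypted-entry"))
                        continue
                    findings.extend(inspect_attachment(member, zf.read(info), depth + 1, max_depth))
        except zipfile.BadZipFile:
            findings.append((name, "unreadable-zip"))   # looks like a zip but cannot be opened
    return findings


def make_fake_pe() -> bytes:
    """Constructed stand-in for an .exe: DOS header whose e_lfanew points at 'PE\\0\\0'."""
    hdr = bytearray(0x40)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 20


def demo():
    """Build the renamed-and-nested attachment and run both checks over it."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("update.abc", make_fake_pe())   # .exe renamed to .abc
        zf.writestr("README.txt", "hello")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("bundle.zzz", inner.getvalue())  # inner .zip renamed, wrapped again
    blob = outer.getvalue()                           # outer archive sent as installer.xyz
    return {
        "ext_filter_blocks": extension_filter("installer.xyz"),
        "content_findings": inspect_attachment("installer.xyz", blob),
    }


if __name__ == "__main__":
    print(demo())
```

The extension check returns `False` for the renamed archive, while the content check walks two renamed layers and reports the PE image at `installer.xyz/bundle.zzz/update.abc`. The `max_depth` guard is there because a checker that recurses without limit into nested archives is itself a denial-of-service target.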

    1. Re:Email is probably the wrong tool for this task by Compenguin · · Score: 1

      > email was not designed for file transfer and probably will never be the best tool for that purpose.

      But it's a pretty good tool for transferring small files. If you are worried about who the message comes from then only take attachments from cryptographically signed emails from senders you trust.

    2. Re:Email is probably the wrong tool for this task by RedWizzard · · Score: 2, Insightful
      The point is that email was not designed for file transfer and probably will never be the best tool for that purpose. Unfortunately it cannot always be avoided but it should be wherever possible. If email was seen as a good way to transfer files then FTP wouldn't have been invented--people would've extended email to do it from the start. Since FTP is still around today and is now extended to secure FTP with SSL encryption and authentication THAT is the tool that professionals should use to send such files (that is what I do anyways).
      What do you think the point of attachments is? Email is designed for small file transfer. And it's the most convenient way to do peer to peer file transfer we have. FTP requires a server so it is fine as a central repository, but it is not good for ad hoc transfers between people.
    3. Re:Email is probably the wrong tool for this task by SanityInAnarchy · · Score: 1

      And when Gmail supports cryptographic signing, we can complain about them blocking our EXE's.

      Until then, don't send EXE's through Gmail, not just because they won't let you, but because it's a bad idea.

      --
      Don't thank God, thank a doctor!
    4. Re:Email is probably the wrong tool for this task by Manitcor · · Score: 1

      Wait, did I miss something?? When did email not require the use of at least one server somewhere?

      --
      "Don't mess with him, he taunts the happy fun ball."
    5. Re:Email is probably the wrong tool for this task by Compenguin · · Score: 1

      Well then, wouldn't it make more sense for them to invest more energy in cryptographic signing than a cat-and-mouse exe blocker?

    6. Re:Email is probably the wrong tool for this task by WebCowboy · · Score: 1

      What do you think the point of attachments is?

      I mentioned what the point is in my original post--for small, non-executable files mostly of a documentation-use nature. If it is a spreadsheet (WITHOUT garbage like VBS macros) or an electronic copy of a user manual, or an image or other "rich media" that is not alphanumeric in nature (within reason--I'd dislike flash games being sent as an attachment for example).

      But sending me .exe files, or 50 megabytes of database snapshot or archived logs? Please don't try to send these things via email then b*tch at me when they bounce or get filtered out...that is abuse of email and there are better ways of doing things.

      Email is designed for small file transfer.

      NO IT ISN'T. When Mr. Tomlinson sat down at his terminal in the 1970s and came up with email he was trying to create a system for MESSAGE transfer--that is, he wanted to replace the paper inter-office memo with something that was instant and electronic but non-verbal. There was no concept of a "file" involved, and in fact each email recipient only involved a single file (one for each "mailbox" which contained a concatenation of all incoming messages). File attachments came much later when more people saw the need to include non-alphanumeric data to express their message (graphic diagrams would be one of the most common requests). The use of an email message chiefly to transfer a file was an afterthought--a "hack"--simply because humans are lazy and, well if you could send a picture why not a program?

      And it's the most convenient way to do peer to peer file transfer we have. FTP requires a server so it is fine as a central repository, but it is not good for ad hoc transfers between people.

      If email was so good at ad-hoc, peer-to-peer file transfer then we wouldn't have had to invent P2P networks and clients. If you are a professional organisation setting up an FTP server is not a difficult task and you only have to do it once. If you have to do ad-hoc transfers of files that are inappropriate for attaching to email then there is also bittorrent--it is peer-to-peer and all you have to attach to your email is the little, non-executable .torrent file. Superior means of transfer are there--it just takes time to break old habits and to refine the technology for novice users.

      (Actually, that is the direction I think email should be heading--stop with the "big binary attachment" madness and use HYPERLINKS and/or TORRENT FILES to reference "attachments" rather than shooting them all over the world and leaving countless full copies on countless email servers all over the world. Can email client developers not make such a thing transparent or at least easy for beginners?)

    7. Re:Email is probably the wrong tool for this task by drinkypoo · · Score: 1

      sending me .exe files, or 50 megabytes of database snapshot or archived logs? Please don't try to send these things via email then b*tch at me when they bounce or get filtered out...that is abuse of email and there are better ways of doing things.

      It doesn't make it "abuse of email" just because you don't want large attachments. It might be abuse of you, and yes, I would expect people who care about your opinion to avoid mailing you large attachments, but it doesn't say anything about the world at large. Just your little slice of it.

      Email is designed for small file transfer.

      NO IT ISN'T. When Mr. Tomlinson sat down at his terminal in the 1970s and came up with email he was trying to create a system for MESSAGE transfer--that is, he wanted to replace the paper inter-office memo with something that was instant and electronic but non-verbal. There was no concept of a "file" involved, and in fact each email recipient only involved a single file (one for each "mailbox" which contained a concatenation of all incoming messages).

      An email is a file. It's got a standard format and it gets sent from host to host. While it doesn't have to be treated this way - it's just a stream of bytes - it is treated this way, especially today. A file is prepared and passed to the MTA.

      Also, "we always used to do it this way" is meaningless. Years have passed. Times have changed.

      File attachments came much later when more people saw the need to include non-alphanumeric data to express their message (graphic diagrams would be one of the most common requests). The use of an email message chiefly to transfer a file was an afterthought--a "hack"--simply because humans are lazy and, well if you could send a picture why not a program?

      No, that's not why. There were already means of transferring files before MIME mail was invented. The reason is that a delayed means of sending files to people was needed, in which the data would be stored on a server, and collected later when they connected. Like email. It only made sense to attach them to email. Why reinvent the wheel? And more to the point, how do you get people to use your wheel replacement?

      If email was so good at ad-hoc, peer-to-peer file transfer then we wouldn't have had to invent P2P networks and clients.

      That's a bunch of crap. P2P provides a new method of finding content. It exists for the same reason archie existed, and after it, ftpsearch. The idea was that it be easy to find and download content.

      If you are a professional organisation setting up an FTP server is not a difficult task and you only have to do it once.

      If you are not a professional organization, and you are trying to send a file to someone who is not connected at the same time as you, then FTP will not help you. Also, FTP uses plain text passwords, which are lame. Granted, you could use FTP with SSL, but that's not widely used. The fix for that is to use OTPs but that's too complicated for most people.

      If you have to do ad-hoc transfers of files that are inappropriate for attaching to email then there is also bittorrent--it is peer-to-peer and all you ahve to attach to your email is the little, non-executable .torrent file.

      Yes. And it still won't do any good if you don't have someplace to run a bittorrent client to seed while you're not online.

      Superior means of transfer are there--it just takes time to break old habits and to refine the technology for novice users.

      It's not superior if it's missing the feature you need most.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    8. Re:Email is probably the wrong tool for this task by DeafByBeheading · · Score: 1

      Grandparent's wording was fuzzy, but e-mail is client-to-client with one or more servers somewhere in between doing the hard work, whereas FTP requires one of the end-users to be running a server.

      --
      Telltale Games: Bone, Sam and Max
    9. Re:Email is probably the wrong tool for this task by Wizardry+Dragon · · Score: 1

      Indeed. And before the software developers get overly ornery about not being able to email binaries to each other, or code trees that contain binaries, I will happily recommend Sourceforge to them. (www.sf.net)

      ~ Wizardry Dragon

    10. Re:Email is probably the wrong tool for this task by WebCowboy · · Score: 1

      It doesn't make it "abuse of email" just because you don't want large attachments.

      Except that it IS an abuse because it clogs email servers as large attachments sit in inboxes waiting to be opened. This means the resources of the email server are strained for every user...it isn't simply a matter of what *I* want.

      An email is a file. It's got a standard format and it gets sent from host to host.

      No, an email is NOT a file--it wasn't originally anyways. Perhaps it is common today for email systems to treat a message as a file but that was NOT how email was designed. An email was set up as more of a "packet"--it is a stream of data within an "envelope" sent from one host to another. It was the MAILBOXES that were the files in which emails were stored--stored emails were not files unto themselves, rather they were records within a file. Then attachments came around and you end up with giant records with gigantic, specially-encoded representations of files embedded into them. The Mailbox file becomes totally huge, and the encoding of the large binary attachment within that file only inflates storage requirements.

      Also, "we always used to do it this way" is meaningless. Years have passed. Times have changed.

      I know that email server backends are available nowadays that use relational databases and more sophisticated storage of messages, however I was talking about email's heritage--it was never meant for use as a sophisticated file transfer mechanism. Yes times have changed but the problem is that with email and a lot of other technologies it was just evolved in a kludgy fashion rather than finding a proper solution to a new problem.

      That's a bunch of crap. P2P provides a new method of finding content.

      ummm...the crap is all over you there. Searching for content is only one component of P2P--the other main part of P2P is coordinating and executing file transfers between peers without the involvement of a central server. The most (in)famous of all P2P systems out there is BitTorrent and guess what...that one does nothing at all to help you find a file! It is all about file distribution.

      Also, it doesn't get sent to countless email servers anyway, just the few (maybe even just one) that are necessary.

      Yes email does get sent to countless servers every day---when people send large attachments then carbon copy everyone. Then it has to sit in those servers until every user has picked up their email--and even longer if it is a POP client who has elected to leave the message on the server until it is removed from the inbox at the client, or it is left in an online folder in an IMAP server. Plus, the entire body of your large email has to bounce its way through routers/gateways/proxies/relays until it reaches its destination and eats up bandwidth.

      If large files need to be delivered to multiple recipients, FTP, HTTP, BitTorrent, etc are more efficient. I'm not saying that sending ANY attachments in email is bad, just that there is a lot of inappropriate use of them nowadays.

      If you are not a professional organization, and you are trying to send a file to someone who is not connected at the same time as you, then FTP will not help you.

      Why not? I've run a personal FTP server before, and it is getting more and more common for people to have persistent, high-speed connections in their homes and always leave their computers on. Any limitations on "servers" by shortsighted and greedy ISPs are artificial restrictions on already capable technology. Also, there are secure implementations of FTP so that is not a problem...plus there is always HTTP which is also better equipped to handle file distribution than email. "Server" programs on "clients" machines are not an impossibility--they are just not engineered for casual home use right now and ISPs have this "server phobia".

      In any case, who's to say you need to host your own server to use HTTP or FTP? My Nephew and his wife just had a baby and r

    11. Re:Email is probably the wrong tool for this task by kjh1 · · Score: 1

      While I totally agree with these comments, there is another point that we need to keep in mind: Gmail is *free*. Remember the phrase 'you get what you pay for'? Well, I believe that in this case you get a whole lot for paying nothing; in fact, you get a pretty kickass application. Sure, a security hole may pop up now and again, but how many major software apps have no security holes? As long as they fix them in due time, it's ok with me.

      To the naysayers that argue that you 'pay' for it in ads and ISP fees, those are weak arguments. If you really believe Google is doing such a bad job with Gmail, stop using it.

    12. Re:Email is probably the wrong tool for this task by nmg196 · · Score: 1

      > Email is designed for small file transfer.

      Um, nope! -1, Wrong

      I think you'll find that attachments were bolted on WAY after the e-mail system had got up and running.

    13. Re:Email is probably the wrong tool for this task by xtracto · · Score: 1

      Man, email attachments of big files is so 90's... nowadays there is YouSendIt, give it a try. I use it quite a lot to share big files with friends, I hate sending files through any messenger service (msn, yahoo, etc etc), yousendit is simpler.

      --
      Ubuntu is an African word meaning 'I can't configure Debian'
    14. Re:Email is probably the wrong tool for this task by xtracto · · Score: 1

      To the naysayers that argue that you 'pay' for it in ads and ISP fees,

      Ok, about the ISP fees you are right, that is bullshit as google does not get anything of those, but about ads you are completely wrong, Google is an advertising company and they make all their money from advertising. That is their cash cow.

      All the other cute applications that they make are conceived to attract users (which for them are EYES) to their advertisements. It is like in TV, TV is free ok, but you have the right of getting some quality in the programs.

      --
      Ubuntu is an African word meaning 'I can't configure Debian'
    15. Re:Email is probably the wrong tool for this task by Anonymous Coward · · Score: 0

      You sir are an idiot.

    16. Re:Email is probably the wrong tool for this task by mdwh2 · · Score: 1

      The point is that email was not designed for file transfer and probably will never be the best tool for that purpose. Unfortuantely it cannot always be avoided but it should be whereever possible. If email was seen as a good way to transfer files then FTP wouldn't have been invented--people would've extended email to do it from the start. Since FTP is still around today and is now extended to secure FTP with SSL encryption and authentication THAT is the tool that professionals should use to send such files (that is what I do anyways).

      The problem isn't with "professionals", but between any two random people. I can't say "Hey, give me your FTP address, and I'll send you that file". Even amongst people who are knowledgeable about computers, it's a hassle to set up your own FTP server.

      It would be a different matter if ISPs or companies like Google offered you "FTP space" in a similar way to email, but as far as I know they don't.

    17. Re:Email is probably the wrong tool for this task by tepples · · Score: 1

      whereas FTP requires one of the end-users to be running a server.

      Most residential ISPs provide some sort of web space (FTP or HTTP form upload, HTTP download) to their users.

    18. Re:Email is probably the wrong tool for this task by kjh1 · · Score: 1
      Ok, about the ISP fees you are right, that is bullshit as google does not get anything of those, but about ads you are completely wrong, Google is an advertising company and they make all their money from advertising. That is their cash cow.

      I was just making the point that you don't pay for Gmail, not even via ads. You don't take money out of your pocket and pay it to Google in any way so that you can use Gmail or many of their other applications. Agreed that advertising is Google's cash cow.

      All the other cute applications that they make are concieved to attract users (which for them are EYES) to their advertisments. It is like in TV, TV is free ok, but you have the right of getting some quality in the programs.

      A Right? You're joking, right? What right do we have to demand quality in TV or Gmail or any other freely provided service. Sure, we can ask. We can plead. But we have no right. We can with PBS, b/c some of our tax dollars go to pay for that, but that's it.

  33. Great, another spammer in training by AngryNick · · Score: 1

    If the kid was looking to better humanity, he probably would have reported the flaw to Google before blogging on it. He should read the RFPolicy before he ends up being a scapegoat under someone's corporate bus.

    1. Re:Great, another spammer in training by drinkypoo · · Score: 1

      From the linked page:

      The RFPolicy states a method of contacting vendors about security vulnerabilities found in their products. It is written and recommended by Rain Forest Puppy.

      Please pardon me if I don't give a fuck what was written by someone calling themselves "Rain Forest Puppy".

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    2. Re:Great, another spammer in training by Q2Serpent · · Score: 1

      Whatever you say, "drinkypoo".

    3. Re:Great, another spammer in training by drinkypoo · · Score: 1

      I don't expect anyone to care what I say either.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    4. Re:Great, another spammer in training by neomunk · · Score: 0

      That's right, I don't care what drinkypoo says, and I agree with him totally!

      Democracy rocks!

  34. amusing by 99BottlesOfBeerInMyF · · Score: 1
    It is amusing that the ad at the top of the page while I read this showed the text:

    script type="text/javascript" language="JavaScript" src="http://pagead2.googlesyndication.com/pagead/show_ads.js"

    ...instead of the appropriate ad.

    1. Re:amusing by Anonymous Coward · · Score: 0

      No, that's not really "amusing", and you're full of shit anyway. Get a life.

    2. Re:amusing by msbsod · · Score: 1

      Well said!

      This is exactly why we should not use HTML, MIME, JAVASCRIPT, PDF, MSWORD, WTF encoding for e-mail messages. Plain ASCII does the job. If you need more, then replace the ancient SMTP protocol and include ISO standard fonts. End of story. Sadly RFC-based protocols are just patchwork. With every additional layer of encoding there are new possibilities of interference, new bugs, new security issues. Those who do not understand this matter should ask themselves why people use Javascript to encapsulate an ad in an HTML document. What is good to bypass ad filters is also good to introduce malicious code.

  35. Yeah by Anonymous Coward · · Score: 0

    I had this fixed yesterday =]

  36. Sick kid! by EmbeddedJanitor · · Score: 1

    Any healthy kid online would be hitting the pron!

    --
    Engineering is the art of compromise.
    1. Re:Sick kid! by Anonymous Coward · · Score: 0

      Patience. He's on his way. Once he figures out how to stick his finger in the gmail hole, he might be able to find the gmail spot. Once you find that, you don't need pr0n...

  37. News? by cejones · · Score: 1

    And this is news why? In another related story, teenager stubs toe and blames Microsoft and Google China. Who cares.

  38. why are you such a comment spammer? by Anonymous Coward · · Score: 0

    every other post i see one of your posts. even when you've got absolutely nothing to say. it's amazing, really!

  39. How is running client side code a security issue? by Anonymous Coward · · Score: 0

    This may be a dumb question, but how can having the ability to run Javascript code be a security issue? Javascript will only run on the client side (the web browser), so therefore will only affect the user who is creating the so-called malicious code, right?

    Is it because using client side code you can affect what is sent to the server?

  40. Re:In other news... by spacefight · · Score: 1

    And I know exactly that he knows exactly what he is doing. There were other people adding their links like him until they got modded down for it. So moderators, stand up.

  41. Elements of Un-Style by Icephreak1 · · Score: 2, Funny

    The kid's code might be deadly, but after reading his blog, I notice he can barely formulate a coherent English sentence.

    - P

  42. Re:How is running client side code a security issu by inotocracy · · Score: 1

    It's been shown that you could email someone a redirect, so anytime they view their inbox (using non standard HTML mode) it would send them to the link you provide.

  43. Stop The Presses!!! by johnkoer · · Score: 2, Insightful

    There is a bug in a piece of beta software??? That is unheard of.

    1. Re:Stop The Presses!!! by zpeterz63 · · Score: 0

      Not to underscore what is a valid point, but I would like to point out that gmail has been in beta for quite a while. Perhaps they're never planning to move it out of Beta, but it seems like it is fully functional to me, and more so than a lot of other e-mail services on the web. Feature wise, functionality wise, as well as lifespan wise, gmail is not beta.

    2. Re:Stop The Presses!!! by johnkoer · · Score: 1

      Google news was in beta for nearly 3 1/2 years, but it has been a great service for at least the last two. I think they are very cautious about moving things from Beta to production, and I don't think it is a bad thing. With so many companies moving things that are still being tweaked into production with a "we'll fix it later" mentality, it is refreshing to see a company, like Google, taking it slow before calling the product production ready.

    3. Re:Stop The Presses!!! by generic-man · · Score: 1

      When Google is taken to task for flaws in Gmail, if Google says "Gmail is beta, it may have problems" then it's beta. I don't care how much you like it. If its creator doesn't consider it good enough for production use, then it's not good enough for production use.

      --
      For more information, click here.
    4. Re:Stop The Presses!!! by Anonymous Coward · · Score: 0

      Beta is simply their excuse for making poor services available to the public.

    5. Re:Stop The Presses!!! by Anonymous Coward · · Score: 0

      Sort of like how version 1.0, 2.0, 3.0, 95, 97, 98, millenium, etc ... are microsofts excuse for making poor services available to the public

    6. Re:Stop The Presses!!! by Quixote · · Score: 1

      You mean to say all Microsoft has to do is call XP "XP beta", and all mistakes are excused?
      Gee! You might have just saved them 100s of millions of dollars in bad PR!

    7. Re:Stop The Presses!!! by hanoverjames · · Score: 0

      mod parent fanboy

  44. GMail File Space - Firefox Plugin by Anonymous Coward · · Score: 0

    was Re:Gmail security can be over agressive too

    Unfortunately, I find I have problems with Gmail security the other way. Gmail blocks outbound attachments with exe files, even when those files are included inside zip files. I write programs and occasionally have to e-mail a client a change. Yet, unless I want to try to get my low-tech users to use more tools to help me sneak something past the Gmail filtering, I have to use a second e-mail account when I want to send out EXE files.

    Try using the GMail File Space extension for Firefox. It allows you to use the storage space in your GMail account as an FTP server.

    http://www.firefoxplugs.com/extensions/550/Gmail-Space-02/

    http://www.rjonna.com/ext/gspace.php

    "Now, harmful extensions like ".exe, .dll, .zip" can also be uploaded."

  45. I stick my dick in blogs by Anonymous Coward · · Score: 1, Funny

    God I cant stand that fucking word!

    Die pls!

    Also he's 14, post pic pls!

  46. POP3 access. :-) by corychristison · · Score: 0
    I use the Gmail POP3 access via Thunderbird 1.5.

    I don't believe this will affect me in any way. :-)

  47. Re:In other news... by TedCheshireAcad · · Score: 1

    Slashcode doesn't even put in rel=nofollow. Why isn't there more link spam here?!?

  48. if you take the story at face value, by museumpeace · · Score: 2, Insightful

    it certainly underscores a strength of web based applications: It was looking like a bug one morning but by afternoon, only fixed versions of the code were to be found. Centralized reloading of gmail's servers means everybody got the fix at the same time more or less. What would the time line of such a security hole be if it occurred in Outlook? Eudora?

    --
    SLASHDOT: news for people who can't concentrate on work or have no life at all and got tired of yelling back at the TV.
    1. Re:if you take the story at face value, by Q2Serpent · · Score: 1

      It can be a double-edged sword, too. Aside from a few large applications (Windows, Office, IE), not many applications are running on tons and tons of systems. Having everyone running the same program from the same place means that if a flaw is found and not fixed quickly, *everyone* using that application is vulnerable.

    2. Re:if you take the story at face value, by Lehk228 · · Score: 1

      in general admins are smarter and more responsible than users.

      --
      Snowden and Manning are heroes.
  49. Digg by Psykus · · Score: 1

    This story actually broke on Digg.com by the way, not mentioned in the summary.

    1. Re:Digg by /dev/trash · · Score: 1

      and where did they get it from?

    2. Re:Digg by Psykus · · Score: 1

      The teenage hax0r himself posted it, with a link to his weblog.

      http://www.digg.com/security/Vulnerability_In_Gmail_allowing_attackers_to_run_code

  50. Re:How is running client side code a security issu by shiznatix · · Score: 1

    Obviously you don't know anything about javascript. Go to www.google.com and type in XSS and you will find your answer.

  51. Re:How is running client side code a security issu by inotocracy · · Score: 1

    Obviously you didn't read enough, it's been proven and shown to work already, by sending a document.location='yahoo.com'; redirect users were sent to yahoo.com every time they viewed their inbox. Go read the digg.com comments.

  52. OMG! A google story! Run it! by IQpierce · · Score: 0

    Quit running absolutely any story that has anything about Google.

    As I recently said to a friend: "People are getting weird about google. 1/3 of people think that they're wonderful and going to kill Microsoft; 1/3 of people think they're horrible and going to replace Microsoft; 1/3 of people think that they are a giant robot attached to the back of a Tyrannosaurus Rex with tentacles coming from its head."

    Slashdot runs any article that seems to support any of these views. Which ends up meaning, any news item with "Google" anywhere in it is automatically accepted.

    1. Re:OMG! A google story! Run it! by cpm80 · · Score: 1

      You figured out my social experiment / hack! (I'm not kidding) How do you get Slashdot to post a story? I figured slashdot would run any story about Google. Excellent.

  53. Was it exploitable? by illuminatedwax · · Score: 1

    What does running Javascript "from gmail.com" even mean? Javascript is run on a client machine. So you can put Javascript in your code, and it will parrot it back to you. How exactly is this a security vulnerability? You could run the same code from anywhere - it doesn't have to be Gmail.com supplied Javascript code. Please correct me if I don't understand, but if he just got gmail to give him back his own javascript code, there is no vulnerability. How is it going to run "from the gmail servers"? And even if it COULD do that, how do we know gmail hasn't sandboxed it in some manner?

    I should just post shit like "Hotmail.com vulnerability found!" all the time. Maybe I could garner this kind of media attention.

    --
    Did you ever notice that *nix doesn't even cover Linux?
    1. Re:Was it exploitable? by IQpierce · · Score: 0

      This is simple. 1. I have a Yahoo account. 2. I create an HTML e-mail that contains javascript which launches pop-up windows on my site. 3. I send you the e-mail. 4. GMail runs the javascript (this is the part it shouldn't do), and suddenly your browser is doing basically whatever I want. Consider that nearly every annoying thing that has ever been done to you by a webpage, was done using javascript. (Except maybe the tag.)

    2. Re:Was it exploitable? by makomk · · Score: 1

      What does running Javascript "from gmail.com" even mean? Javascript is run on a client machine. So you can put Javascript in your code, and it will parrot it back to you. How exactly is this a security vulnerability? You could run the same code from anywhere - it doesn't have to be Gmail.com supplied Javascript code.

      Because what JavaScript is allowed to do is restricted according to the site you're on. JavaScript on nastysite.com can't steal cookies from gmail.com, nor can it open and interact with pages on gmail.com; however, JavaScript from gmail.com can do both of these. In theory, this would be more than enough to allow it to, say, quietly send gay porn to everyone on your contacts list...

    3. Re:Was it exploitable? by illuminatedwax · · Score: 1

      i need to read faster

      --
      Did you ever notice that *nix doesn't even cover Linux?
    4. Re:Was it exploitable? by kestasjk · · Score: 1

      JavaScript runs on the client machine only, yes, however depending on what server provides the JavaScript you can do certain things. eg JavaScript you download from slashdot.org can manipulate slashdot.org cookies, JavaScript you download from gmail.com can manipulate gmail.com cookies, JavaScript run on a webpage on your account can do anything your account can do. So when you can inject JavaScript into another website you can set up a JavaScript so that the websites of the users will send their cookies to you, which you can then use to log on.

      It's called cross site scripting, and it's a pretty serious vulnerability.

      --
      // MD_Update(&m,buf,j);
    5. Re:Was it exploitable? by illuminatedwax · · Score: 1

      I pretty much read this as "teenager writes javascript in a gmail draft window and can run it in preview but can't send it anywhere." Not "Gmail doesn't filter out javascript from Yahoo!". Which now makes sense why it matters.

      --
      Did you ever notice that *nix doesn't even cover Linux?
  54. Re:In other news... by Pusene · · Score: 1

    I, for one, welcome our new 13-year old hacker overlords.

    --
    Error #13: No coffee. Operator halted. Please place boot device at bottom.
  55. One word: by JazzLad · · Score: 0

    RAR

    --
    "If you have nothing to hide, you have nothing to fear." - Every fascist, ever
  56. These things are nice to know if... by Yellow+Crane · · Score: 1

    ...you have a gmail account, for example. In the long run, I always prefer to get more information, rather than less. The people complaining about this story being on /. can simply choose not to read it. If you don't like what's on, change the [website].

    Besides, the point isn't the "size" of the bug or its potential to cause damage. The "point", and the benefit, of an article such as this one is that when people make others aware of problems in a company's product, it allows said people to make a more educated decision on using or not using the product. In addition, when a company's products are consistently shown to be problematic in some fashion and the company is shown to ignore said problems regularly, this also allows a consumer to steer clear of a company that doesn't hold their customers' best interests at heart.

    --

    "First they ignore you, then they laugh at you, then they fight you, then you win."

    -Gandhi

  57. Clarification for dummies by Jack+Earl · · Score: 1
    It looks like most of the people posting have no idea what happened, or didn't RTFA, but that's not surprising, of course. The POINT of the article is that I can/could have sent you a message from a Yahoo account with javascript code, and when YOU opened your Gmail inbox on YOUR computer that code would have been executed.

    What is so hard about this? It's very obvious to see the security risks associated with this vulnerability. And yes, it is a vulnerability. Are all the previous posters the same guys from Microsoft who sat in a board room, straight faced, and decided letting other people run C++/Java code on your Internet Explorer window would be a GOOD idea?
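    Added example (not Gmail's filter and not code from any poster): a defensive HTML-mail sanitizer in Python that removes the script-bearing constructs the comments above describe (inline script, event-handler attributes, javascript: URLs), so a message from an outside account cannot run in the reader's webmail origin. The DROP_TAGS and URL_ATTRS sets and the sample messages are constructed for this example.

```python
from html.parser import HTMLParser
from html import escape

# Assumed policy for the example: tags that execute or load active content are
# dropped together with their bodies; URL-bearing attributes are scheme-checked.
DROP_TAGS = {"script", "iframe", "object", "embed", "applet", "style"}
URL_ATTRS = {"href", "src", "action", "formaction", "background"}
BLOCKED_SCHEMES = ("javascript:", "vbscript:", "data:")


def _is_blocked_url(value):
    # Strip whitespace/control characters so "java\tscript:" is still caught.
    cleaned = "".join(c for c in value if c.isprintable() and not c.isspace())
    return cleaned.lower().startswith(BLOCKED_SCHEMES)


class MailSanitizer(HTMLParser):
    """Rebuilds untrusted HTML, keeping markup but nothing that can run script."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # > 0 while inside a dropped element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_TAGS:
            self.skip_depth += 1
            return
        if self.skip_depth:
            return
        kept = []
        for name, value in attrs:
            if name.startswith("on"):  # onload=, onerror=, onclick=, ...
                continue
            if name in URL_ATTRS and value is not None and _is_blocked_url(value):
                continue
            kept.append(name if value is None else f'{name}="{escape(value, quote=True)}"')
        self.out.append("<" + " ".join([tag] + kept) + ">")

    def handle_startendtag(self, tag, attrs):
        if tag not in DROP_TAGS:  # void-style tag: emit start only, never a close
            self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in DROP_TAGS:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif not self.skip_depth:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data))  # text is re-escaped, never interpreted

    def handle_comment(self, data):
        pass  # conditional comments and the like are dropped outright


def sanitize(html):
    """Return a copy of the HTML mail body with script-capable content removed."""
    parser = MailSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)
```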

  58. Congratulations! by jabber · · Score: 1

    Way to go! You just set up tomorrow's "Google has a security hole" Slashdot story. You get +1 Foresightful. :)

    --

    -- What you do today will cost you a day of your life.
  59. Use a mail client. by Ash-Fox · · Score: 1

    Pfft, just use a mail client like Thunderbird or kmail.

    --
    Change is certain; progress is not obligatory.
  60. plop by Danzigism · · Score: 1

    how often do you coders send your code in the body of an email message?? I mean, are CVS's, RDS's and hell, even throwing your shit in a zip file that outdated already??

    --
    *plays the Apogee theme song music*
  61. So in other words... by Tellalian · · Score: 1

    You're unable to execute arbitrary javascript in *someone else's* browser because Google filters it out? In other news, banks foil bank robbers by storing money in large metal boxes.

  62. Do you get this Gmail error. by earthstar · · Score: 2, Informative

    This is one Gmail bug I see of late... I get mails with lots of pics in it forwarded by friends to my gmail account without a problem. However when I forward it to any other email address [including to my own Gmail address], only the text appears & the pics don't (only rectangles with 'X' appear). I have been having this problem for the last 1 week or so only. Has any one of you come across such a problem too?

  63. And stay online for how long? by tepples · · Score: 1

    Any limitations on "servers" by shortsighted and greedy ISPs are artificial restrictions on already capable technology.

    Unfortunately, "shortsighted and greedy ISPs" who impose "artificial restrictions on already capable technology" are the norm, and if both the local telephone company and local cable company charge exorbitant rates to lift the TOS restrictions, then you're going to see continued use of either e-mail or web space to transfer files.

    if you attach a large file to email, then hit send, you STILL have to be online for the entire duration it is moved to the email server. If you had to be the first seed for a torrent you wouldn't have to be online for that much longer.

    The difference is that once you click send in an e-mail, FTP, or HTTP user agent (or in any other store-and-forward system), you wait only for the e-mail program to report that it has finished encoding and transferring the file. In BitTorrent, on the other hand, you have to leave your computer dialed up to the Internet (and miss voice telephone calls) until the intended recipient replies that he or she has received the file.

    we'll continue to have people try to ... use email like instant messaging (or vice versa, deliberately leaving big IMs when they KNOW the recipient is offline)

    The difference is that IM spam is perceived to be less common than e-mail spam, which in my experience tends to make it past even SpamAssassin too often.

  64. SourceForge.net by tepples · · Score: 1

    And before the software developers get overly ornery about not being able to email binaries to each other, or code trees that contain binaries, I will happily recommend Sourceforge to them. (www.sf.net)

    Not all software is 1. intended for consumption by the general public, 2. Free, and 3. in one of the specific categories of functionality that SourceForge.net accepts. Or did you mean installing GForge or SourceForge Enterprise Edition on a server controlled by the developer?

    1. Re:SourceForge.net by Wizardry+Dragon · · Score: 1

      The SourceForge framework is freely available under an OSI license, so if you don't like their TOS, or don't fit under their acceptable projects filtering, then you can simply install the software for yourself.

  65. The right tool is web space, right? by tepples · · Score: 1

    I can't say "Hey, give me your FTP address, and I'll send you that file".

    So say "Here is my FTP address; log in anonymously and get the file." Or, equivalently, "I've uploaded the file to my web space; go to this URL to get the file."

  66. "I wanna be a minority" by tepples · · Score: 1

    The lazy people are the people who don't go to enough effort to install secure software.

    Unfortunately, the lazy people are the majority, and you are the minority.

  67. Some paid ISPs can be national socialists too by tepples · · Score: 1

    I actually pay an ISP every month, and use Eudora to send and receive mail. And nobody censors me.

    You are lucky to have been born in a town whose local mono- or duopoly residential broadband ISP does not censor your attachments. Had you been born in an SBC state (now at&t), you might have got stuck with Yahoo! mail and all its restrictions, as SBC has partnered with Yahoo! for quite some time now.

  68. @ sign by tepples · · Score: 1

    My clients won't know it's an email address if they don't see 'hotmail' or 'yahoo' on my business card

    Wouldn't the commercial at sign ('@') be enough to clue them in?

    • Phone: 333-555-7777
    • E-mail: johndoe@example.com
  69. Sarcasm tags by tepples · · Score: 1

    the '....' denoted sarcasm

    If you want your ironic message to cross the sar-chasm intact, it's best to use well-known protocols. Better-recognized end tags for sarcasm are ;-) or </sarcasm> (written as &lt;/sarcasm> in Slashdot comment markup).

  70. apparently the mods haven't come around yet but... by Anonymous Coward · · Score: 0

    I laughed!

  71. there's a reason he found this... by Anonymous Coward · · Score: 0

    So...maybe he found this, but there's a reason a 14 year old is finding stuff like this...

    he's most likely trying to find a hole out there and exploit it...

    Most young kids don't spend their days trying to find buffer overruns or execute code buried in normal text buffers... most of them are busy playing playstation.. or text messaging the latest American Idol singer.. or they're busy getting their soccer moms to drive them all over creation to play soccer..