MSN Censors Your IM

Jamie ran across a story about censorship on MSN. Essentially, a number of suspicious strings result in silent failure of delivery. The strings are unsurprisingly things like .scr and .info. They've started maintaining a list if you're interested. Personally, I'd rather they fix the vulnerabilities that make those strings dangerous in the first place: it's not like IM is the only place a URL can get on your machine.

13 of 287 comments shown

  1. The genius that is Microsoft... by KingSkippus · Score: 5, Informative

    From an article that is linked to from this one:

    The link filter does not take canonical URLs into account: http://evil.example.com/download.php and http://evil.example.com/down%6Coad.php are the same URL, expressed in two different ways. The first one is blocked, while the second one is not.

    Or for that matter, http://tinyurl.com/z35a5.

    Kind of reminds me of our software filter where I work. They blocked firefox.exe from running. My solution? I renamed the file to iexplore.exe. Worked like a charm.

    It's also probably worth noting that the messages are blocked on the server, not the client. That means that it will block the message whether you're using the MSN client, Pidgin, or any other client to access MSN.

    My advice: Get a frickin' Google mail account already and use Google Talk instead.
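
    What a filter that did take canonical URLs into account would have to do, as an added example in Python; this is not code from the thread, from the quoted article, or from anything MSN shipped. The blocklist entries and message texts are constructed (evil.example.com is carried over from the quote above), and the last sample goes one step beyond the comment by feeding in an extension-less URL of the kind the later "hide the .php extension" comment describes, which no amount of canonicalization recovers.

```python
import re
from urllib.parse import urlsplit, urlunsplit, unquote

# Constructed blocklist in the spirit of the substring filter the story describes.
BLOCKED_SUBSTRINGS = (".scr", ".info", "/download.php")

# Default ports are dropped during canonicalization so host:80 and host compare equal.
DEFAULT_PORTS = {"http": 80, "https": 443}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def extract_urls(message):
    """Pull URLs out of free text, trimming trailing sentence punctuation."""
    return [m.group(0).rstrip(".,;:)") for m in URL_RE.finditer(message)]


def naive_filter_blocks(message):
    """The weak approach: case-insensitive substring match on the raw message."""
    lowered = message.lower()
    return any(s in lowered for s in BLOCKED_SUBSTRINGS)


def canonicalize_url(url):
    """Reduce equivalent spellings of a URL to one form before matching.

    Lower-cases scheme and host, drops the default port, and percent-decodes the
    path repeatedly so that %6C and the double-encoded %256C both become 'l'.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    try:
        port = parts.port
    except ValueError:          # non-numeric or out-of-range port: treat as absent
        port = None
    if port is None or DEFAULT_PORTS.get(scheme) == port:
        netloc = host
    else:
        netloc = f"{host}:{port}"
    path = parts.path or "/"
    for _ in range(5):          # bounded loop: stop once decoding changes nothing
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return urlunsplit((scheme, netloc, path, parts.query, parts.fragment))


def canonical_filter_blocks(message):
    """Match the blocklist against canonicalized URLs instead of raw text."""
    return any(
        any(s in canonicalize_url(url).lower() for s in BLOCKED_SUBSTRINGS)
        for url in extract_urls(message)
    )


if __name__ == "__main__":
    # Constructed messages modelled on the quoted article and the comments above.
    samples = [
        "grab it from http://evil.example.com/download.php",
        "grab it from http://evil.example.com/down%6Coad.php",
        "grab it from HTTP://Evil.Example.com:80/down%256Coad.php",
        "Or for that matter, http://tinyurl.com/z35a5.",
        "grab it from http://evil.example.com/download",   # extension hidden server-side
    ]
    for msg in samples:
        print(f"naive={naive_filter_blocks(msg)!s:5} "
              f"canonical={canonical_filter_blocks(msg)!s:5}  {msg}")
```

    Running it shows the raw-substring filter passing the percent-encoded spelling that the canonical one catches, and both filters passing the shortener link and the extension-less URL: a shortener has to be resolved before it can be judged at all, and a server that serves PHP without ".php" in the path gives a string filter nothing to match, which is the thread's point about fixing the receiving side rather than the wire.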

    1. Re:The genius that is Microsoft... by lattyware · Score: 4, Informative

      Or just any Jabber client, for that matter.

      --
      -- Lattyware (www.lattyware.co.uk)
  2. Re:Misleading headline by jamie · Score: 3, Informative

    No, the data which is being blocked from transmission is not blocked because it's going to a computer program which would be exploited by it. At least I haven't seen any allegations of that. It's being blocked because the human that would receive the data might use it in a way deemed inappropriate (by clicking on it, say).

  3. Re:Misleading headline by jez9999 · Score: 4, Informative

    Are you the guy that Slashdot hired to start correcting all the inaccurate stories and comments posted here?

  4. At least they're doing something by Deathlizard · Score: 4, Informative

    Personally, I'd rather they fix the vulnerabilities that make those strings dangerous in the first place

    At least they're trying something (albeit a weak approach) to stop automated scripts from sending viruses all over their chat protocol.

    When you work on 1000+ college student laptops, you learn a lot of things about software students use in general, and one of these things you learn is:

    1) AIM is a Virus downloading service disguised as a chat protocol.

    I know that AOL doesn't do this on purpose, but it is so easy to hack that it might as well be. It's great when a 12 year old downloads a virus that infects AIM thinking it was some game (probably from AIM, I might add), it sends "Hey check this out!" to his sister at the college containing an infected link or program, and the next thing you know you're running Aimfix and cleaning Zlob off 300 PCs.

    If Aim would simply filter out the bad traffic (and they should be able to know if a client is spamming the servers like crazy by heuristics alone) it would stop a lot of scams dead in their tracks.

  5. Re:Misleading headline by TheRaven64 · Score: 1, Informative

    It means he is a member of the Slashdot staff. You don't see them very often because only half a dozen or so people have them, and judging by the dupes not many of those actually read the site.

    --
    I am TheRaven on Soylent News
  6. Old news! by Stormx2 · Score: 3, Informative

    This has been known about for years. Here's a digg posting from over a year ago...

  7. All the more reason to use Jabber/XMPP by MysticOne · Score: 2, Informative

    You can set up your own server, you can control your own IM stuffs, and really ... it's just a better solution. You could still go with GTalk if you want access to the Jabber network without setting up a server or doing anything fancy, but in that case I'd recommend encryption for your conversations (you should probably do that anyway). If you just want to set up a new Jabber account on one of the public servers, head on over to jabber.org and pick one out.

  8. Re:Misleading headline by Anonymous Coward · Score: 1, Informative

    Thanks. Makes sense I guess, must be like the nerdiest badge of honour evar.

  9. Four ways to hide the .php extension by tepples · Score: 5, Informative

    And what does every Linux web server come with?

    Perl.

    Still, the administrator of a server running PHP 5 can get scripts to run without having .php in the URL by using various forms of content negotiation:

    • With Options MultiViews, the client requests /download?foo=bar. Apache HTTP Server will look for a file called download, not find it, and then search for download.* and run the first thing it finds.
    • Type-mapped negotiation in Apache works much the same way, except it uses .var files (similar to Windows shortcuts) that point to your script. For instance, /download?foo=bar would reference /download.var, which points to /download.php. It's useful if you have a lot of small requests, for which the repeated directory scans performed by MultiViews might become CPU-bound.
    • Rename download.php to download/index.php, and Apache will find it when it scans index.* to display a default page for a directory.
    • Last but not least, mod_rewrite.
    1. Re:Four ways to hide the .php extension by Zonk+(troll) · Score: 5, Informative

      Or, do it the way I do.

      1. Name the PHP file "download".
      2. Use this option either in httpd.conf or .htaccess:

      <Files /path/to/file/download>
      SetHandler application/x-httpd-php
      </Files>

      3. Access it like:
      http://localhost/download or accept arguments like http://localhost/download/file.odt

      If you want to get what comes after the slash, this is all you need:

      // str_replace rather than ereg_replace: the ereg_* functions were removed in PHP 7,
      // and SCRIPT_NAME contains "/" and "." that a regex engine treats as metacharacters.
      $thePath = explode("/", str_replace($_SERVER['SCRIPT_NAME'], "", $_SERVER['REQUEST_URI']));

      file.odt would be located in $thePath[1].

      --
      "The Federal Reserve is a fraudulent system."--Lew Rockwell
      End The FED. -
    2. Re:Four ways to hide the .php extension by Zonk+(troll) · Score: 4, Informative

      $thePath = explode("/",ereg_replace($_SERVER['SCRIPT_NAME']," ",$_SERVER['REQUEST_URI'])); There isn't supposed to be a space in the quotes. The lameness filter added that.

      --
      "The Federal Reserve is a fraudulent system."--Lew Rockwell
      End The FED. -
  10. Latest version introduced this - Use ZIP or RAR by Anonymous Coward · Score: 1, Informative

    It's the latest update (July) that introduced this. I hadn't upgraded but a friend did. He could no longer receive MP3 files (We're game developers; our sound files are all MP3 format! Nothing illegal here!!!!!!!)

    Zipping is the way around this filter.