Slashdot Mirror
MSN Censors Your IM
Jamie ran across a story about censorship on MSN. Essentially, a number of suspicious strings result in silent failure of delivery. The strings are unsurprisingly things like .scr and .info. They've started maintaining a list if you're interested. Personally, I'd rather they fix the vulnerabilities that make those strings dangerous in the first place: it's not like IM is the only place a URL can get on your machine.
From an article that is linked to from this one:
Or for that matter, http: //tinyurl.com/z35a5.
Kind of reminds me of our software filter where I work. They blocked firefox.exe from running. My solution? I renamed the file to iexplore.exe. Worked like a charm.
It's also probably worth noting that the messages are blocked on the server, not the client. That means that it will block the message whether you're using the MSN client, Pidgin, or any other client to access MSN.
My advice: Get a frickin' Google mail account already and use Google Talk instead.
"Nothing for you to see here. Please move along."
I'm guessing they're using that as a way to make sure only subscribers can get first post now? It wouldn't load for me until someone had posted.
As for the IM... I don't care what it is, it's not their job to censor it. Virus check attachments, sure... But not sensor the chat. Absolutely ridiculous. Reminds me of games that try to filter out all 'bad' words and end up filtering out words like 'fanny' because they mean 'butt' in the US and apparently refer to women's genitalia in the UK. How people NAMED Fanny deal with that, I can't imagine. There were quite a few more commonplace words that mean odd things in other languages or countries and were filtered as well. Ridiculous.
"If you make people think they're thinking, they'll love you; But if you really make them think, they'll hate you." - DM
An inept IT department?
OMFG!
Someone alert the world press!
-- Lattyware (www.lattyware.co.uk)
Since the day I became almost crazy when I was trying to pass a URL which included 'download.php?' to a friend from a well trusted website. All of my messages sent back to me. PITA.
Fortunately, it's kinda easily fooled if you randomly place a space and add "delete the space" at the end of the sentence. If they trust me in the first place, what prevents them from copy-pasting it and deleting a character as I requested?
My 0.02 cents
Here's one it started doing since the recent MS security drive. Any file that could possibly exploit a hole in any piece of software seems to be treated with serious suspicion. Somehow, this seems to include GIF files. So, when someone tried to send me a GIF file, I get this warning. I download it anyway, and it's sitting on my hard drive. I can copy it somewhere else, open it, etc.
However - and this is the kicker - when I click on the blue link to the file in the MSN chat window, I get this dialog. Yeah, it actually DELETED the file I just downloaded. After I copied it using Explorer. And I have full access to it. Dunno who implemented that piece of genius.
== Jez ==
Do you miss Firefox? Try Pale Moon.
Are you the guy that Slashdot hired to start correcting all the inaccurate stories and comments posted here?
== Jez ==
Do you miss Firefox? Try Pale Moon.
Personally, I'd rather they fix the vulnerabilities that make those strings dangerous in the first place
At least their trying something (albeit a weak approach) to stop automated scripts from sending viruses all over their chat protocol.
When you work on 1000+ college student laptops, you learn a lot of things about software students use in general, and one of these things you learn is:
1) AIM is a Virus downloading service disguised as a chat protocol.
I know that AOL doesn't do this on purpose, but it is so easy to hack that it might as well be. it's great when a 12 year old downloads a virus that infects Aim thinking it was some game (probably from AIM i might add), it sends "Hey check this out!" to his sister at the college containing an infected link or program, and the next thing you know you're running Aimfix and cleaning Zlob off on 300 PC's.
If Aim would simply filter out the bad traffic (and they should be able to know if a client is spamming the servers like crazy by heuristics alone) it would stop a lot of scams dead in their tracks.
In Soviet Russia, Trojan exploits YOU!
Perl.
Still, the administrator of a server running PHP 5 can get scripts to run without having .php in the URL by using various forms of content negotiation:
No, they specifically blocked firefox.exe. It wasn't part of a regular expression or policy to keep people from running their own programs. They made a deliberate and conscious choice to not only standardize on Internet Explorer as the Official Company Browser(TM), but to try to prevent anything else from even working.
It's not the only time they've done something lame-ass like that. For example, they've also created an Active Directory policy to push down the corporate intranet page as your home page. So if you're like me and prefer something like Google as your home page, too damn bad, it resets it next time you log in. I had to go in and deny permission to that registry key for Administrators to keep that from happening. (Yes, I know, they can reset the permissions on the key if they figure out what I've done, but they're not that motivated, and the point was to keep the automatic update from happening, which this does successfully.)
Someone want to tell me how you fix a user who downloads and runs untrusted executable code?
I've seen plenty of Linux n00bs get tricked into running rm -rf /. Or lynx -source example.com | sh
MSN implementing filters on certain strings is just a small measure in a huge arms race any major IM system has to deal with.
PS. You can save yourself the trouble of replying if you're going to tell me Linux only allows the user to destroy all of his files and not the entire OS.
What if it steps on what I need to do my job? I'm glad I don't work for you. You seem to be one of those types that thinks that just because something can be done, it needs to be done. Pushing down the default page doesn't protect the corporate computing assets, though I'm sure that's how our desktop goobers pitched it to management. It's just one more way to control things they have no business controlling, and it impacts our productivity.
They also do thinks like push down custom Start Menu structures. Microsoft Word, for example, isn't under All Programs or even Microsoft Office like it is on every other computer. No, it's buried under "Office Applications" (not to be confused with "Business Applications," a separate directory), along with things like Adobe Acrobat and such. They've also moved Windows Explorer (the filesystem explorer, not Internet Explorer) under Accessories. If I change this to something I'm more used to, it gets reverted next time I log in. Obviously, they've also deleted and blocked Solitaire and Minesweeper from running; it wouldn't do for people to take a break from hammering their stones. The company logo is pushed out to be everyone's desktop background.
My favorite, though, is that they've decided that everyone needs a little application called Kontiki. It's a peer-to-peer video distrubtion software system that turns all of our PCs into filesharing peers for corporate videos. You can't disable it and you can't delete the videos that it pushes down. (If you try to deleting a video, the software automatically re-downloads it from--you guessed it--your coworkers computers.) I detest days when corporate videos go out. My bandwidth is sucked dry by something I neither want nor use and have no control over.
Let's see... Need more stories? How about this. They recently pushed out a piece of software called Connected Backup. What happened is that our fileservers where people's home directories were started filling up. Instead of going out and buying more hard drives or implementing quotas, they've rolled out this backup software to everyone's computer that automatically backs up your machine once a day whether you want it to or not. Now, they're telling everyone that official company policy is to NOT store important documents on the fileservers, but to store them on your local PCs. Brilliant! Of course, network traffic has shot up dramatically, and the backup servers had to have a TON of storage added to them (the data still has to go somewhere), and instead of only things that people save on the fileservers being backed up, all of their personal shit is, too.
Every day, my computer runs a Connected backup, a virus scan, a vulnerability scan, a document retention scan, a software installation scan, Notes database replication, and my Run key in the registry has around 50 entries in it that our desktop group has loaded in, and it takes around two minutes for all of the group policies and login scripts to run when I log in. Thanks to our desktop group, literally 30 minutes of my day is wasted waiting for all of that shit to run.
I could go on with the stupidity if you really want me to. You're right about one thing; they've definitely protected the corporate computing assets. People hate using their computers so much now that a lot of people I know have gone back to just leaving it on all the time for doing their timesheets, and conduct their normal business using such old school methods such as the telephone and pencil and paper. As for me, I actually do some of my work at home using my own computing resources, and the only reason I can tolerate using my work computer for anything is because I know how to get around most of the shit they try to push down on us.
The solution?
Apply some idea of "common carrier" status to MSN. Like the telephone companies, as long as they do not attempt to edit or censor the content that passes through their networks, in any way, then they are not responsible and cannot be held liable for any damage caused by such content. But the moment they start taking measures like this to try to "sanitize" the content of the network, make them legally liable to pay damages for any successful attack/exploit that they are unable to prevent.
Overnight, this stupidity would go away. It would also set a great precedent for any other companies that wish to do this.
It is a miracle that curiosity survives formal education. - Einstein
Maybe, but I kind of doubt it. I was a NT server support person for a couple of years, then a systems admin (and a damned good one, if I do say so myself) for almost a decade. I've fought my fair share of battles, and my background is precisely why I know how to get around most of the shit they keep trying to push down to my workstation.
Did you try to fight it? Did you tell your manager, "This is a bad idea, and here's why..."? Like I've said, I've fought my fair share of battles. I haven't won them all. I had to delete Solitaire and Minesweeper at a smaller company I worked at because, as my boss said, "I hate those stupid timewasters." However, when he had a meeting to tell us that he read that you could lock down the desktop background image, I explained to him why that was a bad idea, and actually won that battle.
At my last job before the one I have now, I was the manager of server operations. I hate to say it, but my boss was a complete idiot who didn't know a thing about managing an IT department. It was ridiculous, and on more than one occasion, I found myself in the CFO's office (his boss) explaining why what my boss had told him was a load of hooey. I ended up quitting because I literally was afraid that I would be prosecuted at some point for something my boss would make me do and pinned on me as a scapegoat, and a few months later, he was finally fired because he screwed up a license scheme and it cost the company over $100 thousand (a LOT of money for that company). While I was there, I actually deliberately disobeyed him on many occasions when he asked me to do things that were illegal and/or unethical.
But the desktop goobers where I am now? They don't just implement management's decisions. Believe me, I've talked to them on many occasions, and they actually defend what they've done. I know for a fact that they are the ones who are instigating a lot of this crap, because in my company, it's how you get ahead; you lead a project that costs hundreds of thousands of dollars and put together reports about how well it went. What? There isn't a project involving spending hundreds of thousands of dollars? Then you make one up.
So yeah, I guess I am one of those users. As a matter of fact, I do know more than most of our IT folks about how these systems work. And if they stand in the way of me doing my job, I'll go around them without an iota of guilt because frankly, what I'm doing is much more important then them locking down my home page and desktop background.