Slashdot Mirror


User: S.Lemmon

S.Lemmon's activity in the archive.

Stories: 0
Comments: 316

Comments · 316

  1. Re:1984, right prediction, wrong year. on U.S. Lists Web Sites as Terrorist Organizations · · Score: 1

    What I think is ironic - it's perfectly legal for corporations to buy American politicians because, by the courts, corporations are classified as sort of a "virtual person" and money is considered "free speech". However, a real person can go to jail for giving money to an organization the government labels "terrorist".

    In cases of stuff like al Qaeda I don't think many would complain, but how long until something like Greenpeace makes that list? The role of any protest organization is, by its nature, usually at odds with the government, and often voices unpopular opinions. Anymore, the definition of "terrorist" is so loose and ephemeral it can be applied to almost anyone - not just suicide bombers.

    Already in non-terror cases we've seen the Justice Department pushing the Patriot Act as a way for prosecutors to skirt normal civil protections. I don't doubt, for example, if this were happening in the early 60's, you can be sure most involved in the civil rights movement would have been labeled "terrorist groups".

  2. Re:Well? on Earthstation5 Responds to Malware Claims · · Score: 1

    But that's not the issue. The issue is whether there is any evidence that they did anything malicious, rather than merely being stupid. And, from what we know, there is no evidence that they did.

    Well, you can believe their story if you like, but answer me this...

    1) If it was for "updates" why did it delete files from the *share* folder - not the program folder? You could only delete other folders by tricking it with relative paths.

    2) Since the delete is done from the running app, its exe and DLLs would be in use and locked by Windows. How could the command then possibly be used to remove the old (currently running) version?

    3) Even if you could get by 1 and 2, the app you're sending commands to is now gone. How do you then load the update?

    Again, that's just not how updates of any kind work.

    We are not debating whether their update mechanism was good (it wasn't), but whether the presence of arbitrary, data-driven file deletion code indicates malicious intent. It doesn't. That's all there is to it.

    Again, that's not at all what we were debating. You're arguing a point you invented. The problem is not that the app had code to delete files (many, if not most, programs have that), the problem is that it had code to allow *anyone* to connect to the PC and delete files.

  3. Re:Well? on Earthstation5 Responds to Malware Claims · · Score: 1

    You're being silly - unless sandboxed, any application with access to the OS API can delete files. No one but you even said the problem was that the "application can delete files". You started that with the odd statement saying ES5's backdoor was doing nothing more than what RPMs do when it's not even remotely alike.

    Likewise, it's not auto-updating itself that's the problem. If you trust a binary application enough to install it to begin with, you've already taken the risk of running "unknown" code. Though I agree updates are better left to the user's discretion, no one's complaining that IE5 had auto-update features.

    However, even if you believe this ES5 mis-feature was really for updates, it was the worst possible way to do it. As I explained above, there's no need for the server to "push" the update to begin with, and there's no excuse for allowing anyone - even the server - to connect remotely and delete files. Why people are upset *is* (as you put it) "the mechanism they chose". Auto-updates was just their inexcusable excuse for that mechanism.

  4. Re:Delete file is not required remotely to upgrade on Earthstation5 Responds to Malware Claims · · Score: 1

    Oh, come on, read the rest of his replies and be realistic about it. Besides, do you really consider the scenario where a server contacts each and every client separately and issues delete and upgrade packets realistic in any way?

    ha ha ha, man you are clueless! Scanning random IPs is exactly how blaster, code red and many other viruses spread. Seems to me those were pretty "realistic".

    You kind of remind me of those lusers who don't even care if their PC is infecting others with a virus as long as it still works for them.

  5. Re:Delete file is not required remotely to upgrade on Earthstation5 Responds to Malware Claims · · Score: 1

    Oh and I guess you go through and vet every line of code you ever run? Give me a break - running any software you don't write yourself involves a certain amount of trust, and I'm less likely to trust someone who admits they use insecure methods.

    Of course, I never said that's what I'd rely on, so please don't be so completely full of yourself. Honestly, if you must masturbate your ego, at least don't do it in public.

  6. Re:Well? on Earthstation5 Responds to Malware Claims · · Score: 2, Informative

    The original client can most certainly delete itself, including all DLLs and so forth, with no help from the "new" version. It may have to unload and run a temp process so its files aren't in use, but that's a common procedure. Most auto-updates are in fact initiated from the client, not the server. Usually something like

    1) client looks for new version
    2) client downloads new version
    3) client checks digital signature of download
    4) client runs temp program
    5) temp program uninstalls old client and installs new.

    It's also possible the old client may just run the install for the new one (and let the new one run the old one's uninstaller), but in any case everything's under the old client's control as much as possible. Never does the remote server tell it what to delete.

  7. Re:Need to be able to delete files to upgrade? on Earthstation5 Responds to Malware Claims · · Score: 1

    I'd add "only after verifying its digital signature" to that list too.

  8. Re:Delete file is not required remotely to upgrade on Earthstation5 Responds to Malware Claims · · Score: 1

    This is more than deleting files - this is having an open socket listening for requests from anyone to delete files. If your updater does that please tell me the name of the software so I can be sure to avoid it!

    Also just because ES5 doesn't reveal your IP in its protocol, doesn't mean someone can't scan IPs looking for it. Heck, that's usually how any other remote exploit works - just scan and you don't need a list of vulnerable IPs ahead of time.

  9. Re:Well? on Earthstation5 Responds to Malware Claims · · Score: 2, Insightful

    It's a bit different - RPMs may delete files but don't sit and listen on an open socket accepting delete requests from a remote server somewhere. That's a whole 'nother kettle of calling the fish black!

    A reasonable auto-upgrade would just have code for the client to delete itself and run the new install I'd think. Also just because ES5 hides IPs doesn't mean someone can't just scan to find people running it. If anyone can connect to you and delete any file, that's a little more than an auto-upgrade feature.

  10. Re:Same quality as DVD? on DivX Making Hollywood Inroads · · Score: 1

    There is no such thing as being able to play them all, and play them all well.

    Never used ffdshow? :-) If not you really should give it a try - it's just a decoder, but will handle most any MPEG4 codec you throw at it, including most all versions of DivX and XVID. It also has a ton of postprocessing settings you can play with. Be sure to get the latest version though as there are several floating around.

  11. Re:Divx vs. MPEG-4? on DivX Making Hollywood Inroads · · Score: 1

    Has nothing to do with XVID per se - it's just whoever did the encode spaced the keyframes far apart. It takes a keyframe to completely restore the picture, and the codec may start transforming the video from the frame you left off before the skip rather than from the frame it would normally be expecting. Actually, depending on the encode settings, you can get some weird almost morph-like effects when this happens. In any case, once you hit the next keyframe, things will look normal again.

  12. Re:It's a good idea... on Arcade ROMs for Download, Legally · · Score: 1

    Wow. Your world must be an interesting place to visit.

    Yes! unlike your world of pounding stupidity, it's a place where people sometimes read the MAME docs. If you can kick your brain into doing that without overheating it, you'll see several comments about analog sound hardware in old games being hard to emulate. Of course, I'm sure you believe the MAME authors just made all that up to taunt you.

  13. Re:What about changes in emulators? on Arcade ROMs for Download, Legally · · Score: 1

    Well, aside from the occasional bad dump, the ROMs themselves haven't changed since they were first burned into the original arcade chips. It's just that for some sadistic reason I've never fully understood, MAME developers positively revel in renaming them every few versions.

  14. Re:It's a good idea... on Arcade ROMs for Download, Legally · · Score: 1

    The Galaga hardware did not use samples of any kind. Like many early arcade games, it used good old analog components for sound effects. Since it's hard to emulate non-digital hardware, MAME just uses samples recorded from the original machines.

  15. Re:Artists aren't this stupid. on Magnatune - a Non-Evil Record Label? · · Score: 2, Interesting

    You know, I think in the near future we may have "Fark Superstars" - Where an artist rides an Internet meme to stardom by targeting popular link sites like Fark and Slashdot.

    The Internet does have the potential to short-circuit the recording industry's promotion machine. Just look at popular memes from "all you base" to Strong Bad. So far it's really only been done for fun, but even this has made some money selling shirts, mugs, and so on.

  16. Re:Marketed != Good on Magnatune - a Non-Evil Record Label? · · Score: 1

    The only thing against this is, for kids especially, music is about image more than sound. This isn't new - it's always been like that. To many, music is a lot like fashion - less about how it sounds and more about how popular and trendy it is.

  17. Re:It may be non evil... on Magnatune - a Non-Evil Record Label? · · Score: 2, Interesting

    I think there's some truth to this. If an artist can make as much (or even more) money selling fewer records, then there's not a need to sell millions. It might also allow for many more artists to be "successful" - even when they have only a small, but usually very loyal, fan base.

    Oddly, this is probably how it was in the age before records and mass distribution when all music was "live" music.

  18. Re:Hmph... on New Anti-Swap CDs Hit Shelves · · Score: 1

    Do you realize the public is under no obligation to buy their broken CDs either? At one time in the distant past corporations actually worked to give the customer what they wanted. It's so much easier now that you can just buy any laws necessary to insure your profits.

  19. Re:Hmph... on New Anti-Swap CDs Hit Shelves · · Score: 1

    If it's no more than that it should be trivial to get around. Doesn't most burning software come with a utility that lets you select an earlier session? I know EZCD Creator used to. There's also stuff like ISO buster that can pull stuff off earlier sessions.

  20. Re:We don't *need* it on Now We Have the Internet, But Why Do We Need It? · · Score: 1

    Problem is, for most such countries there's a thousand steps in between that are far more critical. All the education in the world will not help a corpse.

  21. Re:Can we really enforce this? on California Tries Spam Ban · · Score: 1

    I don't know - most spam isn't sent from the company's own servers. They'll often outsource to bulk mailers (who of course insist they're "opt-in") to do the dirty work.

    How are you going to prove that spam from a server somewhere in China promoting your extra deluxe cheese covered widgets really aren't your doing? Taken from the other end of things - how will they stop real spammers from just pretending they were likewise set up?

  22. Re:Reach out and DOS someone? on VeriSign Responds To ICANN's SiteFinder Advisory · · Score: 1

    Yeah, if your goal is to DoS your ISP's DNS server.

  23. We don't *need* it on Now We Have the Internet, But Why Do We Need It? · · Score: 2, Insightful

    People need food
    People need clean water
    People need shelter
    People don't *need* the Internet.

    It would be something for all these projects to wire third world countries to remember - the Internet is great fun and all, but I don't think someone watching their child face malnutrition would find they need it quite as much as a good meal.

  24. Re:Can someone explain to me why.. on Remote Root Exploit In lsh · · Score: 1

    Well, if what you're saying is true - LSH may predate the "OpenSSH" name, but not the OpenSSH codebase.

  25. Re:You are an ignoramus on Microsoft "Swen" Worm Squiggles Into Sight · · Score: 1

    I'd guess many if not most legit OS patches would need to be installed as root.

    Of course no legit OS patch would be sent unrequested via email, so in the end, I agree it's a user education issue.