Tuesday, November 29, 2005

Sony Sued for Shipping CDs with Malware

From Paul Thurrott's Wininfo: "If you thought that Sony's rootkit CD fiasco couldn't get any worse, you apparently forgot about the lawyers. This week, two major lawsuits were filed against Sony for its decision to include malware on audio CDs sold to consumers. The suits, filed separately by the Electronic Frontier Foundation (EFF) digital rights advocacy group and the Texas attorney general, accuse Sony of violating consumer rights and trading in malicious software. I can't stress my opinion here strongly enough: Sony should be strung up by its corporate petard for this, and if we're lucky--really lucky--this event will convince this silly, stupid company to stop screwing over consumers in a lame bid to over-protect its ailing music business. Sony is an embarrassment."

They make software like.no.other™ (oh, the bitter irony), but you can remove it quite easily without having to download any more of their buggy software.

Saturday, November 26, 2005

Limewire has no Spyware

If anyone tells you that they got spyware by installing LimeWire, they are idiots, or they are running a version of LimeWire that is older than May 2004. Here's why:

Comparison of Unwanted Software Installed by P2P Programs: "Hands-on testing reveals the specific additional programs bundled with certain peer-to-peer filesharing programs. I capture screenshots of key steps in installation, and I discuss the characteristics that make the installation licenses particularly difficult for users to read and understand. Some peer-to-peer programs bundle multiple other programs users may not want and may not intend to accept, but other peer-to-peer programs contain no apparent bundled software." This is probably the definitive review of all P2P file sharing programs, even though it is a bit dated.

Now there is also FrostWire, a derivative of LimeWire that is completely free and doesn't have any planned content restrictions or DRM.

How does malware get onto your machine? Either through a security flaw that the malware's authors exploit, or because a user downloads and runs it. Of course they think they are downloading something else, like a pirated copy of a program or a crack for a commercial program. But whenever they do that they are taking their chances: an EXE file can do anything it wants on your machine, with all the privileges of the user who runs it. Never forget that you are trusting the programmer not to steal your data or wreck your PC. Most programmers are nice guys. ;-)

Worst Corporate Video Ever?

The Register posted a brief story on the worst corporate video ever. The company in this movie, Mindshare, rewrote the lyrics to the "hit" 1983 Donna Summer song, "She Works Hard For Her Money." I feel really sorry for those guys. They must cringe every time they hear that song; but then they are an ad agency. Perhaps this is a case of "having to eat your own dog food".

see video | read the register story | digg story

Friday, November 25, 2005

WFAA News Story: Flaws Exposed

This is a perfectly good example of a little knowledge being a dangerous thing. It is also an example of how to scare the viewers by not understanding what a file sharing program does or how it works.

The video clip clearly shows the program in use was LimeWire PRO (see the clip at 0:20, 1:16, 1:37, 1:57, 2:16 and 2:30), yet when I asked, Ed Chiarini stated in an email to me, "Each time I use LimeWire, I download a current free version". However, the free version does not display on screen as LimeWire PRO. The story also says they "did the same experiment using the most current LimeWire software." Why is this an issue? Usually when you "expose a major security flaw" you state which version has the flaw, and you report it to the software company so they have a chance to fix it before it is made public. In this case there is no flaw, and when I asked Ed Chiarini which version number he was using and whether the flaw had been reported, he ducked the question and answered as above.

If you pause the video clip at the 1:02 mark (see below), you can see that the sharing settings have been changed to include the "Documents" folder, which is not the default setting, even though the reporter says "... most users would simply use the default settings".

For the reporter to claim that this is a "major security flaw with LimeWire" that "makes it easy to search the hard drive of anyone who is also using the program" is completely misleading. First of all, the default installation of LimeWire creates an empty folder called "Shared" and shares only that. On my IBM ThinkPad, this is stored as
"C:\Documents and Settings\user\Shared"
whereas the "My Documents" folder is stored alongside it as
"C:\Documents and Settings\user\My Documents"
so the only way to share documents stored in "My Documents" is to add that folder yourself, using the "Options" -> "Sharing" dialog box. This indicates careful design on the part of the programmers to minimise the risk of inadvertent file sharing.

So if Chrystal Snow gave them permission to share her "documents" folder, she shouldn't be in the least bit surprised if the files in this folder show up on other machines. That is precisely what LimeWire is designed to do. It isn't a "security flaw", it's the reason you download a file sharing program in the first place! How did she think that she could download music from other computers? By magic? No, from their hard drive!

Ed explained to me that News 8 used the "Browse Host" function in LimeWire. If you search for files, you can select one of the results and then choose "Browse Host", which lists all the files that user is sharing, not just the one you selected. Since the user has elected to share all of those files, this is neither sinister nor a secret search. Saying that someone "can do a secret search of someone else's computer information without the victim knowing it" is like saying you can look through the windscreen of a car without the driver knowing about it.

So we have a news reporter (Dan Ronan) claiming to have exposed a "major security flaw" when in fact he is describing the stated and advertised behaviour of the software. We have a gullible user (Chrystal Snow) who gives permission for the News 8 team to change her settings to share all her "Documents" to the rest of the world on her file sharing program (LimeWire PRO) and then she says "I'm shocked my information is out there for anyone to find". Of course it is, you just gave permission! DUH!

The "security consultant" (Ed Chiarini) makes money off gullible users by charging $79.99 to uninstall LimeWire and delete the remaining registry keys and "Shared" and "Incomplete" folders on their system. But that isn't mentioned in the story, even though his web site is displayed several times in the TV clip, and the URL appears on screen and in the article.

To add insult to injury, the news story tries to imply that adding a user's "Documents" folder (see clip at 1:02 minutes) is the default setting when you install LimeWire, which clearly it is not.

It gets worse. The story implies a sinister motive on the part of LimeWire: "... The problem occurred from something written into the program, which was more than likely not an accident." That's a bit like saying that cars all have front wheels that could turn suddenly and make you go off the road, and that it is not an accident that there are steering wheels in the car.

The story has an interesting opening sentence: "Users of LimeWire ... might be making their private financial and personal information vulnerable." This is like saying that people in cars might be putting their lives at risk by driving on the roads.

By the time we get to the end of the story, "... personal data is there for everyone to find."
So which is it? Is it there for everyone to find, or is it only that it might be possible to find it, if the user elects to share it?

As you can see, the story has flaws and holes, and LimeWire is only doing what it is supposed to be doing. File sharing programs share files; irresponsible users share the wrong files.

Next week WFAA TV will be running a story on a dangerous new security flaw in Microsoft Word: it allows you to change and print documents! Imagine the security implications: anyone who prints out the document can read it, even if they aren't logged in. Shock! Horror!

Limewire File sharing program exposes hard drives | digg story

Fear, Uncertainty and Doubt

The "security consultant" is interviewed by Dan Ronan from WFAA-TV. He demonstrates what he says is a massive security hole in LimeWire. What he doesn't say is that he charges users to uninstall LimeWire:
File Share (LIMEWIRE) Removal & Repair
Windows® 2000, XP & XP Pro Desktops – $79.99
Get rid of the security leak! Just uninstalling the software does not get rid of LIMEWIRE, or other file sharing software. Call before you're the next victim of identity theft. Don't believe me? Sign up and I'll test your system! If I can't find a hole in your defense, you get your money refunded.

And to do this he needs to install remote control software on your PC. After that, your PC can be controlled from a browser, presumably with your permission. But that adds a security hole rather than removing one.

Now this may be reasonable if you are running older versions of LimeWire, but that program was patched in March 2005. So why kick up a fuss in November 2005? See WellAwareNet.com - Press Material.

Also, how can he say that a LimeWire uninstall doesn't get rid of the software? After all, the entire LimeWire directory gets deleted! Since when are remaining registry entries regarded as software? Or is he referring to the Java runtime software?

Why has he got it in for LimeWire? It's one of the only file sharing programs that doesn't have adware, popups or hidden spyware in it. It is an Open Source Java application, so anyone who understands Java can download the code and read it; bundled spyware would have nowhere to hide. That makes it more trustworthy, not less. See Comparison of Unwanted Software Installed by P2P Programs.

I wonder if he is WellAware of all this or not? I doubt it. See full article text below

Limewire File sharing program exposes hard drives

11:39 PM CST on Tuesday, November 22, 2005

Users of LimeWire, a file sharing program used by millions of Americans, might be making their private financial and personal information vulnerable.

A major security flaw with LimeWire makes it easy to search the hard drive of anyone who is also using the program while sending files back and forth.

While News 8 won't expose how to do that, when shown to people who were running LimeWire on their computer they were shocked.

With a few clicks of the keyboard, in just a matter of minutes and with Chrystal Snow's permission, News 8 found out a lot about the Dallas business woman.

"Anything from my bank statements are on there, my resumes, personal information, photos, you name it," Chrystal Snow said about her computer.

She let News 8 try to search her private computer files using LimeWire, and it turned out to be amazingly easy.

News 8 found her credit card records, banking information and proprietary business information.

In an earlier era, the famous bank robber Willie Sutton once said he robbed banks because that's where the money was.

With LimeWire, it is possible to take someone's identity and money.

"I thought you got on LimeWire to share music, and I'm shocked my information is out there for anyone to find," Snow said.

The problem occurred from something written into the program, which was more than likely not an accident.

Dallas computer security consultant Ed Chiarini is one of many warning about the dangers of file sharing. He said what someone can find goes far beyond identity theft.

"There are national security issues when it comes to some files on there," said Chiarini, from WellAwareNet.com.

Experts said what makes LimeWire so dangerous is that anyone using the program can do a secret search of someone else's computer information without the victim knowing it.

"It's the equivalent of you walking into someone's house with their permission and noticing a pile of papers on the table, picking them up and looking at them and realizing I have got your social security number, your tax forms," said Paul Schmehl, University of Texas Dallas computer security expert. "I've got sensitive information you would never let me see."

LimeWire declined repeated requests for an on-camera interview. Instead, the company issued a statement insisting it fixed the problem last spring, and that no further action is needed because the company said the program is safe.

For her part, Snow took LimeWire off her computer immediately and vows never to use it again.

"You never know who it is, or where they are or what they're involved with," she said. "If you can sit down at a computer and in five minutes find really sensitive information, then someone who wants to find it will have already done so."

News 8 also did the same experiment using the most current LimeWire software. The company said you can customize the installation of the program on the computer to avoid making information vulnerable.

But experts said most people who download LimeWire would simply use the default settings.

As News 8 discovered, personal data is there for everyone to find.
(emphasis added).

According to LimeWire Features History, version 4.8.1 was released in March 2005, and in June 2005 version 4.9 was released. In the notes for 4.9 the following statement is made:

We've gone to great lengths to make sure that you don't accidentally share files you didn't mean to. LimeWire will now detect directories that are "sensitive", prompting the user to confirm that they really do want to share them. You can also now choose to stop sharing a single file from a shared folder, or stop sharing a subdirectory of a shared folder. For users who want to share files from arbitrary locations, you can also choose to share any individual file. These files will show in a special 'Individually Shared Files' item in the library. The Library tab has also been revamped to give you more control over what you're sharing while maintaining LimeWire's famous ease-of-use.

So the story is either out of date or not referring to what is normally known as a "security flaw".
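What a "sensitive directory" check of the kind these release notes describe amounts to, and why the default "Shared" folder discussed earlier passes it while "My Documents" does not, is shown by the following added example. It is not LimeWire's code (LimeWire is Java; this is Python so it runs anywhere, and it works on Windows path rules via ntpath). The XP profile path, the default "Shared" folder name and the list of sensitive folders are assumptions modelled on the post, not LimeWire's actual list. The check flags a folder if it is, lies inside, or contains one of the listed sensitive folders, so sharing the whole profile or C:\ is caught because they contain "My Documents", and it normalises paths first so a share path entered as Shared\..\My Documents cannot slip past.

```python
"""Sensitive-directory check for a file-sharing client's share list.

Added example; not LimeWire's own code. The profile path, the default
'Shared' folder and the list of sensitive folders below are assumptions
modelled on the post (a Windows XP profile), not LimeWire's actual list.
ntpath is used so Windows path rules apply wherever this runs.
"""
import ntpath

# Constructed sample layout: an XP profile as described in the post.
PROFILE = r"C:\Documents and Settings\user"
DEFAULT_SHARED = ntpath.join(PROFILE, "Shared")  # created empty on install

# Assumed sensitive folders: sharing any of these, or anything that
# contains them, would expose personal data rather than downloaded media.
SENSITIVE_ROOTS = [
    ntpath.join(PROFILE, "My Documents"),
    ntpath.join(PROFILE, "Desktop"),
    ntpath.join(PROFILE, "Application Data"),
    r"C:\WINDOWS",
    r"C:\Program Files",
]


def _canon(path: str) -> str:
    """Canonical form for comparison: collapse '.' and '..', unify separators,
    lower-case (NTFS is case-insensitive) and drop a trailing backslash,
    except on a bare drive root such as 'c:\\'."""
    p = ntpath.normcase(ntpath.normpath(path))
    return p if len(p) <= 3 else p.rstrip("\\")


def _is_within(child: str, parent: str) -> bool:
    """True if child is the same folder as parent or lies anywhere beneath it."""
    child, parent = _canon(child), _canon(parent)
    if child == parent:
        return True
    prefix = parent if parent.endswith("\\") else parent + "\\"
    return child.startswith(prefix)


def classify_share(candidate: str, sensitive_roots=SENSITIVE_ROOTS):
    """Return None if the folder can be shared without a prompt, otherwise the
    reason the user must confirm before it is added to the share list."""
    for root in sensitive_roots:
        if _is_within(candidate, root):
            return f"{candidate} is, or is inside, sensitive folder {root}"
        if _is_within(root, candidate):
            return f"{candidate} contains sensitive folder {root}"
    return None


def plan_shares(requested, sensitive_roots=SENSITIVE_ROOTS):
    """Split requested folders into those added silently and those that need
    an explicit confirmation (keyed by folder, with the reason as value)."""
    silent, confirm = [], {}
    for folder in requested:
        reason = classify_share(folder, sensitive_roots)
        if reason is None:
            silent.append(folder)
        else:
            confirm[folder] = reason
    return silent, confirm


if __name__ == "__main__":
    # The News 8 scenario: the default folder plus My Documents, plus a
    # '..' path that escapes the Shared folder, plus the whole drive.
    wanted = [
        DEFAULT_SHARED,
        ntpath.join(PROFILE, "My Documents"),
        ntpath.join(DEFAULT_SHARED, r"..\My Documents\Finance"),
        "C:\\",
    ]
    silent, confirm = plan_shares(wanted)
    print("shared without prompt:", silent)
    for reason in confirm.values():
        print("needs confirmation:", reason)
```

Run as a script, only the default Shared folder is added silently; the other three each produce a confirmation prompt with the reason. The same check applied to the story's scenario would have stopped at "My Documents" and asked Chrystal Snow to confirm, which is the behaviour the 4.9 notes describe.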

original story | digg story | WFAA News Story: Flaws Exposed