
MSN Censors Your IM

CmdrTaco posted more than 7 years ago | from the its-for-your-own-good dept.

Privacy 287

Jamie ran across a story about censorship on MSN. Essentially, a number of suspicious strings result in silent failure of delivery. The strings are unsurprisingly things like .scr and .info. They've started maintaining a list if you're interested. Personally, I'd rather they fix the vulnerabilities that make those strings dangerous in the first place: it's not like IM is the only place a URL can get on your machine.


287 comments


The genius that is Microsoft... (5, Informative)

KingSkippus (799657) | more than 7 years ago | (#20120937)

From an article that is linked to from this one:

The link filter does not take canonical URLs into account: http://evil.example.com/download.php and http://evil.example.com/down%6Coad.php are the same URL, expressed in two different ways. The first one is blocked, while the second one is not.

Or for that matter, http://tinyurl.com/z35a5.

Kind of reminds me of our software filter where I work. They blocked firefox.exe from running. My solution? I renamed the file to iexplore.exe. Worked like a charm.

It's also probably worth noting that the messages are blocked on the server, not the client. That means that it will block the message whether you're using the MSN client, Pidgin, or any other client to access MSN.

My advice: Get a frickin' Google mail account already and use Google Talk [google.com] instead.
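
Added example, not part of the original comment or the linked article: a Python sketch of the canonicalization gap quoted above, comparing a raw substring filter with one that percent-decodes each token to a fixed point before matching (it goes slightly beyond the quoted case by also handling repeated encoding). The blocked strings are the list posted in this thread; the sample messages, function names and decode-round limit are constructed for illustration and do not describe how MSN's server is implemented.

```python
from urllib.parse import unquote

# Blocked strings as listed by a commenter in this thread.
BLOCKED = (".info", "profile.php?", "download.php?", "gallery.php",
           "pics.php", "ListAllTopics.php", ".scr")

MAX_DECODE_ROUNDS = 5            # assumption: bound on repeated decoding
OVER_ENCODED = "<over-encoded>"  # hypothetical marker for tokens that never settle


def naive_match(message):
    """Raw substring test on the message exactly as typed."""
    return [s for s in BLOCKED if s in message]


def decode_to_fixed_point(token, max_rounds=MAX_DECODE_ROUNDS):
    """Percent-decode until the text stops changing.

    Returns (decoded_text, stable). stable is False when the token was still
    changing after max_rounds, which a filter can treat as suspicious by itself.
    """
    for _ in range(max_rounds):
        decoded = unquote(token)
        if decoded == token:
            return token, True
        token = decoded
    return token, False


def canonical_match(message):
    """Match blocked strings against the decoded, case-folded form of each token."""
    hits = []
    for token in message.split():
        canon, stable = decode_to_fixed_point(token)
        if not stable and OVER_ENCODED not in hits:
            hits.append(OVER_ENCODED)
        # Case-insensitive comparison is a conservative choice made for this example.
        canon = canon.casefold()
        for s in BLOCKED:
            if s.casefold() in canon and s not in hits:
                hits.append(s)
    return hits


# Constructed sample messages (evil.example.com is the article's placeholder host).
SAMPLES = [
    "grab it at http://evil.example.com/download.php?f=1",
    "grab it at http://evil.example.com/down%6Coad.php?f=1",
    "grab it at http://evil.example.com/down%256Coad.php?f=1",
    "are we still on for lunch?",
]


def compare(samples=SAMPLES):
    """Return (message, naive hits, canonical hits) for each sample."""
    return [(m, naive_match(m), canonical_match(m)) for m in samples]


if __name__ == "__main__":
    for message, naive, canon in compare():
        print(f"{message!r}\n  naive: {naive}\n  canonical: {canon}")
```

A shortened link such as the tinyurl one mentioned above passes both filters, because the blocked string is not in the message at all.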

Re:The genius that is Microsoft... (4, Informative)

lattyware (934246) | more than 7 years ago | (#20120987)

Or just any Jabber client, for that matter.

Anybody else notice it's .php files that get ... (1)

crovira (10242) | more than 7 years ago | (#20121007)

squashed?

And what does every Linux web server come with?

RIGHT...

Re:Anybody else notice it's .php files that get ... (1)

jZnat (793348) | more than 7 years ago | (#20121629)

Every Linux web server comes with Perl also...

Anyhow, I think it's because script kiddies tend to use (or exploit) PHP applications more often than other scripting languages due to its high availability in cheap hosting environments.

Re:Anybody else notice it's .php files that get ... (1)

DrSkwid (118965) | more than 7 years ago | (#20121977)

Also the php files are in the document_root directory (or whatever you want to call it). Write access to document_root should be off but it usually isn't.

Perl and other CGI stuff is usually script aliased out of document_root and run from there

/www/public_html # document root
/www/public_html/index.php # shitty PHP script
/www/cgi-bin
/www/cgi-bin/dirty_perl.pl # Long tooth Larry's stuff

And pl files also need chmod +x ing whereas php files will just run.

Those crazy "easy to set up" routes get you owned, but they always want to learn the hard way.

Four ways to hide the .php extension (5, Informative)

tepples (727027) | more than 7 years ago | (#20121671)

And what does every Linux web server come with?

Perl.

Still, the administrator of a server running PHP 5 can get scripts to run without having .php in the URL by using various forms of content negotiation [apache.org] :

  • With Options MultiViews, the client requests /download?foo=bar. Apache HTTP Server will look for a file called download, not find it, and then search for download.* and run the first thing it finds.
  • Type-mapped negotiation in Apache works much the same way, except it uses .var files (similar to Windows shortcuts) that point to your script. For instance, /download?foo=bar would reference /download.var, which points to /download.php. It's useful if you have a lot of small requests, for which the repeated directory scans performed by MultiViews might become CPU-bound.
  • Rename download.php to download/index.php, and Apache will find it when it scans index.* to display a default page for a directory.
  • Last but not least, mod_rewrite.

Re:Four ways to hide the .php extension (5, Informative)

Zonk (troll) (1026140) | more than 7 years ago | (#20122151)

Or, do it the way I do.

1. Name the PHP file "download".
2. Use this option either in httpd.conf or .htaccess:

<Files /path/to/file/download>
SetHandler application/x-httpd-php
</Files>

3. Access it like:
http://localhost/download or accept arguments like http://localhost/download/file.odt

If you want to get what comes after the slash, this is all you need:

$thePath = explode("/",ereg_replace($_SERVER['SCRIPT_NAME']," ",$_SERVER['REQUEST_URI']));


file.odt would be located in $thePath[1].

Re:Four ways to hide the .php extension (4, Informative)

Zonk (troll) (1026140) | more than 7 years ago | (#20122223)

$thePath = explode("/",ereg_replace($_SERVER['SCRIPT_NAME']," ",$_SERVER['REQUEST_URI']));
There isn't supposed to be a space in the quotes. The lameness filter added that.

Re:Four ways to hide the .php extension (2, Interesting)

Dragonslicer (991472) | more than 7 years ago | (#20122513)

Still, the administrator of a server running PHP 5 can get scripts to run without having .php in the URL by using various forms of content negotiation [apache.org] :
Another option is to use the AddType directive to have other file extensions run through the PHP interpreter. If you don't have any static pages on your site or can accept the minor performance hit, you can send all .html files through PHP.

Blocked firefox.exe (2, Funny)

nurb432 (527695) | more than 7 years ago | (#20121009)

And simply renaming worked? Your IT department is pretty inept.

Re:Blocked firefox.exe (5, Funny)

lattyware (934246) | more than 7 years ago | (#20121037)

An inept IT department?
OMFG!
Someone alert the world press!

Re:Blocked firefox.exe (-1, Troll)

Anonymous Coward | more than 7 years ago | (#20121249)

Well, they're blocking Firefox. What did you expect?

Re:Blocked firefox.exe (1)

nurb432 (527695) | more than 7 years ago | (#20121293)

There are reasons to block it, and anything else the user wants to install on their own.

Re:Blocked firefox.exe (1)

tepples (727027) | more than 7 years ago | (#20121729)

There are reasons to block it, and anything else the user wants to install on their own.
But still, only an inept IT department would refuse to consider a reasonable proposal to whitelist a version of Mozilla Firefox software in appropriate circumstances.

Re:Blocked firefox.exe (2, Insightful)

nurb432 (527695) | more than 7 years ago | (#20121949)

User installed software that isn't part of the official internal standard increases support costs, among other issues. So unless there is a business need, I don't see a problem with it being blocked. ( tho, simply blocking an executable name isn't the right way to do it, but that is a different discussion )

Now, if you come up with a valid business need for said non standard software, and it's ignored, then we are in agreement.

Re:Blocked firefox.exe (4, Interesting)

KingSkippus (799657) | more than 7 years ago | (#20121739)

No, they specifically blocked firefox.exe. It wasn't part of a regular expression or policy to keep people from running their own programs. They made a deliberate and conscious choice to not only standardize on Internet Explorer as the Official Company Browser(TM), but to try to prevent anything else from even working.

It's not the only time they've done something lame-ass like that. For example, they've also created an Active Directory policy to push down the corporate intranet page as your home page. So if you're like me and prefer something like Google as your home page, too damn bad, it resets it next time you log in. I had to go in and deny permission to that registry key for Administrators to keep that from happening. (Yes, I know, they can reset the permissions on the key if they figure out what I've done, but they're not that motivated, and the point was to keep the automatic update from happening, which this does successfully.)

Re:Blocked firefox.exe (2, Insightful)

nurb432 (527695) | more than 7 years ago | (#20121899)

Pushing down the default page via GPO sounds pretty responsible to me. It helps prevent users' default pages getting hijacked with porn sites, among other things.

Part of IT's job is to protect the corporate computing assets and keep them running properly for the needs of the job. If that happens to step on your personal wants, then that's too bad. The PC is there for work, not as a toy for you. You have your personal toys at home.

Re:Blocked firefox.exe (4, Insightful)

KingSkippus (799657) | more than 7 years ago | (#20122367)

If that happens to step on your personal wants, then that's too bad.

What if it steps on what I need to do my job? I'm glad I don't work for you. You seem to be one of those types that thinks that just because something can be done, it needs to be done. Pushing down the default page doesn't protect the corporate computing assets, though I'm sure that's how our desktop goobers pitched it to management. It's just one more way to control things they have no business controlling, and it impacts our productivity.

They also do things like push down custom Start Menu structures. Microsoft Word, for example, isn't under All Programs or even Microsoft Office like it is on every other computer. No, it's buried under "Office Applications" (not to be confused with "Business Applications," a separate directory), along with things like Adobe Acrobat and such. They've also moved Windows Explorer (the filesystem explorer, not Internet Explorer) under Accessories. If I change this to something I'm more used to, it gets reverted next time I log in. Obviously, they've also deleted and blocked Solitaire and Minesweeper from running; it wouldn't do for people to take a break from hammering their stones. The company logo is pushed out to be everyone's desktop background.

My favorite, though, is that they've decided that everyone needs a little application called Kontiki. It's a peer-to-peer video distribution software system that turns all of our PCs into filesharing peers for corporate videos. You can't disable it and you can't delete the videos that it pushes down. (If you try deleting a video, the software automatically re-downloads it from--you guessed it--your coworkers' computers.) I detest days when corporate videos go out. My bandwidth is sucked dry by something I neither want nor use and have no control over.

Let's see... Need more stories? How about this. They recently pushed out a piece of software called Connected Backup. What happened is that our fileservers where people's home directories were started filling up. Instead of going out and buying more hard drives or implementing quotas, they've rolled out this backup software to everyone's computer that automatically backs up your machine once a day whether you want it to or not. Now, they're telling everyone that official company policy is to NOT store important documents on the fileservers, but to store them on your local PCs. Brilliant! Of course, network traffic has shot up dramatically, and the backup servers had to have a TON of storage added to them (the data still has to go somewhere), and instead of only things that people save on the fileservers being backed up, all of their personal shit is, too.

Every day, my computer runs a Connected backup, a virus scan, a vulnerability scan, a document retention scan, a software installation scan, Notes database replication, and my Run key in the registry has around 50 entries in it that our desktop group has loaded in, and it takes around two minutes for all of the group policies and login scripts to run when I log in. Thanks to our desktop group, literally 30 minutes of my day is wasted waiting for all of that shit to run.

I could go on with the stupidity if you really want me to. You're right about one thing; they've definitely protected the corporate computing assets. People hate using their computers so much now that a lot of people I know have gone back to just leaving it on all the time for doing their timesheets, and conduct their normal business using such old school methods as the telephone and pencil and paper. As for me, I actually do some of my work at home using my own computing resources, and the only reason I can tolerate using my work computer for anything is because I know how to get around most of the shit they try to push down on us.

Re:Blocked firefox.exe (1)

nuggetman (242645) | more than 7 years ago | (#20122411)

My favorite useless app we have is a small red E on a shield in the system tray. You double click it and it opens an intranet page along the lines of

WHAT DO YOU NEED TO DO
-Evacuate the building
-Report a fire or police emergency
-I received a suspicious package
etc

Re:Blocked firefox.exe (1)

QuoteMstr (55051) | more than 7 years ago | (#20121789)

Sure: to provide justification for your own job.

Re:Blocked firefox.exe (1)

Dragonslicer (991472) | more than 7 years ago | (#20122543)

There are reasons to block it, and anything else the user wants to install on their own.
Except they apparently didn't block a user from installing Firefox, but only prevent a program named firefox.exe from running.

Re:The genius that is Microsoft... (1)

ghmh (73679) | more than 7 years ago | (#20121339)

Kind of reminds me of our software filter where I work. They blocked firefox.exe from running. My solution? I renamed the file to iexplore.exe. Worked like a charm.

Just make sure you don't get fired for knowingly circumventing security measures....

Might Be Time To Bring Back FIDONET (1)

NeverVotedBush (1041088) | more than 7 years ago | (#20121533)

I've about had it with Google's spying, Microsoft's spying/interference, Yahoo's spying, and pretty much everything and everyone else that is working to profile ad nauseam.

Jabber (0)

Anonymous Coward | more than 7 years ago | (#20121575)

I'd recommend Gajim [gajim.org] in Gnome or Psi [psi-im.org] in KDE or Windows. The only real advantage to using Google Talk is that it enables voice calls to other Google Talk users but there's a summer of code project [jogger.pl] to get that in Gajim too and Psi is also getting this soon. Jabber [jabber.org] is the future.

Re:The genius that is Microsoft... (4, Insightful)

ChowRiit (939581) | more than 7 years ago | (#20121781)

People always miss the point in these arguments, and say "get such and such instead" - it doesn't help, because my friends use MSN, and probably the same for most tech savvy MSN users. Sure, I'd rather use a better protocol, but I'm stuck using what my friends are on. This is the problem with "picking" an IM - the decision isn't made by you, but by the people you want to talk to who already have picked one.

Re:The genius that is Microsoft... (1, Insightful)

badc0ffee (969714) | more than 7 years ago | (#20121907)

You are known by the company you keep. Either get other friends, or convert the ones you have. Don't put up with dumbing down to the lowest common denominator. To paraphrase someone else's sig: Twice half fast make the dumb mass whole.

Re:The genius that is Microsoft... (1)

kc2keo (694222) | more than 7 years ago | (#20122447)

My school blocks programs from running on the computers also. I was running putty.exe or winscp.exe which was blocked. I renamed them to explorer.exe and notepad.exe and it ran fine.

-gasp- Slashdot, too! (4, Interesting)

Aladrin (926209) | more than 7 years ago | (#20120965)

"Nothing for you to see here. Please move along."

I'm guessing they're using that as a way to make sure only subscribers can get first post now? It wouldn't load for me until someone had posted.

As for the IM... I don't care what it is, it's not their job to censor it. Virus check attachments, sure... But not censor the chat. Absolutely ridiculous. Reminds me of games that try to filter out all 'bad' words and end up filtering out words like 'fanny' because they mean 'butt' in the US and apparently refer to women's genitalia in the UK. How people NAMED Fanny deal with that, I can't imagine. There were quite a few more commonplace words that mean odd things in other languages or countries and were filtered as well. Ridiculous.

Re:-gasp- Slashdot, too! (0)

Anonymous Coward | more than 7 years ago | (#20121159)

People named Fanny are probably Swedish so it doesn't matter, it's just appropriate -- they're such asses/cunts for real...

Re:-gasp- Slashdot, too! (4, Funny)

KingSkippus (799657) | more than 7 years ago | (#20121167)

Reminds me of games that try to filter out all 'bad' words

I play City of Heroes, and for some weird reason, it blocks the word "count." I think it was a typo when someone was entering words to block into the filter. It was just kind of funny, because I discovered it when I told someone, "Don't worry, you can count on me!" and it came out as "Don't worry, you can <bleep!> on me!" They had no idea what I was talking about, and it took a few entertaining minutes to hash out what was going on.

Re:-gasp- Slashdot, too! (1)

UbuntuDupe (970646) | more than 7 years ago | (#20121193)

I remember on the Microsoft-run zone.com (a game site), the filter is also extremely harsh. They extended it to innocent topics that happen to get used for trolling a lot. (Don't ask how I know...) For example, you can't say "holocaust", apparently because people like to deny it, and you can't say any form of "racist".

Re:-gasp- Slashdot, too! (4, Funny)

gbjbaanb (229885) | more than 7 years ago | (#20121335)

Ah, the northern UK town of Scunthorpe has been affected by this problem for some time now. I think a "Scun" must be a rude word in American English or something.

Re:-gasp- Slashdot, too! (-1, Redundant)

jandrese (485) | more than 7 years ago | (#20121633)

Scun is no bad word that I've ever heard of, but if you move your observation one letter to the right I think you'll find the problem.

Re:-gasp- Slashdot, too! (1)

jZnat (793348) | more than 7 years ago | (#20121653)

And you usually can't say "sniggers". What are you supposed to use? "Snickers"? That's a candy, not a verb that means "laughing".

Re:-gasp- Slashdot, too! (0)

Anonymous Coward | more than 7 years ago | (#20122011)

And what about "niggardly"? It's a perfectly innocent word with no relation to racial epithets, but that doesn't stop some people. [adversity.net]

Re:-gasp- Slashdot, too! (0)

Anonymous Coward | more than 7 years ago | (#20122417)

snicker is, actually, a word for laugh. in fact, it means "to snicker [reference.com] ."

when it comes to language, it pays to not be niggardly.

Re:-gasp- Slashdot, too! (0, Redundant)

Darren Winsper (136155) | more than 7 years ago | (#20121787)

Actually, it tends to be because Scunthorpe happens to contain the word "cunt".

Re:-gasp- Slashdot, too! (1)

karnal (22275) | more than 7 years ago | (#20122291)

*whoosh*

Re:-gasp- Slashdot, too! (0, Redundant)

KingSkippus (799657) | more than 7 years ago | (#20121827)

For what it's worth, I got the joke. :-)

Re:-gasp- Slashdot, too! (0)

Anonymous Coward | more than 7 years ago | (#20121719)

I think it was a typo when someone was entering words to block into the filter.
Not necessarily a typo, some filters also block words that are similar to ones that are listed to be censored.

Re:-gasp- Slashdot, too! (1)

markxz (669696) | more than 7 years ago | (#20121717)

In the Famous Five series of children's books one of the characters is called Aunt Fanny.

She also wrote a short story about a chocolate cock.

Or Fannie Mae? (1)

tepples (727027) | more than 7 years ago | (#20121745)

How people NAMED Fanny deal with that, I can't imagine.
As far as I can tell, they revert to their legal given name Frances. But then how do people discuss mortgages [wikipedia.org] or chocolates [wikipedia.org] without "Fannie"?

Re:How people named Fanny deal with it (1)

retrosteve (77918) | more than 7 years ago | (#20121871)

How people NAMED Fanny deal with that, I can't imagine.

...probably about the same way that people named Dick, Peter, John Thomas, or Willie do. LOL

Huh? (0, Troll)

jafiwam (310805) | more than 7 years ago | (#20120983)

"Fix the vulnerabilities first"?

WTF you talkin bout. Out of that list used as an example, 5 were PHP security problems (who has PHP installed on the local PC?) one was an odd but normal TLD. One was an executable file.

I'd like to know, how "just fix the software" works in a world where 60% of users don't know about updates, don't update when they do know, or use pirated software the vendor actively blocks from updates.

There are certain strings that have no legit business in MSN chat, that's true. In my opinion, that list doesn't have any of them, AND poses a threat to other stuff aside from the local computer.

God Damn I hate bloggers.

Re:Huh? (1)

lattyware (934246) | more than 7 years ago | (#20121023)

No. The first 5 were urls where there was the beginning of passing a variable in the GET style. As used by PHP. None of them are a vulnerability, they are just pages that sound likely to have a vulnerability.

Fix "automatically run code based on text message" (0, Insightful)

Anonymous Coward | more than 7 years ago | (#20121143)

That might be a good start - don't automatically do whatever some random dolt at the other end of a few TCP connection hops implies you should. Running code just because it was sent to you in a link is downright fucking stupid, yet M$ does it automatically.

Then, fix the rampant security holes in the entire OS that allow someone running as a random user to totally hose the entire OS installation. In other words - get where Unix was, oh, about twenty or thirty years ago.

The fact that M$ has disabled their own apps and OS from doing what they coded it to do is proof that their entire approach to developing software results in insecure products. Time and time again, we see that's true. This is just another example. Why do you "hate" someone who is merely pointing that out?

Re:Huh? (0)

Anonymous Coward | more than 7 years ago | (#20121527)

There are certain strings that have no legit business in MSN chat, that's true.
Who the fuck do you think you are, and what gives you the right to tell people what they can and can't talk about on MSN?

Re:Huh? (0)

Anonymous Coward | more than 7 years ago | (#20121601)

I'd like to know, how "just fix the software" works in a world where 60% of users don't know about updates, don't update when they do know, or use pirated software the vendor actively blocks from updates.


Easy there.... Don't bust a vein.

Programming to the least common denominator because you assume the majority of users are idiots is exactly the reason we end up with shitty software like most of what Microsoft produces. It ends up being difficult to do anything but what they decided it's "safe" for you to do. Things they made a wizard or button for, and that's it. People who know what they're doing lose functionality. And the benefit? It keeps the idiots out of trouble for about 3 days until the people who exploit idiocy find a new way.

How do you fix this when users don't update? Easy. Fix the problem, release a patch, and then don't allow users to connect unless their systems are patched. Or make it an option that's on by default, but can be turned off.

The Vulnerability Is... (1, Interesting)

EXTomar (78739) | more than 7 years ago | (#20122283)

...that MSN allows the user to run things it never should. Or in other words, one should reasonably expect that using MSN Messenger won't screw up their machine. You should be able to feed it any number of URLs from anywhere, trusted or untrusted sources, and it shouldn't do anything bad let alone second guess whether or not the information sent is "good" or "bad". Here is a hint: Untrusted data sources serve untrusted data. Why does Microsoft consider it a feature that MSN Messenger blindly run any files fed to it? And "asking for confirmation" is not sufficient.

Having any IM program make it so easy to run applications from questionable sources is not a secure feature let alone the debate whether or not it is a good one. Asking "Run this? Yes/No" doesn't make the feature any better. Why do people keep thinking it is? MSN Messenger shouldn't be doing this period where the "fix" of filtering on "bad data" by extension is laughable.

experience (0)

Anonymous Coward | more than 7 years ago | (#20121013)

definitely they do this.

I remember I was trying to send the link to OldApps.com to a friend via MSN IM, and it just wouldn't deliver it.

AC: Here's the link:::
AC: http://www.oldapps.com/ [oldapps.com]
friend: ??
AC: did you got it?
AC: http://www.oldapps.com/ [oldapps.com]
AC: http://www.oldapps.com/ [oldapps.com]
friend: dude? wtf?
AC: God damn it... I'm sending it!
AC: http://www.oldapps.com/ [oldapps.com]
friend: ur a n00b

So I tried downloading the file myself, then sending it (file transfer) to him... and he just wouldn't receive the file transfer window/request.

Stupid MS.

Re:experience (0)

Anonymous Coward | more than 7 years ago | (#20121451)

Does www.oldversion.com work?

Different site, similar content.

Re:experience (1)

someone1234 (830754) | more than 7 years ago | (#20122459)

Next time try this: ht tp://www. oldapps. com/ And tell your friend to omit spaces.

I already knew some (4, Interesting)

alx5000 (896642) | more than 7 years ago | (#20121083)

Since the day I became almost crazy when I was trying to pass a URL which included 'download.php?' to a friend from a well trusted website. All of my messages sent back to me. PITA.

Fortunately, it's kinda easily fooled if you randomly place a space and add "delete the space" at the end of the sentence. If they trust me in the first place, what prevents them from copy-pasting it and deleting a character as I requested?

Re:I already knew some (1)

Jeff DeMaagd (2015) | more than 7 years ago | (#20121959)

It's not even a matter of trust, some people will follow instructions without asking why they are doing this. So your trick could be used to spam people and you'll get a lot of people that will do what you ask. It's even easier if you can tell people that the link goes somewhere that they might want to go, like cheap software, porn, cheap medicine, etc.

the list (0)

Anonymous Coward | more than 7 years ago | (#20121085)

  • .info
  • profile.php? (including ?)
  • download.php? (including ?)
  • gallery.php
  • pics.php
  • ListAllTopics.php
  • .scr

Reminds me... (1)

free space (13714) | more than 7 years ago | (#20121087)

Some time in 2002, if I remember, I wanted to make my MSN Messenger nickname a Microsoft related joke, only to find the client preventing me with a message that says:

"A part of your nickname contains trademarked words and thus cannot be used".

I changed "Microsoft" to "Micro Soft" but it just wasn't the same :(

Forgot to say... (1)

free space (13714) | more than 7 years ago | (#20121123)

For those who don't have MSN: They changed their mind and it can be done now.

Re:Forgot to say... (0)

Anonymous Coward | more than 7 years ago | (#20121769)

>For those who don't have MSN: They changed their mind and it can be done now.
Gosh, thanks for the update - I know that I couldn't have slept tonight not knowing that.

I've run into this issue before (1)

deftcoder (1090261) | more than 7 years ago | (#20121099)

I had tried to send my friend a link to a website like site.com/staff.php, and gaim said "blah blah received an error from the MSN switchboard".

Another thing to note: you used to be able to crash people out of chats by typing "[.pif]" (without quotes). It would cause everyone to exit the conversation with a "connection error". Now, it just kicks you out.

Re:I've run into this issue before (0)

Anonymous Coward | more than 7 years ago | (#20122335)

Another thing to note: you used to be able to crash people out of chats by typing "[.pif]" (without quotes). It would cause everyone to exit the conversation with a "connection error". Now, it just kicks you out.

In Soviet Russia... oh, never mind.

Misleading headline (3, Insightful)

noidentity (188756) | more than 7 years ago | (#20121105)

This isn't censorship; it's just a poor firewall. The difference is that the former is for stifling human communication, while the latter is to protect machines from malicious software.

Re:Misleading headline (3, Informative)

jamie (78724) | more than 7 years ago | (#20121183)

No, the data which is being blocked from transmission is not blocked because it's going to a computer program which would be exploited by it. At least I haven't seen any allegations of that. It's being blocked because the human that would receive the data might use it in a way deemed inappropriate (by clicking on it, say).

Re:Misleading headline (4, Informative)

jez9999 (618189) | more than 7 years ago | (#20121239)

Are you the guy that Slashdot hired to start correcting all the inaccurate stories and comments posted here?

Re:Misleading headline (1)

GalionTheElf (515869) | more than 7 years ago | (#20121351)

Completely OT but what is that little /. icon I can see next to the friend/foe marker? Is that a new thing or am I just spectacularly dense? Also, what is it for? Surely if I'm reading the comments here I know how to find the front page? ;)

TIA if you find the time to answer these burning questions. Inquiring minds need to know!

Re:Misleading headline (1, Informative)

TheRaven64 (641858) | more than 7 years ago | (#20121409)

It means he is a member of the Slashdot staff. You don't see them very often because only half a dozen or so people have them, and judging by the dupes not many of those actually read the site.

Re:Misleading headline (1, Informative)

Anonymous Coward | more than 7 years ago | (#20121659)

Thanks. Makes sense I guess, must be like the nerdiest badge of honour evar.

Re:Misleading headline (1)

jZnat (793348) | more than 7 years ago | (#20121693)

Don't forget the little eye [slashdot.org] icon that means they're a part of the OSTG staff. Roblimo is the only one I've seen with that icon, but there could be others.

Re:Misleading headline (0)

Anonymous Coward | more than 7 years ago | (#20122587)

Which is why they should turn the fucking link parsing off! Drives me insane. Try selecting (to copy) just a portion of a link you receive on MSN, and see what I mean.

Priorities and mitigation (3, Insightful)

Fastolfe (1470) | more than 7 years ago | (#20121145)

Personally, I'd rather they fix the vulnerabilities that make those strings dangerous in the first place: it's not like IM is the only place a URL can get on your machine.

Do you really think they're diverting resources away from fixing bugs so that they can add "censorship" features to IM? Perhaps this is just one effort among multiple efforts to correct problems AND mitigate their effects? If it's going to take X weeks to fix the bug, but Y days to implement a filter that will stop some large percentage of infections, don't you think that both avenues are worth exploration at the same time? There's more to slowing and preventing the spread of malware than fixing the defect that allows them to propagate.

This also assumes that the same organization even owns the bug in question. Not all of these defects may be Microsoft's problem to begin with. This might even be a MORE reasonable action for them to take, since they're doing "everything in their power" to fight the problem rather than just sitting on their hands waiting for a 3rd-party to correct their bug, and sitting on their hands longer waiting for the end user to update their software.

With so many alternatives.. (0, Offtopic)

bealzabobs_youruncle (971430) | more than 7 years ago | (#20121201)

why use MSN at all?

Re:With so many alternatives.. (1, Insightful)

Anonymous Coward | more than 7 years ago | (#20121391)

If I could choose, I would use only IRC and maybe Jabber if an IM-style protocol is absolutely needed. However, MSN is very popular around here and converting everyone I need to communicate with to the alternatives is just not possible.

I don't need to use the official client, but sadly I must use some kind of program that connects to the MSN network now and then.

.INFO (3, Insightful)

tverbeek (457094) | more than 7 years ago | (#20121203)

I don't suppose it's occurred to Microsoft that .info is a perfectly valid TLD used by a significant number of legitimate web sites, and a perfectly appropriate string to include in an IM discussion.

Re:.INFO (1)

SRA8 (859587) | more than 7 years ago | (#20122499)

Ah...no wonder these .info domains sell so cheap...!

.com (2, Funny)

Anonymous Coward | more than 7 years ago | (#20121217)

Do they block those scary executable .com files too?

MSN does some weiiiiiird things... (5, Interesting)

jez9999 (618189) | more than 7 years ago | (#20121223)

Here's one it started doing since the recent MS security drive. Any file that could possibly exploit a hole in any piece of software seems to be treated with serious suspicion. Somehow, this seems to include GIF files. So, when someone tried to send me a GIF file, I get this warning [game-point.net]. I download it anyway, and it's sitting on my hard drive. I can copy it somewhere else, open it, etc.

However - and this is the kicker - when I click on the blue link to the file in the MSN chat window, I get this dialog [game-point.net]. Yeah, it actually DELETED the file I just downloaded. After I copied it using Explorer. And I have full access to it. Dunno who implemented that piece of genius.

Re:MSN does some weiiiiiird things... (1)

sentientbeing (688713) | more than 7 years ago | (#20121399)

That Microsoft crackden 'feature' is one big pain in the ass! Damn. The hassle I've had with that fucking policy. How do you turn it off?

Re:MSN does some weiiiiiird things... (2, Funny)

tepples (727027) | more than 7 years ago | (#20121817)

That Microsoft crackden 'feature' is one big pain in the ass! Damn. The hassle I've had with that fucking policy. How do you turn it off?

One way is to install Ubuntu, but it's not for everyone.

Re:MSN does some weiiiiiird things... (2, Insightful)

gardyloo (512791) | more than 7 years ago | (#20121853)

Yep, that's astoundingly annoying. IIRC, you can do a "Save To..." instead of allowing MSN to choose where to save it. Then it doesn't get deleted.

Re:MSN does some weiiiiiird things... (1)

snillfisk (111062) | more than 7 years ago | (#20122563)

My MSN Messenger currently thinks that all MP3-files should be treated that way.. Quite ingenious the first time someone sent me some music they've made and voilà, all gone after the transfer (because we all know how fast MSN Messenger is at sending files)..

This issue was brought to my attention a while back when they blocked _all_ links containing download.php. Yep. Not sure if they still do that, tho.

So... (1)

Perseid (660451) | more than 7 years ago | (#20121357)

...as a web developer I need to find a new IM service? Great move. :P

And if they didn't (2, Insightful)

nurb432 (527695) | more than 7 years ago | (#20121361)

The first person that got infected with something would bitch that Microsoft didn't do enough.

Not that I'm fond of them either, but it seems they can't win either way these days.

Re:And if they didn't -- feeping creaturism (1, Interesting)

Anonymous Coward | more than 7 years ago | (#20122277)

These vulnerabilities come from creeping featurism. It's better for their business model to have all these neat features, even if no one uses them. Everyone who upgrades is hoping for bug fixes, not new features, but M$ themselves have said of course they like the current model that keeps the bucks flowing without them having to make this stuff safe or even work correctly. They know people are looking for fixes, but not providing them is what keeps the suckers on the treadmill of upgrades. Hey people -- software doesn't really wear out or anything like that, especially well written stuff.

Some decisions made a long while back make it virtually impossible for them to make all this safe in any normal meaning of the word. OLE (then ActiveX and then COM) come to mind, as well as the ability of any app to broadcast messages (including "shut down now" or "eat all this data") make it impossible to make things safe unless they are disabled. There go all the "features" so it isn't going to happen.

M$'s approach to "security" included for example, breaking DOS on Win2k in SP2 as it had access to hardware and therefore was unsafe. Never caused us a problem as we were always careful. But -- to replace our old but perfectly serviceable DOS CAD software would have cost over $20,000. So we now run it in Linux under a DOS emulator. And we're pitching Windows completely out of our shop as it becomes possible -- we still keep a few dual-boots around to support Windows software we've written for customers but we boot to Linux by default and choice.

At least in Linux, when there's a feature, it was thought out re too-easily-installable insecurities. There's more than one way to do it, in nearly every case.

Just tried it... (-1, Redundant)

Gordonjcp (186804) | more than 7 years ago | (#20121373)

... and sure enough, the strings mentioned in the article get blocked. Gaim returns "Message could not be sent because a connection error occurred:" and the offending message.

Losing battle... (1)

MalHavoc (590724) | more than 7 years ago | (#20121379)

It's pretty much impossible to block everything. If someone really wants to send you a link to something that will infect (or try to infect) your computer, there are tons of ways to do it. The tinyurl example has already been mentioned, but every single Apache server out there comes with things like mod_rewrite or Redirect directives that can send innocuous URLs to the intended malicious URL. In the case of mod_rewrite, you can do it without even changing what the browser displays, so users don't even know they evaded (or didn't, as the case may be) an infection attempt.

At least they're doing something (4, Informative)

Deathlizard (115856) | more than 7 years ago | (#20121401)

Personally, I'd rather they fix the vulnerabilities that make those strings dangerous in the first place

At least they're trying something (albeit a weak approach) to stop automated scripts from sending viruses all over their chat protocol.

When you work on 1000+ college student laptops, you learn a lot of things about software students use in general, and one of these things you learn is:

1) AIM is a Virus downloading service disguised as a chat protocol.

I know that AOL doesn't do this on purpose, but it is so easy to hack that it might as well be. It's great when a 12 year old downloads a virus that infects Aim thinking it was some game (probably from AIM I might add), it sends "Hey check this out!" to his sister at the college containing an infected link or program, and the next thing you know you're running Aimfix and cleaning Zlob off on 300 PCs.

If Aim would simply filter out the bad traffic (and they should be able to know if a client is spamming the servers like crazy by heuristics alone) it would stop a lot of scams dead in their tracks.

Old news! (3, Informative)

Stormx2 (1003260) | more than 7 years ago | (#20121423)

This has been known about for years. Here's a digg posting [digg.com] from over a year ago...

Office Communicator (1)

pboyd2004 (860767) | more than 7 years ago | (#20121465)

.... does the same stuff. I try to send a coworker the name of an exe or a dll and it shoots back that my message could not be sent. So even in a closed corporate environment stuff like this happens. Of course there probably is a way to turn that off at the server side, but our IT department has better things to do like hunting down copies of WinRAR and send us threatening emails because "WinZip is our corporate standard compression tool."

Re:Office Communicator (0)

Anonymous Coward | more than 7 years ago | (#20121631)

our IT department has better things to do like hunting down copies of WinRAR and send us threatening emails because "WinZip is our corporate standard compression tool."

So, what do you do when external vendors/customers send you .rar files? RAR is much less popular than .zip, but it does happen. Call up and annoy the IT department?

If you wanted to be BOFH-ish, get someone to start sending all attachments in .rar format. After 50 support calls, and document all the time you are wasting due to IT policy, I'm sure a steering committee will start a focus group to allow the use of unrar.

Devil's Advocate (1)

MrNonchalant (767683) | more than 7 years ago | (#20121503)

It's probable that they're seeing a lot of automated traffic with these URLs. They know for sure that these are malicious networks and they're spreading on their IM client. Maybe they already patched the vulnerabilities, but these are people who have (apparently) not set auto update to work. Maybe they plan to fix it in the next roll-up but need a stopgap in the meantime. It's not hard to imagine an ethical scenario where you pretty much have to block that traffic. Now the question becomes how. I'm not sure I agree with the silent blocking or the indiscriminate targeting like .info, but the very fact that they're blocking known attack vectors I don't think is a bad idea.

All the more reason to use Jabber/XMPP (2, Informative)

MysticOne (142751) | more than 7 years ago | (#20121543)

You can set up your own server, you can control your own IM stuffs, and really ... it's just a better solution. You could still go with GTalk if you want access to the Jabber network without setting up a server or doing anything fancy, but in that case I'd recommend encryption for your conversations (you should probably do that anyway). If you just want to set up a new Jabber account on one of the public servers, head on over to jabber.org [jabber.org] and pick one out.

spying (1)

hey (83763) | more than 7 years ago | (#20121585)

I wonder if MSN also spies on users. Do they have keywords in place to log messages related to possibly competing products, etc?

Oh please. (2)

arcade (16638) | more than 7 years ago | (#20121783)

Anyone who knows me knows that I haven't used windows since 1999. I simply can't stand the system, nor can I stand the corporation behind it.

However. I'm also interested in computer security.

It _MAKES SENSE_ to block stuff that has been observed in automated worms. It's a simple solution. It's not something that will make all systems invulnerable - but it _MAKES SENSE_. It's a quickfix. A quickfix that works.

This is only "censorship" insofar that it actually prevents stupid automated worms to spread. It's a defensive measure. Not a perfect one, but one.

Oh, and patching the holes. Sure. You can patch the holes. Then everyone has to update .. should we try to protect, or should we ignore those that do not upgrade their systems? The cynic in me tells me : "Let them be cracked". The humanitarian in me tells me: "Well, think of the victims of the DDOS attacks from the botnets of previously-vulnerable people".

I'm dead tired of _idiots_ who think that any preventative measure is evil! censorship! bad!

Microsoft is simply trying to help in this case. If you do not like it, use another IM service. Like Yahoo! .. or IRC for that matter. Heck. PLEASE go back to IRC. It's still the best means of communication there is.

So, please you censorship-screaming morons:

SHUT UP! STOP USING THEIR SERVICE IF YOU DO NOT LIKE IT. THEY ARE TRYING TO DO THE RIGHT THING IN THIS INSTANCE !

*phew*. Now I have to go wash my brain. I've just defended satan.

Re:Oh please. (1)

Zaknafein500 (303608) | more than 7 years ago | (#20122249)

Generally speaking, I agree with you. Unfortunately, as has been demonstrated in the article, the filtering can be avoided by countless methods of obfuscation. Thus, it's not really accomplishing anything at all.

Before calling everyone morons... (1)

_Shorty-dammit (555739) | more than 7 years ago | (#20122317)

perhaps you should consider exactly why it is that you think IRC is the best means of communication. Seriously? You think IRC is the best means of communication? No wonder I have so much trouble communicating with someone by going up to them and talking to them in person. I should try using IRC next time. Communication always works so much better when there's no pesky voice inflections or body language to deal with, and when there's things like network lag or netsplits. I find I always get my point across when the other person sees half of my message 5 minutes later, and then I disappear in the netsplit before getting the rest of my thought out. You're right, IRC is the best.

Re:Oh please. (1)

BenoitRen (998927) | more than 7 years ago | (#20122601)

PLEASE go back to IRC. It's still the best means of communication there is.

If you like to see tons of users idling, sure.

Fix what? (4, Insightful)

defile (1059) | more than 7 years ago | (#20121797)

Personally, I'd rather they fix the vulnerabilities that make those strings dangerous in the first place: it's not like IM is the only place a URL can get on your machine.

Someone want to tell me how you fix a user who downloads and runs untrusted executable code?

I've seen plenty of Linux n00bs get tricked into running rm -rf /. Or lynx -source example.com | sh

MSN implementing filters on certain strings is just a small measure in a huge arms race any major IM system has to deal with.

PS. You can save yourself the trouble of replying if you're going to tell me Linux only allows the user to destroy all of his files and not the entire OS.

Not Just MSN (1)

eegad (588763) | more than 7 years ago | (#20122131)

Amazingly enough, I just discovered this bug in Lotus Sametime a couple of days ago. Whenever I sent a message with a filename ending in .scr, it sent a blank line to the recipient instead. I haven't verified with any of the other identified strings. Maybe there's a common piece of crapware they're both using?

Another blocked keyword? (0)

Anonymous Coward | more than 7 years ago | (#20122181)

I ran into this problem a few months back, trying to paste the url http://www.scrapheap-challenge.com/ [scrapheap-challenge.com] to a friend of mine. Absolutely refused to send unless I put a space in there somewhere.
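
The false positive in the comment above (the `.scr` inside `www.scrapheap-challenge.com`) and the percent-encoding equivalence quoted at the top of the thread both come from matching raw substrings. The following is an added example, not part of any poster's comment and not MSN's actual filter: a substring filter beside one that parses each URL, decodes its path and matches on the file name. The blocklists, function names and sample messages are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed blocklists modelled on the strings named in the thread.
NAIVE_SUBSTRINGS = (".scr", ".info", "download.php")
BLOCKED_EXTENSIONS = (".scr", ".exe")   # matched against the file name only
BLOCKED_FILE_NAMES = {"download.php"}

URL_RE = re.compile(r'https?://[^\s<>"\[\]]+', re.IGNORECASE)

def naive_block(message):
    """Substring match over the raw message, as the comments describe."""
    lowered = message.lower()
    return any(s in lowered for s in NAIVE_SUBSTRINGS)

def canonical_path(url):
    """Return the URL path, percent-decoded until stable and lower-cased."""
    path = urlsplit(url).path
    for _ in range(5):                  # bounded: handles double encoding
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.lower()

def structured_block(message):
    """Block only when a URL's decoded path ends in a blocked file name."""
    for url in URL_RE.findall(message):
        name = canonical_path(url).rsplit("/", 1)[-1]
        if name in BLOCKED_FILE_NAMES or name.endswith(BLOCKED_EXTENSIONS):
            return True
    return False

# Constructed sample messages: (text, what the case exercises)
SAMPLES = [
    ("http://www.scrapheap-challenge.com/", "host name contains .scr"),
    ("docs at http://example.info/faq", ".info is only the TLD"),
    ("http://evil.example.com/download.php", "plain blocked name"),
    ("http://evil.example.com/down%6Coad.php", "same URL, one escape"),
    ("http://evil.example.com/saver.scr?x=1", "blocked extension"),
]

def compare():
    """Return (naive, structured) verdicts for each sample."""
    return [(naive_block(text), structured_block(text)) for text, _ in SAMPLES]

if __name__ == "__main__":
    for (text, why), verdicts in zip(SAMPLES, compare()):
        print(verdicts, text, "-", why)
```

Neither filter sees where a shortened or server-redirected URL finally lands, which is the limit the tinyurl and mod_rewrite comments in this thread point out.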

Frost pI5t (-1, Troll)

Anonymous Coward | more than 7 years ago | (#20122213)
