Privacy Communications Microsoft

MSN Censors Your IM

Jamie ran across a story about censorship on MSN. Essentially, a number of suspicious strings result in silent failure of delivery. The strings are unsurprisingly things like .scr and .info. They've started maintaining a list if you're interested. Personally, I'd rather they fix the vulnerabilities that make those strings dangerous in the first place: it's not like IM is the only place a URL can get on your machine.
This discussion has been archived. No new comments can be posted.

  • by Aladrin ( 926209 ) on Sunday August 05, 2007 @10:10AM (#20120965)
    "Nothing for you to see here. Please move along."

    I'm guessing they're using that as a way to make sure only subscribers can get first post now? It wouldn't load for me until someone had posted.

    As for the IM... I don't care what it is, it's not their job to censor it. Virus check attachments, sure... But not censor the chat. Absolutely ridiculous. Reminds me of games that try to filter out all 'bad' words and end up filtering out words like 'fanny' because they mean 'butt' in the US and apparently refer to women's genitalia in the UK. How people NAMED Fanny deal with that, I can't imagine. There were quite a few more commonplace words that mean odd things in other languages or countries and were filtered as well. Ridiculous.
  • I already knew some (Score:4, Interesting)

    by alx5000 ( 896642 ) <alx5000&alx5000,net> on Sunday August 05, 2007 @10:22AM (#20121083) Homepage
    Since the day I became almost crazy when I was trying to pass a URL which included 'download.php?' to a friend from a well trusted website. All of my messages sent back to me. PITA.

    Fortunately, it's kinda easily fooled if you randomly place a space and add "delete the space" at the end of the sentence. If they trust me in the first place, what prevents them from copy-pasting it and deleting a character as I requested?
  • by jez9999 ( 618189 ) on Sunday August 05, 2007 @10:38AM (#20121223) Homepage Journal
    Here's one it started doing since the recent MS security drive. Any file that could possibly exploit a hole in any piece of software seems to be treated with serious suspicion. Somehow, this seems to include GIF files. So, when someone tried to send me a GIF file, I get this warning [game-point.net]. I download it anyway, and it's sitting on my hard drive. I can copy it somewhere else, open it, etc.

    However - and this is the kicker - when I click on the blue link to the file in the MSN chat window, I get this dialog [game-point.net]. Yeah, it actually DELETED the file I just downloaded. After I copied it using Explorer. And I have full access to it. Dunno who implemented that piece of genius.
  • by KingSkippus ( 799657 ) * on Sunday August 05, 2007 @11:35AM (#20121739) Homepage Journal

    No, they specifically blocked firefox.exe. It wasn't part of a regular expression or policy to keep people from running their own programs. They made a deliberate and conscious choice to not only standardize on Internet Explorer as the Official Company Browser(TM), but to try to prevent anything else from even working.

    It's not the only time they've done something lame-ass like that. For example, they've also created an Active Directory policy to push down the corporate intranet page as your home page. So if you're like me and prefer something like Google as your home page, too damn bad, it resets it next time you log in. I had to go in and deny permission to that registry key for Administrators to keep that from happening. (Yes, I know, they can reset the permissions on the key if they figure out what I've done, but they're not that motivated, and the point was to keep the automatic update from happening, which this does successfully.)

  • by Anonymous Coward on Sunday August 05, 2007 @12:26PM (#20122277)
    These vulnerabilities come from creeping featurism. It's better for their
    business model to have all these neat features, even if no one uses them.
    Everyone who upgrades is hoping for bug fixes, not new features, but
    M$ themselves have said of course they like the current model that keeps
    the bucks flowing without them having to make this stuff safe or even work
    correctly. They know people are looking for fixes, but not providing them
    is what keeps the suckers on the treadmill of upgrades. Hey people -- software
    doesn't really wear out or anything like that, especially well written stuff.

    Some decisions made a long while back make it virtually impossible for them
    to make all this safe in any normal meaning of the word. OLE (then activeX and then COM)
    come to mind, as well as the ability of any app to broadcast messages (including
    "shut down now" or "eat all this data") make it impossible to make things
    safe unless they are disabled. There go all the "features" so it isn't going
    to happen.

    M$'s approach to "security" included for example, breaking DOS on Win2k in SP2
    as it had access to hardware and therefore was unsafe. Never caused us a problem
    as we were always careful. But -- to replace our old but perfectly serviceable
    DOS CAD software would have cost over $20,000. So we now run it in Linux under
    a dos emulator. And we're pitching windows completely out of our shop as it becomes
    possible -- we still keep a few dual-boots around to support windows software we've
    written for customers but we boot to Linux by default and choice.

    At least in Linux, when there's a feature, it was thought out re too-easily-installable
    insecurities.
    There's more than one way to do it, in nearly every case.
  • by EXTomar ( 78739 ) on Sunday August 05, 2007 @12:27PM (#20122283)
    ...that MSN allows the user to run things it never should. Or in other words, one should reasonably expect that using MSN Messenger won't screw up their machine. You should be able to feed it any number of URLs from anywhere, trusted or untrusted sources, and it shouldn't do anything bad let alone second guess whether or not the information sent is "good" or "bad". Here is a hint: Untrusted data sources serve untrusted data. Why does Microsoft consider it a feature that MSN Messenger blindly run any files fed to it? And "asking for confirmation" is not sufficient.

    Having any IM program make it so easy to run applications from questionable sources is not a secure feature let alone the debate whether or not it is a good one. Asking "Run this? Yes/No" doesn't make the feature any better. Why do people keep thinking it is? MSN Messenger shouldn't be doing this period where the "fix" of filtering on "bad data" by extension is laughable.
  • by Dragonslicer ( 991472 ) on Sunday August 05, 2007 @12:47PM (#20122513)

    Still, the administrator of a server running PHP 5 can get scripts to run without having .php in the URL by using various forms of content negotiation [apache.org]:
    Another option is to use the AddType directive to have other file extensions run through the PHP interpreter. If you don't have any static pages on your site or can accept the minor performance hit, you can send all .html files through PHP.
  • by RAMMS+EIN ( 578166 ) on Sunday August 05, 2007 @03:34PM (#20124071) Homepage Journal
    ``Do you really think they're diverting resources away from fixing bugs so that they can add "censorship" features to IM?''

    Yes.

    ``Perhaps this is just one effort among multiple efforts to correct problems AND mitigate their effects?''

    That sounds almost reasonable. Except that it implies that Microsoft actually makes a serious effort to fix the security holes they've saddled their users with. I had some hopes that, with Vista, they had actually started down that road, but these hopes have since been thoroughly dashed. Microsoft aren't and have never been serious about the security of their users.

    This is not part among "multiple efforts to correct problems AND mitigate their effects", this is a lame cop-out.

    ``If it's going to take X weeks to fix the bug, but Y days to implement a filter that will stop some large percentage of infections, don't you think that both avenues are worth exploration at the same time?''

    Yes, but that's not what's happening. What's happening is that Microsoft is censoring their IM service. I believe this is in a sincere effort to slow the spreading of malware over MSN, but that doesn't mean it's a Good Thing. For one thing, it also degrades the usability of the service for legitimate purposes. For another, it doesn't _actually_ stop the malware. What it does is erect some barrier. In that sense, it's not very different from the bazillions of "Are you sure?" dialogs that Microsoft software is full of. Except that these dialogs _could_ actually help educate users, if said users would bother to read and learn. Blocking certain messages just annoys legitimate users of the service. The filter will be bypassed. After that, everything is as it was, except less usable. And in the meantime, Microsoft introduces new security holes and lets other holes linger.

    Oh, and did you realize that this censoring (which really has been going on for months if not years now) can also be used as a stepping stone to censoring things that Microsoft considers harmful, even if the users would likely find them bona-fide? I've already had several of my messages blocked by the filters, and I assure you they did not in any way relate to malware. Perhaps a few cases of open-source software, though.

    ``There's more to slowing and preventing the spread of malware than fixing the defect that allows them to propagate.''

    Sure. And I do believe this is a sincere effort to protect MSN users. I just think the cure is worse than the disease.
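The two complaints raised in the comments above (legitimate messages silently dropped, and the "add a space" workaround) can be measured rather than argued. The following is an added example, not code from the thread or from Microsoft's filter: it assumes a plain substring match, uses only the three strings named on this page as its blocklist, and scores it against constructed sample messages.

```python
# Constructed blocklist: only the three strings named on this page. The real
# filter's list is not reproduced here, and substring matching is an assumption.
BLOCKED = (".scr", ".info", "download.php?")


def is_dropped(message: str) -> bool:
    """Model the described behaviour: a message containing any blocked
    string is silently not delivered."""
    lowered = message.lower()
    return any(token in lowered for token in BLOCKED)


# Constructed sample traffic: (message, is_unwanted). example.org and
# example.net are reserved documentation domains, not real indicators.
SAMPLES = [
    ("lunch at noon?", False),
    ("my .screenrc is in http://example.org/dotfiles", False),
    ("notes are in http://example.org/release.info.txt", False),
    ("driver is at http://example.org/download.php?id=7", False),
    ("new pics! http://example.net/photos.scr", True),
    # The workaround described in the thread: a space plus an instruction.
    ("new pics! http://example.net/photos. scr (delete the space)", True),
]


def score(samples):
    """Return confusion-matrix counts for the filter over labelled samples."""
    counts = {"tp": 0, "fp": 0, "fn": 0, "tn": 0}
    for message, unwanted in samples:
        dropped = is_dropped(message)
        if dropped:
            counts["tp" if unwanted else "fp"] += 1
        else:
            counts["fn" if unwanted else "tn"] += 1
    return counts


def rates(counts):
    """(share of legitimate messages dropped, share of unwanted ones missed)."""
    fp_rate = counts["fp"] / (counts["fp"] + counts["tn"])
    miss_rate = counts["fn"] / (counts["fn"] + counts["tp"])
    return fp_rate, miss_rate


if __name__ == "__main__":
    c = score(SAMPLES)
    print(c, rates(c))
```

On this constructed set the filter drops three of four legitimate messages and misses one of two unwanted ones, which is the trade-off the commenters describe.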
  • Full list (Score:2, Interesting)

    by marcansoft ( 727665 ) <hector AT marcansoft DOT com> on Sunday August 05, 2007 @09:59PM (#20126501) Homepage
    kakaroto from the amsn project somehow obtained the full censored regexp list. There are about 90 in total.

    http://www.amsn-project.net/forums/viewtopic.php?t=157&postdays=0&postorder=asc&start=30 [amsn-project.net]
  • by KingSkippus ( 799657 ) * on Sunday August 05, 2007 @11:34PM (#20126933) Homepage Journal

    Odds are we know better than you...

    Maybe, but I kind of doubt it. I was a NT server support person for a couple of years, then a systems admin (and a damned good one, if I do say so myself) for almost a decade. I've fought my fair share of battles, and my background is precisely why I know how to get around most of the shit they keep trying to push down to my workstation.

    Some higher up executive, though, decided to bring it up... (blah blah blah)

    Did you try to fight it? Did you tell your manager, "This is a bad idea, and here's why..."? Like I've said, I've fought my fair share of battles. I haven't won them all. I had to delete Solitaire and Minesweeper at a smaller company I worked at because, as my boss said, "I hate those stupid timewasters." However, when he had a meeting to tell us that he read that you could lock down the desktop background image, I explained to him why that was a bad idea, and actually won that battle.

    At my last job before the one I have now, I was the manager of server operations. I hate to say it, but my boss was a complete idiot who didn't know a thing about managing an IT department. It was ridiculous, and on more than one occasion, I found myself in the CFO's office (his boss) explaining why what my boss had told him was a load of hooey. I ended up quitting because I literally was afraid that I would be prosecuted at some point for something my boss would make me do and pinned on me as a scapegoat, and a few months later, he was finally fired because he screwed up a license scheme and it cost the company over $100 thousand (a LOT of money for that company). While I was there, I actually deliberately disobeyed him on many occasions when he asked me to do things that were illegal and/or unethical.

    But the desktop goobers where I am now? They don't just implement management's decisions. Believe me, I've talked to them on many occasions, and they actually defend what they've done. I know for a fact that they are the ones who are instigating a lot of this crap, because in my company, it's how you get ahead; you lead a project that costs hundreds of thousands of dollars and put together reports about how well it went. What? There isn't a project involving spending hundreds of thousands of dollars? Then you make one up.

    So yeah, I guess I am one of those users. As a matter of fact, I do know more than most of our IT folks about how these systems work. And if they stand in the way of me doing my job, I'll go around them without an iota of guilt because frankly, what I'm doing is much more important than them locking down my home page and desktop background.
