Earthstation5 Responds to Malware Claims

Zip In The Wire writes "Random Nut, AKA Shaun Garriok, the Author of Kazaalite, has been a vocal critic of Earthstation5 because of a continual online insult war between himself and some rowdy Earthstation5 fans. This has motivated him to be extremely critical of Earthstation5." (We reported yesterday Garriok's claims that Earthstation5 contains spyware.) "We at Earthstation5 desire and request criticism at any time in fact we demand it as we believe that is the only way to make software truly superior." Read on for the rest of Zip In The Wire (Filehoover, ES5's lead programmer)'s explanation, in which he also points to an updated version of the software, and challenges all takers to find spyware within it.

"We at Earthstation5 are not perfect, but we acknowledge that Shaun Garriok might be and thank him for helping us root out bugs.

The problem with the Earthstation5 software that Shaun Garriok found truly exists; however, the sordid motives he attributes to Earthstation5 are incorrect. The following functions were put into Earthstation5 to allow automatic, remote upgrade of the Earthstation5 software.

These functions are:

1. Reload Earthstation5
2. Shutdown Earthstation5
   
3. Delete a File

All of these functions are necessary to perform when upgrading software.

We have long been admirers of Shaun Garriok's ability to superbly investigate even a fully compiled program. We believe that he is capable of finding ANY sort of trojan, worm, or bug inside a compiled program. We are relieved that all he could find was these remote upgrade functions. He didn't find any bugs that send user data anywhere, no spyware, no adware, nothing, in fact, that gives away any personal information about the user using Earthstation5.

It is also a fortunate fact that since Earthstation5 protects you from the RIAA lawsuits and hackers by hiding your ip address, the exploit program he wrote can only be used against your own computer, which he states in his exploit. If you want to delete files from your own computer, we feel you have the right to do that.

We are glad he found this bug and pointed it out. We completely removed the automatic software upgrade code because as it turns out automatic upgrade is no longer popular as it once was because it gives people an uneasy feeling and rightly so.

Since Shaun Garriok seems to be concerned about everyone's security, and is not on a personal quest for revenge, we would be grateful if he would download the latest Earthstation5 (version 1.1.31), and verify that we have truly removed the remote-update function which his exploit program accessed. We think his dedication to the good of all concerned would motivate him to do this. Anyone else who is concerned can do the same; download the latest Earthstation5 and test the exploit code against it.

-- Filehoover, Lead Programmer of ES5."

I'm surprised

that these people are based in the middle east... their statements have a certain nigerian ring to them.

I WISH THIS MY PROPOSAL WILL NOT COME TO YOU AS A SURPRISE... I CRAVE YOUR INDULGENCE AS I CONTACT YOU IN SUCH A SURPRISING MANNER. BUT I RESPECTFULLY INSIST YOU READ THIS LETTER CAREFULLY AS I AM OPTIMISTIC IT WILL OPEN DOORS FOR UNIMAGINABLE FINANCIAL REWARDS FOR BOTH OF US...

# Important Stuff: Please try to keep posts on topic. # Try to reply to other people's comments instead of starting new threads. # Read other people's messages before posting your own to avoid simply duplicating what has already been said. # Use a clear subject that describes what your message is about. # Offtopic, Inflammatory, Inappropriate, Illegal, or Offensive comments might be moderated. (You can read everything, even moderated posts, by adjusting your threshold on the User Preferences Page)

Well?

The original exploit was a method that let anybody delete any arbitrary file from your PC? Could it have just been a poorly implemented version of the "we need to delete specific files" thing mentioned above?

I've seen worse things put into code on purpose, I might be able to accept this was a mistake, who knows?

But I've also heard rumours they've been behind some DDOS of good people. That might make be question their motives.

Either way, whenever you install anything that you didn't compile and read and understand every line of the source yourself, you are just deciding to trust whoever wrote it.

This was addressed yesterday...

On the full-disclosure list. It seems that after ES5 found out people had discovered the malware contained in it. They decided to upload a new version which will probably have those functions taken out. I see this as a suspicious move and would be very hesitant to use any of their software myself.

Adults or children?

If the tone of that statement wasn't so sarcastic and flippant I might feel that RandomNut may have jumped the gun, but ES5 isn't making any more friends by being immature and insulting.

Delete file is not required remotely to upgrade

I am very suspicious of the claim that REMOTE deletion of a file is required when updating the software.

To me, this sounds like damage control, not an honest representation of why that code was in their program. Until the company that makes Earthstation comes up with a plausible explanation for what that code was doing in their program, I will regard Earthstation software as suspect.

How do you not notice (elipsis)

How do you not notice that being able to delete files remotely is a problem? Isn't that just about the most obvious thing ever?

Here is why I care, but it does NOT affect me...

I use VMWare. I have one VMWare image just for P2P, of WinXP Pro with Norton, Adaware, Sygate Firewall, and Spybot. Inside this VMWare session, I have KazaaLite, Bearshare, eMule, and a half dozen other P2P apps. They can do whatever the fuck they want, because when I shut down my VMWare image all changes are discarded. Every time I boot up the image, I have my fresh, clean install of all my apps. After downloading, I scan the hell out of files, and if good, I'll FTP it to the main box and scan again. I leave internet open for the vmware image, because the firewall will tell me about anything dialing out as nothing has permision and every connection must ask. IMO this is the ONLY way to use P2P safely. My main box has NOTHING P2P on it. It's all inside the VMWare session.

:)

Re:Here is why I care, but it does NOT affect me..

Unfortunately, sir, you are a leech if you do that.

I am not trying to flame, but that's what the RIAA is trying to do: Make people afraid to share. If that happens, then the networks will die themselves. The RIAA doesn't give a flying fuck about downloaders, the same way cops don't really care about petty drug users. They both know that you must cut off supply.

Not afraid to share, afraid of the apps' authors!

I am not afraid to share. I just don't want Bearshare installing some 3rd party marketing tracker type stuff on my box. I guess I'm wearing a tin foil hat, but this one is easy to wear.

Hiding IP Address

"by hiding your ip address" they claim that this is not exploitable?

Somone scans a network of cables users, and sends them all the packet and command to delete boot.ini. How does 'hiding' your IP address help?

If they have the feature in for automatic updates (unsigned), then clearly they expect to be able to connect to it using, what else, an IP ADDRESS, "hidden" or not.

Hard to beleive they have 15 million folks on at the same time.

Re:Hiding IP Address

I think they are implying that hiding your IP in the GUI makes it safe. It's based on the theory that RIAA spies are sitting around with copies of P2P apps and a notepad writing down IPs.

In all honesty I really don't care if there is code that allows remote deletion of a file in ES5. I refused to use it long before this. Ignoring the horribly ugly GUI, there are still many other concerns. Who guarantees the proxies you use are safe and don't keep logs? Can't the RIAA's enforcers set up a bunch of "anonymous" proxies and advertise their presence on IRC, Usenet, and other file sharing circles? How is spouting propaganda about hiding the IPs in the GUI supposed to make me think you know jack about network security? Being based in such an unstable area may help protect the company and/or developers, but that doesn't say anything about the users. With the developers constantly taunting copyright enforcers, how long will it be before they start targeting users? An over inflated sense of security is the worst enemy of P2P users. Encrypted data transfers don't mean anything. The enforcers don't sniff packets anyway. All they do is download a shared file, verify it's copyrighted, and issue a subpoena. If they can't get past the proxy, they will just have it taken down. Just pray that it didn't keep some sort of log. Eventually, the only operating proxies will be so obscure, distant, slow, or overwhelmed that nobody will use them and he network would slow to a crawl. The only decent servers will be RIAA honey pots. All this because some developer got cocky and started running his mouth.

One question

Before the usual Palestinian - Isreali flame war gets going, I would like to ask just one question:
Does anyone use Earthstation and how does it compare to the other p2p networks?

Re:One question

I tried it out a while ago, and it sucked. Besides the horrible GUI and the constant "We're Israeli, Palestinian, Jordanian..." messages, the results for even common files were poor. The same searches on Kazaa yielded better results in my evaluation, which is ironic, because ES5 claims they have 3 or 4 times more people at any given time.

I admire their explanation...

...and it does seem believable. Random_Nut's comments with the exploit paper were a too influenced by his personal opinion....

Anyway, ES5 has a *baaaad* name and this last exploit is by far not the only reason of it.
Their claims of having zillions of users online(ever tried to use it???Well, not *exactly* true.), the chat snippet about DoS-ing bittorent sites(What kind of looser would do that???). A couple of "spammers" posting on the "concurrent" p2p tools boards.....
To conclude... ES5 has never been an option for me, and even if their claims on absolute privacy are a nice dream, I prefer sticking to Klite and Bittorent experimental.

Do End Users Want These Features (tm)

Do users even want vendors to update their software remotely. I know if I want an upgrade, I much prefer to have to expicitly install the upgrade, rather than let the contents of my harddisk to the mercy of sales and marketing.

I'll accept that they've held up their hands and said sorry, and claimed it was only there for upgrading.

On the other hand, it would be very useful in a defense against a piracy lawsuit.

"I would like to point out that the defendant was not always in control of his computer, at several stages various software vendors took control and upgraded their software."

How can the RIAA prove that Earthstation5 didn't download those MP3s during an upgrade when you weren't in control of your computer.

IP Address Obfuscation

It is also a fortunate fact that since Earthstation5 protects you from the RIAA lawsuits and hackers by hiding your ip address

If you are establishing connections to a remote machine, there is probably a method by which an individual can determine your IP address. "Intermediary proxy servers" are susceptible to compromise, too.

ES5 Other Employees Comments

Just so ES5 PR doesn't get to have the only spin, perhaps people should see how other employees reacted to it such as:

I think its pretty fucking pathetic that he made a crack instead of a patch, so like I said, if I were him, I'd look behind my back. You attack me or my users, and yes, I will send people to your front door. I dont fuck around because the responsibility that I have to my users does not allow me to fuck around. Rules changed, and he probably doesnt know how to play them. My identity is sealed, so again, he doesnt know who his enemy is. He is not anonymous nor is his family.

This guy wants a patch to a closed application and would not listen to any one about exploits as the don't want to pay the $50,000 they would give to anyone finding an exploit. This guy posted Shaun's home address in the ES5 forums and threatened his family life.

This is thier network admin doing this, would you trust him with your IP and thier fancy anonymous security? If they want to keep any standing, at a minimum they need to fire that guy as his comments.. well I just don't trust him and in most places threats like he made are illegal.

Re:ES5 Other Employees Comments

The forums can be accessed at http://formus.es5.com [es5.com]. It requires a username/password; I set up an account with u/p slashdot/slashdot, and that should work.

The quote in question is from the user "SharePro" in the thread "Danger do not use ES5, ES5 too easy to hack"; at present, it's on page 36 of the thread and it's the fourth post from the top. I can't find the home address of Random_nut (the person being berated by this fellow SharePro, a person who has 2666 posts on the EarthStation5 boards and is in "Group: Admin"); but one user has the address in his/her .sig - search for "Shaun AND Aberdeen" to see what I mean.

For context, here is the whole message (I have emboldened the part quoted by AC):

QUOTE (spinkmonkey @ Oct 3 2003, 06:58 PM)
If he had told you about the vulnerability you would have denied it and (like you have now) secretly modified the installer, I think that much is perfectly obvious to anyone. What he's done isn't about being good for ES5, in fact your right its completely the opposite, its good for the ES5 USERS because no one will trust this program anymore. Posting his details is the lowest of the low, quite frankly you are scum

You obviously dont know me very well if you think I am the type to deny shit. I have answered much more harder questions.

Obviously (and you can quote me), if I know about a breach in security, then its not an issue of denying it, its an issue of fixing it. Since now that Filehoover obviously got a message before I did, and its fixed, there is nothing to deny. I was not here today, and everybody on this board knows that I am here everyday, so if I wasnt here, then I WASNT HERE!

Should I just let the breach sit there and say "Hey everybody, here is a breach in security"? C'mon, you do have brains. So you really dont make sense. Filehoover may have re-compiled without that specific code, and not changed the build number. So what? What is your point? A cover up? What cover up?

I wasnt here today, and Filehoover isnt here now. It appears that he found out about it, and fixed it and now cased closed. ES5 is still the most securist P2P program.

Kazaa had an exploit not so long ago and it was also fixed that left their entire network vulnerable to be turned down. There is a difference between somebody hacking and something that was left over accidentily. Random Nut didnt hack ES5, all he did was see some extra code.

According to the build numbers he posted, he has spent months on this program and that is the most he can find? Code that is not in use and that was accidently left over? I would have expected more.

I agree and can be quoted as saying that it should not have been there. I WILL EVEN SCREAM THAT IT SHOULD NOT HAVE BEEN THERE. Deny? Wtf should I deny?

I think its pretty fucking pathetic that he made a crack instead of a patch, so like I said, if I were him, I'd look behind my back. You attack me or my users, and yes, I will send people to your front door. I dont fuck around because the responsibility that I have to my users does not allow me to fuck around. Rules changed, and he probably doesnt know how to play them. My identity is sealed, so again, he doesnt know who his enemy is. He is not anonymous nor is his family.

I have known who Random Nut is for a while. Did you know that Kazaa wants his address to sue the fuck out of him for manipulating their code and making a derivative out of it? I wouldnt give it to them because why should I? I'm not Random Slut, I dont fuck people simply to fuck them.

Did you know that the RIAA / MPAA wants his address to sue him? The list goes on including various law orgnizations. I wouldnt give it to the RIAA either because I hate the RIAA. I handle my own problems. But in reality, now that I am printing it, you can bet that it will appear everywhere by various people. I will also be printing pictures of him and

Show me the code!

This is all very nice, but if you want to convince me that EarthStation V is safe, show me the code.

Don't trust ES5 anyway...

...unless you can explain this. [slashdot.org]

Not that I'd trust that AC either, but be on your guard anyway.

moving along

To be honest and blunt... Who gives a rat's ass? Let's be realistic about something here; if someone purchased a product which injures you, or doesn't work to your expectations, what do you do? You get your money back and move on to another program. So what's the big deal here?

Firstly it's a free damn program, so it's not like nothing is lost unless someone is a moron knowing what they 'could' do, and still using the product.

FYI do you know how many times I see emails from companies like Symantec, Windows, and others who send emails about users on our network with the same serials... FYI I work at a mid sized ISP, and I'm sure other engineers (sys/network) can verify this claim. So why not ramble on about that type of spyware, where you spent something. Not about some cheesy p2p program of which you have umpteen million other free programs to choose from

Much Ado About Nothing?

There are all kinds of fanboys who either love a program or hate a program so much that they will claim that it has/does not have Malware in it when the opposite is true. Take GameSpy Arcade, for instance. There are people coming in all the time with claims that GSA has spyware in it when it really isn't there.

Why this is a story worthy of Slashdot confuses me in some ways. People make false claims all the time, and when it is one as inconsequential as this then why are we giving it so much attention? This looks like the demon-seed of a flame war if you ask me.

That is all.

Need to be able to delete files to upgrade?

The following functions were put into Earthstation5 to allow automatic, remote upgrade of the Earthstation5 software.

These functions are:
Reload Earthstation5
Shutdown Earthstation5

Delete a File
All of these functions are necessary to perform when upgrading software.

Hell no.

These guys should learn something about computer security. Funny that the same guys who're using a solution that screams "EXPLOIT ME" is developing some application that's supposed to be focused on extra security.

This is how to perform a teeny bit safer automatic upgrade:

- Server sends a packet containing a field that says it's an update packet, along with a version ID to update to, i.e. 110 for version 1.10 or whatever.

- Client receives packet and uses a partial client-side URL to the place where the new version can be downloaded. For example, the client could use the partial URL "http://www.es5.com/files/es", attach the received version ID (that is: "110") to the string, and finally the file extension, to form the URL "http://www.es5.com/files/es110.zip". The client then takes care of its shutdown, auto-install, and restart sequence.

Voila! Upgraded application without a RANDOM UNVERIFIED COMPUTER sending the CLIENT a message to DELETE something and it BLINDLY AGREES to. It's amazing that such poor programmers can even design something that compiles. Or are they hired by the RIAA to fool people into downloading their "new, cool and extra safe" application?

I wouldn't recommend anyone to download the DNS-faking "we-have-more-users-than-Kazaa" dudes' software.

Bwahahaha

This is a laught riot.

It is also a fortunate fact that since Earthstation5 protects you from the RIAA lawsuits and hackers by hiding your ip address, the exploit program he wrote can only be used against your own computer, which he states in his exploit.

• Broadband connection: $50
  
• 150GB Disk: $175
  
• Realizing your OS was wiped after trying to grab Britney's latest album: priceless!

There are some things money can't buy, for everything else, there's netstat -i

COINTELPRO

Go read about COINTELPRO and then realize that EarthStation 5 is the MPAA/RIAA version.

Feature proposal

When several reqests for a file comes in, a source sends it to someone with more bandwidth who then gives it out to the requesters. This has the added benefit of source cloaking.

You either love it or you hate it...

Has anyone read these [com.com] comments?

I love how all the positives sound almost the same. It's as if maybe 2 or 3 people (the people involved in ESV?) wrote all the positive comments. The negative comments speak for themselves.

OK Then

Open your code base up and we'll have a look.

Are these guys working for the RIAA?

This is the best reason I have found yet to delete all P2P applications off my system and never install one again.

Sheesh. Talk about inspiring confidence.

Hiding an IP address

Is this accurate? Isn't this built into IPv6 that most systems use today and if not, it is built into the older IP standards, all part of the TCP/IP layers. I thought you would have to modify the kernel to make it such that a packet sent to your computer could not be traced back. And even if you do remove that part of TCP/IP protocol, the very next hop will attach it's IP so your IP is never more than 1 hop away. I should read their methods first I guess (proxy servers?), but if you send it, someone, somewhere, can trace it back to you.

These idiots cant code.

These functions are: 1. Reload Earthstation5 2. Shutdown Earthstation5 3. Delete a File All of these functions are necessary to perform when upgrading software. You dont need "delete", you can just overwrite pre-existing files to upgrade.

Sounds like earthstation's stepping up at least!

I have never heard a company like Real, for example, come right out and say, "hey, our code does a, b, and c, and that's because we want the following relevant functionality." Huge, chocolate-coated kudos to Earthstation for having the cajones to just state what their supposed "spyware" is actually doing. If only other software makers would state what their software is up to (or perhaps just make the source open so we can figure it out), maybe there'd be less security scares!

Oh man this seems a bit weak as excuse go.

I mean, I programmed this last month a test tool application on a LAN network, and frankly I *DO NOT* need to have a delete file command in the client. I mean,the client pretty well know which files it has to update (it is included in the update message) and it launch an updater application in background and stop itself so as to allow the files to be deleted/copied.

This is one solution, and I am pretty sure bunch of people here can come with others. But having a delete command is certainly a loosy way to do that. Heck on the net it OBVIOUSLY means that you open the door to an attacked reverse engineering your app for bad purpose and allow it a nice way to wreak havoc on a system. Either their application E.S.5 is not that great as they are hypping it (haha), or they really are searching excuse for obvious malware. If this is the second option which is true, the next malware code will be hidden behind encryption and packet won't be easily decoded.

people go away from ES5. You will from now on have now way to determine if you are not installing a trojan on your computer UNLESS they give you the source code and a compiler to compare the final binaries md5 with what you can generate...

it's still a security hole

The reason for ES5's inclusion of the function is as bad as the function itself; if ES5 is remotely upgradeable without the user's okay, then the upgrade may contain malicious code.

keylogger too?

According to a post on this weblog [gonze.com] (search for "ES5" on that page to find the relevant post), it seems like ES5 may also have a keylogger and some DRM software. How ironic that would be, for a company that claims to offer risk-free P2P to actually be collecting information about illegal filesharers and perhaps selling it to the RIAA/MPAA.

Free Publicity

I really hope Shaun Garriok wasnt planning on ruining Earthstation5 with this little stunt. I, for one, just downloaded what I think is a cool program that previously I had never heard of, nor would get to know about, because I missed the earlier article on it.

Thanks for drawing it to my attention Shaun. I appreciate it.

This is why: ALL GOOD P2P APPS ARE **OPEN SOURCE**

If you can't look at the source for a p2p system, then its not truly safe. It is as simple as that.

P2P opens up a whole different degree of responsibility for local system resource usage, and in fact the primary function of a p2p app is to manage local system resources on behalf of a 'greater good' of bigger resources provided to the community.

I wouldn't really put much faith in any p2p solution provider who didn't have full disclosure of source code as a priority in their front line for dealing with their users ...

I mean this as a potential professional user of p2p [ampfea.org], as well as a personal user too.

Investigative Info. on Some Blog

Check this out... apparently this guy did some research into the domains and IP blocks owned by ES5 and it seems to back up the hoax theory... http://taosecurity.blogspot.com/2003_08_01_taosecu rity_archive.html

Observations on ES5

1. They spend a lot of energy attacking other P2P applications: much of their marketing is simply "we're better than such-and-such". I don't recall such hostility in the P2P camp before ES5 showed up.

2. Their application does not work. Pure and simple.

3. They lie about the number of users online.

4. They have an high number of "features" with no obvious sense or meaning.

5. They distract the user with chat, dating, movie downloads (?).

6. They are highly aggressive: "declare war on the RIAA, Palestinian camp, etc." It sounds like smoke.

Conclusion: the software is not what it seems. A true high quality P2P application needs no marketing whatsoever. It needs almost no "features" (compare ES5 to bittorrent), and it certainly does not need to provide dating, movie downloads (if this worked?), etc.

Software professionals do not build in remote exploits, and do not promote their software with flames. And I would not use something that was built by a non-professional.

Re:Oh no!

Nah. If you want silly stupid internet drama, Slashdot presents it ALL, baby. Its kinda like the "Talk Soup" of the internet, just without Greg Kinnear.

Internet Drama?

You're new here, aren't you?