Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Games Entertainment

Gamespy Installer Spreads Nimda 171

NSG writes "Yahoo News is running this story about the Nimda virus infecting some Gamespy Arcade 1.09 installers. Approximately 3,100 infected files were served in a seven hour period. What responsibility does Gamespy have to the users who downloaded the infected file?"
This discussion has been archived. No new comments can be posted.

Gamespy Installer Spreads Nimda

Comments Filter:
  • Viruses in gamespy software? The computer industry in general has demonstrated that the concept of ethics no longer applies when there is money at stake. Read the average EULA: you have to surrender fundamental rights, such as fair use. Worse than that, the developers generally absolve themselves of any responsibility or liability whatsoever -- they won't even guarantee that the software that you have just bought will do what they claim it does! What we're seeing is the culmination of an unfortunate trend. The creators of a piece of software for as long as they control it have a monopoly -- anyone committed to using their product is pretty much at their mercy. And that means money -- lots of money.
    • I wonder though... since it's a one EXE file, would the file not infect your system before you are forced to accept the EULA? An interesting point. Still, how do you prove that a specific file infected your system? Difficult at best.

    • Even a clause that says they are not liable does not exclude them from liability.

      Here's an article [badsoftware.com] on software liability clauses and theories on lawsuits regarding software liability. The key to success in a lawsuit is as follows:
      Negligence: The company has a duty to take reasonable measures to make the product safe (no personal injuries or property damage), or no more unsafe than a reasonable customer would expect (skis are unsafe, but skiers understand the risk and want to buy skis anyway.) Under the right circumstances, a company can non-negligently leave a product in a dangerous condition.
      The users of the software would assume that this software would be free from viruses. This company, by both not securing its networked systems from known viruses, and by not verifying that it's software was not virus-infected prior to release, acted negligently.

      Now the question is -- would the reward of attempting lengthy litigation over a relatively small loss be worthwhile? Unfortunately, it's not all too often as such. To my knowledge, as of yet, data loss due to negligence (not resulting in death, destruction of people or property, etc) has not provided for large damages. I'm sure as judges and congress members become more technically savvy, we will see more resonable laws and judgements relating to software liability. Until then, good luck.
    • "...they won't even guarantee that the software that you have just bought will do what they claim it does!" Let me ask you something: Would you guarantee (as in back up with money) that an app you wrote would run without crashing on Windows? Or would you rather license it so that when the Windows computer crashes, your bank account doesn't go with it? Think very carefully before you respond.
    • No, it's not really the Nimda worm. It's a new game: Virus hide and seek. Fun! Fun!
  • Hahah (Score:2, Informative)

    by blackula ( 584329 )
    Don't use Gamespy, use The All Seeing Eye [udpsoft.com] for all your online gaming needs. It is 100x better. Trust me.
    • If they can goof like this, then it's probably only a matter of time before a few hundred thousand CD's are shipped with infected clients.

      Better hope that one of those 3000 odd downloads wasn't someone grabbing it to stick on their magazines coverdisk...
      • Re:Hahah (Score:2, Informative)

        by shepd ( 155729 )
        >Better hope that one of those 3000 odd downloads wasn't someone grabbing it to stick on their magazines coverdisk...

        Speaking of magazines and viruses, I think you'll find it interesting that the first virus [cknow.com] ever widely spread on Macs happened to be a veiled advertisement for a computer magazine itself, proving the truth is, in fact, stranger than fiction.
        • hehehe I can't remember which coverdisk it was (Amiga User International?) but back when the Saddam virus was wreaking havoc, one of the mags "kindly" gave away the virus on a coverdisk. The only program that could nuke it required two disk drives and I only had (and it wouldn't work from ram). Lost a third of my disk collection to that bastard.
    • agreed.. i'm against all forms of SpyWare... GameSpy could be spyware, it's not like you could say they are hiding it with the title gameSPY.
    • Nah. Use xqf [linuxgames.com] :-)
  • by crandall ( 472654 ) on Saturday June 29, 2002 @12:46AM (#3790981) Homepage
    I mean, seriously, who downloads this anyway? I make a habit of not trusting any software that has to scan your entire harddrive in order to 'find' games.

    If a game doesn't have an ingame browser, then I stick to direct connect, or single player. I shouldn't have to run external programs to play games online.

    Still, I think the bad press alone will be Gamespy's punishment on this one. I've seen this news crop up everywhere in the past day or two, and chances are, anyone who reads any kind of net news knows as well.

    • by yomahz ( 35486 ) on Saturday June 29, 2002 @01:00AM (#3791018)

      If a game doesn't have an ingame browser, then I stick to direct connect, or single player. I shouldn't have to run external programs to play games online.


      Most in game browsers are really half assed and lame as hell.


      I make a habit of not trusting any software that has to scan your entire harddrive in order to 'find' games.


      Well, if you don't have the source to a program, you don't have any idea what it's doing anyways. At least it's telling you. You can always cancel it you know...

      One thing I do have to say is that gamespy "Arcade" is really lame compared to Gamespy "3D"... Arcade just seems like a spam filled piece of crap..

      • Most in game browsers are really half assed and lame as hell.
        Agreed, but compared to Gamespy Arcade (An UI that doesn't seem too nice, and ocassional crashiness) I'll pick them any day. =)

        And I don't need to pay extra to get the improved functionality...

        • I've been using Gamespy 3D for about 2 years and have never even been prompted to pay for it. The gamespy UI is about 1000 times better than anything in any game (Q3, CS, RTCW are the games I've played and GS3D is better than all of them). If you're trying to play a multiplayer game with other people (i.e. your clanmates) and trying to find a server, the in-game browser is nearly useless. Gamespy allows you to find a server (though the ping function in Gamespy has never given accurate results).
      • Kali [kali.net] -- it does dynamic list updating, it is ad-free, and they're offering free registrations now. It's a far superior game browser.
    • It doesn't really have anything to do with what type of program it is....even single player games would be affected. it's simply an infectable executable that was run.

      > I shouldn't have to run external programs to play games online.

      So you won't run the wolfenstein demo [activision.com]? Or even the full install from the CD? If you would, then you could theoritically get a virus (no, not starting any rumors here). You do understand that you're limiting yourself to games that run solely from the browser [yahoo.com] and even then, there's no guarantee that you won't get malware [securityfocus.com].
      • Read more carefully. He's saying that he shouldn't have to run a 3rd party's program to play a game (ie, he trusts the game's manufacturer to write a decent multiplayer environment, but not something like gamespy)
    • I've used it a couple of times to play Halo across the internet and probably will keep using it when MS releases their subscription service (since it's free :-)
    • But with out GameSpy, you would have never been able to play and find some certain online games. =\
  • by Shade, The ( 252176 ) on Saturday June 29, 2002 @12:47AM (#3790983) Homepage
    Legally anyway. I haven't looked at the EULA for Gamespy (haven't downloaded it, actually), but I'm betting some large odds it'll have some clause in it saying they're not responsible even if it destroys your computer, sets fire to your home, and heralds the End of the World.

    Whether this will stand up in court would be interesting to see, though. And the precedent it would set would be very wide ranging.
    • by yomahz ( 35486 ) on Saturday June 29, 2002 @01:16AM (#3791044)

      Legally anyway. I haven't looked at the EULA for Gamespy (haven't downloaded it, actually), but I'm betting some large odds it'll have some clause in it saying they're not responsible even if it destroys your computer, sets fire to your home, and heralds the End of the World.


      You mean like this one [gnu.org] and this one [apache.org], and this one [opensource.org], and every other EULA I've ever read?
      • Yep! :)

        That's what I mean. All (or practically all) EULA's have that clause. Hence the large odds, which I'll clarify as being 1 million to 1 against it not having such a no-liability section.
      • The open source liccenses only permit you to use and redistrobute the code.

        So if in writing code for open source program you accadentally write a virus and infect yourself it's not going to reflect on the orginal author.

        As for non-commertal code.. with the lawsute madness in the 1980's of every jerk with a lawer suing every hobby sysop they could I'd think they'd sue the programmers of public domain programs that mistakenly carried viruses if the lawer didn't blow the whole idea off as silly.

        All non-commertal software has a default protection. Just as you can not sue the berror of a gift if the gift is defective.

        That part of the GPL that states the code comes with no warrenty etc is becouse not all GPLed code is noncommertal. ID software could be sued for defects in the GPLed Quake code if it weren't for that.

        Mostly thow that clause is redundent.
        "You may not sue me for your own suiside"
        Of course people do sue for the suiside of children due to games music what ever. Eventually somebody will sue becouse his kid was working on a GPLed program.

        Anywho.. It's redundent but probablly nessisary under the situation
    • Almost every program out there says in the EULA that they are not responsible for any damages.
  • by User 956 ( 568564 ) on Saturday June 29, 2002 @12:48AM (#3790985) Homepage
    They're legally immune. From the GameSpy Website:

    To the fullest extent permitted by applicable laws, GameSpy and its employees, agents, suppliers, and contractors shall in no event be liable for any claims, charges, demands, damages, liabilities, losses, and expenses of whatever nature and howsoever arising, including without limitation any compensatory, incidental, direct, indirect, special, punitive, or consequential damages, loss of use, loss of data, loss caused by a computer or electronic virus, loss of income or profit, loss of or damage to property, claims of third parties, or other losses of any kind or character, even if GameSpy has been advised of the possibility of such damages or losses, arising out of or in connection with the use of this Web Site, software, or any Web Site with which it is linked. You assume total responsibility for establishing such procedures for data back up and virus checking as you consider necessary.
    • by I Want GNU! ( 556631 ) on Saturday June 29, 2002 @12:54AM (#3791001) Homepage
      Not necessarily. Just because a company states that it isn't liable for anything doesn't mean it is. Several rights cannot be forfeited in contracts. If they could, companies could make people indentured servants instead of foreclosing on them. The EULA is designed to make a user think he or she has no rights, not to actually take them all away (although it does take away some rights).
      • #include <disclaimers/ianal.h>

        That's not even an EULA. It's just this little document they hope you'll read, which they call the "Terms of Service". Supposedly, by using the site, you agree to abide by the TOS, but since you've already used the site (you had to hit one of their pages to see the link to the TOS, and viewing the TOS also constitutes use of the site), their TOS isn't worth the pixels it's displayed on, since you can't agree to a contract before you've even read it! And that's assuming the TOS is valid at all, which is highly questionable.

    • A careful read of their TOS leads me to believe they had reason to expect this would happen. (Isn't that the implication you get from reading it?) If they knew or believed it would happen they may not be able to worm out of responsibility based on a disclaimer.
    • People need to quite taking that kind of stuff literally. That statement from GameSpy is merely their fantasy of how they want things to be. It is not a legal document.

      If that document were legal, then the author of Nimda itself could make the same claim, and be off the hook.

      They trafficked in malware. It was probably accidental, not deliberate. But they still did it, and it they are partly responsible for what happens as a result, just as anyone else who spreads a virus is.

      There are some people who, systematically, do not ever spread viruses. And there are some who do spread them. There is a difference between the two groups, and it's not just luck or fate. It's responsibility vs negligence and recklessness. It's voluntary -- a person gets to choose which of those two groups he is in. And because of that, spreading viruses is not excusable.

      With all that said, I don't think it's practical to really punish them. But it is justifiable to do it.

      HYBTT?
      Hah! I think I see something!
    • I'm going to post under my handle to tell you just what an asshole thing that is to do on your sig line. Some of us don't like to see that kind of shit. Thanks for nothing.
    • Click on the link in his sig, it is a small picture :-)

    • However, also from the Gamespy website:
      Some U.S. states and foreign countries provide rights in addition to those above, or do not allow excluding or limiting implied warranties, or liability for incidental or consequential damages. Therefore, the above limitations may not apply to you or there may be state provisions that supersede the above. Any clause declared invalid shall be deemed severable and not affect the validity or enforceability of the remainder. These terms are governed by the laws of the State of California and may only be amended in a writing signed by GameSpy Industries.

      In addition, there are also a number of legal challenges to EULA's and the like (although I'm not sure whether any have succeeded yet) - see here [theregister.co.uk] and here [theregister.co.uk], for example

      I don't know whether any applicable laws apply in the States, but the UK has laws which effectively mean that even though you've put up a sign saying you can't have something (eg refunds in shops), it doesn't have any legal bearing over your statutory rights.

      Other laws apply which require companies to have signs in prominent positions - preventing vehicle clamping firms from stealth clamping. The legal stuff link on their home page is right at the bottom corner - you have to scroll right down (well past the files link) to even see it. OK, we'll let them off, so long as the files page has a prominent link. Erm, not quite - again right at the bottom, this time wrapped in a font size=-2 tag. Well done chaps.

      Not that the people who downloaded it didn't have any responsibility to run a virus scan of their download, of course. However, you do expect a "reputable" company that you get files from should prevent this from happening in the first place. It just adds a little touch of irony to the little check box found in the security warning popup which appears when you go here [gamespyarcade.com] Always trust content from Gamespy Industries, Inc.

      For a look at how EULA's should be, check the SVLA at CEXX.org [cexx.org]

    • So, I can post a little Terms of Service link on the bottom of my Web site [teamcluster.com] that says that, by viewing this site, you acknowledge and agree that I may gun you down in broad daylight in the middle of Times Square for any reason? And expect to get away with it? I think not!
  • I finally bought a nice new PC for gaming instead of my trusty (yet older) mac, and am told I might have Nimda? I have Gamespy Arcade 1.09 installed! I feel like I've just been burned by unprotected sex.

    And like an STD I think Gamespy does have a responsibility to alert all their users to the potential infection.
  • by I Want GNU! ( 556631 ) on Saturday June 29, 2002 @12:51AM (#3790995) Homepage
    I can't believe GameSpy is doing this. It's sooo passé. Microsoft already did this [securityfocus.com]. Next time GameSpy wants to get infected, it should be original and choose a different virus, maybe W32.Klez.E [symantec.com] or even a McAfee homebrew bug [slashdot.org], instead of just copying MS because it's an industry leader. Me, I prefer my KaZaA virus, because it has its own EULA.
    • Wants to get infected?

      Nice conspiracy theory you've got there, now you can provide some proof. Homebrew bug? I'd like to see some proof on that too. The McAfee virus was real, but the complaints about how the announcement was worded somehow turns into "manufactured virus" into the ears of the credulous anti-industry types.

      No one needs to keep creating viruses to sell product, there are simply way too many kiddies willing to do the dirty work themselves and for free. Next we'll be hearing how IIS web defacements are fake and run by the people at Apache to get people to switch to their server.
    • The obvious choice for Gamespy should have been the Sircam virus. You're playing Unreal II and all of a sudden this girl [gamespydaily.com] shows up.... just before she blows you away she says:
      Hi! How are you?

      I destroy you in order to have your advice.

      See you later. Thanks

  • According to this link [com.com] at news.com Executive Mark Surfas said the virus infected one of their download servers for two hours on Tuesday and five hours Wednesday night, while they were performing routine service.

    Surfas said a total of 3,100 infected files were served, and the company is in the process of notifying everyone who got an infected file and pointing them to free antivirus tools that will disinfect their systems.


    Not cool...
  • Answer: None

    Have you ever read that LONG agreement before you install software? It clearly states this phrase:

    NO WARRENTIES EXPRESSED or IMPLIED
  • I really doubt this will be a serious problem. I'm sure Gamespy will offer a patch for a small monthly fee. Or better yet, maybe if you subscribe to their eXtreme 3d++ platinum gamers edition fileservers for a few bucks maybe they'll sell you someone elses virus scanner demo with no long-term value. Or even better yet, maybe if you purchase one of their programs you can connect to an online scanner paid for and maintained out of someone elses pocket.
  • alternatives (Score:4, Informative)

    by Barbarian ( 9467 ) on Saturday June 29, 2002 @12:59AM (#3791014)
    Although many people believe they HAVE to use Gamespy Arcade to play their favorite game online, and some games bundle it on the CD and suggest you install it, most games also include their own in-game browsers and there are also alternatives [udpsoft.com] available which don't try to force you into a chat room when ever you want to look for a game or shove banners in your face, although some (pingtool) are dead.
    • Speaking of, Kali [kali.net] is still around and somewhat alive and for the time being, completely free(as in beer). Doesn't support everything but for what it does it works very well.
  • Now I've seen it all (Score:3, Interesting)

    by mcpkaaos ( 449561 ) on Saturday June 29, 2002 @01:00AM (#3791015)
    I was one of the original Gamespy employees from a few years ago, and I never thought I'd see Gamespy as the subject of a /. story. It just goes to show, before long everything ends up on this site. ;)

    It doesn't surprise me in the least that this has occured, though I hate to bash on my old company (especially since when I left, I left with enough stock to really want the company to succeed, or liquidate and get it over with, hehe.) Truth be told, the company has always been run by a man who truly couldn't care less about customers, a development manager who can't understand why you don't call virtuals from a constructor, and a project lead who thinks UI coding is the end-all-be-all of computer science. Put them together and you end up with very little experience trying to manage a product that has long since outlived its usefulness.

    And before you flame me or whatever, I do know a little bit about which I speak... having written much of the original Arcade myself (though I'm not too proud of the outcome, having followed its progress since I left in '00.)

    All in all, you can continue to expect inferior product from an inferior company, shameful as it is. I often lament on how things might have changed were L-Fire and I given a little more freedom to get stuff done. C'est la vie.

    /me waits to get flamed by crt and Walla now

    --

    [McP]KAAOS

    • by kzadot ( 249737 )
      Why cant you call virtuals from a constructor?
      • ... a development manager who can't understand why you don't call virtuals from a constructor...
        Why cant you call virtuals from a constructor?

        You've given yourself away... let's see who's really behind this comment!

        (rips off mask)

        It's Old Mr Withers, Gamespy's development manager! Take him away, boys.
      • Why cant you call virtuals from a constructor?

        in C++ you can, but it's a bad idea because if someone overrides that function things may not work as expected:

        #include <iostream>
        struct A {A() {foo();} virtual void foo() {std::cout << "in A::foo" << std::endl;}};
        struct B: public A {virtual void foo() {std::cout << "in B::foo" << std::endl;}};

        executing the constructor B() produces the output "in A::foo", despite the fact that B overrides A's foo. this happens for the perfectly logical reason that since B hasn't been constructed yet, you can't call any of its methods, but it can be quite confusing. a parallel argument applies to destructors.

        • That's not logical at all. Since the compiler already knows that you're instantiating B and not A, it already has enough information to set up the vtables appropriately. Why does it need to call the constructor first? IMNSHO, Java gets it right -- the vtables are set up well before the constructor gets called, so calling methods (which are always virtual, unless they are final) always yields the expected (and most useful) results.
    • okay so, make a compatible open source one that doesn't suck...p2p gnutella esqe gamespy like.

      I'm no coder, but from the sounds of it you are...so do something about it.
      • Actually, I did. The summer after leaving Gamespy (Summer '00) I designed and implemented a server browsing platform that used URLs rather than command lines to launch a game and connect to a remote host. Addtionally, for Windows users, it integrated completely within the Windows Shell, allowing servers to be browsed like files, games and game types browsed like folders, anywhere, anytime, in any explorer window. It also persists its UI and in-memory server lists to disk when you launch a game (releasing some of the memory that is much better spent on the game itself, not the server browsing software you don't care about at that moment.) I had originally wanted to do something similar for Arcade, but none of the coders (and I use the term loosely) at Gamespy seemed interested. Too bad, I thought it was a rather cool idea.

        It's actually a pretty slick system, though I didn't spend enough time on it then to iron out some of the wrinkles (I think a total of 80-90 hours was spent on it over the course of 6 weeks.) I would have spent more time on it, but a non-compete agreement I had signed (lasting 2 years from my resignation date) prohibited me from releasing the source (as I'm an open-source kinda guy) or releasing a freeware product (as I don't need gamers' hard-earned cash.. they need it to buy more games and video cards!) Now that the non-compete has expired (as of this past March 8), I might think about starting up a new project based on the old idea.

        If anyone would be interested in such a project, please email me (kaaos at clanmcp dot com). The project would be for no money, sorry to say, as I don't see the need for charging for a product that anyone could implement with enough time and desire (sorry Gamespy).

        --

        [McP]KAAOS
        • kudos, I wish I could help, but alas, my focus is graphics.

          Nice to hear your actually thinking about a project like that
        • Why would you devote time and effort to developing an OSS alternative to a "product that has long since outlived its usefulness"? Just curious.
        • As you may already know, Unreal also uses URLs in the way you describe. It's pretty damn slick too. It also opens the possibility to a single server serving multiple games in (different threads of) the same process. Imagine:
          doom3://doom3.idsoftware.com/ctf/game1
          doom3://doom3.idsoftware.com/dm/slaughterhouse
          ...etc...

          By the way, if you use Java any, I suspect it would make implementation of such a program much easier, thanks to various facilities for manipulating URIs, the serialization system, easy-to-use network APIs, etc. Maybe make a companion "universal master server" program for it, too. Oh, and of course, this would be quite portable.

    • /me waits to get flamed by crt and Walla now

      Let them flame, you did the right thing. Quakespy was awesome. Early Gamespy's were good. Hate to flame them but they deserve it.

      Then, through some sort of Realplayer-esque type move, it turned to crapware. Around the same time Planet* multiplied to 5 billion useless clones - now it's top flash banner, bottom ani gif, and 2 skyscraper flashes framing a 10x10 area of content. Gamespy Arcade, why? Meanwhile, Radiospy, which was actually cool, is "off the air". Get my GamespyID to download a patch "exclusively hosted" by Fileplanet? Go fuck yourselves.

      Gamespy now infects games all over the place, and it really sucks. NWN's ingame server is "powered by Gamespy", and let me tell you, it's a UI nightmare.

      I want the old Planetquake back - and before someone gives me the sob story on how hard it is to make it on the net/we got hosed by advertisers/bandwidth is expensive blah blah, Steve's been doing it [shacknews.com] without selling his soul, and building a kickass gaming community - and when he got in trouble, his users paid off a substantial amount of bills. Keep selling out users Gamespy, I won't miss you.
    • Truth be told, the company has always been run by a man who truly couldn't care less about customers, a development manager who can't understand why you don't call virtuals from a constructor, and a project lead who thinks UI coding is the end-all-be-all of computer science.

      People who think UI coding is computer science should be lined up and killed. UI is like fat: it shrinks and grows. When was the last time UI was discussed in an OS class?

      Put them together and you end up with very little experience trying to manage a product that has long since outlived its usefulness.

      As a person who has been using GameSpy services every since Quake came out, I can say that what you say is true. I mean ever since "Gamespy Industries" came to existence, Gamespy has gone down into the gutter. With the dozens and dozens of planetfuck sites, ad-ridden Gamespy arcade, and now the line-up Fileplanet(subscription service)...Gamespy has moved from what once had humble origins to corporate fuck up.

      Take for instance Gamespy Arcade. It is a novel idea, in that you can play webbie games and other fav. games from one client /w integrated IE web browser. They took the online game service models(M$ zone, Sega Heat, etc) and placed it coveniently under one app. But the point that pisses me off in Gamespy Arcade is simply the fact of those fuck-filled almost-full-screen ads. They force you to watch and wait for the ads(before the 'X' is enabled).

      When I want to play a game like Quake3, I want to quickly browse the list, check available servers, and join. GSA prevents this, and makes everything time-consuming to the point that I'm not in the "mood" to play anymore.

      Another quibble about Gamespy Industries(yes I want to really bash those fuckers), is they were one of the first big gaming sites to implement(badly) Flash-based ads. I remember the day Xbox was launched...I went to www.gamespy.com only to be served with a FULL-SCREEN fucking ad about Xbox. This was followed by lots of Taco-bell ads that fly across the screen where I difficulty of closing them(small 'x').

      This is when Gamespy became to corporatish for me, and I realized they didn't give a hootnany about gamers.
    • a development manager who can't understand why you don't call virtuals from a constructor
      Since when does one not call virtuals from a constructor? Unless your compiler really sucks and the generated code doesn't set up the vtables before passing control to the constructor (which, in case I forgot to mention it, means your compiler really sucks), it should be fine.
      • Actually, upon further observation, it would seem that even GCC has this behavior! Shame, shame. What can I say; I'm jaded from my Java experience, where all methods are virtual, and the vtables are set up well before the constructor gets invoked.
  • by Bjarne Bula ( 11937 ) on Saturday June 29, 2002 @01:05AM (#3791027)
    OK, so they screwed up. They're not the first, and it would surprise me if they were the last. At least we haven't had any major virus targetting online gamers. Yet. (I'm sure the anti-virus makers have some cooking in their skunkworks-labs, to unleash on us once the artifical panic from the JPEG virus blows over.)

    Part of the problem is of course the MS monoculture. Those of us wishing for a wider deployment of Linux (including me) may come to regret that wish, since it will inevitably lead to Linux virii. They will have a harder time of infecting the whole machine, but no doubt some clever cyber-{terrorist,vandal,take-your-pick} will come up with one that does exactly that, sooner or later.

    And as sure as flies home in on shit, MS will take that as an opportunity to tout Palladium and denounce Linux.

    Anyway, the big question is not really how to avoid having software distributions infected, but rather how to encapsulate software. On UNIX and Windows alike, any software you run, will run with the full privilegies of the user (at best) or root (at worst).

    It would seem to me that one interesting future development for Linux (or one of the BSDs, perhaps?) would be to find a non-intrusive way of encapsulating software packages, even at run-time. Let them define what they need access to, and then have an installer grant them rights only to those parts of the system.

    Most software really only needs write access to their own directory, plus perhaps /tmp. Why give them blanket access to everything? Software that manipulates random files could communicate via a system call/trusted library that would combine a file-browser and grant one-shot access outside of the applications "playground" for the specific file-name/directory chosen by the user.

    Oh well...
    • Doesn't matter, as a whole, we are moving to a 'computer' mono-culture. Every app is being ported to everything, hell, my palm runs gameboy, and has a simple dos prompt.
      with all of linux's efforts it's only a matter of time someone writes a virii designed to abuse all the windows compatibility software (read:wine), or codes a hybrid [slashdot.org].

      eventually no one will care which OS we run, like now, in the handheld market, we don't care which Processor we run. we have ARM, MIPS, PowerPC, SH, and X86.

      It will come down to speed, and at thaat time, everything will talk to each other and virii won't care. it's the future.

      As for permissions, how many newbies will actually run a linux box on a sub user? hell, every XP box I see is run in admin mode. no newbie cares what a particular person or app needs access to... they want plug and play, which means no logging in or out to install crap.

      So there.

      -
      Hey I gave you a nickel, give me my 3 cents back!
      • In XP, permissions are a pain in the ass. Most older programs don't run properly. Compatiability Mode must be run as an admin. MS screwed up their User/Admin structure in XP. There are no groups like in Linux. Oh, I run my XP as admin, and my Linux as user. Its a neccessity to run XP as admin, until the coders catch up.
        • My point is, that XP can be used as a user level OS. (my wife uses mine at that level) but in either OS, odds are, to install you need admin.

          Yes, some programs don't run in user mode if you lock it down too tight, but same as Linux. what I am saying is, a nwbie or John Public doesn't have time or patients to figure out what permissions are required to get his copy of said app to run. Hell, I get pissed at Linux some times just because I have to log in and out so damn much to test a new install and not actually run it as root.

          I disagree that you absolutely have to run XP as admin, but it's sure alot easier. and anyone who has had that experience won't give it up for a little extra security. after all, the smart neighbor kid is just down the lane.

          This mind set is what is causing this epedemic to come. If everyone had an admin over their personal boxes, siting around all day locking crap down it would be easier, but it won't happen.
      • with all of linux's efforts it's only a matter of time someone writes a virii
        Wow, that's a first. I've seen the plural of virus written (incorrectly) as "virii", but I've never seen the SINGULAR of "virus" written as anything except "virus" until now. Kudos for expanding the English language! ;)

        All joking aside, "virii" is not any form of the word "virus" [perl.com]. I'm not trying to be pedantic, I just can't stand it when otherwise intelligent people make mistakes like this.

    • have a look at systrace, which is an attempt at providing a means of reviewing/restricting an application's access to system resources.
      http://www.citi.umich.edu/u/provos/systrace/ [umich.edu]

      v
    • I've been suggesting the development of a "partition Dataset" concept for quite a while now. Basically this maps the directories and files into a single file. You can think of it as an application specific chroot, with the idea that the loopback is application specific.

      The time has come where we really need this and your post illustrates very clearly why we need to get this done ASAP. Linux is almsot ready for the desktop and the idiots out there are going to wreak havock with any security we might try to build into systems.

      The weakest link is the end user and we really need to design systems that are so tight that even they have trouble f*ing them up.
  • Does anyone else find it ironic that people are getting infected through a program called GameSPY?
    • Does anyone else find it ironic that people are getting infected through a program called GameSPY?

      And even more so that people are suggesting a program called "The All-Seeing Eye" as the replacement?

      Of course, this isn't funny in itself. GameSpy is a double agent, and the all-seeing eye can't see everything because I keep my webcam unplugged when I run Windows. =/

  • Well, aside from the recent MS nimda spreading, wasnt there a virus on the Mac that changed the "dog-ears" type of file around (I read it somewhere about viruses). Turns out that that virus was distributed on commercial disks and spread around the user base. I'd appreciate if somebody knew the name of it....

    Oh well. Stuff like this happens. In this kind of "software world" where everything's connected, I'm amazed this doesnt happen more often (commercial product virite distribution).

  • by Ryu2 ( 89645 ) on Saturday June 29, 2002 @01:25AM (#3791066) Homepage Journal
    It does not absolve Gamespy of responsibility -- but fortunately the actual impact is now. Nimda only infects servers running IIS as a HTTP server, and I'm sure not many gamers are running IIS on their machines.
  • Well now that there is talk on Capitol Hill that Congress should pass a bill making upper manangement responsible in the wake of Enron, Andersen, MCI, and now Xerox. I think they should also throw something in there stating any software that is downloaded or packaged with the exchange of money then the company should be liable for any virus or spyware involved. Now if its given away for free and does not contain any fee for monthly service such as Open Source then they are absolved.
  • GameSpy used to actually useful (and usable) way back in the QuakeWorld days. It stopped being relevant to me sometime before it got renamed to GameSpy Arcade (or whatever it's called now), and it came with a bunch of useless crap. I never understood the 'scanning the hd' bit... I mean, it knows what games it supports, it knows their registry keys, the whole process should take less than a second, not several minutes. I just added games manually anyways.

    In any case, most games come with their own server browsers; launching a huge ad-riddled app just to connect to a server a pointless excercise.

    So what do people who used GS back in the 'good old days' and still use it have to say about it? Good? Bad?
  • Regardless of the legal ramifications and waivers there is still a responsibility of the server host to provide software that is free of damging components, say for instance someone sells you a car knowing that the car has major carbon monoxide emissions problem with seepage into the cabin, and has faulty brake lines that are just barely kept together... welcome to the Lemon Law, most judges will have the dealer buy back the car for the cost it was sold for, not the off-the-lot price, well if someone were to take gamespy to court under the auspices that they provided software which did the damages that it is well known for, yes there is really no legal remedy at hand to provide any kind of relief for the plaintiff, however it would prove that they are responsible for the files they serve from their webservers. Just food for thought
  • My girlfriend's kids downloaded GameSpy yesterday, ironically, so they could hook the Xbox up to the router and look for other Halo devotees. And they succeeded.

    They also succeeded in hosing two W2K systems on our home network via the file share traversal vulnerability. One was my girlfriend's system, the only one with out-of-date virus protection and, of course, the only unprotected machine with truly irreplaceable files. Sigh.

    Well, I downloaded AVG and it's getting clean as I type this, but I thought it might be of interest to those who posted saying that only those machines running IIS can be infected. That ain't the truth. The two infected machines on this network were W2K systems, neither of them running IIS. They were just poorly monitored and vulnerable.

    It's /., actually, posting this story that made me realize the source of my pain. And for that I say thanks, because for those of you that said so-what-big-deal, well, it's true that this didn't really constitute a national emergency but, speaking now from experience, I can honestly say that NIMDA SUCKS.

    But here's the rundown: I've got nine machines networked here at home, four W2Ks, four Linux, and one Xbox. Well, two of the W2Ks met Nimda first hand, but two others didn't since all of the extant fileshares require logons. Email wasn't a factor, and on the one W2K system that IS running IIS and was potentially vulnerable to attack, well, I've got all the latest patches installed and everything on that machine is clean.

    The Linux boxes, of course, didn't even raise an eyebrow ...

    Peace.
  • So what is GameSpy? All I can see so far is a battle over EULA's. What does GameSPy do fer me?
    • A great time saver for lazy game programming teams.

      Basically, it's a tool for helping people to find company for multi-user games. Back in the day, games didn't have in-game server lists and things like that (QuakeWorld and like are a good examples); The program lets you find servers to play on and launch the game to go directly to that server.

      Less relevant now that game companies implement this internally, but some game companies still think "what the heck, let's just implement 'connect to that IP' and let GameSpy or other such tools to do the rest"...

  • And this is why you're supposed to use your email address as a password when doing anonymous FTP. The theory is that if you downloaded something that later turns out to have a virus or some other problem, the server owner can contact those who downloaded the faulty software.

    In practice, that probably doesn't happen all too often, but it's still a good idea IMO. Using "mozilla@" as a password doesn't really help the server owner when he needs to get an urgent message across related to a file you downloaded.

  • It's okay, though.. I'm sure the people who hacked the Nimda into the program also added a disclaimer into the Terms of Service for the software. After all, it's just another virus that gets installed when you install "free" software...
  • ...Install something unix-like on their servers?


    HTTP/1.1 400 Bad Request
    Server: Microsoft-IIS/5.0


    No, it's not a anti-micro$oft troll, well, maybe, yes, but it really would be the solution, wouldn't it? :)
  • by keller999 ( 589112 ) on Saturday June 29, 2002 @08:55AM (#3791692)
    Arcade 1.1b This version of Arcade, released on June 28, 2002, included the following changes: - Removed nasty NIMBA virus - Fired security admin
  • What responsibility does Gamespy have to the users who downloaded the infected file?"

    About the same as Microsoft I would guess...

    (Remembering the recent slashdot story where .net CD's were shipped infected with a worm)

  • This certainly isn't the first time that an online service has distributed viruses to it's users.

    Back in 1998, an online gaming service called mplayer.com (which, coincidently, is now owned by gamespy) distributed copies of the W95.CIH virus through it's automated software update system. The sad thing is that the company never admitted to it until it's users started complaining to gaming news sites about getting infected.

    Another more recent example is an outbreak of Nimda in Kazaa, which was being distributed through the 1.7.1 upgrade installers of their software.

    Anyway, these stories are just two more reasons why you should run updated Anti-Virus scanners 24/7 on your Windows boxes.
  • I love Gamespy, they have supported the industry much more than any other company ive ever seen, and hey, if you get Nimda its your own damn fault, there is software called "antivirus software", it normally helps with this sort of thing. If you run windows and dont have AV software, your an f'ing idiot and deserve what you get. Hell, you can scan it for free online (housecall.antivirus.com, no this it not a plug i just use it for my customers who are too cheap to buy software). Get a life, if you have a computer chances are you have had a virus, nimda has an easy fix ..

GREAT MOMENTS IN HISTORY (#7): April 2, 1751 Issac Newton becomes discouraged when he falls up a flight of stairs.

Working...