Peer-To-Victim File Sharing
ShareSniffer is profiled in a SecurityFocus article today. The company has come up with a new and guiltless way to trade MP3s: just use someone else's hard drive. They have a "bevy of lawyers" (bevy, n., a group, esp. of girls or women) who say taking advantage of public Windows shares is perfectly legal. And why not? Clicking "I Agree" without reading a license agreement is legally binding, right? So when you click "Share This Folder," whether you understand its implications or not, you've authorized the world to play with your drive, and have no right to complain.
</devilsadvocate>
Re:We have to respond to this (Score:1)
What if you wanted to share your files with men, but not women? Or blacks, but not whites? Or group A, but not group non-A? You can't. The closest you can get is to share files with those who know the password, but not with those who don't. This has nothing to do with ShareSniffer, it is just the nature of file-sharing.
Re:This is just silly (Score:1)
shitty (Score:1)
Yeh, me too.
What remains to be seen is: who is liable for the (alleged) illegal material on one of the public shares? Is the user reasonably expected to make sure the material is legal?
The poster (asinine) is responsible. This is no different from any other public share or common carrier. Putting Britney Spears on someone else's computer is an abuse in more ways than one.
Re:We have to respond to this (Score:2)
Sure my insurance company isn't going to cover this because it was my fault I left the garage open, but the police will arrest the person who took my implements of destruction, assuming they locate them.
Additionally, if I started a business that looked for open garages, and then let people know about it, I would assume that the authorities would quickly stop me.
What these guys are doing is clearly wrong. Taking advantage of someone else's property without explicit permission is wrong whether you gain access through an open door or open share.
Re:We have to respond to this (Score:1)
What about all those Doze users who bought/DLd RH or Mandrake, or even Slackware, only to realize six months later that they've been running a wildly successful anon-FTP?
It's the same thing, you're setting up a disk-share over a hostile protocol.
Re:We have to respond to this (Score:1)
I mean, you totally contradict the previous poster's message, then you give an ambiguous one line description of why it is wrong.
Don't change the mod. (I guess my comment was trolling too.. doh!)
Thus Spake ADRA
Re:I'm glad someone finally did this (Score:1)
Re:goodie! (Score:1)
Where do you get the 'come on in' sign with file shares?
All I know is... (Score:1)
Re:How did all this schisse porn get in my MP3 sha (Score:1)
Giggle giggle
I mean, that's just SICK
Giggle giggle
That's not even funny to joke about!
Laugh Laugh, Fall out of chair to the ground...
Re:We have to respond to this (Score:3)
It's often not simple to find out what email address belongs to specific IPs, though.
I've actually used an open print-share to print a message like "You're sharing your printer to the world. This can be fixed by right-clicking on your printer and selecting 'sharing', then assigning a password. If you need help, please feel free to email me at
But then they just get scared and think I'm some cracker. People don't listen until someone gets hurt.
I'm not trying to be elitist about this, but look, for example at the DDoS stuff a year or so ago. Nobody cared that it was possible, until it hurt a bunch of dotcoms, then there were all kinds of outcries, and now the problem has died, and nobody cares now. Even though DDoS is still very possible.
"A person is smart. People are dumb, panicky, dangerous animals, and you know it."
-Kay, Men In Black, 1997
I tend to agree fully. (-:
Remember the #1 Choice (Score:1)
Re:Windows file sharing security (Score:1)
-james
Cool (Score:1)
This won't go anywhere except with a few kiddies who are immoral anyway.
Re:I'm glad someone finally did this (Score:1)
Re:I'm glad someone finally did this (Score:2)
At least in 98, it works like this: Windows does not enable file sharing by default. Nor do any major computer manufacturers enable it by default, as far as I know.
The problem comes when people start hooking their Windows computers up to their own LANs. If you want to share files/printers between the upstairs and downstairs machines, you enable File Sharing support. You get a window asking you to create a share name for your share, and if you want to set a password. The default share name is "C" or "C-drive", something like that. And while there is a password-protect option, it's not required to create the share.
Also of note: the share is automatically enabled for every network protocol you currently have installed on your system. So if you only intend to share your files via IPX locally, if you have TCP/IP, or worse, NetBEUI, installed, it gets shared over those as well. You have to manually go in and un-bind the other protocols from Microsoft Networking.
This obviously isn't much of a problem until you start throwing DSL and cable lines into the mix, but there's where it becomes a big problem. Chances are most Windows users barely have a clue what a protocol or drive-share even is, let alone why they shouldn't be sharing it without a password over their cable modem.
Personally, I don't really buy this whole "they left it open, they deserve what they get" mentality. Come on people, we can't all be l33t h4x0rs. "You deserve what you get" doesn't fly when talking about cell-phone radiation, or getting mugged while walking to your car after dark. What's needed is a little education, not exploitation.
Re:Why Not (Score:1)
The RIAA's been stealing from the artists for years without being jailed... why should anyone else? The RIAA's pissed that some artists now have a bypass to the listeners that's as or more lucrative to the artist than the one through the RIAA, so the RIAA wants to choke it off. And you're buying into the RIAA-backed propaganda.
Re:I'm glad someone finally did this (Score:1)
Ack. My mistake, thanks for making me find some answers.
Here's the story -- as a favor, I maintain a dozen Win9x PCs in my department. A couple years ago, I noticed one that stupidly had C: as a read/write guest share. Then I went around the room and discovered that all of them were ready to do this -- all you had to do is right click "Sharing", switch from "Not Shared" to "Shared As...", and C: would be open to the public.
Ever since then I've assumed that this was Windows default. After a few tests and phone calls I found the truth. The IT guy who set up these PCs in the first place was lazy and wanted to handle tech support without leaving his desk. It was part of his standard config. How dumb is that?
Sorry for the false alarm, and thanks for the replies.
Re:RIAA should clamp down on netbios! (Score:1)
I was under the impression SMB was just a subset of the ever evolving nasty 3-port 'netbios' application protocol suite.
Even if I slipped up, since when did facts stop
--
So you don't ever use anonymous FTP (Score:1)
Haven't there also been legal cases where people have come through unlocked doors and not been found culpable because the owner didn't take prudent steps to secure their property? I have knowledge of a case where a man was sued for not locking his door - the would-be assailant was mauled by the pit bull and nearly killed. Unfortunately the owner came home and dialed 911, thus saving his life (baaaad bleeding). The assailant then successfully sued - amazing huh?
Oh, IANAL
Re:Talk about a non-issue... (Score:1)
Or they share out their WINDOWS or WINNT directory. This is how the 911 worm spread. It just copied itself to the Startup directories (forgot the full paths).
Re:Might work... (Score:3)
With file sharing you have specifically left the door open, and hung out a come on in sign.
Unless you have an access control system for the door, you cannot leave it unlocked for specific people, so you have to leave it unlocked for everyone.
With file sharing, you can specify a password, and different users, and thus can allow in only the people you *want* to come in. Specifying "full access" means just that. If you're too lazy to lock it down properly, so be it.
Open Source!! (Score:1)
The ShareSniffer product could be prosecuted (Score:1)
Re:Bevy? (Score:1)
Re:Oooo... (Score:1)
Re:Might work... (Score:2)
In the house, if there is a VCR and I take it, then the original owner has lost all use of it. What if I came in and *cloned* the VCR, so the original owner still had his fully functional unit, but now I had one just like it?
If you need to temporarily unlock your backdoor, specify a password, even if it's insanely simple.
If you allow write access .. (Score:1)
Yes, I know, it's unethical, rude, thoughtless, and selfish of people to use your open public share as a cache for things they don't want to store on their own drives, but allowing public write access to *any* directory on a machine you own and/or "administer" is about as smart as running your HTTP server as root and passing URL text to the shell. If you don't understand why either of these are bad
Use this and get TOSsed! (Score:2)
I've got enough netbus/subseven hits on my f-wall as it is; If it starts logging ShareSniffer hits on top of that, well the emails to abuse@whateverisp.com will start flying again ...
---
Re:yes and no (Score:1)
> likely savvy enough to realize that people will
> use it.
So what your saying then, by implication, is that if someone runs windows we should automatically assume that they are stupid and have no clue whatsoever?
That is a great stereotype and I, for one, am extremely amused by it.
-Steve
Re:AUP's don't trump dumb users (Score:2)
Most dialup spammers die pretty quickly, even with an estimated one-in-10000 abuse reporting rate.
If sharesniffing becomes widespread, I'd expect to see people running "honeypot" share-simulating clients and/or automated "log all probes and report to abuse after 10 probes from any single netblock within a 7-day period" tools.
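The probe-counting tool imagined in the post above, as an added example that is not part of the original post: it reads a constructed firewall log (the line format is an assumption, not any real firewall's), keeps only hits on the NetBIOS/SMB ports, groups them by source netblock (a /24, also an assumption) and reports any netblock with ten or more probes inside any seven-day window.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Ports NetBIOS/SMB file sharing listens on; hits here are what a share scanner produces.
SMB_PORTS = {137, 138, 139, 445}
THRESHOLD = 10              # probes per netblock before an abuse report is warranted
WINDOW = timedelta(days=7)
NETBLOCK_PREFIX = 24        # assumption: treat a /24 as one "netblock"

# Constructed sample log (an assumed format, not a real firewall's output).
# Fields: ISO timestamp, action, src=, dst=, proto=, dpt= (destination port).
SAMPLE_LOG = "\n".join(
    ["2001-02-01T09:00:00 DROP src=10.1.2.5 dst=192.168.0.2 proto=TCP dpt=139"]   # old, outside window
    + [f"2001-03-0{day}T1{hour}:00:00 DROP src=10.1.2.7 dst=192.168.0.2 proto=TCP dpt={port}"
       for day in (1, 2, 3) for hour, port in ((0, 139), (1, 445), (2, 139), (3, 445))]
    + ["2001-03-02T12:00:00 DROP src=10.1.2.9 dst=192.168.0.2 proto=TCP dpt=80",       # not SMB, ignored
       "2001-03-02T13:00:00 DROP src=192.0.2.10 dst=192.168.0.2 proto=TCP dpt=445",
       "2001-03-02T14:00:00 DROP src=192.0.2.11 dst=192.168.0.2 proto=TCP dpt=139",
       "2001-03-04T08:00:00 DROP src=192.0.2.12 dst=192.168.0.2 proto=TCP dpt=445",
       "2001-03-04T09:00:00 DROP src=203.0.113.4 dst=192.168.0.2 proto=UDP dpt=137"]
)


def parse_line(line):
    """Return (timestamp, source address, destination port) for one log line."""
    fields = line.split()
    stamp = datetime.fromisoformat(fields[0])
    kv = dict(f.split("=", 1) for f in fields[2:] if "=" in f)
    return stamp, ipaddress.ip_address(kv["src"]), int(kv["dpt"])


def netblock(addr, prefix=NETBLOCK_PREFIX):
    """Collapse a source address to its containing netblock (e.g. 10.1.2.7 -> 10.1.2.0/24)."""
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def smb_probes_by_netblock(log_text):
    """Group the timestamps of SMB-port probes by source netblock; other ports are dropped."""
    probes = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        stamp, src, dport = parse_line(line)
        if dport in SMB_PORTS:
            probes[netblock(src)].append(stamp)
    return probes


def max_probes_in_window(stamps, window=WINDOW):
    """Largest number of probes that fall inside any span of length `window` (sliding window)."""
    stamps = sorted(stamps)
    best = start = 0
    for end, stamp in enumerate(stamps):
        while stamp - stamps[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def report_candidates(log_text, threshold=THRESHOLD, window=WINDOW):
    """Netblocks whose probe rate crossed the threshold, mapped to their peak in-window count."""
    return {
        str(block): count
        for block, stamps in smb_probes_by_netblock(log_text).items()
        if (count := max_probes_in_window(stamps, window)) >= threshold
    }


if __name__ == "__main__":
    for block, count in report_candidates(SAMPLE_LOG).items():
        print(f"report to abuse: {block} sent {count} SMB probes within {WINDOW.days} days")
```

The sliding window matters: a single probe from weeks ago must not push a netblock over the threshold, and a netblock that sends ten probes in two days should trip it even if the log spans months. Aggregating by netblock rather than by address catches scanners that rotate through a dial-up or cable pool.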
Re:I'm sorry that does not pass the giggle test (Score:3)
In Amsterdam, they had a system of white bicycles. They weren't owned by anybody. The idea was that if you needed to go somewhere, you would just hop on the nearest white bike, ride it to your destination, and leave it for the next person. Your analogy should be:
Suppose you had a bike, painted it white, and left it outside in a bike rack unlocked with a bunch of other white bikes. Could you then bitch when someone "steals" your white bike? That's what people are doing when they say you can't access open shares. Open shares are not like "[leaving] his bike out on the driveway unlocked". It is actually marking the bike in such a way that anybody who comes along and looks at it (via scanning) will see that the bike is marked as being free to use. By your analogy, every access to a publicly available web or FTP server is like stealing some poor kid's bike off of their driveway.
Re:This is just silly (Score:2)
Well, there is no way to put a "sign on your door". Either your shares are world-readable, or they are not readable at all (at least if you are using default windows sharing, and are not part of an NT domain, etc. Most home users aren't of course). It *is* more like just leaving your door open. Maybe you don't care who comes in, or maybe you just intend to leave it open for a certain person...but in most cases I'd expect someone to be hesitant to just waltzing in. This has *nothing* to do with theft. You can read my diary and it is not theft - that doesn't mean I wanted you to read it!
So:
1) Windows has crappy file sharing mechanism
2) ShareSniffer is at best an unscrupulous company jumping on the P2P hype bandwagon. You can *already* do what ShareSniffer claims (P2P) by using public WINS servers.
I Want To Start A P2V Company (Score:2)
I Want To Start A P2V Company. Will some VC throw lots of money at me? Oh d#!@ it, I'm a year and a half too late.
Re:We have to respond to this (Score:2)
And if Sally didn't want everyone to come into her yard and store stuff there, she shouldn't have left access open to anyone. She should have put up an unbreakable fence and guard dogs. But it doesn't work that way. In the "real world", access is something that is given, and it is assumed that if you have not been given access that you should have none. Why should we make special rules for the digital world? Unless you are given access, you have no right to be there.
Re:I'm sorry that does not pass the giggle test (Score:2)
If people want to share their MP3s via SMB, why don't they call their share "SHARE_SNIFFER" or something similar, so that people KNOW that they have been given implicit permission to access that share.
At my uni, there's part of the computing rules that say we're not allowed to access a computer system unless we've been given explicit or implicit permission. Explicit permission being something like having an account on that computer, eg. my account on slashdot:
Implicit permission is things like anon ftp, or computers in libraries, etc:
By naming your share "SHARE_SNIFFER" or whatever, people can take that as implicit authorisation. I don't think you can take the existence of an open SMB share as implicit authorisation because, as people have mentioned, it can be done without the sharer realising what they are doing.
This would be the equivalent of putting your bicycle out in front of your house with a sign saying "Free to a good home" or "feel free to take a spin on this".
Ugh, definitely not cool (Score:3)
My question, though, and one I will be actively investigating: how does this affect Windows 2000 machines. I know there are "administration" shares set up (default hidden shares like C$), but I believe... don't quote me on this... that you need a password to view them. Just the same, I'm going to have to read this Ars Technica article [arstechnica.com] in depth on how to secure my Windows 2000 box fully (I've followed most of the instructions, but I never removed the shares). I suggest any of you with Windows 2000 to do the same as well.
And I still have to secure my RedHat side of the box. *sigh*
Re:This is just silly (Score:2)
Nothing wrong with drinking a beer, but I'd be pissed off if he took my stereo or raped my wife. Not to equate mp3 file copying with rape or theft, but it is wrong to load someone's hard disk with crap without their consent when that crap might bring cease and desist letters down on their heads.
Think! You know where you belong, and you know what you own. Walking into a stranger's house is a very ballsy thing to do. Here in Louisiana you can be legally shot doing that. Sneaking Britney Spears onto someone else's hard disk is not nice. An open door is not an excuse for abuse.
Good premise (Score:2)
LK
This might be exactly what P2P needs (Score:2)
The whole situation is akin to webservers and search engines. Webservers serve content, and search engines allow you to find the content. Once you have the link however, it is the webserver software that allows you to access the content, not the search engine. One might say that the difference is that the majority of websites are put up specifically so that other people can download, while sharing is not for internet-wide public sharing. This is true, but not relevant--google catalogues all sorts of webservers/pages that their owners don't want other people to find. (for an example check out their "secret server" faq [google.com]). In this case, the Sharesniffer software is not involved at all in the file transfer, which is a very different situation from Napster.
Anyway, the reason this might be the turning point for p2p is because for years, millions of mp3s and other files have been illegally copied on college networks, with the full knowledge of the RIAA/MPAA. Windows Networking (and whatever small percentage of Linux Samba that exists on campuses) has been facilitating file transfers and literally nothing has been done about it. If anybody wants to challenge Sharesniffer, they're going to have to tackle windows networking, and Microsoft is not necessarily going to just give in to RIAA/MPAA. Windows networking is too valuable of an asset to the OS to simply give it up. And this may be the first time that Microsoft's lawyers and money may benefit the little people -- they may be the only company who can successfully stand up the RIAA/MPAA.
Re:We have to respond to this (Score:2)
On the other hand, I'm a little tired of Mr. and Mrs. Average American expecting their PCs to be as easy to use as a lamp or a handgun. Today's home PC is more powerful than a mainframe was just 30 years ago. Apple sells a "supercomputer" in a seven inch plastic box!
As such, people should consider getting a little training in the computing, and security would be a part of any such training. Having Windows at work is no substitute for real computer training, since at home there won't be any rigid information security policies or professional admins to back up hapless users who go turning on every potential security hole because it sounds neat.
Most of the people I run into with computer questions don't even seem to know how to press F1 for help. They have no intrinsic understanding of why there is a problem, because other than the pretty windows on the screen they have little idea what is actually happening inside their machine. There's an awful lot of computer in the average home these days, run by completely clueless people. If their open share gets used as it was designed to be used, let's just call it part of the learning process. This doesn't do anything the protocol wasn't designed to do-- share files from a specified directory.
Its (1) a crime and (ii) not a decent substitute (Score:2)
Further, the scheme as described is useless as a substitute for Napster -- there would be no centralized index facilitating that distribution. Napster wasn't liable for the copying that took place -- it was liable for its contribution in facilitating the same as a result of uploading and maintaining dynamic index information (Contributory Infringement).
interesting story regarding windows shares (Score:2)
first off, i am a college student. my best friend lives in a dorm different from me, but we manage. one day i showed him how to poke around the local windows network and get into people's mp3s/pr0n/movies. he thought this was insanely cool.
one day, he left me a message saying that he had gotten into some girl's share, and she had her whole hard drive shared up. rather than fuck her over by nuking a few choice files, he found her AOL IM id in /windows/aim95/usernamexxx. he added her to his list, and told her that her whole computer was shared and anyone had access to it, but he didn't know how to get rid of the sharing.
he called me over to her place, she and i finally met, and i showed her how to disable sharing.
yeah... that was how i met my girlfriend...
Re:Might work... (Score:2)
So does the same reasoning apply to read-only passwordless access? When I pull up a random web page, it's rarely because I've received a written invitation from their webmaster to do so; it's because there is no password restricting my access to the page!
Entering, instead of Breaking and Entering (Score:2)
If you break into a locked house, it's breaking and entering.
If you enter an unlocked house, without permission, it's entering. Still a crime. The fact that you left the door open is not "permission," not even implicitly. The fact that someone left his computer in its default configuration is sure as hell not permission. Someone specifically enabling sharing for their home-based network is a bit more debatable, but I still doubt it would take any reasonable person more than a few seconds to decide that it's not permission for everyone to enter.
If you take stuff without permission it's theft, even if the person didn't know he/she possessed the item. It's theft even if all you do is copy the papers on the desk.
Even leaving something in the house is a crime. Littering, if nothing else.
Finally, even if all they do is tell their friends where to find open doors, if they do that in the expectation that their friends will commit crimes (entering, theft, etc.), then they're still party to a conspiracy.
On computer networks, permissions express intent. (Score:2)
That's not the point.
On computer networks (in the absence of a STANDARDIZED publication of a declaration of a well-known exception) the permission system settings are normally considered the expression of the INTENT of the person who set them.
The only well-recognized exceptions I can think of at the moment are:
- Copyright notices on published text.
- Certain prohibitions (by custom and/or statute) on use of administrator privileges to snoop.
- The mechanism for restricting search engines from indexing certain pages (such as dynamic or proprietary site content).
Changing the permissions on a portion of their files so that the world can read and write them could be an expression of intent that they do so, or could be an error. This difference in intent is indistinguishable externally. So if another user takes advantage of the explicit permission change to do exactly what it allows, one must assume he is acting with the permission of the resource's owner unless he has been explicitly informed otherwise.
Further, when you're dealing with laws that ban an activity, any ambiguity in the law must (according to US jurisprudence) be resolved in favor of the person accused of wrongdoing and the lesser restriction.
This is true even if the BULK of the sites with open permissions in fact are, and can be expected to be, the result of user error. (I won't go into the reasons in more depth here.)
Given that using an open file system is legal by the above arguments, a tool to find such legal-to-use resources can not itself be a violation of law.
A related issue: There's been a lot of legislation lately directed at people who break into systems to misuse them, and this has resulted in prosecutions of people, especially juveniles (or chronological adults with arrested development B-) ) who were just exploring. But I have yet to see the doctrine of "attractive nuisance" applied to computer systems set up with inadequate attention to security.
Some chlorine for the computer-user gene pool (Score:2)
or, Practical Darwinism... take your pick. :)
Seriously, I view this program as a net Good Thing (I'm not going to comment on the business model). This will bring unsecured file shares to more prominent attention, at the expense of some Clueless Users, and hopefully will finally result in this crap getting cleaned up.
Just the other week, some putz on tribalwar blamed "those damn hackers" when somebody plunked a virus/script into his open read/write C share, resulting in a "ALL YOUR COMPUTER ARE BELONG TO US". Sorry, bud, you done screwed up first.
Regarding @home users - in my area (Vancouver, BC), they blocked that port YEARS ago. Pissed me off, too - I was foolishly using it for home to work transfers. I take from the comments this isn't standard among all the various regional @homes?
This sounds legal (Score:2)
What did her parents say when you explained them.. (Score:2)
------------------
I'm sorry that does not pass the giggle test (Score:3)
It just does not wash. And boy am I glad I'm running Linux.
WinNT/2K administrative shares (Score:4)
First, these MAY be removed. If you have no need of file sharing (e.g. a standalone PC) this would be recommended above any other security measure. Log in as administrator, right click on the drive, and change the sharing.
Second, the administrative shares are by default set to Full Control for administrators on the domain that was used to authenticate your machine to the network. This is their purpose: to allow human administrators and administrative processes to run unimpeded. You may retain the administrative share but reduce the access to read-only, again by logging in as administrator of the local machine.
If you are not authenticated on the domain, but are simply connected, someone trying to access this share will need to know the administrator password on the local machine (and they themselves will usually need to be logged out of the domain, to avoid a rights conflict, though there are tricks to get around that).
It is possible to lock out Domain Administrators yet still permit local machine administrators, by removing the one group from the other, but in most cases this will one day cause your administrator to pull his hair out.
To reiterate: yes, Win2K has shares by default, but they are only open to authenticated administrators.
----
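An added example, not from the post above or from any Microsoft tool, that turns the advice in this thread into an audit script. It reads a constructed share listing (the four-column layout and the `password` values are assumptions; real `net share` output does not show access mode) and ranks each share by the mistakes discussed here: a whole drive or the WINDOWS/WINNT directory exported, full access with no share password, and the hidden `$` administrative shares, which are only reachable with administrator credentials and so rank lowest. The `SHARE_SNIFFER` naming convention for deliberately public shares is taken from an earlier comment, not from the product.

```python
import re
from dataclasses import dataclass, field

# Heuristics drawn from the thread: root-of-drive shares, shared system
# directories, and writable shares with no password are the usual accidents.
DRIVE_ROOT = re.compile(r"^[A-Za-z]:\\?$")
SYSTEM_DIR = re.compile(r"\\(WINDOWS|WINNT)(\\|$)", re.IGNORECASE)
PUBLIC_NAMES = {"SHARE_SNIFFER", "PUBLIC", "PUB"}   # assumed convention for deliberately public shares
SEVERITY_RANK = {"info": 0, "low": 1, "high": 2, "critical": 3}


@dataclass
class Share:
    name: str
    path: str
    access: str        # "read" or "full"
    password: str      # "none", "set" (share-level password) or "admin" (admin credentials required)
    findings: list = field(default_factory=list)
    severity: str = "info"

    def flag(self, level, message):
        """Record a finding and raise the share's severity if this one is worse."""
        self.findings.append(message)
        if SEVERITY_RANK[level] > SEVERITY_RANK[self.severity]:
            self.severity = level


# Constructed listing; the four-column layout is an assumption for this example.
SAMPLE_LISTING = r"""
# name          path          access  password
C               C:\           full    none
MP3             D:\music      read    none
WIN             C:\WINDOWS    full    set
C$              C:\           full    admin
SHARE_SNIFFER   D:\pub        read    none
"""


def parse_listing(text):
    """Parse the listing into Share records, skipping blank and comment lines."""
    shares = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, path, access, password = line.split()
        shares.append(Share(name, path, access.lower(), password.lower()))
    return shares


def audit(share):
    """Apply the thread's rules of thumb to one share and return it with findings attached."""
    if share.name.endswith("$"):
        share.flag("info", "administrative share: reachable only with administrator credentials; "
                           "remove or make read-only if nobody administers this machine remotely")
        return share
    if DRIVE_ROOT.match(share.path):
        share.flag("high", "entire drive exported; every file on the disk is visible to whoever can reach the share")
    if SYSTEM_DIR.search(share.path):
        share.flag("high", "system directory exported; a writable Startup folder lets a worm plant itself")
    if share.access == "full" and share.password == "none":
        share.flag("critical", "full access with no password: anyone who can reach the share can write here")
    elif share.password == "none":
        share.flag("low", "world-readable with no password; acceptable only if every file in it is meant to be public")
    if share.name.upper() in PUBLIC_NAMES:
        share.flag("info", "name advertises a deliberately public share")
    return share


def audit_listing(text):
    """Map share name -> audited Share for every entry in the listing."""
    return {s.name: audit(s) for s in parse_listing(text)}


if __name__ == "__main__":
    for name, share in audit_listing(SAMPLE_LISTING).items():
        print(f"{name:14} {share.severity:9} {'; '.join(share.findings)}")
```

The ordering is deliberate: a whole-drive share that is also writable with no password is the case that lets someone dump files on the machine, so it outranks a read-only drive share, which in turn outranks a read-only share of a single folder. Administrative shares are reported but not scored, matching the post's point that they demand an administrator logon.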
Re:I'm glad someone finally did this (Score:2)
This is not true. The default share setting is read only.
Any reasonable person must infer that Microsoft WANTS people to give their hard drives to the internet at large.
It's more a Very Bad side-effect of oversimplifying security and making it friendly. What happens is that file-sharing is set when you install a network card. For most people this is already installed and ready to go. During Windows installation, the user is asked, "Do you want to give others access to your files?" which is straightforward enough. The problem is that this is a separate activity from setting up internet access, and there is no step during internet access that warns you, "You have given others access to your files, do you really mean that?"
Also, it would be better if the NETBEUI protocol used to access these shares were not bound to the dial-up adapter (i.e. modem). Unfortunately, all protocols are bound to all devices by default.
----
This is the way Scour worked for a long time (Score:2)
Scour, we miss ye...
Oooo... (Score:2)
(c) have a chance at some of those hot female lawyers!
Where can I sign up?
Re:So you don't ever use anonymous FTP (Score:2)
Most open windows shares are not meant to be open to the world, they're mistakes, you can't reasonably assume that your neighbor wants you to access his hard-drive simply because you can see it. Because someone doesn't understand how these shares work or how to secure them doesn't give anyone the right to take advantage of them.
We have to respond to this (Score:5)
Clearly, this is not a good thing or a moral thing to do -- I can defend Bob and Joe trading MP3s, but if they do it via Sally's open share (and grab some of her files too), that's a totally different thing. The problem is, the corps are going to point to this and say: "See? These geeks are just a bunch of thieves and pirates!".
In this case, it seems fairly clear-cut that they are right
you wouldn't believe (Score:4)
Or maybe you would..
Is this a default when you run the @home install CD or something?
Re:This is just silly (Score:2)
No. Copying is (or rather, may be) an infringement of copyright. Theft is theft. They may both be crimes, but they are distinct actions.
Mike Godwin of the EFF writes about this here [eff.org]:
The purpose of copyright is to promote progress in the arts and sciences, not to allow artists to profit. (Which they don't anyway...the profits accrue to the parasitic recording labels.) In the presence of easy copying, copying restrictions no longer serve to promote such progress.
Tom Swiss | the infamous tms | http://www.infamous.net/
It's not FTP (Score:2)
goodie! (Score:2)
I've got to find the addresses of the people who made this software, and see if they ever leave their doors unlocked. Because if they do, of course, then I assume I have free access to borrow their Home Entertainment System, and grab a Free-As-In-Beer on the way out.
Next thing you know, they'll be selling software that looks for Smoking Joes (users with the username and password the same), under the logic that if someone is so completely insecure then they obviously meant for their account to be public access.
Might work... (Score:4)
I don't think this would hold up in court. Leaving your door unlocked requires NO action on the user's part, thus it can be done accidentally or absent-mindedly. However, by default there are no public shares when you install Windoze. The user has to specifically share a drive, device, or folder. They cannot claim "whoops, I didn't know it was shared" because the only way for it to get shared is to perform the proper action(s).
If I come along and discover a public share, I can only assume that the person *meant* to share it. I would not ask them for permission to use it, or browse the files, because they have *already* granted that privilege to me and the world.
The lawyers seem to always try to re-word everything so that things are selectively illegal or wrong. Personally, I'm getting tired of the bullshit with the lawyers in America, but that is another topic.
What remains to be seen is: who is liable for the (alleged) illegal material on one of the public shares? Is the user reasonably expected to make sure the material is legal?
Re:you wouldn't believe (Score:2)
AFAIK it's not, but the reverse should be true. Cable and DSL ISPs should install (or at least warn you to install with an included download link) ZoneAlarm [linksynergy.com] or other personal firewall software when you configure your broadband account.
This might also give the Broadband ISP's some teeth when they try to enforce a 'no server' policy against their customers, since the customer couldn't plead that they were running Napster or an FTP site unknowingly if they had to specifically enable the ZoneAlarm [linksynergy.com] to allow each piece software that was running as a server.
Re:This is just silly (Score:2)
"Why can't copyright owners dictate what you do with stuff you buy after you've bought it."
This would allow the restriction [even if it hasn't been done yet] and many others more restrictive that we haven't yet thought of.
Lawyers don't trump AUP (Score:5)
Remember - in many states, spamming is "legal" - but accounts still get whacked because an AUP that says "we nuke spammers" is every bit as legal.
Same thing applies here: Sniffing for shares may be legal (though morally questionable). Using the shares may even be legal (though even more morally questionable). But reporting sniffers to abuse@sniffer's-ISP is also legal, and it's just as legal for that ISP to LART the offender for TOS violation when a sufficient number of abuse reports pile up.
It's a EULA, not your mommy. (Score:2)
So I read through each EULA, going over the various Terms and Agreements. That way, if I see something I don't agree with, I can always not accept. Conversely, this way I know my responsibilities as an end user.
Think of each HD that gets fuX0red as User Darwinism.
Re:you wouldn't believe (Score:2)
But then, @Home isn't exactly designed for the power user, much less the security-conscious one. Heck, they claimed Linux wouldn't work on @Home, either. . .
It's understandable. (Score:5)
RIAA should clamp down on netbios! (Score:5)
Please cease and desist the use of netbios immediately, because it is used to transfer copyrighted material some of which are owned by our members.
Yours mercilessly,
RIAA
Could this spell the end of one of the most ugly MS TCP/IP protocol hacks?
I guess not. But the thought made me smile
--
A symptom of M$ Networking (Score:2)
It's a shame, because there are really good ways to do file-sharing besides sftp that are secure. Unfortunately, Microsoft doesn't believe in security. In the default installations, which everyone else is going to want to connect to your shares with, every protocol is bound to every adapter, etc. It takes a skilled hand to break the unnecessary bindings or use a non-MS file-sharing service. Because Microsoft refuses to make a *sane* default network configuration for Joe-Bestbuy, those of us who care about security will never be able to run shares across TCP/IP.
I leave you to rely upon your own legal advices. . (Score:2)
I leave you to rely upon your own legal advices, and at your own peril. The same argument can be made, and has been made, about open doors and keys and real property or automobiles; and about property that has been left alone for a brief time at airports. I can assure you that the law governing trespass, theft and implied consent in non-computer arenas is generally quite unkind to defendants -- and there is many an incarcerated felon who continues to grumble with remarks not substantially different from those you have made here.
This much is certain, you are not correct merely because you say so, and certainly not because you ended your posting with the term "duh!" Likewise, I may well be wrong in some cases, and perhaps not in others.
The trick is not to be the defendant in one of the others. Educate yourself, and be certain before you are sorry.
An undeniable, strong and powerful distinction can be made between an anonymous ftp account or a webserver on one hand, and a passworded system having known security bugs or easily guessable passwords on the other. Many skr1p7 k1dd135 feel that the latter are likewise invitations to plunder, but would be (and have been) laughed out of court on a defense based on that theory. Still others think that finding the "magic url" to breach into an intranet is legit, simply on the theory that it was permitted to be done -- this is a dangerous assumption.
The failure to password a portion of a system may or may not be an implied consent to plunder -- my suggestion is not to be wrong in assuming that it is. Be damned sure you are invited before you start taking data.
In particular cases, you might well not have committed a felony. Good for you. But in others, you may well have done something for which your life and liberty will later be in jeopardy.
Look, it's entirely up to you to decide how you want to manage things -- but by all means have your a** well-covered when you do. It's a bad, bad idea to be your own lawyer, particularly when being wrong may cost you your life as you know it.
shares (Score:3)
Re:We have to respond to this (Score:2)
I disagree. It IS different online. Think of FTP sites. Where would we be if we had to request access to all of those great publicly available resources?
But isn't the anonymous logon a way of giving permission? It isn't that you don't have to log on, you have to use a specific log on to get access. That log on gives people permission to log on. If something is just open, there isn't an implied permission given by a log on.
It's like needing a password to enter your house. I could make the password my name and tell everyone that is the password, and tell them to tell all their friends. They then have implied permission because they know the password I set up. They would still need the password, even if I left the door open, but they have it. But if I leave my door open, and there is no password, there isn't implied permission to enter.
Entering (Score:2)
But on the Internet, how can you tell the difference between a private area (someone's house) and a public area (the town commons, McDonalds, etc). It all looks identical.
There are plenty of places where you really do have the owner's permission to read/write, and they are indistinguishable from Joe Schmoe's "accidental" ftp site or Samba share. This is what leads to the attitude that, if someone is sharing a resource, they mean for it to be shared.
---
Re:I'm sorry that does not pass the giggle test (Score:3)
Rogers also points out that ShareSniffer only locates open shares, it doesn't access them. The user does that through normal Windows functionality.
Sounds familiar...
Re:Its (1) a crime and (ii) not a decent substitut (Score:2)
Dammit, I just realized that I don't have even a shred of proof that Slashdot (or any other web server) has ever granted me express permission to access their server. And by replying to your post, I am even writing to their server. It looks like I'm a sitting duck for a felony charge at any time.
---
Interesting argument. (Score:2)
In the US, they might also have a case. Storing information on your computer, without your knowledge, has become pretty much the norm, with "stealth cookies", assorted "copy protection" schemes, etc. It would be very difficult to contend in court that one kind of unauthorized use of file space was more "acceptable" than another.
Worse, from any corporate standpoint, if it were to be declared illegal to use these kinds of schemes, virtually all proprietary software on the market would be illegal, as virtually all proprietary software tampers with your hard drive in ways that you do not explicitly authorize.
From the standpoint of "ethics", the trading of any kind of commercial product (be it a sound file or a computer package) is definitely in the "Not OK" pile. But the law doesn't work by ethics, it works by bloody-mindedness and party politics.
IMHO, we're going to see persecution of Napster, but a strange silence over PtV. Companies have too much invested in it themselves to risk it.
More Info on NetBIOS Vulnerability (Score:2)
Tech Supp. (Score:2)
"We ga-run-tee you will have 100% satisfaction with our tech support. Hell, we'll even file your quicken tax forms for you and finish your doctoral thesis while we're at it!"
-pos
The truth is more important than the facts.
I'm glad someone finally did this (Score:3)
Windows file sharing is so fucking stupid -- why on earth would they set it up so the default share is "all users: full access"??? Any reasonable person must infer that Microsoft WANTS people to give their hard drives to the internet at large.
Of course, there are plenty of other idiots in town -- how many remote holes are there in the default RedHat install? And that's without even having to click a button that says "enable file sharing".
ShareSniffer should be viewed as a wake-up call to OS vendors in general. The default settings should not Not NOT open your computer to remote takeovers!!!
Like anonymous FTP upload scanners (Score:2)
This is almost exactly the same concept as the old anonymous FTP upload scanners. They both poll random IP addresses for poorly-configured servers that allow open access.
This program searches for Windows shares without a password, and an anonymous FTP upload scanner searches for world-writable upload directories on FTP servers that are also readable. Both have the same effect: allowing the server to be used by unauthorized third parties for anonymous file storage and retrieval.
This was very popular back in the early to mid 1990s, when anonymous FTP was the main way of transferring files on the Internet and security standards were low. Warez sites were just getting started, and most pirates didn't have the resources to put their own servers online full-time, so typically someone else's FTP site would be taken over to do the job.
I'm sure many sysadmins remember the surprise of seeing their disk space suddenly fill up over a weekend, all hidden under the ... (three dots) directory...
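A defender's counterpart to the upload scanner described in this post, added here as an example (it is not code from the post or from any of the tools it mentions): it parses an `ls -lR` style listing of an FTP tree, the format anonymous FTP servers return for LIST, and flags the combination the post warns about, directories that are world-writable and world-readable at the same time, plus directory names built only from dots or spaces that exist to hide from a casual `ls`. The listing below is constructed; the `dropbox` entry shows the safer write-only, sticky-bit layout (mode 1733) that the check deliberately leaves alone.

```python
"""Audit an FTP tree listing for the open-upload misconfiguration.

Added example, not taken from the post or any tool it names. Input is
`ls -lR` output (constructed sample below). A directory that others can
both write to and read from is usable as an anonymous public drop; a
write-only directory with the sticky bit is the classic safe layout.
"""
from __future__ import annotations
import re
from dataclasses import dataclass

# One `ls -l` entry: mode, link count, owner, group, size, month, day, time/year, name.
LS_LINE = re.compile(
    r"^(?P<mode>[-dl][rwxsStT-]{9})\s+\d+\s+\S+\s+\S+\s+\d+\s+"
    r"\S+\s+\d+\s+[\d:]+\s+(?P<name>.+)$"
)


@dataclass
class Finding:
    path: str
    reason: str


def other_bits(mode: str) -> dict[str, bool]:
    """Decode the 'other' permission triple of a 10-character mode string."""
    other = mode[7:10]
    return {
        "dir": mode[0] == "d",
        "read": other[0] == "r",
        "write": other[1] == "w",
        "sticky": other[2] in "tT",  # 't' = sticky + exec, 'T' = sticky only
    }


def is_hiding_name(name: str) -> bool:
    """Names made only of dots or spaces ('...', '.. ', '  ') are meant to
    slip past a quick `ls`, which hides '.' and '..' but not '...'."""
    stripped = name.strip()
    return stripped == "" or set(stripped) == {"."}


def audit_listing(listing: str) -> list[Finding]:
    """Walk an `ls -lR` listing and return the risky directories."""
    findings: list[Finding] = []
    cwd = ""
    for raw in listing.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("total "):
            continue
        entry = LS_LINE.match(line)
        if entry is None:
            if line.endswith(":"):  # `ls -lR` directory header, e.g. "/pub/incoming:"
                cwd = line[:-1]
            continue
        bits = other_bits(entry.group("mode"))
        name = entry.group("name")
        path = f"{cwd}/{name}" if cwd else name
        if not bits["dir"]:
            continue
        if is_hiding_name(name):
            findings.append(Finding(path, "directory name chosen to hide from ls"))
        if bits["write"] and bits["read"]:
            findings.append(Finding(path, "world-writable and world-readable: usable as a public drop"))
        elif bits["write"] and not bits["sticky"]:
            findings.append(Finding(path, "world-writable without sticky bit: uploaders can delete each other's files"))
    return findings


# Constructed sample: a healthy docs dir, an open 'incoming', a safe write-only
# 'dropbox' (mode 1733), and a hidden '...' drop that someone already filled.
SAMPLE_LISTING = """\
/pub:
total 3
drwxr-xr-x   2 ftp  ftp     4096 Feb  6 12:00 docs
drwxrwxrwx   2 ftp  ftp     4096 Feb  6 12:00 incoming
drwx-wx-wt   2 ftp  ftp     4096 Feb  6 12:00 dropbox

/pub/incoming:
total 2
drwxrwxrwx   5 ftp  ftp     4096 Feb  7 03:12 ...
-rw-r--r--   1 ftp  ftp  9000000 Feb  7 03:15 warez.zip
"""

if __name__ == "__main__":
    for f in audit_listing(SAMPLE_LISTING):
        print(f"{f.path}: {f.reason}")
```

Run against a real server with `ls -lR > listing.txt` from an anonymous session of your own server and feed the file to `audit_listing`; the write-only sticky layout passes because uploads can land there but nobody else can list or fetch them, which removes the incentive the post describes.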
Super eurobeat from Avex and Konami unite in your DANCE!
Re:Might work... (Score:2)
And your law degree is from...?
This is not a new theory. I don't buy into it either, but it's been applied for as long as computer "trespassing" has been an issue. My first brush with the crazier aspects of computer security was when I made the mistake of informing a University IS director that some of his sensitive files were publicly readable. And, like many another Good Samaritan, I was reamed out for "snooping" in directories where I had no business. Other places I've worked have taken the view that unauthorized access to data is always the fault of the accessor -- no matter how careless the data's owner has been. And don't think these policies were put in place without plenty of legal homework.
Law is a complicated and subtle topic. Understanding an issue like this is as difficult as understanding wave-particle duality. Plus the ultimate referee is not an objective experiment but a fallible jurist. Physics rarely works the way freshman logic tells you it will. Law is even more so.
__________________
Re:I'm sorry that does not pass the giggle test (Score:2)
The tool may be legal, just as Napster should be legal (prosecute users, not vendors). It is hardly moral, since it encourages users to basically commit computer crime that isn't defensible by any "fair-use" doctrine at all.
Optimal?? (Score:2)
Re:I'm glad someone finally did this (Score:3)
I have no idea what the default setting is, because I don't use Windows. But according to the folks at ShareSniffer, this is not true [securityfocus.com]: "Microsoft Windows by default will not expose files to the Internet. It has to be consciously configured to expose files to the Internet."
Jamie McCarthy
A clever hack! (Score:2)
OK, on the one hand, we have unwitting users sharing their HDDs inadvertently to the internet. On the other hand, as the article says, they had to click to share that folder; it was a conscious decision on their part to share it.
On the plus side, there is no big single entity to sue here like with Napster, only individuals. And those individuals can always say "Ooops, I didn't realise _everyone_ could see my files!", so the suing company will burn wedges of cash tracking people down just to see them roll over. Again, the legal vultures are circling...
Great idea using Usenet, though. And everyone thought that Usenet was dead!
Strong data typing is for those with weak minds.
How did all this schisse porn get in my MP3 share? (Score:5)
Developer: What? Why? I didn't do anything to get fired over!
IT Manager: We found all sorts of obscene materials on your harddrive in shared folders.
Developer: Huh?
IT Manager: Like German schisse porn and crushing videos.
Developer: That's ridiculous-- Oh my god! What are they doing to that poor German Shepherd? Wait a second, I didn't put this on here! I swear!
IT Manager: It's your own fault. You didn't *have* to share those drives.
Developer: Yes I did! My manager told me to!
IT Manager: We're firing him, too. Seems he has goat.cx pictures all over *his* hard drive.
Re:We have to respond to this (Score:2)
"Hello, Sally. You seem to have just asked me to share your files to the world, but did not set a password. Did you really want to do that?"
Along with a nice help button that explains how this is Not A Good Thing(tm). I just tried this with Win2K, it didn't prompt me at all!
At least with Unix, no claim is made -- if you're an idiot, and can't at least RTFM, don't come to play. Here, Windows claims to coddle the foolish user, and all it does is allow them to do stupid stuff... You can't have it both ways.
Re:Might work... (Score:2)
Re:Might work... (Score:3)
Re:We have to respond to this (Score:2)
First off, where did "grab some of her files too" come from? That's just gratuitous and you know it.
Secondly, there's nothing wrong with Bob and Joe using Sally's HD per se. It's really the "unknown to Sally" part that you object to. So I guess to appease that factor, we'd have to have some kind of explicit process Sally has to go through in order to share that drive. Guess what? That process already exists. Now granted, Sally may not realize what she (or the software she installed) did. But it's not entirely clear-cut to me that Bob and Joe are in the wrong.
Consider an alternate universe: A lot of people use ShareSniffer and a lot of people share out their hard drives for the express purpose of letting people store MP3s there. (this isn't ridiculous, it's pretty much how Napster or FreeNet works) Now imagine Sally accidentally shares her drive out and finds it filling with MP3s. ShareSniffer has no way of knowing that Sally didn't mean to share the drive out. Are Bob and Joe in the wrong? Or is Sally to blame for not understanding her technology?
*MY* objection to ShareSniffer is: What if I WANT to share my files...but not to ShareSniffer users? To be good netizens (not their purpose, I know) they should really have invented their own protocol.
--
Non-meta-modded "Overrated" mods are killing Slashdot
Re:This is just silly (Score:3)
No. A better analogy would be if I had a sign on my door, meant for a visiting friend, which said "Come on in and have a beer". If a stranger sees it and comes in and helps himself to a cold one, has he done anything morally or legally wrong?
Opening your shares is inviting other people in. If you fail to specify who you're inviting, that's your fault.
Copying is not theft. HTH. HAND.
Tom Swiss | the infamous tms | http://www.infamous.net/
Re:We have to respond to this (Score:2)
I'd say, comparably stupid to those at M$ who gave the world a nearly insecurable networked filesystem, and those who use said filesystem. How many problems have to be exposed in M$'s heap of shit before people will raise the proper squawk? Robert Morris got prison, Bill Gates got rich... what a world.
Re:I'm sorry that does not pass the giggle test (Score:2)
Should it be illegal to access an anonymous FTP server? Do I have to get written permission to access an HTTP server? No. The mere fact that someone is running a publicly available server which offers a service to the world without any authentication implies that I can use that service.
If ShareSniffer was some tool for stealing passwords, or hacking into Windows shares by trying to crack the passwords, that would clearly be a tool for assisting hackers. But this isn't the case. Some of the people with open shares may have done it by mistake. But, a lot of them are doing it on purpose. It is a simple way to share files, and it's just as legitimate as running an FTP or HTTP server.
Granted, it might be a good idea for ShareSniffer to put some simple sanity checks in place before reporting shares. For example, it can see if the user has shared their entire hard drive. If they have, it might be a reasonable assumption that that's a mistake which should not be advertised. On the other hand, if only certain folders are being shared, that's probably a legitimate share.
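The sanity check this post sketches, together with the missing "did you really want to do that?" warning from the earlier post, as an added example that is neither ShareSniffer's nor Microsoft's code: it parses the table printed by `net share` (the sample output below is constructed) and rates each share, treating a share whose path is a drive root or the system directory as a probable mistake and a single folder as probably deliberate. The ACL map is also constructed, modelled on the `Permission` line that `net share <name>` prints (assumed format `Everyone, FULL`), so the check can additionally flag the everyone-full-access grant complained about elsewhere in the thread.

```python
"""Rate Windows file shares from `net share` output.

Added example, not ShareSniffer's or Microsoft's code. The share table and
the ACL map below are constructed; the ACL entries follow the
"Permission  Everyone, FULL" line of `net share <name>` (assumed format).
"""
from __future__ import annotations
import re
from dataclasses import dataclass, field

DRIVE_ROOT = re.compile(r"^[A-Za-z]:\\?$")     # "C:" or "C:\"
LOCAL_PATH = re.compile(r"^[A-Za-z]:\\")       # any local path
SYSTEM_DIRS = ("C:\\WINDOWS", "C:\\WINNT")      # assumption: usual system roots
LEVELS = ["ok", "info", "medium", "high"]


@dataclass
class Share:
    name: str
    path: str
    remark: str = ""


@dataclass
class Verdict:
    share: str
    level: str = "ok"
    reasons: list[str] = field(default_factory=list)

    def bump(self, level: str, reason: str) -> None:
        """Record a reason and raise the level if it is more severe."""
        if LEVELS.index(level) > LEVELS.index(self.level):
            self.level = level
        self.reasons.append(reason)


def parse_net_share(output: str) -> list[Share]:
    """Parse the name/resource/remark table; columns are separated by runs
    of two or more spaces, and IPC$ has an empty resource column."""
    shares: list[Share] = []
    in_table = False
    for line in output.splitlines():
        if line.startswith("---"):
            in_table = True
            continue
        if not in_table or not line.strip() or line.startswith("The command"):
            continue
        cols = re.split(r"\s{2,}", line.strip())
        name, rest = cols[0], cols[1:]
        path = ""
        if rest and (LOCAL_PATH.match(rest[0]) or DRIVE_ROOT.match(rest[0]) or rest[0].startswith("\\\\")):
            path = rest.pop(0)
        shares.append(Share(name, path, " ".join(rest)))
    return shares


def assess(share: Share, acl: list[str]) -> Verdict:
    """Apply the sanity check: whole drive or system dir = probable mistake."""
    v = Verdict(share.name)
    if share.name.endswith("$"):
        v.bump("info", "hidden share ($ suffix): not listed when browsing; review separately")
        return v
    if DRIVE_ROOT.match(share.path):
        v.bump("high", f"entire drive {share.path} is shared; probably a mistake")
    elif share.path.upper().startswith(SYSTEM_DIRS):
        v.bump("high", "system directory is shared")
    elif share.path:
        v.bump("info", "single folder share; likely deliberate")
    for entry in acl:
        who, _, right = (part.strip() for part in entry.partition(","))
        if who.lower() == "everyone":
            if right.upper() == "FULL":
                v.bump("high", "Everyone has FULL control: anyone who can reach the share can write and delete")
            else:
                v.bump("medium", f"Everyone has {right} access")
    return v


def audit(output: str, acls: dict[str, list[str]]) -> list[Verdict]:
    """Rate every share in the `net share` table against the constructed ACLs."""
    return [assess(s, acls.get(s.name, [])) for s in parse_net_share(output)]


# Constructed `net share` output and ACLs for a machine with one
# deliberate folder share and one whole-drive share.
SAMPLE_NET_SHARE = r"""
Share name   Resource                        Remark

-------------------------------------------------------------------------------
ADMIN$       C:\WINDOWS                      Remote Admin
C$           C:\                             Default share
IPC$                                         Remote IPC
Music        C:\Users\sally\Music
WholeDisk    D:\
The command completed successfully.
"""
SAMPLE_ACLS = {"Music": ["Everyone, READ"], "WholeDisk": ["Everyone, FULL"]}

if __name__ == "__main__":
    for verdict in audit(SAMPLE_NET_SHARE, SAMPLE_ACLS):
        print(f"[{verdict.level:6}] {verdict.share}: {'; '.join(verdict.reasons)}")
```

The "high" verdicts are exactly the cases the post says a tool should refuse to advertise; run locally, the same function is the prompt the earlier post wished Windows gave before a share goes live.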
Re:goodie! (Score:2)
Leaving a door *unlocked* is not inviting unwanted guests. If a door is closed, then you should assume that you are not encouraged to enter, unless a sign is present like "Come In, We're Open!". You would be expected to *knock* first (ie: ask permission), and then go away if no one answers.
By sharing a file/drive/folder/device the user has completed a set of actions that specifically makes the items available to The World. You *could* use Microsoft's pathetic Network Neighborhood tool to browse for shares, or you could use a 3rd party tool to browse for shares. Either way, you are browsing items that the user has *specifically* made available for public consumption.
Re:you wouldn't believe (Score:2)
No, I'm not wrong. Is this the legion you're talking about?
Legion 2.1 is a complete rewrite of the previous version. Legion will scan up to 64 class C subnets for open file shares and will allow the user to map shares to a drive. The registered version includes a brute force tool that will attempt to guess share level passwords. It's available at http://rhino9.ml.org
This looks like nothing more than a scanner with a brute force password cracker. So either way you'll need the admin password to get to the share. Good luck trying to guess the password.
Re:This is just silly (Score:2)
It's something to do with fair use rights. For example, if you buy a book you should be allowed to read it. However, if your book came with a EULA inside the package that said reading it was forbidden the person who bought it has been ripped off. This applies to electronic books you are not allowed to read aloud [famous case - Alice in Wonderland from Adobe's E-books site].
Oh, if copying is theft, then if I come to your house and note down what possessions you have in the lounge, the decor and go home and produce an identical lounge without asking you - did I steal the lounge from you?
Re:you wouldn't believe (Score:2)
I was never talking about 95/98. I don't care/use 95/98. The first post I responded specifically mentioned NT/2000.
Re:OT: Thawte Advert (Score:2)
Re:Bevy (Score:2)
I'm not denying the part about the idiot paddle, but the definition was from my college dictionary, Webster's New World Dictionary of American English, Third College Edition, 1988.
Scroll down on the linked definition and you'll see similar definitions:
1. A company; an assembly or collection of persons, especially of ladies.
bevy n 1: a group of girls or young women
Jamie McCarthy
Re:This is just silly (Score:2)
The misdeed here (may or may not be a crime, depending) is fraud, not copying. It would be just as wrong to represent a work placed in the public domain (by expiration of copyright, or by deliberate act) as your own as to represent a copyrighted work as your own.
The idea of an exclusive right to copy is no longer worthwhile. However, the ideas of a right to be recognized as an author or creator and a right to receive royalties from for-profit use (like songwriter royalties today) would still be of benefit.
Tom Swiss | the infamous tms | http://www.infamous.net/