action metadata problem/bug/vunerability
 

yea, im not quite sure where to put this one, but some people have got the smart idea to set up a "sponsored" gnutella bot on the network, and when you try to download this result, it opens up a browser or just uses the one currently up and redirects you to a webpage.

and while you cant download this file at all because limewire will just keep reading the action metadata and sending you to some page, (auto-launching action) i moused-over to see the metadata, and their was an action that had the directing URL in its place.

some bug in limewire or is this meant to happen? because this is a definate vulnerability. cause someone in the wrong mind can maliciously send someone to a page that will install a trojan by some vulnerabilitys of the browser...

definately get this fixed asap. if someone already found out that they can exploit it for profit, then someone will eventually exploit it for malice.

btw, the url in its action was:

http://www.gnoozle.com/gofishXX

where XX is some ID number of top results listed.


i did a small bit of investigating, and it seems this is related to a limewire rip-off clone http://gnoozle.com/

and it also seems like this modified limewire client was modified so all these "sponsored" results would be at the fault of the user, giving out hundreds of sponsored ads without gnoozle having to spend bandwidth doing it..

man, sometimes i think its conspiracy.:p

Gnoozle is not a rip-off of LimeWire. It's a project by one of the LimeWire developers. As you can easily see it's completely legimate. It offers a free version (just like LimeWire) and the GPL'd source code.

I don't see a vulnerability either.

It'll be fixed.

Do you recall the search term that was typed in?

Sam, when you say 'it will be fixed', what do you mean? I hope you are only going to give a warning to the user like you do for .exe files. I don't see LimeWire disabling downloading .exe files. So it doesn't make sense to disable the html launches either.

Susheel

And for those folks who don't understand open source, you really can't 'rip' open source code. The whole point of open source is to allow people to 'rip'. I don't see Linus Torvalds complaining about people 'ripping' Linux :) .

It'll be fixed in the sense that we won't allow LimeWire users to be overrun by search results that only contain launches to websites. Precisely how we'll go about doing this is left to be seen. I most certainly agree that launching webpages from Gnutella search results is a useful feature, but on a mass-scale it can become a very large problem.

Susheel,

As I told John Borland, I hope you didn't open that feature up to every spammer in the world. Spammers could drive a truck through that capability and heavy use of it will only make it all too obvious. In the past, we have used it in extremely limited cases. You can't possibly expect it to survive as is with this concern in mind.

Thanks
-greg

Sam & Greg,
I don't think I've opened up any feature to spammers, etc. LimeWire is open source so any so called vulnerabilities are open to the world. The limewire.org website talks about open protocols and open networks - lets not backtrack on that ideal. Also, security by obfuscation (i.e., lets hope people don't figure stuff out) is never good policy.

I absolutely agree that gnutella spam should be detected and discarded like any other spam. I don't agree that LimeWire should make the decision about what is offered to users though - doesn't that get away from the ideals of decentralization and openness? As I've made clear, we don't spam - we offer relevant, targeted ads similar to Google AdWords.

Greg, gnutella is already open to spammers, as you know. If you want to get rid of spammers, close the source.

Adding a warning to a user prior to launching the html page is the correct course of action. Also, don't other open source projects, such as LionShare, depend on this feature?

Thanks!
Susheel

There is one slight difference between your results and google ad-words: your results look 100% like any other search result. Last time I checked, google ad words appear on a special place to the right of the screen.

You're correct on every point, for the most part. Security by obfuscation is bad, open protocols are good, and warnings are good.

Spam shouldn't be fixed by closing the source, though. I'd like to see you argue that to Thunderbird for their spam filter, or any open source enterprise level spam filtering software.

As far as LimeWire deciding what ads to show to their users, well, we'll see what's required.

Nothing in Gnutella says that this feature needs to exist. Distributed search and distributed download work fine without it. In reality, this was always a bit of a hack to allow for things like real estate and book searches (as demonstrated in the past). These are cool and interesting but not core. The fact that what looks like a file can launch an html page has always been a bit odd. These results could always have been html or url types that the user would then recognize directly as a web page.

It is niave to think that you could just make use of this feature in wide use. Opening a browser page is just too attractive to spammers. Encouraging more spammer activity is just bad. Sorry man.

Thanks
-greg

Zlatin, our sponsored results are very upfront. They are clearly marked as "(Sponsored Results)" so users can ignore them like they do for Google AdWords.

Sam, you misunderstood my point. I was telling Greg that the only way he can ensure that some feature of LimeWire isn't used to spam is by closing off Spammers access to those features, i.e. closing the source. Feel free to add a spam filter to LimeWire - sponsored results aren't spam.

Greg, why are you excising a feature that allows artists and content creators to get paid for their labor and ingenuity? Does the Linux open source community not build imap and pop mail clients because it may open Linux users to spam?

Thanks!
Susheel

That usage if (and likely when) widely adopted by spammers could destroy our application. It has nothing to do with what it might allow if it will destroy.

If you want to support artists then promote weed files. They are perfectly suited for P2P distribution and the paying of artists.

Thanks
-greg

That's good - would you mind letting us know one of the keywords so that we can verify that?

Also, you know that these things affect dynamic querying, so even if marked they affect the user experience. All of this could have been avoided with a little coordination and communication!

If security is your concern, then the best option is to display a warning. You do the same for .exe files.

If spam is your concern, then excising the feature doesn't stop the spam. Users are already spammed by fake files, mislabeled results, etc., and I'm sure other spamming opportunities exist. Excising the html launch feature does not preclude spammers from sending bogus results.

It may be that you really have other, less virtuous concerns and that is why you want to excise the feature. I'm not sure such concerns will stand up in the face of public scrutiny though. They'll probably be viewed as anti-competitive and monopolistic, and at least adverse to your open protocol and networks mantra.

"if you can't be part of the solution, there's good money to be made prolonging the problem" -- thinkgeek demotivational calendars.

Oops - I clicked edit when I meant to click quote - can you repost pls?

This is arguable. Many people would think that any sponsored results should be complementary to whatever other people have shared on the network. Also, since those results come usually from single servers with high capacity, they should not count to the dynamic query limits.

Also, you leave no option for the user to opt-out of receiving sponsored results - something a ggep extention/flag in the query could have achieved.

Unfortunately we're all facing a done deal - and discussing what could have been done is not really productive.

Susheel,

This is not anti-competitive. It is PRO user. You've highlighted a major potential nuisance to our users. You've shown spammers how to get web pages into millions of users faces. (Okay, maybe they aren't that smart yet but they will soon likely figure it out.) I think we can safely assume that users will understand and appreciate the fact that we want to block spam.

No ill intentions on our part. We are just trying to do what's right and our users come first.

Thanks
-greg

In addition to being anti-competitive, excising the feature is reactionary.

1) You have no evidence that spammers are using it.

2) You are throwing out current *legitimate* (paying artists!) uses to guard against the potential of illegitimate uses. Perhaps you've heard of the substantial noninfringing use doctrine and the reasoning that underlies it? The feature is content agnostic and should not be excised simply because it can be used for bad ends.

3) Spam can be detected in other ways such that honest uses of the html launch can be allowed to continue.

Thanks!
Susheel

You're making a rather bold statement here. We're open to any technically sound ideas, so if feel free to enlighten us about those "other ways".

I do have some ideas which I'll present in a write up soon. It isn't too hard to catch the most egregious spammers.

Will I get one of your generous bounties if you end up implementing the system? :)

Thanks!
Susheel

Um, no, the bounties are for actually implementing the proposed feature. Complete with [working & non copy/pasted]^ unit tests*

Keep in mind that whatever scheme you have in mind it will be all open source, so I see a little point in hiding it.

* the punchline

^ the better punchline

I was kidding about the bounty. Of course any code submitted would be open source. Besides being bound by the terms of the GPL, I wouldn't have it any other way. I'm a firm believer in open source and open protocols, even it if means people utilize or develop features you don't like. Let freedom ring! :)

*ring*

lol, that funny as hell^

sdaswani, you seem to be the only one complaining on this issue. NO user wants this, and if i continue to receive these, im going to patch limewire to block this specific client from connecting or sending me results at all. i paid for limewire pro already, so their is no reason in hell i should be getting sponsored results. and no, i cant opt-out of your decision that you forced me into without blocking legitiment lots of content that i want. and it seems that you say

well, i am an eye-witness to it, and i will provide evidence if its needed. btw, have you seen the definition of spam lately, i have checked, and it says quote: To indiscriminately send unsolicited, unwanted, irrelevant, or inappropriate messages, especially commercial advertising in mass quantities. Noun: electronic "junk mail".
from: http://northnet.net/~midwest/0gloss.htm
actually, i have been using gnet for awhile now and havent seen anyone take use of this feature BUT spam.
see point 2. also, if we can get to the source of the problem, and fix this exploit of a feature that is not used, then we can get back to fixing other things.


you are defending something noone likes or cares about, you are defending annoying ads that noone wants to see, you are defending something that noone willl ever like, if you are defending something like that, then you are guilty of it also.
.....
why? its their software they are creating. and since i pay for this software, i should have a voice. limewire only creates what the public and MAJORITY of what people want. this isnt anarchy brother.

sponsored by who? i dont remember agreeing with this, and since your client is not a majority gnutella holder, you have a small voice when it comes to that stuff. we dont make deals with terrosists. im not paying you to send me something i dont want. and i believe i speak for everyone on this.
Limewire wont open exe files.
no, but it stops you. 1 down, ~1,000,000 to go. a journey of a thousand miles starts with one step.

companys dont become a monopoly unless the public makes it a monopoly, people like microsoft, so they pay them to be a monopoly (even though i personally dont like them). limewire has a monopoly, and it wasnt by accident. limewire has the trust of the public, so in order to keep this majority rule, then you have to keep giving the people what they want.

keep telling lies, and you become a lier, keep telling the truth and you become trusted.

I don't think "sponsored results" are bad per se. However, I don't see a reason to use the Gnutella infrastructure for this. I suggest you implement this as a opt-in feature and use a few dedicated servers for this. You could use some kind of QRP to ensure that those servers see only results that would match - to reduce the load on those and to prevent spying on users.

You could even use a cluster of ultrapeers and handle this in a similar way as "locale preferences" are used by LimeWire. I recommend to refrain to utilize the common Gnutella network for such advertising. Spam is a fuzzy term but many people would certainly regard it as such. I definitely consider Google Adsense as spam - in many cases. You as LimeWire should know very well how much damage this (along with domain squatting) causes to you and your reputation.

i guess you are one naive user. have you ever bothered to read up on the dangers of that kind of stuff? http://cve.mitre.org/

also, you are saying they are not bad... to me, that is an error, they are just helping to muddy the water for other people that want REAL content, not ads. im not going to pay for THEIR (gnoozle users) application by viewing THEIR (gnoozle) ads when im using ANOTHER companies (limewire) agent.

evidence? a picture is worth a thousand words..

they are also making their searches appear more prominent by lying about the alt-loc's

http://rootproject.servehttp.com/alk...snapshot03.JPG
http://rootproject.servehttp.com/alk...snapshot04.JPG

I'm not only naive, I'm straight fvcking dull. Yay!

Your first post wasn't very clear to me. I'm not affiliated with LimeWire nor am I a frequent user of LimeWire.

To be honest, while this "feature" makes things easier you can easily cause almost the same effects without it. You can also easily filter those out which is much more difficult when confronted with a real spammer. What's worse is that the results interfere with dynamic querying whether you want them or not.

Regarding your payments: Well, Gnutella is an open network and by using it you'll use resources of people you didn't pay and you'll "donate" resources to people other than LimeWire or their users anyway.

Unlike real scammers and spammers, these sponsored results also seem to be legit and licensed. Real P2P scammers and spammers usually sell pirated contents directly or indirectly.

Claiming that they spam alt-locs isn't fair either. That's just a way to distribute load on their servers but I'd expect that there are better ways (e.g., a DNS record with multiple IP addresses) to achieve the same. It's rather a flaw of LimeWire to rank these higher (or maybe yours as you insist on this sort order) because this completely ignores the fact that any single source may know of further sources through the download mesh.

If these screenshots are genuine it means we're dealing with the same type of deplorable spammers we've had for ages. I regret my attempts at civilized discussion earlier in the thread.

Sorry I don't have time for full reply but here are a few comments:

1) alt-locs: sorry if they seem inflated. i put that code in there to demonstrate to our clients what their result will look like with a farm of servers running. i will take out that code tomorrow. that said, i'm also increasing the amount of servers we have running. more on that next....

2) users LIKE our results. we have statistics showing that. why? because as someone said above, our results are targeted. search for new order, you get results related to new order. i don't see what is wrong with offering legitimate, related content to users. i thought this was an open network?

zab, what happened to "[w]e believe in open standards, open networks"?

If you go to the link shown in the picture above, it had nothing to do with the search.

Hmmm, I'll look into it. We are in beta after all :) .

Folks,
I've fixed the alt-loc issues. Now you'll only see alt-locs if your query hits multiple servents.

Sorry about that.
Thanks!
Susheel