action metadata problem/bug/vulnerability Yeah, I'm not quite sure where to put this one, but some people have got the smart idea to set up a "sponsored" gnutella bot on the network, and when you try to download this result, it opens up a browser or just uses the one currently up and redirects you to a webpage. And while you can't download this file at all because limewire will just keep reading the action metadata and sending you to some page (auto-launching action), I moused over to see the metadata, and there was an action that had the directing URL in its place. Some bug in limewire or is this meant to happen? Because this is a definite vulnerability, because someone in the wrong mind can maliciously send someone to a page that will install a trojan via some vulnerabilities of the browser... Definitely get this fixed ASAP. If someone already found out that they can exploit it for profit, then someone will eventually exploit it for malice. BTW, the URL in its action was: http://www.gnoozle.com/gofishXX where XX is some ID number of top results listed. I did a small bit of investigating, and it seems this is related to a limewire rip-off clone http://gnoozle.com/ and it also seems like this modified limewire client was modified so all these "sponsored" results would be at the fault of the user, giving out hundreds of sponsored ads without gnoozle having to spend bandwidth doing it.. Man, sometimes I think it's a conspiracy. :p
Gnoozle is not a rip-off of LimeWire. It's a project by one of the LimeWire developers. As you can easily see it's completely legitimate. It offers a free version (just like LimeWire) and the GPL'd source code. I don't see a vulnerability either.
It'll be fixed.
Do you recall the search term that was typed in?
Sam, when you say 'it will be fixed', what do you mean? I hope you are only going to give a warning to the user like you do for .exe files. I don't see LimeWire disabling downloading .exe files. So it doesn't make sense to disable the html launches either. Susheel. And for those folks who don't understand open source, you really can't 'rip' open source code. The whole point of open source is to allow people to 'rip'. I don't see Linus Torvalds complaining about people 'ripping' Linux :) .
It'll be fixed in the sense that we won't allow LimeWire users to be overrun by search results that only contain launches to websites. Precisely how we'll go about doing this is left to be seen. I most certainly agree that launching webpages from Gnutella search results is a useful feature, but on a mass scale it can become a very large problem.
Susheel, As I told John Borland, I hope you didn't open that feature up to every spammer in the world. Spammers could drive a truck through that capability and heavy use of it will only make it all too obvious. In the past, we have used it in extremely limited cases. You can't possibly expect it to survive as is with this concern in mind. Thanks -greg
Sam & Greg, I don't think I've opened up any feature to spammers, etc. LimeWire is open source so any so-called vulnerabilities are open to the world. The limewire.org website talks about open protocols and open networks - let's not backtrack on that ideal. Also, security by obfuscation (i.e., let's hope people don't figure stuff out) is never good policy. I absolutely agree that gnutella spam should be detected and discarded like any other spam. I don't agree that LimeWire should make the decision about what is offered to users though - doesn't that get away from the ideals of decentralization and openness? As I've made clear, we don't spam - we offer relevant, targeted ads similar to Google AdWords. Greg, gnutella is already open to spammers, as you know. If you want to get rid of spammers, close the source. Adding a warning to a user prior to launching the html page is the correct course of action. Also, don't other open source projects, such as LionShare, depend on this feature? Thanks! Susheel
There is one slight difference between your results and Google AdWords: your results look 100% like any other search result. Last time I checked, Google AdWords appear in a special place to the right of the screen.
You're correct on every point, for the most part. Security by obfuscation is bad, open protocols are good, and warnings are good. Spam shouldn't be fixed by closing the source, though. I'd like to see you argue that to Thunderbird for their spam filter, or any open source enterprise-level spam filtering software. As far as LimeWire deciding what ads to show to their users, well, we'll see what's required.
Nothing in Gnutella says that this feature needs to exist. Distributed search and distributed download work fine without it. In reality, this was always a bit of a hack to allow for things like real estate and book searches (as demonstrated in the past). These are cool and interesting but not core. The fact that what looks like a file can launch an html page has always been a bit odd. These results could always have been html or url types that the user would then recognize directly as a web page. It is naive to think that you could just make use of this feature in wide use. Opening a browser page is just too attractive to spammers. Encouraging more spammer activity is just bad. Sorry man. Thanks -greg
Zlatin, our sponsored results are very upfront. They are clearly marked as "(Sponsored Results)" so users can ignore them like they do for Google AdWords. Sam, you misunderstood my point. I was telling Greg that the only way he can ensure that some feature of LimeWire isn't used to spam is by closing off spammers' access to those features, i.e. closing the source. Feel free to add a spam filter to LimeWire - sponsored results aren't spam. Greg, why are you excising a feature that allows artists and content creators to get paid for their labor and ingenuity? Does the Linux open source community not build imap and pop mail clients because it may open Linux users to spam? Thanks! Susheel
That usage if (and likely when) widely adopted by spammers could destroy our application. It has nothing to do with what it might allow if it will destroy. If you want to support artists then promote weed files. They are perfectly suited for P2P distribution and the paying of artists. Thanks -greg
Also, you know that these things affect dynamic querying, so even if marked they affect the user experience. All of this could have been avoided with a little coordination and communication!
If security is your concern, then the best option is to display a warning. You do the same for .exe files. If spam is your concern, then excising the feature doesn't stop the spam. Users are already spammed by fake files, mislabeled results, etc., and I'm sure other spamming opportunities exist. Excising the html launch feature does not preclude spammers from sending bogus results. It may be that you really have other, less virtuous concerns and that is why you want to excise the feature. I'm not sure such concerns will stand up in the face of public scrutiny though. They'll probably be viewed as anti-competitive and monopolistic, and at least adverse to your open protocol and networks mantra.
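The thread so far has floated three client-side responses to results that carry an "action" URL: show the hit as a web page rather than a file and warn before launching (like the .exe warning), let users opt out of sponsored hits, and refuse batches that consist of nothing but web launches. The following Python is an added illustration of those three policies on a small model of a query hit; it is not LimeWire's or Gnoozle's code, and the `SearchResult` shape, the metadata layout (an XML fragment with the launch target in an `action` attribute), and the sample hits with their `sponsor.example` URLs are all constructed for the example.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse


@dataclass
class SearchResult:
    """One query hit as a client would list it (constructed shape, not LimeWire's)."""
    filename: str
    size: int
    xml_metadata: Optional[str]   # hypothetical LimeXML-style fragment, or None


@dataclass
class Classified:
    result: SearchResult
    action_url: Optional[str]     # set only when the metadata carries a launchable URL

    def is_web_launch(self) -> bool:
        return self.action_url is not None


def extract_action_url(xml_metadata: Optional[str]) -> Optional[str]:
    """Return the http(s) URL found in an 'action' attribute, or None.

    Assumption (not LimeWire's real parser): the metadata is an XML fragment and
    the launch target sits in an 'action' attribute on some element. Any scheme
    other than http/https is ignored, so nothing else ever becomes launchable."""
    if not xml_metadata:
        return None
    try:
        root = ET.fromstring(xml_metadata)
    except ET.ParseError:
        return None                      # unparseable metadata: treat as a plain file
    for element in root.iter():
        action = element.get("action")
        if action and urlparse(action).scheme.lower() in ("http", "https"):
            return action
    return None


def classify(result: SearchResult) -> Classified:
    return Classified(result, extract_action_url(result.xml_metadata))


def display_label(item: Classified) -> str:
    """Label a web-launch hit as a page, not a file, so the user sees what a click does."""
    if item.is_web_launch():
        host = urlparse(item.action_url).netloc
        return f"[WEB PAGE] {item.result.filename} -> opens {host} (asks before launching)"
    return f"{item.result.filename} ({item.result.size} bytes)"


def launch_needs_confirmation(item: Classified) -> bool:
    """Web launches always prompt, mirroring the existing .exe warning; files do not."""
    return item.is_web_launch()


def filter_batch(results: List[SearchResult], allow_sponsored: bool = True) -> List[Classified]:
    """Apply the two batch-level policies argued for in the thread.

    - allow_sponsored=False models a user opt-out: every web-launch hit is dropped.
    - A batch made up solely of web launches is the 'overrun' case: it carries no
      downloadable file at all, so it is discarded wholesale."""
    classified = [classify(r) for r in results]
    if not allow_sponsored:
        return [c for c in classified if not c.is_web_launch()]
    if classified and all(c.is_web_launch() for c in classified):
        return []
    return classified


# Constructed sample hits: one real file, one sponsored launch, one with no metadata.
SAMPLE_RESULTS = [
    SearchResult("new_order_live.mp3", 4_200_000,
                 '<audios><audio title="New Order live"/></audios>'),
    SearchResult("new order.mp3", 1024,
                 '<audios><audio title="sponsored" action="http://sponsor.example/launch42"/></audios>'),
    SearchResult("readme.txt", 300, None),
]

# Constructed batch where every hit is a launch and nothing is downloadable.
ALL_LAUNCH_BATCH = [
    SearchResult(f"hit{i}.mp3", 1024,
                 f'<audios><audio action="http://sponsor.example/launch{i}"/></audios>')
    for i in range(3)
]

if __name__ == "__main__":
    for item in filter_batch(SAMPLE_RESULTS):
        print(display_label(item), "| confirm:", launch_needs_confirmation(item))
    opted_out = filter_batch(SAMPLE_RESULTS, allow_sponsored=False)
    print("opted out:", [c.result.filename for c in opted_out])
    print("all-launch batch kept:", len(filter_batch(ALL_LAUNCH_BATCH)))
```

The scheme check in `extract_action_url` is the one piece that matters regardless of which policy a client settles on: a result can only ever open an http(s) page, never a local path or script URL, and the user is told it is a page before the browser is touched.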
"if you can't be part of the solution, there's good money to be made prolonging the problem" -- thinkgeek demotivational calendars.
Oops - I clicked edit when I meant to click quote - can you repost pls?
Also, you leave no option for the user to opt out of receiving sponsored results - something a GGEP extension/flag in the query could have achieved. Unfortunately we're all facing a done deal - and discussing what could have been done is not really productive.
Susheel, This is not anti-competitive. It is PRO user. You've highlighted a major potential nuisance to our users. You've shown spammers how to get web pages into millions of users' faces. (Okay, maybe they aren't that smart yet but they will soon likely figure it out.) I think we can safely assume that users will understand and appreciate the fact that we want to block spam. No ill intentions on our part. We are just trying to do what's right and our users come first. Thanks -greg
In addition to being anti-competitive, excising the feature is reactionary. 1) You have no evidence that spammers are using it. 2) You are throwing out current *legitimate* (paying artists!) uses to guard against the potential of illegitimate uses. Perhaps you've heard of the substantial noninfringing use doctrine and the reasoning that underlies it? The feature is content agnostic and should not be excised simply because it can be used for bad ends. 3) Spam can be detected in other ways such that honest uses of the html launch can be allowed to continue. Thanks! Susheel
I do have some ideas which I'll present in a write-up soon. It isn't too hard to catch the most egregious spammers. Will I get one of your generous bounties if you end up implementing the system? :) Thanks! Susheel
Um, no, the bounties are for actually implementing the proposed feature. Complete with [working & non copy/pasted]^ unit tests* Keep in mind that whatever scheme you have in mind it will be all open source, so I see little point in hiding it. * the punchline ^ the better punchline
I was kidding about the bounty. Of course any code submitted would be open source. Besides being bound by the terms of the GPL, I wouldn't have it any other way. I'm a firm believer in open source and open protocols, even if it means people utilize or develop features you don't like. Let freedom ring! :)
*ring*
sdaswani, you seem to be the only one complaining on this issue. NO user wants this, and if I continue to receive these, I'm going to patch limewire to block this specific client from connecting or sending me results at all. I paid for limewire pro already, so there is no reason in hell I should be getting sponsored results. And no, I can't opt out of your decision that you forced me into without blocking legitimate lots of content that I want. And it seems that you say Quote:
from: http://northnet.net/~midwest/0gloss.htm Quote:
You are defending something no one likes or cares about, you are defending annoying ads that no one wants to see, you are defending something that no one will ever like; if you are defending something like that, then you are guilty of it also. ..... Quote:
Keep telling lies, and you become a liar; keep telling the truth and you become trusted.
I don't think "sponsored results" are bad per se. However, I don't see a reason to use the Gnutella infrastructure for this. I suggest you implement this as an opt-in feature and use a few dedicated servers for this. You could use some kind of QRP to ensure that those servers see only queries that would match - to reduce the load on those and to prevent spying on users. You could even use a cluster of ultrapeers and handle this in a similar way as "locale preferences" are used by LimeWire. I recommend refraining from utilizing the common Gnutella network for such advertising. Spam is a fuzzy term but many people would certainly regard it as such. I definitely consider Google AdSense as spam - in many cases. You as LimeWire should know very well how much damage this (along with domain squatting) causes to you and your reputation.
Also, you are saying they are not bad... to me, that is an error; they are just helping to muddy the water for other people that want REAL content, not ads. I'm not going to pay for THEIR (gnoozle users) application by viewing THEIR (gnoozle) ads when I'm using ANOTHER company's (limewire) agent. Evidence? A picture is worth a thousand words.. They are also making their searches appear more prominent by lying about the alt-locs http://rootproject.servehttp.com/alk...snapshot03.JPG http://rootproject.servehttp.com/alk...snapshot04.JPG
I'm not only naive, I'm straight fvcking dull. Yay! Your first post wasn't very clear to me. I'm not affiliated with LimeWire nor am I a frequent user of LimeWire. To be honest, while this "feature" makes things easier you can easily cause almost the same effects without it. You can also easily filter those out, which is much more difficult when confronted with a real spammer. What's worse is that the results interfere with dynamic querying whether you want them or not. Regarding your payments: Well, Gnutella is an open network and by using it you'll use resources of people you didn't pay and you'll "donate" resources to people other than LimeWire or their users anyway. Unlike real scammers and spammers, these sponsored results also seem to be legit and licensed. Real P2P scammers and spammers usually sell pirated contents directly or indirectly. Claiming that they spam alt-locs isn't fair either. That's just a way to distribute load on their servers but I'd expect that there are better ways (e.g., a DNS record with multiple IP addresses) to achieve the same. It's rather a flaw of LimeWire to rank these higher (or maybe yours as you insist on this sort order) because this completely ignores the fact that any single source may know of further sources through the download mesh.
Sorry I don't have time for a full reply but here are a few comments: 1) alt-locs: sorry if they seem inflated. I put that code in there to demonstrate to our clients what their result will look like with a farm of servers running. I will take out that code tomorrow. That said, I'm also increasing the amount of servers we have running. More on that next.... 2) users LIKE our results. We have statistics showing that. Why? Because as someone said above, our results are targeted. Search for New Order, you get results related to New Order. I don't see what is wrong with offering legitimate, related content to users. I thought this was an open network? zab, what happened to "[w]e believe in open standards, open networks"?
If you go to the link shown in the picture above, it had nothing to do with the search.
Hmmm, I'll look into it. We are in beta after all :) .
Folks, I've fixed the alt-loc issues. Now you'll only see alt-locs if your query hits multiple servents. Sorry about that. Thanks! Susheel
Copyright © 2020 Gnutella Forums.