May 21st, 2001
Editor (Guest)
*Spy Packets found NOT Onflow or Savenow 2.2.4

Vinnie the God and dictator of Gnutella has decided to heavily censor his board, meaning he can't stand not having control over what is posted about his spyware. He has started deleting any messages that don't support his program, so the forum there is now worthless. This is the only place where this can now be posted, I hope this forum stays open! Here's the thread:

Code:
"Spy Packets not Onflow message being passed around"
Posted by Stacker (Guest) on May-08-01 at 06:16 AM

     What is with this message about spy packets? Is this true? This is a file being passed around on the network I found

     Bearshare sends out secret packets and passes them around the Gnutella Network
     disguised as search replies. Bearshare filters them so you don't see them! You
     need a special program to see them! They can't be easily tracked back to their source!
     SHARE THIS INFO FILE BACK TO THE NETWORK! GET THE WORD OUT! SPREAD FAR AND WIDE!
     The question is why does Bearshare need to do this? Why scramble the packet? Why
     not make the data human readable? Is this part of the SPYWARE we have been hearing
     about? Is your MAC address in it? (network interface card ID can identify your
     computer as unique) Did the RIAA pay Bearshare to put your personal information
     on the net? Did the MPAA make a legal threat and Bearshare caved in? Is he
     just insane? Did UFOs make him do this? Who knows!!!
     I found these messages on a public forum called the "gdf" where developers hang out:
                         From: Nate  <web1@p...>
                         Date: Sat Apr 21, 2001 6:00am
                         Subject: Strange Query Hit packets
                         While working on some routines, I found a strange scrambled packet, it's
                         always 175 bytes and very well formatted for Gnutella. Any idea what this is?
                         The IP address is never correct in the packet. Here's a sample I captured:
                         ----------------- Query Hit Data
                         01 B4 16 16 B4 F2 48 38 00 00 00 01 00 00 00 AF .4..4rH8......./
                         00 00 00 A1 B3 D0 A9 E0 99 A0 B1 FF FE D9 EF 93 ...!3P)`. 1.~Yo.
                         EE C5 91 D5 80 85 AA B0 F2 97 E3 F6 CD BD D2 A1 nE.U..*0r.cvM=R!
                         A0 F9 C2 A9 94 8F D0 EE D6 C0 BA EE BE CA B9 DF yB)..PnV@:n>J9_
                         A2 A9 8B B9 88 AE E9 95 C4 D9 AB 99 F1 E4 B6 B7 ").9..i.DY+.qd67
                         F8 D0 97 9C 86 C9 D9 F8 8B 87 AA B9 DF C9 A1 B5 xP...IYx..*9_I!5
                         D3 E4 C8 95 CD BF 98 CB E7 E5 8E 91 E0 C7 B3 C4 SdH.M?.Kge..`G3D
                         AF 87 CE 82 94 C6 BF FF EF 92 A6 D9 A3 E4 B8 90 /.N..F?.o.&Y#d8.
                         AF EF B7 A8 E3 E6 E4 D7 96 DC 85 F9 8E FE 88 93 /o7(cfdW.\.y.~..
                         CA 83 A5 BC C9 BD 9E DF FC C2 A6 CE C0 00 00 53 J.%<I=._|B&N@....
                         C4 35 BE 55 AD 07 72 FF F3 F1 B6 67 D4 6D 00 XX D5>U-.r.sq6gTm.
                         ----------------- Bytes = 175
                         ----------------- Query Hit Data
                         01 7B B1 B1 7B C6 EC 38 00 00 00 01 00 00 00 AF .{11{Fl8......./
                         00 00 00 A1 AA C4 D5 99 CB E8 C2 FF D0 82 F9 F3 ...!*DU.KhB.P.ys
                         E7 91 E4 F3 B2 E5 AC 95 ED 89 D7 A4 D1 DD D9 F7 g.ds2e,.m.W$Q]Yw
                         C5 A1 C0 9C 89 A6 9C B6 D7 89 9D 89 F3 DE FE C7 E!@..&.6W...s^~G
                         A0 DC D2 8F 88 E3 CE BF F7 CF AB AB D8 9D C5 92 \R..cN?wO++X.E.
                         E9 B6 97 C1 B0 E4 99 EB A2 ED E6 DC 9F C5 EB 8B i6.A0d.k"mf\.Ek.
                         EF 8D EC AC 8D A8 B5 80 D7 E1 E4 AB B3 DE 83 C7 o.l,.(5.Wad+3^.G
                         BD C8 81 98 BD C8 8F FA 84 A0 CA D8 B9 AA EC F6 =H..=H.z. JX9*lv
                         83 EF D3 FB 90 97 A4 FF E0 E7 F4 AB EF A3 D3 C5 .oS{..$.`gt+o#SE
                         EE B1 C5 D1 B2 97 C9 BB B1 AB 8C 9E C0 00 00 53 n1EQ2.I;1+..@....
                         C4 35 BE 55 AD 07 72 FF F3 F1 B6 67 D4 6D 00 XX D5>U-.r.sq6gTm.
                         ----------------- Bytes = 175
                         ----------------- Query Hit Data
                         01 4D 75 75 4D 1E 9D 38 00 00 00 01 00 00 00 AF .MuuM..8......./
                         00 00 00 A1 9E DC 96 AF AA 8B AE FF DD FE DB D0 ...!.\./*...]~P
                         99 C3 83 A5 8A A5 A1 93 FD E4 8F 9C AA DD DA C8 .C.%.%!.}d..*]ZH
                         CD E9 BF C8 D0 D3 D2 A6 D4 A8 D9 92 C5 D0 E0 A7 Mi?HPSR&T(Y.EP`'
                         A0 B3 B0 9D 97 96 D8 82 C4 8B AB C3 E9 9B A8 D1 30...X.D.+Ci.(Q
                         AE EE 97 DA C8 A0 DE 96 87 A2 CA AD 9F DF E7 AA .n.ZH ^.."J-._g*
                         B4 BD 9D DA 8D AE CB 91 C6 9E CD 98 D8 C2 A3 C1 4=.Z..K.F.M.XB#A
                         FE C0 B7 F4 A1 F5 CF FB DB E4 EE E7 D3 86 96 91 ~@7...!uO{dngS...
                         8B EE 83 99 9D D4 8D 8A DF C2 C6 C0 88 9E 8D F4 .n...T.._BF@....
                         DC D6 D6 B6 82 CF A5 93 F9 A6 EE FE 80 00 00 53 \VV6.O%.y&n~...S
                         C4 35 BE 55 AD 07 72 FF F3 F1 B6 67 D4 6D 00 XX D5>U-.r.sq6gTm.
                         ----------------- Bytes = 175
                         ----------------- Query Hit Data
                         01 5A 87 87 5A 0B EC 21 00 00 00 01 00 00 00 AF .Z..Z.l!......./
                         00 00 00 A1 90 98 A3 C6 E7 EF D9 FF C5 83 DE E3 ...!..#FgoY.E.^c
                         B8 CB D5 A3 A1 A9 C9 9E 96 E2 A0 EC AB CF B6 BA 8KU#!)I..b l+O6:
                         FB B4 E6 D1 F1 B0 A6 FB AB 8A 9B BA E8 BE DA 8D {4fQq0&{+..:h>Z.
                         B0 98 E6 D2 98 B1 B4 89 DA 9A D5 FC A5 96 A1 E3 0.fR.14.Z.U|%.!c
                         D8 99 CA E6 B6 D8 A1 A6 8B F9 BD AB D1 D6 E8 BA X.Jf6X!&.y=+QVh:
                         E8 97 EC E1 CD A2 FE A1 DA DD DE B5 AC 88 E2 88 h.laM"~!Z]^5,.b.
                         96 86 EA EC FD BB BF F8 D7 C8 B6 D7 B7 ED AB 82 ..jl};?xWH6W7m+.
                         98 80 85 C1 DA C0 93 D7 A1 EC E1 C2 B2 BF FF AE ...AZ@....!laB2?..
                         F5 E1 E2 E6 85 BD D4 F7 A8 B5 DE E2 C0 00 00 98 uabf.=Tw(5^b@...
                         66 FE 71 6D 1C 24 FD FF ED D3 8F 40 1A 8A 00 XX f~qm.$}.mS.@...
                         ----------------- Bytes = 175
                         ----------------- Query Hit Data
                         01 F7 0E 0E F7 0B B6 21 00 00 00 01 00 00 00 AF .w..w.6!......./
                         00 00 00 A1 B8 E9 B9 AE E6 DB A0 FF F7 84 82 CF ...!8i9.f .w..O
                         C5 F7 9C FE B3 C9 C3 82 B0 B8 A0 C1 B5 EF BA FB Ew.~3IC.08 A5o:{
                         8C BF F9 FE E3 87 82 A3 A9 CD 92 EC A8 B5 FD C5 .?y~c..#)M.l(5}E
                         B3 88 DB B0 FF DA D0 C4 B3 8C D5 AD C7 A3 F1 E1 3.0.ZPD3.U-G#qa
                         B1 EB CA 82 B9 E0 F8 DC F2 EA 87 8E 91 C2 D0 F7 1kJ.9`x\rj...BPw
                         DC 97 B6 DD 8D BB FD CF CC E3 80 91 C2 C1 D2 8D \.6].;}OLc..BAR.
                         98 95 C7 EC EB F4 AF FE F7 B3 F3 98 E0 A4 B0 D0 ..Glkt/~w3s.`$0P
                         B4 81 A6 85 B1 EC D6 97 8A E9 9D AB F9 DC F5 A6 4.&.1lV..i.+y\u&
                         F3 A3 96 E4 91 D5 80 CC A1 CF E8 C1 80 00 00 98 s#.d.U.L!OhA....
                         66 FE 71 6D 1C 24 FD FF ED D3 8F 40 1A 8A 00 XX f~qm.$}.mS.@...
                         ----------------- Bytes = 175
                         normal packet for reference:
                         ----------------- Query Hit Data
                         04 CA 18 41 A2 C8 68 00 03 00 00 9A 00 00 00 60 .J.A"Hh........`
                         E9 18 00 4B 6F 72 6E 20 2D 20 49 73 73 75 65 73 i..Korn - Issues
                         20 2D 20 31 37 20 2D 20 48 69 64 64 65 6E 20 54 - 17 - Hidden T
                         72 61 63 6B 2E 6D 70 33 00 00 44 01 00 00 C7 C2 rack.mp3..D...GB
                         95 00 72 61 67 65 20 61 67 61 69 6E 73 74 20 74 ..rage against t
                         68 65 20 6D 61 63 68 69 6E 65 20 2D 20 30 31 20 he machine - 01
                         2D 20 62 6F 6D 62 74 72 61 63 6B 2E 6D 70 33 00 - bombtrack.mp3.
                         00 9D 02 00 00 00 D0 58 00 44 61 76 65 20 4D 61 ......PX.Dave Ma
                         74 74 68 65 77 73 20 42 61 6E 64 20 2D 20 42 65 tthews Band - Be
                         66 6F 72 65 20 54 68 65 73 65 20 43 72 6F 77 64 fore These Crowd
                         65 64 20 53 74 72 65 65 74 73 20 2D 20 31 30 20 ed Streets - 10
                         2D 20 54 72 61 63 6B 20 31 30 2E 6D 70 33 00 00 - Track 10.mp3..
                         89 00 00 00 AB C5 47 00 4B 6F 72 6E 20 2D 20 46 ....+EG.Korn - F
                         6F 6C 6C 6F 77 20 54 68 65 20 4C 65 61 64 65 72 ollow The Leader
                         20 2D 20 32 36 20 2D 20 20 28 48 69 64 64 65 6E - 26 - (Hidden
                         20 54 72 61 63 6B 29 20 43 68 65 65 63 68 20 26 Track) Cheech &
                         20 43 68 6F 6E 2E 6D 70 33 00 00 42 45 41 52 01 Chon.mp3..BEAR.
                         00 18 00 01 02 00 00 00 00 00 AF 8C 30 D4 1E 46 ........../.0T.F
                         CE 59 FF 83 94 41 60 5F 8A 00 XX XX XX XX XX XX NY...A`_..
                         ----------------- Bytes = 298
                         From: Vinnie  <info@f...>
                         Date: Sat Apr 21, 2001 2:43pm
                         Subject: Re: Strange Query Hit packets
                         > While working on some routines, I found a strange scrambled packet, it's
                         > always 175 bytes and very well formatted for Gnutella. Any idea what this is?
                         > The IP address is never correct in the packet. Here's a sample I captured:
                         Queries, or Query Hits messages which have only high ascii characters
                         (values with the high bit set) where strings are expected are
                         proprietary messages sent between BearShare servents.
                         Queries should be handled as usual (routed or dropped if
                         duplicate/expired) however there is no need to scan the local index
                         of files for a match if the high bit is set in every character.
                         Query Hits messages which have only high ascii characters should be
                         handled as usual (routed or dropped if expired or there is no route).
                         If you have passive monitoring implemented, do not scan these high
                         ascii file names as they do not correspond to file data.
     MORE LINKS
     more information ---> www.spychecker.com        (search for bearshare)
     more information ---> www.bearshare.com         (in the forums, adware section)
     more information ---> www.grc.com               (read OptOut section)
     get anti-spyware-software ---> www.lavasoft.de  (download the Ad-Aware program)
     http://forums.gnutelliums.com/
     http://dss.clip2.com/
     http://www.zeropaid.com/

"RE: Spy Packets not Onflow message being passed around"
Posted by ****ed on May-08-01 at 07:28 AM

     Haa.
     Just as I suspected, good thing I use ad-Aware
     Thanks for the tip on spyware.com

     Good to see the V.O.C.M.
     Voice Of The Common Man. Fighting the "Dark Force" (parasitic greedhead scam, that leaves dark holes in the spirit world. Bruce Cockburn (really tired at this point...need sleep))

     LONG LIVE P2P


"Bull$hit"
Posted by Vinnie on May-08-01 at 08:20 AM

     It's not spy packets.

     BearShare sends encrypted messages that contain the version number, and high precision representations of the shared file count and bytes.

     These messages are sent as both queries, and query replies.

     The main purpose of the message is to support the "upgrade notice" when a newer version of BearShare is detected on the network.

     The message is protected to prevent unauthorized users from claiming to be a higher version number.

     Duh!!! This is old news!


"RE: Bull$hit"
Posted by ****ed (Guest) on May-08-01 at 10:50 PM

     >>Its not spy packets.<< Actually what they're called is >>>backdoor TCP/IP Trojans<<< what do they do... oh not much. These are programs that if you read the "end-user
     agreement", have basically gotten permission from the user, did you say yes! they use the tcp/ip backdoor "security hole" to STEAL the users bandwidth. THESE TCP/IP
     BACKDOOR TROJANS ARE THE NUMBER ONE REASON FOR STRANGE COMPUTER CRASHES AND PERFORMANCE ISSUES !!! Some computers can be infected with
     so many of these programs like a small rodent infected with parasites !!!


     So BUll****... I say BULL**** !!!

     You're right about one thing... it is old news


     BearShare sends encrypted messages that contain the version number, and high precision representations of the shared file count and bytes.

     These messages are sent as both queries, and query replies.

     The main purpose of the message is to support the "upgrade notice" when a newer version of BearShare is detected on the network.

     The message is protected to prevent unauthorized users from claiming to be a higher version number.

     Duh!!! This is old news!


"RE: Bull$hit"
Posted by BullNOT (Guest) on May-09-01 at 03:51 AM

     >Its not spy packets.
     >
     >BearShare sends encrypted messages

     WHY?
     Why not in the clear?
     Why not just have a pop up that asks the user if he would like to connect to your site and see if there is a new version?
     Why FORCE this down people's throats?
     Why waste EVERYONE'S bandwidth on this? Not all programs that are passing these are Bearshare!
     Why shouldn't those other programs block your not within protocol spec packets?
     Why not make a server like gnutellums.com 6346 and have Bearshare clients check in there and at that point do your check? You would have all the info you wanted and you would
     know how many are running so you can count your money ahead of time.
     Why not just have a simple button people can press to check?
     Why do you assume all users are too lame to look for a new version every once and a while?
     Why not run a few copies of your program on your computer and have it return search packets saying that there is a new version available when it detects one that is older?
     Why do you bother people if they don't give a crap about upgrades every week?
     Why do you bother people who know better than trust a new version that just came out?
     Why do you think everyone is your personal testing ground?
     Why do you think you can get away with lying about the purpose of this packet?

     >contain version number, and high
     >precision representations of the shared
     >file count and bytes.

     Yes, you need a high precision floating point number to represent an INTEGER from 1 to 9999.
     You are right a 32 bit INTEGER couldn't handle how many bytes (in 1K blocks) that someone has shared. Like when I look to see how many GB's I have on my hard drive, I want
     to know down to the last byte, give me high precision! BULL SH*T!!

     >These messages are sent as both
     >queries, and query replies.

     What a nice waste of my bandwidth.

     >The main purpose of the message
     >is to support the "upgrade
     >notice"

     Like anyone cares. It's for you to see if you will be rich or not. Why not just figure you will always be broke and go get a job?

     >The message is protected to prevent
     >unauthorized users from claiming to
     >be a higher version number.

     BULL S*IT!

     It's more than you are saying and you have no reason to put this packet on the net, period. Your lies suck and you know it.


"RE: Bull$hit"
Posted by Sephiroth on May-09-01 at 02:47 PM

     This is needed to get users to update the program.

     Gnutella is not like napster or any other crappy centralized or semi-decentralized program. The latest programs HAVE to be used or else the network will continue to be slow and
     ****ty for all. That is why it's needed and because gnutella is not centralized you can't really have a central place to check for updates and get to everyone.

     Waste of bandwidth... a less than a fraction of a second to transmit.. Oh yeah that's a real waste..

     It doesn't FORCE you it gives you the chance to say yes update or no don't...

     The most important thing is

     >The message is protected to prevent
     >unauthorized users from claiming to
     >be a higher version number.

     If that wasn't in there I could take a nasty virus.exe set it to Bearshare 9.9.9 and watch as everyone upgrades to it and gets their computer infected with the nasty surprise of my
     choosing..
     The current upgrade method prevents that from ever happening and what you two are complaining about is that you want to take that feature away and open a Pandora's box that will
     have the potential to literally cripple gnutella network out of existence..

     So ****ed I think that would be a little worse than the trojan rant you went on about. But trojans open a security hole on your computer and leaves them there and the upgrade
     notice doesn't since you believe one is there I hope you go out and find this trojan and see how you can use it to gain access to other users machine. Since you said that it is a trojan
     you must already know a lot on it so you'd be the best one to track it down. I'll be waiting for your results and good luck testing that out.


"RE: Bull$hit"
Posted by Great Maker (Guest) on May-09-01 at 09:25 PM

     >This is needed to get users
     >to update the program.
     >because gnutella
     >is not centralized you cant
     >really have a central place
     >to check for updates

     WHAT? Are you on drugs? What is this Bearshare site? A non central place to get an upgrade? WHAT IS YOUR PROBLEM?

     You are the new guy working for Vinnie, aren't you? Now we see your motivation. How could he find someone else who is willing to cover up this abuse? Two peas in a pod.

     >If that wasnt in there i
     >could take a nasty virus.exe
     >set it to Bearshare
     >9.9.9 and watch as everyone
     >upgrades to it

     Yea and stick it on the Bearshare site. Yea right.

     If it always points them to the Bearshare site, what's the problem? Don't try to dazzle me with your brilliance, it just makes you a bigger liar.

     This is BULL**** people, plain and simple. Not buying this crap!

     There is no reason for this, there are much simpler methods to do what they want, other programs use them, and therefore this packet has another purpose.

     Virus my ***! If it's that lame then I will decrypt the packet and do just that, point it to a better program that overwrites Bearshare! It's going to happen anyway, why not start
     now? YOU WOULD BE STUPID TO DO IT THIS WAY! because you know sooner or later it would be cracked and then a virus would be put out for sure. So don't tell me you are
     lame *** stupid enough to put this upgrade thing in there this way! If you are, no one should use your program ever cause it's too big a security risk!

     Stop lying to cover all this up! Just take this crap out and do it right!


"still sucking it seph?"
Posted by sephiroth suckup bitch (Guest) on May-09-01 at 10:16 PM

     Nevermind sephiroth. He/she is a dam suckup bitch. Or a d!ck rider as some would say. Always trying to assimilate people towards his defeatist ideologies, insulting each user
     that disagree with him/her, comparing bearshare to napster including their users, protecting vinnie, etc...
     Just forget about him/her. Eventually he/she will die by choking on come and the world will become a better place.


"RE: still sucking it seph?"
Posted by x (Guest) on May-14-01 at 09:19 PM

     Well said!!!
     couldn't agree more.

     >Nevermind sephiroth. He/she is a dam
     >suckup bitch. Or a d!ck
     >rider as some would say.
     >Always trying to assimilate people
     >towards his defeatist ideologies, insulting
     >each user that disagree with
     >him/her, comparing bearshare to napster
     >including their users, protecting vinnie,
     >etc...
     >Just forget about him/her. Eventually he/she
     >will die by choking on
     >come and the world will
     >become a better place.

"RE: Bull$hit"
Posted by ****ed (Guest) on May-10-01 at 02:29 AM

     What is Spyware?

     Spyware is ANY SOFTWARE which employs a user's Internet connection in the background (the so-called "backchannel") without their knowledge or explicit permission.

     Silent background use of an Internet "backchannel" connection MUST BE PRECEDED by a complete and truthful disclosure of proposed backchannel usage, followed by the
     receipt of explicit, informed, consent for such use.

     ANY SOFTWARE communicating across the Internet absent these elements is guilty of information theft and is properly and rightfully termed: Spyware.

     ****************************

     END-USER LICENSE AGREEMENT (example)
     By becoming an End-User, you hereby agree that TransCom may share with other parties both aggregate information and limited individual information gathered during your use of
     TransCom's BeeLine and/or the Internet. "Aggregate Information" is information that describes the habits, usage patterns and/or demographics of its End-Users as a group but
     does not indicate the identity of the particular End-User. "Individual Information" is information about an End-User presented in a form distinguishable from information relating to
     other End-Users but not in a form that enables the recipient to personally identify any End-User. You also agree that locator information about you may be gathered, processed or
     used as provided in the following paragraph. "Locator Information" consists of an End-Users name, e-mail address, physical address and/or other data that enables the recipient
     to personally identify the End-User. You agree that Locator Information on you may be gathered, processed or used in the following instances: first, TransCom's BeeLine may
     provide Locator Information on you to TransCom so that TransCom may notify you directly of special offers and communications regarding TransCom's products. In addition,
     although Locator Information will not be disclosed directly to a third party except as described above, TransCom's BeeLine may use Locator Information to forward special offers
     or communications from selected companies to TransCom via TransCom's BeeLine. Locator Information and Individual Information will be processed and stored by TransCom in
     the United States and, if you do not live in the United States, possibly in your country of residence. You may contact TransCom to determine whether such information has been
     accurately recorded and, if not, to request correction of any inaccuracies in the information recorded by TransCom.

     ******************************

     Spyware Detection

     Almost without exception, spyware deliberately hides inside the computer and works at avoiding detection. For example, the Aureate spyware system inhibits its Internet
     backchannel use in the absence of keyboard or mouse activity so that the user won't see modem lights flashing and wonder what the heck is going on. Since spyware is
     deliberately trying to go undetected, special tools are required to sense the presence of these sneaky spies. Of course, Ad-Aware instantly and efficiently detects the presence of,
     and optionally removes, any spyware it knows about.

     ********************************

     The days of Spyware playing fast and loose
     with users' Internet connections are over.
     Informed users will now dictate the terms
     of continued access to their systems.

     *******************************


"RE: Bull$hit"
Posted by titan63 on May-10-01 at 06:04 AM

     >This is needed to get users
     >to update the program.
     >
     >Gnutella is not like napster or
     >any other crappy centralized or
     >semi-decentralized program. The latest programs
     >HAVE to be used or
     >else the network will continue
     >to be slow and ****ty
     >for all. That is why
     >its needed and because gnutella
     >is not centralized you cant
     >really have a central place
     >to check for updates and
     >get to everyone.
     >
     >Waste of bandwith... a less than
     >a fraction of a second
     >to transmit.. Oh yeah thats
     >a real waste..

     Take care of the cents and the dollars will look after themselves. The longest journey begins with one step.

     I guess you are too dumb to figure it out for yourself: Millions of little messages = MASSIVE bandwidth load.

     >It doesnt FORCE you it gives
     >you the chance to say
     >yes update or no dont...
     >
     >
     >The most important thing is
     >
     >>The message is protected to prevent
     >>unauthorized users from claiming to
     >>be a higher version number.

     Yeah, no #####, gits like me spend days trying to figure it out.

     >If that wasnt in there i
     >could take a nasty virus.exe
     >set it to Bearshare
     >9.9.9 and watch as everyone
     >upgrades to it and gets
     >there computer infected with the
     >nasty surprize of my choosing..

     Get your head out of your ***. Ok "I am mr anonymous dude. I am so powerful, I can hack whatever I choose." F-u-c-k off.

     >The current upgrade method prevents that
     >for ever happening and what
     >you two are complaining about
     >is that you want to
     >take that feature away and
     >open a paradoras box that
     >will have the potential to
     >literally cripple gnutella network out
     >of existance..

     You are so anal I could puke.

     >So ****ed i think that would
     >be a little worse than
     >the trojan rant you went
     >on about. But trojans open
     >a security hole on your
     >computer and leaves them there
     >and the upgrade notice doesnt
     >since you believe one is
     >there i hope you go
     >out and find this trojan
     >and see how you can
     >use it to gain access
     >to other users machine. Since
     >you said that it is
     >a trojan you must already
     >know alot on it so
     >you'd be the best one
     >to track it down. Ill
     >be waiting for your results
     >and good luck testing that
     >out.


     Good luck, sub seven sucks ***, netbus even worse, and as for back orifice aka "I am so anal I want to take the **** out of microsoft back office and call it back orifice, and I am
     so clever for doing that, please give me recognition, my name is the (cult of the dead cow), please recognise me" oh...

     I'm sure we (undisclosed government agency) have recognised you.


"RE: Bull$hit"
Posted by x (Guest) on May-14-01 at 09:41 PM

     >Its not spy packets.
     You sure?, have you decrypted the stuff yourself?
     Even if you say you have, do you think anyone here would trust you with their pc??
     ..doubt it.

     >BearShare sends encrypted messages that contain
     >the version number, and high
     >precision representations of the shared
     >file count and bytes.
     Yeah, sounds like really important top secret version #'s 'n stuff, the kind that you encrypt because you wouldn't want the user to know about it.


     >The main purpose of the message
     >is to support the "upgrade
     >notice" when a newer version
     >of BearShare is detected on
     >the network.
     Uh huh, sure, if you say so.

     >The message is protected to prevent
     >unauthorized users from claiming to
     >be a higher version number.
     Geez, I shoulda thought of that!
     Always wanted to claim that I had a newer version of Bear Share!!, heck if I could do that I'd be top dog on the block!

     >Duh!!! This is old news!
     But not as 'old' as your lame *** response!


"RE: Bull$hit"
Posted by Ted (Guest) on May-19-01 at 08:34 PM

     I'm not as concerned with the spyware thing I can deal with that it is easy to kill it. My concern is all the crap running in the background sucking up resources! When I run a program
     that should be the only one running (BIG PERIOD)


"RE: Spy Packets not Onflow message being passed around"
Posted by Wildhorse (Guest) on May-09-01 at 06:42 PM


     Anyone using Bearshare, and even worse the latest version of Bearshare and thinking they are preserving their privacy should really think twice about it. The Savenow crap that
     Bearshare installs is just one more example of how aggressive the creators of this program and the director of this company are about ads and spyware technologies.
     I got only one tip, just delete the crap and move to any other Napster clone out there that does the exact same job but you risk not having crappy ##### spyware being installed on
     your system without (and in this case) without your consent. You might also wonder about a company that creates an entire new TCP/IP stacks, this, not knowing at all if firewalls
     will really react to this new stack which replaces previous stacks. Not only for the fact that this stack cannot always be removed with success. My experience with napster like
     clones is that bearshare has never been worth the danger and the risks when there are so many other software out there that does the same and usually, better. And believe me, I'm
     not naming any here, I just used/installed bearshare and speak of experience.


"RE: Spy Packets not Onflow message being passed around"
Posted by Sephiroth on May-09-01 at 07:25 PM

     And
     >believe me, I'm not naming
     >any here, I just used/installed
     >bearshare and speak of experience.
     >

     You know nothing about the Gnutella protocol or the tcp/ip stack as you called it. Bearshare isn't any crappy Napster clone it's decentralized.

     And all firewalls work on Gnutella since you speak of experience I guess you already know that. I and many others have used a wide range of firewalls and they have all worked on
     gnutella. You see Gnutella uses port 6346 on tcp/ip which tcp/ip is what most internet programs use in some way, shape or form. A new one isn't created at all.

     We'll see how much you love your napster clones when you're paying 20 bucks a month and up for them.. At least Bearshare will always stay free and unless you want to be forced
     into paying the RIAA then you better be supporting the programs that will remain free because next month a lot won't be..

     Have fun just so you know you'll probably be handing over your name, address, record of downloads (so they know how to bill ya), credit card number, e-mail address, and phone
     number to the centralized places or the riaa companies themselves by paying.
     And I guess that's not considered a privacy violation..


"RE: Spy Packets not Onflow message being passed around"
Posted by titan63 on May-10-01 at 05:52 AM

     Ah, so that's why I couldn't hack that "you must now update" crap, Vinnie pulled a fast one and encrypted it. Good one Vinnie. It would be mildly amusing although fairly pathetic.


"Hack a pack"
Posted by Stacker (Guest) on May-12-01 at 12:48 PM

     Well then, it looks like time for those who know how to hack the packet and let us know what's in it since there is a cover up going on here. Anyone got any talent out there? I
     would think the encryption sucks and is something made up at home.


"RE: Hack a pack"
Posted by Grant (Guest) on May-13-01 at 04:39 PM

     So is there a security hole? Is that what you are saying?
     If someone wants to send a packet saying they have an upgraded version my client will accept it and then download and install the new version. Or make it look valid so I install it?
     Sounds like a big security hole to me! Has this encryption been tested by the big encryption programmers? If not, you are doomed!
     I can't wait to see the first formatted hard drive and lawsuit cause this was done incorrectly.


"RE: wHack a clown"
Posted by Sephiroth on May-13-01 at 05:12 PM

     Because of the way it is now, what I said in my last post can't ever happen. And even if it did then you have to be directed to a web page which contains the file. Plus there are other
     ways to prevent it from happening that are in place. So you're all full of it.

     So many clowns and there's not even a circus..


"RE: wHack a clown"
Posted by Zippit (Guest) on May-13-01 at 06:59 PM

     Quote Sephiroth "I always have a good laugh when people have to resort to personal attacks; just proves they have no other way to defend their argument.."

     Having trouble defending your argument are you sephiroth?

     10 points for effort
     0 for consistency


"RE: wHack a clown"
Posted by Sephiroth on May-13-01 at 07:38 PM

     First, I didn't attack them personally, just generally. I didn't say anything about that, and there is always the occasional exception to any rule. Anyways, you're a troll; you don't have the
     right to give me a morals lesson. You can just make a different name to insult people.

     Anyways, I just read the end part of the first topic before I stopped where it said "Did aliens make him do it?"

     This thread is outright funny because all that info is the same thing. In the reply by vinnie it explains what that packet is and why it's like that in the first topic. To optimize the
     searches Bearshare doesn't show the ascii characters. Meaning that stuff has the same information except one of them has it in ascii or the text and the other in just the code. By
     having just the code it shortens the message length, therefore making it go faster.

     too funny..


"RE: wHack a clown"
Posted by Zero (Guest) on May-13-01 at 07:58 PM

     Hi Sephiroth

     In an earlier post you said:

     <<And all firewalls work on Gnutella; since you speak of experience I guess you already know that. I and many others have used a wide range of firewalls and they have all worked
     on gnutella. You see, Gnutella uses port 6346 on tcp/ip, and tcp/ip is what most internet programs use in some way, shape or form. A new one isn't created at all.>>

     -----------

     To the best of my knowledge this isn't actually true. Sure any firewall will -work- on Gnutella but that depends what you mean by work. 6346 is a port which is not normally used
     by standard internet applications other than Gnutella clients. Most firewalls by default require manual opening of ports over 1024. Therefore this does in fact actually create a new
     open port. Again it depends what you mean by "work". Packet filtering etc is surely going to work but you aren't going to get the protection that a closed or stealthed port offers.

     You say that most internet programs use TCP/IP but this doesn't actually have any relevance to port 6346.

     However if you can think of other standard non-gnutella apps that use port 6346 feel free to correct me on this one


"RE: fun fun fun"
Posted by Sephiroth on May-13-01 at 08:29 PM

     Why can't someone else be in the "hotseat" playing 20 questions tonight..

     I gave a general answer and what I meant was in the general tense. By work I meant does the firewall do what a firewall should do, which is to block net attacks.

     And I didn't mean that all online programs use the same port 6346, that'd be dumb. I meant that all online programs use tcp/ip whether it is to download or use them in. It looked a little
     confusing but that's what I meant..


"RE: fun fun fun"
Posted by Zero (Guest) on May-13-01 at 08:56 PM

     That's fine - I see what you were saying now Sephiroth

     Thanks for the clarification


"Home run"
Posted by Vinnie on May-13-01 at 11:27 PM

     >So many clowns and there's not
     >even a circus..

     ROFL

     You mind if I use that one?


"Snap into a Slim Jim"
Posted by Vinnie on May-13-01 at 11:35 PM

     >So is there a security hole?
     >Is that what you are
     >saying?

     >If someone wants to send a
     >packet saying they have an
     >upgraded version my client will
     >accept it and then download
     >and install the new version.

     No - BearShare does not automatically download and install anything.

     Even if it did (which it might, eventually) it would use download.bearshare.com, ask the user before the installation proceeds, and be digitally signed by Free Peers, Inc. using the
     code signing tools developed by Microsoft.

     Compromising the private key from Verisign would require either #1 breaking the encryption strength, or #2 hacking the machine which stores the certificate and stealing a copy.

     For #1 the chances of this happening are just as likely as someone cracking the private key for Microsoft's code signing certificate. If I were devoting CPU resources to breaking a
     cipher, I would certainly go after a more valuable certificate than the one held by Free Peers, Inc. especially since both Internet Explorer and Windows Update can automatically
     trust certificates from Microsoft.

     For #2 someone would have to break into the facilities since this machine is neither connected to a local area network nor is it connected to the Internet.

     If I were dead set on gaining access to the certificate, I would certainly go for method #2 since that one has a higher chance of success.

     Whoever tries, better make sure that I'm not there or else they will get a major can of whoop-asss opened up on them


"RE: Snap into a Slim Jim"
Posted by Wonko on May-14-01 at 05:29 AM

     So, what this means, in essence, is that as long as it doesn't automatically install anything, and if autoinstalls will be done from a central source, there's no security reason for
     encrypting the update messages.

     Which brings us back to the original question - why encrypt? If it's not a security issue, who cares about `unauthorized users` (Didn't know this even existed as a concept on
     gnutellanet...) pretending to have a higher version number?


"Then take it out"
Posted by Grant (Guest) on May-14-01 at 03:29 PM

     Yes, we are right back to no reason for it being there.
     Any other program out there simply waits a week or two and pops up a box asking if you would like to check for an upgrade. They *always* include a check box that says "don't
     bother me again with this cause I am an adult and can find an upgrade all by myself" or something like that.
     So stop worrying about your $$$$$ because you want people to upgrade if something like onflow happens again (you get no $$ so upgrade everyone quick!), just keep adding new
     features and everyone will upgrade cause there is "value added".
     If you don't do this then we will all know you have other sneaky reasons for this packet and I will personally mount a spamfest to every media outlet till no one downloads it.
     Warning: if the next version still has it, spamfest enabled - everyone is invited to join the party, come one come all!

     Spamfest 2001 !


"RE: Gnutella 101"
Posted by Sephiroth on May-14-01 at 04:04 PM

     You don't understand Gnutella and why updated versions are so important. If users were allowed not to upgrade then gnutella would be very very slow and have a lot of problems
     because it would be next to impossible to improve the network. In other words it will cause more problems than good.

     This isn't napster; you can't use a version that's a year because if you do then you will be hurting yourself a lot. There are a lot of bug fixes and upgrades even though they may be
     small that makes updating worth it.

     You want to risk it and use the outdated version, then just press no and don't come back here complaining if you have any problems with the old version.


"RE: Gnutella 101"
Posted by x (Guest) on May-14-01 at 09:30 PM


     >This isn't napster you can't use
     >a version that's a year ...
     And why not, if that's what I want to do?

     >..because if you do then
     >you will be hurting yourself
     >a lot.

     Really? And who should decide what's 'good' for me?
     ..gee, thanks!

     >There are a lot of
     >bug fixes and upgrades even
     >though they may be small
     >that makes updating worth it.

     Worth it to you or me?

     >You want to risk it and
     >use the outdated version then
     >just press no and don't
     >come back here complaining if
     >you have any problems with
     >the old version.
     You want to risk it, just press yes and quit bitchin about those who pick no!

     #####!
     ...or maybe that should be, ..dickless!

"... but having troubles doing so"
Posted by Want To Believe (Guest) on May-15-01 at 00:54 AM

     >You don't understand Gnutella and why
     >updated versions are so important.
     >If users were allowed not
     >to upgrade then gnutella would
     >be very very slow and
     >have a lot of problems because
     >it would be next to
     >impossible to improve the network.
     >In other words it will
     >cause more problems than good.

     Here's why I don't understand the rationale you give ("So people don't impersonate higher versions.") How exactly are Bearshare users going to do that? I can see some hacker
     making their own version of a GNET client, based on gnut or something, and then they can put anything they want in the messages. But they're not going to be avoiding upgrades
     to Bearshare, which they don't have in the first place, right? How are users of Bearshare, that you propose would try to avoid upgrades (!?!), going to change their app to send out
     modified query and query response packets? And even if they COULD, why WOULD they?

     Do you see why the reasons given don't ring true?

     Vinnie has said elsewhere that he plans on putting additional info in these packets soon, such as Processor, RAM, etc. I don't know if he was joking (I think sometimes that he
     replies on these forums after a couple days of no sleep), but why would he do this? And why encrypt it? I don't get it.

     I CAN think of a couple reasons for this type of packet that don't NECESSARILY involve RIAA or MPAA, but I don't understand why he wouldn't just SAY so. For example,
     something to prevent other apps from masquerading as BS (for what reason, I can't imagine.)


"I didn't have sex with that woman!"
Posted by Monica (Guest) on May-15-01 at 02:24 AM

     It's all bullshlt, a coverup.

     A. The RIAA threatened a lawsuit, Vinnie wimped out and is now kissing RIAA Lawyer ***.
     B. Privacy means nothing to Vinnie.
     C. Socialists loaned money to Freepeers and now want to pull the strings.
     D. You are dreaming, WAKE UP!


"Eh?"
Posted by Vinnie on May-15-01 at 07:58 AM

     >Here's why I don't understand the
     >rationale you give ("So people
     >don't impersonate higher versions.")
     >How exactly are Bearshare users
     >going to do that?

     A malicious hacker could send a message out that claims a higher version - this would wreak havoc on the network, no one would trust the upgrade dialog again.

     >Vinnie has said elsewhere that he
     >plans on putting additional info
     >in these packets soon, such
     >as Processor, RAM, etc.
     >I don't know if he
     >was joking (I think sometimes
     >that he replies on these
     >forums after a couple days
     >of no sleep), but why
     >would he do this?

     Certain high end machines will become eligible to run extended peer to peer services. Criteria for running these extended services include:

     - someone who leaves their machine on for a long time
     - dedicated IP address (that doesn't change with DHCP)
     - ability to accept incoming connections
     - sufficient RAM
     - sufficient idle CPU time

     Part of these features requires "tuning" the network. This tuning process assigns random number probabilities to each eligible machine to determine if they are elected to run
     extended services - this provides control over density and distribution within the network of machines running extended services. In order for me to tune it, I need to have a rough
     idea of the distribution of computer resources through the network and this requires gathering statistics.

     >I CAN think of a couple
     >reasons for this type of
     >packet that don't NECESSARILY involve
     >RIAA or MPAA, but I
     >don't understand why he wouldn't
     >just SAY so. For
     >example, something to prevent other
     >apps from masquerading as BS
     >(for what reason, I can't
     >imagine.)

     It is impossible to prevent other applications from masquerading as BearShare. It simply cannot be done.

     However, it is possible to prevent other applications from claiming to be a higher version number of BearShare than is currently shipping, thus the encryption.

"Thanks for the explanation"
Posted by Einstein (Guest) on May-15-01 at 10:58 AM


     >A malicious hacker could send a
     >message out that claims a
     >higher version - this would
     >wreak havoc on the network,
     >no one would trust the
     >upgrade dialog again.

     Ah! I think the lightbulb just went on! So, the way this works then, bearshare apps send out messages that tell other peers what version they are running. If my app sees a message
     from a higher version, it pops up the upgrade dialog. Got it. So, you do this to cut your bandwidth costs at your download servers (seeing how the alternative would be for them to
     check in there when they are fired up)? So, if this is how these are used, you are effectively spreading your bandwidth costs out to the rest of the network. That sort of makes
     sense. Now you need to figure out a way to propagate the downloads through the network

     >Part of these features requires "tuning"
     >the network. This tuning process
     >assigns random number probabilities to
     >each eligible machine to determine
     >if they are elected to
     >run extended services - this
     >provides control over density and
     >distribution within the network of
     >machines running extended services. In
     >order for me to tune
     >it, I need to have
     >a rough idea of the
     >distribution of computer resources through
     >the network and this requires
     >gathering statistics.

     Have you been working at all with other peer developers on this? I would think that messages of this sort would be generally useful for network distribution. You could implement
     the use of those messages in a superior way, and maintain your competitive advantage, and the network would enhance the value of your software by complying with the
     messages. That might also ease the fears of some of the more ... er ... cautious on these forums.


"RE: Thanks for the explanation"
Posted by AlieXai (Guest) on May-15-01 at 03:45 PM

     Finally, after reading this entire forum, the person who posted the last message is the only one that has a clue (Besides vinnie and seph and maybe 1 more person)

     Obviously that data posted by the creator of this thread was misunderstood. Ripped directly from one of the discussions by the Defender test team. Actually, I (if I remember
     correctly) think that was some of the data used to prove that onflow, savenow, new.net aren't 'spyware' in the typical sense.


"RE: Thanks for the explanation"
Posted by Einstein (Guest) on May-15-01 at 08:35 PM

     >Finally, after reading this entire forum,
     >the person who posted the
     >last message is the only
     >one that has a clue
     >(Besides vinnie and seph and
     >maybe 1 more person)

     Please don't compare me to "seph" or anybody else for that matter. I find "seph"'s comments to be the worst kind of rah-rah suck-up nonsense. They rarely get to the point, or try
     to see any other perspective, and instead try to defend BS at all costs. Stupid, pointless, and a waste of time.

     >Obviously that data posted by the
     >creator of this thread was
     >misunderstood. Ripped directly from one
     >of the discussions by the
     >Defender test team. Actually, I
     >(if I remember correctly) think
     >that was some of the
     >data used to prove that
     >onflow, savenow, new.net aren't 'spyware'
     >in the typical sense.

     No, ripped directly from the discussions by the GDF, a group of developers of GNET peers. The data had nothing to do with the spyware that is unfortunately bundled with BS, it
     had to do with one of the other GNET developers seeing odd packets, and asking what they were. The data has been explained by Vinnie (more or less satisfactorily in my
     opinion), but nonetheless it is still encrypted, when other methods that don't require secrets would accomplish the same thing without feeding fears. This is why I suggest working
     with the other developers.

     Please think before you post. Being praised by you and your ilk is worse than being damned. Open your mind and try to understand why people feel threatened by the actions of an
     application that sends data from their machines that they do not understand, and is not explained.

"Going `round in circles."
Posted by Wonko on May-16-01 at 04:57 AM

     Ok, let's try this again:

     This comes from the parent:

     A malicious hacker could send a message out that claims a higher version - this would wreak havoc on the network, no one would trust the upgrade dialog again.

     This comes from another message by Vinnie:

     No - BearShare does not automatically download and install anything.
     Even if it did (which it might, eventually) it would use download.bearshare.com, ask the user before the installation proceeds, and be digitally signed by Free Peers, Inc. using the
     code signing tools developed by Microsoft.

     So, how can a message claiming a higher version client wreak havoc on the network, if all downloads are made from download.bearshare.com anyway? At max, it'll be a minor
     inconvenience. So, there's really no need for encrypting this unless a distributed update mechanism is going to be in place, and I believe one of those would be inherently insecure
     under any circumstances.

     As to the additional info added to the packets - again, this is not a security or even a network-health issue, and does NOT require encryption.

"Loki"
Posted by Vinnie on May-16-01 at 05:04 PM

     >A malicious hacker could send a
     >message out that claims a
     >higher version - this would
     >wreak havoc on the network,
     >no one would trust the
     >upgrade dialog again.

     >So, how can a message claiming
     >a higher version client wreak
     >havoc on the network, if
     >all downloads are made from
     >download.bearshare.com anyway?

     No one will upgrade in a timely fashion.

     One of the biggest fixes I made to BearShare was in the "push" handling. Part of this fix actually rejected connections from older BearShare servents on or after a specific date (a
     "time bomb"). This timing scheme was necessary to make sure there was a sufficient number of fixed versions out on the network before the connection reject logic took effect.
     Without the time delay, early adopters of the new version would have a difficult if not impossible time getting hosts.

     Having a false upgrade dialog would not only be annoying, it would interfere with the upgrade process itself, causing delays in propagation of bug fixes and enhancements.

     That's called havoc.


"RE: Loki sucks"
Posted by Wackooo (Guest) on May-17-01 at 01:26 AM

     People, we have a control freak here, he wants to have total control and dreams about being the dictator of Gnutella, plain and simple.

     Vinnie says:
     >In order for me to tune
     >it, I need to have a rough idea of the
     >distribution of computer resources through
     >the network and this requires gathering statistics.

     Notice the word ** me ** , yes that's right, I can see him now in his lab in front of a huge control panel saying "I have a plan to take over Gnutella", sort of like you see in cartoons.
     This is laughable, he's about as bad as Bill Gates.

     These encrypted packets are not needed, there is no excuse and it's time to take them off the net. YOU HAVE NO REASON!

     How does anyone know that their e-mail addressbook isn't being shipped to the RIAA to help identify them?

     >Criteria for running these extended services include:

     Again, the dictator will say what machines will run what. How nice. Most other programmers would allow people to decide if they are "worthy" to use such a program. How the hell
     do you know how long I will leave the program up? Does your software read minds too? This is STUPID, LAME and you have no excuse. YOU ARE BUSTED, PLAIN AND
     CLEAR, ADMIT IT!


     Another user said:
     >you are effectively spreading your bandwidth
     >costs out to the rest of the network.

     Wow, it would cost a bundle if you returned a simple short packet of say 20 bytes with the latest version number in it from Bearshare central. THIS IS BULL****!
     More bandwidth is wasted in this forum, and most web server places charge less than $50 for major gigabyte transfers.

     And another user said:
     >Obviously that data posted by the creator of this thread was
     >misunderstood. Ripped directly from one of the discussions by the
     >Defender test team. Actually, I (if I remember correctly) think
     >that was some of the data used to prove that
     >onflow, savenow, new.net aren't 'spyware' in the typical sense.

     Yes, yes, try to cover it up. Nice try.

"Gone in 2.2.4 ?"
Posted by Rank (Guest) on May-19-01 at 07:07 AM

     So are these spy packet things gone now in 2.2.4 ?


"You have a choice"
Posted by MIGHTY MAN on May-19-01 at 07:47 AM

     You have a choice if you want to install them or not; you can untick the boxes if you don't want them installed.


"James Bond"
Posted by Vinnie on May-19-01 at 08:00 AM

     There are no SPY PACKETS

     That was just some fool talking without knowledge.

     Yes, 2.2.4 uses the same version notification scheme as all other versions of BearShare.

Nice try to cover this up, but how do we know what is in those packets?

DON'T USE BEARSHARE TILL HE GETS RID OF THIS CRAP!
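The posts by Einstein and Wonko above argue that a version announcement can be protected against forged "higher version" claims without hiding what it contains. As an added example (not BearShare's scheme and not code from the thread), this Go program signs a cleartext notice with Ed25519 so that clients, which hold only the public key, can read every field and still reject forgeries; the wire format, all names and the fixed demo seed are assumptions made for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"errors"
	"fmt"
)

// Hypothetical format for this example only; it is not BearShare's packet layout.
// The domain tag stops a signature made for another purpose being reused as a notice.
const domainTag = "example-version-notice-v1"

var ErrBadSignature = errors.New("version notice: signature does not verify")

// Version is compared field by field: major, then minor, then patch.
type Version [3]uint8

func (v Version) NewerThan(o Version) bool { return bytes.Compare(v[:], o[:]) > 0 }

// Notice is readable by anyone on the network; only the signature is opaque.
type Notice struct {
	Version   Version
	Signature []byte
}

func signedBytes(v Version) []byte {
	return append([]byte(domainTag), v[:]...)
}

// SignNotice runs on the publisher's machine, the only place the private key exists.
func SignNotice(priv ed25519.PrivateKey, v Version) Notice {
	return Notice{Version: v, Signature: ed25519.Sign(priv, signedBytes(v))}
}

// ShouldPrompt runs in every client, which ships with the public key only.
// A notice that fails verification is rejected before its version is compared.
func ShouldPrompt(pub ed25519.PublicKey, running Version, n Notice) (bool, error) {
	if !ed25519.Verify(pub, signedBytes(n.Version), n.Signature) {
		return false, ErrBadSignature
	}
	return n.Version.NewerThan(running), nil
}

// DemoKeys derives a key pair from a constructed all-0x42 seed so the example is
// repeatable. A real publisher would use ed25519.GenerateKey and keep the key offline.
func DemoKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x42}, ed25519.SeedSize))
	return priv.Public().(ed25519.PublicKey), priv
}

func main() {
	pub, priv := DemoKeys()
	running := Version{2, 2, 4}

	genuine := SignNotice(priv, Version{2, 2, 5})
	ok, err := ShouldPrompt(pub, running, genuine)
	fmt.Println("genuine 2.2.5:", ok, err)

	// A peer without the private key can only change the readable version
	// and attach a signature that was made for something else.
	forged := Notice{Version: Version{9, 9, 9}, Signature: genuine.Signature}
	ok, err = ShouldPrompt(pub, running, forged)
	fmt.Println("forged 9.9.9:", ok, err)

	// An old but genuine notice verifies, yet never triggers a prompt.
	old := SignNotice(priv, Version{2, 2, 0})
	ok, err = ShouldPrompt(pub, running, old)
	fmt.Println("replayed 2.2.0:", ok, err)
}
```

Because verification needs no secret, nothing extracted from a client binary helps an attacker sign a notice, and any third party can inspect exactly what the packet carries.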