What does downloading of music and the speed of your network have to do with Windows Media Player?

Of course, if it happens this way, there is an obvious security issue. Installations should always be manual, and not run from another piece of software. A dialog box asking for admin login/password information from within another software seems highly suspicious (well, at least to me).



Then why is it the default setup of OSX and several Unixes? To me this reduces risk a lot, as the computer can then still be cured/inspected from the administrative account. Any other proposition about how to handle that? (for any piece of software, not specifically WMP)

(btw there are not that many computer that should really be "single user", even in homes there are often several people using a single computer)

"User Accounts" are a half-assed approach to multiuser environments though, because the idea comes back from times, where HD-space was an issue. They try to seperate apps, from settings and media and do not employ any actual external security (all the security is only OS-internal - as soon as you access the storage from another software, you have full unlimited access). It is this half-assed approach plus stupid stuff like "centralized setting-storages" like registry, which to a large extend is responsible for all the complexity, problems and buerocracy in nowadays OSes.

The truth is that interface-level, app-level and media-level security and multiuser-support doesn't even need hardwired OS support! Check this out:

- All data except of OS and driver stuff is stored in encrypted filesystem images (truecrypt anyone?)
- This includes the user-environment which is just a "portable" application stored in that image (partially possible already).
- It also includes the applications, which are stored in that image, including their settings (portable apps do that already)
- And of course the users media
- multiple of such filesystem images can be mounted at the same time. Thus you can for example also mount an encrypted USB-stick or external HDD and then access it - if you know the PW.
- Thus, the OS doesn't even need to know "who" is currently using the PC. Users manage their privacy and security themselves simply by mounting/unmounting their encrypted images.
- User runs with very low access rights to the OS. Thus, he can do whatever he wants inside his images, but cannot damage the OS..... unless he knows the pass to elevate his rights. Interestingly, although he runs at such low privileges, he isn't constantly bothered with access-limitations, because he only needs to elevate his rights if he wants to do something to the OS.
- The OS automatically forbids any modification of unmounted images, unless one elevates ones access rights (thus, any app-level security breach can only affect the currently mounted images).
- add some mechanism to shield password entering during mounting from app-level keyloggers.

What you get:
- all the security of nowadays systems, and significantly more, without all the hassle
- no setups, package-managers, installations or deinstallations (except of just more comfortable "extractors"). Thus, also none of the downsides associated with those.
- easy backups of your data (just copy the image-file(s) and done!)
- full portability of apps, settings and data - from anywhere to anywhere.
- true privacy.... no centrally logged usage-data, own apps and media are internally and externally unaccessable. No worries about recovery of deleted data (as long as your image-encryption isn't broken)
- various niceties for corporate environments

Some interesting points although I don't agree with all your ideas.

To stay on-topic: Your concept would not have helped very much with the described trojan. Except for affecting only a single user on the system.

Which is impossible to solve without simply not installing software which behaves like WMP. Not even per-application access-restrictions would help here, because the player MUST have access to your audio-media - else it couldn't play it. The only sane solution is to simply not trust untrustworthy applications. The environment may restrict the damage, but there is no way around the simple logic, that if you give an app write-access to certain files, then it can write to them however it likes - if the app is malware-happy, then you shouldn't have given it that access in the first place.

Like gabriel said, windows illness is because of everyone is admin. Drop access rights of browsers media players etc and 85 % of problems will go away even without an antivirus. The other thing is that there is no package management so you are never really secure.

Vista tries to remedy the issue to an extent. With XP pro try LUA accounts + sudowin and dropmyrights for XP home.

Sweet Jesus! That's why I never trust any automated downloading instructions coming from any programs (in this case the missing codec tip). Except those "new version/upgrade" messages, perhaps not even that.


PS: Good point, 2Bdecided. I too agree with you it's not the average user who takes the blame here, or anywhere or anything. The problem really lies under those "demented" minds that think they know something and go make other lives miserable. Well, sometimes they really are brilliant minds in terms of intelligence, knowledge but look at what they use their brains for. It's totally devastating to see how there's so many remarkable minds but taking their knowledge for granted when they could very well be using it for real good things (and am not just talking about softwares, computers, etc). One don't need to know it all but only what they find it's important to them (if I decided to spend my money on a computer just as a 'pastime' hobby - you know, after stressed out from work - is there anything wrong with that? As long as I properly paid for the bloody machine).

Yes, and not just one file but the whole audio collection on your hard disk.

Maybe a software tool will be released later that will remove the malicious code ... and will offer the users the opportunity to change the extension of affected files from .mp2/.mp3 to .wma ... and so WMA will be the upcoming standard audio format on the web in one year or two - just let the Trojan spread and spread and spread.... ... and as we all know (also from all the discussions in this thread) - it will do so...

That - finally - will be the boost the WindowsMediaAudio format urgently needs....

i agree about UA in win (xp at least), but i don't get this:



so a user will press play and then for some reason type in an admin pass - yes, i have to be admin to listen to the music?

I'll never switch my workstation into a server.

I'm just waiting for the upcoming Haiku and the future ReactOS.

i wonder when it will be possible to install say adobe video bundle onto react-os, or all this devs expect silly users that are just happy with open-office & firefox in their lives?

I dont understand your question. ROS aims for full binary compatibility. It also clearly states, that it is currently far from that, architecturally incomplete and in alpha-state. So no, ROS-Devs do not expect development to stop in the near future.

As for BeOS.... i find the architecture VERY interesting... but i'm not sure if haiku will be efficient in practice.... at least in the near future...... mostly because of lack of software.

The NT codebase is a server OS and home / pro / server editions are the same beast. Win 9x could be considered the real home edition.

I get you point, Lyx, but do you really think that's any new? Regarding computer technology it's just another consequent step in a long determined development. We talk about a mentality which is rooted in the very fundament of western-scientific culture. Remember the greek myth about Prometheus stealing the fire from the Gods and Zeus' revenge in shape of Pandora's box. As man began to utilitize fire instead of just staring at it in awe, he was still sensible enough to cultivate a sense of his outrage. But this sensiblity vanished, at the latest, with the rise of modern scientific self-confidence.
Nowadays, we are proud to know about the nature of fire, but plug our lamps and computers into the socket without generally thinking about how the energy is brought to the wire (now we got Castor to take care of Pandora's box, but he's but a mortal...). And honestly - we can't. The very mode of scientific progress is utilization. Our world is a world of utility and the intrinsic complexity of these utilities, which we inescapably depend on, is ever growing. Alienation is the price to pay for any progress. Now geek's like us gladly pay that price. But not everyone can afford such a privation - and why should they? It's knowledge without any vital importance for them. No one has the capacity to be investigative in all the techniques he daily utilitizes. You can't be an expert on everything. Most people ain't experts on computer technology - yet they are culturally impelled to utilitize it. Technology creates necessity, but people create technology. Thus taking part in the development of technology is a matter of highest responsibility. Great scientist always knew about that. Companys like Microsoft obviously do not. So either you have blame them or, to be fundamental, you have to blame the overall modern scientific mind - but when you do so, you can't point at anyone other, because you are into that mind yourself (well, I don't suppose you're an Indian Yogi, are you? ).

This is a popular misunderstanding, caused by a typical western tendency to think in one-dimensional extremes (Boolean XOR). With well designed tools, it is not necessary to be an "expert" to use them powerfully and responsible. In the case of applications, i don't need exactly know HOW it works... i just need to understand the overall underlying meanings and relationships associated with them. I.e. knowing the difference between executable code and media. Knowing that whatever i can do, an application can do as well. Understanding basic stuff about trust. Almost no average user understands ANY of those things! I am not saying that only "geeks" should use computers. I am saying that only people who understand the basic overall principles in computing should use computers. Todays average PC users isn't just "not an expert" - he has no fucking clue about anything... he doesn't even know the difference between data stored on the internet, and data stored on his computer! He is simply a slave which obeys commands which the software gives him. He doesn't observe, doesn't think, doesn't understand, doesn't decide... he is a robot executing commands - an application which will do anything which it is told by anyone and anything.... he is literarily the most insecure application ever developed!

- Lyx

P.S.: From a wider POV, this isn't just an issue with western scientific mentality. It's related to the mentality of the entire society: People do not want to make decisions - they just want to function by letting others decide for them. In this case, the application - ANY application - decides for the user. Have you ever seen such a user getting into a conflict, by multiple apps giving the user contradictory commands? They do not investigate which is right... they don't even ask themselves "whom can i trust?".... they just panic and ask "what am i supposed to do?".

So how should N00bs educate themselves if the word is not spread about what is dangerous and what not? Your remark have a distict "Elite" smell.

I'm hardly a "clueless n00b", but until discovering this, I've always let Windows Media Player grab whatever codecs it wants. As something "integrated" into Windows, I assumed it was going to a trusted Microsoft service (just like I assume Windows Update does), and assumed it was more safe than (hypothetically) downloading an unknown obscure media player, which, IME, have often been buggy, bundled with spyware, and sometimes conflicted with other codecs on my system.

Still, the point of this thread is to inform. I'm now informed that this is a threat, and will warn everyone I know.

It's another plus point to archiving to optical media - the trojan could attack back-up mp3 files on a spare HDD when it was connected to sync; it would struggle to attack those burnt to DVD-R. Shame - I've more or less given up on DVD-R for backup, and will now have to consider it again.

Cheers,
David.

As far as I'm aware, Windows Media Player can only grab codecs from an approved Microsoft site. It cannot get codecs from any site directly. What this trojan does is instruct WMP to open a web browser to the download site. One more step, but an important distinction.

"Not spreading a specific kind of info on THIS platform" != "Not spreading a specific kind of info on ANY platform"

I dont care how sentences "smell" to you. You are responsible for your interpretations.

Ignoring the validity of those statements, there's a useful implied question in this: What to do about this - what are the alternatives?

For videos, i'd say there are at least two app, which are significantly more trustworthy than WMP and which aren't too complicated to use. Both however are not "eye-candy" (no skinned interface).

The first most obvious choice is "Media Player Classic". It uses the codecs on the system and from my experience does not execute active scriptcode in mediafiles. It's interface is also quite easy to use (more easy than WMP i'd say) - but it does not automatically download codecs, nor does it do that manually. It by the way is also capable of playing quicktime and real mediafiles, if you have "quicktime alternative" and "real alternative" installed - though, in my experience the support for those two mediatypes doesn't feel stable (feels like lots of wrapper-hacks).

The second - and in my opinion most interesting alternative, is SMplayer. This is a rather clean and simple frontend to mplayer. The interface is also quite similiar to media player classic. Most settings are also easily accessible. And the best part: It is not dependent on system codecs! It uses its own codecs which - if you add the full package - can play almost everything, INCLUDING quicktime and real stuff! Because of this, there also are no codec conflicts, and you will never need to download codecs (at least not for trustworthy mediafiles). This is a simple and clean mediaplayer which can truely completely replace all other video-mediaplayers on your system. It's two most obvious flaws currently are: If a video crashes, then only the frontend will terminate, leaving a zombie mplayer-process running which needs to be killed via taskmanager. The second main downside is that if you want widescreen stretching of videos (thus, ignoring aspect ratio) then this cannot be done comfortably - you need to add certain switches to the "mplayer commandline options" in the preferences.

I use VLC. I'm not a fan of it, it's just the least bad thing I've found.

FWIW I just tried SMPlayer - it can't deinterlace HDV in real time on my PC (VLC, not known for being fast, can do this easily). It can't play back DV AVI files at all - it just crashes (this must be some obscure bug/interaction because I can't imagine them releasing it with broken DV AVI support knowingly, but everything else on my system can play them!). SMplayer is fine with WMV though - better than VLC (on my system).

I'm not saying Window Media Player is "better" than what you've suggested - by my experience illustrates (and confirms!) finding something "better" can turn into a wild goose chase.

(I already have MediaPlayerClassic and use it for DV at home - it respects DV AVI aspect ratios, which not many other programs do).

Cheers,
David.

Actually Media Player Classic also has own codecs for most formats. Each decoder can be enabled independently.

However, MPlayer is the only program that will play Windows Media formats satisfactory (apart from Windows itself).

Windows Media Classic works well. I would recommend you install ffdshow if you plan on using it though... You can use this one simple application to decode just about any media type; both audio and A/V as well as many other very useful features. I'd recommend everyone check it out.

Sourceforge: ffdshow
JXL

edit: corrected some typos

IME relying on ffdshow for "decoding just about any media type" is hardly a crash-free experience. Maybe I'm unlucky!

Cheers,
David.

I use it primarily for h.264 A/V media in conjunction with the modified windows media classic player and it has always worked well for me.
JXL

Sorry, but this a bit funny. Reminds me of an email I got a few months back, warning me not to open a 'exe' attachment about an undeliverable email.

As Lyx has rightly said, users should be aware of what codecs they are using. If in doubt, thought is needed (i.e. turn brain on temporarily).

Ffdshow can indeed be used for just about every format. And ffmpeg is the only decoder for certain formats (WM/, Sorenson). But the package has no media splitters (demultiplexers). These must be installed separately.

The updated version: http://ffdshow-tryout.sourceforge.net/

about the windows noobines, not entirely users fault, there is absolutely no good documentation about the OS.

Chapter one should be:
1. how to secure your OS

Step 1: Download a real operating system.
Step 2: Install it over your Windows partition.

Step 3: No, i don't need open office and i don't really care about apache and why is my wi-fi not working? Oh yeah somebody will soon compile another kernel that will make that happen..., common (when i really need to play with some 'real oses' i have putty and remote shell account..., but i need to feel a bit masochistic as well.)
edit: some good reading imho http://www.reactos.org/en/about.html
Step 4: Back to unreal os, where some real tools can be run

---

the real error from some real os:
PANIC: CPU 1: Cache Error (unrecoverable - dcache data) Eframe = 0x90000000208cf3b8
NOTICE - cpu 0 didn't dump TLB, may be hung

yeah, that kind of info really makes me happy...

Windows can be made lean, fast and secure (maybe not NT6, yet). But it indeed involes replacing most parts what the user perceives as "Windows". The media player is just one of them. There is also the graphic viewer (WMF bug anyone?), Exploder, Outlook, SMB/NetBIOS, MovieMaker/Sndrec32.

However if you give up Windows completely you're gonna miss some great software. Foobar, Total Commander, IrfanView, EAC... There were complaints about Vista, where buttons were in the wrong places and a couple applications didn't run. Imagine a completely different system, where nothing you are used to works. What's an operating system without programs, programs that you can operate quickly and efficiently?

Windows help is indeed pretty much useless, I agree.

j7n: now somebody will start with 'wine'

Well, I claim I too am able to make Windows XP secure, as it involves creating a non- privileged account and installing an anti-virus-scanner. However, this is not default. This and things like this trojan that infects audio files (via WMA) indicate that Windows is flawed by design. Why make a chapter about securing your OS? Why not ship it secure? I don't get it.
What I was just trying to say is: This (trojan) does only work because Windows has a a big flaw.

both is obviously needed.

Is some other OS was king, I suppose more efforts would be made to undermine its security instead of Windows.

M$' target market is people who don't think. When these people insert a CD-ROM they expect a program launching. And as was said earlier, they trust this program. In NT5 Windows went a step further and offered to play music and videos from that CD-ROM (wasting time to scan it first).

In my opinion a secure OS can't have autoplay enabled. But the user would realize that his CD-ROM suddenly doesn't work! I've heard complaints from users whom I set up computer this way. Of course later USB-stick malware spread, but the computers were immune...

By releasing a secure OS, M$ would have to undo what they worked so carefully to build so far. Software that makes decisions for you.

1. i think that the problem is that there is a large gap between 'chmod 664 oses' and 'my cd won't start oses', that gap OS would nicely cover intermediate user (say a user that wants to write a script or two per month besides clicking around the icons), amiga os comes to my mind....

2. or maybe from a videoguy perspective, say i'am buying more single-task oriented machine, what do i have;

a. win with adobe (+ gazillion small or big OS tools, say avisynth which can save my ass)
b. mac 'that just works'
c. redHat based (overpriced) autodesk smoke* (Why did they pick Red hat, why not opensuse? or ubuntu?)
d. i'am sure there is more
e. non-existant combo of a. b. and c.

3. about silly users, say a user needs to do a decision:

a. i will start gimp and do some really nice photo manipulation, but first i need to spend 3 hours googling to make my graphics card to work properly
b. oh, ok, there is gimp for unreal os as well, and drivers there seem to work just fine
c. i relly like iphone, so the only obvious solution is to be coolish in whole, mac is only logical choice for a real artist.

decisions, decisions...

edit: Darwin would say that the ones with more food will survive, where food is software, what makes things moot is that you have to be sexy as well.

Actually, Microsoft knows pretty well how to ship a secured-by-default OS, but they decided to not ship the consumer OS this way. On the other hand, server versions like win2k3 are way more secured by default. (but note that the win2k3 default config would be totally innapropriate for the casual user)

(and I fully agree that NT5 can be both secured and useable with the proper configuration, which strangely is not the default config)

As I see it, the problem are the users who think that they know "all" about Windows, but it turns out that they know how to install OS and drivers and run keygens and copy cracks for games. Once you start learning about that thingie you work on, you see that there are many things under the hood. A guy I know lost all his important documents because he encrypted them to be green, therefore important, backuped them to external HDD, and reinstalled windows. You know what happened next. And reading about encrypting wasn't the priority, so he didn't ever backuped his encryption keys.

A lot of users use pirated windows which they don't update regularly - leaving unpached security holes. Combine that with "if you are smart and don't run every file you get in the mail, you don't really need firewall and AV" attitude, the disaster is just waiting to happen. You really don't have to run the file - unpatched IE will do that for you.

Windows can be as secure as you make them - and it is up to user to inform him or hrself how to be more secure. You can't know nothing and expect the things work for you, it just doesn't happen that way.

As for this nastyness - well, that happens when you are running OS with Administrative rights. Don't do that. Inform others that it isn't really needed, except for installing drivers, and then you have secondary logon feature (sudo ) for administering system.

Interesting. Please explain to me how IE will run something without me doing anything. (BTW: Since i am "smart", i of course dont have outlook, nor do i use a mail client which uses its engine - same for scripting host, scheduler, addressbook, etc.).

calling users stupid won't really help the situation...., it is helpfull as much as this sing:

IMHO, this is getting ridiculous. You don't go skiing without training. You mustn't drive a car without a license. But most people who buy a PC, a device so powerful so and advanced, and they think they could just use it. Everyone is "studid" when he/she does something for the first time. But most PC users don't try to change that. The results are topics like this one or the W32.Blaster story. If the first version of that worm hadn't been coded so badly, consequences would have been much worse. Most users didn't even know that this behaviour was caused by a virus, that it could be aborted with shutdown -a, and that a patch from MS, that had been out for quite some time when Blaster was recent, existed.

Probably depends on how one defines "stupidity/intelligence". I wouldn't call "non-experience" stupidity, nor would i call "experience" intelligence. Stupdity/intelligence IMO is the mindset how one approaches issues, how one deals with information, etc....... in this context, i wouldn't call the lack of experience, knowledge and understanding of most users "stupid" but instead the unwilligness to gain enough of those properties to use computers efficiently and self-responsible. Not having the required understanding to use computers, and consequently not using computers, isn't stupid - it's reasonable. But not having that understanding, yet still using them, is.

Haiku, for example.

An open clone of BeOS, the OS optimized for digital media work and was written to take advantage of modern hardware facilities such as symmetric multiprocessing by utilizing modular I/O bandwidth, pervasive multithreading, preemptive multitasking and a custom 64-bit journaling file system known as BFS.

Well yes. Why miss out ? because EAC, Burrnnn, irfan and Foobar work near flawless under wine. Even if an app doesn't play nice then some VM solution will do it - running windows vm inside your OS of choice. You could even setup some terminal server and have any OS run the apps as a thin client.

There is a difference between cars and computers. If you make mistakes while driving a car you can kill yourself or kill others but nobody will died if you make a mistake while using a computer.

Well, Foobar 2k might work under Wine but the audio stack the data needs to pass is not as clear as under Windows. If I set 192kHz/24bit resampling to output I don't have much confidence that it reaches the soundcard's DAC without conversion.Well, it probably won't cost someone's life but letting your computer zombified in hands of a hacker might cause considerable damage (thousands+ of $$). And the fact that court probably won't make you liable for the damage (it is that nasty virus' fault, right?) doesn't help it either. If you were responsible for what your computer does, it will force people to more responsibility and more caring about their own computer's safety.
The car analogy is not a nonsense.

Actually yes, That myspace mommy who created a fake profile which lead to a teen girls death.

Arguably that was done with malicious intent rather than a user error affecting only their PC.

a. you are saying that 'advanced' equals 'good'?
b. you are saying that 'advanced' equals 'powerful'?

p.s. And yes, i know that kind of thinking is quite modern/politically correct, but how about your own opinion?