BearShare Forums  


BearShare Open Discussion Open topic discussion for BearShare users

Preview this popular software (BearShare Beta v5 "Download")


  #11 (permalink)  
Old May 26th, 2001
BearShare Developer
 
Join Date: May 25th, 2001
Posts: 163
Vinnie is flying high
Default Tard

wanker or yanker or whatever, that post was copied from BearShare.Net
Reply With Quote
  #12 (permalink)  
Old May 26th, 2001
Administrator
 
Join Date: May 28th, 2000
Posts: 894
CycloCide is flying high
Default Re: Who is this?

Quote:
Originally posted by Yanker
What happened to the finger flipping, threatening person who has slammed everyone who doesn't do what he wants?
I asked him to tone it down, and I'd appreciate it if the rest of you did too.
Reply With Quote
  #13 (permalink)  
Old May 27th, 2001
Serious
Guest
 
Posts: n/a
Exclamation Hacking packets

So let's see what we could do with an encrypted control packet if I was "in control".

I could send out a command that would:
- erase your hard drive
- remove my program because I am mad at everyone
- stop use of my program because I am not getting any $$ from some lame spyware company I signed up with like an idiot
- stop use of my program because I don't like you (ID via IP address)
- make it go and download a "plug in", but oops! I had a virus in that plug in so everyone on the network gets infected all at once, oh well! Read the EULA!
- erase your hard drive because you posted something against me on my forum
- erase your hard drive because you run another more popular client and I don't like losing control
- erase your hard drive because I just haven't grown up yet and think it's fun
- be clever and throw a few random bytes in a random number of downloads you have done just to drive you crazy, because I don't like you
- turn on a packet blasting sending thing that floods the network because lamewire 2.3.5 doesn't do what I wanted it to do, if I can't have it, no one will!
- send all your addressbook entries to the RIAA for personal identification along with a list of all the mp3 files on your system, drive C and D and E and....
- send out yourname@cookie.txt files so everyone knows who you are (note: already implemented in this version)
- turn your house lights on and off randomly via any connected X10 remote I can identify
- hang up and dial 911 over and over all day
- hang up and dial 1-900-bear-income over and over so I get paid
- hang up and dial the DOD computer over and over with a script that looks like you are trying to hack into DOD secrets, you get arrested and so I now don't have you posting complaints about my spyware
- email everyone you know and tell them they are a jerk and you never want to talk to them again
- email important people and make threats
- send any PGP private keys to me so I can black mail you
- anything I want to, whenever I want to because I like having total and complete control, trust me

WE DON'T KNOW WHAT THESE PACKETS DO!

Encrypted, closed control packets are a bad idea. What will it take for newbie programmers to wake up? How much political pressure does it take to get through a thick skull? After this, what's next?

Now think what I could do with this information if I was a hacker and de-compiled the software so I could make up my own packets and send them out over the network! Not that hard to do.

All Gnutella clients need to be open source!

Don't trust any client that isn't open source!

TRUST NO ONE!
Reply With Quote
  #14 (permalink)  
Old May 27th, 2001
Unregistered
Guest
 
Posts: n/a
Default You have to trust someone

>WE DON'T KNOW WHAT THESE PACKETS DO!

Actually, we do. Well, sort of. We know what Vinnie says the packets do. And his explanation seems perfectly reasonable. Tell me, how would YOU handle update notifications without encryption? Better yet, how would you do so SECURELY?

>Now think what I could do with this information if I was a hacker
>and de-compiled the software so I could make up my own
>packets and send them out over the network! Not that hard to
>do.

The most you could do would be to spoof a higher version number and maybe screw around with the horizon statistics. At least you would have to work to do it.

As for open source clients, would you examine every line of code before compiling the client yourself? Did you examine the compiler code to be sure that it's not introducing rogue instructions? Have you examined your processor's hardware to make sure that every machine instruction is executed as planned, and there isn't some "erase hard drive" instruction lurking in there somewhere? If not, you'd have to trust SOMEONE.

And really, any of the possibilities you mentioned would spell disaster for Vinnie. Would probably get him into a whole HEAP of legal trouble as well. Would also alienate his user base. None of these would be in his self interest. You may not like his attitude, but even you would have to admit that he's not THAT much of an idiot.
Reply With Quote
  #15 (permalink)  
Old May 27th, 2001
Unregistered
Guest
 
Posts: n/a
Wink Stupid is as stupid does.

I'm still trying to figure out what that means.
Reply With Quote
  #16 (permalink)  
Old May 27th, 2001
Unregistered
Guest
 
Posts: n/a
Question

What I don't get...

I installed Bearshare about two months ago and cannot remember any mention of installing three other programs on my system during the install process ??

Do these programs sit in memory waiting for web browser activity?

I use my internet connection for more than surfing and file sharing and I need every nano of performance I get when I'm hooked up to the on-line gaming servers!

Do these programs run even if I don't use my web browser or p2p sharing, but I still have my connection active ?

Now I'm really confused.
Reply With Quote
  #17 (permalink)  
Old May 28th, 2001
Novicius
 
Join Date: May 25th, 2001
Posts: 4
Wonko is flying high
Default Re: You have to trust someone

Originally posted by Unregistered
>WE DON'T KNOW WHAT THESE PACKETS DO!

Quote:
Actually, we do. Well, sort of. We know what Vinnie says the packets do. And his explanation seems perfectly reasonable. Tell me, how would YOU handle update notifications without encryption? Better yet, how would you do so SECURELY?
I wouldn't make them fully distributed. Either use a pre-determined central server the servent knows about (Problematic for obvious reasons) or with public-key cryptography.

Quote:
>Now think what I could do with this information if I was a hacker
>and de-compiled the software so I could make up my own
>packets and send them out over the network! Not that hard to
>do.

The most you could do would be to spoof a higher version number and maybe screw around with the horizon statistics. At least you would have to work to do it.
It's an issue of trust. Do you trust Vinnie? After the OnFlow faux pas, I don't.

Quote:
As for open source clients, would you examine every line of code before compiling the client yourself? Did you examine the compiler code to be sure that it's not introducing rogue instructions? Have you examined your processor's hardware to make sure that every machine instruction is executed as planned, and there isn't some "erase hard drive" instruction lurking in there somewhere? If not, you'd have to trust SOMEONE.
Of course. But I trust the open source community more than I trust Vinnie, for instance.

Quote:
And really, any of the possibilities you mentioned would spell disaster for Vinnie. Would probably get him into a whole HEAP of legal trouble as well. Would also alienate his user base. None of these would be in his self interest. You may not like his attitude, but even you would have to admit that he's not THAT much of an idiot.
He doesn't seem to care too much about alienating his current userbase. At least the part of it that actually cares about anything but the download rates. And why's that? Because that part is a) small, and b) vocal. And can cause him no end of trouble. The less attention people like that pay to BearShare, the better. What he (Like any p2p developer, actually, but that's beside the point) is after is the Napster hordes. And they are hardly bothered by a lot of the nasty stuff he can do. Or unable to connect it with him. Or both.
Reply With Quote
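
Added example, not part of the thread and not BearShare's code: the public-key option raised in post #17, sketched in Go with Ed25519 signatures (the post names no scheme). The packet layout, the names `Notice`, `Sign`, `Verify` and `Demo`, and the keys and URLs are assumptions constructed for illustration; the point is that a client holding only the public key can check a notice relayed by untrusted peers, and that extracting that key from the client does not let anyone sign one.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"encoding/binary"
	"fmt"
)

// Notice is a hypothetical update notification; the wire layout assumed here
// is a 4-byte version, the URL, then a 64-byte signature over both.
type Notice struct {
	Version uint32
	URL     string
}

// Sign runs only on the publisher's machine; priv never ships in the client.
func Sign(priv ed25519.PrivateKey, n Notice) []byte {
	body := make([]byte, 4, 4+len(n.URL)+ed25519.SignatureSize)
	binary.BigEndian.PutUint32(body, n.Version)
	body = append(body, n.URL...)
	return append(body, ed25519.Sign(priv, body)...)
}

// Verify runs in every client, which holds only the public key.
func Verify(pub ed25519.PublicKey, current uint32, pkt []byte) (Notice, bool) {
	split := len(pkt) - ed25519.SignatureSize
	if split < 4 || !ed25519.Verify(pub, pkt[:split], pkt[split:]) {
		return Notice{}, false // truncated, forged, or altered in transit
	}
	n := Notice{binary.BigEndian.Uint32(pkt), string(pkt[4:split])}
	return n, n.Version > current // an old, genuinely signed notice is a replay
}

// Demo uses constructed keys and packets; true means the client accepted.
func Demo() (genuine, forged, tampered, replayed bool) {
	key := func(b byte) ed25519.PrivateKey { return ed25519.NewKeyFromSeed(bytes.Repeat([]byte{b}, ed25519.SeedSize)) }
	priv := key(0x42) // publisher's key (constructed)
	pub := priv.Public().(ed25519.PublicKey)
	ok := func(cur uint32, p []byte) bool { _, good := Verify(pub, cur, p); return good }
	pkt := Sign(priv, Notice{5, "https://updates.example/v5"})
	genuine, replayed = ok(4, pkt), ok(5, pkt)
	forged = ok(4, Sign(key(0x13), Notice{99, "https://updates.example/v99"})) // signed with some other key
	pkt[3] ^= 1 // a relaying peer changes the version field
	tampered = ok(4, pkt)
	return
}

func main() { fmt.Println(Demo()) }
```

The notice itself stays readable on the wire, so anyone can inspect what a packet says; only the ability to issue one is restricted.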