Kuro5hin.org: technology and culture, from the trenches
Creative Labs spying ... and now this?

By BillX in Internet
Fri Jun 29, 2001 at 03:01:49 AM EST
Tags: Security

Having spyware installed on my system is bad enough. Having it installed by legitimately paid-for hardware is worse. But having it compromise my system for malicious hackers...now that's just unacceptable.


Remember the recent news about spyware programs coming with Creative Labs products? Brace yourselves, it gets worse. Seems at least one of the servers that the spyware "phones home" to--http://tg.creativeinspire.com--is infected with the Sadmind/IIS worm. This worm infects Solaris systems and Microsoft IIS, cracking root privileges on the server, changing the homepage, then trying to spread itself to other servers.

Connecting to the server listed using a Web browser returns the following message, which will display in MS Internet Explorer and some other browsers:

--
fuck CHINA Government
fuck PoizonBOx
contact:sysadmcn@yahoo.com.cn
--

In short, Creative's NewsUpd.exe spyware is now connecting thousands (or many more) blissfully unsuspecting users to a compromised server. The truly disturbing part is if the following two conditions are met:

  1. The worm has opened a 'backdoor' on the compromised server, allowing a third party access to the root privileges it has obtained
  2. The spyware program that contacts this server has an AutoUpdate capability

then this third party could in practice compromise every internet user that has the spyware running on their machine. The third party would be able to execute arbitrary code on these users' systems, installing any software or Trojan horses, or even turning their PCs into "zombies" for use in distributed denial-of-service attacks.

In this particular case condition (1) is met, as the same vulnerability used by the Sadmind worm to break into the system can be used by any malicious user. However, I have no information as to whether NewsUpd.exe possesses AutoUpdate capabilities.

AutoUpdate capabilities have increasingly become a standard feature in spyware programs. The idea behind this feature is that the spyware vendor can update the program remotely, without making the user download any new files. Instead, the spyware periodically checks for updates and downloads them as they become available.

But if the vendor's server comes under the control of a malicious third party, this party can send updates as well.

It would work like this:

1) The third party places an executable file, containing malicious payload, on the server

2) The third party instructs the client software to download and run the file using an AutoUpdate feature built into the software. This is typically accomplished by adding the proper directive to a file on the server, which the software periodically checks for instructions

3) The malicious "update" is then downloaded and executed on the user's PC.

The hostile takeover of Creative's server hammers home an important lesson about the hazards of spyware. This has got to stop! You would be amazed how many hidden spyware programs are tucked away in the software we download--or even buy off the shelf. Now it appears they have the power to do more than send private information OUT of your PC. They can be used to send malicious payloads IN as well.
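
Added example, not part of the original article and not Creative's code: an update check that refuses the malicious "update" of steps 1 to 3 when only the web server is compromised, using the cryptographic signing raised in the comments below. The manifest format, the function names and the demo RSA key are assumptions made for illustration, and the check against replayed old releases goes beyond the case the article describes.

```python
import hashlib
import hmac
import json

# Constructed demo key: the primes are the public Mersenne primes 2**521-1 and
# 2**607-1, so anyone can factor N. It exists only so the example runs offline
# with the standard library.
_P, _Q = 2**521 - 1, 2**607 - 1
N, E = _P * _Q, 65537                   # public key, pinned inside the client
_D = pow(E, -1, (_P - 1) * (_Q - 1))    # private key, kept off the update server
K = (N.bit_length() + 7) // 8           # modulus length in bytes

# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2)
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")


def _encode(message: bytes) -> bytes:
    """EMSA-PKCS1-v1_5 encoding of SHA-256(message), K bytes long."""
    t = SHA256_PREFIX + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t


def vendor_sign(manifest: bytes) -> bytes:
    """Vendor side: runs on the signing machine, not on the update server."""
    m = int.from_bytes(_encode(manifest), "big")
    return pow(m, _D, N).to_bytes(K, "big")


def signature_ok(manifest: bytes, signature: bytes) -> bool:
    """Client side: RSA PKCS#1 v1.5 verification against the pinned key."""
    if len(signature) != K:
        return False
    s = int.from_bytes(signature, "big")
    if s >= N:
        return False
    recovered = pow(s, E, N).to_bytes(K, "big")
    return hmac.compare_digest(recovered, _encode(manifest))


def make_release(version: int, payload: bytes):
    """Vendor side: the manifest binds a version number to the payload hash."""
    manifest = json.dumps(
        {"version": version, "sha256": hashlib.sha256(payload).hexdigest()},
        sort_keys=True,
    ).encode()
    return manifest, vendor_sign(manifest), payload


def check_update(installed: int, manifest: bytes, signature: bytes,
                 payload: bytes) -> str:
    """Client side: return "install" or the reason the download is refused."""
    if not signature_ok(manifest, signature):
        return "refuse: manifest signature invalid"
    meta = json.loads(manifest)          # parsed only after the signature checks out
    if hashlib.sha256(payload).hexdigest() != meta["sha256"]:
        return "refuse: payload does not match signed hash"
    if meta["version"] <= installed:
        return "refuse: not newer than installed version"
    return "install"


def demo() -> dict:
    """Run the checks over constructed releases and tampered downloads."""
    installed = 3
    old = make_release(3, b"update build 3 (constructed)")
    good = make_release(4, b"update build 4 (constructed)")
    evil = b"replacement executable (constructed)"
    # Manifest rewritten on the server to match the swapped file; the party
    # controlling the server has no private key, so it reuses an old signature.
    forged = json.dumps(
        {"version": 5, "sha256": hashlib.sha256(evil).hexdigest()},
        sort_keys=True,
    ).encode()
    return {
        "genuine release": check_update(installed, *good),
        "payload swapped on server": check_update(installed, good[0], good[1], evil),
        "manifest rewritten on server": check_update(installed, forged, good[1], evil),
        "old release replayed": check_update(installed, *old),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

The check only helps if the private key never sits on the machine that serves the updates; a real client would use a vetted signature library with a full-strength key rather than the hand-rolled verification used here to stay dependency-free.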

Creative Labs spying ... and now this? | 68 comments (67 topical, 1 editorial, 0 hidden)
Convenience vs. Security (3.76 / 13) (#1)
by ToneHog on Fri Jun 29, 2001 at 12:14:16 AM EST

Many software packages and hardware driver packages (nowadays more "bell and whistle" software than drivers) are taking up this trend.

This could be a very dangerous feature to put in said software. Common users aren't going to care about having much control over their systems, and most likely will welcome the automatic update of their systems. They most likely won't care about the security issues the software has until they experience the ramifications first-hand.

Companies surely won't be too concerned about these issues. The EULA for the software and drivers will have a solid boilerplate to prevent them from getting sued, so why should they care?

I'm firm on my standpoint about "network pollution." I want as little as possible. We've got enough bandwidth issues as it is, and it seems corporations aren't taking this into account when they write this software. Perhaps the EPA should have a TCP/IP branch? ;)
Breeze,
TH

you know. (4.70 / 10) (#9)
by QuantumG on Fri Jun 29, 2001 at 03:28:17 AM EST

Autoupdate can be secure. Cryptographic signing, not exactly hard. Yer, the vendor has to protect the private key, woo, big deal, there's these things called "smart cards" which make it so you have to have physical access to "steal" the key. Yes. That means they would have to break into Creative to "hack" people. Shya. We all know how to protect physical objects. You ain't going to see any Tom Cruise hangin' from the ceiling shit from the people who lurk on bugtraq.

Gun fire is the sound of freedom.
[ Parent ]
"smart cards" aren't. (5.00 / 1) (#51)
by ellF on Mon Jul 02, 2001 at 09:49:23 AM EST

up to this point, no smart card has been released which has offered any sort of real security. in essence, the idea that a piece of hardware sending a certain electrical pattern offers security is flawed - those patterns can be generated, the software looking for the presence of the card can be fooled, etc.

smart cards are interesting, sure - take a look at a few of the advisories released by kingpin (@stake/l0pht hardware guy) on smart cards:


what needs to be kept in mind is that smart cards are no panacea. it is a myth propagated by the vendors of these devices that you need physical access to the card to obtain the data it "protects" - physical presence of a hardware device is simply another step in a process of security. if one offers a criminal of sufficient motive and talent a system of distributing whatever software they like to all of a company's customers, one should not expect that said criminal will not go to great lengths to exploit that opportunity. the notion of the bored 13 year old controlling massive DOS attacks, even in light of steve gibson's writeup on his experience with such (which stands as "the" DOS attack most people are currently familiar with, and is a case where a teenager wreaked havoc), is generally a false one. what deters a child - such as a hardware token - will not necessarily deter a dedicated team of hackers who have illegal goals.



[ Parent ]
People who care. (4.75 / 4) (#35)
by gromm on Fri Jun 29, 2001 at 07:17:58 PM EST

They most likely won't care about the security issues the software has until they experience the ramifications first-hand.

Except that when your computer has been turned into a zombie, no one gives a tinker's damn. All the user would notice is that all available bandwidth is being used during a DOS attack, and more likely than not they're just going to complain to their technical support about how "their internet is slow", who furthermore wouldn't know jack about what's going on. (your ping times are fine, and there's nothing wrong with the network!) Even if the user actually manages to find out that their computer is being used in a DOS attack, they're not in the least bit liable. After all, it was the 13 year old who is controlling it that's at fault. The end user knows little more than how to check their e-mail, so you certainly can't expect them to make sure their computer is secure from such attacks. At most, you'd get a whiny "why does this always happen to me?!" in response to being repeatedly compromised. Basically, people don't care enough, and I highly doubt they ever will, because for the past 6 years, people have been reminded again and again that stupid passwords are sitting ducks, yet most passwords are easily cracked even today.
Deus ex frigerifero
[ Parent ]

Another Source? (2.66 / 12) (#2)
by duxup on Fri Jun 29, 2001 at 01:22:37 AM EST

Please correct me if I'm missing some important information here. This is what I thought when I read the article.

Ok I see Creative's spyware (that's a bummer). I see the worm. However, other than your accusation I'm not seeing a connection, other than your claim that creative's software is infected. Is there another source (at the time I'm posting there doesn't appear to be one) you can cite to show that the software is infected with this worm?

Visit that server (or rather not as it's infected) (4.75 / 8) (#5)
by Ordieth on Fri Jun 29, 2001 at 02:32:39 AM EST

If you visit http://tg.creativeinspire.com/ (at least with IE5.5) then you will quickly find that it is indeed infected as was said in the article, in fact I'd probably recommend not visiting it unless you have some AV/Personal firewall software running.

When I visited just now there was a black webpage with big red text saying

fuck CHINA Government
fuck PoizonBOx
contact:sysadmcn@yahoo.com.cn
and NAV popped up a dialog saying that it has detected the Backdoor.Sadmind.Dr virus in my Browser's Cache!



[ Parent ]
AV/personal firewall? (3.66 / 6) (#11)
by delmoi on Fri Jun 29, 2001 at 03:46:49 AM EST

A firewall won't do anything, and you can't get viruses by visiting web pages (Although I suppose that if you were running an insecure version of IIS on your box it could propagate...)
--
"'argumentation' is not a word, idiot." -- thelizman
[ Parent ]
maybe not *that* virus (4.80 / 5) (#12)
by QuantumG on Fri Jun 29, 2001 at 03:52:20 AM EST

But if you are using IE (and if you're on a windoze box you probably are) then it is well known that IE can be made to execute arbitrary code without user intervention. Upgrading your browser will give you some protection from the publicly known stuff but there is only one way to protect yourself from the zero day stuff and that is to not use IE -- it is likely to be the target of any browser utilizing worm.

Gun fire is the sound of freedom.
[ Parent ]
Yeah OK then. (4.00 / 4) (#15)
by Ordieth on Fri Jun 29, 2001 at 04:05:47 AM EST

I'll admit that the firewall wouldn't do anything to that webpage, and that the AV software was just Hyping it up given that this is the source of the webpage

<html><body bgcolor=black><br><br><br><br><br><br><table width=100%><td><p align="center"><font size=7 color=red>fuck CHINA Government</font><tr><td><p align="center"><font size=7 color=red>fuck PoizonBOx<tr><td><p align="center"><font size=4 color=red>contact:sysadmcn@yahoo.com.cn</html>

but I would not explicitly trust that a webpage

  1. could launch an attack on my PC (php4 has got a sockets API)
  2. potentially execute arbitrary code on my PC given the insecurity of IE



[ Parent ]
Just go to the page (4.28 / 7) (#10)
by delmoi on Fri Jun 29, 2001 at 03:44:19 AM EST

If you hit the creative server you can see that it's been infected, unless creative decided it hated the Chinese government and poisonbox (a strange position to take for a company in Singapore)

The server is obviously compromised, and its website has been defaced.
--
"'argumentation' is not a word, idiot." -- thelizman
[ Parent ]
Software might be infected, might not. (3.00 / 2) (#33)
by 0xA on Fri Jun 29, 2001 at 06:47:28 PM EST

Creative's binaries might be infected, they might not. I would guess not, this worm is automated, the guy who unleashed it probably doesn't know he got this server. On the other hand how the hell are you supposed to *TRUST* that it's not? This is actually pretty scary stuff. In this case I'm not very worried, but what if somebody with some brains cracked that box and patched the binaries? Imagine that, no page defacement, logs cleaned up. If Creative's security team couldn't patch this hole, how do I trust that they'll find the traces of a skilled, careful cracker. You can do your best to train people about email attachments but how do you explain to the average person that their sound card software exposes them to this kind of risk? I will never buy something from Creative again. I was annoyed with the amount of crap I had to go through to remove the brain dead stuff that came with my SB Live! as it was. Now I'm just disgusted.

[ Parent ]
Software might be infected, might not v2. (4.80 / 5) (#34)
by 0xA on Fri Jun 29, 2001 at 06:49:04 PM EST

Damn, I forgot to preview.....

Creative's binaries might be infected, they might not. I would guess not, this worm is automated, the guy who unleashed it probably doesn't know he got this server.

On the other hand how the hell are you supposed to *TRUST* that it's not?

This is actually pretty scary stuff. In this case I'm not very worried, but what if somebody with some brains cracked that box and patched the binaries? Imagine that, no page defacement, logs cleaned up. If Creative's security team couldn't patch this hole, how do I trust that they'll find the traces of a skilled, careful cracker.

You can do your best to train people about email attachments but how do you explain to the average person that their sound card software exposes them to this kind of risk?

I will never buy something from Creative again. I was annoyed with the amount of crap I had to go through to remove the brain dead stuff that came with my SB Live! as it was. Now I'm just disgusted.

[ Parent ]
solution.... (3.83 / 12) (#4)
by univgeek on Fri Jun 29, 2001 at 02:15:09 AM EST

A) Use some OS which does not need creative drivers.
B) Else - Use a good firewall like ZoneAlarm (free).
C) Use a firewall anyway :-)


Arguing with an Electrical Engineer is like wrestling with a pig in mud, after a while you realise the pig is enjoying it!

he-he... (2.25 / 8) (#6)
by silpol on Fri Jun 29, 2001 at 03:03:20 AM EST

The very use of firewalls in this particular case is stupid - it is merely the same as putting a strong armored door in a wooden house ;) If a beast is inside of the stronghold, the use of firewall doesn't have a serious value just because of virtual transparency of firewall from inside of network.

[ Parent ]
transparent firewalls (4.28 / 7) (#7)
by QuantumG on Fri Jun 29, 2001 at 03:06:40 AM EST

are a god send for blackhats. Woo, I can't connect in? no problem, I'll just send you a trojan and get you to connect out. It's not like it isn't trivial to put a proxy on your firewall box that is only bound to the localnet. Then you know exactly what your machines are connecting to and what is trying to connect to you.

Gun fire is the sound of freedom.
[ Parent ]
zonealarm protects the inside too...? (4.25 / 8) (#13)
by tekk on Fri Jun 29, 2001 at 03:53:50 AM EST

I might be wrong, but when a program requests connection to the network, Zone Alarm asks you if you allow it. It goes for any program you run and you allow access by executable internal name. Wouldn't this stop this worm?
-- [tek.] a brand new way to peel an orange.
[ Parent ]
zonealarm is not a firewall (3.33 / 6) (#16)
by QuantumG on Fri Jun 29, 2001 at 04:19:50 AM EST

yer, we were talking about real firewalls, you know machines that gateway your network and do packet filtering? Toy programs like zonealarm will be detected by any half decent worm and disabled.

Gun fire is the sound of freedom.
[ Parent ]
in defense of zonealarm (4.25 / 4) (#18)
by ellF on Fri Jun 29, 2001 at 08:28:15 AM EST

i'm no *huge* fan of zonealarm, but...

Toy programs like zonealarm will be detected by any half decent worm and disabled

most worms aren't "half decent" - and to the best of my knowledge (I've not hung my Security Professional shingle in about 6 months), no malicious code has yet been encountered that in any way interacts with zonealarm.

also: even in a network that has a border firewall, it makes a good deal of sense to install a software-based firewall (like zonealarm) on all of the internal win32 machines. as a few other posts have mentioned, zonealarm checks all outgoing packets and prompts as to whether or not the sending program should be allowed - something that only *might* get caught by the border hardware system.

one of the maxims i developed whilst doing this professionally seems to ring true here: effective redundancy is one of the keys to effective security.



[ Parent ]
Not to mention the obvious ... (3.80 / 5) (#20)
by magullo on Fri Jun 29, 2001 at 09:06:56 AM EST

Don't expect many surfers to install a dedicated computer to act as a firewall to their home (cable/dial up/DSL) connection.

[ Parent ]
And even more obvious is (3.83 / 6) (#21)
by Tim C on Fri Jun 29, 2001 at 09:09:34 AM EST

...that most can't afford to.

Yeah, I know if I hunted around, I could probably pick up an old 486/Pentium box for next to nothing, but with a mortgage, a car, a kid and a partner to support, I can't even afford next to nothing :)

Cheers,

Tim

[ Parent ]
RE: zonealarm is not a firewall (4.66 / 3) (#25)
by Shimmer on Fri Jun 29, 2001 at 09:49:14 AM EST

Correct me if I'm wrong, but under Win2K the ZoneAlarm "True Vector" filter runs as a service. This means that a program lacking administrator privileges can't disable it (even if it manages to turn off the ZoneAlarm GUI).

This assumes, of course, that your everyday Win2K account has no admin privs (this is how I work) and that the "worm" runs under this account. If so, you're safe.

-- Brian

Wizard needs food badly.
[ Parent ]
The term firewall is too vague. (4.00 / 3) (#27)
by theboz on Fri Jun 29, 2001 at 10:09:45 AM EST

Is a firewall a standalone box? Is it a software application? What is it? The term firewall is used to describe a lot of different things. In my opinion, ZoneAlarm is a type of firewall that resides locally on the person's machine. I wish there were better words to describe the various types because ZoneAlarm is nothing like a Pix Firewall, etc.

To address your comment about the half-decent worms disabling it, ZoneAlarm seems to run like a Service on NT so only if it already has administrator access (and if so, you're already screwed) can it disable it.

As far as on Windows 9x/ME it runs in the tray, but if you try to do the windows equivalent of a kill -9 on it (I use a program called winkill) it will still prompt you to make sure you want to close it. Obviously, there is nothing that will fully protect you, but having that, a virus scanner, and maybe a gui netstat-like application is fairly good. Although it's not difficult to keep a MS-DOS window open and type "netstat 30" either.

Stuff.
[ Parent ]

What would be reasonably amusing... (4.25 / 4) (#22)
by Nurgled on Fri Jun 29, 2001 at 09:14:08 AM EST

Is if one of these backdoor/trojan programs had their name set to "mIRC Internet Relay Chat Client" or "Personal Web Server", or even... "Internet Explorer". I wonder how many Joe Blow users would twig as to what's going on then...



[ Parent ]
The information it gives you should clue you in. (4.00 / 3) (#26)
by theboz on Fri Jun 29, 2001 at 10:02:49 AM EST

ZoneAlarm tells you the path that the file is located on, so in this case it would have to overwrite the previous .exe in which case you would know there's a problem when you try to load mIRC and nothing happens...or, if it appears that mIRC tries to load itself, you would notice something wrong.

Of course, there is no substitute for the ability to think, so we can never truly fix the problems on the internet since most of the users are gullible morons.

Stuff.
[ Parent ]

It's easy to make a path look valid (4.66 / 6) (#28)
by keenan on Fri Jun 29, 2001 at 10:55:56 AM EST

What if the executable name was 'Internet Explorer' and the path was 'C:\Program Files\Internet Explorer\ie.exe' for example. I'm sure a lot of people looking at that would assume it's a valid exe, even though the real exe is iexplore.exe. People might question why IE would need access again, but it's likely this would go unnoticed.

Or, for another example, how about 'Zone Alarm' and 'C:\Program Files\ZoneAlarm\zonealarm.exe' (where the real path in a default install is 'C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe'.)


[ Parent ]
ZoneAlarm uses a cryptographic hash... (4.00 / 4) (#29)
by aziegler on Fri Jun 29, 2001 at 11:13:07 AM EST

ZA uses a crypto-hash as well as the full pathname and filename of the file to identify. It requires that you 'recertify' an application when you upgrade it.

[ Parent ]
Missing the point (4.50 / 6) (#30)
by simon farnz on Fri Jun 29, 2001 at 11:25:50 AM EST

The idea here is not to replace an existing app, but to add a new app that appears to Joe User as a legitimate app; ideally it would run at the same time as the legit one, and confuse the user into certifying it.
--
If guns are outlawed, only outlaws have guns
[ Parent ]
Good point (4.50 / 4) (#31)
by Steeltoe on Fri Jun 29, 2001 at 01:58:17 PM EST

A hole is a hole is a hole, no matter what firewalls and whatnot you have. A gullible user is still a gullible user. There is never a final word in a war.

- Steeltoe
Explore the Art of Living

[ Parent ]
I think you haven't *used* zonealarm. (4.85 / 7) (#14)
by ti dave on Fri Jun 29, 2001 at 03:58:25 AM EST

Since if you had, you would know that it can be configured to block/pass any traffic on your LAN/Intranet/Whatever, as well as Internet bound traffic. It also allows intuitive approve/deny policies for trojans attempting to establish an outbound connection.
I've caught several spyware trojans attempting to "phone home" since I installed it.
hell, I even caught Windows Explorer trying to establish a connection, and I put the Smackdown on that crap pronto...

www.zonelabs.com

Cheers,

ti dave
"If you dial," Iran said, eyes open and watching, "for greater venom, then I'll dial the same."

[ Parent ]
Spy app disables hardware? (4.20 / 5) (#17)
by Iam on Fri Jun 29, 2001 at 07:50:40 AM EST

Let's say I have a Creative Lab CD-ROM. Let's also say that I insert a CD that contains copyrighted material (The Matrix VCD). Could it be possible that this spy app recognizes the content and disables my hardware. ...or is it just a really bad coincidence that my CD-ROM fried a few days before this story came out.

[ Parent ]
ZoneAlarm? Momma NO! (4.42 / 7) (#41)
by Legolas on Sat Jun 30, 2001 at 03:06:01 PM EST

Actually, based on my experience, ZoneAlarm isn't a very good firewall by any stretch of the imagination. It's pretty bloaty, and inflexible.

What I use on my Win9x boxes is a product called "Tiny Personal Firewall". I find it better, because it's much smaller and much more powerful. You can set rules based on incoming/outgoing packets to ports, programs, IPs, etc., it has a realtime rule update system, keeps MD5 hashes of the program you're using, you can monitor connections, set up ICMP rules, and a lot more. And it's free.

My brother set up a page on setting up Tiny Personal Firewall, which has the link to get the free download, screenshots, and instructions on setting it up.

Again, I highly recommend using this firewall. We use it on all of our Win9x boxes, and it runs very well.

--Legolas Greenleaf

[ Parent ]
needed Accountability (3.78 / 14) (#8)
by QuantumG on Fri Jun 29, 2001 at 03:13:57 AM EST

Marcus J. Ranum is famous for saying many inflammatory things about the security industry and "full disclosure" including this one:

In moments of idle daydreaming I imagine how fun it would be to ask a judge to issue a restraining order blocking the release of some new version of a major product that was known to contain fundamental security flaws. - from here

His keynote at the BlackHat Briefings 2000 is littered with disses to half the people in the room. He's a man who says what he thinks.

Gun fire is the sound of freedom.
um... WHOIS -- creativeinspire.com (1.52 / 25) (#19)
by freq on Fri Jun 29, 2001 at 09:04:14 AM EST

yhbt. This domain isn't in any way related to creative labs. duh...

Registrant:
Creative Technology Limited (CREATIVEINSPIRE-DOM)
31 International Business ParkSingapore
609921,
SG

Domain Name: CREATIVEINSPIRE.COM

Administrative Contact:
Koh, Cher Wen (CWK21) cwkoh@CREATIVEINSPIRE.COM
Creative Technology Ltd
31 International Business Park
Creative Resource
Singapore 609921,
SG
(65)8954464 (FAX) (65)5698327

"Tension is the great integrity" -R. Buckminster Fuller
Re: um... WHOIS -- creativeinspire.com (4.75 / 12) (#23)
by CrimsonDeath on Fri Jun 29, 2001 at 09:41:51 AM EST

Um ... Creative Labs is actually a company from Singapore, and it's legally called 'Creative Technology Limited' http://asia.creative.com/jobs/hq.html

[ Parent ]
That IS Creative Labs! (4.72 / 11) (#24)
by demon on Fri Jun 29, 2001 at 09:45:04 AM EST

Creative Technology Ltd. is the parent company to Creative Labs. The name "Creative Technology Ltd." is stamped in the docs for my DVD kit and soundcard (both from Creative).

[ Parent ]
Product registration: be careful... (3.60 / 5) (#32)
by sto0 on Fri Jun 29, 2001 at 04:53:05 PM EST

Why is it that personal privacy is so compromised? From applications like this to other rather dodgy libraries which come with applications like CuteFTP, every company seems to be out to get your personal data. Windows programs usually come with an automatic "register product"-type box when they are installed. I know that I'm sensible enough to never fill them in with information (i.e. attempt to skip registration), but many people who are not so involved with computers and the computing world in general may well not know any better.

I'm not saying that all product registration is malicious. What we need to do is educate users as to the risks of entering personal data into any old shareware/freeware/licenseware program. So many programs want this kind of information, and due to the fact that they are often closed-source, the actual use of the data cannot be established. A great number of decent products from good software houses do use the information to the user's advantage, and I don't mean to attack the support which is often accompanied by registering a program.

This also happens with things like realmail, but many people seem to treat personal data as not being dangerous to give out over the internet, whereas realmail sources are always questioned naturally by many people when they receive a "special offer" or the like.

Stuart

Users are responsible... (3.12 / 8) (#36)
by Alhazred on Fri Jun 29, 2001 at 08:32:00 PM EST

for the security of their systems. Yes the usual argument that they are too ignorant or busy etc. Well if you're too ignorant or busy to lock your door, then believe me neither the cops nor your insurance co. is going to be too sympathetic when your house gets looted!

People pay to have locks installed, so basically why shouldn't they pay for computer security too?

Naturally I think the problem should be solved, and I hate spyware too, but it IS pretty simple to disable 99% of it, and the other 1%, well, that software goes in the trash!

Put up a firewall. I mean NO machine should be allowing packets out on any ports except the ones you really WANT being used, and in fact you should be able to easily configure which applications can connect where too. Standard setups should be available for those who aren't up to building their own (most of the world admittedly).

The only OS I've used extensively that has all of this functionality is, you guessed it, Linux. I expect the BSDs are on a par as well. To my knowledge, there is no spyware on Linux. If there IS any, it's stuff that's been ported over from WinXX[XX].

There are a lot of ways to address these issues, code signing, secure protocols, etc. We are years from having a totally secure infrastructure however, and in the mean time, people should just be glad they can use the net as it is. I mean an insecure net is better than none in my mind. At least people KNOW it's insecure!
That is not dead which may eternal lie And with strange aeons death itself may die.
Are you kidding ? (3.66 / 6) (#38)
by urgan on Fri Jun 29, 2001 at 11:36:52 PM EST

I expect the BSDs are on a par as well.

In packet management linux is always a step behind BSD's.

[ Parent ]
Re: Are you kidding? (4.50 / 2) (#39)
by Ubiq on Sat Jun 30, 2001 at 12:34:03 PM EST

What do you mean by that? How is ipfilter/ipfirewall better than ipfwadm/ipchains/iptables?

Not flaming, just curious. I just migrated my home firewall from ipfilter to ipfirewall, but I miss apt-get so was considering to install linux instead.

[ Parent ]

No significant advantages... (4.00 / 3) (#40)
by noahm on Sat Jun 30, 2001 at 01:29:36 PM EST

What do you mean by that? How is ipfilter/ipfirewall better than ipfwadm/ipchains/iptables?

You're just being trolled. There is very little difference between the flexibility, security, and performance of packet filtering/forwarding between Linux and *BSD.

The few comparisons that have shown any significant performance difference have only been able to do so under unrealistically heavy loads. Both Linux and *BSD can do stateful packet filtering and full NAT. Configurations are similar. For 99.9% of the firewall using world there is no functional difference between Linux packet filtering and *BSD packet filtering.

As always, your best bet is to go with what's most comfortable. You mentioned missing apt-get, so you're obviously pretty comfortable with Debian. Use it.

noah

[ Parent ]

firewall product not as important as platform !!!! (4.00 / 2) (#43)
by lazerus on Sun Jul 01, 2001 at 12:26:50 PM EST

This is a common mythunderstanding. The firewall product that you run is only one aspect of the total security product that you are trying to implement. You can spend thousands of dollars on firewall software, but if you run it on an old system there are still a lot of security risks that you open yourself up to. A system with known vulnerabilities in the kernel itself, such as unpredictable race conditions, VM instability, and I/O problems will NOT be a secure system. Linux is known for a lot of these problems! Not to mention the TCP/IP stacks of various systems. What ISN generator code do they use? Is it truly random or at least pseudo-random? Not pseudo-incremental? Look at that! Seriously! NT 4 and Solaris are known for problems in this area! Look at this! Do research! Don't just suggest that you "use whatever OS you like with your firewall". Sheesh.

The fact is that the firewalling code of various systems, especially the new ones, ARE roughly on par. I will agree with you there - but the system that you run it on is also vital. The OS, the hardware and the firewalling code must work together to create a stable security product... BUT... Even a good combination of these is not enough to ensure that your security product is truly secure. You also have to take application level firewalling products into consideration. Circuit level (packet filtering) products are not always enough to ensure that you are safe from malicious code.

However, setting that discussion aside for now (it's a big area), if you are SERIOUS about firewall products as part of a bigger security product, you would have recommended OpenBSD. The ingrained cryptography and kernel security make for a solid system. The entire system has gone through a code audit. There have been fewer exploits available for it than other systems. Overall, while no product can be said to be bulletproof, OpenBSD is currently the best solution for a firewall AS PART OF A LARGER SECURITY PRODUCT. Debian is great, it's a good product, but it is NOT a good security product!!! The Unix philosophy states "Use the right tool for the job". In this case, OpenBSD is it. Unless you subscribe to the Linux school of thought which dictates: "Use the best tool for the job, as long as it's Linux", you will agree with this.

[ Parent ]
That is bullshit (3.33 / 3) (#52)
by noahm on Mon Jul 02, 2001 at 10:26:47 AM EST

A system with known vulnerabilities in the kernel itself, such as unpredictable race conditions, VM instability, and I/O problems will NOT be a secure system. Linux is known for a lot of these problems!

Umm, no. You really don't know what you're talking about. Have you experience with such matters? I have. I have spent a significant amount of time using Linux and FreeBSD in heavily loaded production environments, and I assure you, there is no noticeable difference. At my former workplace, a large ISP with several POPs around the state of Maine, it was not at all uncommon to see our Linux based web servers with triple digit uptime (no, I mean hundreds of days, not hundreds of minutes). We ran Linux on our secure commerce web server. We ran heavily loaded news and email servers on Linux. We ran a shell server on Linux. Not once did we experience a security breach or any of the "unpredictable race conditions, VM instability, and I/O problems" you talk about. This was not luck, this is what you should expect from Linux.

At my current workplace, we use a large number of FreeBSD servers. I can say the same thing about these servers that I can say about the Linux machines at the ISP. They don't crash. They perform exactly as expected all the time.

I have run my own domain for personal use by myself and friends for years now. The primary server is Linux based and never have I seen a software related crash, nor has the machine been cracked or otherwise compromised.

So I emphasize again, go with what you're familiar with. I've heard it said that security is 1% software and 99% system administration. I strongly agree with that.

noah

[ Parent ]

Not bullshit. I have done research in this area. (5.00 / 1) (#57)
by lazerus on Tue Jul 03, 2001 at 07:20:07 AM EST

You sound like a Linux apologist. I have actually done research in this area for IP billing and accounting, I examined several TCP/IP stacks and underlying systems to determine which would be the most robust, and did heavy testing in a lab environment. In addition to that, I have been in the firewall game for many years and everything that I said in my previous post stands.

When you have written a whitepaper of the calibre of this one:

http://www.ipmeter.com/download/techpaper.pdf

and you have been in the firewall game for more than 2 years, then perhaps we can talk again. By that time, however, I suspect you will agree with me.



[ Parent ]
Research vs. Practice (5.00 / 1) (#58)
by noahm on Tue Jul 03, 2001 at 11:12:41 AM EST

You sound like a Linux apologist.

Grr, I hate it when people say stupid things like that. As I mentioned, I use mostly FreeBSD at my workplace. I have used Linux at previous jobs. I run Debian Linux on many of my systems, and am a developer for the project. I have been a Unix admin on some level for several years at this point. I don't see how defending a technology into which I've put a great deal of time and energy, and which has proven itself to be rock solid in terms of stability and perform comparably to anything else available makes me a "Linux apologist".

When you have written a whitepaper of the calibre of this one:
http://www.ipmeter.com/download/techpaper.pdf

Sadly, at least half of the paper is written in a language that I do not understand (German, my limited linguistic experience tells me). If an English translation is available, I'd be happy to read it. In the meantime, I stand firm by what I said before: Any system is secure if properly administered. I have experience to back me up.

and you have been in the firewall game for more than 2 years, then perhaps we can talk again. By that time, however, I suspect you will agree with me.

If you want to argue credentials, I'd be happy to send you a copy of my resume.

noah

[ Parent ]

Context incorrect (my fault) (5.00 / 1) (#59)
by lazerus on Tue Jul 03, 2001 at 12:35:32 PM EST

You sound like a Linux apologist.

Grr, I hate it when people say stupid things like that. As I mentioned, I use mostly FreeBSD at my workplace. I have used Linux at previous jobs. I run Debian Linux on many of my systems, and am a developer for the project. I have been a Unix admin on some level for several years at this point. I don't see how defending a technology into which I've put a great deal of time and energy, and which has proven itself to be rock solid in terms of stability and perform comparably to anything else available makes me a "Linux apologist".

Ok, I'm sorry about that - when you highlight that statement alone it does look kind of bad and I apologise if you took it in the wrong context, my commando of the English language is not the best.

The fact is that Linux is an excellent product, for certain tasks. Load intensive tasks do not fall into this category. I haven't tried 2.4.5 kernel yet, but as for the previous kernels (last I tried was 2.4.3), it stands. I guess we'll never agree about the high load issue, but I can say that from my testing, in the lab, extensively with 2.2.x and Free/OpenBSD, my findings were clear: BSD handles load better than Linux 2.2.x. The packet capture mechanism especially concerned us and we could not get it to work reliably, despite conferring with high-profile members of the Linux kernel core team. Overall, it wasn't a terrible product, but it failed to stand up to the kind of testing we did. (I say "we" even though I have moved on to a different company since then).

Sorry if I offended you, it wasn't my intention for you to take the sentence in that context. (Anyway, what this has to do with security is a bit beyond me....I was arguing OpenBSD security vs Other Systems Security in my previous posts...but I'll still stand by the BSD vs Linux load argument anyway! :)

[ Parent ]
if I may summarize (5.00 / 1) (#62)
by kubalaa on Wed Jul 04, 2001 at 03:35:14 PM EST

You can argue indefinitely about relative technical merits. But the best firewall is useless if improperly configured. That's why projects like Bastille are necessary, because almost all of the time, the skill and knowledge of the administrator is the limiting factor, not the software.

I think noahm is saying, and I agree, that the differences between Linux and BSD may exist but are outweighed by human concerns. (Just like C++ is faster than Java, but if you're doing something network-intensive it doesn't matter because the network determines the speed, and both are fast enough.) Or to put it another way, an administrator who's not a security professional will probably be creating more holes than the software in either case.

[ Parent ]

Users trust Creative not to have security holes... (5.00 / 1) (#49)
by ryancooley on Mon Jul 02, 2001 at 06:42:01 AM EST

Users are responsible... for the security of their systems. Yes the usual argument that they are too ignorant or busy etc. Well if you're too ignorant or busy to lock your door, then believe me neither the cops nor your insurance co. is going to be too sympathetic when your house gets looted!

That's absolute crap. False logic at its worst. A Firewall is essentially like having a fence around your house. Creative's auto-update problem is like buying a garage door opener that automatically opens when it detects motion! It may be convenient, but you are opening a security hole. But even more sinister is that you get this feature automatically even if you don't ask for it. Now having that firewall may or may not protect you against this single hole in your system, but it certainly doesn't keep you completely safe. This problem is comparable to 'The Club' selling steering wheel locks with masterkeys available to anyone (whooopps!).

[ Parent ]

analogy considered harmful (5.00 / 1) (#50)
by QuantumG on Mon Jul 02, 2001 at 07:01:07 AM EST

Please, no more door/fence/garage analogies for you. We all understand the issue, we don't need some stupid analogy. Users may very well trust Creative but they shouldn't (obviously). The general public is going to start getting real pissed off over security soon. They're going to call their congressman and demand things like tougher laws on hackers and software companies to be fined for security flaws. They aren't going to get it, but what they will quickly find out is they don't need it. Civil suits are a lot more viable and average joe is going to start seeing banner ads for lawyers. "Just got owned? Fight back! No win, no pay."

Gun fire is the sound of freedom.
[ Parent ]
No analogies here (5.00 / 1) (#63)
by ryancooley on Thu Jul 05, 2001 at 05:00:50 AM EST

Fine, I'll avoid the analogies, but they were there because you made things sound like the users are at fault, or could do something to stop it. You say they shouldn't trust Creative, but they don't have much choice. There may be a way not to expose yourself to this problem, but then the problem will just get more difficult next time. We actually need consumer protection laws in place to stop this practice.

I've been waiting for people to start contacting their congressmen, but it's just not happening. People are dumb and unhappy, and the masses aren't in the same boat as the skilled pros (i.e. I don't use creative's drivers so I'm not going to get pissed off and lead the masses to revolt) so the ignorant don't know who caused the problems, what should be done, or that anything can be done, and even if they do, they don't have any legal recourse.

As far as civil suits, they are not an option. There are no consumer protection laws in place applying to software. If you agree to a EULA that says they can't be held responsible, that's just what it means.

As far as suits for flaws, good luck... that's like suing your barber when your hair isn't cut exactly how you like it. If you can show intent, you have a case, but the payoff will be so insignificant that the judgement isn't worth the cost of proving your case.

(Yeah, so sue me, I used a barber analogy which contradicts the subject of the message.)

[ Parent ]
People are going to start suing.. (5.00 / 1) (#65)
by QuantumG on Thu Jul 05, 2001 at 09:21:32 PM EST

the people who break into their computers. They are going to show damage and method and that is all they are going to have to show to win. They are going to start suing people who write exploits and post them to bugtraq, and these are going to be class actions.

Gun fire is the sound of freedom.
[ Parent ]
People who write exploits (5.00 / 1) (#66)
by simon farnz on Fri Jul 06, 2001 at 05:24:19 AM EST

Suing the people who write exploits and post them to bugtraq will be interesting; showing damage is hard in those cases.

An equivalent real world analogy is suing a locksmith for teaching his apprentices(sic). No damage has been done by the smith, even if an apprentice uses his knowledge to break into my house.
--
If guns are outlawed, only outlaws have guns
[ Parent ]

stupid analogies (5.00 / 1) (#67)
by QuantumG on Sat Jul 07, 2001 at 10:24:38 PM EST

No, it's the equivalent of standing on a street corner and handing out "how to break into cars" complete with slim jim and alarm defeating hardware and it's not hard to prove damage, someone stole my car and when I got it back I discovered a copy of the book in the back seat.

Gun fire is the sound of freedom.
[ Parent ]
How to avoid Creative Spyware (4.66 / 9) (#37)
by mrsam on Fri Jun 29, 2001 at 10:56:05 PM EST

It's probably too late if your machine is already infested with their crap, but if you ever have to reinstall 'dows, you can easily avoid dealing with Creative's crapware ever again.

Just don't run their install program off their installation CD. All it does is infect your machine with a whole bunch of totally useless shit. Just run the 'doze "Add Hardware" wizard, from Control Panel. It'll find the soundcard, and ask you for the driver. *Now* stick the creative CD in. I forget the exact layout of the install CD, but if you browse it (from the add hardware wizard), you should easily find the directory with the sound card driver. The "Ok" button is initially grayed out. When you hit the right directory, it'll ungray itself. Hit it, then 'doze will copy only the sound card driver that 'doze needs to run the sound card, and skip all of the unnecessary Creative shitware.

Good riddance to bad rubbish. I find that this trick works with other stuff too, not just Creative. There's an annoying tendency on the part of OEMs to include all sorts of useless garbage with the device drivers for their hardware. If you run the OEM's installation disk, more often than not you just end up fscking up your machine without any good reason. Just run the hardware install wizard, and let it copy just the two or three driver files that are needed to run the hardware, that's all.

newsupd.exe (5.00 / 3) (#42)
by adewhite on Sun Jul 01, 2001 at 01:02:12 AM EST

In addition to the previous post, I did notice that this one particular shit always freezes my w2k during shutdown. Heck, just do a search in the registry for newsupd.exe and delete the whole string. Then you can also delete the exe itself if you want to.

What Also To Do... (5.00 / 1) (#64)
by inquisitor on Thu Jul 05, 2001 at 03:14:51 PM EST

If you like LiveWare! software like the Creative Launcher, go to the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Creative Tech\Creative Launcher\IWantTo2

and set the option "StartNews" to 0. Also nuke it from your RUN keys, and preferably from your hard drive. Voila: spyware solved, and you can still run LiveWare!. No contact back to base seen yet (I'm using Tiny Personal Firewall.) Easy.

Also, it might not be the news update freezing your Win2K system, although news update is the spyware in question. LiveWare uses a series of kludges to implement EAX and other mechanisms, including running a program called "devldr32.exe" quite high in the operating system hierarchy. This does not do your system much good, as Creative can't write software for toffee. If you rename devldr32.exe to (say) devldr_bak.exe, and add it to your Windows "Run" key, your system will work much better - without crashing. I've found this too many times. YMMV.

[ Parent ]
Sensational...!!! (2.28 / 7) (#44)
by frogg on Sun Jul 01, 2001 at 09:42:54 PM EST

Today in the news: Creative hit by Sadmind

To understand what may have happened to Creative's server requires a greater understanding of how Sadmind works than is presented in the above article.

Sadmind is a worm that uses Solaris systems as its host, and it cannot run under any other OS. Once it has infected a host, the worm performs several distinct functions:-

a) It tries to locate other Solaris hosts to infect (replication mechanism)

b) It roots NT/IIS web servers using the 'folder traversal' vulnerability and attempts to deface various web pages (payload #1). The worm uses the vulnerability to copy cmd.exe to another location/filename, thus gaining its own private command shell (running under the same system privs as the webserver, which in practice is often as good as 'root'). Once it has done this, it uses 'echo' to create new html files at various (preset) locations.

c) having defaced a few thousand (2000?) NT/IIS servers, the worm attempts to deface web pages on its host (payload #2).

So unless there is a new Sadmind derivative which phones-home with info about the boxes it has rooted (so someone/thing else can actually do the hard work described in the above article) or a new derivative that can specifically hack certain executable files on the Creative site, it is unlikely (although not impossible, granted) that the Creative server has had anything more than some web content defaced through the use of this backdoor. (This worm changes more files on the Solaris system it compromises/infects).

...I gotta admire the way that the above article uses a sensationalism beyond that of slashdot (maybe more approaching the levels of FUD used by Microsoft in their recent public GPL/opensource bashing?) to link together nearly all of the individual concerns raised by Steve Gibson (...without credit), but the reality of the Sadmind worm is nowhere near as exciting as wild speculations (in general). (FWIW, one of our partners had their servers hit by Sadmind about a month ago)

Furthermore, auto-update is not the same as spyware -- and today's new stories do not always embrace and extend previous news stories (even if they are about the same company)... ;0)

(...is it officially that 'slow news' time of year again?)

it's guys like you (5.00 / 4) (#45)
by QuantumG on Mon Jul 02, 2001 at 12:27:35 AM EST

who don't understand the technical issues and tell people to not worry about security issues. Note, that although the worm doesn't do anything the fact that it defaces the web site tells anyone who goes to that web site that they can use the same bug to execute whatever they want. Which is what the story here is about. Thank you for pretending you know something when you don't.

Gun fire is the sound of freedom.
[ Parent ]
Quit talking out of your ass. (5.00 / 2) (#46)
by kwsNI on Mon Jul 02, 2001 at 12:56:13 AM EST

I really get tired of people that think they know what they're talking about. If you would have even bothered to read the provided link, you could have read that the worm allows the intruder to execute code. From section II. Impact:
Intruders can use the vulnerabilities exploited by this worm to execute arbitrary code with root privileges on vulnerable Solaris systems, and arbitrary commands with the privileges of the IUSR_machinename account on vulnerable Windows systems.


kwsNI
I can picture in my mind a world without war, a world without hate. And I can picture us attacking that world, because they'd never expect it. -Jack Handy
[ Parent ]
Well... (3.00 / 2) (#53)
by mindstrm on Mon Jul 02, 2001 at 10:32:48 AM EST

actually what it said is that people could use the same vulnerabilities that the worm used to run arbitrary code (like the worm).

The worm itself doesn't add anything, only points out that the server was insecure.


[ Parent ]
really??? (5.00 / 4) (#48)
by univgeek on Mon Jul 02, 2001 at 01:15:56 AM EST

Once a system can be rooted, it can be rooted again, unless the patches are applied. And once a black hat knows that by running code on a system he can gain access to 100s if not 1000s of systems do you think he is going to forget about it? He will try his utmost to penetrate the system. This is a problem with all spyware with autoupdate features.
So Sadmind on that system IS a problem. And it will act as an ad for other black hats to try to get onto that system. And having spyware autoupdate from an internet server is definitely going to be a vehicle of choice for any discriminating hacker.
Think about it, change the code in ONE place and you have 1000s of systems calling in like clock-work to take your code.

Arguing with an Electrical Engineer is like wrestling with a pig in mud, after a while you realise the pig is enjoying it!
[ Parent ]
The Message May Be Camouflage (3.50 / 2) (#61)
by SEWilco on Tue Jul 03, 2001 at 08:59:53 PM EST

It's also possible that someone attacked the server, put up that particular message to make it appear that a certain attack occurred, but also did some other things. All that the message tells the rest of us is that the server can not be trusted.

[ Parent ]
In defense of auto-update features (4.80 / 5) (#47)
by coulson on Mon Jul 02, 2001 at 12:58:19 AM EST

(To acknowledge my bias, my company uses Marimba's Castanet software as an auto-updater.)

More and more internet companies are making a go at the service industry. This is the essential difference between MMORPGs and console games. Companies want to sell services (e.g. cable tv) instead of products (e.g. tv sets). I think this is one of the reasons why auto-updating is so popular.

A product stands on its own; it doesn't require any work from the company (except customer support) after you've purchased it. A service, on the other hand, requires infrastructure: servers, bandwidth, hardware support, etc. Once a product is sold, it costs the company nothing. They aren't required to give you updates; you paid money for what was in the box. If they release a new feature, you'll be asked to pay an upgrade fee. A service charges a subscription fee: you pay a little every month to cover infrastructure costs and improvements. These improvements are the key: how can a service company upgrade its service?

Imagine for a moment that you run the service company: your users are asking for new features and bug fixes. You can't release version 2.0 and ask them to pay again (as a product company would). They're already paying to subscribe to the service; they need the best software possible. So you need a method for incremental upgrades. You can ask them to come to your site and download a new version every month, but how many will do so?

Now imagine that you find a BUG! Or, want to add a feature! A service cannot remain static in the computer industry and be competitive.

What happens when the provider needs to update the code on the servers that talks to the client? What if the change breaks compatibility with old clients? If you have no facility for auto-updating, you're damned forever to run two versions of the server code. If you do have such a mechanism for auto-updating, there's no problem.

The best answer we've found so far is to make feature updates optional, but required updates automatic. No one ever has to visit our site to look for patches; if we have them, you have them.

auto-update can be done securely (5.00 / 2) (#54)
by Kijiki on Tue Jul 03, 2001 at 02:14:43 AM EST

So here is what you do. You put your public key in the application when you distribute it. Now, when it phones home, it only installs the update if it was signed with your private key.

Of course, you only keep your private key on a secured workstation, and do the signing there. Preferably this workstation is not even connected to the internet at all.

So even if some l33t h4x0r compromises your update server, the clients will not apply any malicious updates.

Unfortunately, schemes like this are well beyond the means of your average spyware and/or game company.

[ Parent ]
Beyond the means? (5.00 / 2) (#56)
by srichman on Tue Jul 03, 2001 at 05:42:00 AM EST

Unfortunately, schemes like this are well beyond the means of your average spyware and/or game company.

Are you being sarcastic? There are many widely available algorithms and libraries for asymmetric encryption and cryptographically strong hashing, let alone systems devised specifically for code signing.

[ Parent ]
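The scheme described in comment #54 above (public key shipped inside the client, updates signed on an offline machine, client refuses anything that does not verify), as an added example that is not part of the original thread or any vendor's code. It assumes Ed25519 from the Go standard library; the `Update` layout, the function names and the sample payloads are constructed for illustration, and the version check against replay of an old signed build goes one step beyond what the comment states.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Update is what the (untrusted) update server hands to the client.
type Update struct {
	Version   uint32
	Payload   []byte
	Signature []byte // produced offline over signedMessage(Version, Payload)
}

var (
	ErrBadSignature = errors.New("rejected: signature does not verify against pinned key")
	ErrRollback     = errors.New("rejected: version is not newer than the installed one")
)

// signedMessage binds the version to the payload hash, so a compromised
// server cannot relabel an old signed build as a newer one.
func signedMessage(version uint32, payload []byte) []byte {
	var v [4]byte
	binary.BigEndian.PutUint32(v[:], version)
	digest := sha256.Sum256(payload)
	msg := append([]byte("example-update-v1"), v[:]...) // hypothetical domain tag
	return append(msg, digest[:]...)
}

// SignUpdate runs on the offline signing workstation, never on the server.
func SignUpdate(priv ed25519.PrivateKey, version uint32, payload []byte) Update {
	sig := ed25519.Sign(priv, signedMessage(version, payload))
	return Update{Version: version, Payload: payload, Signature: sig}
}

// VerifyUpdate runs in the client before anything is installed. pinned is
// the public key that shipped inside the application.
func VerifyUpdate(pinned ed25519.PublicKey, installed uint32, u Update) error {
	if !ed25519.Verify(pinned, signedMessage(u.Version, u.Payload), u.Signature) {
		return ErrBadSignature
	}
	if u.Version <= installed {
		return ErrRollback
	}
	return nil
}

// Results holds the client's verdict for each constructed scenario.
type Results struct{ Genuine, Tampered, AttackerSigned, Replayed error }

// RunScenarios uses constructed keys and payloads only.
func RunScenarios() Results {
	pub, priv, err := ed25519.GenerateKey(nil) // vendor key pair (demo only)
	if err != nil {
		panic(err)
	}
	_, attackerPriv, err := ed25519.GenerateKey(nil) // key held by whoever owns the server
	if err != nil {
		panic(err)
	}
	const installed = 4

	genuine := SignUpdate(priv, 5, []byte("driver build 5"))
	tampered := genuine // server swaps the file but keeps the old signature
	tampered.Payload = []byte("replaced build")
	resigned := SignUpdate(attackerPriv, 6, []byte("replaced build"))
	old := SignUpdate(priv, 3, []byte("driver build 3"))

	return Results{
		Genuine:        VerifyUpdate(pub, installed, genuine),
		Tampered:       VerifyUpdate(pub, installed, tampered),
		AttackerSigned: VerifyUpdate(pub, installed, resigned),
		Replayed:       VerifyUpdate(pub, installed, old),
	}
}

func main() {
	r := RunScenarios()
	fmt.Println("genuine:        ", r.Genuine)
	fmt.Println("tampered:       ", r.Tampered)
	fmt.Println("attacker-signed:", r.AttackerSigned)
	fmt.Println("replayed old:   ", r.Replayed)
}
```

Control of the update server alone gives none of the three rejected cases a path to installation; only the offline private key does.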

AdAware (4.50 / 2) (#55)
by jesterzog on Tue Jul 03, 2001 at 03:04:55 AM EST

For windows users, I'd like to recommend a free utility called AdAware, from Lavasoft, which I've found to be very good at scanning, finding and removing spyware on windows systems.

I discovered it after previous comments on kuro5hin and I should credit SbooX, ti dave and Delerium for pointing it out in the past. (Possibly others but I can't find the references.)


jesterzog Fight the light


Got me (3.66 / 3) (#60)
by Zebulun on Tue Jul 03, 2001 at 04:00:04 PM EST

This one got me. I thought someone hacked my puter. Thanks creative, ya jerks.

Disgruntled Employees (4.00 / 1) (#68)
by Potatoswatter on Mon Jul 09, 2001 at 12:20:30 AM EST

If you think about it, this particular occurrence is nothing really new. Webservers are infected with worms, and auto-update servers in the same box as web servers could be affected with viruses too.

But for someone to write a malicious program to "infect" the server and put a payload on thousands of client machines, that program would have to be specially written. A virus author can't know enough about where an auto-update-distributed file is gonna be run to write it properly. And the worm could only affect one type of update server - how many are there out there? This type of thing would take a really determined, experienced programmer targeting a few specific servers.

I think the risk is in some very disgruntled programmer at Creative or wherever posting a malicious driver update. Even if it's slim, it's a possibility. I use Macs, so it's unlikely for *me*, but hey...

And it's prolly pointless to whine about auto-update features in general when it comes to this. Security is needed on the OS side. If OS vendors (Apple, Microsoft, Linux/GNU) had nice secure standard auto-update APIs that could be assuredly limited to updating a few certain files, and those few files didn't have permission to modify anything in the file sys (this should be possible in all but pre-OS X Mac), we'd be secure. Security utilities could be written to find auto-updateable files and determine that they can only be executed with limited permission. Everybody'd be happy, no paranoia in sight :v) .

myQuotient = myDividend/*myDivisorPtr; For multiple languages in the same function, see Upper/Mute in my diary! */;

Creative Labs spying ... and now this? | 68 comments (67 topical, 1 editorial, 0 hidden)