Part 1: Old Software and the impact of it

Post by Toast » 25 Jan 2009, 16:24

Well, I've been meaning to post about this for months, but recent events have taken up some of my time from being active enough to write about it.

Old software is the topic that we are going to discuss today (or have a monologue) ;)

Well, what is the definition of old with Open Source?
  • Something that is not maintained by a developer
  • Something that has not been updated by the user
These are 2 things that are common on DC. The up-to-date standard is fairly "low" (kinda sad) and the general interest is not as high as it could be. As long as the user can download and upload, the user doesn't care, even if the software he or she is using contains bugs that can be exploited, and yes, there have been some over the years.
Oh yes, I could make that list longer, but that wouldn't be interesting to read. Instead I'm gonna focus on CTM again and how it's been abused for spamming hubs, websites etc. (reference: http://www.securityfocus.com/news/11466) and how a developer can help by starting to think smart.
  1. Start paying attention to the community (DC Community)
  2. Talk to other developers about standards for hubsofts, hublists, clients
  3. Don't choose old hublists that still allow CTM exploited hubs to be listed.
  4. Try to keep yourself involved in protocol development.
  5. Ask other developers for ideas on improvements.
That's just some suggestions that could improve the development. Now on to the user side.

How can a user benefit from all of this? Well, let's work out the details.

A user wants his or her stuff fast and smooth, without any problems or hassle from hubowners/ops (sometimes OPs and hubowners can be the most horrible problem there is). Most ops and hubowners for some odd reason stay with older versions since they can't seem to manage getting active in new clients (I know this is partial, but you can always discuss this in this thread), so they recommend older stuff that they can manage. This causes heaps of problems for the rest of the community, since there are flaws in older clients that are known and that can be exploited for malicious use.

So how do we go about with the Operators and the hubowners since they are the ones that need to pass down the information given to them and if they don't understand the changes how can so explain them to them.

Well, sites like this are one good start, but it's not a total solution; we could make annoying announcements or include popups every time a new version is released in the software.

Since hubowners want their hubs to become big etc., they are dependent on hublists to provide them with users. Now a hublist should have one thing if it's NMDC only, and that's a CTM checker that checks if the is the same as the IP of the CTM requester. This is the minimal requirement, at least in my view, and if it doesn't, it doesn't appear in the hublist.

However, there are plenty of hublists that don't have this implemented, so I do hope that some example code will appear for any hublist owner so they can implement it.

Well, I think I'll make this a series of articles, so consider this article 1 in a series of many.

The conclusion is: why add to the problems that are already there, and why not just give new stuff a chance instead?

If you are more interested in the bugs over the years, I recommend that you go to this site:
http://www.securityfocus.com/

Post by Catalin » 25 Jan 2009, 17:10

In order to detect CTM a hub list owner should do the following:

1. connect to the hub as normal user (without BotINFO in supports)
2. after hand-shake is complete log all messages from the hub for a few seconds
3. disconnect
4. check if $ConnectToMe was received from the hub; if so, check how many identical requests there were. If more than 1, the hub is probably affected by the exploit and it shouldn't be listed on public lists

or

1. connect to the hub as a pinger (SUPPORTS BotINFO)
2. after hand-shake is complete log all messages from the hub for a few seconds
3. send $BotINFO in order to receive HubINFO
4. disconnect
5. check if $ConnectToMe was received from the hub; if so, check how many identical requests there were. If more than 1, the hub is probably affected by the exploit and it shouldn't be listed on public lists

You should wait some time before sending BotINFO because some hub softs will close the connection after replying with HubINFO.

Hub lists should discourage users from connecting to this kind of hub.

Good article btw.
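
The final check step from the post above, applied offline to an already captured log, as an added example (not code from this thread or from any hub list project). It assumes the NMDC wire format, where commands end with `|` and a request reads `$ConnectToMe <nick> <ip>:<port>`; the capture and the names `SAMPLE_CAPTURE`, `ctm_requests` and `assess_hub` are constructed for illustration.

```python
from collections import Counter

# Constructed capture: bytes a checker might log for a few seconds after the
# handshake. Addresses come from documentation ranges; nicks are made up.
SAMPLE_CAPTURE = (
    b"$HubName Example Hub|"
    b"<Bot> welcome|"
    b"$ConnectToMe checker 192.0.2.10:80|"
    b"$ConnectToMe checker 192.0.2.10:80|"
    b"$ConnectToMe checker 192.0.2.10:80|"
    b"$ConnectToMe checker 198.51.100.7:4112|"
    b"$Quit someuser|"
)


def split_commands(capture: bytes) -> list:
    """Split the stream on '|' and drop a trailing, incomplete command."""
    parts = capture.decode("latin-1").split("|")
    return [p for p in parts[:-1] if p]


def ctm_requests(capture: bytes) -> Counter:
    """Count $ConnectToMe commands, keyed by (nick, 'ip:port')."""
    counts = Counter()
    for cmd in split_commands(capture):
        fields = cmd.split(" ")
        # Chat lines start with '<nick>', so quoted commands are not counted.
        if len(fields) == 3 and fields[0] == "$ConnectToMe":
            counts[(fields[1], fields[2])] += 1
    return counts


def assess_hub(capture: bytes) -> dict:
    """Apply the rule from the post: any identical request seen more than once."""
    counts = ctm_requests(capture)
    repeated = {key: n for key, n in counts.items() if n > 1}
    return {
        "ctm_received": sum(counts.values()),
        "repeated": repeated,
        "list_hub": not repeated,
    }


if __name__ == "__main__":
    print(assess_hub(SAMPLE_CAPTURE))
```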

Post by Toast » 25 Jan 2009, 18:39

Thank you, Catalin, for your comments and your post about how to make a CTM checker :)

Post by Pietry » 26 Jan 2009, 07:38

The main issue about Open Source software is that it's not written by professionals. Nobody gets paid for this, and nobody does this full time. Also, there is not an actual team behind it. People don't understand that.
At Windows there are thousands working, and on DC++ mostly 2 people. Though, it's expected to function just as well.
As a dev, I can say we also have our lives and we do this in our spare time for fun, learning or to help the community and friends.
Our software is far from perfect, but the best part of it is that it is free. So if it doesn't cost you anything to update (just 2 minutes of your time), why not do it? We want to improve the software at any time anyway. I think the dev has worked a lot more time so that you could have better software.
Just someone

Post by Toast » 26 Jan 2009, 08:59

That's why I outlined suggestions, since I know most of you are students or just do it for fun, and there are always gonna be bugs. The main idea with this article is to open users to new software so we can get rid of the older bugs that haunt us.
