Worst Products on the Internet



  • I'll start with a classic: Right Click Revenue.

    Wrong on so many levels-

    • People actually buy it
    • It really does nothing
    • You don't really have to buy it, you can find a link to the .js file in the source


     



  • I'm next: Music



    Wrong on so many levels:

    • People actually buy it
    • It really does nothing (at least not how you want it to [*cough*DRM*cough*])
    • You don't really have to buy it, you can just find it on P2P


  • Porn.

    Wrong on so many levels:

    • People actually buy it
    • It really does nothing (it's still just your own hand, dude)
    • You don't really have to buy it, you can just find it, uhm, every fucking where on the internet.

     



  • @lgeekery said:

    Wrong on so many levels-

    • People actually buy it

    So are you suggesting that a good product would be one that no-one bought at all?


  • Discourse touched me in a no-no place

    @lgeekery said:

    I'll start with a classic: Right Click Revenue.

     
    For those that missed it the first time: http://forums.worsethanfailure.com/forums/thread/123236.aspx 



  • food

    Wrong on so many levels-

    • People actually buy it
    • It really does nothing (you die eventually anyway)
    • You don't really have to buy it, you can grow your own


  • Oh, I know a product way, way worse than this...
    phpCodeLock: http://www.phpcodelock.com/

     

    Just for fun, I downloaded the free demo. It took me only minutes to find out how to get back the original code. Yeah, it's just a bunch of evals with some easy encryption schema. There is, however, a function to put a password on a script. This could make it a bit tougher if used properly, but of course, it's not: it generates some hash and only looks at a tiny bit of the value and replaces only some part. If I remember correctly, there were exactly 2^3 = 8 different combinations. So, basically, 1 out of 8 passwords would be considered right.

    But now let's move on. Not about talking about how badly your code will be secured. No, let's talk about how much *worse* it makes the security. See, it extracts all arguments into the global space, and then starts to use variables for file inclusions or opening files, etc. Like I said, it's been a while since I've looked into it, but I remember you could actually run ANY CODE you wanted remotely, through your web browser (ok, you needed some http daemon to upload some file to).

    Yes, secure. Really secure. It just installs about 5 backdoors into your scripts. And that for only 55 dollars!

    It's been a while ago, I don't know how much has changed since, though. And besides, it was the demo version. Maybe it's different from the full version? Otherwise, however, it would surely be frontpage material...



  • Ok, I just spent some time looking into it again. Just for fun. And it was still as bad as I remember.

    In this text, I will disclose 3 vulnerabilities. Zero day. I won't, however, give you the full description of how to use it. So script-kiddies; it's useless for you to read to exploit phpCodeLock.

    Keep this in your head: 55 dollars for this product...

    /me prays the forum doesn't screw up this post... 

     

    Installation
    First, you download a .zip file. Fine, fine. Extracting it into some (protected, localhost only) directory of my apache server and launching a text editor with the setup.txt file, the fun begins. Instruction 1:
    1. Extract the files into a folder (eg. codelockv2) and CHMOD 2777 the 'codelockv2'
       folder (note the 2 in front for GID (drwxrwsrwx). This means "world-writable with the
       setGID bit enabled").  In most cases, CHMOD 777 should work OK if you're unsure

    Right. How secure. Anyway, let's just do that... Then, as stated in step 3, let's chmod "encrypted" and "projects" to 777, too. Oh, and the file codelock_dec.php. Right. Then, to use the demo, I have to use "15codelock-trial" as password.


    Usage
    I get presented with a screen with, in my opinion, way too many options. But fine, it has many options, that's good. Let's code a small PHP file to test the encrypting, shall we? So here's test1.php:
    <?php
    // This function simply displays the variable; this will test for obfuscated names
    function displayVar($var)
    {
       echo $var;
    }

    displayVar("Testing");
    ?>

    I didn't enter an unlock key, I didn't make it ask for a key, no expiry time, no IP address, no encrypted browser output, no disable rightclick. So, except for the "ask for key", I left everything in its default state.
    Unlock key required, even if you don't make it ask for one. Fine! So let's use "IHateCodeLock". Obviously, it's displayed in the text field; it's a textbox, no password box. Fine, fine with me...
    Then I was presented with more crappy options. I didn't bother to change any of them, I just selected the file to encrypt. /tmp/test1.php. And the output folder name "test1".
    Within a fraction of a second, I was presented with a message that "test1.php" had been encrypted. And: "Don't forget! Your unlock key is: IHateCodeLock". Right...


    Encryption
    Time to look at the directory the file got encrypted to. encrypted/test1/. The directory had three files: codelock.php, codelock_test1.zip and test1.php.
    --------- test1.php ---------
    <?PHP 
    /* WARNING: This script is protected. Any attempt to reverse engineer, debug or de-code this file or its dependent files is strictly prohibited */
    $codelock_file="test1.php"; $codelock_filed=dirname(__FILE__); include("codelock.php"); return; ?>
    PD9waHAKLy8gVG)pcyBmdW5jdGlvbiBzaW1wbHkgZGlzcGx)eXMgdG)lIHZ)cml)YmxlOyB0aGlzIHdpbGwgdGVzdCBmb3Igb2JmdXNjYXRlZCBuYW1lcwpmdW5jdGlvbiBkaXNwbGF5VmFyKCR2YXIpCnsKICAgZWNobyAkdmFyOwp9CgpkaXNwbGF5VmFyKCJ(ZXN0aW5nIik7Cj8+Cg==
    --------- End of test1.php ---------

    Oh dear, oh dear, I'm about to do something illegal, the comment says. I somehow doubt it really is illegal though... And still, people have the right to know the security of a product they buy.
    So the only interesting thing that happens is the inclusion of codelock.php. There's some crap at the bottom (let's guess: our program? It looks a hell of a lot like a slightly modified base64, since it ends with "==").
    So let's look at codelock.php.

    --------- codelock.php ---------
    <?PHP
    /* WARNING: This script is protected. Any attempt to reverse engineer, debug or de-code this file or its dependent files is strictly prohibited */
    $codelock_rfiled=dirname(__FILE__); if ($codelock_file == '') { echo "<font face='verdana' size='2'><br><b>Error!</b> You cannot run codelock directly...</font>"; die(); } else {}  $codelock_lock="[DATA]"; eval(base64_decode($codelock_lock)); return; ?>
    [MORE DATA]
    --------- End of codelock.php ---------

    [DATA] and [MORE DATA] have been stripped away; it's just too much to copy. But let's look at the base64 decoded data of $codelock_lock, shall we?
    Well, that was easy. A simple copy of the line with a base64_decode, running it with php, and I was presented with a lot more php code. True, it was all put on a single line and there were no comments and "if(TEST) { } else { actions; }" was used instead of "if(!TEST) { actions; }", but the rest seemed intact.
    So in a few minutes, I coded something ugly to make the file more readable. True, the file was still junk, but at least a bit improved. Here's the code (which is more of a WTF than the entire phpCodeLock itself, but it was written optimized for programming it as quickly as possible):

    --------- uglyashell.php ---------
    <?php
    $codelock_lock = "[DATA]";
    $data = base64_decode($codelock_lock);

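    $depth = 0;
    $inpar = false;
    $instr = false;
    $escaped = false;
    $strtype = '';   // quote character that opened the current string literal
    $lastchar = '';  // previous character seen outside a string literal
    for($i = 0; $i < strlen($data); $i++) {
       $cchar = $data[$i];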

       if($instr) {
          echo $cchar;
          switch($cchar) {
           case '\\':
             $escaped = !$escaped;
             break;
           case $strtype:
             // An escaped quote does not end the string literal
             if(!$escaped)
                $instr = false;
             $escaped = false;
             break;
           default:
             $escaped = false;
          }
          continue;
       }

       switch($cchar) {
        case '(':
          $escaped = false;
          echo "(";
          $inpar = true;
          break;
        case ')':
          $escaped = false;
          echo ")";
          $inpar = false;
          break;
        case '{':
          $escaped = false;
          echo "{\n";
          $depth++;
          echo str_repeat(" ", 3 * $depth);
          break;
        case '}':
          $escaped = false;
          echo "}\n";
          $depth--;
          echo str_repeat(" ", 3 * $depth);
          break;
        case ';':
          $escaped = false;
          echo ";";
          if(!$inpar) {
             echo "\n";
             echo str_repeat(" ", 3 * $depth);
          } else
             echo " ";
          break;

        case '\\':
          $escaped = !$escaped;
          echo '\\';
          break;
        case '"':
        case '\'':
          echo $cchar;
          if($escaped) {
             $escaped = false;
             break;
          }

          $instr = true;
          $strtype = $cchar;

          break;

        case ' ':
        case "\r":
        case "\n":
        case "\t":
          if(ord($lastchar) < ord('a') || (ord($lastchar) > ord('z') && ord($lastchar) < ord('A')) || ord($lastchar) > ord('Z'))
             echo " ";
          $escaped = false;
          break;

        default:
          $escaped = false;
          echo $cchar;
       }
       $lastchar = $cchar;
    }
    ?>

    --------- End of uglyashell.php ---------


    [DATA] will have to be replaced with the data from the codelock.php file.
    It won't copy the entire result. However, the second line was "@extract($_REQUEST);". Right. That can't be good. And no, it isn't. Later, the following line can run with the parameters completely specified by the user. Yes, remotely:
    @copy("$codelock_rfiled/$codelock_enc","$codelock_filed/$codelock_enc");

    That is, the following request variables must be set for that: codelock_act="0", and the rest of the variables in the copy command must be set. However, codelock_rfiled and codelock_filed may not be the same!
    So, we can copy a file. For instance; of a remote server to the local server. Let it contain some php code if you like.
    So vulnerability #1. Rating: critical if there's an HTTP directory you can write to, otherwise moderate, I'd say.

    Some function that made me chuckle:
        function codelock_dec($codelock_v){
           switch($codelock_v){
              case "A":$dv=0;
             break;
              case "B":$dv=1;
             break;
              case "C":$dv=2;
    [Stripped many lines]
              case "+":$dv=62;
             break;
              case "/":$dv=63;
             break;
              case "=":$dv=64;
             break;
              default: $dv=0;
             break;
              }
           return $dv;
           }
        }
    Right. Must be some form of loop unrolling.

    Somewhere halfway the file I found:
    $codelock_unlock="IHateCodeLock";
    Our key! Sweet.

    Just after that, it opened the file specified in codelock_enc. Yes, that means any file you put in the codelock_enc file request argument. You may have to add some more arguments, I couldn't be bothered to figure out. It then reads three lines (using fgets), then reads the rest of the file into memory.
    This is it... It has the data... Time to decrypt! That's done in codelock_run which has the data and the key to unlock as parameter. Note that this key may be asked, so the algorithm to decrypt is essential for the security.
    Also note that the decrypted data will be executed. Yes, you can execute anything you want through this, by specifying your own PHP file. It requires a bit more playing around, though. But I'm not going to waste my time figuring out how exactly to exploit it only to give script kiddies a new weapon. If you want to exploit it, you have a look at it. You can use my script, and the interesting part starts at line 264. If you don't know what it does, then you shouldn't be exploiting it anyway.
    So there's vulnerability #2. Rating: extremely critical. Well, the highest rating that can be given for a php application anyway.

    Time for the decrypt part:
    $codelock_key_data=codelock_dec_int($codelock_key_data,$codelock_active_key);
    Here's the function, written a bit more readable:
    --------- codelock_dec_int ---------
    function codelock_dec_int($code, $key)
    {
       if($key != "") {
          $key = base64_encode($key);

          // Read characters 0, 1 and 3 of the base64-encoded key
          $key_char1 = $key[0];
          $key_char2 = $key[1];
          $key_char3 = $key[3];

          // Replace $ by the first key of the base64ed key, ( by the second, ) by the third
          $code = str_replace('$', $key_char1, $code);
          $code = str_replace('(', $key_char2, $code);
          $code = str_replace(')', $key_char3, $code);
       }

       return base64_decode($code);
    }
    --------- End of codelock_dec_int ---------

    So it's decrypted based only on the first two characters of the password and the upper two bits of the third character. Of course, we can assume every most-significant bit to be 0, since it's ascii... So there are only 95*95*2 = 18050 different possible passwords.
    But now let's say you have the file, but not the key. Want to get the key? Well, easy: look at all characters used in the entire base64 code. Since *all* occurrences of one character will be replaced by $, ( or ), these characters will no longer be available in the text. Most encrypted PHP files will use all 64 ("=" not counted) different characters, so that will leave three unused characters. The only thing you'd need to brute force is the order of the characters, which are a total number of 3! = 6 tries. Just check the PHP code for each try, and it should leave you only one valid file.
    So, vulnerability #3: Extremely weak key protection. Severity: Low - Medium.

    There you have it. The security of phpCodeLock. Do you still even want to know how well your code is obfuscated? Let's try to decrypt the original test1.php file:
    --------- test2.php ---------
    <?PHP 
    $data = "PD9waHAKLy8gVG)pcyBmdW5jdGlvbiBzaW1wbHkgZGlzcGx)eXMgdG)lIHZ)cml)YmxlOyB0aGlzIHdpbGwgdGVzdCBmb3Igb2JmdXNjYXRlZCBuYW1lcwpmdW5jdGlvbiBkaXNwbGF5VmFyKCR2YXIpCnsKICAgZWNobyAkdmFyOwp9CgpkaXNwbGF5VmFyKCJ(ZXN0aW5nIik7Cj8+Cg==";
     
    function dec($code, $key)
    {
       if($key != "") {
          $key = base64_encode($key);
     
          // Read characters 0, 1 and 3 of the base64-encoded key
          $key_char1 = $key[0];
          $key_char2 = $key[1];
          $key_char3 = $key[3];
     
          // Replace $ by the first key of the base64ed key, ( by the second, ) by the third
          $code = str_replace('$', $key_char1, $code);
          $code = str_replace('(', $key_char2, $code);
          $code = str_replace(')', $key_char3, $code);
       }
     
       return base64_decode($code);
    }
     
    echo dec($data, "IHateWorkingInvalidKeys");
    ?>
    --------- End of test2.php ---------

    And the result? Easy guess:
    --------- decrypted ---------
    <?php
    // This function simply displays the variable; this will test for obfuscated names
    function displayVar($var)
    {
       echo $var;
    }

    displayVar("Testing");
    ?>
    --------- End of decrypted ---------
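
The request-variable problem described in the post above (the loader's `@extract($_REQUEST)` followed by a `copy()` built from `$codelock_*` variables), shown beside a hardened form. This is an added example, not phpCodeLock's code and not part of the original post: the `$codelock_*` names come from the post, while the function names, directories, allow-list and request values are constructed assumptions.

```php
<?php
// Added example: models the pattern described in the post, not phpCodeLock's code.
// The $codelock_* names come from the post; every value below is constructed.

// Constructed stand-in for $_REQUEST: the client names the loader's own variables.
$request = [
    'codelock_act'    => '0',
    'codelock_enc'    => 'other.php',
    'codelock_rfiled' => '/constructed/source',
    'codelock_filed'  => '/constructed/target',
];

/** Vulnerable pattern: extract() first, then build copy() paths from local variables. */
function plan_copy_vulnerable(array $request, string $scriptDir): array
{
    // Values the loader set itself before the extract() call.
    $codelock_rfiled = $scriptDir;
    $codelock_filed  = $scriptDir;
    $codelock_enc    = 'test1.php';   // assumption: the post does not show where this is first set

    // Default mode is EXTR_OVERWRITE: request keys replace the variables above.
    extract($request);

    // The pair of arguments that copy() would receive.
    return ["$codelock_rfiled/$codelock_enc", "$codelock_filed/$codelock_enc"];
}

/** EXTR_SKIP keeps existing variables but still creates any that were not set yet. */
function flag_with_extr_skip(array $request): string
{
    extract($request, EXTR_SKIP);
    // $codelock_act was never initialised here, so the request still defines it.
    return isset($codelock_act) ? "request-controlled ($codelock_act)" : 'unset';
}

/** Hardened form: no extract(); one named parameter, checked against an allow-list. */
function plan_copy_hardened(array $request, string $scriptDir, array $allowedFiles): array
{
    $name = $request['codelock_enc'] ?? '';
    if (!is_string($name) || !in_array($name, $allowedFiles, true)) {
        throw new InvalidArgumentException('file is not on the allow-list');
    }
    // Directories are fixed by the application and never read from the request.
    return ["$scriptDir/encrypted/$name", "$scriptDir/cache/$name"];
}

$base = '/var/www/app';   // constructed application directory

[$src, $dst] = plan_copy_vulnerable($request, $base);
echo "vulnerable: copy('$src', '$dst')\n";
echo "EXTR_SKIP:  codelock_act is ", flag_with_extr_skip($request), "\n";

try {
    plan_copy_hardened($request, $base, ['test1.php']);
} catch (InvalidArgumentException $e) {
    echo "hardened:   rejected, ", $e->getMessage(), "\n";
}

// Same request, but naming a file that is on the allow-list.
[$src, $dst] = plan_copy_hardened(['codelock_enc' => 'test1.php'] + $request, $base, ['test1.php']);
echo "hardened:   copy('$src', '$dst')\n";
```

In the vulnerable function both `copy()` arguments come entirely from the request; in the hardened one the request can only select a name that is already on the allow-list.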



  • That product sounds amazing!! I wonder how many people encrypt their PHP code on their own Web sites just to make sure people who view the site can't download/steal the code? It sounds like a great way to trick suckers. :)



  • @Evo said:


    <?PHP 

    /* WARNING: This script is protected. Any attempt to reverse engineer, debug or de-code this file or its dependent files is strictly prohibited */

    This post is protected. Reading it is a crime punishable by PHP. 



  • Pay wifi

     Wrong on so many levels-

    • People actually buy it
    • You have to send your credit card info over an unsecured connection
    • You don't really have to buy it, you can find an open connection if you look hard enough.


     



  • That RightClickRevenue was brillant. Hmm, can't copy text, right click = popup. Disable javascript, oh there we go, context menu and text selection are back.

    Of course, even if you didn't try that you could still printscreen and copy what you want that way.....



  • The "author" of Right Click Revenue seems to be arguing on a forum. See it:

    Right Click revenue is not secure, it's designed to make revenue 

    See the "Web Guru" guy. :D 



  • @tchize said:

    The "author" of Right Click Revenue seems to be arguing on a forum. See it:

    Right Click revenue is not secure, it's designed to make revenue 

    See the "Web Guru" guy. :D 

    Fun how he always states that the other claims are false, yet never bothers to give an explanation *why* they should be.

    What upsets me is how he *still* thinks as of today that this product is a good idea. And how he thinks that apparently all techniques can be morally justified if you just call them "marketing"...
     



  • Not to mention that every script I've ever seen that purports to disallow use of the context menu misses the fact that, with your average 104-key keyboard, there's a context menu button that will call up the context menu and bypass their "protection"...



  • @BPFH said:

    Not to mention that every script I've ever seen that purports to disallow use of the context menu misses the fact that, with your average 104-key keyboard, there's a context menu button that will call up the context menu and bypass their "protection"...

    Whahuh? So *that's* what this odd hieroglyph means. And I've been wondering about this for years! I can understand what the Windows keys do - you remap Compose/MultiKey in it - but never quite figured out what possible use this other key would be... obviously, it was all part of Microsoft's ingenious evil plan: When people finally figure out what it does, all anti-right-click-script-makers will go bankrupt!



  • @WWWWolf said:

    @BPFH said:
    Not to mention that every script I've ever seen that purports to disallow use of the context menu misses the fact that, with your average 104-key keyboard, there's a context menu button that will call up the context menu and bypass their "protection"...
    Whahuh? So *that's* what this odd hieroglyph means. And I've been wondering about this for years! I can understand what the Windows keys do - you remap Compose/MultiKey in it - but never quite figured out what possible use this other key would be... obviously, it was all part of Microsoft's ingenious evil plan: When people finally figure out what it does, all anti-right-click-script-makers will go bankrupt!
    Why didn't you just press it to see what it does?



  • You don't know that it's dangerous to press that big red button when you don't know what it does?

     

    I guess someone should tell RCR's author how to use CSS.



  • On CodeLock: I know lots of managers who would pay for stuff like that because instead of hiring good programmers (which are expensive), they'd rather go through "learn PHP in 7 days!" courses and do the company's stuff themselves. Of course, none of said managers are IT managers. Also, said companies are always the small ones which never grow (or which hire actual IT professionals when they do).



  • @Rodyland said:

    Disable javascript, oh there we go, context menu and text selection are back.


    The problem with that method is now ALL scripting is disabled, which can make some sites non-functional.

    The browser I use, Opera 9, solves that problem.

    Tools -> Preferences -> Content -> JavaScript Options... -> Allow script to receive right clicks



  • @Evo said:

    Ok, I just spent some time looking into it again. Just for fun. And it was still as bad as I remember.

    ... really long post

    That is truly worthy of a front page. 

    All I can say: who the hell designed that?

     



  • @AbbydonKrafts said:

    The problem with that method is now ALL scripting is disabled, which can make some sites non-functional.

    The browser I use, Opera 9, solves that problem.

    FFX as well, in a short list of JS allowings.

    I allow JS control over the context menu, though, because otherwise java applications that make use of it will be hell to use.



  • @Welbog said:

    @WWWWolf said:
    @BPFH said:
    Not to mention that every script I've ever seen that purports to disallow use of the context menu misses the fact that, with your average 104-key keyboard, there's a context menu button that will call up the context menu and bypass their "protection"...
    Whahuh? So *that's* what this odd hieroglyph means. And I've been wondering about this for years! I can understand what the Windows keys do - you remap Compose/MultiKey in it - but never quite figured out what possible use this other key would be... obviously, it was all part of Microsoft's ingenious evil plan: When people finally figure out what it does, all anti-right-click-script-makers will go bankrupt!
    Why didn't you just press it to see what it does?

    Usually, my first thoughts tend to be "Gee, what does this button do? My guess is that in Windows, it does something annoying and useless, in Linux, it does nothing (and rigs the space-death-ray satellites with deadly explosives)? Better not touch it."

    In IT industry, curiosity is only good if you have good documentation theoretically at hand (as in "after the smoke clears, you read the manual"), otherwise, it's asking for trouble. =)



  • @tchize said:

    Right Click revenue is not secure, it's designed to make revenue 

    The best part is this site, where he clearly says:

    • Now that's security at a price larger then I was willing to pay.
    • I went straight to the drawing board and began developing my own security product.
    • Enhance my website's Security
    • That's exactly what Right Click Revenue does - increases security and Profits!

    So he mentions security at least 4 times there, yet claims it's not about security? Awesome!



  • @lgeekery said:

    @Evo said:
    Ok, I just spent some time looking into it again. Just for fun. And it was still as bad as I remember.

    ... really long post

    That is truly worthy of a front page. 

    All I can say: who the hell designed that?

    All I can say - and I hate to say it - is that a mod should really remove or severely obfuscate that post. I'm betting Alex hosts his servers in the good ol' US of A, where we have rules against posting details of reverse-engineering copyrighted work. All someone from that place needs to do is file a DMCA shutdown request and Alex would be compelled to at least remove it anyway.


     



  • @sootzoo said:

    All I can say - and I hate to say it - is that a mod should really remove or severely obfuscate that post. I'm betting Alex hosts his servers in the good ol' US of A, where we have rules against posting details of reverse-engineering copyrighted work. All someone from that place needs to do is file a DMCA shutdown request and Alex would be compelled to at least remove it anyway.

     

    Say, know what? You AND the people who wrote DMCA can both go F&%* yourselves. Get a grip



  • Say, know what? I never said I agreed with the premise. I happen to like this site and think it'd be nice not to have some jackass from the aforementioned company spoil the party for all of us, including you, Sunshine.
     



  • To paraphrase - the DMCA is The Actual WTF(TM).  I think we can all agree on that one... ;)



  • @sootzoo said:

    @lgeekery said:
    @Evo said:
    Ok, I just spent some time looking into it again. Just for fun. And it was still as bad as I remember.

    ... really long post

    That is truly worthy of a front page. 

    All I can say: who the hell designed that?

    All I can say - and I hate to say it - is that a mod should really remove or severely obfuscate that post. I'm betting Alex hosts his servers in the good ol' US of A, where we have rules against posting details of reverse-engineering copyrighted work. All someone from that place needs to do is file a DMCA shutdown request and Alex would be compelled to at least remove it anyway.


     

    Hmmm sorry about that, didn't know it was illegal. I just think people ought to know how horrible the product is.
     



  • @Evo said:

    Hmmm sorry about that, didn't know it was illegal.

    It isn't, except in the Corporate States of America. 



  • @lgeekery said:

    To paraphrase - the DMCA is The Actual WTF(TM).  I think we can all agree on that one... ;)
    No more "Real WTFs"(R)(C)(TM) any more?



  • @sootzoo said:

    All I can say - and I hate to say it - is that a mod should really remove or severely obfuscate that post. I'm betting Alex hosts his servers in the good ol' US of A, where we have rules against posting details of reverse-engineering copyrighted work. All someone from that place needs to do is file a DMCA shutdown request and Alex would be compelled to at least remove it anyway.

    As I understand it, the DMCA takedown provision doesn't do anything until the IP holder sends a takedown notice. Even then, all it requires is removal of the offending info, not shutting down the site. So let's not get carried away, mmmkay?



  • Ctrl+A, Ctrl+C, Ctrl+V into, say Microsoft Word.

    This gives you the page with lines like:
     { INCLUDEPICTURE "http://www.rightclickrevenue.com/images/right-click-revenue-header.jpg" \* MERGEFORMATINET }

     

    Copy that URL into your browser, and right-click copy that image to your heart's content. 



  • @Irrelevant said:

    @sootzoo said:
    All I can say - and I hate to say it - is that a mod should really remove or severely obfuscate that post. I'm betting Alex hosts his servers in the good ol' US of A, where we have rules against posting details of reverse-engineering copyrighted work. All someone from that place needs to do is file a DMCA shutdown request and Alex would be compelled to at least remove it anyway.
    As I understand it, the DMCA takedown provision doesn't do anything until the IP holder sends a takedown notice. Even then, all it requires is removal of the offending info, not shutting down the site. So let's not get carried away, mmmkay?

    In fact, that part of the DMCA is the "good" part and the main reason why it was passed. It's more commonly known as the "safe harbour" provision. The essential property of it is that if you follow the safe harbour procedure correctly, then you cannot be prosecuted for any content that was placed on a server you operate, if you yourself did not place it there. It's designed so that ISPs are not liable for things their customers do.

    The procedure says, roughly, that if you receive a takedown notice then you must (a) remove the content named in the notice, and (b) inform the responsible customer what you have done and pass on the notice. If the customer sends you back a counter-notice saying that the takedown notice was wrong, then you must (a) replace the content that you removed, and (b) pass on the counter-notice to the return address on the takedown notice. You must perform all of these steps correctly, including the part about replacing content, in order to be protected from prosecution. You have no obligations if you receive a document that claims to be a takedown notice but does not fulfill the requirements in the DMCA (which contains a list of things the notice must include in order to be valid), and you are free to ignore any notice if you believe that the person who sent it couldn't prosecute you anyway. If you provide any more information than this to the party who sent the takedown notice, your customer may sue you for that - a takedown notice is not a subpoena - so it's a good idea to restrict yourself to forwarding the original documents and otherwise stay out of it.

    You may think of a takedown notice as saying "I pledge not to prosecute you" rather than "I order you to do this". Some of the companies who send them do not understand this and should be derided as publicly as possible. They have absolutely no force when sent to any non-US entity. They do not constitute a cease-and-desist order.

    The rest of the act is evil; they were put in one act in order to get the evil passed, in the usual tradition of US lawmaking abuses.



  • @lgeekery said:

    To paraphrase - the DMCA is The Actual WTF(TM).  I think we can all agree on that one... ;)

    qft+1bajillion



  • @asuffield said:

    @Irrelevant said:

    @sootzoo said:
    All I can say - and I hate to say it - is that a mod should really remove or severely obfuscate that post. I'm betting Alex hosts his servers in the good ol' US of A, where we have rules against posting details of reverse-engineering copyrighted work. All someone from that place needs to do is file a DMCA shutdown request and Alex would be compelled to at least remove it anyway.

    As I understand it, the DMCA takedown provision doesn't do anything until the IP holder sends a takedown notice. Even then, all it requires is removal of the offending info, not shutting down the site. So let's not get carried away, mmmkay?

    In fact, that part of the DMCA is the "good" part and the main reason why it was passed. It's more commonly known as the "safe harbour" provision. The essential property of it is that if you follow the safe harbour procedure correctly, then you cannot be prosecuted for any content that was placed on a server you operate, if you yourself did not place it there. It's designed so that ISPs are not liable for things their customers do.

    The procedure says, roughly, that if you receive a takedown notice then you must (a) remove the content named in the notice, and (b) inform the responsible customer what you have done and pass on the notice. If the customer sends you back a counter-notice saying that the takedown notice was wrong, then you must (a) replace the content that you removed, and (b) pass on the counter-notice to the return address on the takedown notice. You must perform all of these steps correctly, including the part about replacing content, in order to be protected from prosecution. You have no obligations if you receive a document that claims to be a takedown notice but does not fulfill the requirements in the DMCA (which contains a list of things the notice must include in order to be valid), and you are free to ignore any notice if you believe that the person who sent it couldn't prosecute you anyway. If you provide any more information than this to the party who sent the takedown notice, your customer may sue you for that - a takedown notice is not a subpoena - so it's a good idea to restrict yourself to forwarding the original documents and otherwise stay out of it.

    You may think of a takedown notice as saying "I pledge not to prosecute you" rather than "I order you to do this". Some of the companies who send them do not understand this and should be derided as publicly as possible. They have absolutely no force when sent to any non-US entity. They do not constitute a cease-and-desist order.

    The rest of the act is evil; they were put in one act in order to get the evil passed, in the usual tradition of US lawmaking abuses.

    Great, that sounds like it covers Alex's ISP. What about him? Or the original poster?  I can only assume one of the two is a US citizen and 100% actionable defendant.

    I assume much of what happens here is of little concern to most IP holders, who I doubt would normally even take notice (until perhaps the forum pagerank started to climb). And most small businesses aren't exactly litigious by nature. But this is a site that essentially traffics in trade secrets, and without the relatively small blip this site rates on most companies' radar - and thanks to clever obfuscation, I assume - I have always presumed there's little risk of anyone associated with TDWTF coming under serious legal pressure. But even then, I was somewhat amazed at the level of detail the OP went into when circumventing the product and got worried. And while I recognize that the entire site would not be shut down thanks to the fucking DMCA, I'd still hate to see Alex or anyone else have to spend one penny more on legal advice than they currently do (which I hope is nearly zero). I think it's prudent not to have a "fuck it" attitude about it all, is what I'm saying.

    Some folks (who I assume took me as some USian fascist demanding you all cease and desist or I'd have you disappeared) apparently think otherwise. Let me know how that works out for you.



  • @sootzoo said:

    Great, that sounds like it covers Alex's ISP. What about him?

    There is no difference between the two. The safe harbour provision says nothing about ISPs specifically, it applies to anybody acting like a "common carrier".

     

    Or the original poster?

    He is on his own. Not your problem, and I can't say that I care either.


    I can only assume one of the two is a US citizen and 100% actionable defendant.

    If you live in the US, you're screwed. Doesn't matter what you do. If somebody with money hates you, you're going to spend six months giving all your money to lawyers and then go to jail. 

     

    But this is a site that essentially traffics in trade secrets, and without the relatively small blip this site rates on most companies' radar - and thanks to clever obfuscation, I assume - I have always presumed there's little risk of anyone associated with TDWTF coming under serious legal pressure.

    Even in the US, nothing that is normally on this site is even remotely illegal, and it still wouldn't be if people didn't do the silly "protect idiots so they can breed faster" anonymisation thing. The only legal pressure possible is the normal corruption of the US legal system by those with money.

     

    But even then, I was somewhat amazed at the level of detail the OP went into when circumventing the product and got worried. And while I recognize that the entire site would not be shut down thanks to the fucking DMCA, I'd still hate to see Alex or anyone else have to spend one penny more on legal advice than they currently do (which I hope is nearly zero).

    You might as well pack up your bags and go home. The fundamental purpose of the site will annoy idiots. No variation in the details will change that. If one of them happens to be rich, any of you living in the US are screwed, and the rest of us will be laughing all the way to a new server somewhere saner. If you don't like it, kill your congresscritter. Preferably slowly.

     

    I think it's prudent not to have a "fuck it" attitude about it all, is what I'm saying.

    My point being that it doesn't matter what attitude you have, so you may as well say fuck it.



  • @WWWWolf said:

    @Welbog said:
    @WWWWolf said:
    @BPFH said:
    Not to mention that every script I've ever seen that purports to disallow use of the context menu misses the fact that, with your average 104-key keyboard, there's a context menu button that will call up the context menu and bypass their "protection"...
    Whahuh? So that's what this odd hieroglyph means. And I've been wondering about this for years! I can understand what the Windows keys do - you remap Compose/MultiKey in it - but never quite figured out what possible use this other key would be... obviously, it was all part of Microsoft's ingenious evil plan: When people finally figure out what it does, all anti-right-click-script-makers will go bankrupt!
    Why didn't you just press it to see what it does?

    Usually, my first thoughts tend to be "Gee, what does this button do? My guess is that in Windows, it does something annoying and useless, in Linux, it does nothing (and rigs the space-death-ray satellites with deadly explosives)? Better not touch it."

    In the IT industry, curiosity is only good if you have good documentation theoretically at hand (as in "after the smoke clears, you read the manual"); otherwise, it's asking for trouble. =)

    Which is why you test it on somebody else's machine. 



  • @WWWWolf said:

    @Welbog said:
    @WWWWolf said:
    @BPFH said:
    Not to mention that every script I've ever seen that purports to disallow use of the context menu misses the fact that, with your average 104-key keyboard, there's a context menu button that will call up the context menu and bypass their "protection"...
    Whahuh? So that's what this odd hieroglyph means. And I've been wondering about this for years! I can understand what the Windows keys do - you remap Compose/MultiKey in it - but never quite figured out what possible use this other key would be... obviously, it was all part of Microsoft's ingenious evil plan: When people finally figure out what it does, all anti-right-click-script-makers will go bankrupt!
    Why didn't you just press it to see what it does?

    Usually, my first thoughts tend to be "Gee, what does this button do? My guess is that in Windows, it does something annoying and useless, in Linux, it does nothing (and rigs the space-death-ray satellites with deadly explosives)? Better not touch it."

    To be specific:

    In Windows, it pops up the right-click menu of the currently focused item (in Firefox's crazy "almost native" GUI, it does so at the insertion point, or at the upper left if there is no caret. In native apps, it does so typically at the center of the control). Shift-F10, incidentally, does the same.

    In Linux (any Unix), by default it emits the keysym "Menu" - which does various application-dependent things (in GNOME/KDE stuff, I suspect it pops up the context menu. In Emacs, it maps to M-x). There's a useless escape code it maps to in some terminal emulators, ESC [ 33 ~ or something. You could map it to something in whatever console app you use, if you figure out the right escape code [I'm not sure 33 is the right number, I typed that from memory, and different terminals are possibly different].



  • @Random832 said:

    In Windows, it pops up the right-click menu of the currently focused item (in Firefox's crazy "almost native" GUI, it does so at the insertion point, or at the upper left if there is no caret. In native apps, it does so typically at the center of the control). Shift-F10, incidentally, does the same.

    Anecdote:

    I once pressed a context key (or button -- don't remember) while FFX was in the middle of doing some page loady-unloady stuff.

    The result was a super context menu that contained all possible menu items FFX contains. It had the scroll arrows because it didn't fit on screen.



  • @dhromed said:

    @Random832 said:

    In Windows, it pops up the right-click menu of the currently focused item (in Firefox's crazy "almost native" GUI, it does so at the insertion point, or at the upper left if there is no caret. In native apps, it does so typically at the center of the control). Shift-F10, incidentally, does the same.

    Anecdote:

    I once pressed a context key (or button -- don't remember) while FFX was in the middle of doing some page loady-unloady stuff.

    The result was a super context menu that contained all possible menu items FFX contains. It had the scroll arrows because it didn't fit on screen.

    XUL, baby. The best thing to do is to cross the streams. 



  • @asuffield said:

    @dhromed said:

    @Random832 said:

    In Windows, it pops up the right-click menu of the currently focused item (in Firefox's crazy "almost native" GUI, it does so at the insertion point, or at the upper left if there is no caret. In native apps, it does so typically at the center of the control). Shift-F10, incidentally, does the same.

    Anecdote:

    I once pressed a context key (or button -- don't remember) while FFX was in the middle of doing some page loady-unloady stuff.

    The result was a super context menu that contained all possible menu items FFX contains. It had the scroll arrows because it didn't fit on screen.

    XUL, baby. The best thing to do is to cross the streams. 

    FFX: "I DON'T KNOW. HERE! TAKE IT! AARGH!"
     

