Real Player totally insecure or?
on 09.11.2006 18:36:02 by DRyanHawley
Good Morning,
I wanted to get the real facts about Real Player, and there must be thousands of posts, well at least many hundreds. I don't have 10 hours to pore over them, and I think my Thread name might save others a lot of time as well.
Is Real Player the functional equivalent of spyware? In other words does it pass credit card info over the Internet in the clear, or does it use authentication and encryption for the data, or at least the personal information such as credit card info etc. It does use https... If one opens and closes the proper ports on their router/firewall can it be used safely, or is it an open hole that blackhats can drive a truck through?
Please don't flame me, there is far too much flaming going on in this group already. I don't understand why people who believe in firewalls, and want security need to start off posts by calling each other names!?!
Can't we work together? (no need to post an answer to that question )
Could someone who knows post the actual threats, weakness, etc... Just the facts please!
Thanks, DRyan
Re: Real Player totally insecure or?
on 10.11.2006 01:49:46 by Slarty
On 9 Nov 2006 09:36:02 -0800, DrSpock wrote:
> Could someone who knows post the actual threats, weakness, etc... Just
> the facts
> please!
The fact is you neither need nor want Realplayer. There are plenty of
better, free, alternatives. Look around, or ask in alt.comp.freeware.
Cheers,
Roy
Re: Real Player totally insecure or?
on 10.11.2006 05:20:03 by unknown
Post removed (X-No-Archive: yes)
Re: Real Player totally insecure or?
on 10.11.2006 05:22:04 by unknown
Post removed (X-No-Archive: yes)
Re: Real Player totally insecure or?
on 10.11.2006 19:07:42 by Slarty
On Fri, 10 Nov 2006 05:22:04 +0100, Sebastian Gottschalk wrote:
>> There are plenty of better, free, alternatives.
>
> And which of those play realmedia files without invoking an instance of
> RealPlayer? Only VLC and mplayer.
I think you've answered your own question.
As to RealAlt, I've seen that issue discussed time after time here and elsewhere. It certainly uses the Realplayer engine, but I've never seen any conclusive evidence to show anything about malicious or unwanted side effects. It does leave some 'interesting' registry entries though. Try searching for the word 'rotuma'. These sometimes appear after usage, particularly if you've been to the BBC pages. Figure that one out. It doesn't deter me from using it though. I'd be very interested to hear if you know more or better though.
Cheers,
Roy
Re: Real Player totally insecure or?
on 10.11.2006 19:17:44 by unknown
Post removed (X-No-Archive: yes)
Re: Real Player totally insecure or?
on 11.11.2006 02:13:39 by Slarty
On Fri, 10 Nov 2006 19:17:44 +0100, Sebastian Gottschalk wrote:
>> As to RealAlt, I've seen that issue discussed time after time here and
>> elsewhere. It certainly uses the Realplayer engine, but I've never seen any
>> conclusive evidence to show anything about malicious or unwanted side
>> effects.
>
> Well, it inherits almost any security problem from RealPlayer.
Not in my experience. And I've been using it rather a long while now
through many versions.
Cheers,
Roy
Re: Real Player totally insecure or?
on 11.11.2006 03:18:40 by DRyanHawley
Sebastian Gottschalk wrote:
> DrSpock wrote:
>
> > Is Real Player the functional equivalent of spyware?
>
> No. Why do you think so?
I didn't think that it was necessarily, but when I saw all those hundreds of posts it caught my attention.
..
A few weeks ago I used a "free wireless Internet" here in the Silicon Valley and had to remove 150 spyware/adware and trojans from my brand new notebook. Last week I installed PalTalk with similar results. There were hundreds of postings about RealPlayer and I wanted to get one technical summary of the vulnerabilities.
Thank You for taking the time to reply!
>
> > In other words does it pass credit card info over the Internet in
> > the clear, or does it use authentication and encryption for the data,
> > or at least the personal information such as credit card info etc.
>
> It doesn't pass any data at all, except if you want it. If so, then paying
> information for the costly variants of RealPlayer are secured via SSL.
This was another concern of mine, as I was updating my personal info on one screen and noticed that it was using http rather than https. I assume from what you said that you get carried to an SSL session for credit card info.
>
> > If one opens and closes the proper ports on their router/firewall can it
> > be used safely, or is it an open hole that blackhats can drive a truck
> > through?
>
> Yes, it is safe. Why do you think it would be different? RealPlayer
> sometimes has some very strange and critical holes, but they're rare and
> usually patched very fast.
>
> > I don't understand why people who believe in firewalls, and want
> > security need to start off posts by calling each other names!?!
>
> Actually you should provide your real name in the From: header
Why? I have personal reasons for not wanting to do that. And please don't take offense but when I clicked on your profile it was blank... :-)
Is this a standard that the majority on this list follow, or a feeling of yours?
If it is some kind of new emerging "standard" I will consider it, but it does seem like an infringement on my freedom.
>
> > Could someone who knows post the actual threats, weakness, etc...
>
> Why don't you make a little search on SecurityFocus and alikes? Gives you a
> good clue about RealPlayer's bug history.
That was where I discovered the hundreds of posts. I am grateful for your post but for all I know you work for RealPlayer, or wrote the program. Sorry, but it is my job to be suspicious. ;-) At any rate thank you again for your post!
DRyan
Re: Real Player totally insecure or?
on 11.11.2006 05:54:58 by unknown
Post removed (X-No-Archive: yes)
Re: Real Player totally insecure or?
on 11.11.2006 12:52:35 by alf
DrSpock wrote:
> A few weeks ago I used a "free wireless Internet" here in the Silicon Valley and
> had to remove 150 spyware/adware and trojans from my brand new notebook.
This is your problem, not the Real Player. By default many PFW will treat an unprotected wireless network as a safe network, i.e. your firewall doesn't protect you. So if you have sharing enabled (admin shares as well) and your admin accounts are not password protected, you are a very easy target for a hacker.
I'm not an expert, I'm a home user, but this is what I do when I work on an unprotected wireless network.
Protect your accounts with a password (including built-in accounts as well), turn off simple sharing and configure permissions, use a limited account. Turn off file and printer sharing, NetBIOS over TCP from your wireless connection, after you are connected make sure your firewall treats the wireless network as internet, much more can be done but that should be enough. You are already a hard target.
But this is not all, your communication can be sniffed (Kismet, Ethereal) so if you are transmitting confidential data (better is not to transmit them at all) make sure you are using SSL, HTTPS, i.e. a secure/encrypted protocol.
Inform yourself about wireless phishing.
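The settings named in the post above, checked by a read-only audit script. This is an added example, not part of the original thread, and it assumes a current Windows client (Windows 10 or later, PowerShell 5.1 or later, elevated prompt) rather than the systems of 2006; the `$findings` variable and the message texts are illustrative.

```powershell
# Added example: read-only audit of the hardening steps listed in the post above.
# Assumption: Windows 10 or later with the in-box NetConnection, NetSecurity,
# NetAdapter, SmbShare and LocalAccounts modules; run from an elevated prompt.
$findings = @()

# The firewall should treat the current network as "internet": Public category,
# with the Public firewall profile switched on.
foreach ($net in Get-NetConnectionProfile) {
    if ($net.NetworkCategory -ne 'Public') {
        $findings += "Network '$($net.Name)' ($($net.InterfaceAlias)) is $($net.NetworkCategory), not Public"
    }
}
if ((Get-NetFirewallProfile -Name Public).Enabled -ne 'True') {
    $findings += 'Firewall Public profile is disabled'
}

# File and printer sharing (ms_server) and NetBIOS over TCP/IP on wireless adapters.
$wifi = Get-NetAdapter -Physical | Where-Object { $_.PhysicalMediaType -like '*802.11*' }
foreach ($nic in $wifi) {
    $share = Get-NetAdapterBinding -Name $nic.Name -ComponentID ms_server
    if ($share.Enabled) {
        $findings += "File and printer sharing is bound to '$($nic.Name)'"
    }
    $cfg = Get-CimInstance Win32_NetworkAdapterConfiguration -Filter "InterfaceIndex = $($nic.InterfaceIndex)"
    # TcpipNetbiosOptions: 0 = follow DHCP, 1 = enabled, 2 = disabled
    if ($cfg.TcpipNetbiosOptions -ne 2) {
        $findings += "NetBIOS over TCP/IP is not disabled on '$($nic.Name)'"
    }
}

# Enabled local accounts that are allowed to have an empty password.
# PasswordRequired = False means a blank password is permitted, not that one is set.
Get-LocalUser | Where-Object { $_.Enabled -and -not $_.PasswordRequired } | ForEach-Object {
    $findings += "Account '$($_.Name)' is enabled and does not require a password"
}

# User-created shares (administrative shares such as C$ and ADMIN$ have Special = True).
Get-SmbShare | Where-Object { -not $_.Special } | ForEach-Object {
    $findings += "Share '$($_.Name)' exposes $($_.Path)"
}

if ($findings) {
    $findings | ForEach-Object { Write-Warning $_ }
} else {
    Write-Output 'No findings for the checked settings.'
}
```

The script changes nothing; each warning maps to one item in the list above and is corrected through the matching setting.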
Re: Real Player totally insecure or?
on 14.11.2006 04:59:47 by DRyanHawley
Sebastian Gottschalk wrote:
> Oh no, not again a Google Groups dummy who
> doesn't understand the difference between Usenet and a web forum...
Oh Sebastian! LOL you have it confused. I have been managing Usenet news since 1984, I'm one of the last of the breed of UNIX folks who remembers when being called a "hacker" meant you really knew how to code... it's Google Gmail that I'm new to. LOL
Now on to your next statement.... spyware rarely exists at all??? please read at least some of what Wikipedia has to say about spyware: (but of course they are all dummies over there right?)
> course, the competent people do understand that spyware rarely exists at
> all.
Spyware is computer software that collects personal information about
the user of a computer without his or her informed consent. Coined in
1995, but not widely used until after 2000, the term is often used
interchangeably with adware and malware. Spyware is itself a form of
malware, which is software designed to infiltrate and intentionally or
otherwise damage a computer system without the owner's informed
consent.
Spyware utilises a range of techniques in order to record personal
information, including logging keystrokes, recording Internet web
browsing history, and scanning documents on the computer's hard disk.
Spyware is employed for a range of motives, from the overtly criminal
(stealing of passwords and financial details) to the merely annoying
(recording Internet search history for the purposes of targeted
advertising, while consuming computer resources). Spyware can collect
many different types of information about a user. Some variants attempt
to track what types of websites a user visits and then send this
information to an advertising agency. More malicious variants attempt
to intercept passwords or credit card numbers as a user enters them
into a web form or other application.
An entire industry has built up around combating spyware. There are
many programs designed to control spyware by preventing the
installation, or if encountered, by detecting then removing it from
email or other sources. A number of companies have incorporated forms
of spyware into their software, primarily for purposes of advertising.
While these types of programs are not considered to be malware, they
are still spyware in the sense of watching and observing with
advertising in mind, making them a cross between spyware and adware.
However such applications are still spying (hence spyware) and
advertising (hence adware). It is somewhat arguable whether such
'legitimate' uses of adware/spyware are malware, since the user often
has no control over whether these 'legitimate' programs are installed
on their computers, are generally unaware that these programs are
infringing on their privacy, and in any case these programs still use
the computing resources of the host's computer without permission.
Re: Real Player totally insecure or?
on 14.11.2006 08:12:15 by unknown
Post removed (X-No-Archive: yes)
Re: Real Player totally insecure or?
on 15.11.2006 05:03:06 by DRyanHawley
Sebastian Gottschalk wrote:
>
> This is, of course, bullshit. A user has full control over what he
> installs.
>
> (dude, it's written in the EULA and the privacy policy).
Good point Sebastian.
Re: Real Player totally insecure or?
on 15.11.2006 07:52:57 by unknown
Post removed (X-No-Archive: yes)