Real Player totally insecure or?

Good Morning,

I wanted to get the real facts about Real Player, and there must be thousands of posts, well at least many hundreds. I don't have 10 hours to pore over them, and I think my Thread name might save others a lot of time as well.

Is Real Player the functional equivalent of spyware? In other words does it pass credit card info over the Internet in the clear, or does it use authentication and encryption for the data, or at least the personal information such as credit card info etc. It does use https... If one opens and closes the proper ports on their router/firewall can it be used safely, or is it an open hole that blackhats can drive a truck through?

Please don't flame me, there is far too much flaming going on in this group already. I don't understand why people who believe in firewalls, and want security need to start off posts by calling each other names!?!

Can't we work together? (no need to post an answer to that question)

Could someone who knows post the actual threats, weakness, etc... Just the facts please!

Thanks, DRyan

Reply to
DrSpock

The fact is you neither need nor want Realplayer. There are plenty of better, free, alternatives. Look around, or ask in alt.comp.freeware.

Cheers,

Roy

Reply to
Slarty

No. Why do you think so?

It doesn't pass any data at all, except if you want it. If so, then payment information for the costly variants of RealPlayer is secured via SSL.

Yes, it is safe. Why do you think it would be different? RealPlayer sometimes has some very strange and critical holes, but they're rare and usually patched very fast.

Actually you should provide your real name in the From: header

Why don't you do a little search on SecurityFocus and the like? It gives you a good clue about RealPlayer's bug history.

Reply to
Sebastian Gottschalk

IBTD. What would you use to play realmedia files in your web browser? VLC's plugin isn't a good alternative. RealAlternative/Lite is basically the RealPlayer core.

For general playback, of course, RealPlayer is just one bad alternative among many.

And which of those play realmedia files without invoking an instance of RealPlayer? Only VLC and mplayer.

Reply to
Sebastian Gottschalk

I think you've answered your own question.

As to RealAlt, I've seen that issue discussed time after time here and elsewhere. It certainly uses the Realplayer engine, but I've never seen any conclusive evidence to show anything about malicious or unwanted side effects. It does leave some 'interesting' registry entries though. Try searching for the word 'rotuma'. These sometimes appear after usage, particularly if you've been to the BBC pages. Figure that one out. It doesn't deter me from using it though. I'd be very interested to hear if you know more or better though.

Cheers,

Roy

Reply to
Slarty

Two are not plenty, but rather few.

Well, it inherits almost any security problem from RealPlayer.

Reply to
Sebastian Gottschalk

Not in my experience. And I've been using it rather a long while now through many versions.

Cheers,

Roy

Reply to
Slarty

I didn't think that it was necessarily, but when I saw all those hundreds of posts it caught my attention. A few weeks ago I used a "free wireless Internet" here in the Silicon Valley and had to remove 150 spyware/adware programs and trojans from my brand new notebook. Last week I installed PalTalk with similar results. There were hundreds of postings about RealPlayer and I wanted to get one technical summary of the vulnerabilities.

Thank You for taking the time to reply!

This was another concern of mine, as I was updating my personal info on one screen and noticed that it was using http rather than https. I assume from what you said that you get carried to an SSL session for credit card info.

Why? I have personal reasons for not wanting to do that. And please don't take offense but when I clicked on your profile it was blank... :-)

Is this a standard that the majority on this list follow, or a feeling of yours? If it is some kind of new emerging "standard" I will consider it, but it does seem like an infringement on my freedom.

That was where I discovered the hundreds of posts. I am grateful for your post but for all I know you work for RealPlayer, or wrote the program. Sorry, but it is my job to be suspicious. ;-) At any rate thank you again for your post!

DRyan

Reply to
DrSpock

Because it's written in an RFC. Of course, there have been discussions about what a "real name" actually is. In the de.* hierarchy, this is supposed to be the full name. In general hierarchies, the prename should be sufficient. You may add pseudonyms or nicknames as well. In any case, you're already quite competent to provide a real eMail address.

What profile? Clicked where? Oh no, not again a Google Groups dummy who doesn't understand the difference between Usenet and a web forum...

It is a social manner to talk to people by their names. After all, you're always free to not follow these rules, but then you have to accept that more people are filtering out your postings.

Well, strictly pseudonymous or even anonymous postings are tolerated at specific places, e.g. when talking about sexuality, various not widely tolerated activities, or when living in a country that doesn't care much about human rights.

Hint: The ones with "Re:" are just answers to the original posting. Anyway, RealPlayer seems to have a good bug history. Most bugs only exist in optional components and are fixed soon.

And none of these are discussions about RealPlayer being spyware. Of course, the competent people do understand that spyware rarely exists at all.

Reply to
Sebastian Gottschalk

This is your problem, not the Real Player. By default many PFWs will treat an unprotected wireless network as a safe network, i.e. your firewall doesn't protect you. So if you have sharing enabled (admin shares as well) and your admin accounts are not password protected, you are a very easy target for a hacker. I'm not an expert, I'm a home user, but this is what I do when I work on an unprotected wireless network. Protect your accounts with a password (including built-in accounts as well), turn off simple sharing and configure permissions, use a limited account. Turn off file and printer sharing and NetBIOS over TCP on your wireless connection; after you are connected, make sure your firewall treats the wireless network as internet. Much more can be done, but that should be enough. You are already a hard target. But this is not all: your communication can be sniffed (Kismet, Ethereal), so if you are transmitting confidential data (better is not to transmit them at all) make sure you are using SSL, HTTPS, i.e. a secure/encrypted protocol. Inform yourself about wireless phishing.

Reply to
alf
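
The checklist in the post above can be checked on a current Windows machine with a read-only script. This is an added example, not part of any post in the thread; it assumes a modern Windows release where the NetAdapter, NetConnection and LocalAccounts PowerShell modules are available, and it does not cover the "simple sharing" setting of older systems.

```powershell
# Added example: read-only audit of the settings listed in the post above.
# Assumption: a current Windows release with the NetAdapter, NetConnection and
# LocalAccounts modules (these did not exist on the systems of the thread's era).

$findings = @()

# Active Wi-Fi adapters (PhysicalMediaType reads "Native 802.11" or similar).
$wifi = Get-NetAdapter -Physical |
    Where-Object { $_.Status -eq 'Up' -and $_.PhysicalMediaType -match '802\.11' }

foreach ($nic in $wifi) {
    # The firewall should treat the wireless network as untrusted ("Public").
    $netProfile = Get-NetConnectionProfile -InterfaceIndex $nic.ifIndex -ErrorAction SilentlyContinue
    if ($netProfile -and $netProfile.NetworkCategory -ne 'Public') {
        $findings += "$($nic.Name): network '$($netProfile.Name)' is categorised $($netProfile.NetworkCategory), not Public"
    }

    # File and Printer Sharing for Microsoft Networks is the ms_server binding.
    $sharing = Get-NetAdapterBinding -Name $nic.Name -ComponentID ms_server -ErrorAction SilentlyContinue
    if ($sharing -and $sharing.Enabled) {
        $findings += "$($nic.Name): File and Printer Sharing is bound to this adapter"
    }

    # NetBIOS over TCP/IP: 0 = follow DHCP, 1 = enabled, 2 = disabled.
    $ipConfig = Get-CimInstance Win32_NetworkAdapterConfiguration -Filter "InterfaceIndex = $($nic.ifIndex)"
    if ($ipConfig -and $ipConfig.TcpipNetbiosOptions -ne 2) {
        $findings += "$($nic.Name): NetBIOS over TCP/IP is not disabled (option $($ipConfig.TcpipNetbiosOptions))"
    }
}

# Enabled local accounts (built-in ones included) that do not require a password.
Get-LocalUser | Where-Object { $_.Enabled -and -not $_.PasswordRequired } | ForEach-Object {
    $findings += "Account '$($_.Name)' is enabled and does not require a password"
}

if ($findings) { $findings } else { 'No findings for the checked settings.' }
```

The script only reads configuration; it changes nothing and says nothing about whether traffic on the network is encrypted.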

Oh Sebastian! LOL you have it confused. I have been managing Usenet news since 1984, I'm one of the last of the breed of UNIX folks who remembers when being called a "hacker" meant you really knew how to code... it's Google Gmail that I'm new to. LOL

Now on to your next statement.... spyware rarely exists at all??? please read at least some of what Wikipedia has to say about spyware: (but of course they are all dummies over there right?)

Spyware is computer software that collects personal information about the user of a computer without his or her informed consent. Coined in 1995, but not widely used until after 2000, the term is often used interchangeably with adware and malware. Spyware is itself a form of malware, which is software designed to infiltrate and intentionally or otherwise damage a computer system without the owner's informed consent.

Spyware utilises a range of techniques in order to record personal information, including logging keystrokes, recording Internet web browsing history, and scanning documents on the computer's hard disk. Spyware is employed for a range of motives, from the overtly criminal (stealing of passwords and financial details) to the merely annoying (recording Internet search history for the purposes of targeted advertising, while consuming computer resources). Spyware can collect many different types of information about a user. Some variants attempt to track what types of websites a user visits and then send this information to an advertising agency. More malicious variants attempt to intercept passwords or credit card numbers as a user enters them into a web form or other application.

An entire industry has built up around combating spyware. There are many programs designed to control spyware by preventing the installation, or if encountered, by detecting then removing it from email or other sources. A number of companies have incorporated forms of spyware into their software, primarily for purposes of advertising. While these types of programs are not considered to be malware, they are still spyware in the sense of watching and observing with advertising in mind, making them a cross between spyware and adware. However such applications are still spying (hence spyware) and advertising (hence adware). It is somewhat arguable whether such 'legitimate' uses of adware/spyware are malware, since the user often has no control over whether these 'legitimate' programs are installed on their computers, are generally unaware that these programs are infringing on their privacy, and in any case these programs still use the computing resources of the host's computer without permission.

Reply to
DrSpock

No, it's rather a big hype.

Now for the question: Does any such exist?

This is, of course, bullshit. A user has full control over what he installs.

And there is at best one proven case where a legitimate or pseudo-legitimate software 'spies' on the user without his consent: ZoneAlarm.

After all, all other known examples are easily debunked as a lack of configuration (hint: if you leave the "allow sending anonymous information" checkbox checked, it will send such information, of course) or lack of information (dude, it's written in the EULA and the privacy policy).

Reply to
Sebastian Gottschalk

Good point Sebastian.

Reply to
DrSpock

Do I smell irony? Of course it's the user's responsibility to inform himself what he installs, even though reading an EULA is cumbersome. Isn't that why tools like EULAlyzer were developed?

After all, one can always choose to install FOSS.

Reply to
Sebastian Gottschalk

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.