Jokes aside, the CCCP was created to replace the video playback packs provided by several anime fansub groups in favor of a single reliable pack capable of decoding practically any groups' files - without breaking compatibility for other formats.
Finally, there is the fact that the only videos that have existed in the wild that ever needed it were anime fansubs designed to need it (as we'd already discussed above).
CCCP has the warning signs of a dangerous product. At best, it's likely to cause system problems. It has evangelism from non-technical people to the point of actually using exploits to attempt to make it "necessary" for anime fansubs, It suggests you remove other codecs you have installed and doesn't appear to play nice with the registry and other system components. It appears to be able to mess up content creation tools depending on how it's installed. It has few technical citations from anyone (compared to VLC or mplayer). It has a small userbase centered primarily around a particular community (anime fansubbers and fans). It's not open source (VLC is).
VLC may not be the best, but it's at least trustworthy. I wouldn't trust the software available from CCCP's site one shit. I stand by my professional opinion. There is no reason to install CCCP.
The fact that it was designed to resolve bullshit with fansubbers does not mean it was created by fansubbers. one would think that the impetus for such a solution would have come from the desire for people who actually wanted to watch the anime not to have to deal with all the fansubbers' bullshit.
On the other hand, given the way fansubbers typically act, they probably wanted you to only use their files with their player in order to inflate their egos, so many of them would likely have been against the initial introduction of CCCP.
In any case, even if there was fansubber involvement, the rest of your claims go entirely unsupported.
CCCP is made by fansubbers, not technologists. It's bad software, and they would go out of their way to trick people into thinking they needed it.
Also, I still ask you this:
Also, Rym, with respect to CCCP, is it the pack you have a problem with, or the components?
Do you have a problem with MPC-HC? Do you have a problem with ffdshow?
I have a problem with the pack as a whole (completely unnecessary), as well as the distribution methodology and the way it installs.
You're free to install it. I think it's a stupid thing to do. Give one good reason why, today, anyone should install it over mplayer or VLC.
The pack is mostly just a tool for convenience to save you the effort of installing all of the components separately, though admittedly this does come with the disadvantage of not being able to individually update those components.
You're free to install it. I think it's a stupid thing to do. Give one good reason why, today, anyone should install it over mplayer or VLC
I might have no reason to install CCCP or anything else over VLC, but there has been times when videos haven't played well with VLC and if I ever encounter those situations again I'm glad to know that there are alternatives that I can try.
I have a problem with the pack as a whole (completely unnecessary), as well as the distribution methodology and the way it installs.
You're free to install it. I think it's a stupid thing to do. Give one good reason why, today, anyone should install it over mplayer or VLC.
The pack is mostly just a tool for convenience to save you the effort of installing all of the components separately, though admittedly this does come with the disadvantage of not being able to individually update those components.
Which is a HUGE security hole. No one studies it because it's not commonly used, let alone by technologists, but I would wager CCCP is a vector for infection.
You're free to install it. I think it's a stupid thing to do. Give one good reason why, today, anyone should install it over mplayer or VLC
I might have no reason to install CCCP or anything else over VLC, but there has been times when videos haven't played well with VLC and if I ever encounter those situations again I'm glad to know that there are alternatives that I can try.
Between VLC and mplayer, you should be able to play every video. If you can't, said video is probably encoded incorrectly, at which point you should re-encode it to be more standard or find another source of the file.
The pack is mostly just a tool for convenience to save you the effort of installing all of the components separately, though admittedly this does come with the disadvantage of not being able to individually update those components.
Which is a HUGE security hole. No one studies it because it's not commonly used, let alone by technologists, but I would wager CCCP is a vector for infection.
It's definitely something that ought to be done better, but I think you're exaggerating severely. Considering that this is a piece of software that has absolutely no use for an internet connection, the only significant security concern is whether malware is already included in the installation. Also, with regards to updating, CCCP still updates about as frequently as, say, mplayer anyway, so your point is moot.
Between VLC and mplayer, you should be able to play every video. If you can't, said video is probably encoded incorrectly, at which point you should re-encode it to be more standard or find another source of the file.
Why should you need to have two media players? Also, if your only purpose is to play the file once and another player plays it just fine, how is it not advantageous to do so rather than having to bother to re-encode it or re-download it?
VLC still has some annoying quirks, too. I just tried the latest version and with a default installation of it on my system it still has the issue of the audio stuttering and popping when you pause it, which has been around for quite a while - why haven't they fixed it yet!?
VLC still has some annoying quirks, too. I just tried the latest version and with a default installation it still has the issue of the audio stuttering and popping when you pause it, which has been around for years. That alone is enough to turn me off VLC, to be honest - there is no excuse for it to do that.
What are you even talking about? I have never seen or heard this issue.
VLC still has some annoying quirks, too. I just tried the latest version and with a default installation it still has the issue of the audio stuttering and popping when you pause it, which has been around for years. That alone is enough to turn me off VLC, to be honest - there is no excuse for it to do that.
What are you even talking about? I have never seen or heard this issue.
I messed around a bit and it only happens for certain files, and it could be specific to my system - although I have had it happen on other computers too.
There may well be a simple fix, but what reason do I have to go to the effort of dealing with this bullshit?
VLC still has some annoying quirks, too. I just tried the latest version and with a default installation it still has the issue of the audio stuttering and popping when you pause it, which has been around for years. That alone is enough to turn me off VLC, to be honest - there is no excuse for it to do that.
What are you even talking about? I have never seen or heard this issue.
I messed around a bit and it only happens for certain files, and it could be specific to my system - although I have had it happen on other computers too.
There may well be a simple fix, but what reason do I have to go to the effort of dealing with this bullshit?
My co-worker came up with the best way of describing this.
Just to give VLC a fair shake, I did the whole uninstalling and restarting shebang, and the problem remains; it's also more than just one set of files that the problem occurs on. Sure, I could go do some research and try to find a fix, but why bother?
Considering that this is a piece of software that has absolutely no use for an internet connection, the only significant security concern is whether malware is already included in the installation. Also, with regards to updating, CCCP still updates about as frequently as, say, mplayer anyway, so your point is moot.
How do you think exploits work? The type of exploit I would use against something like CCCP would involve a malformed video file, not a network connection.
How do you think exploits work? The type of exploit I would use against something like CCCP would involve a malformed video file, not a network connection.
Yes, I realised you were suggesting attack via video files, but I see little reason to believe this is a major threat, nor do I see reason to think CCCP would be significantly more susceptible to such.
For comparison purposes, I also tried mplayer. Apparently, they don't really put much effort at all into making Windows distributions; the most up-to-date version I could find was the one bundled with SMPlayer. My first impression of it is that it's definitely better than VLC - it doesn't do the Michigan J. Frogging, and it also has the additional feature of using the arrow keys to skip back and forth a small amount, which is a feature that I use occasionally and find useful. One thing I noticed was that it doesn't switch to fullscreen very cleanly; if you fullscreen it when paused, rather than displaying the same frame in fullscreen it trips out and typically keeps displaying the previous smaller size. There was also slight but noticeable dropping of frames on a ~6GB 1080p movie file.
So, why should I use either of these alternatives when CCCP has never had any of these issues for me? On a Linux system I'd be using command-line mplayer, but on this PC I don't see why it's worth it for me to deal with minor issues that I don't have to deal with.
However, since I do respect your knowledge and your advice, Rym: If you think CCCP is legitimately dangerous and your argument isn't just hyperbole, I'd be perfectly willing to take your advice if you suggest a good alternative.
How do you think exploits work? The type of exploit I would use against something like CCCP would involve a malformed video file, not a network connection.
Yes, I realised you were suggesting attack via video files, but I see little reason to believe this is a major threat, nor do I see reason to think CCCP would be significantly more susceptible to such.
Small, unprofessional project that's a not open source and is a hodge-podge of packages from other projects, written only for Windows? And you don't see how it would be more susceptible to exploits?
Also, video is considered "completely safe" by almost all computer users. It's the perfect vector for attack, as people download the shadiest shit without care. PDFs were the same way for most people, as were Excel spreadsheets.
Also, video is considered "completely safe" by almost all computer users. It's the perfect vector for attack, as people download the shadiest shit without care. PDFs were the same way for most people, as were Excel spreadsheets.
Indeed. It was an exploit-laden Excel spreadsheet that got RSA hacked.
How do you think exploits work? The type of exploit I would use against something like CCCP would involve a malformed video file, not a network connection.
Yes, I realised you were suggesting attack via video files, but I see little reason to believe this is a major threat, nor do I see reason to think CCCP would be significantly more susceptible to such.
Small, unprofessional project that's a not open source and is a hodge-podge of packages from other projects, written only for Windows? And you don't see how it would be more susceptible to exploits?
I said "significantly more", not "more".
Also, video is considered "completely safe" by almost all computer users. It's the perfect vector for attack, as people download the shadiest shit without care. PDFs were the same way for most people, as were Excel spreadsheets.
Indeed - nothing is "completely safe". However, with regards to taking vectors for attack, I think attempting to find security holes in video players would take a lot more effort than just aiming at any other of the myriad ways in which the lowest common denominator expose themselves.
Indeed - nothing is "completely safe". However, with regards to taking vectors for attack, I think attempting to find security holes in video players would take a lot more effort than just aiming at any other of the myriad ways in which the lowest common denominator expose themselves.
I actually think it would be pretty awesome to make a really good exploit of a video player.
Excel spreadsheets and pdfs were dangerous because both Excel and Adobe Reader are interpreters/compilers and executers of code that is in data files. Excel Macros, Postscript, Javascript can all be put in the file to get the software to do all sorts of things.
Video players do not do this. They read frames of data and display them. However, because it is an application where performance is important, video players are usually written in C/C++. Also video players will have elevated privileges and or low/level access to the GPU/video system. It would be pretty cool to buffer overflow a video player and then trick the video card into displaying fake password inputs, or a perfect Windows lock screen, or who knows what else.
Also, there might be fancy features in some video players that do allow some manner of code execution, such as interactive DVD menus or dynamic software subtitles.
The first person to pull this off has to use the Ring video. Watch it and your computer dies!
I actually think it would be pretty awesome to make a really good exploit of a video player.
I haven't heard of any exploits using video players per se, but I have definitely heard of ones going after image viewers with specially formatted JPG files and such. They pretty much fall into the standard "buffer overflow leading to executing code leading to other nastiness" camp.
Interestingly enough, the Excel hack that compromised RSA was a bit more interesting than just a direct Excel exploit. Apparently, Excel had a "feature" where it could execute Flash content embedded in an Excel file (not sure if this was a deliberate feature in Excel or a bug). The hacker sent various targets at RSA an Excel file (with a name like "Hiring goals for this year.xls" or something along those lines) with a malicious embedded Flash file via email. Someone opened the file, Excel executed the Flash content, and the Flash content used a Flash exploit to root the box. Once the local box was rooted, it then opened a back door through the corporate firewall that allowed the hackers to send other malicious payloads through to exploit other systems on RSA's network. While I can't agree with the motivations for this, I have to admire the cleverness of the hackers here for using this combination of vectors to do their damage.
One upon a time (back in the early to mid 90s), I used to tell people that opening image files and such was always safe. Then again, that was the general rule of thumb back then, when people thought only executables could be malicious (with the exception of Word macro viruses, which were known back then and considered the "exception to the rule"). It wasn't until the late 90s/early 2000s that buffer overflows and such starting making the news and demonstrated that even data files could be malicious.
Did a quick search over on Insecure.org/SecLists.org (it's safe -- it's run by the guy who wrote Nmap) for video player exploits out of curiosity. There are a quite a few that turned up. Here's a sampling:
I only picked out a few that were directly exploitable by the video files themselves. There were a few others related to hackers hijacking the codec DLLs with malicious ones, but since these don't work through the video files themselves, I didn't list them here.
Do you think CCCP would notice if one of their developers snuck in some evil codec DLLs as part of a valid patch?
Probably not. Also, given how the DLL hijacking exploits basically came down to insecurely looking up the paths to the various plugins/DLLs/etc., I wouldn't be surprised of many of the CCCP-bundled DLLs and other software were subject to this sort of hijacking due to lazy programming and/or not making sure the actual bundled DLLs are up to date.
Comments
http://www.freewaregenius.com/2007/02/09/cccp-codec-pack/
There's also the notes on their own faq: Finally, there is the fact that the only videos that have existed in the wild that ever needed it were anime fansubs designed to need it (as we'd already discussed above).
CCCP has the warning signs of a dangerous product. At best, it's likely to cause system problems. It has evangelism from non-technical people to the point of actually using exploits to attempt to make it "necessary" for anime fansubs, It suggests you remove other codecs you have installed and doesn't appear to play nice with the registry and other system components. It appears to be able to mess up content creation tools depending on how it's installed. It has few technical citations from anyone (compared to VLC or mplayer). It has a small userbase centered primarily around a particular community (anime fansubbers and fans). It's not open source (VLC is).
VLC may not be the best, but it's at least trustworthy. I wouldn't trust the software available from CCCP's site one shit. I stand by my professional opinion. There is no reason to install CCCP.
On the other hand, given the way fansubbers typically act, they probably wanted you to only use their files with their player in order to inflate their egos, so many of them would likely have been against the initial introduction of CCCP.
In any case, even if there was fansubber involvement, the rest of your claims go entirely unsupported. Also, I still ask you this:Do you have a problem with MPC-HC? Do you have a problem with ffdshow?
You're free to install it. I think it's a stupid thing to do. Give one good reason why, today, anyone should install it over mplayer or VLC.
There may well be a simple fix, but what reason do I have to go to the effort of dealing with this bullshit?
Your VLC is Michigan J. Frogging.
My first impression of it is that it's definitely better than VLC - it doesn't do the Michigan J. Frogging, and it also has the additional feature of using the arrow keys to skip back and forth a small amount, which is a feature that I use occasionally and find useful.
One thing I noticed was that it doesn't switch to fullscreen very cleanly; if you fullscreen it when paused, rather than displaying the same frame in fullscreen it trips out and typically keeps displaying the previous smaller size.
There was also slight but noticeable dropping of frames on a ~6GB 1080p movie file.
So, why should I use either of these alternatives when CCCP has never had any of these issues for me? On a Linux system I'd be using command-line mplayer, but on this PC I don't see why it's worth it for me to deal with minor issues that I don't have to deal with.
However, since I do respect your knowledge and your advice, Rym: If you think CCCP is legitimately dangerous and your argument isn't just hyperbole, I'd be perfectly willing to take your advice if you suggest a good alternative.
Also, video is considered "completely safe" by almost all computer users. It's the perfect vector for attack, as people download the shadiest shit without care. PDFs were the same way for most people, as were Excel spreadsheets.
Excel spreadsheets and pdfs were dangerous because both Excel and Adobe Reader are interpreters/compilers and executers of code that is in data files. Excel Macros, Postscript, Javascript can all be put in the file to get the software to do all sorts of things.
Video players do not do this. They read frames of data and display them. However, because it is an application where performance is important, video players are usually written in C/C++. Also video players will have elevated privileges and or low/level access to the GPU/video system. It would be pretty cool to buffer overflow a video player and then trick the video card into displaying fake password inputs, or a perfect Windows lock screen, or who knows what else.
Also, there might be fancy features in some video players that do allow some manner of code execution, such as interactive DVD menus or dynamic software subtitles.
The first person to pull this off has to use the Ring video. Watch it and your computer dies!
Interestingly enough, the Excel hack that compromised RSA was a bit more interesting than just a direct Excel exploit. Apparently, Excel had a "feature" where it could execute Flash content embedded in an Excel file (not sure if this was a deliberate feature in Excel or a bug). The hacker sent various targets at RSA an Excel file (with a name like "Hiring goals for this year.xls" or something along those lines) with a malicious embedded Flash file via email. Someone opened the file, Excel executed the Flash content, and the Flash content used a Flash exploit to root the box. Once the local box was rooted, it then opened a back door through the corporate firewall that allowed the hackers to send other malicious payloads through to exploit other systems on RSA's network. While I can't agree with the motivations for this, I have to admire the cleverness of the hackers here for using this combination of vectors to do their damage.
One upon a time (back in the early to mid 90s), I used to tell people that opening image files and such was always safe. Then again, that was the general rule of thumb back then, when people thought only executables could be malicious (with the exception of Word macro viruses, which were known back then and considered the "exception to the rule"). It wasn't until the late 90s/early 2000s that buffer overflows and such starting making the news and demonstrated that even data files could be malicious.
- Microsoft Windows Media Player DVR-MS Buffer Overflow Vulnerability
- Total video player 1.3.7 local buffer overflow universal exploit
- Microsoft Windows Intel Indeo Codec Parsing Heap Overflow Vulnerability
I only picked out a few that were directly exploitable by the video files themselves. There were a few others related to hackers hijacking the codec DLLs with malicious ones, but since these don't work through the video files themselves, I didn't list them here.