Slashdot Mirror


MS Security: On A Path As Clear As It Is Reliable

bobthemonkey13 writes: "It appears that Microsoft's 'secure' E-Book system has been cracked. MIT Technology Review is reporting that an anonymous programmer has figured out how to bypass the 'advanced antipiracy features' in Microsoft Reader. This sounds a lot like what Dmitry did except for two things: The MS E-Book hacker has (wisely) decided to remain anonymous, and he's not publishing his program. God bless the U.S., where moving a book from your home to your office is a federal offence." Along similar lines, an Anonymous Coward indicates this story at USA Today titled "Expert Hacks Hotmail in 1 Line of Code." "I'm in awe! Unless someone can figure out how to execute pseudocode or half a line this isn't beatable. I hope this gets fixed or the whole future of pay-per-view web services could be impacted. :-q" Good thing Microsoft isn't quite sure what to do with all this universal-password stuff. (Thanks to Sacha Prins.)

Jamie adds:

In other news about poor security where you least expect it, Kitetoa informed Veridian a little while ago that: "Any script kiddy can root your web site. And... By the way... Someone already did it (as you should have seen at www.veridian.com/upload/ if you knew anything about internet security)."

I don't know what that URL gives you now, but as of this writing, and for the last several hours, it's read:

fuck USA Government
fuck PoizonBOx
contact:sysadmcn@yahoo.com.cn

This is the same Veridian that the Defense Department picked to track computer network attacks on DoD systems, specifically attacks coming from China.

5 of 360 comments

  1. Re: Linux distros getting *much* better by peterw · · Score: 2, Informative
    ...most notably, Red Hat Linux 7.1 and 7.2 (beta) default to setting up a packet filter (albeit a somewhat lame ipchains-based filter even though they could have used iptables/netfilter) at install time. A standard/default RH 7.1 install (even a "full" install) would be in pretty good shape, at least vis-a-vis network attacks. Local/console attacks are another matter, as they are for any system.

    A year ago I would have been much more inclined to agree with you... but it's kinda funny. As time goes on, Windows seems to have more network services, and more problems, while Linux distros are becoming more sane and simple, following OpenBSD's lead...

  2. Re:Hack hotmail in one line of code by Anonymous Coward · · Score: 1, Informative

    Connect to the hotmail web server and send it a completely random string of bytes. Over a long enough period of time (like age of universe) it will eventually hit the bytes which hack hotmail

    like the infinite monkey / typewriters thing

  3. Re:Cross-site scripting?? by Ramses0 · · Score: 5, Informative
    A lot of interactive websites can take user input (like slashdot did when you typed in your comment). A lot of times, they'll even redisplay it for you (like when you click preview).

    Most of the time, when you let users type something, you don't mind showing it back to them (they typed it after all). But with cross-site scripting, when you visit www.haxor.com, they'll provide you a link to www.phpnuke.org, but take advantage of the fact that phpnuke.org will display whatever that user has typed in.

    Normally this isn't a problem, but there are people who are really good with javascript that can basically email your cookies to somebody@haxor.com after you've clicked that link. Once they've got your cookies, they can usually pretend to be you- submitting comments, stories, etc. Changing passwords. On PHPNuke, this isn't such a bad thing, but I wouldn't want anybody messing with me on my online banking site.

    Take a look at the previous example. I mailed the Nuke authors about 3 months ago telling them about the above problem. No response. Don't use Nuke for anything you want to be secure. The explanation of what just happened is that search.php displayed whatever "query" contained. I stuck a few special bits of html (ie a close bracket) into their search box. When it got re-displayed, I prematurely exited their input field. This gave me free rein to put nifty red font tags onto their page. Imagine that it was evil javascript instead.

    To prevent cross-site scripting attacks, you must remember to escape all untrusted data before displaying it to a user. For PHP, it would be something like: <input type="text" value="<?php echo htmlspecialchars($their_input); ?>">

    The htmlspecialchars function automagically kills all dangerous characters before writing the data, making it much more difficult to attack.

    --Robert
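
The reflected-input problem described in the comment above, as an added example that is not part of the original comment and is not PHPNuke's code: a search field that redisplays "query" unescaped, next to the same field escaped with htmlspecialchars. The function names and the sample query are hypothetical, constructed for illustration.

```php
<?php
// Added example (not PHPNuke's code): a minimal search field that redisplays
// the "query" parameter, first unescaped and then escaped.

// Vulnerable: the raw value is dropped straight into the value attribute,
// so a double quote in the input ends the attribute early.
function render_search_unsafe(string $query): string
{
    return '<input type="text" name="query" value="' . $query . '">';
}

// Hardened: escape for the HTML attribute context. ENT_QUOTES also encodes
// single quotes, which matters if the attribute is ever single-quoted;
// ENT_SUBSTITUTE replaces invalid byte sequences instead of returning "".
function render_search_safe(string $query): string
{
    $escaped = htmlspecialchars($query, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="query" value="' . $escaped . '">';
}

// Constructed input modelled on the comment: close the attribute and the
// tag, then add harmless red font markup.
$query = '"><font color="red">not part of the page</font>';

$unsafe = render_search_unsafe($query);
$safe   = render_search_safe($query);

echo "unsafe: $unsafe\n";
echo "safe:   $safe\n";

// Unsafe output: the <font> tag is live markup outside the input field.
// Safe output: no raw "<" or stray quote survives, so the whole string
// stays inside the value attribute as plain text.
echo 'font tag live in unsafe output: ';
var_dump(strpos($unsafe, '<font color="red">') !== false);
echo 'font tag live in safe output:   ';
var_dump(strpos($safe, '<font') !== false);

// Decoding the escaped value gives back exactly what the user typed,
// so nothing is lost for legitimate searches containing < > " or &.
echo 'round trip preserved:           ';
var_dump(html_entity_decode(
    htmlspecialchars($query, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'),
    ENT_QUOTES,
    'UTF-8'
) === $query);
```

The escaping shown fits HTML text and quoted-attribute contexts only; values written into a script block, a URL, or an unquoted attribute need escaping for that context instead.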

  4. Re:History of screwing over partners? by krmt · · Score: 3, Informative

    Most prominent is IBM. Enough said there.

    Intel. Remember Wintel? Why is Intel so pro Linux now that they're bailing out SuSE?

    Another is Apple. Yes, they were very much in bed together during the development of the Mac. These days it's knife the baby.

    Sun. Java got twisted by Microsoft quite nicely.

    There was also the bootloader story the other day, in which the article talked about the OEMs who got pressured by MS into only having Windows on their computers.

    I'm sure there are others, I'm not so up on the history of MS (I know more about Apple). But I hope this justifies things to you enough.

    The fact is, all the companies you mentioned are small fish, and the small fish are what MS plays nice with or buys out. They're no threat. But when it's a big company that could potentially hold some power over MS, they get fucked over big time. American Express is a big company that's rolling in both money and brand name. As such, they actually have something to worry about in a partnership with MS.

    --

    "I may not have morals, but I have standards."

  5. Up close and personal with the WIPO treaties by hillct · · Score: 3, Informative

    From the cover sheet of the DMCA legislation: Basically, the DMCA is simply the mechanism, within the United States, of implementing the WIPO treaty. Any country that is a signatory to this treaty will be implementing DMCA-like legislation. Just give it some time...

    For those who are unfamiliar with the history of intellectual property law, the EFF has a good primer.

    --CTH

    --

    --Got Lists? | Top 95 Star Wars Line