Slashdot Mirror


MS Security: On A Path As Clear As It Is Reliable

bobthemonkey13 writes: "It appears that Microsoft's 'secure' E-Book system has been cracked. MIT Technology Review is reporting that an anonymous programmer has figured out how to bypass the 'advanced antipiracy features' in Microsoft Reader. This sounds a lot like what Dmitry did except for two things: The MS E-Book hacker has (wisely) decided to remain anonymous, and he's not publishing his program. God bless the U.S., where moving a book from your home to your office is a federal offence." Along similar lines, an Anonymous Coward indicates this story at USA Today titled "Expert Hacks Hotmail in 1 Line of Code." "I'm in awe! Unless someone can figure out how to execute pseudocode or half a line this isn't beatable. I hope this gets fixed or the whole future of pay-per-view web services could be impacted. :-q" Good thing Microsoft isn't quite sure what to do with all this universal-password stuff. (Thanks to Sacha Prins.)

Jamie adds:

In other news about poor security where you least expect it, Kitetoa informed Veridian a little while ago that: "Any script kiddy can root your web site. And... By the way... Someone already did it (as you should have seen at www.veridian.com/upload/ if you knew anything about internet security)."

I don't know what that URL gives you now, but as of this writing, and for the last several hours, it's read:

fuck USA Government
fuck PoizonBOx
contact:sysadmcn@yahoo.com.cn

This is the same Veridian that the Defense Department picked to track computer network attacks on DoD systems, specifically attacks coming from China.

  1. Security: Antonyms: See Microsoft by UnknownSoldier · · Score: 4, Interesting

    The unfortunate thing is that, while it seems "M$ software gets hacked every other month", the general consumer isn't making security (or should I say the lack of it? :) a big deal.

  2. Mommy,I'm Scared by notext · · Score: 4, Interesting

    Every time I read about Hailstorm, I am in shock but at the same time scared.

    First off, I can't believe that Microsoft thinks they should be in control of so much personal information.

    Second, that Microsoft thinks they can somehow keep it safe.

    Third, and this is what scares me. A lot of John Q. Public will give them all this information.

    Better them than me I guess.

    1. Re:Mommy,I'm Scared by FlyingDragon · · Score: 3, Interesting
      Third, and this is what scares me. A lot of John Q. Public will give them all this information.

      Indeed. I was helping some neighbors with a computer issue a couple weeks ago and noticed they had a gator.com utility in the toolbar (Slashdot search seems hosed at the moment, but they came up recently). I asked them about it.

      Basically you enter all of your details (name, mailing address, phone number, etc) and it will automatically fill them in on web forms. Now, ignoring the cross-site scripting fun you could have with this little toy, I just had to ask...

      "So, basically, you give them every marketable piece of information they could want so they can provide it to others automatically?"

      "Yup."

  3. The MS hack by MobyDisk · · Score: 4, Interesting
    It sounds like they used a well-known technique of adding javascript/java/some other active code that nabs information such as URL & cookies into an email. It then uses that info to do something like sending it to an anonymous collection account.

    With new forms of active content being added to web pages all the time, it is amazing that anything with dynamic content. I know that's vague, but that sounds like the gist of it.

  4. Releasing the program is easy. by Restil · · Score: 3, Interesting

    Freenet is not really the only solution if the programmer chose to release the program and not reveal his identity. There are numerous other channels available which will let him preserve his anonymity. The only advantage to Freenet is that it at least has a somewhat legitimate charter, whereas other methods are typically underground and shady.

    But still, if done properly, it could be released and spread without anyone finding out who the author is. The danger is if that person ever told ANYONE about it. If he did, then he's not truly anonymous, and given enough of an incentive, someone might be tempted to talk. At least, without releasing any code, then it's technically all hearsay and a lot less likely to be in violation of some strange law.

    I fear however that this is how it will have to be done in the future if the silly laws don't get overturned. Either that, or some REALLY important sensitive document will have to be cracked and released publicly to the embarrassment of a large organization with a lot of people chanting "we told you so" before those in power might take a second glance and realize that perhaps peer review for security is a good idea after all.

    -Restil

    --
    Play with my webcams and lights here
  5. MS Liability by 4n0nym0u53+C0w4rd · · Score: 3, Interesting

    So, let's say that MS Hailstorm is implemented and within a couple of years, a good portion of users have their data and software settings stored on .Net servers, and can access it with their Passport login and password.

    Now let's say that someone finds another flaw in passport (I know, hard to believe, but go with me here). Needless to say, Hailstorm users will be left vulnerable. The question is, will the Hailstorm and Passport EULA protect MS when it comes to legal liability for a) lost data, and b) copied or stolen data (loss of intellectual property, etc...)

    My guess is that even if they are to blame, MS won't be legally liable. Doesn't sound like a good choice for users...

  6. What's American Express thinking? by krmt · · Score: 3, Interesting

    I don't really know why any large company would sign on for Hailstorm. No one really wants to be tied to any specific vendor for such an important part of their business. Granted, they're already tethered via their desktop PCs, but incorporating Hailstorm into your business plan? You're basically putting your chance of profit in the hands of MS, who has a well known history of screwing over its own partners.

    The problem, as I see it, is that American Express and others can beat their competitors to the punch by being a part of Hailstorm, providing services no one else does, but that goes with extreme risk. I guess that's why they haven't signed a contract with MS yet. It's a tough one for any company.

    --

    "I may not have morals, but I have standards."

    1. Re:What's American Express thinking? by canadian_right · · Score: 2, Interesting

      You use the stolen credit card numbers to turn your BLANK cards into useable cards, and the owner won't notice until he gets his bill. This happens all the time and the credit card people are constantly fighting the smuggling and manufacture of illegal blank credit cards. Until a year or two ago it was legal to import blank credit cards into Canada!

      --
      Anarchists never rule
  7. Worm at Cracked Veridian? by Ferd+Lamarche · · Score: 5, Interesting

    Well, this is strange. I'm sitting on a Windows 98 box with McAfee VShield v4.0.3 installed and virus definition files from 2001/06/13. Whenever I try to go to http://www.veridian.com/upload/ with either IE 4.01 or Netscape 4.70, McAfee pops a warning dialogue saying I have just downloaded a worm called "SunOS/BoxPoison.worm". I also have a small Perl program I can use to perform command-line HTTP downloads, and with it, I can download the page at http://www.veridian.com/upload/ without any problems.

    I'm probably getting the warning because something in the HTML code matches the signature for a known worm. But still, if the message on the site isn't enough to scare people, the warning from their virus scanner certainly will!

    HTTP/1.1 200 OK
    Server: Microsoft-IIS/5.0
    Content-Location: http://www.veridian.com/upload/index.htm
    Date: Fri, 31 Aug 2001 03:51:47 GMT
    Content-Type: text/html
    Accept-Ranges: bytes
    Last-Modified: Wed, 09 May 2001 12:53:30 GMT
    ETag: "6a8163c87d8c01:943"
    Content-Length: 289

    (Slashcode has inserted a few spaces into the following HTML... I hope this doesn't trip your virus scanner...)

    <html><body bgcolor=black><br><br><br>&lt ;br><br><br><table width=100%><td><p align ="center"><font size=7 color=red>fuck USA Government</font><tr><td><p align="cen ter"><font size=7 color=red>fuck PoizonBOx<tr><td><p align="center"><font size=4 color=red>contact:sysadmcn@yahoo.com.cn</htm l>

  8. What tripped your virus scanner... by moogla · · Score: 2, Interesting

    ...was the actual content of the page, which coincides with strings in the actual virus itself that VirusShield is looking for. The virus that infected the machine must carry a copy of the page verbatim inside itself, and that is one of McAfee's clues to finding it.

    --
    Black holes are where the Matrix raised SIGFPE
  9. Microsoft Security Model - implemented via DMCA by hillct · · Score: 3, Interesting

    Microsoft's favorite security model - security through obscurity - has very little to do with Hailstorm and everything to do with the DMCA. Not only does the producer of the security mechanism simply not publish the details of that mechanism, but through the wonders of the DMCA, Microsoft is empowered to enforce their security model by preventing the publication of holes discovered in the security system, thereby maintaining the obscurity.

    Sarcasm aside, does it really matter how secure Hailstorm really is, if Microsoft can sue into oblivion anyone who publicizes or even researches security exploits related to the system...?

    --CTH

    --

    --Got Lists? | Top 95 Star Wars Line
  10. Internal MS security problems by jon_c · · Score: 3, Interesting

    I used to work at Microsoft, MS Press and MS Research. While at research I needed to hack IE so it would forget about ActiveX security, I managed to reckon the registry settings but still had some questions.

    The place to ask questions to other developers internally is via Outlook groups (like usenet), it's surprising there isn't a better channel to converse with other Microsoft developers, maybe there is, but that's all I knew about. Anyway, so I posted a question to the IE-dev group about my problem. The response was surprising, the lead PM of IE started flaming me, telling me about how Microsoft can not have any more exploits in IE, how my manager would be informed etc.

    I guess I should have mentioned that what I was doing was only going to go out to a few select terminally ill users.

    The point I'm trying to make is that Microsoft is a large company made up of many small groups which don't necessarily talk to each other, I'm not saying this in their defense, but it helps explain how so many problems can arise over and over again. Even if I had just gone ahead and implemented this IE hack into something major I don't know who would have held me accountable, as far as I know software does not need to go through a standard security audit, each group has their own QA which will vary wildly.

    -Jon

    --
    this is my sig.
  11. A way to make a person in jail...? by frleong · · Score: 2, Interesting

    Suppose a company hates someone. It can invent a kind of "e-book" security using, say, a modified ROT-13 algorithm. Then challenge openly the guy to crack it. He does that and publishes his results. Now, can the company use the DMCA to put that person in jail?

  12. Re:Cross-site scripting?? by Cheebus · · Score: 2, Interesting

    http://www.apache.org/info/css-security/ has a good explanation and some links.

    The basic example is that you have a web page that asks for the user's name in a text entry field and then displays "Hi [name]"

    I come along and instead of entering my name I end the text entry with "> and then proceed to write javascript or whatever that performs some function on the server. It gets more interesting than that though.
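
The "Hi [name]" page described in the comment above, as an added example that is not part of the original thread: the same greeting rendered with and without output encoding, so the effect of a name beginning with `">` can be compared. All function names and the sample input are constructed for illustration.

```javascript
// Added example: function names are hypothetical, inputs are constructed.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

// Encode the characters that can end an attribute value or open a tag.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable form: the submitted name is pasted as-is into an attribute
// value (the text entry field) and into the page body ("Hi [name]").
function renderGreetingUnsafe(name) {
  return `<form><input type="text" name="name" value="${name}"></form>\n` +
         `<p>Hi ${name}</p>`;
}

// Hardened form: the same template, with the name encoded before insertion.
function renderGreetingSafe(name) {
  const safe = escapeHtml(name);
  return `<form><input type="text" name="name" value="${safe}"></form>\n` +
         `<p>Hi ${safe}</p>`;
}

// Regression check: count opening tags in the output. The template itself
// contributes exactly three (<form>, <input>, <p>); anything above that
// means user input was interpreted as markup.
const TEMPLATE_TAGS = 3;
function countOpeningTags(html) {
  return (html.match(/<[a-zA-Z]/g) || []).length;
}

function introducesMarkup(html) {
  return countOpeningTags(html) > TEMPLATE_TAGS;
}

// Constructed sample input: closes the attribute with "> as the comment
// describes, then carries a harmless marker script.
const SAMPLE_NAME = '"><script>alert(document.domain)</script>';

console.log('unsafe introduces markup:',
  introducesMarkup(renderGreetingUnsafe(SAMPLE_NAME)));
console.log('safe introduces markup:  ',
  introducesMarkup(renderGreetingSafe(SAMPLE_NAME)));
console.log(renderGreetingSafe(SAMPLE_NAME));
```

The tag-count check works as a unit test for any template that reflects user input: render it with a hostile string and assert that the markup structure is unchanged.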

  13. Actually, this brings up an interesting point. by nyet · · Score: 4, Interesting

    While I agree with you in principle, this does tickle something in the back of my brain. If the DMCA causes so many people to wish to remain anonymous when they discover a vulnerability, why not FLOOD the media with bogus exploit reports? Just claim you won't release it due to the DMCA. Eventually, if enough random hackers do this, and enough people buy it, there will be so much paranoia of "hidden" exploits, that eventually somebody will call for mass disclosure. And the only way this can happen is for global DMCA amnesty.. similar to what brought about whistle blower legislation.

  14. Example: by gnovos · · Score: 3, Interesting

    My company (nameless for now). We are a MS "partner". A few weeks ago, they suddenly decided to tell us that they were developing the exact same software as our product, and they thanked us for all the help we had given them. If we want, they will let us continue to be a "partner" and give them our great ideas for as long as we still have funding (which runs out in December).

    --
    "Your superior intellect is no match for our puny weapons!"
  15. Keep in mind: by alewando · · Score: 3, Interesting

    Keep in mind not everyone agrees with that sentiment. Some would argue that, if you discount the numerous security issues, Microsoft has perhaps the strongest track record of innovation in the industry. <----- Read it and see what I mean.

    We know it's bunk. They ought to know it's bunk, and yet they don't.

    sigh.

  16. DMCA is a US-only law by r_newman · · Score: 2, Interesting


    I'm outside the US, and have no intention of ever visiting it as long as the DMCA remains in place.

    If anybody would like to publish some code that violates the DMCA, forward it to me and I'll publish it immediately on a subdomain of tech-mad.org. No need to supply your identity or any other details.

    --
    Bzzzzzt..."AAAAaaaaarrrgh!!!" Thud.
  17. Question - Hailstorm & UK DPA by King+Of+Chat · · Score: 2, Interesting

    Does anyone know how Hailstorm fits in with the UK's Data Protection Act legislation? Does MS become the owner of the data? If so it's up to them to take "reasonable measures" to guarantee the security of the information. If they fsck up, then - IANADPL - they could be in deep shit. Similarly, the physical location is important. Sending personal data outside of the EU without permission is against the DPA - that could happen just in a server replication.

    Any DPA experts out there?

    Is there similar legislation stateside?

    --
    This sig made only from recycled ASCII