MS Security: On A Path As Clear As It Is Reliable
bobthemonkey13 writes: "It appears that Microsoft's 'secure' E-Book system has been cracked. MIT Technology Review is reporting that an anonymous programmer has figured out how to bypass the 'advanced antipiracy features' in Microsoft Reader. This sounds a lot like what Dmitry did except for two things: The MS E-Book hacker has (wisely) decided to remain anonymous, and he's not publishing his program. God bless the U.S., where moving a book from your home to your office is a federal offence."
Along similar lines, an Anonymous Coward indicates this story at USA Today titled "Expert Hacks Hotmail in 1 Line of Code." "I'm in awe! Unless someone can figure out how to execute pseudocode or half a line this isn't beatable. I hope this gets fixed or the whole future of pay-per-view web services could be impacted. :-q" Good thing Microsoft isn't quite sure what to do with all this universal-password stuff. (Thanks to Sacha Prins.)
Jamie adds:
In other news about poor security where you least expect it, Kitetoa informed Veridian a little while ago that: "Any script kiddy can root your web site. And... By the way... Someone already did it (as you should have seen at www.veridian.com/upload/ if you knew anything about internet security)."
I don't know what that URL gives you now, but as of this writing, and for the last several hours, it's read:
fuck USA Government
fuck PoizonBOx
contact:sysadmcn@yahoo.com.cn
This is the same Veridian that the Defense Department picked to track computer network attacks on DoD systems, specifically attacks coming from China.
this guy should upload the code to freenet where, hopefully, it is impossible to remove the program or discover the author. This is the exact kind of thing freenet was designed for, so if the author is out there in slashland, go for it! Civil Disobedience ra ra ra!
The unfortunate thing is that while it seems "M$ software gets hacked every other month", the general consumer isn't making security (or should I say the lack of it? :) a big deal.
... but that headline is simply hitting way below the belt. There's plenty of security holes in every stock Linux distro too, you know.
- A.P.
"Remember when the U.S. had a drug problem, and then we declared a War On Drugs, and now you can't buy drugs anymore?"
Every time I read about Hailstorm, I am in shock but at the same time scared.
First off, I can't believe that Microsoft thinks they should be in control of so much personal information.
Second, that Microsoft thinks they can somehow keep it safe.
Third, and this is what scares me. A lot of John Q. Public will give them all this information.
Better them than me I guess.
With new forms of active content being added to web pages all the time, it is amazing that anything with dynamic content. I know that's vague, but that sounds like the gist of it.
Freenet is not really the only solution if the programmer chose to release the program and not reveal his identity. There are numerous other channels available which will let him preserve his anonymity. The only advantage to Freenet is that it at least has a somewhat legitimate charter, whereas other methods are typically underground and shady.
But still, if done properly, it could be released and spread without anyone finding out who the author is. The danger is if that person ever told ANYONE about it. If he did, then he's not truly anonymous, and given enough of an incentive, someone might be tempted to talk. At least, without releasing any code, it's technically all hearsay and a lot less likely to be in violation of some strange law.
I fear however that this is how it will have to be done in the future if the silly laws don't get overturned. Either that, or some REALLY important sensitive document will have to be cracked and released publicly to the embarrassment of a large organization with a lot of people chanting "we told you so" before those in power might take a second glance and realize that perhaps peer review for security is a good idea after all.
-Restil
Play with my webcams and lights here
Did anyone ever wonder whether M$ do this deliberately?
;)
Recently they've had some holes (much like this) that you'd have to be out of your head smoking crack to miss.
Quality assurance at Microsoft is better than this when it comes to other areas. Could it just be that it's easier and cheaper to have somebody else find the holes and then, as the mega-funded publicity department goes into top gear issue a patch (where appropriate)?
Either that or Microsoft buys a lot of crack!
"How much truth can advertising buy?" - iNsuRge - AK47
Oh, great! Looks like what people have been saying will come true -- The DMCA will stifle innovation, quality, security,.... etc. Now whenever there's a flaw in something, people will be too afraid to report it, for fear of being prosecuted under the DMCA. Back to the Dark Ages for us!
while true; do telnet www.hotmail.com 80 <
Then just sit back and wait.
On a related note, i'd like to dispel a common myth. Real Programmers don't use 'cat > a.out' or 'cat
--
Mod up a post Rob doesn't like and you'll never mod again
So, let's say that MS Hailstorm is implemented and within a couple of years, a good portion of users have their data and software settings stored on .Net servers, and can access it with their Passport login and password.
Now let's say that someone finds another flaw in passport (I know, hard to believe, but go with me here). Needless to say, Hailstorm users will be left vulnerable. The question is, will the Hailstorm and Passport EULA protect MS when it comes to legal liability for a) lost data, and b) copied or stolen data (loss of intellectual property, etc...)
My guess is that even if they are to blame, MS won't be legally liable. Doesn't sound like a good choice for users...
Buy Hex-Rated Stuff, fight the DMCA!
A year ago I would have been much more inclined to agree with you... but it's kinda funny. As time goes on, Windows seems to have more network services, and more problems, while Linux distros are becoming more sane and simple, following OpenBSD's lead...
And the line after that reads:
Well, at least you tried to read the article... that's more than most of the Slashbots.
To within half a percent, pi seconds is a nanocentury. -- Tom Duff
the program doesn't exist.
I understand not wanting to be the next DMCA victim, but really, if the code isn't out there, then, it doesn't exist in my eyes.
ZOMG I WOULD LOVE TO KNOW ABOUT YOUR FEELINGS ON MACINTOSH VERSUS WINDOWS, VI VERSUS EMACS, AND HOW YOU'RE NOT A DORK
I don't really know why any large company would sign on for Hailstorm. No one really wants to be tied to any specific vendor for such an important part of their business. Granted, they're already tethered via their desktop PCs, but incorporating Hailstorm into your business plan? You're basically putting your chance of profit in the hands of MS, who has a well known history of screwing over its own partners.
The problem, as I see it, is that American Express and others can beat their competitors to the punch by being a part of Hailstorm, providing services no one else does, but that goes with extreme risk. I guess that's why they haven't signed a contract with MS yet. It's a tough one for any company.
"I may not have morals, but I have standards."
From the article:
-jacob
Well, this is strange. I'm sitting on a Windows 98 box with McAfee VShield v4.0.3 installed and virus definition files from 2001/06/13. Whenever I try to go to http://www.veridian.com/upload/ with either IE 4.01 or Netscape 4.70, McAfee pops a warning dialogue saying I have just downloaded a worm called "SunOS/BoxPoison.worm". I also have a small Perl program I can use to perform command-line HTTP downloads, and with it, I can download the page at http://www.veridian.com/upload/ without any problems.
I'm probably getting the warning because something in the HTML code matches the signature for a known worm. But still, if the message on the site isn't enough to scare people, the warning from their virus scanner certainly will!
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Content-Location: http://www.veridian.com/upload/index.htm
Date: Fri, 31 Aug 2001 03:51:47 GMT
Content-Type: text/html
Accept-Ranges: bytes
Last-Modified: Wed, 09 May 2001 12:53:30 GMT
ETag: "6a8163c87d8c01:943"
Content-Length: 289
(Slashcode has inserted a few spaces into the following HTML... I hope this doesn't trip your virus scanner...)
<html><body bgcolor=black><br><br><br><br><br><br><table width=100%><td><p align="center"><font size=7 color=red>fuck USA Government</font><tr><td><p align="center"><font size=7 color=red>fuck PoizonBOx<tr><td><p align="center"><font size=4 color=red>contact:sysadmcn@yahoo.com.cn</html>
I thought one of the golden rules of any sort of engineering is that before you try to do something, work out whether you can do it or not. Then try. Otherwise, it's all just wasted effort.
Am I the only person who thinks the whole concept of e-book encryption with the goal of stopping dedicated piracy is pointless?
Encrypting the contents of a transmission between two parties so that no 3rd party can read it is do-able, and has always been the main thrust of encryption. But what people like Adobe and Microsoft are essentially trying to do is make it impossible for the second party to read the message - because as soon as you read the message, you can reproduce it.
Assume that Adobe/Microsoft encrypt this with something that will provably take an untenable amount of time to crack - say 1024-bit public key encryption (sorry, IANACryptologist, I don't know the proper term.). I won't be able to crack the book itself, but since it appears on the screen at some point, I'm going to be able to read it sooner or later - and I can copy it. E-book encryption is the equivalent of the club lock - it'll stop casual copiers, not the dedicated copier - and this approach will only work until the first dedicated copier writes a program to let everyone else do it.
The same is true of sound files, though maybe not to the same level, as the concept of digital watermarking can be applied. I still think the same rules apply. As a result, I can't help but think of the whole e-book and sound-file encryption push as smoke and mirrors, meant to convince people that bits can be made uncopyable.
-- This post is about truth, beauty, freedom, and above all things, Karma
Pure genius, gizmo. Pretend to be an idiot, and get lots of people to flame you for not reading the article before posting.
Then after they post the flames, they finally read the other replies to your post, and realize how redundant they are and, more importantly, that they're guilty of the exact thing that they flamed you for.
Brilliant.
Just so we're clear - is this the ISO with the unique identifier that The Reg talked about the other day?
...was the actual content of the page, which coincides with strings in the actual virus itself that VirusShield is looking for. The virus that infected the machine must carry a copy of the page verbatim inside itself, and that is one of McAfee's clues to finding it.
Black holes are where the Matrix raised SIGFPE
Microsoft's favorite security model - security through obscurity - has very little to do with Hailstorm and everything to do with the DMCA. Not only does the producer of the security mechanism simply not publish the details of that mechanism, but through the wonders of the DMCA, Microsoft is empowered to enforce their security model by preventing the publication of holes discovered in the security system, thereby maintaining the obscurity.
Sarcasm aside, does it really matter how secure Hailstorm really is, if Microsoft can sue into oblivion anyone who publicizes or even researches security exploits related to the system...?
--CTH
--Got Lists? | Top 95 Star Wars Line
Linux manages to successfully use the same OS for both workstation and server purposes. In fact, I'm quite glad that my workstation doubles as a server for testing purposes, and that I am able to work on my servers in a pinch. Linux successfully combines all the good aspects of both workstations and servers; why can't M$ do the same?
Even Slashdot wants to hide some things
I used to work at Microsoft, MS Press and MS Research. While at Research I needed to hack IE so it would forget about ActiveX security; I managed to work out the registry settings but still had some questions.
The place to ask questions of other developers internally is via Outlook groups (like Usenet); it's surprising there isn't a better channel to converse with other Microsoft developers. Maybe there is, but that's all I knew about. Anyway, I posted a question to the IE-dev group about my problem. The response was surprising: the lead PM of IE started flaming me, telling me how Microsoft cannot have any more exploits in IE, how my manager would be informed, etc.
I guess I should have mentioned that what I was doing was only going to go out to a few select terminally ill users.
The point I'm trying to make is that Microsoft is a large company made up of many small groups which don't necessarily talk to each other. I'm not saying this in their defense, but it helps explain how so many problems can arise over and over again. Even if I had just gone ahead and implemented this IE hack into something major, I don't know who would have held me accountable; as far as I know software does not need to go through a standard security audit, and each group has its own QA, which will vary wildly.
-Jon
this is my sig.
Suppose a company hates someone. It can invent a kind of "e-book" security using, say, a modified ROT-13 algorithm. Then openly challenge the guy to crack it. He does that and publishes his results. Now, can the company use the DMCA to put that person in jail?
Can anyone clearly explain cross-site scripting?
I've seen a few explanations of it but they didn't make any sense. I'm slow like that.
> > There's plenty of security holes in every stock Linux distro too, you know.
> But, unlike with M$ products, you can plug them, since you have the SOURCE.
And increasingly important, you can talk about them without fear of drawing a Go To Jail card.
Sheesh, evil *and* a jerk. -- Jade
"who has a well known history of screwing over its own partners."
Care to provide some examples?
The company I work for partnered with Microsoft last year on their homeadvisor.com website. The section we worked on turned into a failure and the plug was pulled less than a year later, but Microsoft refunded our company's investment into the site.
I knew someone else back in '94 who started a small company that was partnered with Microsoft and writing utilities for Windows NT. Microsoft helped them startup, paid for an ISDN hookup into their office so they could more easily communicate with Redmond, and then two years later bought out the company and moved them all to Redmond. The guys were more than happy to make that move!
Every company I'm aware of that has partnered with Microsoft has been treated very fairly.
Even Seattle Computing, which provided the original MS-DOS, was treated very well. While the initial contract was for only a few thousand, they received much more than that over time, and many of the company's employees ended up working at MS and becoming some of their early millionaire programmers.
I guess I'm curious about this well known history.
This seems like a case of "I hate Microsoft, and I'm going to say whatever I can to try to make them look bad, even though I can't really justify it."
I think that's my cue to succumb to my sleep deprivation and go to bed.
What's worse is I read the damn thing twice. Long week, long day.
Not brilliant, just way too tired. Don't have the cleverness at this hour for such a good troll.
Using the Jim/Carol/Bob terminology...
If Jim wants to send Carol some information that they BOTH don't want Bob to see, no problem. This is the intent of crypto.
However, as soon as Carol decides that she doesn't mind Bob also getting the information, it is all over. No amount of crypto can prevent that transaction.
Given this quite obvious fact, it surprises me that ANY real crypto guy would even bother touching this problem.
While I agree with you in principle, this does tickle something in the back of my brain. If the DMCA causes so many people to wish to remain anonymous when they discover a vulnerability, why not FLOOD the media with bogus exploit reports? Just claim you won't release it due to the DMCA. Eventually, if enough random hackers do this, and enough people buy it, there will be so much paranoia of "hidden" exploits, that eventually somebody will call for mass disclosure. And the only way this can happen is for global DMCA amnesty.. similar to what brought about whistle blower legislation.
My company (nameless for now) is an MS "partner". A few weeks ago, they suddenly decided to tell us that they were developing the exact same software as our product, and they thanked us for all the help we had given them. If we want, they will let us continue to be a "partner" and give them our great ideas for as long as we still have funding (which runs out in December).
"Your superior intellect is no match for our puny weapons!"
Keep in mind not everyone agrees with that sentiment. Some would argue that, if you discount the numerous security issues, Microsoft has perhaps the strongest track record of innovation in the industry. Read it and see what I mean.
We know it's bunk. They ought to know it's bunk, and yet they don't.
sigh.
Is there evidence to prove that MS Reader has actually been cracked? I mean, he hasn't shown any code, he hasn't posted a cracked e-book.
Hell, I could claim that I just broke into the CIA. I know where Elvis is and I know who killed JFK, but the DMCA won't let me tell you.
From the cover sheet of the DMCA legislation:
Basically, the DMCA is simply the mechanism within the United States of implementing the WIPO treaty. Any country that is a signatory to this treaty will be implementing DMCA-like legislation. Just give it some time...
For those who are unfamiliar with the history of intellectual property law, the EFF has a good primer.
Ironically enough you don't say a single thing that isn't true. Everybody responding seems to be overlooking that fact. People are inferring that you are claiming they never get around to the third line in the article. The fact is, it is bad writing even if for different reasons.
The author should have led with the single line reference and then 'flashed back' to tell of earlier longer exploits, like the three liner(s).
Sorry all 10 or so of you, but the joke's on you! 8^} Don't feel so bad. Even the "professionals" can't write well anymore, so it's no great surprise that you can't recognize bad writing when you see it. After all, if you read the paper or watch/listen to TV news then bad writing is pretty much the norm, and so you're conditioned to find bad reporting to be quite satisfactory. It's too bad really.
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
Now, IDKAG (I don't know about Gator), but while I admit your point, I'd be damned concerned that any utility like this would be sending alla this info back to Corp. H.Q. each and every time it's used. That, I think, is a legitimate concern.
Carousel is a lie!
- Say you've done it
- Try to do it
- Study feasibility of it
Note that steps 2 and 3 are optional.
rooooar
If you want to get rid of those, you'll have to firewall them.
You don't firewall anyway?
Sure, if you're looking for it. But the orig. comment was about people who were just average users and weren't nearly paranoid enough.
aren't all network connections logged?
Not necessarily; just think how much data that would be. You've got a graphical browser, right? Well, each and every picture you see has to be downloaded. That'd all be logged. You'd get tired of looking through it pretty quickly. My point is that it's easy for this sort of thing to get lost in background noise even if you know to look for it.
can multiple apps establish simultaneous connections through the same port, or does each process need its own?
The latter, I believe...I'm no programmer type either.
Once the public in general trusts their personal data, credit card numbers etc to MSFT (including politicians), sooner or later they will feel betrayed by this company (when, not if, someone steals their data and misuses it).
This might just be what's necessary to once and for all turn public opinion against this evil empire.
I'm outside the US, and have no intention of ever visiting it as long as the DMCA remains in place.
If anybody would like to publish some code that violates the DMCA, forward it to me and I'll publish it immediately on a subdomain of tech-mad.org. No need to supply your identity or any other details.
Bzzzzzt..."AAAAaaaaarrrgh!!!" Thud.
Does anyone know how Hailstorm fits in with the UK's Data Protection Act legislation? Does MS become the owner of the data? If so it's up to them to take "reasonable measures" to guarantee the security of the information. If they fsck up, then - IANADPL - they could be in deep shit. Similarly, the physical location is important. Sending personal data outside of the EU without permission is against the DPA - that could happen just in a server replication.
Any DPA experts out there?
Is there similar legislation stateside?
This sig made only from recycled ASCII
"God bless the U.S., where moving a book from your home to your office is a federal offence."
That's funny, I recall taking home an industry mag from my IT desk just yesterday. Oh wait, you want me to copy each page in a professional photo-copier, with pictures, rebind it, and include the copyright notice the original publisher placed at the bottom, so I can have an additional copy at home. That seems perfectly legit.
Please...
Anyone? One has to wonder just WTF they do over there, no? This is starting to sound like the detox/rehab/wife beating world of family court. I mean there is what, a daily incident or problem where MS says - um yeah that's messed up too.
Name me another company that has this many security problems.
When did Microsoft ever sue anyone for finding a hole in the OS?
I find tons of articles, research and legit businesses in the US where the sole purpose is to research, discover, patch and fix these risks.
On the other hand, if you break copyright laws it doesn't matter which OS you do it under, it is still "illegal".. not that I agree with the DMCA, but you're blinded by your belief in Linux as being a legal place to do illegal work.
Try it.
The "source" is:
<script>
alert("This site has a cross-site scripting vulnerability!")
window.open("http://slashdot.org/")
</script>
You can be much more nasty with this, popping up goatse.cx or whatever. Basically, it's possible to do anything JavaScript allows you to do.
You are in a maze of twisty little relative jumps, all alike.
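To show the defender's side of the answer above, here is an added Python example (not from the thread): a hypothetical search page that reflects its q parameter, first unencoded and then HTML-encoded, plus a small check over constructed access-log lines that flags requests carrying the thread's payload. The app, parameter name and log lines are all assumptions.

```python
import html
from urllib.parse import parse_qs, quote, unquote

# The payload quoted in the thread; a page that echoes a query parameter
# without encoding it hands this straight to the browser as live markup.
THREAD_PAYLOAD = '<script>alert("This site has a cross-site scripting vulnerability!")</script>'


def attack_query() -> str:
    """Query string a browser would send if the payload were in the q field."""
    return "q=" + quote(THREAD_PAYLOAD)


def _search_term(query_string: str) -> str:
    """Pull the 'q' parameter out of a raw query string (hypothetical app)."""
    return parse_qs(query_string, keep_blank_values=True).get("q", [""])[0]


def render_unsafe(query_string: str) -> str:
    """Vulnerable: the search term is spliced straight into the HTML."""
    return f"<p>Results for: {_search_term(query_string)}</p>"


def render_safe(query_string: str) -> str:
    """Hardened: HTML-encode the term so the browser renders it as text."""
    term = html.escape(_search_term(query_string), quote=True)
    return f"<p>Results for: {term}</p>"


def reflects_markup(page: str) -> bool:
    """True if the rendered page contains a live script tag."""
    return "<script" in page.lower()


# Detection: flag logged requests whose URL-decoded path carries markup.
SUSPECT_TOKENS = ("<script", "javascript:", "onerror=", "onload=")


def suspicious_requests(log_lines):
    """Return the request paths from combined-format log lines that look like XSS probes."""
    hits = []
    for line in log_lines:
        try:
            path = line.split('"')[1].split(" ")[1]   # "GET /path HTTP/1.1"
        except IndexError:
            continue  # malformed line, skip it
        decoded = unquote(path).lower()
        if any(tok in decoded for tok in SUSPECT_TOKENS):
            hits.append(path)
    return hits


# Constructed sample log lines: one ordinary search, one carrying the payload.
SAMPLE_LOG = [
    '203.0.113.7 - - [31/Aug/2001:03:51:47 +0000] "GET /search?q=hailstorm HTTP/1.1" 200 512',
    '203.0.113.9 - - [31/Aug/2001:03:52:10 +0000] "GET /search?' + attack_query() + ' HTTP/1.1" 200 640',
]

if __name__ == "__main__":
    print(render_unsafe(attack_query()))   # script tag survives intact
    print(render_safe(attack_query()))     # &lt;script&gt;... is inert text
    print(suspicious_requests(SAMPLE_LOG))
```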
Any computer with a floppy disk or bootable CD-ROM is at risk.
(or even an ethernet bootable machine)
(or a machine on DHCP with any type of NIS/directory server authentication).
or...
Vintage computer games and RPG books available. Email me if you're interested.
> this guy should upload the code to freenet where, hopefully, it is impossible to remove the program or discover the author. This is the exact kind of thing freenet was designed for, so if the author is out there in slashland, go for it! Civil Disobedience ra ra ra!
No. The whole point of civil disobedience is that a law or regulation is openly defied in a very public manner, and the transgressors challenge the authorities to enforce the law. The belief is that should the larger public become aware of the law and the inappropriate punishment that comes from breaking it, the government will feel compelled to change the law. As well, if enough people are openly breaking this law, the system will get clogged up with trivialities.
Civil disobedience is not hiding in the shadows and skulking around under cover of anonymity.
And this gets a +5 insightful? WTF?
*** Where are we going? And what's with this handbasket?
A packet filter is better than nothing, but it is not the answer. One should not assume that because they are "protected" by a packet filter that they are secure.
IMHO, I think that it can be argued that a proxy firewall solution is the most secure. With a proxy, there is no direct connection between a host on the secure network and the internet. The downside of course is that proxy solutions are not transparent.
The next best alternative would be a firewall that does stateful inspection. That is transparent to the user, but is not as secure as a proxy-based one.
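To make the packet-filter versus stateful-inspection distinction above concrete, here is an added Python model (not from the thread): a stateless filter that admits any inbound packet with the ACK bit set, beside a stateful one that only admits replies to connections it saw opened from inside. The 10.0.0.0/24 network and the packets are constructed; a proxy firewall is not modelled.

```python
from dataclasses import dataclass

INSIDE_PREFIX = "10.0.0."   # constructed: the protected network


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


def packet_filter_allows(p: Packet) -> bool:
    """Stateless packet filter. Outbound traffic is allowed; inbound traffic is
    allowed only when ACK is set, the classic way such filters let replies to
    internal connections back in. Nothing checks that a connection exists."""
    if p.src.startswith(INSIDE_PREFIX):
        return True
    return p.ack


class StatefulFilter:
    """Stateful inspection: remembers connections opened from inside and only
    admits inbound packets that belong to one of them."""

    def __init__(self):
        self.connections = set()

    def allows(self, p: Packet) -> bool:
        if p.src.startswith(INSIDE_PREFIX):
            if p.syn and not p.ack:          # new outbound connection
                self.connections.add((p.src, p.sport, p.dst, p.dport))
            return True
        # Inbound: allowed only if it is the reverse of a tracked connection.
        return (p.dst, p.dport, p.src, p.sport) in self.connections


def compare(packets):
    """Run the same packets through both filters; one (stateless, stateful) verdict per packet."""
    sf = StatefulFilter()
    return [(packet_filter_allows(p), sf.allows(p)) for p in packets]


# Constructed traffic: a normal web connection from inside, then an
# unsolicited inbound packet with only ACK set, aimed at an internal port.
TRAFFIC = [
    Packet("10.0.0.5", 40000, "203.0.113.5", 80, syn=True),             # SYN out
    Packet("203.0.113.5", 80, "10.0.0.5", 40000, syn=True, ack=True),   # SYN/ACK back
    Packet("10.0.0.5", 40000, "203.0.113.5", 80, ack=True),             # ACK out
    Packet("198.51.100.9", 1234, "10.0.0.5", 139, ack=True),            # unsolicited
]

if __name__ == "__main__":
    for p, (stateless, stateful) in zip(TRAFFIC, compare(TRAFFIC)):
        print(f"{p.src}:{p.sport} -> {p.dst}:{p.dport}  filter={stateless}  stateful={stateful}")
```

The last packet is the point of the post: the packet filter passes it because the ACK bit looks like a reply, while the stateful filter drops it because no inside host ever opened that connection.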
"On a path as clear as it is reliable"
...Certainly true: Zero equals zero.
"How many light bulbs does it take to change a person?" --BMcC-->
Unfortunately, I don't think most people would feel betrayed if their personal information was stolen from a Microsoft server, or any server. They would blame the hackers. The media profile of hackers is so high, and the profile of security experts is so low, that most people don't realise it's possible to secure your data against hackers, and they won't expect the system administrator to be held responsible if a hacker breaks into the system.
Q: Why does anyone bother with e-book encryption?
A: Profit
e-book encryption is not designed to stop dedicated "cracking" attempts. It's not even designed to slow them down. Think about it for a minute. These weak protections are there in conjunction with the DMCA to facilitate the licensingmuch cheaper to produce and distribute.
e-book encryption exists for the sole purpose of propping up an otherwise impossible business case. With physical media (i.e. a soft cover book) if I were to reproduce and distribute the books, I would not be able to sell them for less than the publisher, and still make any kind of a profit. The same is not true with el
Ah yes. Lord knows that Outlook isn't an application that can be accessed by the Internet at large by any stretch of the imagination! Why, the very idea that these 'data packets' of which you speak might actually make their way to my email reader is simply preposterous! Thank you for bringing this to my attention. Next time, I'll remember the difference between an Internet server and an Internet client, and why it's permissible for one to have security holes, but not the other.