Slashdot Mirror


User: DmitriA

DmitriA's activity in the archive.

Stories: 0
Comments: 54

Comments · 54

  1. Re:Rigged Election on E-Voting Glitch Alters Election Outcome · · Score: 1

    I've got news for you. There has NEVER been an election in this country that achieved absolute accuracy. And it's unlikely there will ever be one

  2. Too bad they were singing a different tune... on Real Responds to Apple's Hacking Claims · · Score: 4, Informative

    5 years ago when they went after StreamBox.

  3. You reap what you sow on Apple Not Too Harmonious with Real · · Score: 2, Informative

    Does anyone remember when Real sued Streambox in 1999 for reverse engineering their products? I won't feel one bit sorry for them if they lose this case...

  4. How about telling the truth, Glenn? on Glenn Urges Direct-to-Mars Trip · · Score: 1, Informative
    "He said cutting the research component of the space station program would save only about $2.5 million."

    The ISS budget is not 2.5 million, but 2.5 BILLION! Plus there is an additional ~3 BILLION that is spent on shuttle launches that service ISS. He of all people should know that...

  5. Re:Do Not Use It-It's Got a Huge Vulnerability Its on Open Source Firm Releases Patch for IE Bug [UPDATED] · · Score: 1

    Just as soon as they mail me the check for my services :-)

  6. Re:Do Not Use It-It's Got a Huge Vulnerability Its on Open Source Firm Releases Patch for IE Bug [UPDATED] · · Score: 4, Insightful

    Well, this is hilarious. I guess I should never assume anything until I try it out myself. Apparently when WideCharToMultiByte() fails, it DOES overwrite your string until but presumably does not go over the specified bounds. So their code is still vulnerable to remote code execution since you can fill the dest[] array with the shellcode and a new return address that would point to it. You only have 256 bytes to work with (in reality even less, since they have some other stuff on the stack that you need to get over before you get to the return address), but if you are good with assembly, that should be enough to do some fun stuff... In comparison, Slammer was 306 bytes in size, but of course did quite a bit too...

  7. Re:Do Not Use It-It's Got a Huge Vulnerability Its on Open Source Firm Releases Patch for IE Bug [UPDATED] · · Score: 5, Informative

    Eh. Just realized that since WideCharToMultiByte() will fail, it will not actually copy the URL to the dest[] array and thus, you probably can't overwrite the return address with a legitimate value and get it to point at your shellcode. It's still easy to overwrite it with a random value (with whatever is sitting at the time in the uninitialized dest[] array) and cause a crash, but executing malicious code may be a little harder to pull off...

  8. Do Not Use It-It's Got a Huge Vulnerability Itself on Open Source Firm Releases Patch for IE Bug [UPDATED] · · Score: 5, Informative
    For one thing, it's an IE add-on (similar to a GoogleBar and others), not a patch. So it's a messy solution to begin with.

    On top of that, it's buggy. It has a memory leak in its BeforeNavigatorEvent() IE callback function which gets triggered before loading each new page. There they allocate a string of 256 bytes, but never even bother to clean it up!
    I'm not even sure if that memory is going to be cleaned up when you close all the IE windows, since it's really a Windows system component and this DLL may not be unloaded even with the closing of IE. But I may be wrong on that point...

    But even that's not the worst thing. Their code actually contains a buffer overflow, allowing the attacker to execute code on your machine with the privileges of the IE process just by crafting an invalid URL link and getting you to click on it!

    Basically, they use WideCharToMultiByte() to convert the unicode URL string to that allocated 256-byte ASCII character array. They tell the function the size of their array, but if the URL string exceeds 256 characters in length, it will not overwrite that buffer and cause an immediate buffer overflow. Instead it will fail and tell you to increase your buffer. Well, guess what? They don't check for that failure condition (and, incidentally, it may fail for many other reasons during the Unicode->ASCII conversion) and happily proceed to use it in a strcpy() later on, overwriting another 256-byte character array which is now located on the stack. A nasty buffer overflow just waiting to be exploited...

    So to summarize, they took a relatively minor problem (URL spoofing) and made it a hundred times worse with their 'solution'. Great job, guys!

    Offending code:
    /* memory leak */
    char *dest = (char *)malloc(256*sizeof(char));

    /* Unicode->ASCII conversion that doesn't do error checking */
    WideCharToMultiByte( CP_ACP, 0, (BSTR)url->bstrVal, -1, dest, 256, NULL, NULL );

    ...

    /* vulnerable arrays on the stack */
    char sFake[256];
    char sTrue[256];

    ...

    /* please overwrite the return address on the stack and execute my shellcode */
    strcpy(sFake,strstr(dest,"\2") +1);
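
Added example (not the add-on's code and not from the comments above): the same URL-splitting step written defensively in portable C, covering the unchecked conversion discussed in comments 6 through 8. It assumes a stand-in for WideCharToMultiByte() with the same return contract (0 on failure, buffer contents then unspecified), assumes the text before the "\2" separator is the genuine URL, and adds the three checks the posted code skipped: the conversion result, the strstr() NULL case, and the copy bound.

```c
#include <stdint.h>
#include <string.h>

#define URL_CAP 256     /* same fixed buffer size the add-on used */
#define SEP_CHAR '\2'   /* separator the add-on located with strstr() */

enum url_check { URL_OK = 0, URL_CONVERT_FAILED = 1, URL_NO_SEPARATOR = 2 };

/* Portable stand-in (assumption, not the Win32 API) for WideCharToMultiByte():
 * copies a NUL-terminated UTF-16 string into 'cap' bytes of 'dst'. As with the
 * real API, 0 means failure and 'dst' is then unspecified: the caller must check. */
static int narrow_utf16(const uint16_t *src, char *dst, size_t cap)
{
    for (size_t i = 0; i < cap; i++) {
        if (src[i] > 0x7F)
            return 0;                 /* unmappable unit: conversion failure */
        dst[i] = (char)src[i];
        if (src[i] == 0)
            return (int)(i + 1);      /* bytes written, including the NUL */
    }
    return 0;                         /* output buffer too small */
}

/* Hardened form of the add-on's step: convert, test the result, require the
 * separator, and copy each half with an explicit bound instead of strcpy().
 * true_out and fake_out must each hold URL_CAP bytes. */
static enum url_check split_spoof_url(const uint16_t *url, char *true_out, char *fake_out)
{
    char dest[URL_CAP];
    true_out[0] = fake_out[0] = '\0';
    if (narrow_utf16(url, dest, sizeof dest) == 0)
        return URL_CONVERT_FAILED;    /* fail closed: dest is not trustworthy */
    const char *sep = strchr(dest, SEP_CHAR);
    if (sep == NULL)
        return URL_NO_SEPARATOR;      /* the posted code did strstr()+1 unchecked */
    size_t true_len = (size_t)(sep - dest);    /* both halves are shorter than */
    size_t fake_len = strlen(sep + 1);         /* dest, which already fit URL_CAP */
    memcpy(true_out, dest, true_len);    true_out[true_len] = '\0';
    memcpy(fake_out, sep + 1, fake_len); fake_out[fake_len] = '\0';
    return URL_OK;
}

/* Test helper: widen a plain ASCII C string to UTF-16 and run the check, so
 * over-long and separator-less inputs can be tried from constructed strings. */
static enum url_check check_ascii_url(const char *s, char *true_out, char *fake_out)
{
    uint16_t wide[1024];
    if (strlen(s) >= sizeof wide / sizeof wide[0])
        return URL_CONVERT_FAILED;
    size_t i = 0;
    do { wide[i] = (uint16_t)(unsigned char)s[i]; } while (s[i++] != '\0');
    return split_spoof_url(wide, true_out, fake_out);
}
```
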

  9. Re:i'd like to see... on JVC Announces Media-Centric Pocket PCs · · Score: 1

    Apparently we won't see 802.11g on PocketPCs for sometime yet. CompactFlash simply can't handle those types of speeds :-(

  10. There is no such thing as cyberterrorism on Worms Going Further, Faster · · Score: 4, Insightful
    Schneier raises some good points regarding this issue in this month's Crypto-Gram.
    In January 2003, the SQL Slammer worm disrupted 13,000 ATMs on the Bank of America's network. But before it happened, you couldn't have found a security expert who understood that those systems were dependent on that vulnerability. We simply don't understand the interactions well enough to predict which kinds of attacks could cause catastrophic results, and terrorist organizations don't have that sort of knowledge either -- even if they tried to hire experts. ...

    Despite our predilection for calling anything "terrorism," these attacks are not. We know what terrorism is. It's someone blowing himself up in a crowded restaurant, or flying an airplane into a skyscraper. It's not infecting computers with viruses, forcing air traffic controllers to route planes manually, or shutting down a pager network for a day. That causes annoyance and irritation, not terror.

    This is a difficult message for some, because these days anyone who causes widespread damage is being given the label "terrorist." But imagine for a minute the leadership of al Qaeda sitting in a cave somewhere, plotting the next move in their jihad against the United States. One of the leaders jumps up and exclaims: "I have an idea! We'll disable their e-mail...." Conventional terrorism -- driving a truckful of explosives into a nuclear power plant, for example -- is still easier and much more effective.

  11. Re:question on Updated Information On Columbia Shuttle Tragedy · · Score: 2, Informative

    ISS's future (at least near-term) is in serious jeopardy right now. Without the shuttle fleet, the only emergency escape vehicle for the crew is the Soyuz module. There are only 2 of those in a completed state right now and they are designed to last in space for only 6 months. And it takes 2 years to build one.
    There is also a question of keeping ISS in orbit. That job was done mainly by the shuttle by boosting it into higher orbit with each visit. Technically, the Russian Proton rockets can do the job, but apparently RosAviaCosmos (Russia's space agency) is saying today that there aren't enough of those either to do this for a long enough time. And again, it takes over two years to build the rocket.

  12. Re:Already been done on Mission: Infiltrate the P2P Network · · Score: 1

    What if the node you trust (ex. Alice) is really on the up and up (never mind the question of how you are actually going to establish it), but it itself is trusting another node (ex. Mallot) which is not? Thus, without even your knowledge you are now trusting Mallot, who may be sending corrupted files to Alice, and you are getting them from her.

  13. Re:The US tax code could be fixed... on TurboTax Activation Fiasco · · Score: 3, Insightful

    No, that's because social security and medicare aren't really taxes - they are government-run insurance programs (that government, at gunpoint, forces you to enroll in, regardless of whether you want it or not). You pay in a premium and you get some benefits when you retire (hopefully if they don't go broke by then) and need some money to cover medical expenses.

    Now, since these programs are already going broke, reducing the premiums paid by everyone and, thus, the money paid into the system is a stupid idea - unless what you really want is to close these programs altogether and give people a choice about what they want to do (which is a good idea, but probably very unpopular among most voters - especially those seniors that vote by the truckloads).

  14. Re:Too little, too late on Java Gets Templates · · Score: 4, Informative

    Wrong! C# uses a RADICALLY different implementation of generics - Java opted for the 'erasure' approach because they needed to preserve backward-compatibility. So that means that all generic type information is removed by the compiler/translator and that code is replaced with polymorphic subtyping with casts (essentially, using the same collections of Objects but every time you insert or retrieve an element, it will do a cast) - thus, horribly slow runtime performance.

    Next version of C# will support generics in the VM and that will remove the need for casts and allow you to do other nifty stuff like polymorphic recursion, getting specific runtime information that Vector is really that and not a Vector - in Java, you would have to look at the actual elements to determine that.
    In fact, Microsoft Research people that presented a paper on generics in .Net at PLDI '01 claim that this is the first ever implementation of generics with support in the VM itself. But I think if Sun had the time to do it in Java in the beginning, they would've opted for a similar design, but since they hadn't and now they can't go around changing all the VMs and losing compatibility with all the code that is out there, that wasn't an option for them

  15. Re:Tivo, hardware vs. software company on AdAge Predicts Tivo will Fail · · Score: 3, Informative
    Um, how? DishPVR = rebranded ReplayTV
    No, Dish makes their own PVR boxes and develops their own software for it. The only exception to that would be their earliest PVR product called the DishPlayer which they developed in conjunction with Microsoft, but it has been plagued with a ton of bugs and slow update cycles and they have stayed clear of these types of partnerships ever since (preferring to develop everything in-house)

  16. Re:Why it took a week on ECCp-109 Solved · · Score: 2

    Probably because Certicom has more important things on their minds right now - like how to stay afloat with almost no money left in the bank

  17. Re:Do the next one on ECCp-109 Solved · · Score: 2

    Even characteristic curves are generally not used for cryptographic purposes anymore as there are some fairly advanced attacks against them

  18. Yes, but is Certicom going to pay the reward? on ECCp-109 Solved · · Score: 5, Informative

    I hear that they are in huge financial trouble and barely have enough money in the bank to last them a couple of months. The last thing they probably want to waste it on is paying for this

  19. Great idea! on Building a Comprehensive Ballistics Database? · · Score: 4, Insightful
    And while we are at it, for the noble cause of solving crime, why don't we fingerprint not only guns, but also fingers/hands of every person in the country. After all, criminals may leave fingerprints at crime scenes and that will allow us to easily identify and locate those criminals. And let's not forget about collecting the DNA information too. That would be wonderful for solving all those rapes and whatnot.

    So, all you gun control nuts - see anything wrong with this picture?

  20. Re:P2P is the next killer app. on Rosen, Valenti Warn Colleges About P2P · · Score: 2

    And why in the world would people want to waste HD space and bandwidth to store and share their browsing history?

  21. Ok. Let's take a breather here on OnStar Nav. System Used to Track Bank Robbers · · Score: 4, Insightful

    There is no abuse here - the car was stolen and I assume the owner gave them the permission to use the GPS technology in the car to track it, or at the very least, even if they didn't ask him for an explicit permission - I guarantee you he doesn't object to it one bit now.

  22. Re:Testing 1,2,3 on New Yorkers Get a Taste of Digital Restrictions · · Score: 2
    Cablevision isn't stupid...

    And what planet are you living on? You can't even name me ONE cable or phone company that has at least half a brain

  23. Re:Blame TiVo? on Pop-up Ads Coming to A TV Near You · · Score: 2

    It's not the advertisers who are afraid, but the TV producers! And what they are afraid of is not just that people will stop viewing commercials, but that they will do so AND that still won't do a thing to the sales of products that get marketed on TV - thus, annihilating their entire business model that they've successfully made a living with for the past 50 years.

    And since they are not too anxious to invent a new one (why kill the goose that lays the golden eggs), they are willing to try anything to make sure that advertisers don't lose their faith in the power of television.

    Pop-up ads are probably the best way (from their perspective) to do it. Product placement just doesn't work because only the originator of the programming will get the money for it. So all those other cable networks that show repeats of Friends and Seinfeld - they are not going to get a cent from that product placement money, since the advertisers won't like forking over the money each time the program airs for the next 50 years marketing products that have long gone obsolete. Not to mention the channels like TVLand whose sole business is to show old programming that doesn't have any product placement in it to get the money for. And that means that unless they do popups, over 90% of the channels that don't have any original programming will go under when PVRs become more widespread and people will realize the benefits of time-shifting.

    People won't like it but unless you want to pay $10 per channel each month à la carte for every channel that is out there or you want to go back to the old days when you only had 3 to choose from, that's the only choice you have. And the first one is not really a viable option for most channels either - even at $10 per subscriber they would need quite a few subscribers to pay off their expenses. How many people actually watch TVLand or the Golf Channel right now? And more importantly how many will watch it at $10/month? My guess - not enough...

  24. Re:Kazaa and Spyware on Kazaa Conundrum -- The Plot Thickens · · Score: 3, Informative

    Here you go. It's zipped and then encoded with base64.
    After replacing the cd_clint.dll in your Windows System directory with this one, you can safely delete the following Cydoor-installed files from there:
    CD_GIF.DLL
    CD_HTM.DLL
    CD_HTML.DLL
    CD_SWF.DLL

  25. Re:Kazaa and Spyware on Kazaa Conundrum -- The Plot Thickens · · Score: 5, Informative

    Don't remove it. Replace cd_clint.dll (Cydoor's spyware) that's in your Windows system directory with your own DLL that exports the same functions but does not do anything when they are called.

    Here is the source for a replacement DLL (shamelessly stolen from someone who didn't bother to leave his name in the source):

    #include <windows.h>

    extern "C" __declspec(dllexport) int ServiceShow(int,int,int,HWND,int,int,int,int, int,void*,void*);
    extern "C" __declspec(dllexport) int ServiceClose(int,HWND,void*);
    extern "C" __declspec(dllexport) void ChannelRead(int AdwrCode, char* ChannelIn, int Resv1,int Resv2);
    extern "C" __declspec(dllexport) void ChannelWrite(int AdwrCode, char* ChannelOut, int Resv1, int Resv2);
    extern "C" __declspec(dllexport) void DescWrite(int BitStart, int BitLen, int Val, int Resv1, int Resv2);

    void ChannelWrite(int AdwrCode, char* ChannelOut, int Resv1, int Resv2)
    {
    // Nothing to do here.
    }

    void ChannelRead(int AdwrCode, char* ChannelIn, int Resv1,int Resv2)
    {
    // Nothing to do here.
    }

    int ServiceShow(int AdwrCode, int LoctNum, int LoctIndx, HWND hWnd, int X, int Y, int LenX, int LenY, int Mode, void *General1, void *General2)
    {
    // Return true to tell the host application the call succeeded.
    return 1;
    }

    int ServiceClose(int LoctIndx, HWND hWnd, void* General2)
    {
    // Return true to tell the host application the call succeeded.
    return 1;
    }

    void DescWrite(int BitStart, int BitLen, int Val, int Resv1, int Resv2)
    {
    // Nothing to do here.
    }

    // DLL entry point as posted (Borland naming); an MSVC build would name it DllMain.
    int WINAPI DllEntryPoint(HINSTANCE hinst, unsigned long reason, void*)
    {
    return 1;
    }