You are right. No one is talking about absolute 100% security here. The top 25 is the most egregious and easily remedied defects. These are the easy ones folks. Ones we know a lot about and know how to prevent.
We need software to be free of them because organizations are under attack through application vulnerabilities. Has anyone heard of Google/Aurora or Heartland Payment Systems? Both organizations were breached through software defects.
When the environment changes software needs to change. You wouldn't take a regular car off road into a military usage and expect it to perform well. We are expecting the software process to not change (too expensive, too hard, 100% security is impossible) yet perform well under constant scrutiny and attack.
We need to change how we build software and having customers set security requirements is the best way to do it.
-Chris
The technology trend is for government to afford it and then within 10 years typically upper class citizens can afford it, and then within 20 years middle class citizens can afford it. This means soon we will have wealthy people or well-funded criminals battling these robots with their own robot armies. This is going to get crazy.
Will countermeasures become illegal? Can I EMP these suckers?
It's not your skill level but your employability. Auto assembly line workers are much more skilled than burger flippers. But if there is an economic downturn in their sector their rates should go up. If computer programmer jobs keep getting sent overseas then computer programmer unemployment insurance should go up. If you get trained in a field that has job growth your rates would go down. This way you can think of retraining before you lose your job as free because otherwise you would be paying into the insurance pool.
-weld
He should burn the fuel to make electricity and then charge an electric car with that. Then he can get around the tax but of course this isn't as efficient, so not as good for the environment.
In other news a man was convicted of stealing oxygen which could be clearly traced to a neighbor's beautiful garden. The man had paved over his lot and was not producing any oxygen at all from his property. His neighbors all were producing a net surplus of oxygen and he was clearly producing none and consuming quite a bit himself. Oh yeah, this is news from 2050. Never mind.
What are they thinking over at Sony? A copy protection scheme that doesn't stop the latest popular ripping programs like DVDfab but causes the disk not to play in their own latest DVD players. Someone should be fired. What is the point of a copy protection scheme that lets popular rippers copy it? Am I missing something?
Lexar Discussion: http://www.securityfocus.com/bid/11162/discuss3 2
This was also on slashdot: http://slashdot.org/article.pl?sid=04/09/14/18552
I wouldn't trust USB stick security unless there was a 3rd party assessment of the security from a reputable security firm and that assessment was published. Customers need to start demanding this. What track record do these companies have on security?
The bad thing about hardware is how do you patch the security hole? All hardware these days should have the ability to do a USB firmware upgrade. These devices have a USB port built in already but can't be upgraded.
How are they going to stop someone from pointing an HD camera at a 1920x1080 LCD screen? Consumer HD camcorders are only $1000 (not 1080p yet). And some record straight to hard disk for easy transfer. Sure there would be some degradation but clearly this would be a better picture than a DVD. The PC's S/PDIF digital audio could be recorded directly as this has no encryption. Ideally you would want an HD camcorder that recorded straight to Divx.
I was interviewed for this article by Scott Berinato. I have added some thoughts on the topic to my blog. A rich and robust vulnerability research community needs legal access to the software we are researching. As more and more software becomes web 2.0 instead of running on our desktops we will have less and less independent vulnerability research.
Vulnerability Disclosure in the new "Software in the Cloud" World
http://www.veracode.com/blog/?p=11
-Chris
Let the customer decide how to use the wireless instead of crippling it. Dell didn't design the wireless with a particular use in mind. They don't know that I use it to move songs from my desktop to my laptop.
I don't have to enter a long crypto key on my BlackBerry but it is doing triple DES for all my syncing. They figured this out years ago. Why can't MS?
It's ridiculous that they add DRM to a song file when traded wirelessly but not image files. As a photographer I would love to be able to share some of my photos and not have to worry about them being posted to the net. But they only care about protecting the copyrights of large corporations, not creators of content.
It's all wrong in so many ways.
-weld
Doesn't matter what is fair use. They have a patent restriction on the HDCP chips plus you need a license to get a valid key to decrypt content. They are not going to give a valid key to a manufacturer that doesn't down rez. End of story.
Why not just put a filter that blocks IR light on the digital camera? If no IR light hits the CCD sensor then how can it spoil the picture? I thought that Canon DSLRs already had this type of filter built in because they are not good for IR photography.
-weld
If anyone is collecting sensitive information from you: SSN, biometric data, etc. you need to get a data retention and privacy policy in writing.
Will they transfer this data if the company is sold or goes out of business? Remember eToys had a privacy policy that went out the window during bankruptcy. Will they destroy the data when you cancel your membership? What security mechanisms and audit procedures do they have in place?
When you bring it up it may be the first time they have thought of it so be prepared to wait.
-weld
No way man. Some Taiwanese factory will crank out no-bit HDTV cards and they will sell like hotcakes. Any card with the bit will be DOA. Who wants to buy crippled hardware when non-crippled is available?
This is why the industry invented HDCP. This secures all high quality digital output over DVI or HDMI. The MPAA will not allow HD quality to be transmitted in the clear over digital. In the future it may be possible to build an affordable component capture card for HD rates (they are in the $10Ks now) so I bet MPAA will mandate devices not allow better than 480p resolution to be output from component.
I think 480p looks pisser on an HD display though. Most people would be happy with this level of quality. So I think we will see a repeat of what is happening in audio. MP3s are good enough for most people even though red book CD audio sounds better. 480p with AC3 sound will be plenty fine for most and this will be supported to remain compatible with the millions of devices out there now.
-weld
Ummmm. You can't make a copy of this. The whole point of DRM is to not let a cleartext version of the content reside on disk.
-weld
Microsoft can solve this problem by distributing Firefox alongside of IE with Windows. That way it comes in the box and you don't even need to use potentially insecure IE to download Firefox and get hit with a malicious website.
BTW, I grabbed Firefox via ftp.exe so I didn't need to use IE and there was a nice MD5SUMS on the ftp site to validate.
-weld
Who says plasma is horribly expensive. $1850 for a 42" screen is nice:
http://www.plasmahouse.com/itemdesc.asp?CartId=93-EVEREST-22213DKMLK838&ic=TH42PWD7UY
Panasonic plasmas' 4000:1 contrast ratio actually is watchable in dark movies. LCD looks awful in dark scenes. It's just a gray mess.
Why do you think all the professional users at TV news studios use Panasonic plasma and not LCD? Because it looks much better for video. Black is black, not gray.
You don't need HDTV resolution at 42" if you are sitting 10 feet away. Why pay for it?
Panasonic's latest generation has a 60,000 hour life on brightness and burn-in is similar to CRT.
-weld
I am a software publisher. I am pretty sure that college students are pirating my warez. I even have evidence of it. Now with the MPAA precedent I can get Internet2 access and be able to police the network for people pirating my warez.
-weld
Wouldn't an IR filter in front of the camcorder lens defeat this?
-weld
FullDisclosure: ADODB.Stream object
Any attack vector that relies on an ActiveX control can be stopped by setting the killbit. This is IE security 101.
-weld
To exploit this you need to code up your own client. It has to do with overflowing the password field by sending invalid packets. You can't do this with any of the standard clients.
-weld
The AFP process runs as root so when the stack overflows you can run code as root. AFP wisely won't let you authenticate as root even though it is running as root.
Make sense?
-weld
If you have AFS turned on, patch now.
@Stake Security Advisory
Advisory Name: AppleFileServer Remote Command Execution
Release Date: 05/03/2004
Application: AppleFileServer
Platform: MacOS X 10.3.3 and below
Severity: A remote attacker can execute arbitrary commands as root
Authors: Dave G., Dino Dai Zovi
Vendor Status: Informed, Upgrade Available
CVE Candidate: CAN-2004-0430
Reference: www.atstake.com/research/advisories/2004/a050304-1.txt
Overview:
The AppleFileServer provides Apple Filing Protocol (AFP) services for both Mac OS X and Mac OS X server. AFP is a protocol used to remotely mount drives, similar to NFS or SMB/CIFS. There is a pre-authentication, remotely exploitable stack buffer overflow that allows an attacker to obtain administrative privileges and execute commands as root.
Details:
The AppleFileServer provides Apple Filing Protocol (AFP) services for both Mac OS X and Mac OS X server. AFP is a protocol used to remotely mount drives, similar to NFS or SMB/CIFS. AFP is not enabled by default. It is enabled through the Sharing Preferences section by selecting the 'Personal File Sharing' checkbox.
There is a pre-authentication remotely exploitable stack buffer overflow that allows an attacker to obtain administrative privileges. The overflow occurs when parsing the PathName argument from LoginExt packet requesting authentication using the Cleartext Password User Authentication Method (UAM). The PathName argument is encoded as one-byte specifying the string type, two-bytes specifying the string length, and finally the string itself. A string of type AFPName (0x3) that is longer than the length declared in the packet will overflow the fixed-size stack buffer.
The previously described malformed request results in a trivially exploitable stack buffer overflow. @stake was able to quickly develop a proof-of-concept exploit that portably demonstrates this vulnerability across multiple Mac OS X versions including Mac OS X 10.3.3, 10.3.2, and 10.2.8.
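A bounds-checked parser for the PathName encoding the advisory describes (type byte, two-byte length, string), added here as an example; it is not @stake's proof-of-concept or Apple's code. The big-endian length field, the 255-byte destination buffer and the check_synthetic helper are assumptions made for this example; only the layout and the AFPName type value 0x3 come from the advisory.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Added example, not code from @stake's advisory or Apple's AFP server.
 * Wire layout taken from the advisory: one type byte, a two-byte length,
 * then the string bytes. Big-endian length and the 255-byte destination
 * are assumptions for this example. */
#define AFP_TYPE_AFPNAME 0x03
#define PATHNAME_MAX     255

enum pn_status { PN_OK = 0, PN_TRUNCATED, PN_BAD_TYPE, PN_TOO_LONG };

/* Parse one PathName argument from buf[0..len). The declared length is
 * used only after it is checked against the bytes the packet really
 * carries and against the destination size; bytes beyond the declared
 * length are left as trailing data and are never copied. */
enum pn_status parse_pathname(const uint8_t *buf, size_t len,
                              char *out, size_t outsz, size_t *consumed)
{
    if (len < 3)
        return PN_TRUNCATED;              /* no room for type + length */
    if (buf[0] != AFP_TYPE_AFPNAME)
        return PN_BAD_TYPE;
    size_t declared = ((size_t)buf[1] << 8) | buf[2];
    if (declared > len - 3)
        return PN_TRUNCATED;              /* length field exceeds payload */
    if (declared >= outsz)
        return PN_TOO_LONG;               /* would not fit with terminator */
    memcpy(out, buf + 3, declared);
    out[declared] = '\0';
    if (consumed)
        *consumed = 3 + declared;
    return PN_OK;
}

/* Build a constructed PathName whose length field says `declared` while
 * `carried` bytes are actually present, and run the parser over it into a
 * PATHNAME_MAX-sized buffer. Hypothetical helper for exercising the checks. */
enum pn_status check_synthetic(size_t declared, size_t carried)
{
    size_t len = 3 + carried;
    uint8_t *pkt = malloc(len);
    if (!pkt)
        return PN_TRUNCATED;
    pkt[0] = AFP_TYPE_AFPNAME;
    pkt[1] = (uint8_t)(declared >> 8);
    pkt[2] = (uint8_t)(declared & 0xff);
    memset(pkt + 3, 'A', carried);
    char out[PATHNAME_MAX + 1];
    enum pn_status st = parse_pathname(pkt, len, out, sizeof out, NULL);
    free(pkt);
    return st;
}

int main(void)
{
    /* 0 = accepted; 1 = declared length longer than packet; 3 = too long */
    printf("10/10 -> %d, 300/10 -> %d, 300/300 -> %d\n",
           check_synthetic(10, 10), check_synthetic(300, 10),
           check_synthetic(300, 300));
    return 0;
}
```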
This should be part of any modern DRM scheme. Media players should ask the vendor's website if their version's DRM scheme has been cracked, and if so, download a new scheme. The media player vendor should have a constant supply of ready-made new slightly different DRM schemes to constantly keep the crackers busy.
It's a cat-and-mouse game of attrition. Get used to it.
-weld