Slashdot Mirror


User: pegr

pegr's activity in the archive.

Stories: 0
Comments: 728

Comments · 728

  1. Re:Hardware Virtualization needed. on MS, Intel "Goofed Up" Win 7 XP Virtualization · · Score: 5, Interesting

    Apple did this, not once but twice. Why is Redmond so afraid of trading out the basic underpinnings? I guess they married the concept of permanent backwards compatibility when they used that very stick to beat OS/2 into the ground.

    Is Rosetta Stone a good technology? No, but it got users over the hump. (It was, however, a great hack...)
    How about Fat Binaries? Good lord, Win binaries are fat enough already!

    There's no good solution, so Redmond has to go with "good enough" to get users over to "the other side". Hey Bill! Maybe they don't want to go...

  2. Re:Let me be the first one to say it ... on Pirate Bay Trial Ends In Jail Sentences · · Score: 1

    That's not quite right...

    As a creator, you have complete discretion with regard to your work, until you publish it. As long as you don't publish it, you can do with it whatever you want, as you have complete and utter control of the work. When you publish it, however, you lose some of that control. Copyright is not a complete "charge of their own work."

    Why is this? Because a copyright is a limited grant (not complete control!) for a limited time (not complete control!). This is granted to the creator in order to promote the science and useful arts for everyone.

    So no, a copyright does not mean a creator has complete control. In fact, it's a trade. You (the creator) get some control for a limited time in exchange for a benefit to society at large. If you don't like it, don't publish.

  3. Re:The decompiler on HP's Free Adobe Flash Vulnerability Scanner · · Score: 2, Informative

    While all of your comments about decompiling are true, the output of this particular decompiler is quite good. Var names remain intact, logical constructs appear valid, etc. I'm no Flash dev, but this looks like it could be the same code before compilation.

    It makes sense if you consider that Flash is an Adobe proprietary "platform" and they can make the compiler and interpreter in any way they please. I really don't know what's involved in the compilation process, but my guess is that it's nowhere near as complex as a C compiler, for instance. They need to obfuscate the output to prevent reverse engineering (like it did them much good), and make it easier for the client side, and that's about it. To my almost untrained eye, the output looks dead on for the original source.

  4. Re:devil's advocate on How Do You Deal With Pirated Programs At Work? · · Score: 1

    I think BSA gives bounties to whistleblowers, and the size varies on how much stolen software they discover... Depending on the size of your company it could run to years' worth of salary.

    Bullhockey. Show me one instance within which the BSA paid anything sizable. You can't because they haven't. They are lying, cheating scum, just like the software vendors they represent.

    And for the submitter, if the BSA shows up at your door, tell them to come back with a warrant. (Then leave out the backdoor.)

  5. Re:PDF on Researchers Demo BIOS Attack That Survives Disk Wipes · · Score: 1

    a Canadian horror film about a virus that adapts to transmit itself through language

    I'm still awaiting the movie adaptation of the definitive treatment of language as virus.

    You've been waiting for something that came out in 1986?

  6. Re:GPL vs. DRM: DRM goes against the copyright spi on Adobe's ADEPT DRM Broken · · Score: 1

    As a somewhat random aside, I believe that most software is not directly copyrightable, as it is a derivative work of the source code. If the source code isn't copyrighted, then how can the compiled source code be copyrightable?

    The source code can't be copyrighted, as doing so would require the publishing of the source, and that would reveal all kinds of secrets. Since the secrets are obfuscated in the compiled code, they are safe to publish (until they get reverse engineered, such as this example). But is compiled code copyrightable? I don't think so!

  7. Re:negligence on Data-Breach Costs Rising, Study Finds · · Score: 1

    From the Stats-Pulled-From-My-Nether-Regions:

    85% of all system intrusions are inside jobs. Why would this be any different?

  8. Re:The sky is not falling. on CCC Create a Rogue CA Certificate · · Score: 1

    So how might you blacklist a cert you've never seen? Only victims see it. And if you see it, you're already a victim. Add to this that any number of bogo-signing certs can be made, sitting in reserve, ready to pull out whenever one fails. No, the only confusion here is yours.

    Best defense: "How to Remove a Root Certificate from the Trusted Root Store". Remove the RapidSSL cert, and any others that you have reason to mistrust.

    Secondarily, hope no crap falls on you when someone you know gets hit.

  9. Re:The sky is not falling. on CCC Create a Rogue CA Certificate · · Score: 1

    "If the signature for any cert in the world signed by MD5 could be stolen, then you couldn't trust anything with an MD5 signature and we'd therefore have to treat every web site serving up an MD5 cert as bad, which would cost lots of people time and money."

    And that is exactly the situation. Thanks for putting it so well. Actually, it's bigger than that, since I can fake any cert (with my magic bogotized signing cert).

    "With this attack, there's a very good chance that no bad guy will ever use the attack in real life, and even if they do, it is not too hard to identify and blacklist the few rogue CAs that will exist, which will automatically invalidate any fake certificates."

    Could you explain this to me please? I have a fake signing cert. I use it to make other certs for any site I please. You can't blacklist the cert, because it's apparently "signed" by a trusted CA. You would have to remove any trusted CA that uses MD5 to sign certs. They've already been identified. How likely is Microsoft to push "Updated Root Cert" patch to Windows users, effectively removing the value of all certs from:

    RapidSSL
    C=US, O=Equifax Secure Inc., CN=Equifax Secure Global eBusiness CA-1
    FreeSSL (free trial certificates offered by RapidSSL)
    C=US, ST=UT, L=Salt Lake City, O=The USERTRUST Network, OU=http://www.usertrust.com, CN=UTN-USERFirst-Network Applications
    TC TrustCenter AG
    C=DE, ST=Hamburg, L=Hamburg, O=TC TrustCenter for Security in Data Networks GmbH, OU=TC TrustCenter Class 3 CA/emailAddress=certificate@trustcenter.de
    RSA Data Security
    C=US, O=RSA Data Security, Inc., OU=Secure Server Certification Authority
    Thawte
    C=ZA, ST=Western Cape, L=Cape Town, O=Thawte Consulting cc, OU=Certification Services Division, CN=Thawte Premium Server CA/emailAddress=premium-server@thawte.com
    verisign.co.jp
    O=VeriSign Trust Network, OU=VeriSign, Inc., OU=VeriSign International Server CA - Class 3, OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign

    Until this issue hits enough people to come up on their radar, everyone is vulnerable to MitM attacks. When it does hit the radar, there will be massive finger-pointing, and victims will be screwed.

    The root of the problem is this: Certs are about trust. Microsoft trusts those that are untrustworthy. I am forced to assume the risk of Microsoft's trust decisions. I therefore do not trust Microsoft. Lesson: You can't trust anyone who doesn't have skin in the game.

    Two sidenotes: This issue applies to all browser vendors, not just MS. And Jesus H. Tap Dancing Christ, what the F is RSA doing on that list?

  10. Re:The sky is not falling. on CCC Create a Rogue CA Certificate · · Score: 1

    "That means, you cannot take an arbitrary cert on the internet and feasibly come up with an identical cert that is malicious, where the same signature applies."

    No, but I can bogotize a signing cert and use it to sign another arbitrary cert for any site name I please. What's the diff?

  11. Re:Right on UK Cops Want "Breathalyzers" For PCs · · Score: 2, Informative

    "What do you mean "we", white man?"

    Explanation for the yung'uns out there...

    Lone Ranger: "Tonto! We have a problem! We're surrounded by Indians!"
    Tonto: "What do you mean "we" white man?"

    //Stupid, old, joke...
    //Not racist...
    //Well, maybe a little
    //Stole slashies from fark ;)

  12. Re:But i thought... on Yahoo Hacker 'Mafiaboy' Eight Years On · · Score: 4, Interesting

    Even as a teenager, I had a strong self-preservation instinct. I knew the difference between a felony and a misdemeanor.

  13. Re:But i thought... on Yahoo Hacker 'Mafiaboy' Eight Years On · · Score: 2, Insightful

    Today he works as a legitimate security consultant
     
    I believe the problem word here is "legitimate"... If one has that large of a gap in judgement, most "legitimate" employers won't hire you. And that's the way it should be.

  14. Re:Clarification on How Nvidia Wants To Bring 3D Glasses Back · · Score: 4, Funny

    While you can't polish a turd, you can roll it in glitter!

  15. Re:Computer security rocket science on Greek Hackers Target CERN's LHC · · Score: 1

    And I always thought the electrons did what the protons wanted them to...

  16. Re:bad terms & conditions on The Great Zero Challenge Remains Unaccepted · · Score: 4, Funny

    Agreed. They should save the expense of shipping the drive and just email a drive image instead. Being all zeros, it should compress well...

  17. Re:No so disappointed... on Abit To Bow Out of Mainboard Market · · Score: 1

    //Post calling mods a bunch of dumb fcks modded redundant... Priceless!

  18. Re:Not Exactly News To Me on 88% of IT Admins Would Steal Passwords If Laid Off · · Score: 1

    While I have a hard time believing you actually do this, the idea is brilliant! I may use it.

  19. Re:No so disappointed... on Abit To Bow Out of Mainboard Market · · Score: 0, Redundant

    Hey mods! This was post number two! Redundant? You're a bunch of dumb fcks!

  20. Re:Capacitors on Abit To Bow Out of Mainboard Market · · Score: 1

    Wow, didn't see you post that before my tirade, but, when it comes to bad caps, Abit is just as guilty as anyone else. I have the boards to prove it.

  21. No so disappointed... on Abit To Bow Out of Mainboard Market · · Score: 0, Redundant

    As I was when my KG7 and KT7 both quit last month with bad caps. To heck with ABIT!

  22. Re:Never too late on Sun Spokesman Says "We Screwed Up On Open Source" · · Score: 1

    >I'm guessing it was the 'Google is Evil' bit.

    google-analytics.com

    Ever parse that jscript they push down? Yeah, capital E.

  23. Re:Never too late on Sun Spokesman Says "We Screwed Up On Open Source" · · Score: -1, Troll

    Reply before you mod, jerks...

  24. Re:Never too late on Sun Spokesman Says "We Screwed Up On Open Source" · · Score: 2, Informative

    Sun is still Evil (capital E):

    "The simple fact is, I gather from Jones' testimony, Sun could have prevented the harm SCO sought to cause by simply telling us what rights it had negotiated and received from SCO prior to SCO launching its assault on Linux. Yet it remained silent. When I consider all folks were put through, all the unnecessary litigation, and all the fear and the threats and the harmful smears, including of me at the hands of SCO and all the dark little helper dwarves in SCO's workshop, I feel an intense indignation like a tsunami toward Sun for remaining silent."

    Pamela Jones, Groklaw.net (Linky.)

    Sun is Evil. Google is Evil. Microsoft is Evil, but getting tired and slow.

  25. Been done on Guide to DIY Wiretapping · · Score: 1

    And I posted it back in August:

    http://slashdot.org/~pegr/journal/180007