bobthemonkey13 writes:
"It appears that Microsoft's 'secure' E-Book system has been cracked. MIT Technology Review is reporting that an anonymous programmer has figured out how to bypass the 'advanced antipiracy features' in Microsoft Reader. This sounds a lot like what Dmitry did except for two things: The MS E-Book hacker has (wisely) decided to remain anonymous, and he's not publishing his program. God bless the U.S., where moving a book from your home to your office is a federal offence."
Along similar lines, an Anonymous Coward indicates this story at USA Today titled "Expert Hacks Hotmail in 1 Line of Code."
"I'm in awe! Unless someone can figure out how to execute pseudocode or half a line this isn't beatable. I hope this gets fixed or the whole future of pay-per-view web services could be impacted. :-q"
Good thing Microsoft isn't quite sure what to do with all this universal-password stuff. (Thanks to Sacha Prins.)
Jamie adds:
In other news about poor security where you least expect it, Kitetoa informed Veridian a little while ago that:
"Any script kiddy can root your web site. And... By the way... Someone already did it (as you should have seen at www.veridian.com/upload/ if you knew anything about internet security)."
I don't know what that URL gives you now, but as of this writing, and for the last several hours, it's read:
fuck USA Government
fuck PoizonBOx
contact:sysadmcn@yahoo.com.cn
This is the same Veridian that the Defense Department picked to track computer network attacks on DoD systems, specifically attacks coming from China.
this is what freenet was made for! (Score:3, Insightful)
Cheap testing... (Score:3, Insightful)
Recently they've had some holes (much like this) that you'd have to be out of your head smoking crack to miss.
Quality assurance at Microsoft is better than this when it comes to other areas. Could it just be that it's easier and cheaper to have somebody else find the holes and then, as the mega-funded publicity department goes into top gear issue a patch (where appropriate)?
Either that or Microsoft buys a lot of crack!
Shooting ourselves in the foot? (Score:3, Insightful)
Re:3 == 1 ?! (Score:0, Insightful)
Brilliant reporting. Whatever generates page hits I guess...
Brilliant reading. Why don't you go back and look again, nitwit.
Re:this is what freenet was made for! (Score:5, Insightful)
Why does anyone bother with e-book encryption? (Score:3, Insightful)
I thought one of the golden rules of any sort of engineering is that before you try to do something, work out whether you can do it or not. Then try. Otherwise, it's all just wasted effort.
Am I the only person who thinks the whole concept of e-book encryption with the goal of stopping dedicated piracy is pointless?
Encrypting the contents of a transmission between two parties so that no 3rd party can read it is do-able, and has always been the main thrust of encryption. But what people like Adobe and Microsoft are essentially trying to do is make it impossible for the second party to read the message - because as soon as you read the message, you can reproduce it.
Assume that Adobe/Microsoft encrypt this with something that will provably take an untenable amount of time to crack - say 1024-bit public key encryption (sorry, IANACryptologist, I don't know the proper term.). I won't be able to crack the book itself, but since it appears on the screen at some point, I'm going to be able to read it sooner or later - and I can copy it. E-book encryption is the equivalent of the club lock - it'll stop casual copiers, not the dedicated copier - and this approach will only work until the first dedicated copier writes a program to let everyone else do it.
The same is true of sound files, though maybe not to the same level, as the concept of digital watermarking can be applied. I still think the same rules apply. As a result, I can't help but think of the whole e-book and sound-file encryption push as smoke and mirrors, meant to convince people that bits can be made uncopyable.
Re:Security: Antonyms: See Microsoft (Score:5, Insightful)
Actually, they are.
The other day, I was on the hall where a good chunk of my professors [uah.edu] have offices. I got into a discussion with a few of them, and the gist was this:
Of course, I got to wondering about that; we talk about White Hats and Black Hats, but even the Black Hats serve a purpose, if your goal is to rid the world of Microsoft. I'm not sure that it is for me--I'd be happy to use their products if they would code good stuff. [Posted from IE6 on Win2K, but only because I have to have a Windows box to do my school crap...]
But to the point, the end users are getting frustrated with all the security holes. In this case, these guys don't want their research exposed by something like SirCam, which could very easily happen. I think they'd happily go for a switch if solid interoperability with those Left Behind in the Microsoft world could exist.
And hey, remember that these are aerospace engineering professors, who aren't always at the vanguard of computing technology. I mean, I've had to do research with them using F77...
Re:Security: Antonyms: See Microsoft (Score:2, Insightful)
Re:What's American Express thinking? (Score:3, Insightful)
Now, AMEX isn't going down because of MS or anything, but what they are doing is putting themselves in a very vulnerable position. They are basically hitching their entire online effort to Hailstorm if they go through with this, which will be a pretty big chunk of revenue someday.
Say MS decides to screw them out of Hailstorm 3 or 5 years down the line, what do they do then? AMEX may be big, but they're certainly not capable of deploying their own version of Hailstorm. Getting in to bed with MS is a risky proposition at best, even if you're a big company.
Re:I'm normally not one to hate on Microsoft stori (Score:5, Insightful)
> But, unlike with M$ products, you can plug them, since you have the SOURCE.
And increasingly important, you can talk about them without fear of drawing a Go To Jail card.
I suppose what you are trying to say is... (Score:3, Insightful)
If Jim wants to send Carol some information that they BOTH don't want Bob to see, no problem. This is the intent of crypto.
However, as soon as Carol decides that she doesn't mind Bob also getting the information, it is all over. No amount of crypto can prevent that transaction.
Given this quite obvious fact, it surprises me that ANY real crypto guy would even bother touching this problem.
Evidence? (Score:3, Insightful)
Hell, I could claim that I just broke into the CIA. I know where Elvis is and I know who killed JFK, but the DMCA won't let me tell you.
Re:3 == 1 ?! (Score:2, Insightful)
Ironically enough you don't say a single thing that isn't true. Everybody responding seems to be overlooking that fact. People are inferring that you are claiming they never get around to the third line in the article. The fact is, it is bad writing even if for different reasons.
The author should have led with the single line reference and then 'flashed back' to tell of earlier longer exploits, like the three liner(s).
Sorry all 10 or so of you, but the joke's on you! 8^} Don't feel so bad. Even the "professionals" can't write well anymore, so it's no great surprise that you can't recognize bad writing when you see it. After all, if you read the paper or watch/listen to TV news then bad writing is pretty much the norm, and so you're conditioned to find bad reporting to be quite satisfactory. It's too bad really.
Re:I suppose what you are trying to say is... (Score:3, Insightful)
Well,
Jim = Publisher
Bob = Your computer
Carol = You
It works fine as long as your computer is not allowed to work for you, but instead works for the publisher - which is what the DMCA is all about: making it clear who your computer/DVD player/ebook reader actually belongs to and works for, and that you are merely a servant to it (What? You say you bought it? HAHAHAHAHAHA - you probably paid more for it to install the functionality so it would obey us!).
If the forces of evil thought that these technologies could work, they wouldn't have needed to buy the DMCA and WIPO (legislation costs!). Their agenda is very clear - to wrestle the control of the agents away from the users, so that those agents can act against and control them, returning customers (those things that used to be people when they were capable of cogent thought) into their rightful position as passive money pumps in the global economy.
Re:Wait a minute (Score:2, Insightful)
Sure, if you're looking for it. But the orig. comment was about people who were just average users and weren't nearly paranoid enough.
aren't all network connections logged?
Not necessarily; just think how much data that would be. You've got a graphical browser, right? Well, each and every picture you see has to be downloaded. That'd all be logged. You'd get tired of looking through it pretty quickly. My point is that it's easy for this sort of thing to get lost in background noise even if you know to look for it.
can multiple apps establish simultaneous connections through the same port, or does each process need its own?
The latter, I believe...I'm no programmer type either.
I'm hopeful (Score:3, Insightful)
This might just be what's necessary to once and for all turn public opinion against this evil empire.
Re:this is what freenet was made for! (Score:3, Insightful)
Try reading Martin Luther King Jr.'s papers. "Letter from a Birmingham Jail" is textbook legal philosophy on civil disobedience.
http://www.almaz.com/nobel/peace/MLK-jail.html
Derek
Re:this is what freenet was made for! (Score:1, Insightful)
Until people, and I mean in a number large enough for it to be noticed, are prepared to give up their remaining rights to secure those they once enjoyed, there seems little hope here...
Re:Microsoft Security Model - implemented via DMCA (Score:5, Insightful)
Then some well-paid foreign hacker can crack the server, launch the missile at Canada and all heck breaks loose. Or some terrorist sympathizer can funnel money to his buddies, or simply cause havoc in major US financial systems.
Do you really think the best hackers in the world are all boring enough to work for the NSA, or even born in the US? Are we really supposed to feel secure knowing that the main obstacle preventing our "secure" systems all over from being cracked is the danger of being cracked? Talented hackers are not script kiddies. Talented hackers won't be leaving little notes like "j00 4r3 0wn3d". Talented hackers just might not care about the things the rest of us care about-- and they may be largely immune to legal action.
I think it's important that we consider the DMCA not only an affront to our traditional rights as consumers (i.e. Fair Use), but a danger to national security.
The whole thing is a bit like making it illegal to publish reviews of various locks from the hardware store. Yeah, it will keep Consumer Reports from telling shoppers which locks are high grade titanium or alloys and which locks are flimsy plastic, but it won't keep crooks from figuring out which is which and having a field day breaking into houses secured with the plastic locks.
Re:this is what freenet was made for! (Score:3, Insightful)
I think yours is a reasonable but incomplete view of "civil disobedience." If emulating the campaigns (or at least the non-violent parts) of King and Gandhi and Biko is what someone wishes to do, then they do need to be willing to face the consequences.
OTOH, a single person cannot succeed. All of the civil rights campaigns that succeeded did so because of their numbers. The campaign takes a long time and needs to pile small victory upon small victory.
If you do it by yourself, you stick up like a nail and get hammered down. So instead of one person publishing it, try to get hundreds. Perhaps the EFF or EPIC or some such group can help lay the strategy for a test case. It may be that reader software is not the appropriate vehicle to bring a DMCA challenge. These sorts of changes don't just happen, they are made. The landmark Brown v. Board of Education was the ultimate school desegregation case but dozens of earlier cases were brought at the lower levels to lay the groundwork that made the Supreme Court decision inevitable.
Finally, anonymous action is not the same thing as cowardice. It isn't traditional civil disobedience, but it isn't cowardice either. Similarly, rushing in may be foolish rather than brave. Pick the fights you have a chance to win and then prepare as thoroughly as you can. You need to be able to risk failure, but you don't have to seek it out.
Civil Disobedience? (Score:5, Insightful)
No. The whole point of civil disobedience is that a law or regulation is openly defied in a very public manner, and the transgressors challenge the authorities to enforce the law. The belief is that should the larger public become aware of the law and the inappropriate punishment that comes from breaking it, the government will feel compelled to change the law. As well, if enough people are openly breaking this law, the system will get clogged up with trivialities.
Civil disobedience is not hiding in the shadows and skulking around under cover of anonymity.
And this gets a +5 insightful? WTF?
Re:Releasing the program is easy. (Score:3, Insightful)
Am I the only one who is reading posts like this parent and mistaking this for a discussion about China? Distributing documents anonymously via FreeNet, fear of identity disclosure, friends turning you in? When the hell did America start to embody everything it is supposed to stand against?