Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!


Forgot your password?

MS Security: On A Path As Clear As It Is Reliable 360

bobthemonkey13 writes: "It appears that Microsoft's 'secure' E-Book system has been cracked. MIT Technology Review is reporting that an anonymous programmer has figured out how to bypass the 'advanced antipiracy features' in Microsoft Reader. This sounds a lot like what Dmitry did except for two things: The MS E-Book hacker has (wisely) decided to remain anonymous, and he's not publishing his program. God bless the U.S., where moving a book from your home to your office is a federal offence." Along similar lines, an Anonymous Coward indicates this story at USA Today titled "Expert Hacks Hotmail in 1 Line of Code." "I'm in awe! Unless someone can figure out how to execute pseudocode or half a line this isn't beatable. I hope this get's fixed or the whole future of pay-per-view web services could be impacted. :-q" Good thing Microsoft isn't quite sure what to do with all this universal-password stuff. (Thanks to Sacha Prins.)

Jamie adds:

In other news about poor security where you least expect it, Kitetoa informed Veridian a little while ago that: "Any script kiddy can root your web site. And... By the way... Someone already did it (as you should have seen at www.veridian.com/upload/ if you knew anything about internet security)."

I don't know what that URL gives you now, but as of this writing, and for the last several hours, it's read:

fuck USA Government
fuck PoizonBOx

This is the same Veridian that the Defense Department picked to track computer network attacks on DoD systems, specifically attacks coming from China.

This discussion has been archived. No new comments can be posted.

MS Security: On A Path As Clear As It Is Reliable

Comments Filter:
  • by ywwg ( 20925 ) on Thursday August 30, 2001 @11:52PM (#2237751) Homepage
    this guy should upload the code to freenet where, hopefully, it is impossible to remove the program or discover the author. This is the exact kind of thing freenet was designed for, so if the author is out there in slashland, go for it! Civil Disobedience ra ra ra!
    • by danheskett ( 178529 ) <danheskettNO@SPAMgmail.com> on Friday August 31, 2001 @12:02AM (#2237774)
      No. No. No.

      Civil Disobedience is done in the name of change, and therefore *requires* accountability. Doing this like an anonymous coward, distributing it and not letting yourself be known is lame, and will be seen rightly as an act of cowardice. Granted, the cowardice is justified as a certain russian programmer can tell you.

      If the author is out there in slashland email me, and I will publish the app for you publically and with my name. I will accept all responsibility for writing the program and distributing.

      I've got nothing better to do than to protect the constitution and help invalidate an evil malformed law. Bring it on.
      • Civil Disobedience is done in the name of change, and therefore *requires* accountability. Doing this like an anonymous coward, distributing it and not letting yourself be known is lame, and will be seen rightly as an act of cowardice. Granted, the cowardice is justified as a certain russian programmer can tell you.
        You are mistaking cowardice with discretion. One must be very careful under today's laws with what one releases. Not wanting to fight is not cowardice, it is picking your battles. If source is released, or a name is released, there are serious legal reprocussions - which cost millions of dollars to fend off - while, on the other hand, just letting people know it is possible creates the same community sentiment without ending up in jail for the rest of your life.
        • Umm, civil disobedience REQUIRES submitting oneself to the legal repurcussions of one's actions. Otherwise, its just vandalism.

          Try reading Martin Luther King Jr.'s papers. "Letter from a Birmingham Jail" is textbook legal philosophy on civil disobedience.


      • If the author is out there in slashland email me, and I will publish the app for you publically and with my name. I will accept all responsibility for writing the program and distributing.

        No, don't email to him, he's using hotmail! :)
      • Well, if the alternatives are, doing something anonymous, or standing up for it and daring a lawsuit this may be right. But if the alternatives are, doing something anonymous, or not doing anything at all for fear of a lawsuit, doing something might be the better path of action.

        I think, that in the case in question the anonymous programmer has done enough to make the security flaw public (he demonstrated it to the author of the article AFAIK) while opening himself not too wide to lawsuits. Now releasing the code (even on freenet) wouldn't be a good course of action, since this might give microsofts lawyers enough of a lever to subpoena his name from MIT Tech. Rev. It would be inconsistent with his previous course of action too.

        Maybe an even better course of action would be, to anounce a security hole but refusing to let out anything else about it "for fear of being sued". One might even go as far as saying that an exploit was never implemented, since even that would be against the DMCA. But one would surely need some lawyers to test the grounds of this.

        Maybe the security experts should just leave it up to the writers of trojan horses, worms and virii to find security holes in products whose manufacturers decide to rely on the DMCA for their security and then just point out the number of exploits. I don't know how better to get home the point, that a security hole exists, regardless if it's made public or not.
      • Civil Disobedience is done in the name of change, and therefore *requires* accountability. Doing this like an anonymous coward, distributing it and not letting yourself be known is lame, and will be seen rightly as an act of cowardice.

        Yeah. I'm sure that's how people in other police states (I mean outside the US) see it.

        They all realize that if they disobey, say, the Chinese government, that they need to do it in full public view and be accountable. Otherwise, it is pointless.

        Don't assemble and meet in secret. Don't exchange information secretly. You need to be accountable.

        Heck, FreeNet should be illegal. It destroys the accountability part of civil disobedience. I'll write my congresscritter.
      • "Civil Disobedience is done in the name of change, and therefore *requires* accountability. Doing this like an anonymous coward, distributing it and not letting yourself be known is lame, and will be seen rightly as an act of cowardice. Granted, the cowardice is justified as a certain russian programmer can tell you.

        If the author is out there in slashland email me, and I will publish the app for you publically and with my name. I will accept all responsibility for writing the program and distributing.

        I think yours is a reasonable but incomplete view of "civil disobedience." If emulating the campaigns (or at least the non-violent parts) of King and Gandhi and Biko is what someone wishes to do, then they do need to be willing to face the consequences.

        OTOH, a single person cannot succeed. All of the civil rights campaigns that succeeded did so because of their numbers. The campaign takes a long time and needs to pile small victory upon small victory.

        If you do it by yourself, you stick up like a nail and get hammered down. So instead of one person publishing it, try to get hundreds. Perhaps the EFF or EPIC or some such group can help lay the strategy for a test case. It may be that reader software is not the appropriate vehicle to bring a DMCA challenge. These sorts of changes don't just happen, they are made. The landmark Brown v. Board of Education was the ultimate school desegregation case but dozens of earlier cases were brought at the lower levels to lay the groundwork that made the Supreme Court decision inevitable.

        Finally, anonymous action is not the same thing as cowardice. It isn't traditional civil disobedience, but it isn't cowardice either. Similarly, rushing in may be foolish rather than brave. Pick the fights you have a chance to win and then prepare as thoroughly as you can. You need to be able to risk failure, but you don't have to seek it out.

    • Microsoft's favorite security model - security through obscurity - has vary little to do with Hailstorm and everything to do with the DMCA. Not only does the producer of the security mechanism simply not publish the details of that mechanism, but through the wonders of the DMCA, Microsoft is empowered to enforce their security model by preventing the publication of holes discovered in the security system, thereby maintaining the obscurity.

      Sarcasm aside, does it really matter how secure hailstorm really is, ig Microsoft can sue into oblivion anyone who publicizes or even researches security exploits related to the system...?

      • by ichimunki ( 194887 ) on Friday August 31, 2001 @08:59AM (#2238529)
        Yes, it does matter. The most important issue here is that the DMCA protects bad security. I can't wait for MS to say "there have been no published or known exploits to XYZ Security Package, so it is secure", then later selling the US Government some NT-based, web-based nuclear missile launcher running off IIS. Or they sell systems to Citibank or the Federal Reserve.

        Then some well-paid foreign hacker can crack the server, launch the missile at Canada and all heck breaks loose. Or some terrorist sympathizer can funnel money to his buddies, or simply cause havoc in major US financial systems.

        Do you really think the best hackers in the world are all boring enough to work for the NSA, or even born in the US? Are we really supposed to feel secure knowing that the main obstacle preventing our "secure" systems all over from being cracked is the danger of being cracked? Talented hackers are not script kiddies. Talented hackers won't be leaving little notes like "j00 4r3 0wn3d". Talented hackers just might not care about the things the rest of us care about-- and they may be largely immune to legal action.

        I think it's important that we consider the DMCA not only an affront to our traditional rights as consumers (i.e. Fair Use), but a danger to national security.

        The whole thing is a bit like making it illegal to publish reviews of various locks from the hardware store. Yeah, it will keep consumer reports from telling shoppers which locks are high grade titanium or alloys and which locks are flimsy plastic, but it won't keep crooks from figuring out which is which and having a field day breaking into houses secured with the plastic locks.
        • Then some well-paid foreign hacker can crack the server, launch the missile at Canada and all heck breaks loose.

          I'm not too worried about that. Most of Canada is nearly uninhabited, so you'd probably only kill some deer and the rednecks who were hunting them. Given the average American's knowledge of Canadian geography, I'm not too worried about you guys finding our major population centres, even though they're pretty much all within a 100 kilometres of the US border (and yes, that's how we spell "centres" here). :-)

          Seriously, though, I must urge my fellow Canadians to visit this government site [ic.gc.ca] and send them your comments on the proposed DMCA-like revisions to Canadian copyright law.
    • by why-is-it ( 318134 ) on Friday August 31, 2001 @09:56AM (#2238790) Homepage Journal
      this guy should upload the code to freenet where, hopefully, it is impossible to remove the program or discover the author. This is the exact kind of thing freenet was designed for, so if the author is out there in slashland, go for it! Civil Disobedience ra ra ra!

      No. The whole point of civil disobedience is that a law or regulation is openly defied in a very public manner, and the transgressors challenge the authorities to enforce the law. The belief is that should the larger public become aware of the law and the inappropriate punishment that comes from breaking it, the government will feel compelled to change the law. As well, if enough people are openly breaking this law, the system will get clogged up with trivialities.

      Civil disobedience is not hiding in the shadows and skulking around under cover of anonymity.

      And this gets a +5 insightful? WTF?
      • You're right, of course. Traditional civil disobedience would be the way to go in an ordinarily democratic society, in which the will of the people prevails.

        Here. Read this. [actupny.org]

        Their concept of civil disobedience is a little different than Thoreau's in that they don't seem to favor individual acts. They are talking about public mass demonstrations. But what demonstrations are we talking about here? A million man march on Redmond? I am not sure that would do a thing.

        File this one under "Monkey Wrench" [abbeyweb.net]... You can debate the morality and ethical implications at your leisure, but stop calling it civil disobedience, and start calling it what it really is [wordorigins.org](dig the Star Trek reference). It might make it harder to justify, and easier to vilify, n'est ce pas?

  • by UnknownSoldier ( 67820 ) on Thursday August 30, 2001 @11:55PM (#2237760)
    The unfortunate thing is, that while it seems "M$ software gets hacked every other month", the general consumer isn't making security (or I should the lack of it? :) a big deal.
    • by TOTKChief ( 210168 ) on Friday August 31, 2001 @12:40AM (#2237879) Homepage

      Actually, they are.

      The other day, I was on the hall where a good chunk of my professors [uah.edu] have offices. I got into a discussion with a few of them, and the gist was this:

      "We've been telling folks around here for a while that we don't like Microsoft products, but because they're the de facto standard, we're forced to use them. Thank God for all the hackers that find holes and the real jerks that exploit them.

      Of course, I got to wondering about that; we talk about White Hats and Black Hats, but even the Black Hats serve a purpose, if your goal is to rid the world of Microsoft. I'm not sure that it is for me--I'd be happy to use their products if they would code good stuff. [Posted from IE6 on Win2K, but only because I have to have a Windows box to do my school crap...]

      But to the point, the end users are getting frustrated with all the security holes. In this case, these guys don't want their research exposed by something like SirCam, which could very easily happen. I think they'd happily go for a switch if solid interoperability with those Left Behind in the Microsoft world could exist.

      And hey, remember that these are aerospace engineering professors, who aren't always at the vanguard of computing technology. I mean, I've had to do research with them using F77...

    • They do, though to the common user viruses are security breaches not hacking. The common user does *not* realise the implications of box rooting. They're used to IT people doing miracle work to recover lost email, and blame them for the little that they lost instead of being spanked for causing the security breach in the first place.
  • ... but that headline is simply hitting way below the belt. There's plenty of security holes in every stock Linux distro too, you know.

    - A.P.
    • ...most notably, Red Hat Linux 7.1 and 7.2 (beta) default to setting up a packet filter (albeit a somewhat lame ipchains-based filter even though they could have used iptables/netfilter) at install time. A standard/default RH 7.1 install (even a "full" install) would be in pretty good shape, at least vis-a-vis network attacks. Local/console attacks are another matter, as they are for any system.

      A year ago I would have been much more inclined to agree with you... but it's kinda funny. As time goes on, Windows seems to have more network services, and more problems, while Linux distros are becoming more sane and simple, follwoing OpenBSD's lead...

      • ...most notably, Red Hat Linux 7.1 and 7.2 (beta) default to setting up a packet filter (albeit a somewhat lame ipchains-based filter even though they could have used iptables/netfilter) at install time

        A packet filter is better than nothing, but it is not the answer. One should not assume that because they are "protected" by a packet filter that they are secure.

        IMHO, I think that it can be argued that a proxy firewall solution is the most secure. With a proxy, there is no direct connection between a host on the secure network and the internet. The downside of course is that proxy solutions are not transparent.

        The next best alternative would be a firewall that does stateful inspection. That is transparent to the user, but is not a secure as a proxy-based one.

  • Mommy,I'm Scared (Score:4, Interesting)

    by notext ( 461158 ) on Friday August 31, 2001 @12:00AM (#2237767)
    Everytime I read about hailstorm, I am in shock but at the same time scared.

    First, off I can't believe that Mircosoft thinks they should be in control of so much personal information.

    Second, that Microsoft thinks they can somehow keep it safe.

    Third, and this is what scares me. A lot of John Q. Public will give them all this information.

    Better them than me I guess.
    • Third, and this is what scares me. A lot of John Q. Public will give them all this information.

      Indeed. I was helping some neighbors with a computer issue a couple weeks ago and noticed they had a gator.com utility in the toolbar (Slashdot search seems hosed at the moment, but they came up recently). I asked them about it.

      Basically you enter all of your details (name, mailing address, phone number, etc) and it will automatically fill them in on web forms. Now, ignoring the cross-site scripting fun you could have with this little toy, I just had to ask...

      "So, basically, you give them every marketable piece of information they could want so they can provide it to others automatically?"


    • Keep in mind: (Score:3, Interesting)

      by alewando ( 854 )
      Keep in mind not everyone agrees with that sentiment. Some would argue that, if you discount the numerous security issues, Microsoft has perhaps the strongest track record of innovation in the industry. [adequacy.org] <----- Read it and see what I mean.

      We know it's bunk. They ought to know it's bunk, and yet they don't.

      • I'm not saying that Microsoft or Bill Gates aren't inovative
        • I'm not saying that Microsoft or Bill Gates aren't inovative

          There are a lot of people out there who would suggest that rather than innovate, m$ tends to copy what other people are doing and integrate that into their OS.

          Can someone provide examples of things m$ did that constitute original, innovative work?
          • Can someone provide examples of things m$ did that constitute original, innovative work?

            How about Code Red? First thing that comes to my mind would be the original, innovative PR and possibly the legal work. When it comes to spinning the ugly stuff, these guys beat out Clinton (so far).... since most people believe them.

      • From that article:

        "For instance, Microsoft's testing uncovered the fact that 80% of users never discovered the functionality of the right mouse button"

        Hmmm... Apple's usability and interface people figured that out in... er... well, the early 80s. And they didn't make "a new menu system replicating this [right-click context menu] functionality". They just provided one-button mice and designed the interface accordingly.

        Sigh. I wish Apple had gotten it together.
    • I'm hopeful (Score:3, Insightful)

      by Baki ( 72515 )
      Once the public in general trusts their personal data, credit card numbers etc to MSFT (including politicians), sooner or later they will feel betrayed by this company (when, not if, someone steals their data and misuses it).

      This might just be what's necessary to once and for all turn public opinion against this evil empire.
      • Unfortunately, I don't think most people would feel betrayed if their personal information was stolen from a Microsoft server, or any server. They would blame the hackers. The media profile of hackers is so high, and the profile of security experts is so low, that most people don't realise it's possible to secure your data against hackers, and they won't expect the system administrator to be held responsible if a hacker breaks into the system.
    • Does anyone know how Hailstorm fits in with the UK's Data Protection Act legislation? Does MS become the owner of the data? If so it's up to them to take "reasonable measures" to guarantee the security of the information. If they fsck up, then - IANADPL - they could be in deep shit. Similarly, the physical location is important. Sending personal data outside of the EU without permission is against the DPA - that could happen just in a server replication.

      Any DPA experts out there?

      Is there similar legislation stateside?

  • The MS hack (Score:4, Interesting)

    by MobyDisk ( 75490 ) on Friday August 31, 2001 @12:06AM (#2237781) Homepage
    It sounds like they used a well-known technique of adding javascript/java/some other active code that nabs information such as URL & cookies into an email. It then uses that info to do something like sending it to an anonymous collection account.

    With new forms of active content being added to web pages all the time, it is amazing that anything with dynamic content. I know that's vague, but that sounds like the gist of it.

  • by Restil ( 31903 ) on Friday August 31, 2001 @12:08AM (#2237785) Homepage
    Freenet is not really the only solution if the programmer chose to release the program and not reveal his identity. There are numerous other channels available which will let him preserve his anonymity. The only advantage to freenet is that is at least has a somewhat legitimate charter, where as other methods are typically underground and shady.

    But still, if done properly, it could be released and spread without anyone finding out who the author is. The danger is if that person ever told ANYONE about it. If he did, then he's not truely anonymous, and given enough of an incentive, someone might be tempted to talk. At least, without releasing any code, then its technically all heresay and a lot less likely to be in violation of some strange law.

    I fear however that this is how it will have to be done in the future if the silly laws don't get overturned. Either that, or some REALLY important sensitive document will have to be cracked and released publicly to the embarrasment of a large organization with a lot of people chanting "we told you so" before those in power might take a second glance and realize that perhaps peer review for security is a good idea after all.

    • The danger is if that person ever told ANYONE about it. If he did, then he's not truely anonymous, and given enough of an incentive, someone might be tempted to talk.

      Am I the only one who is reading posts like this parent and mistaking this for a discussion about China? Distributing documents anonymously via FreeNet, fear of identity disclosure, friends turning you in? When the hell did America start to embody everything it is supposed to stand against?

  • Cheap testing... (Score:3, Insightful)

    by Halster ( 34667 ) <haldouglas&gmail,com> on Friday August 31, 2001 @12:08AM (#2237786) Homepage
    Did anyone ever wonder whether M$ do this deliberately?

    Recently they've had some holes (much like this) that you'd have to be out of your head smoking crack to miss.

    Quality assurance at Microsoft is better than this when it comes to other areas. Could it just be that it's easier and cheaper to have somebody else find the holes and then, as the mega-funded publicity department goes into top gear issue a patch (where appropriate)?

    Either that or Microsoft buys a lot of crack! ;)
    • Microsoft's QA program is very heavily slanted towards automated testing of regular builds. If something isn't on the test, it won't be tested. They don't do good design reviews, which is why some of the stupid holes don't get protected from.
  • by phalse phace ( 454635 ) on Friday August 31, 2001 @12:09AM (#2237788)
    Oh, great! Looks like what people have been saying will come true -- The DMCA will stifle innovation, quality, security,.... etc. Now whenever there's a flaw in something, people will be too afraid to report it, for fear of being prosecuted under the DMCA. Back to the Dark Ages for us!

  • while true; do telnet www.hotmail.com 80 < /dev/urandom; done

    Then just sit back and wait.

    On a related note, i'd like to dispel a common myth. Real Programmers don't use 'cat > a.out' or 'cat /dev/audio > a.out' plus some whistling, they type 'chmod +x /dev/urandom' and hope for the best.
  • MS Liability (Score:3, Interesting)

    by 4n0nym0u53 C0w4rd ( 463592 ) on Friday August 31, 2001 @12:12AM (#2237795) Homepage
    So, let's say that MS Hailstorm is implemented and within a couple of years, a good portion of users have their data and software settings stored on .Net servers, and can access it with their Passport login and password.

    Now let's say that someone finds another flaw in passport (I know, hard to believe, but go with me here). Needless to say, Hailstorm users will be left vulnerable. The question is, will the Hailstorm and Passport EULA protect MS when it comes to legal liability for a) lost data, and b) copied or stolen data (loss of intellectual property, etc...)

    My guess is that even if they are to blame, MS won't be legally liable. Doesn't sound like a good choice for users...
  • the program doesn't exist.

    I understand not wanting to be the next DMCA victim, but really, if the code isn't out there, then, it doesn't exist in my eyes.
    • by nyet ( 19118 ) on Friday August 31, 2001 @02:17AM (#2237998) Homepage
      While I agree with you in principle, this does tickle something in the back of my brain. If the DMCA causes so many people to wish to remain anonymous when they discover a vulnerability, why not FLOOD the media with bogus exploit reports? Just claim you won't release it due to the DMCA. Eventually, if enough random hackers do this, and enough people buy it, there will be so much paranoia of "hidden" exploits, that eventually somebody will call for mass disclosure. And the only way this can happen is for global DMCA amnesty.. similar to what brought about whistle blower legislation.
  • by krmt ( 91422 ) <therefrmhere AT yahoo DOT com> on Friday August 31, 2001 @12:16AM (#2237811) Homepage
    I don't really know why any large company would sign on for Hailstorm. No one really wants to be tied to any specific vendor for such an important part of their business. Granted, they're already tethered via their desktop PC's, but incorporating Hailstorm in to your business plan? You're basically putting your chance of profit in the hands of MS, who has a well known history of screwing over its own partners.

    The problem, as I see it, is that American Express and others can beat their competitors to the punch by being a part of Hailstorm, providing services no one else does, but that goes with extreme risk. I guess that's why they haven't signed a contract with MS yet. It's a tough one for any company.
    • I was actually thinking about getting a AMEX card. But after seeing this, that is a lot less likely.
    • "who has a well known history of screwing over its own partners."

      Care to provide some examples?

      The company I work for has partnered with Microsoft last year on their homeadvisor.com website. The section we worked on turned into a failure and the plug was pulled less than a year later, but Microsoft refunded to our company our investment into the site.

      I knew someone else back in '94 who started a small company that was partnered with Microsoft and writing utilities for Windows NT. Microsoft helped them startup, paid for an ISDN hookup into their office so they could more easily communicate with Redmond, and then two years later bought out the company and moved them all to Redmond. The guys were more than happy to make that move!

      Every company I'm aware of that has partnered with Microsoft has been treated very fairly.

      Even Seattle Computing which provided the original MS-DOS was treated very well. While the initial contract was for only a few thousand, they received much more than that over time, and many of the companies employees ended up working at MS and becoming some of their early millionaire programmers.

      I guess I'm curious about this well known history.

      This seems like a case of "I hate Microsoft, and I'm going to say whatever I can to try to make them look bad, even though I can't really justify it."
      • Most prominent is IBM. Enough said there.

        Intel. Remember Wintel? Why is Intel so pro Linux now that they're bailing out SuSE?

        Another is Apple. Yes, they were very much in bed together during the development of the Mac. These days it's knife the baby.

        Sun. Java got twisted by Microsoft quite nicely.

        There was also the bootloader story the other day, in which the article talked about the OEMs who got preassured by MS in to only having Windows on their computers.

        I'm sure there are others, I'm not so up on the history of MS (I know more about Apple). But I hope this justifies things to you enough.

        The fact is, all the companies you mentioned are small fish, and the small fish are what MS plays nice with or buys out. They're no threat. But when it's a big company that could potentially hold some power over MS, they get fucked over big time. American Express is a big company that's rolling in both money and brand name. As such, they actually have something to worry about in a partnership with MS.
        • In each and every case you provide an example of a partner who thought they could screw over Microsoft and turned out they weren't as smart as they thought. IBM, Apple, Sun...

          Except Intel. Anybody who would sit there and argue that Intel has not had a tremendously successful partnership with Microsoft is smoking crack. They support Linux not in a reaction to Microsoft, but rather to expand their markets.

          Your hatred will make you strong... I guess. That's what the Emperor said anyway, right?
          • Your hatred will make you strong... I guess. That's what the Emperor said anyway, right?

            Ok, I don't know where you get this "hatred of Microsoft" thing from on me, but the fact that you keep pushing it even in the face of actual evidence that is contrary to what you have to say makes me question your interests.

            If you want to trust the shark, then go ahead, be my guest. I don't hate sharks any more than I hate Microsoft, but I don't trust sharks any more than I trust Microsoft either. Microsoft does know what it's doing, and what it's doing is making money the best way it knows how. I don't fault them for that, but that doesn't mean I, or American Express, should trust them either.

            You have, of course, failed to even address my initial question, as to why American Express is taking the risk of getting in to bed with Microsoft. Microsoft does have a history of screwing over its partners, as I mentioned, and who's to say AMEX isn't capable of screwing over Microsoft if they want any more than Apple or Sun was? Microsoft is in the service game now, and American Express provides a service. I wouldn't be surprised if, at some point, Microsoft decides to get in to the credit game (hey, they're always expanding in to new markets) in order to keep tight control on their service platform. That's not to say it will happen, but who's to say it won't?

            Now, if you want to go and lambast me for my "hatred" then please, go right on ahead. But I'd also like it if you could try and answer my questions rather than throw names at me.
            • You've still failed to provide evidence of this history of Microsoft screwing over partners.

              You say I shouldn't trust Microsoft, but yet I am having a very difficult time trusting you.

              • Sure I provided evidence. What do you think that post was with the list of companies that you seem to be forgetting? You can't tell me IBM, Apple, etc. weren't partners. Nor can you tell the other posters who provided more companies who got screwed that there's no evidence. I don't know why you refuse to acknowledge that Microsoft has given quite a number of companies the shaft, but if you choose to see the world that way, that's your business.
      • Example: (Score:3, Interesting)

        by gnovos ( 447128 )
        My company (nameless for now). We are a MS "partner". A few weeks ago, they suddenly decided to tell us that they were developing the exact same software as our product, and they thanked us for all the help we had given them. If we want, they will let us continue to be a "partner" and give them our great ideas for as long as we still have funding (which runs out in December).
      • Most companies that announce to partner with MSFT do so out of despair (such as SGI having difficulty in their niche market decided to go Wintel too). This provides a short-term revival, before final death arrives.

        There are numerous examples of that.

        I am always very suspicious of companies that partner with MSFT suddenly. Usually it means they'll be dead soon.
      • "who has a well known history of screwing over its own partners."

        Care to provide some examples?

        A few come to mind:

        Blue Mountain Arts
        TV Host
        STAC Electronics
        Internet Electronics

        This is too easy...

  • by Ferd Lamarche ( 463454 ) on Friday August 31, 2001 @12:20AM (#2237824) Homepage

    Well, this is strange. I'm sitting on a Windows 98 box with McAfee VShield v4.0.3 installed and virus definition files from 2001/06/13. Whenever I try to go to http://www.veridian.com/upload/ with either IE 4.01 or Netscape 4.70, McAfee pops a warning dialogue saying I have just downloaded a worm called "SunOS/BoxPoison.worm". I also have a small Perl program I can use to perform command-line HTTP downloads, and with it, I can download the page at http://www.veridian.com/upload/ without any problems.

    I'm probably getting the warning because something in the HTML code matches the signature for a known worm. But still, if the message on the site isn't enough to scare people, the warning from their virus scanner certainly will!

    HTTP/1.1 200 OK
    Server: Microsoft-IIS/5.0
    Content-Location: http://www.veridian.com/upload/index.htm
    Date: Fri, 31 Aug 2001 03:51:47 GMT
    Content-Type: text/html
    Accept-Ranges: bytes
    Last-Modified: Wed, 09 May 2001 12:53:30 GMT
    ETag: "6a8163c87d8c01:943"
    Content-Length: 289

    (Slashcode has inserted a few spaces into the following HTML... I hope this doesn't trip your virus scanner...)

    <html><body bgcolor=black><br><br><br>&lt ;br><br><br><table width=100%><td><p align ="center"><font size=7 color=red>fuck USA Government</font><tr><td><p align="cen ter"><font size=7 color=red>fuck PoizonBOx<tr><td><p align="center"><font size=4 color=red>contact:sysadmcn@yahoo.com.cn</htm l>

  • by The Milky Bar Kid ( 411137 ) on Friday August 31, 2001 @12:28AM (#2237848)

    I thought one of the golden rules of any sort of engineering is that before you try to do something, work out whether you can do it or not. Then try. Otherwise, it's all just wasted effort.

    Am I the only person who thinks the whole concept of e-book encryption with the goal of stopping dedicated piracy is pointless?

    Encrypting the contents of a transmission between two parties so that no 3rd party can read it is do-able, and has always been the main thrust of encryption. But what people like Adobe and Microsoft are essentially trying to do is make it impossible for the second party to read the message - because as soon as you read the message, you can reproduce it.

    Assume that Adobe/Microsoft encrypt this with something that will provably take an untenable amount of time to crack - say 1024-bit public key encryption (sorry, IANACryptologist, I don't know the proper term.). I won't be able to crack the book itself, but since it appears on the screen at some point, I'm going to be able to read it sooner or later - and I can copy it.E-book encryption is the equivalent of the club lock - it'll stop casual copiers, not the dedicated copier - and this approach will only work until the first dedicated copier writes a program to let everyone else do it.

    The same is true of sound files, though maybe not to the same level, as the concept of digital watermarking can be applied. I still think the same rules apply. As a result, I can't help but think of the whole e-book and sound-file encryption push as smoke and mirrors, meant to convince people that bits can be made uncopyable.

    • Using the Jim/Carol/Bob terminology...

      If Jim wants to send Carol some information that they BOTH don't want Bob to see, no problem. This is the intent of crypto.

      However, as soon as Carol decides that she doesn't mind Bob also getting the information, it is all over. No amout of crypto can prevent that transaction.

      Given this quite obvious fact, it suprises me that ANY real crypto guy would even bother touching this problem.

      • Well,

        Jim = Publisher
        Bob = Your computer
        Carol = You

        It works fine as long as your computer is not allowed to work for you, but instead works for the publisher - which is what the DMCA is all about: making it clear who your computer/DVD player/ebook reader actually belongs to and works for, and that you are merely a servant to it (What? You say you bought it? HAHAHAHAHAHA - you probably paid more for it to install the functionality so it would obey us!).
        If the forces of evil thought that these technologies could work, they wouldn't have needed to buy the DMCA and WIPO (legislation costs!) Their agenda is very clear - to wrestle the control of the agents away from the users, so that those agents can act against and control them, returning customers (those things that used to be people when they were capable of cognent thought) into their rightful position as passive money pumps in the global economy.
    • Marketing:
      1. Say you've done it
      2. Try to do it
      3. Study feasibility of it
      Note that steps 2 and 3 are optional.
    • Q: Why does anyone bother with e-book encryption?

      A: Profit

      e-book encryption is not designed to stop dedicated "cracking" attempts. It's not even designed to slow it down. Think about it for a minute. These weak protections are there in conjuction with the DMCA to facilitate the licensingmuch cheaper to produce and distribute.

      e-book encryption exists for the sole purpose of proping up an otherwise impossible business case. With physical media (i.e. a soft cover book) if I were to reproduce and distribute the books, I would not be able to sell them for less than the publisher, and still make any kind of a profit. The same is not true with el
    • I'll tell you exactly why. Because the requirement for ebook protection is born from outside of the technical department. Then it is passed around the techies who either refuse to do it because they know it will be cracked (and don't want to be accountable) or who will do it reluctantly because they don't want to lose their jobs. If they do have the balls and swing to say no, then it gets put out in front of a bunch of contracting companies. Some will know they can't and pass on the contract, others will line up at the teet and milk the cow.
  • by jon_c ( 100593 ) on Friday August 31, 2001 @12:54AM (#2237896) Homepage
    I used to work as Microsoft, MS Press and MS Research. While at research I needed to hack IE so it would forget about ActiveX security, I managed to reckon the registry settings but still had some questions.

    The place to ask questions to other developers internally is via Outlooks groups (like usenet), it's surprising there isn't a better channel to converse with other Microsoft developers, maybe there is, but that's all I knew about. Anyway, so I posted a question to the IE-dev group about my problem. The response was surprising, the lead PM of IE started flaming me, telling me about how Microsoft can not have any more exploits in IE, how I my manager would be informed etc..

    I guess I should have mentioned that what I was doing was only going to go out to a few select terminal ill users.

    The point I'm trying to make is that Microsoft is a large company made up many small groups which don't necessarily talk to each other, I'm not saying this in there defense, but it helps explain how so many problems can arise over and over again. Even if I had just went ahead and implemented this IE hack into something major I don't who would have held me accountable, as far as I know software does not need to go through a standard security audit, each group has there own QA which will vary wildly.

  • Suppose a company hates someone. It can invent a kind of "e-book" security using, say, a modified ROT-13 algorithm. Then challenge openly the guy to crack it. He does that and publishes his results. Now, can the company can use DMCA to put that person in jail?
  • by phutureboy ( 70690 ) on Friday August 31, 2001 @01:04AM (#2237911)
    Can anyone clearly explain cross-site scripting?

    I've seen a few explanations of it but they didn't make any sense. I'm slow like that.
    • by Ramses0 ( 63476 ) on Friday August 31, 2001 @01:56AM (#2237980)
      A lot of interactive websites can take user input (like slashdot did when you typed in your comment). A lot of times, they'll even redisplay it for you (like when you click preview).

      Most of the time, when you let users type something, you don't mind showing it back to them (they typed it after all). But with cross-site scripting, when you visit www.haxor.com, they'll provide you a link to www.phpnuke.org, but take advantage of the fact that phpnuke.org will display whatever that user has typed in.

      Normally this isn't a problem, but there are people who are really good with javascript that can basically email your cookies to somebody@haxor.com after you've clicked that link. Once they've got your cookies, they can usually pretend to be you- submitting comments, stories, etc. Changing passwords. On PHPNuke, this isn't such a bad thing, but I wouldn't want anybody messing with me on my online banking site.

      Take a look [phpnuke.org] at the previous example. I mailed the Nuke authors about 3 months ago telling them about the above problem. No response. Don't use Nuke for anything you want to be secure. The explanation of what just happened is that search.php displayed whatever "query" contained. I stuck a few special bits of html (ie a close bracket) into their search box. When it got re-displayed, I prematurely exited their input field. This gave me free reign to put nifty red font tags onto their page. Imagine that it was evil javascript instead.

      To prevent cross-site scripting attacks, you must remember to escape all untrusted data before displaying it to a user. For PHP, it would be something like: [input type=text value="[?PHP echo htmlspecialchars($their_input); ?]"]

      The htmlspecialchars function automagically kills all dangerous characters before writing the data, making it much more difficult to attack.


      • Or, to make this a little more fun, try the following (it won't do anything nasty if you don't have Javascript enabled, and will just popup a dialog and throw up a new Slashdot window if you do). This is just an example to prove you can do active content :)

        Try it. [phpnuke.org]

        The "source" is:

        alert("This site has a cross-site scripting vulnerability!")

        You can be much more nasty with this, popping up goatse.cx or whatever. Basically, it's possible to do anything JavaScript allows you to do.

    • http://www.apache.org/info/css-security/ has a good explanation and some links.

      The basic example is that you have a web page that asks for the user's name in a text entry field and then displays "Hi [name]"

      I come along and instead of entering my name I end the text entry with "> and then proceed to write javascript or whatever that performs some function on the server. It gets more interesting that that though.
  • Evidence? (Score:3, Insightful)

    by purplemonkeydan ( 214160 ) on Friday August 31, 2001 @03:11AM (#2238043)
    Is there evidence to prove that MS Reader has actually been cracked? I mean, he hasn't shown any code, he haasn't posted an cracked e-book.

    Hell, I could claim that I just broke into the CIA. I know where Elvis is and I know who killed JFK, but the DMCA won't let me tell you.
  • by r_newman ( 40868 )

    I'm outside the US, and have no intention of ever visiting it as long as the DMCA remains in place.

    If anybody would like to publish some code that violates the DMCA, forward it to me and I'll publish it immediately on a subdomain of tech-mad.org. No need to supply your identity or any other details.
  • Another misnomer.

    "God bless the U.S., where moving a book from your home to your office is a federal offence."

    That's funny, I recall taking home an industry mag from my IT desk just yesterday. Oh wait, you want me to copy each page in a professional photo-copier, with pictures, rebind it, and include the copyright notice the original publisher placed at the bottom, so I can have an additional copy at home. That seems perfectly legit.


  • Anyone? One has to wonder just WTF they do over there, no? This is starting to sound like the detox/rehab/wife beating world of family court. I mean there is what, a daily incident or problem where MS says - um yeah that's messed up too.

    Name me another company that has this many security problems.

  • "On a path as clear as it is reliable"

    ...Certainly true: Zero equals zero.

"I have not the slightest confidence in 'spiritual manifestations.'" -- Robert G. Ingersoll