Former Soviet republic Estonia has been under constant cyber-attack since it removed a Russian statue a month ago. Estonia claims that the attacks are from the Russian government. Journalists love the story and have been blindly repeating it, such as John Markoff reporting: "In Estonia, what may be the first war in cyberspace."
This is not the first such incident in cyberspace. Such incidents have been going on all the time. For example, two years ago a Japanese prime minister offended China and South Korea by visiting a shrine containing the remains of convicted WW II war criminals. Along with street protests, there were extensive cyber-attacks against Japanese sites from Korea and China. Back in 1999, while opponents of the WTO (World Trade Organization) were in the streets demonstrating against its meeting in Seattle, hacktivists were conducting a "cyber sit-in" against its website. This involved running JavaScript that would cause a user's browser to regularly refresh the homepage. Hacktivists have since used such sit-ins successfully in protests against oil companies, animal testing companies, and financial firms.
Like the attacks against Estonia, these attacks in cyberspace coincided with physical protests in the streets. Russia has an unusually large hacking underground with many people controlling large botnets. Any issue that brings Russian protests to the streets is therefore almost certain to bring with it DoS attacks. Thus, using Occam's Razor, it's unreasonable to believe that the Russian government itself had any direct influence on the cyber-attacks.
This story reflects the general paranoia of the Internet. Whenever anything happens, people seek to uncover the "plan" behind it. In reality, most bad things that happen on the Internet occur by happenstance, without any plan or conspiracy behind them.
An example of this is the Slammer worm of 2003. It hit South Korea especially hard. This is likely due to the fact that South Korea had unusually high bandwidth, and an unusually high percentage of vulnerable servers. There is absolutely no evidence that they were targeted by the worm, yet many in South Korea still believe the worm targeted them. Another example is the Witty worm of 2004. It hit the US military hard. This was due to the fact that the military controls the largest block of the world's IP address space and monitored it with vulnerable promiscuous systems. There is no evidence that they were targeted by the worm, but most people believed that the Army was the target.
Unfortunately, "happenstance" is not a legitimate story angle that reporters can report on. It's always something like "is this cyberterrorism" or "is this cyberwarfare".
EDIT: I just noticed this story on Slashdot, where the awesome guys at Arbor describe their analysis. They point out a few other examples, such as cyberattacks from Korea protesting a decision by an Olympic judge against a Korean athlete. Another example was nationalistic cyberattacks traded between Pakistan and India. Again, these incidents show evidence of popular protest rather than government-directed cyberwarfare.
EDIT: Here's a link from Ars Technica that refuses to give up on the cyberwar theory.
Tuesday, May 29, 2007
Monday, May 21, 2007
Life imitating art?
Posted by
David Maynor
at
12:46 PM
That is interesting. Not so long ago Rob and I spoke at Microsoft's Bluehat conference about a variety of topics under the heading of "Breaking and Breaking into Microsoft Security tools". One of the sections covered how easy it is to reverse an anti-virus tool's rule set and modify it, which concluded with a live demo of a popular tool causing a Windows XP SP2 machine to crash.
I open my rss reader this morning and b00m, Whitedust has an article about something similar happening in China. It may not have been malicious but it still shows something that Rob and I have been talking about for years: security problems exist because code has gotten so complex it’s hard to get right. The solution for this is not layering more complex code on top of the already broken code and hoping the dam holds.
A leading industry analyst I know said “it’s amusing that since blaster, we've had bigger outages from bad AV signatures on most major products than the viruses themselves”. Can anybody else see the sun setting on these products?
UPDATE: Infoworld is also running a story on it.
Friday, May 18, 2007
Public wifi vs 3G mobile broadband
Posted by
Robert Graham
at
12:33 AM
Wireless sans wifi
In my last post, I pointed out that public wifi is too dangerous to use. Web/2.0 is fundamentally insecure around eavesdroppers. It allows hackers to break into your accounts and/or your computer.
One option is "mobile broadband", or "tethering" your computer to a 3G mobile phone's Internet connection. The speeds are competitive with public access points. It's a bit of security-through-obscurity, though. It's safer because robust hacking tools to eavesdrop and interact with 3G don't exist. However, since hackers haven't been testing it, 3G is likely no more secure than wifi was in the early days with WEP. Thus, it's not really a good long term security solution.
Anyway, I signed up for a 3G phone service with a Blackjack from Cingular. It's not going to be the first thing that hackers attack when I go to conferences, and it's actually a lot more convenient. I can hook-up/tether the Blackjack mobile phone to my computer, then surf the web from my computer like I was connected to a public wifi.
Setting up tethering was a bit of a pain. Even though this feature has been around for many years, phone companies don't really support it well. While going through the support process, I found some poorly (or not at all) documented features. Typing *#1234# is the secret code to get your version on the Blackjack, *#2222# is the secret code for getting the hardware revision, and pressing the "up" button on the nav-wheel while powering on will completely reset the device (wiping out your data).
I wanted to be able to tether with Bluetooth as well as USB, which was particularly problematic. I could only do so after removing the Toshiba Bluetooth stack and replacing it with Microsoft's Bluetooth stack on WinXP SP2. Then, following the instructions found on the Internet, I was able to get it to work. Tethering via Bluetooth is a bit slower than USB, and of course, a lot less safe. However, I lose cables quite often while traveling, so having that as an option is pretty important to me. Otherwise, I was going to buy a new computer with 3G like HSDPA or EVDO built in.
Speed is good. I suppose I should measure ping times and DSLtest reports, but I'm too lazy. All I want to know is that I can surf the web, pull up maps, read mail, and do my normal activity. It does this quite well. It seems that the latency is a bit higher, but the bandwidth is just as good. I'll have to wait until I get into crowded areas like airports to see how well it degrades as more people are using it. EDIT: Most importantly, the phone works while surfing (most other tethered phones cannot both receive a call and surf the web at the same time).
I'm exploring other options than just changing from wifi to 3G. A lot of Web/2.0 companies support SSL for full access, they just don't advertise it because they don't have enough crypto acceleration. You can often find the SSL option if you search enough. Another option that doesn't seem to be used much on the public Internet is automatically establishing an IPsec session between two machines: this is well supported in Windows, but it's never turned on. VPNing back to home, then surfing out from there is really a desperate measure: Web/2.0 should really be secure enough such that it's not necessary.
As a side note, Cingular wanted my SSN, and of course I didn't give it to them. I got the same reaction I usually get. It's usually an option to provide a deposit instead of an SSN, but they consider that so unreasonable they never tell me about it. They aren't hiding the option, they just assume that nobody would ever choose it. In the case of Cingular, when the sales guy told me that I had to give him my SSN, I said "ok, then I won't buy the service" and was walking out the door before I remembered to ask about the deposit. He was willing to let me go rather than suggest the option. I often wonder why customers think that paying a deposit is such an unreasonable alternative to disclosing your SSN. Does anybody know? Also: everyone in the cybersecurity community refuses to disclose their SSN, right?
Monday, May 14, 2007
Blogging Toorcon/Seattle
Posted by
Robert Graham
at
11:04 AM
The San Diego cybersecurity convention Toorcon has branched northwards with a cool concept. This year, they had a small con (150 people) on the weekend after BlueHat (Microsoft's internal cybersecurity con). It was in a small bar, talks lasted 20 minutes, and it ended with an hour of 5 minute "lightning" talks. The format rocked, hard.
I want to apologize for my talk. My talk was later in the day, so in the time leading up to the talk I was sniffing the wireless. (I wasn't alone, MANY other people were also sniffing the wireless). I started my talk by showing the sorts of things I could sniff about somebody, such as their AIM buddy list, their DNS requests, alternate e-mail addresses they use, and so forth. The person I showed was somebody that had a diverse set of information, but not somebody who was doing anything embarrassing. I specifically chose NOT to 'out' the attendee who was surfing gay porn during the talks (although I probably should have, since virtually nobody who goes to cybersecurity cons would be embarrassed by surfing gay porn). However, even if nothing embarrassing is shown, it's still embarrassing feeling a bit exposed like that (although, I should repeat: a lot of people were sniffing the traffic as well, my talk just exposed it).
The moral of the story is: DON'T USE OPEN WIFI AT CYBERSECURITY CONVENTIONS. Seriously, any wifi is dangerous. The dangers are:
1. I can sniff more interesting bits out of your traffic than you realize
2. I can hijack (or "sidejack") the web accounts you log onto
3. I can grab control of your browser (download history, cached passwords, etc.)
4. I can probably break into your machine
5. This works on Internet Explorer and Firefox on Mac, Linux, and Windows
6. …all using well-known, unpatched (and often unpatchable) techniques
I've already released my Ferret tool that sniffs interesting info (like I showed at the start of my talk). I'm going to be releasing my "sidejacking" tool that sniffs Web/2.0 session IDs, allowing other people on the same wifi to gain access to your accounts even without man-in-the-middle attacks. I'm going to be releasing a "man-in-the-middle" tool that inserts JavaScript into your browser, essentially making every website you visit vulnerable to Cross Site Scripting (XSS) attacks against your browser.
There are two good alternatives to public wifi. The first is to set up a box at home and VPN to it, and harden the wifi adapter so that none of your normal system applications (e.g. NetBIOS) are bound to it.
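The "sidejacking" risk described above comes down to one thing a defender can check for: a session cookie that the browser will send over plain HTTP, where anyone on the same wifi can read and replay it. The script below is an added example written for this page, not the Ferret or sidejacking tools from the post. It parses Set-Cookie headers from two constructed sample responses (a weak one and a hardened one) and flags session-looking cookies that lack the Secure attribute; the cookie name hints and the sample responses are assumptions made for the example.

```python
"""Audit Set-Cookie headers for session cookies exposed to sidejacking.

A session cookie without the Secure attribute is sent on every plain-HTTP
request, so an eavesdropper on an open network can copy it and reuse it.
Added example for this page; the sample responses below are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass

# Assumed name fragments that usually mark a session or auth cookie.
SESSION_NAME_HINTS = ("sess", "sid", "auth", "token", "login")


@dataclass
class CookieFinding:
    name: str
    secure: bool
    httponly: bool
    looks_like_session: bool

    @property
    def sidejackable(self) -> bool:
        # Exposed when it carries a session and can travel over plain HTTP.
        return self.looks_like_session and not self.secure


def parse_set_cookie(header_value: str) -> CookieFinding:
    """Parse the value part of one Set-Cookie header into a finding."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    # Attribute names are case-insensitive; keep only the name, not the value.
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    lname = name.lower()
    return CookieFinding(
        name=name,
        secure="secure" in attrs,
        httponly="httponly" in attrs,
        looks_like_session=any(h in lname for h in SESSION_NAME_HINTS),
    )


def audit_response(raw_headers: str) -> list[CookieFinding]:
    """Collect a finding for every Set-Cookie header in a raw HTTP response."""
    findings = []
    for line in raw_headers.splitlines():
        if line.lower().startswith("set-cookie:"):
            findings.append(parse_set_cookie(line.split(":", 1)[1]))
    return findings


def sidejackable_cookies(raw_headers: str) -> list[str]:
    """Names of session cookies that would leak over plain HTTP."""
    return [f.name for f in audit_response(raw_headers) if f.sidejackable]


# Constructed sample: login happened over HTTPS, but the session cookie is
# not marked Secure, so the browser will also send it on http:// pages.
WEAK_RESPONSE = """HTTP/1.1 200 OK
Set-Cookie: SESSIONID=abc123; Path=/; HttpOnly
Set-Cookie: theme=dark; Path=/
"""

# Constructed sample: same site with the cookie marked Secure, so it is
# only ever sent over TLS and a wifi sniffer never sees it.
HARDENED_RESPONSE = """HTTP/1.1 200 OK
Set-Cookie: SESSIONID=abc123; Path=/; Secure; HttpOnly
Set-Cookie: theme=dark; Path=/
"""

if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, "sidejackable cookies:", sidejackable_cookies(resp))
```

Run it against saved response headers from your own sites; a non-empty list for a site you log into over open wifi means the account is exposed exactly the way the post describes, and the fix is on the server (mark the session cookie Secure and serve the whole session over SSL), not in the client.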
The second alternative is mobile broadband like GPRS, EDGE, HSDPA, or EVDO. You can often access the Internet by "tethering" your mobile phone, or get one of the new notebooks with built-in adapters.
It's interesting to see that public wifi is still growing fast, with cities all across the United States creating municipal wifi networks. This means that more and more hackers will be attacking it. Now is a good time to start weaning yourself off of it.
Saturday, May 12, 2007
Toorcon Beta
Posted by
David Maynor
at
1:06 PM

I am sure you expect me to post about Bluehat as both Rob and I talked there. We are currently sitting in the Last Supper Club watching the Toorcon Beta.
Beetle is up now talking about Wi-Fight Club. He is a great speaker and the concept is super cool!

UPDATE: The next talk I really dug was the Pusscat talk on automating exploitation. The lowdown is that Pusscat (mad reverse engineer badass) and lin0xx have combined Metasploit fuzzing and Windbg debugging to do automated exploit analysis. This stuff is super cool.
Lin0xx has more information on his site, here.
Wednesday, May 09, 2007
Liability of reverse engineering
Posted by
Robert Graham
at
1:39 AM
Christopher Hoff asks an admittedly naïve question: "If I ... engage in reverse engineering of a product that is covered by patent/IP protection and/or EULA's that expressly forbids reverse engineering, how would I deflect liability for violating these tenets ...".
There are actually few issues with reverse-engineering itself. Reverse-engineering is LEGAL, PROTECTED BY LAW, and ETHICAL. Many of the issues people think are due to reverse-engineering are actually due to other problems.
Hoff mentions the recent HID case, where the company sued a researcher on patent grounds to prevent him from disclosing their problems. The details of the case had nothing to do with reverse engineering. In order to demonstrate cracking of HID's keys, the researcher had to build a device. That device MAY have been covered by HID's patents. Therefore, HID claims were about patent infringement; they had nothing to do with reverse-engineering.
In the Mike Lynn case, Cisco claimed that Mike did something more than simple reverse-engineering. For example, Cisco suspected that Mike was going to disclose the source code that was rumored to have been stolen a couple of years ago. Therefore, it wasn't reverse-engineering itself that was at the crux of the suit.
There have been other famous cases of reverse engineering, from printer cartridges to video game compatibility. In virtually every instance, the right to reverse engineer products has been protected.
The reason reverse-engineering has a bad odor is because it breaks down in two places: EULAs and the DMCA. EULAs are tricky because you agree NOT to reverse-engineer their product. If you reverse-engineer the product, you are breaking a contract. The DMCA forbids reverse-engineering where the effect of the reverse-engineering is to break copyright. It specifically says that you can still reverse-engineer iTunes and the Zune in order to interoperate with them or to find security vulnerabilities, but you may not reverse them in order to bypass the copyright protections.
An illustrative example is the ruling in the Blizzard vs. Bnetd. Bnetd was an open-source server for playing games like Diablo and Starcraft. Bnetd was found guilty of two things. The first was that they were found guilty of breaking the contract with Blizzard. They had purchased the games and agreed that they would not reverse-engineer Blizzard's products, but reversed them anyway. Second, they were found guilty of breaking the law under DMCA. While they were within their rights to create "interoperable" software, the effect was to enable bypassing of copyright. Blizzard servers checked license keys, Bnetd servers did not, so Bnetd enabled software piracy.
Therefore, if you want to do reverse-engineering, you can (probably) ignore the law on reverse-engineering, but you have to pay attention to the EULA and the DMCA.
Bypassing the EULA is usually pretty easy. For example, I bought Cisco routers off of eBay. I am reverse-engineering the code I found on those routers. I am not agreeing to Cisco's EULA; I have never agreed to the Cisco EULA. Bypassing the DMCA is even easier: if you aren't helping copyright pirates, then you probably aren't breaking the DMCA law.
Recently, Dave and I posted information about Airtight. This was forbidden by their EULA. However, we did not agree to their EULA, so therefore we did not break their contract. We sat down outside of somebody else's installation and sent wifi packets at them, and monitored the packets sent back from them. We could therefore review their product because we did not actually use it. (BTW, you should be wary of companies with EULAs like Airtight's because nobody can publicly challenge their claims).
Hoff asks "Do you ... simply count on the understanding that if one can show "purity" of non-malicious motivation that nothing bad will occur?". Again, this question is false. There are no "pure" motivations. It's like how guilty criminals in jail believe that they are innocent because their motivations were somehow pure. Publishing advisories to pimp your cleverness is not a "pure" motivation. Mike Lynn's motivation in the Cisco case was not "pure" (How much really has the Internet been made safer by his actions? How much fame and higher wages has he earned??)
Your own justifications are not a legal defense. Remember that justice is blind. It cares about law as written, not whether you are a good person at heart, or what your justification is. The legal system is like computer code: it is largely automatic and inescapable. I often read such justifications on Slashdot and am amused by how they just wouldn't work in the real world.
The real question is whether you can count upon whether it is in a company's best interest. Microsoft, for example, does not sue people like eEye who maliciously reverse their code because it's not in their best interest. Microsoft has had plenty of justification to sue me (even in areas outside of security), but has not because it's not in their best interest. On the other hand, there is a good chance that companies will not recognize their best interests, such as Cisco in the Mike Lynn case.
Note that sometimes companies are forced to act even when it is against their best interests. Microsoft, for example, must sue teenage kids to protect their trademark even though it generates bad publicity. Likewise, ISS was forced to sue Mike Lynn in the Cisco case. However, HID was not required to sue to protect patents. When and why such things are automatically triggered is a bit tricky.
Lastly, the biggest point to take away from this is that people can sue you even when they are wrong and you are right. In the HID case, they were almost certainly wrong, but it would take a lot of money and time by the researchers to prove this to the court. Likewise, websites hosting the recently cracked AACS key comply with takedown notices even though the law may be on their side. It can easily take 100k to defend yourself in court. Companies don't want to spend that much to prosecute you either, and will likely back down if you stand up for yourself, but they are betting that you will blink first.
Tuesday, May 01, 2007
Apple Update
Posted by
David Maynor
at
4:53 PM
http://www.zerodayinitiative.com/advisories/ZDI-07-023.html
The Cansec Apple bug is out. Apple got this done in 8 days, which is not too bad.
Subscribe to:
Posts (Atom)