Red Hat compromised

In August, Red Hat announced that some OpenSSH packages had been illegitimately signed. An intruder managed to penetrate Red Hat's IT infrastructure and to reach Red Hat's signing computer, and thus managed to get his or her own variants of OpenSSH signed. There was no evidence that these variants leaked out. Nevertheless, Red Hat provided tools to detect them and issued a new clean version signed with a new signature key; the old key will be revoked.

This is extremely serious. Today, most trust models rest on the assumption that access to the signing key is secured. Three main events may shatter this assumption for a company X:
– company X's private key leaks out. Then Alice, Bob and Eve are able to sign on behalf of company X.
– Alice is able to get company X to sign data that company X does not control.
– Alice is able to get a trusted certification authority to issue a digital certificate in the name of company X. Then Alice can impersonate company X. This is what happened in March 2001 with VeriSign and Microsoft (see http://news.cnet.com/2100-1001-254586.html).

In this case, it is the second attack.

The signature key is the core of many security systems. It is the most important asset to protect. Red Hat probably protected the key itself correctly (there is no evidence that it leaked out), but not its usage. Defining and implementing the security policy is a big problem.
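To make the second attack concrete, here is an added example (my own illustration, not Red Hat's detection tool nor any Red Hat code) of the client-side trust policy that a vendor's response implies. A rogue build signed through the legitimate signing host verifies exactly like a clean one, so the client needs, beyond the signature check, the vendor's denylist of rogue build digests, the revocation of the old key and the re-signed release under the new key. Ed25519 keys are generated on the fly and the package contents are constructed sample bytes; the key ids, verdict names and policy structure are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Verdict is the outcome of checking one package against the trust policy.
type Verdict string

const (
	VerdictOK         Verdict = "ok"
	VerdictRogue      Verdict = "known-rogue-build"
	VerdictRevokedKey Verdict = "signed-by-revoked-key"
	VerdictBadSig     Verdict = "bad-signature-or-unknown-key"
)

// SigningKey is a vendor key as the client knows it; Revoked marks a key whose
// usage can no longer be trusted (an intruder got the signing host to use it).
type SigningKey struct {
	Public  ed25519.PublicKey
	Revoked bool
}

// Package: content, id of the signing key, Ed25519 signature over SHA-256(content).
type Package struct {
	Content   []byte
	KeyID     string
	Signature []byte
}

// TrustPolicy: vendor keys with revocation status, plus a denylist of hex
// SHA-256 digests of builds the vendor has identified as rogue.
type TrustPolicy struct {
	Keys     map[string]SigningKey
	Denylist map[string]bool
}

func digest(b []byte) []byte { d := sha256.Sum256(b); return d[:] }

// Sign is the vendor-side operation: whoever can trigger it gets a package that verifies.
func Sign(content []byte, keyID string, priv ed25519.PrivateKey) Package {
	return Package{Content: content, KeyID: keyID, Signature: ed25519.Sign(priv, digest(content))}
}

// Check applies the policy: denylist first (a valid signature does not
// rehabilitate a known rogue build), then the signature, then key status.
func (p TrustPolicy) Check(pkg Package) Verdict {
	if p.Denylist[hex.EncodeToString(digest(pkg.Content))] {
		return VerdictRogue
	}
	key, ok := p.Keys[pkg.KeyID]
	if !ok || !ed25519.Verify(key.Public, digest(pkg.Content), pkg.Signature) {
		return VerdictBadSig
	}
	if key.Revoked {
		return VerdictRevokedKey
	}
	return VerdictOK
}

// Scenario plays out the incident and returns one verdict per case: an
// intruder gets a rogue build signed with the "old" vendor key; the vendor
// then denylists that build, revokes "old" and re-signs the clean build with
// "new". Keys are generated here; contents are constructed sample bytes.
func Scenario() (map[string]Verdict, error) {
	oldPub, oldPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	newPub, newPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	clean := []byte("openssh clean build (constructed sample)")
	rogue := []byte("openssh rogue build (constructed sample)")
	rogueOld := Sign(rogue, "old", oldPriv) // the intruder's signing request
	cleanOld := Sign(clean, "old", oldPriv)
	cleanNew := Sign(clean, "new", newPriv)
	altered := Package{Content: append([]byte("X"), clean[1:]...), KeyID: "new", Signature: cleanNew.Signature}

	before := TrustPolicy{Keys: map[string]SigningKey{"old": {Public: oldPub}}}
	after := TrustPolicy{
		Keys:     map[string]SigningKey{"old": {Public: oldPub, Revoked: true}, "new": {Public: newPub}},
		Denylist: map[string]bool{hex.EncodeToString(digest(rogue)): true},
	}
	return map[string]Verdict{
		"rogue build, before incident": before.Check(rogueOld), // signature alone: looks fine
		"rogue build, after response":  after.Check(rogueOld),  // caught by the denylist
		"clean build, old key":         after.Check(cleanOld),  // clean, but the key is revoked
		"clean build, new key":         after.Check(cleanNew),  // the re-signed release
		"clean build, altered":         after.Check(altered),   // modified after signing
	}, nil
}

func main() { fmt.Println(Scenario()) }
```

Running `Scenario` shows the point of the post: before the incident is known, the rogue build gets the same “ok” verdict as a clean one, because the signature is genuine. Only the denylist and the key revocation distinguish them afterwards, and the clean build signed with the old key has to be re-signed rather than re-trusted.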

Academic research and free speech

As usual, a company attempted to stop the disclosure of weaknesses at a security conference. This time, the Massachusetts Bay Transportation Authority sought to restrain Zack Anderson, R.J. Ryan and Alessandro Chiesa, students at MIT, from presenting a paper about the weaknesses of its RFID and magnetic stripe cards. The targeted conference was Defcon, one of the major hacking conferences. Nothing especially new.

The interesting fact is that District Judge Douglas Woodlock granted such a temporary restraining order. He backed up his decision with the Computer Fraud and Abuse Act. This law targets hackers who “knowingly causes the transmission of a program, information, code, or command to a computer or computer system.” In other words, according to this judge, presenting a paper disclosing weaknesses is equivalent to using software to penetrate a system.

Obviously, the Electronic Frontier Foundation (EFF) immediately fought back, invoking the First Amendment and free speech. Once more, we have this legal battle between academic researchers who find a flaw and a company that does not want this flaw to be disclosed. One of the first examples was the Felten versus RIAA case (#CVB-01-2669 (GEB)) about SDMI. Ed Felten's team broke the watermarking schemes proposed by SDMI in an open challenge. RIAA attempted to restrain Ed from disclosing the results at Information Hiding 2000. Finally, RIAA withdrew its objection and the paper was presented at ICASSP 2001.

Once more, this case highlights the same questions and remarks:

  • What should be done when discovering a security flaw? The typical ethical procedure is to inform the company about the flaw, give them some time to react and then publish. The problem is often the definition of the reaction time.
  • What is the right reaction of the company? Often they react badly. I believe it is more beneficial to be informed by white hats who disclose the weakness than to be attacked by black hats who will keep it secret. Once informed, you may at least monitor to find eventual attackers. I prefer a flaw in my product that everybody (including myself) is aware of to one that is present but that I am not aware of.
  • Are judges sufficiently prepared to deal with highly technological issues? Should there not be a special type of technological judge? They rely on experts, but do they understand what the experts are explaining? We even sometimes have difficulty understanding our peer experts!

In any case, it is mandatory that researchers continue to look for weaknesses and disclose them. No security by obscurity.

Security and Facebook like

Greek researchers will present tomorrow an attack using Facebook as the vector. The idea is that they provide an applet that displays nice pictures from National Geographic. Unfortunately, in addition to its benign display, the applet requests the download of a big file from one server. If this applet spreads within the social network, it may end up with thousands of applets downloading a big file from one given server, in other words a Distributed Denial of Service (DDoS).
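As an added illustration (not the researchers' code, and nothing from the original post), here is the server-side view of such an attack, since the victim sees nothing but ordinary browsers fetching one big file. It is a small Go detector run over a constructed access log in Apache combined format: it flags a path fetched by many distinct clients when almost all the requests carry the same Referer, that is, the same embedded widget page. Host names, IP addresses, paths and thresholds are all constructed for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strconv"
	"strings"
)

// Constructed sample access log (Apache combined format). The first six lines
// show the pattern of the post: distinct clients fetch the same large file,
// all sent by the same widget page (the Referer); the last two are normal.
const sampleLog = `10.0.0.1 - - [10/Sep/2008:10:00:01 +0000] "GET /big.iso HTTP/1.1" 200 734003200 "http://apps.social.example/photo-widget" "Mozilla/4.0"
10.0.0.2 - - [10/Sep/2008:10:00:02 +0000] "GET /big.iso HTTP/1.1" 200 734003200 "http://apps.social.example/photo-widget" "Mozilla/4.0"
10.0.0.3 - - [10/Sep/2008:10:00:02 +0000] "GET /big.iso HTTP/1.1" 200 734003200 "http://apps.social.example/photo-widget" "Mozilla/4.0"
10.0.0.4 - - [10/Sep/2008:10:00:03 +0000] "GET /big.iso HTTP/1.1" 200 734003200 "http://apps.social.example/photo-widget" "Mozilla/4.0"
10.0.0.5 - - [10/Sep/2008:10:00:03 +0000] "GET /big.iso HTTP/1.1" 200 734003200 "http://apps.social.example/photo-widget" "Mozilla/4.0"
10.0.0.1 - - [10/Sep/2008:10:00:04 +0000] "GET /big.iso HTTP/1.1" 200 734003200 "http://apps.social.example/photo-widget" "Mozilla/4.0"
192.0.2.7 - - [10/Sep/2008:10:00:05 +0000] "GET /index.html HTTP/1.1" 200 1200 "-" "Mozilla/4.0"
192.0.2.8 - - [10/Sep/2008:10:00:06 +0000] "GET /index.html HTTP/1.1" 200 1200 "http://www.example.test/" "Mozilla/4.0"
`

// client, request path, response bytes and Referer of one combined-format line
var lineRe = regexp.MustCompile(`^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" \d{3} (\d+|-) "([^"]*)" "[^"]*"$`)

// Entry is the part of a log line the detector needs.
type Entry struct {
	Client  string
	Path    string
	Bytes   int64
	Referer string // "" when the log has "-"
}

// ParseLine extracts an Entry; ok is false for lines that do not match.
func ParseLine(line string) (Entry, bool) {
	m := lineRe.FindStringSubmatch(line)
	if m == nil {
		return Entry{}, false
	}
	n, _ := strconv.ParseInt(m[3], 10, 64) // "-" (no body) parses as 0
	ref := m[4]
	if ref == "-" {
		ref = ""
	}
	return Entry{Client: m[1], Path: m[2], Bytes: n, Referer: ref}, true
}

// Finding describes one path whose traffic looks widget-driven.
type Finding struct {
	Path            string
	DistinctClients int
	TopReferer      string
	RefererShare    float64 // fraction of the path's requests carrying TopReferer
	BytesServed     int64
}

// DetectFetchStorm flags paths requested by at least minClients distinct
// clients where at least minShare of the requests carry the same non-empty
// Referer: many unrelated browsers fetching one resource on behalf of a single
// embedded page is the signature of the attack described above.
func DetectFetchStorm(logText string, minClients int, minShare float64) []Finding {
	type stats struct {
		clients  map[string]bool
		referers map[string]int
		bytes    int64
	}
	byPath := map[string]*stats{}
	for _, line := range strings.Split(logText, "\n") {
		e, ok := ParseLine(strings.TrimSpace(line))
		if !ok {
			continue
		}
		s := byPath[e.Path]
		if s == nil {
			s = &stats{clients: map[string]bool{}, referers: map[string]int{}}
			byPath[e.Path] = s
		}
		s.clients[e.Client] = true
		s.referers[e.Referer]++ // "" counts requests without a Referer
		s.bytes += e.Bytes
	}
	var out []Finding
	for path, s := range byPath {
		total, topRef, topCount := 0, "", 0
		for ref, c := range s.referers {
			total += c
			if ref != "" && c > topCount {
				topRef, topCount = ref, c
			}
		}
		share := float64(topCount) / float64(total)
		if len(s.clients) >= minClients && share >= minShare {
			out = append(out, Finding{Path: path, DistinctClients: len(s.clients),
				TopReferer: topRef, RefererShare: share, BytesServed: s.bytes})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Path < out[j].Path })
	return out
}

func main() {
	for _, f := range DetectFetchStorm(sampleLog, 5, 0.8) {
		fmt.Printf("%+v\n", f)
	}
}
```

On the sample, only /big.iso is reported (5 distinct clients, 100% of requests via the widget page); /index.html has too few clients and no dominant Referer. In practice the thresholds would be set per time window and the finding would feed a rate limit or a block on that Referer, not an automatic ban of the client addresses, since the browsers are victims too.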

And all journalists discover that there is a risk with social networks. I am always amazed to see people discover the obvious. Why should Web 2.0 be different from the “old” computing days? Everybody is expected to understand that it is not safe to execute a piece of software from an unknown publisher. It may be malware. This is expected to be accepted by users as good practice.

And now, all of a sudden, comes Web 2.0. And anybody is happy to add a nice widget to his/her site, web page, desktop, … Why should a widget be different from a normal application? Why should a widget not carry a lethal payload? Why should Web 2.0 be secure (at least not by construction)? I am only amazed that there are not more plagued widgets today.

Using a social network is even worse. You may trust the friends in your social network; thus, you may eagerly accept nice widgets from them. But how do they know it is a safe widget? Imagine a widget with a delayed bomb inside (as viruses do). It spreads nicely within Facebook, and then it is triggered… :Sad:

Am I too paranoid? Why did Web 2.0 escape common sense? Any idea?

Prison Break and P2P

What is currently the hottest hit on P2P trackers? Not the latest Hollywood movie. It is the first episode of the new season of Prison Break. According to TorrentFreak, more than 1 million people downloaded the torrent using BitTorrent. The broadcast audience for this episode was 6.5 million viewers according to Fox. This means that at least 20% of the audience will not use the official channel.

Like ABC, Fox has proposed a catch-up TV service where users can legally stream the latest episodes for free. Why do people prefer to use P2P?

TorrentFreak proposed convenience as an explanation. It is true that you have two advantages compared to broadcast or streaming:

  • The possibility to store and play back on any device
  • Skipping advertisements

Nevertheless, there is also another factor. What is the proportion of non-US downloaders on P2P? Currently, non-US/Canadian citizens have access to neither broadcast nor streaming. When attempting to connect, the connection is rejected because the receiving IP address is not located in the US. Not everybody has access to a US proxy that may allow bypassing this limitation. Fans/addicts will do everything possible to get access to the newest episodes. They will not wait several months (even one year for France) to get them legally. They will download them through P2P. Furthermore, they will find subtitled versions available a few days after broadcast. (I checked that the latest episode of Prison Break was already available with French and Italian subtitles!)

What can content owners do against it? Provide advertisement-free content? This is in total contradiction with the Free To Air business model based on advertising revenue. Provide the episodes to foreign countries as soon as they are available in the US? This has a cost because it requires dubbing all episodes in the main languages before the initial broadcast. Subtitling is not sufficient in many countries. In France, people hate subtitles. M6 attempted to offer season 4 of Desperate Housewives as paid VOD with French subtitles. It did not work.

Unfortunately, for non-US addicts, P2P is the most convenient and cheapest solution. :Sad: This may also explain why TV series are the biggest part of P2P trackers (see Mininova reaches 5 billion torrents).

Wizzgo banned from M6 and W9

In May 2008, the French startup wizzgo launched its service. Mainly, wizzgo offers two functionalities: an Electronic Program Guide and a network recorder for the French channels of the Free To Air operators, the so-called Télé Numérique Terrestre (TNT). In other words, you are able to explore the guide of all channels and, with one click, “record” an event. You may view recorded events as often as you want over the Internet. The downloaded events are not DRM protected and thus can be copied and distributed without restriction.

Unfortunately, wizzgo did not negotiate with the broadcasters. M6 and W9 have sued wizzgo for unfair competition and commercial parasitism. Wizzgo claims that it is legal because it performs only a private copy. The judge did not buy this argument. Private copy is not applicable to a commercial application. Although the service is free for users, wizzgo gets money from advertising. Furthermore, it modifies the audience and user viewing habits, thus spoiling broadcasters' advertising revenues.

An interesting piece of information is that M6 and W9 have just launched their catch-up TV service (M6 replay). Thus, wizzgo is in direct competition for the same market.

Spore and the DRM fury

Spore, the long-awaited simulation game from Electronic Arts, has generated a huge buzz and fury. Probably not of the type EA was expecting.
Spore is protected by SecuROM and requires online authentication of the genuine disc every ten days. Between these authentications, you do not need to put the disc in the drive (this is extremely convenient; I hate games that require the disc to be in the drive, which is annoying for frequent travelers). The game cannot be installed more than three times; beyond that, you would have to phone EA support. Some people are concerned that their copy would be dead if EA were to stop operating the authentication server.

The fact that Spore would be protected by “DRM” was known for months (and already provoked some waves in the gaming community). Nevertheless, since its launch, Spore has been the target of anti-DRM aficionados. Interestingly, they use a new Denial of Evaluation attack. The customer reviews on Amazon.com are flooded with deliberately negative critiques. At the time of writing, the score was less than 1 star over more than 1400 reviews. The negative reviews were about DRM. At the same time, the rating for the Nintendo DS version (not affected by the DoE) was 4.75 stars!

Will this “attack” be effective? I am doubtful. It seems that Spore is a really innovative, great game. Thus, gamers who love this type of game (simulation + MMOPG) will go for it. Negative comments only about DRM will not reduce the appeal of the game. Will “DRM” block some users? Of course, some people will use it as an excuse to justify the use of an illegal version. The ISO file and the crack were available on the main P2P tracker sites several days before the commercial launch of the game.

Reading the forums is instructive. My favourite is the person who purchases an official copy but installs a cracked one for convenience. He uses it with a clear conscience.

It will be interesting to see whether this campaign will impact the sales of Spore, whether other game publishers will reduce the use of “DRM”, and whether DRM is the right term for SecuROM and the likes.

In any case, I will soon play Spore. Did someone already test it?

10-sep: An error displayed only half of this post yesterday. Sorry for the inconvenience. During the night, about 500 additional negative comments were added on Amazon.

Comcast, FCC and throttling (2)

In July, the FCC ordered Comcast to stop throttling P2P connections (see Comcast throttling BitTorrent: trouble). On Thursday, Comcast challenged the decision in the U.S. District Court of Appeals in Washington. Nevertheless, Comcast will comply with the FCC order. Comcast has to stop the discrimination before the end of the year.

Meanwhile, two consumer interest groups and a company are seeking a court order to have Comcast stop the throttling immediately. The company is Vuze Inc., which distributes the software Vuze, formerly known as Azureus. Azureus is one of the P2P clients built on top of BitTorrent, and it has a serious “market share”.

Comcast has prepared its next move. On 1st October, Comcast will introduce a monthly maximum download capacity of 250 GB for residential customers. This remains a rather high capacity. It represents 300 SD DivX movies and around 100 HD movies. Not too bad.

We could have expected Comcast to announce a throttling policy in its terms of use. This limitation is another answer. What will other ISPs do?