The Geek Forum

Topics - Squid

1
Quote
Earlier this month, Microsoft outlined their plans for their next generation of operating systems, codenamed Longhorn/Palladium. Among the features touted were the "secure networking" functions that the OS would offer.


Firstly:
Microsoft plans to implement Palladium DRM (digital rights management) in a hardware chip, initially implanted on the mobo, but later on embedded in the CPU, and employing hardwired encryption throughout. The purpose of this is to flag every file on the computer with a digital signature telling a remote server what it is. If it's an unauthorised file, the remote server will tell your computer not to let you execute it.

This is basically an attempt to stop the trading of mp3's and/or warez.

Secondly:
Before an application can run, it too must have a digital signature remotely verified by another server. If the program binary doesn't match with any of the authenticated binaries, your computer won't run it. This, again, is meant to stop your computer running "unauthorised" software - which might be warez, or it might just be a nifty freeware program that the authors can't afford to have certified. Microsoft will be able to control exactly what your computer can and can't run.

Thirdly:
As most of you know, Microsoft employ a strategy of making their software deliberately obsolete - they make it forward compatible, but not backward compatible. With the laws of the DMCA, it will soon be illegal to try to make a software product that is compatible with another program's file types (for example, take the many office applications there are for Linux which have had some success in translating their arcane file formats).
This has the effect of killing any competition in the water - since you're not allowed to make your new product compatible with any of the others, no-one will use it. And eventually people will give up using any of the others instead, since no-one else can read their documents. So the entire world will be left with one choice only for software - Microsoft.

Fourthly:
Palladium will effectively ban free software, not just free stuff for Windows platforms, but free stuff for Linux, Mac, in fact every OS that runs on a Palladium enabled motherboard/processor. Why?
In order to get the program to run on a palladium platform, you will need to pay to have your binary certified as "safe" by Microsoft's software authentification branch. And who in their right mind is going to pay for a piece of software they spent hours working on? It just wouldn't be worth it.

It gets worse when it comes to open source projects, such as Linux and BSD. Those of you who know about these things will know that open source projects are created by freelance coders all over the world who create programs in their spare time and then give them to the rest of the world for free. Many of them also release the source code for free too, so that if you wish you can alter the program (such as to fix bugs, add features etc).
Now, it would be bad enough if the owner has to pay a certification fee. But EVERY CHANGE that is made to the source code will require a new, separate certificate to be created. Those of you who use Linux will know that so many things get updated so quickly, that this just isn't practical, and would cost the open source development people millions of dollars. This is money they just don't have, and Microsoft knows it.

Fifthly:
The "secure network". This is the real clincher for Palladium. At first, they're going to make it so that it is possible to turn Palladium off at the hardware level. But it is created in such a way so that, if you try to connect to a Palladium web server, you won't be allowed to. Palladium machines will only be able to talk to other Palladium machines, and non-Palladium machines won't be able to talk to any Palladium machines.
Hence, if Palladium reaches critical mass, there will be thousands of people the world over who won't be able to access the internet or even work on a network with Palladium machines, so by extension they will be forced to "upgrade" to Palladium machines.

Sixthly:
At first I thought: what the hell, this is only going to apply to x86 architecture (namely Athlon and Pentium chips, since it's only AMD and Intel who are involved at the moment). So, I could try another hardware architecture: such as the Mac/PPC, or the Sun Sparc, or an ARM, or any other kind of processor.
But then I realised that even if I did, I wouldn't be able to access the "Palladium network" which could encompass the entire internet if this concept goes far enough. So all you Mac users would be effectively locked out; you too would have to adopt a Palladium machine if you wanted your computer to actually do anything.

Seventhly:
Palladium will enable all your documents to be controlled remotely. No, this is not a joke. If Microsoft find you are using an outdated version of Office, all they need to do is send a message to your computer and it will no longer let you read any of your documents that were created with that application.

MS WILL BE ABLE TO CONTROL YOUR COMPUTER!

Even more sinister is that if Microsoft take offence at any of the documents on your machine (it could be a simple document containing DeCSS information or anti-Palladium information) then they can delete or alter it not just from your PC but from every other Palladium PC on the network.
This has a remarkable similarity to the "Ministry of Truth" in George Orwell's "1984" where the government continually faked information, both new and old, the entire country over to make themselves appear "correct" all the time.


If Palladium ever becomes widespread enough, the internet as we know it today will be dead. Instead of being controlled by us, it will be controlled by Microsoft, and you will have no choice but to do exactly what they say.

Hence why I want to tell as many people about this atrocious idea before it becomes popular, and M$ administer their miraculous spin to it to make it sound like the best thing since sliced bread.


If that happens MS pretty much controls every program on your computer, along with the internet.

2
Hardware, Software, and Other Imperialist Crap / Expert shows M$ hack
« on: August 30, 2002, 09:59:03 AM »
STOCKHOLM--Software security widely used for Internet banking and e-commerce can be easily circumvented, and customer accounts at several of Sweden's largest banks remain at risk as a result, a computer expert said Monday.
The Swedish hacking expert, who is well known in computer security circles, but asked not to be identified, demonstrated to Reuters how it was possible within minutes to break through security on Web server software from Microsoft.

The expert showed how to crack the security systems for Internet banking, breaking into three of Sweden's big four banks in quick succession. He was then able to show how to conceal his tracks, making detection difficult afterward.

While stopping short of breaking into customer accounts, the hacker-turned-consultant said an intruder could have hidden instructions to transfer sums into a separate account when the customer authorizes a payment from his Internet bank account.

He relied on a variation of a weakness that came to light two weeks ago in Microsoft's implementation of Secure Socket Layer (SSL), an industry standard for transmitting credit card numbers and account passwords via the Web.

"It's a protocol which is very easy to break through," the computer expert said. "The protocol doesn't provide the security the users think it does."

The attack technique exploited a combination of vulnerabilities over which Microsoft exerts only partial control. A large share of the blame should fall on network administrators inside banks and other organizations who fail to install Microsoft's software properly, he said.

Using the method, an attacker can log in as a Web site customer using certificate authentication and gain access to the Web site's root directory and, from there, enter the organization's internal network.

Microsoft has responded to recent reports about the SSL flaw by admitting its existence, saying it is working to develop a fix, but also by downplaying the notion that the flaw poses any widespread security threat.

"Such techniques are difficult, temporary, and generally require favorable network (layout)," the company states on a Microsoft technical discussion site.

Microsoft in Sweden denied that SSL could be breached in the way shown to Reuters.

"I can't even see the theoretical possibility for it to happen", said Mats Lindkvist, responsible for security at Microsoft in Sweden.

The unnamed expert said an attacker could breach security via hundreds of computers, making detection of the criminal almost impossible, as it might take the police up to four to five months just to follow a trail through 10 computers.

Mike Benham, the San Francisco privacy advocate and security consultant who first revealed the SSL flaw, offered a technical description of how this works: "An attacker could transparently proxy (invisibly transfer) a victim's traffic to the real secure site, while intercepting and logging all the data."

Microsoft embarked earlier this year on what it called a "trustworthy computing" campaign to improve the security of its software. The company was responding to a mounting outcry over widely publicized software security breakdowns.

The four Swedish banks are not unique. Many of the world's major financial institutions are similarly vulnerable because they rely on software using the industry-accepted SSL protocol, computer experts say.

All four major Swedish banks said they were not aware of any break-ins into their systems. But spokesmen at some of them said no system could be perfect.

"If man can fly to the moon, sooner or later someone will be able to circumvent the security systems," said Jesper Berggren, Swedbank's head of press relations.

"As far as I can tell no system will ever be 100 percent secure. To say that our systems are 100 percent secure would be presumptuous," said Lars Lindmark, Handelsbanken's information director.

But computer experts say banks remain highly vulnerable.

"There's been a lot of denial," said Peter Neumann, principal scientist at Silicon Valley think-tank SRI International and one of the world's authorities on computer security.

Such flaws result from a mix of fatalistic acceptance and technical ignorance, he said. "'Everything is fine,' banks say. That's clearly nonsense. Pretty much everything is vulnerable--certainly more so with a little bit of insider knowledge."

Swedish security firm Deprotect has managed to use hidden instructions to transfer tens of millions of dollars from an account at a leading European bank, said Lars-Olov Guttke, a computer security expert at Deprotect.

The bank had asked Deprotect to test its security systems.

After two weeks, Guttke told the bank about the transfers, which had not been detected. The key factor was that the sums transferred secretly were not big enough to alert the system.

"It might take a few days to figure out how to make the intrusion, but once you've done that it doesn't take very long to break through the systems," Guttke said.

Banks spend huge amounts to secure their customer-facing systems, but tend to neglect internal systems giving access to their networks, Guttke said. Security veteran Neumann agreed, saying that former insiders may pose a bigger threat.

Information about the level of computer-related crime is scarce because few crimes are reported. Companies fear bad publicity and additional costs if the weaknesses of their security systems become known.
