2009 03 11 Wednesday

Another thing...

Another thing regarding Hamster/Ferret below... Using SSL doesn't always protect against this kind of attack. See here for examples...
SSL is not always complete. A good example is Gmail. In theory, using the HTTPS version of Gmail should protect you by going to https://mail.google.com/mail, but this doesn't work as you think. The JavaScript code uses an XMLHttpRequest object to make HTTP requests in the background. These are also SSL encrypted by default - but they become unencrypted if SSL fails.

When you open your laptop and connect to a WiFi hotspot, it usually presents you with a login page, or a page that forces you to accept their terms and conditions. During this time, SSL will be blocked. Gmail will therefore back off and attempt non-SSL connections. These also fail - but not before disclosing the cookie information that allows hackers to sidejack your account.
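The sketch below is an added example, not code from this post or from the quoted article. It uses Python's standard cookie jar to show which cookies a client attaches when a request to the same host falls back from HTTPS to HTTP: a cookie set without the `Secure` attribute goes out in cleartext, one set with it is withheld. The host name, cookie names and values are constructed for illustration.

```python
import http.cookiejar
import urllib.request
from email.message import Message


class _Response:
    """Minimal stand-in for an HTTP response; CookieJar only calls info()."""

    def __init__(self, set_cookie_headers):
        self._headers = Message()
        for value in set_cookie_headers:
            self._headers["Set-Cookie"] = value  # appends, does not overwrite

    def info(self):
        return self._headers


def cookies_sent(set_cookie_headers, origin_url, request_url):
    """Names of the cookies a client would attach to request_url after
    receiving set_cookie_headers in a response from origin_url."""
    jar = http.cookiejar.CookieJar()
    jar.extract_cookies(_Response(set_cookie_headers),
                        urllib.request.Request(origin_url))
    request = urllib.request.Request(request_url)
    jar.add_cookie_header(request)
    header = request.get_header("Cookie") or ""
    return sorted(part.split("=", 1)[0] for part in header.split("; ") if part)


def leaked_on_fallback(set_cookie_headers, https_url):
    """Cookies that would cross the network unencrypted if a background
    request to the same host is retried over plain HTTP."""
    http_url = "http://" + https_url.split("://", 1)[1]
    return cookies_sent(set_cookie_headers, https_url, http_url)


# Constructed sample: two session cookies issued over HTTPS.
SAMPLE_HEADERS = [
    "SESSION=constructed-value-1; Path=/",
    "SESSION_SECURE=constructed-value-2; Path=/; Secure",
]
SAMPLE_URL = "https://mail.example.test/mail"

if __name__ == "__main__":
    print("sent over HTTPS:", cookies_sent(SAMPLE_HEADERS, SAMPLE_URL, SAMPLE_URL))
    print("leaked over HTTP:", leaked_on_fallback(SAMPLE_HEADERS, SAMPLE_URL))
```

Any name returned by `leaked_on_fallback` is a cookie that a passive listener on the hotspot could capture during the fallback described above.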

2009 03 05 Thursday

staple / unstaple


It gets more interesting if Bob wants to distribute Alice's content, A. Since he doesn't own the copyright, he probably can't do such distribution legally. Suppose Bob creates an archive file containing both A and B, the latter of which he owns the copyright to. He then runs staple 2 or staple 4 on the archive and publicly distributes it. Bob's friend, Charlie, who doesn't care about copyrights, runs unstaple, brute-forces the key, and recovers both A and B. Alice, however, is stuck. If she wants to prove that Bob is violating the DMCA, she must violate the DMCA herself since the only way for her to verify the contents of the stapled archive is for her to brute-force the key (thereby circumventing Bob's copyright protection mechanism) and recover its entire contents, which includes Bob's copyrighted file, B.

via Schneier on Security.

Using the RIAA/MPAA's weapons against themselves?