lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Wed, 7 Jan 2004 12:46:10 -0800
From: "Eric Lawrence" <ericlaw@...den.com>
To: "'Thorsten Delbrouck-Konetzko'" <Thorsten.Delbrouck@...rdeonic.com>
Cc: <bugtraq@...urityfocus.com>
Subject: RE: Microsoft Word Protection Bypass


Umm... What exactly prevents you from just typing up your own "contract" and
then claiming they sent it to you?  Or printing a changed contract out and
claiming it was mailed to you?  Or taking of any of a million other
fraudulent actions?

The standard Office protection mechanisms aren't designed (and shouldn't be
expected) to be tamper-proof against a determined adversary.  For more
serious levels of protection, use the new DRM mechanisms in Office 2003.

-Eric

-----Original Message-----
From: Thorsten Delbrouck-Konetzko [mailto:Thorsten.Delbrouck@...rdeonic.com]

Sent: Wednesday, January 07, 2004 12:57 AM
To: bugtraq@...urityfocus.com
Cc: joop gerritse
Subject: Re: Microsoft Word Protection Bypass

joop gerritse <jjge@...all.nl> wrote on 03.01.2004 12:34:45:

> A much simpler trick is to write the document out
> in RTF form, and use a text editor.

There are several methods to extract the contents of a protected document, 
but that fails to be the point here.

Equipped with a method to unprotect/change/reprotect a document (with the 
original, unknown password) it becomes (close to) impossible to prove that 
the document actually *has* been modified. If a senders relies on the 
protection mechanism (like some corporations which send out offers as 
"protected" docs do) this might actually have legal consequences.

Example: Upon your request a vendor e-mails an offer for product foo to 
you, price 100,00 EUR (Word format, protected forms). To form a legally 
binding contract you are asked to print the doc, sign it and send it back. 
In most legal systems (and among merchants who have been entered as such 
in a commercial register) this process is suitable to form a legally 
binding contract between the two parties involved.

Now you could easily decide to change the price within the original 
document to 80,00 EUR, print it, sign it and send it back to the vendor 
(thus forming a legally binding contract between the vendor and you!).

They will of course insist on the 100 EUR version, you will insist on the 
80 EUR version. You'll take them to court. An expert will be asked to 
analyse the original electronic document you received and will most likely 
find that it's protected by a password which is highly likely to be known 
by the vendor only and that you could not have changed the document. They 
lose. You win. :-)

regards,
/tdk

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ