Date: Wed, 7 Jan 2004 09:56:34 +0100
From: Thorsten Delbrouck-Konetzko <Thorsten.Delbrouck@...rdeonic.com>
To: bugtraq@...urityfocus.com
Cc: joop gerritse <jjge@...all.nl>
Subject: Re: Microsoft Word Protection Bypass


joop gerritse <jjge@...all.nl> wrote on 03.01.2004 12:34:45:

> A much simpler trick is to write the document out
> in RTF form, and use a text editor.

There are several methods to extract the contents of a protected document, 
but that fails to be the point here.

Equipped with a method to unprotect/change/reprotect a document (with the 
original, unknown password) it becomes (close to) impossible to prove that 
the document actually *has* been modified. If a sender relies on the 
protection mechanism (like some corporations which send out offers as 
"protected" docs do) this might actually have legal consequences.

Example: Upon your request a vendor e-mails an offer for product foo to 
you, price 100,00 EUR (Word format, protected forms). To form a legally 
binding contract you are asked to print the doc, sign it and send it back. 
In most legal systems (and among merchants who have been entered as such 
in a commercial register) this process is suitable to form a legally 
binding contract between the two parties involved.

Now you could easily decide to change the price within the original 
document to 80,00 EUR, print it, sign it and send it back to the vendor 
(thus forming a legally binding contract between the vendor and you!).

They will of course insist on the 100 EUR version, you will insist on the 
80 EUR version. You'll take them to court. An expert will be asked to 
analyse the original electronic document you received and will most likely 
find that it's protected by a password which is highly likely to be known 
by the vendor only and that you could not have changed the document. They 
lose. You win. :-)

regards,
/tdk


