Open Source and information security mailing list archives
 
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Subject: Computer Sabotage by Microsoft

Besides the XBOX issue discussed in this thread, I think there is some
more relevance to the security industry in it.

While I still have the feeling that in this specific case Microsoft is
operating in what I would call the "expected range", I would like to put
this into a broader picture:

Many say XBOX is the first try/pilot on TCPA, palladium or whatever your
favourite name is. The bottom line is that there is a movement to not
let you own the hardware you purchased.

I don't see any issue with XBOX in here, because you have the choice to
purchase many other solutions without this "design defect". (In fact, I
don't consider it to be smart to help make XBOX a commercial success if
you dislike TCPA...).

HOWEVER, now let's assume we have a Windows "XP" 2005 (Overlonghorn?;))
that implements TCPA. By design, now the VERY SAME should happen. That
is you install an operating system which effectively denies you the right to
use your computer as you want to (ok, it can't stop you from smashing
it...). Of course, there are alternatives to Windows on the desktop AND
I think they will become more popular as the DRM/TCPA issue moves into
the Windows products... BUT in this case I see a big difference. Then it
is not an easy choice to avoid this operating system.

Even if you manage to use some vuln in that OS that will help you
circumvent TCPA, a security update could remove the vuln at any time of
Microsoft's discretion. In fact, that alone is again what I would call
to be in the "expected range", because a vuln in the security system
must be targeted.

The question is only if we like to hand over ownership of our machines
to the software vendors. And thus it is indeed an interesting question
if that can be done via an EULA. 

As of my understanding, it is much more likely to happen in the US, as
the US law system grants you more freedom in what you can agree on in
contracts. In Europe, there are many more things that you can NOT do in
a contract and I assume many of these restrictions would fit in here (and
I don't want to argue which law system is better ;)).

The bottom line, I think, is that we must raise awareness on these issues
not only in the infosec community but the general public. What I
currently see is that Microsoft and other vendors slowly move towards
DRM. So slowly, that customers do not really notice which rights they
lose. It is well known that many small changes over some time period
are often unnoticed while a big change would bring the vendor into
trouble.

Maybe the XBOX case, as weak as I see it, would make up a good sample...

I would also applaud if someone of those being upset would actually try
to bring it to court. Remember, it doesn't help to complain with legal
issues. It only helps to file a suit ;)  [well, honestly, not in all the
cases....]

Rainer

