Message-ID: <50F83D64.2020808@googlemail.com>
Date: Thu, 17 Jan 2013 18:05:24 +0000
From: Scott Herbert <scott.a.herbert@...glemail.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Are software cracks also a form of security
 vulnerabilities?


Firstly, anything that can be done in software can be broken via
software, and so nothing is non-tamper-proof. It may take a long time,
but at some point someone will break it.

So to get back to the question, Are software cracks also a form of
security vulnerabilities? IMHO No.

To draw an analogy with the physical world...
safety issues (car brakes, wheels falling off etc.) could be said to be
akin to security vulnerabilities, both are preventable at the design
stage, both cause the system to fail and both have serious implications
for the end user.  The battery on the 787 is a safety issue, Lithium ion
batteries apparently have a number of known safety drawbacks (as per the
BBC, see http://www.bbc.co.uk/news/business-21054089 ), and it's right
that the FAA has grounded the 787 because of it, and Boeing is working
on a patch.

However, cracks aren't like that; the vendor has no control over what
happens to them. I could write a patch that would prevent any Windows
program from working (just f**k with the PE header or overwrite every
byte with 90h). Is this the vendor's fault? Clearly not. Can they stop
me? Clearly not; as long as I've access to the executable file (which is
an OS, not application, issue) I can screw it up.

IMHO it's as if you were to say the fact someone could take out a 787
with a surface-to-air missile is a safety issue and we should class them
the same as battery fires.



On 17/01/2013 09:20, COPiOUS wrote:
> Hello,
>
> First of all, the question is in the subject. Should say enough.
>
> In my opinion they are, since a software crack allows unauthorized use of software and the exposure of (possible) trade secrets, but I want to know how other people think about this. Also, by cracking software packages, other issues pop up quite often - quite a lot of applications aren't tamper-proof. But does "not tamper-proof" mean that the software is flawed? 
>
> Since we're moving to a smartphone/app-centric world, application security (and especially mobile application security) is an important topic, since many developers think that a walled garden is safe. It's not because you can't get out, that others can't get in.
>
> COPiOUS
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>


