
Re: Microsoft fumes about security bounty

__/ [ rex.ballard@xxxxxxxxx ] on Wednesday 22 February 2006 14:24 \__

> This could turn into a really interesting court case.  Microsoft's EULA
> prohibits any form of reengineering.  In the Stacker case and the
> IBM/Cyrix vs Microsoft cases, Microsoft claimed that disclosures made
> to the court were a violation of the Microsoft EULA.  These disclosures
> included code that proved that Microsoft had deliberately targeted
> Stacker and the Cyrix chip and had created destructive code.  At
> minimum, the code created an apparent malfunction.
> Of course, the judges in these cases ruled that Microsoft was using
> this clause to obstruct justice, and therefore, for that particular
> case, the evidence was admissible.  Microsoft quickly settled the Cyrix
> case - in fact, so quickly that it was pretty obvious they had drafted
> the first version of the settlement.  In the case of Stacker, Microsoft
> lost the case and was ordered to pay 200 million dollars to Stac.
> Unfortunately, not every judge rules against Microsoft. For example,
> Microsoft was able to get a judge to issue an injunction against web
> sites that disclosed the vulnerabilities of ActiveX controls.  There
> were about 8 examples of things that people could do with ActiveX
> controls - including the ability to create, open, read, write, modify,
> hide, delete, and transfer file content via e-mail or http get or post
> transactions - all without the user's knowledge.  In fact, when users
> use outlook express in default settings, all they have to do to execute
> these functions is PREVIEW an e-mail.
> In other cases, Microsoft has relied on "partners".  When a site owner
> in Texas published DVD drivers which included DVD-CSS decoders,
> Microsoft let the MPAA do the dirty work.  Eventually, the site owner
> was acquitted, but only after a very long series of court battles,
> including attempts to move the case to Los Angeles federal court - even
> though the offense was committed in Texas.
> There is even the possibility that Microsoft will use the Department of
> Homeland Security to get and enforce gag orders.  After all, if
> Microsoft has configured back doors in Microsoft which can and have
> been used to "tap" into the computers of suspected terrorists, then
> disclosures of these capabilities could be considered to be an act of
> terrorism.  Given the treatment of "Terrorists" and "Enemy Combatants"
> by the Bush administration, the "prize money" wouldn't even cover the
> first day of "interrogation".

There is a reason why Vista's encrypted filesystem has become notorious
already. Its key to decoding is owned by a closed-source monopoly and not
just the owner of the key (similar issues with DRM). Moreover, given the
ease at which Windows machines can be captured, controlled and sniffed by
the curious hobbyists, you could only imagine that Governments which depend
on Microsoft could access virtually any computer, with Microsoft's help.

Yahoo have committed similar crimes (disclosure of key evidence that had a
Chinese bloke arrested). Given Yahoo's fairly decent history, why would
Microsoft be the exception? The key difference: Microsoft has a desktop
monopoly. They don't control webspaces, log files and cookie-bound data.
They potentially have possession of people's hard-drive, i.e. entire
information. They can exploit their own loopholes, whether deliberate or
accidental back doors.

> Suppose, for example, that Microsoft used the "extensions" they
> implemented in Kerberos to identify specific users, and that this
> identification could be used to get their key using a special
> "disclosure code".  This would allow Microsoft to get the tokens and
> get access to any machine on any workstation or server.
> If Microsoft perceives the code running on your PC as "their" property,
> they might feel that they have a legal right to search your PC for any
> information - ranging from piracy to the content of Microsoft Office
> documents and outlook e-mail.
> Now, suppose, in exchange for favorable treatment from the DOJ,
> Microsoft offered privileged information to the DHS.  This would be
> information provided by an "informant" acting independently.  Much the
> same way detectives go to snitches for enough information about drug
> dealers or street gang leaders to get initial search warrants and other
> court orders needed to create the case for conviction.
> In this hypothetical situation, disclosure of this capability could be
> seen as interfering with the business of the DHS.  One could quickly
> find themselves in Guantanamo Bay.
> Suppose that this was not the only type of information Microsoft
> provided.  Suppose Microsoft provided damaging information about
> various political candidates to various political campaigns.
> Now, public disclosure could get really nasty.  There would be far too
> many people who would not want anyone interfering with Microsoft's
> abilities.
> Of course, all of this is hypothetical.  But when you consider all of
> Microsoft's efforts to prevent and evade public disclosure of this type
> of information, it's not that hard to believe that they are hiding

These would be serious accusations to make. One needs to be cautious when
making such a presumption without corroboration. In fact, I bet some of the
Wintrolls would have soon jumped on this and refuted everything, as would
Microsoft. Luckily, long threads put them off.

Given the radical behaviour of the Bush administration, I can foresee the day
when some absurdity such as a search warrant will have its electronic
equivalent. In such circumstances, closed-source alliances are the
Government's best friend. It's like brainwash or censorship that cannot be
fought, for the source code is concealed.

Best wishes,


Roy S. Schestowitz      |    Software patents destroy innovation
http://Schestowitz.com  |    SuSE Linux     |     PGP-Key: 0x74572E8E
  2:50pm  up 5 days  3:09,  9 users,  load average: 0.19, 0.60, 0.53
      http://iuron.com - Open Source knowledge engine project
