2009-05-27

Analysis of Adobe RTMPE


A recently published analysis of RTMPE comes to the conclusion that, although the algorithm "provides end-to-end secrecy in exactly the same way that SSL provides end-to-end secrecy, it provides no security and uses no authentication of any kind." Nowhere is a secret key, a password or even a pass phrase required in order to decrypt the content: only a 32-byte hash value plus the size of the SWF file and publicly exchanged information, specifically the last 32 bytes of the first response from the streaming server, are involved.

Following this line of argument, it could be concluded that RTMPE is only a proprietary streaming protocol with encrypted transmission. It seems at least questionable whether Adobe could call this a circumvention of copy protection and thus be in a position to invoke the DMCA and prevent distribution of the software.

http://www.h-online.com/open/Adobe-acts-against-Flash-video-stream-recorder--/news/113370

2009-05-16

Windows7 UAC whitelist: code-injection vulnerability (and more)

And just when I thought the RC for Windows 7 was going to be a hit, it turns out that, when running on an administrative account, most of the original Windows 7 .exe's auto-elevate their rights by default, without asking the user for permission. Given that many people are accustomed to running on administrative accounts, this poses a security hole.

More: http://www.pretentiousname.com/misc/win7_uac_whitelist2.html

Enable Alt+Ctrl+Backspace in Jaunty Jackalope

Ubuntu 9.04 comes with an updated X.org server, in which Ctrl+Alt+Backspace no longer works out of the box. Some silly users complained that this (correctly!) resets their sessions when they accidentally press the aforementioned combination. Even though I have used Linux successfully for many years, I was NEVER able to press such an extraordinary key combo accidentally.

Anyway, Ubuntu devs listened and Ctrl+Alt+Backspace is turned off by default, what a pity. To restore the normal (old?) behaviour you need to modify X.org settings:

1) Open the configuration file in Gedit:

sudo gedit /etc/X11/xorg.conf

2) At the end paste:

Section "ServerFlags"
    Option "DontZap" "false"
EndSection

3) Restart the system or just the X subsystem ("sudo /etc/init.d/gdm restart" comes to mind) in order for Ctrl+Alt+Backspace to work again. To return to the previous setting, remove or comment out the added lines, or change "false" to "true" in the "DontZap" flag.

Original tip (in Polish): http://www.ubucentrum.net/2009/05/jak-waczyc-skrot-ctrlaltdelete-w-ubuntu.html
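
The steps above as one repeatable shell function, as an added example that is not part of the original post: it appends the section from step 2 only when no active "DontZap" line exists, and otherwise rewrites that line, which also covers switching back to "true". The name set_dontzap and the .bak copy are assumptions of this example.

```shell
# Added example (not from the original post); set_dontzap is a hypothetical helper.
# Usage, as root: set_dontzap /etc/X11/xorg.conf false   (then restart X, step 3)
set_dontzap() {
    conf=$1
    value=$2
    case $value in
        true|false) ;;
        *) echo "value must be true or false" >&2; return 2 ;;
    esac
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 1; }

    # Assumption: keep one copy of the untouched file next to it.
    [ -e "$conf.bak" ] || cp -p "$conf" "$conf.bak" || return 1

    tmp=$(mktemp) || return 1
    awk -v v="$value" '
        # Active (uncommented) DontZap line, in any letter case: rewrite it,
        # keeping its indentation. Covers the value-less form as well.
        tolower($0) ~ /^[ \t]*option[ \t]+"dontzap"/ {
            match($0, /^[ \t]*/)
            $0 = substr($0, 1, RLENGTH) "Option \"DontZap\" \"" v "\""
            found = 1
        }
        { print }
        # No active line anywhere: append the section from step 2.
        END {
            if (!found)
                printf "Section \"ServerFlags\"\n    Option \"DontZap\" \"%s\"\nEndSection\n", v
        }
    ' "$conf" > "$tmp" || { rm -f "$tmp"; return 1; }

    # Write through the existing file so its owner and mode stay as they were.
    cat "$tmp" > "$conf" && rm -f "$tmp"
}
```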

2009-05-05

No One Ever Got Fired For Using Microsoft

I dug out a nice piece of writing by helios, from his old blog. Actually, this is one of the best of his posts, the ones that hooked me into reading them. And they are numerous...

http://blog.lobby4linux.com/index.php?/archives/83-No-One-Ever-Got-Fired-For-Using-Microsoft.-Yes-They-Did..html
(note: original site is inaccessible right now, the above link is provided by the Wayback Machine)

Find more interesting readings on the current Blog of helios.