Bring me a rock
The Crack a Mac Challenge , which was broken Sunday , was reinstated 24 hours later after a Macintosh development company, Blue World Communications, worked around the clock to fix the bug in their CGI product that allowed the crack. Below is the note from Joakim Jardenberg <joakim at infinit dot se> announcing the reopening of the challenge.
Crack a Mac is back again! It's true!!!
The crack that was made possible due to a combination of
different functions on the server has now been blocked by a
patch for Lasso.
Blue World did an amazing effort and released a patch for
Lasso in less then 24 hours, and on a Sunday as well. The
patch is recommended for all Lasso users running both versions
1.2 and 2.0 and can be found here .
Blue World also proves what a great company it is by
sponsoring the reward to Starfire, who found out how this
combination could be exploited.
More details on the combination will be posted soon.
So the bottom line is -- Crack a Mac is back, we all have
learned a lot, and we now have an even more secure server
Apple's Chuq Von Rospach <chuqui at plaidworks dot com> sent the following details of the cracker's method.
The site ran two third-party CGIs -- SiteEdit and Lasso. The
first is, as you might think, a way to edit and update a web
site through a CGI instead of FTP. Think of it as Netscape's
file upload on steroids. Rather nice product. Lasso is a CGI
database interface to FileMaker Pro.
The latter was used to implement a guestbook on the site.
Lasso... [leaves] a pointer to its "error" html file in the
html available to the user. [The cracker] noticed that, and
rewrote the form so that the error file field now pointed to
the filename of the password file for SiteEdit. Then he quer-
ied a non-existant file, and Lasso happily sent him the pass-
Oops. SiteEdit kept everything cleartext. Because obviously,
there's no need to protect it: WebStar has a special MacOS
signature byte which says "never download this, period." So
there was no way to get the file without cracking the machine,
so... Except Lasso didn't sanity-check its filenames and
didn't honor the "no download" file restriction.
So this crack has nothing to do with MacOS or Webstar. It's a
problem in Lasso that takes advantage of something SiteEdit
did. Lasso's patch is already on Blue World's website.
Nice hack. A bunch of CGI authors need to go rethink their
security. If Lasso does this, I'm sure others will too, and
people will go snooping now that someone's thought of it. And
it's another great reminder that passwords ought never to be
cleartext, even if you keep them in your shorts.
And I'm waiting for the first writer to make the assumption
that this means the MacOS is insecure.
Win a million
A couple of years back Elementrix claimed  to offer encryption based on the cryptographers' holy grail, the one-time pad. But the claim proved hollow . Now a startup called Crypto-Logic Corp.  has the genuine article. It's offering a $1M prize to anyone who can decipher a simple English challenge message within a year's time. Sure, why not a million, the encryption technique is provably unbreakable. Each message is encrypted by a key as long as the message itself and the keys are used once only. The software, Ultimate Privacy, runs on Windows 95 and NT. It costs $99 and includes two software pads, which allow you to encrypt 2000-4000 messages between yourself and a single recipient. The company sells pads for use if you exhaust the first pair, or if you wish to encrypt messages to a second recipient, but I could not find a price on their Web site.
Here are highlights from the thoughtful responses of three serious organizations.
Policy Oversight Committee  -- the body carrying forward the proposals of the International Ad Hoc Committee offered a detailed response. The document gives some insight into the thought behind the positions that emerged in the gTLD Memorandum of Understanding. The POC points out the sheer volume of Internet community input the IAHC considered and worked into its proposals, implicitly calling into question the wisdom of the NTIA's decision to start the comment process all over again.
Computer Professionals for Social Resopnsibility  -- CSPR wants to pull back and allow time for far wider input into the IAHC process. "Whatever its merits, the IAHC process was closed, rushed and unbalanced," the CSPR opines. They believe that there is "no current crisis" needing immediate resolution.
Electronic Frontier Foundation -- The EFF's position paper had not been posted at this writing; when it is it will probably appear here . The EFF generally supports the gTLD Memorandum of Understanding, but is not a signatory to it. EFF's views diverge from the IETF position over the question of the balance of rights. EFF regards the IAHC proposal as highly skewed toward the rights of the holders of intellectual property, at the expense of other Net stakeholders. The EFF paper slaps NSI for trying to claim the original top-level domains as their own property.
|ActiveX (www.activex.com)||Java (www.gamelan.com)|
|Browser Enhancements||34||Arts and Entertainment||259
||Online Applications ||20 ||Business and Finance ||215
||Tools & Utilities ||240 ||Commercial Java ||449
||Site Development ||56 ||Educational ||813
||Application Development ||250 ||Games ||1204
||Database Connectivity ||30 ||How-to and Help ||71
||Control Development ||13 ||Java-Enhanced Sites ||787
||total ||643||JavaBeans ||48
||Network / Communications ||414
||Programming in Java ||1302
||Related Technologies ||1398
||Special Effects ||829
||Tools & Utilities ||676
In Cyberspace, Nobody can see you fall asleep in your soup
It's Monday evening. The IETF meeting ended last Friday, at approximately 11:30 AM, local time.
So why am I writing this on Monday? Well, as the techies would say, "the IETF doesn't scale well."
It seems that, traditionally, IETF meetings were always four days in length. However, due to the number of groups meeting, that became difficult. They even went to evening meetings (thus interfering with the important business of schmoozing with one's fellows) and still four days wasn't enough. So it finally dawned on them to expand the meeting to five days. This was a fine idea, except that the traditional thing to do was to shut down the network in the terminal room late Thursday or early Friday. This meant that the network connection went away moments after the end of the last meeting, thus I was stuck (gasp!) without an Internet feed.
Add to this the non-compatability of German telephones and my US modem, plus a day's travel to get back to my office, and you end up with me writing the Day Five report on Monday.
But back to my IETF story.
On Friday, we had the IPsec meeting. Now at this meeting we had one mild disagreement, one calmly worded surprise, and a couple of relatively new observations. Since we have nineteen documents actually, I count 21, but what's two drafts among 175 debating Internet folk?), this is considered a mild meeting. There are drafts for architecture, packet formats, almost a dozen encryption ciphers (don't blame me, my name's only on four of the documents), and miscellaneous other proposals.
The good news is, people are definitely realizing that [Attention news flash here] people are currently using the Internet without encryption. Since this is happening, there is agreement -- "rough consensus" as the mantra says -- that we need to get this stuff done as soon as possible.
There are still problems. The main document that isn't done is the architecture spec. This means we wrote 20 or so documents based on an old architecture spec and some notes written on the back of an envelope. Some have characterized this as "firing a gun and then running ahead of the bullet to paint a target where it's going to hit." This may be true, but in all fairness this is the third generation of the architecture document, so at least for those hardy folk who have been around for a while the architecture is known.
The scary thing is, there was consensus on another point: with all those documents, we realized that sometime soon we are bound to hear that someone has written "IP Security For Dummies."
It's appropriate not only for Myrmidion but also because the animation used to draw graphical selections is known as "marching ants" -- so coined by the programmer who first coded them. (Bill Atkinson, in MacPaint.) And the name of the tool that makes graphical selections is the same as the database CGI described this week: "Lasso."
TBTF home and archive at http://www.tbtf.com/ . To subscribe send the message "subscribe" to firstname.lastname@example.org. TBTF is Copyright 1994-1997 by Keith Dawson, <dawson dot tbtf at gmail dot com>. Com- mercial use prohibited. For non-commercial purposes please forward, post, and link as you see fit. _______________________________________________ Keith Dawson dawson dot tbtf at gmail dot com Layer of ash separates morning and evening milk.