Free Republic
Smoky Backroom

Mac, Windows QuickTime Flaw Opens 'Month Of Apple Bugs'
Information Week ^ | Jan 2, 2007 03:04 PM | Gregg Keizer

Posted on 01/03/2007 11:04:31 AM PST by newgeezer

The exploit could be used by attackers to compromise, hijack, or infect computers running either Windows or Mac OS X.

The Month of Apple Bugs project kicked off Monday by posting a zero-day vulnerability in Apple's QuickTime media player. It also posted an exploit that could be used by attackers to compromise, hijack, or infect computers running either Windows or Mac OS X.

The Month of Apple Bugs (MoAB), which will announce a new security vulnerability in Apple's operating system or other Mac OS X software each day in January, is a follow-on to November's "Month of Kernel Bugs" campaign, and is co-hosted by that project's poster, a hacker who goes by the initials "LMH," and a partner, Kevin Finisterre, a researcher who has posted numerous Mac vulnerabilities and analyses on his own site.

The debut vulnerability is in QuickTime 7's parsing of RTSP (Real Time Streaming Protocol); the protocol is used to transmit streaming audio, video, and 3-D animation over the Web. Users duped into clicking on an overlong rtsp:// link could find their PCs or Macs compromised. It also may be possible to automatically trigger an attack simply by enticing users to a malicious Web site.

"Exploitation of this issue is trivial," said LMH in the vulnerability's write-up on the MoAB Web site. The associated exploit code has been tested on Mac OS X running on Intel-based systems, and works against QuickTime 7.1.3, the current version of the player, LMH and Finisterre said.

Other security researchers rang alarms Tuesday. Danish vulnerability tracker Secunia, for example, pegged the bug as "highly critical," the second-from-the-top threat in its five-step score, and Symantec alerted customers of its DeepSight threat network of the vulnerability.

An Apple spokesman declined to confirm the vulnerability, or, if it was legitimate, when the flaw might be fixed. In an e-mail, he said that "Apple takes security very seriously and has a great track record of addressing potential vulnerabilities before they can affect users. We always welcome feedback on how to improve security on the Mac."

LMH, who didn't immediately reply to several questions sent via e-mail, said on the MoAB site that Apple's Mac OS X operating system was chosen as the target for the month of vulnerabilities because "we like to play with OS X, we enjoy hate e-mail, and it's not as crowded as (random software vendor), yet. Thus, it's really comfortable for research and there's so much to be worked out."

He also said that Apple -- and other vendors whose Mac OS X applications might be the focus of a bug posted during the month's run -- would not be notified in most cases before the information went live, and dismissed that practice. "The point is releasing them without vendor notification. The problem with so-called 'responsible disclosure' is that for some people, it means keeping others on hold for insane amounts of time, even when the fix should be trivial. And the reward (automated responses and euphemism-heavy advisories) doesn't pay off in the end."

LMH, Finisterre, and commercial security vendors recommended that users cripple QuickTime's ability to process rtsp:// links. In Windows, launch QuickTime, select Edit|Preferences|QuickTime Preferences, click the File Types tab, expand Streaming, and clear the box marked "RTSP stream descriptor." In Mac OS X, select System Preferences|QuickTime|Advanced|MIME Settings|Streaming|Streaming Movies and clear the "RTSP stream descriptor" box.

Apple's QuickTime was last in the news during December, when a bug in the player was exploited by fraudsters on MySpace. That vulnerability remains unpatched.

LMH expects to see more QuickTime attacks now that his newest flaw has gone public. He said, "It's a matter of time to see this getting abused in the wild."


KEYWORDS: apple; bugs; moab; security; threadjester
To: Golden Eagle
More defense of Russian hackers of course, rather than admitting you were just caught lying again, trying to claim the Russians couldn't possibly be criminal.

Elcomsoft is a legitimate Russian software company. You do realize that Russia has an economy, don't you? That Russia actually has companies that do legitimate business? You seem to think it's an entire country full of evil hackers.

And you still fail to spot the legal difference between these two cases. I'll give you a hint: It's in the DMCA. Of course, why am I having to hint? I've cited this law to you before, and you just ignored it instead of researching for yourself in order to factually counter my statements.

361 posted on 01/10/2007 4:12:25 PM PST by antiRepublicrat
[ Post Reply | Private Reply | To 359 | View Replies]

To: antiRepublicrat

LOL what a meltdown you're suffering! Accusing me of sex with goats is all you have left. Classic!


362 posted on 01/10/2007 4:12:36 PM PST by Golden Eagle
[ Post Reply | Private Reply | To 360 | View Replies]

To: Golden Eagle; FLAMING DEATH; rzeznikj at stout
LOL what a meltdown you're suffering! Accusing me of sex with goats is all you have left. Classic!

Exactly how long have you been using the WWW?

Would someone care to explain the end of post #360 to GE?

363 posted on 01/10/2007 4:16:27 PM PST by antiRepublicrat
[ Post Reply | Private Reply | To 362 | View Replies]

To: antiRepublicrat

GE a liar? Say it ain't so.


364 posted on 01/10/2007 4:22:04 PM PST by Petronski (Who am I and why am I here?)
[ Post Reply | Private Reply | To 298 | View Replies]

To: antiRepublicrat
Would someone care to explain the end of post #360 to GE?

Why, because you think accusing me of sex with goats will somehow excuse your admitted lies and endless and still ongoing defense of criminal Russian hackers? Good luck LMAO.

365 posted on 01/10/2007 4:25:04 PM PST by Golden Eagle
[ Post Reply | Private Reply | To 363 | View Replies]

To: Golden Eagle; antiRepublicrat; Petronski; FLAMING DEATH

...except that these guys weren't hackers.

They are a software company that happens to be based in Russia, and apparently the U.S. Government, as well as state and local authorities have bought and use this software.

So, you're saying that the Federal Government uses software written by "hackers" to nab tax cheats, hackers, and other criminals. And IIRC, you've worked as a civil servant.

Oh, the Horrors!!

Seriesly, Iggle. Put down the pipe and step away from the keyboard.


366 posted on 01/10/2007 5:29:45 PM PST by rzeznikj at stout (Boldly Going Nowhere...)
[ Post Reply | Private Reply | To 359 | View Replies]

To: rzeznikj at stout
..except that these guys weren't hackers.

I never said they were, and still exposed 2 more lies by antiRepublican, where were you? He keeps claiming the hackers who cracked OSX can't be criminal, since it's a copyright infringement case. Lo and behold, the DMCA ("C" is for "copyright") does in fact allow for criminal prosecution, and I found a criminal case against Russians for only cracking the code and only distributing the crack, not the software that was cracked, another lie he claimed couldn't happen.

You better learn to keep up, or your chances of ever becoming a halfway decent lawyer are toast. I'm sure you're more interested in being a defense lawyer than seeing justice done, but if you can't even see how pitifully antiRepublican has defended himself, you have no chance of actually defending anyone else.

367 posted on 01/10/2007 5:47:18 PM PST by Golden Eagle
[ Post Reply | Private Reply | To 366 | View Replies]

To: Golden Eagle; antiRepublicrat

In any case, you literally picked the wrong case. The law in play is correct--you've finally got that right (for a change).

Specifically, the parts involved are sections 1201.2(a) and (c), which prohibit "manufacture, import, offer to the public, provide, or otherwise traffic in any technology, product, service, device, component, or part thereof" that is primarily designed to circumvent a copy protection.

However, the law does not define "copy protection." I can, in theory, form a front company, write a little C program that basically says "Foo," write another little program that basically says "Hello World," claim that the Hello World program is really a copy protection on my original program, thereby making anybody using "Hello World" in technical violation of this statute.

Second, it was (and is) legal pretty much everywhere in the world. Just not for Joe American--and that's only because of a vague clause in the DMCA, which itself is seen by many conservatives as being facially unconstitutional (at the bare minimum). Yet, the Federal Government itself violates its own act by buying the software in question.

Is it a legal challenge? Probably. An exercise in hypocrisy? Definitely.

Further, I see no evidence that antiRepublicrat is defending Russian hackers. What he did was point out that the DOJ was prosecuting a guy whose products are a.) legal practically everywhere else in the world, and b.) software that the government itself has purchased and currently uses. Hardly a fair shake for the guy who wrote the software--under a law that has been constitutionally shady from the get-go.

368 posted on 01/10/2007 6:09:54 PM PST by rzeznikj at stout (Boldly Going Nowhere...)
[ Post Reply | Private Reply | To 367 | View Replies]

To: rzeznikj at stout
In any case, you literally picked the wrong case.

No it was the perfect case, as it exposed two distinct lies he is always attempting to make: that copyright cases can't be criminal, and that only distributing the crack and not the copyrighted material wasn't breaking copyright law. He has repeatedly and endlessly uttered these lies, along with many others, that he has outright admitted to perpetuating for months at a time, in his defense of the criminal hackers. The fact that this case was about Russians, was not necessarily material, but undoubtedly fitting.

369 posted on 01/10/2007 6:17:02 PM PST by Golden Eagle
[ Post Reply | Private Reply | To 368 | View Replies]

To: Golden Eagle
"Let your conversation be always full of grace, seasoned with salt, so that you may know how to answer everyone." Colossians 4:6

"Even a fool is thought wise if he keeps silent, and discerning if he holds his tongue." Proverbs 17:28

370 posted on 01/10/2007 6:30:50 PM PST by Señor Zorro ("The ability to speak does not make you intelligent"--Qui-Gon Jinn)
[ Post Reply | Private Reply | To 355 | View Replies]

To: Señor Zorro
Even a fool is thought wise if he keeps silent

Exactly, which is why the fool at hand continues to spew more lies in his defense of criminals.

371 posted on 01/10/2007 6:36:14 PM PST by Golden Eagle
[ Post Reply | Private Reply | To 370 | View Replies]

To: Golden Eagle

"Most every one of your posts are lies, as I've shown countlessly on other threads."

Right, and since the "Lie List" is made up of YOUR comments, then those must be lies too, right?

"Just like antiRepublican here, you can't come up with one (1, single, uno) actual lie that I made purposefully. "

I don't know your intentions (willful misrepresentation or ignorance) when you post a lie, but when I look at the lie list, I see a pattern. That pattern is: you love to lie. You'll never convince any rational person that those were all ignorance (which is amazing, because that's something you possess in abundance).

You make statements, get them shot down, then get angry at us for doing it. And your hypocrisy is astounding, e.g., questioning others for their religious beliefs while condemning people to hell and advocating gambling with amounts that could feed a family for years in some countries.

Oh, wait...I forgot. They're not Americans; they don't count. Unless they're in Africa, and have AIDS. Then you want friggin' Planned Parenthood and Microsoft to rush in and save them with condoms!

The inconsistencies in your philosophies make my head hurt.

Purposely or not, you are without a doubt one of the most irresponsible posters on Freerepublic. I can say that without reservation. So, even if I agreed with your, "Poor me, I don't mean to say falsehoods, but I just get so darn confused sometimes" excuse (and I don't) you still don't get a pass, because you're a pompous ass.


372 posted on 01/10/2007 6:53:20 PM PST by FLAMING DEATH (Open source is a good check on the artificial influence of monopolization.)
[ Post Reply | Private Reply | To 355 | View Replies]

To: Golden Eagle

The only reason why copyright cases have become criminal is because of DMCA, which suffice it to say is unconstitutionally vague and difficult to enforce (see my crude example above).

The guy wrote a product whose application is only illegal because of that single clause in the DMCA. A product that is only illegal for ordinary U.S. citizens to run.


373 posted on 01/10/2007 7:11:02 PM PST by rzeznikj at stout (Boldly Going Nowhere...)
[ Post Reply | Private Reply | To 369 | View Replies]

To: FLAMING DEATH
you're a pompous ass.

LOL yeah I know it bugs you to have to sit here and watch your blasphemous buddy antiRepublican go down in flames over his endless lies defending Russian hackers, but you're no better with your own lies, you're on record claiming "a Russian wrote Multics" and other laughable BS yourself. Get a life loser, instead of constantly stalking me on this board, your posting history shows nothing but attacks on me for months, and for what, your pitiful defense of leftists and criminals. LOL it's amazing how low some of you freaks are, but the fact that some of you outright admit that you lie quote "for fun" is all that really needs to be known.

374 posted on 01/10/2007 7:13:46 PM PST by Golden Eagle
[ Post Reply | Private Reply | To 372 | View Replies]

To: Golden Eagle
Why, because you think accusing me of sex with goats

I think you may be beginning to understand the irritation your out-of-context quotes cause.

375 posted on 01/10/2007 7:40:42 PM PST by antiRepublicrat
[ Post Reply | Private Reply | To 365 | View Replies]

To: rzeznikj at stout; Golden Eagle
The only reason why copyright cases have become criminal is because of DMCA

Okay, I'll finally spill the beans since GE isn't likely to get it despite previously being told the law in question.

Background Info:

Before I start, remember that we're going on the information available in the story. And, for reference, the hack in question is essentially the equivalent of the common Windows slipstreaming tools. The software the hackers wrote will let you create an OS X install DVD that will install on a Dell.

To make it really clear, the tool requires that you already have the OS X installation DVD. A modified version of the installation DVD you already own is then copied onto the new install DVD, just like in Windows slipstreaming.

The modifications mostly fall into three categories. One, it emulates the open-standards EFI firmware since most PCs are still on the 80s-technology BIOS. Second, it emulates newer hardware so, for example, you wouldn't have to have a Core Duo to run it (OS X apparently expects only the latest chips). Third, it cracks the hardware-dependent encryption layer to make OS X think it's on a Mac. This is the "circumvention device" discussed below, and it was apparently extremely easy.

The legal stuff:

Copyright infringement used to be criminal if it was done for profit. The copyright cartel got that changed to even if you distributed a certain value worth of copyrighted works without license it becomes criminal. But none of that applies criminally, since they are never claimed to have distributed OS X.

The DMCA's anti-circumvention clauses in 1201 are what apply here since they make "circumvention devices" illegal in many cases (although with many exceptions). And while they do have a spotty legal history, and are internally inconsistent, they are still there and in effect. However, it is still a civil matter by default.

What changes it to criminal, and what got Elcomsoft in trouble, is doing it willfully and for profit, which invokes section 1204. There is absolutely zero indication that this was done for profit. It was hackers (actually one initially) trying to get OS X to run on non-Mac hardware. They released their tool for free with no indication of expectation of financial gain. Plus, willfulness is not assumed in copyright cases, and the plaintiff must prove it. Do we expect a Russian programmer to know the intricacies of US copyright law, especially concerning a clause that has no equivalent in most of the world?

In summary, without both financial gain and willfulness, there is no criminal penalty for circumvention. The article hinted at neither.

376 posted on 01/10/2007 8:37:21 PM PST by antiRepublicrat
[ Post Reply | Private Reply | To 373 | View Replies]

To: Golden Eagle
it exposed two distinct lies he is always attempting to make: that copyright cases can't be criminal, and that only distributing the crack and not the copyrighted material wasn't breaking copyright law

Read #376, then retract this statement if you are honest enough. I NEVER said "copyright cases can't be criminal" and I NEVER said "distributing the crack and not the copyrighted material wasn't breaking copyright law" or anything to the effect of either statement.

Lesson #1: Some copyright infringements are criminal, most are civil. There are specific requirements that have to be met for a case of infringement to become criminal.

Lesson #2: Breaking the law doesn't necessarily make the action criminal -- it may be exposing you to civil liability instead. Copyright has always been traditionally a civil law. Criminal prosecution for certain actions in certain cases is a relatively recent addition.

377 posted on 01/10/2007 8:53:12 PM PST by antiRepublicrat
[ Post Reply | Private Reply | To 369 | View Replies]

To: antiRepublicrat

Your claims the hacker didn't know it was illegal to crack OSX are ludicrous, and on par with your other insidious lies you have already admitted to carrying on for months. There was a significant financial benefit for anyone who was illegally using the crack to run OSX on cheap Dells, your ridiculous claims that no Russian hackers anywhere were profiting from this hack are simply further proof of the constant lies you use in your attempts to defend the Russian hacker underworld.


378 posted on 01/10/2007 9:03:16 PM PST by Golden Eagle
[ Post Reply | Private Reply | To 376 | View Replies]

To: antiRepublicrat
Criminal prosecution for certain actions in certain cases is a relatively recent addition.

LOL more lies, of course. Even though this is simply an attempt to distract from his other lies, that this couldn't be a criminal case and that distributing just the crack couldn't be prosecuted under copyright law. Guy is apparently sworn to defend criminal hackers, so I'll just keep handing him more rope, sure beats him posting his lies on other threads to trick other unsuspecting posters.

379 posted on 01/10/2007 9:14:50 PM PST by Golden Eagle
[ Post Reply | Private Reply | To 377 | View Replies]

To: Golden Eagle
LOL more lies, of course.

I guess it would depend on "relatively recent." From what I've read, criminal penalties didn't show up until 1909 (remember, this started in the 1700s), and even then it was a misdemeanor with light punishment. Since then, penalties have gone up, and the requirements for criminal penalties have gone way down.

that distributing just the crack couldn't be prosecuted under copyright law

Stop right there with your false witness against me. It just can't be prosecuted criminally unless certain criteria are met -- and the article does not show those criteria.

380 posted on 01/10/2007 9:58:09 PM PST by antiRepublicrat
[ Post Reply | Private Reply | To 379 | View Replies]
