The Turkey Curse
fukamis terror chatroom

n.runs, Sophos, German laws, and customer safety

Setting Orange, 21st Bureaucracy, 3173.

Steven M. Christey from [MITRE][mitre] gave a good example on the Bugtraq mailing list of how the new “anti-hacker laws” in Germany regarding the publication of exploits are backfiring badly. Here’s his full posting:

Subject: n.runs, Sophos, German laws, and customer safety

The n.runs-SA-2007.027 advisory claims code execution through a UPX file. This claim is inconsistent with the vendor’s statement that it’s only a “theoretical” DoS:

   “A corrupt UPX file causes the virus engine to crash and Sophos
   Anti-Virus to return ‘unrecoverable error’, leading to scanning being
   terminated. It should not be a security threat although repeated
   files could cause a denial of service.”

It is unfortunate that Germany’s legal landscape prevents n.runs from
providing conclusive evidence of their claim. This directly affects
Sophos customers who want to know whether it’s “just a DoS” or not.
Many in the research community know about n.runs and might believe
their claim, but the typical customer does not know who they are
(which is one reason why I think the Pwnies were a good idea). So,
many customers would be more likely to believe the vendor. If the
n.runs claim is true, then many customers might be less protected than
they would if German laws did not have the chilling effect they are

It should be noted that in 2000, a veritable Who’s Who of computer
security - including Bruce Schneier, Gene Spafford, Matt Bishop, Elias
Levy, Alan Paller, and other well-known security professionals -
published a statement of concern about the Council of Europe draft
treaty on Crime in Cyberspace, which I believe was the predecessor to
the legal changes that have been happening in Germany:

Amongst many other things, this letter said:

   “Signatory states passing legislation to implement the treaty may
   endanger the security of their computer systems, because computer
   users in those countries will not be able to adequately protect
   their computer systems… legislation that criminalizes security
   software development, distribution, and use is counter to that goal,
   as it would adversely impact security practitioners, researchers,
   and educators.”

If I recall correctly, we were assured by representatives that such an
outcome would not occur.

- Steve

Thanks to Steve for pointing it out.



Setting Orange, 21st Bureaucracy, 3173.

The new location of “The Turkey Curse” is [][]. All requests to the old location are redirected.



H.264 and AAC support for Flash and Open Source Media Server

Setting Orange, 21st Bureaucracy, 3173.

[Tinic Uro][tinic], an engineer at Adobe working on the Flash Player, [blogged][blogentry] about the [announcement][announcement] that Adobe will support H.264 and AAC with the Flash Player.

Reading the [blog post][blogentry], I was very upset reading this part at the end of the article:

I am not in a position able to explain to you why we will not allow 3rd party streaming servers to stream H.264 video or AAC audio into the Flash Player. What I can tell you is that we do not allow this without proper licensing. Refer to Adobe’s friendly Flash Media Server sales staff for more information.

Someone on the OSFlash mailing list came up with the entry in [Wikipedia regarding H.264][wikipedia h264]:

Conversely, shipping a product in the U.S. which includes an LGPL H.264 decoder/encoder would be in violation of the software license of the codec implementation. In simple terms, the LGPL and GPL licenses require that any rights held in conjunction with distributing and using the code also apply to anyone receiving the code, and no further restrictions are put on distribution or use. If there is a requirement for a patent license to be sought, this is a clear violation of both the GPL and LGPL terms. Thus, the right to distribute patent-encumbered code under those licenses as part of the product is revoked per the terms of the GPL and LGPL.

But a server isn’t encoding or decoding anything, it is just streaming. More interestingly, there is an [announcement of the MPEG LA][mpegla] back from 2003:

Decoder-Encoder Royalties

  • Royalties to be paid by end product manufacturers for an encoder, a decoder or both (“unit”) begin at US $0.20 per unit after the first 100,000 units each year. There are no royalties on the first 100,000 units each year. Above 5 million units per year, the royalty is US $0.10 per unit.
  • The maximum royalty for these rights payable by an Enterprise (company and greater than 50% owned subsidiaries) is $3.5 million per year in 2005-2006, $4.25 million per year in 2007-08 and $5 million per year in 2009-10.
  • In addition, in recognition of existing distribution channels, under certain circumstances an Enterprise selling decoders or encoders both (i) as end products under its own brand name to end users for use in personal computers and (ii) for incorporation under its brand name into personal computers sold to end users by other licensees, also may pay royalties on behalf of the other licensees for the decoder and encoder products incorporated in (ii) limited to $10.5 million per year in 2005-2006, $11 million per year in 2007-2008 and $11.5 million per year in 2009-2010.
  • The initial term of the license is through December 31, 2010. To encourage early market adoption and start-up, the License will provide a grace period in which no royalties will be payable on decoders and encoders sold before January 1, 2005.

Participation Fees

  • Title-by-Title – For AVC video (either on physical media or ordered and paid for on title-by-title basis, e.g., PPV, VOD, or digital download, where viewer determines titles to be viewed or number of viewable titles are otherwise limited), there are no royalties up to 12 minutes in length. For AVC video greater than 12 minutes in length, royalties are the lower of (a) 2% of the price paid to the licensee from licensee’s first arms length sale or (b) $0.02 per title. Categories of licensees include (i) replicators of physical media, and (ii) service/content providers (e.g., cable, satellite, video DSL, internet and mobile) of VOD, PPV and electronic downloads to end users.
  • Subscription – For AVC video provided on a subscription basis (not ordered title-by-title), no royalties are payable by a system (satellite, internet, local mobile or local cable franchise) consisting of 100,000 or fewer subscribers in a year. For systems with greater than 100,000 AVC video subscribers, the annual participation fee is $25,000 per year up to 250,000 subscribers, $50,000 per year for greater than 250,000 AVC video subscribers up to 500,000 subscribers, $75,000 per year for greater than 500,000 AVC video subscribers up to 1,000,000 subscribers, and $100,000 per year for greater than 1,000,000 AVC video subscribers.
  • Over-the-air free broadcast – There are no royalties for over-the-air free broadcast AVC video to markets of 100,000 or fewer households. For over-the-air free broadcast AVC video to markets of greater than 100,000 households, royalties are $10,000 per year per local market service (by a transmitter or transmitter simultaneously with repeaters, e.g., multiple transmitters serving one station).
  • Internet broadcast (non-subscription, not title-by-title) – Since this market is still developing, no royalties will be payable for internet broadcast services (non-subscription, not title-by-title) during the initial term of the license (which runs through December 31, 2010) and then shall not exceed the over-the-air free broadcast TV encoding fee during the renewal term.
  • The maximum royalty for Participation rights payable by an Enterprise (company and greater than 50% owned subsidiaries) is $3.5 million per year in 2006-2007, $4.25 million in 2008-09 and $5 million in 2010.
  • As noted above, the initial term of the license is through December 31, 2010. To encourage early marketplace adoption and start-up, the License will provide for a grace period in which no Participation Fees will be payable for products or services sold before January 1, 2006.

So I don’t get why Adobe cares about open source media servers. Isn’t it the problem of the content providers?

The only thing I can think: Patents suck!



24C3 CfP

Sweetmorn, 17th Bureaucracy, 3173.

The Chaos Communication Camp is over, so it’s time to announce the [Call for Participation][cfp] of the 24th Chaos Communication Congress 2007 (24C3). The Chaos Communication Congress is the annual four-day conference organized by the [Chaos Computer Club][ccc] (CCC) and taking place in Berlin, Germany. The 24C3’s slogan is Volldampf voraus! – the German equivalent of “full steam ahead” – a particular request for talks and projects featuring forward-looking hands-on topics. The Chaos Computer Club has always encouraged creative and unorthodox interaction with technology and society, in the good tradition of the real meaning of “hacking”.

This year’s congress introduces a new category for talks called “Making”. This category is all about making and breaking things and the wonderful stuff you can build in your basement or garage. Most welcome are submissions dealing with the latest in electronics, 3D-fabbing, climate-change survival technology, robots and drones, steam machines, alternative transportation tools and guerilla-style knitting.

As always, the date of this event is December 27th to 30th.



Chaos Communication Camp Roundup

Setting Orange, 11th Bureaucracy, 3173.

[Lenin wore a hula skirt and a flower garland][lenin] — do I have to say more? The [Chaos Communication Camp 2007][cccamp] of the [Chaos Computer Club][ccc] at Finowfurt Airport was a totally outstanding event. The whole crew, especially Julia and fh, did a great job organizing it. In the first place the setting was awesome. Camping on the historic Russian airport somewhere in Brandenburg, sitting next to old planes and listening to interesting talks in bunkers were unique experiences. It was fun for me to spend the first hours and days just walking around and discovering the area.

When at night the whole place changed into an illuminated party zone, I wondered once again how an event like that was possible at all. The two thousand attendees had quite fast and mostly working internet in the middle of nowhere. Everybody around was helpful and even the short rainstorms couldn’t spoil the fun.

There were a lot of interesting talks — shame on me that I only listened to a few of them: Lisa’s talk on [finding and exploiting concurrency issues in software][lisa], Seth Hardy’s excellent talk [“A Crash Course In The Math of Public Key Cryptography”][seth], Dan’s [Black Ops 2007][black ops], Fefe’s [“Know your compiler”][fefe] and Gil’s talk about [ZERT and binary patches][zert]. Unfortunately, I missed the talk about the [A5 Cracking Project][a5] — well, all the talks have been recorded, so I will see it online in a few weeks. Update: [kuza55][] notified me that the [recording is already][a5 video] online :)

It was so much fun hanging around with all the Italians (especially [ascii][ascii], [Alessio][alessio] and [Fabio][fabio]), the guys from [Leiwandville][metalab], the Illuminats from Entropia, the crowd from Berlin, Dresden and Cologne, the Americans at [Camp Anaconda][anaconda] and all the other dudes from all over Europe. I had some great conversations, for example with [Dan Kaminsky][dan] regarding attacks using [DNS rebinding][rebinding] with a very cool private presentation of his [“Suckets”][suckets] and I talked with [FX][fx] regarding so-called [Security 2.0][rant] and other funny things.

I was somewhat unsatisfied by my own talk entitled [“Testing and Exploiting Flash Applications”][flashtalk]. Since I’m not a native speaker, I was extremely nervous in the beginning. Funny thing is that especially the German listeners were upset about my poor language skills and some even claimed that I should have held the presentation in German. But in the aftermath I had quite a few interesting conversations, e.g. with Rob (the maintainer of [Gnash][gnash], a free and open Flash Player alternative) about Flash security models. I would not have had this chance if I had held my lecture in German.

Well, I guess badly spoken English is one of the most spoken languages in the world =)

Since one hour is a short period of time, I only explained the basics and demonstrated some funny but harmless example exploits with XML.load functions like CNN’s [v0te teh l33t][cnn], Nokia’s [OpenMoko support][nokia] and RTL’s [feature of the camp talks][rtl] (Update: fixed by RTL. Update 2: They didn’t get it right: it’s only fixed if the variable ‘xmldata’ starts with “http://”). I also explained a [flaw in AS3 socket handling][scan], mainly discovered by David Neu after a discussion we had a while ago. Adobe has already acknowledged the problem and told us they will patch it by the end of October. We decided to release the info to the public before then, since it is less dangerous than buffer overflows in their player or media server.

During my talk I introduced a Flash Security Project called [FlashSec][flashsec]. This project aims at developing testing methods and tools for Flash/AIR security auditing and documentation.

I found it very funny to get applause after showing how one can use simple LocalConnections to let Flash movies talk to each other cross-domain. For attackers it is especially useful to build Flash-based attack back channels. By the way: in this context I’d also like to mention [Thai Duong][vnhacker], who notified me about his lecture at [VNSECON07][VNSECON07] where he [demonstrated how to zombify a browser with Flash][zombie] just a couple of days before.

Nonetheless, both the positive and the negative feedback I got was very useful for preparing and extending my talk for [FrOSCON][froscon] next week.


