Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: Are software cracks also a form of security vulnerabilities?
From: Scott Herbert <scott.a.herbert () googlemail com>
Date: Thu, 17 Jan 2013 18:05:24 +0000


Firstly anything that can be done in software can be broken via
software, and so nothing is non-tamper-proof, it may take a long time
but at some point someone will break it.

So to get back to the question, Are software cracks also a form of
security vulnerabilities? IMHO No.

to draw an analogy with the physical world...
safety issues (car breaks, wheels falling off etc.) could be said to be
akin to security vulnerabilities, both are preventable at the design
stage, both cause the system to fail and both have serious implications
for the end user.  The battery on the 787 is a safety issue, Lithium ion
batteries apparently have a number of known safety drawbacks (as per the
BBC, see http://www.bbc.co.uk/news/business-21054089 ), and it's right
that the FAA has grounded the 787 because of it, and Boeing is working
on a patch.

However cracks aren't like that, the vendor has no control over what
happens to them, I could write a patch that would prevent any windows
program from working (just f**k with the PE header or overwrite every
byte with 90h), is this the vendors fault? clearly not. can they stop
me? clearly not, as long as I've access to the executive file (which is
an OS not application issue) I can screw it up.

IMHO it's as if you where to say the fact someone could take out a 787
with a surface to air missile is a safety issue and we should class them
the same as battery fire's.



On 17/01/2013 09:20, COPiOUS wrote:
Hello,

First of all, the question is in the subject. Should say enough.

In my opinion they are, since a software crack allows unauthorized use of software and the exposure of (possible) 
trade secrets, but I want to know how other people think about this. Also, by cracking software packages, other 
issues pop up quite often - quite a lot of applications aren't tamper-proof. But does "not tamper-proof" mean that 
the software is flawed? 

Since we're moving to a smartphone/app-centric world, application security (and especially mobile application 
security) is an important topic, since many developers think that a walled garden is safe. It's not because you can't 
get out, that others can't get in.

COPiOUS

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/



Attachment: signature.asc
Description: OpenPGP digital signature

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault