... and this little number, which seems to suggest that Windows XP
somehow subverts egress filtering (SOAP over HTTP?):

A Cautionary Story of Vulnerability Research in the 21st Century
or
A Super-DMCA Fairy Tale

Once upon a time, in a Kingdom in the Midwest, there lived a young
man who wrote software. One day, while writing a program that he
hoped would make his life easier, he happened to find out something
very, very bad about an operating system developed by a Large
Corporation located in another Kingdom on the West Coast. This
operating system (let's call it Doors YQ) was designed very
differently from its predecessors (Doors 95 and Doors 98). In fact,
it was designed so differently that it broke nearly every single
instance of some very special protective programs (let's call them
waterwalls) in a very specific way. Waterwall software was supposed
to protect the computers from people who wanted to hurt them from the
outside and from malicious programs that wanted to send out
information from the inside.

The Large Corporation didn't do anything wrong. They didn't mean to
break the waterwall software. The waterwall software vendors didn't
even know that their waterwalls were broken.

But they were.

It wasn't a truly horrible thing. The waterwalls still worked to keep
bad people from hurting computers from the outside, but those changes
by the Large Corporation to Doors YQ made it so that the waterwalls
didn't work very well at keeping malicious programs from sending
information out from the inside.

The young man was a good-hearted soul. He tried as best he could to
tell all the waterwall vendors about the problem. He didn't tell
anyone else about the problem so that bad people couldn't take
advantage of it before the waterwall vendors had a chance to fix
things. Most of the waterwall vendors were good-hearted people too,
but some didn't listen.

Then, one day, the young man discovered that the Kingdom in the
Midwest frowned upon what he was doing. In fact, the Kingdom had
passed a law, on January 1st of that very year, that said that what
he was doing was bad and that if he were caught doing it, he would be
thrown into the Royal dungeons for between two and five years and
would be called a felon for all of his life. He could also be forced
to turn over all of his worldly goods in what was known as a civil
judgement (even though there was very little about it that could be
considered civil.)

And now the young man became afraid. He had told the waterwall
vendors about the problem on the 14th of January, well after the
Kingdom had passed the law, and he was now living as a free and
non-felon person only at the waterwall vendors' discretion. If they
decided that he wasn't good-hearted enough, or that he hadn't been
helpful enough, or even if they were just particularly grumpy one
day, they could report him to the Kingdom and have him arrested.

And what of the waterwall vendors that had ignored his warnings? What
if he had missed one? Even if he could consider all of the waterwall
vendors who had willingly worked with him as friends, he knew that he
could never safely even say anything about what he had found.

And so the young man decided to never speak of the problems that he
had found. He decided that from that day forward, until the Kingdom
repealed its law, he would never again speak of any problem with any
type of protective software again.