Thursday, 21 June 2007
You’ve probably never heard of Fyodor, or insecure.org. I expect you will over the next few days as the mainstream media begins to pick up on a Harry Potter story. Fyodor is a very gifted programmer who created an extremely valuable security analysis program called nmap over 10 years ago, and has been maintaining and improving it ever since. nmap is one of the most widely-used vulnerability scanners, and was even featured in the second Matrix movie (pictures are at the bottom of the insecure.org home page; geek trivia: the versions of nmap, the target computer system, and the actual vulnerability are historically accurate).
What does this have to do with Harry Potter? Well, Fyodor also hosts a number of extremely useful computer security discussion lists on his site. And on one of those, a day ago, someone posting as “Gabriel” posted a message entitled “Harry Potter 0day”. (“0day” is jargon for “zero day”, and is used to denote a file — originally software, but more commonly now films or music — that is released onto the underground scene on the day of its public release. This kind of piracy gives bragging rights to the crackers.) In the post, Gabriel claims to give spoilers as to the ending of the upcoming Harry Potter and the Deathly Hallows book.
Interestingly, the post claims a religious motive (which fits with the poster’s choice of name):
We did it by following the precious words of the great Pope Benedict XVI when he still was Cardinal Joseph Ratzinger.
He explained why Harry Potter brings the young of our earth to the Neo Paganism faith.
So we make this spoiler to make reading the upcoming book useless and boring.
More worryingly, the poster claims to have gotten the information through a malicious email sent to an employee of Bloomsbury Press:
The attack strategy was the easiest one.
The usual milw0rm downloaded exploit delivered by email/click-on-the-link/open-browser/click-on-this-animated-icon/back-connect to some employee of Bloomsbury Publishing, the company that’s behind the Harry crap.
It’s amazing to see how many people inside the company have copies and drafts of this book.
Curiosity killed the cat.
Even if this particular incident is not true, it illustrates the dangers that poor computer security can pose to a business, as well as to an individual, because this kind of thing can indeed happen. When software is in a state where a single click on an email can allow a cracker access to the files stored locally on the computer (or on accessible network shares), you have a clear chance of this kind of thing happening. It only takes one foolish click or error (or — the most dangerous — an exploit that triggers without any such action). Software security is boring, but the consequences of poor security can be devastating. Its marketing hyperbole aside, Apple does have a valid claim to significant superiority here, owing to Mac OS X’s Unix underpinnings.
If this incident is true, I don’t see it particularly hurting sales. Kids (and adults) will still want to buy the book, and this kind of information will be all over the web 1 minute after the books go on sale. It would, however, suggest the importance of quarantining critical information on a “need-to-know” basis, and storing it on a system not accessible to the public.
In any event, I don’t recommend reading Gabriel’s post. If true, it will ruin enjoyment of the book. If false, it will still do so, and you won’t fully realise until you get to the end. Either way, you are giving the poster publicity and credibility. If you really, really must, I will say that the post appears on the “Full Disclosure” discussion list, but that’s it.