Norman,
Very good point. When those functions were "found" the only security concern
I heard was that you should protect those functions from unauthorized use.
No one questioned how they were found, and I didn't hear much of a stink over
why they were never released before. It was treated almost like an Easter
egg or a feature for the hardcore developer. This is hypocritical on
Allaire/Macromedia's part, in my opinion, because it flies in the face of
their stance on CFDecrypt. How so? Well, CFDecrypt works by using an
industry standard encryption algorithm, DES, and a known, static password
that is embedded into every copy of CF Server. The DES algorithm is not
owned by Allaire/Macromedia so they have no claim against that portion of
CFDecrypt. The password is embedded in the server code but doesn't require
any sort of decompiling to get, much like the Administrator functions are
part of the code and require nothing more than knowledge of them to use. I
think that a good parallel to this is the embedded backdoor password that is
part of IIS 4.0. When that was found you didn't hear Microsoft raising hell
about _how_ someone discovered a plain-text backdoor into the web server
used by upwards of 70% of commercial companies. They were too busy
backpedaling and sending up smoke in an effort to not look as irresponsible
and unprofessional as they were. Imagine if they had simply said, "Our
license agreement states that end-users aren't allowed to make use of this
backdoor, so we aren't going to fix it. And by the way, we're going to send
our lawyers against the person who discovered this." I don't condone the use
of reverse engineering for malicious purposes, but it is ludicrous to
villainize a piece of code, which is really only an idea, in a blanket
fashion without regard to beneficial use. Just because it doesn't meet
Allaire/Macromedia's corporate plans or shows a weakness in their product
doesn't mean that the idea has no value. "Oh, but, if you call us
(Allaire/Macromedia) and possibly pay an incident fee we will be happy to do
it for you." In other words, these tools are too much for _you_ to have.

The suggestion to "have it taken off the 'Net" is really scary to me. A
computer program starts as an idea, and code is the manifestation of that
idea. The idea may not be successful or the implementation may not be
successful, operationally or commercially, but that doesn't mean it doesn't
have value or a right to exist. The "right" to exist in effect is inherited
from the rights of the developer as a person to think and create. Written
human language is used to convey and distribute ideas. Sometimes those ideas
are successful, sometimes not. Many times one person's opinion or idea
conflicts with those of others, but here in the US we typically defend the
individual's right to express themselves. If existing ideas can't stand up to
the test of new ideas then those old ones fall by the wayside while the new
idea prospers ... and the cycle repeats itself. The same holds true in
computer science. Existing ideas should be challenged and new ideas should
be allowed to reach their potential. When an existing idea is challenged the
immediate reaction shouldn't be to silence the new idea. Imagine what life
would really be like if something as trivial as this were enough to drive a
global search and destroy mission against what ... an idea?

If development shops really _need_ a strong encryption tool for ColdFusion
code then demand that Macromedia provide such. If Macromedia is truly
concerned about this then they will take the time and resources to provide a
replacement for an encryption scheme that had an implementation problem to
begin with. Maybe along the way they will realize that decryption capability
is important to developers and it is shortsighted and patronizing to treat
the customer as if they can't handle the responsibility or that
Allaire/Macromedia has decided _for_ you that you don't need to decrypt CF
code. I would ask that Macromedia implement a stronger encryption scheme
along with a decryption tool for developers and stop villainizing an idea
that simply shows that your previous idea wasn't perfect. Get over it, no
idea is perfect. Adapt and overcome.
Steve
p.s. In answer to the inevitable, "We're using our licensing rules against
decryption to protect our customers", response I ask, "If an effective
mechanism was in place why would they need your _protection_?"
-----Original Message-----
From: Norman Elton [mailto:[EMAIL PROTECTED]]
Sent: Friday, June 08, 2001 12:07 PM
To: CF-Talk
Subject: RE: Need decryptor tag for CFUG presentation
>>Is it illegal to have such a utility or is it illegal to use the utility.
Or perhaps illegal/unethical to use it for the purpose of then using someone
else's code?
Here's another issue...
Is it bad/unethical to use the undocumented tags/functions found in the CF
Administrator? These have been "documented" elsewhere (webpages, Allaire
forums, etc), although the only way people found them was by decrypting the
administrator.
Norman
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Structure your ColdFusion code with Fusebox. Get the official book at
http://www.fusionauthority.com/bkinfo.cfm
Archives: http://www.mail-archive.com/[email protected]/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
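Added illustration, not part of the thread and not Allaire/Macromedia's code: Steve's point is that a scheme built from a standard cipher plus a key shipped inside every copy of the server is obfuscation, because the "decryptor" is nothing more than the same cipher call with the same constant. The Go program below models that design and also shows the practical step that the thread only alludes to: once you hold one file you encrypted yourself (so you know its plaintext), the key constant can be located in a server image by a known-plaintext scan of every 8-byte window. Everything specific here is an assumption for the demo: the key bytes "CFX-DEMO", DES in CBC mode with a zero IV and PKCS#5 padding, the fake server image, and the sample source. The thread does not state the real CF scheme's mode, IV or key, and none of them are claimed here.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"errors"
	"fmt"
)

// embeddedKey stands in for the static password that ships with every copy of
// the server. HYPOTHETICAL constant chosen for this demo; not the real CF key.
var embeddedKey = []byte("CFX-DEMO")

// pad applies PKCS#5 padding (assumed for the demo) to reach a whole DES block.
func pad(b []byte) []byte {
	n := des.BlockSize - len(b)%des.BlockSize
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

// unpad strips PKCS#5 padding and rejects anything malformed, which is how a
// wrong candidate key is usually detected during the scan below.
func unpad(b []byte) ([]byte, error) {
	if len(b) == 0 || len(b)%des.BlockSize != 0 {
		return nil, errors.New("bad length")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > des.BlockSize || n > len(b) {
		return nil, errors.New("bad padding")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("bad padding")
		}
	}
	return b[:len(b)-n], nil
}

// Encrypt models the vendor's "encrypt my templates" tool: DES-CBC under a
// fixed key and a fixed (zero) IV. The weakness is the fixed key, not DES.
func Encrypt(key, plaintext []byte) ([]byte, error) {
	block, err := des.NewCipher(key)
	if err != nil {
		return nil, err
	}
	iv := make([]byte, des.BlockSize) // zero IV, assumed for the demo
	p := pad(plaintext)
	out := make([]byte, len(p))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, p)
	return out, nil
}

// Decrypt is the entire "decryptor": the mirror of Encrypt with the same key.
func Decrypt(key, ciphertext []byte) ([]byte, error) {
	block, err := des.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(ciphertext)%des.BlockSize != 0 {
		return nil, errors.New("ciphertext not block-aligned")
	}
	iv := make([]byte, des.BlockSize)
	out := make([]byte, len(ciphertext))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(out, ciphertext)
	return unpad(out)
}

// RecoverKey slides an 8-byte window across a binary image and returns the
// first window that decrypts a known (ciphertext, plaintext) pair. You always
// have such a pair: encrypt a file of your own with the vendor tool.
func RecoverKey(image, ciphertext, knownPlaintext []byte) ([]byte, bool) {
	for i := 0; i+des.BlockSize <= len(image); i++ {
		cand := image[i : i+des.BlockSize]
		got, err := Decrypt(cand, ciphertext)
		if err == nil && bytes.Equal(got, knownPlaintext) {
			return append([]byte(nil), cand...), true
		}
	}
	return nil, false
}

// sampleImage is a CONSTRUCTED stand-in for a server binary: some unrelated
// strings with the static key buried among them.
func sampleImage() []byte {
	img := []byte("CFADMIN\x00license=professional\x00")
	img = append(img, embeddedKey...)
	img = append(img, []byte("\x00template cache\x00version 5.0\x00")...)
	return img
}

func main() {
	src := []byte(`<cfset secret = "hello">`) // constructed sample template
	ct, _ := Encrypt(embeddedKey, src)
	fmt.Printf("ciphertext: %x\n", ct)
	key, ok := RecoverKey(sampleImage(), ct, src)
	if !ok {
		fmt.Println("key not found in image")
		return
	}
	pt, _ := Decrypt(key, ct)
	fmt.Printf("key recovered from image: %q\ndecrypted: %s\n", key, pt)
}
```

The scan is linear in the image size and costs one short DES-CBC decryption per window, so even a multi-megabyte binary is searched in seconds; this is why "keep the key in the server" never amounted to more than a licensing-terms control, which is exactly the distinction Steve draws between the cipher (public) and the password (shipped to every customer).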