The clear waters that flowed from the Smoky Mountains drew trout fishermen and families on canoe trips past historic Cherokee village sites, and the rich farmlands of 300 local families.įor six years, we carried our case through a fog of rancid national debate and finally, to a landmark victory in the U.S. The Tennessee Valley Authority had proposed a dam that would threaten the fish's last natural habitat.Īfter 68 dams had been built on that river system, the snail darter lived in the last remaining 33 miles of cool, clear, flowing waters in the Little Tennessee River. We were trying to save a little fish, the snail darter, which was known to live only in a single place: the Little Tennessee River. (John Duricka/AP)įifty years ago last week, President Richard Nixon signed the Endangered Species Act of 1973, a conservation law that quickly became one of the most politically attacked of all time.Ī few months later, my students and I at the University of Tennessee Law School launched a lawsuit under the ESA, the first big test of the new law. He and others were in Washington to meet with members of Congress to discuss the dam project. You can compare Faronics' behavior and response time to other software companies and make your own conclusions.Facebook Email The author speaks to reporters near the Capitol in Washington, D.C., June 20, 1978. 2016-Jan-12 - Meltdown is updated with another round of xor encryption and 2 new calls to DeviceIoControl API.They introduce 2 new vulnerabilities in this version. Changelog says "Secured One-Time Password functionality from potential vulnerability." No security bulletins published. 2015-Dec-31 - Changes in DeepFreeze Enterprise 8.31 break existing versions of Meltdown.It took me few hours to add that new round of "extra secure" xor encryption. 2015-May-11 - User reported that Meltdown wasn't working anymore.Release notes say "Resolved a security issue that could result in the user accessing Deep Freeze without authorization." No security bulletins published. 2014-Jun-24 - Changes in DeepFreeze Enterprise v8.11 break existing versions of Meltdown.To me, it indicates that Faronics was aware of Meltdown at this moment of time. This vulnerability had existed since very early versions of DeepFreeze and it suddenly got fixed. No mention of any security issues in the changelog. 2014-Mar-31 - Faronics closes the vulnerability in DeepFreeze Standard v8.10.But I'd rather not say anything and let the facts speak for themselves. And even some reverser friends have asked me that. IT managers who bought DeepFreeze ask that. It's so good, it deserves a separate blog post. Where have I seen this design before? smile So, I updated Meltdown to obtain information necessary for OTP generation from DeepFreeze driver. However, Faronics added a new feature to the driver: So, Meltdown didn't even have to communicate with the driver.īut in the latest version (v8.31) the information to generate OTP is not present in dfserv.exe or other executables. But all the information necessary to generate OTP was present in dfserv.exe and other executables. End of story.ĭeep Freeze Enterprise is a different story: Makes total sense, right? I looked at the communication protocol and concluded that the issue is fixed. That's what Meltdown originally did.įaronics fixed that in Deep Freeze Standard v8.10: Obviously, it's easy to extract password from the information provided by driver. Communication between UI ( frzstate2k.exe) and the driver goes like this: So, let's start with the Deep Freeze Standard versions 5.x to 7.x. However, the overall communication protocol is badly designed. It's done using DeviceIoControl calls and data are encrypted using changing XOR key. The problem is in data exchange between driver and the UI component. While doing so, they created a new local privilege escalation vulnerability. Second, they added a licensing mechanism that requires each workstation to be activated. While doing so, they added a new vulnerability - similar to the one that Meltdown used to obtain password for Deep Freeze Standard version 7.x and older. Download link: What was changed in DeepFreeze version 8.31?įirst, they made an attempt to stop Meltdown from generating correct One Time Passwords (OTP). Tl dr - DeepFreeze is still buggy and one-time passwords can be easily generated.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |