Home
2008:
January
February
March
April
May
June
July
August
2007:
January
February
March
April
May
June
July
August
September
October
November
December
2006:
January
February
March
April
May
June
July
August
September
October
November
December
2005:
January
February
March
April
May
June
July
August
September
October
November
December
2004:
January
February
March
April
May
June
July
August
September
October
November
December
2003:
January
February
March
April
May
June
July
August
September
October
November
December
2002:
January
February
March
April
May
June
July
August
September
October
November
December
2001:
January
February
March
April
May
June
July
August
September
October
November
December
2000:
April
May
June
July
August
September
October
November
December

(keitai-l) Re: Tricking a server or Tricking yourself. (Long!)

From: Kyle Barrow <kyle_at_X-9.com>
Date: 03/17/01
Message-ID: <NDBBIBLMOEECJPBNJNKCKEBHCHAA.kyle_at_X-9.com>
The second point is a copyright issue that doesn't just apply to emulators -
although it is easier to capture screens - but also handsets as there is
nothing to stop someone taking a photo of the handset i-mode screen. If
anyone is concerned about the possibility of copyright and lacks the legal
resources to pursue infringement, they should not put content on Web.

I agree the may be situations where you only want actual i-mode phones to
access a site. Although i-MIMIC does send the P209is user agent, it does not
attempt to mimic a DoCoMo gateway address or user ID. Unofficial sites can
prevent non-i-mode devices by detecting the former, official sites can do
the same by detecting the latter.

I disagree with the first points implication that emulators (or iCab)
somehow make it easier to compromise a servers security as the full URL
including query strings is also available from i-mode phone sub menus.
Sending confidential information via a URL query string is just bad security
design and for everyone's Saturday enlightenment is one of my favourite
quotes on the subject:

"If I take a letter, lock it in a safe, hide the safe somewhere in New York,
then tell you to read the letter, that's not security. That's obscurity. On
the other hand, if I take a letter and lock it in a safe, and then give you
the safe along with the design specifications of the safe and a hundred
identical safes with their combinations so that you and the world's best
safecrackers can study the locking mechanism - and you still can't open the
safe and read the letter - that's security"
    Bruce Schneier,  "Applied Cryptography", Wiley, 1996

Kyle

X-9 DESIGN LAB
http://www.X-9.com

-----Original Message-----
Hm. Sometimes I wonder how far can you go...Imagine a
company developes something FOR a mobile phone and has
to fight with the following scenarios:

1) Some people write 'fake' headers to request the content
   outside of mobile phones.

2) Some people make screengrabs of content and publish them
   without a basic knowledge of copyright.

<CUT FOR BREVITY>

Juergen


[ Did you check the archives?   http://www.appelsiini.net/keitai-l/ ]
Received on Sat Mar 17 08:34:43 2001