A Good Reason To Go Full-Time SSL For Gmail 530
Ashik Ratnani writes with this snippet from Hungry Hackers: "A tool that automatically steals IDs of non-encrypted sessions and breaks into Google Mail accounts has been presented at the Defcon hackers' conference in Las Vegas. Last week, Google introduced a new feature in Gmail that allows users to permanently switch on SSL and use it for every action involving Gmail, not just authentication. Users who did not turn it on now have a serious reason to do so, as Mike Perry, the reverse engineer from San Francisco who developed the tool, is planning to release it in two weeks."
Good thing Slashdot is safe... (Score:5, Funny)
Or else someone could hijack my accBILL GATS SI TEH DEVLI!!!!!!!!!
Re:Good thing Slashdot is safe... (Score:5, Funny)
Good thing Slashdot is safe...
Or else someone could hijack my accBILL GATS SI TEH DEVLI!!!!!!!!!
Yep, looks like slashdot is unaffected for the moment.
Just for Google? (Score:5, Insightful)
Is there any reason to not use SSL every time one sends a password?
Unfortunately, the general public still seems entirely uneducated about SSL, figuring that passwords must be secure because they appear as bullets on the screen, right?
Re:Just for Google? (Score:5, Informative)
Like when you read slashdot?
Re: (Score:3, Insightful)
Obg link to bash.org
http://www.bash.org/?244321 [bash.org]
Explains user-unsecurity.
Bash.org has been down for a couple weeks now.
Re:Just for Google? (Score:4, Informative)
The password is sent over SSL, the problem is that it will happily send your cookie over HTTP which is for all intensive purposes just as good as a password.
Re:Just for Google? (Score:5, Informative)
Re:Just for Google? (Score:5, Funny)
Re:Just for Google? (Score:5, Funny)
Re: (Score:3, Informative)
Why is it that everyone piles on this guy for saying "intensive purposes", yet when someone corrects the incorrect usage of "begs the question" English is all of a sudden a descriptive language with meanings that evolve?
Re: (Score:3, Funny)
I think you're begging the question a bit there.
Re: (Score:3, Funny)
Re: (Score:3, Funny)
YOU'RE
Re: (Score:3, Interesting)
Easy. The lexicogrammar of "begs the question" makes far more sense in its common usage as being synonymous with "raises the question." Some situation seems to be begging for someone to ask a particular question. The original meaning of this idiomatic expression, having to do with circular logic, does not as clearly follow from the individual meanings of those words. Also, to be honest, I have never, ever heard a usage of the original meaning. Ever.
I am an applied linguist by training and trade, and
Redundant? Yes - Normans and Saxons (Score:5, Informative)
Amateur lexicographer? (Score:4, Informative)
"Cease" and "desist" do not mean the same thing. Neither do "will" and "testament," nor do "intents" and "purposes." Use a dictionary to verify.
To start you off: "cease" means "to stop" while "desist" means "to refrain from doing."
Re: (Score:3, Informative)
stop means "to stop" while stop means "to refrain from doing."
Re:Redundant? Yes - Normans and Saxons (Score:5, Informative)
The phrase has come to mean that the statement it refers to applies generally (i.e., in a multitude of conditions).
Re:Just for Google? (Score:4, Funny)
I know this is being pedantic, but you are missing a period after the quote or you should have moved it outside the quotes. The urge is too strong since you seem to be so happy harping on missing periods...
My girlfriend has been missing her period. Should I be worried?
Re:Just for Google? (Score:5, Funny)
It depends; will the father be financially supporting the baby, or will you be stuck paying the bills?
Re:Just for Google? (Score:5, Informative)
Re:Just for Google? (Score:4, Interesting)
So why the fuck haven't I had mod points? This might be one of the most interesting things I've read on /. in a long time. If ever.
Yeah, so sue me. I don't get out much.
Re: (Score:3, Informative)
Re:Just for Google? (Score:5, Funny)
Re: (Score:3, Funny)
"Fuck The What" ?
Ow ow ow. (Score:4, Insightful)
Is this the road we're going down? Pseudo-homophones of idiomatic phrases?
Yeah, yeah, grammar pedantry is bad. Nevertheless, this stuff hurts to read.
Re:Ow ow ow. (Score:5, Funny)
Re:Ow ow ow. (Score:5, Funny)
I could care less.
Re:Ow ow ow. (Score:5, Funny)
I could careless
Re:Ow ow ow. (Score:5, Funny)
Most people "could care less."
Which hurts on many levels...
Re: (Score:2)
Just floating a unlikely hypothesis here, but could it be that cetan's use of a well-known pseudo-homophone of an idiomatic phrase, in a thread on that very subject, might be intentional?
Re:Ow ow ow. (Score:4, Funny)
People who use "could" instead of "could not" do so out of ignorance or laziness
...but NEVER sarcasm.
Re:Ow ow ow. (Score:5, Funny)
Its a waist of time to corect peoples gramar and speling. Your simply not going to brake there bad habits irregardless of how you feal.
Re:Ow ow ow. (Score:5, Funny)
Re:Ow ow ow. (Score:4, Funny)
waist of time
Mmm... ourglass...
Re: (Score:3, Funny)
I reed slashdot, witch is why I spell gooder than any won els.
Re: (Score:3, Funny)
depends on the version of the neural compiler, and customizations etc
Re: (Score:3, Insightful)
There should still be some part of a person's brain that stops and says, "That doesn't make any sense..." when the write something like that.
After listening to (and reading) managerese for so long, that part of the brain shuts down in self defense. If it didn't, managers and marketing people would wonder why tech employees were always running out of meetings screaming.
Re:Just for Google? (Score:4, Interesting)
Not quite ALL intents and purposes. If I want to change my password, I still need to know my current password. Although somebody who steals my SID can read my mail they can't change my password and lock me out.
Re:Just for Google? (Score:5, Informative)
Gmail always uses SSL for logins.
Previously if you wanted to maintain SSL for the whole session you had to login via https://mail.google.com/ [google.com] otherwise it dropped back to http after login. Now you can set it to always use SSL regardless of the URL you visit it from.
But it was NOT secure... (Score:3, Informative)
Until Google added the option, it never actually set the GX cookie as secure, so you could do an active-hijack of any OTHER connection they make so that it does a redirect to http://mail.google.com/ [google.com] and spits out the cookie in the clear for the attacker to capture.
Re:But it was NOT secure... (Score:5, Funny)
How to turn it ON ALWAYS (Score:3, Informative)
Look under "Settings" --> "General" then at the very bottom it says "Always use https". (It doesn't mention SSL so searching the page for SSL turns up nothing).
Re: (Score:3, Informative)
From what I've read, a MITM attack could still inject a packet asking for "http://gmail.google.com" and the server would send back the unencrypted cookie. This setting would tell the server that the cookie isn't to be transmitted over an unencrypted connection.
Re:Just for Google? (Score:5, Informative)
Is there any reason to not use SSL every time one sends a password?
Firefox 3, and I think other newer browsers, lie to people by strongly implying that HTTPS with self-signed certificates is far more dangerous than bare unencrypted HTTP.
Re:Just for Google? (Score:5, Insightful)
They don't lie, they assume that if a site is self-signed it has been hijacked which is very resonable, if my bank suddenly changed to self-signed I'd want a proper warning.
Re: (Score:3, Interesting)
But if a site is not signed at all, then it must be safe, huh?
An unencrypted site is less dangerous than a self-signed one because the former isn't advertising that it's safe; the latter is. It's presenting the appearance of security, with the reality of none. You're much better off thinking you're insecure, and acting appropriately, than assuming you're secure, and not realizing you've just given your bank account information to a phisher.
Re:Just for Google? (Score:4, Informative)
You are mixing up security and identity.
Not really. Had you said that he was mixing up encryption and identity, I'd have agreed, but for secure communication with some other party you need to both secure the channel (encryption) and verify that the other party is who you want to talk to (identity). Without that identity verification step, you're very vulnerable to man-in-the-middle attacks.
There are many ways to handle the identity problem (e.g. by using a shared secret key) but SSL is elegant in that it uses public key cryptography to set up a secret session key and ensure that the other party is who you think they are. That all works great and is straight-forward if you know each other's public keys, but that really doesn't scale. Think about it: how do you find out my public key and ensure that it really is my public key? You've probably not got the time or resources to meet me in person.
There are two solutions to this, both of which rely on adding cryptographic signatures to public keys to allow you to determine whether someone you trust knows the key is right. PGP and GPG use a "web of trust" scheme, and SSL uses "certificate authorities". When done properly, CAs are an excellent solution since they can require really strong proof of identities before signing anything, and there are CAs about who do this sort of thing for real. (HTTPS uses an additional check over basic SSL in that it requires the server to have its DNS name signed into the public certificate, which stops additional types of spoofing peculiar to some types of web interactions.) Web browsers are seeded with the public certificates of CAs believed (through analysis of their published policies) to be well-run.
The problem is that not all CAs are scrupulous. OK, a black-hat operated CA will always be bad, but some others are looking more and more grey due to their pursuit of the almighty buck at all costs. In effect, they're breaking their own policies and hoping that nobody will notice. The only solution for this is to revoke the trust of those CAs who do this, either by getting their master CA to revoke the signature (why do you think CRLs/OCSP is important?) or by removing a particular trust root from browsers. That last option is very much the "nuclear option" since it will harm a lot of perfectly innocent bystanders, but I reckon that unless and until someone is publicly crucified like that, the siren call of the extra cash will win more often than it should.
(Yes, I know I've simplified things a lot. This message is long enough!)
Re: (Score:3, Insightful)
The true problem is that, in true techie style, the concepts covered by HTTPS aren't properly separated and this results in confusion for people that don't understand what's going on technically. For better or for worse, HTTPS is a leaky abstraction.
HTTPS solves two distinct problems and yet it's depicted as a single problem. Because the need for an encrypted transport layer is obvious, people forget that the other purpose of HTTPS is to verify the identity of the server you're communicating with. It can ev
Re: (Score:3, Interesting)
Re:Just for Google? (Score:4, Informative)
Self-signed raise the level of complexity from "passive snooping at any point along the data path" to "active interception of traffic, either directly or via a secondary exploit".
Saying that self-signed certificates are worthless is like saying that a fence at a prison is worthless unless it's electric -- sure, the electric fence is better, and it provides additional security, but the plain old fence is a good place to start, and I don't think a lot of wardens would call it "worthless" just because it can be climbed.
That's not to say that users shouldn't be warned about the lower level of security, but it's a little disingenuous to pretend that a MitM attack is significantly more likely that say, someone getting a perfectly legitimate, CA-signed certificate for a typo-squatting site.
My big beef here is that unencrypted traffic produces no such warnings. If I didn't bother to provide a certificate for my website we'd be talking in the clear, and your browser wouldn't even mention it to you (other than maybe that one-time warning about sending data). Meanwhile if I offer a certificate from an authority you don't trust your browser will act as if I'm trying to steal from you rather than protect you. Email clients are just as bad -- regular email has no integrity guarantees, but S/MIME-signed messages are flagged as bad if the CA is untrusted, in spite of the relatively good security compared to messages with no signature.
The long and the short of it is security is more complicated than an on/off indication, and users will eventually have to deal with that if they want to be secure. I'm not suggesting grandma needs to know how SSL works, but if we replaced with lock with a multi-level system to indicate "plaintext", "signed", "signed and authenticated", "encrypted", "encrypted, signed, and authenticated" -- still a pretty small number of states, all of which could be described in a short hover tooltip -- users could make more informed decisions about the security in place and whether or not is is sufficient for the task at hand.
Re: (Score:3, Insightful)
So you encrypt and tell them "it's not secure," just like you do when you don't encrypt and tell them it's not secure. What's so bad about that?
If the user demands a black-or-white answer, then tell them the worst-case scenario: black. But be consistent about it. Behind the scenes, despite the user's wish that things are black or white, the reality is that there are degrees of security, and encrypted-but-not-a
Re: (Score:3, Interesting)
There's a sizable portion of the general public that doesn't want to be bothered having to remember any passwords for anything. They simply want to click a button and have it work.
You'd have better luck explaining the security implications of such a system to a chimp.
Re:Just for Google? (Score:5, Insightful)
God, I've had some insane conversations with retarded people.
*me**: You know doing what you're doing is terribly terribly insecure, someone might get into your email account! .... ah well, it's not like there's anything important in there. I mean what are they gonna do, email someone in my name? ....You have a paypal account right?
*Him*:
*me**:
*Him*: Ya...
*me**: And it's linked to your email account right?
*Him*: Ya...
*me**: And if you forget your paypal password you can have them send you an email to change it right?
*Him*: Ya....
*me**: And your credit card is linked to your paypal account isn't it?
*Him*: Hmmm...
*me**: So someone with access to your mail account could get hold of your paypal and run up some insane charges buying horse porn.
*Him*: Oh....
It's depressing how people will set up accounts with things like paypal, link them to their email and then dismiss anything about security since "sure my email isn't that important"
Re:Just for Google? (Score:4, Insightful)
Re: (Score:2)
I don't know about Rogers' webmail (it's outsourced to Yahoo) but their DNS servers are still vulnerable to the DNS security issue that was plastered in the news a few weeks ago.
I guess non-maroons are a minority.
Re: (Score:2)
I have a feeling that won't last much longer ;)
Re: (Score:2)
Run away slaves?
http://en.wikipedia.org/wiki/Maroon_(people) [wikipedia.org]
3 clicks (Score:5, Informative)
Re: (Score:3, Informative)
I'm admin for a few domains that use gmail apps. None of mine have that option yet. It may be a rolling update.?
Re: (Score:2)
That's actually pretty typical. I use an e-mail address on such a domain and I've noticed this in the past. Typically the updates take a while to get to the hosted domains.
In the meantime, I think I'm going to use the info I gleaned here and use the https: address to keep my connection secured throughout my sessions... although I wonder if the exploit wouldn't work if I just didn't use the 'remember me' feature. Firefox remembers my password, so the 'remember me' isn't necessary anyway.
Re: (Score:3, Informative)
Once you're signed into Gmail:
Settings -> Always use https -> Save changes
And then you need to reload the page otherwise you're still on http. At least that's what my browser showed.
Re: Better, yet, zero clicks! (Score:3, Informative)
mutt -f imaps://imap.gmail.com
Re:3 clicks (Score:4, Informative)
Google Announcement (Score:5, Informative)
A few notes... (Score:5, Insightful)
Mike Perry did a great public service by making this tool and making it available.
This attack also works against yahoo mail, hotmail, etc. Just Yahoo, hotmail, etc don't even OFFER SSL, so well, if you use them, your FSCKed.
And Google has known about this problem for a LONG time. EG, see my blog post from last february! [icir.org].
Google waited for a year before even giving users the OPTION to be protected when SSL is used, and notice that it was only after they found out about Mike Perry's talk that the option was even added.
Also, as I argue, they got it wrong. The checkbox is good, but most users don't know about it. But if a user MANUALLY enters https://mail.google.com/ [google.com] I argue that google should INFER that the user wants to be SSL-only, at least until they explicitly log out.
Re:A few notes... (Score:5, Insightful)
So he's going to release a tool that lets people break into Gmail accounts. And unless you read slashdot, you'd have no idea to go into preferences and flip a switch.
How is this a public service? For the 99% of the world who dont read SD every day, they're pretty much screwed.
It's good I'm a nerd and will now flip the magic switch on my gmail account...but it seems like a big f-u to everyone else.
D
Re:A few notes... (Score:5, Insightful)
Too expensive (Score:3, Insightful)
Using SSL for everything is too expensive in terms of computing resources. Gmail gets a staggering amount of traffic as it is, I don't know that they could handle all of it being run through the SSL hardware. I'm just happy the setting is there at all.
-B
Re:A few notes... (Score:5, Interesting)
Mike Perry did a great public service by making this tool and making it available.
WTF? No he didn't. Pointing out the vulnerability is a a public service, yes. Giving a talk where he outlines the problem? Also a public service. Distributing the means for anyone to make use of this vulnerability (ESPECIALLY when so many major vendors aren't prepared for it yet) is not a public service anymore. It's just arming script kiddies. Ralph Nader was able to do plenty of good without going around ramming into Chevy Corvairs to somehow "drive home" the need for a fix.
Re: (Score:2)
Actually, that doesn't work.
You see, Google doesn't set GX as secure unless you manually select the preference to "Always use secure".
Thus even if you are a good user and always type in https, unless you changed the preference, Mike's tool can read your mail!
UNLESS YOU CHECK, you are insecure! (Score:5, Informative)
Unless you SET THE PREFERENCE, you are insecure, even if you MANUALLY type in https://mail.google.com/ [google.com] always.
Because unless you SET THE PREFERENCE, google does NOT set the session cookie to be SECURE.
This is what Mike Perry's tool does: it takes any of your OTHER connections, redirects it to http://mail.google.com/ [google.com] so your browser spits out the session cookie anyway, and then can redirect you back (so you don't know what happened).
Google's SSL mode for gmail, UNLESS YOU SET THE PREFERENCE, offers you NO protection against an active adversary. And since someone snooping your traffic at starbucks can just as easily inject packets, IT OFFERS NO PROTECTION EVEN IF YOU MANUALLY TYPE IN HTTPS ALL THE TIME, UNLESS YOU SET THE PREFERENCE!!!!
Re: (Score:2)
What if you don't use the 'remember me' checkbox? Does the exploit still work?
Re:UNLESS YOU CHECK, you are insecure! (Score:5, Funny)
YES IT STILL WORDS! Unless you SET THE PREFERENCE, you DIE!
Mike Perry will COME IN TO YOUR HOME and MURDER you, UNLESS YOU SET THE PREFERENCE!
Even CHUCK NORRIS will get haxx0r3d UNLESS YOU SET THE PREFERENCE.
ALL YOUR PREFERENCE ARE BELONG TO US.
Re:UNLESS YOU CHECK, you are insecure! (Score:5, Funny)
Thank you for WARNING US but DO YOU THINK you really need to SHOUT that much in your SENTENCES?
I mean, it's not like WE DON'T APPRECIATE your tips, but IT CAN GET A BIT ANNOYING when people keep SHOUTING every other WORDS.
Re:UNLESS YOU CHECK, you are insecure! (Score:5, Funny)
javascript:void(document.body.style.textTransform="lowercase");
Gmail Notifier (Score:5, Informative)
This still drives me nuts with Google Apps (Score:2)
If I direct people to mail..com via http it forwards them to the insecure version after login. Unfortunately you can't hit mail..com with https and as a result to be secure people who use my Google Apps mail have to type the long drawn out mail.google.com/a/ to connect to it. I can't seem to find a setting anywhere to force security.... I first submitted the https->http thing to Google when I started using it in like 2004.... about damn time they started doing something about it.
Why can't the whole web be HTTPS? (Score:5, Interesting)
I can understand that back in the web's "stone age" (mid 1990s), having HTTPS for every web site would have seriously slowed down all the computers due to CPU usage, but nowadays is there any real good reason that the whole web can't be HTTPS?
With all the government and ISP snoopings going on, I'm surprised that at least some sites haven't gone that way.
(or is it that embedded browsers like on cell phones can't do SSL?)
TDz.
the first step to this (Score:2)
Re:Why can't the whole web be HTTPS? (Score:5, Informative)
Interestingly, net-wide HTTPS would probably make IPv6 a bit more important (since a great deal of web hosting services put dozens of sites on the same machine and same IP address, charging significantly more if you want SSL due to the requirement of having a unique IP address).
Re:Why can't the whole web be HTTPS? (Score:5, Informative)
Re: (Score:3, Informative)
An SSL Certificate can match multiple hostnames in SSLv3 and TLS, which are both old enough to be in use everywhere.
There are two methods, depending on what you want (and your level of paranoia): wildcards (match *.example.com) and "Subject Alternative Names" which can match any from a list of domain names.
The subject alt name is incredibly useful, as the certificate for a physical host can enumerate alternative names for each of its virtual hosts, even if they aren't subdomains of the host's domain.
Re:Why can't the whole web be HTTPS? (Score:4, Informative)
Author's site (Score:5, Informative)
Mike Perry's site [fscked.org] might (or might not) be a better source than some random blog post that doesn't even link to it.
Uhm? It's Google Mail! (Score:3, Insightful)
I mean it's Google Mail, Google stores your e-mails till all ethernity and will surely hand it out to any dictator waving something which looks like an official document.
It doesn't matter much how secure the login is as the service itself is designed to be a gapping security hole.
don't freak out, requires packet sniffing (Score:5, Informative)
Yes, this is a vulnerability. But it isn't like every person out there on the internet is going to be able to steal your session cookies in two weeks when the tool is released.
In order to execute this attack, a person would have to be able to sniff your packets and steal the cookies. And since the vast majority of people on the internet have no ability to intercept your traffic, this means in practice, the average person is pretty safe without having to worry about all this.
Re:don't freak out, requires packet sniffing (Score:5, Informative)
This is true, except for every wireless access point the attacker can access -- like the ones where people sit in a coffee shop and check their e-mail.
Cache relevancy depletion (Score:4, Interesting)
One thing that I find somewhat counterproductive is that browsers do not save files sent over SSL in their caches.
It's sensible, I suppose, to assume that if something's sent over an SSL channel that it's sensitive and therefore shouldn't be saved, but it would give a speed and bandwidth efficiency hit which would deter usage of SSL for everyday browsing.
You could, of course, have the HTML transmitted over SSL and the supporting images over plain HTTP, but then the browser will scare people by warning that not all content on the page is secure..
I think browsers should start looking at encrypting their cache files, so that stuff such as SSL can be accommodated without breaking caching.
This is not "use SSL" (Score:5, Informative)
The summary (and many, many replies) have it all wrong. The point is not that you need to be encrypting all of your traffic to Gmail (for example) with SSL.
The need for SSL-encrypting your session was known with sidejacking. If you use SSL for credential exchange but not for the whole session, your session cookie is transmitted in the clear, and an attacker can sniff it and use your session (as the cookie acts temporarily as a credential). Encrypting the whole session with SSL prevents this. This is well-known at this point.
The subject of this talk was not sidejacking. If the site (Gmail) does not set the secure bit on the session cookie, then your session cookie can be transmitted in the clear, even if all of your intentional communication with Gmail is over SSL! An attacker need only inject a link to the appropriate domain (e.g., mail.google.com) in some other page you request, and the cookie will be sent with that request over HTTP. Only by marking the cookie as secure will the browser refuse to send it over HTTP.
I was at DEFCON - the author is confused (Score:5, Informative)
The author of this post seems to be really, really confused. There were multiple presentations on ways to hack your Google accounts and Google security flaws, etc.
There was a presentation on howto exploit Google Gadgets (which have access to your local javascript), a few presentations on Cross-Site Request Forgery (CSRF)(which you can do to send your own HTTP requests as the visitor if you have your own image or iframe on the page), and a presentation on hijacking your sessions if you ever access a site over plain-text (non-SSL), and putting the password page on SSL doesn't help (this requires the attacker to be on your local network!!!!!!!).
The title of the post sounds like they're talking about The Middler, a Ruby-based proxy by Jay Beale for intercepting all user data on a shared network, such as a coffee shop, where you can get users to go through your proxy.
If the author is talking about The Middler ... that attacker has to be on your network!!! This is only an issue on untrusted networks.
Jay Beale's talk was the one the mentioned SSL the most, so I'm gonna guess that the author is talking about that, even tho the article seems to mix everything up.
To see the descriptions of the actual talks and whatnot, visit the DEFCON schedule: https://www.defcon.org/html/defcon-16/dc-16-schedule.html [defcon.org]
Gmail but not hosted mail (Score:3, Interesting)
"Last week, Google introduced a new feature in Gmail that allows users to permanently switch on SSL and use it for every action involving Gmail, not just authentication."
Unfortunately not available for anyone who has their own domain's email hosted at google :(
Re: (Score:2)
Indeed the feature is not new, but it may be unknown to many of gmail's users. The news here, I think, is not that you can use SSL with gmail, but that if you don't you're effectively pwned.
Re: (Score:2)
Given that, the only real news here is that instead of rolling your own scripts, you now have an automated tool that even script kiddies can use.
Breaking news it ain't exactly.
Actually, I consider that pretty major news. There are a helluva lot more script kiddies out there than there experienced black-hats - All eager to show off their l33t skills by "hacking" someone's account and wreaking havoc. If an experienced black-hat cracks my gmail account, most likely he'll see that there's nothing of value there and move on. Worst case, my account becomes part of an army of spam-bots.
If some junior-high kid downloads this script and cracks my gmail account, most likely I'll wind up
Re: (Score:2)
The new feature is to have Gmail use SSL automatically, even if you don't log in from https://mail.google.com./ [mail.google.com]
Re: (Score:2)
I've always used it too. The trick in the past was using "https://mail.google.com/" instead of "http://mail.google.com/" to connect to Gmail.
But now there is an option in Settings - General, "Browser connection: Always use https". I've never seen it before (but maybe it's there for some time already).
Re:Reverse or reverse? (Score:5, Funny)
What is a "reverse engineer?"
A very specialized transmission engineer in Detroit.
Re: (Score:2)
Reverse engineering (RE) is the process of discovering the technological principles of a device, object or system through analysis of its structure, function and operation. It often involves taking something (e.g. a mechanical device, electronic component, or software program) apart and analyzing its workings in detail, usually to try to make a new device or program that does the same thing without copying anything from the original.
http://en.wikipedia.org/wiki/Reverse_engineering [wikipedia.org]
Re:Reverse or reverse? (Score:5, Funny)
It's someone who manufactures a problem using only working solutions.
You might also know them as: "politicians".
Re: (Score:3, Interesting)
Google, etc., were notified of this vulnerability a year ago and have not acted on it. Someone with bad intentions could implement it easily using the description of the vulnerability anyway -- a publicly-available working tool will highlight the importance of fixing this problem.