On the bad news front, somebody has produced a proof of concept program that steals every one of those programs, free or paid for, from the Windows Phone Marketplace and downloads them for you to use free of charge.  Admitted no Windows Phone has enough installed memory to run them all, and who would want to, but for those few people who like pirating stuff and getting everything for free, this will be tempting.

Fortunately the developer of the hack is actively working with Microsoft on this to block the hack and the beginning of the new year should see changes made to the underlying architecture of the Marketplace which will see this blocked.  This is a white hat hack and will not be released into the wide world.

What’s concerning though is that Microsoft have, for their online services at least, a formidable reputation for security.  Hotmail has only faced 1 or 2 major exploits in its entire 15 year life and their server products and server security products are better than they’ve ever been before.

This crack for the marketplace was apparently put together very quickly and easily however, which raises serious questions about Microsoft’s security for the marketplace.  It’s not just apps that are kept here but details of the app developers, including financial information used to transfer royalty payments to them.

Hopefully Microsoft will act quickly over this holiday period to avoid a serious data leak.  In the mean time a video demonstrating the software used to crack the marketplace is available at NeoWin.

Engadget reported the news shortly after it first appeared in Twitter.  HDCP is configured in such a way that should any particular key be cracked it can be wiped and replaced.  What’s now been discovered apparently is a master key that can permanently unlock the content.

The key is described as being a  ”a forty times forty element matrix of fifty-six bit hexadecimal numbers” and so far, and quite understandably, nobody knows who has created the crack or how effective it will be, even if it works at all.

No doubt this will generate enormous interest over the next few weeks and caus great concern for the movie companies, who were banking on the enhanced security of Blu-Ray after the encryption of HD-DVD was cracked.

The upshot is that if the key is made public, and works, there will be little to stop people copying high definition content to play anywhere, and little to stop them except another costly format change the public might not accept so recently after Blu-Ray’s introduction.

That said there can be no doubt that with higher capacity Blu-Ray discs already on the way, the movie studios and technology companies behind the format will already be looking at ways of beefing up the security, and will no doubt have anticipated this news.

The race is now on as to who succeeds first.

A message posted by MuscleNerd on Twitter said…

Jailbreaking, the process of unlocking the iPhone, has received a great deal of attention due to the fact that doing so allows users to install non-approved software on the device.

Apple has publicly said that such a process would present security risks for users and have tried to bar jailbroken devices from updates and support.  This is a Battle that’s set to run and run.

The interesting thing to note about this however is will it go the way of the corporation or the consumer?  Clearly there is a growing Apple use-base out there who don’t want to be tied exclusively within the Apple eco-system.  You only have to look at the growing ranges of software to help you sync your iPod or iPhone with your PC or Mac without needing to have iTunes installed.

There’s no official release yet for the jailbreaking patch for iOS 4.1, but iPhone and iPod Touch users who upgrade can no doubt expect something to be made available soon.  Please bear in mind however that unlocking a device in this manner could invalidate any warranty or guarantee on your device.

Source : Engadget

Now, NeoWin is reporting that the new licensing scheme for Android apps has been cracked less than a month after coming on-line.

The “Licensing Service for Android Applications” was supposed to provide developers a “secure mechanism to manage access to all Android Market paid applications.”  In theory, the new licensing system would verify against the Android Market licensing server, which would in turn verify the application against existing sales records. If no sales records were found, the application would show an error explaining that it was not properly licensed.

The man responsible for cracking the security has published a paper on his websitein which he details how to reprogram a Java app, which is the language most Android apps are written in, to change its status from unlicensed to licensed.

He says…

I am very much against piracy, and very much pro-Google. I have spent more time researching copy protection for my applications than development of the applications themselves.  Our findings show that most (any?) apps can be easily patched and stripped of licensing protection, making them an easy target for off-Market, pirated distribution. By corollary, this means that sites dedicated to pirating apps can continue to do so, using a few automated scripts mixed with some smarts.

He also provides a video demonstrating his findings.  Google have not yet commented on the crack.

The software package consists of three components which can act independently from each other: The agent, the server and the console. The server is started at the beginning of the password recovery process. Then a new task is created using the console (on the same or a different computer) and Agents that connect to the server are assigned parts of the work that has to be done.

Agents then report back to the server once their work is done and receive another part until the password is recovered. The Agents post a status message to the server once every 60 seconds.

The server receives its task from the console and distributes it among the agents. The console in its turn is designed to manage the server it is connected to and the agents that are registered on the server. The agents are registered on the server when they connect to it for the first time.

Among other formats Microsoft Office 2007 and prior documents, PGP, Adobe Acrobate PDF documents, Windows NT, XP, Vista logon passwords, Windows syskey passwords and several other are supported by Distributed Password Recovery.

The product comes at a price though which is only affordable to companies. I still thought it would be nice to write about it due to its hardware acceleration feature that I never heard about before.

The article examines the WPA protection in detail and demonstrates how it can be cracked. The first part gives a good overview of WPA and compares it to WPE. The second part goes into detail how WPA can be cracked.