{"id":7213,"date":"2012-07-04T07:00:00","date_gmt":"2012-07-04T07:00:00","guid":{"rendered":"https:\/\/blogs.msdn.microsoft.com\/oldnewthing\/2012\/07\/04\/the-continuing-battle-between-people-who-offer-a-service-and-others-who-want-to-hack-into-the-service\/"},"modified":"2012-07-04T07:00:00","modified_gmt":"2012-07-04T07:00:00","slug":"the-continuing-battle-between-people-who-offer-a-service-and-others-who-want-to-hack-into-the-service","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/oldnewthing\/20120704-00\/?p=7213","title":{"rendered":"The continuing battle between people who offer a service and others who want to hack into the service"},"content":{"rendered":"<p>In  <a href=\"https:\/\/www.youtube.com\/watch?v=GsMFyo8DWs4\">  the history of the Internet<\/a>, there have been many cases  of one company providing a service, and others trying to  piggyback off the service through a nonstandard client.  The result is usually a back-and-forth where the provider changes  the interface, the piggybacker reverse-engineers the interface,  back and forth, until one side finally gives up.\n  Once upon a time, there was one company with a well-known service,  and another company that was piggybacking off it.  (I first heard this story from somebody who worked at the  piggybacking company.)  The back-and-forth continued for several rounds, until the provider  made a change to the interface that ended the game:  They exploited a buffer overflow bug <i>in their own client<\/i>.  The server sent an intentional buffer overflow to the client,  resulting in the client being pwned by the server.  I&#8217;m not sure what happened next, but presumably the server  sent some exploit code to the client and waited for the client to  respond in a manner that confirmed that the exploit had executed.\n  With that discovery, the people from the piggybacking company gave up.  They weren&#8217;t going to introduce an intentional security flaw into  their application.  The service provider could send not only the exploit but also some  code to detect and disable the rogue client.\n  By an amazing stroke of good fortune,  I happened to also hear the story of this battle from somebody  who worked at the provider.  He said that they had a lot of fun fighting this particular battle  and particularly enjoyed timing the releases so they caused  maximum inconvenience for their adversaries,  like, for example, 2am on Saturday.<\/p>\n<p>  <b>Reminder<\/b>: The  <a href=\"http:\/\/blogs.msdn.com\/b\/oldnewthing\/archive\/2004\/02\/21\/77681.aspx\">  ground rules<\/a>  prohibit  &#8220;trying to guess the identity of a program whose name I did not reveal.&#8221;  <\/p>\n","protected":false},"excerpt":{"rendered":"<p>In the history of the Internet, there have been many cases of one company providing a service, and others trying to piggyback off the service through a nonstandard client. The result is usually a back-and-forth where the provider changes the interface, the piggybacker reverse-engineers the interface, back and forth, until one side finally gives up. [&hellip;]<\/p>\n","protected":false},"author":1069,"featured_media":111744,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[2],"class_list":["post-7213","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-oldnewthing","tag-history"],"acf":[],"blog_post_summary":"<p>In the history of the Internet, there have been many cases of one company providing a service, and others trying to piggyback off the service through a nonstandard client. The result is usually a back-and-forth where the provider changes the interface, the piggybacker reverse-engineers the interface, back and forth, until one side finally gives up. [&hellip;]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts\/7213","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/users\/1069"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/comments?post=7213"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts\/7213\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/media\/111744"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/media?parent=7213"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/categories?post=7213"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/tags?post=7213"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}