Linux.com

Feature: Security

The Black Hat Wi-Fi exploit coverup

By Joe Barr on August 08, 2006 (8:00:00 AM)

Commentary -- You've probably heard of full disclosure, the security philosophy that calls for making public all details of vulnerabilities. It has been the subject of debates among researchers, vendors, and security firms. But the story that grabbed most of the headlines at the Black Hat Briefings in Las Vegas last week was based on a different type of disclosure. For lack of a better name, I'll call it faux disclosure. Here's why.

Security researchers Dave Maynor of ISS and Johnny Cache -- a.k.a. Jon Ellch -- demonstrated an exploit that allowed them to install a rootkit on an Apple laptop in less than a minute. Well, sort of; they showed a video of it, and also noted that they'd used a third-party Wi-Fi card in the demo of the exploit, rather than the MacBook's internal Wi-Fi card. But they said that the exploit would work whether the third-party card -- which they declined to identify -- was inserted in a Mac, Windows, or Linux laptop.

UPDATED: A reader has pointed out that Maynor recently left ISS and is now at SecureWorks. As a matter of fact, SecureWorks is trumpeting the faux disclosure as a major news event, listing 29 different sites reporting on it. You can even watch the tape of the video on their site.

How is that for murky and non-transparent? The whole world is at risk -- if the exploit is real -- whenever the unidentified card is used. But they won't say which card, although many sources presume the card is based on the Atheros chipset, which Apple employs.

It gets worse. Brian Krebs of the Washington Post, who first reported on the exploit, updated his original story and has reported that Maynor said, "Apple had leaned on Maynor and Ellch pretty hard not to make this an issue about the Mac drivers -- mainly because Apple had not fixed the problem yet."

That's part of what is meant by full disclosure these days -- giving the vendor a chance to fix the vulnerability before letting the whole world know about it. That way, the thinking goes, the only people who get hurt by it are the people who get exploited by it. But damage to the responsible vendor's image is mitigated somewhat, and many in the security business seem to think that damage control is more important than anything that might happen to any of the vendor's customers.

Big deal. Publicly traded corporations like Apple and Microsoft and all the rest have been known to ignore ethics, morality, any consideration of right or wrong, or anything at all that might divert them from their ultimate goal: to maximize profits. Because of this, some corporations only speak the truth when it is in their best interest. Otherwise, they lie or maintain silence.

I asked Lynn Fox, Apple's director of Mac public relations, two very direct questions.

1. Are Apple MacBook users at risk using their built-in Wi-Fi capability?

2. Is Krebs' Washington Post report about Apple pressuring researchers not to reveal a MacBook Wi-Fi vulnerability/exploit accurate?

I've received no response to that query. Nor do I expect one.

Why don't the researchers disclose what they know anyway? They are not, as far as we know, on the payroll of Apple or the hardware vendor making the Wi-Fi gear. I got a clue about a possible reason while chatting with "dead addict," one of the original organizers of DEFCON.

"dead addict" reminded me of the big blow-up at Black Hat last year, when Cisco was threatening to shut down the conference in its entirety if part of a scheduled presentation on a Cisco exploit wasn't removed. By a strange coincidence, ISS and one of its employees were involved in that situation, too. The researcher, Michael Lynn, resigned from ISS and then gave the presentation anyway.

That act threw Cisco and ISS into a stone cold fury. Injunctions were filed, and the FBI was called in. To me it looks like every legal maneuver those bad boys at corporate could dream up was hurled at Lynn and Black Hat.

To protect Cisco's customers? I don't think so. Cisco's customers would have been better served with the truth, not a coverup.

The point "dead addict" was making is that some researchers can afford to leave their jobs, or be fired, or be arrested, and some can't. Those are pretty good reasons not to speak out. They are also a testament to how corrupt and rotten our system is, when corporate greed and gluttony trump virtue, and the FBI acts as corporate muscle.

I tried to query Maynor on the subject, to ask him if Krebs' reporting that pressure from Apple kept him from identifying the MacBook hardware as being vulnerable to the exploit he demoed at Black Hat was correct. He hasn't answered either, and I can't say that I blame him. Not everyone can afford to act like Michael Lynn.

At press time, millions of end users may be using Wi-Fi so insecure that an attacker could install a rootkit on their system in less than a minute. Those who know, or at least claim to know -- the researchers, Apple, and perhaps ISS -- are keeping mum, for reasons known only to Baud and their lawyers. So at the moment, Apple's current ad campaign about being more secure than Windows is being kept safe from harm.

But what about the users? Who speaks for them? Remember, we are not talking about a matter of a few days. This exploit has been trumpeted in the press at least since June 22, when Robert McMillan first reported on it and the fact that it would be disclosed at Black Hat. Presumably, the researchers, or ISS, would have notified the responsible vendors prior to publication of that story.

If any laptops are compromised as a result of the cone of silence that apparently has been slapped down on this issue, their lawyers may choose to call it something other than faux disclosure. Maybe something like depraved indifference.

Comments

on The Black Hat Wi-Fi exploit coverup

Note: Comments are owned by the poster. We are not responsible for their content.

I don't think that's the reason

Posted by: Prototerm on August 09, 2006 04:59 AM
I think the author's being a little too paranoid here. While it's true that any company will care about its reputation, the real reason companies don't want news of a vulnerability to get out before they can fix it is really very simple: the more people who know the details of the flaw, the greater the chance some script kiddie will exploit it, and the greater the chance that their customers will get hurt as a result.
Unless it contains a work-around to allow the user to immediately secure their machine (other than turning the thing off or pulling a piece of equipment), information in this case *doesn't* want to be free.
To insist otherwise implies that the author is either reckless or has an axe to grind.

#

Re:I don't think that's the reason

Posted by: Anonymous Coward on August 09, 2006 07:02 AM
I think that you are under the impression that once the vulnerability in question is uncovered by a security researcher, nobody else (including criminal types and script kiddies) is going to do anything in that field. As long as the vulnerability exists, every second there is a chance that some bastard will uncover it and use it for profit or senseless destruction. If Apple laptops have a remotely exploitable vulnerability allowing for installing a rootkit inside a minute, they better know and they better turn off their wi-fi. And Apple is trying to stop them from protecting themselves in order to save its reputation.

#

Re:I don't think that's the reason

Posted by: Anonymous Coward on August 09, 2006 07:12 AM
I wish the author were being too paranoid, but I'm afraid that he isn't. Having worked in information security, I've learned--a few times the hard way--that the only real way to get some vendors to patch their holes is to disclose the vulnerability publicly and, at times, *loudly*. Then, since they are afraid of egg on their face, they get busy and actually fix it, usually within a few days. The Cisco Black Hat example is a case in point, as are the many Windows/IE holes over the years.

Maybe, if more of these exploits were disclosed publicly, it'd get Microsoft off of its duff and actually (gasp!) start coding correctly again. There was a time, long ago, that they actually did a decent job of that. If the OpenBSD team can do it with their limited resources, then so can MS/Apple/etc with their much larger resources.

I must, therefore, respectfully disagree with the notion that the author "is either reckless or has an axe to grind." I don't see that here; I just see a spade being called a spade, and sometimes vendors don't like that.

#

think harder

Posted by: Anonymous Coward on August 14, 2006 08:55 PM
> I think the author's being a little too paranoid here.
He isn't.

> the real reason companies don't want news of a vulnerability to get out
[...]
> the greater the chance some script kiddie will exploit it,
> and the greater the chance that their customers will get hurt as a result.
Corporations don't care about their customers.

You should have been following e.g. bugtraq@ for several years to understand this quite clearly.

> information in this case *doesn't* want to be free.
Information can't want anything.

--
Michael Shigorin

#

You're joking, right?

Posted by: Anonymous Coward on August 09, 2006 05:02 AM
How old are you? 12? I'm sorry to flame you, but you totally deserve it. The only reason the ISS researcher felt the need to quit his job and post the exploit anyway is because Cisco had known of the flaw for a long time and refused to do anything about it. In other words, Cisco was being extremely irresponsible, and he essentially forced Cisco to step up and be a good company.

This isn't the case with the Apple wifi card. It's not even close. We have no reason to suspect that Apple knew about the exploit before ISS told them, and they deserve the professional courtesy of having some time to develop a fix for the problem before the exploit is released into the wild.

Thank goodness for computer security researchers with half a head on their shoulders...or researchers without a giant chip on their shoulder, like the one you seem to have.

What would be the point of releasing the exploit before there was a fix? To prove how 'bad' proprietary software and drivers are? Cry me a freaking river already. This is capitalism, not communism, and if you don't like it, vote with your dollar and buy (or not buy, as the case may be) something else.

#

Re:You're joking, right?

Posted by: Joe Barr on August 09, 2006 06:04 AM
The point of releasing the _vulnerability_ before there is a fix is to prevent harm to users. If that concept doesn't jell with your brand of capitalism, fine.


Anyone who assumes ISS and Maynor and Johnny Cache are the only ones who have found the vulnerability doesn't have the sense Baud gave an animal cracker, and for sure should not be giving security advice of any kind to anybody.


As for my age, well, I normally don't divulge that on the first date.

#

No, *you* must be joking...or an Apple employee

Posted by: Anonymous Coward on August 09, 2006 06:56 AM
Nope, you clearly have no understanding of information security, and I'm damned glad that people with the attitude that you've presented here aren't working for my company.

Vulnerability disclosure is a very important thing, and sadly, corporations who purvey closed source are notorious about *not* disclosing vulnerabilities when they know about them. I also used to work for Microsoft years ago, so I saw this first-hand (remember the original WordBasic Concept Virus and what happened to that guy?).

Joe Barr is absolutely correct here. Apple isn't being "singled out" any more than Microsoft or Cisco are "singled out" when they hide vulnerabilities and get caught pressuring others to do the same. But given the corporate track record, I don't doubt for even a second that Apple 1.) was advised about this, and 2.) chose to play hush-hush. I'm sure that Microsoft would've done the same thing if ISS had advised them.

Even *you* admit that at least ISS told them about it. They should've come up with a patch *RIGHT AWAY*, not wait a month and a half. When security vulnerabilities are discovered in open source software, they're generally fixed *THAT DAY*, not a month and a half (or more) later. That's proof right there that Apple could've fixed it, at least for their platform.

Had this vulnerability been fully disclosed, you can bet that all the Linux distros out there, as well as Free/Net/OpenBSD, would've had patches within hours. Unfortunately, it was not fully disclosed. Shame on Apple for pressuring those security analysts; Apple's just as bad as Microsoft and Cisco.

Right on, Joe!

#

Re:No, *you* must be joking...or an Apple employee

Posted by: Joe Klemmer on August 10, 2006 12:20 PM
Even *you* admit that at least ISS told them about it. They should've come up with a patch *RIGHT AWAY*, not wait a month and a half. When security vulnerabilities are discovered in open source software, they're generally fixed *THAT DAY*, not a month and a half (or more) later. That's proof right there that Apple could've fixed it, at least for their platform.

Ah, this reminds me of the day way back when the packet size bug was found in ping. The maintainer published a fix for the bug within 30 to 45 minutes of the exploit's discovery. Then apologized for it taking so long to get the patch out. Think about how long it would take for a closed source vendor to make a fix like this.

#

Re:You're joking, right?

Posted by: Anonymous Coward on August 10, 2006 03:04 AM
First you ask what the point of releasing the exploit would be; then you complain that we should vote with our dollar...because we are all horrible COMMIES, who don't pay for crappy software. So if the 'wonderful' proprietary company doesn't have to let us know they opened us up to attack, how would I know who to vote for with my dollar? Ohhhhhhhhhhhhh I know, I should just TRUST them to do the right thing...in fact why do we even have independent security firms? Oh that's right, companies are about the dollar! Not providing me with a bullet proof product. You're the one that deserves to be flamed. I'm a registered libertarian and even I know that you can't have completely unrestrained capitalism.

#

How old are *you*? 10?

Posted by: Anonymous Coward on August 14, 2006 09:04 PM
Hey an American. Drop your hamburger and listen here.

> This is capitalism, not communism
This isn't either. You there live a lot like we lived here right before SU began crashing (80s). A few friends of mine who lived here and moved there told that it was surprising how much a "sovok" US is *right now*. Same methods, same propaganda.

> vote with your dollar
...while it can buy a matchbox...

> and buy (or not buy, as the case may be) something else.
There might be as well _nothing_ else. Or those producing "else" might have succeeded better at harassing researchers.

With this attitude, you are steadily moving into "all decisions made for us". Chips... it's you who are humanoid chips. You, who sold freedom and conscience for hamburgers and teenage sex. Don't bother the rest of the world, die yourself.

--
Michael Shigorin
Kiev, Ukraine
27

#

pshh

Posted by: Robert Otlowski on August 09, 2006 06:20 AM
While I agree about Apple, Microsoft, and hardware manufacturer irresponsibility I take offense to the attempts to single out Apple here. Their commercials (which definitely qualify as misleading) have nothing to do with this. As has been stated this isn't an Apple issue, and the only reason Apple was targeted is because of its reputation for security.

Proving that Apple systems aren't perfect is absolutely pointless since it is true by default. Proving that Apple systems are less secure than Windows would be another matter entirely, but that clearly is not the case here at all.

#

Re:pshh

Posted by: Joe Barr on August 09, 2006 06:25 AM

"Proving that Apple systems aren't perfect is absolutely pointless since it is true by default. Proving that Apple systems are less secure than Windows would be another matter entirely, but that clearly is not the case here at all."


I agree.

#

Re:pshh

Posted by: Anonymous Coward on August 09, 2006 09:37 PM
Apple does not have any security. Their whole plan is to hope and pray no one cares to start exploiting OSX. If they do, Apple wouldn't know where to begin.

#

You're totally off on that...

Posted by: Anonymous Coward on August 09, 2006 10:12 PM
not only is it delicious irony to all of us who have been getting irritated with the constant barrage of false elitism from Mac fanboys, the Apple commercials are as you say misleading.

They're not misleading to anyone with a little bit of experience in information security, but that's not the point. They're misleading to Apple's target audience - consumers that don't know a difference. Those consumers deserve to be made aware of the security risks of their Apple devices, just as they deserve the same information about any other product they own.

#

Forget the moral, mind the legal.

Posted by: Impius Nex on August 09, 2006 09:34 AM
I have a different perspective on why a company would want to keep a lid on security flaws. Legal Liability. What's stopping a company from taking legal action against Microsoft/Apple/etc. al. if one of these security flaws was used to inflict damages against a company?

By keeping a lid on security flaws software companies are buying time to fix a known issue, while simultaneously minimizing their legal culpability.

#

Re:Forget the moral, mind the legal.

Posted by: Joe Barr on August 09, 2006 09:47 AM

Are you sure? It seems to me that failure to notify users of the danger not only invites harm to visit them, it prolongs the unwitting exposure.


Hence the "depraved indifference" on the part of the vendor, who is only worried about the possible harm to themselves.

#

Re:Forget the moral, mind the legal.

Posted by: Impius Nex on August 09, 2006 04:20 PM
You do make a valid though somewhat flawed point about exposure. I say flawed because, in my opinion 'unwitting exposure' does not strike me as an entirely accurate evaluation of the situation. My argument to support this is thus; The system(s) are not truly exposed if the security flaw is not known.

For example let's look at the (somewhat recent) Windows WMF security issue.
Until this flaw was known, there was no 'exposure' posed to systems.
As soon as Microsoft was aware of the issue it did what Microsoft normally does, they schedule a release date for the patch. At this point in time Microsoft would have had a valid defense against a 'depraved indifference' suit, had it been able to keep the flaw under wraps all would have been fine and dandy. However, as we all know, Microsoft failed to do so. And what happened in that time? Known exploits were found in the wild. As well as a third-party software vendor releasing their own patch to solve the issue. In my opinion it was at this point that Microsoft was most at risk of not being able to defend itself against a 'depraved indifference' suit.

And that is the point I'm trying to make.
Software companies need to be given a chance to fix security flaws not only to minimize 'Bad PR', but to minimize their legal liability as well.

I've seen many a story about this issue, though I've never seen a thorough examination of the legal side and felt it was high time someone point out that there may be something other than Company reputations and Bad PR at risk.

#

Re:Forget the moral, mind the legal.

Posted by: WarPengi on August 11, 2006 12:40 AM
So as long as the vulnerability is not released to the public the company can CLAIM that it was not known so they had no legal responsibility.

#

Re:Forget the moral, mind the legal.

Posted by: Anonymous Coward on August 09, 2006 08:16 PM
"What's stopping a company from taking legal action against Microsoft/Apple/etc. al. if one of these security flaws was used to inflict damages against a company?"

Ever read a EULA?

#

Get it correct.

Posted by: Anonymous Coward on August 09, 2006 10:54 AM
"David Maynor is a Senior Researcher, SecureWorks. He was formerly a research engineer with the ISS Xforce..."

Get it right, retard, and enough with the FUD.

#

Re:Get it correct.

Posted by: Joe Barr on August 09, 2006 11:57 AM
Thanks, I'll correct the story.

#

Re:Get it correct.

Posted by: Anonymous Coward on August 09, 2006 11:15 PM
typical sloppy NF non-journalism. quick with the opinions and loose with the facts. you guys used to be unique. now you're just irrelevant.

#

Re:Get it correct.

Posted by: Joe Barr on August 10, 2006 03:31 AM

The story was corrected, but evidently your 'tude is beyond repair. We'll try to live with it.


Are you from SecurityWorks PR?

#

what a load of crap

Posted by: Anonymous Coward on August 09, 2006 02:25 PM
The presenters clearly got paid off by apple.. in the defcon talk they were whinging about the metasploit guys being offered $80,000 to $120,000 for unreleased exploits and they weren't prepared to release the code to the emails they got offering $10, $100, $1000 for the copies of the exploit

That's why in the video they used a "generic" wifi card when they admitted the standard apple wifi driver is broken as well

They said they haven't released the code because "they need to check all the apple platforms that are affected" IE they are waiting for apple to deliver them a whole bunch of free hardware

These guys were complete sell outs -- no live demonstration because they were afraid that the WIFI would be sniffed at DEFCON..... so coming to a full disclosure conference they are basically saying they don't trust disclosing to the attendees...

In the video they call the script "bad seed" so it's probably something to do with a PRNG in the crypto somewhere (or IV)

#

Re:what a load of crap

Posted by: Anonymous Coward on August 09, 2006 11:03 PM
In the defcon talk didn't they clearly say the exploit was not for sale?

#

Re-hack it!

Posted by: Anonymous Coward on August 09, 2006 03:46 PM
I would like to encourage all the hackers out there to simply redo the hack and then release a PoC with full source on the various full disclosure lists so the genie gets let out of the bottle. That way Apple is forced to both acknowledge the issue and more importantly fix it pretty damned quickly.

They had their chance to acknowledge the issue and fix it before PoC release but they chose to ignore and suppress. Bad and stupid move because it should be obvious that when the hacking community knows the hack is possible, they will repeat it (for fun or profit) and the next success might be kept within the truly black hat community to be exploited in the worst possible way.

Also Apple will be grilled as to why they suppressed the issue in the first place, the methods in doing so, and obviously why their quality control didn't catch this issue themselves.

All in all a double whammy entirely due to flaws within Apple (people and policies). Other companies have learned to work with the security hackers to get things fixed before the knowledge of it spreads, but Apple still needs to learn a few things. Too bad the price of this may be pretty high.

#

No Linux fixes

Posted by: Anonymous Coward on August 09, 2006 08:34 PM
Too bad there won't be any Linux fixes for a long time as the researchers only notified the manufacturers and most Linux drivers are written by a third party. The other thing is that since most Linux drivers are open source, the fix would reveal the security flaw (which the researchers don't want) so expect Linux to stay vulnerable until the fix can be reverse engineered from the fixed Windows drivers.

#

Re:No Linux fixes

Posted by: Anonymous Coward on August 10, 2006 02:01 AM
Most Linux drivers are binaries not developed by the Open Source community, but often made by the manufacturer from Windows drivers.

#

Re:No Linux fixes

Posted by: Anonymous Coward on August 10, 2006 06:59 AM
No, most existing linux wireless drivers are wholly or mostly open. Only few drivers are closed.

However, (almost) any wireless card can be made to work using ndiswrapper with windows drivers.

#

Exploit was faked!

Posted by: Anonymous Coward on August 09, 2006 09:28 PM
In the video, David Maynor says they will be hacking a 3rd party wireless card and holds up a PCMCIA wireless card. He then proceeds to "insert" this card into the left side of a black MacBook. You never actually see him put the card in the machine.

There are no black MacBooks that have an expansion slot for 3rd party wireless cards. Let me repeat that. There are no black MacBooks that have an expansion slot for 3rd party wireless cards. The closest thing to a PCMCIA slot in the MacBook is the new ExpressCard/34 slot which is only available on the MacBook Pro and are not available in black.

Maynor faked the whole thing.

#

Re:Exploit was faked!

Posted by: Anonymous Coward on August 09, 2006 10:47 PM
It was a USB card you jackass...

#

Re:Exploit was faked!

Posted by: Anonymous Coward on August 09, 2006 11:00 PM
Maynor and Ellch both said in the Defcon preso that it was a usb card. In the video you can clearly see it's a USB card with paper wrapped around it, what is your deal?

#

USB Card

Posted by: Anonymous Coward on August 09, 2006 10:51 PM
It was a USB card you jackass.

#

video mirror

Posted by: jestabear on August 09, 2006 11:57 PM
Here's another source for the video:

http://www.kaneva.com/asset/8469.storeItem

I wasn't able to get C|Net's video to display because its preroll got in the way. Lame.

#

It's all part of the conspiracy

Posted by: Anonymous Coward on August 10, 2006 01:21 AM
Everyone is out to get you! Big brother, Big Apple, Big Cisco, Big Oil, and Big Tobacco are all part of a conspiracy to ruin your life. George Bush personally ordered them to not show the hacking of the Mac's internal NIC. Because Dick Cheney told him to.

#

Re:It's all part of the conspiracy

Posted by: Joe Barr on August 10, 2006 01:32 AM

Oh, well, that explains it. I'm changing right now and adopting your philosophy: trust me, it's for your own good.

#

This article is dead on.

Posted by: Anonymous Coward on August 10, 2006 02:04 AM
If the public was told about which card was at risk they could simply pull it out, or if the built in wifi was at fault disable it. Security by obscurity has fatal flaws, and Apple which advertises to be more security conscious is employing unsound practices. Apple deserves this burn as much as Microsoft deserves all of theirs. I have one question as well. Who actually believes "kiddies" are responsible for most of the viruses? Competing companies and governments with multibillion dollar budgets aren't more likely suspects?

#

Re:This article is dead on.

Posted by: Joe Klemmer on August 10, 2006 12:04 PM
Ah, the virus game. It's long been known that if an anti-virus program says it can catch 210 viruses, 201 of them will have been written by the AV company in their labs. The list of viruses in the wild is far, far less than the AV companies would make you think.

#

So what did the script actually do?

Posted by: Anonymous Coward on August 10, 2006 02:50 AM
Being a systems admin staff, I watched the video for any clues as to what I can do with the fleet of laptops we have with integrated Wi-Fi chips. Some manufacturers are kind and include a power-off switch for the WiFi card - if only all of them did.

So, with the MacBook he had - was he able to elevate privileges via the network card's drivers, or was it a two-pronged attack (I couldn't hear all of what he was saying) with another script to elevate. Did he elevate at all, or just run as whichever user was logged into the machine already? It's one thing to get root and do whatever with the system, it's another to just get access to a non-privileged user account.

#

Re:So what did the script actually do?

Posted by: Anonymous Coward on August 10, 2006 06:51 AM
Drivers run in ring 0 so there is no higher level to elevate to. He caused the victim to send a root shell back to the attacking machine.

#

Ha

Posted by: Anonymous Coward on August 10, 2006 03:49 AM
"In my opinion full disclosure is a good idea."

Why didn't you just write that instead of complaining for a page and a half?

#

Yet another rant...

Posted by: Anonymous Coward on August 10, 2006 04:02 AM
Publicly traded corporations like Apple and Microsoft and all the rest have been known to ignore ethics, morality, any consideration of right or wrong, or anything at all that might divert them from their ultimate goal: to maximize profits. Because of this, some corporations only speak the truth when it is in their best interest.

Some do, but many more individuals do the same. Only, in that case, it's for income or fame.

Try not being a victim, you might actually find yourself being happy...

#

Re:Yet another rant...

Posted by: Joe Barr on August 10, 2006 04:16 AM

Thanks for the good wishes. I am happy to report that I've been happy for a long time now, and hope you are too.

#

This story has been archived. Comments can no longer be posted.



 