"We believe Web browsers are the most important network-facing application, but the current browsers are fundamentally flawed from security perspective," King said in an interview with eWEEK. "If you look at how the Web was originally designed, it was an application with static Web pages as data. Now, it has become a platform for hosting all kinds of important data and businesses, but unfortunately, [existing] browsers haven't evolved to deal with this change and that's why we have a big malware problem."

Researchers at the University of Illinois at Urbana-Champaign

 

Researchers are beginning to raise an alarm for what looks like a scary new browser exploit/threat affecting all the major desktop platforms - Microsoft Internet Explorer, Mozilla Firefox, Apple Safari, Opera and Adobe Flash.

 

...[T]here is a growing belief among engineers and security experts that Internet security and privacy have become so maddeningly elusive that the only way to fix the problem is to start over.

 

A new SSL attack has been revealed at the Black Hat conference. This new attack is the latest twist on the venerable man-in-the-middle (MITM) attack. MITM depends on a user being fooled into going to the wrong Web site...

 

Spammers harvesting emails from Twitter - in real time

 

"Web application vulnerabilities account for almost half the total number of vulnerabilities being discovered."

 

The Twitter account belonging to venture capitalist and Mac evangelist Guy Kawasaki was hijacked yesterday and used to push malware to some 140,000 Twitter users.

 

Hackers have broken into more than 20,000 legitimate Web sites to plant malicious code to be used in drive-by malware attacks.

 

...flaw with almost all Web browsers that undermined the protocol used to secure online banking transactions and other sensitive transmissions...

 

Number of Crimeware Websites Surge in Largest Jump Ever in Dec. 2008 - The number of crimeware-spreading sites infecting PCs with password-stealing crimeware reached an all time high of 31,173 in December, and 827% increase from January 2008.

 

SSL broken! Hackers create rogue CA certificate using MD5 collisions

 

Independent hacker Moxie Marlinspike has unveiled new techniques to defeat SSL encryption, which would leave common web applications such as online banking or secure website logins vulnerable to attack.

This would mean that the padlock icon in the corner of supposedly 'safe' websites and touted as optimal security by companies like Verisign may not be as safe as people generally believe.

 

EV certificates [Extended Validation SSL Certificates] don't work. They don't stop phishing, they don't communicate well to users, they do away with the SSL padlock, and the whole thing is so easily spoofed, it may as well not be there.

John C Sharp
Founder and Chairman of Authentium, a leading security software developer

 

Web application security tests show that 60% of UK sites are plagued with internet encryption and cross-site scripting vulnerabilities.

 

...the UN and UK government websites are being attacked in a mass JavaScript injection attack.

 

Security researchers have discovered a flaw affecting Google's Chrome browser that exposes it to clickjacking - where an attacker hijacks a browser's functions by substituting a legitimate link with a link of the attacker's choice.

 

McAfee, widely recognized as one of the leading providers of online security software for both home and business, appears to be struggling to secure its own Web sites, which at the time of writing this post, allow anyone with enough tech savvy to covertly do whatever they want on, and with, the site.

 

More bad news for McAfee, HackerSafe certification. More than three months after security bugs were documented in more than 60 ecommerce sites certified by McAfee as "Hacker Safe", a security researcher has unveiled a fresh batch of vulnerable websites.

 

...auditors have identified thousands of vulnerabilities in the FAA's Web-based air traffic control applications - 763 of them high-risk.

 

Web attack that poisons Google results gets worse. The Gumblar attack has already infected more than 3,000 legitimate Web sites and is spreading quickly.

 

More than 40,000 websites worldwide have fallen under the spell of a sneaky piece of attack code that silently tries to install malware on the machines of people who visit them, security experts from Websense have warned.

 

Apple has shipped a whopper of a Safari browser update to fix more than 50 vulnerabilities, some rated extremely critical.

 

Microsoft Patches seven privately reported vulnerabilities and one publicly disclosed vulnerability in Internet Explorer.

 

The Ruby programming language, which has become popular as the basis for web 2.0 sites such as Twitter, contains serious security flaws that could allow attackers to take over an organization's web server, according to the Ruby development team. The "disturbing" flaws, which were disclosed on Friday, could affect nearly any typical Ruby-based web application, according to Thomas Ptacek, founder of security firm Matasano.

 

Martin Nystrom of Cisco comments that as many as 95 per cent of the Web applications have serious flaws.

 

Symantec Corporation issues a semi-annual report on Internet security trends, called the Internet Security Threat Report. The September 2007 edition calls out web applications as a major risk area.

 

"All Web frameworks (PHP, .NET, J2EE, Ruby on Rails, ColdFusion, etc) and all types of Web applications are at risk from web application security defects."

 

The Web Application Security Problem...vulnerabilities in web applications account for a huge part of real world information security incidents and virtually all those related to the data center security.

 

Breach Security announced that web attackers unleashed a new type of SQL injection attack in 2008 that successfully compromised more than 500,000 web sites...

 

Man-in-the-browser attacks are more sinister than man-in-the-middle attacks because they use Trojan Horses that invisibly install themselves on users' systems through a Web browser. The attacks modify users' financial transactions when they visit a legitimate Web site, such as their personal online banking accounts.

 

Banks: Losses From Computer Intrusions Up in 2007. U.S. financial institutions reported a sizable increase last year in the number of computer intrusions that led to online bank account takeovers and stolen funds, according to data obtained by Security Fix. The data also suggest such incidents are becoming far more costly for banks, businesses and consumers alike.

 

Generally Bankpatch.C is a banking trojan that is designed to compromise online banking transactions. It waits silently on the consumer or corporate computer up until it finds an internet request it is interested in (a targeted website it has policies for) and then comes to life. It then has the ability to steal your login details, but also to dynamically inject HTML into the existing login form to capture whatever information they require. Alarmingly HTML can be injected into a secured SSL website without the computer security or the website owner becoming aware that it has been compromised.

 

Microsoft is investigating a newly reported flaw that could put websites at risk of attack.

 

A vulnerability in servers used by EarthLink Inc. to handle mistyped Web page requests may have allowed attackers to launch undetectable phishing attacks against any Internet site, according to a noted Internet security researcher.

 

(PhysOrg.com) -- More than 75 percent of the bank Web sites surveyed in a University of Michigan study had at least one design flaw that could make customers vulnerable to cyber thieves after their money or even their identity.

 

Over 1.5 million pages affected by the recent SQL injection attacks

 

Web browser flaw could put e-commerce security at risk

 

'In-session phishing' the latest Web-based method for phishers to steal users' banking credentials

 

Monster.com is advising its users to change their passwords after data including e-mail addresses, names and phone numbers were stolen from its database.

 

Research: 76% of phishing sites hosted on compromised servers

 

Identity thieves are currently launching a massive attack on Facebook, using fake log-in pages to hijack usernames and passwords.

 

Hacker claims to have phished Steve Jobs Amazon account

 

Microsoft has activated its security response process to deal with the release of a exploit code targeting an unpatched vulnerability affecting [Web Servers] IIS 5.0 through 6.0.

 

A security researcher is warning that the Twitter API can be trivially abused by hackers to launch worm attacks.

The TRA Secure Client and Collaborator Service License Agreement (EULA)

By using this software or the Collaborator service, you are indicating tht you have read, understood and agreed to the following terms. The terms in this EULA exist to benefit you, as well as to benefit TRA. This Client EULA may be found in the Client installation directory, as well as online at http://www.thoughtrealm.com/client/eula/.

Table of Contents

I. Terms and Definitions

"TRA" refers to "ThoughtRealm Alliance, LLC", a company operating in Nixa, Missouri.

"Collaborator" and "Collaborator Service" refer to a service that is provided by TRA to end-users or "Subscribers". This service is offered for the purpose of storing and accessing project related data and files, which may be shared with other users as authorized by a Master Account User. The Collaborator service is provided by software and servers that are located in multiple locations, including this Client software that runs on an end-user's computer.

"Customer" or "Subscriber" refers to an individual or a designee of a business that establishes an account for the use of the Collaborator service.

"Signing Up" refers to the execution of certain steps, by which the customer provides certain information to TRA, installs this Secure Client software and then activates an account. This activation typically occurs during an initial trial period.

"Alliance", "Alliance Name" and "Alliance Account" refer to an individual subscriber's account. In order to distinguish one customer's account from another's, without using a hard to remember sequence of numbers or URIs, Collaborator instead uses an "Alliance Name". This is simply a unique and customer defined name that is composed of any arbitrary textual characters. It does not inherently refer or relate to any internet domain, URI, or company name. Although the Master Account User may request an Alliance name that does indeed refer to a company name, domain or URI, such reference is at the discretion of the Master Account User. TRA reserves the right to require a change to a customer's Alliance name at any time, if such an action is warranted, such as if a customer uses another company's trademark, protected name or protected IP (Intellectual Property) reference, or in the advent of legal action requiring them to do so.

"User" and "User Account" refer to a credential based login to the Collaborator service. It is comprised of at least a user name, two passwords and associated email address. These two passwords are referred to as the "password" and "phrase" in the Client software. Additional information may be provided for a specific user account, such as first and last name and some limited contact information; however, such information is not required. An Alliance Account may have one or more user accounts, as configured by the Master User Account. The total number of allowed user accounts and types of users is specified by the account type that is purchased, as well as additional user licenses that may be purchased.

"Account Master User" and "Master User" refer initially to the customer's user account that setup the Alliance Account. After the account is activated, this Master Account User may be changed to a different user account or their user information may be altered in other ways, such as when a business designee is no longer retained by a business or for other reasons. The Master Account User has the ultimate authority to administer and access all aspects of the Alliance Account, including user setup, data and files. The Master User also has the ability to designate other user accounts as Administrators, giving them the ability to administrate different aspects of the Alliance Account, such as adding users, user rights, etc.

"Client Software" and "Secure Client" refer to all of the software elements that are installed on an end-user's computer. These software elements are used to access and communicate with TRA servers and software that are located at a remote location.

"Server" and "Server Software" refer to a computer or software running on a computer, typically at a separate location from the Client software, which serves the various needs of the Client software. This includes authentication, responding to data requests and other types of Client software requests.

"Caruso" refers to an application hosting architecture (or platform) created by TRA, for the purpose of developing and hosting software applications in a secure and reliable manner, over a TCP/IP based network, such as the internet. It is comprised of Client software and multiple Servers that store and retrieve collections of user data and files. Caruso is NOT a web based solution, in that it uses NO web related components, such as web servers, web browsers, web protocols (SSL, FTP, HTTP, etc) or other web related elements. Instead, Caruso provides its own application centric protocols and encrypted channels that communicate over standard TCP/IP networks, for the purpose of allowing a customer to connect to and use a Caruso based application. Collaborator is an example of a Caruso based application that can be hosted and used by customers using the TRA Secure Client. The TRA Secure Client uses a variety of cryptographic techniques, such as encryption, hashing, random number generators and other cryptographic practices, to establish secure, user authorized channels with a Caruso server, in order to communicate with any Caruso based application. For more information relating to the Caruso architecture, go to http://www.thoughtrealm.com/caruso.php.

II. Product Description

The Collaborator service is comprised of several basic elements: Client software that installs on your computer, multiple instances and types of TRA Servers that run remotely on TRA computers, and electronic data that is communicated between them using the Collaborator protocol over Caruso channels. Using the TRA Client software, you are enabled to login to the TRA Collaborator servers, thereby establishing a secure, encrypted connection. Once you are connected to the TRA servers, you are able to enter data that is stored on TRA servers in a database, such as task and project data, as well as upload and download files over encrypted connections. The purpose of this service is to allow you to securely and reliably store project related data and files online, as well as share that data with other users as you allow.

III. Copyright and Ownership Claims

The Copyrights for all the software elements that provide the Collaborator Service are claimed solely by TRA. Installing this Client software and accessing TRA servers in no way implies or infers transfer of any Copyrights or ownership as regards the software and service itself.

Generally speaking, all software consists of two primary components: the original source code (in various forms) and binaries that are created from them. You are given NO Copyrights or ownership to the original source code. Also, you are given NO Copyrights relating to the distributed binaries created by the original source code. However, you ARE given LIMITED ownership of the binaries, and other installed files, that are distributed in various forms, including the ones in this installation. This ownership is LIMITED by the License terms expressed in this EULA.

IV. Usage of Client Software

With one exception that is described later in this section, installation of the Client software is not restricted, in that you may install it on multiple machines, at multiple locations and as many times as you wish. However, using the Client to access the Collaborator service requires a fee based subscription, where you agree to pay a periodic fee in order to use the Collaborator service.

None of your account data is actually stored on your computer where the Client software is located. It is all stored on the TRA servers. Additionally, no passwords are stored on your computer; they are only used during initial login to the Collaborator servers in order to bind your user identity to the encrypted channel. The only information regarding your user identity that is stored on your computer is the username and Alliance name of the last user that logged in. The reason for storing this is so that you don't have to type your username and Alliance name every time you login; you need only enter your password and phrase.

Therefore, you may use the Client software to connect to any authorized TRA online service, such as Collaborator. Also, other users may also use the same Client software on the installed machine to connect to a different Alliance.

During installation, the Client software creates one or more profiles on your machine, within the directory of the Client software. These profiles contain the necessary information to connect to a Caruso based application, such as the Collaborator, and includes elements such as TCP/IP connection information. These profiles are encrypted on the user's machine during installation and may be modified, created or removed by the Collaborator service, such as during auto-migration to different servers or updates to newer software.

Additionally, in order to increase application performance, the Client software stores some application elements in a local cache database contained within the Profile directory. These elements contain no personal or account data, which is all stored on TRA Servers. The cache is primarily composed of screen elements, such as images, form definitions, etc, and some Client side application scripts. Storing these cached items on your computer results in faster program operation and less data communication over your network. These elements are relatively small and require very little space on your computer's hard drive.

The one exception to the unrestricted Client installation is related to encryption exports. The TRA Secure Client software contains software elements that provide strong data encryption and other cryptographic primitives for the sole purpose of encrypting data as it is transported to the Collaborator servers. It does not encrypt data on the local machine, with the exception of the profile connection information. As a result of this ability, the TRA Client software is restricted by U.S. Department of Commerce export regulations contained in the E.A.R. (Export Administration Regulations). It may also be further restricted by import and export regulations in foreign countries. The E.A.R. defines strong encryption as key sizes in excess of 56 bits. Since the TRA Client uses symmetric block ciphers with key strengths of 256 bits (and possibly greater), the TRA Client is considered by the E.A.R. to be a strong encryption solution.

Currently, the TRA Client has not been submitted for approval for usage outside of the U.S. Until it is approved for such, you are liable for any un-authorized usage of the Client. This could mean civil or criminal charges if violated. Specifically, the E.A.R. defines countries that are prohibited as export destinations of strong encryption software solutions. Those countries vary periodically and generally associated with supporting terrorist activities. If you have obtained this software and are in one of those countries, you are possibly in violation of U.S. Department of Commerce export regulations; in which case, you would be specifically prohibited from installing or using the TRA Client in any fashion. If that is the case, then please cancel this installation and do not use this software.

V. Usage of Collaborator Online Service

When you initially "Sign Up" for the Collaborator service, you are given a 30 day free trial period. You may activate your account at any point within the trial period. Once activated, you will be billed periodically for your use of the Collaborator service. The amount and period of billing will be determined by your choices at the time you activate your account. Additionally, you may change your account type, as well as add or remove additional features (more users, more space, etc) in the future, which may alter your bill as a result. TRA WILL NOT change your bill without notifying you and giving you the opportunity to confirm the change.

The purpose of the Collaborator service is to facilitate collaboration among small to medium sized teams, by providing the ability to share lists of tasks, discussions, files and similar items. You may store whatever information you wish in your account data, in the form of files and data entry elements, with the following restrictions:

  • You WILL NOT use the Collaborator service to further an illegal or inappropriate enterprise. While TRA does not monitor the specific data elements you enter or upload, reports of inappropriate usage of the Collaborator service may result in immediate suspension of your access to the Collaborator service; in which case, you may or may not receive a refund of your paid fees.

    An example of an inappropriate enterprise would be furthering the goals of: trafficking in the exchange of human beings (abductions, slavery), the exchange of child pornography, racial hate and suppression, religious intolerance, and similar activities. TRA reserves the right to determine usage that is not considered appropriate.

  • You WILL NOT use the Collaborator service to support terrorism in general or further the ends of terrorist goals. Reports of terrorist related speech will result in suspension of services.

  • You will not attempt to intentionally access the data of other users of Collaborator without their consent and knowledge.

VI. How TRA Collects, Uses And Stores Your Data

It is important to first note that, unlike Web based services, all data and files sent to and received from the Collaborator service are encrypted. No data is EVER transferred to a TRA Server in a clear, unencrypted form. This is true regardless of the account type you purchase or how you use the service.

This channel encryption is a foundational characteristic of the TRA Secure Client software. Every connection to a TRA server is established using randomly generated, non repeating channel parameters, in order to establish a trusted, identity based channel session. As a result, identification and authorization occurs BEFORE the application session is actually granted. This is unlike Web based services that simply use SSL to encrypt data in transport and then have to provide a separate authorization mechanism.

For more information on the Caruso security infrastructure, please reference http://www.thoughtrealm.com/caruso.php.

There are five basic types of information that TRA collects from or for you. The following is a description of each type of information.

  • User Account Credentials
    In order to communicate with a TRA Server, you must FIRST login using your user credentials. These include your Alliance, user name and two passwords, referred to as a "password" and "phrase".

    During login, a secure, encrypted channel is established between you and a TRA Server using randomly generated parameters provided by the server. These parameters, in combination with your user credentials, algorithmically determine random channel parameters for every connection. This process allows the Caruso channel architecture to establish a private, encrypted session without exchanging passwords of any kind, while still achieving highly trustable user identification.

    The only element of your credentials that is actually transmitted to the server during login is your user id, referred to as user name. This ID can be a name, number, or whatever you want to use. This ID is initially transmitted to the TRA server in an encrypted state, using a set of server keys that are shared between the connecting Client software and the TRA Server. Once the ID is successfully exchanged, the channel encryption is "promoted" using the random channel parameters.

    Your actual passwords, which are never transmitted during login, are stored in a TRA server database in an obscured state, by using cryptographic primitives that include salting and stretching. This storage technique, as well as the requirement of two separate passwords for every user, assists in the mitigation of password dictionary attacks, should the TRA user database ever be compromised.

    As a result, if you should lose or forget your password, TRA is unable to tell you what your password was. Therefore, you can only be assigned a NEW password, since it is not possible to determine what your password was, given the information that is stored.

  • Personal Information
    TRA requires several items of personal information in order to service you. Those elements are basically:

    1. Name information
    2. Email address
    3. Billing information for the account payments, which may include credit card information.
    This information is NEVER shared with any 3rd party without your approval, with the exception of the credit card processor for the purpose of charging your periodic fees. No email information is shared with or sold to any vendor.

    The only emails you will receive from TRA are limited to occasional emails to our customers and notification emails that you request to be sent to you from the Collaborator service.

  • Files
    One feature of the service is the ability to upload and download files. The files that you upload to Collaborator to store in your account are transferred over a separate, encrypted channel between you and a TRA Server. The transmission channel is secured via the Caruso channel technology, as described above. This transmission does not use FTP or any other web based transfer mechanism. Instead, it uses Caruso's own file transfer protocol with it's own secure channel implementation.

    Before your file is uploaded, it may or may not be compressed, in order to save transfer time and bandwidth usage. Some file types, such as jpg, zip and rar, do not compress well and may actually grow in size as a result of further compression. Those files are not compressed. For files that are compressed, they are compressed on your machine PRIOR to upload and then uncompressed on your machine AFTER they are downloaded.

    After your file is received by the TRA server, it is then encrypted with a randomly generated key and initialization vector on the server. The key is built from two different elements that are stored in a database on a TRA Server. The file itself is encrypted and then stored in a separate file directory for your account. Later, when downloading the file, the random keys are retrieved from the TRA database and the file is then decrypted for your download.

  • Entered data
    The data that you enter is stored in a database on a TRA server. This data is your project info, such as task information, discussion messages, etc. This data can only be accessed remotely using the TRA Client software. This data is never provided to any 3rd party without your approval.

    In order to speed processing of your data for access and storage, this data is NOT currently stored in an encrypted state in the database. It IS encrypted during transmission, just not when it is stored on the server.

  • Backups
    In order to provide a measure of failure recovery, TRA performs several types of data backups. These backups cover at least your entered data, and may also include your uploaded files, depending on account type. Some backups are stored locally on the relevant TRA server. However, some backups are stored in a different location periodically, for redundancy. Those backups that are stored in a different location are encrypted in order to make sure that a data loss or other compromise of backup data will not result in a compromise of your actual data.

VII. Legal Requests for Your Data

While your data is NEVER provided to 3rd party vendors or sold for any reason, appropriate legal requests for your data will be serviced in accordance with legal proceedings, as a result of a criminal or civil investigation. Additionally, TRA makes every effort to comply with city, state, federal or other municipal entities as would be appropriate. These are the only circumstances where your data might be shared with a 3rd party.

VIII. Reliability of Collaborator Service

TRA makes every effort to provide a reliable service. While we do not offer service accessibility contracts or guarantees (e.g. 99.999%, etc), we do recognize that access to your data is of paramount importance. As such, we obviously institute a number of industry standard procedures and policies, such as daily backups of your data entry elements and at least weekly backups to a different location (as per Section VI, item E).

Additionally, our server equipment is housed at our hosting partner's facilities in one of the largest and most reliable server farms in the U.S., located in Dallas, TX. Also, our hosting partner, Server Intellect, provides a 4 hour equipment replacement guarantee, in the unlikely event of an equipment failure.

However, even with all of our efforts to provide a constant and reliable service without interruption, TRA cannot make any guarantees or assertions, implied or expressed, relating to service outages or interruptions. As such, TRA cannot be held liable for any service interruptions.

IX. Evaluation Period Terms

When you first signup, you will be granted a 30 day evaluation trial period. This period is for you to evaluate and test the Collaborator service. You are not required to provide any type of payment information before or during this period. The only requirement to sign up for and use the Caruso trial period is an email address. During this period, you may be limited in some ways as to how you may use the service during your trial period, such as limits on file storage, numbers of users, etc. You may activate your account at any time during this trial period.

During this trial period, you are bound by this license as if you were an active customer. A trial period does not infer or express any exceptions to the terms of this license or waiver of any license requirements.

Since the purpose of this period is to evaluate the software, each user is expected to only take advantage of this period ONCE. Attempting to use numerous evaluation periods to prevent activating a paid account is considered an inappropriate use of the service. If this behavior is detected, your service will be suspended immediately.

X. Customer Terms

Once you activate your account during your trial period, you will be considered a customer. Any product limitations will be removed at that time, as defined by your chosen account type.

Activating your account will require you to provide some payment information. This information is used in accordance with the data usage terms defined in preceding sections.

Once your account is activated and your payment information is provided, your first bill will be processed. Future bills from then on will be processed according to the period you indicated during signup (monthly, etc). You may change your payment period later, if you wish.

XI. Assertions, Assumptions, Guarantees and Liability

As with any software product and software company, it is NOT POSSIBLE that TRA could guarantee that our software is completely devoid of any and all defects. This includes any program or file that is provided by TRA for use with the Collaborator service, as well as any technique for using those files. TRA asserts that this Client software has proven through actual use and testing under reasonable scenarios to not fail in any considerable or harmful way, and has not been found to result in any damage to user systems or data. You can expect that this software and the Collaborator service are quite sufficient for the intended use as described within this EULA. However, you should be aware that your particular use of Collaborator or any related software could involve some unknown or unforeseeable scenario that may result in incorrect or different functionality than you intended, or under rare circumstances, possibly even result in damage to data or systems. This is not expected, nor has it been known to occur, but the rare possibilities do exist.

Additionally, while it is highly unlikely, it IS NOT POSSIBLE to absolutely guarantee that all of the Caruso environmental security measures could NEVER be compromised in any way. The security employed by the Caruso technology uses techniques that are currently considered secure. However, it is not possible to know if new fields of mathematics could be innovated in the future that may render the security within the Caruso architecture vulnerable to compromise. Neither is it possible to know what individuals or governments with UNLIMITED time and resources could accomplish, given sufficient time and effort, as relating to compromising Caruso security. Caruso employs the use of industry standard encryption techniques, such as the BlowFish cipher, which currently has no known exploitable weakness, by which a reasonable protection against data compromise can be assumed. However, TRA cannot guarantee that a compromise could NEVER happen.

If Collaborator or any related software does not appear to be usable as represented, you are entitled to a refund of any fees paid for the use of the Collaborator service. This right is only valid if exercised within a reasonable period of use for determining this. For example, you should not expect to use the software for six months and then ask for a refund under the pretention that it never worked correctly. While TRA may indeed refund your money in that situation, you have no reasonable expectation that it should do so. For this reason, the free 30 day evaluation period is provided prior to account activation. This period should be more than adequate to determine the usability and stability of the Collaborator service and related software for your needs, environment and configuration.

XII. Reverse Engineering and Product Modification

In your particular country, Reverse Engineering may or may not be legal. Where it is not legal, such prohibition extends to this software as well. However, there are specific instances where Reverse Engineering and modification is prohibited by this EULA under any condition, regardless of your country of origin and its laws. They are as follows.

You may not reverse engineer this Client software in order to access restricted data within your Alliance, such as modifying the software to somehow allow you to bypass a configuration by the Master Account user that would prohibit your user login from accessing certain data elements.

You may not reverse engineer this Client software in order to access the data of other Alliances and users, without their consent and approval.

You may NOT use reverse engineering in any way for the purpose of breaking any law, or, for the purpose of damaging or violating the rights of any other individual or company. For example, you may not use reverse engineering for the purpose of stealing data from other companies or attacking another user's system, or in any way compromising their security.

XIII. Litigation and Claims of Venue

If, for some extreme reason, you believe that your rights or privileges have been violated as a customer of TRA, and you are using the Collaborator service as intended and within the bounds of its intended usage, and you should decide to initiate legal action against or relating to TRA or some authorized agency of TRA, then the following terms will apply:

  1. You will be required to make and register all complaints within the local venue of Christian County, Missouri.
  2. All complaints would be subject to Missouri law, particularly as they apply within Christian County.
  3. All proceedings would take place within Christian County, MO, or some other location as specified or required by TRA.
  4. TRA and any authorized, related entity for TRA, will not be required to provide any expenses for the support of your implied right to register complaints against TRA or any authorized, related entity.
  5. No compensation will be requested, awarded or granted in excess of or beyond the fees paid for the usage of the Collaborator service for that single individual.
  6. You will not participate in a class action suit against TRA or any authorized agency of TRA.