Open Source and information security mailing list archives
 
From: tobias at weisserth.de (Tobias Weisserth)
Subject: RE: W2K source "leaked"?

Hi Paul,

On Fri, 13.02.2004 at 22:22, Schmehl, Paul L wrote:
...
> > Drew Copley once said:
> > 
> > > We should prepare for this now.
> > 
> > Anyone care to comment how we can prepare for this?? Except 
> > for moving from the Windows platform, I don't see how we can. 
> > Please do not take this as knock against Drew and his 
> > opinion. It most certainly isn't. I really would like to hear 
> > others' thoughts on this.
> >
> Odd.  I would have thought the answer was self-evident.  You take the
> standard precautions that every security person should know.

So just because the source code hasn't been leaked until now means
people were not obliged to take these precautions? A weak point, don't
you think?

> Shut down unnecessary services, block all incoming ports except those services
> necessary to function, create secure "areas" within which you keep the
> "crown jewels", develop a consistent, effective program of patching,
> security awareness, yada, yada, yada, etc., etc., etc.

So what you are saying here, reduced to the essence, is that the only
"preparation" we can do as an answer to the leaking are the same
precautions we are doing all the time anyway?!

I have to agree with the initial doubting question then that there is hardly
anything we can do but sit and wait and apply standard security
precautions we would have anyway. We're talking about closed source
software here. Everything customers can do is to sit and wait for
patches from MS if there's a problem.

Personally I don't think this leak will unavoidably lead to a serious
increase of heavy and even sneakier exploits. We already have them.
The last week has been evidence enough. Maybe this will even lead to
more security as customers with the capacity will have the potential to
identify possible threats themselves and point them out to MS ;-)

regards,
Tobias W.

