lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
From: etomcat at freemail.hu (Feher Tamas)
Subject: Re: Microsoft to give holes info to Uncle Sam
	first

Hello,

I already got an e-mail asking why I am a tinfoil-hat
conspiracist and what is the problem with Microsoft giving
fixes to US gov't in advance?

If Microsoft gives fixes info to Uncle Sam first, it gives
USA the exploits first.

I mean you just unpack the hotfix installer first to see
what files got changed and then you compare the new and old
files' code to see what routines were changed. With diligent
effort you can find out why code had to be modified and then
reverse engineer or brute force an exploit. Virus writers do
this almost always.

Considering the vast resources available to US federal govt,
they would have a working exploit in a day, even if MS only
gave them the hotfixes in binary format. They could use the
more serious exploits to illegally access people's computers
in America and abroad (muslims, environmentalists, german
and french people, etc.) and blame it on ordinary
underground hackers if discovered.

If you find a bug and tell MS about it and agree to keep
your mouth shut until the security fixes become public, then
now you essentially give DoD and DoHS 29 days to do whatever
they want and no judge will know if John Doe's PC ever gets
tapped. Maybe it's not even punishable if a commercial
entiry (M$) gave voluntarily them the fixes, which became
the source of exploit.

I think IT people should write "security@...rosoft.com" en
masse and thell Redmond this is an unacceptable practice.

Elsewhere in the news: as for the Windows rootkit  finders I
wrote about yesterday, they do seem to work. At least one
new (yet unknown) rootkit has been found using them. The
problem is these tools are heuristic in nature and user
often thinks: whoaa that many alerts, must be a false alarm!
Well it was not, it was a cracked game distributor
mechanism. If there is an alarm, do sumbit the files to your
AV vendor's sample e-mail to find out exactly what's wrong.

Regards: Tamas Feher

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ