Date: Fri Jan 13 21:57:52 2006
From: bkfsec at sdf.lonestar.org (bkfsec)
Subject: Steve Gibson smokes crack?

Jason Coombs wrote:

>
> The Microsoft corporate entity may not be malicious in terms of 
> purposefully planting backdoors with knowledge and consent of Gates et 
> al (this assertion is of course questionable) however, individual 
> programmers at Microsoft have probably planted backdoors on purpose. 
> This happens frequently in many software shops.
>
Oh I'm quite certain that it happens...

> The corporate culture at Microsoft made it easy to do so, and get away 
> with it, as you so accurately described. Individual product managers 
> who encouraged the least safe configurations and least safe 
> feature/code designs might have done so for the purpose of preserving 
> widespread access to such backdoors.
>
Perhaps... it's really tough to tell the difference.  My assertion would 
be that it can be difficult to tell the difference between an accidental 
bug, a design flaw, and an intentionally planted bug.  Of course, that 
would depend on the bug and any evidence in the code regarding the bug, 
but unless there's something that says "My exploit here", as sort of 
happened with the NSA backdoor fiasco, it still might be difficult to 
prove.  Even then, we still don't know that that was an NSA backdoor 
beyond a shadow of a doubt.  There are worms out there with copyright 
notices listing the government of China.  Did China actually create the 
worm?  Why would it put a copyright notice in the code?  More likely 
that data is there for the purpose of deception.  So even comments and 
symbols aren't 100% trustworthy.  (Not the same scenario, but still 
illustrates that trust is difficult)

I think we need to be careful about making accusations without solid 
evidence.

I know that you don't like the concept of prosecution without solid 
evidence.  :)

> It would be relatively simple for Microsoft to determine whether any 
> particular individuals were responsible for writing the bad code and 
> deploying flawed architectures over and over again through the years.
>
Assuming they made more than a handful of blatant and patterned holes 
that had been found.  There are ways to circumvent the infrastructure 
such that they're not obvious.   Inserting extra code into an old code 
tree parser, for instance, so that the native code is trojaned but the 
source isn't.  That's only the first method that comes to mind.

It would depend on the intelligence and planning of the individual.

> Perhaps Microsoft has bothered to look into this by now, and has 
> quietly dismissed the perpetrators.
>
Again, hard to say.  Without being personally privy to any information 
saying as much from a source who can claim to have been there to witness 
it, I can't even speculate.

> Beware of ex-Microsoft programmers.
>
I would say that this is true for any ex-programmer of any widely used 
program.  Even if they didn't maliciously insert a backdoor, it's still 
entirely possible for that person to know and understand the weaknesses 
in the infrastructure.  All infrastructures have weaknesses somewhere.

             -bkfsec

