Date: Fri Jan 13 22:28:37 2006
From: william at lefkovics.net (William Lefkovics)
Subject: Steve Gibson smokes crack

Notwithstanding the high probability that there was an unintended bug in the
intentionally planted bug.  (Which bug do they patch?)

And no matter, the subject line of the thread remains true regardless.

-----Original Message-----
From: full-disclosure-bounces@...ts.grok.org.uk
[mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf Of bkfsec
Sent: Friday, January 13, 2006 1:58 PM
To: jasonc@...ence.org
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: [Full-disclosure] Steve Gibson smokes crack?

Jason Coombs wrote:

>
> The Microsoft corporate entity may not be malicious in terms of 
> purposefully planting backdoors with knowledge and consent of Gates et 
> al (this assertion is of course questionable) however, individual 
> programmers at Microsoft have probably planted backdoors on purpose.
> This happens frequently in many software shops.
>
Oh I'm quite certain that it happens...

> The corporate culture at Microsoft made it easy to do so, and get away 
> with it, as you so accurately described. Individual product managers 
> who encouraged the least safe configurations and least safe 
> feature/code designs might have done so for the purpose of preserving 
> widespread access to such backdoors.
>
Perhaps... it's really tough to tell the difference.  My assertion would be
that it can be difficult to tell the difference between an accidental bug, a
design flaw, and an intentionally planted bug.  Of course, that would depend
on the bug and any evidence in the code regarding the bug, but unless
there's something that says "My exploit here", as sort of happened with the
NSA backdoor fiasco, it still might be difficult to prove.  Even then, we
still don't know that that was an NSA backdoor beyond a shadow of a doubt.
There are worms out there with copyright notices listing the government of
China.  Did China actually create the worm?  Why would it put a copyright
notice in the code?  More likely that data is there for the purpose of
deception.  So even comments and symbols aren't 100% trustworthy.  (Not the
same scenario, but still illustrates that trust is difficult)

I think we need to be careful about making accusations without solid
evidence.
