lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <81637804AB36A644BBDE3ED9DD4E73FD9C495B@hermes.eCompany.gov>
Date: Fri, 13 Feb 2004 10:53:44 -0800
From: "Drew Copley" <dcopley@...e.com>
To: "Joe Quigley" <joe.quigley@...um.com>, <bugtraq@...urityfocus.com>
Cc: <full-disclosure@...ts.netsys.com>
Subject: RE: W2K source "leaked"?


 

> -----Original Message-----
> From: Joe Quigley [mailto:joe.quigley@...um.com] 
> Sent: Friday, February 13, 2004 9:00 AM
> To: Drew Copley; Gadi Evron; bugtraq@...urityfocus.com
> Cc: full-disclosure@...ts.netsys.com
> Subject: RE: W2K source "leaked"?
> 
> Drew Copley once said:
> 
> > We should prepare for this now.
> 
> 
> Anyone care to comment how we can prepare for this?? Except for moving
> from the Windows platform, I don't see how we can. Please do not take
> this as knock against Drew and his opinion. It most certainly isn't. I
> really would like to hear others thoughts on this.
> 
> Thanks in advance.


What is knocking my opinion? I just said there is a problem. There are a
lot of potential solutions. And, it isn't a Windows only problem. 

Some solutions are class based anomaly detection, kernel level hooking
(systrace), hardware and software protection against exploit code like
dll rebasing or secure compilers,  etc, etc.  

A lot of companies have already been protecting their clients against
new vulnerabilities. This isn't a new issue at all. But, I don't think a
lot of people really think about it as they should.



> 
> 
>  
> 
> > -----Original Message-----
> > From: Gadi Evron [mailto:ge@...tistical.reprehensible.net] 
> > Sent: Thursday, February 12, 2004 1:49 PM
> > To: bugtraq@...urityfocus.com
> > Cc: full-disclosure@...ts.netsys.com; Thor Larholm
> > Subject: W2K source "leaked"?
> > 
> > A couple of days ago a friend of mine drew my attention to 
> the source
> > making rounds on the encrypted p2p networks, I was hoping it 
> > would take
> > a bit longer for it to be "out", but that was just day-dreaming.
> > 
> > Thor Larholm just gave me this URL, as you can notice, the 
> > server is busy:
> > http://www.neowin.net/comments.php?id=17509
> > 
> > I never believed in 0-days. "New" or more to the point
> > un-known-to-the-public exploits and vulnerabilities exist and 
> > are being
> > used.
> > In my opinion "0-days" virtually don't exist. It's usually 
> either some
> > vulnerability that is long known and a COP or a worm is created. Or
> > exploits that will nearly never see the "public" but exist 
> > and are used
> > by few individuals.. but now... I don't know.
> > 
> > How often does a brand new exploit come out without prior 
> warning and
> > "attack" the net?
> > 
> > *If* this really is the.. _real_ source code for W2K (and 
> according to
> > the article NT4 as well).... we'll see what happens next.
> > 
> > People didn't need help finding vulnerabilities in Windows 
> before, but
> > it just became a whole lot easier and a lot less demanding 
> on the "m4d
> > #4x0r 5k111z".
> 
> This assumption reveals a lot about the merits of open source, doesn't
> it.
> 
> Why should any of this be surprising to anyone? Haven't we 
> all seen how
> screeners make it onto the net, even screeners sent to eighty 
> something
> old Oscar judges? So, of course someone leaked this. It would have
> happened sooner or later.
> 
> As for your comments on zero day, I have some strong opinions on that:
> 
> First, I recall two massive zero day exploits being used last 
> year. One
> in IE being used by spammers and one in IIS.
> 
> We should expect this trend to advance exponentially, I would think,
> just considering the amount of people coming online, the natural
> progression of security, the infiltration time required for the market
> to meet the demand and such other natural factors. 
> 
> Read: organized crime, corrupt governments and corporations 
> and such...
> have yet to really understand the unorthodox ways of bugfinding or the
> power of the field. But that they will... That is simply a force of
> nature. It is inevitable. 
> 
> We should prepare for this now.
> 
> But, like most events similar to this in history, we won't. 
> Or, we won't
> do a very good job of it. Maybe others are more optimistic.
> 
> 
> > 
> > I can't really say that the article is right and the source 
> > was "leaked"
> > or "stolen". The source is being sold/given (?) for years 
> now to EDU's
> > and commercial companies for research purposes (not to 
> > mention China..).
> > I suppose foul play is always possible.
> > 
> > Can anyone confirm this is the real source code? How about a press
> > release? :)
> > 
> > 	Gadi Evron
> > 
> > 
> > 
> 
> 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ