lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <81637804AB36A644BBDE3ED9DD4E73FD9C45A2@hermes.eCompany.gov>
Date: Thu, 12 Feb 2004 15:50:49 -0800
From: "Drew Copley" <dcopley@...e.com>
To: "Gadi Evron" <ge@...tistical.reprehensible.net>,
   <bugtraq@...urityfocus.com>
Cc: <full-disclosure@...ts.netsys.com>
Subject: RE: W2K source "leaked"?


 

> -----Original Message-----
> From: Gadi Evron [mailto:ge@...tistical.reprehensible.net] 
> Sent: Thursday, February 12, 2004 1:49 PM
> To: bugtraq@...urityfocus.com
> Cc: full-disclosure@...ts.netsys.com; Thor Larholm
> Subject: W2K source "leaked"?
> 
> A couple of days ago a friend of mine drew my attention to the source
> making rounds on the encrypted p2p networks, I was hoping it 
> would take
> a bit longer for it to be "out", but that was just day-dreaming.
> 
> Thor Larholm just gave me this URL, as you can notice, the 
> server is busy:
> http://www.neowin.net/comments.php?id=17509
> 
> I never believed in 0-days. "New" or more to the point
> un-known-to-the-public exploits and vulnerabilities exist and 
> are being
> used.
> In my opinion "0-days" virtually don't exist. It's usually either some
> vulnerability that is long known and a COP or a worm is created. Or
> exploits that will nearly never see the "public" but exist 
> and are used
> by few individuals.. but now... I don't know.
> 
> How often does a brand new exploit come out without prior warning and
> "attack" the net?
> 
> *If* this really is the.. _real_ source code for W2K (and according to
> the article NT4 as well).... we'll see what happens next.
> 
> People didn't need help finding vulnerabilities in Windows before, but
> it just became a whole lot easier and a lot less demanding on the "m4d
> #4x0r 5k111z".

This assumption reveals a lot about the merits of open source, doesn't
it.

Why should any of this be surprising to anyone? Haven't we all seen how
screeners make it onto the net, even screeners sent to eighty something
old Oscar judges? So, of course someone leaked this. It would have
happened sooner or later.

As for your comments on zero day, I have some strong opinions on that:

First, I recall two massive zero day exploits being used last year. One
in IE being used by spammers and one in IIS.

We should expect this trend to advance exponentially, I would think,
just considering the amount of people coming online, the natural
progression of security, the infiltration time required for the market
to meet the demand and such other natural factors. 

Read: organized crime, corrupt governments and corporations and such...
have yet to really understand the unorthodox ways of bugfinding or the
power of the field. But that they will... That is simply a force of
nature. It is inevitable. 

We should prepare for this now.

But, like most events similar to this in history, we won't. Or, we won't
do a very good job of it. Maybe others are more optimistic.


> 
> I can't really say that the article is right and the source 
> was "leaked"
> or "stolen". The source is being sold/given (?) for years now to EDU's
> and commercial companies for research purposes (not to 
> mention China..).
> I suppose foul play is always possible.
> 
> Can anyone confirm this is the real source code? How about a press
> release? :)
> 
> 	Gadi Evron
> 
> 
> 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ