From: Valdis.Kletnieks at (
Subject: Microsoft win2003server phone home 

On Mon, 04 Aug 2003 13:15:26 +0200, martin scherer <>  said:

> > 3.  Could it be considered as a security risk to let a newly installed server
> > request information from an arbitrary server that I have no control over?
> Security in the way that your server might end up getting exploited because
> of it?
> No, I don't think so.
> Security in a way that you might get caught using an illegal copy of a
> win2003 server?
> Yup.

You *do* realize that was hit by CodeRed, right?

You *do* realize that Apple's 'Software Update' had issues with failing to use PKI
to identify the download server, resulting in a possible MITM attack, right?

You *do* realize that OpenSSH, Sendmail, tcpdump, and tcp_wrappers have *all* had
trojan'ed distributions put on their *official* download site?

Still don't think there's a security risk in downloading an unverified patch from
a server not under your control?

Closing down *most* of these exposures is why the 'rpm' package manager
supports using PGP to sign the packages...
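
Concretely, here is what "verify the signature before you install" looks like, as an added example that is not part of this post or the thread: a throwaway vendor key signs a patch file, and a client that has pinned only the vendor's public key (imported out of band, not fetched from the download server) accepts the genuine download and refuses both a copy tampered with in transit and a copy re-signed by a hypothetical man-in-the-middle who controls the server. All identities, keys and patch bytes are constructed here; the script assumes GnuPG (`gpg`, 2.1 or later) on the PATH.

```shell
#!/bin/sh
# Added example, not from the original post or the thread.  A vendor signs a
# patch with a PGP key; the client verifies the detached signature against a
# copy of the vendor key it obtained out of band (pinned), never against a key
# served by the download host.  Identities, keys and payloads are constructed.
set -eu

WORK=$(mktemp -d)
VENDOR_HOME="$WORK/vendor"; CLIENT_HOME="$WORK/client"; MITM_HOME="$WORK/mitm"
mkdir -p "$VENDOR_HOME" "$CLIENT_HOME" "$MITM_HOME"
chmod 700 "$VENDOR_HOME" "$CLIENT_HOME" "$MITM_HOME"

# Create a throwaway, passphrase-less key in HOMEDIR for a hypothetical identity.
make_key() {
    gpg --homedir "$1" --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "$2" default default never >/dev/null 2>&1
}

# Write a detached, ASCII-armored signature over FILE to FILE.asc using HOMEDIR's key.
sign_file() {
    gpg --homedir "$1" --batch --quiet --pinentry-mode loopback --passphrase '' \
        --yes --detach-sign --armor --output "$2.asc" "$2" 2>/dev/null
}

# Client-side gate: the check the mail is asking for before a patch is installed.
# Returns 0 only when SIG is a good signature over FILE by a key already in the
# client's keyring; a tampered file, an unknown signer or a missing signature
# all return 1, and the caller must not install.
verify_patch() {
    file="$1"; sig="$2"
    if gpg --homedir "$CLIENT_HOME" --batch --quiet --verify "$sig" "$file" >/dev/null 2>&1; then
        echo "OK   $file: good signature from a pinned key"
        return 0
    fi
    echo "FAIL $file: signature missing, bad, or from an unknown key; do not install"
    return 1
}

# --- vendor side: sign the release and publish the public key ---
make_key "$VENDOR_HOME" 'Vendor Patch Signing <patches@example.invalid>'
printf 'constructed patch payload v1\n' > "$WORK/patch.bin"
sign_file "$VENDOR_HOME" "$WORK/patch.bin"
gpg --homedir "$VENDOR_HOME" --batch --quiet --export --armor > "$WORK/vendor-key.asc" 2>/dev/null

# --- client side: pin the vendor key obtained out of band (not from the mirror) ---
gpg --homedir "$CLIENT_HOME" --batch --quiet --import "$WORK/vendor-key.asc" 2>/dev/null

# 1. genuine patch with its genuine signature: accepted
verify_patch "$WORK/patch.bin" "$WORK/patch.bin.asc" || true

# 2. bytes altered in transit, signature left untouched: rejected (bad signature)
printf 'constructed patch payload v1 with backdoor\n' > "$WORK/tampered.bin"
cp "$WORK/patch.bin.asc" "$WORK/tampered.bin.asc"
verify_patch "$WORK/tampered.bin" "$WORK/tampered.bin.asc" || true

# 3. the MITM re-signs the altered bytes with its own key; since it controls the
#    server it can also serve that key, but the client never imported it: rejected
make_key "$MITM_HOME" 'Evil Mirror <mitm@example.invalid>'
cp "$WORK/tampered.bin" "$WORK/resigned.bin"
sign_file "$MITM_HOME" "$WORK/resigned.bin"
verify_patch "$WORK/resigned.bin" "$WORK/resigned.bin.asc" || true
```

The decisive point is case 3: a signature proves nothing unless the key it was made with was trusted before the download started. That is what `rpm --checksig` (`rpm -K`) does for packages against keys previously loaded with `rpm --import`, which is the rpm feature the post refers to; a key or checksum fetched from the same untrusted server as the patch adds nothing.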
