From: jasonc at (Jason Coombs)
Subject: Microsoft win2003server phone home 

> Closing down *most* of these exposures is why the 'rpm' package manager
> supports using PGP to sign the packages...

You *do* realize that digital signatures can be forged with theft of private
keys, right?

You *do* realize that Microsoft deployed a bunch of PKI code that accepts
arbitrary certificate chains and allows any certificate, even an End Entity
certificate, to be used as an intermediate CA certificate for the purpose of
issuing new arbitrary certificates including those that are used to digitally
sign code, right?

You *do* realize that CAs made serious mistakes in the past, including issuing
authentic certificates to unauthorized people (VeriSign) and issuing End
Entity certificates without the End Entity bit present (Thawte, others), right?

You *do* realize that bugs may exist in rpm's client socket routines that
would allow remote-exploitable buffer overflows to be mounted by a MITM,

And surely you *must* realize that we can spend days making lists of known
threats and *still* fail to identify *all* possible threats.

No communication that crosses organizational boundaries should *ever* be
automated. Least of all code updates.

Jason Coombs

-----Original Message-----
[]On Behalf Of
Sent: Monday, August 04, 2003 8:43 AM
To: martin scherer
Subject: Re: [Full-Disclosure] Microsoft win2003server phone home

On Mon, 04 Aug 2003 13:15:26 +0200, martin scherer <> said:

> > 3.  Could it be considered as a security risk to let a newly installed
> > request information from an arbitrary server that I have no control over ?
> security in the way that your server might end up getting exploited because
> of it?
> No, I don't think so.
> security in a way that you might get caught using an illegal copy of a
> win2003 server?
> yup.

You *do* realize that was hit by CodeRed, right?

You *do* realize that Apple's 'Software Update' had issues with failing to use
to identify the download server, resulting in a possible MITM attack, right?

You *do* realize that OpenSSH, Sendmail, tcpdump, and tcp_wrappers have *all*
had trojan'ed distributions put on their *official* download site?

Still don't think there's a security risk in downloading an unverified patch
from a server not under your control?

Closing down *most* of these exposures is why the 'rpm' package manager
supports using PGP to sign the packages...
