Message-ID: <871080DEC5874D41B4E3AFC5C400611E06B47709@UTDEVS02.campus.ad.utdallas.edu>
From: pauls at utdallas.edu (Schmehl, Paul L)
Subject: Half-Life 2 source code stolen through IE exploit

> -----Original Message-----
> From: Brown, Rodrick [mailto:rbrown@...tt.nyc.gov] 
> Sent: Monday, October 06, 2003 12:01 PM
> To: Trey Mujakporue/UK/Tesco; full-disclosure@...ts.netsys.com
> Cc: nick@...us-l.demon.co.uk
> Subject: RE: [Full-Disclosure] Half-Life 2 source code stolen 
> through IE exploit
>
> I don't see how Microsoft is at fault? This was a known bug 
> released by Microsoft months ago if they had adequate patches 
> or even a decent security protocol in place this would never 
> have happened. 

You are either terribly confused or mis- or un-informed.  The patch
(MS03-040) that "fixes" this problem (and we won't really know that it
does until people like Thor have had time to test it thoroughly - after
all, past experience tells us that Microsoft *saying* that it's fixed is
unreliable) was just released last Wednesday, well after Valve was
broken into.  The patch that *supposedly* fixed it (MS03-032) was
released a while ago, and I believe I recall Valve saying that they had
applied that one.  But Microsoft has known for months that that patch
did *not* fix the problem, and yet they waited until it was being
actively exploited in a massive way before issuing a "fix".

So this is a *clear cut* case where Microsoft is completely at fault and
the admins are completely innocent (other than the side issues of
whether or not they should have development servers on the Internet or
not and whether or not they should use Microsoft products at all.)

Paul Schmehl (pauls@...allas.edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/ 

