lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <200310062314.h96NEXai078672@grenada.globat.com>
From: mvp at joeware.net (Joe)
Subject: Half-Life 2 source code stolen through IE       exploit

Actually no, this isn't a "*clear cut* case where Microsoft is completely at
fault and the admins are completely innocent". They don't know what the hole
was. 

They are, in Gabe's word's, "SPECULATING" that it was a preview pane
overflow in Outlook that got key loggers onto the machines. That plus a
"customized" version of RemoteAnywhere. 

Again, speculation. They don't know. If they don't know, certainly neither
do you nor I. What we do know is that the overall security was extremely lax
and that they can't tell you who downloaded a copy of the company cirtical
source tree or even what day it occurred just that it was "around" 9/19. A
source tree that 

A. Shouldn't be available to the internet
B. Should require very special LOGGED authentication to touch
C. Should have every access whether read or write logged in triplicate.

And actually, the only OS that is known to be involved is for a desktop, the
server could have been something else that actually contained the source
tree. 

Even if I said for arguments sake, the compromise of the desktop was
entirely the fault of MS, that data never should have been able to be pulled
through the firewall and that is not MS's fault. 


If you didn't look at the link I posted last time with Gabe's comments, they
are worth looking at -
http://www.neowin.net/comments.php?id=14171&category=gamers. Plus the
additional comments at the bottom which are:


Update: An email transcript dated the 27th of September (that I won't link
to) highlights security flaws in Valve's operations, and mentions that some
members of Valve were pushing for a peer-to-peer distribution method for
Half-Life 2 shortly before release, in the hope of not crippling the direct
download servers, and leaving Steam customers without their game. 

In the email, the owner of a Half-Life 2 fan site tricked another Valve
employee into thinking he was someone else, and then got confidential
information from him. Significantly, the Valve employee stated that they -
at the time - had no email verification software, and so emails could be
faked by a skillful hacker. Presumably security has now been tightened.


    joe




-----Original Message-----
From: full-disclosure-admin@...ts.netsys.com
[mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of Schmehl, Paul L
Sent: Monday, October 06, 2003 2:32 PM
To: full-disclosure@...ts.netsys.com
Cc: nick@...us-l.demon.co.uk

<SNIP>

So this is a *clear cut* case where Microsoft is completely at fault and the
admins are completely innocent (other than the side issues of whether or not
they should have development servers on the Internet or not and whether or
not they should use Microsoft products at all.)

Paul Schmehl (pauls@...allas.edu)
Adjunct Information Security Officer


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ