From: gr at eclipsed.net (gabriel rosenkoetter)
Subject: Re: Windows 2000 Source code .torrent

On Fri, Feb 13, 2004 at 03:44:55PM -0500, Mark Renouf wrote:
> >Click here, then OPEN the file: 
> >http://torrent.spyderlake.com/download.php?info_hash=f03fc1e04869294d5644d3c8c5d0fb8f2d26aa59
> Um, now was that really necessary?

Yeah, because, you know, this isn't full-disclosure or anything.

Why would it be appropriate to discuss security vulnerabilities to
which the vendor has not yet responded, and yet inappropriate to
discuss files that are now in the public domain? (It doesn't matter
if they were stolen: the cat's out of the bag. If they were leaked
against contract language, that's an argument between MSFT and the
leaker.)

> Granted, at this point most anyone who bothered to look now has a copy
> of it, but still... I wouldn't be posting public links.

To what end?

So that those in the infosec community who weren't on their favorite
p2p or IRC network on Thursday evening don't have the opportunity to
see and be prepared for the results of what the black hat community
is already using to write new exploits?

How could it benefit anyone to keep this secret at this point? The
"bad" guys already have this information. The sooner responsible
individuals also review the source and notify MSFT, the better.

On Fri, Feb 13, 2004 at 07:28:51PM +0100, B3r3n wrote:
> I would like to recall that 99% of what peer-to-peer tools are sharing are
> illegal copies.

Huh? That sentence doesn't even make sense. Copies of what?

> Could you please simply tell us what file is behind this hash?

I don't think you understand how BitTorrent functions. It's not
possible to provide an answer to that question.

On Sat, Feb 14, 2004 at 02:44:08AM +0100, Diego Calleja wrote:
> Microsoft is obviously going to attack any site doing that. In fact, just
> look at the previous links given in this list: they've already disappeared.
> And their lawyers will call your phone soon, if you own that site.

That's FUD. Earlier sites are far more likely to have stopped
carrying these files because of the bandwidth pain they experienced.
Posting a torrent publicly is a great way to reduce everyone's
bandwidth usage.

> Sincerely, I'd try to think about the consequences. I.e., how much time it is
> going to take hackers to start looking for vulnerabilities.

They already are. How about the respectable security folks get the
opportunity to do so as well?

> How everybody outside the internet is going to ACK making P2P
> and other things illegal if worms start to appear.

FUD again.

> And mainly, what market strategies is Microsoft going to follow
> with NT, now that it's just *NOT* possible to stop the leak.... (i.e.: now that
> they fucked up us and everybody has it, why not just open all the code)

What color is the sky where you live?

It is, in no way, in Microsoft's best interest for more of their
code to become public. It's fine (and easily supportable) that OSS
is more secure in the long run because of the greater number of eyes
on it. That's true because that source has always been publicly
available. Exposing more of MSFT's secure-through-obscurity source
will only expose more security problems than anyone could hope to
fix quickly enough.

-- 
gabriel rosenkoetter
gr@...ipsed.net
