From: pauls at utdallas.edu (Paul Schmehl)
Subject: RE: W2K source "leaked"?

--On Saturday, February 14, 2004 1:35 AM +0100 Tobias Weisserth 
<tobias@...sserth.de> wrote:

> Hi Paul,
>>
>> Odd.  I would have thought the answer was self evident.  You take the
>> standard precautions that every security person should know.
>
> So just because the source code hasn't been leaked until now means
> people were not obliged to take these precautions? A weak point, don't
> you think?
>
No, that's not what I meant at all.  The fact is almost all software has 
weaknesses and flaws in it.  Unless you happen to be one of those with 
enough time and skill to hunt down these flaws, you won't know about them 
until they either become public knowledge, a patch is released or you 
experience a compromise.

In the meantime, what can you do?  The same thing you always have to do. 
Take the appropriate security precautions.  Unfortunately far too many wait 
until they have a problem to take those steps.
>
> So what you are saying here, reduced to the essence, is that the only
> "preparation" we can do as an answer to the leaking are the same
> precautions we are doing all the time anyway?!
>
Yes, unless you are able to determine what, if any, flaws are in the 
software.  Not many can do that.

> I have to agree with the initial doubting question then, that there is hardly
> anything we can do but sit and wait and apply standard security
> precautions we would have anyway. We're talking about closed source
> software here. All customers can do is sit and wait for
> patches from MS if there's a problem.
>
> Personally I don't think this leak will unavoidably lead to a serious
> increase of heavy and even sneakier exploits. We already have them.
> The last week has been evidence enough. Maybe this will even lead to
> more security as customers with the capacity will have the potential to
> identify possible threats themselves and point them out to MS ;-)

I suspect that flaws will probably be found.  After all, they already have 
been found without the source.  It's only logical that with the source in 
hand more flaws will be found.

Paul Schmehl (pauls@...allas.edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu

