Message-ID: <1077163836.11503.13.camel@Stargate>
From: nodialtone at comcast.net (Byron Copeland)
Subject: InfoSec sleuths beware ...

Mad,

OK, you have a good point there, but it's only a fraction of the code
anyway.  If they really wanted it audited, by releasing it on purpose as
you and others have alluded, then why not release the entire
distribution?

Here, I have released some of my distribution and like I have said, you
find something wrong, you fix it! Or, re-write it.

http://home.comcast.net/~nodialtone


On Wed, 2004-02-18 at 21:39, madsaxon wrote:
> At 01:45 PM 2/18/2004 -0800, you wrote:
> 
> >Did I miss the thread or has no one yet postulated that the Microsoft
> >source code subset was leaked intentionally in order to afford M$ the
> >free services of hundreds or thousands of security researchers auditing
> >their code for them?
> 
> You missed the thread:
> 
> From: Exibar  exibar@...lair.com
> Sun, 15 Feb 2004 12:39:25 -0500
> Subject: Microsoft source code "leak"
> 
> Anyone ever think that perhaps Microsoft "leaked" this section of code on
> purpose?  Right now there are 1,000's of hacker types and curious types
> poring over that code looking for flaws.  Sounds like there was already a
> flaw found using a signed integer as an offset, I've also heard that there
> is an exploited version of Notepad floating around now too...
> 
>    Microsoft can't pay to have this kind of QA done in house (who could?), 
> so why not release a piece of source and let everyone do it for them?
> 
>    Could be that it's a clever way to distract from the ASN.1 flaw that was
> found too... release a bit of code that is meaningless and the exploit
> writers will be too busy looking through that code to write a huge exploit
> for ASN.1?
> 
>    Ok, sounds like a conspiracy theory, doesn't it?  And it probably isn't
> true, but stranger things have happened :-)
> 
>   Exibar
> 
> 
> 
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html

