lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
From: ggilliss at netpublishing.com (Gregory A. Gilliss)
Subject: InfoSec sleuths beware ...

All,

I do not have the source code (and who needs hundreds of Megs of bad code
anyway). Therefore I cannot reference *which* parts of W2K/WXP were
stolen/leaked. Has anyone who knows anyone who has seen the legit (203M)
file an insight into which portions/components of the code are in the
leaked distribution? Me thinks that would provide a clue as to whether the
breach was real/intentional. For example, if what was leaked is the
"core code" then I would think that the leak is likely intentional
(since who here, without knowing, could look at the source and grab
the pertinent modules, unless Microsoft's CVS tree is much more organized
thatn the rest of their operation :-). However if the source is all over 
the map - i.e. core/active directory/DHCP server/whatever maybe the leak 
is legit. Who knows?

Just trying to help brainstorm the topic ~%-O

G

On or about 2004.02.18 20:39:46 +0000, madsaxon (madsaxon@...ecway.com) said:

> You missed the thread:
> 
> From: Exibar  exibar@...lair.com
> Sun, 15 Feb 2004 12:39:25 -0500
> Subject: Microsoft source code "leak"
> 
> Anyone ever think that perhaps Microsoft "leaked" this section of code on
> purpose?  Right now there are 1,000's of hacker types and curious types
> pouring over that code looking for flaws.  Sounds like there was already a
> flaw found using a signed integer as an offset, I've also heard that there
> is an exploited version of Notepad floating around now too...
> 
>   Microsoft can't pay to have this kind of QA done in house (who could?), 
> so why not release a piece of source and let everyone do it for them?
> 
>   Could be that it's a clever way to distract from the ASN.1 flaw that was
> found too... release a bit of code that is meaningless and the exploit
> writers will be too busy looking through that code to write a huge exploit
> for ASN.1?
> 
>   Ok, sounds like a conspiracy theroys doesn't it?  And it probably isn't
> true, but stranger things have happened :-)
> 

-- 
Gregory A. Gilliss, CISSP                              E-mail: greg@...liss.com
Computer Security                             WWW: http://www.gilliss.com/greg/
PGP Key fingerprint 2F 0B 70 AE 5F 8E 71 7A 2D 86 52 BA B7 83 D9 B4 14 0E 8C A3


Powered by blists - more mailing lists