Message-ID: <4235F7CA.9050600@sdf.lonestar.org>
From: bkfsec at sdf.lonestar.org (bkfsec)
Subject: Re: Microsoft to give holes info to Uncle Sam

Nick FitzGerald wrote:

>And does anyone really think it's entirely coincidental that the 
>creator of the Morris worm (Robert Tappan (sp?) Morris Jr.) was the son 
>of Robert T. Morris, the chief scientist of the NSA's National Computer 
>Security Center?  (No conspiracy theory here, but the old adage "like 
>father, like son" springs to mind...)
Well, it goes back even further than that.  In a sense, breaking cyphers 
during the various wars can be considered finding holes in algorithms, 
just not the kind we're thinking of.

Aside from donning my own tin-foil hat (which, as much as I would like 
to put it on), there are numerous legitimate reasons that I can think of 
why the US government would want to have the patches and exploits before 
the public:

       - Early warning.
       - Early patch planning.  (Though not widespread, it would never 
         remain a secret.)
       - Access to the data early enough in the Q&A cycle to begin 
         looking for groups that might use that hole to attack US infrastructure.

Now, donning my own tin-foil hat, I can say that I wouldn't doubt if 
they were collecting these exploits for their own early-use scenarios... 
having said that, I also am quite sure that the military has their own 
bug finders that they can train and employ at length to look for 
exploitable code, and access to more of the code than most security 
community members have... so I wouldn't think that they'd be terribly 
handicapped if deprived of information from vendors.

                   -Barry
