Open Source and information security mailing list archives
 
Date: Tue May 24 10:59:12 2005
From: mail at hackingspirits.com (Debasis Mohanty)
Subject: Defeating Microsoft WGA Validation Check

Justin, 

I have been working on WGA for the past 2 months and this particular issue was
found by me in the first week of April, 2005. It seems that you too
discovered this issue and posted it before me. I am absolutely not surprised
that it has been posted by you 2 weeks before I posted for which I was not
unaware. However, claiming that you are the only person who discovered it,
is something I believe is unfair. 

>> The timestamp they are referring to has nothing to do with the 
>> application you download, WGA does not do anything to the application.

The timestamp also plays a good role here. Just in case you are not aware
of it, try changing the dates to an advance date, at least 8 to 12 months, then
you will see the differences. However, a small trick can be used to
circumvent it. I have had my test machines configured with all those public
betas for 1.5 months, and they are still up and running. 


>> Do not claim this as your own, I discovered this weeks ago.

After going through the link mentioned by you, I now don't rule out the case
that you posted this issue earlier than me, but however it is unfair on your
part to claim that you are the only one who discovered it. 

There could be a possibility that there are guys around who might have
discovered this issue much before me and you but have never bothered to bring
it to the public.

I am not so much interested in getting credits; in fact, my idea of posting a
bug is always to share my findings with the entire security community. That
is what FD and other security lists are all about. One thing I must say,
either way I was not aware that someone else had posted this issue before I
posted, otherwise I wouldn't have posted it. 

Before posting any of my findings, I always make sure I report it to the
vendor and other security sites like idefense, securiteam etc etc... Verify
it with the vendor and then make it public if the vendors are ok with it.

It also happened once earlier that I reported one bug on "MAP tag url
spoofing" to idefense but then later on the same day while surfing a few
security sites I found that the same issue was already discovered and posted
by someone else. I had to stop my posting to FD and other sec sites. It is
still lying as a hidden info on my site. 

You can find it here: 
http://www.hackingspirits.com/vuln-rnd/map-urlspoof-demo.html

Hence, it can also happen that a particular issue / bug can be found by
multiple researchers who are unaware of others' findings, but that doesn't
mean the one who posted first is the first one and the only one to find it. 

If you have discovered this issue before me then definitely you deserve the
credits, but however it can now become a debate who found it first. I am not
so much interested in the credits; rather, I am more interested in uncovering
such issues to this community. 


>> Justin Allen (a.k.a. poedguy)

Debasis Mohanty (a.k.a. Tr0y)
www.hackingspirits.com



-----Original Message-----
From: full-disclosure-bounces@...ts.grok.org.uk
[mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf Of Justin Allen
Sent: Tuesday, May 24, 2005 8:27 AM
To: full-disclosure@...ts.grok.org.uk
Subject: Re: [Full-disclosure] Defeating Microsoft WGA Validation Check

This was posted on xillioncomputers.com on May 9 and can be found at: 
http://www.xillioncomputers.com/modules.php?name=News&file=article&sid=336

The timestamp they are referring to has nothing to do with the 
application you download, WGA does not do anything to the application. 
It simply "verifies" your copy of windows and allows you to download the 
application. The timestamp is quite simply to make sure you do not use 
the same code over and over and that you generate a new one each time 
you want to download something from the Microsoft download center.

Do not claim this as your own, I discovered this weeks ago.

Justin Allen (a.k.a. poedguy)