Date: Wed, 07 May 2008 21:26:05 -0500
From: Paul Schmehl <pauls@...allas.edu>
To: "J. Oquendo" <sil@...iltrated.net>
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: Re: Microsot DID DISCLOSE potential Backdoor

--On May 7, 2008 6:45:12 PM -0500 "J. Oquendo" <sil@...iltrated.net> wrote:

> On Wed, 07 May 2008, Paul Schmehl wrote:
>
>> Please point to the part where they are "relying on IP" when they
>> explicitly state "No identifiable personal information that is related
>> to you ***or to the computer*** is sent...."
>
> What's going on Paul. You're right. "No identifiable personal information
> that is related to you ***(adding more stars for emphasis)****** or to
> the computer ******* is sent..."
>
> Mea culpa. For a moment here I thought LEA's used IP as an identifier in
> courts of law. Silly me.

And that relates to the MSRT how?
>
> So before you argue back with "but your IP information is not sent!"
> really? And how did the information from your machine get there? Smoke
> signals?
>

Now you're being silly.  You're claiming that *realtime connection 
information* is included in the data that is sent but without any grounds 
to do so and despite Microsoft's claims to the contrary.  And without any 
proof.

> As for "sniffing the wire" to see what MS is sending. Sort of difficult
> to do. 1) I'm not on Windows that much. 2) When I am on Windows, the
> machines I use are sanitized.
>

You might try it some time.  Getting the facts beats wild speculation and 
hyperbole every time.  I just installed MSRT on my laptop and ran it while 
Wireshark was monitoring all external communications.  It sent exactly 
*zero* information to MS.

I'm no Microsoft fan by any stretch of the imagination (my preferred 
platforms are FreeBSD and Mac OS X), but I'm also not a paranoid fool.

> Furthermore, if you go back to the original article in PC World, I
> don't know about you but to me it's in black and white the correlation.
> I don't know anyone who begins to talk about one thing, then goes off
> into a completely different tangent in the next paragraph: "Information
> obtained from WMSRT etc, etc, etc,..." ... "Officials were able to
> identify..."
>
> If at any point anyone here including LEA's believes wholeheartedly
> there is nothing wrong with this in the sense it doesn't have a huge
> potential for abuse (not the information sent by WMSRT but the
> concept of using data WITHOUT NOTIFYING THE USER), if none have
> qualms with this, you're in the wrong business (security).
>

Not all of us are consumed by paranoia and unfounded fears.  Some of us 
actually approach security from a rational, intelligent perspective and 
attempt to mitigate risks to the best of our abilities while accepting the 
fact that we can't stop every attack.

> I should make it a point to point out the flaws in the system but
> alas that would lead to a complete misunderstanding of it. With this
> said, here is a scenario for you Paul... Let's say I despised you.
> Let's say I AM A BOTNET operator. Let's say I take my EXISTING botnet
> and tweak the logged information being sent to Microsoft. I don't
> know... I guess I'll make it look as YOUR NETWORK is a CNC for a
> large botnet. I can only imagine 1) You will be going through an
> insane ghost analysis for something that doesn't exist after being
> raided... 2) Frustrated as an engineer since you know for a fact
> there is no damn reason a LEA should be even talking to you.
>

Again, this has *what* to do with the MSRT?

> Look I can think of the horrors behind this. If you can't see it
> again, perhaps you and I aren't on the same level of thinking
> outside of the box. The abusive side of "hacking" and I won't go
> into the political bs of what a hacker is or does or is supposed
> to be.

I don't consider fantasizing about bogeymen "thinking outside the box".

Paul Schmehl (pauls@...allas.edu)
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
