Message-ID: <8D83B0E9D9120F94D20D9706@utd65257.utdallas.edu>
Date: Thu, 08 May 2008 10:01:12 -0500
From: Paul Schmehl <pauls@...allas.edu>
To: "J. Oquendo" <sil@...iltrated.net>
Cc: full-disclosure@...ts.grok.org.uk, butraq@...urityfocus.com
Subject: Re: Microsot DID DISCLOSE potential Backdoor

--On Wednesday, May 07, 2008 22:49:40 -0500 "J. Oquendo" <sil@...iltrated.net> 
wrote:

> On Wed, 07 May 2008, Paul Schmehl wrote:
>
>> And that relates to the MSRT how?
>
> Relates to MSRT sending your information. It only sends information
> when it finds something. I never stated it sends all your information
> all the time.
>
>> Now you're being silly.  You're claiming that *realtime connection
>> information* is included in the data that is sent but without any grounds
>> to do so and despite Microsoft's claims to the contrary.  And without any
>> proof.
>>
>
> Pick up a dev machine, load it with malware, run MSRT, and sniff it. You'll
> see what it sends, and remember LEA uses IP as an identifier, bottom line.
>

Again, Microsoft states that no information of a personally identifiable 
nature, either for the individual or for the computer, is sent by the tool.  If 
you can prove that it includes the IP address, then you have proven that 
Microsoft is committing fraud.  Call your local LE and notify them of it, or 
contact the FBI.

Otherwise, this is pure speculation, and you know it.

>
> It sent zero information because it did not detect anything malicious.
> As for paranoia, it has nothing to do with paranoia. Facts. Fact 1) Is MS
> sending information from your machine to them? Yes. Fact 2) If something
> malicious is detected on your machine, will it go to MS? Yes. Fact 3) Will
> they share information obtained from YOUR machine via YOUR IP address
> with LEA? According to the MS spokesman they will. Fact 4) Can LEA
> correlate the information sent from your machine to an IP address? Yes.
>

Your fact 4 is unproven.  It's pure speculation on your part.

>
> Now according to their article and common logic, in their article they stated
> they obtained samples of the infection to track the CNC of a botnet. How they
> got this is up in the air, but with their forced update history, it's
> possible on detection they can actually send avserve.exe right back to
> themselves.
>

OK.  It's certainly possible.

> Anyhow, so I create something crafted to implicate you. Using my previous
> analogy of being a botnet CNC owner, my program implicates your network;
> you take the fall. People pull Joe Jobs all the time.
>

To implicate me, you have to find a way to include personally identifiable 
information in the packets sent from MSRT.  That would be a neat trick.

>
> A Joe Job is an unfounded fear? How about poisoning the well? What happens
> if someone reading this decides to put it to the test, nullifying any
> verifiable, concrete snapshots with garbage? Then what will become of the
> tool? e-Garbage truck?
>

You haven't proven this is even possible, much less routinely done.  The only 
Joe job going on here is in your brain.

>> I don't consider fantasizing about bogeymen "thinking outside the box".
>
> Fantasizing has nothing to do with reality. People are paying top dollars
> in life to screw someone all the time, whether it's online or not. This is
> another stupid mechanism someone can use. It's a flawed concept, albeit a
> nice idea.

Please describe, in detail, one possible way this can be done using the MSRT 
only.  Vague gesticulations won't get it.  Show packet captures that prove your 
theory.

-- 
Paul Schmehl (pauls@...allas.edu)
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
