Date: Mon, 22 Dec 2008 11:16:40 -0500
From: Valdis.Kletnieks@...edu
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Microsoft issues out-of-band patch

On Fri, 19 Dec 2008 20:23:57 GMT, n3td3v said:
> You're giving the bad guys clues on what to avoid or will the bad guys
> be aware of all the possible attack vectors the government might be
> using already?

Hint: Think about the attack vectors the government can use to deliver
what is essentially malware, and the attack vectors the bad guys can use
to do the same thing.

They're essentially the same, except that the government has a few more
options on how to implement "cause a major vendor to ship a backdoored
update". Note that OpenSSH, Sendmail, and recently Redhat/Fedora (among
many others) have all had issues in the past with this, even without
governmental interference.

However, note that although the government *could* possibly pull off such a
trick, their hands are somewhat tied, for the exact same reason why in WWII,
the Allies couldn't take full advantage of having broken Enigma, going so far
as to intentionally let some convoys get sunk rather than letting the Germans
know Enigma had been broken.
