Full Disclosure mailing list archives

Re: InfoSec sleuths beware ...


From: "Gregory A. Gilliss" <ggilliss () netpublishing com>
Date: Thu, 19 Feb 2004 13:31:37 -0800

All,

I do not have the source code (and who needs hundreds of Megs of bad code
anyway). Therefore I cannot reference *which* parts of W2K/WXP were
stolen/leaked. Has anyone who knows anyone who has seen the legit (203M)
file an insight into which portions/components of the code are in the
leaked distribution? Me thinks that would provide a clue as to whether the
breach was real/intentional. For example, if what was leaked is the
"core code" then I would think that the leak is likely intentional
(since who here, without knowing, could look at the source and grab
the pertinent modules, unless Microsoft's CVS tree is much more organized
than the rest of their operation :-). However if the source is all over
the map - i.e. core/active directory/DHCP server/whatever maybe the leak 
is legit. Who knows?

Just trying to help brainstorm the topic ~%-O

G

On or about 2004.02.18 20:39:46 +0000, madsaxon (madsaxon () direcway com) said:

You missed the thread:

From: Exibar  exibar () thelair com
Sun, 15 Feb 2004 12:39:25 -0500
Subject: Microsoft source code "leak"

Anyone ever think that perhaps Microsoft "leaked" this section of code on
purpose?  Right now there are 1,000's of hacker types and curious types
poring over that code looking for flaws.  Sounds like there was already a
flaw found using a signed integer as an offset, I've also heard that there
is an exploited version of Notepad floating around now too...

  Microsoft can't pay to have this kind of QA done in house (who could?), 
so why not release a piece of source and let everyone do it for them?

  Could be that it's a clever way to distract from the ASN.1 flaw that was
found too... release a bit of code that is meaningless and the exploit
writers will be too busy looking through that code to write a huge exploit
for ASN.1?

  Ok, sounds like a conspiracy theory doesn't it?  And it probably isn't
true, but stranger things have happened :-)


-- 
Gregory A. Gilliss, CISSP                              E-mail: greg () gilliss com
Computer Security                             WWW: http://www.gilliss.com/greg/
PGP Key fingerprint 2F 0B 70 AE 5F 8E 71 7A 2D 86 52 BA B7 83 D9 B4 14 0E 8C A3

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

