Full Disclosure mailing list archives
Re: InfoSec sleuths beware ...
From: "Gregory A. Gilliss" <ggilliss () netpublishing com>
Date: Thu, 19 Feb 2004 13:31:37 -0800
All, I do not have the source code (and who needs hundreds of Megs of bad code anyway). Therefore I cannot reference *which* parts of W2K/WXP were stolen/leaked. Has anyone who knows anyone who has seen the legit (203M) file an insight into which portions/components of the code are in the leaked distribution? Me thinks that would provide a clue as to whether the breach was real/intentional. For example, if what was leaked is the "core code" then I would think that the leak is likely intentional (since who here, without knowing, could look at the source and grab the pertinent modules, unless Microsoft's CVS tree is much more organized thatn the rest of their operation :-). However if the source is all over the map - i.e. core/active directory/DHCP server/whatever maybe the leak is legit. Who knows? Just trying to help brainstorm the topic ~%-O G On or about 2004.02.18 20:39:46 +0000, madsaxon (madsaxon () direcway com) said:
You missed the thread: From: Exibar exibar () thelair com Sun, 15 Feb 2004 12:39:25 -0500 Subject: Microsoft source code "leak" Anyone ever think that perhaps Microsoft "leaked" this section of code on purpose? Right now there are 1,000's of hacker types and curious types pouring over that code looking for flaws. Sounds like there was already a flaw found using a signed integer as an offset, I've also heard that there is an exploited version of Notepad floating around now too... Microsoft can't pay to have this kind of QA done in house (who could?), so why not release a piece of source and let everyone do it for them? Could be that it's a clever way to distract from the ASN.1 flaw that was found too... release a bit of code that is meaningless and the exploit writers will be too busy looking through that code to write a huge exploit for ASN.1? Ok, sounds like a conspiracy theroys doesn't it? And it probably isn't true, but stranger things have happened :-)
-- Gregory A. Gilliss, CISSP E-mail: greg () gilliss com Computer Security WWW: http://www.gilliss.com/greg/ PGP Key fingerprint 2F 0B 70 AE 5F 8E 71 7A 2D 86 52 BA B7 83 D9 B4 14 0E 8C A3 _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- RE: InfoSec sleuths beware ..., (continued)
- RE: InfoSec sleuths beware ... Aditya, ALD [Aditya Lalit Deshmukh] (Feb 19)
- Re: InfoSec sleuths beware ... madsaxon (Feb 18)
- Re: InfoSec sleuths beware ... Byron Copeland (Feb 18)
- Re: InfoSec sleuths beware ... madsaxon (Feb 18)
- Re: InfoSec sleuths beware ... Exibar (Feb 19)
- Re: InfoSec sleuths beware ... Dave Horsfall (Feb 19)
- Re: InfoSec sleuths beware ... Exibar (Feb 19)
- Re: InfoSec sleuths beware ... michael williamson (Feb 19)
- Re: InfoSec sleuths beware ... Calum (Feb 19)
- Re: InfoSec sleuths beware ... Dave Horsfall (Feb 20)
- Re: InfoSec sleuths beware ... Gregory A. Gilliss (Feb 19)