Full Disclosure mailing list archives
RE: Defeating Microsoft WGA Validation Check
From: "Debasis Mohanty" <mail () hackingspirits com>
Date: Tue, 24 May 2005 15:28:43 +0530
Justin, I have been working on WGA for the past 2 months and this particular issue was found by me in the first week of April, 2005. It seems that you too discovered this issue and posted it before me. I am absolutely not surprised that it was posted by you 2 weeks before I posted, for which I was not unaware. However, claiming that you are the only person who discovered it is something I believe is unfair.
The timestamp they are referring to has nothing to do with the application you download, WGA does not do anything to the application.
The timestamp also plays a good role here. Just in case you are not aware of it, try changing the dates to an advance date at least 8 to 12 months, then you will see the differences. However, a small trick can be used to circumvent it. I have had my test machines configured with all those public betas for 1.5 months and they are still up and running.
Do not claim this as your own, I discovered this weeks ago.
After going through the link mentioned by you, I now don't rule out the case that you posted this issue earlier than me, but it is unfair on your part to claim that you are the only one who discovered it. There could be a possibility that there are guys around who might have discovered this issue much before me and you but have never bothered to bring it to the public. I am not so much interested in getting credits; in fact, my idea of posting a bug is always to share my findings with the entire security community. That is what FD and other security lists are all about. One thing I must say: either way, I was not aware that someone else had posted this issue before I posted, otherwise I wouldn't have posted it.
Before posting any of my findings, I always make sure I report them to the vendor and other security sites like idefense, securiteam, etc., verify them with the vendor and then make them public if the vendors are OK with it. It also happened once earlier that I reported one bug on "MAP tag url spoofing" to idefense but then later on the same day, while surfing a few security sites, I found that the same issue was already discovered and posted by someone else. I had to stop my posting to FD and other sec sites. It is still lying as hidden info on my site. You can find it here: http://www.hackingspirits.com/vuln-rnd/map-urlspoof-demo.html
Hence, it can also happen that a particular issue / bug can be found by multiple researchers who are unaware of others' findings, but that doesn't mean the one who posted first is the first one and the only one to find it. If you have discovered this issue before me then definitely you deserve the credits; however, it can now become a debate who found it first. I am not so much interested in the credits; rather, I am more interested in uncovering such issues to this community.
Justin Allen (a.k.a. poedguy)
Debasis Mohanty (a.k.a. Tr0y)
www.hackingspirits.com

-----Original Message-----
From: full-disclosure-bounces () lists grok org uk [mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of Justin Allen
Sent: Tuesday, May 24, 2005 8:27 AM
To: full-disclosure () lists grok org uk
Subject: Re: [Full-disclosure] Defeating Microsoft WGA Validation Check

This was posted on xillioncomputers.com on May 9 and can be found at:
http://www.xillioncomputers.com/modules.php?name=News&file=article&sid=336

The timestamp they are referring to has nothing to do with the application you download, WGA does not do anything to the application. It simply "verifies" your copy of windows and allows you to download the application. The timestamp is quite simply to make sure you do not use the same code over and over and that you generate a new one each time you want to download something from the Microsoft download center.

Do not claim this as your own, I discovered this weeks ago.

Justin Allen (a.k.a. poedguy)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/