RE: Half-Life 2 source code stolen through IE exploit

["Joe" <mvp () joeware net>]

Actually no, this isn't a "*clear cut* case where Microsoft is completely at
fault and the admins are completely innocent". They don't know what the hole
was. 

They are, in Gabe's word's, "SPECULATING" that it was a preview pane
overflow in Outlook that got key loggers onto the machines. That plus a
"customized" version of RemoteAnywhere. 

Again, speculation. They don't know. If they don't know, certainly neither
do you nor I. What we do know is that the overall security was extremely lax
and that they can't tell you who downloaded a copy of the company cirtical
source tree or even what day it occurred just that it was "around" 9/19. A
source tree that 

A. Shouldn't be available to the internet
B. Should require very special LOGGED authentication to touch
C. Should have every access whether read or write logged in triplicate.

And actually, the only OS that is known to be involved is for a desktop, the
server could have been something else that actually contained the source
tree. 

Even if I said for arguments sake, the compromise of the desktop was
entirely the fault of MS, that data never should have been able to be pulled
through the firewall and that is not MS's fault. 


If you didn't look at the link I posted last time with Gabe's comments, they
are worth looking at -
http://www.neowin.net/comments.php?id=14171&category=gamers. Plus the
additional comments at the bottom which are:


Update: An email transcript dated the 27th of September (that I won't link
to) highlights security flaws in Valve's operations, and mentions that some
members of Valve were pushing for a peer-to-peer distribution method for
Half-Life 2 shortly before release, in the hope of not crippling the direct
download servers, and leaving Steam customers without their game. 

In the email, the owner of a Half-Life 2 fan site tricked another Valve
employee into thinking he was someone else, and then got confidential
information from him. Significantly, the Valve employee stated that they -
at the time - had no email verification software, and so emails could be
faked by a skillful hacker. Presumably security has now been tightened.


    joe




-----Original Message-----
From: full-disclosure-admin () lists netsys com
[mailto:full-disclosure-admin () lists netsys com] On Behalf Of Schmehl, Paul L
Sent: Monday, October 06, 2003 2:32 PM
To: full-disclosure () lists netsys com
Cc: nick () virus-l demon co uk

<SNIP>

So this is a *clear cut* case where Microsoft is completely at fault and the
admins are completely innocent (other than the side issues of whether or not
they should have development servers on the Internet or not and whether or
not they should use Microsoft products at all.)

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html