Full Disclosure mailing list archives
RE: Half-Life 2 source code stolen through IE exploit
From: "Joe" <mvp () joeware net>
Date: Mon, 6 Oct 2003 19:13:59 -0400
Actually no, this isn't a "*clear cut* case where Microsoft is completely at fault and the admins are completely innocent". They don't know what the hole was. They are, in Gabe's word's, "SPECULATING" that it was a preview pane overflow in Outlook that got key loggers onto the machines. That plus a "customized" version of RemoteAnywhere. Again, speculation. They don't know. If they don't know, certainly neither do you nor I. What we do know is that the overall security was extremely lax and that they can't tell you who downloaded a copy of the company cirtical source tree or even what day it occurred just that it was "around" 9/19. A source tree that A. Shouldn't be available to the internet B. Should require very special LOGGED authentication to touch C. Should have every access whether read or write logged in triplicate. And actually, the only OS that is known to be involved is for a desktop, the server could have been something else that actually contained the source tree. Even if I said for arguments sake, the compromise of the desktop was entirely the fault of MS, that data never should have been able to be pulled through the firewall and that is not MS's fault. If you didn't look at the link I posted last time with Gabe's comments, they are worth looking at - http://www.neowin.net/comments.php?id=14171&category=gamers. Plus the additional comments at the bottom which are: Update: An email transcript dated the 27th of September (that I won't link to) highlights security flaws in Valve's operations, and mentions that some members of Valve were pushing for a peer-to-peer distribution method for Half-Life 2 shortly before release, in the hope of not crippling the direct download servers, and leaving Steam customers without their game. In the email, the owner of a Half-Life 2 fan site tricked another Valve employee into thinking he was someone else, and then got confidential information from him. Significantly, the Valve employee stated that they - at the time - had no email verification software, and so emails could be faked by a skillful hacker. Presumably security has now been tightened. joe -----Original Message----- From: full-disclosure-admin () lists netsys com [mailto:full-disclosure-admin () lists netsys com] On Behalf Of Schmehl, Paul L Sent: Monday, October 06, 2003 2:32 PM To: full-disclosure () lists netsys com Cc: nick () virus-l demon co uk <SNIP> So this is a *clear cut* case where Microsoft is completely at fault and the admins are completely innocent (other than the side issues of whether or not they should have development servers on the Internet or not and whether or not they should use Microsoft products at all.) Paul Schmehl (pauls () utdallas edu) Adjunct Information Security Officer _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- RE: Half-Life 2 source code stolen through IE exploit Trey Mujakporue/UK/Tesco (Oct 06)
- <Possible follow-ups>
- RE: Half-Life 2 source code stolen through IE exploit Brown, Rodrick (Oct 06)
- Re: Half-Life 2 source code stolen through IE exploit Valdis . Kletnieks (Oct 09)
- RE: Half-Life 2 source code stolen through IE exploit Schmehl, Paul L (Oct 06)
- RE: Half-Life 2 source code stolen through IE exploit Joe (Oct 06)