Full Disclosure mailing list archives

RE: Microsoft confirms source code leak

From: Ron DuFresne <dufresne () winternet com>
Date: Fri, 13 Feb 2004 14:35:41 -0600 (CST)

On Fri, 13 Feb 2004, Bernie, CTA wrote:

On 13 Feb 2004 at 7:32, Edward W. Ray wrote:

"Does it not appear that the leak could have been done to ensure
that M$ has a legal argument to abate liability in case they are
sued?"

I think their EULA which you accept when installing covers their
ass for just about anything.

<<<
This may be true where WIN OS based box is deployed in a
commercial environment. However, I think their EULA is trumped
by the new US Federal Regulations (HIPAA, DHS, CFR, etc) if the
Microsoft knew or should of known that their Win OS was going to
be deployed in a solution that was designed to ensure the
security (integrity, confidentiality, accessibility) of people,
premises, critical infrastructure, systems, resources or data
and knew or should have known that their Win OS had
flaws/vulnerabilities which could be exploited to threaten such
security and failed to disclose such flaws/vulnerabilities to
the buyer.

At minimum, the new regulations require that all known
Privacy/Security Risks be disclosed and safeguards, policies and
procedures be put in place to mitigate these risks.

--


Yes, but, remember NT was<is?> c2 level certified <COUGH>.

And the M$ stance is going to be that the systems were not properly
admin'ed and locked down prior to the 'code leak'.  But, one has to love
how well security thru obscurity has worked for redmond all these years.

Proprietary code has not really had any affect in well over 10+ years of
the discovery, poc/info release, virus/trojan, patch-to-late cycle...

okay whose been violating all those NDA's to help perpetuate this mess?

Thanks,

Ron DuFresne
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
        ***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Current thread:

Microsoft confirms source code leak Thor Larholm (Feb 12)
- Re: Microsoft confirms source code leak Bernie, CTA (Feb 13)
  - RE: Microsoft confirms source code leak Edward W. Ray (Feb 13)
    - Re: Microsoft confirms source code leak Valdis . Kletnieks (Feb 13)
    - RE: Microsoft confirms source code leak Bernie, CTA (Feb 13)
    - Re: Microsoft confirms source code leak Cael Abal (Feb 13)
    - RE: Microsoft confirms source code leak Ron DuFresne (Feb 13)
    - RE: Microsoft confirms source code leak Roy M. Silvernail (Feb 13)
    - Re: Microsoft confirms source code leak Jeremiah Cornelius (Feb 13)
    - Re: Microsoft confirms source code leak Valdis . Kletnieks (Feb 13)
  - Re: Microsoft confirms source code leak Clint Bodungen (Feb 13)
- <Possible follow-ups>
- RE: Microsoft confirms source code leak Andre Ludwig (Feb 12)
  - RE: Microsoft confirms source code leak Byron Copeland (Feb 12)
    - Re: Microsoft confirms source code leak Benjamin Meade (Feb 13)