Full Disclosure mailing list archives

RE: RE: W2K source "leaked"?


From: Paul Schmehl <pauls () utdallas edu>
Date: Fri, 13 Feb 2004 20:22:32 -0600

--On Saturday, February 14, 2004 1:35 AM +0100 Tobias Weisserth <tobias () weisserth de> wrote:

Hi Paul,

Odd.  I would have thought the answer was self-evident.  You take the
standard precautions that every security person should know.

So just because the source code hasn't been leaked until now means
people were not obliged to take these precautions? A weak point, don't
you think?

No, that's not what I meant at all. The fact is almost all software has weaknesses and flaws in it. Unless you happen to be one of those with enough time and skill to hunt down these flaws, you won't know about them until they either become public knowledge, a patch is released or you experience a compromise.

In the meantime, what can you do? The same thing you always have to do. Take the appropriate security precautions. Unfortunately far too many wait until they have a problem to take those steps.

So what you are saying here, reduced to the essence, is that the only
"preparation" we can do as an answer to the leaking are the same
precautions we are doing all the time anyway?!

Yes, unless you are able to determine what, if any, flaws are in the software. Not many can do that.

I have to agree with the initial doubting question then that there is hardly
anything we can do but sit and wait and apply standard security
precautions we would have anyway. We're talking about closed source
software here. Everything customers can do is to sit and wait for
patches from MS if there's a problem.

Personally I don't think this leak will unavoidably lead to a serious
increase of heavy and even sneakier exploits. We already have them.
The last week has been evidence enough. Maybe this will even lead to
more security as customers with the capacity will have the potential to
identify possible threats themselves and point them out to MS ;-)

I suspect that flaws will probably be found. After all, they already have been found without the source. It's only logical that with the source in hand more flaws will be found.

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html