Full Disclosure mailing list archives
RE: RE: W2K source "leaked"?
From: Paul Schmehl <pauls () utdallas edu>
Date: Fri, 13 Feb 2004 20:22:32 -0600
--On Saturday, February 14, 2004 1:35 AM +0100 Tobias Weisserth <tobias () weisserth de> wrote:
> Hi Paul,
>
>> Odd. I would have thought the answer was self evident. You take the standard precautions that every security person should know.
>
> So just because the source code hasn't been leaked until now means people were not obliged to take these precautions? A weak point, don't you think?

No, that's not what I meant at all. The fact is almost all software has weaknesses and flaws in it. Unless you happen to be one of those with enough time and skill to hunt down these flaws, you won't know about them until they either become public knowledge, a patch is released or you experience a compromise.
In the meantime, what can you do? The same thing you always have to do. Take the appropriate security precautions. Unfortunately far too many wait until they have a problem to take those steps.
> So what you are saying here, reduced to the essence, is that the only "preparation" we can do as an answer to the leaking are the same precautions we are doing all the time anyway?!

Yes, unless you are able to determine what, if any, flaws are in the software. Not many can do that.

> I have to agree the initial doubting question then that there is hardly anything we can do but sit and wait and apply standard security precautions we would have anyway. We're talking about closed source software here. Everything customers can do is to sit and wait for patches from MS if there's a problem. Personally I don't think this leak will unavoidably lead to a serious increase of heavy and even more sneakier exploits. We already have them. The last week has been evidence enough. Maybe this will even lead to more security as customers with the capacity will have the potential to identify possible threats themselves and point them out to MS ;-)

I suspect that flaws will probably be found. After all, they already have been found without the source. It's only logical that with the source in hand more flaws will be found.

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html