20 replies to this topic

[anubis]

what a stupid story... everybody is talking about it and now i am, too. as it turned out it was all code that m$ gave away to universities (probably thousands of them). this whole thing is a lame pr joke at best. who would want to read that code anyway. windows was easily hacked before without anybody seeing only a smidge of code, so it hardly makes a difference now.
allthough i'd like to know what parts of windows get released to universities, for "research" as microsoft claims. looking at the kazaa search results i got a lot of people seem to be interested in the same thing as i am... also it seems that many many fake zips are floating around allready.
if anybody really downloads this crap let me know what's in it... i'm not nearly curious enough to do it.
i have this theory that all the recent software leaks are a big conspiration conceived by the companies that own the big backbones... imagine the traffic that is generated... i bet such a leak means big bucks for some people

[baldurk]

anubis said:

windows was easily hacked before without anybody seeing only a smidge of code, so it hardly makes a difference now.

AFAIK, this is complete lies. The chances of finding a buffer overflow that can be exploited is greatly increased when you can see, even partial, source.

[anubis]

so what ? the code was available to many people in universities before...
imo this is just a scam by microsoft to pull out of their shared source programm or at least a reason not to extend it

[baldurk]

I shouldn't think that everyone in the university had access to the source.

Plus, I wouldn't think it would be good publicity either. Joe Public is going to think "Microsoft got sloppy and their blueprints [sic] were stolen and now I'm going to get more viruses. I hate MS :(".

[anubis]

hearing pro microsoft words from you seems odd ;)
anyway, it's all a big talk with nothing behind it...

[davepermen]

actually, exactly buffer overruns will not be a problem anymore after sp2 for xp.. anyone not updating is doing it's own fault

(same for server 2003 of course)..

so.. the source you have is rather old, and useless.

it's really nothing big.

[baldurk]

I'd say that what I said about "Joe public" still stands, as he isn't going to install service packs. Besides, I highly doubt that MS is going to catch all the possible bugs in one patch. If they could do that, why not do it in SP1? On top of that they'll need to release service packs for 2k and NT5, AFAIK, as the code is also in them.

Buffer overruns are one example of an exploitable bug, they're not the be all and end all ;).

and anubis, I'm not being pro-microsoft, simply pointing out that I don't think they're going to benefit from this. When HL2 was leaked, they may have benefitted from people seeing the game and going "Wow! I gotta get that game!". People are unlikely to do the same for win2k :/.

[davepermen]

after all the vire-happenings, i don't know of any joe public anymore who does not have automatic update enabled.

the only ones that don't, are freaks that feel 1337. and i don't bother if they get hacked, or get vire on their systems.

but believe me, they are minority.

[davepermen]

baldurk said:

Buffer overruns are one example of an exploitable bug, they're not the be all and end all ;).

you don't know much about what microsoft really does currently, do you?

(just a question:D most linux-fans don't know that much. not sure about you..)

[donBerto]

davepermen's point is that most of the "old bugs" are actually from a backwards-compatibility layer within the newer MS OS's such that if they simply phase out/remove this layer, they'd be fairly secure.

the question then becomes, "then why don't they just do that?". a lot of businesses here in the US are still using win98 as "workstations", ballpark figure, over 30%

I read about that somewhere, maybe at securityfocus, some time back.

:yes:

[davepermen]

actually most vulnerabilities today aren't fo win9x at all..

fact is, the leaked source is a very special one. it is for win2k, with, apparently, internetexplorer5, from then and then, with these patches installed, and these not.

most of the bugs that people can detect in this source are solved and fixed yet. possibly not all. but most are.

people can not move to a new os that simple, yes. but they can, and most do, update their os if it has bugs. the only reason not to, is if the "bug is a feature" :D, means it's not allowed to solve it, it would make a program buggy that relies on it.

this code doesn't really hurt anyone.

[baldurk]

davepermen said:

you don't know much about what microsoft really does currently, do you?

no, in that I'm not that interested so I don't really read about it unless some news comes up about it.

My point wasn't specific, just that there are bugs that can be in code that can be exploited that aren't buffer overruns.

[davepermen]

fact is that microsoft works on a base that dissallows fault at compiler, and even bether, language level.

they recompile xp with vs.net 2003 for sp2, to use all the best they have to by default dissallow all of them (and they still let all sort of patches that where manual in).

this is, why .net exist, and this is, why .net is the base of longhorn.

[baldurk]

surely recompiling xp in .net will have some disadvantages?

plus of course I doubt you could simply patch xp, if there's such a great change. Would MS not wait until they release longhorn, and release that compiled in .net? This means that everyone left using 2000 and XP will still be vulnerable. Maybe I'm missing something here.

[anubis]

fact is that allthough i always install all patches and never got any virus infected mail i still get infected every once in a while. somehow windows seems less and less secure to me as they release more and more patches

[davepermen]

baldurk said:

surely recompiling xp in .net will have some disadvantages?

plus of course I doubt you could simply patch xp, if there's such a great change. Would MS not wait until they release longhorn, and release that compiled in .net? This means that everyone left using 2000 and XP will still be vulnerable. Maybe I'm missing something here.

it will be recompiled with vc.net 2003. that is a c++ compiler. it will not yet get managed (fully), and all. that will be longhorn, yes.

but xp will be recompiled with one of the best c++ compilers out there, wich can detect, and prevent, buffer overruns to be abused, and much more. he does detect tons of those wellknown bugs that programmers do that make such security holes possible, such as integer overruns, buffer overruns, and other stuff.

if you set it to report everything as error, and get something to compile without error, then you have much saver code (if you enable all savety-settings as well:D), as any windows code ever was till now. by default. for the full os.

they don't want to patch individual holes. they patch now their main fault that made such holes. their tools, the way they used c++, and all.

you miss much here, yes. but it's understandable as it's quite complex on whats really going on (and a lot of fuzz gets stated by tons of people who don't have a clue.. even in magazines, on tv.. don't need to mentoin the web, hehe:D)

[davepermen]

anubis said:

fact is that allthough i always install all patches and never got any virus infected mail i still get infected every once in a while. somehow windows seems less and less secure to me as they release more and more patches

first:
hm, never had that issue at all over the last years. i'm 100% save.. fun:D i'm about the only one, hehe..

second:
thats why they recompile windows xp completely. to prevent those patches that only fit one hole. they patched the compiler, and now fix all such holes at once.

more or less:D i wish them best luck at least. i had luck so far with them. my updates install automatically, i never really reboot the os (except some fuzzy drivers from third parties who messed stuff up and .. some funny programming expiriences i created:D)..

and my server has no attack at all since it's online again (thats, since 2004..) and never had before..

[baldurk]

to be honest, I only use linux because I prefer it's general feel to windows. Yes, I'm less likely to be infected by a virus and/or exploit, but that's a bonus rather than a reason to me.

[davepermen]

well.. i can't say much about that.. except i have a different opinion about what feels bether. i simply prefer an os that normally adopts fast to new stuff out. thats drivers, and such.

but then again, it's just opinion.

[baldurk]

that's why I try not to suggest linux for the solution to any computer bugs. I don't agree with the current movement to convert the desktop entirely to linux. I'd rather see linux as a more professional OS, as if we try to cater to the lowest common denominator, we get much of the problems windows has now. (I'm not saying that windows isn't a professional OS, but it does have some niggles about it because it has to work for computer n00bs).