On Fri, Feb 13, 2004 at 03:44:55PM -0500, Mark Renouf wrote:
> >Click here, then OPEN the file:
> >http://torrent.spyderlake.com/download.php?info_hash=f03fc1e04869294d5644d3c8c5d0fb8f2d26aa59
>
> Um, now was that really necessary?

Yeah, because, you know, this isn't full-disclosure or anything.

Why would it be appropriate to discuss security vulnerabilities to which the vendor has not yet responded, and yet inappropriate to discuss files that are now in the public domain? (It doesn't matter if they were stolen: the cat's out of the bag. If they were leaked against contract language, that's an argument between MSFT and the leaker.)

> Granted, at this point most anyone who bothered to look now has a copy
> of it, but still... I wouldn't be posting public links.

To what end? So that those in the infosec community who weren't on their favorite p2p or IRC network on Thursday evening don't have the opportunity to see and be prepared for the results of what the black hat community is already using to write new exploits?

How could it benefit anyone to keep this secret at this point? The "bad" guys already have this information. The sooner responsible individuals also review the source and notify MSFT, the better.

On Fri, Feb 13, 2004 at 07:28:51PM +0100, B3r3n wrote:
> I would like to recall that 99% of what peer-to-peer tools are sharing are
> illegal copies.

Huh? That sentence doesn't even make sense. Copies of what?

> Could you please simply indicate to us what file is behind this hash?

I don't think you understand how BitTorrent functions. It's not possible to provide an answer to that question.

On Sat, Feb 14, 2004 at 02:44:08AM +0100, Diego Calleja wrote:
> Microsoft is obviously going to attack any site doing that. In fact, just
> look at the previous links given in this list: they've already disappeared.
> And their lawyers will call your phone soon, if you own that site.

That's FUD. Earlier sites are far more likely to have stopped carrying these files because of the bandwidth pain they experienced. Posting a torrent publicly is a great way to reduce everyone's bandwidth usage.

> Sincerely, I'd try to think about the consequences. I.e., how much time it is going
> to take hackers to start looking for vulnerabilities.

They already are. How about the respectable security folks get the opportunity to do so as well?

> How is everybody outside the internet going to ACK making P2P
> and other things illegal if worms start to appear?

FUD again.

> And mainly, what market strategies is Microsoft going to follow
> with NT, now that it's just *NOT* possible to stop the leak... (i.e., now that
> they fucked us up and everybody has it, why not just open all the code?)

What color is the sky where you live? It is, in no way, in Microsoft's best interest for more of their code to become public. It's fine (and easily supportable) that OSS is more secure in the long run because of the greater number of eyes on it. That's true because that source has always been publicly available. Exposing more of MSFT's secure-through-obscurity source will only expose more security problems than anyone could hope to fix quickly enough.

--
gabriel rosenkoetter
gr@eclipsed.net