>From: James Wilkinson [mailto:[EMAIL PROTECTED]]
>
>On Fri, 27 Oct 2000, chesty generated:
>
>>On Fri, Oct 27, 2000 at 10:12:12AM +0100, Jim Hague wrote:
>>> Today's food for thought. You have obtained the entire source for, say, W2k and
>>> O2k. What do you do with it?
>>
>>Fix some bugs and send patch back to MS? maybe not :)
>
>Actually, I'd prolly browse some of it when really really bored, looking
>for programming errors (and finding many)... "they use _what_ for a
>character input??... and this buffer has a hardcoded size?"
>
>The number of exploits that could be found for W2K given the source.  A
>crax0rs dream.

My understanding of the hack was:

They didn't get NT/9x/Office source.  They got "new unreleased projects"
(probably .NET stuff by the sound of it).

If they did get NT source, I really doubt they could find bugs by inspecting
the code.  Where do you start in 50 million lines of layered calls?  Hell,
people find bugs in Linux sources that have been there for ages and that
source code is looked at all the time.

I don't even know that anything better than social engineering was used to
hack the system - get someone to run an untrusted executable and you're
there.  Under a non-MS system the 'hack' is exactly the same: get someone to
run the untrusted executable and crawl around for .cvsrc files with the
passwords in them.  Make the assumption that cvs passwords may be the same
as other passwords and work from there.

Note also the article on /. that any use of this code will probably sink an
OSS project.  Realistically I'm not so sure that this hack has any real
positive benefit for OSS other than embarrassing M$ and giving the media
something to go nuts about for a while.

John Wiltshire


-- 
SLUG - Sydney Linux User Group Mailing List - http://slug.org.au/
More Info: http://slug.org.au/lists/listinfo/slug
