Peter L. Peres wrote:

> On Fri, 28 Feb 2003, Larry Reynolds wrote:
>
> > Listers,
> >
> > Does anyone here have a clue as to WHY Microsoft is giving Windows
> > source code away??? I have no love for M/S, but this is just beyond
> > me....
>
> The main reason is the fear of the clients that there may be backdoors
> built in by certain organizations. The secondary fear (and the largest
> imho) is that the respective clients (governments) will be exposed to
> electronic annihilation by an enemy or terrorists if they do not
> discover and plan for problems with that software.
>
> Then there is law enforcement. As in taxes and kiddie pr0n (did they
> register pr0n in hempest or not?).
>
> I hope that nobody misses the significance of the frequency of exploit
> reports on Windows and major apps (like IE and IIS and Outlook) in
> lists like SecurityFocus. Once a week, at least one, for as long as I
> have been subscribed.
>
> The arithmetic is simple. If random individuals find 1 exploitable
> bug per week, basically forever, how many exploitable bugs will a
> potentially unfriendly foreign government's experts find within that
> time, and what will they do to you with what they find?
>
> > My gut feeling is that this will come back to haunt them.
>
> It already does. They are sort of doing it under duress from the open
> source community (whose source is accessible, also to foes, and it
> does the foes little good so far; the things are robust most of the
> time). The L word was mentioned in at least two articles referring to
> the release of source code.
>
> Peter

Here is my take on these things, whether you want to hear it or not. ;-D

I view the Nimda, Code-Red and Slammer incidents as proof-of-concept attacks. Nothing really malicious, just a study in timing and human behavior.
Nimda demonstrated how few admins actually take the proper preliminary protections, and Code-Red (or was CR first?) proved that even after an incident, most admins will not take the proper measures. The correct fix for the first attack was to wipe the drive and start over; CR proved that they wouldn't follow good advice because of laziness.

Slammer showed that refining your attack algorithm could shrink the time required to infect a large part of the population by orders of magnitude. (Trivia fact: Slammer took a whole 10 minutes to do its job worldwide; Code-Red took about 12 hours IIRC.)

If something like Slammer were released and it packed a nasty, instant-acting CIH-type payload to drop onto the non-server machines discovered during probing, and then killed the infected server after 15 minutes of infection, it could cause great damage to a vast number of machines, perhaps permanent damage (like BIOS wiping). So in less than 30 minutes, a country (such as the US) could be brought to its knees thanks to MS's lackadaisical mentality when it comes to taking security seriously.

What do you guys think? Am I paranoid?

michael brown
(I trust Linux, because I can see the code and people fix security problems within 24-48 hours of discovery)

"In the land of the blind, he who has one eye is king"

--
http://www.piclist.com hint: The PICList is archived three different ways.
See http://www.piclist.com/#archives for details.
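The timing point in Michael's post (that a faster scanning strategy shrinks time-to-saturation by orders of magnitude) can be made concrete with the standard random-constant-spread model of a uniformly scanning worm. The code below is an added illustration written for this archive page; it is not code from the thread or from either worm. The vulnerable-population sizes and per-host probe rates it uses (a "Code-Red-like" run at 360,000 hosts and 10 probes per second, a "Slammer-like" run at 75,000 hosts and 4,000 probes per second) are rough assumptions chosen for illustration, and the model ignores bandwidth saturation, patching and firewalling, so it will not reproduce the real 12-hour and 10-minute figures exactly. What it does show is that scan rate alone, with the same infection logic, moves the clock by roughly two orders of magnitude.

```python
"""Random-scan worm propagation model (added illustration, not from the
PICList thread). Each infected host sends probes_per_tick probes per tick
at uniformly random IPv4 addresses; a probe that lands on a not-yet-infected
vulnerable host infects it. Parameter values are assumptions, not measured
worm data."""

import math

IPV4_SPACE = 2 ** 32  # address space a uniform random scanner draws from


def ticks_to_fraction(vulnerable, probes_per_tick, target_frac=0.9,
                      initial_infected=1, max_ticks=10_000_000):
    """Deterministic (expected-value) discrete-time model.

    Returns the number of ticks (seconds, if probes_per_tick is per second)
    until target_frac of the vulnerable population is infected, or None if
    that never happens within max_ticks.
    """
    if vulnerable <= 0 or initial_infected <= 0:
        raise ValueError("population and seed must be positive")
    target = target_frac * vulnerable
    infected = float(min(initial_infected, vulnerable))
    if infected >= target:
        return 0
    for tick in range(1, max_ticks + 1):
        # Probability that one random probe hits a still-susceptible host.
        p_hit = (vulnerable - infected) / IPV4_SPACE
        infected += infected * probes_per_tick * p_hit
        infected = min(infected, vulnerable)
        if infected >= target:
            return tick
    return None


def logistic_closed_form(vulnerable, probes_per_tick, target_frac=0.9,
                         initial_infected=1):
    """Continuous-time logistic solution of the same model, for comparison.

    With k = probes_per_tick * vulnerable / IPV4_SPACE the infected count
    follows dI/dt = k * I * (1 - I/V), whose solution gives the time below.
    """
    k = probes_per_tick * vulnerable / IPV4_SPACE
    i0 = initial_infected
    it = target_frac * vulnerable
    return math.log((it / (vulnerable - it)) * ((vulnerable - i0) / i0)) / k


def compare_scenarios(scenarios):
    """Run each (name, vulnerable, probes_per_tick) and return a dict of
    name -> ticks to 90% infection, plus the slowest/fastest ratio."""
    results = {name: ticks_to_fraction(v, r) for name, v, r in scenarios}
    slowest = max(results.values())
    fastest = min(results.values())
    results["speedup"] = slowest / fastest
    return results


# Constructed, assumed scenarios (not measured worm telemetry).
SCENARIOS = [
    ("code-red-like", 360_000, 10),     # many hosts, slow threaded scanner
    ("slammer-like", 75_000, 4_000),    # fewer hosts, single-packet UDP scanner
]

if __name__ == "__main__":
    for name, v, r in SCENARIOS:
        t = ticks_to_fraction(v, r)
        print(f"{name:14s} 90% infected after {t:6d} s "
              f"(closed form {logistic_closed_form(v, r):8.1f} s)")
    print("speedup:", round(compare_scenarios(SCENARIOS)["speedup"], 1), "x")
```

The closed form is included so the reader can check that the discrete loop is doing what the equation says; the two agree to within a few percent, the difference being the one-tick Euler step. Raising `probes_per_tick` is the only change between the two runs, which is exactly the "refined attack algorithm" effect the post describes: the infection curve keeps the same S-shape, it just runs on a faster clock.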