[Fwd: Re: [Full-disclosure] Microsoft DNS resolver: deliberately sabotaged hosts-file lookup]

Sharing with this list in the interest of Full Disclosure. My response to Thor was rejected from bugtraq, supposedly because the thread was killed... but we all know the real reason. Since Thor was (is?) a "temporary security focus moderator" it's OK for him to flame and berate other posters (he began his post with "I won't respond anymore until there is an intelligent response" or something along those lines), but when someone corrects him for his rant it gets bounced because they have to protect their own.

With all the noise on this list, there's one thing that we should be happy about -- there is no "protect your own" mentality here like there is on other mailing lists.

As far as the content, I think that regarding the thread (which also happened here) it's germane to point out that one benefit that Microsoft derives from having the functionality of those hostnames hardcoded to avoid the hosts file is clearly in tracking and verification of licenses, regardless of whether it was their primary intent or not. So Thor's statements here are entirely inappropriate.


-------- Original Message --------
Subject: Re: [Full-disclosure] Microsoft DNS resolver: deliberately sabotaged hosts-file lookup
Date: Wed, 03 May 2006 14:15:06 -0400
From: bkfsec <bkfsec@xxxxxxxxxxxxxxxx>
To: Thor (Hammer of God) <thor@xxxxxxxxxxxxxxx>
CC: Bugtraq <bugtraq@xxxxxxxxxxxxxxxxx>
References: <C07247C6.31D5%thor@xxxxxxxxxxxxxxx>

Thor (Hammer of God) wrote:

It's not Microsoft's job to protect Symantec customers.

No it's not, it's Microsoft's job to protect Windows users, millions of whom
use NortonAV. But it would seem that MS is more interested in protecting
their user tracking information than the users.

Oh, I see now. It's about tracking users now, is it? So you're saying that
the exception list in dnsapi.dll is not only there for some super-secret
Passport "functionality" but now Microsoft is using it to protect "their
user tracking information?" Brilliant. I suppose that the next argument
will be that dnsapi.dll contains the secret as to where that one sock goes
after it's lost in the dryer, right? Hey! Maybe that's what winsock really

Umm... Thor...

It's not quite as nuts of a proposition as you're making it out to be. They are starting to roll out their "genuine advantage" program and that does coordinate and do some installation via WindowsUpdate. Right now, it's a "volunteer" program, but the logical next step is required and automatic monitoring of system licensing, and the infrastructure is clearly being created for that.

So before you go calling people conspiracy theorists, you might want to check out the reality of what the company's doing first.

My opinion on the DNS change: I think it's obviously a "security" fix, though probably a poor one. It has the added benefit of making it harder for people to block automatic license checking tools, and I don't think that's a coincidence either. In fact, I think they would call that a security benefit as well... at least from their perspective.


Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/