Hello, welcome to the Wednesday, February 19th, 2020 edition of the Sandstone Storm Center's Stormcast.

My name is Johannes Ulrich.

I'm recording from Jacksonville, Florida.

Error messages leaking information is probably a concept that's very popular to people who have done any kind of network reconnaissance

or intrusion detection.

For example, if you do get a port unreachable error message back, you still know that the

host that sent the message exists.

But similar concepts also apply to operating systems and file systems.

And Jan looks at the particular interesting feature in Windows.

In Windows, if you don't have read access to a folder, you're not supposed to be able

to see which files exist in this particular folder. But turns out you get different error messages

depending on whether the file exists or doesn't exist. If the file doesn't exist, the

operating system will tell you the file doesn't exist. If the file exists, then you get

a permission denied error. So Jan actually wrote a little C sharp script in order to take

advantage of this and prude force folder names. A reader pointed out that Jan wasn't actually

the first one to come across this. Actually no real surprise like this. A fairly common problem

where error messages leak information.

John Page also did write up on this issue back in September of last year.

The issue has been reported to Microsoft, but it didn't sort of meet the threshold where Microsoft is going to come up with a patch

for the problem.

And the Amazon security camera subsidiary ring has of course been in the news in bad ways

in recent month, typically with attackers just prude-forcing users' passwords.

...