On Mon, Jun 01, 1998 at 04:24:44PM -0500, William H. Geiger III wrote:
Previous security foobars by M$:
NT C2 <---- LOL!!!
Standard marketroid talk, I think M$ still tout this, but not so loudly these days. Last I heard they were trying to get C2 with network connectivity, but that was a while ago (2 years?) so they may have given up. I'm sure I would have heard if it had. That said, C2 doesn't necessarily buy you all that much.
Active X <---- Who was the brain child that thought *that* up?
Sure it sucks, it sucks for lots of reasons. But for the average luser it's still better than plugins, so that's why it's taken off. And what makes downloading a plugin and installing that any better?
Auto-Launch attached binaries in E-Mail <-- Can we say GoodTimes?
Can anyone confirm that this has indeed been fixed yet? I should also point out that buffer overflow bugs have been known for some time (years?) with various unix mailers and their handling of .mailcap which essentially amounts to the same thing.
Crypto-API <--- Right I would *trust* that. Honest. :)
Does anyone have a list of design and implementation flaws for CAPI? I've had discussions with a couple of people about these, but never seen anything published.
TCP/IP Stack <--- Too many flaws to list.
Yeah... it's crap, but not necessarily that much worse than some of the others out there. If someone were keeping score on which stacks held up the best against all the attacks of the last two years it probably wouldn't be the worst.
Why would anyone trust these simpletons to produce any type of security product?
Sure. 95% of the population does. People need to be educated about important issues, and using lots of complicated gobbledygook doesn't help. If you, like me, have a loved one that isn't terribly interested in computers or encryption, then see if the phrase 'modular exponentiation' doesn't kick their eye-glaze-secreting gland into overdrive. I guess this is something Bruce Schneier has done well - a report for technical people who will read it, laugh and say they aren't surprised, and press releases with LOTS OF BIG LETTERS AND SMALL WORDS for the rest of the population including morons that are the media.
I think everyone is waiting for NT5. Multi-user NT is at best an interesting concept. I remember at university using (arguably buggy) unix boxen with 200+ users simultaneously, with relatively few problems, but I'll be really surprised if NT could get close to this.... I am so looking forward to NT5, it should prove to be very entertaining and perhaps a really good opportunity to educate the public.
OK, getting bored with this reply now, so here it goes, errors and all....
-Chris
P.S. How does M$ sidestep the ITAR with ipsec code in Win98/NT5?