[Cc'd outsiders can browse this thread on the cypherpunks list via the public news://nntp.hks.net/hks.lists.cypherpunks; please drop the Cc line on followups]

I just made a couple of updates to http://www.c2.org/hackmmsoft/ after reviewing the responses trolled up in the last several hours; take a gander.

On further review, I don't think Peter's latest, which you run from the DOS command prompt to email a randomly chosen password to your email address of choice, is that serious a threat. I don't have it on a machine I can get to now, and I'm going to be offline tomorrow, but I'd suggest that Sameer go ahead and post the binary soon.

Btw, Peter hasn't given us the source code, and I wouldn't post it anyway, because it would make it too easy for someone without the proper ethic to "improve" the hack.

I just don't want us to look like the bad guys here. I think a little patience and bending over backwards to be nice encourages non-cypherpunk types like Peter Miller (the Access crack) to come down on the right side.

By the way, in response to my newsgroup posting, I got a few messages that Bill Gates had been interviewed somewhere and had said that all the problems with Windows security were the result of the US Government's restrictions on the export of strong cryptography. It's nice to see the richest man in the world on the right side of at least one issue, but this is of course complete bullshit. ITAR has nothing whatsoever to do with these bugs.

Any press who cover the issue incorrectly should be educated about the difference between a good implementation that can be brute-forced in X amount of time with Y amount of computing power because the guvmint puts limits on the key size, and a stupid implementation that is far, far less secure than (X,Y) because of poor programming.

-rich