In a couple of silly posts, I'd uncritically repeated a Bob Cringely piece in the December 10th InfoWorld (plus various other sources) without adequately verifying the facts. I hope this will clear some things up. First, NT was C2-certified in a specific configuration as a standalone workstation only, not as a network server. So any points about NT's C2 security being compromised by the following problems are *moot* and should be ignored. 1. NetWare Services lets you know when you try to log on as a user that doesn't exist, rather than asking for a password. Real NetWare servers do the right thing. 2. Because of a common user error, documentation errors, and a couple bugs, it is possible to gain read-only access to the root directory of many NT FTP servers (20% of the known NT servers at Stanford when I checked -- this has been fixed) by giving a nonexistent username and password, for example, cypherpunks/cypherpunk, to Microsoft's FTP server. These aren't important, because Microsoft does not claim that NT Server, as a server, is C2-secure; only many authorized distributors do. Also, the note that NetWare was C2-certified is misleading. I've been told and find credible (but have not verified) that NetWare was only certified in an unusual environment with packet-encrypting NICs. The rest was true. The main point was that Microsoft continues to make statements that are clearly at variance with the truth concerning the acknowledged .PWL, IPX SAP, and SMB bugs, among others. Microsoft has yet to revise several known incorrect pertinent articles in their "Knowledge" Base technical/marketing database, which you can search via: http://www-leland.stanford.edu/~llurch/win95netbugs/kb.html Incorrect articles include Q92588, Q90210, Q36634, Q103887, Q120554, and especially Q90271. The specific URL for each of these articles is: http://www.microsoft.com/kb/peropsys/windows/{ID}.htm For example, the article that purports to contain technical information on why you can trust the security of .PWL files is: http://www.microsoft.com/kb/peropsys/windows/Q90271.htm Also, http://www.windows.microsoft.com/windows/software/mspwlupd.htm, the PR on the "fix" for the acknowledged .PWL bugs in Win95 (the same bugs exist in Windows 3.11, but Microsoft has not acknowledged this or committed to fixing it), is clearly incorrect. It says that the new algorithm is 2^96 times more secure because it uses a larger key. Besides the fact that the extreme weakness of the .PWL algoritm has nothing whatsoever to do with the key size, the new algorithm does not use 128 random bits. Like many other exportable algorithms, the key size is 128 bits, but only 40 bits are random. By the way, neither I nor the comp.risks moderator have heard a peep from any Microsoft source in any newsgroup or mailbox. This I find somewhat disheartening. We know that there are at least five microsoft.com addresses on cypherpunks because we all got bounced email when Microsoft broke their mail gateway. Cat got your tongue? -rich owner-win95netbugs@lists.stanford.edu ftp://ftp.stanford.edu/pub/mailing-lists/win95netbugs/ ftp://ftp.demon.co.uk/pub/mirrors/win95netfaq/ gopher://quixote.stanford.edu/1m/win95netbugs http://www-leland.stanford.edu/~llurch/win95netbugs/faq.html http://www.mari.su/guide/win95/faq.html rich@c2.org http://www.c2.org/hackmsoft/