Re: Microsoft continues to mislead public about Windows security bugs (a bit long, with references)
At 12:01 1/8/96, James A. Donald wrote:
> At 07:15 PM 1/8/96 -0800, Rich Graves wrote:
>> As Microsoft well knows, this is completely untrue. [...]
>> [...]
>> Microsoft has not even admitted that this bug in both Windows 95 and Windows for Workgroups affects Windows for Workgroups, apparently because they have decided not to fix it.
>> [...]
>> We believe that it would be highly irresponsible to release the full version of this hack, but we will soon release a crippled demonstration-only version
>> Is anybody listening?
> They will listen if you start to release full uncrippled exploits, after a reasonable delay.
Very true. But why does it always seem to take an exploitable crack before companies pay attention to security flaws? Is it because they are unable to admit that they have made a mistake? Everybody makes mistakes. What's the big deal? I really don't understand it. Any psychologists on this list?

-- 
Lucky Green <mailto:shamrock@netcom.com>
PGP encrypted mail preferred.
[Cc'd outsiders can browse this thread on the cypherpunks list via the public news://nntp.hks.net/hks.lists.cypherpunks; please drop the Cc line on followups]

I just made a couple of updates to http://www.c2.org/hackmmsoft/ after reviewing the responses trolled up in the last several hours; take a gander.

On further review, I don't think Peter's latest, which you run from the DOS command prompt to email a randomly chosen password to your email address of choice, is that serious a threat. I don't have it on a machine I can get to now, and I'm going to be offline tomorrow, but I'd suggest that Sameer go ahead and post the binary soon.

Btw, Peter hasn't given us the source code, and I wouldn't post it anyway, because it would make it too easy for someone without the proper ethic to "improve" the hack. I just don't want us to look like the bad guys here. I think a little patience and bending over backwards to be nice encourages non-cypherpunk types like Peter Miller (the Access crack) to come down on the right side.

By the way, in response to my newsgroup posting, I got a few messages that Bill Gates had been interviewed somewhere and had said that all the problems with Windows security were the result of the US Government's restrictions on the export of strong cryptography. It's nice to see the richest man in the world on the right side of at least one issue, but this is of course complete bullshit. ITAR has nothing whatsoever to do with these bugs. Any press who cover the issue incorrectly should be educated about the difference between a good implementation that can be brute-forced in X amount of time with Y amount of computing power because the guvmint puts limits on the key size, and a stupid implementation that is far, far less secure than (X,Y) because of poor programming.

-rich