[NTSEC] SKIPJACK / NT4.0 (SP3?) (fwd)
Now this is interesting! :) (Either that or JA is smoking crack... - no idea on JA's reputation capital though...) =====================================Kaos=Keraunos=Kybernetos============== .+.^.+.| Ray Arachelian |Prying open my 3rd eye. So good to see |./|\. ..\|/..|sunder@sundernet.com|you once again. I thought you were |/\|/\ <--*-->| ------------------ |hiding, and you thought that I had run |\/|\/ ../|\..| "A toast to Odin, |away chasing the tail of dogma. I opened|.\|/. .+.v.+.|God of screwdrivers"|my eye and there we were.... |..... ======================= http://www.sundernet.com ========================== ---------- Forwarded message ---------- Date: Wed, 24 Dec 1997 01:29:07 -0600 From: "J.A. Terranson" <sysadmin@mfn.org> To: 'NT Security Listserv' <ntsecurity@iss.net> Subject: [NTSEC] SKIPJACK / NT4.0 (SP3?) -----BEGIN PGP SIGNED MESSAGE----- I was rooting around in the registry tonight, (looking to repair my own stupidity!), and guess what I saw? SKIPJACK is installed, and ENABLED! I have NOT (now would I EVER) installed it voluntarily, and Micro$loth only advertises the "standard" ciphers (which I also found). Is anyone else aware of this? Is it safe to delete the key (and code? Hopefully this is DLL driven: I'm still looking!). Also, anyone know what it was put there for? It's certainly not what I would consider an SSL issue! J.A. Terranson sysadmin@mfn.org A small fading light in a vast and obscure universe... PROTECT YOUR RIGHT TO PRIVACY - ENCRYPT! PGP/DSS: 0x12896749 FP: 63F2 1777 BC38 AC1E 3359 0B0E C6C0 ED6B 1289 6749 PGP/RSA: 0x9D85DF05 FP: 810C 25E9 7DD3 C157 3081 A202 DDFD 4245 If Government wants us to behave, it should set a better example! -----BEGIN PGP SIGNATURE----- Version: PGP for Personal Privacy 5.0 Charset: noconv iQEVAwUBNKC5wqAMF5Wdhd8FAQFsDQgAkietW1awMFDE9ZY5d9B+Zc0cGuGxlPC+ XzVy6+RleDngUecSAf8MbZZlTDDyN69liKG2Of0n+pZnlJSbKZWZiG0cRN592bbL xCF/cwgNdJi1/HTA/mDZ7fpRT1phCMi/b2U3XXyV3QG2fv+Z8M5o4LjykYT+u4Lt aEkfedFZKjkURO+artvGFnISfVxAMwpW0TfdbxE2Izw8iSjX2w+4aT0ub+Ck3OA4 X3Bek8ZPhbmsf9lIfBSe38ZPMZGrk7VwTPaMo7JiU5MM58OmCMaodKlwyxfsptKf khLnbWJbwHrlbW2yXL7nh7Ttnxv1WJ6BHaaJhxX/5EWSU4xAc/FjaQ== =jsvV -----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 In <Pine.SUN.3.96.971226114446.17857A-101000@beast.brainlink.com>, on 12/26/97 at 11:45 AM, Ray Arachelian <sunder@brainlink.com> said:
Now this is interesting! :) (Either that or JA is smoking crack... - no idea on JA's reputation capital though...)
Well to be honest anyone who would trust the M$ crypto API get what they deserve. - -- - --------------------------------------------------------------- William H. Geiger III http://users.invweb.net/~whgiii Geiger Consulting Cooking With Warp 4.0 Author of E-Secure - PGP Front End for MR/2 Ice PGP & MR/2 the only way for secure e-mail. OS/2 PGP 2.6.3a at: http://users.invweb.net/~whgiii/pgpmr2.html - --------------------------------------------------------------- -----BEGIN PGP SIGNATURE----- Version: PGPfreeware 5.0i for non-commercial use Comment: COMMENT Charset: cp850 iQA/AwUBNKPk9Lki0dXBotN0EQK0twCg2d11Co4YoNOQ9ciISsYcOE+aFZ4AoL5d TGu4cnp80+dgObS/yVxcdfxm =tpkE -----END PGP SIGNATURE-----
Skipjack can't be installed, since there is no generally available software implementation of the cipher. I would guess the person has some software installed that supports Fortezza cards, that would explain the registry entry. On Fri, 26 Dec 1997, Ray Arachelian wrote:
Now this is interesting! :) (Either that or JA is smoking crack... - no idea on JA's reputation capital though...)
=====================================Kaos=Keraunos=Kybernetos============== .+.^.+.| Ray Arachelian |Prying open my 3rd eye. So good to see |./|\. ..\|/..|sunder@sundernet.com|you once again. I thought you were |/\|/\ <--*-->| ------------------ |hiding, and you thought that I had run |\/|\/ ../|\..| "A toast to Odin, |away chasing the tail of dogma. I opened|.\|/. .+.v.+.|God of screwdrivers"|my eye and there we were.... |..... ======================= http://www.sundernet.com ==========================
---------- Forwarded message ---------- Date: Wed, 24 Dec 1997 01:29:07 -0600 From: "J.A. Terranson" <sysadmin@mfn.org> To: 'NT Security Listserv' <ntsecurity@iss.net> Subject: [NTSEC] SKIPJACK / NT4.0 (SP3?)
-----BEGIN PGP SIGNED MESSAGE-----
I was rooting around in the registry tonight, (looking to repair my own stupidity!), and guess what I saw? SKIPJACK is installed, and ENABLED! I have NOT (now would I EVER) installed it voluntarily, and Micro$loth only advertises the "standard" ciphers (which I also found).
Is anyone else aware of this? Is it safe to delete the key (and code? Hopefully this is DLL driven: I'm still looking!).
Also, anyone know what it was put there for? It's certainly not what I would
consider an SSL issue!
J.A. Terranson sysadmin@mfn.org A small fading light in a vast and obscure universe...
PROTECT YOUR RIGHT TO PRIVACY - ENCRYPT! PGP/DSS: 0x12896749 FP: 63F2 1777 BC38 AC1E 3359 0B0E C6C0 ED6B 1289 6749 PGP/RSA: 0x9D85DF05 FP: 810C 25E9 7DD3 C157 3081 A202 DDFD 4245 If Government wants us to behave, it should set a better example!
-----BEGIN PGP SIGNATURE----- Version: PGP for Personal Privacy 5.0 Charset: noconv
iQEVAwUBNKC5wqAMF5Wdhd8FAQFsDQgAkietW1awMFDE9ZY5d9B+Zc0cGuGxlPC+ XzVy6+RleDngUecSAf8MbZZlTDDyN69liKG2Of0n+pZnlJSbKZWZiG0cRN592bbL xCF/cwgNdJi1/HTA/mDZ7fpRT1phCMi/b2U3XXyV3QG2fv+Z8M5o4LjykYT+u4Lt aEkfedFZKjkURO+artvGFnISfVxAMwpW0TfdbxE2Izw8iSjX2w+4aT0ub+Ck3OA4 X3Bek8ZPhbmsf9lIfBSe38ZPMZGrk7VwTPaMo7JiU5MM58OmCMaodKlwyxfsptKf khLnbWJbwHrlbW2yXL7nh7Ttnxv1WJ6BHaaJhxX/5EWSU4xAc/FjaQ== =jsvV -----END PGP SIGNATURE-----
-- Lucky Green <shamrock@cypherpunks.to> PGP v5 encrypted email preferred. "Tonga? Where the hell is Tonga? They have Cypherpunks there?"
At 11:12 AM 12/26/97 -0600, William H. Geiger III wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
In <Pine.SUN.3.96.971226114446.17857A-101000@beast.brainlink.com>, on 12/26/97 at 11:45 AM, Ray Arachelian <sunder@brainlink.com> said:
Now this is interesting! :) (Either that or JA is smoking crack... - no idea on JA's reputation capital though...)
Well to be honest anyone who would trust the M$ crypto API get what they deserve.
Is this just random MS-baiting or do you have a real point re the API? The API describes an interface to things you'd need for a cryptosystem. I believe it is up to implementors to instantiate the functions appropriately. ------------------------------------------------------------ David Honig Orbit Technology honig@otc.net Intaanetto Jigyoubu "Windows 95 is a technologically complex product that is best left alone by the government..." ---MSFT Atty B. Smith
-----BEGIN PGP SIGNED MESSAGE----- In <3.0.5.32.19971229094401.007a7570@otc.net>, on 12/29/97 at 12:44 PM, David Honig <honig@otc.net> said:
At 11:12 AM 12/26/97 -0600, William H. Geiger III wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
In <Pine.SUN.3.96.971226114446.17857A-101000@beast.brainlink.com>, on 12/26/97 at 11:45 AM, Ray Arachelian <sunder@brainlink.com> said:
Now this is interesting! :) (Either that or JA is smoking crack... - no idea on JA's reputation capital though...)
Well to be honest anyone who would trust the M$ crypto API get what they deserve.
Is this just random MS-baiting or do you have a real point re the API?
The API describes an interface to things you'd need for a cryptosystem. I believe it is up to implementors to instantiate the functions appropriately.
1. The sorce code for the crypto API is not available for peer review. I would not recomend using any crypto API where I was unable to review if it performend as advertised. 2. If one does not have the ability of peer-review then one must rely on trust. Through past actions MS has shown to be an untrustworthy company (IMHO trust is not a sufficient replacement for peer review). 3. The MS crypto API can not be modified nor replaced. Export version of the MS API contain only export apporved algrothms of export approved strength. I think the 3 reasons above should be sufficient reason not to use the API. This is not soly an attack against M$. The same argument can be used against SUN, IBM, RSADSI, Lotus, ...ect. I wouldn't trust any of them to tell me that water was wet let alone tell me that their crypto API's were secure. No Code = No Trust!! - -- - --------------------------------------------------------------- William H. Geiger III http://users.invweb.net/~whgiii Geiger Consulting Cooking With Warp 4.0 Author of E-Secure - PGP Front End for MR/2 Ice PGP & MR/2 the only way for secure e-mail. OS/2 PGP 2.6.3a at: http://users.invweb.net/~whgiii/pgpmr2.html - --------------------------------------------------------------- -----BEGIN PGP SIGNATURE----- Version: 2.6.3a-sha1 Charset: cp850 Comment: Registered_User_E-Secure_v1.1b1_ES000000 iQCVAwUBNKfqxI9Co1n+aLhhAQFf9gP/e3gdjHaiRPcZeeSHJj/zaOF2On3EncPR kfvuVL83zoa2MzBeMaQAskkXn+j4B7mDPBKhbn6tbK5da7JXgvZxEFPTc3WIaxMk Y9KIZLHmzSbQZGQn/pKD+63Naw6apZMaNLM8i2cEhuGbavURXLl5lSnnVsSgIVCk RD5FIhr9vQU= =TwPk -----END PGP SIGNATURE-----
participants (4)
-
David Honig -
Lucky Green -
Ray Arachelian -
William H. Geiger III