Forwarded message:

From stugreen@bga.com Tue Jan 27 16:01:14 1998 Sender: root@coney.lsd-labs.com Message-ID: <34CE5A63.9D29DD2@bga.com> Date: Tue, 27 Jan 1998 16:06:27 -0600 From: Stu Green <stugreen@bga.com> X-Mailer: Mozilla 3.01GoldC-Caldera (X11; I; Linux 2.0.33 i586) MIME-Version: 1.0 To: ravage@ssz.com Subject: [Fwd: Check this out!] Content-Type: message/rfc822 Content-Transfer-Encoding: 7bit Content-Disposition: inline

Received: from mail1.realtime.net (mail1.realtime.net [205.238.128.217]) by zoom.bga.com (8.6.12/8.6.12) with SMTP id MAA14988 for <stugreen@bga.com>; Tue, 27 Jan 1998 12:39:17 -0600 Received: (qmail 13392 invoked from network); 27 Jan 1998 18:39:14 -0000 Received: from isdn5-69.ip.realtime.net (HELO bga.com) (205.238.160.69) by mail1.realtime.net with SMTP; 27 Jan 1998 18:39:14 -0000 Message-ID: <34CE2AD0.F3822BFE@bga.com> Date: Tue, 27 Jan 1998 12:43:28 -0600 From: David Neeley <dneeley@bga.com> X-Mailer: Mozilla 4.04 [en] (Win95; I) MIME-Version: 1.0 To: stugreen@bga.com Subject: Check this out! Content-Type: text/plain; charset=koi8-r Content-Transfer-Encoding: 7bit In case you don't get an e-mail newsletter called "Tasty Bits from the Technology Front" I offer for your enjoyment: ..A warning on Microsoft (in)security Basic crypto weakness undermines all claims to security, expert says Longtime readers know that TBTF has been reporting on security weak- nesses in Microsoft's products, particularly Internet Explorer, for more than a year [25]. Now a security expert from New Zealand, Peter Gutmann, has posted a paper [26] claiming that the flaws are so ser- ious that Windows 95 users should entirely refrain from using the Web. Among the problems Gutmann points out is a critical weakness in the way Microsoft software protects (or does not protect) users' master encryption key; this weakness undermines all other encryp- tion components in Web servers and browsers. Gutmann outlines how a cracker could quietly retrieve the private key from a victim's ma- chine and break the encryption that "protects" it in a matter of seconds. The attacker has, Gutmann says, then "effectively stolen [the user's] digital identity, and can use it to digitally sign contracts and agreements, to recover every encryption session key it has ever protected in the past and will ever protect in the future, to access private and confidential email, and so on." TechWeb coverage is here [27]. [25] http://www.tbtf.com/resource/ms-sec-exploits.html [26] http://www.cs.auckland.ac.nz/~pgut001/pubs/breakms.txt [27] http://www.techweb.com/wire/story/TWB19980123S0007