Re: Micro$oft and Java
I was at the Microsoft presentation. Crypto-relevant info:

A patch will be published in the next few days to address the weak .PWL encryption. I got a rather lame excuse about how the encryption was first implemented in 1991, and how it was sufficient then. They will supposedly be changing the seed.

I asked about what MS was doing in regard to future strong crypto. Got an interesting response in that "the government was going to let them implement 768 bit keys." I later asked an MS person if these were RSA session keys or what. He said yes, but I really don't think he knew what he was talking about based on some of his other comments.

Visual Basic Script will be MS's response to JavaScript. The interesting thing here is a plan to use digital signatures on controls and scripts as a means of authentication. The comment was made "you'd trust something signed by Lotus or some other big name, but you probably wouldn't be that trustful of a piece of shareware." Hmmm...

MS will be releasing a "safe" runtime version of Visual Basic that will supposedly prevent nasty virii and trojan horses from being implemented on Web pages. IMHO, Perry's previous comments on the security of Java apply.

Servers and some clients will support end-to-end encryption. No details...

I didn't ask about GAK. Bill said there was a white paper explaining Microsoft's position on encryption. Maybe I'll test the search capabilities of the MS Web site later tonight.

Overall, the presentation was interesting (but obviously lacking in technical details as the audience was mostly press). MS is going to throw a lot of resources at this in order to maintain its industry dominance.

Thought for the day. Bill on the relevance of the briefing being held on Pearl Harbor day quoted Admiral Yamamoto after the 1941 attack, "we have awoken a sleeping giant." Draw your own conclusions on that one...

Joel
Another interesting post. The list is really heavy. I end up killing most of the articles. There are some real gems in there though.
"Joel" == Joel McNamara <joelm@eskimo.com> writes:
Joel> I was at the Microsoft presentation. Crypto-relevant info:
Joel>
Joel> A patch will be published in the next few days to address the weak .PWL encryption. I got a rather lame excuse about how the encryption was first implemented in 1991, and how it was sufficient then. They will supposedly be changing the seed.
Joel>
Joel> I asked about what MS was doing in regard to future strong crypto. Got an interesting response in that "the government was going to let them implement 768 bit keys." I later asked an MS person if these were RSA session keys or what. He said yes, but I really don't think he knew what he was talking about based on some of his other comments.
Joel>
Joel> Visual Basic Script will be MS's response to JavaScript. The interesting thing here is a plan to use digital signatures on controls and scripts as a means of authentication. The comment was made "you'd trust something signed by Lotus or some other big name, but you probably wouldn't be that trustful of a piece of shareware." Hmmm...
Joel>
Joel> MS will be releasing a "safe" runtime version of Visual Basic that will supposedly prevent nasty virii and trojan horses from being implemented on Web pages. IMHO, Perry's previous comments on the security of Java apply.
Joel>
Joel> Servers and some clients will support end-to-end encryption. No details...
Joel>
Joel> I didn't ask about GAK. Bill said there was a white paper explaining Microsoft's position on encryption. Maybe I'll test the search capabilities of the MS Web site later tonight.
Joel>
Joel> Overall, the presentation was interesting (but obviously lacking in technical details as the audience was mostly press). MS is going to throw a lot of resources at this in order to maintain its industry dominance.
Joel>
Joel> Thought for the day. Bill on the relevance of the briefing being held on Pearl Harbor day quoted Admiral Yamamoto after the 1941 attack, "we have awoken a sleeping giant." Draw your own conclusions on that one...
Joel>
Joel> Joel

--
David Wayne Williams    dwwillia@cet.co.jp
Software Engineer       http://www.cet.co.jp
Catena Enterprise Technologies
Linux, PGP, the Web: I love this Net!
On Thu, 7 Dec 1995, Joel McNamara wrote:
> I was at the Microsoft presentation. Crypto-relevant info:
>
> A patch will be published in the next few days to address the weak .PWL encryption. I got a rather lame excuse about how the encryption was first implemented in 1991, and how it was sufficient then. They will supposedly be changing the seed.
I do believe the word "lame" is in order, yes. Microsoft has issued a public statement on the "issue" at http://www.microsoft.com/windows/pr/password.htm

As usual, the inaccuracies begin with the first sentence. Password caching is not optional. It is on by default. Instructions for turning it off are not even included with the floppy disk or OEM versions of Win95, and they're not easy to find in the Resource Kit help file on the install CD, which is neither installed nor referenced by default. Some rather astute people spent days looking for a way to disable password caching, and they couldn't find it. Their messages are on my list archive.

There is currently *no way* for the administrator of a public Windows 95 lab to have any confidence that password caching has been turned off. All it takes is one malicious user -- or one innocent user who wants to disable system policies for other reasons -- and all passwords used from that machine are compromised.

We started whining about this on November 1; see gopher://quixote.stanford.edu/1m/win95netbugs.

-rich
participants (3)
- David Williams
- Joel McNamara
- Rich Graves