break microsoft!!!
re: the recent message that windows 95 has weak password encryption due to a 32 bit random seed sent to RC4-- this seems like another EXCELLENT opportunity for some major cypherpunks press coverage and feather-in-the-cap accolades. remember, the last break of the Netscape RC4 algorithm (or was it MD5?) got front page NYT coverage and reverberated throughout the entire media. a "cypherpunk" accomplishing the same thing for Microsoft would potentially get *major* notice. I imagine a short .exe file that when run on the proper computer prints out passwords as it cracks them. this would get the attention of a LOT of people. I have the MS C++ compiler, and if someone could discuss the difficulty of writing this proposed "exe" file, the rough time required to break the keys, and other considerations (physical access to server computer required?) and maybe point to code pieces on the net (RC4 etc.) to pull it off, I might start the effort myself.
Be careful not to sound too gleeful, lest you play into the evil nasty hacker stereotype. Keep the focus on the fact that real encryption is both possible and highly desired; the bad guys are lazy programmers and the US Government. I have sent a pointer to the sci.crypt article to the win95netbugs list, which currently has eight Microsoft employees and nine major computer magazines on it. I might mention it to Microsoft's "technical people" when they drop by next week to address our networking concerns. The answer, for anyone desiring one, is to turn off Win95's "multiple user profiles" features, turn off "encrypted password caching," and advertise the fact that Win95 is a totally insecure single-user OS, and will continue to be so as long as it uses the 1970's-vintage FAT file system. If real security is not available, the goal should be to eliminate the false sense of security that encourages people to leave sensitive files out in the open. -rich
participants (2)
-
Rich Graves -
Vladimir Z. Nuri