Re: [NOISE] Microsoft continues to mislead public about Windows security
In article <199601100451.UAA13211@infinity.c2.org>, <kolivet@alpha.c2.org> wrote:
On Tue, 9 Jan 1996, Frank Willoughby wrote:
When a system is breached or a CERT Advisory is issued, this is a major embarrassment for the company.
What are CERT's criteria for a bulletin to be issued? Would the previously mentioned Windows NT and Windows 95 security bugs qualify?
CERT normally won't publish a security warning until the manufacturers have fixed the bug & offered a patch. So I doubt the Win95/NT bugs will be announced by CERT tomorrow.

If you want to publish a bug, CERT is probably not the best place to go. CERT often ends up sitting on bugs for ages, because nobody knows about the hole, so nobody can pressure the vendors to fix 'em, so CERT refuses to release a bulletin -- a vicious cycle.

IMHO, embarrassing public pressure often seems to be the quickest way to get attention & fixes from uncooperative vendors... But then again, that's the old "full disclosure" (and "security through obscurity") debate(s).

-- Dave "a believer in security through caffeine" Wagner
In a couple of silly posts, I'd uncritically repeated a Bob Cringely piece in the December 10th InfoWorld (plus various other sources) without adequately verifying the facts. I hope this will clear some things up.

First, NT was C2-certified in a specific configuration as a standalone workstation only, not as a network server. So any points about NT's C2 security being compromised by the following problems are *moot* and should be ignored.

1. NetWare Services lets you know when you try to log on as a user that doesn't exist, rather than asking for a password. Real NetWare servers do the right thing.

2. Because of a common user error, documentation errors, and a couple bugs, it is possible to gain read-only access to the root directory of many NT FTP servers (20% of the known NT servers at Stanford when I checked -- this has been fixed) by giving a nonexistent username and password, for example, cypherpunks/cypherpunk, to Microsoft's FTP server.

These aren't important, because Microsoft does not claim that NT Server, as a server, is C2-secure; only many authorized distributors do.

Also, the note that NetWare was C2-certified is misleading. I've been told and find credible (but have not verified) that NetWare was only certified in an unusual environment with packet-encrypting NICs.

The rest was true. The main point was that Microsoft continues to make statements that are clearly at variance with the truth concerning the acknowledged .PWL, IPX SAP, and SMB bugs, among others. Microsoft has yet to revise several known incorrect pertinent articles in their "Knowledge" Base technical/marketing database, which you can search via:

http://www-leland.stanford.edu/~llurch/win95netbugs/kb.html

Incorrect articles include Q92588, Q90210, Q36634, Q103887, Q120554, and especially Q90271. The specific URL for each of these articles is:

http://www.microsoft.com/kb/peropsys/windows/{ID}.htm

For example, the article that purports to contain technical information on why you can trust the security of .PWL files is:

http://www.microsoft.com/kb/peropsys/windows/Q90271.htm

Also, http://www.windows.microsoft.com/windows/software/mspwlupd.htm, the PR on the "fix" for the acknowledged .PWL bugs in Win95 (the same bugs exist in Windows 3.11, but Microsoft has not acknowledged this or committed to fixing it), is clearly incorrect. It says that the new algorithm is 2^96 times more secure because it uses a larger key. Besides the fact that the extreme weakness of the .PWL algorithm has nothing whatsoever to do with the key size, the new algorithm does not use 128 random bits. Like many other exportable algorithms, the key size is 128 bits, but only 40 bits are random.

By the way, neither I nor the comp.risks moderator have heard a peep from any Microsoft source in any newsgroup or mailbox. This I find somewhat disheartening. We know that there are at least five microsoft.com addresses on cypherpunks because we all got bounced email when Microsoft broke their mail gateway. Cat got your tongue?

-rich
owner-win95netbugs@lists.stanford.edu
ftp://ftp.stanford.edu/pub/mailing-lists/win95netbugs/
ftp://ftp.demon.co.uk/pub/mirrors/win95netfaq/
gopher://quixote.stanford.edu/1m/win95netbugs
http://www-leland.stanford.edu/~llurch/win95netbugs/faq.html
http://www.mari.su/guide/win95/faq.html
rich@c2.org
http://www.c2.org/hackmsoft/