Counterpane Cracks MS's PPTP
In <Version.32.19980601122218.00fbc410@pop.pipeline.com>, on 06/01/98 at 12:23 PM, John Young <jya@pipeline.com> said:
Thanks to GM
<sig> when will people learn?
Microsoft is *incapable* and *unwilling* to provide even nominal security for its platforms.
Several problems that exist:
Technical Ability -- Microsoft is seriously lacking in the technical know-how when it comes to cryptology and data security.
Corporate Mentality -- Microsoft does not have the mentality needed to produce secure products. This is a company that has historically shipped poorly designed, bug filled products out the door. Bugs are not seen as a problem but as an opportunity to sell upgrades. While this has done them well in selling their overpriced GameBoys (the sheeple never cease to disappoint me) it is *not* the environment for developing secure products.
Previous security foobars by M$:
NT C2 <---- LOL!!!
Active X <---- Who was the brain child that thought *that* up?
Auto-Launch attached binaries in E-Mail <-- Can we say GoodTimes?
Crypto-API <--- Right I would *trust* that. Honest. :)
TCP/IP Stack <--- Too many flaws to list.
Why would anyone trust these simpletons to produce any type of security product?
--
William H. Geiger III http://users.invweb.net/~whgiii
Geiger Consulting Cooking With Warp 4.0
Author of E-Secure - PGP Front End for MR/2 Ice
PGP & MR/2 the only way for secure e-mail.
OS/2 PGP 5.0 at: http://users.invweb.net/~whgiii/pgp.html
Tag-O-Matic: I love running Windows! NOT!
This has got to be the scariest crypto-related paper I've ever read. Detailed therein is just an unnatural amount of screwing up for any one company, much less one product. How many of us had to explain to a sci.crypt newbie why we can't use the same one-time-pad string or cipher stream repeatedly? Here we have Microsoft re-using RC4 keys in OUTPUT FEEDBACK MODE. In the same session, fer God's sake, you and the server both use the same XOR stream to encrypt? This is not a subtle, excusable boo-boo. It's not even a crypto mistake: it's a basic inability to comprehend what the exclusive-or operation does. I gotta admit, my first impression was that Schneier, et al, were engaging in a heapin' helpin' of MS-bashing on their page. Having read the paper, however, I'm now convinced that they brushed too (po-)lightly over some real howlers. One might get the false impression that these are subtle flaws, rather than gaping holes from Hell. We gotta convince Bill to fire his crypto people, for the good of humanity. I suggest we get the message across by sending MS a bunch of t-shirts reading, "Everything I ever needed to know about crypto I learned from the LANMAN hash." -Xcott ==- Xcott Craver -- Caj@niu.edu -- http://www.math.niu.edu/~caj/ -== "This is a different thing: it's spontaneous and it's called 'wit.'" -The Black Adder
At 03:23 PM 6/2/98 +1200, Chris Wedgwood wrote:
On Mon, Jun 01, 1998 at 04:24:44PM -0500, William H. Geiger III wrote:
Previous security foobars by M$:
NT C2 <---- LOL!!!
Standard marketroid talk, I think M$ still tout this, but not so loudly these days. Last I heard they were trying to get C2 with network connectivity, but that was a while ago (2 years?) so they may have given up. I'm sure I would have heard if it had.
That said, C2 doesn't necessarily buy you all that much.
Is this not what they claimed when they sold NT to the Air Force? Judging by some of the Air Force software I have seen, this frightens me more than most things.
Active X <---- Who was the brain child that thought *that* up?
Sure it sucks, it sucks for lots of reasons. But for the average luser it's still better than plugins so that's why it's taken off. And what makes downloading a plugin and installing that any better?
You have a little more control over plug-ins.
Auto-Launch attached binaries in E-Mail <-- Can we say GoodTimes?
Can anyone confirm that this has indeed been fixed yet?
I should also point out that buffer overflow bugs have been known for some time (years?) with various unix mailers and their handling of .mailcap which essentially amounts to the same thing.
But those are specific to the client. Most Unix users know better.
Crypto-API <--- Right I would *trust* that. Honest. :)
Does anyone have a list of design and implementation flaws for CAPI? I've had discussions with a couple of people about these, but never seen anything published.
I know of one, but I cannot release details yet. (I did not discover it and I need to wait until the non-beta version of the product is released.) Besides, I have been told I will be killed if I reveal it before it is time.
TCP/IP Stack <--- Too many flaws to list.
Yeah... it's crap, but not necessarily that much worse than some of the others out there. If someone were keeping score on which stacks held up the best against all the attacks of the last two years it probably wouldn't be the worst.
A great deal of this blame can be placed on the WinSock spec. The spec was quite "loose" in many details of the implementation. You could be compliant and still not be able to deal with much of the software out there. My vote for bad PC stack of the century was the one put out by Sun. Not even close to compatible...
Why would anyone trust these simpletons to produce any type of security product?
Sure. 95% of the population does.
Sturgeon's law applies to people as well...
People need to be educated about important issues, and using lots of complicated gobbledygook doesn't help. If you, like me, have a loved one that isn't terribly interested in computers or encryption, then see if the phrase 'modular exponentiation' doesn't kick their eye-glaze-secreting gland into overdrive.
Most everything involving computers tends to do that.
I guess this is something Bruce Schneier has done well - a report for technical people who will read it, laugh and say they aren't surprised, and press releases with LOTS OF BIG LETTERS AND SMALL WORDS for the rest of the population including morons that are the media.
You can type it out in clear, short sentences and the media will still screw it up. If you have no clue as to what you are writing about, the accuracy of what you write will suffer.
I think everyone is waiting for NT5. Multi-user NT is at best an interesting concept. I remember at university using (arguably buggy) unix boxen with 200+ users simultaneously, with relatively few problems, but I'll be really surprised if NT could get close to this....
Multi-user NT is available now. Citrix and NCD both have versions out now. (Both are based on NT 3.51. They would have released a 4.0 product long ago, but Microsoft wanted the product for themselves.) The server load seems to be about 50 users per box. Depends on what you are running.
I am so looking forward to NT5, it should prove to be very entertaining and perhaps a really good opportunity to educate the public.
Assuming that they can be educated. Better to offer them a choice. It is hard to say "X is bad" unless you have an alternative.
On Mon, Jun 01, 1998 at 10:03:43PM -0700, Alan wrote:
That said, C2 doesn't necessarily buy you all that much.
Is this not what they claimed when they sold NT to the Air Force? Judging by some of the Air Force software I have seen, this frightens me more than most things.
Either M$ lied, or the Air Force should know better. In the former, the Air Force should sue M$, but more likely it's the latter. Why should the Air Force have clue-full people when most large corporates, banks, governments, IT companies and software companies do not? Governments with large databases full of all your personal details and banks with all your financial details are two really good examples of organizations which should do a good job with system security and reliability but invariably do the worst (some exceptions apply).
Sure it sucks, it sucks for lots of reasons. But for the average luser it's still better than plugins so that's why it's taken off. And what makes downloading a plugin and installing that any better?
You have a little more control over plug-ins.
It doesn't really buy much. Most people will blindly download anything and install it. If it doesn't install the first time by finding all the right file locations, etc. and allowing the user to click Next every time, they will start deleting files at random trying to remove it. Perhaps I'm overstating things, but I'm a tad jaded from having to make documentation and software work for morons (the public at large).
But those are specific to the client. Most Unix users know better.
The M$ example is confined to a specific client. Many unix users use unix because they are required to, these people are probably as clue-less as luse95 users. On average the number of clue-full 95 users against the number of clue-full unix users is probably 10:1 despite luse95's large user base, quoting numbers which I just made up of course and clue-full being defined by me, and able to be redefined whenever I feel like it. This is all beside the point - someone mentioned that a M$ mailer had a very nasty bug, I just pointed out that can and has also occurred elsewhere.
Does anyone have a list of design and implementation flaws for CAPI? I've had discussions with a couple of people about these, but never seen anything published.
I know of one, but I cannot release details yet. (I did not discover it and I need to wait until the non-beta version of the product is released.) Besides, I have been told I will be killed if I reveal it before it is time.
It can wait. It seems plenty of others are waiting....
Yeah... it's crap, but not necessarily that much worse than some of the others out there. If someone were keeping score on which stacks held up the best against all the attacks of the last two years it probably wouldn't be the worst.
A great deal of this blame can be placed on the WinSock spec. The spec was quite "loose" in many details of the implementation. You could be compliant and still not be able to deal with much of the software out there.
The issues most people complain about are not related to the WinSock API, but poor coding in the stack that makes stack overflows and memory buffer corruption trivial. Similar bugs used to exist in the *BSD and linux stacks, as with the streams library used by SCO and Solaris (although maybe solaris has something funny there).
My vote for bad PC stack of the century was the one put out by Sun. Not even close to compatible...
No, my shit-stack-of-the-week (I just decided now) goes to Ultrix stack which barfs on unknown tcp options and hence is completely fucked when trying to communicate with a recent *BSD or linux boxes, solaris and possibly Win98/NT5.
Sturgeon's law applies to people as well...
? Sorry... don't know it.
People need to be educated about important issues, and using lots of complicated gobbledygook doesn't help. If you, like me, have a loved one that isn't terribly interested in computers or encryption, then see if the phrase 'modular exponentiation' doesn't kick their eye-glaze-secreting gland into overdrive.
Most everything involving computers tends to do that.
Only because people are fed bullshit and lies by 80% of the industry 'consultants' who don't know much and use big words to cover this up. I really think people would be much more willing if they weren't fed so much crap at times.
You can type it out in clear, short sentences and the media will still screw it up. If you have no clue as to what you are writing about, the accuracy of what you write will suffer.
Again, the above applies, but bear in mind that most people in the modern media have little interest in the truth unless it helps sales, and if not then just 'modify the story a bit'. It also helps to consider that most reporters are pretty dumb and lack any real qualifications to talk about the things that they do, PC rag. editors being a really good example. Let's face it, we use the 'net and crypto, so we are dirty filthy perverted paedophile unabomber criminals who are going to pervert the youth and corrupt the American way. If you deny this it just proves what an untrustworthy person you are.
Multi-user NT is available now. Citrix and NCD both have versions out now. (Both are based on NT 3.51. They would have released a 4.0 product long ago, but Microsoft wanted the product for themselves.) The server load seems to be about 50 users per box. Depends on what you are running.
Slightly different than NT5 though... I know people working on large Citrix boxes with 2GB of ram and they speak quite highly of it, but their 40+ users are running custom apps. with an NT4 like gui. I'm not so sure it would work so great with 10+ people running Visual C++ to compile and debug code.... whereas unix boxen have been doing this for years with 500+ people. What really sucks is there are some nice ideas in bits of NT, only what little kewl stuff there is has lost all credibility because of the atrociously large bloated buggy code that constitutes the other 99% of it.
Assuming that they can be educated. Better to offer them a choice. It is hard to say "X is bad" unless you have an alternative.
The real shame in all this is there is no really viable choice to the evil borg. Not yet anyhow.... -Chris
On Mon, Jun 01, 1998 at 04:24:44PM -0500, William H. Geiger III wrote:
Previous security foobars by M$:
NT C2 <---- LOL!!!
Standard marketroid talk, I think M$ still tout this, but not so loudly these days. Last I heard they were trying to get C2 with network connectivity, but that was a while ago (2 years?) so they may have given up. I'm sure I would have heard if it had. That said, C2 doesn't necessarily buy you all that much.
Active X <---- Who was the brain child that thought *that* up?
Sure it sucks, it sucks for lots of reasons. But for the average luser it's still better than plugins so that's why it's taken off. And what makes downloading a plugin and installing that any better?
Auto-Launch attached binaries in E-Mail <-- Can we say GoodTimes?
Can anyone confirm that this has indeed been fixed yet? I should also point out that buffer overflow bugs have been known for some time (years?) with various unix mailers and their handling of .mailcap which essentially amounts to the same thing.
Crypto-API <--- Right I would *trust* that. Honest. :)
Does anyone have a list of design and implementation flaws for CAPI? I've had discussions with a couple of people about these, but never seen anything published.
TCP/IP Stack <--- Too many flaws to list.
Yeah... it's crap, but not necessarily that much worse than some of the others out there. If someone were keeping score on which stacks held up the best against all the attacks of the last two years it probably wouldn't be the worst.
Why would anyone trust these simpletons to produce any type of security product?
Sure. 95% of the population does. People need to be educated about important issues, and using lots of complicated gobbledygook doesn't help. If you, like me, have a loved one that isn't terribly interested in computers or encryption, then see if the phrase 'modular exponentiation' doesn't kick their eye-glaze-secreting gland into overdrive. I guess this is something Bruce Schneier has done well - a report for technical people who will read it, laugh and say they aren't surprised, and press releases with LOTS OF BIG LETTERS AND SMALL WORDS for the rest of the population including morons that are the media. I think everyone is waiting for NT5. Multi-user NT is at best an interesting concept. I remember at university using (arguably buggy) unix boxen with 200+ users simultaneously, with relatively few problems, but I'll be really surprised if NT could get close to this.... I am so looking forward to NT5, it should prove to be very entertaining and perhaps a really good opportunity to educate the public. OK, getting bored with this reply now, so here it goes, errors and all.... -Chris P.S. How does M$ sidestep the ITAR with ipsec code in Win98/NT5?
As regards:
Previous security foobars by M$:
NT C2 <---- LOL!!!
I believe that no operating system has ever been given a C2 certification, and that only individual installations can be certified. This requires that each installation be transported and conducted under armed guard, which is the case with certain US government Microsoft NT Workstation installations. It is also stated (somewhere, but I don't have the details to hand) that no C2 rated system should be plugged in to an external network connection (i.e. the internet), and that only connections to secure LAN's/WAN's are permitted (otherwise the C2 certification is meaningless, hence why NT Server has never been C2 certified IIRC). I would be grateful if anyone can categorically deny or in any way support this.
Auto-Launch attached binaries in E-Mail <-- Can we say GoodTimes?
The GoodTimes virus was, according to the DOE's CIAC a hoax. This is also my personal opinion. This is what DOE's CIAC have to say: http://ciac.llnl.gov/ciac/CIACHoaxes.html#goodtimes Or, more amusingly. http://ciac.llnl.gov/ciac/CIACHoaxes.html#goodspoof
However All E-mail readers that support HTML & JavaScript/Java/Active-X are inherently insecure. This includes Netscape Navigator and Microsoft Outlook, where merely the act of previewing a malicious message can cause adverse effects. If anyone were to embed a malicious Java or Active-X control then the supposed sandbox in Windows 9X/NT would be ineffectual as one could conceivably create a control which could execute software anywhere on the hard disk (this has already been done using both Active-X and IE under Windows 95). Thus it follows that it could determine what viewer it is being read under and execute any other attachments in the same e-mail from where they are stored (in Netscape/Outlook) which could then... <please complete this sentence using your own words>
Iain Collins, icollins@sol.co.uk
Iain Collins wrote: <<snip>>
I believe that no operating system has ever been given a C2 certification, and that only individual installations can be certified.
Both Right and Wrong. C2 (or other) certification is given to a product system, not an OS nor an installation. NT on a specific configuration of a specific manufacturer, for instance. (and with a specific mix of other software) The intent was to make available Commercial Off The Shelf (COTS) systems for gov purchase.) But the concept was generated in the mainframe/Mini frame of mind.
This requires that each installation be transported and conducted under armed guard, which is the case with certain US government Microsoft NT Workstation installations.
It is also stated (somewhere, but I don't have the details to hand) that no C2 rated system should be plugged in to an external network connection (i.e. the internet), and that only connections to secure LAN's/WAN's are permitted (otherwise the C2 certification is meaningless, hence why NT Server has never been C2 certified IIRC).
The network issue is one with deep ramifications and not as simple as listed in the above Para. Two totally secure nets can be not secure when connected to each other because of the data interface for security levels, user permissions etc.
I would be grateful if anyone can categorically deny or in any way support this.
NCSC has a whole line of books on it all. Red is the Network Interpretation, Orange is the Criteria itself.
<<SNIP>>
PHM author, NOT the Orange Book -- A Guide to the Definition, Specification, Tasking, and Documentation for the Development of Secure Computer Systems -- Including Condensations of the Members of the Rainbow Series and Related Documents, Merlyn Press, WPAFB, 1992 NTOB is available for those who want it.
Windows NT4.0 has been tested under the red book spec published by the NCSC. That means in effect, NT is C2 compliant in a stand alone environment. However, NT does NOT comply with the orange book spec which defines additional requirements when the machine is used in a networked environment. It *IS* possible for an operating system that is on a networked machine to be C2(Orange Book) compliant. Microsoft has never stated that it is C2 compliant on a network, however their page about C2 and NT is poorly worded, and effectively discounts the importance of the Orange Book spec. It would be fun to get ahold of the specs from the NCSC. -Jim
In <Pine.GSO.3.93.980602185641.27020B-100000@chemistry.mps.ohio-state.edu>, on 06/02/98 at 07:09 PM, Jim Tatz <jtatz@chemistry.ohio-state.edu> said:
Windows NT4.0 has been tested under the red book spec published by the NCSC. That means in effect, NT is C2 compliant in a stand alone environment. However, NT does NOT comply with the orange book spec which defines additional requirements when the machine is used in a networked environment. It *IS* possible for an operating system that is on a networked machine to be C2(Orange Book) compliant. Microsoft has never stated that it is C2 compliant on a network, however their page about C2 and NT is poorly worded, and effectively discounts the importance of the Orange Book spec.
It would be fun to get ahold of the specs from the NCSC.
You have this backward,
The "Red Book": NCSC-TG-005 "Trusted Network Interpretation of the Trusted Computer System Evaluation Criteria"
The "Orange Book": DOD 5200.28-STD "DOD Trusted Computer System Evaluation Criteria"
A NT machine to meet DOD 5200.28 C2 rating needs to be seriously crippled when compared to normal operation. No removable media, No Modem, No Network Connection, hell plugging the damn thing and turning it on probably puts its C2 rating in jeopardy.
The reason M$ downplays their C2 rating is that in average day to day use of this OS it does not meet this rating.
NT has never had any RedBook rating and is not certified for use in a secure network.
--
William H. Geiger III http://users.invweb.net/~whgiii
Geiger Consulting Cooking With Warp 4.0
Author of E-Secure - PGP Front End for MR/2 Ice
PGP & MR/2 the only way for secure e-mail.
OS/2 PGP 5.0 at: http://users.invweb.net/~whgiii/pgp.html
Tag-O-Matic: OS/2 means...CURTAINS for Windows!
A NT machine to meet DOD 5200.28 C2 rating needs to be seriously crippled when compared to normal operation. No removable media, No Modem, No Network Connection, hell plugging the damn thing and turning it on probably puts its C2 rating in jeopardy.
The reason M$ downplays their C2 rating is that in average day to day use of this OS it does not meet this rating.
NT has never had any RedBook rating and is not certified for use in a secure network.
In addition to the conversation, MS says: Microsoft has opted not to include certain components of Windows NT in the evaluation process, not because they would not pass the evaluation, but to save time by reducing the load on the NSA. Additionally, the MS-DOS/Windows on Windows (WOW) system may be treated as a Win32 application and would therefore not need to be evaluated as part of the Trusted Computer Base (TCB). Networking on NT may not have to go through the "Red Book," or "Trusted Network Interpretation." It may be enough to consider networking to be another subsystem, and therefore only the Orange Book would apply. New or modified components and other hardware platforms can go through a "RAMP" process to be included in the evaluation at a later time. http://support.microsoft.com/support/kb/articles/q93/3/62.asp [Isn't it great, you have to register for FREE support?] -Jim
In <Pine.GSO.3.93.980602200540.28995A-100000@chemistry.mps.ohio-state.edu>, on 06/02/98 at 08:14 PM, Jim Tatz <jtatz@chemistry.ohio-state.edu> said:
In addition to the conversation, MS says: Microsoft has opted not to include certain components of Windows NT in the evaluation process, not because they would not pass the evaluation, but to save time by reducing the load on the NSA. Additionally, the MS-DOS/Windows on Windows (WOW) system may be treated as a Win32 application and would therefore not need to be evaluated as part of the Trusted Computer Base (TCB). Networking on NT may not have to go through the "Red Book," or "Trusted Network Interpretation." It may be enough to consider networking to be another subsystem, and therefore only the Orange Book would apply. New or modified components and other hardware platforms can go through a "RAMP" process to be included in the evaluation at a later time.
Good God what kind of double talk is this? It doesn't need Red Book eval. and networking can be treated as a sub-system?!? Well I guess the guys down at NSA just wrote the Red Book (which is significantly larger than the Orange Book) because they were bored. I would not trust Micky$lop to tell me that the sky was blue and water was wet let alone trust them to provide *any* form of security product.
--
William H. Geiger III http://users.invweb.net/~whgiii
Geiger Consulting Cooking With Warp 4.0
Author of E-Secure - PGP Front End for MR/2 Ice
PGP & MR/2 the only way for secure e-mail.
OS/2 PGP 5.0 at: http://users.invweb.net/~whgiii/pgp.html
Tag-O-Matic: Get OS/2 - the best Windows tip around!
Windows NT4.0 has been tested under the red book spec published by the NCSC. That means in effect, NT is C2 compliant in a stand alone environment. However, NT does NOT comply with the orange book spec which defines additional requirements when the machine is used in a networked environment. It *IS* possible for an operating system that is on a networked machine to be C2(Orange Book) compliant. Microsoft has never stated that it is C2 compliant on a network, however their page about C2 and NT is poorly worded, and effectively discounts the importance of the Orange Book spec.
Do you know the Redbook specs? From my understanding of the specs to have a C2 rating you can't have a NIC card or Disk Drive. But I think you can have a NIC card in the machine connected to a network that is encrypted network. But I could be wrong but I don't forget most of what I read..
It would be fun to get ahold of the specs from the NCSC.
You have this backward,
The "Red Book": NCSC-TG-005 "Trusted Network Interpretation of the Trusted Computer System Evaluation Criteria"
The "Orange Book": DOD 5200.28-STD "DOD Trusted Computer System Evaluation Criteria"
A NT machine to meet DOD 5200.28 C2 rating needs to be seriously crippled when compared to normal operation. No removable media, No Modem, No Network Connection, hell plugging the damn thing and turning it on probably puts its C2 rating in jeopardy.
The reason M$ downplays their C2 rating is that in average day to day use of this OS it does not meet this rating.
NT has never had any RedBook rating and is not certified for use in a secure network. MS is having problems meeting the standards and they have a lot of work to do on NT when it comes to Security. Any was see MSN.com today?
|)ark |(night DEFINITION. Windows 95: n. 32 bit extensions and a graphical shell for a 16 bit patch to an 8 bit operating system originally coded for a 4 bit microprocessor, written by a 2 bit company, that can't stand 1 bit of competition. Http://www.EliteHackers.org/DarkKnight
In <Pine.LNX.3.96.980602172921.21860A-100000@Nigger.EliteHackers.org>, on 06/02/98 at 12:35 PM, Dark Knight <DarkKnight@EliteHackers.org> said:
Do you know the Redbook specs? From my understanding of the specs to have a C2 rating you can't have a NIC card or Disk Drive. But I think you can have a NIC card in the machine connected to a network that is encrypted network. But I could be wrong but I don't forget most of what I read..
You are making the same mistake the previous poster made on this.
Orange Book == Standalone Red Book == Network
The numerous criteria for the various levels of trusted systems are too numerous to list here. I *strongly* recommend obtaining copies of the Rainbow Series from the NSA (they will mail a copy for free) and studying the documentation. They are well written and easy to read (unlike many such papers which are techno-babble filled).
There are approx. 30 manuals in the Rainbow Series that cover a wide range of topics related to Trusted Systems of which the Orange Book is a small part. I doubt you could find more than 5 M$ employees that have read more than a quarter of the manuals let alone are able to implement their principles.
--
William H. Geiger III http://users.invweb.net/~whgiii
Geiger Consulting Cooking With Warp 4.0
Author of E-Secure - PGP Front End for MR/2 Ice
PGP & MR/2 the only way for secure e-mail.
OS/2 PGP 5.0 at: http://users.invweb.net/~whgiii/pgp.html
Tag-O-Matic: I love running Windows! NOT!
In <Pine.LNX.3.96.980602172921.21860A-100000@Nigger.EliteHackers.org>, on 06/02/98 at 12:35 PM, Dark Knight <DarkKnight@EliteHackers.org> said:
Do you know the Redbook specs? From my understanding of the specs to have a C2 rating you can't have a NIC card or Disk Drive. But I think you can have a NIC card in the machine connected to a network that is encrypted network. But I could be wrong but I don't forget most of what I read..
You are making the same mistake the previous poster made on this.
Orange Book == Standalone Red Book == Network
The numerous criteria for the various levels of trusted systems are too numerous to list here. I *strongly* recommend obtaining copies of the Rainbow Series from the NSA (they will mail a copy for free) and studying the documentation. They are well written and easy to read (unlike many such papers which are techno-babble filled).
There are approx. 30 manuals in the Rainbow Series that cover a wide range of topics related to Trusted Systems of which the Orange Book is a small part. I doubt you could find more than 5 M$ employees that have read more than a quarter of the manuals let alone are able to implement their principles. I had a copy but like a dumb ass I forgot them where I used to live. I don't think the NSA or DOD I think it's the NSA gives away free copies any more..
|)ark |(night DEFINITION. Windows 95: n. 32 bit extensions and a graphical shell for a 16 bit patch to an 8 bit operating system originally coded for a 4 bit microprocessor, written by a 2 bit company, that can't stand 1 bit of competition. Http://www.EliteHackers.org/DarkKnight
On Tue, 2 Jun 1998, Jim Tatz wrote:
Windows NT4.0 has been tested under the red book spec published by the NCSC. That means in effect, NT is C2 compliant in a stand alone environment. However, NT does NOT comply with the orange book spec which defines additional requirements when the machine is used in a networked environment. It *IS* possible for an operating system that is on a networked machine to be C2(Orange Book) compliant. Microsoft has never stated that it is C2 compliant on a network, however their page about C2 and NT is poorly worded, and effectively discounts the importance of the Orange Book spec.
It would be fun to get ahold of the specs from the NCSC.
I believe you've got your colors backwards here.. NT is C2 compliant in standalone format, with Posix disabled. It's an unusable configuration. That's all I can remember off the top of my head though.. Ryan Anderson PGP fp: 7E 8E C6 54 96 AC D9 57 E4 F8 AE 9C 10 7E 78 C9
This is a good paper. It covered almost all of the failures of MS PPTP. However, I think it missed a big one. It is possible to recover all the clear text from a PPTP session, even if most of the traffic is going in one direction only. The failure is in MPPE. When MPPE gets a sequencing error, it resets the key. This causes the cipher stream to be reset. It is partially covered in section 5.4. Since RC4 is a stream cipher, it generates the same cipher stream for a given key. This cipher stream is XORed with the clear text. To recover the clear text, an attacker just needs to force a resynchronization by sending a packet that has a bogus coherency count. If the attacker captures the original stream and the resynchronized stream a simple XOR of the two streams results in an XOR of the cleartext. While compression does make it harder to determine what the cleartext is, it is likely that a determined attacker can decrypt and decompress the XORed result.
Brad
Brad Kemp
Indus River Networks, Inc. BradKemp@indusriver.com
31 Nagog Park 978-266-8122
Acton, MA 01720 fax 978-266-8111
On Tue, 2 Jun 1998, Brad Kemp wrote:
It is possible to recover all the clear text from a PPTP session, even if most of the traffic is going in one direction only. The failure is in MPPE. When MPPE gets a sequencing error, it resets the key. This causes the cipher stream to be reset. It is partially covered in section 5.4.
I really think the XOR weaknesses deserve as much publicity as possible, because they are IMHO the simplest to exploit, and the result of the dumbest mistakes. So far we have three: 40-bit RC4 uses the same key with every session (!!), the client and server seem to encrypt with the same key stream going both ways (!!!), and then this resequencing attack. Are all three of these fixed? They certainly aren't "theoretical." ==- Xcott Craver -- Caj@niu.edu -- http://www.math.niu.edu/~caj/ -== "This is a different thing: it's spontaneous and it's called 'wit.'" -The Black Adder
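The keystream-reuse failure discussed in this thread (one RC4 keystream used in both directions, and the same keystream again after an MPPE resynchronization), shown next to a key-separated design. This is an added example, not part of any post above or of the Counterpane paper; the messages and session key are constructed, and `derive_key` with its direction labels and resync counter is a hypothetical fix, not what MPPE does.

```python
import hashlib
import hmac


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Return the first n bytes of the RC4 keystream for `key`."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):                        # output generation
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def rc4_encrypt(key: bytes, data: bytes) -> bytes:
    """Stream-cipher encryption: plaintext XOR keystream."""
    return xor(data, rc4_keystream(key, len(data)))


def derive_key(session_key: bytes, direction: bytes, resync_count: int) -> bytes:
    """Hypothetical fix: a distinct RC4 key per direction and per resync."""
    label = direction + resync_count.to_bytes(4, "big")
    return hmac.new(session_key, label, hashlib.sha256).digest()[:16]


# Constructed sample data, not taken from a real capture.
SESSION_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
CLIENT_MSG = b"GET /payroll/q2.txt HTTP/1.0\r\n"
SERVER_MSG = b"HTTP/1.0 200 OK\r\nSalary: 98000"


def reused_keystream():
    """Both messages encrypted from the start of the same keystream."""
    c1 = rc4_encrypt(SESSION_KEY, CLIENT_MSG)
    c2 = rc4_encrypt(SESSION_KEY, SERVER_MSG)
    leak = xor(c1, c2)                 # keystream cancels: leak == P1 xor P2
    return leak, xor(leak, CLIENT_MSG)  # one known side reveals the other


def separated_keystreams():
    """Same messages, but each direction has its own derived key."""
    c1 = rc4_encrypt(derive_key(SESSION_KEY, b"client->server", 0), CLIENT_MSG)
    c2 = rc4_encrypt(derive_key(SESSION_KEY, b"server->client", 0), SERVER_MSG)
    leak = xor(c1, c2)                 # two different keystreams do not cancel
    return leak, xor(leak, CLIENT_MSG)


if __name__ == "__main__":
    leak, recovered = reused_keystream()
    print("reused   :", leak == xor(CLIENT_MSG, SERVER_MSG), recovered)
    leak, recovered = separated_keystreams()
    print("separated:", leak == xor(CLIENT_MSG, SERVER_MSG), recovered.hex())
```

RC4 is kept here only because it is the cipher the thread discusses; the property shown holds for any stream cipher whose keystream is restarted under the same key.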
participants (11)
- Alan
- Brad Kemp
- Chris Wedgwood
- Dark Knight
- Iain Collins
- Jim Tatz
- John Young
- Paul H. Merrill
- Ryan Anderson
- William H. Geiger III
- Xcott Craver