From: "W. Kinney" <kinney@bogart.Colorado.EDU>
Date: Sun, 11 Sep 94 12:59:25 PDT
To: cypherpunks@toad.com
Subject: Re: Lame security software
In-Reply-To: <aa96a7ef010210032ab4@[130.214.233.14]>
Message-ID: <9409111958.AA00309@bogart.Colorado.EDU>
MIME-Version: 1.0
Content-Type: text/plain



Jamie Lawrence writes:

> I found one of the worst examples
> I've ever run across, and I'm in a sharing mood today. For those
> Mac users out there, get ahold of Norton Partition, which ships
> with Norton Utilities 2.0. I was demoing the only way it should
> be counted on for anything, and then not much, by setting up a
> non-automounting DES encrypted soft partition. I chose the password
> 'cheesetoast', and explained why this was a bad choice, etc. Well,
> upon mounting the disk to demo something else, I misstyped 'cheeseto "
> (that last character is a space), and whad do you know, it mounted. I
> suspect it checks a hash of the first eight characters, tossing the
> rest, but don't have time to check and see if that is the case.

Oh, it's worse than that. Try it out and you'll find that Norton Partition
gets 56 bits from 64 by throwing away the _low_ bit in each of the eight
characters of your password. 

Worse still, Norton Partition includes a block of data
at the beginning of the disk partition you create, which encrypts your
password with an xor cipher. I haven't had time to work out the complete
mapping as of yet, but change one bit in your password, and one bit
in the header block changes. This goes beyond a poor implementation and
into the territory of a deliberate back door.

Damned irresponsible.

                                   -- Will