1995-12-08 - Re: Micro$oft and Java

Header Data

From: Rich Graves <llurch@networking.stanford.edu>
To: Joel McNamara <joelm@eskimo.com>
Message Hash: 814732befed0749ee278fb9a66714817ddfecead2ed1be21955ee6bb2a04a40c
Message ID: <Pine.ULT.3.91.951207190400.15814G-100000@Networking.Stanford.EDU>
Reply To: <199512080205.SAA02898@mail.eskimo.com>
UTC Datetime: 1995-12-08 03:31:26 UTC
Raw Date: Thu, 7 Dec 95 19:31:26 PST

Raw message

From: Rich Graves <llurch@networking.stanford.edu>
Date: Thu, 7 Dec 95 19:31:26 PST
To: Joel McNamara <joelm@eskimo.com>
Subject: Re: Micro$oft and Java
In-Reply-To: <199512080205.SAA02898@mail.eskimo.com>
Message-ID: <Pine.ULT.3.91.951207190400.15814G-100000@Networking.Stanford.EDU>
MIME-Version: 1.0
Content-Type: text/plain


On Thu, 7 Dec 1995, Joel McNamara wrote:

> I was at the Microsoft presentation.  Crypto-relevant info:
> 
> A patch will be published in the next few days to address the weak .PWL
> encryption.  I got a rather lame excuse about how the encryption was first
> implemented in 1991, and how it was sufficient then.  They will supposedly
> be changing the seed.

I do believe the word "lame" is in order, yes.

Microsoft has issued a public statement on the "issue" at 
http://www.microsoft.com/windows/pr/password.htm

As usual, the inaccuracies begin with the first sentence. Password caching
is not optional. It is on by default. Instructions for turning it off are
not even included with the floppy disk or OEM versions of Win95, and
they're not easy to find in the Resource Kit help file on the install CD,
which is neither installed nor referenced by default. 

Some rather astute people spent days looking for a way to disable password 
caching, and they couldn't find it. Their messages are on my list archive.

There is currently *no way* for the administrator of a public Windows 95 
lab to have any confidence that password caching has been turned off. All 
it takes is one malicious user -- or one innocent user who wants to 
disable system policies for other reasons -- and all passwords used from 
that machine are compromised.

We started whining about this on November 1; see 
gopher://quixote.stanford.edu/1m/win95netbugs.

-rich





Thread