From: Rich Graves <llurch@networking.stanford.edu>
Date: Sat, 13 Jan 1996 01:15:41 +0800
To: cypherpunks@toad.com
Subject: [CORRECTION] Microsoft continues to mislead public about Windows security
In-Reply-To: <199601120042.TAA18188@bb.hks.net>
Message-ID: <Pine.ULT.3.91.960111181406.5422B-100000@Networking.Stanford.EDU>
MIME-Version: 1.0
Content-Type: text/plain


In a couple of silly posts, I'd uncritically repeated a Bob Cringely piece
in the December 10th InfoWorld (plus various other sources) without
adequately verifying the facts. I hope this will clear some things up. 

First, NT was C2-certified in a specific configuration as a standalone
workstation only, not as a network server. So any points about NT's C2
security being compromised by the following problems are *moot* and should
be ignored.

1. NetWare Services lets you know when you try to log on as a user that 
   doesn't exist, rather than asking for a password. Real NetWare servers 
   do the right thing.

2. Because of a common user error, documentation errors, and a couple bugs,
   it is possible to gain read-only access to the root directory of many 
   NT FTP servers (20% of the known NT servers at Stanford when I checked --
   this has been fixed) by giving a nonexistent username and password,
   for example, cypherpunks/cypherpunk, to Microsoft's FTP server.

These aren't important, because Microsoft does not claim that NT Server,
as a server, is C2-secure; only many authorized distributors do. 

Also, the note that NetWare was C2-certified is misleading. I've been 
told and find credible (but have not verified) that NetWare was only 
certified in an unusual environment with packet-encrypting NICs.

The rest was true. The main point was that Microsoft continues to make
statements that are clearly at variance with the truth concerning the 
acknowledged .PWL, IPX SAP, and SMB bugs, among others. 

Microsoft has yet to revise several known incorrect pertinent articles in
their "Knowledge" Base technical/marketing database, which you can search
via: 

  http://www-leland.stanford.edu/~llurch/win95netbugs/kb.html

Incorrect articles include Q92588, Q90210, Q36634, Q103887, Q120554, and
especially Q90271.

The specific URL for each of these articles is:

  http://www.microsoft.com/kb/peropsys/windows/{ID}.htm

For example, the article that purports to contain technical information on
why you can trust the security of .PWL files is: 

  http://www.microsoft.com/kb/peropsys/windows/Q90271.htm

Also, http://www.windows.microsoft.com/windows/software/mspwlupd.htm, the
PR on the "fix" for the acknowledged .PWL bugs in Win95 (the same bugs
exist in Windows 3.11, but Microsoft has not acknowledged this or
committed to fixing it), is clearly incorrect. It says that the new
algorithm is 2^96 times more secure because it uses a larger key. Besides
the fact that the extreme weakness of the .PWL algoritm has nothing
whatsoever to do with the key size, the new algorithm does not use 128
random bits. Like many other exportable algorithms, the key size is 128
bits, but only 40 bits are random. 

By the way, neither I nor the comp.risks moderator have heard a peep from
any Microsoft source in any newsgroup or mailbox. This I find somewhat
disheartening. We know that there are at least five microsoft.com
addresses on cypherpunks because we all got bounced email when Microsoft
broke their mail gateway. 

Cat got your tongue?

-rich
 owner-win95netbugs@lists.stanford.edu
 ftp://ftp.stanford.edu/pub/mailing-lists/win95netbugs/
 ftp://ftp.demon.co.uk/pub/mirrors/win95netfaq/
 gopher://quixote.stanford.edu/1m/win95netbugs
 http://www-leland.stanford.edu/~llurch/win95netbugs/faq.html
 http://www.mari.su/guide/win95/faq.html
 rich@c2.org
 http://www.c2.org/hackmsoft/