From: "What we're dealing with here is a blatant disrespect of the law!" <mudge@l0pht.com>
Date: Sun, 11 Aug 1996 20:31:06 +0800
To: Vin McLellan <vin@shore.net>
Subject: Re: F2 hash?
In-Reply-To: <v02130503ae313d72ccb8@[206.243.160.206]>
Message-ID: <Pine.BSD/.3.91.960811054832.7724C-100000@l0pht.com>
MIME-Version: 1.0
Content-Type: text/plain





On Fri, 9 Aug 1996, Vin McLellan wrote:

>        As Cerridwyn Llewyellyn <ceridwyn@wolfenet.com> reported, Mudge --
> posed and celebrated on page 40-something of last month's WiRed -- told the
> DefCon audience that SDTI's lawyers were after him, threatening something
> dire, so he was not going to release his "white paper" on weaknesses in the
> ACE/SecurID system for several months.  Instead, he delivered a talk on
> s/key vulnerabilities.
> 
>         This was weird, because I *knew* Security Dynamics had neither
> consulted nor asked their lawyers to do anything about Mudge's speech on
> SecurID vulnerabilities.  It would have been a fool's ploy: silly and
> counterproductive.
> 
>         John and I took Mudge out for dinner right after that speech. He
> told us then that he had inadvertently misspoken when he blamed his
> temporary silence on SDTI's lawyers. The real problem, he said, was with
> bullying lawyers from two corporate clients he is now under contract to in
> his day job.
> 
>         (He didn't explain this further, but I understood that Mudge is
> working for two firms which have access to SDTI plans and trade secrets
> under non-disclosure agreements.  The firms were apparently worried about
> their liability -- given their promises to SDTI and Mudge's work in their
> employ.  Mudge may want to elaborate on this.  Or not.)
> 

Hrmmm. Let me set the record straight here. Lest people think I would 
violate nda agreements upon end of contracts. sigh.

First, I am not under any NDA agreement with STDTI. All of my research 
and work on the SecurID token cards was done independently from any of 
the companies I am currently contracting for (I noticed that there were 
several problems with the system and that's enough to set me off on 
something).

Second, while I did refrain from going into specifics on SecurID 
vulnerabilities at the talk - I did give one on some of the problems with 
OTP's in general. S/Key happened to be a good example to use in 
illustration as a large portion of the audience there was familiar with 
it. Many of the vulnerabilities mentioned there hold true to SecurID.

Third, and most important, the reason I refrained from giving the SecurID 
talk was that the two companies I am doing some security related contract 
work for both employ this technology in varying degrees. I have explained 
the problems that I have found to these companies and they are quite 
concerned. I believe it would be un-ethical to give out instructions on 
how to break through SecurID, thus leaving networks vulnerable that I am 
being paid to help secure before the problem has been addressed locally 
(I like being able to put food on the table). The information will be made 
public in the near future. SDTI has been made aware of these problems 
(some of which were presented to them almost a year ago).

I don't dislike SecurID. I am quite happy to have made Vin and John's 
acquaintance as they are both wonderfull people. I do feel that there are 
problems with SecurID that exist largely due to the card being sold into 
an environment that it was not designed for (a little thing called the 
internet).

I just wanted to set the record straight as I realised that the inital 
statements that Vin made could be mis-interpreted and potentially impact my 
image to future employers (though I know that this was not his intention).

cheers,

.mudge

PS I do not currently read / keep up with the cypherpunks list. So I 
probably will only see the bits of this thread that are forwarded to me.