From: Chris Wedgwood <chris@cybernet.co.nz>
To: “William H. Geiger III” <jya@pipeline.com>
Message Hash: 02798876a649e2ca78e032a7bb6f74828a8b565adf4dca44abc4a4920d774504
Message ID: <19980602152326.B32084@caffeine.ix.net.nz>
Reply To: <Version.32.19980601122218.00fbc410@pop.pipeline.com>
UTC Datetime: 1998-06-02 03:24:24 UTC
Raw Date: Mon, 1 Jun 1998 20:24:24 -0700 (PDT)
Subject: Re: Counterpane Cracks MS's PPTP
On Mon, Jun 01, 1998 at 04:24:44PM -0500, William H. Geiger III wrote:

> Previous security foobars by M$:
>
> NT C2 <---- LOL!!!

Standard marketroid talk, I think M$ still tout this, but not so loudly
these days. Last I heard they were trying to get C2 with network
connectivity, but that was a while ago (2 years?) so they may have given up.
I'm sure I would have heard if it had.

That said, C2 doesn't necessarily buy you all that much.

> Active X <---- Who was the brain child that thought *that* up?

Sure it sucks, it sucks for lots of reasons. But for the average luser it's
still better than plugins so that's why it's taken off. And what makes
downloading a plugin and installing that any better?

> Auto-Launch attached binaries in E-Mail <-- Can we say GoodTimes?

Can anyone confirm that this has indeed been fixed yet?

I should also point out that buffer overflow bugs have been known for some
time (years?) with various unix mailers and their handling of .mailcap which
essentially amounts to the same thing.

> Crypto-API <--- Right I would *trust* that. Honest. :)

Does anyone have a list of design and implementation flaws for CAPI? I've
had discussions with a couple of people about these, but never seen anything
published.

> TCP/IP Stack <--- Too many flaws to list.

Yeah... it's crap, but not necessarily that much worse than some of the
others out there. If someone were keeping score on which stacks held up the
best against all the attacks of the last two years it probably wouldn't be
the worst.

> Why would anyone trust these simpletons to produce any type of security
> product?

Sure. 95% of the population does.

People need to be educated about important issues, and using lots of
complicated gobbledygook doesn't help. If you, like me, have a loved one
that isn't terribly interested in computers or encryption, then see if the
phrase 'modular exponentiation' doesn't kick their eye-glaze-secreting gland
into overdrive.

I guess this is something Bruce Schneier has done well - a report for
technical people who will read it, laugh and say they aren't surprised, and
press releases with LOTS OF BIG LETTERS AND SMALL WORDS for the rest of the
population including morons that are the media.

I think everyone is waiting for NT5. Multi-user NT is at best an interesting
concept. I remember at university using (arguably buggy) unix boxen with
200+ users simultaneously, with relatively few problems, but I'll be really
surprised if NT could get close to this....

I am so looking forward to NT5, it should prove to be very entertaining and
perhaps a really good opportunity to educate the public.

OK, getting bored with this reply now, so here it goes, errors and all....

-Chris

P.S. How does M$ sidestep the ITAR with ipsec code in Win98/NT5?