1998-06-02 - Re: Counterpane Cracks MS’s PPTP

Header Data

From: Alan <alan@ctrl-alt-del.com>
To: Chris Wedgwood <chris@cybernet.co.nz>
Message Hash: 3fb8892c02be3785db24546fca38b85d764b1a56592b6c005bf7c780a0af5064
Message ID: <3.0.5.32.19980601220343.04443930@ctrl-alt-del.com>
Reply To: <199806012143.QAA018.23@geiger.com>
UTC Datetime: 1998-06-02 05:23:25 UTC
Raw Date: Mon, 1 Jun 1998 22:23:25 -0700 (PDT)

Raw message

From: Alan <alan@ctrl-alt-del.com>
Date: Mon, 1 Jun 1998 22:23:25 -0700 (PDT)
To: Chris Wedgwood <chris@cybernet.co.nz>
Subject: Re: Counterpane Cracks MS's PPTP
In-Reply-To: <199806012143.QAA018.23@geiger.com>
Message-ID: <3.0.5.32.19980601220343.04443930@ctrl-alt-del.com>
MIME-Version: 1.0
Content-Type: text/plain


At 03:23 PM 6/2/98 +1200, Chris Wedgwood wrote:
>
>On Mon, Jun 01, 1998 at 04:24:44PM -0500, William H. Geiger III wrote:
>
>> Previous security foobars by M$:
>> 
>> NT C2 <---- LOL!!!
>
>Standard marketroid talk, I think M$ still tout this, but not so loudly
>these days. Last I heard they were trying to get C2 with network
>connectivity, but that was a while ago (2 years?) so they may have given up.
>I'm sure I would have heard if it had.
>
>That said, C2 doesn't necessarily buy you all that much.

Is this not what they claimed when they sold NT to the Air Force?  Judging
by some of the Air Force software I have seen, this frightens me more than
most things.

>> Active X <---- Who was the brain child that thought *that* up?
>
>Sure it sucks, it sucks for lots of reasons. But for the average luser it's
>still better than plugins so that's why it's taken off. And what makes
>downloading a plugin and installing that any better?

You have a little more control over plug-ins.

>> Auto-Launch attached binaries in E-Mail <-- Can we say GoodTimes?
>
>Can anyone confirm that this has indeed been fixed yet?
>
>I should also point out that buffer overflow bugs have been known for some
>time (years?) with various unix mailers and their handling of .mailcap which
>essentially amounts to the same thing.

But those are specific to the client.  Most Unix users know better.

>> Crypto-API <--- Right I would *trust* that. Honest. :)
>
>Does anyone have a list of design and implementation flaws for CAPI? I've
>had discussions with a couple of people about these, but never seen anything
>published.

I know of one, but I cannot release details yet.  (I did not discover it
and I need to wait until the non-beta version of the product is released.)
Besides, I have been told I will be killed if I reveal it before it is time.

>> TCP/IP Stack <--- Too many flaws to list.
>
>Yeah... it's crap, but not necessarily that much worse than some of the
>others out there. If someone were keeping score on which stacks held up the
>best against all the attacks of the last two years it probably wouldn't be
>the worst.

A great deal of this blame can be placed on the WinSock spec.  The spec was
quite "loose" in many details of the implementation.  You could be
compliant and still not be able to deal with much of the software out
there.  My vote for bad PC stack of the century was the one put out by Sun.
 Not even close to compatible...

>> Why would anyone trust these simpletons to produce any type of security
>> product?
>
>Sure. 95% of the population does.

Sturgeon's law applies to people as well...

>People need to be educated about important issues, and using lots of
>complicated gobbledygook doesn't help. If you, like me, have a loved one
>that isn't terribly interested in computers or encryption, then see if the
>phrase 'modular exponentiation' doesn't kick their eye-glaze-secreting gland
>into overdrive.

Most everything involving computers tends to do that.

>I guess this is something Bruce Schneier has done well - a report for
>technical people who will read it, laugh and say they aren't surprised, and
>press releases with LOTS OF BIG LETTERS AND SMALL WORDS for the rest of the
>population including morons that are the media.

You can type it out in clear, short sentences and the media will still
screw it up.  If you have no clue as to what you are writing about, the
accuracy of what you write will suffer.

>I think everyone is waiting for NT5. Multi-user NT is at best an interesting
>concept. I remember at university using (arguably buggy) unix boxen with
>200+ users simultaneously, with relatively few problems, but I'll be really
>surprised if NT could get close to this....

Multi-user NT is available now.  Citrix and NCD both have versions out now.
 (Both are based on NT 3.51.  They would have released a 4.0 product long
ago, but Microsoft wanted the product for themselves.)  The server load
seems to be about 50 users per box.   Depends on what you are running.

>I am so looking forward to NT5, it should prove to be very entertaining and
>perhaps a really good opportunity to educate the public.

Assuming that they can be educated.  Better to offer them a choice.  It is
hard to say "X is bad" unless you have an alternative.





