From: “Iain Collins” <icollins@scotland.net>
To: <cypherpunks@toad.com>
Message Hash: 7bb8b931fd9d274997ee3029db10128d46c59b567d679ee807646ff3e023e8c4
Message ID: <002301bd8e39$c8b18880$c7f3b094@webadmin.sol.co.uk>
Reply To: <19980602152326.B32084@caffeine.ix.net.nz>
UTC Datetime: 1998-06-02 15:20:43 UTC
Raw Date: Tue, 2 Jun 1998 08:20:43 -0700 (PDT)
From: "Iain Collins" <icollins@scotland.net>
Date: Tue, 2 Jun 1998 08:20:43 -0700 (PDT)
To: <cypherpunks@toad.com>
Subject: RE: Counterpane Cracks MS's PPTP
In-Reply-To: <19980602152326.B32084@caffeine.ix.net.nz>
Message-ID: <002301bd8e39$c8b18880$c7f3b094@webadmin.sol.co.uk>
MIME-Version: 1.0
Content-Type: text/plain
As reguards:
> Previous security foobars by M$:
>
> NT C2 <---- LOL!!!
I beleive that no operating system has ever been given a C2 certification,
and that only indiviual installations can be certifed.
This requries that each installation be transported and conducted under
armed guard, which is case with certain US government Microsoft NT
Workstation installations.
It is also stated (somewhere, but I don't have the details to hand) that no
C2 rated system should be plugged in to an external network connection (i.e.
the internet), and that only connections to secure LAN's/WAN's are permitted
(otherwise the C2 certification is meaningless, hence why NT Sever has never
been C2 certified IIRC).
I would be grateful if anyone can categorically deny or in any way support
this.
> Auto-Launch attached binaries in E-Mail <-- Can we say GoodTimes?
The GoodTimes virus was, according to the DOE's CAIC a hoax. This is also my
personal opinion. This is what DOE's CAIC have to say:
http://ciac.llnl.gov/ciac/CIACHoaxes.html#goodtimes
Or, more amusingly.
http://ciac.llnl.gov/ciac/CIACHoaxes.html#goodspoof
However All E-mail readers that support HTML & JavaScript/Java/Active-X are
inherantly insecure. This inlcudes Netscape Navigator and Microsoft Outlook,
where mearly the act of previewing a malicious message can cause adverse
effects.
If anyone were to include a embed a malicious Java or Active-X control then
the supposed sandbox in Windows 9X/NT would be ineffectual as one could
conceviably create a control which could execute software anywhere on the
hard disk (this has already been done using both Active-X and IE under
Windows 95). Thus it follows that it could determain what viewer it is being
read under and execute any other attachments in the same e-mail from where
the are stored (in Netscape/Outlook) which could then... <please complete
this sentence using your own words>
Iain Collins, icollins@sol.co.uk
Return to June 1998
Return to “Xcott Craver <caj@math.niu.edu>”