Passport Passwords Stored in Plaintext

P.J. Ponder ponder at freenet.tlh.fl.us
Fri Oct 5 17:51:14 EDT 2001


The original proposal for dot-net was to *centralize* all of the personal
information at one location.  This part may be changing with recent
capitulations regarding, of all things, interoperability.  This idea of
centralizing everyone's personal information is the scary part of all this
to me, even recognizing how permeable and abuse-ready the company's
software seems to be.


on another topic -
Has anyone thought about how a scheme like .Net could be aided by
'reasonable and non-discriminatory (RAND)' licensing terms creeping into
W3C Recommendations?  Now there is a scary thought....

IIS (Ignorance Is Strength)


On Fri, 5 Oct 2001, Joseph Ashwood wrote:

> ----- Original Message -----
> From: "bernie" <metaphone at eudoramail.com>
>
> > Some of the people here want to use the .NET for critical applications.
>
> I'm sorry.
>
> > How secure is the .NET?
>
> The short answer is that it isn't secure. There are two main problems with
> it being secure. The first is the password vulnerability that you replied
> to. The second is that it uses a custom blended Kerberos-esque
> implementation. I say Kerberos-esque because it has some significant
> problems. First it uses RC4, a cipher which is increasingly being considered
> insecure, and in using it Windows doesn't take the precautions necessary to
> make it secure. They are the only company foolish enough to have embedded
> access control information in the Kerberos ticket; this adds even more
> leaking information, and just enough of it to determine the user's password.
> Basically they have made nearly every effort to eliminate the security of the
> system while making it appear secure to a layman. For further evidence that
> Microsoft can't do anything secure I point to (in no particular order) IIS,
> pptp, pptp2, Internet Explorer, Outlook Express, Windows 95, Windows98,
> WindowsME, WindowsNT, Windows2000, and while I haven't verified it yet I
> believe also WindowsXP. Some of these probably need some explanation. IIS
> is the script kiddie choice; it has more holes than a pound of Swiss cheese.
> pptp was severely broken, pptp2 was slightly less severely broken. Internet
> Explorer has had so many security vulnerabilities I can't even count that
> high. Outlook Express is a virus writer's dream. Windows95 offered no
> security, same with 98 and ME. WindowsNT is subject to extremely basic
> attacks on the password system that Microsoft refused to recognise, same
> with 2000, and probably the same with XP. In 2000 MS introduced a "secure"
> encrypted filesystem which lacked any reasonable ability to encrypt
> documents securely (it put the keys in a file in plaintext, the file is
> easily readable). Even the cryptoAPI that Microsoft designed and offered has
> holes in it, allowing arbitrary code to be run in the place of what the
> programmer intended. I am unaware of anything Microsoft has ever written
> that could be considered secure and there is evidence that they plan to
> continue this less than stellar performance with .NET.
>                     Joe
>
>
>
>
> ---------------------------------------------------------------------
> The Cryptography Mailing List
> Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com
>



