Rubber hose attack

Rick Smith at Secure Computing rick_smith at securecomputing.com
Fri Nov 2 17:03:14 EST 2001


At 11:59 AM 11/2/2001, vertigo wrote:

>I'm sorry, but I think I entered this thread a little late.  What was
>being said about .NET?  I know very little about it, but from what you
>have said it sounds pretty scary.

The thread started with an op-ed piece by Diffie and Landau about MS .Net, 
briefly noting vulnerability reports about Microsoft's latest 'wallet' 
(called "Passport" and produced as part of .Net). Evidently the early 
version was storing passwords in a format that made them trivial to recover.

I think we can all agree that this is a Bad Idea, and that MS might have 
faced a good deal of liability and negative press if the system had been 
on-line and their .Net partners had been offering anything worth stealing.

While I prefer to see enterprises deploy strong security measures 
(especially ones they buy from us :->) it's important to acknowledge how 
much risk we routinely take, both personally and when operating businesses. 
We all settle for less than cosmically perfect automobiles, and they pose 
far more serious risks to us than credit card fraud.


Rick.
smith at securecomputing.com            roseville, minnesota
"Authentication" in bookstores http://www.visi.com/crypto/




---------------------------------------------------------------------
The Cryptography Mailing List