________________________________________________________________________________

Wired News

Critics Blast MS Security

by Declan McCullagh

3:00 a.m. May. 16, 2000 PDT

If you're a Windows 2000 user, be warned: Your security software may not work the way you think it does.

Microsoft intentionally designed Windows 2000 so that export versions can use a notoriously weak encryption method to scramble information sent over the Internet and intranets, leaving sensitive data exposed to hackers and eavesdroppers.

This design choice has alarmed security experts, not least because so many Microsoft products recently have had so many problems. The company spent the last week acknowledging embarrassing security holes in its Hotmail service, Internet Explorer browser, and Outlook mail client.

A Microsoft manager on Monday defended why Windows 2000 computers in some circumstances switch from the highly secure triple-DES algorithm to the notoriously weak single-DES variant. Triple-DES is up to 70,000 trillion times stronger.

Ron Cully, lead program manager for Windows networking, said that companies might have thousands of machines and some might not have triple-DES installed. Because of U.S. export and other import restrictions, Microsoft ships triple-DES in a separate "high encryption pack."

"It's somewhat expected behavior that someone will misconfigure an end system and not install the high-security pack," Cully said. Having at least some encryption is better than nothing, he said.

That's not the point, charge Cully's peers at other companies that are working on the same security standard, called IPsec.

In a no-holds-barred critique that began last week on the IPsec mailing list -- run by the Internet Engineering Task Force -- they argued it was another example of slipshod Microsoft security.

Their beef: If two Windows 2000 computers without triple-DES are talking and the system administrator has configured triple-DES-only links, only single-DES gets used. The only error shown is an invisible one -- in an audit log file -- so users may have a false sense of security.

"From an administrator perspective, it is hard to imagine how a security hole could be worse: Windows lets you think all is OK but in reality something else happens on the wire," wrote Sami Vaarala of NetSeal Technologies, an information security firm in Espoo, Finland.

"This is *seriously* brain-damaged. I've given up expecting good software design from Microsoft (actually, from most vendors), since they (and everyone else) are far too arrogant about their abilities to design and write error-free code," Steve Bellovin, a cryptologic researcher at AT&T, wrote on the IPsec list last week.

"Users who request 3DES do so because (rightly or wrongly) they perceive a threat model that DES can't counter. Why is their reasoning invalid?" Bellovin asked.

Microsoft dismisses the criticism, attributing it to a philosophical difference and arguing that its large customers don't appear to mind.

"No one has disputed this or questioned this," Cully said. "Clearly the customers must think this is a proper approach, rather than some people who come from a philosophical background that you manage policy from the end system and not the directory."

He said the behavior is well documented in online and offline manuals.

"This sounds like par for the course," said William Knowles, a consultant for c4i Secure Solutions. "You're talking about an operating system that leaves all the security holes wide open and makes the customer close them."

A private-sector effort led by the Electronic Frontier Foundation and distributed.net in January 1999 broke a single-DES message in 22 hours, and government spy agencies are known to have much more muscular computers.

Microsoft said that as of May 1, there had been 1.5 million Windows 2000 licenses sold.

http://www.wired.com/news/technology/0,1282,36336,00.html