[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: Counterpane Cracks MS's PPTP



As reguards:

> Previous security foobars by M$:
>
> NT C2 <---- LOL!!!

I beleive that no operating system has ever been given a C2 certification,
and that only indiviual installations can be certifed.

This requries that each installation be transported and conducted under
armed guard, which is case with certain US government Microsoft NT
Workstation installations.

It is also stated (somewhere, but I don't have the details to hand) that no
C2 rated system should be plugged in to an external network connection (i.e.
the internet), and that only connections to secure LAN's/WAN's are permitted
(otherwise the C2 certification is meaningless, hence why NT Sever has never
been C2 certified IIRC).

I would be grateful if anyone can categorically deny or in any way support
this.

> Auto-Launch attached binaries in E-Mail <-- Can we say GoodTimes?

The GoodTimes virus was, according to the DOE's CAIC a hoax. This is also my
personal opinion. This is what DOE's CAIC have to say:
http://ciac.llnl.gov/ciac/CIACHoaxes.html#goodtimes
Or, more amusingly.
http://ciac.llnl.gov/ciac/CIACHoaxes.html#goodspoof

However All E-mail readers that support HTML & JavaScript/Java/Active-X are
inherantly insecure. This inlcudes Netscape Navigator and Microsoft Outlook,
where mearly the act of previewing a malicious message can cause adverse
effects.

If anyone were to include a embed a malicious Java or Active-X control then
the supposed sandbox in Windows 9X/NT would be ineffectual as one could
conceviably create a control which could execute software anywhere on the
hard disk (this has already been done using both Active-X and IE under
Windows 95). Thus it follows that it could determain what viewer it is being
read under and execute any other attachments in the same e-mail from where
the are stored (in Netscape/Outlook) which could then... <please complete
this sentence using your own words>

Iain Collins, [email protected]