
.PWL spin



The Seattle Times has a rather large article this morning (12/9/95) about
Microsoft's .PWL encryption weakness.  Selected quotes are provided for your
entertainment and enlightenment (give yourself one point for each piece of
inaccurate/incomplete information or spin you can find).

Security flaw in Windows 95 to be fixed

Microsoft got word of the flaw from an Internet e-mail exchange last week
that included a short computer program for "hacking," or decrypting,
passwords contained in .pwl (password list) files.  The company immediately
began working on a fix.

"We wanted to be proactive on this before it became a problem," said Rob
Bennett, Windows 95 product manager.  The company has received no customer
complaints related to the issue and knows of no security breaches, Bennett said.

"There are people out there who will stay up all night cranking out code to
break any encryption," Bennett said.

(This was followed by some good quotes from Frank Stevenson, who wrote the
cracking code, on the seriousness of the weakness.  I was a little surprised
to see the reporter listed Frank's e-mail address in the article.  Frank, if
you're reading this, did you give Paul Andrews permission?  To me, this
seems like listing someone's telephone number and address in the body of an
article.)

Microsoft said it plans to strengthen the encryption, Bennett said.
Password data will be stored randomly, making it harder to find on the
computer, he added.

Microsoft recommends that information-systems directors disable password
storage until the fix is released.

One system administrator said the problem would have a greater effect on
less-secure environments, such as universities and other institutions, than
on corporations.