Re: Microsoft continues to mislead public about Windows security bugs (a bit long, with references)

[Cc'd outsiders can browse this thread on the cypherpunks list via the
public news://nntp.hks.net/hks.lists.cypherpunks; please drop the Cc line
on followups]

I just made a couple of updates to http://www.c2.org/hackmmsoft/ after
reviewing the responses trolled up in the last several hours; take a 
gander.

On further review, I don't think Peter's latest, which you run from the
DOS command prompt to email a randomly chosen password to your email
address of choice, is that serious a threat. I don't have it on a machine
I can get to now, and I'm going to be offline tomorrow, but I'd suggest
that Sameer go ahead and post the binary soon. Btw, Peter hasn't given us
the source code, and I wouldn't post it anyway, because it would make it
too easy for someone without the proper ethic to "improve" the hack. 

I just don't want us to look like the bad guys here. I think a little
patience and bending over backwards to be nice encourages non-cypherpunk
types like Peter Miller (the Access crack) to come down on the right side. 

By the way, in response to my newsgroup posting, I got a few messages that
Bill Gates had been interviewed somewhere and had said that all the
problems with Windows security were the result of the US Government's
restrictions on the export of strong cryptography.

It's nice to see the richest man in the world on the right side of at
least one issue, but this is of course complete bullshit. ITAR has nothing
whatsoever to do with these bugs. Any press who cover the issue
incorrectly should be educated about the difference between a good
implementation that can be brute-forced in X amount of time with Y amount
of computing power because the guvmint puts limits on the key size, and a
stupid implementation that is far, far less secure than (X,Y) because of
poor programming. 

-rich