
Re: Counterpane Cracks MS's PPTP



On Mon, Jun 01, 1998 at 10:03:43PM -0700, Alan wrote:

> >That said, C2 doesn't necessarily buy you all that much.
> 
> Is this not what they claimed when they sold NT to the Air Force?  Judging
> by some of the Air Force software I have seen, this frightens me more than
> most things.

Either M$ lied, or the Air Force should know better. In the former, the Air
Force should sue M$, but more likely it's the latter. Why should the Air
Force have clue-full people when most large corporates, banks, governments,
IT companies and software companies do not?

Governments with large databases full of all your personal details and banks
with all your financial details are two really good examples of
organizations which should do a good job with system security and
reliability but invariably do the worst (some exceptions apply).

> >Sure it sucks, it sucks for lots of reasons. But for the average luser it's
> >still better than plugins so that's why it's taken off. And what makes
> >downloading a plugin and installing that any better?
> 
> You have a little more control over plug-ins.

It doesn't really buy much. Most people will blindly download anything and
install it. If it doesn't install the first time by finding all the right
file locations, etc. and allowing the user to click Next every time, they
will start deleting files at random trying to remove it.

Perhaps I'm overstating things, but I'm a tad jaded from having to make
documentation and software work for morons (the public at large).

> But those are specific to the client.  Most Unix users know better.

The M$ example is confined to a specific client. Many unix users use unix
because they are required to, these people are probably as clue-less as
luse95 users.

On average the number of clue-full 95 users against the number of clue-full
unix users is probably 10:1 despite luse95's large user base, quoting numbers
which I just made up of course and clue-full being defined by me, and able
to be redefined whenever I feel like it.

This is all beside the point - someone mentioned that a M$ mailer had a very
nasty bug, I just pointed out that can and has also occurred elsewhere.

> >Does anyone have a list of design and implementation flaws for CAPI? I've
> >had discussions with a couple of people about these, but never seen
> >anything published.
> 
> I know of one, but I cannot release details yet.  (I did not discover it
> and I need to wait until the non-beta version of the product is released.)
> Besides, I have been told I will be killed if I reveal it before it is
> time.

It can wait. It seems plenty of others are waiting.... 
 
> >Yeah... it's crap, but not necessarily that much worse than some of the
> >others out there. If someone were keeping score on which stacks held up
> >the best against all the attacks of the last two years it probably
> >wouldn't be the worst.
> 
> A great deal of this blame can be placed on the WinSock spec.  The spec
> was quite "loose" in many details of the implementation.  You could be
> compliant and still not be able to deal with much of the software out
> there.  

The issues most people complain about are not related to the WinSock API,
but poor coding in the stack that makes stack overflows and memory buffer
corruption trivial. Similar bugs used to exist in the *BSD and linux stacks,
as with the streams library used by SCO and Solaris (although maybe solaris
has something funny there).

> My vote for bad PC stack of the century was the one put out by Sun.
> Not even close to compatible...

No, my shit-stack-of-the-week (I just decided now) goes to the Ultrix stack
which barfs on unknown tcp options and hence is completely fucked when trying
to communicate with recent *BSD or linux boxes, solaris and possibly
Win98/NT5.

> Sturgeon's law applies to people as well...

?

Sorry... don't know it.
 
> >People need to be educated about important issues, and using lots of
> >complicated gobbledygook doesn't help. If you, like me, have a loved one
> >that isn't terribly interested in computers or encryption, then see if
> >the phrase 'modular exponentiation' doesn't kick their
> >eye-glaze-secreting gland into overdrive.
> 
> Most everything involving computers tends to do that.

Only because people are fed bullshit and lies by 80% of the industry
'consultants' who don't know much and use big words to cover this up.

I really think people would be much more willing if they weren't fed so
much crap at times.

> You can type it out in clear, short sentences and the media will still
> screw it up.  If you have no clue as to what you are writing about, the
> accuracy of what you write will suffer.

Again, the above applies, but bear in mind that most people in the modern
media have little interest in the truth unless it helps sales, and if not
then just 'modify the story a bit'. 

It also helps to consider that most reporters are pretty dumb and lack any
real qualifications to talk about the things that they do, PC rag. editors
being a really good example.


Let's face it, we use the 'net and crypto, so we are dirty filthy perverted
paedophile unabomber criminals who are going to pervert the youth and
corrupt the American way. If you deny this it just proves what an
untrustworthy person you are.

> Multi-user NT is available now. Citrix and NCD both have versions out now.
> (Both are based on NT 3.51. They would have released a 4.0 product long
> ago, but Microsoft wanted the product for themselves.) The server load
> seems to be about 50 users per box. Depends on what you are running.

Slightly different than NT5 though... I know people working on large Citrix
boxes with 2GB of ram and they speak quite highly of it, but their 40+ users
are running custom apps. with an NT4 like gui.

I'm not so sure it would work so great with 10+ people running Visual C++ to
compile and debug code.... whereas unix boxen have been doing this for
years with 500+ people.

What really sucks is there are some nice ideas in bits of NT, only what
little kewl stuff there is has lost all credibility because of the
atrociously large bloated buggy code that constitutes the other 99% of it.

> Assuming that they can be educated.  Better to offer them a choice.  It is
> hard to say "X is bad" unless you have an alternative.

The real shame in all this is there is no really viable choice to the evil
borg. Not yet anyhow....



-Chris