Information Security News mailing list archives

Critics Blast MS Security


From: William Knowles <wk () C4I ORG>
Date: Tue, 16 May 2000 12:49:45 -0500

http://www.wired.com/news/print/0,1294,36336,00.html

by Declan McCullagh
3:00 a.m. May. 16, 2000 PDT

If you're a Windows 2000 user, be warned: Your security software may
not work the way you think it does.

Microsoft intentionally designed Windows 2000 so that export versions
can use a notoriously weak encryption method to scramble information
sent over the Internet and intranets, leaving sensitive data exposed
to hackers and eavesdroppers.

This design choice has alarmed security experts, not least because so
many Microsoft products recently have had so many problems. The
company spent the last week acknowledging embarrassing security holes
in its Hotmail service, Internet Explorer browser, and Outlook mail
client.

A Microsoft manager on Monday defended why Windows 2000 computers in
some circumstances switch from the highly secure triple-DES algorithm
to the notoriously weak single-DES variant. Triple-DES is up to 70,000
trillion times stronger.

Ron Cully, lead program manager for Windows networking, said that
companies might have thousands of machines and some might not have
triple-DES installed. Because of U.S. export and other import
restrictions, Microsoft ships triple-DES in a separate "high
encryption pack."

"It's somewhat expected behavior that someone will misconfigure an end
system and not install the high-security pack," Cully said. Having at
least some encryption is better than nothing, he said.

That's not the point, charge Cully's peers at other companies that are
working on the same security standard, called IPsec. In a
no-holds-barred critique that began last week on the IPsec mailing
list -- run by the Internet Engineering Task Force -- they argued it
was another example of slipshod Microsoft security.

Their beef: If two Windows 2000 computers without triple-DES are
talking and the system administrator has configured triple-DES-only
links, only single-DES gets used. The only error shown is an invisible
one -- in an audit log file -- so users may have a false sense of
security.
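The failure mode above (a 3DES-only policy quietly satisfied with single DES, visible only in an audit log) can be modelled as a policy check that fails closed versus one that downgrades. The following is an added example, not code from the article or from Windows 2000; the audit-line format, peer addresses and strength ranking are constructed for illustration.

```python
# Added example: fail-closed cipher selection versus the silent-downgrade
# behaviour the article describes, plus a scan of (constructed) audit lines.
from dataclasses import dataclass

STRENGTH = {"DES": 56, "3DES": 112}  # effective key bits; constructed ranking


@dataclass
class Policy:
    min_cipher: str          # weakest cipher the administrator allows
    fail_closed: bool = True  # False reproduces the criticised behaviour


def select_cipher(policy, peer_offers):
    """Return the cipher to use, or None when policy cannot be met.

    With fail_closed=False the strongest cipher the peer offers is used
    even when it is below policy, which is the silent downgrade."""
    offered = [c for c in peer_offers if c in STRENGTH]
    floor = STRENGTH[policy.min_cipher]
    acceptable = [c for c in offered if STRENGTH[c] >= floor]
    if acceptable:
        return max(acceptable, key=STRENGTH.get)
    if policy.fail_closed or not offered:
        return None
    return max(offered, key=STRENGTH.get)  # below policy, only logged


# Constructed audit lines: "<peer> required=<cipher> negotiated=<cipher>"
SAMPLE_AUDIT = """\
10.0.0.5 required=3DES negotiated=3DES
10.0.0.7 required=3DES negotiated=DES
10.0.0.9 required=DES negotiated=DES
"""


def find_downgrades(audit_text):
    """Return (peer, required, negotiated) for each SA weaker than policy."""
    hits = []
    for line in audit_text.splitlines():
        if not line.strip():
            continue
        peer, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        req, neg = kv["required"], kv["negotiated"]
        if STRENGTH[neg] < STRENGTH[req]:
            hits.append((peer, req, neg))
    return hits


if __name__ == "__main__":
    print(select_cipher(Policy("3DES"), ["DES"]))        # None: refused
    print(find_downgrades(SAMPLE_AUDIT))                # flags 10.0.0.7
```

Running the audit scan periodically turns the "invisible" log entry into an alert an administrator actually sees.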

"From an administrator perspective, it is hard to imagine how a
security hole could be worse: Windows lets you think all is OK but in
reality something else happens on the wire," wrote Sami Vaarala of
NetSeal Technologies, an information security firm in Espoo, Finland.

"This is *seriously* brain-damaged. I've given up expecting good
software design from Microsoft (actually, from most vendors), since
they (and everyone else) are far too arrogant about their abilities to
design and write error-free code," Steve Bellovin, a cryptologic
researcher at AT&T, wrote on the IPsec list last week.

"Users who request 3DES do so because (rightly or wrongly) they
perceive a threat model that DES can't counter. Why is their reasoning
invalid?" Bellovin asked.

Microsoft dismisses the criticism, attributing it to a philosophical
difference and arguing that its large customers don't appear to mind.

"No one has disputed this or questioned this," Cully said. "Clearly
the customers must think this is a proper approach, rather than some
people who come from a philosophical background that you manage policy
from the end system and not the directory." He said the behavior is
well documented in online and offline manuals.

"This sounds like par for the course," said William Knowles, a
consultant for c4i Secure Solutions. "You're talking about an
operating system that leaves all the security holes wide open and
makes the customer close them."

A private-sector effort led by the Electronic Frontier Foundation and
distributed.net in January 1999 broke a single-DES message in 22
hours, and government spy agencies are known to have much more
muscular computers.

Microsoft said that as of May 1, there had been 1.5 million Windows
2000 licenses sold.


*-------------------------------------------------*
"Communications without intelligence is noise;
Intelligence without communications is irrelevant."
Gen. Alfred M. Gray, USMC
---------------------------------------------------
C4I Secure Solutions             http://www.c4i.org
*-------------------------------------------------*
