Politech mailing list archives

FC: Critics blast Windows 2000 security and quiet use of bad encryption


From: Declan McCullagh <declan () well com>
Date: Tue, 16 May 2000 08:55:24 -0400


http://www.wired.com/news/technology/0,1282,36336,00.html

   Critics Blast MS Security
   by Declan McCullagh (declan () wired com)

   3:00 a.m. May. 16, 2000 PDT
   If you're a Windows 2000 user, be warned: Your security software may
   not work the way you think it does.

   Microsoft intentionally designed Windows 2000 so that export versions
   can use a notoriously weak encryption method to scramble information
   sent over the Internet and intranets, leaving sensitive data exposed
   to hackers and eavesdroppers.

   This design choice has alarmed security experts, not least because so
   many Microsoft products recently have had so many problems. The
   company spent the last week acknowledging embarrassing security holes
   in its Hotmail service, Internet Explorer browser, and Outlook mail
   client.

   A Microsoft manager on Monday defended why Windows 2000 computers in
   some circumstances switch from the highly secure triple-DES algorithm
   to the notoriously weak single-DES variant. Triple-DES is up to 70,000
   trillion times stronger.

   Ron Cully, lead program manager for Windows networking, said that
   companies might have thousands of machines and some might not have
   triple-DES installed. Because of U.S. export and other import
   restrictions, Microsoft ships triple-DES in a separate "high
   encryption pack."

   "It's somewhat expected behavior that someone will misconfigure an end
   system and not install the high-security pack," Cully said. Having at
   least some encryption is better than nothing, he said.

   That's not the point, charge Cully's peers at other companies that are
   working on the same security standard, called IPsec. In a
   no-holds-barred critique that began last week on the IPsec mailing
   list -- run by the Internet Engineering Task Force -- they argued it
   was another example of slipshod Microsoft security.

   Their beef: If two Windows 2000 computers without triple-DES are
   talking and the system administrator has configured triple-DES-only
   links, only single-DES gets used. The only error shown is an invisible
   one -- in an audit log file -- so users may have a false sense of
   security.

   "From an administrator perspective, it is hard to imagine how a
   security hole could be worse: Windows lets you think all is OK but in
   reality something else happens on the wire," wrote Sami Vaarala of
   NetSeal Technologies, an information security firm in Espoo, Finland.

   "This is *seriously* brain-damaged. I've given up expecting good
   software design from Microsoft (actually, from most vendors), since
   they (and everyone else) are far too arrogant about their abilities to
   design and write error-free code," Steve Bellovin, a cryptologic
   researcher at AT&T, wrote on the IPsec list last week.

   [...]

--------------------------------------------------------------------------
POLITECH -- the moderated mailing list of politics and technology
To subscribe, visit http://www.politechbot.com/info/subscribe.html
This message is archived at http://www.politechbot.com/
--------------------------------------------------------------------------

