[9765] in cryptography@c2.net mail archive
Re: Rubber hose attack
daemon@ATHENA.MIT.EDU (Rick Smith at Secure Computing)
Fri Nov 2 17:46:41 2001
Message-Id: <5.1.0.14.0.20011102141543.0281cff8@STPNTMX03.sctc.com>
Date: Fri, 02 Nov 2001 16:03:14 -0600
To: vertigo <vertigo@panix.com>
From: Rick Smith at Secure Computing <rick_smith@securecomputing.com>
Cc: JohnE37179@aol.com, <Jason.Gruber@btinternet.com>,
<cryptography@wasabisystems.com>
In-Reply-To: <Pine.NEB.4.40.0111021252510.18527-100000@panix1.panix.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed

At 11:59 AM 11/2/2001, vertigo wrote:
>I'm sorry, but I think I entered this thread a little late. What was
>being said about .NET? I know very little about it, but from what you
>have said it sounds pretty scary.

The thread started with an op-ed piece by Diffie and Landau about MS .Net,
briefly noting vulnerability reports about Microsoft's latest 'wallet'
(called "Passport" and produced as part of .Net). Evidently the early
version was storing passwords in a format that made them trivial to recover.

I think we can all agree that this is a Bad Idea, and that MS might have
faced a good deal of liability and negative press if the system had been
on-line and their .Net partners had been offering anything worth stealing.

While I prefer to see enterprises deploy strong security measures
(especially ones they buy from us :->) it's important to acknowledge how
much risk we routinely take, both personally and when operating businesses.
We all settle for less than cosmically perfect automobiles, and they pose
far more serious risks to us than credit card fraud.

Rick.
smith@securecomputing.com roseville, minnesota
"Authentication" in bookstores http://www.visi.com/crypto/
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@wasabisystems.com