[19975] in bugtraq

Re: Microsoft Security Bulletin MS01-019

daemon@ATHENA.MIT.EDU (Dan Harkless)
Sat Mar 31 22:01:06 2001

Message-ID:  <200103310109.RAA19402@dilvish.speed.net>
Date:         Fri, 30 Mar 2001 17:09:41 -0800
Reply-To: Dan Harkless <dan-bugtraq@DILVISH.SPEED.NET>
From: Dan Harkless <dan-bugtraq@DILVISH.SPEED.NET>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  Message from Attonbitus Deus <Thor@HammerofGod.com> of "Fri, 30
              Mar 2001 06:40:32 PST."
              <062c01c0b927$6c1e1db0$af05a8c0@anchorsign.com>

Attonbitus Deus <Thor@HammerofGod.com> writes:
> > Considering how frequently most people tend to reuse passwords, this is
> > a pretty strong statement.  Since Microsoft states that the folder
> > password is "not related in any way to the user's network logon
> > password" with such confidence, that would seem to imply a mechanism
> > that prohibits password reuse when establishing the folder compression
> > password.
>
> What would you have them say? "... the folder password is not related in any
> way to the user's network logon, unless of course they use the same
> password, which technically would still be unrelated, but stupid.  It is
> also not related to the users' ATM PIN number, unless of course they use
> their PIN as their password which would again be unrelated, but even more
> stupid."

Their ATM PIN number has nothing to do with Windows.  Not so for their logon
password.

I think the point is that "not related in any way" is an overstatement.
Microsoft loves to use phrasing like that in their security bulletins to try
to minimize perceived severity (like how they'll always say "allows
attackers to view BUT NOT CHANGE any file on the local machine").

They should have just said something like "The password at issue here is
distinct from the user's network logon password."

----------------------------------------------------------------------
Dan Harkless                   | To prevent SPAM contamination, please
dan-bugtraq@dilvish.speed.net  | do not mention this private email
SpeedGate Communications, Inc. | address in Usenet posts.  Thank you.