Politech mailing list archives
FC: Critics blast Windows 2000 security and quiet use of bad encryption
From: Declan McCullagh <declan () well com>
Date: Tue, 16 May 2000 08:55:24 -0400
http://www.wired.com/news/technology/0,1282,36336,00.html Critics Blast MS Security by Declan McCullagh (declan () wired com) 3:00 a.m. May. 16, 2000 PDT If you're a Windows 2000 user, be warned: Your security software may not work the way you think it does. Microsoft intentionally designed Windows 2000 so that export versions can use a notoriously weak encryption method to scramble information sent over the Internet and intranets, leaving sensitive data exposed to hackers and eavesdroppers. This design choice has alarmed security experts, not least because so many Microsoft products recently have had so many problems. The company spent the last week acknowledging embarrassing security holes in its Hotmail service, Internet Explorer browser, and Outlook mail client. A Microsoft manager on Monday defended why Windows 2000 computers in some circumstances switch from the highly secure triple-DES algorithm to the notoriously weak single-DES variant. Triple-DES is up to 70,000 trillion times stronger. Ron Cully, lead program manager for Windows networking, said that companies might have thousands of machines and some might not have triple-DES installed. Because of U.S. export and other import restrictions, Microsoft ships triple-DES in a separate "high encryption pack." "It's somewhat expected behavior that someone will misconfigure an end system and not install the high-security pack," Cully said. Having at least some encryption is better than nothing, he said. That's not the point, charge Cully's peers at other companies that are working on the same security standard, called IPsec. In a no-holds-barred critique that began last week on the IPsec mailing list -- run by the Internet Engineering Task Force -- they argued it was another example of slipshod Microsoft security. Their beef: If two Windows 2000 computers without triple-DES are talking and the system administrator has configured triple-DES-only links, only single-DES gets used. The only error shown is an invisible one -- in an audit log file -- so users may have a false sense of security. "From an administrator perspective, it is hard to imagine how a security hole could be worse: Windows lets you think all is OK but in reality something else happens on the wire," wrote Sami Vaarala of NetSeal Technologies, an information security firm in Espoo, Finland. "This is *seriously* brain-damaged. I've given up expecting good software design from Microsoft (actually, from most vendors), since they (and everyone else) are far too arrogant about their abilities to design and write error-free code," Steve Bellovin, a cryptologic researcher at AT&T, wrote on the IPsec list last week. [...] -------------------------------------------------------------------------- POLITECH -- the moderated mailing list of politics and technology To subscribe, visit http://www.politechbot.com/info/subscribe.html This message is archived at http://www.politechbot.com/ --------------------------------------------------------------------------
Current thread:
- FC: Critics blast Windows 2000 security and quiet use of bad encryption Declan McCullagh (May 16)