http://www.wired.com/news/technology/0,1282,36336,00.html
Critics Blast MS Security
by Declan McCullagh ([EMAIL PROTECTED])
3:00 a.m. May. 16, 2000 PDT
If you're a Windows 2000 user, be warned: Your security software may
not work the way you think it does.
Microsoft intentionally designed Windows 2000 so that export versions
can use a notoriously weak encryption method to scramble information
sent over the Internet and intranets, leaving sensitive data exposed
to hackers and eavesdroppers.
This design choice has alarmed security experts, not least because so
many Microsoft products recently have had so many problems. The
company spent the last week acknowledging embarrassing security holes
in its Hotmail service, Internet Explorer browser, and Outlook mail
client.
A Microsoft manager on Monday defended why Windows 2000 computers in
some circumstances switch from the highly secure triple-DES algorithm
to the notoriously weak single-DES variant. Triple-DES is up to 70,000
trillion times stronger.
Ron Cully, lead program manager for Windows networking, said that
companies might have thousands of machines and some might not have
triple-DES installed. Because of U.S. export and other import
restrictions, Microsoft ships triple-DES in a separate "high
encryption pack."
"It's somewhat expected behavior that someone will misconfigure an end
system and not install the high-security pack," Cully said. Having at
least some encryption is better than nothing, he said.
That's not the point, charge Cully's peers at other companies that are
working on the same security standard, called IPsec. In a
no-holds-barred critique that began last week on the IPsec mailing
list -- run by the Internet Engineering Task Force -- they argued it
was another example of slipshod Microsoft security.
Their beef: If two Windows 2000 computers without triple-DES are
talking and the system administrator has configured triple-DES-only
links, only single-DES gets used. The only error shown is an invisible
one -- in an audit log file -- so users may have a false sense of
security.
"From an administrator perspective, it is hard to imagine how a
security hole could be worse: Windows lets you think all is OK but in
reality something else happens on the wire," wrote Sami Vaarala of
NetSeal Technologies, an information security firm in Espoo, Finland.
"This is *seriously* brain-damaged. I've given up expecting good
software design from Microsoft (actually, from most vendors), since
they (and everyone else) are far too arrogant about their abilities to
design and write error-free code," Steve Bellovin, a cryptologic
researcher at AT&T, wrote on the IPsec list last week.
[...]
