Regarding http://www.nwfusion.com/news/0111ntcrypt.html
Mike Batchelor thus spake unto me:
> This page now says:
>
> ----
> Note
>
> Microsoft has raised issues with our original story. Pending an
> investigation into its claims, we have pulled the original story offline.
> ----
>
> Very interesting... MS didn't like it, must be true. :)

Since I first saw her articles in NetworkWorld back in August, Messmer's
reporting has been flawed in almost every case. The first was an uneven
treatment of DefCon attendees. I also recall an article on hacking tools
that included an inset provided by Ernst & Young. The inset contained
descriptions of a half dozen or so NT "hacking" tools like l0phtcrack,
pwdump, and BackOrifice with completely inaccurate summaries for at least
half of them. pwdump was described as a trojan. Credibility went right out
the window for both Messmer and E&Y. Between this and some of the nonsense
from Winn Schwartau in NetworkWorld, I do not have any confidence that the
magazine can provide solid, accurate security information.

Now this does not get Microsoft completely off the hook. I can understand
the distinction between NT and the FIPS Crypto Provider. However, the
statements from Microsoft I have seen only say that NT itself had not failed
anything. They don't mention the status of the FIPS module itself. The FIPS
evaluation may not be complete, as Microsoft claims, so it may not have
received a final failure, but that does not mean that issues were not
discovered in the implementation. I would suspect that Microsoft is being
allowed to address any issues discovered within a certain period of time
before a final verdict is handed out.

-paul