My response to something appearing in today's CRYPTO-GRAM:

> The Doghouse: Internet Security Foundation
> <http://www.schneier.com/blog/archives/2004/12/the_doghouse_in.html>
>
> This organization wants to sell their tool to view passwords in
> textboxes "hidden" by asterisks on Windows. They claim it's "a glaring
> security hole in Microsoft Windows" and a "grave security risk." Their
> webpage is thick with FUD, and warns that criminals and terrorists can
> easily clean out your bank accounts because of this problem.
>
> Of course the problem isn't that users type passwords into their
> computers. The problem is that programs don't store passwords
> securely. The problem is that programs pass passwords around in
> plaintext. The problem is that users choose lousy passwords, and then
> store them insecurely. The problem is that financial applications are
> still relying on passwords for security, rather than two-factor
> authentication.
>
> But the "Internet Security Foundation" is trying to make as much noise
> as possible. They even have this nasty letter to Bill Gates that you
> can sign (36 people signed, the last time I looked). I'm not sure what
> their angle is, but I don't like it.
>
> <http://www.internetsecurityfoundation.org/>

Any website, I don't care WHO it is, that asks people to "email their friends about the problem" and/or has a form-letter generator to send complaints to Bill Gates is not worth its weight in my mind as a competent security entity. Also note that despite its claims as a "foundation" it seems to be nothing more than a pet project by its founder, who is the CEO of a small software company and who has no security experience whatsoever.

FUD-filled website indeed:

"According to a poll released by ISF, 86% of those polled believed that passwords disguised as asterisks were securely protected, when in fact, they aren't normally protected and can be easily viewed by using software like SeePassword."

Asterisks don't protect passwords from anything more than a clueless shoulder-surfer... Bruce is right -- this has FUD written all over it.

-rick
Infowarrior.org
