5 June 1998


Date: Fri, 5 Jun 1998 07:58:58 -0400 (EDT)
From: "Andrew W. Gray" <agray@opengroup.org>
To: cypherpunks@algebra.com
Subject: FW:[bud@checkmaster.com: A violation of basic security protocol]

This came to the cert-talk mailing this a.m.
Figured everyone would get a kick out of this one.
Interesting cc list.

A/.!

------- Start of forwarded message -------
>From owner-cert-talk@mail.structuredarts.com  Fri Jun  5 03:53:10 1998
From: "Bud" <bud@checkmaster.com>
To: <schneier@counterpane.com>
Cc: "Scott Fallon" <scottfal@microsoft.com>,
        "Producer@Sciencefriday. Com" <producer@sciencefriday.com>,
        "Paul Thurrott" <thurrott@bigtent.com>,
        "Nicholas. Petreley@Wpi. Com" <nicholas.petreley@wpi.com>,
        "Michael Werner" <mikewe@microsoft.com>,
        "Michael Vizard" <Michael_Vizard@infoworld.com>,
        "Jim Louderback" <Jim_Louderback@zd.com>,
        "Jesse Berst's AnchorDesk" <anchordesk@zdnet.zdlists.com>,
        "Jeff Koch" <jeffko@microsoft.com>,
        "Dan Frumin" <dfrumin@microsoft.com>,
        "Cert-Talk@Structuredarts. Com" <cert-talk@structuredarts.com>,
        "Bradley Fikes" <fikes@ns.nctimes.com>, "Beth45" <Beth45@aol.com>
Subject: A violation of basic security protocol
Date: Fri, 5 Jun 1998 00:17:58 -0700

Dr. Schneier,
Up to last week I had a great deal of respect and
admiration for you and your accomplishments. Without
knowing you, your Applied Cryptography and your
accomplishments engendered firm respect and trust.

Then I learned that you had announced to the world
in blaring headlines that Microsoft's implementation of
PPTP was badly flawed. At your web site you went to
considerable trouble to explain both the flaw as you
view it and the methods for mounting attacks!
[See: Crack-PPTP]

Now I'm NOT a renowned cryptographer, just a reasonably
established writer. I have also, in my 50 plus year career,
been involved in projects where security was extremely
important (US Nuclear Weapons programs and testing).

One thing I learned was that security problems are
communicated to the party with the problem with as little
fanfare as possible, for the purpose of curing the breach
without announcing its existence to the world at large - just
very sound security protocol. You, sir, have totally violated
that simple protocol with what looks to me like an attempt
to improve sales of your books and services.

Now, without using the old saw that "Microsoft is unresponsive
to reported security problems", can you please explain to
me the rationale behind putting perhaps thousands of users of
VPN at risk by exposing this flaw so publicly?

Would you also express to me your view of the following
statement. If a company security policy implements the use
of randomly generated passwords and frequent changes of
password, the reported problem is vastly diminished to the
point where it is "practically" impossible to break Microsoft's
PPTP. Or is all of this just another swipe at what you perceive
as a vulnerable target to obtain publicity advantageous to you?

You can examine my credentials at:

http://www.checkmaster.com/bud.htm

Bud Aaron
CheckMaster Corporation

http://www.checkmaster.com/
760-757-6635
bud@checkmaster.com



+-------------------------------------------------------------+
+ For information about the cert-talk mailing list, including +
+ archives and how to subscribe and unsubscribe, visit:       +
+          http://mail.structuredarts.com/cert-talk           +
+-------------------------------------------------------------+
------- End of forwarded message -------