5 June 1998
Date: Fri, 5 Jun 1998 07:58:58 -0400 (EDT)
From: "Andrew W. Gray" <agray@opengroup.org>
To: cypherpunks@algebra.com
Subject: FW:[bud@checkmaster.com: A violation of basic security protocol]

This came to the cert-talk mailing list this a.m. Figured everyone would get a kick out of this one. Interesting cc list.

A/.!

------- Start of forwarded message -------
>From owner-cert-talk@mail.structuredarts.com Fri Jun 5 03:53:10 1998
From: "Bud" <bud@checkmaster.com>
To: <schneier@counterpane.com>
Cc: "Scott Fallon" <scottfal@microsoft.com>,
    "Producer@Sciencefriday. Com" <producer@sciencefriday.com>,
    "Paul Thurrott" <thurrott@bigtent.com>,
    "Nicholas. Petreley@Wpi. Com" <nicholas.petreley@wpi.com>,
    "Michael Werner" <mikewe@microsoft.com>,
    "Michael Vizard" <Michael_Vizard@infoworld.com>,
    "Jim Louderback" <Jim_Louderback@zd.com>,
    "Jesse Berst's AnchorDesk" <anchordesk@zdnet.zdlists.com>,
    "Jeff Koch" <jeffko@microsoft.com>,
    "Dan Frumin" <dfrumin@microsoft.com>,
    "Cert-Talk@Structuredarts. Com" <cert-talk@structuredarts.com>,
    "Bradley Fikes" <fikes@ns.nctimes.com>,
    "Beth45" <Beth45@aol.com>
Subject: A violation of basic security protocol
Date: Fri, 5 Jun 1998 00:17:58 -0700

Dr. Schneier,

Up to last week I had a great deal of respect and admiration for you and your accomplishments. Without knowing you, your Applied Cryptography and your accomplishments engendered firm respect and trust. Then I learned that you had announced to the world in blaring headlines that Microsoft's implementation of PPTP was badly flawed. At your web site you went to considerable trouble to explain both the flaw as you view it and the methods for mounting attacks! [See: Crack-PPTP]

Now I'm NOT a renowned cryptographer, just a reasonably established writer. I have also, in my 50 plus year career, been involved in projects where security was extremely important (US Nuclear Weapons programs and testing).

One thing I learned was that security problems are communicated to the party with the problem with as little fanfare as possible, for the purpose of curing the breach without announcing its existence to the world at large - just very sound security protocol. You, sir, have totally violated that simple protocol with what looks to me like an attempt to improve sales of your books and services.

Now, without using the old saw that "Microsoft is unresponsive to reported security problems," can you please explain to me the rationale behind putting perhaps thousands of users of VPN at risk by exposing this flaw so publicly?

Would you also express to me your view of the following statement? If a company security policy implements the use of randomly generated passwords and frequent changes of password, the reported problem is vastly diminished to the point where it is "practically" impossible to break Microsoft's PPTP.

Or is all of this just another swipe at what you perceive as a vulnerable target to obtain publicity advantageous to you?

You can examine my credentials at: http://www.checkmaster.com/bud.htm

Bud Aaron
CheckMaster Corporation
http://www.checkmaster.com/
760-757-6635
bud@checkmaster.com

+-------------------------------------------------------------+
+ For information about the cert-talk mailing list, including +
+ archives and how to subscribe and unsubscribe, visit:       +
+ http://mail.structuredarts.com/cert-talk                    +
+-------------------------------------------------------------+
------- End of forwarded message -------