[ale] FW: M$ Passport security

Transam@cavu.com transam at cavu.com
Sun Aug 26 21:59:51 EDT 2001


This is from Bruce Schneier's August security newsletter (his newsletters
always are an excellent read as are his books, especially "Secrets and Lies"):

Security problems with Microsoft's Passport protocol.  It's a long article 
and worth reading.  From the conclusion: "The bulk of Passport's flaws 
arise directly from its reliance on systems that are either not trustworthy 
(such as HTTP referrals and the DNS) or assume too much about user 
awareness (such as SSL).  Another flaw arises out of interactions with a 
particular browser (Netscape).  Passport's attempt to retrofit the complex 
process of single sign-on to fit the limitations of existing browser 
technology leads to compromises that create real risks."
<http://avirubin.com/passport.html>

More details on the FBI's bugging of a suspect's computer without a 
wiretap.  Soon we'll find out whether this is constitutional or not.
<http://news.cnet.com/news/0-1003-200-6719544.html>
<http://www.wired.com/news/privacy/0,1848,45684,00.html>
<http://www.wired.com/news/politics/0,1283,45730,00.html>
The FBI says the technology is secret, but the judge asks the FBI for it 
anyway:
<http://www.wired.com/news/politics/0,1283,45851,00.html>
<http://www.wired.com/news/politics/0,1283,45925,00.html>

Risks of spyware.  Some software packages monitor the customers using the 
software.  But what if the servers that the spyware talks to are infected 
by viruses and Trojans?
<http://www.kuro5hin.org/?op=displaystory;sid=2001/6/28/235018/395>

Update on the sentencing of the convicted author of the Melissa virus:
<http://www.securityfocus.com/news/230>

We'll soon have software capable of copying any human voice.  In a world 
where voice is a prevalent means of authentication, this will have serious 
ramifications.
<http://www.nytimes.com/2001/07/31/technology/31VOIC.html>

This story is too weird for words.  Microsoft adds PGP signatures at the 
bottom of its security bulletins, for verification.  But if you try to 
verify the signatures, they fail.  Already there has been at least one 
forged security bulletin, urging people to install a "patch" with a Trojan 
Horse.  Microsoft's reaction to this all simply makes no sense; it's like 
there's no one thinking there.
<http://www.newsbytes.com/news/01/168397.html>

PDF files can contain viruses.  This is 1) another example of the dangers 
of mixing code and data, and 2) a potential rat's nest if Adobe keeps using 
the DMCA to restrict people from reverse-engineering its security.
<http://computerworld.com/nlt/1%2C3590%2CNAV65-663_STO62902_NLTSEC%2C00.html>

If you thought Code Red's infection speed was bad, read about Warhol Worms: 
malware capable of infecting the Internet in 15 minutes.
<http://www.cs.berkeley.edu/~nweaver/warhol.html>
--
To unsubscribe: mail majordomo at ale.org with "unsubscribe ale" in message body.