Technology Stocks : Intel Corporation (INTC)


To: Scumbria who wrote (72236) 1/27/1999 2:32:00 AM
From: Paul Engel
 
Slippery - Re: "Please call me by my SI name."

You have EARNED the name SLICK, and deserve all that is embodied in that term.

Like that buddy of yours with the loose zipper.

Paul



To: Scumbria who wrote (72236) 1/27/1999 2:44:00 AM
From: Paul Engel
 
Slippery - Here's a good example of Software Security Screw Ups as now exist.

Perhaps a little hardware security may be called for?

Paul
{==================}

techweb.com

Hole Found In NT Password Tester

(01/25/99, 6:50 p.m. ET)
By Andy Patrizio, TechWeb

The security wizards at L0pht Heavy Industries have uncovered a Windows NT security threat in one of the last places you'd expect to find one -- in a password-integrity tester.

L0pht set out to test Password Appraiser from Quakenbush Consulting. Quakenbush was positioning the product as competitive with L0pht's own Windows NT security tester, L0phtCrack. Both test the passwords on an NT network to make sure users haven't chosen obvious words that are easily guessed.

What it found was that the free demo of Password Appraiser downloaded from the Quakenbush home page was, in addition to its audit, sending user-password hashes over the Internet to Quakenbush's own site. A hash is the password in its encrypted form as stored on the NT server.

There, the passwords were compared to a database of commonly used passwords. If it matched a password in the database, it was sent back in plain text, completely unencrypted.

Such a glaring error surprised "Dr. Mudge," a L0pht staff member who ran the tests. "They are not demonstrating that they know what they're doing," he said. "This is a really basic mistake." He compared it to a locksmith putting a padlock on the outside of a house instead of a better lock on the inside of the house.

Gerald Quakenbush, president of Quakenbush Consulting, defends the product, which was released in December. "We never intended for anyone to use this on a production network," he said. "For the demo, our intention was for someone to run a test on a local system."

The L0pht advisory was posted Thursday, and the next day Quakenbush added Secure Sockets Layer encryption for its Internet transmissions. The plain-text transmission of data was a bug, which has been fixed, said Quakenbush. Both fixes were made available as patches for customers who already had the product in addition to revising the downloadable demo.

Quakenbush Consulting does a check on all Internet queries now, so if someone attempts to run the older version with the bug, the test fails and no data is exchanged except for an alert to get the patch from the Quakenbush home page.

The downloadable demo has language in its documentation warning people that the passwords are transmitted over the Internet. This has to be done to compare the passwords on the NT server with the database of easily broken passwords.

A free demo is also available on CD-ROM from Quakenbush that includes the database on CD, so no Internet transmission has to be done.