
List:       ntbugtraq
Subject:    Part 1: RE: An update on MS private key (in)security issues
From:       Russ <Russ.Cooper () RC ! ON ! CA>
Date:       1998-02-11 12:32:37

>First, Russ Cooper (moderator of the NT Bugtraq mailing list) made some
>wildly inaccurate claims about the article.  I've had a bit of feedback
>which indicated that it wasn't even worth dignifying this stuff with a
>response but I've written one anyway, at least for the original NT
>Bugtraq messages he posted (the stuff he put on a web page is just more
>of the same).  You can find it at
>http://www.cs.auckland.ac.nz/~pgut001/pubs/breakms2.txt (even if you
>don't want to plough through the whole thing, you might want to read
>the last two paragraphs for a giggle).

This is the first of a two-part response. This part contains
acknowledgements of errors I made in my response to Peter's original
post.

I definitely made some mistakes in my original response to Peter's
claims, and I'm happy to acknowledge them here and now.

1. I stated that no CryptoAPI function could be called by any
application which was not digitally signed by Microsoft. This was a
definite error. The CryptoAPI functions cannot be used as a
Cryptographic Service Provider (CSP) unless they are signed, but
applications calling CSPs have no signature prerequisite. My mistaken
understanding of the documentation led to my incorrect statement.

2. I stated that Peter must have been referring to Windows '95 only, not
Windows NT. This was based on several assumptions made after reading all
of Peter's message (yes Peter, I did read it all). Peter states that he
has, in fact, tested Windows NT and found it subject to his proposed
exploits.

3. I made some assumptions about the browser Peter was referring to (I
stated he must have been talking about IE 3.0). Again, those assumptions
were based on my understanding of Peter's claims. Peter, again, has
confirmed that he made no such assertions.

Cheers,
Russ Cooper
R.C. Consulting, Inc. - NT/Internet Security
Owner and Moderator of the NTBugTraq mailing list - see
http://www.ntbugtraq.com
