OSEC

From: Joseph Ashwood (ashwoodmsn.com)
Date: Fri Oct 05 2001 - 13:22:31 CDT


    ----- Original Message -----
    From: "bernie" <metaphoneeudoramail.com>

    > Some of the people here want to use the .NET for critical applications.

    I'm sorry.

    > How secure is the .NET?

    The short answer is that it isn't secure. There are two main problems with
    it being secure. The first is the password vulnerability that you replied
    to. The second is that it uses a custom blended Kerberos-esque
    implementation. I say Kerberos-esque because it has some significant
    problems. First it uses RC4, a cipher which is increasingly being considered
    insecure, and in using it Windows doesn't take the precautions necessary to
    make it secure. They are the only company foolish enough to have embedded
    access control information in the Kerberos ticket; this adds even more
    leaking information, and just enough of it to determine the user's password.
    Basically they have made nearly every effort to eliminate the security of the
    system while making it appear secure to a layman. For further evidence that
    Microsoft can't do anything secure I point to (in no particular order) IIS,
    PPTP, PPTP2, Internet Explorer, Outlook Express, Windows 95, Windows 98,
    Windows ME, Windows NT, Windows 2000, and while I haven't verified it yet I
    believe also Windows XP. Some of these probably need some explanation. IIS
    is the script kiddie choice; it has more holes than a pound of Swiss cheese.
    PPTP was severely broken, PPTP2 was slightly less severely broken. Internet
    Explorer has had so many security vulnerabilities I can't even count that
    high. Outlook Express is a virus writer's dream. Windows 95 offered no
    security, same with 98 and ME. Windows NT is subject to extremely basic
    attacks on the password system that Microsoft refused to recognise, same
    with 2000, and probably the same with XP. In 2000 MS introduced a "secure"
    encrypted filesystem which lacked any reasonable ability to encrypt
    documents securely (it put the keys in a file in plaintext, and the file is
    easily readable). Even the CryptoAPI that Microsoft designed and offered has
    holes in it, allowing arbitrary code to be run in the place of what the
    programmer intended. I am unaware of anything Microsoft has ever written
    that could be considered secure and there is evidence that they plan to
    continue this less than stellar performance with .NET.
                        Joe