From: daniele at muscetta.com (Daniele Muscetta)
Subject: Interesting side effect of the new IE patch

Stefan Esser said:
> Hello,
>
>> FIAT (the famous Italian CAR producer) invested quite an amount of
>> money and effort in launching the promotional site:
>> http://www.buy@...t.com
>>
>> ....I think they must not be very happy now..... :(
>
> Of course they are not happy now. Like a lot of other people who relied
> on this standard. It is really sad, that Microsoft removes features
> because they are too lazy to think up other solutions.

They are just RUSHING to close as many bugs as possible.... and as always
happens when fixing things afterwards instead of designing them in from the
beginning, things either break, or settings that get closed have to be
re-opened again.
Another issue I personally encountered some days ago was an application
which all of a sudden stopped working after having applied SP4 (on a
windows 2000 server), because of the NEW user rights they introduced:
http://support.microsoft.com/default.aspx?kbid=821546


which might have been nice to have from the beginning, so that people
would have not written applications that require that right in the first
place. Now, while waiting for a new version of that application to be released
(if and when this is going to happen)... all one has to do is to
EXPLICITLY GRANT that right to all of the users on that machine.....
practically reverting the machine to the insecure setting it had before
SP4.
Same applies for the 'security enhanced configuration'  of IExplore in
Windows 2003.... which is SO tight that not even their own windowsupdate
works..... which results in people uninstalling it....



> (Oh yeah and this is not a Microsoft only problem, or why do f.e.
> openssh/openssl allow RSA keys without passphrases?)

Indeed.
But it is the continuous struggle between security and usability....




> Ohh yes and I choose the word standard, because standard is not what
> some RFC/paper dictates, but what the majority of people (or browsers)
> use (support). NTSC would not exist otherwise, because NTSC was NOT the
> official standard for color television in the beginning.

I don't know, we have PAL ;)

Regards,

Daniele Muscetta




