
Technology Stocks: Novell (NOVL) dirt cheap, good buy?

To: PJ Strifas who wrote (27994) 9/4/1999 11:00:00 PM
From: Frederick Smart
   of 42771
Microsoft, the NSA, and You

>>Here is the press release; for the full details, look here.

A sample program which replaces the NSA's key is here, at the bottom of the page.>>


Does this mean Microsoft cooperated with the NSA to allow for the inclusion of an NSA public key?

Feedback appreciated. Help!



Microsoft Installs US Spy Agency with Windows

Research Triangle Park, NC - 31 August 1999 - Between Hotmail hacks and browser bugs, Microsoft has a dismal track record in computer security. Most of us accept these minor security flaws and go on with life. But how is an IT manager to feel when they learn that in every copy of Windows sold, Microsoft may have installed a 'back door' for the National Security Agency (NSA - the USA's spy agency) making it orders of magnitude easier for the US government to access their computers?

While investigating the security subsystems of WindowsNT4, Cryptonym's Chief Scientist Andrew Fernandes discovered exactly that - a back door for the NSA in every copy of Win95/98/NT4 and Windows2000. Building on the work of Nicko van Someren (NCipher), and Adi Shamir (the 'S' in 'RSA'), Andrew was investigating Microsoft's "CryptoAPI" architecture for security flaws. Since the CryptoAPI is the fundamental building block of cryptographic security in Windows, any flaw in it would open Windows to electronic attack.

Normally, Windows components are stripped of identifying information. If the computer is calculating "number_of_hours = 24 * number_of_days", the only thing a human can understand is that the computer is multiplying "a = 24 * b". Without the symbols "number_of_hours" and "number_of_days", we may have no idea what 'a' and 'b' stand for, or even that they calculate units of time.

In the CryptoAPI system, it was well known that Windows used special numbers called "cryptographic public keys" to verify the integrity of a CryptoAPI component before using that component's services. In other words, programmers already knew that windows performed the calculation "component_validity = crypto_verify(23479237498234...,crypto_component)", but no-one knew exactly what the cryptographic key "23479237498234..." meant semantically.

Then came WindowsNT4's Service Pack 5. In this service release of software from Microsoft, the company crucially forgot to remove the symbolic information identifying the security components. It turns out that there are really two keys used by Windows; the first belongs to Microsoft, and it allows them to securely load CryptoAPI services; the second belongs to the NSA. That means that the NSA can also securely load CryptoAPI services... on your machine, and without your authorization.

The result is that it is tremendously easier for the NSA to load unauthorized security services on all copies of Microsoft Windows, and once these security services are loaded, they can effectively compromise your entire operating system. For non-American IT managers relying on WinNT to operate highly secure data centers, this find is worrying. The US government is currently making it as difficult as possible for "strong" crypto to be used outside of the US; that they have also installed a cryptographic back-door in the world's most abundant operating system should send a strong message to foreign IT managers.

There is good news among the bad, however. It turns out that there is a flaw in the way the "crypto_verify" function is implemented. Because of the way the crypto verification occurs, users can easily eliminate or replace the NSA key from the operating system without modifying any of Microsoft's original components. Since the NSA key is easily replaced, it means that non-US companies are free to install "strong" crypto services into Windows, without Microsoft's or the NSA's approval. Thus the NSA has effectively removed export control of "strong" crypto from Windows. A demonstration program that replaces the NSA key can be found on Cryptonym's website.

Cryptonym: Bringing you the Next Generation of Internet Security, using cryptography, risk management, and public key infrastructure.

Interview Contact:
Andrew Fernandes
Telephone: +1 919 469 4714
Fax: +1 919 469 8708

Cryptonym Corporation
1695 Lincolnshire Boulevard
Mississauga, Ontario
Canada L5E 2T2

# # #
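The press release's core technical claim is a loader that accepts a CryptoAPI component if either of two embedded public keys verifies it, and a second key that sits where it can be swapped. Here is a toy Python model of that arrangement, added to this thread for illustration; it is not Microsoft's crypto_verify and not Cryptonym's demonstration program. The textbook RSA over small Mersenne primes, the trust-store dictionary, the "Microsoft key" / "NSA key" labels, the fingerprint check and the module byte string are all constructed stand-ins, and the pinned-root verifier is the contrasting design, not anything the page says Windows did.

```python
"""Toy model of a component loader that accepts a module when ANY of several
embedded root keys verifies its signature (the any-of-N arrangement the press
release describes).  Added example: not Microsoft's crypto_verify and not
Cryptonym's demo program.  Textbook RSA over small Mersenne primes, no padding;
every key, label and module byte string below is constructed for illustration."""
import hashlib

# Constructed toy key material: pairs of Mersenne primes, far too small for
# real use but enough to exercise the verification logic deterministically.
MS_PRIMES = (2**31 - 1, 2**61 - 1)
SECOND_PRIMES = (2**19 - 1, 2**89 - 1)
THIRD_PRIMES = (2**13 - 1, 2**17 - 1)
E = 65537


def keypair(p, q):
    """Textbook RSA: returns ((n, e), (n, d)); 65537 is coprime with each phi here."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))
    return (n, E), (n, d)


def digest(data, n):
    # SHA-256 of the component, reduced into the RSA modulus (toy, unpadded).
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(priv, data):
    n, d = priv
    return pow(digest(data, n), d, n)


def verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == digest(data, n)


def fingerprint(trust_store):
    """Hash of the whole trust store, so a swapped root is detectable."""
    h = hashlib.sha256()
    for label in sorted(trust_store):
        n, e = trust_store[label]
        h.update(f"{label}:{n}:{e}".encode())
    return h.hexdigest()


def crypto_verify_any(trust_store, component, sig):
    """The arrangement the release describes: any one trusted root is enough."""
    return any(verify(pub, component, sig) for pub in trust_store.values())


def crypto_verify_pinned(trust_store, component, sig, label="Microsoft key"):
    """Contrasting design: a single pinned root, so a second, replaceable key
    adds nothing to the set of components that will load."""
    return verify(trust_store[label], component, sig)


def demo():
    ms_pub, ms_priv = keypair(*MS_PRIMES)
    second_pub, second_priv = keypair(*SECOND_PRIMES)
    other_pub, other_priv = keypair(*THIRD_PRIMES)   # holds neither root's private key
    store = {"Microsoft key": ms_pub, "NSA key": second_pub}
    baseline = fingerprint(store)                     # recorded at install time
    module = b"constructed CSP module bytes"          # stand-in for a DLL image
    r = {}
    r["ms_signed"] = crypto_verify_any(store, module, sign(ms_priv, module))
    r["second_root_signed"] = crypto_verify_any(store, module, sign(second_priv, module))
    r["other_signed"] = crypto_verify_any(store, module, sign(other_priv, module))
    # The situation the release describes: the second root is replaceable.
    store["NSA key"] = other_pub
    r["other_after_swap_any"] = crypto_verify_any(store, module, sign(other_priv, module))
    r["other_after_swap_pinned"] = crypto_verify_pinned(store, module, sign(other_priv, module))
    r["swap_detected"] = fingerprint(store) != baseline
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The any-of-N verifier treats every embedded key as a full trust root, so the security of the loader is that of the weakest-protected key; the fingerprint over the trust store is the kind of integrity check an administrator would want in order to notice that a root has changed.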


To: PJ Strifas who wrote (27994) 9/4/1999 11:19:00 PM
From: PJ Strifas
   of 42771
It's interesting that someone finally makes sense in an article and actually tells some truth about an upcoming MSFT product.

Check my next post for more on why I think this is important.

Peter J Strifas
A flaw in Active Directory?

By Dave Kearns
Network World, 08/16/99

In Network World Fusion's "Windows NT" newsletter I've been taking a close look at Active Directory as it is implemented in Windows 2000. In the August 2 newsletter, I outlined the Active Directory replication and synchronization strategy. But the more I think about it, the more afraid I become.

Active Directory uses multimaster replication. No more Primary Domain Controllers (PDC) and Backup Domain Controllers (BDC) - all Domain Controllers are equal peers. Objects can be manipulated on any Domain Controller, and the changes are then propagated to the remaining domain controllers. While this is easier on the administrator than the PDC-BDC mode of NT 4 (where all changes had to be made on the PDC), it means that there needs to be a way to reconcile changes which might be made to the same object on different Domain Controllers.

There is no time synchronization among the Domain Controllers, so changes based on time stamps won't work. Instead, a concept called the Update Sequence Number (USN) is used. Each Domain Controller holds a table containing entries for its own USN and the USNs of its replication partners. During replication, the Domain Controller compares the last known USN of its replication partner (saved in the table) with the current USN that the replication partner provides. If there have been recent changes (that is, if the replication partner provides a higher USN), the data store requests all changes from the replication partner. After receiving the data, the directory store sets the USN to the same value as that of the replication partner. This only guarantees that all changes made on a single Domain Controller will be propagated in the correct order.

If properties on the same object are changed from different domain controllers, a series of comparisons must be made by Active Directory to decide which is the correct order of changes.

The first decider is the version number. All properties carry a version number that is incremented with each change, and the higher version always takes precedence. But if I make two changes to an object on one Domain Controller (+2 to the version number), then make a change to the same object on another Domain Controller (+1 to the version number) before the first changes are propagated, my second change - not the third one, which would be correct - is the one accepted as final.

If the version numbers on the changed object are the same, then the timestamps on the changes are used. But because there is no time synchronization between Domain Controllers, this could lead to wrong information being propagated.

If both version number and timestamp are the same, Active Directory performs a binary memory copy operation and compares the buffer size. The higher buffer size wins. If the two buffers are equal, the data is the same, and one can be discarded. If they're not the same, though, there's nothing to guarantee that the correct information is chosen - just the one with a bigger buffer size!

Because none of these methods guarantees that correct information is propagated, all possible changes are logged. You can peruse the logs, then make further changes to correct the errors - and hope that they get propagated correctly.
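To make the three tiebreakers in Kearns's column concrete, here is a small Python simulation added to this thread; it is not Microsoft's code and does not come from the column. The DomainController and Attr classes, the "phone" attribute, the byte values and the clock skews are constructed for illustration. It plays through the version-number case he describes and, going slightly beyond his wording, also the timestamp and buffer-size cases, showing in each that the replicas converge on the same value without that value being the latest real edit.

```python
"""Simulation of the replication and conflict-resolution order Kearns
describes: USN-driven pulls, then the version-number, timestamp and
buffer-size tiebreakers.  Added example, not Active Directory's code; the
DomainController/Attr classes, the 'phone' attribute and the clock skews are
constructed for illustration."""
from dataclasses import dataclass, field


@dataclass
class Attr:
    value: bytes
    version: int    # bumped on every write, wherever it happens
    stamp: float    # originating DC's own clock (DCs are not time-synced)


@dataclass
class DomainController:
    name: str
    clock_skew: float = 0.0                          # seconds this DC's clock is off
    usn: int = 0                                     # local update sequence number
    store: dict = field(default_factory=dict)        # attribute -> Attr
    log: list = field(default_factory=list)          # (usn, attribute, Attr)
    partner_usn: dict = field(default_factory=dict)  # last USN seen per partner

    def write(self, attr, value, true_time):
        old = self.store.get(attr)
        new = Attr(value, (old.version if old else 0) + 1, true_time + self.clock_skew)
        self.store[attr] = new
        self.usn += 1
        self.log.append((self.usn, attr, new))

    def pull_from(self, partner):
        """Fetch only if the partner's USN moved past the one we last saw."""
        seen = self.partner_usn.get(partner.name, 0)
        if partner.usn <= seen:
            return []
        self.partner_usn[partner.name] = partner.usn
        applied = []
        for usn, attr, incoming in partner.log:
            if usn > seen and self._accept(self.store.get(attr), incoming):
                self.store[attr] = incoming
                applied.append(attr)
        return applied

    @staticmethod
    def _accept(local, incoming):
        if local is None:
            return True
        if incoming.version != local.version:
            return incoming.version > local.version          # 1. higher version wins
        if incoming.stamp != local.stamp:
            return incoming.stamp > local.stamp              # 2. later (unsynced) stamp wins
        if len(incoming.value) != len(local.value):
            return len(incoming.value) > len(local.value)    # 3. bigger buffer wins
        return False                                         # identical: keep ours


def _pair(dc2_skew):
    """Two DCs that both hold 'phone' at version 1 before the experiment starts."""
    dc1, dc2 = DomainController("DC1"), DomainController("DC2", clock_skew=dc2_skew)
    dc1.write("phone", b"111", 1000.0)
    dc2.pull_from(dc1)
    return dc1, dc2


def _converge(dc1, dc2):
    dc2.pull_from(dc1)
    dc1.pull_from(dc2)
    return dc1.store["phone"].value, dc2.store["phone"].value


def kearns_scenario():
    """Two edits on DC1, then a later edit on DC2 before they propagate."""
    dc1, dc2 = _pair(dc2_skew=0.0)
    dc1.write("phone", b"222", 1010.0)    # version 2
    dc1.write("phone", b"333", 1020.0)    # version 3
    dc2.write("phone", b"444", 1030.0)    # the real latest edit, but only version 2
    return _converge(dc1, dc2)            # both end up b"333"


def skew_scenario():
    """Equal versions; DC2's slow clock makes the older edit look newer."""
    dc1, dc2 = _pair(dc2_skew=-300.0)     # DC2 runs five minutes slow
    dc1.write("phone", b"aaa", 1010.0)
    dc2.write("phone", b"bbb", 1020.0)    # later in reality, earlier by its stamp
    return _converge(dc1, dc2)            # both end up b"aaa"


def buffer_scenario():
    """Equal version and stamp: the larger buffer wins, whatever it holds."""
    dc1, dc2 = _pair(dc2_skew=0.0)
    dc1.write("phone", b"12", 1010.0)
    dc2.write("phone", b"1234", 1010.0)
    return _converge(dc1, dc2)            # both end up b"1234"
```

In every scenario the two replicas agree once replication has run in both directions, which is the consistency property; none of them ends on the value that was actually written last, which is Kearns's accuracy objection.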


To: PJ Strifas who wrote (27996) 9/4/1999 11:25:00 PM
From: PJ Strifas
   of 42771
Now I'd like to point out that Mr. Kearns' point is a very important one. It's not just a semantics play on what one company is doing versus what another is doing. It goes to a fundamental "flaw" in a product that has been touted to take over the world once (if and when?) it's released.

He does well to describe the problem in simple terms, but let's just say that if a product cannot synchronize the distributed parts effectively, then just how reliable is the information stored within?

Peter J Strifas
Here's the "fallout" from the article:

Active Directory: agree to disagree

By Dave Kearns
Network World, 08/30/99

There was a fair amount of fallout from my column "A flaw in Active Directory?" (Aug. 16, page 28). But, most people agreed with my assessment of potential problems with Microsoft's Active Directory replication and synchronization strategy.

[Aside: For the user at Microsoft, whose name may be Shawn but signs his e-mail "LCA Dude" and who uses a host machine called com - you need to learn how to create truly anonymous e-mail. At least when employees at Novell or IBM disagree with me, they sign their real names.]

I did spend an enjoyable hour talking to Pete Houston, Active Directory's lead product manager. Houston came to Microsoft from IBM and has a very solid grounding in databases. In particular, he appears quite knowledgeable about distributed, replicated databases.

There was very little we disagreed on but, alas, the item that was the focus of my last column was at the top of the list.

When changes are propagated throughout the replicas of the directory, it's important that they be applied to all copies in the same order. Active Directory uses a serial number sequence to decide the order of changes and when there's a discrepancy, falls back on a number of so-called tiebreaker decision points to decide which changes will be made and which will be rejected.

Houston and I agree that consistency among all copies of the directory is important. We differ in that Houston believes consistency is all that matters, while I believe that consistency is important, but accuracy is almost as important.

It's a classic confrontation between a database manager and a network manager. We agreed to disagree.

We went on, though, to imagine the next generation of directory service - a generation that would use rules and policies to determine which update succeeds and which doesn't. Imagine setting up a hierarchy so that anytime there is a discrepancy in updates, the higher ranking person's changes would "win." I'd like to hear your thoughts on how that might work.


To: PJ Strifas who wrote (27997) 9/4/1999 11:27:00 PM
From: PJ Strifas
   of 42771
As I was catching up on recent news and email (been a busy week), this article is a real interesting one. This makes the 3rd company (or part of one) that CSCO has bought out in the last month.

Makes for interesting dynamics:

IBM has all but thrown in the towel on its Networking Hardware Division

By Marc Songini
Network World Fusion, 08/31/99

RESEARCH TRIANGLE PARK, N.C. - In a surprise move, IBM today announced a far-reaching product, service and support agreement with long-time archrival Cisco that takes Big Blue out of the routing and switching marketplace.

In a joint release, Cisco says it will be acquiring IBM Networking Hardware Division's portfolio of switching and routing patents for an undisclosed sum. IBM says it is providing "a smooth transition for customers to implement Cisco network products."

For its part, IBM says it will provide ongoing support of existing routing and switching implementations and will continue to support Systems Network Architecture products such as front-end processors as well as Token Ring and Ethernet adapters. Beyond that, IBM will no longer make router or switching products.

IBM Global Services and Cisco also plan to expand their existing relationship to enable e-business for their customers. As part of the agreement, Cisco will buy some $2 billion of IBM technology over the next five years, which will probably include IBM network chips and other OEM components.

The move may come as a surprise to some industry observers, as IBM over the past two years has worked diligently to offer a complete lineup of Ethernet, ATM and IP hardware. IBM was even starting to gain market share. So now, while NHD will continue to improve and develop its front-end processors and other SNA gear, its role in the market will continue to shrivel as the industry migrates to Ethernet and IP.

On the other hand, according to one analyst, IBM's move makes perfect sense as the entire network hardware industry becomes commoditized. It's the bottom line with IBM, says Frank Dzubeck, president of Communications Network Architects, a Washington, D.C. consultancy. "IBM's looking at everything like a margin. Margins are king." Dzubeck says this move is probably "a harbinger of the future at IBM" with the PC division being slated for phaseout next.


To: Howard t Anderson who wrote (27984) 9/6/1999 3:53:00 PM
From: Paul Fiondella
   of 42771
Don't Cry For Me Argentina.....

Stewart Nelson, Christopher Stone, and the now departed Slitz are shown dumping very large numbers of shares in June of this year.


To: Paul Fiondella who wrote (27999) 9/6/1999 6:26:00 PM
From: Steve Hufnagle
   of 42771
Other insiders waited and sold their shares for larger amounts in July.


To: Paul Fiondella who wrote (27999) 9/6/1999 10:21:00 PM
From: ToySoldier
   of 42771

What are your theories on why they might have been dumping what seems to be a large position of stock in NOVL? Could they be actively assisting with NOVL's share buy-back or would that not be legal?

Up front, that large quantity of share sales by the senior management would give a NOVL stockholder an uneasy feeling about why they are getting out of their own company.



To: ToySoldier who wrote (28001) 9/7/1999 8:18:00 AM
From: EPS
   of 42771
Hi Toy,

some roads lead quickly to Oracle.. Looking forward to seeing the new CPQ-NOVL announcements today.. Still, if Drew is correct, does that mean Oracle Corp. should acquire Novell? Should Novell acquire Oracle? Or will Microsoft take its newly acquired Zoomit metadirectory and cross it with SQL Server? Stay tuned for the second set on the online commerce integration dance floor...


To: EPS who wrote (28002) 9/7/1999 9:19:00 AM
From: Spartex
   of 42771
Going Beyond Dot.Com: Is your business truly wired for the Net?

by Rowland Archer
President & CEO
HAHT Software, Inc.

One answer lies in implementing an end-to-end Web application infrastructure, such as HAHT's HAHTsite Application Server for Web applications. This type of application infrastructure provides real-time integration of your company's back-end production systems with front-end user interface systems. This allows companies to create functions such as bill presentment over the Web, self-service human resource applications, self-service order tracking, and e-commerce, among others. When these applications are also enabled with a directory solution like Novell's NDS, you can secure and manage information about employees, customers, suppliers and


To: PJ Strifas who wrote (27998) 9/7/1999 3:43:00 PM
From: Frederick Smart
   of 42771
Microsoft's 'secret link to Big Brother'

September 5

Is 'Big Brother' lurking in every computer or did a software designer simply use an unfortunate acronym?

That was the questioning exercising internet chat rooms this weekend following claims that America's National Security Agency (NSA) had inserted a secret key into all post-1995 versions of Microsoft's Windows operating system so that it could read private e-mails and

The claim, furiously denied by Microsoft, follows a chance discovery by a cryptographer working for a Canadian software firm. While dissecting Microsoft security software, Andrew Fernandes, Chief Scientist at the Cryptonym Corporation in Ontario, found an element in the Windows operating system labelled 'NSA key'.

When Fernandes' discovery was made public on Friday, it sparked a wave of speculation on the Internet.

Cryptographers say the key is evidence of a long-suspected secret deal between Microsoft and America's spy agency. Embedded in every copy of Windows 95, 98, NT4 and 2000, the key could enable the NSA to read confidential communications at a keystroke, they say.

But Microsoft claims there is no Big Brother in its software and that the choice of initials reflects the fact the NSA is responsible for reviewing data-scrambling software and hardware to ensure compliance with US export regulations.

'These charges are completely false,' said Scott Culp, Microsoft's security manager for the Windows system. 'These are just used to ensure that we're compliant with US export regulations. We have not shared the private keys.'

However, following the discovery last week of a security flaw allowing hackers into the e-mail of more than 40 million users of Microsoft's Hotmail service, many experts are skeptical.

They say that Microsoft is a highly compartmentalised firm and that modifications could have been inserted at the NSA's request without the knowledge of product managers. They also point out the NSA has a record of rigging export software.

In the Seventies the NSA had de-encryption devices inserted into systems sold to Swiss software manufacturer Crypto AG, so the agency could read the coded diplomatic and military traffic of more than 130

The same technique was re-used in 1995 when the NSA became concerned about cryptographic security systems being built into Internet and e-mail software by Microsoft, Netscape and Lotus. The companies agreed to adapt their software to reduce the level of security for users outside America.

In Lotus products exported to Sweden, the NSA 'help information' trapdoor built into Notes software was found to have compromised confidential mail of Swedish MPs and tax office staff.

Computer security specialists were aware that unusual features were contained inside the standard Windows key used to authenticate software components, and two years ago noted the existence of a 'second' key whose existence they could not account for. But the discovery of the identifying 'NSA' tag, which had been disguised in earlier versions of Microsoft software, has been seized on by conspiracy theorists.
