Thanks to Bud Aaron for pointing out an interesting subplot in the recent announcement about a new security flaw in Windows NT VPN (Virtual Private Networking). As you may recall from a WinInfo article earlier this week, Dr. Bruce Schneier broke the news to the world that there was a new security problem in NT, an announcement that is sure to get the attention of all kinds of computer press these days. It turns out that there are some side issues in this story, however, and the security problem, as it were, may be less threatening than previously thought.
First, some background. Schneier is the author of "Applied Cryptography," which is considered a cryptography bible of sorts in those circles. It seems that Schneier might have been looking for a little publicity at Microsoft's expense, since the charges don't add up in many ways. Consider, for example, that any security is only as good as the implementation: Anyone who writes their password on their monitor or uses a common word as a password is the weak link in that security scheme. Schneier charges that Microsoft's PPTP implementation is so weak that it's susceptible a "dictionary" attack, where a hacking program throws millions of known words at the system, hoping to find one that matches a password. The reason it is "susceptible" to this type of attack is that Microsoft "allows" users to use common words, but it is typically the responsibility of an IS department to determine what sorts of passwords are acceptable. That's why passwords are generally a collection of letters (both cases), punctuation marks, numbers, and other characters, not words like "bob" and "secret".
As Bud points out, most security flaws are not the result of poor planning, but rather are unseen things that someone accidentally trips over. NT has been in the spotlight recently for security problems, but that's because its a relatively new system that is suddenly getting very popular. The hackers that were wreaking havoc over on UNIX (and VMS before that) are now working on NT. Yes, problems are going to come up, but that's more an indication of NT's popularity than any inherent weakness.
Anyway, that's just an opposing view on the NT security issue, specifically the recent charges brought by Mr. Schneier. I'm not trying to start a debate on the subject, but it's always nice to see both sides of the story. If you are interested in this security issue, however, Microsoft has posted a whitepaper about PPTP security.
--Pau