[PLUG] Windows and Cryptography

Eric Wilhelm scratchcomputing at gmail.com
Mon Feb 12 22:55:12 UTC 2007


# from Alan Olsen
# on Monday 12 February 2007 01:52 pm:

>> http://biznix.org/articles/wincrypt.html
>>
>> Please let me know if anything is incorrect or it needs
>> to be improved.
>
>The biggest problem with Cryptography under Windows is that you are
> not considered the owner of your machine.  (Especially Vista.)

Right, but Vista is just another step in the long-running story of users 
refusing to take responsibility for their own security and privacy.  m$ 
will (of course) happily help with that blissful ignorance.

However, Linux is not bulletproof, just transparent.  Mac might be 
better than windows, but they are definitely moving away from 
transparent at a rapid rate (and, what's it take to get sudo privileges 
on a Mac anyway?  Just a dialog box (heh. "Web 2.0: get rooted with 
javascript?"))  In short, all the user data on the computer is only as 
secure as root/sudo, which means "as secure as your laziest priveleged 
user."  What distinguishes windows here is that there is practically no 
root, but if m$ is root, so is apple, sun, adobe, nvidia, and red hat 
for that matter.  In short, anything for which you cannot get the 
source should not be run as root.  Otherwise, the only answer to the 
"are we secure?" question has to be shrugging your shoulders and saying 
"maybe."  Might as well just drop what you're doing right now and 
e-mail all of your keys and passwords to the above vendors for safe 
keeping.  (Note, I trust RH more than MS, but I'm not about to mail 
either of them anything.)

Why are users so complacent about computer privacy/security?  There is 
nothing analogous.

How careful are you with the keys to your house?  Ok, but what if you 
lose your keys and have to break into your house?  Most people don't 
rig their house to explode on forced entry, but given strong 
cryptography, a lost key means lost data.  I wager this is unacceptable 
for many users and they will therefore keep a hide-a-key rock somewhere 
(a while back, I was at a mid-sized local retail chain and noticed 
about 3-4 banking and etc username/passwords in plain view on a 
laminated card next to every customer service terminal.)

Most law enforcement is predicated on the idea of recovering stolen 
goods or otherwise punishing the infraction.  Doesn't work so well for 
stolen data, does it?

--Eric
-- 
If the collapse of the Berlin Wall had taught us anything, it was that
socialism alone was not a sustainable economic model.
--Robert Young
---------------------------------------------------
    http://scratchcomputing.com
---------------------------------------------------



More information about the PLUG mailing list