VPN Client Security


Posted

I'm interested in client security from the VPN.

 

For example if a VPN is established on a client (say either via a DLL or

Microsoft VPN), how does the client configure their machine to keep the

server side from using the VPN to browse or copy files from the client

machine?

 

Thanks

David

Posted

VPN is very tricky and the computers on your end must be properly configured

and tightened down all with custom settings. I would suggest a special brand

of varying computers to be given to clients that have automatic updates

locked. The clients must know these are the company's computers and if taken

off campus then the client is fully responsible for the computer. The

computer must not have any special and/or confidential information and should

be used only as needed. VPN is too easy to hack if a system admin. leaves

settings too weak and not properly configured. I hope never to have to use

VPN again because it sucks when the business does not have the proper

settings and they are hacked and you are hacked and you lose your identity as

well as your clients who happen to be 1st grade students. Just my 2 cents

and please forgive the rant but it felt good. <smile>

 

"David" wrote:

> I'm interested in client security from the VPN.
>
> For example if a VPN is established on a client (say either via a DLL or
> Microsoft VPN), how does the client configure their machine to keep the
> server side from using the VPN to browse or copy files from the client
> machine?
>
> Thanks
> David

Guest Paul Adare - MVP
Posted

On Fri, 29 Aug 2008 10:52:01 -0700, Dan wrote:

> VPN is very tricky and the computers on your end must be properly configured
> and tightened down all with custom settings.

 

What does this mean exactly?

> I would suggest a special brand
> of varying computers to be given to clients

 

What exactly is a "special brand of varying computers"? That makes

absolutely no sense at all.

> that have automatic updates
> locked.

 

Again, what does that mean?

> The clients must know these are the company's computers and if taken
> off campus then the client is fully responsible for the computer. The
> computer must not have any special and/or confidential information and should
> be used only as needed.

 

You don't live in the real world Dan. I have customers with 10's of

thousands of road warriors who use secure VPNs every day, both with

corporate computers and home computers.

> VPN is too easy to hack if a system admin. leaves
> settings too weak and not properly configured.

 

Anything is easy to hack if it is not properly configured. This statement

does nothing at all to help anyone.

> I hope never to have to use
> VPN again because it sucks when the business does not have the proper
> settings and they are hacked and you are hacked and you lose your identity as
> well as your clients who happen to be 1st grade students. Just my 2 cents
> and please forgive the rant but it felt good. <smile>

 

More weird nonsensical ramblings.

--

Paul Adare

MVP - Identity Lifecycle Manager

http://www.identit.ca

Computer programmers do it byte by byte.

Posted

Glad you got that off your chest -- but doesn't answer my question.

 

My interest lies on the client side Not the server side.

I've been trying for some time to get an answer to "How" or "If" the client

can protect themselves from the server side.

 

For example if as a client you are provided a DLL or VPN to link to a

specific server, what keeps someone from the server side from using the DLL

or VPN to view or manipulate the client system????

 

 

 

 

 

"Dan" <Dan@discussions.microsoft.com> wrote in message

news:6B2A184A-2DF2-4215-87F9-421D30EABA2B@microsoft.com...
> VPN is very tricky and the computers on your end must be properly configured
> and tightened down all with custom settings. I would suggest a special brand
> of varying computers to be given to clients that have automatic updates
> locked. The clients must know these are the company's computers and if taken
> off campus then the client is fully responsible for the computer. The
> computer must not have any special and/or confidential information and should
> be used only as needed. VPN is too easy to hack if a system admin. leaves
> settings too weak and not properly configured. I hope never to have to use
> VPN again because it sucks when the business does not have the proper
> settings and they are hacked and you are hacked and you lose your identity as
> well as your clients who happen to be 1st grade students. Just my 2 cents
> and please forgive the rant but it felt good. <smile>
>
> "David" wrote:
>
>> I'm interested in client security from the VPN.
>>
>> For example if a VPN is established on a client (say either via a DLL or
>> Microsoft VPN), how does the client configure their machine to keep the
>> server side from using the VPN to browse or copy files from the client
>> machine?
>>
>> Thanks
>> David

Guest Paul Adare - MVP
Posted

On Fri, 29 Aug 2008 14:26:07 -0400, David wrote:

> For example if as a client you are provided a DLL or VPN to link to a
> specific server, what keeps someone from the server side from using the DLL
> or VPN to view or manipulate the client system????

 

That isn't a client side setting, it is a server side setting. How it gets

set depends entirely on the VPN device in question.

Configuring security on the client side can mitigate this "issue". How you

go about that depends on the OS being used on the client. Whether or not it

is really an issue depends to a large degree on who owns the client

computer and whose VPN you're connecting to. If you're using a corporate

owned computer to access the corporation's VPN server then you really don't

have any expectation of privacy.

 

--

Paul Adare

MVP - Identity Lifecycle Manager

http://www.identit.ca

This screen intentionally left blank.

Guest Steve Riley [MSFT]
Posted

Think of the VPN'ed client as being a full member of the remote network it

connected to. Clients locally-attached to that network can be accessed by

anything on that network. That's why I'm a big fan of using the Windows

firewall even on LANs. VPN clients are no different, really. Anything on the

remote network can connect to the VPN'ed client -- so proper client-side

security remains essential.

 

--

Steve Riley

steve.riley@microsoft.com

http://blogs.technet.com/steriley

http://www.protectyourwindowsnetwork.com

 

 

 

"Paul Adare - MVP" <pkadare@gmail.com> wrote in message

news:1uwrwvyzt2w$.kgppzhqfsozo.dlg@40tude.net...
> On Fri, 29 Aug 2008 14:26:07 -0400, David wrote:
>
>> For example if as a client you are provided a DLL or VPN to link to a
>> specific server, what keeps someone from the server side from using the DLL
>> or VPN to view or manipulate the client system????
>
> That isn't a client side setting, it is a server side setting. How it gets
> set depends entirely on the VPN device in question.
> Configuring security on the client side can mitigate this "issue". How you
> go about that depends on the OS being used on the client. Whether or not it
> is really an issue depends to a large degree on who owns the client
> computer and whose VPN you're connecting to. If you're using a corporate
> owned computer to access the corporation's VPN server then you really don't
> have any expectation of privacy.
>
> --
> Paul Adare
> MVP - Identity Lifecycle Manager
> http://www.identit.ca
> This screen intentionally left blank.

Posted

From responses it appears I'm either misunderstanding the response OR not

properly phrasing my question.

 

If I am an independent client (not affiliated or an employee of the company

that owns the server), and provided a DLL or VPN setup by a company to

access their server, how do I (as the client) protect myself under Windows

XP Pro from someone on the server side gaining access to my computer

(client) directories -- In other words can I keep them within their own

directory or user account -- details please on how to set up?

 

 

 

 

 

"Steve Riley [MSFT]" <steve.riley@microsoft.com> wrote in message

news:7C09F566-6BC0-4C2C-AB3E-9A82E97F0654@microsoft.com...
> Think of the VPN'ed client as being a full member of the remote network it
> connected to. Clients locally-attached to that network can be accessed by
> anything on that network. That's why I'm a big fan of using the Windows
> firewall even on LANs. VPN clients are no different, really. Anything on
> the remote network can connect to the VPN'ed client -- so proper
> client-side security remains essential.
>
> --
> Steve Riley
> steve.riley@microsoft.com
> http://blogs.technet.com/steriley
> http://www.protectyourwindowsnetwork.com
>
> "Paul Adare - MVP" <pkadare@gmail.com> wrote in message
> news:1uwrwvyzt2w$.kgppzhqfsozo.dlg@40tude.net...
>> On Fri, 29 Aug 2008 14:26:07 -0400, David wrote:
>>
>>> For example if as a client you are provided a DLL or VPN to link to a
>>> specific server, what keeps someone from the server side from using the DLL
>>> or VPN to view or manipulate the client system????
>>
>> That isn't a client side setting, it is a server side setting. How it gets
>> set depends entirely on the VPN device in question.
>> Configuring security on the client side can mitigate this "issue". How you
>> go about that depends on the OS being used on the client. Whether or not it
>> is really an issue depends to a large degree on who owns the client
>> computer and whose VPN you're connecting to. If you're using a corporate
>> owned computer to access the corporation's VPN server then you really don't
>> have any expectation of privacy.
>>
>> --
>> Paul Adare
>> MVP - Identity Lifecycle Manager
>> http://www.identit.ca
>> This screen intentionally left blank.

Guest Shenan Stanley
Posted

David wrote:
> From responses it appears I'm either misunderstanding the response
> OR not properly phrasing my question.
>
> If I am an independent client (not affiliated or an employee of the
> company that owns the server), and provided a DLL or VPN setup by
> a company to access their server, how do I (as the client) protect
> myself under Windows XP Pro from someone on the server side gaining
> access to my computer (client) directories -- In other words can
> I keep them within their own directory or user account -- details
> please on how to set up?

 

If they setup your computer - and did it so you do not have administrative

rights and it is technically theirs - you are probably between a rock and a

hard place.

 

If it is your computer (or a computer provided by another company) and you

are an administrator - put anything you don't want them accessing in some

encrypted format (using Windows EFS or TrueCrypt or something else.)

 

Basically - what you seem to be asking has nothing to do with VPN in

particular - as you would have the same issue if using their wireless, their

wired networking, etc... You should secure your computer with file/folder

permissions and a Software Firewall if you will be using it on other

people's networks. Just connecting to another network (VPN or otherwise)

does not change your security settings or how they work. Your software

firewall should keep them from accessing your computer. Your file and

folder permissions are still in effect. Any other protection you have

(antivirus, antispyware, intrusion detection, etc) all still work the same.

 

If you are setup to stay protected - connecting to a VPN should just add to

that and encrypt the data you send/receive over said VPN connection. It

does not (or should not) eliminate or bypass your other protections.

 

--

Shenan Stanley

MS-MVP

--

How To Ask Questions The Smart Way

http://www.catb.org/~esr/faqs/smart-questions.html
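
The point made above by Steve Riley and Shenan Stanley (anything on the remote network can connect to the VPN'ed client, so what the client itself exposes and filters is what matters) can be checked from the client. The following is an added example, not part of any post in this thread: it parses `netstat -an` output and lists the listening sockets that are reachable over the tunnel. The sample output, the LAN address 192.168.1.20 and the VPN adapter address 10.8.0.6 are constructed assumptions.

```python
"""List listening sockets on a Windows client that are reachable over a VPN tunnel."""
import ipaddress
from typing import Iterator, List, NamedTuple, Tuple

# Constructed sample of `netstat -an` output captured while a VPN is connected.
# 192.168.1.20 is the home LAN adapter and 10.8.0.6 the VPN adapter (both assumed).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1029         0.0.0.0:0              LISTENING
  TCP    192.168.1.20:139       0.0.0.0:0              LISTENING
  TCP    10.8.0.6:139           0.0.0.0:0              LISTENING
  TCP    10.8.0.6:1045          10.8.0.1:443           ESTABLISHED
  UDP    0.0.0.0:445            *:*
  UDP    10.8.0.6:137           *:*
  UDP    192.168.1.20:137       *:*
"""
VPN_ADDRESS = "10.8.0.6"  # assumed address of the VPN adapter

# Windows services that expose files, the registry or a desktop to the network.
SENSITIVE = {
    ("TCP", 135): "RPC endpoint mapper",
    ("TCP", 139): "NetBIOS session (file sharing)",
    ("TCP", 445): "SMB (file shares, remote registry)",
    ("TCP", 3389): "Remote Desktop",
    ("UDP", 137): "NetBIOS name service",
    ("UDP", 138): "NetBIOS datagram",
}


class Socket(NamedTuple):
    proto: str
    address: str
    port: int
    service: str  # empty string when the port is not in SENSITIVE


def parse_listeners(netstat_text: str) -> Iterator[Tuple[str, object, int]]:
    """Yield (proto, ip, port) for every TCP LISTENING and every bound UDP socket."""
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue  # banner, header or blank line
        proto, local = fields[0], fields[1]
        if proto == "TCP" and (len(fields) < 4 or fields[3] != "LISTENING"):
            continue  # established or closing connection, not a listener
        host, _, port = local.rpartition(":")
        host = host.strip("[]").split("%")[0]  # "[::]" and "fe80::1%12" forms
        try:
            yield proto, ipaddress.ip_address(host), int(port)
        except ValueError:
            continue  # unparsable address or port, skip the line


def reachable_from_vpn(netstat_text: str, vpn_address: str) -> List[Socket]:
    """Return sockets bound to the wildcard address or to the VPN adapter.

    Loopback-only sockets and sockets bound to another adapter are not
    reachable through the tunnel and are left out.
    """
    vpn_ip = ipaddress.ip_address(vpn_address)
    found = set()
    for proto, ip, port in parse_listeners(netstat_text):
        if ip.is_unspecified or ip == vpn_ip:
            found.add(Socket(proto, str(ip), port, SENSITIVE.get((proto, port), "")))
    return sorted(found, key=lambda s: (s.proto, s.port, s.address))


def sensitive_exposures(netstat_text: str, vpn_address: str) -> List[Socket]:
    """Subset of reachable sockets that belong to a service listed in SENSITIVE."""
    return [s for s in reachable_from_vpn(netstat_text, vpn_address) if s.service]


if __name__ == "__main__":
    for s in reachable_from_vpn(SAMPLE_NETSTAT, VPN_ADDRESS):
        label = s.service or "unclassified"
        print(f"{s.proto} {s.address}:{s.port:<5} {label}")
```

To use it on a real client, pass the output of `netstat -an` taken while the VPN is connected in place of the sample. A listed socket is only a candidate: whether the remote network can actually reach it still depends on the host firewall rules.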

Guest Anteaus
Posted

I don't see how this situation differs from the client being directly

connected to the server. If the client has unsecured shares, or unsecured

remote-registry access, this is the problem, not VPN.

 

The key security issue (as I see it) with MS VPN is the very heavy reliance

it places on user-passwords to keep intruders out. I would be inclined to

supplement that with a requirement for fixed IP addresses on all clients, and

a suitable set of firewall rules on the server or gateway which will

lock-down access from unauthorised locations.

 

If you need true roaming access, then I would think in terms of secure

tunnelling or suchlike, which will allow the use of a pre-shared 128/256 bit

key instead of, or as well as, a user password.

 

"David" wrote:

> I'm interested in client security from the VPN.
>
> For example if a VPN is established on a client (say either via a DLL or
> Microsoft VPN), how does the client configure their machine to keep the
> server side from using the VPN to browse or copy files from the client
> machine?

Posted

So using a multi-layered security and safety approach is good. BTW, why do

we still only use 128 bit cipher strength so frequently and why not upgrade

the entire industry to start using 168 bit cipher strength as a new bare

minimum. One thing I do like about Windows Live One Care is the ability to

customize what you let in and out of your computer with the firewall by

allowing or blocking it. In addition, shouldn't all company networks have

the sort of firewall that Zone Alarm Professional reporting has so at least

the company can try to figure out where the port scan is coming from even if

the port scan is being hidden through numerous points throughout the world

 

"Anteaus" wrote:

> I don't see how this situation differs from the client being directly
> connected to the server. If the client has unsecured shares, or unsecured
> remote-registry access, this is the problem, not VPN.
>
> The key security issue (as I see it) with MS VPN is the very heavy reliance
> it places on user-passwords to keep intruders out. I would be inclined to
> supplement that with a requirement for fixed IP addresses on all clients, and
> a suitable set of firewall rules on the server or gateway which will
> lock-down access from unauthorised locations.
>
> If you need true roaming access, then I would think in terms of secure
> tunnelling or suchlike, which will allow the use of a pre-shared 128/256 bit
> key instead of, or as well as, a user password.
>
> "David" wrote:
>
> > I'm interested in client security from the VPN.
> >
> > For example if a VPN is established on a client (say either via a DLL or
> > Microsoft VPN), how does the client configure their machine to keep the
> > server side from using the VPN to browse or copy files from the client
> > machine?

Guest Paul Adare - MVP
Posted

On Sat, 30 Aug 2008 01:34:01 -0700, Dan wrote:

> So using a multi-layered security and safety approach is good. BTW, why do
> we still only use 128 bit cipher strength so frequently and why not upgrade
> the entire industry to start using 168 bit cipher strength as a new bare
> minimum.

 

What do you mean "upgrade the entire industry"? No one uses 168-bit

encryption and for good reason. Vista supports AES128, AES256, and 3DES.

> One thing I do like about Windows Live One Care is the ability to
> customize what you let in and out of your computer with the firewall by
> allowing or blocking it.

 

And your point is? The Vista firewall by itself provides this ability, no

need for OneCare on top of it.

> In addition, shouldn't all company networks have
> the sort of firewall that Zone Alarm Professional reporting has so at least
> the company can try to figure out where the port scan is coming from even if
> the port scan is being hidden through numerous points throughout the world

 

And in your vast experience company networks don't have this already? BTW -

what you're talking about is an Intrusion Detection System (IDS) and not a

firewall, however, any enterprise level firewall will have good reporting

features.

 

--

Paul Adare

MVP - Identity Lifecycle Manager

http://www.identit.ca

Transistor: A sibling, opposite of transbrother.

Guest Paul Adare - MVP
Posted

On Sat, 30 Aug 2008 01:04:01 -0700, Anteaus wrote:

> The key security issue (as I see it) with MS VPN is the very heavy reliance
> it places on user-passwords to keep intruders out.

 

There is no suck reliance. Microsoft's VPN solutions have supported

authentication methods other than user names and passwords, including but

not limited to certificate based authentication for years now.

> I would be inclined to
> supplement that with a requirement for fixed IP addresses on all clients,

 

That simply isn't possible in the real world. I travel all over the world

and need to connect to my corporate network. You're going to tell me that I

can't connect from my hotel? Well, guess what, the bad guys just won as I

can't do my work.

> and
> a suitable set of firewall rules on the server or gateway which will
> lock-down access from unauthorised locations.

 

This is possible now but as above is completely impractical in the real

world.

> If you need true roaming access, then I would think in terms of secure
> tunnelling or suchlike, which will allow the use of a pre-shared 128/256 bit
> key instead of, or as well as, a user password.

 

Again, in the real world, pre-shared keys are not secure and even if they

were, they are simply unmanageable on a large scale.

 

--

Paul Adare

MVP - Identity Lifecycle Manager

http://www.identit.ca

Nice computers don't go down.

Guest Paul Adare - MVP
Posted

On Sat, 30 Aug 2008 05:21:16 -0400, Paul Adare - MVP wrote:

> suck

 

such

--

Paul Adare

MVP - Identity Lifecycle Manager

http://www.identit.ca

HOST SYSTEM NOT RESPONDING, PROBABLY DOWN. DO YOU WANT TO WAIT? (Y/N)

Posted

3 DES --- 168 bit encryption according to Mozilla Firefox

 

Vista still has some issues and why do you think the FAA for the pilots

taking the flight exam would not allow Vista to be used if it has indeed been

perfectly perfected? I still hear from so many users that they hate Vista

because it is so complicated and they do not understand it and these users

just want the simplicity of an os like Windows 98 Second Edition.

 

"Paul Adare - MVP" wrote:

> On Sat, 30 Aug 2008 01:34:01 -0700, Dan wrote:
>
> > So using a multi-layered security and safety approach is good. BTW, why do
> > we still only use 128 bit cipher strength so frequently and why not upgrade
> > the entire industry to start using 168 bit cipher strength as a new bare
> > minimum.
>
> What do you mean "upgrade the entire industry"? No one uses 168-bit
> encryption and for good reason. Vista supports AES128, AES256, and 3DES.
>
> > One thing I do like about Windows Live One Care is the ability to
> > customize what you let in and out of your computer with the firewall by
> > allowing or blocking it.
>
> And your point is? The Vista firewall by itself provides this ability, no
> need for OneCare on top of it.
>
> > In addition, shouldn't all company networks have
> > the sort of firewall that Zone Alarm Professional reporting has so at least
> > the company can try to figure out where the port scan is coming from even if
> > the port scan is being hidden through numerous points throughout the world
>
> And in your vast experience company networks don't have this already? BTW -
> what you're talking about is an Intrusion Detection System (IDS) and not a
> firewall, however, any enterprise level firewall will have good reporting
> features.
>
> --
> Paul Adare
> MVP - Identity Lifecycle Manager
> http://www.identit.ca
> Transistor: A sibling, opposite of transbrother.

Posted

Why not require all keys to be updated more frequently and if the

corresponding key is lost then the user has no access === period? I ran into

an expired key recently at boards.live.microsoft.com and wondered to myself

why Microsoft had not updated the key. I emailed Microsoft and got the

response --- oh, that is a msn problem so you need to contact them -- contact

them -- nope it is not our problem and you need to contact Microsoft --- this

shifting of responsibility is stupid because no one wants to own up and be a

man or woman and say this is a problem that needs to be remedied and I if

they do indeed have the skills then let them say that I have the skills so I

can take action with the proper approval and fix the problem and then it is

no longer a problem

 

"Paul Adare - MVP" wrote:

> On Sat, 30 Aug 2008 01:04:01 -0700, Anteaus wrote:
>
> > The key security issue (as I see it) with MS VPN is the very heavy reliance
> > it places on user-passwords to keep intruders out.
>
> There is no suck reliance. Microsoft's VPN solutions have supported
> authentication methods other than user names and passwords, including but
> not limited to certificate based authentication for years now.
>
> > I would be inclined to
> > supplement that with a requirement for fixed IP addresses on all clients,
>
> That simply isn't possible in the real world. I travel all over the world
> and need to connect to my corporate network. You're going to tell me that I
> can't connect from my hotel? Well, guess what, the bad guys just won as I
> can't do my work.
>
> > and
> > a suitable set of firewall rules on the server or gateway which will
> > lock-down access from unauthorised locations.
>
> This is possible now but as above is completely impractical in the real
> world.
>
> > If you need true roaming access, then I would think in terms of secure
> > tunnelling or suchlike, which will allow the use of a pre-shared 128/256 bit
> > key instead of, or as well as, a user password.
>
> Again, in the real world, pre-shared keys are not secure and even if they
> were, they are simply unmanageable on a large scale.
>
> --
> Paul Adare
> MVP - Identity Lifecycle Manager
> http://www.identit.ca
> Nice computers don't go down.

Posted

What are you trying to say Paul?

 

"Paul Adare - MVP" wrote:

> On Sat, 30 Aug 2008 05:21:16 -0400, Paul Adare - MVP wrote:
>
> > suck
>
> such
> --
> Paul Adare
> MVP - Identity Lifecycle Manager
> http://www.identit.ca
> HOST SYSTEM NOT RESPONDING, PROBABLY DOWN. DO YOU WANT TO WAIT? (Y/N)

Posted

Thanks for response Mr. Stanley:

My computer, one user Administrator, me.

Have several computer programs I wrote which include DLL's

(API's) furnished by the hosting server companies.

 

> You should secure your computer with file/folder
> permissions

 

Makes sense. Newbie to User Accounts, File/Folder Permissions.

 

Anyway to do this easily? For example if I create a user account and set

permissions on the file/folders under that account, will that limit the VPN

or DLL within the file/folders within that account

 

OR

 

Do I need the reverse where all file/folders NOT in that account have

permissions set.

 

> put anything you don't want them accessing in some
> encrypted format (using Windows EFS or TrueCrypt or something else.)

 

I assume you mean within the same file/folder

 

===========================

 

With all the password breaking programs around, and basically a continuous

open line to the server, are file/folder permissions really secure?

 

Thanks

David

 

 

"Shenan Stanley" <newshelper@gmail.com> wrote in message

news:%23oOWEhiCJHA.5196@TK2MSFTNGP04.phx.gbl...
> David wrote:
>> From responses it appears I'm either misunderstanding the response
>> OR not properly phrasing my question.
>>
>> If I am an independent client (not affiliated or an employee of the
>> company that owns the server), and provided a DLL or VPN setup by
>> a company to access their server, how do I (as the client) protect
>> myself under Windows XP Pro from someone on the server side gaining
>> access to my computer (client) directories -- In other words can
>> I keep them within their own directory or user account -- details
>> please on how to set up?
>
> If they setup your computer - and did it so you do not have administrative
> rights and it is technically theirs - you are probably between a rock and
> a hard place.
>
> If it is your computer (or a computer provided by another company) and you
> are an administrator - put anything you don't want them accessing in some
> encrypted format (using Windows EFS or TrueCrypt or something else.)
>
> Basically - what you seem to be asking has nothing to do with VPN in
> particular - as you would have the same issue if using their wireless,
> their wired networking, etc... You should secure your computer with
> file/folder permissions and a Software Firewall if you will be using it on
> other people's networks. Just connecting to another network (VPN or
> otherwise) does not change your security settings or how they work. Your
> software firewall should keep them from accessing your computer. Your
> file and folder permissions are still in effect. Any other protection you
> have (antivirus, antispyware, intrusion detection, etc) all still work the
> same.
>
> If you are setup to stay protected - connecting to a VPN should just add
> to that and encrypt the data you send/receive over said VPN connection.
> It does not (or should not) eliminate or bypass your other protections.
>
> --
> Shenan Stanley
> MS-MVP
> --
> How To Ask Questions The Smart Way
> http://www.catb.org/~esr/faqs/smart-questions.html

Guest Paul Adare - MVP
Posted

On Sat, 30 Aug 2008 03:38:01 -0700, Dan wrote:

> Why not require all keys to be updated more frequently and if the
> corresponding key is lost then the user has no access === period?

 

What in the world are you talking about? This makes no sense.

> I ran into
> an expired key recently at boards.live.microsoft.com and wondered to myself
> why Microsoft had not updated the key. I emailed Microsoft and got the
> response --- oh, that is a msn problem so you need to contact them -- contact
> them -- nope it is not our problem and you need to contact Microsoft --- this
> shifting of responsibility is stupid because no one wants to own up and be a
> man or woman and say this is a problem that needs to be remedied and I if
> they do indeed have the skills then let them say that I have the skills so I
> can take action with the proper approval and fix the problem and then it is
> no longer a problem

 

You can't even distinguish between a pre-shared key and certificate and you

expect anyone to take you seriously when it comes to your whacked out views

on what constitutes computer security? Man, I feel sorry for whomever is

employing you if your job involves anything at all to do with computer

security.

 

--

Paul Adare

MVP - Identity Lifecycle Manager

http://www.identit.ca

A computer program does what you tell it to do, not what you want it to do.

Guest FromTheRafters
Posted

"Dan" <Dan@discussions.microsoft.com> wrote in message

news:4C0BE077-BAD2-4A32-8349-1E31C3ECB825@microsoft.com...
> So using a multi-layered security and safety approach is good. BTW, why do
> we still only use 128 bit cipher strength so frequently and why not upgrade
> the entire industry to start using 168 bit cipher strength as a new bare
> minimum.

 

I want to use 129 bits - gee...nearly twice strength of the

128 bit version and I only buy one more bit.

Posted

LOL

 

"FromTheRafters" wrote:

> "Dan" <Dan@discussions.microsoft.com> wrote in message
> news:4C0BE077-BAD2-4A32-8349-1E31C3ECB825@microsoft.com...
> > So using a multi-layered security and safety approach is good. BTW, why do
> > we still only use 128 bit cipher strength so frequently and why not upgrade
> > the entire industry to start using 168 bit cipher strength as a new bare
> > minimum.
>
> I want to use 129 bits - gee...nearly twice strength of the
> 128 bit version and I only buy one more bit.

Posted

You had better make mine 147 bit ---- :-) Thanks for your comment, From the

Rafters and I do appreciate it.

 

The real or should I say reel (movie) deal is that b_nice is too serious

about security and needs to relax. I used to be like b_nice and not be able

to relax but now computer security and safety is just all a game to me. You

people should be really thankful that I am a good hacker and not a bad one

because I could really wreak havoc if I so wanted to but I obey the law and I

guess that just is not appreciated that I don't fit into the box method of

your usual security person because I am not. I have used computers since

before 1984 with an IBM PCjr and began BASIC programming with a BASIC

cartridge and have worked with computers ever since so no I am not some

newbie and I even plan on getting my A+ certification this year so there go

ahead and continue the mockery, Paul and b_nice. BTW, I am justified in

being rude to b_nice because b_nice is a total jerk and wound up so tight

that the b_nice only cares about security and is not willing to talk about

anything else. We all need to lighten up the mood folks and kick back and

relax and remember it is Saturday and a Labor Day weekend to boot. Finally,

Paul does know what he is talking about and is recognized with the mvp status

by Microsoft but I have no desire to meet him in person either. I will tell

you folks there are a lot of nice mvps out there and they are Robear Dyer,

mvp, Chris Quirke, mvp, Alan Edwards, mvp, etc. and these nice folks usually

hang out in the Windows 98 general newsgroup where the mood is much lighter

than here.

 

"FromTheRafters" wrote:

<span style="color:blue">

>

> "Dan" <Dan@discussions.microsoft.com> wrote in message

> news:4C0BE077-BAD2-4A32-8349-1E31C3ECB825@microsoft.com...<span style="color:green">

> > So using a multi-layered security and safety approach is good. BTW, why

> > do

> > we still only use 128 bit cipher strength so frequently and why not

> > upgrade

> > the entire industry to start using 168 bit cipher strength as a new bare

> > minimum.</span>

>

> I want to use 129 bits - gee...nearly twice strength of the

> 128 bit version and I only buy one more bit.

>

>

> </span>

Posted

I am saying have keys expire much more frequently so they can be updated more

and this would lessen the chance that the key could be stolen or compromised.

The security certificate is what I am referring to.

 

"Paul Adare - MVP" wrote:

<span style="color:blue">

> On Sat, 30 Aug 2008 03:38:01 -0700, Dan wrote:

> <span style="color:green">

> > Why not require all keys to be updated more frequently and if the

> > corresponding key is lost then the user has no access === period? </span>

>

> What in the world are you talking about? This makes no sense.

> <span style="color:green">

> > I ran into

> > an expired key recently at boards.live.microsoft.com and wondered to myself

> > why Microsoft had not updated the key. I emailed Microsoft and got the

> > response --- oh, that is a msn problem so you need to contact them -- contact

> > them -- nope it is not our problem and you need to contact Microsoft --- this

> > shifting of responsibility is stupid because no one wants to own up and be a

> > man or woman and say this is a problem that needs to be remedied and I if

> > they do indeed have the skills then let them say that I have the skills so I

> > can take action with the proper approval and fix the problem and then it is

> > no longer a problem</span>

>

> You can't even distinguish between a pre-shared key and certificate and you

> expect anyone to take you seriously when it comes to your whacked out views

> on what constitutes computer security? Man, I feel sorry for whomever is

> employing you if your job involves anything at all to do with computer

> security.

>

> --

> Paul Adare

> MVP - Identity Lifecycle Manager

> http://www.identit.ca

> A computer program does what you tell it to do, not what you want it to do.

> </span>

Guest Brian Komar (MVP)
Posted

You are making absolutely no sense.

Please learn some basics about PKI before posting on this topic

 

Thanks,

Brian

 

"Dan" <Dan@discussions.microsoft.com> wrote in message

news:6DD213CF-A89D-4B3F-ABC6-37EB9E4B833E@microsoft.com...<span style="color:blue">

>I am saying have keys expire much more frequently so they can be updated

>more

> and this would lessen the chance that the key could be stolen or

> compromised.

> The security certificate is what I am referring to.

>

> "Paul Adare - MVP" wrote:

><span style="color:green">

>> On Sat, 30 Aug 2008 03:38:01 -0700, Dan wrote:

>><span style="color:darkred">

>> > Why not require all keys to be updated more frequently and if the

>> > corresponding key is lost then the user has no access === period?</span>

>>

>> What in the world are you talking about? This makes no sense.

>><span style="color:darkred">

>> > I ran into

>> > an expired key recently at boards.live.microsoft.com and wondered to

>> > myself

>> > why Microsoft had not updated the key. I emailed Microsoft and got the

>> > response --- oh, that is a msn problem so you need to contact them --

>> > contact

>> > them -- nope it is not our problem and you need to contact

>> > Microsoft --- this

>> > shifting of responsibility is stupid because no one wants to own up and

>> > be a

>> > man or woman and say this is a problem that needs to be remedied and I

>> > if

>> > they do indeed have the skills then let them say that I have the skills

>> > so I

>> > can take action with the proper approval and fix the problem and then

>> > it is

>> > no longer a problem</span>

>>

>> You can't even distinguish between a pre-shared key and certificate and

>> you

>> expect anyone to take you seriously when it comes to your whacked out

>> views

>> on what constitutes computer security? Man, I feel sorry for whomever is

>> employing you if your job involves anything at all to do with computer

>> security.

>>

>> --

>> Paul Adare

>> MVP - Identity Lifecycle Manager

>> http://www.identit.ca

>> A computer program does what you tell it to do, not what you want it to

>> do.

>> </span></span>

Posted

He made a typo, Dan! "There is no suck reliance"

 

Dave

 

--.

"Dan" <Dan@discussions.microsoft.com> wrote in message

news:CD68B3DB-C45F-4AC9-BF2F-3AAAF76582C1@microsoft.com...<span style="color:blue">

> What are you trying to say Paul?

>

> "Paul Adare - MVP" wrote:

><span style="color:green">

>> On Sat, 30 Aug 2008 05:21:16 -0400, Paul Adare - MVP wrote:

>><span style="color:darkred">

>> > suck</span>

>>

>> such

>> --

>> Paul Adare

>> MVP - Identity Lifecycle Manager

>> http://www.identit.ca

>> HOST SYSTEM NOT RESPONDING, PROBABLY DOWN. DO YOU WANT TO WAIT? (Y/N)

>></span>

> </span>

Guest Paul Adare - MVP
Posted

On Sat, 30 Aug 2008 08:55:01 -0700, Dan wrote:

<span style="color:blue">

> You

> people should be really thankful that I am a good hacker and not a bad one

> because I could really wreak havoc if I so wanted</span>

 

Most hilarious thing I've read here for ages.

 

--

Paul Adare

MVP - Identity Lifecycle Manager

http://www.identit.ca

The attention span of a computer is only as long as its power cord.
