On Wed, 11 Jun 1997, Vin McLellan wrote:
> Craig Brozefsky <craig@onshore.com> replied:
>
> >I hope they have other types of strong auth, they do right? SecurID is
> >known to be weak, papers have been published exposing the lameness of
> >its auth scheme, and it also does not do stream level encryption last I
> >heard.
>
> For a professional who has an impressive command of the particulars
> in your other discussions, Craig, you slither right over the details in
> your grumpy references to ACE/SecurID. Have you actually read PeiterZ's
> paper? SDTI's response? Adam Shostack's paper? (And the note he prepended
> just before he presented it?)
SecurID is lame, I'll say it again. Why pay for an OTP password system with
no encryption capabilities, and a non-published cryptographic method for
generating the tokens, when I can use ssh for free, or purchase it from
F-Prot if I need that commercial feeling? There are Mac and Windows as
well as Unix clients. Not only is ssh free, but source is freely
available for the Unix versions of both the client and server and is open
for peer review.
<Vin McLellan SDTI marketing screed elided>
> If you'd like to discuss any particular issue or threat -- on the
> List or in e-mail -- I'm more than willing. You're obviously a pro, so
> please, if you are worried about a product, cite specific concerns rather
> than gratuitously smear this or any tech. Knock it down if you can,
> certainly -- but don't just piss in the general direction. The wind can
> blow it back on you.
OTP systems by themselves are near worthless when used over the Internet,
and non-published proprietary mechanisms based on closed cryptographic
methods and code bases are even worse off. We both agree that OTP and
crypto need to be used together, you even say so in your posts to
BUGTRAQ, and other mailing lists. So why should I pay for a product that
is proprietary and only gives me one part of the real security equation,
when I can get an open, free solution that gives me the whole equation,
as well as my choice of stream crypto and a lot of other features? I
would say the commercial product only providing half the solution is a
lame-duck.
If you would like to post another multi-page press release feel free; you
seem to do it everywhere else.
Craig Brozefsky craig@onshore.com
onShore Inc. http://www.onshore.com/~craig
Development Team p_priority=PFUN+(p_work/4)+(2*p_cash)
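The "half the equation" argument above, illustrated as an added example that is not part of the original post or of any SDTI or ssh code: a counter-based one-time code is accepted once and rejected on replay (the part an OTP token does provide), but everything sent after authentication is visible to a passive observer of the path unless the session itself is encrypted. The token algorithm is an HOTP-style HMAC construction standing in for whatever a real token does, the shared secret, session key and payload are constructed demo values, and the HMAC-counter keystream is a deliberately simple stand-in for a real stream cipher; the session key is assumed to have been established by a key exchange that the demo does not model.

```python
import hashlib
import hmac
import struct

# Constructed demo values; none of these come from the original thread.
SHARED_SECRET = b"demo-token-secret-0123456789"      # token seed shared with the verifier
SESSION_KEY = hashlib.sha256(b"demo-handshake-key").digest()  # assumed: output of a key exchange
SESSION_PAYLOAD = b"GET /payroll/report  Cookie: session=abc123"


def otp_code(secret: bytes, counter: int, digits: int = 6) -> str:
    """Counter-based one-time code: HMAC-SHA1 over the counter, dynamically
    truncated to `digits` decimal digits (HOTP-style; a stand-in for any
    token algorithm)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


class OtpVerifier:
    """Server-side state: each code is accepted at most once, so a code
    captured on the wire cannot be replayed later."""

    def __init__(self, secret: bytes, window: int = 5):
        self.secret = secret
        self.next_counter = 0     # lowest counter value still acceptable
        self.window = window      # tolerate a few skipped presses on the token

    def verify(self, code: str) -> bool:
        for c in range(self.next_counter, self.next_counter + self.window):
            if hmac.compare_digest(otp_code(self.secret, c), code):
                self.next_counter = c + 1   # burn this counter and everything below it
                return True
        return False


class Wire:
    """Records every frame sent: exactly what a passive observer on the path sees."""

    def __init__(self):
        self.frames = []

    def send(self, data: bytes) -> bytes:
        self.frames.append(data)
        return data


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as an illustrative keystream generator
    (a real deployment would use an established stream cipher or AEAD)."""
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", block), hashlib.sha256).digest()
        block += 1
    return out[:length]


def stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (same operation) by XOR with the keystream."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


def run_session(encrypted: bool) -> dict:
    """Authenticate with a one-time code, then send the session payload either
    in the clear or under the stream cipher; report what the verifier and a
    passive observer each got out of it."""
    wire = Wire()
    verifier = OtpVerifier(SHARED_SECRET)
    code = otp_code(SHARED_SECRET, 0)

    # Step 1: the OTP part. First use succeeds, a replay of the same code fails.
    wire.send(b"AUTH " + code.encode())
    auth_ok = verifier.verify(code)
    replay_ok = verifier.verify(code)

    # Step 2: the session part. Without transport crypto the OTP did nothing for this.
    if encrypted:
        wire.send(stream_xor(SESSION_KEY, b"\x00" * 8, SESSION_PAYLOAD))
    else:
        wire.send(SESSION_PAYLOAD)

    observer_sees_payload = any(b"session=abc123" in frame for frame in wire.frames)
    return {
        "auth_ok": auth_ok,
        "replay_ok": replay_ok,
        "observer_sees_payload": observer_sees_payload,
    }


if __name__ == "__main__":
    for mode in (False, True):
        print("encrypted" if mode else "plaintext", run_session(encrypted=mode))
```

Running it shows the same verifier outcome in both modes (authentication succeeds, the replayed code is rejected) while only the plaintext run leaves the session cookie readable on the wire; that difference is the half of the equation the post says an OTP-only product leaves out.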