Microsoft has hit back at claims that Windows 2000 users are exposed to a loophole in the operating system's random number generator, a flaw researchers claim allows hackers to retrieve users' personal information. Dr Benny Pinkas from the Department of Computer Science at the University of Haifa, said CryptGenRandom can be exploited by hackers to access information such as email, password and credit card details.
"This is not a theoretical discovery. Anyone who exploits this security loophole can definitely access this information on other computers," he said. However, Mark Miller, Microsoft's director for security response communications, said after further investigation into the claims by Dr Pinkas, the company found that there is no security vulnerability.
View: Full Article @ PC Advisor
"This is not a theoretical discovery. Anyone who exploits this security loophole can definitely access this information on other computers," he said. However, Mark Miller, Microsoft's director for security response communications, said after further investigation into the claims by Dr Pinkas, the company found that there is no security vulnerability.
View: Full Article @ PC Advisor
The claim is that the random number generator isn't random enough. Oh, and XP/Vista haven't been analyzed, so they are 'unknown', per the report.
The claim is that the random number generator isn't random enough. Oh, and XP/Vista haven't been analyzed, so they are 'unknown', per the report.
Oh, I read it. I still have trouble comprehending accessing info that's no longer there. That's all. BTW, I was being snarky with the Vista bit. Recalibrate your sarcasm detector.
As far as the info that is no longer on the PC, I surmise that they are talking about encrypted emails that were sent. If I were to capture these, and crack the specific machine's number generator, I can decode the email, even though it is no longer on the computer I cracked.
Sort of a sensational-sounding claim when worded like it is.
As far as the info that is no longer on the PC, I surmise that they are talking about encrypted emails that were sent. If I were to capture these, and crack the specific machine's number generator, I can decode the email, even though it is no longer on the computer I cracked.
Sort of a sensational-sounding claim when worded like it is.
Ahhh.. OK. I get it. You're right, it is sensational-sounding. Thanks for helping me understand that.
/no sarcasm
well, that depends on how you look at it. I for one still follow their first stance, namely that it is the responsability of the receiving application to check the incoming URI parameters for strange characters or possible buffer overflows.
For the generation of numbers to be truly random you'd have to use a quantum computer that makes use of Heisenburg uncertainty when it generates random numbers. And that doesn't exist yet.
Commenting has either been disabled on this article or you are not logged in. Click here to login or register, its free!
Note: Anonymous commenting is disabled in order to keep the quality of responses to a high standard.