|
-
January 21st, 2005, 08:30 PM
#4
Originally posted here by mohaughn
I think it is moreso a misuse of the product.
How is it a misuse of the product? Microsoft sell's that product with one of the features being touted as the ability to protect a document from being opened (or modified...more on this below...) with a password.
It's not mis-use of the product...if anything, it's mis-representation of the products capabilities. If Ford-rolet designs, builds, and sells a car, advertising all its advantages including a "Big-Gulp sized cup holder", someone buys the car and puts a Big-Gulp in the cup holder, which then drops the cup and spills it on the new-car carpet and they get mad, is it reasonable to tell that person "you shouldn't be buying a car just for the cup holder!" It was advertised that way!
Does Word really need to do 256 AES encryption when there are so many other tools that do it so well? Word isn't a security product, it is a word processor. Leave the encryption to true encryption packages. It just amazes me that the experts in the field still love to find products that are not intended for secure use and then bash them. I guess they have to keep their name in the media somehow.
No, I don't think many of us would legitimately argue with you that word needs 256bit AES to protect the documents. And yes, those in the know WOULD use one of the much better products, I'd think. But when Microsoft sells a product with "Security Features" they've built in, then it's not a matter of whether it "needs" the features...they're already there. And some companies are buying it because the spec sheet reflects these "features" exist.
I just checked the MS Office 2k3 help file and this is what it says- "Note Requiring a password to modify a file does not encrypt the contents of the file."
So if we mark a document for modify-only-with-password, we shouldn't expect encryption? Thanks. Much appreciated. But I never did. Modify-only has *nothing* to do with encryption except the fact that they both use a password. We're talking about encrypting the whole document...i.e. password needed to open/view/read/print the document.
So why the hell are these guys even writing the articles when the product documentation says it is not really encrypting the contents??????? The help file doesn't make a distinction between the weak XOR that is default and the MS Strong encryption that they used in this article, but either way. I'm not going to use a product for security purposes when the help file clearly says what I posted above.
Go back to my last statement. They are reviewing the use of an accepted and approved encryption algorithm by the single most recognized software firm in the world in a product stated to have security features to protect the users content. The use of this algorith is incorrect, and this is the point of the article. If you really think this is about MS bashing, think again. It's about saying "this is done wrong", proving it, and opening discussion so the industry can learn from this mistake. Will they learn from the mistake? That's another discussion.
/* edited for grammatical errors */
"Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
"...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore
Posting Permissions
- You may not post new threads
- You may not post replies
- You may not post attachments
- You may not edit your posts
-
Forum Rules
|
|
Reply With Quote