I'm interested in client security from the VPN.

For example if a VPN is established on a client (say either via a DLL or
Microsoft VPN), how does the client configure their machine to keep the
server side from using the VPN to browse or copy files from the client
machine?

Thanks
David

RE: VPN Client Security by Dan

Dan
Fri Aug 29 12:52:01 CDT 2008

VPN is very tricky and the computers on your end must be properly configured
and tightened down all with custom settings. I would suggest a special brand
of varying computers to be given to clients that have automatic updates
locked. The clients must know these are the company's computers and if taken
off campus then the client is fully responsible for the computer. The
computer must not have any special and/or confidential information and should
be used only as needed. VPN is too easy to hack if a system admin. leaves
settings too weak and not properly configured. I hope never to have to use
VPN again because it sucks when the business does not have the proper
settings and they are hacked and you are hacked and you lose your identity as
well as your clients who happen to be 1st grade students. Just my 2 cents
and please forgive the rant but it felt good. <smile>

"David" wrote:

> I'm interested in client security from the VPN.
>
> For example if a VPN is established on a client (say either via a DLL or
> Microsoft VPN), how does the client configure their machine to keep the
> server side from using the VPN to browse or copy files from the client
> machine?
>
> Thanks
> David
>
>
>

Re: VPN Client Security by Paul

Paul
Fri Aug 29 13:20:23 CDT 2008

On Fri, 29 Aug 2008 10:52:01 -0700, Dan wrote:

> VPN is very tricky and the computers on your end must be properly configured
> and tightened down all with custom settings.

What does this mean exactly?

> I would suggest a special brand
> of varying computers to be given to clients

What exactly is a "special brand of varying computers"? That makes
absolutely no sense at all.

> that have automatic updates
> locked.

Again, what does that mean?

> The clients must know these are the company's computers and if taken
> off campus then the client is fully responsible for the computer. The
> computer must not have any special and/or confidential information and should
> be used only as needed.

You don't live in the real world Dan. I have customers with 10's of
thousands of road warriors who use secure VPNs every day, both with
corporate computers and home computers.

> VPN is too easy to hack if a system admin. leaves
> settings too weak and not properly configured.

Anything is easy to hack if it is not properly configured. This statement
does nothing at all to help anyone.

> I hope never to have to use
> VPN again because it sucks when the business does not have the proper
> settings and they are hacked and you are hacked and you lose your identity as
> well as your clients who happen to be 1st grade students. Just my 2 cents
> and please forgive the rant but it felt good. <smile>

More weird nonsensical ramblings.
--
Paul Adare
MVP - Identity Lifecycle Manager
http://www.identit.ca
Computer programmers do it byte by byte.

Re: VPN Client Security by David

David
Fri Aug 29 13:26:07 CDT 2008

Glad you got that off your chest -- but doesn't answer my question.

My interest lies on the client side, not the server side.
I've been trying for some time to get an answer to "How" or "If" the client
can protect themselves from the server side.

For example if as a client you are provided a DLL or VPN to link to a
specific server, what keeps someone from the server side from using the DLL
or VPN to view or manipulate the client system????





"Dan" <Dan@discussions.microsoft.com> wrote in message
news:6B2A184A-2DF2-4215-87F9-421D30EABA2B@microsoft.com...
> VPN is very tricky and the computers on your end must be properly configured
> and tightened down all with custom settings. I would suggest a special brand
> of varying computers to be given to clients that have automatic updates
> locked. The clients must know these are the company's computers and if taken
> off campus then the client is fully responsible for the computer. The
> computer must not have any special and/or confidential information and should
> be used only as needed. VPN is too easy to hack if a system admin. leaves
> settings too weak and not properly configured. I hope never to have to use
> VPN again because it sucks when the business does not have the proper
> settings and they are hacked and you are hacked and you lose your identity as
> well as your clients who happen to be 1st grade students. Just my 2 cents
> and please forgive the rant but it felt good. <smile>
>
> "David" wrote:
>
>> I'm interested in client security from the VPN.
>>
>> For example if a VPN is established on a client (say either via a DLL or
>> Microsoft VPN), how does the client configure their machine to keep the
>> server side from using the VPN to browse or copy files from the client
>> machine?
>>
>> Thanks
>> David
>>
>>
>>



Re: VPN Client Security by Paul

Paul
Fri Aug 29 13:36:57 CDT 2008

On Fri, 29 Aug 2008 14:26:07 -0400, David wrote:

> For example if as a client you are provided a DLL or VPN to link to a
> specific server, what keeps someone from the server side from using the DLL
> or VPN to view or manipulate the client system????

That isn't a client side setting, it is a server side setting. How it gets
set depends entirely on the VPN device in question.
Configuring security on the client side can mitigate this "issue". How you
go about that depends on the OS being used on the client. Whether or not it
is really an issue depends to a large degree on who owns the client
computer and whose VPN you're connecting to. If you're using a corporate
owned computer to access the corporation's VPN server then you really don't
have any expectation of privacy.

--
Paul Adare
MVP - Identity Lifecycle Manager
http://www.identit.ca
This screen intentionally left blank.

Re: VPN Client Security by Steve

Steve
Fri Aug 29 14:22:33 CDT 2008

Think of the VPN'ed client as being a full member of the remote network it
connected to. Clients locally-attached to that network can be accessed by
anything on that network. That's why I'm a big fan of using the Windows
firewall even on LANs. VPN clients are no different, really. Anything on the
remote network can connect to the VPN'ed client -- so proper client-side
security remains essential.

--
Steve Riley
steve.riley@microsoft.com
http://blogs.technet.com/steriley
http://www.protectyourwindowsnetwork.com



"Paul Adare - MVP" <pkadare@gmail.com> wrote in message
news:1uwrwvyzt2w$.kgppzhqfsozo.dlg@40tude.net...
> On Fri, 29 Aug 2008 14:26:07 -0400, David wrote:
>
>> For example if as a client you are provided a DLL or VPN to link to a
>> specific server, what keeps someone from the server side from using the DLL
>> or VPN to view or manipulate the client system????
>
> That isn't a client side setting, it is a server side setting. How it gets
> set depends entirely on the VPN device in question.
> Configuring security on the client side can mitigate this "issue". How you
> go about that depends on the OS being used on the client. Whether or not it
> is really an issue depends to a large degree on who owns the client
> computer and whose VPN you're connecting to. If you're using a corporate
> owned computer to access the corporation's VPN server then you really don't
> have any expectation of privacy.
>
> --
> Paul Adare
> MVP - Identity Lifecycle Manager
> http://www.identit.ca
> This screen intentionally left blank.


Re: VPN Client Security by David

David
Fri Aug 29 17:14:21 CDT 2008

From responses it appears I'm either misunderstanding the response OR not
properly phrasing my question.

If I am an independent client (not affiliated or an employee of the company
that owns the server), and provided a DLL or VPN setup by a company to
access their server, how do I (as the client) protect myself under Windows
XP Pro from someone on the server side gaining access to my computer
(client) directories -- In other words can I keep them within their own
directory or user account -- details please on how to set up?





"Steve Riley [MSFT]" <steve.riley@microsoft.com> wrote in message
news:7C09F566-6BC0-4C2C-AB3E-9A82E97F0654@microsoft.com...
> Think of the VPN'ed client as being a full member of the remote network it
> connected to. Clients locally-attached to that network can be accessed by
> anything on that network. That's why I'm a big fan of using the Windows
> firewall even on LANs. VPN clients are no different, really. Anything on
> the remote network can connect to the VPN'ed client -- so proper
> client-side security remains essential.
>
> --
> Steve Riley
> steve.riley@microsoft.com
> http://blogs.technet.com/steriley
> http://www.protectyourwindowsnetwork.com
>
>
>
> "Paul Adare - MVP" <pkadare@gmail.com> wrote in message
> news:1uwrwvyzt2w$.kgppzhqfsozo.dlg@40tude.net...
>> On Fri, 29 Aug 2008 14:26:07 -0400, David wrote:
>>
>>> For example if as a client you are provided a DLL or VPN to link to a
>>> specific server, what keeps someone from the server side from using the DLL
>>> or VPN to view or manipulate the client system????
>>
>> That isn't a client side setting, it is a server side setting. How it gets
>> set depends entirely on the VPN device in question.
>> Configuring security on the client side can mitigate this "issue". How you
>> go about that depends on the OS being used on the client. Whether or not it
>> is really an issue depends to a large degree on who owns the client
>> computer and whose VPN you're connecting to. If you're using a corporate
>> owned computer to access the corporation's VPN server then you really don't
>> have any expectation of privacy.
>>
>> --
>> Paul Adare
>> MVP - Identity Lifecycle Manager
>> http://www.identit.ca
>> This screen intentionally left blank.
>



Re: VPN Client Security by Shenan

Shenan
Fri Aug 29 17:40:38 CDT 2008

David wrote:
> From responses it appears I'm either misunderstanding the response
> OR not properly phrasing my question.
>
> If I am an independent client (not affiliated or an employee of the
> company that owns the server), and provided a DLL or VPN setup by
> a company to access their server, how do I (as the client) protect
> myself under Windows XP Pro from someone on the server side gaining
> access to my computer (client) directories -- In other words can
> I keep them within their own directory or user account -- details
> please on how to set up?

If they set up your computer - and did it so you do not have administrative
rights and it is technically theirs - you are probably between a rock and a
hard place.

If it is your computer (or a computer provided by another company) and you
are an administrator - put anything you don't want them accessing in some
encrypted format (using Windows EFS or TrueCrypt or something else.)

Basically - what you seem to be asking has nothing to do with VPN in
particular - as you would have the same issue if using their wireless, their
wired networking, etc... You should secure your computer with file/folder
permissions and a Software Firewall if you will be using it on other
people's networks. Just connecting to another network (VPN or otherwise)
does not change your security settings or how they work. Your software
firewall should keep them from accessing your computer. Your file and
folder permissions are still in effect. Any other protection you have
(antivirus, antispyware, intrusion detection, etc) all still work the same.

If you are set up to stay protected - connecting to a VPN should just add to
that and encrypt the data you send/receive over said VPN connection. It
does not (or should not) eliminate or bypass your other protections.

--
Shenan Stanley
MS-MVP
--
How To Ask Questions The Smart Way
http://www.catb.org/~esr/faqs/smart-questions.html
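
An added example, not part of the original posts: a check for the exposure Steve and Shenan describe above, listing which listening services on a client answer on the VPN adapter. It parses `netstat -ano`-style output; the sample text, the VPN adapter address `10.8.0.23` and the function names are constructed for illustration.

```python
import ipaddress

# Labels for ports that typically sit behind file browsing or remote
# management on Windows. Used only to annotate the report.
SENSITIVE_PORTS = {
    135: "RPC endpoint mapper",
    139: "NetBIOS session (file sharing)",
    445: "SMB (file sharing, remote registry)",
    3389: "Remote Desktop",
}

# Constructed sample of `netstat -ano` output on a client whose LAN address
# is 192.168.1.20 and whose VPN adapter was assigned 10.8.0.23.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:5354         0.0.0.0:0              LISTENING       1480
  TCP    192.168.1.20:139       0.0.0.0:0              LISTENING       4
  TCP    10.8.0.23:139          0.0.0.0:0              LISTENING       4
  TCP    10.8.0.23:49222        10.8.0.1:443           ESTABLISHED     2200
  TCP    [::]:3389              [::]:0                 LISTENING       1100
  UDP    0.0.0.0:500            *:*                                    700
"""


def parse_listeners(netstat_text):
    """Return (proto, address, port, pid) for every listening socket."""
    listeners = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] not in ("TCP", "UDP"):
            continue  # banner, header or blank line
        proto, local = fields[0], fields[1]
        # TCP rows carry a state column; UDP rows do not and always accept.
        if proto == "TCP" and fields[3] != "LISTENING":
            continue
        host, _, port = local.rpartition(":")
        host = host.strip("[]").split("%")[0]  # drop IPv6 brackets and zone id
        listeners.append(
            (proto, ipaddress.ip_address(host), int(port), int(fields[-1]))
        )
    return listeners


def reachable_from_vpn(listeners, vpn_ip):
    """Listeners that accept traffic arriving on the VPN adapter.

    A wildcard bind (0.0.0.0 or ::) answers on every adapter of that address
    family, the VPN one included; a specific bind is exposed only when it is
    the VPN address itself. This reports bindings only: a host firewall rule
    may still block the traffic, which is the point made in the thread.
    """
    vpn = ipaddress.ip_address(vpn_ip)
    exposed = []
    for proto, addr, port, pid in listeners:
        if addr.version != vpn.version:
            continue
        if addr.is_unspecified or addr == vpn:
            label = SENSITIVE_PORTS.get(port, "other listener")
            exposed.append((proto, port, pid, label))
    return sorted(exposed, key=lambda row: (row[1], row[0]))


if __name__ == "__main__":
    for proto, port, pid, label in reachable_from_vpn(
        parse_listeners(SAMPLE_NETSTAT), "10.8.0.23"
    ):
        print(f"{proto}/{port:<5} pid={pid:<5} {label}")
```

Listeners bound only to the loopback or LAN address drop out of the report; everything that remains is what the client-side firewall has to cover on the VPN interface.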



RE: VPN Client Security by Anteaus

Anteaus
Sat Aug 30 03:04:01 CDT 2008

I don't see how this situation differs from the client being directly
connected to the server. If the client has unsecured shares, or unsecured
remote-registry access, this is the problem, not VPN.

The key security issue (as I see it) with MS VPN is the very heavy reliance
it places on user-passwords to keep intruders out. I would be inclined to
supplement that with a requirement for fixed IP addresses on all clients, and
a suitable set of firewall rules on the server or gateway which will
lock-down access from unauthorised locations.

If you need true roaming access, then I would think in terms of secure
tunnelling or suchlike, which will allow the use of a pre-shared 128/256 bit
key instead of, or as well as, a user password.

"David" wrote:

> I'm interested in client security from the VPN.
>
> For example if a VPN is established on a client (say either via a DLL or
> Microsoft VPN), how does the client configure their machine to keep the
> server side from using the VPN to browse or copy files from the client
> machine?


RE: VPN Client Security by Dan

Dan
Sat Aug 30 03:34:01 CDT 2008

So using a multi-layered security and safety approach is good. BTW, why do
we still only use 128 bit cipher strength so frequently and why not upgrade
the entire industry to start using 168 bit cipher strength as a new bare
minimum. One thing I do like about Windows Live One Care is the ability to
customize what you let in and out of your computer with the firewall by
allowing or blocking it. In addition, shouldn't all company networks have
the sort of firewall that Zone Alarm Professional reporting has so at least
the company can try to figure out where the port scan is coming from even if
the port scan is being hidden through numerous points throughout the world

"Anteaus" wrote:

> I don't see how this situation differs from the client being directly
> connected to the server. If the client has unsecured shares, or unsecured
> remote-registry access, this is the problem, not VPN.
>
> The key security issue (as I see it) with MS VPN is the very heavy reliance
> it places on user-passwords to keep intruders out. I would be inclined to
> supplement that with a requirement for fixed IP addresses on all clients, and
> a suitable set of firewall rules on the server or gateway which will
> lock-down access from unauthorised locations.
>
> If you need true roaming access, then I would think in terms of secure
> tunnelling or suchlike, which will allow the use of a pre-shared 128/256 bit
> key instead of, or as well as, a user password.
>
> "David" wrote:
>
> > I'm interested in client security from the VPN.
> >
> > For example if a VPN is established on a client (say either via a DLL or
> > Microsoft VPN), how does the client configure their machine to keep the
> > server side from using the VPN to browse or copy files from the client
> > machine?
>

Re: VPN Client Security by Paul

Paul
Sat Aug 30 04:17:43 CDT 2008

On Sat, 30 Aug 2008 01:34:01 -0700, Dan wrote:

> So using a multi-layered security and safety approach is good. BTW, why do
> we still only use 128 bit cipher strength so frequently and why not upgrade
> the entire industry to start using 168 bit cipher strength as a new bare
> minimum.

What do you mean "upgrade the entire industry"? No one uses 168-bit
encryption and for good reason. Vista supports AES128, AES256, and 3DES.

> One thing I do like about Windows Live One Care is the ability to
> customize what you let in and out of your computer with the firewall by
> allowing or blocking it.

And your point is? The Vista firewall by itself provides this ability, no
need for OneCare on top of it.

> In addition, shouldn't all company networks have
> the sort of firewall that Zone Alarm Professional reporting has so at least
> the company can try to figure out where the port scan is coming from even if
> the port scan is being hidden through numerous points throughout the world

And in your vast experience company networks don't have this already? BTW -
what you're talking about is an Intrusion Detection System (IDS) and not a
firewall, however, any enterprise level firewall will have good reporting
features.

--
Paul Adare
MVP - Identity Lifecycle Manager
http://www.identit.ca
Transistor: A sibling, opposite of transbrother.

Re: VPN Client Security by Paul

Paul
Sat Aug 30 04:21:16 CDT 2008

On Sat, 30 Aug 2008 01:04:01 -0700, Anteaus wrote:

> The key security issue (as I see it) with MS VPN is the very heavy reliance
> it places on user-passwords to keep intruders out.

There is no suck reliance. Microsoft's VPN solutions have supported
authentication methods other than user names and passwords, including but
not limited to certificate based authentication for years now.

> I would be inclined to
> supplement that with a requirement for fixed IP addresses on all clients,

That simply isn't possible in the real world. I travel all over the world
and need to connect to my corporate network. You're going to tell me that I
can't connect from my hotel? Well, guess what, the bad guys just won as I
can't do my work.

> and
> a suitable set of firewall rules on the server or gateway which will
> lock-down access from unauthorised locations.

This is possible now but as above is completely impractical in the real
world.

>
> If you need true roaming access, then I would think in terms of secure
> tunnelling or suchlike, which will allow the use of a pre-shared 128/256 bit
> key instead of, or as well as, a user password.

Again, in the real world, pre-shared keys are not secure and even if they
were, they are simply unmanageable on a large scale.

--
Paul Adare
MVP - Identity Lifecycle Manager
http://www.identit.ca
Nice computers don't go down.

Re: VPN Client Security by Paul

Paul
Sat Aug 30 04:23:49 CDT 2008

On Sat, 30 Aug 2008 05:21:16 -0400, Paul Adare - MVP wrote:

> suck

such
--
Paul Adare
MVP - Identity Lifecycle Manager
http://www.identit.ca
HOST SYSTEM NOT RESPONDING, PROBABLY DOWN. DO YOU WANT TO WAIT? (Y/N)

Re: VPN Client Security by Dan

Dan
Sat Aug 30 05:33:01 CDT 2008

3 DES --- 168 bit encryption according to Mozilla Firefox

Vista still has some issues and why do you think the FAA for the pilots
taking the flight exam would not allow Vista to be used if it has indeed been
perfectly perfected? I still hear from so many users that they hate Vista
because it is so complicated and they do not understand it and these users
just want the simplicity of an os like Windows 98 Second Edition.

"Paul Adare - MVP" wrote:

> On Sat, 30 Aug 2008 01:34:01 -0700, Dan wrote:
>
> > So using a multi-layered security and safety approach is good. BTW, why do
> > we still only use 128 bit cipher strength so frequently and why not upgrade
> > the entire industry to start using 168 bit cipher strength as a new bare
> > minimum.
>
> What do you mean "upgrade the entire industry"? No one uses 168-bit
> encryption and for good reason. Vista supports AES128, AES256, and 3DES.
>
> > One thing I do like about Windows Live One Care is the ability to
> > customize what you let in and out of your computer with the firewall by
> > allowing or blocking it.
>
> And your point is? The Vista firewall by itself provides this ability, no
> need for OneCare on top of it.
>
> > In addition, shouldn't all company networks have
> > the sort of firewall that Zone Alarm Professional reporting has so at least
> > the company can try to figure out where the port scan is coming from even if
> > the port scan is being hidden through numerous points throughout the world
>
> And in your vast experience company networks don't have this already? BTW -
> what you're talking about is an Intrusion Detection System (IDS) and not a
> firewall, however, any enterprise level firewall will have good reporting
> features.
>
> --
> Paul Adare
> MVP - Identity Lifecycle Manager
> http://www.identit.ca
> Transistor: A sibling, opposite of transbrother.
>

Re: VPN Client Security by Dan

Dan
Sat Aug 30 05:38:01 CDT 2008

Why not require all keys to be updated more frequently and if the
corresponding key is lost then the user has no access === period? I ran into
an expired key recently at boards.live.microsoft.com and wondered to myself
why Microsoft had not updated the key. I emailed Microsoft and got the
response --- oh, that is a msn problem so you need to contact them -- contact
them -- nope it is not our problem and you need to contact Microsoft --- this
shifting of responsibility is stupid because no one wants to own up and be a
man or woman and say this is a problem that needs to be remedied and I if
they do indeed have the skills then let them say that I have the skills so I
can take action with the proper approval and fix the problem and then it is
no longer a problem

"Paul Adare - MVP" wrote:

> On Sat, 30 Aug 2008 01:04:01 -0700, Anteaus wrote:
>
> > The key security issue (as I see it) with MS VPN is the very heavy reliance
> > it places on user-passwords to keep intruders out.
>
> There is no suck reliance. Microsoft's VPN solutions have supported
> authentication methods other than user names and passwords, including but
> not limited to certificate based authentication for years now.
>
> > I would be inclined to
> > supplement that with a requirement for fixed IP addresses on all clients,
>
> That simply isn't possible in the real world. I travel all over the world
> and need to connect to my corporate network. You're going to tell me that I
> can't connect from my hotel? Well, guess what, the bad guys just won as I
> can't do my work.
>
> > and
> > a suitable set of firewall rules on the server or gateway which will
> > lock-down access from unauthorised locations.
>
> This is possible now but as above is completely impractical in the real
> world.
>
> >
> > If you need true roaming access, then I would think in terms of secure
> > tunnelling or suchlike, which will allow the use of a pre-shared 128/256 bit
> > key instead of, or as well as, a user password.
>
> Again, in the real world, pre-shared keys are not secure and even if they
> were, they are simply unmanageable on a large scale.
>
> --
> Paul Adare
> MVP - Identity Lifecycle Manager
> http://www.identit.ca
> Nice computers don't go down.
>

Re: VPN Client Security by Dan

Dan
Sat Aug 30 05:39:00 CDT 2008

What are you trying to say Paul?

"Paul Adare - MVP" wrote:

> On Sat, 30 Aug 2008 05:21:16 -0400, Paul Adare - MVP wrote:
>
> > suck
>
> such
> --
> Paul Adare
> MVP - Identity Lifecycle Manager
> http://www.identit.ca
> HOST SYSTEM NOT RESPONDING, PROBABLY DOWN. DO YOU WANT TO WAIT? (Y/N)
>

Re: VPN Client Security by David

David
Sat Aug 30 07:49:45 CDT 2008

Thanks for response Mr. Stanley:
My computer, one user Administrator, me.
Have several computer programs I wrote which include DLL's
(API's) furnished by the hosting server companies.

> You should secure your computer with file/folder
> permissions

Makes sense. Newbie to User Accounts, File/Folder Permissions.

Any way to do this easily? For example if I create a user account and set
permissions on the file/folders under that account, will that limit the VPN
or DLL within the file/folders within that account?

OR

Do I need the reverse where all file/folders NOT in that account have
permissions set.

> put anything you don't want them accessing in some
> encrypted format (using Windows EFS or TrueCrypt or something else.)

I assume you mean within the same file/folder

===========================

With all the password breaking programs around, and basically a continuous
open line to the server, are file/folder permissions really secure?

Thanks
David


"Shenan Stanley" <newshelper@gmail.com> wrote in message
news:%23oOWEhiCJHA.5196@TK2MSFTNGP04.phx.gbl...
> David wrote:
>> From responses it appears I'm either misunderstanding the response
>> OR not properly phrasing my question.
>>
>> If I am an independent client (not affiliated or an employee of the
>> company that owns the server), and provided a DLL or VPN setup by
>> a company to access their server, how do I (as the client) protect
>> myself under Windows XP Pro from someone on the server side gaining
>> access to my computer (client) directories -- In other words can
>> I keep them within their own directory or user account -- details
>> please on how to set up?
>
> If they set up your computer - and did it so you do not have administrative
> rights and it is technically theirs - you are probably between a rock and
> a hard place.
>
> If it is your computer (or a computer provided by another company) and you
> are an administrator - put anything you don't want them accessing in some
> encrypted format (using Windows EFS or TrueCrypt or something else.)
>
> Basically - what you seem to be asking has nothing to do with VPN in
> particular - as you would have the same issue if using their wireless,
> their wired networking, etc... You should secure your computer with
> file/folder permissions and a Software Firewall if you will be using it on
> other people's networks. Just connecting to another network (VPN or
> otherwise) does not change your security settings or how they work. Your
> software firewall should keep them from accessing your computer. Your
> file and folder permissions are still in effect. Any other protection you
> have (antivirus, antispyware, intrusion detection, etc) all still work the
> same.
>
> If you are set up to stay protected - connecting to a VPN should just add
> to that and encrypt the data you send/receive over said VPN connection.
> It does not (or should not) eliminate or bypass your other protections.
>
> --
> Shenan Stanley
> MS-MVP
> --
> How To Ask Questions The Smart Way
> http://www.catb.org/~esr/faqs/smart-questions.html
>



Re: VPN Client Security by Paul

Paul
Sat Aug 30 07:52:42 CDT 2008

On Sat, 30 Aug 2008 03:38:01 -0700, Dan wrote:

> Why not require all keys to be updated more frequently and if the
> corresponding key is lost then the user has no access === period?

What in the world are you talking about? This makes no sense.

> I ran into
> an expired key recently at boards.live.microsoft.com and wondered to myself
> why Microsoft had not updated the key. I emailed Microsoft and got the
> response --- oh, that is a msn problem so you need to contact them -- contact
> them -- nope it is not our problem and you need to contact Microsoft --- this
> shifting of responsibility is stupid because no one wants to own up and be a
> man or woman and say this is a problem that needs to be remedied and I if
> they do indeed have the skills then let them say that I have the skills so I
> can take action with the proper approval and fix the problem and then it is
> no longer a problem

You can't even distinguish between a pre-shared key and certificate and you
expect anyone to take you seriously when it comes to your whacked out views
on what constitutes computer security? Man, I feel sorry for whomever is
employing you if your job involves anything at all to do with computer
security.

--
Paul Adare
MVP - Identity Lifecycle Manager
http://www.identit.ca
A computer program does what you tell it to do, not what you want it to do.

Re: VPN Client Security by FromTheRafters

FromTheRafters
Sat Aug 30 09:02:49 CDT 2008


"Dan" <Dan@discussions.microsoft.com> wrote in message
news:4C0BE077-BAD2-4A32-8349-1E31C3ECB825@microsoft.com...
> So using a multi-layered security and safety approach is good. BTW, why do
> we still only use 128 bit cipher strength so frequently and why not upgrade
> the entire industry to start using 168 bit cipher strength as a new bare
> minimum.

I want to use 129 bits - gee...nearly twice strength of the
128 bit version and I only buy one more bit. :o)



Re: VPN Client Security by Dan

Dan
Sat Aug 30 09:56:00 CDT 2008

LOL

"FromTheRafters" wrote:

>
> "Dan" <Dan@discussions.microsoft.com> wrote in message
> news:4C0BE077-BAD2-4A32-8349-1E31C3ECB825@microsoft.com...
> > So using a multi-layered security and safety approach is good. BTW, why do
> > we still only use 128 bit cipher strength so frequently and why not upgrade
> > the entire industry to start using 168 bit cipher strength as a new bare
> > minimum.
>
> I want to use 129 bits - gee...nearly twice strength of the
> 128 bit version and I only buy one more bit. :o)
>
>
>

Re: VPN Client Security by Dan

Dan
Sat Aug 30 10:55:01 CDT 2008

You had better make mine 147 bit ---- :-) Thanks for your comment, From the
Rafters and I do appreciate it.

The real or should I say reel (movie) deal is that b_nice is too serious
about security and needs to relax. I used to be like b_nice and not be able
to relax but now computer security and safety is just all a game to me. You
people should be really thankful that I am a good hacker and not a bad one
because I could really wreak havoc if I so wanted to but I obey the law and I
guess that just is not appreciated that I don't fit into the box method of
your usual security person because I am not. I have used computers since
before 1984 with an IBM PCjr and began BASIC programming with a BASIC
cartridge and have worked with computers ever since so no I am not some
newbie and I even plan on getting my A+ certification this year so there go
ahead and continue the mockery, Paul and b_nice. BTW, I am justified in
being rude to b_nice because b_nice is a total jerk and wound up so tight
that the b_nice only cares about security and is not willing to talk about
anything else. We all need to lighten up the mood folks and kick back and
relax and remember it is Saturday and a Labor Day weekend to boot. Finally,
Paul does know what he is talking about and is recognized with the mvp status
by Microsoft but I have no desire to meet him in person either. I will tell
you folks there are a lot of nice mvps out there and they are Robear Dyer,
mvp, Chris Quirke, mvp, Alan Edwards, mvp, etc. and these nice folks usually
hang out in the Windows 98 general newsgroup where the mood is much lighter
than here.

"FromTheRafters" wrote:

>
> "Dan" <Dan@discussions.microsoft.com> wrote in message
> news:4C0BE077-BAD2-4A32-8349-1E31C3ECB825@microsoft.com...
> > So using a multi-layered security and safety approach is good. BTW, why do
> > we still only use 128 bit cipher strength so frequently and why not upgrade
> > the entire industry to start using 168 bit cipher strength as a new bare
> > minimum.
>
> I want to use 129 bits - gee...nearly twice strength of the
> 128 bit version and I only buy one more bit. :o)
>
>
>

Re: VPN Client Security by Dan

Dan
Sat Aug 30 10:57:00 CDT 2008

I am saying have keys expire much more frequently so they can be updated more
and this would lessen the chance that the key could be stolen or compromised.
The security certificate is what I am referring to.

"Paul Adare - MVP" wrote:

> On Sat, 30 Aug 2008 03:38:01 -0700, Dan wrote:
>
> > Why not require all keys to be updated more frequently and if the
> > corresponding key is lost then the user has no access === period?
>
> What in the world are you talking about? This makes no sense.
>
> > I ran into
> > an expired key recently at boards.live.microsoft.com and wondered to myself
> > why Microsoft had not updated the key. I emailed Microsoft and got the
> > response --- oh, that is a msn problem so you need to contact them -- contact
> > them -- nope it is not our problem and you need to contact Microsoft --- this
> > shifting of responsibility is stupid because no one wants to own up and be a
> > man or woman and say this is a problem that needs to be remedied and I if
> > they do indeed have the skills then let them say that I have the skills so I
> > can take action with the proper approval and fix the problem and then it is
> > no longer a problem
>
> You can't even distinguish between a pre-shared key and certificate and you
> expect anyone to take you seriously when it comes to your whacked out views
> on what constitutes computer security? Man, I feel sorry for whomever is
> employing you if your job involves anything at all to do with computer
> security.
>
> --
> Paul Adare
> MVP - Identity Lifecycle Manager
> http://www.identit.ca
> A computer program does what you tell it to do, not what you want it to do.
>

Re: VPN Client Security by Brian

Brian
Sat Aug 30 11:45:13 CDT 2008

You are making absolutely no sense.
Please learn some basics about PKI before posting on this topic.

Thanks,
Brian

"Dan" <Dan@discussions.microsoft.com> wrote in message
news:6DD213CF-A89D-4B3F-ABC6-37EB9E4B833E@microsoft.com...
> I am saying have keys expire much more frequently so they can be updated more
> and this would lessen the chance that the key could be stolen or compromised.
> The security certificate is what I am referring to.
>
> "Paul Adare - MVP" wrote:
>
>> On Sat, 30 Aug 2008 03:38:01 -0700, Dan wrote:
>>
>> > Why not require all keys to be updated more frequently and if the
>> > corresponding key is lost then the user has no access === period?
>>
>> What in the world are you talking about? This makes no sense.
>>
>> > I ran into
>> > an expired key recently at boards.live.microsoft.com and wondered to myself
>> > why Microsoft had not updated the key. I emailed Microsoft and got the
>> > response --- oh, that is a msn problem so you need to contact them -- contact
>> > them -- nope it is not our problem and you need to contact Microsoft --- this
>> > shifting of responsibility is stupid because no one wants to own up and be a
>> > man or woman and say this is a problem that needs to be remedied and I if
>> > they do indeed have the skills then let them say that I have the skills so I
>> > can take action with the proper approval and fix the problem and then it is
>> > no longer a problem
>>
>> You can't even distinguish between a pre-shared key and certificate and you
>> expect anyone to take you seriously when it comes to your whacked out views
>> on what constitutes computer security? Man, I feel sorry for whomever is
>> employing you if your job involves anything at all to do with computer
>> security.
>>
>> --
>> Paul Adare
>> MVP - Identity Lifecycle Manager
>> http://www.identit.ca
>> A computer program does what you tell it to do, not what you want it to do.
>>


Re: VPN Client Security by ~BD~

~BD~
Sat Aug 30 14:39:33 CDT 2008

He made a typo, Dan! "There is no suck reliance"

Dave

--.
"Dan" <Dan@discussions.microsoft.com> wrote in message
news:CD68B3DB-C45F-4AC9-BF2F-3AAAF76582C1@microsoft.com...
> What are you trying to say Paul?
>
> "Paul Adare - MVP" wrote:
>
>> On Sat, 30 Aug 2008 05:21:16 -0400, Paul Adare - MVP wrote:
>>
>> > suck
>>
>> such
>> --
>> Paul Adare
>> MVP - Identity Lifecycle Manager
>> http://www.identit.ca
>> HOST SYSTEM NOT RESPONDING, PROBABLY DOWN. DO YOU WANT TO WAIT? (Y/N)
>>
>



Re: VPN Client Security by Paul

Paul
Sat Aug 30 15:02:08 CDT 2008

On Sat, 30 Aug 2008 08:55:01 -0700, Dan wrote:

> You
> people should be really thankful that I am a good hacker and not a bad one
> because I could really wreak havoc if I so wanted

Most hilarious thing I've read here for ages.

--
Paul Adare
MVP - Identity Lifecycle Manager
http://www.identit.ca
The attention span of a computer is only as long as its power cord.

Re: VPN Client Security by Root

Root
Sun Aug 31 00:22:31 CDT 2008

On Sat, 30 Aug 2008 08:55:01 -0700, Dan
<Dan@discussions.microsoft.com> wrote:

>The real or should I say reel (movie) deal is that b_nice is too serious
>about security and needs to relax.

How you can turn a thread about VPN (a thread I did not even
participate in) into a personal attack on me proves what others have
already suggested: You are mentally unbalanced.

> I used to be like b_nice

You were never like me.

>and not be able to relax but now computer security and safety is just all a game to me.

Finally some truth from you. Everyone can see you're just playing
around.

>You people should be really thankful that I am a good hacker and not a bad one
>because I could really wreak havoc if I so wanted

BWA HA HA HA HA. I guess you're right. Just leaving you with a
keyboard is dangerous.

>I have used computers since before 1984 with an IBM PCjr and began BASIC
>programming with a BASIC cartridge and have worked with computers ever since so
>no I am not some newbie and I even plan on getting my A+ certification this year
>so there go ahead and continue the mockery, Paul and b_nice.

I will for sure continue the mockery as long as you keep on posting
stuff which shows you have no clue what you are talking about. Your
credentials mean nothing when what you post is complete nonsense.

>BTW, I am justified in being rude to b_nice because b_nice is a total jerk and wound up so tight
>that the b_nice only cares about security and is not willing to talk about
>anything else.

Of course I'm not willing to talk about anything else. It's called
staying on topic. Something which you seem to have a serious problem
with.

>We all need to lighten up the mood folks and kick back and
>relax and remember it is Saturday and a Labor Day weekend to boot.

No we don't. You, on the other hand, need to remember to get your
medication.

>Finally, Paul does know what he is talking about and is recognized with the mvp status
>by Microsoft but I have no desire to meet him in person either. I will tell
>you folks there are a lot of nice mvps out there and they are Robear Dyer,
>mvp, Chris Quirke, mvp, Alan Edwards, mvp, etc. and these nice folks usually
>hang out in the Windows 98 general newsgroup where the mood is much lighter
>than here.

Then go there instead.

Re: VPN Client Security by Dan

Dan
Mon Sep 01 05:46:00 CDT 2008

Sorry, Brian and Paul et al., and I will try to be more clear and concise
in the future.

"Brian Komar (MVP)" wrote:

> You are making absolutely no sense.
> Please learn some basics about PKI before posting on this topic
>
> Thanks,
> Brian
>
> "Dan" <Dan@discussions.microsoft.com> wrote in message
> news:6DD213CF-A89D-4B3F-ABC6-37EB9E4B833E@microsoft.com...
> > I am saying have keys expire much more frequently so they can be updated more
> > and this would lessen the chance that the key could be stolen or compromised.
> > The security certificate is what I am referring to.
> >
> > "Paul Adare - MVP" wrote:
> >
> >> On Sat, 30 Aug 2008 03:38:01 -0700, Dan wrote:
> >>
> >> > Why not require all keys to be updated more frequently and if the
> >> > corresponding key is lost then the user has no access === period?
> >>
> >> What in the world are you talking about? This makes no sense.
> >>
> >> > I ran into
> >> > an expired key recently at boards.live.microsoft.com and wondered to myself
> >> > why Microsoft had not updated the key. I emailed Microsoft and got the
> >> > response --- oh, that is a msn problem so you need to contact them -- contact
> >> > them -- nope it is not our problem and you need to contact Microsoft --- this
> >> > shifting of responsibility is stupid because no one wants to own up and be a
> >> > man or woman and say this is a problem that needs to be remedied and I if
> >> > they do indeed have the skills then let them say that I have the skills so I
> >> > can take action with the proper approval and fix the problem and then it is
> >> > no longer a problem
> >>
> >> You can't even distinguish between a pre-shared key and certificate and you
> >> expect anyone to take you seriously when it comes to your whacked out views
> >> on what constitutes computer security? Man, I feel sorry for whomever is
> >> employing you if your job involves anything at all to do with computer
> >> security.
> >>
> >> --
> >> Paul Adare
> >> MVP - Identity Lifecycle Manager
> >> http://www.identit.ca
> >> A computer program does what you tell it to do, not what you want it to do.
> >>
>