Windows Explorer may expose FTP passwords in plaintext
Subject Author Date
Windows Explorer may expose FTP passwords in plaintext Brian Knittel 07-18-2008
Posted by Paul Adare - MVP on August 1, 2008, 8:20 pm
On Fri, 1 Aug 2008 14:26:13 -0500, Shenan Stanley wrote:



If you're going to do this:


> How To Ask Questions The Smart Way
> http://www.catb.org/~esr/faqs/smart-questions.html

And do this:

> In reference to your last paragraph...

Doesn't it behoove you to follow your own advice?

If you're responding to a specific paragraph, especially the last one, do
you really need to quote the entire article?


--
Paul Adare
MVP - Identity Lifecycle Manager
http://www.identit.ca
BPI: A 1960s term used to describe unmentionable parts of the anatomy, as in "you bet your bpi".

Posted by ~BD~ on August 2, 2008, 3:40 am
Maybe you should put *your* house in order, too, Paul! ;)

This page on your web site is referring to last year:-
http://www.identit.ca/events.html

Dave




Posted by Shenan Stanley on August 2, 2008, 11:25 am
<snipped>
Want to read more?
http://groups.google.com/group/microsoft.public.security/browse_frm/thread/d15e6b0861171443/8d82fd27f703e5af#8d82fd27f703e5af



Paul Adare - MVP wrote:
> If you're going to do this:

Shenan Stanley wrote:
> How To Ask Questions The Smart Way
> http://www.catb.org/~esr/faqs/smart-questions.html

Paul Adare - MVP wrote:
> And do this:

Shenan Stanley wrote:
> In reference to your last paragraph...

Paul Adare - MVP wrote:
> Doesn't it behoove you to follow your own advice?
>
> If you're responding to a specific paragraph, especially the last
> one, do you really need to quote the entire article?


If by article you mean the "last response in this entire conversation" -
then I can tell you why I left it whole.


Short answer:
You have to know the point-of-view of the person asking the questions being
referred to in order to understand the questions and answers I chose to
give. The background information needed to be left.


Longer answer:
The responder chose to put no reference to the entire conversation they were
responding to. This - to me - was a bad choice - but I respected it as they
made whole points, not really referencing much except to (and they stated
it) summarize the past conversation.

My response was directed at the last paragraph of questions by the poster;
however, the questions (and answers) would have no real context if I had
left out the parts above it (the summarization(s) the poster had written.)
Leaving the poster's points in gave the necessary context - as they posted
that as a whole and I fully intended to leave it as a whole.

Many times people do not do this - they choose to pull things out of the
body of the message they are responding to and while their response makes
sense in that microcosm of their own creation - it may not address the
actual points the original person intended to get across. I was addressing
the concerns they had presented as a whole but made sure I pointed out I was
answering the questions they had given clearly in reference to the concerns
they had presented earlier.

After all - If I had quoted only the last paragraph:
"So -- the people responsible for this at Microsoft have been asleep at the
switch, and nobody has called them to task? Surely this can't be beyond
Microsoft's ability to fix? And surely there's someone up there with enough
of a grasp of the importance of protecting passwords (and protecting user
confidence) to take it on?"

How do you know - out of just that - it is a discussion on (quoting the OP
earlier), "... Windows Explorer is given an FTP URL, prompts for a password,
and unexpectedly retains and displays it in plain text in the Address
history dropdown ..."? How would you know what I was referencing with the
part of my response, '... that you want to dismiss as "beside the
point"....'?

You could argue that if someone wanted to know more - they could find the
posting and read it in its entirety... However - given what I replied to and
quoted was small; that would have been choosing to leave out things, perhaps
for my own purpose, thereby creating my own microcosm from which to
answer... Or - putting it bluntly - I believed it would have been lazy and
inconsiderate to the original poster's intentions. Not to mention, not
everyone knows how to locate entire archives of postings - thus why I
sometimes also post the Google Groups link (such as now) to the archival of
the post in its entirety at the beginning of the response. ;-)

--
Shenan Stanley
MS-MVP
--
How To Ask Questions The Smart Way
http://www.catb.org/~esr/faqs/smart-questions.html



Posted by S. Pidgorny on August 1, 2008, 9:28 pm
G'day:



> Any one of these points should be sufficient to make the case that this is
> improper behavior and has to be fixed. The four taken together are beyond
> compelling. Arguments that "FTP isn't secure anyway, so it's OK for
> Windows to reveal the password," or "Only the logged in user can see the
> password anyway" are completely beside the point. (And wouldn't have been
> so disturbing but for the credentials of their sources).

To me those are quite compelling points, and to the point. Casually
dismissing those is a good sign of the fact there's nothing to counter.

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *



Posted by Alun Jones on August 3, 2008, 12:35 am
>> Any one of these points should be sufficient to make the case that this
>> is improper behavior and has to be fixed. The four taken together are
>> beyond compelling. Arguments that "FTP isn't secure anyway, so it's OK
>> for Windows to reveal the password," or "Only the logged in user can see
>> the password anyway" are completely beside the point. (And wouldn't have
>> been so disturbing but for the credentials of their sources).
>
> To me those are quite compelling points, and to the point. Casually
> dismissing those is a good sign of the fact there's nothing to counter.

Whether you feel those are compelling points or not, it's worth noting that
the behaviour for FTP is different from any other protocol for which you can
make similar assertions.

Enter a password into Basic Authentication over HTTP - that's exactly
equivalent to an unprotected password over FTP. And yet the credentials are
not stored, they are not available through the history interface to the
user, and they are not displayed to the user.

It is only the FTP implementation - and only the implementation in Windows
Explorer - where this approach to password storage and display is made,
despite there being numerous other protocols that are at least as weak.

There are two debates here:
1. I disagree with your suggestion that it's fine to display passwords "to
the user", as if there is no concern about shoulder-surfing.
2. The operating system is being inconsistent, when you compare FTP against
similarly unsecure protocol implementations.

Brian's interested in addressing debate 2. Debate 1 is a different issue
altogether.

Alun.
~~~~
--
Texas Imperial Software | Web: http://www.wftpd.com/
23921 57th Ave SE | Blog: http://msmvps.com/alunj/
Woodinville WA 98072-8661 | WFTPD, WFTPD Pro are Windows FTP servers.
Fax/Voice +1(425)807-1787 | Try our NEW client software, WFTPD Explorer.
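
A check for the exposure discussed in this thread, as an added example that is not part of any post: it scans a list of address-history entries for URLs that carry a password and returns them with the password masked. It assumes the retained entry has the form `scheme://user:password@host/...`; the function names and the sample entries are constructed for illustration.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed sample of address-history entries (not taken from a real system).
SAMPLE_HISTORY = [
    "ftp://brian:s3cret@ftp.example.com/pub",      # password retained in the URL
    "ftp://anonymous@ftp.example.com/",            # user name only, no password
    "http://intranet.example.com/reports",         # Basic auth travels in a header, not the URL
    "ftp://ops:p%40ss@[2001:db8::1]:2121/logs",    # encoded '@' in password, IPv6 host, port
]


def redact_url(url):
    """Return (url_with_password_masked, had_password).

    Only the password in the userinfo part of the URL is replaced;
    scheme, user name, host, port, path and query are preserved.
    """
    parts = urlsplit(url)
    if not parts.password:          # None (absent) or "" (empty) -> nothing to hide
        return url, False
    host = parts.hostname or ""
    if ":" in host:                 # IPv6 literal: put the brackets back
        host = f"[{host}]"
    netloc = f"{parts.username or ''}:***@{host}"
    if parts.port is not None:
        netloc += f":{parts.port}"
    masked = urlunsplit((parts.scheme, netloc, parts.path,
                         parts.query, parts.fragment))
    return masked, True


def audit_history(entries):
    """Return the masked form of every entry that exposed a password."""
    findings = []
    for entry in entries:
        masked, exposed = redact_url(entry)
        if exposed:
            findings.append(masked)
    return findings


if __name__ == "__main__":
    for finding in audit_history(SAMPLE_HISTORY):
        print("password present in history entry:", finding)
```
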


