Ejovi was prevented from giving his talk by the Japanese Ministry of Internal Affairs and Communications. Ejovi did the security audit on the local government system connected to the Japanese National ID system (Jyukinet) for the prefecture of Nagano. I audited his audit and wrote an opinion for Governor of Nagano last December. It does suck that they blocked is talk, which I think would have been fair and balanced as Ejovi says. However, I can easily imagine the government taking a hard stance on this considering all of the trouble they are having controlling the spin. Anyway, welcome to my world Ejovi. Ejovi, if you really want to give this talk, I think you need to do it with some political backup like Nagano or another local government.
Recently in Computer and Network Risks Category
I wonder who would launch such an attack and what the motivation would be? Would it be, "because I can" sort of hacking or someone hired or with more purpose. In any event, this is clearly a risk. Take a look at the other stuff going on on the Black Box Voting site. I think it's quite important.
MONDAY Nov 1 2004: New information indicates that hackers may be targeting the central computers counting our votes tomorrow. All county elections officials who use modems to transfer votes from polling places to the central vote-counting server should disconnect the modems now.
There is no down side to removing the modems. Simply drive the vote cartridges from each polling place in to the central vote-counting location by car, instead of transmitting by modem. “Turning off” the modems may not be sufficient. Disconnect the central vote counting server from all modems, INCLUDING PHONE LINES, not just Internet.
In a very large county, this will add at most one hour to the vote-counting time, while offering significant protection from outside intrusion.
It appears that such an attack may already have taken place, in a primary election 6 weeks ago in King County, Washington -- a large jurisdiction with over one million registered voters. Documents, including internal audit logs for the central vote-counting computer, along with modem “trouble slips” consistent with hacker activity, show that the system may have been hacked on Sept. 14, 2004. Three hours is now missing from the vote-counting computer's "audit log," an automatically generated record, similar to the black box in an airplane, which registers certain kinds of events.
via David Weinberger
Take a look at the site for details, but you can imagine how much fun they had. The picture above is Windows Media Player running on the ATM. As they point out, the scary thing is that Diebold are also making the voting machines.Midnight Spaghetti & The Chocolate G-StringsDiebold ATM Media Player
March 17, 2004
Midnight Spaghetti causing a ruckus as always.
The Scene: Carnegie Mellon University
The Event: A newly installed Diebold Opteva 520 ATM crashes, then reboots. Suprizingly, it's vanilla-style Windows XP operating system initialized without the actual ATM software.
The Result: A desktop computer with only a touch screen interface is left wide open for the amusement of the most wired university in the U.S.
When the WiFi network went down at FiRe and Max quickly mapped out the network, grabbed a free IP address and started hunting for the rogue network, it was useful and cool. I hadn't messed around with "security tools" recently so I decided to spend one hour searching for some tools that would work on my Mac.
First I downloaded trusty nmap which scans your network for computers, does an OS fingerprint and will often find the name, revealing the owner. It will also do quiet portscans to see what services are running on the machines.
Then I found ettercap. (Lastest version doesn't run properly on the OS X, use version 0.6.7.) This is a full-featured packet sniffer with an easy to use interface. It is unique in that instead of doing IP sniffing, it uses ARP hacking and MAC address spoofing to allow you to sniff across switches. It has a variety of "plug-ins" that let you easily capture email, passwords and keyword filtered bits and pieces into files or onto the screen. It lets you insert your own text into connections so you could for instance type a command into someone's telnet session. Of course you can also terminate other people's sessions and connections. Another interesting feature in the recent release is that you can now sniff SSH1 sessions. (Lucky for Dan we installed SSH2 on his computer.)
ettercap README5.4.4 SSH1 MAN-IN-THE-MIDDLE
When the connection starts (remember that we are the master-of-packets, all packets go through ettercap) we substitute the server public key with one generated on the fly and save it in a list so we can remember that this server has been poisoned before.
Then the client send the packet containing the session key ciphered with our key, so we are able to decipher it and sniff the real 3DES session key. Now we encrypt the packet with the correct server public key and forward it to the SSH daemon.
The connection is established normally, but we have the session key !! Now we can decrypt all the traffic and sit down watching the stream ! The connection will remain active even if we exit from ettercap, because ettercap doesn't proxy it (like dsniff). After the exchange of the keys, ettercap is only a spectator... ;)
I also googled around a bit and found a wep key cracker for WiFi wep keys and a password cracker for unix and windows passwords that all seemed easy enough to run.
My point is, an old fart like me with a some curiosity and an hours works was able to load up enough gear onto my Mac to do the basics. With a bit more time and skill, I could probably find the exploits so I could break into the computers I found on the network instead of just watching and messing with their connections.
I was just appointed committee member of the Committee for the Protection of Identification Information for the City of Yokohama. I was appointed by Hiroshi Nakada, the mayor of Yokohama. Yokohama is one of the most active opponents of the Japanese Basic Resident Code system and has made it optional for the residents of the City of Yokohama. Mayor Nakada argues (rightly) that the current Basic Resident Code law is illegal because there is not sufficient privacy protection as originally mandated in the law. This argument is quite valid until the privacy bill passes. The privacy bill is being deliberated in the Diet at this moment. I believe, and have said publicly, that this privacy bill currently being drafted is too strong on business and too lenient on bureaucrats and would not constitute strong privacy vis a vis the issue of National ID.
Currently of the 3,450,000 residents of Yokohama, 845,000 people have opted out of receiving national ID's. When the privacy bill passes, it is likely that Yokohama will have to hook its network up to the national network. Yokohama has passed a local bill and created this small committee of five people to advise the mayor who has made it clear in the bill that Yokohama would disconnect their local system from other prefectures and the national system in the event that there was evidence of privacy failures in the system. The bill states that the mayor will seek the advice of the committee to judge whether such privacy breaches have occurred and what they should do about it.
The press conference just ended so there is no press yet, but I will provide links if there is any press coverage.
Mayor Nakada is 38 year old, young for a Japanese mayor. He was selected as a Global Leader for Tomorrow by the World Economic Forum this year.
It will also be fun to have Chris around Tokyo for awhile.
I wrote about Chris before here.
Yu Serizawa and her team worked on some great slides including the problems that we all traditionally talk about, a picture of Koizumi-san trying to attack the difficult problems on the surface, and the dysfunctional democracy which resists change.
The members of the panel were Carlos Ghosn, President of Nissan, Nobuyuki Idei, Chairman and CEO of Sony, Jiro Tamura Professor of Law, Keio University, Motohisa Furukawa, politician, Oki Matsumoto, the CEO of Monex and me. The Moderator was Karl T. Greenfeld, Editor of Time Asia.
Here are some of my thoughts from the panel.
Japan has tended to talk about problem in Japan that are easy to understand in the Western context and doesn't generally discuss domestic issues at Davos. Today, discussed some of the more complex issues that are very important and are the cause of some of the more well known problems. Japanese tend to feel to feel that social issues are best discussed and solved at home in a more gradual way and that the West would never understand them. I think that trying to help the world understand the issues that Japanese believe only Japanese would understand is an important step in opening up Japan.
After we spent close to 40 hours trying to come up with a blueprint for Japan, we realized that the plan was the same plan that everyone always comes up with. Actually, most people in Japan agree on the plan. The problem (as Mr. Ghosn pointed out later) is that 95% of the issue is execution. The problem is that Japan has a system that is resistant to change and has given most of its execution authority to the administrative branch. (As Tamura-san explained eloquently.) We need to focus on the basic cause of the problems which we have identified as a dysfunctional democracy and a lack of diversity. We must also understand the reason Japan has such execution problems. Idei-san talked about Japan being a refrigerator where domestic companies and the administration freeze change. He also talked about Japan's "middle age crisis". I thought this was a great phrase.
Tamura-san and I talked a lot about democracy. Multiple points of authority, competition of ideas, critical debate. Tamura-san mentioned that the judiciary in Japan is neutral and fair, but so small that it is weak.
Carlos Ghosn said that he thought the problem was that the vision for Japan was not clear.
Anyway, I said what I usually say here which is that we need a revolution, not reform. To use Idei-san's words, a quantum leap. Democracy requires that you trust the people. Mass media focuses on ratings and then cause a kind of populism that makes people feel negative about the ability for people to be rational. In fact Japanese are rational and all we need is the media (or the Net) to focus on the real problems and wake the people up. Carlos Ghosn said that EVERYONE at Nissan knew that they were on a burning platform. After they got all of the facts out, it was all-hands-on-deck getting the company running. No bullshit. Idei-san suggested we focus on tax issues. I agree that this may be good. Follow the money. Tax is what fuels the administrative power. Shed light on the relationships. Show where peoples' money goes. Then maybe people will wake up and have a Boston tea party. I think that it is, at the end of the day, about trusting the public and empowering them. Tamura-san said that we already have all of the laws of a democracy. Just no power or will to execute.
This is my pgp key transition announcement. If you don't know what this means, you should. You can go to the pgp web site and Rich and Bob explain the key transition process to my on my blog.
The key is here.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
- -----BEGIN PGP SIGNED MESSAGE-----
I have made a key transition. This is my new key. This
announcement is signed with both my new key and my old key.
The new key is signed with my old key. You can still send me
email with my old key, but it is safer to use my new key.
The id of my old key is 0x2D9461F1
The id of my new key is 0xC7FC583F
- - -----BEGIN PGP PUBLIC KEY BLOCK-----
Version: PGP 8.0
- - -----END PGP PUBLIC KEY BLOCK-----
- -----BEGIN PGP SIGNATURE-----
Version: PGP 8.0
- -----END PGP SIGNATURE-----
-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0
-----END PGP SIGNATURE-----
Standing at a intersection, nobody else around, you're still stuck behind the red light, and this invisible barrier of governmental guilt has enough power to let you wait there and pollute the air more and more, just for a measly green light. Wouldn't it be leet having a laptop in the car where you could just select the intersection off a list, change the timing or current stream running, and ride off with fewer time wasted and fewer pollutants exhausted and a clear conscience.
Now, enough crap about the reasons, now for the technical shit.
Today's traffic controlling system is a well oiled redundant network that utilizes the same protocols that we are all aware of. Yes it is hackable and it is like in the movies. :) here we go!
I said that the US is taking a very different stance towards security since 9/11 and that many of the new security measures that the US are taking may in the long run end up hurting national security since a great deal of privacy is being breached, agents are being allowed to work with shady characters for short term gains which may end up being long term losses and the whole TIA thing may not work. I suggested that we do an extensive analysis of the US anti-terror measures and identify whether each of the measures are 1) things we should copy, 2) things we should ignore, and 3) things that are bad for the Japanese people. I urged everyone not to allow Japan to get suckered into doing something stupid in response to US pressure. In particular, I pressured the person from the Foreign Ministry to be aware of these risks.
There is a chart that the NPA (Japanese pdf) produced showing which countries many of the portscans and pings were coming from. Yamaguchi-san pointed out that this didn't necessarily reflect the source and I concurred.
I talked a bit about the financial services sector problems with organized crime and hacking and that we should focus on and analysis of organized crime rather than do general surveys of smaller crimes and hacker rings.
I just uploaded my PGP Key because Cyrus mentioned that I didn't have one my web page. It's quite an old key that I created in 1997. The good thing is that it's signed by many people. The bad thing is that since it has been sitting around for a long time, It's more likely to have been stolen. So I'm trying to figure out whether I should dump the key and start using a new one. I have made a new one, but no one has signed it and I never end up using it. It's also kind of a pain for people when you have multiple keys...
Roger Clarke, one of my favorite privacy experts and the person I learned the notion of separation of "entities" and "identities" has written a paper about the problems with ENUM. I wrote about ENUM when Australia announced their initiative. I am on a mission to make sure that Japan doesn't try to link ENUM with the national ID...
Roger ClarkeFrom: Roger Clarke
Subject: Glitterati: ENUM: Case Study in Social Irresponsibility
I've just finished a paper on a proposed Internet scheme that will have extremely serious implications if it's implemented:
ENUM - A Case Study in Social Irresponsibility
As always, constructively negative feedback much appreciated.
ENUM is meant to provide a means of mapping from telephone numbers to IP-addresses: "today, many addresses; with ENUM, only one", as its proponents express it.
Any such capability would be extremely dangerous, providing governments, corporations, and even individuals, with the ability to locate and to track other people, both in network space, and in physical space. The beneficiaries would be the powerful who seek to manipulate the behaviour of others. It would do immense social, sociological and democratic harm.
The astounding thing is that the engineers responsible for it are still adopting the na・e position that its impact and implications are someone else's problem. With converged computing-and-communications technologies becoming ever more powerful and ever more pervasive, engineers have to be shaken out of their cosy cocoon, and forced to confront the implications, along with the technology and its applications.
Outline Description of ENUM
Implications of ENUM
Responses by the ENUM WG
Roger Clarke http://www.anu.edu.au/people/Roger.Clarke/
This reminds me of the incident where the Ministry of Finance leaked information vital to the market on their web page in August. The other funny similarity is that the newspaper called me the night before the article and asked me for a comment. I guess they wanted something like what David Farber said to the Post. However, I said something more like, "it's not a big deal. I'm much more worried about the leakage of information about citizens," which I guess wasn't realy what the paper was looking for. ;-)
I also love the "Internet enthusiasts" label. Sitting here at 5am on the morning of a national holiday blogging definitely puts me in that category.
Washington PostCourt Posts Microsoft Ruling on Web By Ted Bridis Associated Press Writer Friday, November 1, 2002; 9:41 PM
WASHINGTON –– The landmark decision in the Microsoft antitrust trial was supposed to remain secret until after financial markets closed, but the federal court quietly posted the documents on its Web site nearly 90 minutes before the closing bell.
That discovery by some Internet enthusiasts coincided with a flurry of late-day trading of Microsoft's stock. Its price, which had been falling most of Friday, ticked up just moments after the court placed on its Web site the decision that handed Microsoft a huge victory.
Late-day trading peaked five minutes before markets closed, when $90 million worth of Microsoft shares exchanged hands.
The incident meant tech-savvy Web surfers knew the judge's decision fully one hour before even lawyers for Microsoft and the Justice Department. A glitch in Internet technology – which was at the heart of the antitrust trial – contributed to the early disclosure.
"Somebody wasn't thinking," said David Farber, an Internet expert and former chief technologist for the Federal Communications Commission. "They probably uploaded it just to make sure they wouldn't have any trouble, assuming that no one read it, which was probably naive. They're going to have to be a lot more careful."
Kazuhisa Ogawa is a well known military analyst and appears on Japanese TV quite a bit. He was originally a member of the Japanese Self-Defense Force in the Helicopter Division. He was key in Japan's response to the Peru incident as well as convincing the Japanese disaster relief forces that helicopters could actually be used to put out fires at night when they failed to fly during the Kobe earthquake. He is very smart and outspoken. We met when he was a guest for a magazine column I was involved in and we've kept in touch ever since. Now we have begun to work closely together again as computer privacy and security risks continue to involve physical and military risks more and more. We agree on almost everything and it is great to have a well established military analyst support my opinions. We make a pretty good team during government study group when we need to beat people up with a good combination punch. ;-) Today, we were plotting our next move...
InfoWorldWiFi eyes better wireless LAN security
By Stephen Lawson
October 30, 2002 11:37 am PT
THE WIRELESS ETHERNET Compatibility Alliance (WECA), which certifies IEEE 802.11 wireless LAN products with the WiFi label, on Thursday will announce a new set of mechanisms to combat the security problem that has plagued wireless LANs.
A WECA official did not provide details of the mechanisms but said they are intended to replace the current security system based on WEP (Wireless Encryption Protocol).
WEP, which is built in to products that use the IEEE 802.11b and 802.11a standards, is easy for intruders to break into, according to many analysts and other observers. A task group within the working group that administers 802.11 in the Institute of Electrical and Electronic Engineers Inc. (IEEE) is developing a new security specification that would require equipment to support several different strong algorithms for encrypting traffic. That work is not done yet, and products using it are not expected until the second half of next year.
Duh... This is a pretty big problem. People think that having a WEP key is actually secure. You can crack normal WEP keys in a few minutes by sniffing traffic and using programs such as wepcrack which is available on the web. There are some chipsets out that have better security, but most of the AP's we all use are completely vulnerable. On the other hand, if you aren't worried about people hijacking traffic and if you encrypt everything you do internally, you're fine. Just don't for a moment think that just because you set a WEP key that you're secure. (Kudo's to Chris for telling me about wepcrack. ;-) )
Since then Chris and I have kept in touch and worked together several times where he broke into computers for me. (With permission of course.) He's become a regular in Japan since we started working together and now I get to see him a lot more. He has become quite well known in Japan for his practical manner and his skill. He has a great balance between being extremely professional and loving to break into computers. It's hard to find Japanese with this combination. It's either usually professional with no imagination or childish and imaginative... but I guess Chris is not entirely "unchildish"... Let's call him... "neotenous."
Anyway.. we go drinking occasionally and talk about "the old days", breaking into computers and other things that old hackers always talk about...
Having said that, both he and I have settled down QUITE A BIT since we first met. He's married and sits around watching movies and stuff... ;-)
Now I'm sitting on a panel sponsored by the government about security. The panel is focused on the security of government networks. I am sitting on the far left and the guy in favor of the national ID is sitting on the far left. I just talked about the importance of privacy and the fact that privacy is different from security. I talked about how privacy is not only a right of citizens, but a necessary element for demcracy. I talked about how the OECD guidelines for privacy were written before the Internet and that we needed to look at the future. I talked about Roger Clarke's distinction between entity and identity and the fact that Privacy Enhancing Technologies can make the same networks much more robust from a privacy perspective and that this was a different way of thinking about architecture than just security...
Chris Goggans (aka Erik Bloodaxe) spoke yesterday. I wish I could have heard him. I heard it was a good talk. He is the one that got me invited to this panel. Pretty funny. One of the most famous hackers from American invites me to a government sponsored panel in Japan...
The mic cables look shielded... I wonder if I can stay connected even when I talked on the mic...
Sakiyama-san is a co-founder of the Japan chapter of CPSR and one of the few privacy activists in Japan. He mentioned this issue at the last CPSR meeting, and I've been meaning to look into it. The perp of this whole thing, the Electronic Network Consortium, merged with the Internet Association of Japan (IAJ). I WAS a Councilor of the Internet Association Japan and was on their web page the when I check at the CPSR meeting, but I just checked and noticed that I am no longer on their web page. Hmm... I was going to threaten to quit if they didn't do something about this, but maybe I have already been fired. (or maybe I quit and didn't know it) In that case, threatening to quit is a pretty idle threat. ;-)
In any case, I will call the IAJ and let them know that I think this censorware project is a BAD IDEA and the way that they have been dealing with the criticism is also pretty poor.
Censorware funded by the Japanese Government
Recently, censorware - content filtering software becomes widely used in Japan, particularly on schools, offices, and public libraries. There are already many criticisms against censorware, so I don't repeat the same discussion.
Here in Japan, several commercial censorware products developed in the U.S. are localized and used, but in this article, I focus on a censorware product funded by the Japanese Government. That censorware is developed by an auxiliary organization of the Government and funded by the Government, and its rating database is operated by another industry-based organization which represents Internet Industry in Japan, and the operation business is fully funded by the Government. The feature of the censorware lacks transparency, and the operating organization plainly ignores the accountability. In this August, I released a tool which decrypts the rating labels in the censorware right after the release of the new version of the censorware, because its license did not prohibit reverse-engineering. Now a minor-upgraded version of the censorware was released. That is not compatible with the previous version, and the new license prohibits not only reverse-engineering but also any criticism against the product.
The government-funded censorware project does prohibit criticism by users of the product! So I decided to write a whole story in my poor English.
I just got a call from a Kyodo News reporter asking for a comment about the Ministry of Finance (MOF) leaking (accidentally?) financial metrics on their web page before the official annoucement date. They are apparently going to make some announcement about their mistake and he wanted a quote from me to run in the story. I can't seem to find anything on the web about this. Does anyone know anything? (I thought it was the FSA, but it was the MOF)
Anyway, the comment I made was that comparing Nippon Ham vs. Worldcom the CFO of Worldcom is taken away in handcuffs and in Japan apologies and some shifting around (although I would agree Worldcom is probably worse than Nippon Ham.) is all that happens at Nippon Ham. When US agencies leak information risking national security, it is treason. In Japan, it is just a breach of a confidentiality agreement and the guy might lose his job. When Yamaichi went bust, the CEO cried and the Ministry of Finance which really guided Yamaichi down their path to death, shook their finger at them instead of taking responsibility. My feeling is that accountability in Japan is weak and that the government's use of IT just increases the damage they can cause. Although The Ministry of Public Management, Home Affairs, Posts and Telecommunications is creating the National ID, the risk is to be taken at the local government level. I will be interested to see who takes the blame for this FSA botch up. It probably won't have a huge impact on the economy, but releasing numbers before the official announcement date could impact the market.
Since I've started bashing the National ID publicly, every time there is a government screwup in IT, the reporters call me for comments. That's how I find out about the incidents early. Now that I have a blog, I can scoop them. ;-)
found on Slashdot
An article in Popular Science about what a national ID would look like and contain. On the issue of social security numbers on ID card, they mention that even though social security numbers on ID cards have been rejected by the federal government, "it's a good guess the Department of Homeland Security would manage it".
On smart card technology, they say:
For example, an ER doctor could view medical information and enter data about treatment (if the card's data storage device is read-write capable), but could not see security-related data (such as a traveler's flight history, or a non-citizen's visa status) that an airport or INS official might require. But how secure are smart cards? Detailed instructional hacking sites can be found on the Web, many focusing on European cards. And the more data on a card, the more valuable the card becomes to an identity thief.Yup. This is definitely a risk. I wonder how many terrorists would actually use un-forged ID cards when traveling?
Popular Science | Your ID Please, Citizen
First spotted on David Farber's IP List
So it sounds like the 300 students who receive this grant have to take the MS C# class which replaces the C++ course. Pretty sleazy...
There is a student site about this. Following is a quote from CNET and a link to the CNET article.
Microsoft's grant has strings attached?Microsoft's grant has strings attached? - Tech News - CNET.com
By Margaret Kane
Staff Writer, CNET News.com
August 16, 2002, 9:59 AM PT
update A collegiate grant from Microsoft has created an uproar after one of the recipients agreed to require a class in a Microsoft programming language as part of the deal.
So, does anybody still wonder why I'm protesting our National ID in Japan? It makes it SO much easier to collect random data from things like stolen PC's and aggregate them into a database if every record has a conveniently simple 11 digit ID number tagged onto it...
Thanks for this link Sen!
Audit Shows More PCs At the IRS Are MissingSecurityFocus HOME News: Audit Shows More PCs At the IRS Are Missing
By Albert B. Crenshaw, Washington Post Aug 16 2002 6:40AM
The Internal Revenue Service has lost to thieves or has misplaced another batch of computers, adding to the thousands already missing from that and other government agencies.
In the latest case, there are fears that some of the missing machines might carry private taxpayer information and Social Security numbers.
An audit released yesterday by the Office of the Treasury Inspector General for Tax Administration found that the IRS cannot account for an unknown number of the 6,600 laptop and desktop computers it lends to volunteers who assist low-income, disabled and senior citizen taxpayers in preparing their returns.
Earlier audits found that the Customs Service couldn't account for about 2,000 computers and the Justice Department for about 400. Earlier this summer, the inspector general reported that about 2,300 computers were unaccounted for in other areas of the IRS.
Sounds like the beginning of the end. I definitely will begin to limit my travel to the US. I don't want my fingerprints in some database, I don't want to end up in some INS prison and I can't imagine how this racial profiling can get by all of those human rights advocates in the US. This is really incredible...
Mon Aug 12, 9:46 PM ET
By CHRISTOPHER NEWTON, Associated Press Writer
WASHINGTON - The Justice Department has chosen Sept. 11 as the starting date for a new program that will require tens of thousands of foreign visitors to be fingerprinted and photographed at the border, U.S. officials announced.
The security program, developed by the Immigration and Naturalization Service, will begin at several unnamed ports of entry and will mostly affect those from Muslim and Middle Eastern countries.
After a 20-day testing period, all remaining ports of entry will implement the new system on Oct. 1, 2002, officials announced Monday.
AP - Justice Department to begin fingerprinting some foreign visitors on Sept. 11
First spotted on David Farber's IP List
Microsoft's Internet Explorer has a vulerability in it's implementation of SSL. It allows anyone with a valid CA-signed certificate to generate a fake certificate for any domain. This is because MS IE does not check the "Basic Constraints" which should tell whether a CA has authority to verify another domain.
This is a significant vulnerability which would allow a "man-in-the-middle" attack without any dialog boxes. This means that someone could think they are accessing their bank or online shop securely and directly, but in fact be accessing through a hostile site. The hostile site could watch the transaction or modify the transaction without the user knowing it.
Aparently MS is downplaying it. The link below is a detailed report of the bug on BugTraq.
SecurityFocus HOME Mailing List: BugTraq - Internet Explorer SSL Vulnerability 08/05/02