Bugtraq mailing list archives

Re: TB2 Pro sending NT passwords cleartext
From: dankamin () CISCO COM (Dan Kaminsky)
Date: Wed, 12 Apr 2000 16:30:19 +1000


> Netopia's proprietary graphic protocol is complicated
> enough to prohibit the decoding and display of data.

No, it isn't.

Tal, I mean no disrespect, but it's just not technically correct to state
this.  No proprietary graphic protocol is too complicated to decode,
particularly when the code necessary to decode the datastream ships with
every copy of your product.

A claim like this is somewhat of an open challenge to interface with your
DLLs with the packet stream, or to create a mangler to cause the client to
believe it's watching someone at the desktop console manipulating their own
machine (when of course it's really someone else manipulating the console
over the net.)

I cannot say I completely disagree with you about which layer security
should be implemented at--it's far preferable to have one *good* security
architecture rather than a dozen *bad* ones that ship with each app.
Somebody did say your protocol exclusively worked over UDP though, and for
the purposes of SSH redirection, it might be useful to those of us who are
concerned about being able to ad-hoc VPN for you to allow TCP-only
transmission if you do not already.  This also makes life easier for those
of us behind firewalls.

I speak for myself, not my company.

Yours Truly,

    Dan Kaminsky
    Cisco Systems, Network Supported Accounts
    http://www.doxpara.com
