[14514] in bugtraq
Re: TB2 Pro sending NT passwords cleartext
daemon@ATHENA.MIT.EDU (Dan Kaminsky)
Thu Apr 13 17:53:50 2000
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Message-Id: <00c501bfa448$92e5d680$1aac44ab@cisco.com>
Date: Wed, 12 Apr 2000 16:30:19 +1000
Reply-To: Dan Kaminsky <dankamin@CISCO.COM>
From: Dan Kaminsky <dankamin@CISCO.COM>
X-To: tbenzion@NETOPIA.COM, BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
> Netopia's proprietary graphic protocol is complicated
> enough to prohibit the decoding and display of data.
No, it isn't.
Tal, I mean no disrespect, but it's just not technically correct to state
this. No propietary graphic protocol is too complicated to decode,
particularly when the code necessary to decode the datastream ships with
every copy of your product.
A claim like this is somewhat of an open challenge to interface with your
DLLs with the packet stream, or to create a mangler to cause the client to
believe it's watching someone at the desktop console manipulating their own
machine(when of course it's really someone else manipulating the console
over the net.)
I cannot say I completely disagree with you about which layer security
should be implemented at--it's far preferable to have one *good* security
architecture rather than a dozen *bad* ones that ship with each app.
Somebody did say your protocol exclusively worked over UDP though, and for
the purposes of SSH redirection, it might be useful to those of us who are
concerned about being able to ad-hoc VPN for you to allow TCP-only
transmission if you do not already. This also makes life easier for those
of us behind firewalls.
I speak for myself, not my company.
Yours Truly,
Dan Kaminsky
Cisco Systems, Network Supported Accounts
http://www.doxpara.com
