I just released a Blowfish plugin that doesn't use MD5, and should be a
fast encryption substitute. It is available from a link on the bo2k site.
As a note, both the cast and IDEA plugins are now fixed.

talis

Alfred Huger wrote:

> ---------- Forwarded message ----------
> Date: Sun, 01 Aug 1999 21:29:40 -0500
> From: Irwan Amir Widjaja <irwanwat_private>
> To: vuldbat_private
> Subject: bo2k plugins
>
> Hi,
>
> I recently (July 31st) discovered that the CAST-256 plugin v2.2
> allows any user to connect to any CAST256 server with any password.
> After reporting the bug to Daniel (the author), he fixed the plugin
> within a few hours and found that the problem lay within Maw~'s MD5
> module, which he used for his plugin (Dan later found that MAW~'s IDEA
> plugin has the same flaw).
>
> This is obviously a very big security risk for administrators who use
> bo2k as a legit remote administration tool (as opposed to a 'cracking &
> hacking' tool).
>
> Currently CAST-256 and IDEA are the only strong encryption plugins which
> are internationally available for bo2k (the only ones I'm aware of at
> least).
>
> There were over 1000 downloads of the faulty CAST256 plugin alone.
>
> Both of these plugins have been updated by their authors.
>
> Sincerely,
>
> Amir