First of all, apologies to the list and Weld for replying to the wrong list. I kept quiet since I thought no one would notice my dumb mistake ;) .

Secondly, these are borderline firewall issues, and probably are more appropriate to the firewalls-list than firewall-wizards. The thread of PPTP insecurities is on the NTBUGTRAQ list.

Background:

Nial Smart said:
>It seems to me that changing the RC4 key each packet is not enough.
>Consider the case where an attacker can predict a reasonably large
>proportion of the (unencrypted) contents of the packets going in one
>direction, in this case the attacker can simply XOR the ciphertexts to
>produce the XOR of the plaintexts, then XOR this with the plaintext he
>knows to produce the plaintexts of the other packet.

Weld Pond replied:
>This is correct. All that spam you get for "get rich quick" scams is
>actually data the NSA floods mailboxes and USENET with so that they
>have known plaintext passing through encrypted tunnels.

Which I challenged, noting a limited number of 'wild but true' items I know about:

>- a funded covert (cyberwar) project to compromise some
>encryption/security products for intelligence purposes (clipper
>contingency plan),

From confidential sources internal and external to the gov't - also makes sense, it's 'what they do', why wouldn't they?

>- an overt FBI plan to compromise encryption/security products for 'law
>enforcement' purposes (by Louis Freeh),

http://www.jya.com/gakbill-text.htm .

>- a project to place sniffers on all Internet backbones (via Janet
>Reno),

(CALEA) http://zeus.bna.com/e-law/docs/reno.html, http://www.usdoj.gov/ag/speeches/mar1998.htm, which was actually passed as an Act in Congress in 1994 and discussed in an International Law Enforcement Conference http://www.fbi.gov/dirspch/davos.htm.

>- and a plan to put 'Mind control' elements of Psychological Warfare on
>Internet sites & postings (Congress, Porter Goss, R-Fla.),

CIA Iraq story (password site) http://www.mercurycenter.com/premium/nation/docs/cia11.htm San Jose Mercury News "Budget cuts hobbled CIA on Iraq, lawmaker says".

I did find one source for SPAM from the FBI: http://www.firstbase.com/fbi.htm .

Bill Stout
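
The XOR step in the message quoted from Nial Smart above, worked through as an added example (not part of the original post or of any PPTP implementation). It assumes two equal-length packets encrypted under the same RC4 keystream; the keys, packet contents and the key-suffix separation are constructed for illustration.

```python
# Added example: why one RC4 keystream must never cover two packets.
# Keys and packet contents are constructed sample data.

def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA); encrypts or decrypts data under key."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) % 256])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def recover_with_known_plaintext(c_known, c_other, p_known):
    """If both packets used one keystream, C1^C2 == P1^P2, so ^P1 gives P2."""
    return xor(xor(c_known, c_other), p_known)

SESSION_KEY = b"constructed-session-key"
P_OUT = b"GET /index.html HTTP/1.0\r\n"  # predictable packet, one direction
P_IN = b"user=alice&pin=4821 (demo)"     # same-length packet, other direction

def shared_key_case() -> bytes:
    # Weak setup: both packets encrypted under the identical key.
    c_out, c_in = rc4(SESSION_KEY, P_OUT), rc4(SESSION_KEY, P_IN)
    return recover_with_known_plaintext(c_out, c_in, P_OUT)

def separate_key_case() -> bytes:
    # Corrected setup: a distinct key per direction (the suffix is an
    # illustrative stand-in for a real key-derivation step).
    c_out = rc4(SESSION_KEY + b"|c2s", P_OUT)
    c_in = rc4(SESSION_KEY + b"|s2c", P_IN)
    return recover_with_known_plaintext(c_out, c_in, P_OUT)

if __name__ == "__main__":
    print("shared key   :", shared_key_case())
    print("separate keys:", separate_key_case())
```

With the shared key the second packet comes back in full without the key ever being touched; with distinct keys the same arithmetic yields only noise.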