RE: [inbox] Re: [Full-Disclosure] Cisco LEAP exploit tool...

From: Ng, Kenneth (US)
Date: 04/14/04

    To: "'Dave Howe'", "Email List: Full Disclosure"
    Date: Wed, 14 Apr 2004 12:25:08 -0500

    Depends on what kind of break you want. If you want to break into the
    connection (a la add/modify/delete traffic in real time), yes, a 10 minute
    cycle time makes it difficult. If all you want is the data afterwards (i.e.,
    see the login ID and password), then all the 10 minute cycle time does is
    force you to do multiple breaks. But the login and password are almost
    always in the start of a connection, so that is all you need to break.

    Outside of quantum crypto and one time keys, nothing is unbreakable. It's
    just a matter of time and resources. The tricks are to make them
    prohibitive, and make sure there is no back door like looking at power
    consumption. And I kind of wonder if there is anything in superstring
    theory that could cause problems with quantum crypto.

    -----Original Message-----
    On Behalf Of Dave Howe
    Sent: Wednesday, April 14, 2004 11:19 AM
    To: Email List: Full Disclosure
    Subject: Re: [inbox] Re: [Full-Disclosure] Cisco LEAP exploit tool...

    Curt Purdy wrote:
    > Agreed. If the packets/hashes can be accessed it can be compromised.
    > "Unbreakable" has been touted from the 48-bit Netscape encryption
    > that took USC's distributed network a week to crack, to Oracle 9i
    > that took one day to compromise, I believe.
    You are preaching to the choir there - however, my boss is preferring to
    believe the consultant's claims that the 10 minute key cycle (communicated
    by TLS) makes the system unbreakable.... so it doesn't need to be on a DMZ
    and can work "just like they were on the lan"

    Full-Disclosure - We believe in it.
