[svlug] PPTP?

Rick Moen rick at linuxmafia.com
Sat Jul 21 19:54:01 PDT 2001


begin George Bonser quotation:

> Imagine they have a VPN solution and 100 employees.  Their solution
> works for 98 of them and requires no training of employees about
> packets and such.  

So, you sit back and wait for the inevitable security meltdown, and then
introduce the concept of real technology after the dust settles.  Or, if
you're not that patient, move to a more-clueful firm.  Or, if you
prefer, stay there and learn to work within a really lousy WAN
architecture.  Naturally, different people will prefer different
alternatives.

Those who prefer the latter choice:  Good luck to you -- but I certainly
am not going to help you implement what I consider a botched protocol
design.

There are apparently some on this list who don't like that answer, and
demand from me one more to their liking.  They're going to be disappointed.

> Most people are not handling national security information. Unless
> they are handling financial data ( such as processing credit card
> numbers or other account numbers ) weak encryption for data transfer
> is probably fine.  You are mostly trying to stop people from idly
> snooping network traffic for passwords.  Anyone that has already
> penetrated your net enough to watch your 40-bit encrypted traffic and
> decrypt it can probably also decrypt 128-bit traffic too.

This is not true.  Even the revised, this-time-for-sure Microsoft PPTP
version 2 implementation is trivially vulnerable to off-line password
guessing attacks using l0phtcrack -- even though the LANMAN hash is no
longer sent along with the NT hash.

But many sites are, of course, still using the original MS-PPTP v. 1
implementation, which is just ridiculously vulnerable, in a multitude of
ways.

-- 
Cheers,      "Transported to a surreal landscape, a young girl kills the first 
Rick Moen     woman she meets, and then teams up with three complete strangers
rick at linuxmafia.com       to kill again."  -- Rick Polito's That TV Guy column,
              describing the movie _The Wizard of Oz_



