[svlug] PPTP?

George Bonser george at shorelink.com
Sat Jul 21 20:22:01 PDT 2001

> So, you sit back and wait for the inevitable security meltdown, and then
> introduce the concept of real technology after the dust settles.  Or, if
> you're not that patient, move to a more-clueful firm.  Or, if you
> prefer, stay there and learn to work within a really lousy WAN
> architecture.  Naturally, different people will prefer different
> alternatives.

Sadly, yes, on all accounts. You either have to accept the conditions
under which you are working and try to make the best of it or move
on.  The thing Linux would allow one to do is to build a better PPTP
server/client that interoperates well with Microsoft. Simply disagreeing
about a WAN implementation might not be enough to make one leave an
otherwise OK company. An alternative might be to try to work with the IT
group and see if they will allow you (not YOU, Rick... you know what I
mean here) to install a Linux solution if you support it. It might be a
neat experiment if you have the time.

My personal opinion is that Microsoft is a national security threat. (yeah
that might be my post on FC :) When you have a monolithic software
infrastructure throughout business, government, and academia, you are
vulnerable to a single attack doing tremendous damage. We need a diversity
of operating systems and hardware platforms to make us resistant to any
single attack. Kind of like having millions of acres of the same plant,
they can all be wiped out by the same pest.

> This is not true.  Even the revised, this-time-for-surce Microsoft PPTP
> version 2 implementation is trivially vulnerable to off-line password
> guessing attacks using l0phtcrack -- even though the LANMAN has is no
> longer sent along with the NT hash.

That is a password security issue. You can probably always guess one or
two because some idiots will always set their password to something

> But many sites are, of course, still using the original MS-PPTP v. 1
> implementation, which is just ridiculously vulnerable, in a multitude of
> ways.

True enough but again, you are probably now going to stop a determined
attacker of any appreciable means. They might break in to the shop and
steal the computers or the disks, etc. In some networks the goal of the
authentication is not to try to provide ironclad security, it is to just
make reasonable sure that the people in the network are the people that
are supposed to be in the network. Authentication being more important
than encryption.

More information about the svlug mailing list