Bugtraq mailing list archives

L0pht Security Advisory on NT Password Appraiser


From: djsd100 () cam ac uk (David Damerell)
Date: Fri, 22 Jan 1999 16:22:28 +0000


I have been in communication with Mr. Quakenbush. He says that only
the demo version sends passwords in plaintext (I clearly have no
mechanism to confirm this); bought versions use SSL. He has not yet
addressed the issue of impersonating the server. He says that the Web
site will be updated to reflect recent developments.

It looks like this is better than it looks; presumably the l0pht folks
only had access to a demo version. The Quakenbush Web site does make
it clear that the 'full' version uses SSL, but not prominently.

Assuming that the issue of impersonating the server is addressed,
Quakenbush seem to be better than first portrayed here - although
clearly the demo version should be more obviously marked as to how
extremely dangerous it is.

[There was the usual marketing blurb about how they write tools for
crackers and we write them for good guys and so our tools must be
better.]

--
David Damerell, Computer Officer, Department of Chemistry, Cambridge
Work: djsd100 () cam ac uk    Personal: damerell () chiark greenend org uk
