Bugtraq mailing list archives
L0pht Security Advisory on NT Password Appraiser
From: djsd100 () cam ac uk (David Damerell)
Date: Fri, 22 Jan 1999 16:22:28 +0000
I have been in communication with Mr. Quakenbush. He says that only the demo version sends passwords in plaintext (I clearly have no mechanism to confirm this); bought versions use SSL. He has not yet addressed the issue of impersonating the server. He says that the Web site will be updated to reflect recent developments.

It looks like this is better than it looks; presumably the l0pht folks only had access to a demo version. The Quakenbush Web site does make it clear that the 'full' version uses SSL, but not prominently.

Assuming that the issue of impersonating the server is addressed, Quakenbush seem to be better than first portrayed here - although clearly the demo version should be more obviously marked as to how extremely dangerous it is.

[There was the usual marketing blurb about how they write tools for crackers and we write them for good guys and so our tools must be better.]

--
David Damerell, Computer Officer, Department of Chemistry, Cambridge
Work: djsd100 () cam ac uk Personal: damerell () chiark greenend org uk