Firewall Wizards mailing list archives

RE: PPTP (again)


From: "Stout, William" <StoutB () pioneer-standard com>
Date: Fri, 15 May 1998 13:40:35 -0400

First of all, apologies to the list and Weld for replying to the wrong
list.  I kept quiet since I thought no one would notice my dumb mistake
;) .  Secondly, these are borderline firewall issues, and probably are
more appropriate to the firewalls-list than firewall-wizards.  The
thread of PPTP insecurities is on the NTBUGTRAQ list.  Background:

Nial Smart said:
It seems to me that changing the RC4 key each packet is not enough.
Consider the case where an attacker can predict a reasonably large
proportion of the (unencrypted) contents of the packets going in one
direction, in this case the attacker can simply XOR the ciphertexts to
produce the XOR of the plaintexts, then XOR this with the plaintext he
knows to produce the plaintexts of the other packet.  

Weld Pond replied:
This is correct.  All that spam you get for "get rich quick" scams is
actually data the NSA floods mailboxes and USENET with so that they
have known plaintext passing through encrypted tunnels.

Which I challenged, noting a limited number of 'wild but true' items I
know about:

- a funded covert (cyberwar) project to compromise some
encryption/security products for intelligence purposes (clipper
contingency plan), 
From confidential sources internal and external to the gov't - also
makes sense, it's 'what they do', why wouldn't they?

- an overt FBI plan to compromise encryption/security products for 'law
enforcement' purposes (by Louis Freeh), 
http://www.jya.com/gakbill-text.htm .

- a project to place sniffers on all Internet backbones (via Janet
Reno), 
(CALEA) http://zeus.bna.com/e-law/docs/reno.html,
http://www.usdoj.gov/ag/speeches/mar1998.htm, which was actually passed
as an Act in Congress in 1994 and discussed in an International Law
Enforcement Conference http://www.fbi.gov/dirspch/davos.htm.

- and a plan to put 'Mind control' elements of Psychological Warfare on
Internet sites & postings (Congress, Porter Goss, R-Fla.), 
CIA Iraq story (password site)
http://www.mercurycenter.com/premium/nation/docs/cia11.htm San Jose
Mercury News "Budget cuts hobbled CIA on Iraq, lawmaker says".

I did find one source for SPAM from the FBI:
http://www.firstbase.com/fbi.htm .

Bill Stout
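
The XOR relation quoted from Nial Smart above, as an added example that is not part of the original message: it applies when two packets are encrypted with the same RC4 keystream, and it fails once each packet gets its own key. The key, the packet contents and the SHA-256 per-packet key derivation are constructed assumptions, not PPTP's actual scheme.

```python
import hashlib

def rc4_keystream(key: bytes, n: int) -> bytes:
    """Return the first n bytes of RC4 keystream for key."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key scheduling (KSA)
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):                        # output generation (PRGA)
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def rc4(key: bytes, data: bytes) -> bytes:
    return xor(data, rc4_keystream(key, len(data)))

def recover(c_known: bytes, p_known: bytes, c_other: bytes) -> bytes:
    """(C1 xor C2) xor P1: uses two ciphertexts and one known plaintext, no key."""
    return xor(xor(c_known, c_other), p_known)

# Constructed sample values (40 bytes each).
KEY = b"constructed-session-key"
P_KNOWN = b"GET RICH QUICK!! reply now for details.."
P_SECRET = b"wire transfer ref 4471 approved by admin"

def packet_key(counter: int) -> bytes:
    # Assumption for the contrast case: per-packet key = SHA-256(key || counter).
    return hashlib.sha256(KEY + counter.to_bytes(4, "big")).digest()

def demo_same_keystream() -> bytes:
    # Both packets start from the same keystream, so it cancels in C1 xor C2.
    c1, c2 = rc4(KEY, P_KNOWN), rc4(KEY, P_SECRET)
    return recover(c1, P_KNOWN, c2)

def demo_distinct_keystreams() -> bytes:
    # Different keystreams do not cancel; the same arithmetic yields noise.
    c1, c2 = rc4(packet_key(1), P_KNOWN), rc4(packet_key(2), P_SECRET)
    return recover(c1, P_KNOWN, c2)

if __name__ == "__main__":
    print(demo_same_keystream())       # the second packet's plaintext
    print(demo_distinct_keystreams())  # unrelated bytes
```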


