Vulnerability Development mailing list archives

Re: BackOrifice == DDoS Server???

From: 11a () GMX NET (Bluefish)
Date: Sat, 1 Jul 2000 14:22:21 +0200

Would you also know if the encryption plugins for BO2K are also flawed? They
come in various flavors.


Pine.GSO.4.05.9908021606360.4451-100000 () www securityfocus 
com">http://www.securityfocus.com/templates/archive.pike?list=1&date=1999-08-1&msg=Pine.GSO.4.05.9908021606360.4451-100000
 () www securityfocus com</A>

Bugtraq on the subject. At least Bo2k plugins foor CAST-256 and IDEA has
been suffering from this problem. Any other code derived from the flawed
MD5 is obviously also vulnerable ;-)

Although this group hardly is aimed for theoretical vulernabilities, how
do you use MD5 to get 256 bits? (I assume CAST-256 to use 256 bit keys) I
suspect that CAST-256 with a MD5-hack never recieves more than 128 bits of
entropy. I most certainly don't trust people who deploy untested, flawed
MD5's to come up with a secure way to derive more than 128 bits from it
...

..:::::::::::::::::::::::::::::::::::::::::::::::::..
     http://www.11a.nu || http://bluefish.11a.nu
    eleventh alliance development & security team

Current thread:

Re: BackOrifice == DDoS Server??? Ex Machina (Jun 30)
- Re: BackOrifice == DDoS Server??? Bluefish (Jul 01)
- <Possible follow-ups>
- Re: BackOrifice == DDoS Server??? Ryan Permeh (Jun 30)
- Re: BackOrifice == DDoS Server??? Bluefish (Jul 01)
- Re: BackOrifice == DDoS Server??? Brooke, O'Neil (Jul 05)