Vulnerability Development mailing list archives

Re: BackOrifice == DDoS Server???


From: 11a () GMX NET (Bluefish)
Date: Sat, 1 Jul 2000 13:58:32 +0200


Didn't bo2k implement an IDEA crypto module? I thought the lame crypto
packages were only included due to US export restrictions at the time of
the release.

1. the keys are derived from a password (this is considered rather weak
   by most cryptographers).
2. at least two BO2K plugins did so using a broken MD5 implementation.
   this was however fixed.

The MD5 bug obviously made the ciphers insecure no matter what algorithm
the MD5-generated key was used with. If people are overly interested I
could try to find some old emails regarding which plugins have had this
problem; I don't have them available at the moment.

This "lame crypto" isn't due to US standards, it was a direct flaw in the
plugins. As far as I know, NSA wants things to be 40 - 56 bits secret so
they can easily decode it, and not others. The flaw in the original BO2K
plugins made it far weaker.

..:::::::::::::::::::::::::::::::::::::::::::::::::..
     http://www.11a.nu || http://bluefish.11a.nu
    eleventh alliance development & security team
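
Added example, not part of the original post and not BO2K code: a known-answer check that catches a faulty MD5 before it is used to turn a password into a cipher key, plus a count of how many distinct keys a set of passwords actually yields. `faulty_md5` is a constructed stand-in defect (the post does not describe the actual bug); the sample passwords, function names and PBKDF2 parameters are assumptions.

```python
import hashlib

# Known-answer vectors from the MD5 test suite in RFC 1321, appendix A.5.
RFC1321_VECTORS = {
    b"": "d41d8cd98f00b204e9800998ecf8427e",
    b"a": "0cc175b9c0f1b6a831c399e269772661",
    b"abc": "900150983cd24fb0d6963f7d28e17f72",
    b"message digest": "f96b697d7cb7938d525a2f31aaf161d0",
}

# Constructed sample passwords, for illustration only.
SAMPLE_PASSWORDS = ["password1", "password2", "password2000",
                    "letmein", "letmeout", "bo2k"]

def good_md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()

def faulty_md5(data: bytes) -> bytes:
    # Hypothetical defect: only the first 4 input bytes reach the hash.
    # This is NOT the real plugin bug, just a stand-in for "broken MD5".
    return hashlib.md5(data[:4]).digest()

def passes_kat(md5_fn) -> bool:
    """True only if md5_fn reproduces every RFC 1321 vector."""
    return all(md5_fn(msg).hex() == want
               for msg, want in RFC1321_VECTORS.items())

def derive_key(password: str, md5_fn) -> bytes:
    """Password -> MD5 -> 128-bit key, the scheme the post describes."""
    return md5_fn(password.encode("utf-8"))

def distinct_keys(passwords, md5_fn) -> int:
    """Distinct keys produced: an upper bound on the real key space,
    whatever key size the cipher advertises."""
    return len({derive_key(p, md5_fn) for p in passwords})

def hardened_key(password: str, salt: bytes, iterations: int = 600_000) -> bytes:
    """Salted, iterated derivation (PBKDF2-HMAC-SHA256), 128-bit output.
    Each guess costs `iterations` hash calls and keys differ per salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               salt, iterations, dklen=16)

if __name__ == "__main__":
    for name, fn in (("good", good_md5), ("faulty", faulty_md5)):
        print(name, "KAT ok:", passes_kat(fn),
              "distinct keys:", distinct_keys(SAMPLE_PASSWORDS, fn))
```

Running the known-answer check at build or load time is what flags the defective hash; the distinct-key count shows why the cipher choice cannot compensate for it.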

