New Moxie Marlinspike Tool Cracks Crypto Passwords

Gunkerty Jeb writes "Moxie Marlinspike, the security and privacy researcher known for his SSLStrip, Convergence and RedPhone tools, has released a new tool that can crack passwords used for some VPNs and wireless networks that rely on encryption using Microsoft's MS-CHAPv2 protocol. Marlinspike discussed the tool during a talk at DEF CON over the weekend, and it is available for download."

Re:so what?

[BagOBones]

PPTP is a type of VPN still used by some companies and included with windows...
MS-CHAPv2 is the default / most common authentication option when using PPTP with windows. Thus organizations still using PPTP for remote access may be at risk.

Moxie Marlinspike

[MyLongNickName]

I read the headline and wondered why a crack was released for Ubuntu only and such an old version...

Re:Nice hack, but...

Actually, lots of companies still use MS PPTP precisely because it's cheaper and easier than the alternatives. MS PPTP server is built into RRAS, so it's free, and the client is built into every version of Windows since XP.

Who uses MS-CHAPv2?

[D3]

I was there and he answered this in his talk. There were hundreds of VPN services that still supported using it. He pointed out that iPredator (VPN service for the Pirate Bay) ONLY supports MS-CHAPv2. The ubiquity of use and support has created a loop where people keep using it (another point of his talk).

Re:I admire this guy

[Penurious+Penguin]

If I remember correctly, he also developed Google-Sharing, a firefox extension to garble the data google collects on its users. Basically, all users with the extension share their tracks, which are fed to google to help confuse it. Futile, perhaps, but a great idea and an important concept no doubt. I dig the guy too.