I believe many modems use it simply for encapsulation.
You're right. When I explicitly enabled encryption to the ADSL modem, the connection failed. (The Dutch PTT used to have an ADSL service where you could get 4 IP addresses. Had encryption worked, I would have been able to securely share the ADSL subscription with neighbours and share the costs ;-)
I don't think DSL users are at risk in this situation. But of course I can't be sure, but it seems like it's a completely unrelated use of the PPTP protocol...
Interesting. I guess DSL users being at risk depends on whether the buffer overflow is in PPTP's encryption part or not...
But the overflow could also be in the compression part (happened to zlib recently). I don't know if the modems support compression, but it seems unlikely. In that case you could also work around the problem by explicitly disabling compression on PPTP servers (Windows, Linux etc.).
it might be doing something tricky like wrapping your IPSec packets in a standard UDP packet and then shipping those off. These will pass through the NAT unmolested, and are then unwrapped at the other end and forwarded to the IPSec target host.
Correct. Note that the IPSEC over UDP standard has not been ratified yet. It also adds some overhead.
For FreeS/WAN you'd need the unofficial NAT-T patch.
I can walk a remote user through a VPN setup with the 2K PPTP setup in under 5 minutes with my eyes closed. I'm not sure I can walk myself through the 2K ipsec setup without some external docs to setup.
Setting up L2TP/IPSEC is basically the same routine. Only you have to install a certificate as well, using MMC (XP/2000) or IE (95/98/ME/NT4).
Also, I think most of the security vulnerabilities of PPTP were specific to an older, unpatched MS client or server.
I don't think a modern (2k/XP) PPTP stream is particularly vulnerable.
What does the Windows version have to do with this? Is the implementation in, say, Win95 flawed, compared to Win2000/XP? What do you know that we don't know? :-)
Here's an article by Microsoft on this matter. It basically says that Microsoft will solve all your problems if only you would buy into the latest Microsoft offerings (XP, ActiveDirectory etc).
Would you rather use a solution based on open standards, try Wavesec. It is mostly based on IPSEC, DHCP and DDNS.
This page [techviet.com] provides mandrake rpms for it.
Did Microsoft use the same EULA for these fonts? If so, packaging them into a tar ball may not be allowed. Someone better post the original .exe files...
'640K RAM is enough for anyone' on First Man To Mars? · Score: 3, Insightful
Bill Gates [never] said we'll only ever need 640K.
('Never' added, as implied on the supplied link to urbanlegends.com).
This reminds me of the Dutch phone network Kermit from the nineties (later renamed to Greenpoint because they did not want to be associated with a Muppet after all).
It failed.
Mainly because its transmitters were often installed next to public phone booths (argh), and GSM turned out to have a much better coverage.
Nevertheless, I don't see what this has to do with WiFi failing or not.
The whole article is a bit silly, pushing relatively unproven standards (EAP) which have been extended (LEAP) and extended (PEAP) over VPN standards with a good track record (IPSEC).
The client is always the weakest link, for both VPN and wireless access. Basically, the author's argument boils down to saying that most IPSEC clients do not block access from other clients while they are connected (split tunneling), whereas the [LP]EAP clients do.
It's a matter of configuration. There is no way one can claim that one client is more secure than the other. Clients are always unsafe, and if not, its user is :-). I'm sure a determined recalcitrant end user can always hack his [LP]EAP client to enable split tunneling, or other unsafe settings.
The only way to fix this (for both VPN and wireless) is to supply the user with trusted hardware. But that would mean a lot of money and a revolt of end users because their PCs will be taken away...
By the way, here's an article by Microsoft on this matter. It basically says that Microsoft will solve all your problems if only you would buy into the latest Microsoft offerings.
Would you rather use a solution based on open standards, try Wavesec. It is mostly based on IPSEC, DHCP and DDNS.
Everybody is already referring to the Linux TS project, but here is a related project: a HOWTO for diskless Windows Terminal Server thin clients, based on Linux. It may be a lot of work, but it seems to me that once you have gone through the trouble, rolling out new terminals will be a breeze.
That's because NAI doesn't know what to do with it. Could they be dumping the product for $39? They want to sell off some parts currently included with PGPnet. There's some uncertainty if you buy the product. Will they update it? Will they fix bugs?
PPTP is often used for 'road warrior' setups, i.e. people working from home or on the road. It's cheap because there are free (as in speech) PPTP servers for Linux and the Windows PPTP clients are free too (as in beer). In contrast, Windows IPSEC clients are often expensive.
So, what's wrong with it then? Well, the security of PPTP apparently depends on the password.
A German student has written software which can crack the password in a couple of hours on a Pentium II.
Hm, come to think of it, this might actually be useful!
Fair enough, but are you still allowed to call it KDE then?
PPTP is often used by Alcatel ADSL modems in Europe.
Also, I think most of the security vulnerabilities of PPTP were specific to an older, unpatched MS client or server.
Yes, most of them. But how good are your users' PPTP passwords?
I don't think a modern (2k/XP) PPTP stream is particularly vulnerable.
What does the Windows version have to do with this? Is the implementation in, say, Win95 flawed, compared to Win2000/XP? What do you know that we don't know? :-)
Of course, Nokia would rather want you to buy a Nokia UMTS phone which can be used on UMTS networks built by Nokia...
Whoa! What are the chances of a second meteorite hitting a Slashdot reader while he is commenting a meteorite story?!!?
Only if you happen to have the RSA keys. Looks like IPSEC supports authentication too, if you ask me...
('Never' added, as implied on the supplied link to urbanlegends.com).
Of course Bill Gates has an excellent memory and never tells any lies.
So Comodo spams website owners. As a result, the website owners might get tricked into buying this cert "renewal".
But who makes the Certificate Signing Request for website owners? In most cases the company hosting the web site. (Unless it's co-location).
I expect competent tech support personnel to filter out these bogus certificate renewals immediately.
Look again at the Slashdot slogan (top left)... :-)
But fortunately this was not the case. The Slashdot editors would never do such an immature thing, would they? ;-)
Neurodongles are where the action is!
I could find tcpdump, ssh and ftp but not rdesktop. Do you know where it can be found?
Thanks,
Are you by any chance running the new IJBSWA Junkbuster? :-)
#
# Fun stuff
# s/microsoft(?!.com)/MicroSuck/ig
Agreed. Especially trojans. So, how does one secure the terminal? Boot from Read Only media? Use a thin client?
So, what's wrong with it then? Well, the security of PPTP apparently depends on the password. A German student has written software which can crack the password in a couple of hours on a Pentium II.
c't (Heise) reported about this.
- Certain fonts (including, especially, Asian language fonts)
- Some sorting functionality (Asian versions)
Now, this will surely be an incentive for Asians to buy StarOffice, instead of the rampant MS Office copying they currently do...