lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <dv9uvg$tgm$1@sea.gmane.org>
Date: Wed Mar 15 20:55:47 2006
From: davek_throwaway at hotmail.com (Dave Korn)
Subject: Re: HTTP AUTH BASIC monowall.

Simon Smith wrote:
> Ok,
>    As suspected... so I am correct; and it is a security threat. I can
> compromise a network, arp poison it, MiTM, access the firewall,
> distributed metastasis, presto... owned...

  Utter garbage.  You haven't the faintest understanding of the concepts you 
are throwing around.  Whatever you do, DO NOT issue a security warning based 
on this thread, or you will look very foolish.

  ARP is no use except to redirect traffic WITHIN THE SAME LAN.  You can't 
use it to redirect traffic across the internet-at-large.

  A base 64 encoded string is not a hash.

  There's nothing wrong with BASIC AUTH.

  Seriously, if you don't understand what arp is, how the layers of the OSI 
stack interrelate, or what a hash is, you are fundamentally unaware of the 
basic concepts of networking and security, how can you possible expect to 
write a worthwhile security warning?


    cheers,
      DaveK
-- 
Can't think of a witty .sigline today....

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ