On Friday 25 July 2003 09:14, Federico Sevilla III wrote:
> Just note that SMB isn't really secure, either. Most setups (not saying
> all because I don't know how the newer authentication things work) will
> have passwords sent in NT4 hashes going over the wire, and from what
> I've read NT4 hashes are "good as plaintext".

yeah, i saw a thread on that in full-disclosure the last few days. the gist was that windows (didn't specify, but i assume SMB hashed passwords so they're sniffable) don't have a salt, so they're always the same hash going over the wire and (worse) the same password on any windows box hashes to the same hash, so it's possible to pre-calculate hashes. another recent exploit involved editing the samba source (or a handcrafted program that sends the samba password) to send the sniffed hash (instead of calculating the hash from the user's password).

> You have to trust your local network with these things.

i guess so, but see, i don't trust myself, let alone anyone else. but seriously, i prefer not to leave things to trust if it's not necessary. e.g., in any company, there will ALWAYS be a motivated person who will want to sneak a look into the accounting/personnel/salary information.

> Luckily, a number of projects that aim to fix the security problems of
> NFS exist. The most obvious is SFS[1] which stands for "Self-Certifying
> File System".

thanks! that's very interesting. i'm definitely looking into that :).

tiger

--
Gerald Timothy Quimpo gquimpo*hotmail.com tiger*sni*ph
http://bopolissimus.sni.ph an xcdngl nntrstng jrnl
Public Key: "gpg --keyserver pgp.mit.edu --recv-keys 672F4C78"
Don't belong. Never join. Think for yourself. Peace.
http://fourstones.net
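
The "no salt, so the same password hashes to the same value on every box" property described in the message above, shown as an added example that is not part of the original thread. It assumes SHA-256 over the UTF-16LE password as a stand-in for an unsalted scheme (it is not the NT algorithm) and PBKDF2 with a random salt as the contrasting salted scheme; the host names, user names and passwords are constructed.

```python
import hashlib
import hmac
import os
from collections import defaultdict

def unsalted_hash(password):
    # Stand-in for an unsalted scheme (assumption: SHA-256, not the NT algorithm).
    # Deterministic: the same password gives the same value on every host.
    return hashlib.sha256(password.encode("utf-16-le")).hexdigest()

def salted_hash(password, salt=None, rounds=100_000):
    # A fresh random salt per account makes each stored verifier unique,
    # so a table computed once cannot be reused across accounts or hosts.
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return salt, digest

def verify_salted(password, salt, expected, rounds=100_000):
    # Recompute with the stored salt and compare in constant time.
    return hmac.compare_digest(salted_hash(password, salt, rounds)[1], expected)

def accounts_sharing_verifier(records):
    """Audit helper: group (host, user) pairs whose stored verifier is identical.

    records is an iterable of (host, user, verifier) tuples.
    """
    groups = defaultdict(list)
    for host, user, verifier in records:
        groups[verifier].append((host, user))
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)

# Constructed sample accounts; two of them reuse one password on different hosts.
SAMPLE = [
    ("hr-pc", "alice", "Summer2003"),
    ("acct-pc", "bob", "Summer2003"),
    ("acct-pc", "carol", "x9!rT#41"),
]

def demo():
    unsalted = [(h, u, unsalted_hash(p)) for h, u, p in SAMPLE]
    salted = [(h, u, salted_hash(p)) for h, u, p in SAMPLE]
    # Unsalted: equality of stored values exposes the shared password.
    # Salted: every stored (salt, digest) pair is distinct.
    return accounts_sharing_verifier(unsalted), accounts_sharing_verifier(salted)

if __name__ == "__main__":
    print(demo())
```

Salting addresses precomputation and cross-host equality only; it does not by itself stop the replay of a captured hash that the message also mentions.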
