Proxy 2.0 secure?

Aleph One aleph1@dfw.net
Tue, 23 Jun 1998 20:15:56 -0500 (CDT)


On Thu, 18 Jun 1998, Stout, Bill wrote:

> Recently mnemonix discovered that various applications can be renamed to
> \winnt\system32\logon.scr (the logon screen saver) which run either with
> file owner privs or 'system' privs.  Applications such as usermanager
> can be used to add a user to local admin groups and then domain admin
> groups.  That's an example of so simple a thing that should've been
> discovered long ago.  (Research on the behaviour still being conducted).

And if you followed the discussion you know that he must have been an
admin because no one could reproduce his results as a regular user.

> See: http://www.counterpane.com/pptp.html or postings by Aleph One in
> NTBugtraq.  PPTP is going away in NT5.0 anyway.

Actually, as far as I know PPTP will be in NT5.0. They will probably try
to deploy L2FP but they must keep backwards compatability.

> Too many firewalls are reviewed and judged as if they were desktop user
> products instead of security products, then given points for
> feature-bloat rather than penalized for opening too many holes.  I place
> the blame directly on magazine reviewers and the managers who swear by
> them.
> 
> Bill Stout

Aleph One / aleph1@dfw.net
http://underground.org/
KeyID 1024/948FD6B5 
Fingerprint EE C9 E8 AA CB AF 09 61  8C 39 EA 47 A8 6A B8 01