back to article Marlinspike demos MS-CHAPv2 crack

Security researcher Moxie Marlinspike has turned his attention to VPNs based on Microsoft’s MS-CHAPv2 protocol, demonstrating software at Defcon that can capture and crack passwords. Chapcrack parses the credential information out of MS-CHAPv2 handshakes, which are then sent to Cloudcracker. Cloudcracker will then return a …


This topic is closed for new posts.
  1. Aaron Em

    Time to migrate? Well sure it is -- now!

    Now that this asshole has publicized the exploit and wrapped it up in a package any half-assed script kiddie can screw somebody over with, sure. "Hey, MS-CHAPv2 is fucked" should be sufficient warning for any reasonably clued-in administrator to start moving anyone still on the protocol off of it, without the need to produce both software and hardware which are designed, manufactured, and promulgated expressly for the purpose of carrying out attacks on those who haven't yet migrated.

    1. Anonymous Coward
      Anonymous Coward

      Re: Time to migrate? Well sure it is -- now!

      I think the point being raised here, is that it has been time to migrate for the last 10 years... The article explicitly states there have been concerns raised dating back to last century.

    2. DryBones

      Re: Time to migrate? Well sure it is -- now!

      If it's been getting warned about for the past 11 years, and was still worth writing about in a fashion that doesn't come with the phrase "in the past, a rather weak encryption protocol was used... " then no, it wasn't sufficient warning. This is a little kick to get things moving. You know how it is, weaknesses in road design aren't shored up until someone gets killed.

      1. Aaron Em

        Re: Time to migrate? Well sure it is -- now!

        Fair do's; I now see Schneier co-wrote a paper on the subject in nineteen-ninety-fucking-nine.

        On another note, I'm glad I finally managed to pick up a couple of downvotes today! Any day where that doesn't happen I start to wonder if I've somehow tumbled through a hole in the universe and wound up in Bizarro World.

        1. DryBones

          Re: Time to migrate? Well sure it is -- now!

          Well, mostly it was for coming out flaming when they've had lots of warning and ignored it. Likewise, have an upvote for righting yourself.

          I imagine there's a line in the BOFH handbook that goes, "If you want something done, kick over the anthill."

        2. Anonymous Coward
          Anonymous Coward

          @ Aaron Em

          Here, have a downvote - I've got plenty of them.

          Also, it's "fair dues" - as in:, someone has had their fair dues, what is due to them.

          If you say it the right way then there is no confusion about using an apostrophe where one clearly doesn't belong.

    3. Fred Flintstone Gold badge

      Re: @Aaron Em - asshole?

      I recommend you spend a bit of time researching who Moxie is and what he does. I've met him a few times and I think I'm a fairly good judge of character - I have met fe people who are deserving less of the expletive you used.

      The guy is as genuine as they come, and I doubt he would have put something in the public eye is it was a new vulnerability. Instead, he's highlighting something that has been with us for over 10 years - methinks that classifies as "enough time".

    4. PyLETS

      Re: Time to migrate? Well sure it is -- now!

      Now that this asshole has publicized the exploit and wrapped it up in a package any half-assed script kiddie can screw somebody over with ...

      Bad guys are never going to be afraid of knowledge which gives them lower sentences if caught than what they get from using it illegally anyway, so your attitude isn't going to deter them from obtaining it and keeping it to themselves.

      So how does it help if us good guys with systems to defend are not informed exactly how weak the stuff which implements what we are using is proven to be ? It's thanks to those like Moxie Marlinspike who put this kind of research into the public domain that we're able to know.

  2. David Hicks

    Chapcrack? We'll have none of that on my internets thankyou...

    I know some folks object to the publishing of exploits, but it really is the only way to ge the industry moving most of the time.

    It's been seen time and time again - if you write an academic paper on a crack and speak privately to the affected parties, nothing happens. It's only when you demonstrate how easy it is and publish in the open that anything gets done.

  3. Eddy Ito


    Chapcrack! That certain to get attention 'cause let's face it a chapped crack sounds uncomfortable as it is but being exposed by someone who goes by Marlinspike only adds to the pucker factor.

    1. Aaron Em
      Thumb Up

      Re: Ouch!

      Shame I can't upvote more than once --

      1. DryBones

        Re: Ouch!

        Ah well, he got the point, anyway.

    2. Khaptain Silver badge

      Re: Ouch!

      Eddy doesn's arse about, he gets straight to the point.

  4. This post has been deleted by its author

  5. PeteA


    Does anyone still use it? Seriously?? As the article points out, it's been known to be broken since last century.

    1. phuzz Silver badge

      Re: PPTP???

      We used it in my old job, because as far as I could tell, anything else that was built into windows required fucking about with certificates, which was a bit heavyweight for a small business.

      I suppose I should mention this to my old boss.

  6. Rubber chicken

    Shall we start using RSA SecurID now?

    1. SJRulez

      I would go for even stronger security than that, two plastic cups and some string. The only concern you have is someone getting physical access to your string and tying their cup into yours where as RSA you can just undermine that by hacking into them!

      1. Anonymous Coward
        Anonymous Coward

        SJ does not Rulez

        Your comment makes no sense, mate.

        Elsewhere I also observe that you have atrocious English, so I declare that you do not in fact rule.

        1. This post has been deleted by its author

        2. SJRulez

          Re: SJ does not Rulez

          The correct title would be SJ does not Rule..... SJRulez are SJ's Rules of how the world works.

          Incidentally most of my comments probably don't make sense but it fills the boring hours between pushing buttons at work.

  7. Daniel B.


    I'd like to point out that I distrust anything that smells like DES or uses DES at any point. That one has been cracked since the 20th century, I even distrust 3DES for this reason. Its only a matter of time that someone finds how to crack 3DES based on the DES crack.

    Also, anything with "MS" in the name is usually a half-assed security implementation, and this is proof of it.

This topic is closed for new posts.

Biting the hand that feeds IT © 1998–2020