This doesn't work as of version 1.3(?) and later. There is a time delay before the 'ok' message is sent by the server. If it gets two correct login attempts in the delay period (1-5 seconds, default 2), it assumes an attack is underway and rejects them both. Adam =?ISO-8859-1?Q?J=FCri_Kaljundi?= wrote: | Wed, 7 Aug 1996, Adam Shostack wrote: | > J=FCri Kaljundi wrote: | > | At Defcon this year they promised to tell about some security flaws in | > | SecurID tokens, anyone know more about that? | > =09My understanding is that the guy who was going to give the | > talk had nda difficulties. Vin? Did you make it out? The talk was | > going to be on race conditions, denial of service attacks, and the | > like. | | This is something that seems to be a little problematic to me. Considering | the 3-minute time slot, it seems fairly easy to somehow block the SecurID | server at the time a user is sending his username/passcode, steal that | information and allow a malicious user to enter that information into the | server. Or have I misunderstood some security aspects? | | J=FCri Kaljundi | AS Stallion | jk@stallion.ee -- "It is seldom that liberty of any kind is lost all at once." -Hume