lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <70a9c6fe0811250225l2f015488y2cf97441374dc485@mail.gmail.com>
Date: Tue, 25 Nov 2008 11:25:57 +0100
From: "Eric Rachner" <eric@...hner.us>
To: "Memisyazici, Aras" <arasm@...edu>
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: Re: Microsoft takes 7 years to 'solve' a problem?!

Hey, kid -

If you've got any better ideas about how to fix NTLM, the industry is ready
& waiting to hear them.

The fact is, NTLM is an old & busted protocol that happens to be used *
everywhere*, and there's no way to fix it without breaking compatibility
with, oh, just the entire installed base.  I was happy to see MS08-068
because the technique it implements is better than nothing - it offers a
nice, clever way to reduce the exploitability of the issue without breaking
anything important.

Don't bother telling us all how M$ should just bite the incompatibility
bullet and turn NTLM off - that's been an option for users, theoretically
speaking, since about the time Windows Kerberos support became mature, and
practically speaking, nobody seems to be turning NTLM off here in the real
world.

- Eric

On Tue, Nov 25, 2008 at 7:44 AM, Memisyazici, Aras <arasm@...edu> wrote:

> <RANT>
>
> <snip:: taken from MSRC Blog:
> http://blogs.technet.com/msrc/archive/2008/11/11/ms08-068-and-smbrelay.aspx
> >
>
> What we released today with MS08-068 is that security update. It addresses
> the SMBRelay issue (discovered in 2001) does so in a way that doesn't have
> the negative impact on applications that we originally believed addressing
> this issue would have.
>
> </snip>
>
> So... Hmm... I wonder what would happen if the rest of the world followed
> suit with M$' approach, and took 7 years to "fix" an issue in order to "not
> cause a significant impact"...
>
> Scenario:
>
> Ppl: Hey Ford, if one brute-forces the keyless entry on the door, you're
> car explodes...
>
> Ford: well... I'll offer you three choices, two immediately, and the last
> one 7 yrs later. You can either not use the keyless entry system (we'll give
> you some shiny duck-tape to cover it) or you can use the biometric-knub
> system which requires that you have a knub... So those who have arms & legs
> can't use the system... (btw this will give birth to a whole new industry
> that will allow ppl to pay money for a product that fakes a knub for people
> with appendages) But it's biometric & cool this way! Or you can wait for 7
> years and we'll release a non-exploding version of the keyless-entry system.
>
> ***************************************
>
> OK... Maybe I'm going a bit extreme, but WTH?! Am I the only one who is
> interpreting this, this way? Really? When has releasing a solution to a
> problem 7 years later ever been acceptable?
>
> Jus' sayin' ...
>
> </RANT>
>
> Aras 'Russ' Memisyazici
> Systems Administrator
> Virginia Tech
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ