lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Wed, 26 Nov 2008 00:27:08 -0600
From: Paul Schmehl <pschmehl_lists@...rr.com>
To: Eric Rachner <eric@...hner.us>, "Memisyazici, Aras" <arasm@...edu>
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: Re: Microsoft takes 7 years to 'solve' a problem?!

--On November 25, 2008 4:25:57 AM -0600 Eric Rachner <eric@...hner.us> 
wrote:

> Hey, kid -
>
> If you've got any better ideas about how to fix NTLM, the industry is
> ready & waiting to hear them.
>
> The fact is, NTLM is an old & busted protocol that happens to be used
> everywhere, and there's no way to fix it without breaking compatibility
> with, oh, just the entire installed base.  I was happy to see MS08-068
> because the technique it implements is better than nothing - it offers a
> nice, clever way to reduce the exploitability of the issue without
> breaking anything important.
>
> Don't bother telling us all how M$ should just bite the incompatibility
> bullet and turn NTLM off - that's been an option for users,
> theoretically speaking, since about the time Windows Kerberos support
> became mature, and practically speaking, nobody seems to be turning NTLM
> off here in the real world.
>

Don't be silly.  The answer is staring you in the face, right?  Just rip 
out your entire infrastructure and replace it with Linux and it's all 
good.  A few training courses to get your lusers up to speed and you 
racing down the information superhighway without all the evil badness 
clogging up your arteries.

Paul Schmehl, If it isn't already
obvious, my opinions are my own
and not those of my employer.
******************************************
WARNING: Check the headers before replying

Content of type "application/pkcs7-signature" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ